This document describes tests that were performed for PCEI R4:
Describe the components of Test set up
Described in the PCEI R4 Installation Guide
Described in the PCEI R4 End-to-End Validation Guide
Described in the BluVal Test section of this document.
Not used.
For end-to-end functional verification, a simulated IoT Client was provided. Please refer to PCEI R4 End-to-End Validation Guide.
Test APIs NOT USED (except BluVal Robot)
NOT PERFORMED
BluVal Test Environment setup according to:
cd validation vi bluval-pcei.yaml blueprint: name: pcei layers: - os - docker - k8s # Any hardware some basic tests os: &os_pcei - name: ltp what: ltp optional: "True" - name: cyclictest what: cyclictest optional: "True" - name: lynis what: lynis optional: "False" - name: vuls what: vuls optional: "False" docker: &docker_base - name: docker_bench what: docker_bench optional: "True" k8s: &k8s - name: conformance what: conformance optional: "False" - name: etcd_ha what: etcd_ha optional: "True" - name: kube-hunter what: kube-hunter optional: "False" cd /home/onaplab/validation/bluval vi volumes.yaml volumes: # location of the ssh key to access the cluster ssh_key_dir: local: '/home/onaplab/.ssh' target: '/root/.ssh' # location of the k8s access files (config file, certificates, keys) kube_config_dir: local: '/home/onaplab/kube' target: '/root/.kube/' # location of the customized variables.yaml custom_variables_file: local: '/home/onaplab/validation/tests/variables.yaml' target: '/opt/akraino/validation/tests/variables.yaml' # location of the bluval-<blueprint>.yaml file blueprint_dir: local: '/home/onaplab/validation/bluval' target: '/opt/akraino/validation/bluval' # location on where to store the results on the local jumpserver results_dir: local: '/home/onaplab/results' target: '/opt/akraino/results' # location on where to store openrc file openrc: local: '' target: '/root/openrc' # parameters that will be passed to the container at each layer layers: # volumes mounted at all layers; volumes specific for a different layer are below common: - custom_variables_file - blueprint_dir - results_dir hardware: - ssh_key_dir os: - ssh_key_dir networking: - ssh_key_dir docker: - ssh_key_dir k8s: - ssh_key_dir - kube_config_dir k8s_networking: - ssh_key_dir - kube_config_dir openstack: - openrc sds: sdn: vim: cd /home/onaplab/validation/tests vi variables.yaml ### Input variables cluster's master host host: 10.121.7.147 # cluster's master host address username: onaplab # login name to connect to cluster password: onaplab # login password to connect to cluster ssh_keyfile: /root/.ssh/id_rsa # Identity file for authentication |
6. Run BluVal Robot:
cd bash validation/bluval/blucon.sh pcei |
7. Install LFTOOLS:
sudo apt install python3-pip pip3 install lftools |
8. Push BluVal Results to Akraino Nexus
# Create .netrc file vi .netrc machine nexus.akraino.org login <LF ID> password <Password> # Archive log files zip -r results.zip ./results # Push logs to Nexus NEXUS_PATH="/pcei/job/v2" NEXUS_URL="https://nexus.akraino.org/" /home/onaplab/.local/bin/lftools deploy nexus-zip $NEXUS_URL logs $NEXUS_PATH results.zip |
https://nexus.akraino.org/content/sites/logs/pcei/job/v2/results/
CVEs Found:
CVE | CVSS | URL | Exception |
---|---|---|---|
CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | Requested by another BP |
CVE-2017-18342 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18342 | Requested by another BP |
CVE-2017-8283 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-8283 | Requested by PCEI |
CVE-2018-20839 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-20839 | Requested by another BP |
CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | Requested by another BP |
CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | Requested by another BP |
CVE-2019-19814 | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2019-19814 | Requested by PCEI |
Exception Requested:
Vulnerabilities found
ID | Status |
---|---|
KHV002 | Fixed |
KHV005 | Pending |
KHV050 | Pending |
CAP_NET_RAW | Pending |
Fix for KHV002:
On SUT K8S Cluster:
kubectl replace -f - <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "false" labels: kubernetes.io/bootstrapping: rbac-defaults name: system:public-info-viewer rules: - nonResourceURLs: - /healthz - /livez - /readyz verbs: - get EOF |
Single pane view of how the test score looks like for the Blue print.