-**4. VNF Development Requirements**
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright 2017 AT&T Intellectual Property. All rights reserved.
+
+
+**VNF Development Requirements**
====================================
-a. VNF Design
-==============
+VNF Design
+--------------------
Services are composed of VNFs and common components and are designed to
be agnostic of the location to leverage capacity where it exists in the
packaging and deploying VNFs as needed for the service. It enables
grouping functions in a common cloud data center to minimize
inter-component latency. The VNFs should be designed with a goal of
-being modular and reusable to enable using best-in-breed vendors
+being modular and reusable to enable using best-in-breed vendors.
Section 5.a VNF Design in *VNF Guidelines* describes
the overall guidelines for designing VNFs from VNF Components (VNFCs).
* R-86585 The VNFC **SHOULD** minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another.
* R-65134 The VNF **SHOULD** maintain state in a geographically redundant datastore that may, in fact, be its own VNFC.
* R-75850 The VNF **SHOULD** decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data.
-* R-88199 The VNF **MUST** utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores.
+* R-88199 The VNF **MUST** utilize a persistent datastore service that can meet the data performance/latency requirements. (For example: Datastore service could be a VNFC in VNF or a DBaaS in the Cloud execution environment)
* R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC instance fails.
* R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec.
* R-54430 The VNF **MUST** use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
* R-64768 The VNF **MUST** limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks.
* R-74481 The VNF **MUST** NOT require the use of a dynamic routing protocol unless necessary to meet functional requirements.
-b. VNF Resiliency
-=================
+VNF Resiliency
+-------------------------
The VNF is responsible for meeting its resiliency goals and must factor
in expected availability of the targeted virtualization environment.
Below are more detailed resiliency requirements for VNFs.
All Layer Redundancy
---------------------
+^^^^^^^^^^^^^^^^^^
Design the VNF to be resilient to the failures of the underlying
virtualized infrastructure (Network Cloud). VNF design considerations
* R-36843 The VNF **MUST** support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades.
Minimize Cross Data-Center Traffic
-----------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Avoid performance-sapping data center-to-data center replication delay
by applying techniques such as caching and persistent transaction paths
* R-92935 The VNF **SHOULD** minimize the propagation of state information across multiple data centers to avoid cross data center traffic.
Application Resilient Error Handling
-------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Ensure an application communicating with a downstream peer is equipped
to intelligently handle all error conditions. Make sure code can handle
Application Resilient Error Handling Requirements
-* R-26371 The VNF **MUST** detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity.
+* R-26371 The VNF **MUST** detect communication failure for inter VNFC instance and intra/inter VNF and re-establish communication automatically to maintain the VNF without manual intervention to provide service continuity.
* R-18725 The VNF **MUST** handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted.
* R-06668 The VNF **MUST** handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order.
-* R-80070 The VNF **MUST** handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity.
-* R-32695 The VNF **MUST** provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior.
+* R-80070 The VNF **MUST** handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity (where the error is not directly impacting the software handling the incoming request).
+* R-32695 The VNF **MUST** provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior, where the interface and/or functional specification allows for altering behaviour.
* R-48356 The VNF **MUST** fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language.
* R-67918 The VNF **MUST** handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity.
* R-36792 The VNF **MUST** automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate.
System Resource Optimization
-----------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^
Ensure an application is using appropriate system resources for the task
at hand; for example, do not use network or IO operations inside
* R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput.
* R-63473 The VNF **MUST** automatically advertise newly scaled components so there is no manual intervention required.
* R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for both Service Chaining and scaling.
-* R-41159 The VNF **MUST** deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it.
+* R-41159 The VNF **MUST** deliver any and all functionality from any VNFC in the pool (where pooling is the most suitable solution). The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it.
* R-85959 The VNF **SHOULD** automatically enable/disable added/removed sub-components or component so there is no manual intervention required.
* R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance.
* R-12538 The VNF **SHOULD** support load balancing and discovery mechanisms in resource pools containing VNFC instances.
Application Configuration Management
-------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Leverage configuration management audit capability to drive conformity
to develop gold configurations for technologies like Java, Python, etc.
Intelligent Transaction Distribution & Management
--------------------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Leverage Intelligent Load Balancing and redundant components (hardware
and modules) for all transactions, such that at any point in the
* R-27995 The VNF **SHOULD** include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF.
Deployment Optimization
------------------------
+^^^^^^^^^^^^^^^^^^^^^^
Reduce opportunity for failure, by human or by machine, through smarter
deployment practices and automation. This can include rolling code
* R-16039 The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met.
Monitoring & Dashboard
-----------------------
+^^^^^^^^^^^^^^^^^^^^^
Promote dashboarding as a tool to monitor and support the general
operational health of a system. It is critical to the support of the
* R-48917 The VNF **MUST** monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors.
* R-28168 The VNF **SHOULD** use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging.
* R-87352 The VNF **SHOULD** utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed.
-* R-16560 The VNF **MUST** conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF.
+* R-16560 The VNF **SHOULD** conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF.
-c. VNF Security
-===============
+VNF Security
+----------------------
The objective of this section is to provide the key security
requirements that need to be met by VNFs. The security requirements are
following sections:
- **VNF General Security**: This section addresses general security
- requirements for the VNFs that the vendors will need to address.
+ requirements for the VNFs that the VNF provider will need to address.
- **VNF Identity and Access Management**: This section addresses
security requirements with respect to Identity and Access Management
requirements associated with data protection.
VNF General Security Requirements
----------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This section provides details on the VNF general security requirements
on various security areas such as user access control, network security,
* R-85633 The VNF **MUST** implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer.
* R-92207 The VNF **SHOULD** implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing.
* R-23882 The VNF **SHOULD** be scanned using both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings.
-* R-46986 The VNF **SHOULD** have source code scanned using scanning tools (e.g., Fortify) and provide reports.
+* R-46986 The VNF **SHOULD** have source code scanned using scanning tools (e.g., Fortify) and provide reports.
* R-55830 The VNF **MUST** distribute all production code from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots.
-* R-99771 The VNF **MUST** provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning.
+* R-99771 The VNF **MUST** provide all code/configuration files in a "Locked down" or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. VNF provider default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning.
* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes).
* R-33981 The VNF **SHOULD** interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers).
* R-40813 The VNF **SHOULD** support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools.
* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support Role-Based Access Control to permit/limit the user/application to performing specific activities.
* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support logging via ONAP for a historical view of “who did what and when”.
* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt OA&M access (e.g., SSH, SFTP).
-* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable.
+* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce a configurable maximum number of Login attempts policy for the users. VNF provider must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable.
* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with the NCSP’s credential management policy.
* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire passwords at regular configurable intervals.
* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.
* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis.
* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support use of common third party authentication and authorization tools such as TACACS+, RADIUS.
-* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES.
-* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability.
+* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as TLS 1.2 or higher or equivalent security protocols such as IPSec, AES.
+* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability.
VNF Identity and Access Management Requirements
------------------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The following security requirements for logging, identity, and access
management need to be met by the solution in a virtual environment:
* R-95105 The VNF **MUST** host connectors for access to the application layer.
* R-45496 The VNF **MUST** host connectors for access to the OS (Operating System) layer.
* R-05470 The VNF **MUST** host connectors for access to the database layer.
-* R-77737 The VNF **MUST**
* R-99174 The VNF **MUST** comply with Individual Accountability (each person must be assigned a unique ID) when persons or non-person entities access VNFs.
* R-42874 The VNF **MUST** comply with Least Privilege (no more privilege than required to perform job functions) when persons or non-person entities access VNFs.
* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a single layer and no developer may access production without special oversight) when persons or non-person entities access VNFs.
-* R-86261 The VNF **MUST NOT** allow vendor access to VNFs remotely.
-* R-49945 The VNF **MUST** authorize vendor access through a client application API by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism.
-* R-31751 The VNF **MUST** subject vendor VNF access to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies.
+* R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely.
+* R-49945 The VNF **MUST** authorize VNF provider access through a client application API by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism.
+* R-31751 The VNF **MUST** subject VNF provider access to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies.
* R-34552 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for OWASP Top 10.
* R-29301 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Password Attacks.
* R-72243 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Phishing / SMishing.
* R-44032 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Man in the Middle (MITM).
* R-58977 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Eavesdropping.
* R-24825 The VNF **MUST** provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system.
-* R-59391 The VNF vendor **MUST**, where a VNF vendor requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function.
-* R-85028 The VNF **MUST** authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions.
-* R-80335 The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication.
-* R-73541 The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software.
+* R-59391 The VNF provider **MUST**, where a VNF provider requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function.
+* R-85028 The VNF **MUST** authenticate system to system access and do not conceal a VNF provider user’s individual accountability for transactions.
+* R-80335 The VNF **MUST** make visible a Warning Notice: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF provider user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication.
+* R-73541 The VNF **MUST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software.
* R-64503 The VNF **MUST** provide minimum privileges for initial and default settings for new user accounts.
* R-86835 The VNF **MUST** set the default settings for user access to sensitive commands and data to deny authorization.
* R-77157 The VNF **MUST** conform to approved request, workflow authorization, and authorization provisioning requirements when creating privileged users.
-* R-81147 The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must.
+* R-81147 The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs.
* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks.
* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
* R-15671 The VNF **MUST NOT** provide public or unrestricted access to any data without the permission of the data owner. All data classification and access controls must be followed.
VNF API Security Requirements
------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
This section covers API security requirements when these are used by the
VNFs. Key security areas covered in API security are Access Control,
VNF Security Analytics Requirements
------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This section covers VNF security analytics requirements that are mostly
applicable to security monitoring. The VNF Security Analytics cover the
* R-84160 The VNF **MUST** have security logging for VNFs and their OSs be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems.
VNF Data Protection Requirements
---------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This section covers VNF data protection requirements that are mostly
applicable to security monitoring.
* R-95864 The VNF **MUST** use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation.
* R-12110 The VNF **MUST NOT** use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.
* R-52060 The VNF **MUST** provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption.
-* R-69610 The VNF **MUST** provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor.
+* R-69610 The VNF **MUST** provide the capability of using certificates issued from a Certificate Authority not provided by the VNF provider.
* R-83500 The VNF **MUST** provide the capability of allowing certificate renewal and revocation.
* R-29977 The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.
* R-24359 The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate.
* R-39604 The VNF **MUST** provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked.
* R-75343 The VNF **MUST** provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate — the "distinguished name".
-d. VNF Modularity
-=================
+VNF Modularity
+---------------------------
-ONAP Heat Orchestration Templates: Overview
--------------------------------------------
+ONAP Heat Orchestration Templates: Overview
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ONAP supports a modular Heat Orchestration Template design pattern,
referred to as *VNF Modularity.*
ONAP VNF Modularity Overview
-----------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
With VNF Modularity, a single VNF may be composed from one or more Heat
Orchestration Templates, each of which represents a subset of the
volume to be reused on another instance (e.g., during a failover
activity).
-* R-11200 The VNF MUST keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module.
+* R-11200 The VNF **MUST** keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module.
-* R-nnnnn The VNF MUST have a corresponding environment file for a Base Module.
-* R-nnnnn The VNF MUST have a corresponding environment file for an Incremental Module.
-* R-nnnnn The VNF MUST have a corresponding environment file for a Cinder Volume Module.
+* R-38474 The VNF **MUST** have a corresponding environment file for a Base Module.
+* R-81725 The VNF **MUST** have a corresponding environment file for an Incremental Module.
+* R-53433 The VNF **MUST** have a corresponding environment file for a Cinder Volume Module.
These concepts will be described in more detail throughout the document.
This overview is provided to set the stage and help clarify the concepts
ONAP VNF Modularity
--------------------
+^^^^^^^^^^^^^^^^^^^
ONAP supports a modular Heat Orchestration Template design pattern,
referred to as *VNF Modularity.* With this approach, a single VNF may be
template.
Suggested Patterns for Modular VNFs
------------------------------------
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There are numerous variations of VNF modularity. Below are two suggested
usage patterns.
options.
Modularity Rules
-----------------
+^^^^^^^^^^^^^^
There are some rules to follow when building modular VNF templates:
name in the add-on module
VNF Modularity Examples
------------------------
+^^^^^^^^^^^^^^^^^^^^^^
*Example: Base Module creates SecurityGroup*
base\_MODULE.yaml
-.. code-block:: python
+.. code-block:: yaml
parameters:
. . .
INCREMENTAL\_MODULE.yaml
-.. code-block:: python
+.. code-block:: yaml
parameters:
dns_sec_grp_id:
base.yaml
-.. code-block:: python
+.. code-block:: yaml
heat_template_version: 2013-05-23
incremental.yaml
-.. code-block:: python
+.. code-block:: yaml
heat_template_version: 2013-05-23
network_id: { get_param: int_oam_net_id }
...
-e. VNF Devops
-=============
+VNF Devops
+---------------------
-This section includes guidelines for vendors to ensure that a Network
+This section includes guidelines for VNF providers to ensure that a Network
Cloud Service Provider’s operations personnel have a common and
consistent way to support VNFs and VNFCs.
DevOps Requirements
-* R-46960 The VNF **MUST** utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [1]_
-* R-23475 The VNF **SHOULD** utilize only NCSP provided Guest OS images. [2]_
-* R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [2]_
+* R-46960 NCSPs **MAY** operate a limited set of Guest OS and CPU architectures and families, virtual machines, etc.
+* R-23475 VNFCs **SHOULD** be agnostic to the details of the Network Cloud (such as hardware, host OS, Hypervisor or container technology) and must run on the Network Cloud with acknowledgement to the paradigm that the Network Cloud will continue to rapidly evolve and the underlying components of the platform will change regularly.
+* R-33846 The VNF **MUST** install the NCSP required software on Guest OS images when not using the NCSP provided Guest OS images. [1]_
+* R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [1]_
* R-02997 The VNF **MUST** preserve their persistent data. Running VMs will not be backed up in the Network Cloud infrastructure.
* R-29760 The VNFC **MUST** be installed on non-root file systems, unless software is specifically included with the operating system distribution of the guest image.
* R-20860 The VNF **MUST** be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware.
* R-89800 The VNF **MUST NOT** require Hypervisor-level customization from the cloud provider.
* R-86758 The VNF **SHOULD** provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting.
* R-39650 The VNF **SHOULD** provide the ability to test incremental growth of the VNF.
-* R-14853 The VNF **MUST** respond to a "move traffic" [3]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints.
-* R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. This is used to support scenarios such as proactive maintenance with no user impact,
+* R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints.
+* R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. This is used to support scenarios such as proactive maintenance with no user impact.
+* R-64713 The VNF **SHOULD** support a software promotion methodology from dev/test -> pre-prod -> production in software, development & testing and operations.
-f. VNF Develop Steps
-=======================
+VNF Develop Steps
+--------------------------------
-Aid to help the VNF vendor to fasten the integration with the GVNFM, the
-OpenO provides the VNF SDK tools, and the documents. In this charter,
-the develop steps for VNF vendors will be introduced.
+Aid to help the VNF provider to fasten the integration with the GVNFM, the
+ONAP provides the VNF SDK tools, and the documents. In this charter,
+the develop steps for VNF providers will be introduced.
First, using the VNF SDK tools to design the VNF with TOSCA model and
output the VNF TOSCA package. The VNF package can be validated, and
tested.
-Second, the VNF vendor should provide the VNF Rest API to integrate with
+Second, the VNF provider should provide the VNF Rest API to integrate with
the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA
document.
Refer to NCSP’s Network Cloud specification
.. [2]
- Refer to NCSP’s Network Cloud specification
-
-.. [3]
Not currently supported in ONAP release 1
Code Review / vnfrqts / requirements.git / blobdiff