Doc updates for London

[dcaegen2.git] / docs / sections / services / dfc / configuration.rst

.. This work is licensed under a Creative Commons Attribution 4.0 International License.\r
.. http://creativecommons.org/licenses/by/4.0\r
\r
.. _dfc_configuration:\r
\r
=============================\r
Configuration and Performance\r
=============================\r
The DataFile Collector (DFC) gets fileReady messages from the Message Router (MR) sent from xNFs, via the VES Collector.\r
These messages contains data about files ready to get from the xNF. DFC then collects these files from the xNF and\r
publishes them to the DataRouter (DR) on a feed. Consumers can subscribe to the feed from DR and process the file for\r
its specific purpose. The connection between a file type and the feed it will be published to is the\r
**changeIdentifier**. DFC can handle multiple **changeIdentifier**/feed combinations, see picture below.\r
\r
.. image:: ../../images/DFC_config.png\r
\r
\r
\r
Configuration\r
^^^^^^^^^^^^^\r
By default, DFC handles the "PM_MEAS_FILES" change identifier and publishes these files on the "bulk_pm_feed" feed.\r
But it can also be configured to handle more/other change identifiers and publish them to more/other feeds. The\r
configuration of DFC is controlled via a blueprint.\r
\r
\r
The user can also specify which version of DFC to use.\r
\r
.. code-block:: yaml\r
\r
    image: onap/org.onap.dcaegen2.collectors.datafile.datafile-app-server:1.9.0\r
\r
The user can also enable secure communication with the DMaaP Message Router.\r
\r
.. code-block:: yaml\r
\r
    dmaap.security.enableDmaapCertAuth: true\r
\r
DFC can handle multiple stream identifiers. For each stream identifier/feed combination the user must provide the\r
** stream identifier**, **feed name**, and **feed location**.\r
\r
**Note!** The **feed name** provided should be used by the consumer/s to set up the subscription to the feed. \r
\r
The **stream identifier** shall be defined as an item under the **streams_publishes** tag in the "**applicationConfig**"\r
section. \r
\r
.. code-block:: yaml\r
\r
  :emphasize-lines: 2,6\r
      applicationConfig:\r
                  streams_publishes:\r
                    PM_MEAS_FILES:\r
                      dmaap_info:\r
                        publisher_id: ${DR_FILES_PUBLISHER_ID_0}\r
                        location: loc00\r
                        log_url: ${DR_LOG_URL_0}\r
                        publish_url: ${DR_FILES_PUBLISHER_URL_0}\r
                        username: ${DR_USERNAME}\r
                        password: ${DR_PASSWORD}\r
                      type: data_router\r
                  streams_subscribes:\r
                    dmaap_subscriber:\r
                      dmaap_info:\r
                        topic_url: "http://message-router:3904/events/unauthenticated.VES_NOTIFICATION_OUTPUT"\r
                      type: message_router\r
\r
\r
\r
Under this tag the internal "**feed identifier**" for the feed shall also be added to get the\r
info about the feed substituted in by CBS (that's what the <<>> tags are for).\r
\r
The **feed name** and **feed location** are defined as inputs for the user to provide in helm chart values.yaml. An example snapshot on default configuration is provided below. \r
\r
.. code-block:: yaml\r
 \r
        # DataRouter Feed Configuration\r
        drFeedConfig:\r
          - feedName: bulk_pm_feed\r
            owner: dcaecm\r
            feedVersion: "0.0"\r
            asprClassification: unclassified\r
            feedDescription: DFC Feed Creation\r
        \r
        # DataRouter Publisher Configuration\r
        drPubConfig:\r
          - feedName: bulk_pm_feed\r
            username: ${DR_USERNAME}\r
            userpwd: ${DR_PASSWORD}\r
            dcaeLocationName: loc00\r
\r
\r
.. _strict_host_checking_config:\r
\r
Turn On/Off StrictHostChecking\r
------------------------------\r
**StrictHostChecking** is a SSH connection option which prevents Man in the Middle (MitM) attacks. If it is enabled, client checks HostName and public key provided by server and compares it with keys stored locally. Only if matching entry is found, SSH connection can be established.\r
By default in DataFile Collector this option is enabled (true) and requires to provide known_hosts list to DFC container.\r
\r
**Important: DFC requires public keys in sha-rsa KeyAlgorithm** \r
\r
**Known_hosts file** is a list in following format:\r
\r
.. code-block:: bash\r
\r
  <HostName/HostIP> <KeyAlgorithms> <Public Key>\r
\r
e.g: \r
\r
.. code-block:: bash\r
\r
  172.17.0.3 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRibxPenQC//2hzTuscdQDUA7P3gB9k4E8IgwCJxZM8YrJ2vqHomN8boByubebvo0L8+DWqzAtjy0nvgzsoEme9Y3lLWZ/2g9stlsOurwm+nFmWn/RPnwjqsAGNQjukV8C9D82rPMOYRES6qSGactFw4i8ZWLH8pmuJ3js1jb91HSlwr4zbZZd2XPKHk3nudyh8/Mwf3rndCU5FSnzjpBo55m48nsl2M1Tb6Xj1R0jQc5LWN0fsbrm5m+szsk4ccgHw6Vj9dr0Jh4EaIpNwA68k4LzrWb/N20bW8NzUsyDSQK8oEo1dvsiw8G9/AogBjQu9N4bqKWcrk5DOLCZHiCTSbbvdMWAMHXBdxEt9GZ0V53Fzwm8fI2EmIHdLhI4BWKZajumsfHRnd6UUxxna9ySt6qxVYZTyrPvfOFR3hRxVaxHL3EXplGeHT8fnoj+viai+TeSDdjMNwqU4MrngzrNKNLBHIl705uASpHUaRYQxUfWw/zgKeYlIbH+aGgE+4Q1vnh10Y35pATePRZgBIu+h2KsYBAtrP88LqW562OQ6T7VkfoAYwOjx9WV3/y5qonsStPhhzmJHDF22oBh5E5tZQxRcIlQF+5kHmXnFRUZtWshFnQATBh3yhOzJbh66CXn7aPj5Kl8TuuSN48zuI2lulVVqcv7GmTS0tWNpbxpzw==\r
\r
HostName could also be hashed, e.g:\r
\r
.. code-block:: bash\r
\r
  |1|FwSOxXYeJyZMAQM3jREjLSIcxRw=|o/b+CHEeHuED7WZS6sb3Y1IyHjk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDRibxPenQC//2hzTuscdQDUA7P3gB9k4E8IgwCJxZM8YrJ2vqHomN8boByubebvo0L8+DWqzAtjy0nvgzsoEme9Y3lLWZ/2g9stlsOurwm+nFmWn/RPnwjqsAGNQjukV8C9D82rPMOYRES6qSGactFw4i8ZWLH8pmuJ3js1jb91HSlwr4zbZZd2XPKHk3nudyh8/Mwf3rndCU5FSnzjpBo55m48nsl2M1Tb6Xj1R0jQc5LWN0fsbrm5m+szsk4ccgHw6Vj9dr0Jh4EaIpNwA68k4LzrWb/N20bW8NzUsyDSQK8oEo1dvsiw8G9/AogBjQu9N4bqKWcrk5DOLCZHiCTSbbvdMWAMHXBdxEt9GZ0V53Fzwm8fI2EmIHdLhI4BWKZajumsfHRnd6UUxxna9ySt6qxVYZTyrPvfOFR3hRxVaxHL3EXplGeHT8fnoj+viai+TeSDdjMNwqU4MrngzrNKNLBHIl705uASpHUaRYQxUfWw/zgKeYlIbH+aGgE+4Q1vnh10Y35pATePRZgBIu+h2KsYBAtrP88LqW562OQ6T7VkfoAYwOjx9WV3/y5qonsStPhhzmJHDF22oBh5E5tZQxRcIlQF+5kHmXnFRUZtWshFnQATBh3yhOzJbh66CXn7aPj5Kl8TuuSN48zuI2lulVVqcv7GmTS0tWNpbxpzw==\r
\r
\r
\r
To provide known_hosts list to DFC, execute following steps:\r
\r
1. Create file called known_hosts with desired entries.\r
\r
2. Mount file using Kubernetes Config Map.\r
\r
.. code-block:: bash\r
\r
  kubectl -n <ONAP NAMESPACE> create cm <config map name> --from-file <path to known_hosts file>\r
\r
e.g:\r
\r
.. code-block:: bash\r
\r
  kubectl -n onap create cm onap-dcae-dfc-known-hosts --from-file /home/ubuntu/.ssh/known_hosts\r
\r
\r
3. Mount newly created Config Map as Volume to DFC by editing DFC deployment. **DFC deployment contains 3 containers, pay attention to mount the file to the appropriate container.**\r
\r
.. code-block:: yaml\r
  \r
  ...\r
  kind: Deployment\r
  metadata:\r
  ...\r
  spec:\r
    ...\r
    template:\r
      ...\r
      spec:\r
        containers:\r
        - image: <DFC image>\r
          ...\r
          volumeMounts:\r
            ...\r
          - mountPath: /home/datafile/.ssh/\r
            name: onap-dcae-dfc-known-hosts\r
            ...\r
        volumes:\r
        ...\r
        - configMap:\r
            name: <config map name, same as in step 1, e.g. onap-dcae-dfc-known-hosts>\r
          name: onap-dcae-dfc-known-hosts\r
      ...\r
\r
Known_hosts file path can be controlled by Environment Variable *KNOWN_HOSTS_FILE_PATH*. Full (absolute) path has to be provided. Sample deployment with changed known_hosts file path can be seen below.\r
\r
.. code-block:: yaml\r
  \r
  ...\r
  kind: Deployment\r
  metadata:\r
  ...\r
  spec:\r
    ...\r
    template:\r
      ...\r
      spec:\r
        containers:\r
        - image: <DFC image>\r
          envs: \r
            - name: KNOWN_HOSTS_FILE_PATH\r
              value: /home/datafile/.ssh/new/path/<known_hosts file name, e.g. my_custom_keys>\r
          ...\r
          volumeMounts:\r
            ...\r
          - mountPath: /home/datafile/.ssh/new/path\r
            name: onap-dcae-dfc-known-hosts\r
            ...\r
        volumes:\r
        ...\r
        - configMap:\r
            name: <config map name, same as in step 1, e.g. onap-dcae-dfc-known-hosts>\r
          name: onap-dcae-dfc-known-hosts\r
      ...\r
\r
To change mounted known_hosts list, edit existing Config Map or delete and create it again. **The DFC container may refresh changes with a delay.** Pod, nor container restart is NOT required.\r
\r
To edit Config Map execute:\r
\r
.. code-block:: bash\r
\r
  kubectl -n <ONAP NAMESPACE> edit cm <config map name>\r
\r
e.g:\r
\r
.. code-block:: bash\r
\r
   kubectl -n onap edit cm onap-dcae-dfc-known-hosts\r
\r
To delete and create again Config Map execute: \r
\r
.. code-block:: bash\r
\r
  kubectl -n <ONAP NAMESPACE> delete cm <config map name>\r
  kubectl -n <ONAP NAMESPACE> create cm <config map name> --from-file <path to known_hosts file>\r
\r
e.g:\r
\r
.. code-block:: bash\r
\r
  kubectl -n onap delete cm onap-dcae-dfc-known-hosts\r
  kubectl -n onap create cm onap-dcae-dfc-known-hosts --from-file /home/ubuntu/.ssh/known_hosts\r
\r
\r
To turn off StrictHostChecking, set below option to false. It could be changed in DCAE Config Binding Service (CBS).\r
\r
**WARNING: such operation is not recommended as it decreases DFC security and exposes DFC to MitM attacks.**\r
\r
.. code-block:: bash\r
\r
  "sftp.security.strictHostKeyChecking": false\r
\r
\r
\r
Disable TLS connection\r
----------------------\r
The TLS connection in the external interface is enabled by default. To disable TLS, use the following application property:\r
\r
.. code-block:: bash\r
\r
  "dmaap.certificateConfig.enableCertAuth": false\r
\r
\r
\r
Performance\r
^^^^^^^^^^^\r
\r
To see the performance of DFC, see "`Datafile Collector (DFC) performance baseline results`_".\r
\r
.. _Datafile Collector (DFC) performance baseline results: https://wiki.onap.org/display/DW/Datafile+Collector+%28DFC%29+performance+baseline+results\r