Re: ETSI SOL003 deployment package failure

neetimit · ‎03-29-2020

Hi

I am trying to setup a NSO package for sol003 deployment of CSR VNF.

I read in the user guide that to allow access to the package artifacts the NFVO must support the /vnf_packages API - I checked this on my NSO by using

curl -X GET -u admin:admin http://<nso ip>:9191/vnfpkgm/v1/vnf_packages and it seems this is working

However whenever I invoke my service I get this error:

Aborted: External error in the NED implementation for device austx-lab-dev-esc-01-sol003: Prepare error: java.lang.Exception: [503] => Error during getAllPackages - 401 Unauthorized

I think I am missing some settings which provide username and password.

Here is my service call:

services csr_sol003 sol3_3 ciscoesc austx-lab-dev-esc-01-sol003 csr-authgroup csrgrp csr-hostname csr-os5 mgmt-net austx-nfv01-0099-prov-cml-SpectrumEnterprisem

admin@ncs(config-csr_sol003-sol3_3/ciscoesc/austx-lab-dev-esc-01-sol003)#

admin@ncs(config-csr_sol003-sol3_3/ciscoesc/austx-lab-dev-esc-01-sol003)# commit dry-run

cli {

local-node {

data devices {

device austx-lab-dev-esc-01-sol003 {

config {

etsisol003:vnf-instances {

+ vnf-instance austx-lab-dev-esc-01-sol003-vnf-info-sol3_3 {

+ d-id CSRsol003;

+ }

}

services {

+ csr_sol003 sol3_3 ciscoesc austx-lab-dev-esc-01-sol003 {

+ csr-authgroup csrgrp;

+ csr-hostname csr-os5;

+ mgmt-net austx-nfv01-0099-prov-cml-SpectrumEnterprise;

+ }

}

nfv {

+ vnf-info sol3_3 {

+ username admin;

+ vnfd CSRsol003;

+ vnfd-flavour vnf-csr;

+ instantiation-level medium;

+ vnfm austx-lab-dev-esc-01-sol003;

+ vnfm-type sol3;

+ vim-type openstack;

+ sol3-vnfm-type default-sol3;

+ vdu CSR {

+ managed;

+ image-name csr1000v-universalk9.03.17.02.S.156-1.S2-std;

+ flavour-name vnf-csr;

+ artifact iosxe_config.txt {

+ destination-name iosxe_config.txt;

+ url http://<ip>:4545/iosxe_config.txt;

+ variable ADMIN_PWD {

+ value [ admin ];

+ }

+ variable HOST_NAME {

+ value [ csr-os5 ];

+ }

+ variable USERNAME {

+ value [ admin ];

+ }

+ authgroup csrgrp;

+ host-key-verification-type none;

+ }

+ resource-orchestration {

+ vim nfvEsc {

+ vim-id nfv_esc;

+ vim-type OPENSTACK_V3;

+ access-params {

+ param password {

+ value ###;

+ type string;

+ }

+ param username {

+ value ciscoesc;

+ type string;

+ }

+ param vim_project {

+ value nfvoEsc;

+ type string;

+ }

+ interface-params {

+ param baseUrl {

+ value http://<ip>:5000/v3;

+ type string;

+ }

+ vnfd-connection-point mgmt {

+ network-name austx-nfv01-0099-prov-cml-SpectrumEnterprise;

+ }

}

admin@ncs(config-csr_sol003-sol3_3/ciscoesc/austx-lab-dev-esc-01-sol003)# commit

Aborted: External error in the NED implementation for device austx-lab-dev-esc-01-sol003: Prepare error: java.lang.Exception: [503] => Error during getAllPackages - 401 Unauthorized

Any hints how I can solve this?

Thanks,

Neetika

ansnaran · ‎03-30-2020

Hi Neetika,

You seem to be running into authentication failure for ESC --> NFVO communication, please ensure, ESC etsi production properties file has right username and password configuration (See below for more details). One of the common issues here is, using username vs userName in ESC etsi production properties. Please check ESC documentation for right configuration.

Hope this helps.

Regards,

Anshu.

admin@ESC-nirali ~]$ sudo vi /opt/cisco/esc/esc_database/etsi-production.properties

...

nfvo.apiRoot=<NSO IP>:9090

nfvo.httpScheme=http

nfvo.username=admin123 (or nfvo.userName)

nfvo.password=admin123

...

KJ Rossavik · ‎03-30-2020

Also, is there any particular reason why you're using SOL003 integration between NSO NFVO and ESC? For the case where there is no 3rd party VNFM then we would recommend to use NETCONF integration. SOL003 is still immature and incomplete, and although it works well in several customer deployments, we still believe integration would be more straightforward, cheaper and quicker using NETCONF.

neetimit · ‎04-02-2020

Hi KJ,

The client has both Netcracker and ESC in their production environment. Different teams develop and support the packages using these VNFMs. The team I am working with is new to these and will be supporting in future. They right now want to learn the implementation using both NETCONF and sol003.

Thanks,

Neetika

neetimit · ‎03-30-2020

Thanks Anshu,

I did check the ETSI-production.properties, as per ESC documentation it should be nfvo.username, I tried with both nfvo.username and nfvo.userName, it is not working either way. Here is my properties file:

[ciscoesc@austx-lab-dev-esc-01 etsi-vnfm]$ cat /opt/cisco/esc/esc_database/etsi-production.properties

# Rest username and password

security.user.name=admin

security.user.password=$1$rnkCB5$4Jf7v7xoK3JFpKmrXvM9O0

security.pam.service=

# Connection details for the NFVO

# apiRoot: The host and port (host:port)

# httpScheme: The http scheme (http or https)

nfvo.apiRoot=97.105.228.244:9191

nfvo.httpScheme=http

nfvo.username=admin

nfvo.password=admin

# server.host: The IP address of this server. Only needs to be set if it has multiple ip addresses

server.host=97.105.228.252

http.enabled=true

https.enabled=false

Do you see any issues with this file? The curl request with user/password as admin/admin for packages work fine:

curl -X GET -u admin:admin http://97.105.228.244:9191/vnfpkgm/v1/vnf_packages

Thanks,

Neetika

ansnaran · ‎03-30-2020

Can you please share output of below command ? Also, please share NSO logs.

show nfv settings

Ideally, you should be able to see username passed to NFVO in access logs (under NSO logs).

Regards,

Anshu.

neetimit · ‎03-30-2020

Hi Anshu,

Here is my NFV settings:

admin@ncs(config)# show full-configuration nfv settings nfv settings image-server document-root /home/nmittal/nfvo

nfv settings etsi-sol3 server ip-address 97.105.228.244

nfv settings etsi-sol3 server port 9191

nfv settings etsi-sol3 server use-ssl false

nfv settings etsi-sol3 server verify-client-cert false

nfv settings etsi-sol3 server auth-enabled true

nfv settings etsi-sol3 server auth-types basic username admin

nfv settings etsi-sol3 server auth-types basic password $8$yo8zCkSla1zUDrVUAQdAkv4X8SaoLkPYt3y6Q+U0I6c=

nfv settings etsi-sol3 vnfm-behaviour vnfm-behaviour-override default-sol3

rpc-behaviour rpc include vim-info false

rpc-behaviour modify pre rpc false

rpc-behaviour modify post rpc false

grant scale authorise-grant true

!

admin@ncs(config)# show full-configuration devices device austx-lab-dev-esc-01-sol003

devices device austx-lab-dev-esc-01-sol003

address 97.105.228.252

port 8250

ssh host-key ssh-rsa

key-data "......"

!

authgroup escsol3

device-type generic ned-id etsi-sol003-gen-1.13

read-timeout 420

trace raw

ned-settings etsi-sol003 connection ssl accept-any

ned-settings etsi-sol003 connection api-base-url /vnflcm/v1/

ned-settings etsi-sol003 connection api

auth

credentials username admin

credentials password admin

type basic

!

param

tenant-id ciscoesc

!

base-url

vnf-instance /vnflcm/v1

!

sync

model vnf-instance

is-syncable true

!

model vnf-op

is-syncable true

!

model vnf-subscription

is-syncable true

!

only [ vnf-instance vnf-op vnf-subscription ]

!

proto

default http

!

number-of-retries 0

time-between-retry 1

!

ned-settings etsi-sol003 log-verbose true

ned-settings etsi-sol003 device model default-sol3

ned-settings etsi-sol003 flow

vnf-instance

instantiate auto true

terminate auto false

!

state admin-state unlocked

config

etsisol003:vnf-subscriptions vnf-subscription nfvo1

callbackUri http://97.105.228.244:9191/vnflcm/events

!

Also I have attached my access logs. Seems like it is getting admin as the username which is what I configured.

Please let me know if you get any clue what is wrong. Thank you.

ansnaran · ‎03-31-2020

I don't see ESC passing username, if you carefully check, PostmanRuntime/7.22.0 and curl/7.29.0 invocations (marked in bold) have username admin, all invocations from Apache-HttpClient/4.5.8 (ESC) don't pass admin user.

Can you please work with ESC team to get right configuration in place for version of ESC you are using?

Would request you again to share all NSO logs for easy trouble-shooing.

Regards,

Anshu.

97.105.228.252 - - [30/Mar/2020:21:16:13 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 401 122 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"
97.105.228.252 - - [30/Mar/2020:21:16:25 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 401 122 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"
97.105.228.252 - - [30/Mar/2020:21:21:28 +0000] "POST /vnfpkgm/v1/subscriptions HTTP/1.1" 401 123 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"
97.105.228.252 - - [30/Mar/2020:21:21:46 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 401 122 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"
204.235.114.162 - admin [30/Mar/2020:21:23:52 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 200 1203 "-" "PostmanRuntime/7.22.0"
97.105.228.244 - admin [30/Mar/2020:21:46:50 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 200 5056 "-" "curl/7.29.0"
97.105.228.252 - - [31/Mar/2020:03:32:44 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 401 122 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"
97.105.228.252 - - [31/Mar/2020:03:33:59 +0000] "GET /vnfpkgm/v1/vnf_packages HTTP/1.1" 401 122 "-" "Apache-HttpClient/4.5.8 (Java/1.8.0_222)"

neetimit · ‎03-31-2020

Hi Anshu,

I am sharing the logs on email.

Thanks,

Neetika

neetimit · ‎04-02-2020

The correct settings in etsi-production.properties was:

nfvo.userName=###
nfvo.authenticationType=BASIC

The ESC documentation has it as username which is incorrect and nfvo.authenticationType is not mentioned that it is mandatory.