Loading expose_ingress_grpc.sh 0 → 100755 +55 −0 Original line number Diff line number Diff line #!/bin/bash # Copyright 2022-2023 ETSI TeraFlowSDN - TFS OSG (https://tfs.etsi.org/) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######################################################################################################################## # Define your deployment settings here ######################################################################################################################## # If not already set, set the name of the Kubernetes namespace to deploy to. export TFS_K8S_NAMESPACE=${TFS_K8S_NAMESPACE:-"tfs"} # If not already set, set the list of components you want to build images for, and deploy. export TFS_COMPONENTS=${TFS_COMPONENTS:-"context device automation policy service compute monitoring l3_attackmitigator l3_centralizedattackdetector webui"} ######################################################################################################################## # Automated steps start here ######################################################################################################################## echo "Exposing GRPC ports for components..." for COMPONENT in $TFS_COMPONENTS; do echo "Processing '$COMPONENT' component..." 
SERVICE_GRPC_PORT=$(kubectl get service ${COMPONENT}service --namespace $TFS_K8S_NAMESPACE -o 'jsonpath={.spec.ports[?(@.name=="grpc")].port}') echo " '$COMPONENT' service port: $SERVICE_GRPC_PORT" if [ -z "${SERVICE_GRPC_PORT}" ]; then printf "\n" continue; fi COMPONENT_OBJNAME=$(echo "${COMPONENT}" | sed "s/\_/-/") PATCH='{"data": {"'${SERVICE_GRPC_PORT}'": "'$TFS_K8S_NAMESPACE'/'${COMPONENT_OBJNAME}service':'${SERVICE_GRPC_PORT}'"}}' #echo "PATCH: ${PATCH}" kubectl patch configmap nginx-ingress-tcp-microk8s-conf --namespace ingress --patch "${PATCH}" PORT_MAP='{"containerPort": '${SERVICE_GRPC_PORT}', "hostPort": '${SERVICE_GRPC_PORT}'}' CONTAINER='{"name": "nginx-ingress-microk8s", "ports": ['${PORT_MAP}']}' PATCH='{"spec": {"template": {"spec": {"containers": ['${CONTAINER}']}}}}' #echo "PATCH: ${PATCH}" kubectl patch daemonset nginx-ingress-microk8s-controller --namespace ingress --patch "${PATCH}" printf "\n" done echo "Done!" s.shdeleted 100755 → 0 +0 −7 Original line number Diff line number Diff line if [ -s /etc/docker/daemon.json ]; then cat /etc/docker/daemon.json; else echo '{}'; fi \ | jq 'if has("insecure-registries") then . else .+ {"insecure-registries": []} end' -- \ | jq '."insecure-registries" |= (.+ ["localhost:32000"] | unique)' -- \ | tee tmp.daemon.json sudo mv tmp.daemon.json /etc/docker/daemon.json sudo chown root:root /etc/docker/daemon.json sudo chmod 600 /etc/docker/daemon.json src/l3_centralizedattackdetector/.gitlab-ci.yml 0 → 100644 +106 −0 Original line number Diff line number Diff line # Copyright 2022-2023 ETSI TeraFlowSDN - TFS OSG (https://tfs.etsi.org/) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
# You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Build, tag, and push the Docker image to the GitLab Docker registry build l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: build before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY script: - docker build -t "$IMAGE_NAME:$IMAGE_TAG" -f ./src/$IMAGE_NAME/Dockerfile . - docker tag "$IMAGE_NAME:$IMAGE_TAG" "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" - docker push "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" after_script: - docker images --filter="dangling=true" --quiet | xargs -r docker rmi rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' - changes: - src/common/**/*.py - proto/*.proto - src/$IMAGE_NAME/**/*.{py,in,yml} - src/$IMAGE_NAME/Dockerfile - src/$IMAGE_NAME/tests/*.py - manifests/${IMAGE_NAME}service.yaml - .gitlab-ci.yml # Apply unit test to the component unit test l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: unit_test needs: - build l3_centralizedattackdetector before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - if docker network list | grep teraflowbridge; then echo "teraflowbridge 
is already created"; else docker network create -d bridge teraflowbridge; fi - if docker container ls | grep $IMAGE_NAME; then docker rm -f $IMAGE_NAME; else echo "$IMAGE_NAME image is not in the system"; fi script: - docker pull "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" - docker run --name $IMAGE_NAME -d -p 10001:10001 --env CAD_CLASSIFICATION_THRESHOLD=0.5 -v "$PWD/src/$IMAGE_NAME/tests:/opt/results" --network=teraflowbridge $CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG - sleep 5 - docker ps -a - docker logs $IMAGE_NAME - docker exec -i $IMAGE_NAME bash -c "coverage run -m pytest --log-level=INFO --verbose $IMAGE_NAME/tests/test_unitary.py --junitxml=/opt/results/${IMAGE_NAME}_report.xml" - docker exec -i $IMAGE_NAME bash -c "coverage report --include='${IMAGE_NAME}/*' --show-missing" coverage: '/TOTAL\s+\d+\s+\d+\s+(\d+%)/' after_script: - docker rm -f $IMAGE_NAME - docker network rm teraflowbridge rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' - changes: - src/common/**/*.py - proto/*.proto - src/$IMAGE_NAME/**/*.{py,in,yml} - src/$IMAGE_NAME/Dockerfile - src/$IMAGE_NAME/tests/*.py - src/$IMAGE_NAME/tests/Dockerfile - manifests/${IMAGE_NAME}service.yaml - .gitlab-ci.yml artifacts: when: always reports: junit: src/$IMAGE_NAME/tests/${IMAGE_NAME}_report.xml # Deployment of the service in Kubernetes Cluster deploy l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: deploy needs: - unit test l3_centralizedattackdetector # - integ_test execute script: - 'sed -i "s/$IMAGE_NAME:.*/$IMAGE_NAME:$IMAGE_TAG/" manifests/${IMAGE_NAME}service.yaml' - kubectl version - kubectl get all - kubectl apply -f 
"manifests/${IMAGE_NAME}service.yaml" - kubectl get all # environment: # name: test # url: https://example.com # kubernetes: # namespace: test rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' when: manual - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' when: manual src/l3_centralizedattackdetector/service/l3_centralizedattackdetectorServiceServicerImpl.py +1 −1 Original line number Diff line number Diff line Loading @@ -506,7 +506,7 @@ class l3_centralizedattackdetectorServiceServicerImpl(L3Centralizedattackdetecto self.l3_ml_model_confidence_crypto = ( self.l3_ml_model_confidence_crypto * (self.l3_inferences_in_interval_counter_crypto - 1) + cryptomining_detector_output["confidence"] ) / self.l3_inferences_in_interval_counter_crypt ) / self.l3_inferences_in_interval_counter_crypto if connection_info not in self.l3_attacks: self.l3_attacks.append(connection_info) Loading Loading
expose_ingress_grpc.sh 0 → 100755 +55 −0 Original line number Diff line number Diff line #!/bin/bash # Copyright 2022-2023 ETSI TeraFlowSDN - TFS OSG (https://tfs.etsi.org/) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######################################################################################################################## # Define your deployment settings here ######################################################################################################################## # If not already set, set the name of the Kubernetes namespace to deploy to. export TFS_K8S_NAMESPACE=${TFS_K8S_NAMESPACE:-"tfs"} # If not already set, set the list of components you want to build images for, and deploy. export TFS_COMPONENTS=${TFS_COMPONENTS:-"context device automation policy service compute monitoring l3_attackmitigator l3_centralizedattackdetector webui"} ######################################################################################################################## # Automated steps start here ######################################################################################################################## echo "Exposing GRPC ports for components..." for COMPONENT in $TFS_COMPONENTS; do echo "Processing '$COMPONENT' component..." 
SERVICE_GRPC_PORT=$(kubectl get service ${COMPONENT}service --namespace $TFS_K8S_NAMESPACE -o 'jsonpath={.spec.ports[?(@.name=="grpc")].port}') echo " '$COMPONENT' service port: $SERVICE_GRPC_PORT" if [ -z "${SERVICE_GRPC_PORT}" ]; then printf "\n" continue; fi COMPONENT_OBJNAME=$(echo "${COMPONENT}" | sed "s/\_/-/") PATCH='{"data": {"'${SERVICE_GRPC_PORT}'": "'$TFS_K8S_NAMESPACE'/'${COMPONENT_OBJNAME}service':'${SERVICE_GRPC_PORT}'"}}' #echo "PATCH: ${PATCH}" kubectl patch configmap nginx-ingress-tcp-microk8s-conf --namespace ingress --patch "${PATCH}" PORT_MAP='{"containerPort": '${SERVICE_GRPC_PORT}', "hostPort": '${SERVICE_GRPC_PORT}'}' CONTAINER='{"name": "nginx-ingress-microk8s", "ports": ['${PORT_MAP}']}' PATCH='{"spec": {"template": {"spec": {"containers": ['${CONTAINER}']}}}}' #echo "PATCH: ${PATCH}" kubectl patch daemonset nginx-ingress-microk8s-controller --namespace ingress --patch "${PATCH}" printf "\n" done echo "Done!"
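Review bot: The loop publishes the gRPC port of every component in the default `TFS_COMPONENTS` list, both through the ingress TCP ConfigMap and as a `hostPort` on the ingress DaemonSet, so services such as `context` and `device` become reachable on the node address. Nothing in this script limits exposure to components that need external access, and whether those endpoints enforce TLS or authentication is not visible here; consider defaulting to an explicit short list. Separately, `SERVICE_GRPC_PORT` is spliced into the JSON patch unvalidated, and `${COMPONENT}` and `$TFS_K8S_NAMESPACE` are unquoted in the `kubectl get` call. A guard such as `[[ "$SERVICE_GRPC_PORT" =~ ^[0-9]+$ ]] || continue`, plus quoting the expansions, would stop a multi-value jsonpath result or an unusual namespace value from producing a malformed patch. `sed "s/\_/-/"` also replaces only the first underscore; `${COMPONENT//_/-}` handles names with several, and the `kubectl patch` exit codes are currently unchecked.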
s.shdeleted 100755 → 0 +0 −7 Original line number Diff line number Diff line if [ -s /etc/docker/daemon.json ]; then cat /etc/docker/daemon.json; else echo '{}'; fi \ | jq 'if has("insecure-registries") then . else .+ {"insecure-registries": []} end' -- \ | jq '."insecure-registries" |= (.+ ["localhost:32000"] | unique)' -- \ | tee tmp.daemon.json sudo mv tmp.daemon.json /etc/docker/daemon.json sudo chown root:root /etc/docker/daemon.json sudo chmod 600 /etc/docker/daemon.json
src/l3_centralizedattackdetector/.gitlab-ci.yml 0 → 100644 +106 −0 Original line number Diff line number Diff line # Copyright 2022-2023 ETSI TeraFlowSDN - TFS OSG (https://tfs.etsi.org/) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Build, tag, and push the Docker image to the GitLab Docker registry build l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: build before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY script: - docker build -t "$IMAGE_NAME:$IMAGE_TAG" -f ./src/$IMAGE_NAME/Dockerfile . 
- docker tag "$IMAGE_NAME:$IMAGE_TAG" "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" - docker push "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" after_script: - docker images --filter="dangling=true" --quiet | xargs -r docker rmi rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' - changes: - src/common/**/*.py - proto/*.proto - src/$IMAGE_NAME/**/*.{py,in,yml} - src/$IMAGE_NAME/Dockerfile - src/$IMAGE_NAME/tests/*.py - manifests/${IMAGE_NAME}service.yaml - .gitlab-ci.yml # Apply unit test to the component unit test l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: unit_test needs: - build l3_centralizedattackdetector before_script: - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY - if docker network list | grep teraflowbridge; then echo "teraflowbridge is already created"; else docker network create -d bridge teraflowbridge; fi - if docker container ls | grep $IMAGE_NAME; then docker rm -f $IMAGE_NAME; else echo "$IMAGE_NAME image is not in the system"; fi script: - docker pull "$CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG" - docker run --name $IMAGE_NAME -d -p 10001:10001 --env CAD_CLASSIFICATION_THRESHOLD=0.5 -v "$PWD/src/$IMAGE_NAME/tests:/opt/results" --network=teraflowbridge $CI_REGISTRY_IMAGE/$IMAGE_NAME:$IMAGE_TAG - sleep 5 - docker ps -a - docker logs $IMAGE_NAME - docker exec -i $IMAGE_NAME bash -c "coverage run -m pytest --log-level=INFO --verbose $IMAGE_NAME/tests/test_unitary.py --junitxml=/opt/results/${IMAGE_NAME}_report.xml" - docker exec -i $IMAGE_NAME bash -c "coverage report --include='${IMAGE_NAME}/*' --show-missing" coverage: '/TOTAL\s+\d+\s+\d+\s+(\d+%)/' after_script: - docker rm -f 
$IMAGE_NAME - docker network rm teraflowbridge rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' - changes: - src/common/**/*.py - proto/*.proto - src/$IMAGE_NAME/**/*.{py,in,yml} - src/$IMAGE_NAME/Dockerfile - src/$IMAGE_NAME/tests/*.py - src/$IMAGE_NAME/tests/Dockerfile - manifests/${IMAGE_NAME}service.yaml - .gitlab-ci.yml artifacts: when: always reports: junit: src/$IMAGE_NAME/tests/${IMAGE_NAME}_report.xml # Deployment of the service in Kubernetes Cluster deploy l3_centralizedattackdetector: variables: IMAGE_NAME: 'l3_centralizedattackdetector' # name of the microservice IMAGE_TAG: 'latest' # tag of the container image (production, development, etc) stage: deploy needs: - unit test l3_centralizedattackdetector # - integ_test execute script: - 'sed -i "s/$IMAGE_NAME:.*/$IMAGE_NAME:$IMAGE_TAG/" manifests/${IMAGE_NAME}service.yaml' - kubectl version - kubectl get all - kubectl apply -f "manifests/${IMAGE_NAME}service.yaml" - kubectl get all # environment: # name: test # url: https://example.com # kubernetes: # namespace: test rules: - if: '$CI_PIPELINE_SOURCE == "merge_request_event" && ($CI_MERGE_REQUEST_TARGET_BRANCH_NAME == "develop" || $CI_MERGE_REQUEST_TARGET_BRANCH_NAME == $CI_DEFAULT_BRANCH)' when: manual - if: '$CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH == "develop"' when: manual
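Review bot: The `before_script` blocks of the build and unit test jobs pass the registry password on the command line with `docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" $CI_REGISTRY`, which makes it visible in the process list on the runner host. Feeding it on stdin avoids that: `echo "$CI_REGISTRY_PASSWORD" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"`. All three jobs also pin `IMAGE_TAG: 'latest'`, so the deploy job applies whatever image was pushed most recently under that mutable tag, not necessarily the one this pipeline built and tested. Tagging with a per-commit value such as `$CI_COMMIT_SHORT_SHA` would tie the deployed image to the tested build.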
src/l3_centralizedattackdetector/service/l3_centralizedattackdetectorServiceServicerImpl.py +1 −1 Original line number Diff line number Diff line Loading @@ -506,7 +506,7 @@ class l3_centralizedattackdetectorServiceServicerImpl(L3Centralizedattackdetecto self.l3_ml_model_confidence_crypto = ( self.l3_ml_model_confidence_crypto * (self.l3_inferences_in_interval_counter_crypto - 1) + cryptomining_detector_output["confidence"] ) / self.l3_inferences_in_interval_counter_crypt ) / self.l3_inferences_in_interval_counter_crypto if connection_info not in self.l3_attacks: self.l3_attacks.append(connection_info) Loading