Merge pull request #19 from ruomengh/ccnp-deploy-update

Update CCNP deployment doc and scripts to adopt container measurement

deployment/docker-compose/README.md

@@ -115,7 +115,7 @@ SUCCESS: Example Container Deleted
 
 ```
 
-The example container will launch and stop automatically, and save the measurement log in `/tmp/docker_ccnp/measurement.log`. The log file is similar to the [sample file](../../docs/sample-output-for-node-measurement-tool-full.txt).
+The example container will launch and stop automatically, and save the measurement log in `/tmp/docker_ccnp/measurement.log`. The log file is similar to the [sample file](../../docs/sample-output-for-container-measurement.txt).
 
 The script provides some options. 
 

deployment/kubernetes/README.md

@@ -25,7 +25,8 @@ The following scripts can help to generate CCNP images and deploy them in the TD
 
 - [build.sh](../../container/build.sh): The tool will build docker images and push them to remote registry if required.
 - [deploy-ccnp.sh](../kubernetes/script/deploy-ccnp.sh): The tool will deploy CCNP services as DaemonSet on TDs in the K8S cluster.
-- [deploy-and-exec-ccnp-example.sh](../kubernetes/script/deploy-and-exec-ccnp-example.sh): The tool will deploy an example pod and show getting event logs, measurement and perform verification using CCNP in the pod.
+- [deploy-ccnp-example.sh](../kubernetes/script/deploy-ccnp-example.sh): The tool will deploy an example pod with CCNP SDK installed.
+- [exec-ccnp-example.sh](../kubernetes/script/exec-ccnp-example.sh): The tool will show getting event logs, measurement and perform verification using CCNP in the pod.
 - [prerequisite.sh](../kubernetes/script/prerequisite.sh): This tool will complete the prerequisites for deploying CCNP on Ubuntu. For other platforms, you can follow the section below.
 
 ### Prerequisite
@@ -106,16 +107,33 @@ At this step, CCNP has been installed successfully. For more detailed informatio
 
 
 ## CCNP Usage Example
-The script [deploy-and-exec-ccnp-example.sh](../kubernetes/script/deploy-and-exec-ccnp-example.sh) is an example of using CCNP to collect event log, measurement and perform verification in a pod.
+The script [deploy-ccnp-example.sh](../kubernetes/script/deploy-ccnp-example.sh) will deploy an example pod with CCNP SDK installed.
+The script [exec-ccnp-example.sh](../kubernetes/script/exec-ccnp-example.sh) will use CCNP SDK to collect event log, measurement and perform verification in the example pod.
+
+- Deploy example pod
 ```
 $ cd script
-# Specify the registry name and tag used in image building
-$ sudo ./deploy-and-exec-ccnp-example.sh -r <remote-registry> -g <tag>
 
-# You can also specify which integrity measurement register (RTMR in the case of Intel TD) to verify
-# e.g. Show RTMR[1] and RTMR[2] using below command
-$ sudo ./deploy-and-exec-ccnp-example.sh -r <remote-registry> -g <tag> -i '1 2'
+# Deploy CCNP example pod
+$ sudo ./deploy-ccnp-example.sh -r <remote-registry> -g <tag>
+```
+
+- Get Pod measurement, event logs, CC report and verify event logs using CCNP SDK.
+
+```
+# Get measurement
+$ sudo ./exec-ccnp-example.sh -m
+
+# Get event logs
+$ sudo ./exec-ccnp-example.sh -e
+
+# Get CC report
+$ sudo ./exec-ccnp-example.sh -r
+
+# Verify event logs with measurements
+$ sudo ./exec-ccnp-example.sh -v
+
 ```
 
-The example output of verification can be found at [sample-output-for-node-measurement-tool-full.txt](../../docs/sample-output-for-node-measurement-tool-full.txt) and
-[sample-output-for-node-measurement-tool-selected.txt](../../docs/sample-output-for-node-measurement-tool-selected.txt).
+The example output of verification can be found at [sample-output-for-container-measurement.txt](../../docs/sample-output-for-container-measurement.txt) and
+[sample-output-for-container-eventlog.txt](../../docs/sample-output-for-container-eventlog.txt).

deployment/kubernetes/manifests/ccnp-example-deployment.yaml

@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: ccnp-example
+  namespace: ccnp
 spec:
   selector:
     matchLabels:

deployment/kubernetes/script/deploy-and-exec-ccnp-example.sh → deployment/kubernetes/script/deploy-ccnp-example.sh

@@ -1,6 +1,5 @@
 #!/bin/bash
-# Script to deploy and execute CCNP example container
-# Attach the RTMR index after the script during execution to verify selected register
+# Script to deploy CCNP example pod
 
 set -e
 
@@ -9,12 +8,12 @@ DEFAULT_TAG=latest
 TEMP_MANIFEST_FILE=/tmp/ccnp-example-deployment.yaml
 DELETE_DEPLOYMENT=false
 
-usage() { echo "Usage: $0 [-r <registry-prefix>] [-g <image-tag>] [-d delete existing deployment] [-i <register-index-to-verify>]"; exit 1; }
-while getopts ":r:g:i:dh" option; do
+
+usage() { echo "Usage: $0 [-r <registry-prefix>] [-g <image-tag>] [-d delete existing deployment] [-m get measurement] [-e get event logs] [-q get cc report] [-v verify event logs]"; exit 1; }
+while getopts ":r:g:i:dmervh" option; do
         case "${option}" in
             r) registry=${OPTARG};;
             g) tag=${OPTARG};;
-            i) index=${OPTARG};;
             d) DELETE_DEPLOYMENT=true;;
             h) usage;;
             *) echo "Invalid option: -${OPTARG}" >&2
@@ -23,7 +22,7 @@ while getopts ":r:g:i:dh" option; do
         esac
     done
 
-echo "Step 1:  Deploy CCNP example for container measurement in Kubernetes"
+echo "Deploy CCNP example for container measurement in Kubernetes"
 # replace registry and image tag according to user input
 cp ../manifests/ccnp-example-deployment.yaml $TEMP_MANIFEST_FILE
 if [[ -n "$registry" ]]; then
@@ -57,8 +56,3 @@ if [[ -z "$POD_NAME" ]]; then
     echo "No ccnp-example pod with status running! Please check your deployment."
     exit 1
 fi
-echo ""
-
-echo "Step 2:  Execute ccnp_example.py"
-IFS=' ' read -r -a arr <<< "${index}"
-kubectl exec -it "$POD_NAME" -- ccnp_example.py "${arr[@]}"

deployment/kubernetes/script/deploy-ccnp.sh

@@ -72,15 +72,19 @@ function deploy_ccnp {
     # Generate temporary yaml files for deployment
     mkdir -p temp_manifests
     cp deployment/kubernetes/manifests/* temp_manifests/
-    cp device-plugin/ccnp-device-plugin/deploy/helm/ccnp-device-plugin/values.yaml temp_manifests/
+
+    mkdir temp_manifests/ccnp-device-plugin
+    cp -r device-plugin/ccnp-device-plugin/deploy/helm/ccnp-device-plugin/* temp_manifests/ccnp-device-plugin/
 
     # If private repo is used, modify the images' names in the yaml files
     if [[ -n "$registry" ]]; then
-        sed -i  "s#${DOCKER_REPO}#${registry}#g" temp_manifests/*
+        sed -i  "s#${DOCKER_REPO}#${registry}#g" temp_manifests/*.yaml
+        sed -i  "s#${DOCKER_REPO}#${registry}#g" temp_manifests/ccnp-device-plugin/values.yaml
     fi
 
     if [[ "$tag" != "latest" ]]; then
-        sed -i  "s#latest#${tag}#g" temp_manifests/*
+        sed -i  "s#latest#${tag}#g" temp_manifests/*.yaml
+        sed -i  "s#latest#${tag}#g" temp_manifests/ccnp-device-plugin/values.yaml
     fi
 
     # Deploy CCNP Dependencies
@@ -89,7 +93,7 @@ function deploy_ccnp {
     helm install $NFD_NAME  nfd/node-feature-discovery --namespace $NFD_NS --create-namespace
 
     kubectl apply -f  device-plugin/ccnp-device-plugin/deploy/node-feature-rules.yaml
-    helm install ccnp-device-plugin  device-plugin/ccnp-device-plugin/deploy/helm/ccnp-device-plugin
+    helm install ccnp-device-plugin  temp_manifests/ccnp-device-plugin
 
     # Deploy CCNP services
     echo "-----------Deploy ccnp namespace..."

deployment/kubernetes/script/exec-ccnp-example.sh

@@ -0,0 +1,52 @@
+#!/bin/bash
+# Script to execute CCNP example pod
+
+set -e
+
+MEASUREMENT=false
+EVENTLOG=false
+CC_REPORT=false
+VERIFY=false
+
+usage() { echo "Usage: $0 [-m get measurement] [-e get event logs] [-r get cc report] [-v verify event logs]"; exit 1; }
+while getopts ":mervh" option; do
+        case "${option}" in
+            m) MEASUREMENT=true;;
+            e) EVENTLOG=true;;
+            r) CC_REPORT=true;;
+            v) VERIFY=true;;
+            h) usage;;
+            *) echo "Invalid option: -${OPTARG}" >&2
+               usage
+               ;;
+        esac
+    done
+
+echo "Exeute the script to get measurement, event log and CC report"
+
+POD_NAME=$(kubectl get po -n ccnp | grep -i ccnp-example | grep Running | awk '{ print $1 }')
+
+if [[ -z "$POD_NAME" ]]; then
+    echo "No ccnp-example pod with status running! Please check your deployment."
+    exit 1
+fi
+
+if [ $MEASUREMENT == true ]; then
+    echo "==> Get Measurements"
+    kubectl exec -it "$POD_NAME" -- python3 ccnp_example.py -m
+fi
+
+if [ $EVENTLOG == true ]; then
+    echo "==> Get Event logs"
+    kubectl exec -it "$POD_NAME" -- python3 ccnp_example.py -e
+fi
+
+if [ $CC_REPORT == true ]; then
+    echo "==> Get CC_REPORT"
+    kubectl exec -it "$POD_NAME" -- python3 ccnp_example.py -r
+fi
+
+if [ $VERIFY == true ]; then
+    echo "==> Verify event logs"
+    kubectl exec -it "$POD_NAME" -- python3 ccnp_example.py -v
+fi

deployment/kubernetes/script/prerequisite.sh

@@ -40,11 +40,6 @@ function check_env {
         CCNP_UDS=flase
         echo "Skip: CCNP uds dir has been prepared."
     fi
-
-    # Set read permission of CCEL table and IMA measurement
-    chmod 444 /sys/firmware/acpi/tables/data/CCEL
-    chmod 444 /sys/kernel/security/ima/ascii_runtime_measurements
-    chmod 444 /sys/firmware/acpi/tables/CCEL
 }
 
 function install_docker {