Hi Tal / All,

Thanks for starting this thread to address this important issue, and I second both Tal's & Michael's views as well. In fact, we are now currently breaking our heads to bring up ONAP "behind corporate proxies", and almost 80% of the operational issues which we always run into are these internet dependencies.

Back at the Beijing summit, a topic related to "Offline OOM" was presented; however, we are unable to find more information on that to try it out locally. As of now we are hitting trial-and-run to find direct & indirect dependencies to bring each container image, and trying our best to cache & limit our dependencies on the outside internet. Needless to say, this is the case for our lab, and now just imagine the production scenario where our Ops would go mad if we ask them to open the world for ONAP.

As Tal rightly pointed out, we do have a curated list of preferred OS, library stacks and port lists, and for anything that overrides this list we have to go through a long list of approval chains in order to get it onto the accepted list. While I'm excited about the notion of building container images based on a preferred base, I'm also getting scared about the possibility of unearthing new unseen issues due to this base change, which would have skipped through community hardening, as they would have no idea how we would intend to cook the container locally. Worst case, if there is a vulnerability introduced in these base packages, how would these get tracked, fixed and updated, and how many different permutations & combinations can that lead to?

I guess we have opened Pandora's box and a lot of surprises are awaiting us.

BR,
Viswa

<http://www.verizon.com>
Viswanath Kumar Skand Priya
Senior Architect
Technology, Architecture & Planning

On Fri, Aug 17, 2018 at 6:59 AM Michael Still <[email protected]> wrote:

> On Fri, Aug 10, 2018 at 5:17 AM Tal Liron <[email protected]> wrote:
>
>> Hi everyone,
>>
>> My colleague Leif Madsen and I have done some research and I'd like to
>> present our conclusions as an opening to discussion. If there's interest in
>> this, we are happy to also do a proof-of-concept to show how this would
>> look in practice.
>>
>
> Thanks for starting this thread -- I think it's an important conversation
> and one I am personally interested in helping out with, especially if we
> can get over the desire to have meetings in the middle of the night.
>
> I think there's another factor in play here that I want to make sure is on
> your radar. I don't know about in other countries, but I am yet to
> encounter a non-trivial enterprise in Australia which gives their
> production environments internet access. At the moment several ONAP
> components run shell scripts on start which pull packages from the internet
> (either OS packages, or python pip packages). This simply won't work in many
> production environments -- as well as meaning that operations staff don't
> know what version of the software they're running any more.
>
> I'd like to see those dependencies pushed into the container images more
> formally during the build process. Perhaps that's something we can solve at
> the same time?
>
> Thanks,
> Michael
