SDEWAN Leverage SGX to provide Secure Access Service Edge

SD-WAN handles the network connectivity issues between distributed applications in a seamless, secure, and efficient manner by replacing traditional branch routers with virtualized or appliance-based software. However, as the concept of edge prevails recently, distributed applications are usually deployed across multiple resource-constrained k8s edges. Then how to expose the services and manage the connections in a cloud-native way becomes a critical issue for users. The open-source project Software Define Edge WAN(SD-EWAN) under the Akraino community’s ICN blueprint is definitely a comprehensive solution.

SDEWAN Setup

SDEWAN: Setup by pull mode Version requirement: ​ Ubuntu: 20.04 ​ scc: build from https://github.com/intel-sandbox/akraino-sdewan/tree/rc-22.06 ​ cnf: docker pull integratedcloudnative/sdewan-cnf:0.5.3 crd-controller: docker pull integratedcloudnative/sdewan-controller:0.5.3 0.Create an Github repo for pull mode ​ Create an Github repo for SDEWAN pull mode, for example: https://github.com/airren/flux ​ Next, prepare an Personal access tokens for SDEAN to access the repo. Update your repo info and token to this file SDEWAN-SetUp/ewo-tools/cluster-sync-object.yaml. 1# SDEWAN-SetUp/ewo-tools/cluster-sync-object.yaml 2--- 3# creating cluster-sync-obj 4version: ewo/v1 5resourceContext: 6anchor: overlays/overlay1/cluster-sync-objects 7metadata: 8name: cso2 9description: 10userData1: 11userData2: 12spec: 13kv: 14- gitType: github 15- userName: Airren # change to your own github username 16- gitToken: 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 # change to your own 17- repoName: flux # change to your own 18- branch: main Update the GITHUB_TOKEN in SDEWAN-SetUp/setup_flux.

SDEWAN SGX Test Environment

Prepare Machine 1sudo ip route add default via 10.0.11.100 dev eno1 2 3cat <<EOF | sudo tee /etc/resolv.conf 4nameserver 127.0.0.53,10.248.2.5 5options edns0 trust-ad 6search sh.intel.com 7EOF 8 9sudo vi /etc/netplan/00-installer-config.yaml 10network: 11 ethernets: 12 eno1: 13 dhcp4: true 14 nameservers: 15 addressses: [10.248.2.5] 16 version: 2 17 18 19 20git clone -b sgx http://sdewan.sh.intel.com:10880/airren/SDEWAN-SetUp.git 21 22 23 24 25apt-cache search linux-image 26sudo apt-get install linux-image-your_version_choice linux-headers-your_version_choice linux-image-extra-your_version_choice 27 28# must reboot you machine 29sudo apt update && sudo apt install -y linux-image-5.

Service function chain

1node-1 10.151.128.13 2node-2 10.151.128.14 1# Hub 2ip rule add iif vti_192.169.0.1 lookup 51 3ip rule add iif vti_192.169.0.2 lookup 51 4ip route add default via <net pod> dev net1 table 51 5#ip route add default via 10.151.128.13 dev net1 table 51 6 7# Node-1 8ip route add 192.169.0.0/24 via 10.151.128.14 dev net1 9 10# Node-2 11ip route add 192.169.0.0/24 via 10.151.128.12 dev net1 12 13 14sysctl -w net.ipv4.ip_forward=1 15 echo 1 > /proc/sys/net/ipv4/ip_forward

String 字符串

计算生物学家的一项工作就是根据密码将DNA转换为由4个碱基组成的非常长的字符串。 Knuth、Morris、Pratt 子字符串查找算法，这些经典算法的基础是两个基本概念：形式语言和确定有限状态自动机。 JACA 安装配置

strongswan

When reading/adjusting any StrongSwan configurations, remember these important words: left is local to the machine it’s stated on; right is remote in the same manner So, on the server side, left is local to the server and on the client side, left is local to that client. check the X509 cert details 1openssl x509 -text -noout -in /etc/ipsec.d/private/sunKey.pem ​ Ubuntu Set up IPsec Tunnel 1docker run --rm -d -i --network host --name cnf --user root -v /home/ubuntu/entrypoint.

StrongWAN configure with CNF.

Download the material 1wget -r -N -nd http://sdewan.sh.intel.com:8888/ipsec-demo/ modify the node selector in cnf-1.yaml and cnf-2.yaml respectively. Create 2 pod on different node with host network. 1 nodeSelector: 2 # change to the specific node 3 kubernetes.io/hostname: node Copy cert to the CNF Pod. Find the container id for cnf-1 and cnf-2. 1# For cnf-1, copy sunCert to it 2docker cp ./cert/caCert.pem $(kubectl describe po cnf-1|grep docker:|awk -F / '{print $3}'):/etc/ipsec.

ToDoList

CNCN 项目的几个阶段 Libos NIO BIO DMA是什么 sr-iov ebpf ovs cilium calico flannel ipsec GRE 两个方向，一个是存储，一个是网络 1、有dpdk、ebpf、ovs、lvs、nginx、hyperplane等系统研发经验； 2、有智能网卡、硬件卸载、P4等高性能网络研发经验； 3、有VPC、NAT、负载均衡等云网络产品研发经验。 GRE/VxLAN/OpenFlow等协议； ESXI8.0 license: 4V492-44210-48830-931GK-2PRJ4

toha theme update

Sidecar category update Image URL Update Variable site 开头的变量 {{ if site.IsMultiLingual }} Section Menu for Lazy Bloggers To enable this menu, configure sectionPagesMenu in your site config: 1sectionPagesMenu = "main"

Unix Init

Tools 1apt install vim git tmux golang Vim 1# ~/.vimrc 2cat <<EOF | tee -a ~/.vimrc 3set nu 4syntax on 5inoremap jj <ESC> 6 7 8set fileencodings=utf-8,ucs-bom,gb18030,gbk,gb2312,cp936 9set termencoding=utf-8 10set encoding=utf-8 11 12" show existing tab with 4 spaces width 13set tabstop=4 14" when indenting with '>', use 4 spaces width 15set shiftwidth=4 16" On pressing tab, insert 4 spaces 17set expandtab 18 19EOF oh my zsh 1sudo apt install -y zsh 2sh -c "$(wget https://raw.

User Kuberbuilder to create a CRD operator

Develop Environment Kind kind is a tool for running local Kubernetes clusters using Docker container “nodes”. kind was primarily designed for testing Kubernetes itself but may be used for local development or CI. 1kind load docker-image --name <kind-cluster-name> --nodes <node-name> <image-name>:latest Certmangaer 1helm repo add jetstack https://charts.jetstack.io 2helm repo update 3helm install \ 4 cert-manager jetstack/cert-manager \ 5 --namespace cert-manager \ 6 --create-namespace \ 7 --version v1.10.1 \ 8 --set installCRDs=true Question

VPC