Feature/trace-collector-service

[sankalpatimilsina12]

This adds a dockerized trace collection service.

1. The directory has been renamed from the original ndntdump-exp-2023 to generic traces which will be present on the host and will contain collected traces.
2. The image is under ghcr, tagged and is under a username, happy to upload elsewhere.

Source repository: https://github.com/tntech-ngin/ndn-traffic-capture-scripts/tree/feature/docker

[Pesa]

Please squash the commits.

[yoursunny]

Do you really need write access to the ${PWD}/dist/nlsr folder?

[sankalpatimilsina12]

I was trying to figure this out, we need the nlsr.conf file, but the read access should be enough.

[Pesa]

This was a semi-hack we had in the old scripts to get a unique "node name", IIRC. I think we can do better now with the new framework, e.g. pass the name to the container via env or something...

[Pesa]

@pulsejet what's the easiest way to pass the site from host_vars to the container?

[pulsejet]

Create a new config template, have the container read off it.

[sankalpatimilsina12]

The latest commit has an entrypoint.sh.j2 template which directly reads site name.

[yoursunny]

As discussed in 2025-02-28 meeting, the SSH key pair should be handled as follows:

• trace-collector should not use the SSH key pair that belongs to the operator or assume its existence.
• trace-collector should mount a Docker volume that contains its own SSH key pair (for convenience, it could be mounted at /root/.ssh).
• The public key of the trace-collector's key pair should be published through file-server. This could be achieved by mounting a sub-directory of what's served by the file-server (for example, ${PWD}/dist/file-server/trace-collector-pubkey).

Upon service start, the entrypoint script should perform the following:

1. If the SSH key pair does not exist in the mountpoint of the Docker volume, generate a key pair noninteractively.
2. Copy the public key to a directory published by the file-server. This should be done unconditionally, even if the key pair wasn't generated in this session, because it is possible that last time the container crashed between key pair generation and copying.
3. Invoke the main script.

After the first run of the service, the public key of a router shall be retrievable with ndncat command:

ndncat get-segmented /ndn/edu/neu/file-server/trace-collector-pubkey/id_ed25519.pub

[sankalpatimilsina12]

The entrypoint.sh.j2 has the included flow as discussed. I have added two persistent volume claims for dump and ssh storage, which were added for preserving keys and dumps. The flow was locally verified at my end.

1. Site is read in the template and cleaned. Eg. /edu/memphis get converted to edu_memphis.
2. Ssh keys are generated if not already present and copied to fileserver's subdirectory for trace-collector.
3. Main script is then invoked with the cleaned site name.
4. Commits squashed.

If we just mount ssh and dump subdirectories under the trace-collector ($PWD/dist/trace-collector/.ssh, etc.), it probably should be enough instead of asking persistent volumes. Please suggest what's best. @pulsejet

[Pesa]

ssh-keygen should already take care of this, no?

[Pesa]

can we use ed25519 instead of rsa?

[Pesa]

Just set this to the directory instead of the file name, it seems simpler. The file name should just be the standard one used by openssh (e.g. id_rsa.pub or id_ed25519.pub).

The same applies to the previous two variables. Specifying the file name seems pointless unless there's a way to pass a different identity to the container. If we don't have a use case for this, just keep it simple and use the default openssh naming conventions.

[sankalpatimilsina12]

The file name has been referenced multiple times in the script: Checking existence, non-interactive generation with the file name specified, and during copying. Should we keep the private and public key variables? The export path I believe can just be a directory name.

[Pesa]

Should we keep the private and public key variables?

If you prefer to use a variable, that's fine. But one variable for the private key should be enough, the public key name should always be privatekey + .pub per openssh conventions.

The export path I believe can just be a directory name.

On second thought, we should really avoid using a dot in the NDN name of the pubkey (e.g. id_rsa.pub) because one dot becomes four dots in NDN URI syntax, which is quite ugly. I'd say just use the directory name trace-collector-pubkey as the actual key name. I don't think we need a subdir for this.

[yoursunny]

one dot becomes four dots in NDN URI syntax

False.
One dot becomes four dots only if the component consists solely of dots.

[sankalpatimilsina12]

If you prefer to use a variable, that's fine. But one variable for the private key should be enough, the public key name should always be privatekey + .pub per openssh conventions.

Sure.

[Pesa]

is there an actual dependency on the file server?

[sankalpatimilsina12]

I put this there I think from a documentary perspective, there is no actual dependency. It should be just nfd.