Skip to content

Latest commit

 

History

History
737 lines (593 loc) · 46.3 KB

README.md

File metadata and controls

737 lines (593 loc) · 46.3 KB

tmos-cloudinit

Cloudinit Modules and Patching for F5 TMOS

F5 TMOS is a secured operating system designed for deployment as a network appliance. While TMOS utilizes a CentOS-based kernel and linux-based control processes to bootstrap and configure distributed networking microkernels, it has been highly customized from typical linux distributions.

Linux distributions use a standard bootstrapping agent known as cloudinit to integrate cloud infrastructure metadata with the system's init processes.

Starting with TMOS v13, TMOS inluded a version of cloudinit, but due to TMOS customizations, only the following cloudinit modules were enabled available:

  • bootcmd
  • write_file
  • runcmd

Through the use of these cloudinit modules, various combinations of bash, javascript, and python onboard scripting were evolved within specific cloud ecosystems. TMOS onboarding templates were created for various IaaS environments. The templates created the necessary provisioning scripts to glean instance metadata from sources unique to each IaaS environment.

To standardize TMOS orchestration efforts, F5 created a service framework capable of extending TMOS' REST provisioning called iControl LX. Supported iControl LX extensions that provide base TMOS system provisioning (f5-declarative-onboaring) and TMM service provisioning (f5-appsvcs-extension) are evolving to support a catalog of deployment use cases. These and other extensions make up the F5 Automation and Orchestration (A & O) toolchain.

The cloudinit modules found in this repository unify TMOS cloudinit agent support with iControl LX extensions. Each of these modules supports the publishing and installation of iControl LX extensions for use in TMOS orchestration. They are experimental cloudinit modules that extend TMOS support for static management interface provisioning, provisioning of TMM interfaces through DHCPv4, and total system network provisioning gleaned from TMOS standard network_data.json metadata.

The cloudinit modules included in this repository need to be file-injected into standard TMOS v13+ images before they can be used.

Patching BIG-IP Virtual Edition Images to Install Cloudinit Modules - Using a Docker Instance

This repository includes a Dockerfile and patch scripts that enable you to build a Docker instance capable of patching standard images from downloads.f5.com so that they will include additional cloudinit modules and iControl LX extensions.

From the F5 Downloads site, download all image(s) you wish to patch with these cloudinit modules to a directory available as a volume mount to your docker instance (see mounts below).

ls /data/BIGIP-14.1
BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-ide.ova
BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.qcow2.zip
BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-scsi.ova
BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.vhd.zip
BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide.ova
BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-scsi.ova
BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.qcow2.zip
BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.vhd.zip

You can also prepare a directory that contains any iControl LX extension package rpm files that you wish to inject into your image. These packages are installed at boot time when any of the tmos-cloudinit modules are enabled.

$ ls /data/iControlLXLatestBuild
f5-appsvcs-3.11.0-3.noarch.rpm
f5-declarative-onboarding-1.4.0-1.noarch.rpm

Note: do not remove the disk images from their archive containers (zip or ova). The utilities in the container do that ase part of the image patching process.

Build the docker image from the tmos_image_patcher Dockerfile.

$ docker build -t tmos_image_patcher:latest tmos_image_patcher

This will download a vanilla Ubuntu 18.04 container, install all the necessary open source utilities required to patch TMOS images, and designate the python script which performs the image patching as the execution entrypoint for the container image.

After the build completes, a docker image will be available locally.

$ docker images | grep tmos_image_patcher
tmos_image_patcher    latest    3416ed456cfe    22 seconds ago    1.38GB

Patched images can then be built by running a tmos_image_builder docker container instance with the correct volume mounts and image_patch_file directory structure defined.

The tmos_image_builder container uses open source tools to:

  • decompress the downloaded TMOS image archive for all archives found in the /TMOSImages volume mount (see mounts below) directory
  • bind the TMOS disk image partitions
  • mount the logical volumes for /config, /usr, /var, and /shared from the bound TMOS file systems
  • copies files specified in the image_path_files file directory structure into the TMOS image
    • the system_python_path is a special designation which will resolve the correct TMOS version's python system path directory and inject files to the resolved directory
  • copies all iControl LX extension rpm files mounted in the /iControlLXPackages volume mount (see mounts below) direcotry to the /shared/rpms/icontrollx_installs TMOS directory, ready for installation when any of the tmos_cloudinit modules are enabled
  • creates a distribution archive ready for upload to your virtualization image storage services

When you run the tmos_image_patcher container from this repository's root directory, it will find the image_path_files directory structure and patch your images with the files found within. This repository's image_path_files directory structure is designed to inject all four of tmos-cloudinit modules and patch the cloud-init configuration file template to load the tmos-cloudinit modules properly when TMOS boots.

The open source tools used in the container are all user space utilities, thus the container requires no special privledges other then write access to the diretory where your downloaded TMOS disk archives are mounted (/TMOSImages see below).

Expected Docker Volume Mounts for the tmos_image_builder Container

The docker container uses the mount points listed below. Your TMOS image archives folder should be mounted as a volume to the container's /TMOSImages directory. Any iControl LX extensions rpm packages you want injected into your image should be mounted to the container's /iControlLXPackages directory.

Docker Volume Mount Required Description
/TMOSImages Yes Path to the directory with the TMOS Virtual Edition archives to patch
/iControlLXPackages No Path to the directory with optional iControl LX RPM packages to inject into the images

Example Mounts

-v /data/BIGIP-14.1:/TMOSImages -v /data/iControlLXLatestBuild:/iControlLXPackages

You can run the image patch script with the Docker run command.

$ docker run --rm -it -v /data/BIGIP-14.1:/TMOSImages -v /data/iControlLXLatestBuild:/iControlLXPackages tmos_image_patcher

2019-05-29 22:43:48,133 - tmos_image_patcher - DEBUG - process start time: Wednesday, May 29, 2019 10:43:48
2019-05-29 22:43:48,133 - tmos_image_patcher - INFO - Scanning for images in: /TMOSImages
2019-05-29 22:43:48,133 - tmos_image_patcher - INFO - TMOS cloudinit modules sourced from: /tmos-cloudinit
2019-05-29 22:43:48,133 - tmos_image_patcher - INFO - Copying iControl LX install packages from: /iControlLXPackages
2019-05-29 22:43:48,133 - tmos_image_patcher - INFO - Patching TMOS /usr file system from: /tmos-cloudinit/image_patch_files/usr
2019-05-29 22:43:48,133 - tmos_image_patcher - DEBUG - extracting /TMOSImages/BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.vhd.zip to /TMOSImages/BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.vhd
2019-05-29 22:44:41,790 - tmos_image_patcher - DEBUG - extracting /TMOSImages/BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.vhd.zip to /TMOSImages/BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.vhd
2019-05-29 22:45:41,653 - tmos_image_patcher - DEBUG - extracting /TMOSImages/BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide.ova to /TMOSImages/BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide
...

Each TMOS image archive will be expanded into a folder containing the patched image. The folder will have the same name as the archive file without the extension. The patched image, in the expanedd folder, will be in the same format as the original. You can utilize the patched images just as you would the originals.

> $ tree /data/BIGIP-14.1
/data/BIGIP-14.1
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-ide
│   └── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-ide.ova
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-ide.ova
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.qcow2
│   └── BIGIP-14.1.0.5-0.0.5.qcow2
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.qcow2.zip
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-scsi
│   └── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-scsi.ova
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT-scsi.ova
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.vhd
│   └── BIGIP-14.1.0.5-0.0.5.vhd
├── BIGIP-14.1.0.5-0.0.5.ALL_1SLOT.vhd.zip
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide
│   └── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide.ova
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-ide.ova
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.qcow2
│   └── BIGIP-14.1.0.5-0.0.5.qcow2
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.qcow2.zip
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-scsi
│   └── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-scsi.ova
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT-scsi.ova
├── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.vhd
│   └── BIGIP-14.1.0.5-0.0.5.vhd
└── BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.vhd.zip

As an example, your patched image could then be uploaded for use in an OpenStack private cloud.

$ openstack image create --disk-format qcow2 --container-format bare --file /data/BIGIP-14.1/BIGIP-14.1.0.5-0.0.5.LTM_1SLOT.qcow2/BIGIP-14.1.0.5-0.0.5.qcow2 OpenStack_BIGIP-14.1.0.5-0.0.5.LTM_1SLOT
+------------------+------------------------------------------------------+
| Field            | Value                                                |
+------------------+------------------------------------------------------+
| checksum         | 4929021d0f045eb91f928f4cf26aeca9                     |
| container_format | bare                                                 |
| created_at       | 2019-05-29T23:23:29Z                                 |
| disk_format      | qcow2                                                |
| file             | /v2/images/c8692af7-66a7-4dd0-8b0a-81506b0b3b74/file |
| id               | c8692af7-66a7-4dd0-8b0a-81506b0b3b74                 |
| min_disk         | 0                                                    |
| min_ram          | 0                                                    |
| name             | OpenStack_BIGIP-14.1.0.5-0.0.5.LTM_1SLOT             |
| owner            | 14910e1a2ed544f7aef81c5019d43f4a                     |
| protected        | False                                                |
| schema           | /v2/schemas/image                                    |
| size             | 5069668352                                           |
| status           | active                                               |
| tags             |                                                      |
| updated_at       | 2019-05-29T23:24:14Z                                 |
| virtual_size     | None                                                 |
| visibility       | shared                                               |
+------------------+------------------------------------------------------+

Once your patched images are deployed in your virtualized environment, you can use cloudinit userdata to handle initial device and service provisioning.

Creating OpenStack Formatted Cloudinit ConfigDrive ISOs - Using a Docker Instance

While IaaS clouds already support mechanisms to supply cloudinit userdata to declare guest instances configurations, some virtualization environments do not. For those environments, an ISO CDROM image can be attached to BIG-IP Virtual Edition guests prior to initial booting. If the ISO image is formatted as a cloudinit ConfigDrive data source, cloudinit modules can still be used, even when the virtualization environemtn does not directly support it.

As an example, VMWare Workstation can be use to deploy a BIG-IP Virtual Edition instance from a patched OVA archive. It will build the instance attributes per the F5-defined OVF, and the instance will be powered off. Prior to starting the instance, the user can add an IDE CDROM drive device and attach a ConfigDrive ISO file.

TMOS supports cloudinit OpenStack ConfigDrive. The ISO CDROM attached needs to have a volume label of config-2 and must follow a specific layout of files, containing a specific JSON file with a specific attribute defined.

/iso (volume label config-2)
└── openstack
    └── latest
        ├── meta_data.json
        ├───────────────────> {"uuid": "a7481585-ee3f-432b-9f7e-ddc7e5b02c27"}
        ├── user_data
        └───────────────────> THIS CAN CONTAIN ANY USERDATA YOU WANT

If you generate an ISO9660 filesystem with Rock Ridge extensions to allow TMOS cloudinit to mount your device and act on your userdata, you can treat any virtualization environment like a properly declared IaaS. You can use any ISO9660 filesystem generation tool you want, as long as it conforms to the standard for the OpenStack ConfigDrive cloudinit data source.

This repository includes a Dockerfile and an ISO9660 generation script, called tmos_configdrive_builder, which will build the CDROM ISO image file with your customized inputs.

You can build the docker image from the tmos_configdrive_builder Dockerfile.

$ docker build -t tmos_configdrive_builder:latest tmos_configdrive_builder

This will use an generic Ubuntu 18.04 image, install all the necessary tools to create ISO image, and designate the python script which creates the ISO image as the execution entrypoint for the container image.

After the build process completes, a docker image will be available locally.

$ docker images|grep tmos_configdrive_builder
tmos_configdrive_builder     latest     23c1d99efdd5     17 seconds ago     274MB

The script takes inputs as environment variables instead of command line arguments. Content, like your declarations or JSON dictionaries, are made available via files in specific directories. Docker consumes these via volume mounts.

The CDROM is built to be used in two modes:

  1. tmos_declared mode - this mode builds f5-declarative-onboarding and, optionally, f5-appsvcs-extensions declarations, phone_home_url, and phone_home_cli variables, into a CDROM ISO usable with the tmos_declared cloudinit module.

  2. Fully explicit mode - this mode builds a CDROM ISO from a fully defined set of user_data, and optionally meta_data.json, vendor_data.json, and network_data.json files. This allows for the construction of any settings in your user_data you want. This can be used to work with any of the modules defined in this repository.

tmos_declared Mode Environment Variables and Files

The following environment variables determine how the CDROM ISO is built:

Environment Variable Required Default Description
DO_DECLARATION_FILE Yes /declarations/do_declaration.json Your f5-declarative-onboarding declaration in a text file. The declaration can be in JSON or YAML format.
AS3_DECLARATION_FILE No /declarations/as3_declaration.json Your f5-appsvcs-extension declaration in a text file. The declaration can be in JSON or YAML format.
PHOME_HOME_URL No None The URL to use as the phone_home_url attributed of the tmos_declared declaration.
PHOME_HOME_CLI No None The URL to use as the phone_home_url attributed of the tmos_declared declaration.
CONFIGDRIVE_FILE Yes /configdrives/configdrive.iso The output ISO file.

The files specified above must be available to the Docker instance, and need to be mounted as volumes by the Docker instance.

Example: If you have a local subfolder declarations directory containing both do_declaration.json and as3_declaration.json, you could create your basic CDROM ISO in the current directory using the following bash shell command.

docker run --rm -it -v $(pwd)/declarations:/declarations -v $(pwd):/configdrives tmos_configdrive_builder
2019-05-30 20:00:59,009 - tmos_image_patcher - INFO - building ISO9660 for tmos_declared module with declarations
2019-05-30 20:00:59,029 - tmos_image_patcher - INFO - adding f5-declarative-onboarding declaration to user_data
2019-05-30 20:00:59,029 - tmos_image_patcher - INFO - adding f5-appsvcs-extensions declaration to user_data
2019-05-30 20:00:59,042 - tmos_image_patcher - INFO - generating OpenStack mandatory ID
2019-05-30 20:00:59,046 - tmos_image_patcher - INFO - output IS09660 file: /configdrives/configdrive.iso
ls ./configdrive.iso
configdrive.iso

To define phone_home_url or phone_home_cli attributes in your tmos_declared declaration, specify them as Docker environment variables.

Expected Docker Volume Mounts

The configdrive ISO builder script expects two mount points. One is a file path to your declarations, either default or explicitly defined by Docker environment variables. The other is the directory to write your ISO file.

Docker Volume Mount Required Description
/declarations Yes Path to the directory containing your declarations
/configdrives Yes Path to the directory to write your ISO files

Example: to create a configdrive.iso file in the current directory which would create metadata for the tmos_declared cloudint module, using declaration files from the ./declarations directory, while explicitly defining a phone_home_url, the Docker run syntax would look like the following.

docker run --rm -it -e PHONE_HOME_URL=https://webhook.site/5f8cd8a7-b051-4648-9296-8f6afad34c93 -v $(pwd)/declarations:/declarations -v $(pwd):/configdrives tmos_configdrive_builder

Explicit Mode Environment Variables and Files

If the script has a USERDATA_FILE or finds a /declarations/user_data file, it will automatically prefer explicit mode.

The other defined optional files METADATA_FILE, VENDORDATA_FILE, and NETWORKDATA_FILE, should conform to the OpenStack metadata standards for use with cloudinit.

Environment Variable Required Default Description
USERDATA_FILE Yes /declarations/user_data Your fully defined user_data to include. See Using F5 TMOS Cloudinit Modules below.
METADATA_FILE No /declarations/meta_data.json Your fully defined instance meta_data to include in JSON format.
VENDOR_FILE No /declarations/vendor_data.json Your fully defined instance vendor_data to include in JSON format.
NETWORKDATA_FILE No /declarations/network_data.json Your fully defined instance network_data to include in JSON format.
CONFIGDRIVE_FILE Yes /configdrives/configdrive.iso The output ISO file.
docker run --rm -it -e USERDATA_FILE=/declarations/instance2224 -v $(pwd)/declarations:/declarations -v $(pwd):/configdrives tmos_configdrive_builder
2019-05-30 20:04:12,158 - tmos_image_patcher - INFO - building ISO9660 configdrive user_data from /declarations/instance2224
2019-05-30 20:04:12,158 - tmos_image_patcher - INFO - generating OpenStack mandatory ID
2019-05-30 20:04:12,163 - tmos_image_patcher - INFO - output IS09660 file: /configdrives/configdrive.iso
ls ./configdrive.iso
configdrive.iso

Using F5 TMOS Cloudinit Modules

F5 TMOS cloudinit modules each include an enabled attribute which must be set to true for any onboard configuration to take place. For the most part, these modules are mutually exclusive, meaning you should only use the one that fits your deployment environment.

All modules log to the common /var/log/f5-cloudinit.log log file on the BIG-IP Virtual Edition instance.

Which Cloudinit Module Should You Use?

Each module handles very specific use cases. Each use case aquires the per-instance configuration data from different resources.

Module Aquires Per-Instance Config From Provisions
tmos_static_mgmt cloudinit YAML declaration Provisions the management interface statically from cloudinit YAML, and then optionally installs iControl LX extensions.
tmos_declared cloudinit YAML declaration Optionally installs iControl LX extensions and then makes f5-declarative-onboarding and f5-appsvcs-extention declarations.
tmos_configdrive_openstack OpenStack metadata, and cloudinit YAML declaration Provisions the management interface from OpenStack metadata, then optionally installs iControl LX extensions. An f5-declarative-onboarding declaration is constructed from OpenStack metadata. Any f5-declarative-onboarding declaration made in the cloudinit YAML is merged with the declaration created from OpenStack metadata. Any attributes defined in the declaration in the cloud YAML overwrites any attribute constructed from the OpenStack metadata. After f5-declarative-onboarding is complete, optionally an f5-appsvcs-extension declaration from the cloudinit YAML delcaration is made.
tmos_dhcpv4_tmm DHCPv4 requests on all interfaces, and cloudinit YAML declaration Provisions the management interface from DHCPv4 lease information, then optionally installs iControl LX extensions. An f5-declarative-onboarding declaration is constructed from DHCPv4 lease information. Any f5-declarative-onboarding declaration made in the cloudinit YAML is merged with the declaration created from DHCPv4 lease information. Any attributes defined in the declaration in the cloud YAML overwrites any attributes constructed from DHCPv4 information. After f5-declarative-onboarding is complete, optionally an f5-appsvcs-extension declaration from the cloudinit YAML delcaration is made.

You should use the module which matches your sources of per-instance configuration data.

The tmos_static_mgmt Cloudinit Module

This cloudinit module extends BIG-IP Virtual Edition to allow for static address assignment provided through cloudinit userdata.

This modules create initialization scripts containing tmsh commands to fulfill the specified configurations. The generated initialization scripts are created in the /opt/cloud/tmos_static_mgmt directory on the BIG-IP device.

Module Attribute Default Description
enabled false Activates ths module
ip none (required) The management IP address or CIDR.
netmask none The management IP netmask, only required if the IP is not CIDR.
gw none The management default gateway IP address.
mtu 1500 The management link MTU.
hostname none The hostname in FQDN format (host and domain) to assign.
nameservers list List of DNS server IP addresses.
searchdomain none A single search domain to assign.
ntpservers list List of NTP server FQDNs or IP addresses.
icontrollx_trusted_sources true Only install iControl LX RPMs which are signed by TMOS trusted keys.
icontrollx_package_urls none List of URLs to download and install iControl LX extension packages before onboarding.
post_onboard_enabled false Enabled the attempt to run a list of commands after onboarding completes.
post_onboard_commands list List of CLI commands to run in order. Execution will halt at the point a CLI command fails.
phone_home_url url Reachable URL to report completion of this modules onboarding.
phone_home_url_verify_tls true If the phone_home_url uses TLS, verify the host certificate.
phone_home_cli cli command CLI command to run when this modules completes successfully.

Note: The tmos_static_mgmt module can be used in conjuction with the tmos_declared module to add managment interface provisioning before iControl LX extension declarations are made.

userdata usage

#cloud-config
tmos_static_mgmt:
  enabled: true
  ip: 192.168.245.100
  netmask: 255.255.255.0
  gw: 192.168.245.1
  mtu: 1450
  icontrollx_trusted_sources: false
  icontrollx_package_urls:
    - https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.3.0-4.noarch.rpm
    - https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.10.0-5.noarch.rpm
    - https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.2.0-1.noarch.rpm
  post_onboard_enabled: true
  post_onboard_commands:
    - tmsh modify sys db ui.advisory.color { value orange }
    - tmsh modify sys db ui.advisory.text { value  'Onboarded with OpenStack Metadata' }
    - tmsh modify sys db ui.advisory.enabled { value true }
    - tmsh modify sys db provision.extramb { value 500 }
    - tmsh modify sys global-settings gui-setup disabled
    - tmsh modify sys provision ltm level minimum
    - tmsh modify sys provision asm level minimum
    - /usr/local/bin/SOAPLicenseClient --basekey KALCE-AHJBL-RFJSD-GGNFG-MFJCDYX
  phone_home_url: https://webhook.site/5f8cd8a7-b051-4648-9296-8f6afad34c93
  phone_home_cli: "curl -i -X POST -H 'X-Auth-Token: gAAAAABc5UscwS1py5XfC3yPcyN8KcgD7hYtEZ2-xHw95o4YIh0j5IDjAu9qId3JgMOp9hnHwP42mYA7oPPP0yl-OQXvCaCS3OezKlO7MsS-ZCTJzuS3sSysIMHTA78fGsXbMgCQZCi5G-evLG9xUNrYp5d3blhMnpHR0dlHPz6VMacNkPhyrQI' -H 'Content-Type: application/json' -H 'Accept: application/json' http://192.168.0.121:8004/v1/d3779c949b57403bb7f703016e91a425/stacks/demo_waf/3dd6ce45-bb8c-400d-a48c-87ac9e46e60e/resources/wait_handle/signal"

The tmos_declared Cloudinit Module

This module assumes the management interface provisioning completes via the default method (DHCPv4 or DHCPv6), but that all other onboard configurations should be handled through f5-declarative-onboarding and f5-appsvcs-extension declarations.

Warning: DHCPv6 does not include interface-mtu support, meaning access to your management interface might not be reliable. IPv6 requires the mgmt interface be set to a minumum of 1280 bytes, but SDN tunnel types might limit it to below the standard 1500 bytes. Use the tmos_static_mgmt in your cloudinit YAML if you need to provision your management interface to make it accessible.

The declarations must be coherent with the deployment environment. As an example, the f5-declarative-onboarding declaration would need to include the internal VLAN and the self_1nic SelfIP classes to properly declare a 1NIC deployment.

This cloudinit module optionally composes f5-declarative-onboarding declarations in the /var/lib/cloud/f5-declarative-onboarding directory on BIG-IP. This declaration is in JSON format.

This cloudinit module optionally composes f5-appsvcs-extension declarations in the /var/lib/cloud/f5-appsvcs-extension directory on the BIG-IP. This declaration is in JSON format.

Module Attribute Default Description
enabled false Activates ths module
icontrollx_trusted_sources true Only install iControl LX RPMs which are signed by TMOS trusted keys
icontrollx_package_urls none List of URLs to download and install iControl LX extension packages before onboarding
do_declaration none YAML formatted f5-declarative-onboarding declaration. This declaration will augment or overwrite the declaration created by resource discovery
as3_declaration none The f5-appsvcs-extension declaration to declare if enabled
phone_home_url url Reachable URL to report completion of this modules onboarding.
phone_home_url_verify_tls true If the phone_home_url uses TLS, verify the host certificate.
phone_home_cli cli command CLI command to run when this modules completes successfully.

Note: It is often simplier to use the set-password cloudinit module (referenced below) to change the default admin and root passwords rather than the f5-declarative-onboarding declaration to change user passwords. Both ways work as designed.

userdata usage

#cloud-config
tmos_declared:
  enabled: true
  icontrollx_trusted_sources: false
  icontrollx_package_urls:
    - "https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.3.0-4.noarch.rpm"
    - "https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.10.0-5.noarch.rpm"
    - "https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.2.0-1.noarch.rpm"
  do_declaration:
    schemaVersion: 1.0.0
    class: Device
    async: true
    label: Cloudinit Onboarding
    Common:
      class: Tenant
      provisioningLevels:
        class: Provision
        ltm: nominal
        asm: nominal
      poolLicense:
        class: License
        licenseType: licensePool
        bigIqHost: licensor.example.openstack.com
        bigIqUsername: admin
        bigIqPassword: admin
        licensePool: BIGIPVEREGKEYS
        reachable: true
        bigIpUsername: admin
        bigIpPassword: admin
      dnsServers:
        class: DNS
        nameServers:
          - 8.8.8.8
        search:
          - example.openstack.com
      ntpServers:
        class: NTP
        servers:
          - 0.pool.ntp.org
          - 1.pool.ntp.org
          - 2.pool.ntp.org
      HA:
        class: VLAN
        mtu: 1450
        interfaces:
          - name: 1.1
            tagged: false
      HA-self:
        class: SelfIp
        address: 1.1.1.106/24
        vlan: HA
        allowService: all
        trafficGroup: traffic-group-local-only
      configsync:
        class: ConfigSync
        configsyncIp: /Common/HA-self/address
      internal:
        class: VLAN
        mtu: 1450
        interfaces:
          - name: 1.2
            tagged: false
      internal-self:
        class: SelfIp
        address: 192.168.40.51/24
        vlan: internal
        allowService: default
        trafficGroup: traffic-group-local-only
      external:
        class: VLAN
        mtu: 1450
        interfaces:
          - name: 1.3
            tagged: false
      external-self:
        class: SelfIp
        address: 192.168.80.56/24
        vlan: external
        allowService: none
        trafficGroup: traffic-group-local-only
      default:
        class: Route
        gw: 192.168.80.1
        network: default
        mtu: 1500
      dbvars:
        class: DbVariables
        ui.advisory.enabled: true
        ui.advisory.color: orange
        ui.advisory.text: This device is under centralized management.
  as3_declaration:
    class: ADC
    schemaVersion: 3.0.0
    label: ASM_VS1
    remark: ASM_VS1
    Sample_app_sec_01:
      class: Tenant
      HTTP_Service:
        class: Application
        template: http
        serviceMain:
          class: Service_HTTP
          virtualAddresses:
            - 192.168.80.51
          snat: auto
          pool: Pool1
          policyWAF:
            use: WAFPolicy
        Pool1:
          class: Pool
          monitors:
            - http
          members:
            - servicePort: 8001
              serverAddresses:
                - 10.10.10.143
            - servicePort: 8002
              serverAddresses:
                - 10.10.10.144
        WAFPolicy:
          class: WAF_Policy
          url: "https://raw.githubusercontent.com/f5devcentral/f5-asm-policy-template-v13/master/owasp_ready_template/owasp-no-autotune.xml"
          ignoreChanges: true
  post_onboard_enabled: true
  post_onboard_commands:
    - "echo 'curl -s http://monitors.internal.local/rebooted' >> /config/startup"
  phone_home_url: "https://webhook.site/5f8cd8a7-b051-4648-9296-8f6afad34c93"
  phone_home_cli: "curl -i -X POST -H 'X-Auth-Token: gAAAAABc5UscwS1py5XfC3yPcyN8KcgD7hYtEZ2-xHw95o4YIh0j5IDjAu9qId3JgMOp9hnHwP42mYA7oPPP0yl-OQXvCaCS3OezKlO7MsS-ZCTJzuS3sSysIMHTA78fGsXbMgCQZCi5G-evLG9xUNrYp5d3blhMnpHR0dlHPz6VMacNkPhyrQI' -H 'Content-Type: application/json' -H 'Accept: application/json' http://192.168.0.121:8004/v1/d3779c949b57403bb7f703016e91a425/stacks/demo_waf/3dd6ce45-bb8c-400d-a48c-87ac9e46e60e/resources/wait_handle/signal"

The application listening at the phone_home_url must accept a POST reqeust. The POST body will be a JSON object with the following format:

{
  "id": "a67d1edb-0a4a-4101-afd1-2fbf04713cfa",
  "version": "14.1.0.1-0.0.7.0",
  "product": "BIGIP",
  "hostname": "waf1primary.local",
  "management": "192.168.245.119/24",
  "installed_extensions": ["f5-service-discovery", "f5-declarative-onboarding", "f5-appsvcs"],
  "as3_enabled": true,
  "do_enabled": true,
  "status": "SUCCESS"
}

The phone_home_cli will only be called if the module runs succesfully, to the degree the provisioning can be synchronized. The phone_home_cli command execution allows for OpenStack Heat and AWS CFT type wait condition resources to be used with their auto-generated curl CLI notifications.

The tmos_configdrive_openstack Cloudinit Module

This cloudinit module requries the use of a ConfigDrive data source and OpenStack file formatted meta_data.json and network_data.json metadata files. This module extends TMOS functionality to include static provisioning of all interfaces (management and TMM) via either network metadata or the use of DHCPv4. This interface includes the ability to augment the configuration data retrieved via metadata and DHCP with additional f5-declarative-onboarding and f5-appsvc-3 declarations. Any supplied f5-declarative-onboarding declarations will be overwritten or will be merged with configuration declarations defined via metadata resource resolution. This module supports both 1NIC and nNIC deployments.

There are implicit declarations of the TMM intefaces names to use for the data plane default route and the configuration synchronization interfaces. If these declarations are omitted, the module will attempt to assign them dynamically based on available network configuration data.

This module creates initialization scripts containing tmsh commands to fulfill the specified configurations. The generated initialization scripts will be created in the /opt/cloud/tmos_configdrive_openstack directory on the device.

This cloudinit module optionally composes f5-declarative-onboarding declarations in the /var/lib/cloud/f5-declarative-onboarding directory. This declaration is in JSON format.

Any attributes in the do_declaration attriute of the cloudinit YAML will be merged into the f5-declarative-onboarding declaration composed from OpenStack metadata. Any declaration attribute defined in the cloudinit YAML will overwrite the same attribute, if present, in the composed declaration.

This cloudinit module optionally composes f5-appsvcs-extension declarations in the /var/lib/cloud/f5-appsvcs-extension directory. This declaration is in JSON format.

Module Attribute Default Description
enabled false Activates ths module
rd_enabled true Automatically create route domains when needed
configsync_interface 1.1 Sets the TMM interface name to use for configsync
default_route_interface none Explicitly define the TMM interface to use for the default route. If unspecified, one will be determined automatically
dhcp_timeout 120 Seconds to wait for a DHCP response when using DHCP for resource discovery
inject_routes true Creates static routes from discovered route resources
icontrollx_trusted_sources true Only install iControl LX RPMs which are signed by TMOS trusted keys
icontrollx_package_urls none List of URLs to download and install iControl LX extension packages before onboarding
do_enable true Enables an attempt to create a f5-declarative-onboarding declaration from discovered resources. If enabled, an asynchronous attempt to declare resouces via f5-declarative-onboarding will be made. If the initial request fails, non-declarative onboarding will resumse
do_declaration none YAML formatted f5-declarative-onboarding declaration. This declaration will augment or overwrite the declaration created by resource discovery
as3_enabled true Enables attempt to declare an application services configuration with f5-appsvcs-extension
as3_declaration none The f5-appsvcs-extension declaration to declare if enabled
post_onboard_enabled false Enable the attempt to run a list of commands after onboarding completes
post_onboard_commands list List of CLI commands to run in order. Execution will halt at the point a CLI command fails.
phone_home_url url Reachable URL to report completion of this modules onboarding.
phone_home_url_verify_tls true If the phone_home_url uses TLS, verify the host certificate.
phone_home_cli cli command CLI command to run when this modules completes successfully.

Warning: f5-declarative-onboarding and f5-appsvcs-extension do not support the use of route domains at this time. You should disable route domain support when attempting to use f5-declarative-onboarding and f5-appsvcs-extension declarations

SSH keys found in the OpenStack meta_data.json file will also be injected as authorized_keys for the root account.

If f5-declarative-onboarding is disbaled, done by setting do_enabled to false, the device onboarding configuration will continue as described in the OpenStack meta_data.json and network_data.json files. f5-appsvcs-extension declarations can be applied with or without f5-declarative-onboarding being enabled.

userdata usage

#cloud-config
tmos_configdrive_openstack:
  enabled: true
  rd_enabled: false
  configsync_interface: 1.1
  default_route_interface: 1.3
  dhcp_timeout: 120
  inject_routes: true
  icontrollx_trusted_sources: false
  icontrollx_package_urls:
    - https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.3.0-4.noarch.rpm
    - https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.10.0-5.noarch.rpm
    - https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.2.0-1.noarch.rpm
  post_onboard_enabled: false
  do_enabled: true
  do_declaration:
    Common:
      class: Tenant
      licenseKey:
        class: License
        licenseType: regKey
        regKey: GJKDM-UJTJH-OJZVX-ZJPEG-XTJIAHI
      provisioningLevels:
        class: Provision
        ltm: nominal
        asm: minimum
  as3_enabled: true
  as3_declaration:
    class: AS3
    action: deploy
    persist: true
    declaration:
      class: ADC
      schemaVersion: 3.0.0
      ...
  phone_home_url: https://webhook.site/5f8cd8a7-b051-4648-9296-8f6afad34c93
  phone_home_cli: "curl -i -X POST -H 'X-Auth-Token: gAAAAABc5UscwS1py5XfC3yPcyN8KcgD7hYtEZ2-xHw95o4YIh0j5IDjAu9qId3JgMOp9hnHwP42mYA7oPPP0yl-OQXvCaCS3OezKlO7MsS-ZCTJzuS3sSysIMHTA78fGsXbMgCQZCi5G-evLG9xUNrYp5d3blhMnpHR0dlHPz6VMacNkPhyrQI' -H 'Content-Type: application/json' -H 'Accept: application/json' http://192.168.0.121:8004/v1/d3779c949b57403bb7f703016e91a425/stacks/demo_waf/3dd6ce45-bb8c-400d-a48c-87ac9e46e60e/resources/wait_handle/signal"

In addition to the delcared elements, this module also supports cloud-config delcarations for ssh_authorized_keys. Any declared keys will be authorized for the TMOS root account.

#cloud-config
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoUPND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ mykey@host

The tmos_dhcpv4_tmm Cloudinit Module

This cloudinit module resolves configuration data for all interfaces (management and TMM) through DHCPv4. All interfaces should be connected to networks with DHCPv4 services. This module supports both 1NIC and nNIC deployments.

There are implicit declarations of the TMM inteface names to use for the data plane default route and the configuration synchronization interfaces. If these declarations are omitted, the module will attempt to assign them dynamically based on available network configuration data.

This module creates initialization scripts containing TMOS tmsh commands to fulfill the specified configurations. The generated initialization scripts are created in the /opt/cloud/tmos_dhcpv4_tmm directory on the device.

This cloudinit module optionally composes f5-declarative-onboarding declarations in the /var/lib/cloud/f5-declarative-onboarding directory. This declaration is in JSON format.

Any attributes in the do_declaration attribute of the cloudinit YAML will be merged into the f5-declarative-onboarding declaration composed from DHCPv4 lease information. Any declaration attribute defined in the cloudinit YAML will overwrite the same attribute, if present, in the composed declaration.

This cloudinit module optionally composes f5-appsvcs-extension declarations in the /var/lib/cloud/f5-appsvcs-extension directory. This declaration is in JSON format.

Module Attribute Default Description
enabled false Activates ths module
rd_enabled true Automatically create route domains when needed
configsync_interface 1.1 Sets the TMM interface name to use for configsync
default_route_interface none Explicitly define the TMM interface to use for the default route. Otherwise one will be determined automatically
dhcp_timeout 120 Seconds to wait for a DHCP response when using DHCP for resource discovery
inject_routes true Creates static routes from discovered route resources
icontrollx_trusted_sources true Only install iControl LX RPMs which are signed by TMOS trusted keys
icontrollx_package_urls none List of URLs to download and install iControl LX extension packages before onboarding
do_enable true Enables attempt to create a f5-declarative-onboarding declaration from discovered resources. If enabled, an asynchronous attempt to declare resouces via f5-declarative-onboarding will be made. If the initial request fails, non-declarative onboarding will resumse
do_declaration none YAML formatted f5-declarative-onboarding declaration. This declaration will augment or overwrite the declaration created by resource discovery
as3_enabled true Enables attempt to declare an application services configuration with f5-appsvcs-extension
as3_declaration none The f5-appsvcs-extension declaration to declare if enabled
post_onboard_enabled false Enable the attempt to run a list of commands after onboarding completes
post_onboard_commands list List of CLI commands to run in order. Execution will halt at the point a CLI command fails.
phone_home_url url Reachable URL to report completion of this modules onboarding.
phone_home_url_verify_tls true If the phone_home_url uses TLS, verify the host certificate.
phone_home_cli cli command CLI command to run when this modules completes successfully.

Warning: f5-declarative-onboarding and f5-appsvcs-extension do not support the use of route domains at this time. You should disable route domain support when attempting to use f5-declarative-onboarding and f5-appsvcs-extension declarations

If f5-declarative-onboarding is disbaled by setting do_enabled to false, the device onboarding configuration will contine as described in the OpenStack meta_data.json and network_data.json files. f5-appsvcs-extension declarations can be applied with or without f5-declarative-onboarding being enabled.

userdata usage

#cloud-config
tmos_dhcpv4_tmm:
  enabled: true
  rd_enabled: false
  configsync_interface: 1.1
  default_route_interface: 1.3
  dhcp_timeout: 120
  inject_routes: true
  icontrollx_trusted_sources: false
  icontrollx_package_urls:
    - https://github.com/F5Networks/f5-declarative-onboarding/raw/master/dist/f5-declarative-onboarding-1.3.0-4.noarch.rpm
    - https://github.com/F5Networks/f5-appsvcs-extension/raw/master/dist/latest/f5-appsvcs-3.10.0-5.noarch.rpm
    - https://github.com/F5Networks/f5-telemetry-streaming/raw/master/dist/f5-telemetry-1.2.0-1.noarch.rpm
  do_enabled: false
  as3_enabled: false
  post_onboard_enabled: true
  post_onboard_commands:
    - tmsh modify sys global-settings gui-setup disabled
    - tmsh modify sys db ui.advisory.color { value orange }
    - tmsh modify sys db ui.advisory.text { value  'Onboarded with OpenStack Metadata' }
    - tmsh modify sys db ui.advisory.enabled { value true }
    - tmsh modify sys db provision.extramb { value 500 }
    - tmsh modify sys provision ltm level minimum
    - tmsh modify sys provision asm level minimum
    - /usr/local/bin/SOAPLicenseClient --basekey KALCE-AHJBL-RFJSD-GGNFG-MFJCDYX
  phone_home_url: https://webhook.site/5f8cd8a7-b051-4648-9296-8f6afad34c93
  phone_home_cli: "curl -i -X POST -H 'X-Auth-Token: gAAAAABc5UscwS1py5XfC3yPcyN8KcgD7hYtEZ2-xHw95o4YIh0j5IDjAu9qId3JgMOp9hnHwP42mYA7oPPP0yl-OQXvCaCS3OezKlO7MsS-ZCTJzuS3sSysIMHTA78fGsXbMgCQZCi5G-evLG9xUNrYp5d3blhMnpHR0dlHPz6VMacNkPhyrQI' -H 'Content-Type: application/json' -H 'Accept: application/json' http://192.168.0.121:8004/v1/d3779c949b57403bb7f703016e91a425/stacks/demo_waf/3dd6ce45-bb8c-400d-a48c-87ac9e46e60e/resources/wait_handle/signal"

In addition to the declared elements, this module also supports cloud-config declarations for ssh_authorized_keys. Any declared keys will be authorized for the TMOS root account.

#cloud-config
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoUPND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ mykey@host

TMOS Cloudinit Modules Support for SSH Keys and Passwords

In addition to the declared elements, these modules also support cloud-config declarations for ssh_authorized_keys using the standard cloudinit cloud-config declaration syntax. Any declared keys will be authorized for the TMOS root account.

additional userdata

#cloud-config
ssh_authorized_keys:
  - ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAGEA3FSyQwBI6Z+nCSjUUk8EEAnnkhXlukKoUPND/RRClWz2s5TCzIkd3Ou5+Cyz71X0XmazM3l5WgeErvtIwQMyT1KjNoMhoJMrJnWqQPOt5Q8zWd9qG7PBl9+eiH5qV7NZ mykey@host

Support Cloudinit set-password

The patched VE image cloudinit configurations template has been altered to support the standard cloudinit set_password module as well. You can change the built-in TMOS admin and root passwords using the following cloudinit cloud-config declarations.

#cloud-config
chpasswd:
  list: |
    root:f5str0ngPa$$word
    admin:f5str0ngPa$$word
  expire: False