OpenStack Heat Template Composition

Heat Orchestration Templates (HOT) for OpenStack's Heat service can quickly grow in length as users need to pile in ever more resources to define their applications. A simple Nova instance requires a small volume at first. Soon it needs a private network, a public network, a software configuration deployment, a load balancer, a deluxe karaoke machine. This means the HOT files get bloated and difficult to read for mere humans. Let's think about why that is.... A template defines the set of resources necessary and sufficient to describe an application. It also describes the dependencies that exist between the resources, if any. That way, Heat can manage the life-cycle of the application without you having to worry about it. Often, the resources in a long template need to be visually grouped together to alert the reader that these things depend on one another and share some common goal (e.g. create a network, subnet, and router). When templates get to this state, we need to start thinking about composition.

Composition in HOT is done in a couple of ways. We will tackle the straight-forward approach first. Much of this material is presented in the official documentation for template composition.

The Parent and Child Templates

We'll often refer to a parent template and child template here. The parent template is the user's view into the Heat stack that defines our application. It's the entrypoint. A parent template contains all of the over-arching components of the application. The child on the other hand may describe a logically grouped chunk of that application. For example, one child template creates the Nova instances that launch BIG-IP devices while another child template creates all the network plumbing for those instances.

Let's look at an example of this. Below is the parent template:

heat_template_test.yaml

heat_template_version: 2015-04-30

description: Setup infrastructure for testing F5 Heat Templates.

parameters:
  ve_cluster_ready_image:
    type: string
    constraints:
      - custom_constraint: glance.image
  ve_standalone_image:
    type: string
    constraints:
      - custom_constraint: glance.image
  ve_flavor:
    type: string
    constraints:
      - custom_constraint: nova.flavor
  use_config_drive:
    type: boolean
    default: false
  ssh_key:
    type: string
    constraints:
      - custom_constraint: nova.keypair
  sec_group_name:
    type: string
  admin_password:
    type: string
    label: F5 VE Admin User Password
    description: Password used to perform image import services
  root_password:
    type: string
  license:
    type: string
  external_network:
    type: string
    constraints:
      - custom_constraint: neutron.network

resources:
  # Plumb the newtorking for the BIG-IP instances
  networking:
    type: heat_template_test_networks.yaml
    properties:
      external_network: { get_param: external_network }
      sec_group_name: { get_param: sec_group_name }
  # Wait for networking to come up and then launch two clusterable BIG-IPs
  two_bigip_devices:
    type: OS::Heat::ResourceGroup
    depends_on: networking
    properties:
      count: 2
      resource_def:
        # Reference a child template in the same directly where the heat_template_test.yaml is located
        type: cluster_ready_ve_4_nic.yaml
        properties:
          ve_image: { get_param: ve_cluster_ready_image }
          ve_flavor: { get_param: ve_flavor }
          ssh_key: { get_param: ssh_key }
          use_config_drive: { get_param: use_config_drive }
          open_sec_group: { get_param: sec_group_name }
          admin_password: { get_param: admin_password }
          root_password: { get_param: root_password }
          license: { get_param: license }
          external_network: { get_param: external_network }
          mgmt_network: { get_attr: [networking, mgmt_network_name] }
          ha_network: { get_attr: [networking, ha_network_name] }
          network_1: { get_attr: [networking, client_data_network_name] }
          network_2: { get_attr: [networking, server_data_network_name] }
  # Wait for networking to come up and launch a standalone BIG-IP
  standalone_device:
    # Reference another child template in the local directory
    type: f5_ve_standalone_3_nic.yaml
    depends_on: networking
    properties:
      ve_image: { get_param: ve_standalone_image }
      ve_flavor: { get_param: ve_flavor }
      ssh_key: { get_param: ssh_key }
      use_config_drive: { get_param: use_config_drive }
      open_sec_group: { get_param: sec_group_name }
      admin_password: { get_param: admin_password }
      root_password: { get_param: root_password }
      license: { get_param: license }
      external_network: { get_param: external_network }
      mgmt_network: { get_attr: [networking, mgmt_network_name] }
      network_1: { get_attr: [networking, client_data_network_name] }
      network_2: { get_attr: [networking, server_data_network_name] }

Now that's still fairly verbose, but its doing some heavy lifting for us. It is creating almost all of the networking needed to launch a set of clusterable BIG-IP devices and a single standalone BIG-IP device. It takes in parameters from the user such as ve_standalone_image and external_network and passes them along to the child that requires them. The child stack then receives those parameters in the same way the template above does, by defining a parameter.

The parent template references the heat_template_test_networks.yaml template directly, expecting the file to be in the same local directory where the parent template is located. This is always created in the type field of a resource. In addition to relative paths, you can also reference another template with an absolute path, or URL.

You can also see the group of responsibilities here. One child stack (heat_template_test_networks.yaml) is building networks, another (cluster_ready_ve_4_nic.yaml) is launching a set of BIG-IP devices ready for clustering and yet another (f5_ve_standalone_4_nic.yaml) is launching a standalone BIG-IP device. Yet the dependencies are apparent in the depends_on property and the intrinsic functions called within that resource (more on that later). You will not successfully launch the standalone device without having the networking in place first, thus the standalone_device resource is dependent upon the networking resource. This means we can easily send data into the networking stack (as a parameter) and now we must get data out to be passed into the standalone_device stack. Let's look at the networking template and see what it defines as its outputs.

heat_template_test_networks.yaml

heat_template_version: 2015-04-30

description: >
    Create the four networks needed for the heat plugin tests along with their subnets and connect them to the testlab router.

parameters:
  external_network:
    type: string
  sec_group_name:
    type: string

resources:
  # Four networks
  client_data_network:
    type: OS::Neutron::Net
    properties:
      name: client_data_network
  server_data_network:
    type: OS::Neutron::Net
    properties:
      name: server_data_network
  mgmt_network:
    type: OS::Neutron::Net
    properties:
      name: mgmt_network
  ha_network:
    type: OS::Neutron::Net
    properties:
      name: ha_network
  # And four accompanying subnets
  client_data_subnet:
    type: OS::Neutron::Subnet
    properties:
      cidr: 10.1.1.0/24
      dns_nameservers: [10.190.0.20]
      network: { get_resource: client_data_network }
  server_data_subnet:
    type: OS::Neutron::Subnet
    properties:
      cidr: 10.1.2.0/24
      dns_nameservers: [10.190.0.20]
      network: {get_resource: server_data_network }
  mgmt_subnet:
    type: OS::Neutron::Subnet
    properties:
      cidr: 10.1.3.0/24
      dns_nameservers: [10.190.0.20]
      network: { get_resource: mgmt_network }
  ha_subnet:
    type: OS::Neutron::Subnet
    properties:
      cidr: 10.1.4.0/24
      dns_nameservers: [10.190.0.20]
      network: { get_resource: ha_network }
  # Create router for testlab
  testlab_router:
    type: OS::Neutron::Router
    properties:
      external_gateway_info:
        network: { get_param: external_network }
  # Connect networks to router interface
  client_data_router_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: testlab_router }
      subnet: { get_resource: client_data_subnet }
  server_data_router_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: testlab_router }
      subnet: { get_resource: server_data_subnet }
  mgmt_router_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: testlab_router }
      subnet: { get_resource: mgmt_subnet }
  ha_router_interface:
    type: OS::Neutron::RouterInterface
    properties:
      router: { get_resource: testlab_router }
      subnet: { get_resource: ha_subnet }
  open_sec_group:
    type: OS::Neutron::SecurityGroup
    properties:
      name: { get_param: sec_group_name }
      rules:
        - protocol: icmp
          direction: ingress
        - protocol: icmp
          direction: egress
        - protocol: udp
          direction: ingress
        - protocol: udp
          direction: egress
        - protocol: tcp
          direction: ingress
          port_range_min: 1
          port_range_max: 65535
        - protocol: tcp
          direction: egress
          port_range_min: 1
          port_range_max: 65535

outputs:
  mgmt_network_name:
    value: { get_attr: [mgmt_network, name] }
  ha_network_name:
    value: { get_attr: [ha_network, name] }
  client_data_network_name:
    value: { get_attr: [client_data_network, name] }
  server_data_network_name:
    value: { get_attr: [server_data_network, name] }

You can see the logical grouping here, and this is where template composition shines. This simple template creates a security group, four networks, four subnets, and ties them together with a router. Even though the heat_template_test.yaml parent template uses this to build its networks for defining its application, another user may decide they want the same networking infrastucture, but they want four standalone devices and eight pairs of clusterable devices. Their only modification would be in the parent template, because the heat_template_test_networks.yaml template describes the set of networks those devices need to connect to. It is important to note that the above template is a fully functioning HOT template all by itself. You can launch it and it will build those four networks.

So how does the data get out of the networking template? The outputs section takes care of that. For attaching BIG-IP devices in the parent template to these networks, all we require is the network name, so the networking template kicks those back up to whomever is curious about such things. We saw the get_param function earlier, and now we can see the use of the get_attr function. In the two_bigip_devices resource, the parent template references the networking resource directly and then it accesses the client_data_network_name attribute (as seen below). This operation retrieves the network name for the client_data_network and passes it into the cluster_ready_ve_4_nic.yaml stack.

network_1: { get_attr: [networking, client_data_network_name] }

With that, we've successfully sent information into a child stack, retrieved it, then sent it into another child stack. This is very useful when working in large groups of users because my heat_template_test_networks.yaml template may benefit others. In time, you can build quite a collection of these concise HOT templates then use a parent template to orchestrate them in many complex ways. Keep in mind however, that HOT is declarative, meaning there are no looping constructs or if/else decisions to decide whether to create seven networks or four. For that, you would need to create two separate templates. As seen in the OS::Heat::ResourceGroup resource for two_bigip_devices however, we can toggle the number of instances launched by that resource at stack creation time. We can simply make the count property of that resource a parameter and the user can decide how many clusterable BIG-IP devices should be launched.

To launch the above template with the python-heatclient:

heat stack-create -f heat_template_test.yaml -P "ve_cluster_ready_image=cluster_ready-BIGIP-11.6.0.0.0.401.qcow2;ve_standalone_image=standalone-BIGIP-11.6.0.0.0.401.qcow2;ve_flavor=m1.small;ssh_key=my_key;sec_group_name=bigip_sec_group;admin_password=pass;root_password=pass;license=XXXXX;external_network=public_net" bigip_test_stack

New Resource Types in Environment Files

The second way to do template composition is to define a brand new resource type in an environment file. The environment in which a Heat stack is launched affects the behavior of that stack. To learn more about environment files, check out the official documentation. We will use them here to define a new resource type. The cool thing about environments is that the child templates looks exactly the same, and only one small change is needed in the parent template. It is the environment in which those stacks launch that changes. Below we are defining a Heat environment file and defining a new resource type in the attribute_registry section.

heat_template_test_environment.yaml

parameters:
  ve_cluster_ready_image: cluster_ready-BIG-IP-11.6.0.0.0.401.qcow2
  ve_standalone_image: standalone-BIG-IP-11.6.0.0.0.401.qcow2
  ve_flavor: m1.small
  ssh_key: my_key
  sec_group_name: bigip_sec_group
  admin_password: admin_password
  root_password: root_password
  license: XXXXX
  external_network: public_net

resource_registry:
  OS::Neutron::FourNetworks: heat_template_test_networks.yaml
  F5::BIGIP::ClusterableDevice: cluster_ready_ve_4_nic.yaml
  F5::BIGIP::StandaloneDevice: f5_ve_standalone_3_nic.yaml

The parent template will now reference the new resource types, which are merely mappings to the child templates. This means the parent template has three new resources to use which are not a part of the standard OpenStack Resource Types. The environment makes all this possible.

heat_template_test_with_environment.yaml

heat_template_version: 2015-04-30

description: Setup infrastructure for testing F5 Heat Templates.

parameters:
  ve_cluster_ready_image:
    type: string
    constraints:
      - custom_constraint: glance.image
  ve_standalone_image:
    type: string
    constraints:
      - custom_constraint: glance.image
  ve_flavor:
    type: string
    constraints:
      - custom_constraint: nova.flavor
  use_config_drive:
    type: boolean
    default: false
  ssh_key:
    type: string
    constraints:
      - custom_constraint: nova.keypair
  sec_group_name:
    type: string
  admin_password:
    type: string
    label: F5 VE Admin User Password
    description: Password used to perform image import services
  root_password:
    type: string
  license:
    type: string
  external_network:
    type: string
    constraints:
      - custom_constraint: neutron.network
  default_gateway:
    type: string
    default: None

resources:
  networking:
    # A new resource
    type: OS::Neutron::FourNetworks
    properties:
      external_network: { get_param: external_network }
      sec_group_name: { get_param: sec_group_name }
  two_bigip_devices:
    type: OS::Heat::ResourceGroup
    depends_on: networking
    properties:
      count: 2
      resource_def:
        # A new resource
        type: F5::BIGIP::ClusterableDevice
        properties:
          ve_image: { get_param: ve_cluster_ready_image }
          ve_flavor: { get_param: ve_flavor }
          ssh_key: { get_param: ssh_key }
          use_config_drive: { get_param: use_config_drive }
          open_sec_group: { get_param: sec_group_name }
          admin_password: { get_param: admin_password }
          root_password: { get_param: root_password }
          license: { get_param: license }
          external_network: { get_param: external_network }
          mgmt_network: { get_attr: [networking, mgmt_network_name] }
          ha_network: { get_attr: [networking, ha_network_name] }
          network_1: { get_attr: [networking, client_data_network_name] }
          network_2: { get_attr: [networking, server_data_network_name] }
  standalone_device:
    # A new resource
    type: F5::BIGIP::StandaloneDevice
    depends_on: networking
    properties:
      ve_image: { get_param: ve_standalone_image }
      ve_flavor: { get_param: ve_flavor }
      ssh_key: { get_param: ssh_key }
      use_config_drive: { get_param: use_config_drive }
      open_sec_group: { get_param: sec_group_name }
      admin_password: { get_param: admin_password }
      root_password: { get_param: root_password }
      license: { get_param: license }
      external_network: { get_param: external_network }
      mgmt_network: { get_attr: [networking, mgmt_network_name] }
      network_1: { get_attr: [networking, client_data_network_name] }
      network_2: { get_attr: [networking, server_data_network_name] }

And here is how we utilize those new resources defined in our environment file. Note that we no longer define all the parameters in the cli call to the Heat client (with the -P flag) because it is set in our environment file.

heat stack-create -f heat_template_test_with_environment.yaml -e heat_template_test_environment.yaml test_env_stack

Resources:

For more information on Heat Resource Types, along with the possible inputs and outputs: http://docs.openstack.org/developer/heat/template_guide/openstack.html

For more examples of how to prepare a BIG-IP image for booting in OpenStack and for clustering those clusterable instances: https://github.com/F5Networks/f5-openstack-heat

Reference Templates:

Below is the two child templates used in the above examples. We developed these on OpenStack Kilo with a BIG-IP image prepared from our github repo above.

f5_ve_standalone_3_nic.yaml

heat_template_version: 2015-04-30

description: This template deploys a standard f5 standalone VE.

parameters:
  open_sec_group:
    type: string
    default: open_sec_group
  ve_image:
    type: string
    constraints:
      - custom_constraint: glance.image
  ve_flavor:
    type: string
    constraints:
      - custom_constraint: nova.flavor
  use_config_drive:
    type: boolean
    default: false
  ssh_key:
    type: string
    constraints:
      - custom_constraint: nova.keypair
  admin_password:
    type: string
    hidden: true
  root_password:
    type: string
    hidden: true
  license:
    type: string
    hidden: true
  external_network:
    type: string
    default: test
    constraints:
      - custom_constraint: neutron.network
  mgmt_network:
    type: string
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_1:
    type: string
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_1_name:
    type: string
    default: network-1.1
  network_2:
    type: string
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_2_name:
    type: string
    default: network-1.2
  default_gateway:
    type: string
    default: None

resources:
  mgmt_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: mgmt_network }
      security_groups: [ { get_param: open_sec_group }]
  network_1_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: network_1 }
      security_groups: [ { get_param: open_sec_group }]
  floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: { get_param: external_network }
      port_id: { get_resource: mgmt_port }
  network_2_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: network_2 }
      security_groups: [ { get_param: open_sec_group }]
  ve_instance:
    type: OS::Nova::Server
    properties:
      image: { get_param: ve_image }
      flavor: { get_param: ve_flavor }
      key_name: { get_param: ssh_key }
      config_drive: { get_param: use_config_drive }
      networks:
        - port: {get_resource: mgmt_port}
        - port: {get_resource: network_1_port}
        - port: {get_resource: network_2_port}
      user_data_format: RAW
      user_data:
        str_replace:
          params:
            __admin_password__: { get_param: admin_password }
            __root_password__: { get_param: root_password }
            __license__: { get_param: license }
            __default_gateway__: { get_param: default_gateway }
            __network_1__: { get_param: network_1 }
            __network_1_name__: { get_param: network_1_name }
            __network_2__: { get_param: network_2 }
            __network_2_name__: { get_param: network_2_name }
          template: |
            {
               "bigip": {
                   "f5_ve_os_ssh_key_inject": "true",
                   "change_passwords": "true",
                   "admin_password": "__admin_password__",
                   "root_password": "__root_password__",
                   "license": {
                       "basekey": "__license__",
                       "host": "None",
                       "port": "8080",
                       "proxyhost": "None",
                       "proxyport": "443",
                       "proxyscripturl": "None"
                   },
                   "modules": {
                       "auto_provision": "false",
                       "ltm": "nominal"
                   },
                   "network": {
                       "dhcp": "true",
                       "selfip_prefix": "selfip-",
                       "vlan_prefix": "network-",
                       "routes": [
                          {
                            "destination": "0.0.0.0/0.0.0.0",
                            "gateway": "__default_gateway__"
                          }
                       ],
                       "interfaces": {
                           "1.1": {
                               "dhcp": "true",
                               "selfip_allow_service": "default",
                               "selfip_name": "selfip.__network_1_name__",
                               "selfip_description": "Self IP address for BIG-IP __network_1_name__ network",
                               "vlan_name": "__network_1_name__",
                               "vlan_description": "VLAN for BIG-IP __network_1_name__ network traffic",
                               "is_failover": "false",
                               "is_sync": "false",
                               "is_mirror_primary": "false",
                               "is_mirror_secondary": "false"
                           },
                           "1.2": {
                               "dhcp": "true",
                               "selfip_allow_service": "default",
                               "selfip_name": "selfip.__network_2_name__",
                               "selfip_description": "Self IP address for BIG-IP __network_2_name__ network",
                               "vlan_name": "__network_2_name__",
                               "vlan_description": "VLAN for BIG-IP __network_2_name__ network traffic",
                               "is_failover": "false",
                               "is_sync": "false",
                               "is_mirror_primary": "false",
                               "is_mirror_secondary": "false"
                           }
                       }
                   }
               }
            }

outputs:
  ve_instance_name:
    description: Name of the instance
    value: { get_attr: [ve_instance, name] }
  ve_instance_id:
    description: ID of the instance
    value: { get_resource: ve_instance }
  floating_ip:
    description: The Floating IP address of the VE
    value: { get_attr: [floating_ip, floating_ip_address] }
  mgmt_ip:
    description: The mgmt IP address of f5 ve instance
    value: { get_attr: [mgmt_port, fixed_ips, 0, ip_address] }
  mgmt_mac:
    description: The mgmt MAC address of f5 VE instance
    value: { get_attr: [mgmt_port, mac_address] }
  mgmt_port:
    description: The mgmt port id of f5 VE instance
    value: { get_resource: mgmt_port }
  network_1_ip:
    description: The 1.1 Nonfloating SelfIP address of f5 ve instance
    value: { get_attr: [network_1_port, fixed_ips, 0, ip_address] }
  network_1_mac:
    description: The 1.1 MAC address of f5 VE instance
    value: { get_attr: [network_1_port, mac_address] }
  network_1_port:
    description: The 1.1 port id of f5 VE instance
    value: { get_resource: network_1_port }
  network_2_ip:
    description: The 1.2 Nonfloating SelfIP address of f5 ve instance
    value: { get_attr: [network_2_port, fixed_ips, 0, ip_address] }
  network_2_mac:
    description: The 1.2 MAC address of f5 VE instance
    value: { get_attr: [network_2_port, mac_address] }
  network_2_port:
    description: The 1.2 port id of f5 VE instance
    value: { get_resource: network_2_port }

cluster_ready_ve_4_nic.yaml

heat_template_version: 2015-04-30

description: This template deploys a standard f5 VE ready for clustering.

parameters:
  open_sec_group:
    type: string
    default: open_sec_group
  ve_image:
    type: string
    label: F5 VE Image
    description: The image to be used on the compute instance.
    constraints:
      - custom_constraint: glance.image
  ve_flavor:
    type: string
    label: F5 VE Flavor
    description: Type of instance (flavor) to be used for the VE.
    constraints:
      - custom_constraint: nova.flavor
  use_config_drive:
    type: boolean
    label: Use Config Drive
    description: Use config drive to provider meta and user data.
    default: false
  ssh_key:
    type: string
    label: Root SSH Key Name
    description: Name of key-pair to be installed on the instances.
    constraints:
      - custom_constraint: nova.keypair
  admin_password:
    type: string
    label: F5 VE Admin User Password
    description: Password used to perform image import services
  root_password:
    type: string
    label: F5 VE Root User Password
    description: Password used to perform image import services
  license:
    type: string
    label: Primary VE License Base Key
    description: F5 TMOS License Basekey
  external_network:
    type: string
    label: External Network
    description: Network for Floating IPs
    default: test
    constraints:
      - custom_constraint: neutron.network
  mgmt_network:
    type: string
    label: VE Management Network
    description: Management Interface Network.
    default: test
    constraints:
      - custom_constraint: neutron.network
  ha_network:
    type: string
    label: VE HA Network
    description: HA Interface Network.
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_1:
    type: string
    label: VE Network for the 1.2 Interface
    description: 1.2 TMM network.
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_1_name:
    type: string
    label: VE Network Name for the 1.2 Interface
    description: TMM 1.2 network name.
    default: data1
  network_2:
    type: string
    label: VE Network for the 1.3 Interface
    description: 1.3 TMM Network.
    default: test
    constraints:
      - custom_constraint: neutron.network
  network_2_name:
    type: string
    label: VE Network Name for the 1.3 Interface
    description: TMM 1.3 network name.
    default: data2
  default_gateway:
    type: string
    label: Default Gateway IP
    default: None
    description: Upstream Gateway IP Address for VE instances

resources:
  mgmt_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: mgmt_network }
      security_groups: [{ get_param: open_sec_group }]
  network_1_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: network_1 }
      security_groups: [{ get_param: open_sec_group }]
  floating_ip:
    type: OS::Neutron::FloatingIP
    properties:
      floating_network: { get_param: external_network }
      port_id: { get_resource: mgmt_port }
  network_2_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: network_2 }
      security_groups: [{ get_param: open_sec_group }]
  ha_port:
    type: OS::Neutron::Port
    properties:
      network: {get_param: ha_network}
      security_groups: [{ get_param: open_sec_group }]
  ve_instance:
    type: OS::Nova::Server
    properties:
      image: { get_param: ve_image }
      flavor: { get_param: ve_flavor }
      key_name: { get_param: ssh_key }
      config_drive: { get_param: use_config_drive }
      networks:
        - port: {get_resource: mgmt_port}
        - port: {get_resource: ha_port}
        - port: {get_resource: network_1_port}
        - port: {get_resource: network_2_port}
      user_data_format: RAW
      user_data:
        str_replace:
          params:
            __admin_password__: { get_param: admin_password }
            __root_password__: { get_param: root_password }
            __license__: { get_param: license }
            __default_gateway__: { get_param: default_gateway }
            __network_1_name__: { get_param: network_1_name }
            __network_2_name__: { get_param: network_2_name }
          template: |
            {
               "bigip": {
                   "ssh_key_inject": "true",
                   "change_passwords": "true",
                   "admin_password": "__admin_password__",
                   "root_password": "__root_password__",
                   "license": {
                       "basekey": "__license__",
                       "host": "None",
                       "port": "8080",
                       "proxyhost": "None",
                       "proxyport": "443",
                       "proxyscripturl": "None"
                   },
                   "modules": {
                       "auto_provision": "false",
                       "ltm": "nominal"
                   },
                   "network": {
                       "dhcp": "true",
                       "selfip_prefix": "selfip-",
                       "routes": [
                          {
                            "destination": "0.0.0.0/0.0.0.0",
                            "gateway": "__default_gateway__"
                          }
                       ],
                       "interfaces": {
                           "1.1": {
                               "dhcp": "true",
                               "selfip_allow_service": "default",
                               "selfip_name": "selfip.HA",
                               "selfip_description": "Self IP address for BIG-IP Cluster HA subnet",
                               "vlan_name": "vlan.HA",
                               "vlan_description": "VLAN for BIG-IP Cluster HA traffic",
                               "is_failover": "true",
                               "is_sync": "true",
                               "is_mirror_primary": "true",
                               "is_mirror_secondary": "false"
                           },
                           "1.2": {
                               "dhcp": "true",
                               "selfip_allow_service": "default",
                               "selfip_name": "selfip.__network_1_name__",
                               "selfip_description": "Self IP address for BIG-IP __network_1_name__",
                               "vlan_name": "__network_1_name__",
                               "vlan_description": "VLAN for BIG-IP __network_1_name__ traffic",
                               "is_failover": "false",
                               "is_sync": "false",
                               "is_mirror_primary": "false",
                               "is_mirror_secondary": "false"
                           },
                           "1.3": {
                               "dhcp": "true",
                               "selfip_allow_service": "default",
                               "selfip_name": "selfip.__network_2_name__",
                               "selfip_description": "Self IP address for BIG-IP __network_2_name__",
                               "vlan_name": "__network_2_name__",
                               "vlan_description": "VLAN for BIG-IP __network_2_name__ traffic",
                               "is_failover": "false",
                               "is_sync": "false",
                               "is_mirror_primary": "false",
                               "is_mirror_secondary": "false"
                           }
                       }
                   }
               }
            }
outputs:
  ve_instance_name:
    description: Name of the instance
    value: { get_attr: [ve_instance, name] }
  ve_instance_id:
    description: ID of the instance
    value: { get_resource: ve_instance }
  mgmt_ip:
    description: The mgmt IP address of f5 ve instance
    value: { get_attr: [mgmt_port, fixed_ips, 0, ip_address] }
  mgmt_mac:
    description: The mgmt MAC address of f5 VE instance
    value: { get_attr: [mgmt_port, mac_address] }
  mgmt_port:
    description: The mgmt port id of f5 VE instance
    value: { get_resource: mgmt_port }
  ha_ip:
    description: The HA IP address of f5 ve instance
    value: { get_attr: [ha_port, fixed_ips, 0, ip_address] }
  ha_mac:
    description: The HA MAC address of f5 VE instance
    value: { get_attr: [ha_port, mac_address] }
  ha_port:
    description: The ha port id of f5 VE instance
    value: { get_resource: ha_port }
  network_1_ip:
    description: The 1.2 Nonfloating SelfIP address of f5 ve instance
    value: { get_attr: [network_1_port, fixed_ips, 0, ip_address] }
  network_1_mac:
    description: The 1.2 MAC address of f5 VE instance
    value: { get_attr: [network_1_port, mac_address] }
  network_1_port:
    description: The 1.2 port id of f5 VE instance
    value: { get_resource: network_1_port }
  network_2_ip:
    description: The 1.3 Nonfloating SelfIP address of f5 ve instance
    value: { get_attr: [network_2_port, fixed_ips, 0, ip_address] }
  network_2_mac:
    description: The 1.3 MAC address of f5 VE instance
    value: { get_attr: [network_2_port, mac_address] }
  network_2_port:
    description: The 1.3 port id of f5 VE instance
    value: { get_resource: network_2_port }
  floating_ip:
    description: Floating IP address of VE servers
    value: { get_attr: [ floating_ip, floating_ip_address ] }
Published Jun 27, 2016
Version 1.0
  • In my experience Openstack tenant instances that source or receive traffic from/to IPs not tied to a neutron net/port are denied by the default port security. This is the case of traffic from/to VS in LTM. To work around this I usually disable port security when creating the network:

     

    client_data_network: type: OS::Neutron::Net properties: name: client_data_network port_security_enabled: False

     

    or the more safe approach of using allowed_address_pairs with the port and declaring all the VS IP addresses that I'm planning to use.