OpenStack in a backpack - how to create a demo environment for F5 Heat Plugins, part 3

Part 3 – F5 Heat Plugins installation and BIG-IP VE onboarding

This article demonstrates how to install the F5 Heat Plugins and onboard a BIG-IP VE image into OpenStack Mitaka using F5 Heat templates.

Before you get started, please review the installation instructions for the F5 Heat plugins ( to ensure you’re using the latest version. The instructions provided in this article are current at the time of posting.

Install the F5 Heat Plugins

Run the following commands on the heat service node. Root privileges are required.

  1. Install the Python installation tool (pip):
    yum -y install python-pip
  2. Install the F5 Heat plugins.
    pip install f5-openstack-heat-plugins
  3. Make the Heat plugins directory (NOTE: this may already exist).
    mkdir -p /usr/lib/heat
  4. Create a link to the F5 plugins in the Heat plugins directory.
    ln -s /usr/lib/python2.7/site-packages/f5_heat /usr/lib/heat/f5_heat
  5. Restart the Heat engine service:
    systemctl restart openstack-heat-engine.service

Now, you should see the F5 Heat resources in the OpenStack Horizon dashboard, under “Orchestration->Resource Types”:

Prepare Your Project to use the F5 Heat Template

Next, you’ll use the F5 BIG-IP ‘Image Patch and Upload’ heat template ( to patch your VE image for use in OpenStack and onboard it.

‘Patching’ is modifying the BIG-IP QCOW2 image so it can run within OpenStack and make use of the OpenStack Metadata service, for licensing, setting networking parameters etc.

This template requires a bit of preparation, described in the Prerequisites section of the template documentation. In particular, you need to create an OpenStack flavor for the BIG-IP appliance and create an SSH key to use to log in to the BIG-IP. You will also need to provide a link to a Ubuntu image, as the template utilizes an Ubuntu server to extract and patch the image. An appropriate tenant network was already created and tested in the previous article in this series, so no need to do it again.

First, log in as the OpenStack admin user to create a new flavor for the BIG-IP and adjust the ‘demo’ user’s permissions. The default OpenStack non-admin privileges do not allow creation of OpenStack Flavors or Heat stacks.

  1. Create a new flavor via the command line:
    openstack flavor create --ram 4096 --disk 20 --vcpus 2 \ 
      --public "F5-small 1 slot"
    Refer to for additional information regarding BIG-IP VE flavor requirements.
  2. Give permission to create Heat stacks to the demo user:
    openstack role add --project demo --user demo heat_stack_owner
  3. You can now switch back to your ‘demo’ user account and import an Ubuntu image to Glance.
    source keystonerc_demo
    curl | \
      openstack image create --container-format bare \
      --disk-format qcow2 --min-disk 10 "Ubuntu 14.04 LTS"

The Heat template requires that the BIG-IP image be hosted in a location accessible to the Heat engine via ‘http’. Assuming that you do not have any other place to host the BIG-IP qcow2 image, we’ll create it one on the Horizon Apache server.

  1. Create a new directory to store the image in.
    mkdir -p /home/openstack/bigipimages/
  2. Add the following lines to
    , just before closing
    Alias /bigipimages "/home/openstack/bigipimages/"
    <Directory "/home/openstack/bigipimages/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Require all granted
  3. Restart the httpd service:
    systemctl restart httpd.service
  4. Download
    from and upload it to
    Direct link:
  5. Change the permissions so the file can be seen by Apache:
    chmod -x+r /home/openstack/bigipimages/*.zip
  6. The compressed qcow2 image should now be accessible at:

    Please replace <ip_address> with an IP address of your CentOS host.

Launch Your Heat Stack

Most of the Heat templates require you to supply some specific configuration parameters (e.g., which networks should be used, what flavor, security group etc). Those parameters are rendered as a questionnaire in the Horizon GUI, right after you specify the source heat template's file or url. Unfortunately, I noticed that Mitaka release doesn't always show external networks in the GUI correctly, while the external network's name can be provided via CLI without any problems. Another disadvantage of Orchestration section in Horizon is that if you make any mistakes or typos, you need to type all the parameters over again. So, the easiest and the most efficient method is to provide Heat parameters in an environment file.

  1. Create an environment file – for example,
    – that contains the following parameters:
      onboard_image: "Ubuntu 14.04 LTS"
      flavor: m1.medium # THE FLAVOR YOU CREATED
      private_network: management
      f5_image_import_auth_url: http://<ip_address>:5000/v2.0 # YOUR KEYSTONE AUTHENTICATION URL
      f5_image_import_tenant: admin # THE NAME OF YOUR PROJECT SPACE
      f5_image_import_user: admin # YOUR USERNAME
      f5_image_import_password: default # YOUR PASSWORD
      f5_ve_image_url: http://<ip_address>/bigipimages/
      f5_ve_image_name: BIGIP-
      image_prep_key: default
    Note: Leading white spaces are significant in the yaml file.
  2. Launch the stack:
    openstack stack create -e patch_upload_paremeters.yaml \
      -t \

Please note that we used the GitHub version of the template in the above command (https://raw...). You can also use the download link for the template provided in the documentation. Do not try to use the link for an html-formatted yaml file.

You should see your stack being created in Horizon at "Orchestration -> Stacks -> F5_onboard". You can supervise the patching progress by clicking on a Compute instance log:

At the end, the stack status should be "Status Create_Complete: Stack CREATE completed successfully". You can check it by clicking on "Orchestration -> Stacks -> F5_onboard -> Overview".

If you can't see the stack in your account in Horizon, double-check which user you identified in the environment file; if you specified 'admin', you’ll need to log in as the admin user.

Now that you have a BIG-IP image onboarded, you can use it with the F5-supported Heat Templates ( to deploy BIG-IP VE from any of your OpenStack user accounts.

First, make sure the BIG-IP image is visible to all users in your OpenStack environment.

source keystonerc_admin
openstack image set --public BIGIP-
source keystonerc_demo

The patched BIG-IP image should be visible in “Compute -> Images” or via the

openstack image-list
As an exercise, you can change the Heat template to include this step.

You can now safely delete the onboarding stack. Don’t worry, the BIG-IP image will stick around.

openstack stack delete F5_onboard

Now, let’s spin up a stand-alone BIG-IP VE with two production interfaces using the F5 BIG-IP VE: Standalone, 3-nic Heat template (

We already have a Management subnet, but we’ll need to add the traffic subnets.

  1. Create client and server-side networks:
    neutron net-create client
    neutron subnet-create --name client_subnet client
    neutron router-interface-add router1 client_subnet
    neutron net-create server
    neutron subnet-create --name server_subnet server
    neutron router-interface-add router1 server_subnet
    Now your network topology should look as follows:
  2. Create a
    environment file that contains:
      ve_image: BIGIP-
      ve_flavor: "F5-small 1 slot"
      admin_password: admin
      f5_ve_os_ssh_key: default
      root_password: default
      license: <<<your eval license goes here>>>
      external_network: external_network
      mgmt_network: management
      network_1: client
      network_1_name: client
      network_2: server
      network_2_name: server
    Please remember to insert your evaluation license key.
  3. Launch the stack:
    openstack stack create -e standalone_3_nic_paremeters.yaml \ 
      -t \
  4. Now you can find a floating IP address in "Orchestration -> Stacks -> F5_standalon_2nic -> Overview -> Floating IP". You should be able to observe the patching process by running the following command:
    ssh -i demo_default.pem root@<<floating IP>>
    tail -f /var/log/messages
    If the patching process is complete you should see something like this:
    Sep 14 11:21:05 host-10 notice openstack-init: Completed OpenStack auto-configuration in 167 seconds...
  5. You should now be able to log into the BIG-IP configuration utility at the [OpenStack] floating ip address allocated by Neutron. Be sure to use https (e.g., "https://<the_floating_IP>") and give the BIG-IP enough time to fully boot. The VE platform should be properly licensed and basic network configuration should be set up.

If everything works fine, you are ready to play with other F5 heat templates, and maybe write your own F5 heat resources. Good starting points would be the GitHub repo ( and the project docs (

Special thanks to John Gruber, Laurent Boutet, Paul Breaux, Shawn Wormke, Jodie Putrino, and the whole F5 OpenStack PD team.

Updated Jun 06, 2023
Version 2.0

Was this article helpful?