Exploring F5OS automation features on VELOS
Concepts
- System Controller - the two dedicated hardware cards that run F5OS in a VELOS chassis, and supervise VELOS blades.
- System Controller UI (https,ssh) - this is the root level object for Chassis administrators of a VELOS system. The person(s) that own the actual hardware, and can fully administer the system would have this access. The main functions that would be performed at this level are configuring management settings, managing the system controller software and assigning resources to Chassis Partitions.
- Chassis Partition UI (https,ssh) - this is the root level object for Chassis Partition administrators on a VELOS system. The person(s) that have been assigned some amount of blade resources would have this access. The main functions that would be performed at this level are managing the allocation of resources within the Chassis Partition, and managing add/remove/boot of tenants.
- Tenant - the software/functions running on one or more traffic blades in a VELOS chassis. Today this is a classic TMOS v14 or v15 instance. In the near future this will be a containerised tmm pod/BIGIP Next instance.
Creating Chassis Partitions
Get an auth token
In all of the following requests, we assume $name, $password and $ip are the credentials and address of the System Controller, which is the API endpoint we are communicating with here. The request below prints the X-Auth-Token response header; its value is what the later requests send as $token.
curl -D - -sk -u "$name":"$password" -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: rctoken" -X HEAD "https://$ip:8888/restconf/data/openconfig-system:system/aaa" | grep -E '^X-Auth-Token: '
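The token request above, as an added example that is not part of the original article: it captures the token into a variable for the later calls, verifies the server certificate instead of using -k, and keeps the password off the curl command line. The function names, the F5OS_PASSWORD variable and the CA file path are assumptions; the same function returns the Chassis Partition token when pointed at a partition address.

```shell
#!/bin/sh
# Added example, not from the original article. The CA file path, the
# F5OS_PASSWORD variable and all function names are assumptions.

# Quote a value for a curl config file (escape backslash and double quote).
curl_quote() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# Read an HTTP header dump on stdin and print the X-Auth-Token value.
# The name is matched case-insensitively and the CR that ends every HTTP
# header line is dropped; a token stored with that CR attached corrupts the
# X-Auth-Token header of every later request. Exit status 1 if absent.
extract_token() {
  tr -d '\r' | awk '
    tolower($0) ~ /^x-auth-token:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
      if ($0 != "") { print; found = 1; exit }
    }
    END { exit !found }'
}

# f5os_get_token HOST USER CA_FILE
# Same HEAD request as the article, but the certificate is verified against
# CA_FILE instead of -k, and the credentials reach curl on stdin (--config -)
# so they are not part of curl's command line.
f5os_get_token() {
  printf 'user = "%s:%s"\n' "$(curl_quote "$2")" "$(curl_quote "$F5OS_PASSWORD")" |
    curl --silent --show-error --head --config - --cacert "$3" \
      -H 'Content-Type: application/yang-data+json' \
      -H 'X-Auth-Token: rctoken' \
      "https://$1:8888/restconf/data/openconfig-system:system/aaa" |
    extract_token
}

# Constructed sample of a header dump (lower-case name, CRLF line endings).
sample_headers() {
  printf 'HTTP/1.1 200 OK\r\ncontent-type: application/yang-data+json\r\n'
  printf 'x-auth-token: constructed-token-0123 \r\n\r\n'
}

# Offline demonstration on the constructed sample:
sample_headers | extract_token

# Against a real system (not run here):
#   token=$(f5os_get_token "$ip" "$name" /path/to/f5os-ca.pem) || exit 1
```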
Release slots from the default partition
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $token" -X PATCH -d @release_default https://$ip:8888/restconf/data
{
  "f5-system-slot:slots": {
    "slot": [
      {
        "slot-num": 1,
        "enabled": true,
        "partition": "none"
      },
      {
        "slot-num": 2,
        "enabled": true,
        "partition": "none"
      },
      {
        "slot-num": 3,
        "enabled": true,
        "partition": "none"
      },
      {
        "slot-num": 4,
        "enabled": true,
        "partition": "none"
      }
    ]
  }
}
Create new partitions
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $token" -X POST -d @partition https://$ip:8888/restconf/data/f5-system-partition:partitions
{
  "partition": [
    {
      "name": "orange",
      "config": {
        "enabled": true,
        "iso-version": "1.3.1-5968",
        "mgmt-ip": {
          "ipv4": {
            "address": "10.1.1.84",
            "prefix-length": 24,
            "gateway": "10.1.1.1"
          }
        }
      }
    },
    {
      "name": "purple",
      "config": {
        "enabled": true,
        "iso-version": "1.2.2-12471",
        "mgmt-ip": {
          "ipv4": {
            "address": "10.1.1.85",
            "prefix-length": 24,
            "gateway": "10.1.1.1"
          }
        }
      }
    }
  ]
}
Assign blades to the new partition
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $token" -X PATCH -d @assign_slots https://$ip:8888/restconf/data
{
  "f5-system-slot:slots": {
    "slot": [
      {
        "slot-num": 1,
        "enabled": true,
        "partition": "orange"
      },
      {
        "slot-num": 2,
        "enabled": true,
        "partition": "purple"
      }
    ]
  }
}
Assigning resources to Chassis Partitions
Secure admin credentials
curl -sk -u "$name":"$password" -H "Content-Type: application/yang-data+json" -X POST -d @pwd https://$ip:8888/restconf/operations/openconfig-system:system/aaa/authentication/users/user=admin/config/change-password
{
  "input": [
    {
      "old-password": "admin",
      "new-password": "Secure123!",
      "confirm-password": "Secure123!"
    }
  ]
}
Get an auth token
In all of the following requests, we assume $name, $password and $ip are the credentials and address of the Chassis Partition, which is the API endpoint we are communicating with here. Otherwise, the API calls to get a token are the same as for the System Controller; the requests below send the resulting token as $o_token.
Configure Partition VLANs
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $o_token" -X PATCH -d @vlan https://$ip:8888/restconf/data/openconfig-vlan:vlans
The JSON sent will be similar to below:
{
  "openconfig-vlan:vlans": {
    "vlan": [
      {
        "vlan-id": "1",
        "config": {
          "vlan-id": 1,
          "name": "VLAN1"
        }
      },
      {
        "vlan-id": "110",
        "config": {
          "vlan-id": 110,
          "name": "VLAN110"
        }
      },
      {
        "vlan-id": "120",
        "config": {
          "vlan-id": 120,
          "name": "VLAN120"
        }
      }
    ]
  }
}
Configure Partition Network Interfaces
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $o_token" -X PATCH -d @portgroup_orange https://$ip:8888/restconf/data/
{
  "f5-portgroup:portgroups": {
    "portgroup": [
      {
        "portgroup_name": "1/1",
        "config": {
          "name": "1/1",
          "mode": "MODE_4x25GB"
        }
      },
      {
        "portgroup_name": "1/2",
        "config": {
          "name": "1/2",
          "mode": "MODE_4x25GB"
        }
      }
    ]
  }
}
Assign VLANs to the Network Interfaces
Now that the physical interfaces are ready, we can assign the appropriate VLANs to them.
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $o_token" -X PATCH -d @interface_orange https://$ip:8888/restconf/data/
The JSON sent will be similar to below:
{
  "openconfig-interfaces:interfaces": {
    "interface": [
      {
        "name": "1/1.1",
        "openconfig-if-ethernet:ethernet": {
          "openconfig-vlan:switched-vlan": {
            "config": {
              "native-vlan": 1,
              "trunk-vlans": [110]
            }
          }
        }
      }
    ]
  }
}
Upload BIGIP images to the Chassis Partitions
scp ~/BIGIP-14.1.4.6-0.0.8.T1-VELOS.qcow2.zip.bundle root@10.1.1.81:/var/F5/partition2/IMAGES
Note that there are several options for VELOS tenant images. Depending on which one you select, the tenant has a smaller or larger filesystem size requirement, which affects what can be provisioned on the tenant. Read the docs here.
Configure Tenant Deployments
curl -sk -H "Content-Type: application/yang-data+json" -H "X-Auth-Token: $o_token" -X POST -d @tenant_orange https://$ip:8888/restconf/data/f5-tenants:tenants
{
  "tenant": [
    {
      "name": "orange-bigip03-small",
      "config": {
        "image": "BIGIP-14.1.4.6-0.0.8.T1-VELOS.qcow2.zip.bundle",
        "nodes": [
          1
        ],
        "mgmt-ip": "10.1.1.188",
        "gateway": "10.1.1.1",
        "prefix-length": 24,
        "vlans": [
          110
        ],
        "vcpu-cores-per-node": 2,
        "memory": 7680,
        "cryptos": "enabled",
        "running-state": "deployed"
      }
    },
    {
      "name": "orange-bigip04-large",
      "config": {
        "image": "BIGIP-15.1.5.1-0.0.14.ALL-F5OS.qcow2.zip.bundle",
        "nodes": [
          1
        ],
        "mgmt-ip": "10.1.1.189",
        "gateway": "10.1.1.1",
        "prefix-length": 24,
        "vlans": [
          110
        ],
        "vcpu-cores-per-node": 8,
        "memory": 30720,
        "cryptos": "enabled",
        "running-state": "deployed"
      }
    }
  ]
}
Exploring the System Controller via SSH
oc get pod --all-namespaces -o wide
oc -n partition-2 get pods
oc -n partition-3 get pods
Configuring tenants
Future state
- michal-kAltostratus
Great article, now, I would love to see the same but tailored to the rSeries appliances, any chance this could be written?