How to: Install BIG-IP Next tenant on VELOS

Overview

This document describes how to install the BIG-IP Next instance on VELOS.

Prerequisites

  • VELOS chassis install is complete; power is on in data center

  • Initial configuration of a VELOS system is complete

  • MyF5 account to download the bundle file

  • Tenant memory requirements (see Create a tenant):

    vCPUs    Memory
    4        14848 MB
    8        29184 MB

  • You must also have the instance’s IP address, username and password.

    Note: When you add a BIG-IP Next instance that was onboarded locally to BIG-IP Next Central Manager, all users currently configured on that local BIG-IP Next instance are automatically disabled, so management of the instance is done exclusively from BIG-IP Next Central Manager. You must set an initial “admin” password before adding the instance to Central Manager via Postman.

Procedures

Download the bundle file

  1. Navigate to MyF5.

  2. In the upper-right corner, click SIGN IN.

  3. Type your Email address and click Next.

  4. From the top menu, click the RESOURCES list, and select Downloads.

  5. To agree with the terms of downloading software, review the End User License Agreement and Program Terms. Click the checkbox and then click Next.

  6. From the Group list, select F5OS.

  7. From the Product Line list, select F5OS Platform Software for VELOS.

  8. From the Product Version list, select the desired version.

  9. From Select a product container, select a version number.

  10. From Select a download file, select a .tar file.

  11. From the Download locations list, select a location and then click the Download link.

  12. After the download is complete, move the .tar file to a desired location for uploading.

Update the system controller software

Update the system controller software (F5OS) to the required controller version: v1.6.2.

  1. Log in to the system controller webUI using an account with admin access.

  2. On the left, click SYSTEM SETTINGS > Controller Management.

  3. For Update Software, select Bundled.

  4. For the ISO Image, select the full version release ISO image.

  5. Click Save.

    The software on the system controllers is updated.

Create a chassis partition

  1. Log in to the system controller webUI using an account with admin access.

  2. On the left, click CHASSIS PARTITIONS.
    The Chassis Partitions screen opens with a graphical view of the VELOS chassis.

  3. On the chassis graphic, select the available blade where you want to create a partition.

  4. Click Create.

  5. For Name, type a name for the chassis partition.

  6. In the IPv4 section, type the values for IP Address, Prefix Length, and Gateway.

  7. If the partition will also be managed over IPv6, type the corresponding values in the IPv6 section. For Software, select Bundled, and for the ISO Image, select the previously uploaded software image to run on the chassis partition.

  8. Click Save.
    In the chassis partition list, the Operational State of the new partition goes from Starting to Running.

    You can now log into the chassis partition using its management IP address to access the partition webUI.

Log in to the chassis partition webUI

  1. First-time login after creating a chassis partition requires using default credentials. For both the Username and Password, type admin, and click Login.

  2. When prompted, type a New Password, Confirm New Password, and then click Save.

  3. Log in with the new credentials (Username and Password), and click Login.
    The F5OS|VELOS DASHBOARD opens.

Upload a tenant image onto the chassis partition

Upload with the GUI.

  1. With the DASHBOARD open, on the left, click TENANT MANAGEMENT > Tenant Images.

  2. Click Upload.
    The Tenant Images window opens.

  3. Select the bundle file.

  4. Click Open.
    The upload process starts.

    After the upload to the VELOS partition is complete, the bundle file is unbundled and replicated across the blades assigned to the partition.

Create VLANs in the VELOS partition

Create a VLAN and associate physical interfaces or LAGs with the VLAN:

  • Any host that sends traffic to an interface is logically a member of the VLAN(s) to which that interface or LAG belongs.

  • Create a VLAN before deploying a tenant.

Create VLANs with the GUI.

  1. Log in to the chassis partition webUI using an account with admin access.

  2. On the left, click NETWORK SETTINGS > VLANs.
    The screen displays VLANs configured for the chassis partition.

  3. Click Add.

  4. In the Name field, type a name for the VLAN.

  5. For VLAN ID, type a number from 1 to 4094 for the VLAN.
    The VLAN ID identifies the traffic from hosts in the associated VLAN for an associated interface or LAG.

  6. Click Add VLAN to create the VLAN.
    The VLAN is created and displays in the VLAN list.
    You can use the VLANs when configuring interfaces and creating LAGs.

    You can now deploy a tenant using the same chassis partition webUI.

Create a tenant

Before you start, decide which slots to use for tenant deployment. Ensure you have already created a VLAN in the chassis partition.

Prerequisites

  • A tenant name can be at most twelve characters long.

  • High availability (HA): both tenants in an HA pair must have the same tenant name and must be created on two different chassis.

  • Multi-tenancy (more than one tenant per blade): see How to: Configure multi-tenancy for BIG-IP Next on VELOS.

    For standalone, multi-tenancy, and HA:

  • A single blade supports BIG-IP Next tenants of 4 or 8 vCPUs.

  • Do not deploy classic BIG-IP and BIG-IP Next tenants in the same partition or on the same blade.

  • A blade holds at most two tenants and at most 8 vCPUs in total, so the supported layouts are:

    • two 4-vCPU BIG-IP Next tenants per blade, or

    • one 8-vCPU BIG-IP Next tenant per blade.

Procedures:

If you are deploying HA, create one BIG-IP Next tenant on each chassis partition using the appropriate network information.

  1. Log in to the chassis partition webUI using an account with admin access.

  2. On the left, click TENANT MANAGEMENT > Tenant Deployments.
    The Tenant Deployment screen displays showing the existing tenant deployments and associated details.

  3. To add a tenant deployment, click Add.
    The Add Tenant Deployment screen displays.

  4. For Name, type a name for the tenant deployment (up to 12 characters).

    Note: The first character in the name cannot be a number. After that, only lowercase alphanumeric characters and hyphens are allowed.

  5. Leave Type set to the default.

  6. For Image, select a software image.

  7. For Allowed Slots, first select the appropriate option:

    • Partition Member Slots: Lists only slots that the chassis partition includes.

    • Any Slots: Lists any slot on the chassis, even if not associated with the chassis partition, and even if no blade is installed in that slot.

      There is the option of selecting slots 1-8 whether or not they are associated with the chassis partition. This allows for preconfiguring tenant deployments before the hardware is installed and before the partition is configured to include it.

      Then, select the slots (or blades) that you want the tenant to span from the list.

  8. For IP Address, type the IP address of the tenant.

  9. For Prefix Length, type a number from 1-32 for the length of the prefix.

  10. For Gateway, type the IP address of the gateway.

  11. For VLANs, select the VLAN that you created.

  12. For Resource Provisioning, select Recommended.
    This specifies recommended values for vCPUs and memory for the tenant.

  13. For vCPUs Per Slot, select 4 or 8; these are the only supported values for a BIG-IP Next tenant.

  14. For Memory Per Slot, accept the default values.

  15. For State, choose Deployed.
    This changes the tenant to the Deployed state.

    The tenant is set up, resources are allocated to the tenant, the image is moved onto the blade, and the software is installed. After those tasks are complete, the tenant is fully deployed and running.

    It takes a few minutes to complete the deployment and bring up the system.

  16. For Crypto/Compression Acceleration, select Enabled.
    When this option is enabled, the tenant receives dedicated crypto devices in proportion to its number of vCPU cores, and crypto processing and compression are offloaded to the hardware.

  17. For Appliance Mode, accept the default value (Disabled).

  18. Click Save & Close.

    Note: The tenant administrator can also connect using SSH to the CLI through the VELOS System Controller.

  19. Wait until the status is “Running” before proceeding.

    1. Select the tenant name from the dropdown under the Tenant Details tab of your VELOS provider. A table lists each of the tenant's pods.

    2. Before resetting the password, verify that every pod in the table is in the Running phase with the status Started Tenant Instance.

    3. Once all pods show the Started Tenant Instance status, the tenant is configured and deployed.
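The limits in the prerequisites and in steps 4 through 14 (name format, 4 or 8 vCPUs with their recommended memory, prefix length, VLAN ID, and the two-tenants-or-8-vCPUs per blade budget) are easy to get wrong when tenant deployments are scripted rather than clicked through. The following pre-flight checks are an added example written for this page, not code from F5 or from the VELOS software. It assumes the name rule reads as "a lowercase letter, then lowercase letters, digits or hyphens" (the page says only that the first character cannot be a number) and uses the page's recommended vCPU/memory pairs; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the F5 article): pre-flight checks for a planned
# BIG-IP Next tenant on VELOS, encoding the limits stated on the page so a
# scripted deployment fails before it reaches the chassis partition.
# Assumption: tenant names start with a lowercase letter (the page only says
# the first character cannot be a digit).

# Recommended memory (MB) for a supported vCPU count; fails for any other count.
recommended_memory_mb() {
  case "$1" in
    4) echo 14848 ;;
    8) echo 29184 ;;
    *) return 1 ;;
  esac
}

# Tenant name: 1-12 characters, not starting with a digit, lowercase
# alphanumerics and hyphens only.
valid_tenant_name() {
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]{0,11}$'
}

# Integer range check used for prefix length (1-32) and VLAN ID (1-4094).
in_range() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

valid_prefix_length() { in_range "$1" 1 32; }
valid_vlan_id()       { in_range "$1" 1 4094; }

# One blade holds at most two BIG-IP Next tenants and at most 8 vCPUs in
# total, each tenant being 4 or 8 vCPUs: "4 4" or "8" pass, "4 8" does not.
# Argument: space-separated vCPU counts of the tenants planned for the blade.
blade_plan_ok() {
  count=0
  total=0
  for v in $1; do
    recommended_memory_mb "$v" >/dev/null || return 1
    count=$((count + 1))
    total=$((total + v))
  done
  [ "$count" -ge 1 ] && [ "$count" -le 2 ] && [ "$total" -le 8 ]
}

# Check one tenant definition against every limit; reports the first failure.
# Usage: check_tenant_plan NAME VCPUS MEMORY_MB PREFIX VLAN "BLADE_VCPUS"
check_tenant_plan() {
  valid_tenant_name "$1" || { echo "name rejected: $1" >&2; return 1; }
  recommended_memory_mb "$2" >/dev/null || { echo "vcpus rejected: $2" >&2; return 1; }
  in_range "$3" "$(recommended_memory_mb "$2")" "$(recommended_memory_mb "$2")" \
    || { echo "memory $3 is not the recommended value for $2 vCPUs" >&2; return 1; }
  valid_prefix_length "$4" || { echo "prefix length rejected: $4" >&2; return 1; }
  valid_vlan_id "$5" || { echo "VLAN ID rejected: $5" >&2; return 1; }
  blade_plan_ok "$6" || { echo "blade plan rejected: $6" >&2; return 1; }
}

# Example: a 4-vCPU tenant sharing a blade with one other 4-vCPU tenant.
# check_tenant_plan next-tenant1 4 14848 24 100 "4 4" && echo "plan ok"
```

Run the check with the vCPU counts of every tenant already on the target blade included in the last argument; a plan that passes here still has to satisfy the HA rule (same name on two different chassis), which a single-chassis check cannot see.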

Add a BIG-IP Next instance to BIG-IP Next Central Manager

Installation is now complete. You can add the new instance to BIG-IP Next Central Manager. See: How to: Add a locally-onboarded BIG-IP Next instance to BIG-IP Next Central Manager.

Generate and change certificate in provider and tenant

As of version 20.2.1, BIG-IP Next Central Manager includes a security update that requires a BIG-IP Next instance to present a device certificate whose subjectAlternativeName (SAN) extension carries both its DNS name and its IP address. A BIG-IP Next instance does not generate a device certificate with these values by default, so you must create a new device certificate before adding the instance to BIG-IP Next Central Manager version 20.2.1. An instance whose certificate lacks them fails discovery with the error:

DEVICE-00060: Internal error testing authentication

Upgrade to BIG-IP Next Central Manager version 20.2.1 to take advantage of security enhancements, including the certificate SAN IP check during the TLS handshake.

However, the provider and tenant device certificates do not contain the IP address in the SAN. To generate and install a new certificate on the provider and tenant, read through the following scenarios, pick the one that applies to you, and perform its steps.

Following are the different scenarios:

Scenario 1:

Adding a BIG-IP Next Instance running a version earlier than 20.2.0 to BIG-IP Next Central Manager 20.2.0 or later.

Solution:

BIG-IP Next Central Manager 20.2.0 and later requires that the BIG-IP Next instance use a TLS certificate with well-formed Subject Alternative Names (SAN).

Follow the recommended actions provided in the KB article, BIG-IP Next Instance discovery error to change the certification and settings.

Scenario 2:

Changing the certificate on the provider so that Central Manager 20.2.0 or later can add a VELOS system (F5OS-C 1.7 or earlier) as a provider.

Solution:

  1. Create a device certificate and private key with SAN DNS and IP values by running the following openssl command. Set DNS and IP to the instance's hostname and management IP address; the -subj option supplies the subject so openssl does not prompt for it:

    DNS=big-ip-next
    IP=10.1.1.7
    openssl req -x509 -newkey rsa:2048 -days 1024 -nodes \
      -subj "/CN=${DNS}" \
      -keyout bigip_key.pem -out bigip_crt.pem \
      -addext "subjectAltName = DNS:${DNS},IP:${IP}"

  2. Use the following API calls to push the new certificate and key to the BIG-IP Next Instance. The calls use curl -k because the instance still presents its original certificate at this point, so run them from a trusted management network.

    a. Export the Next instance variables (USER and PASS hold the local admin credentials; unset them when you are done so they do not linger in the environment)

    export NEXT=10.1.1.7
    export USER=admin
    export PASS='mypassword'

    b. Get a logon bearer token and the BIG-IP Next Instance system ID

    TOKEN=$(curl -sk "https://${NEXT}:5443/api/v1/login" -H 'Content-Type: application/json' --user "${USER}:${PASS}" | jq -r '.token')
    SYSID=$(curl -sk "https://${NEXT}:5443/api/v1/systems" -H 'Content-Type: application/json' -H "Authorization: Bearer ${TOKEN}" | jq -r '._embedded.systems[0].id')

    c. Push the private key to the BIG-IP Next Instance files API (do not set a Content-Type header by hand: curl generates the multipart/form-data header, including the boundary, from the -F options)

    curl -sk \
    -H 'Accept-Encoding: gzip, deflate, br' \
    -H "Authorization: Bearer ${TOKEN}" \
    -F "fileName=@bigip_key.pem;type=application/pkcs8" -F "name=bigip_key.pem" "https://${NEXT}:5443/api/v1/files"

    d. Push the certificate to the BIG-IP Next Instance files API

    curl -sk \
    -H 'Accept-Encoding: gzip, deflate, br' \
    -H "Authorization: Bearer ${TOKEN}" \
    -F "fileName=@bigip_crt.pem;type=application/x-x509-ca-cert" -F "name=bigip_crt.pem" "https://${NEXT}:5443/api/v1/files"

    e. Set the BIG-IP Next Instance device certificate to the new certificate and private key

    curl -sk -X PUT \
    -H 'Accept-Encoding: gzip, deflate, br' \
    -H "Authorization: Bearer ${TOKEN}" \
    -H 'Content-type: application/json' \
    -d '{"cert": "bigip_crt.pem", "key": "bigip_key.pem"}' \
    "https://${NEXT}:5443/api/v1/systems/${SYSID}/device-certificate"

    Once the instance has taken the new certificate, confirm that the certificate served on port 5443 is the one you generated before adding the instance to Central Manager.
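The SAN requirement described at the start of this section and the Scenario 2 procedure above both hinge on two things the page does not show how to check: that the generated certificate really carries the IP address in its SAN before you upload it, and that the instance is actually serving the new certificate afterwards. The following script is an added example written for this page, not code from F5 or from BIG-IP Next; it wraps the page's openssl command in functions and adds those two checks. It assumes OpenSSL 1.1.1 or later (for req -addext and x509 -ext) and takes the port 5443 and the DNS/IP values from the page; the function names are the example's own, and the upload itself remains the curl calls in step 2.

```shell
#!/bin/sh
# Added example (not part of the F5 article): generate the device certificate
# from Scenario 2 and verify its SAN before uploading, then verify after the
# device-certificate PUT that the instance serves the new certificate.
# Assumptions: OpenSSL 1.1.1 or later; the instance API port is 5443 as on
# the page; function names are this example's own.

# Self-signed key/certificate pair whose subjectAltName carries both the DNS
# name and the management IP. -subj avoids the interactive subject prompt.
gen_device_cert() {
  dns=$1; ip=$2; key=$3; crt=$4
  openssl req -x509 -newkey rsa:2048 -days 1024 -nodes \
    -subj "/CN=${dns}" -keyout "$key" -out "$crt" \
    -addext "subjectAltName = DNS:${dns},IP:${ip}" 2>/dev/null
}

# The certificate's subjectAltName entries on one line, for example
# "DNS:big-ip-next, IP Address:10.1.1.7".
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Succeed only if the SAN lists exactly this IP: 10.1.1.7 must not be
# accepted because 10.1.1.70 is present. This mirrors the SAN IP check that
# Central Manager 20.2.x performs during the TLS handshake.
cert_has_san_ip() {
  esc=$(printf '%s' "$2" | sed 's/\./\\./g')
  cert_san "$1" | grep -Eq "IP Address:${esc}(,|\$)"
}

cert_has_san_dns() {
  cert_san "$1" | grep -Eq "DNS:$2(,|\$)"
}

# SHA-256 fingerprint of a PEM certificate, colon-separated hex.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate a live host presents on a TLS port.
served_fingerprint() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Before step 2: refuse to upload a certificate that would still fail the
# SAN check, and print the fingerprint you expect to see on the wire.
# Usage: preflight_device_cert big-ip-next 10.1.1.7 bigip_key.pem bigip_crt.pem
preflight_device_cert() {
  dns=$1; ip=$2; key=$3; crt=$4
  gen_device_cert "$dns" "$ip" "$key" "$crt" || return 1
  cert_has_san_dns "$crt" "$dns" && cert_has_san_ip "$crt" "$ip" || {
    echo "SAN check failed: $(cert_san "$crt")" >&2
    return 1
  }
  echo "expected fingerprint: $(cert_fingerprint "$crt")"
}

# After step 2e: confirm the instance now serves the generated certificate.
# Usage: postcheck_device_cert 10.1.1.7 5443 big-ip-next bigip_crt.pem
postcheck_device_cert() {
  want=$(cert_fingerprint "$4")
  got=$(served_fingerprint "$1" "$2" "$3")
  [ -n "$got" ] && [ "$want" = "$got" ]
}
```

Run preflight_device_cert before step 2 and postcheck_device_cert after step 2e. The post-check matters because every curl call in the procedure disables certificate verification with -k; comparing the served fingerprint against the file you generated is what turns that blind upload back into a verified one before Central Manager relies on the certificate.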

Scenario 3:

Upgrading from BIG-IP Next Central Manager 20.1.0 to 20.2.0 or later, with a manually added BIG-IP Next Instance.

Solution:

After upgrading the Central Manager to 20.2.0 or later versions, click on Accept cert fingerprint on the pop-up that is displayed on the screen.

Scenario 4:

A VELOS system (F5OS-C version 1.7 or earlier) was added manually as a provider in BIG-IP Next Central Manager version 20.1.0, and Central Manager is then upgraded to version 20.2.1; the provider must keep working as before.

Solution:

After upgrading BIG-IP Next Central Manager to 20.2.1 or later, click Accept cert fingerprint in the pop-up displayed on the screen so that the provider continues to work as before.

Note: This solution does not work for an upgrade of BIG-IP Next Central Manager to version 20.2.0.