CNFs Software¶

Overview¶

The Cloud-Native Network Functions (CNFs) custom resource definitions (CRDs), software images and installation Helm charts are provided in a single TAR file. A CNFs public signing key, and two signature files are also provided to validate the TAR file’s integrity. Once validated and extracted, the software images can be uploaded to a local container registry, and integrated into the cluster using the CNFs Helm charts. Finally, the CNFs CRDs will be installed into the cluster.

This document describes the CNFs software, and guides you through validating, extracting and installing the CNF software components.

Software images¶

The table below lists and describes the software images for this software release. For a full list of software images by release, refer to the Software Releases guide.

_images/spk_info.png Note: The software image name and deployed container name may differ.

Image	Version	Description
f5ingress	v9.2.11	The helm_release-f5ingress container is a custom CNF controller that watches the K8S API for CR updates, and configures either AFM or TMM based on the update.
tmm-img	v3.1.6	The f5-tmm container is a Traffic Management Microkernel (TMM) instance that proxies and load balances application traffic between the external and internal networks.
f5-l4p-engine	v2.0.8	The f5-afm-pccd container is an Application Firewall Manager (AFM) instance that converts firewall rules and NAT policies into the binary large objects (BLOBs) used by TMM.
f5-nsec-ips-daemon	v2.1.2	The f5-ipsd container is the intrusion detection and prevention instance, providing deep packet inspection and prevention of malignant network packets.
tmrouted-img	v0.10.3	The f5-tmm-tmrouted container proxies and forwards information between the f5-tmm-routing and f5-tmm containers.
f5dr-img	v0.7.8	The f5-tmm-routing container maintains the dynamic routing tables used by TMM.
f5-toda-tmstatsd	v4.0.5	The f5-toda-stats container collects application traffic processing statistics from the f5-tmm container, and forwards the data to the Otel Collectors.
f5-dssm-store	v3.3.1	Contains two sets of software images; The f5-dssm-db containers that store shared, persisted session state data, and the f5-dssm-sentinel containers to monitor the f5-dssm-db containers. For more info, refer to dSSM database.
spk-cwc	v3.0.7	The cnf-cwc container enables software licensing, and reports telemetry statistics regarding monthly software usage. Refer to CNFs CWC.
f5-license-helper	v3.0.5	The f5-lic-helper communicates with the spk-cwc to determine the current license status of the cluster.
rabbit	v3.0.2	The rabbitmq-server container as a general message bus, integrating CNFs CWC with the BIG-IP Controller Pod(s) for licensing purposes.
cert-manager-controller	v1.3.2	The cert-manager-controller manages the generation and rotation of the SSL/TLS certificate that are stored as Secrets, to secure communication between the various CNFs Pods.
cert-manager-cainjector	v1.3.2	The cert-manager-cainjector assists the cert-manager-controller to configure the CA certificates used by the cert-manager-webhook and K8S API.
cert-manager-webhook	v1.3.2	The cert-manager-webhook ensures that SSL/TLS certificate resources created or updated by the cert-manager-contoller conform to the API specifications.
f5-debug-sidecar	v7.18.3-0.0.20	The debug container provides diagnostic tools for viewing TMM's configuration, traffic processing statistics and gathering TMM diagnostic data. For more info, refer to Debug Sidecar.
f5-fluentbit	v0.7.0	The fluentbit container collects and forwards statistics to the f5-fluentd container. Multiple versions are included to support the different CNFs containers.
f5-fluentd	v1.5.0	The f5-fluentd container collects statistics and logging data from the Controller, TMM and dSSM Pods. For more info, refer to Fluentd Logging.
opentelemetry-collector	0.62.1	The otel-collector container gathers metrics and statistics from the TMM Pods. Refer to OTEL Collector.
f5-dssm-upgrader	1.2.2	The dssm-upgrade-hook enables dSSM DBs upgrades without service interruption or data loss. Refer to Upgrading dSSM.

Requirements¶

Ensure you have:

Obtained the CNF software tarball.
A local container registry.
A workstation with Podman.

Procedures¶

Validate and extract¶

Use the following steps to validate the CNFs tarball, extract the software images, installation Helm charts, and CRDs.

Create a new directory for the CNFs files:
```
mkdir <directory>
```
In this example, the new directory is named cnfinstall:
```
mkdir cnfinstall
```

Move the CNFs files into the directory:

mv f5-cnf-tarball* f5-cnf-1.1.1.pem cnfinstall

Change into the directory and list the files:

cd cnfinstall; ls -1

The files appear as:

f5-cnf-1.1.1.pem
f5-cnf-tarball-1.1.1.tgz
f5-cnf-tarball-sha512.txt-1.1.1.sha512.sig
f5-cnf-tarball.tgz-1.1.1.sha512.sig

Use the PEM signing key and each SHA signature file to validate the CNFs TAR file:

openssl dgst -verify <pem file>.pem -keyform PEM \
-sha512 -signature <sig file>.sig <tar file>.tgz

The command output states Verified OK for each signature file:

openssl dgst -verify f5-cnf-1.1.1.pem -keyform PEM -sha512 \
-signature f5-cnf-tarball.tgz-1.1.1.sha512.sig f5-cnf-tarball-1.1.1.tgz

Verified OK

openssl dgst -verify f5-cnf-1.1.1.pem -keyform PEM -sha512 \
-signature f5-cnf-tarball-sha512.txt-1.1.1.sha512.sig f5-cnf-tarball-1.1.1.tgz

Verified OK

Extract the CNFs images, Helm charts, and CRDs from the TAR file:
```
tar xvf f5-cnf-tarball-1.1.1.tgz
```
List the newly extracted files:
```
ls -1
```
The file list shows the CRD bundless and the CNF image TAR file named f5-cnf-images-1.1.1.tgz:
```
f5-cnf-crds-n6lan-5.0.17.tgz
f5-cnf-images-1.1.1.tgz
f5-cnf-tarball-1.1.1.tgz
```
Extract the CNF Helm charts and software images:
```
tar xvf f5-cnf-images-1.1.1.tgz
```

List the extracted Helm charts and software images:

ls -1R

The file list shows a new tar directory with the following files:

f5-cnf-crds-n6lan-5.0.17.tgz
f5-cnf-images-1.1.1.tgz
f5-cnf-tarball-1.1.1.tgz
tar

./tar:
cnf-docker-images.tgz
cwc-3.0.10.tgz
f5-cert-gen-0.7.3.tgz
f5-cert-manager-0.6.6.tgz
f5-dssm-3.0.27.tgz
f5-toda-fluentd-1.22.1.tgz
f5ingress-9.2.11.tgz
rabbitmq-3.0.6.tgz

Install CRDs¶

Use the following steps to extract and install the new CNF CRDs.

List the CNF CRD bundle:
```
ls -1 | grep crd
```
The file list shows three CRD bundles:
```
f5-cnf-crds-n6lan-5.0.17.tgz
```
Extract the CRDs from the bundle:
```
tar xvf f5-cnf-crds-n6lan-5.0.17.tgz
```

Install the CRDs:

oc apply -f f5-cnf-crds-n6lan/crds

Note the command output: Newly installed CRDs will be indicated by created, and updated CRDs will be indicated by configured:

customresourcedefinition.apiextensions.k8s.io/f5-big-alg-ftps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-pptps.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-rtsps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-alg-tftps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-addresslists.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-datagroups.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-portlists.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-cne-snatpools.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-context-globals.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-context-secures.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-ddos-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-apps.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-dns-caches.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-fastl4-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-fw-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-ips-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-log-hslpubs.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-log-profiles.k8s.f5net.com configured
customresourcedefinition.apiextensions.k8s.io/f5-big-nat-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-net-staticroutes.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-net-vlans.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-tcp-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-udp-settings.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/f5-big-zerorating-policies.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cm.f5co.k8s.f5net.com unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cm.f5co.k8s.f5net.com unchanged

List the installed CNFs CRDs:

oc get crds | grep    f5-big

The CRD listing will contain the full list of CRDs:

f5-big-alg-ftps.k8s.f5net.com                         2023-01-24T00:02:02Z
f5-big-alg-pptps.k8s.f5net.com                        2023-01-24T00:02:02Z
f5-big-alg-rtsps.k8s.f5net.com                        2023-01-24T00:02:02Z
f5-big-alg-tftps.k8s.f5net.com                        2023-01-24T00:02:02Z
f5-big-cne-addresslists.k8s.f5net.com                 2023-01-24T00:02:02Z
f5-big-cne-datagroups.k8s.f5net.com                   2023-01-24T00:02:02Z
f5-big-cne-downloaders.k8s.f5net.com                  2023-01-24T00:02:02Z
f5-big-cne-portlists.k8s.f5net.com                    2023-01-24T00:02:02Z
f5-big-cne-snatpools.k8s.f5net.com                    2023-01-24T00:02:02Z
f5-big-context-globals.k8s.f5net.com                  2023-01-24T00:02:02Z
f5-big-context-secures.k8s.f5net.com                  2023-01-24T00:02:02Z
f5-big-ddos-policies.dos.k8s.f5net.com                2023-01-24T00:02:02Z
f5-big-ddos-policies.k8s.f5net.com                    2023-02-09T22:29:25Z
f5-big-dns-apps.k8s.f5net.com                         2023-02-09T22:29:25Z
f5-big-dns-caches.k8s.f5net.com                       2023-01-24T00:02:02Z
f5-big-dns-zones.k8s.f5net.com                        2023-01-24T00:02:02Z
f5-big-dnsx-global-optionses.k8s.f5net.com            2023-01-24T00:02:02Z
f5-big-dpi-appses.k8s.f5net.com                       2023-01-24T00:02:02Z
f5-big-dpi-pe-optionses.k8s.f5net.com                 2023-01-24T00:02:02Z
f5-big-dpi-profiles.k8s.f5net.com                     2023-01-24T00:02:02Z
f5-big-fastl4-settings.k8s.f5net.com                  2023-01-24T00:02:02Z
f5-big-fw-policies.k8s.f5net.com                      2023-01-24T00:02:02Z
f5-big-ips-policies.k8s.f5net.com                     2023-01-24T00:02:02Z
f5-big-log-hslpubs.k8s.f5net.com                      2023-01-24T00:02:02Z
f5-big-log-profiles.k8s.f5net.com                     2023-01-24T00:02:03Z
f5-big-nat-policies.k8s.f5net.com                     2023-01-24T00:02:03Z
f5-big-net-staticroutes.k8s.f5net.com                 2023-01-24T00:02:03Z
f5-big-net-vlans.k8s.f5net.com                        2023-01-24T00:02:03Z
f5-big-pe-policies.k8s.f5net.com                      2023-01-24T00:02:03Z
f5-big-pe-profiles.k8s.f5net.com                      2023-01-24T00:02:03Z
f5-big-tcp-settings.k8s.f5net.com                     2023-01-24T00:02:03Z
f5-big-udp-settings.k8s.f5net.com                     2023-01-24T00:02:03Z
f5-big-zerorating-policies.k8s.f5net.com              2023-01-24T00:02:03Z

Upload the images¶

Use the following steps to upload the CNFs software images to a local container registry.

Install the CNFs images to your workstation’s Podman image store:
```
podman load -i tar/cnf-docker-images.tgz
```

List the CNF images to be tagged and pushed to the local container registry in the next step:

podman images --format "table {{.Repository}} {{.Tag}} {{.ID}}"

REPOSITORY                              TAG             IMAGE ID
local.registry/f5ingress                v9.2.11         1c827067cdc4
local.registry/f5dr-img-init            v0.7.8          926919d8cc68
local.registry/f5dr-img                 v0.7.8          e47812030b51
local.registry/tmm-img                  v3.1.6          f0e108408864
local.registry/f5-debug-sidecar         v7.18.3-0.0.20  3deb25c87d7a
local.registry/spk-cwc                  v3.0.7          7c6e3bddcf1e
local.registry/rabbit                   v3.0.2          d1b34116414b
local.registry/f5-dssm-upgrader         1.2.2           0a820a894522 
local.registry/f5-toda-tmstatsd         v4.0.5          1bf4abd7dc99
local.registry/f5-fluentbit             v0.7.0          dacc7d174284
local.registry/f5-license-helper        v3.0.5          0294fa432d3a
local.registry/f5-dssm-store            v3.3.1          6da480f24203
local.registry/f5-l4p-engine            v2.0.8          285f7c4bd4bd
local.registry/f5-nsec-ips-daemon       v2.1.2          3acee3a47373
local.registry/f5-fluentd               v1.5.0          90c441170966
local.registry/tmrouted-img             v0.10.3         0ec01528a2f0
local.registry/cert-manager-ctl         1.3.2           f12fe2000d77
local.registry/cert-manager-webhook     1.3.2           c7abc19e5278
local.registry/cert-manager-cainjector  1.3.2           6f627f2fddd2
local.registry/cert-manager-controller  1.3.2           b43f59f240d3
local.registry/opentelemetry-collector  0.62.1          ce87f9acddfa

Tag and push each image to the local container registry. For example:

podman tag <local.registry/image name>:<version> <registry>/<image name>:<version>

podman push <registry_name>/<image name>:<version>

In this example, the f5ingress:v9.2.11 image is tagged and pushed to the remote registry registry.com:

podman tag local.registry/f5ingress:v9.2.11 registry.com/f5ingress:v9.2.11

podman push registry.com/f5ingress:v9.2.11

_images/spk_info.png Note: If you encounter the “insufficient UIDs or GIDs available in user namespace” error while pushing the Docker image, kindly use the following command:

A. If you are pushing an image, use this command:

podman --storage-opt overlay.ignore_chown_errors=true push <registry>/<image name>:<version>

Example:

podman --storage-opt overlay.ignore_chown_errors=true push artifactory.f5net.com/f5-mbip-docker/f5-nsec-ips-daemon:v2.1.2

B. If you still encounter the error while pushing the image, increase the subuids and subgids range to larger values. Make sure the subuids and subgids fit within the required range.

Example:

sudo usermod --add-subuids 200000-2010000000 <USERNAME> 

sudo usermod --add-subgids 200000-2010000000 <USERNAME> 

Once all of the images have uploaded, verify the images exist in the local container registry:

curl -X GET https://<registry>/v2/_catalog -u <user:pass>

For example:

curl -X GET https://registry.com/v2/_catalog -u cnfadmin:cnfadmin

"repositories":["f5-debug-sidecar","f5-dssm-store","f5-fluentbit","f5-fluentd","f5-toda-tmstatsd","f5dr-img","f5ingress","tmm-img","tmrouted-img"]}

Next step¶

Continue to the CNFs Cert Manager guide to secure CNFs communications.

Feedback¶

Provide feedback to improve this document by emailing cnfdocs@f5.com.

Supplemental¶

Using Podman load.

Previous Next