Run the F5 Agent in global routed mode
Global routed mode lets you use BIG-IP device(s) as edge load balancer(s) for your OpenStack cloud.
This mode generally applies to BIG-IP device(s) that have an L2 connection to the OpenStack external provider network.
Because all tenants are in the BIG-IP global route domain (rd0),
- global routed mode doesn’t support Neutron tenant isolation, and
- the F5 Agent for OpenStack Neutron assumes that all L3 virtual IP addresses are globally routable.
Global routed mode uses BIG-IP Local Traffic Manager (LTM) secure network address translation (SNAT) ‘automapping’ to route traffic for OpenStack Neutron tenants.
- For incoming traffic, LTM maps the origin IP address to an IP address from the SNAT pool, ensuring the server response returns to the client through the BIG-IP system.
- For server-initiated traffic, LTM maps the server’s IP address to an IP address from the SNAT pool.
Important
SNAT automap allocates existing self IP addresses into a SNAT pool. Be sure to create enough self IPs to handle anticipated connection loads before deploying the F5 agent in global routed mode. [1]
Set-up
Important
The F5 agent cannot read existing BIG-IP configurations or non-Neutron network configurations. Be sure to set up the configuration file to correctly reflect the existing network architecture and the BIG-IP system configurations.
Edit the F5 Agent Configuration File
Use your text editor of choice to edit the F5 Agent Configuration File as appropriate for your environment.
vim /etc/neutron/services/f5/f5-openstack-agent.ini
Set the desired F5 agent configuration parameter(s). The example below represents the settings used in the F5 agent functional tests.
###############################################################################
# Copyright (c) 2015-2018, F5 Networks, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
###############################################################################
#
[DEFAULT]
#
debug = True
#
#periodic_interval = 10
#
# How often should the agent throw away its service cache and
# resync assigned services with the neutron LBaaS plugin.
#
service_resync_interval = 300
#
###############################################################################
# Environment Settings
###############################################################################
#
# Since many TMOS object names must start with an alpha character
# the environment_prefix is used to prefix all service objects.
#
environment_prefix = 'Test'
#
###############################################################################
# Static Agent Configuration Setting
###############################################################################
#
# Static configuration data to sent back to the plugin. This can be used
# on the plugin side of neutron to provide agent identification for custom
# pool to agent scheduling. This should be a single or comma separated list
# of name:value entries which will be sent in the agent's configuration
# dictionary to neutron.
#
static_agent_configuration_data =
#
###############################################################################
# Device Setting
###############################################################################
#
# HA mode
#
# Device can be required to be:
#
# standalone - single device no HA
# pair - active/standby two device HA
# scalen - active device cluster
#
f5_ha_type = standalone
#
###############################################################################
# L2 Segmentation Mode Settings
###############################################################################
#
# Device VLAN to interface and tag mapping
#
# For pools or VIPs created on networks with type VLAN we will map
# the VLAN to a particular interface and state if the VLAN tagging
# should be enforced by the external device or not. This setting
# is a comma separated list of the following format:
#
#    physical_network:interface_name:tagged, physical:interface_name:tagged
#
f5_external_physical_mappings = default:1.1:True
#
# VLAN device and interface to port mappings
#
vlan_binding_driver =
#
interface_port_static_mappings =
#
# Device Tunneling (VTEP) Self IPs
#
# This is the name of a BIG-IP self IP address to use for VTEP addresses.
#
#f5_vtep_folder = 'Common'
#f5_vtep_selfip_name = 'selfip.client'
#
# Tunnel types
#
#advertised_tunnel_types = vxlan
#
# Static ARP population for members on tunnel networks
#
f5_populate_static_arp = false
#
# Device Tunneling (VTEP) selfips
#
l2_population = True
#
# Hierarchical Port Binding
#
# If hierarchical networking is not required, these settings must be commented
# out or set to None.
#
# f5_network_segment_physical_network =
#
# f5_network_segment_polling_interval = 10
#
# f5_pending_services_timeout = 60
#
###############################################################################
# L3 Segmentation Mode Settings
###############################################################################
#
# Global Routed Mode - No L2 or L3 Segmentation on BIG-IP
#
# This setting will cause the agent to assume that all VIPs
# and pool members will be reachable via global device
# L3 routes, which must be already provisioned on the BIG-IPs.
#
f5_global_routed_mode = True
#
# This setting is forced to False if f5_global_routed_mode = True
use_namespaces = False
#
# max_namespaces_per_tenant = 1
#
f5_route_domain_strictness = False
#
# SNAT Mode and SNAT Address Counts
#
# This setting will force the use of SNATs.
# This setting will be forced to True if
# f5_global_routed_mode = True.
#
f5_snat_mode = True
#
# This setting will be forced to 0 (zero) if
# f5_global_routed_mode = True.
#
f5_snat_addresses_per_subnet = 0
#
# Common Networks
#
# This setting causes all network objects to be created in the /Common
# partition
#
f5_common_networks = False
#
# These settings are overruled when f5_common_external_networks = True
#
# This setting will cause all networks with
# the router:external attribute set to True
# to be created in the Common partition and
# placed in route domain 0.
#
f5_common_external_networks = True
#
common_network_ids = <Neutron_external_net_UUID>:external
#
# L3 Bindings
#
l3_binding_driver =
#
l3_binding_static_mappings =
#
###############################################################################
# Device Driver Setting
###############################################################################
#
f5_bigip_lbaas_device_driver = f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver.iControlDriver
#
###############################################################################
# Device Driver - iControl Driver Setting
###############################################################################
#
icontrol_hostname = DEVICE_IP
#
icontrol_username = USERNAME
#
icontrol_password = PASSWORD
#
password_cipher_mode = False
#
###############################################################################
# Certificate Manager
###############################################################################
# COMMENT OUT THIS ENTRY IF NOT USING BARBICAN TO MANAGE CERTS
#
cert_manager = f5_openstack_agent.lbaasv2.drivers.bigip.barbican_cert.BarbicanCertManager
#
# Two authentication modes are supported for BarbicanCertManager:
# keystone_v2, and keystone_v3
#
# Keystone v2 authentication:
#
# auth_version = v2
# os_auth_url = http://localhost:5000/v2.0
# os_username = USERNAME
# os_password = PASSWORD
# os_tenant_name = PROJECT
#
#
# Keystone v3 authentication:
#
auth_version = v3
os_auth_url = http://localhost:5000/v3
os_username = USERNAME
os_password = PASSWORD
os_user_domain_name = default
os_project_name = PROJECT
os_project_domain_name = default
#
#
# Parent SSL profile name
#
# An existing BIG-IP SSL profile you want to use as the parent SSL profile
# for the client SSL profiles created for TERMINATED_HTTPS LBaaS listeners.
#
f5_parent_ssl_profile = clientssl
#
Restart the F5 agent service.
CENTOS
systemctl restart f5-openstack-agent
UBUNTU
service f5-oslbaasv2-agent restart
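An added example, not part of the F5 documentation or the agent's code: a Python check to run against the edited configuration file before restarting the agent. It flags explicit values that conflict with what global routed mode forces, placeholder values left over from the example file, a non-loopback Keystone URL over plain http, and a password-bearing file that other users can access. The function name, the sample input and the loopback exemption are assumptions of this example.

```python
import configparser
import stat
from urllib.parse import urlparse

# Values the page says are forced when f5_global_routed_mode = True.
FORCED = {"use_namespaces": "false", "f5_snat_mode": "true",
          "f5_snat_addresses_per_subnet": "0"}
# Placeholder tokens used in the page's example file.
PLACEHOLDERS = {"DEVICE_IP", "USERNAME", "PASSWORD", "PROJECT"}
SECRET_KEYS = ("icontrol_password", "os_password")
LOOPBACK = {"localhost", "127.0.0.1", "::1"}  # assumption: local http is tolerated

# Constructed sample input, not a real deployment.
SAMPLE = """\
[DEFAULT]
f5_global_routed_mode = True
use_namespaces = True
f5_snat_addresses_per_subnet = 0
icontrol_password = PASSWORD
os_auth_url = http://keystone.example.net:5000/v3
common_network_ids = <Neutron_external_net_UUID>:external
"""


def lint_agent_config(text, file_mode=None):
    """Return a list of findings for the body of f5-openstack-agent.ini."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    conf = parser.defaults()  # the agent's settings live in [DEFAULT]
    findings = []
    if conf.get("f5_global_routed_mode", "").lower() == "true":
        for key, forced in FORCED.items():
            value = conf.get(key)
            if value is not None and value.lower() != forced:
                findings.append(f"{key}: '{value}' conflicts with global routed mode")
    for key, value in conf.items():
        if value in PLACEHOLDERS or (value.startswith("<") and ">" in value):
            findings.append(f"{key}: placeholder value left in place")
    url = urlparse(conf.get("os_auth_url", ""))
    if url.scheme == "http" and url.hostname not in LOOPBACK:
        findings.append("os_auth_url: Keystone credentials sent over plain http")
    if file_mode is not None and any(k in conf for k in SECRET_KEYS):
        if file_mode & (stat.S_IROTH | stat.S_IWOTH):
            findings.append("file: holds passwords but is accessible to other users")
    return findings


if __name__ == "__main__":
    print("\n".join(lint_agent_config(SAMPLE, file_mode=0o644)))
```

For a real file, pass its contents and stat.S_IMODE(os.stat(path).st_mode) as file_mode.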
What’s Next
See F5 Agent modes for detailed information regarding each of the Agent’s modes of operation and example use cases.
Footnotes
[1] In an overcloud deployment, BIG-IP Virtual Edition (VE) may allocate IP addresses automatically.