F5Networks / f5-cloud-libs

Node.js libraries to assist in cloud deployments.
Apache License 2.0

network.js needs "none" as default port lockdown setting instead of "default" #4

Closed writemike closed 6 years ago

writemike commented 6 years ago

Hello, as I'm using network.js to create self-IPs from a cloud-config script nested in a Heat template, I have noticed that every self-IP defaults to the "default" port lockdown list when the option is left blank.

Example 1: Works to assign "default" port lockdown:

```
/usr/bin/f5-rest-node /config/cloud/f5-cloud-libs/scripts/network.js -o /var/log/onboard-network.log --host 10.59.25.14 --user admin --password admin --self-ip "name:internal4-1.2_self, address:10.0.3.6/24, vlan:internal-1.2, allow:default"
```

Example 2: Hangs the script:

```
/usr/bin/f5-rest-node /config/cloud/f5-cloud-libs/scripts/network.js -o /var/log/onboard-network.log --host 10.59.25.14 --user admin --password admin --self-ip "name:internal4-1.2_self, address:10.0.3.6/24, vlan:internal-1.2, allow:none"
```

Example 3: Works to assign "default" port lockdown:

```
/usr/bin/f5-rest-node /config/cloud/f5-cloud-libs/scripts/network.js -o /var/log/onboard-network.log --host 10.59.25.14 --user admin --password admin --self-ip "name:internal4-1.2_self, address:10.0.3.6/24, vlan:internal-1.2"
```

I have changed `allowService: selfIp.allow ? selfIp.allow.split(/\s+/) : 'default'` to `allowService: selfIp.allow ? selfIp.allow.split(/\s+/) : 'none'`, which works, but maybe I'm missing something obvious to assign "none" as the port lockdown setting?

Thanks, Mike
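An added example (not code from f5-cloud-libs or from the poster): a parser for the `--self-ip` key:value string format used in the commands above, deriving an `allowService` value that accepts the keywords `none`, `all` and `default` or a whitespace-separated list of protocol:port entries, and falling back to `none` when `allow` is omitted. The function names and the validation rules are assumptions of this example.

```javascript
// Added example (not f5-cloud-libs code): parse the --self-ip option string
// shown in the issue and derive allowService for the self-IP.
// Assumptions: fields are "key:value" pairs separated by commas; the allow
// value is a keyword (none/all/default) or whitespace-separated protocol:port
// entries; a missing allow falls back to 'none' (closed by default).
'use strict';

const ALLOW_KEYWORDS = new Set(['none', 'all', 'default']);

// Split "name:foo, address:10.0.3.6/24, allow:tcp:443 tcp:22" into fields.
// Only the first ':' separates key from value, so "tcp:443" survives intact.
function parseSelfIp(optionString) {
  const fields = {};
  for (const part of optionString.split(',')) {
    const trimmed = part.trim();
    if (trimmed === '') continue;
    const idx = trimmed.indexOf(':');
    if (idx === -1) throw new Error(`malformed self-ip field: "${trimmed}"`);
    fields[trimmed.slice(0, idx).trim()] = trimmed.slice(idx + 1).trim();
  }
  return fields;
}

// Map the allow field to an allowService setting: a bare keyword is passed as a
// string, anything else is validated as a list of protocol:port entries.
function allowServiceFor(allow) {
  if (allow === undefined || allow === '') return 'none';
  const lowered = allow.toLowerCase();
  if (ALLOW_KEYWORDS.has(lowered)) return lowered;
  const entries = allow.split(/\s+/);
  for (const entry of entries) {
    if (!/^[a-z0-9]+:\d+$/i.test(entry)) {
      throw new Error(`invalid allow entry "${entry}" (expected protocol:port)`);
    }
  }
  return entries;
}

// Build the self-IP object with the required fields and the derived lockdown.
function buildSelfIp(optionString) {
  const f = parseSelfIp(optionString);
  if (!f.name || !f.address || !f.vlan) {
    throw new Error('self-ip requires name, address and vlan');
  }
  return { name: f.name, address: f.address, vlan: f.vlan, allowService: allowServiceFor(f.allow) };
}
```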

kaustriaf5 commented 6 years ago

@writemike Please correct me if I'm wrong, but it sounds like you may be using the heat orchestration templates. If so, the default is noted in the READMEs and in each template's parameter description:

```yaml
  bigip_self_port_lockdown:
    type: comma_delimited_list
    label: f5 BIG-IP VE VLAN Allow Services
    description: Optional list of <service:port> lockdown settings for the VLAN. If no value is supplied, default is used.
    default:
      -
```

None is a reserved keyword for OpenStack templates, so you'll have to use another param value (allow-none) to specify allow:none. (Please be aware that this is not implemented yet. It is commented in the onboard-network.sh script.)

There is a pending f5-cloud-libs fix for allowing port lockdown settings for allow:all and allow:none and the corresponding HOT templates will be updated in the next release.

Thanks, Kat

writemike commented 6 years ago

Thanks Kat! I'm using a modified version of this heat template, which uses the Node.js version of the f5-cloud-libs found in this GitHub project: https://github.com/f5devcentral/f5-cloud-init-examples/blob/master/openstack-heat/cluster/3nic/f5_ve_cluster_member1_3_nic_bigiq_license.yaml. If I'm understanding you correctly, defining a self-IP port lockdown of "none" is currently not supported from a Heat template, Bash script or Node.js automated instantiation of a BIG-IP. Correct? Any estimations on the next release date? Thanks again!

seattlevine commented 6 years ago

Our upcoming release (cloud release 9) will support 'none' and 'all' for port lockdown. This is due out in roughly 2 months.

writemike commented 6 years ago

Thank you!