F5Networks / f5-declarative-onboarding

F5 BIG-IP Declarative Onboarding
Apache License 2.0

APM Provisioning and Import via BIG-IQ Fails #176

Closed HidingUnderMyRock closed 3 years ago

HidingUnderMyRock commented 4 years ago

Environment

Summary

Onboarding cluster via BIG-IQ with APM provisioned requires different declarations for each device, and specific order of operations to succeed.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Submit the following declarations to onboard each device in the cluster:

    {
        "class": "DO",
        "declaration": {
            "schemaVersion": "1.5.0",
            "class": "Device",
            "async": true,
            "Common": {
                "class": "Tenant",
                "hostname": "{{hostname}}.{{domain}}",
                "myLicense": {
                    "class": "License",
                    "licenseType": "licensePool",
                    "unitOfMeasure": "yearly",
                    "licensePool": "{{ltmLicensePool}}",
                    "skuKeyword1": "{{ltmLicenseSku}}",
                    "overwrite": true,
                    "bigIpUsername": "{{user}}",
                    "bigIpPassword": "{{password}}"
                },
                "myProvision": {
                    "class": "Provision",
                    "ltm": "nominal",
                    "asm": "nominal",
                    "avr": "nominal",
                    "afm": "nominal",
                    "apm": "nominal"
                },
                "myDbVariables": {
                    "class": "DbVariables",
                    "ui.advisory.enabled": "true",
                    "ui.advisory.color": "red",
                    "ui.advisory.text": "{{hostname}}.{{domain}}",
                    "provision.extramb": "500",
                    "restjavad.useextramb": "true"
                },
                "myDns": {
                    "class": "DNS",
                    "nameServers": [
                        "10.0.0.2"
                    ],
                    "search": [
                        "{{domain}}"
                    ]
                },
                "myNtp": {
                    "class": "NTP",
                    "servers": [
                        "pool.ntp.org"
                    ],
                    "timezone": "America/Chicago"
                },
                "ext_vlan": {
                    "class": "VLAN",
                    "interfaces": [
                        {
                            "name": "1.1",
                            "tagged": false
                        }
                    ]
                },
                "int_vlan": {
                    "class": "VLAN",
                    "interfaces": [
                        {
                            "name": "1.2",
                            "tagged": false
                        }
                    ]
                },
                "ext_self": {
                    "class": "SelfIp",
                    "address": "{{extIp}}/24",
                    "vlan": "ext_vlan",
                    "allowService": "none"
                },
                "int_self": {
                    "class": "SelfIp",
                    "address": "{{intIp}}/24",
                    "vlan": "int_vlan"
                },
                "defaultRoute": {
                    "class": "Route",
                    "gw": "10.0.11.1",
                    "network": "default"
                },
                "myConfigSync": {
                    "class": "ConfigSync",
                    "configsyncIp": "{{intIp}}"
                },
                "myFailoverUnicast": {
                    "class": "FailoverUnicast",
                    "address": "{{intIp}}"
                },
                "myDeviceTrust": {
                    "class": "DeviceTrust",
                    "localUsername": "{{user}}",
                    "localPassword": "{{password}}",
                    "remoteHost": "{{intIp}}",
                    "remoteUsername": "{{user}}",
                    "remotePassword": "{{password}}"
                },
                "syncFailoverGroup": {
                    "class": "DeviceGroup",
                    "type": "sync-failover",
                    "owner": "{{hostname}}.{{domain}}",
                    "members": [
                        "{{hostname}}.{{domain}}",
                        "{{hostname2}}.{{domain}}"
                    ],
                    "autoSync": true,
                    "asmSync": true,
                    "networkFailover": true
                }
            }
        },
        "targetUsername": "{{user}}",
        "targetHost": "{{mgmtIp}}",
        "targetPassphrase": "{{tempPassword}}",
        "bigIqSettings": {
            "failImportOnConflict": false,
            "conflictPolicy": "USE_BIGIQ",
            "deviceConflictPolicy": "USE_BIGIP",
            "versionedConflictPolicy": "KEEP_VERSION",
            "clusterName": "{{clusterName}}",
            "useBigiqSync": true,
            "statsConfig": {
                "enabled": true,
                "zone": "default"
            },
            "accessModuleProperties": {
                "cm:access:access-group-name": "{{clusterName}}",
                "cm:access:import-shared": true
            }
        }
    }

  2. Observe the following error response:

    {
        "code": 422,
        "status": "ERROR",
        "message": "failed",
        "errors": [
            "Failed to manage device for 10.0.1.78. See log for details: Import for access ended in a FAILED status with: Device '10.0.1.78' can only be added to access group (v15-cluster). Shared import of access group from this device is not allowed."
        ]
    }

Expected Behavior

The DO declaration should create the access cluster and import the standby device without forcing the user to send different declarations, or to send them in a specific order. This is how the creation of deviceTrust and deviceGroups is handled: each device receives identical declarations for these objects, and DO completes the task without regard for the order of operations or user knowledge.

Actual Behavior

Attempts to onboard and import a cluster with APM provisioned fail with the error provided.

dstokesf5 commented 3 years ago

@HidingUnderMyRock I have a few follow up questions as we triage this report:

  1. Have you tried using a newer version of Declarative Onboarding? The latest release is 1.19.0.
  2. Are you able to reproduce this issue when using Declarative Onboarding directly on a BIG-IP instead of going through BIG-IQ?
  3. According to this BIG-IQ documentation, the cm:access:import-shared property should be true for the first device and false for others. Is this the property you are referring to when you mention needing different declarations for each device?
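As an added example (not code from this issue, from the reporter, or from the Declarative Onboarding project), the script below takes a reduced copy of the templated declaration from the report, renders one declaration per cluster member, and sets cm:access:import-shared to true only for the first device, which is the per-device rule dstokesf5 quotes from the BIG-IQ documentation. It also lints each rendered declaration for unrendered placeholders and for SelfIp objects that do not explicitly set allowService to "none". The names TEMPLATE, DEVICES, COMMON, render, build_cluster_declarations and lint, the sample addresses and hostnames, and the lint policy itself are assumptions made for this example.

```python
"""Render one DO declaration per cluster member from a templated declaration,
with cm:access:import-shared true only on the first device, then lint each."""
import copy
import json
import re

# Constructed, reduced version of the declaration from the issue; only the
# parts this example touches are kept, with the same placeholder syntax.
TEMPLATE = {
    "class": "DO",
    "declaration": {
        "schemaVersion": "1.5.0",
        "class": "Device",
        "async": True,
        "Common": {
            "class": "Tenant",
            "hostname": "{{hostname}}.{{domain}}",
            "myProvision": {"class": "Provision", "ltm": "nominal", "apm": "nominal"},
            "ext_self": {"class": "SelfIp", "address": "{{extIp}}/24",
                         "vlan": "ext_vlan", "allowService": "none"},
            "int_self": {"class": "SelfIp", "address": "{{intIp}}/24",
                         "vlan": "int_vlan"},
            "syncFailoverGroup": {
                "class": "DeviceGroup", "type": "sync-failover",
                "owner": "{{hostname}}.{{domain}}",
                "members": ["{{hostname}}.{{domain}}", "{{hostname2}}.{{domain}}"],
            },
        },
    },
    "targetHost": "{{mgmtIp}}",
    "bigIqSettings": {
        "clusterName": "{{clusterName}}",
        "accessModuleProperties": {
            "cm:access:access-group-name": "{{clusterName}}",
            "cm:access:import-shared": True,
        },
    },
}

# Constructed sample inventory: values shared by the cluster and per-device values.
COMMON = {"domain": "example.test", "clusterName": "v15-cluster"}
DEVICES = [
    {"hostname": "bigip1", "extIp": "10.0.11.11", "intIp": "10.0.12.11", "mgmtIp": "10.0.1.11"},
    {"hostname": "bigip2", "extIp": "10.0.11.12", "intIp": "10.0.12.12", "mgmtIp": "10.0.1.12"},
]

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")


def render(node, values):
    """Recursively substitute {{name}} placeholders; fail loudly on an unknown name."""
    if isinstance(node, dict):
        return {k: render(v, values) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, values) for v in node]
    if isinstance(node, str):
        def sub(match):
            name = match.group(1)
            if name not in values:
                raise KeyError("no value for placeholder {{" + name + "}}")
            return values[name]
        return PLACEHOLDER.sub(sub, node)
    return node


def build_cluster_declarations(template, devices, common):
    """Return ordered (hostname, declaration) pairs. The first device creates the
    access group (import-shared true); every later device only joins it."""
    out = []
    for i, dev in enumerate(devices):
        values = dict(common, **dev)
        # hostname2 is the peer listed alongside this device in the DeviceGroup
        values["hostname2"] = devices[(i + 1) % len(devices)]["hostname"]
        decl = render(copy.deepcopy(template), values)
        props = decl["bigIqSettings"]["accessModuleProperties"]
        props["cm:access:import-shared"] = (i == 0)
        out.append((values["hostname"], decl))
    return out


def lint(decl):
    """Return a list of findings: SelfIp objects that do not explicitly set
    allowService to 'none' (this example's policy) and leftover placeholders."""
    problems = []
    for name, obj in decl["declaration"]["Common"].items():
        if isinstance(obj, dict) and obj.get("class") == "SelfIp":
            if obj.get("allowService") != "none":
                problems.append(name + ": allowService not set to 'none'")
    if PLACEHOLDER.search(json.dumps(decl)):
        problems.append("unrendered placeholder")
    return problems


if __name__ == "__main__":
    for hostname, decl in build_cluster_declarations(TEMPLATE, DEVICES, COMMON):
        shared = decl["bigIqSettings"]["accessModuleProperties"]["cm:access:import-shared"]
        print(hostname, "import-shared:", shared, "findings:", lint(decl))
```

The order of the returned list is the order in which the declarations would have to be submitted: the device with import-shared true must complete before the others are sent, which is exactly the ordering dependency the report describes. The lint is deliberately strict about allowService so that a self IP left at its default, as int_self is in the reported declaration, is surfaced before submission.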

dstokesf5 commented 3 years ago

Closing for inactivity. If you are still encountering the issue, please reopen this ticket or file a new one.