F5Networks / f5-openstack-agent

The F5 Agent for OpenStack Neutron allows you to deploy BIG-IP services in an OpenStack environment.
http://clouddocs.f5.com/products/openstack/agent/latest
Apache License 2.0

ESD with lbaas_fallback_persist tag does not apply fallback persistence #1046

Closed jgruber closed 6 years ago

jgruber commented 7 years ago

Agent Version

9.4.0 (and 10.1.0)

Operating System

CentOS 7

OpenStack Release

Mitaka (tested Newton too)

Description

Adding an ESD with both lbaas_persist of 'cookie' and lbaas_fallback_persist also set does not implement fallback persistence. This is the required configuration for J2EE applications and is one of the most common combinations in LTM configurations.

An example ESD:

"dmzmobile": {
    "lbaas_ctcp": "tcp-mobile-optimized",
    "lbaas_stcp": "tcp-lan-optimized",
    "lbaas_cssl_profile": "clientssl-secure",
    "lbaas_sssl_profile": "serverssl",
    "lbaas_irule": ["server_header_scrub", "cve-2017-5638", "cve-2015-1635", "cve-2013-0156"],
    "lbaas_policy": ["dmz"],
    "lbaas_persist": "cookie",
    "lbaas_fallback_persist": "source_addr"
}

Deployment

Deploy the above ESD (you can leave out the irules and policy; the full BIG-IP objects are available if you want them), defining both lbaas_persist and lbaas_fallback_persist tags per the default /Common/cookie and /Common/source_addr profiles on every BIG-IP.

This is what your virtual will look like before the ESD:

ltm virtual prod_5a9850a2-3348-4181-a8e0-7a42db8465c0 {
    description test_lb01_listener:
    destination prod_16f35d9e-b37a-49e8-96cd-f9e720fb8391:https
    ip-protocol tcp
    mask 255.255.255.255
    partition prod_d303c30a319d422097e5ab0be7b619cd
    persist {
        /Common/cookie {
            default yes
        }
    }
    pool prod_f7be74bc-2f4e-4714-963f-ba536d02c4e2
    profiles {
        /Common/http { }
        /Common/oneconnect { }
        /Common/tcp { }
    }
    source 0.0.0.0%1/0
    source-address-translation {
        pool prod_d303c30a319d422097e5ab0be7b619cd
        type snat
    }
    translate-address enabled
    translate-port enabled
    vlans {
        tunnel-vxlan-1089
    }
    vlans-enabled
    vs-index 5
}

This is what it will look like after:

ltm virtual prod_5a9850a2-3348-4181-a8e0-7a42db8465c0 {
    description test_lb01_listener:
    destination prod_16f35d9e-b37a-49e8-96cd-f9e720fb8391:https
    ip-protocol tcp
    mask 255.255.255.255
    partition prod_d303c30a319d422097e5ab0be7b619cd
    persist {
        /Common/cookie {
            default yes
        }
    }
    policies {
        /Common/dmz { }
    }
    pool prod_f7be74bc-2f4e-4714-963f-ba536d02c4e2
    profiles {
        /Common/clientssl-secure {
            context clientside
        }
        /Common/http { }
        /Common/oneconnect { }
        /Common/serverssl {
            context serverside
        }
        /Common/tcp-lan-optimized {
            context serverside
        }
        /Common/tcp-mobile-optimized {
            context clientside
        }
    }
    rules {
        /Common/server_header_scrub
        /Common/cve-2017-5638
        /Common/cve-2015-1635
        /Common/cve-2013-0156
    }
    source 0.0.0.0%1/0
    source-address-translation {
        pool prod_d303c30a319d422097e5ab0be7b619cd
        type snat
    }
    translate-address enabled
    translate-port enabled
    vlans {
        tunnel-vxlan-1089
    }
    vlans-enabled
    vs-index 5
}

There is no fallback persistence applied.

richbrowne commented 6 years ago

Fixed by commit: ffe2b124bb51f10b0eb10d774720d9985507b66b
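
A check for the mismatch reported in this issue, as an added example that is not part of the original thread or the agent's code: it parses multi-line `tmsh list ltm virtual` output and reports which ESD persistence tags the virtual does not reflect. The function names, the abridged listing and the constructed `FIXED` listing are assumptions; `fallback-persistence` is the tmsh virtual-server attribute that names a fallback persistence profile.

```python
# ESD persistence tags from the issue; REPORTED is abridged from its "after" listing.
ESD = {"lbaas_persist": "cookie", "lbaas_fallback_persist": "source_addr"}
REPORTED = """\
ltm virtual prod_5a9850a2-3348-4181-a8e0-7a42db8465c0 {
    persist {
        /Common/cookie {
            default yes
        }
    }
    profiles {
        /Common/http { }
    }
    vlans-enabled
}
"""
# Constructed sample: the same virtual with the fallback attribute present.
FIXED = REPORTED.replace(
    "    profiles {", "    fallback-persistence /Common/source_addr\n    profiles {")


def parse_tmsh(text):
    """Parse multi-line tmsh list output into nested dicts, one attribute per line."""
    root = {}
    stack = [root]
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "}":
            stack.pop()
        elif line.endswith("{ }"):          # empty block, e.g. "/Common/http { }"
            stack[-1][line[:-3].strip()] = {}
        elif line.endswith("{"):            # block opener: descend into a new dict
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line:                          # "key value" pair or bare flag
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip()
    return root


def persistence_gaps(esd, listing, folder="/Common/"):
    """Return the ESD persistence tags that the listed virtual does not reflect."""
    virtual = next(iter(parse_tmsh(listing).values()))
    persist = virtual.get("persist")
    applied = persist if isinstance(persist, dict) else {}  # "persist none" is a string
    gaps = []
    if "lbaas_persist" in esd and folder + esd["lbaas_persist"] not in applied:
        gaps.append("lbaas_persist")
    fallback = esd.get("lbaas_fallback_persist")
    if fallback and virtual.get("fallback-persistence") != folder + fallback:
        gaps.append("lbaas_fallback_persist")
    return gaps
```
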