You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with:
Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2, or Mirantis 7.0 running on Ubuntu 14.04.
Support for the OpenStack CLI only; the UI is not supported.
PAN-OS 7.1.4 or later (the minimum supported version).
ISO9660 or VFAT configuration drive formats.
The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from a config-drive that attaches to the instance when it boots. The config-drive is limited to a maximum size of 64MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and /content must remain empty.
PAN-OS supports two methods for passing the bootstrap package to the config-drive:
file: passes the bootstrap package as cleartext files.
user-data: passes the bootstrap package in a compressed tar ball (.tgz file).
To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse-based) has been patched with the fix for the related Icehouse issue. Without the patch, passing a tar ball with the user-data method causes the nova boot command to fail.
You can use both methods concurrently in deployments where some files in the bootstrap package are static across all VM-Series instances while other files are unique to each firewall. If you include files using both methods, the compute node unpacks the tar ball first, and any file passed with the --file argument overwrites a file of the same path from the tar ball.
Bootstrap the VM-Series Firewall on KVM in OpenStack
Place the bootstrap package in your OpenStack environment.
Prepare the Bootstrap Package.
Access the OpenStack CLI.
Save the bootstrap package and the PAN-OS image in a location accessible to the OpenStack controller node.
If you are using the --user-data method to pass the bootstrap package to the config-drive, you can create the tar ball with the following command, run from the directory that contains the four package directories so that they sit at the root of the archive (software and content are included but must be empty):
tar -cvzf <file-name>.tgz config/ license software content
Retrieve the network UUID(s).
To attach a NIC to the VM-Series firewall instance with the --nic net-id= argument, you need the network UUID. You can retrieve it through the OpenStack CLI with the following command:
neutron net-list
Deploy the firewall.
There are three methods for populating a config-drive with the bootstrap package and attaching it to the host VM. Complete the command sequence of your choice on the OpenStack controller node. See Nova Boot Command Arguments for descriptions of the arguments required for bootstrapping.
--user-data
nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
--file
nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /license/authcodes=<source-path> --file /config/init-cfg.txt=<source-path> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
--user-data and --file
nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /config/init-cfg.txt=<source-path> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
In the combined form, the init-cfg.txt passed with --file overwrites any init-cfg.txt in the tar ball, which is how you give each firewall its own settings while sharing the rest of the package.
Verify Bootstrap Completion.
Nova Boot Command Arguments
The nova boot command and the following arguments are required to Bootstrap the VM-Series Firewall on KVM in OpenStack.
Argument / Description

nova boot
Used to boot a new compute instance.

--config-drive true
Enables the config-drive.

--image
Specifies the PAN-OS image file. Only the image name is required. This base image file is required to launch the VM-Series firewall. You can view a list of the images available in your OpenStack environment with the following command:
nova image-list

--flavor
The VM instance type. Ensure that you select a flavor that provides the hardware resources required for your VM-Series firewall. You can view a list of available flavors and their hardware resources with the following command:
nova flavor-list
See VM-Series on KVM— Requirements and Prerequisites for the minimum hardware resources required by the VM-Series firewall on KVM.

--user-data
Used to pass the tar ball containing the bootstrap package to the config-drive.

--file
Used to pass the init-cfg.txt file and the license file as cleartext files to the config-drive. For the bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the /license/license.key= or the /license/authcodes= argument. A bootstrap.xml file is optionally supported as well:
--file /config/init-cfg.txt=<source-path>
--file /config/bootstrap.xml=<source-path>
--file /license/license.key=<source-path>
--file /license/authcodes=<source-path>
The Server Personality defines the maximum number of files that can be passed using the --file argument. Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is five, so at most five files can be passed this way (Personality Size, 65536 here, limits the bytes of content per injected file).
nova absolute-limits
+--------------------+-------+--------+
| Name               | Used  | Max    |
+--------------------+-------+--------+
| Cores              | 18    | 240    |
| FloatingIps        | 0     | 10     |
| ImageMeta          | -     | 128    |
| Instances          | 12    | 1000   |
| Keypairs           | -     | 100    |
| Personality        | -     | 5      |
| Personality Size   | -     | 65536  |
| RAM                | 32256 | 393216 |
| SecurityGroupRules | -     | 20     |
| SecurityGroups     | 1     | 10     |
| Server Meta        | -     | 128    |
| ServerGroupMembers | -     | 10     |
| ServerGroups       | 0     | 10     |
+--------------------+-------+--------+
Exceeding this limit generates an error message. If you need to pass more files than this limit allows, use the user-data method or the combined user-data and file method.

--nic net-id=<network UUID>
Creates a NIC on the VM-Series firewall attached to the network with the specified UUID. You should create at least two NICs: one for the management port and one for a data port.

--security-groups
You can provide a comma-separated list of security groups that control access to the VM-Series firewall. If you do not specify a security group, the VM is placed in the default security group.
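To tie the bootstrap procedure above to the --file Personality limit described in the argument table, here is a small POSIX shell script, added as an example for this page and not part of Palo Alto Networks' documentation or tooling. It checks a bootstrap package against the config-drive rules on this page (init-cfg.txt and a license file present, /software and /content empty, under 64MB), parses the Personality limit out of saved nova absolute-limits output, chooses between the --file and --user-data methods from that limit, builds the .tgz with the same tar invocation as above, and assembles the --user-data form of the nova boot command line without running it. The package layout and file names are the documented ones; the sample init-cfg.txt lines, the placeholder auth code, the network IDs NET-MGMT and NET-ETH1, the image and flavor names, the two-NIC command form and the treatment of 64MB as 65536KB are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Palo Alto Networks' own code): validate a VM-Series
# bootstrap package for the OpenStack config-drive, build the user-data tar
# ball, and pick --file or --user-data from the Personality limit that
# "nova absolute-limits" reports. Assumptions: the documented package layout
# (config/ license/ software/ content/) and file names; the 64MB drive limit
# is compared as 65536KB from "du -k".

# Fail if the package cannot bootstrap from a config-drive: config/init-cfg.txt
# and a license file are required, software/ and content/ must be empty, and
# the whole package must fit in 64MB.
check_bootstrap_package() {
    pkg=$1
    [ -f "$pkg/config/init-cfg.txt" ] || { echo "missing config/init-cfg.txt" >&2; return 1; }
    if [ ! -f "$pkg/license/authcodes" ] && [ ! -f "$pkg/license/license.key" ]; then
        echo "missing license/authcodes or license/license.key" >&2
        return 1
    fi
    for d in software content; do
        if [ -d "$pkg/$d" ] && [ "$(find "$pkg/$d" -type f | wc -l | tr -d ' ')" -ne 0 ]; then
            echo "$d/ must be empty for the config-drive method" >&2
            return 1
        fi
    done
    size_kb=$(du -sk "$pkg" | cut -f1)
    if [ "$size_kb" -ge 65536 ]; then
        echo "package is ${size_kb}KB, config-drive limit is 64MB" >&2
        return 1
    fi
    return 0
}

# Number of files the --file method would have to inject (config/ + license/).
count_cleartext_files() {
    find "$1/config" "$1/license" -type f | wc -l | tr -d ' '
}

# Extract the Max column of the Personality row from "nova absolute-limits"
# output read on stdin (the "Personality Size" row is deliberately not matched).
personality_limit() {
    awk -F'|' '$2 ~ /^ *Personality *$/ { gsub(/ /, "", $4); print $4 }'
}

# Choose the method: --file if the cleartext files fit within the Personality
# limit, otherwise --user-data (the tar ball is one item regardless of size).
choose_method() {
    if [ "$(count_cleartext_files "$1")" -le "$2" ]; then
        echo file
    else
        echo user-data
    fi
}

# Build the .tgz the way the page's tar command does, from inside the package
# so that config/, license/, software/ and content/ sit at the archive root.
build_user_data_tgz() {
    check_bootstrap_package "$1" || return 1
    tar -czf "$2" -C "$1" config license software content
}

# Assemble (but do not execute) the --user-data form of nova boot.
# $1 name, $2 image, $3 flavor, $4 tgz path, $5 security group,
# $6 management net-id, $7 first data net-id.
nova_boot_user_data_cmd() {
    printf 'nova boot --config-drive true --image %s --flavor %s --user-data %s --security-groups %s --nic net-id=%s --nic net-id=%s %s\n' \
        "$2" "$3" "$4" "$5" "$6" "$7" "$1"
}

# Constructed sample package and a constructed absolute-limits row (assumed).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/pkg/config" "$tmp/pkg/license" "$tmp/pkg/software" "$tmp/pkg/content"
    printf 'type=dhcp-client\nhostname=vm-series-1\n' > "$tmp/pkg/config/init-cfg.txt"
    printf 'XXXXXXX\n' > "$tmp/pkg/license/authcodes"   # placeholder auth code
    limit=$(printf '| Personality        | -     | 5      |\n' | personality_limit)
    method=$(choose_method "$tmp/pkg" "$limit")
    build_user_data_tgz "$tmp/pkg" "$tmp/bootstrap.tgz"
    nova_boot_user_data_cmd vm-series-1 pan-os-image m1.large "$tmp/bootstrap.tgz" default NET-MGMT NET-ETH1
    echo "Personality limit $limit, method chosen: $method"
    rm -rf "$tmp"
}
demo
```

Run it from any host with tar and awk; nothing here talks to OpenStack, so the printed nova boot line is what you would paste on the controller node after substituting real image, flavor and network UUIDs from nova image-list, nova flavor-list and neutron net-list.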