End-of-Life (EoL)
Bootstrap the VM-Series Firewall on KVM in OpenStack
You can bootstrap the KVM edition of the VM-Series
firewall in an OpenStack environment with:
- Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2 or Mirantis 7.0 running on Ubuntu 14.04.
- Support for OpenStack CLI only; the UI is not supported.
- Minimum PAN-OS version is PAN-OS 7.1.4.
- ISO9660 or VFAT configuration drive formats.
The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from a config-drive that attaches to the instance when it boots. The config-drive is limited to a maximum size of 64MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and /content must remain empty.
PAN-OS supports two methods for passing the bootstrap
package to the config-drive:
- file: passes the bootstrap package as cleartext files
- user-data: passes the bootstrap package in a compressed tar ball (.tgz file) with base64 encoding
To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse-based) has been patched with a fix for this Icehouse issue. Without the patch, passing a tar ball with the user-data method causes the nova boot command to fail.
You can use both methods concurrently in deployments where some files in the bootstrap package are static across all VM-Series instances while other files are unique to each firewall. If you include files using both methods, the compute node unpacks the tar ball first, and any files passed with the --file argument overwrite duplicate files from the tar ball.
- Place the bootstrap package in your OpenStack environment. When using macOS to create your tar ball, you must create it with a GNU version of tar. The BSD version of tar that is built into macOS generates an invalid tar ball that the VM-Series firewall cannot read.
- Access the OpenStack CLI.
- Save the bootstrap package and PAN-OS image in a location accessible by the OpenStack controller node.
- If using the --user-data method to pass the bootstrap package to the config-drive, you can use the following command to create the tar ball: tar -cvzf <file-name>.tgz config/ license software content
- If using the --user-data method, encode the tar ball (.tgz file) with base64: base64 -i <in-file> -o <out-file> (this is the macOS syntax; with GNU coreutils, use base64 <in-file> > <out-file>).
- Retrieve the network UUID(s). To attach a NIC to the VM-Series firewall instance with the --nic net-id= argument, you need the network UUID. You can retrieve the network UUID through the OpenStack CLI with the following command: neutron net-list
- Deploy the firewall. There are three methods for populating a config-drive with the bootstrap package and attaching it to the host VM. Complete the command sequence of your choice on the OpenStack controller node. See the following table for descriptions of the arguments required for bootstrapping.
  - --user-data: nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
  - --file: nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /license/authcodes=<source-path> --file /config/init-cfg.txt=<source-path> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
  - --user-data and --file: nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /config/init-cfg.txt=<source-path> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
The nova boot command and the following arguments are required to bootstrap the VM-Series firewall on KVM in OpenStack.
Arguments | Description |
---|---|
nova boot | Boots a new compute instance. |
--config-drive true | Enables the config-drive. |
--image | Specifies the PAN-OS image file. Only the image name is required. This base image file is required to launch the VM-Series firewall. You can view a list of images available in your OpenStack environment with the following command: |
--flavor | The VM instance type. Ensure that you select a flavor that provides the hardware resources required for your VM-Series firewall. You can view a list of available flavors and their hardware resources with the following command: See VM-Series on KVM: Requirements and Prerequisites for the minimum hardware resources required by the KVM VM-Series firewall. |
--user-data | Passes the tar ball containing the bootstrap package to the config-drive. |
--file | Passes the init-cfg.txt file and license file as cleartext files to the config-drive. For the bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the /license/license.key or /license/authcodes argument. Optionally, bootstrap.xml files are also supported. The Server Personality defines the maximum number of files that can be passed using the --file argument. Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is five, so at most five files can be passed this way. Exceeding this limit generates an error message. If you need to pass more files than this limit allows, use the user-data method or the combined user-data and file method. |
--nic net-id=<network UUID> | Creates a NIC on the VM-Series firewall attached to the network with the specified UUID. You should create at least two NICs: one for a management port and one for a data port. |
--security-groups | A comma-separated list of security groups that control access to the VM-Series firewall. If you do not specify a security group, the VM is placed in the default security group. |
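The following script is an added example, not part of the Palo Alto Networks documentation or of the PAN-OS tooling. It walks the steps above in order: it lays out the bootstrap package, checks the constraints the page states (init-cfg.txt plus a license file present, /software and /content empty, total size under the 64MB config-drive cap), refuses BSD tar unless explicitly overridden, builds and base64-encodes the tar ball with a command that works on both GNU coreutils and macOS, reads the Personality limit from nova absolute-limits output before committing to --file, and then prints the combined --user-data and --file nova boot command rather than running it. The directory names, the sample init-cfg.txt and authcodes contents, the image and flavor names, the network UUID placeholders, and the nova absolute-limits output are all constructed for illustration and are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks page): prepare and sanity-check a
# VM-Series bootstrap package for the OpenStack config-drive, then emit nova boot.
# Assumed/constructed: directory layout, sample file contents, image/flavor names,
# network UUID placeholders, and the nova absolute-limits sample output below.

MAX_KB=65536   # 64 MB config-drive cap from the page, in KiB

# Constructed sample of `nova absolute-limits` output (only the Personality row matters).
SAMPLE_LIMITS='+--------------------+------+-------+
| Name               | Used | Max   |
+--------------------+------+-------+
| Cores              | 2    | 20    |
| Personality        | -    | 5     |
| Personality Size   | -    | 10240 |
+--------------------+------+-------+'

# Create the four top-level directories a bootstrap package expects.
make_layout() {
    mkdir -p "$1/config" "$1/license" "$1/software" "$1/content"
}

# Check that the package can ride on a config-drive: required files present,
# /software and /content empty, total size below the 64 MB cap.
check_package() {
    dir=$1
    [ -f "$dir/config/init-cfg.txt" ] || { echo "missing config/init-cfg.txt" >&2; return 1; }
    [ -f "$dir/license/authcodes" ] || [ -f "$dir/license/license.key" ] \
        || { echo "need license/authcodes or license/license.key" >&2; return 1; }
    for d in software content; do
        if [ -n "$(ls -A "$dir/$d" 2>/dev/null)" ]; then
            echo "$d/ must be empty for a config-drive bootstrap" >&2; return 1
        fi
    done
    size_kb=$(du -sk "$dir" | cut -f1)
    [ "$size_kb" -lt "$MAX_KB" ] || { echo "package exceeds 64 MB" >&2; return 1; }
}

# macOS ships BSD tar, whose archive the firewall cannot read: prefer GNU tar
# (gtar from Homebrew/MacPorts) and fail unless ALLOW_NON_GNU_TAR=1 is set.
gnu_tar() {
    for t in gtar tar; do
        if "$t" --version 2>/dev/null | grep -q 'GNU tar'; then echo "$t"; return 0; fi
    done
    if [ "${ALLOW_NON_GNU_TAR:-0}" = 1 ]; then
        echo "warning: GNU tar not found; the firewall may reject this archive" >&2
        echo tar; return 0
    fi
    echo "GNU tar not found; install gtar or set ALLOW_NON_GNU_TAR=1" >&2; return 1
}

# Build <tgz> from the package directory and write its base64 form to <b64>.
# `base64 < file` works on both GNU coreutils and macOS, unlike `base64 -i/-o`.
build_user_data() {
    dir=$1; tgz=$2; b64=$3
    check_package "$dir" || return 1
    tar_bin=$(gnu_tar) || return 1
    "$tar_bin" -czf "$tgz" -C "$dir" config/ license/ software/ content/ || return 1
    base64 < "$tgz" > "$b64"
}

# Extract the Personality (file injection) limit from `nova absolute-limits` on stdin.
personality_limit() {
    awk -F'|' '$2 ~ /^ *Personality *$/ { gsub(/ /, "", $4); print $4 }'
}

# Refuse a --file list longer than the Personality limit; move the rest to --user-data.
check_file_count() {
    limit=$1; count=$2
    [ "$count" -le "$limit" ] \
        || { echo "$count --file arguments exceed the Personality limit of $limit" >&2; return 1; }
}

# Print (do not run) the combined --user-data and --file form of nova boot.
# Usage: nova_boot_cmd <name> <image> <flavor> <b64> <init-cfg.txt> <net-id>...
nova_boot_cmd() {
    name=$1; image=$2; flavor=$3; b64=$4; initcfg=$5; shift 5
    cmd="nova boot --config-drive true --image $image --flavor $flavor"
    cmd="$cmd --file /config/init-cfg.txt=$initcfg --user-data $b64 --security-groups default"
    for net in "$@"; do cmd="$cmd --nic net-id=$net"; done
    echo "$cmd $name"
}

# Demo run (BOOTSTRAP_DEMO=1 sh this-script.sh); all values are constructed placeholders.
if [ "${BOOTSTRAP_DEMO:-0}" = 1 ]; then
    work=$(mktemp -d)
    make_layout "$work/pkg"
    printf 'type=dhcp-client\nhostname=vm-series-1\n' > "$work/pkg/config/init-cfg.txt"
    printf 'AUTHCODE-PLACEHOLDER\n' > "$work/pkg/license/authcodes"
    build_user_data "$work/pkg" "$work/bootstrap.tgz" "$work/bootstrap.b64" || exit 1
    limit=$(printf '%s\n' "$SAMPLE_LIMITS" | personality_limit)
    check_file_count "$limit" 1 || exit 1
    nova_boot_cmd vm-series-1 pan-os-7.1.4 m1.large "$work/bootstrap.b64" \
        "$work/pkg/config/init-cfg.txt" MGMT-NET-UUID ETH1-NET-UUID
fi
```

The security group is hard-coded to default here only as a placeholder; in a real deployment, pass a group that restricts who can reach the management NIC, since the config-drive carries the firewall's initial configuration and license material in cleartext.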