Bootstrap the VM-Series Firewall on KVM in OpenStack

You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with:
  • Red Hat OpenStack Platform 5 or OpenStack Platform 7 running on Red Hat Enterprise Linux 7.2, or Mirantis 7.0 running on Ubuntu 14.04.
  • Support for OpenStack CLI only; the UI is not supported.
  • Minimum PAN-OS version is PAN-OS 7.1.4.
  • ISO9660 or VFAT configuration drive formats.
The KVM edition of the VM-Series firewall in an OpenStack environment reads the bootstrap package from a config-drive that attaches to the instance when it boots. The config-drive is limited to a maximum size of 64MB. Therefore, only /config and /license of the Bootstrap Package can have content; /software and /content must remain empty.
PAN-OS supports two methods for passing the bootstrap package to the config-drive:
  • file: passes the bootstrap package as cleartext files
  • user-data: passes the bootstrap package in a compressed tar ball (.tgz file) with base64 encoding
Base64 is an encoding, not encryption: with either method the license keys, auth codes and initial configuration reach the config-drive in a form readable by anyone who can read that drive or the instance metadata, so restrict who can access the instance and the files you stage on the controller node.
To use the user-data method, ensure that your version of OpenStack Platform 5 (Icehouse-based) has been patched with a fix for this Icehouse issue. Without the patch, passing a tar ball with the user-data method causes the nova boot command to fail.
You can use both methods concurrently in deployments where some files in the bootstrap package are static across all VM-Series instances while other files are unique to each firewall. If you include files using both methods, the compute node unpacks the tar ball first, and any files passed with --file overwrite duplicate files from the tar ball.
  1. Place the bootstrap package in your OpenStack environment.
    When using macOS to create your tar ball, you must create it with a GNU version of tar. The BSD version of tar that is built into macOS generates an invalid tar ball that the VM-Series firewall cannot read.
    1. Access the OpenStack CLI.
    2. Save the bootstrap package and PAN-OS image in a location accessible by the OpenStack controller node.
    3. If using the --user-data method to pass the bootstrap package to the config-drive, create the tar ball with the following command (software/ and content/ are included but must be empty):
       tar -cvzf <file-name>.tgz config/ license/ software/ content/
    4. If using the --user-data method, encode the tar ball (.tgz file) with base64. On macOS:
       base64 -i <in-file> -o <outfile>
       The -i and -o options are macOS syntax; GNU coreutils base64 on Linux takes no output option, so use base64 <in-file> > <outfile> instead.
  2. Retrieve the network UUID(s).
    To attach a NIC to the VM-Series firewall instance with the --nic net-id= argument, you need the network UUID. You can retrieve the network UUID through the OpenStack CLI by using the following command:
    neutron net-list
  3. Deploy the firewall.
    There are three ways to populate a config-drive with the bootstrap package and attach it to the instance: --user-data, --file, or both. Complete the command of your choice on the OpenStack controller node. See the table in the next step for descriptions of the arguments required for bootstrapping.
    • --user-data
      nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
    • --file
      nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /license/authcodes=<source-path> --file /config/init-cfg.txt=<source-path> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
    • --user-data and --file
      nova boot --config-drive true --image <pan-os-image-file-name> --flavor <flavor> --file /config/init-cfg.txt=<source-path> --user-data <tgz location and filename> --security-groups <security-group> --nic net-id=<mgmt nic net-id> --nic net-id=<eth1 nic net-id> --nic net-id=<eth2 nic net-id> <vm-series name>
  4. The nova boot command and the following arguments are required to Bootstrap the VM-Series Firewall on KVM in OpenStack.
    • nova boot
      Boots a new compute instance.
    • --config-drive true
      Enables the config-drive.
    • --image <pan-os-image-file-name>
      Specifies the PAN-OS image. Only the image name is required. This base image is required to launch the VM-Series firewall. List the images available in your OpenStack environment with:
      nova image-list
    • --flavor <flavor>
      The VM instance type. Select a flavor that provides the hardware resources required for your VM-Series firewall. List the available flavors and their hardware resources with:
      nova flavor-list
      See VM-Series on KVM— Requirements and Prerequisites for the minimum hardware resources required by the KVM VM-Series firewall.
    • --user-data <tgz location and filename>
      Passes the tar ball containing the bootstrap package to the config-drive.
    • --file <destination-path>=<source-path>
      Passes the init-cfg.txt file and license file as cleartext files to the config-drive. For the bootstrap process to succeed, you must include the /config/init-cfg.txt= argument and either the /license/license.key= or the /license/authcodes= argument. A /config/bootstrap.xml= argument is optional:
      --file /config/init-cfg.txt=<source-path> --file /config/bootstrap.xml=<source-path> --file /license/license.key=<source-path> --file /license/authcodes=<source-path>
      The Server Personality quota defines the maximum number of files that can be passed with --file. Use the nova absolute-limits command to view the limit. In the example below, the Personality limit is five, so at most five files can be passed:
      nova absolute-limits
      +--------------------+-------+--------+
      | Name               | Used  | Max    |
      +--------------------+-------+--------+
      | Cores              | 18    | 240    |
      | FloatingIps        | 0     | 10     |
      | ImageMeta          | -     | 128    |
      | Instances          | 12    | 1000   |
      | Keypairs           | -     | 100    |
      | Personality        | -     | 5      |
      | Personality Size   | -     | 65536  |
      | RAM                | 32256 | 393216 |
      | SecurityGroupRules | -     | 20     |
      | SecurityGroups     | 1     | 10     |
      | Server Meta        | -     | 128    |
      | ServerGroupMembers | -     | 10     |
      | ServerGroups       | 0     | 10     |
      +--------------------+-------+--------+
      Exceeding this limit generates an error message. If you need to pass more files than the limit allows, use the user-data method or the combined user-data and file method.
    • --nic net-id=<network UUID>
      Creates a NIC on the VM-Series firewall attached to the network with the specified UUID. Create at least two NICs: one for the management port and one for a data port.
    • --security-groups <security-group>
      A comma-separated list of security groups that control access to the VM-Series firewall. If you do not specify a security group, the VM is placed in the default security group.
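The procedure above, as an added example that is not part of the PAN-OS documentation: a POSIX shell script that builds the bootstrap tree, checks it against the constraints this page states (config/init-cfg.txt plus a license file present, software/ and content/ empty, the whole tree under the 64 MB config-drive limit), packs it with GNU tar for the --user-data method, and reads `nova absolute-limits` output to decide whether --file is usable at all. The function names, the SAMPLE_LIMITS text (copied from the table above) and the test inputs are assumptions made for this example; the script does not call nova, it only prepares the inputs for the nova boot command.

```shell
#!/bin/sh
# Added example, not from the PAN-OS documentation. Function names and the
# SAMPLE_LIMITS text are assumptions made for this example; nova is not called.

# Find a GNU tar. The BSD tar bundled with macOS writes an archive the
# firewall cannot read; Homebrew installs GNU tar as gtar.
gnu_tar() {
  if command -v gtar >/dev/null 2>&1; then
    echo gtar
  elif tar --version 2>/dev/null | grep -q 'GNU tar'; then
    echo tar
  else
    return 1
  fi
}

# Create the four top-level directories PAN-OS expects in a bootstrap package.
make_bootstrap_dir() {
  mkdir -p "$1/config" "$1/license" "$1/software" "$1/content"
}

# Validate the tree: config/init-cfg.txt plus license/authcodes or
# license/license.key must exist, software/ and content/ must be empty, and
# the whole tree must fit on a 64 MB config-drive.
check_bootstrap_dir() {
  root="$1"
  [ -f "$root/config/init-cfg.txt" ] || { echo "error: config/init-cfg.txt missing" >&2; return 1; }
  if [ ! -f "$root/license/authcodes" ] && [ ! -f "$root/license/license.key" ]; then
    echo "error: license/authcodes or license/license.key required" >&2; return 1
  fi
  for d in software content; do
    if [ -n "$(ls -A "$root/$d" 2>/dev/null)" ]; then
      echo "error: $root/$d must be empty on a config-drive" >&2; return 1
    fi
  done
  kbytes=$(du -sk "$root" | awk '{print $1}')
  if [ "$kbytes" -gt $((64 * 1024)) ]; then
    echo "error: tree is ${kbytes} KB, over the 64 MB config-drive limit" >&2; return 1
  fi
}

# Build <out> (a .tgz) with GNU tar, then write a base64 copy to <out>.b64 for
# the --user-data method. <out> is made absolute so it is not swept into the archive.
build_bootstrap_tgz() {
  root="$1"; out="$2"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac
  tar_bin=$(gnu_tar) || { echo "error: GNU tar not found" >&2; return 1; }
  check_bootstrap_dir "$root" || return 1
  ( cd "$root" && "$tar_bin" -czf "$out" config/ license/ software/ content/ ) || return 1
  base64 < "$out" | tr -d '\n' > "$out.b64"
}

# Read `nova absolute-limits` output on stdin and print the Max column of the
# row named in $1: Personality (number of --file payloads) or
# "Personality Size" (bytes allowed per injected file).
absolute_limit() {
  awk -F'|' -v name="$1" '
    { n = $2; gsub(/^ +| +$/, "", n)
      if (n == name) { m = $4; gsub(/ /, "", m); print m } }'
}

# Print "file" when $1 files fit under the Personality limit read from stdin;
# otherwise print "user-data", the only remaining option (alone or combined).
choose_method() {
  limit=$(absolute_limit Personality)
  if [ "$1" -le "${limit:-0}" ]; then echo file; else echo user-data; fi
}

# Each --file payload is also capped by Personality Size; fail on any file over $1 bytes.
check_file_sizes() {
  max="$1"; shift
  for f in "$@"; do
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -le "$max" ] || { echo "error: $f is $size bytes, over Personality Size $max" >&2; return 1; }
  done
}

# Constructed sample: the relevant rows of the nova absolute-limits table above.
SAMPLE_LIMITS='+--------------------+-------+--------+
| Name               | Used  | Max    |
+--------------------+-------+--------+
| Personality        | -     | 5      |
| Personality Size   | -     | 65536  |
+--------------------+-------+--------+'
```

Source the file on the controller node, build the tree with make_bootstrap_dir, drop init-cfg.txt and authcodes (or license.key) into it, then run build_bootstrap_tgz to get the .tgz and its base64 form for --user-data. Before choosing the --file variant, pipe the live output into the limit checks, for example `nova absolute-limits | choose_method 3` and `check_file_sizes "$(nova absolute-limits | absolute_limit 'Personality Size')" config/init-cfg.txt config/bootstrap.xml`; a bootstrap.xml can easily exceed the per-file Personality Size even when the file count is within the limit, and the tar ball route avoids both quotas.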