Use Cloud-Init in an OpenStack Environment to Automate the Initialization of vSRX Virtual Firewall Instances
Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the cloud-init package (version 0.7x) comes pre-installed in the vSRX Virtual Firewall image to help simplify configuring new vSRX Virtual Firewall instances operating in an OpenStack environment according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX Virtual Firewall instance.
Cloud-init is an OpenStack software package for automating the initialization of a cloud instance at boot-up. It is available in Ubuntu and most major Linux and FreeBSD operating systems. Cloud-init is designed to support multiple different cloud providers so that the same virtual machine (VM) image can be directly used in multiple hypervisors and cloud instances without any modification. Cloud-init support in a VM instance runs at boot time (first-time boot) and initializes the VM instance according to the specified user-data file.
A user-data file is a special key in the metadata service that contains a file that cloud-aware applications in the VM instance can access upon a first-time boot. In this case, it is the validated Junos OS configuration file that you intend to upload to a vSRX Virtual Firewall instance as the active configuration. This file uses the standard Junos OS command syntax to define configuration details, such as root password, management IP address, default gateway, and other configuration statements.
When you create a vSRX Virtual Firewall instance, you can use cloud-init with a validated Junos OS configuration file (juniper.conf) to automate the initialization of new vSRX Virtual Firewall instances. The user-data file uses the standard Junos OS syntax to define all the configuration details for your vSRX Virtual Firewall instance. The default Junos OS configuration is replaced during the vSRX Virtual Firewall instance launch with a validated Junos OS configuration that you supply in the form of a user-data file.
If using a release earlier than Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, the user-data configuration file cannot exceed 16 KB. If your user-data file exceeds this limit, you must compress the file using gzip and use the compressed file. For example, the gzip junos.conf command results in the junos.conf.gz file.
Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, if using a configuration drive data source in an OpenStack environment, the user-data configuration file size can be up to 64 MB.
The configuration must be validated and include details for the fxp0 interface, login, and authentication. It must also have a default route for traffic on fxp0. If any of this information is missing or incorrect, the instance is inaccessible and you must launch a new one.
Ensure that the user-data configuration file is not configured to perform autoinstallation on interfaces using Dynamic Host Configuration Protocol (DHCP) to assign an IP address to the vSRX Virtual Firewall. Autoinstallation with DHCP will result in a "commit fail" for the user-data configuration file.
Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, the cloud-init functionality in vSRX Virtual Firewall has been extended to support the use of a configuration drive data source in an OpenStack environment. The configuration drive uses the user-data attribute to pass a validated Junos OS configuration file to the vSRX Virtual Firewall instance. The user-data can be plain text or MIME file type text/plain. The configuration drive is typically used in conjunction with the Compute service, and is presented to the instance as a disk partition labeled config-2. The configuration drive has a maximum size of 64 MB, and must be formatted with either the vfat or ISO 9660 filesystem.
The configuration drive data source also provides the flexibility to add more than one file that can be used for configuration. A typical use case would be to add a Day0 configuration file and a license file. In this case, there are two methods that can be employed to use a configuration drive data source with a vSRX Virtual Firewall instance:
User-data (Junos OS Configuration File) alone—This approach uses the user-data attribute to pass the Junos OS configuration file to each vSRX Virtual Firewall instance. The user-data can be plain text or MIME file type text/plain.
Junos OS configuration file and license file—This approach uses the configuration drive data source to send the Junos OS configuration and license file(s) to each vSRX Virtual Firewall instance.
Note: If a license file is to be configured in vSRX Virtual Firewall, it is recommended to use the --file option rather than the user-data option, because --file is not subject to the 16 KB limit of user-data.
To use a configuration drive data source to send Junos OS configuration and license file(s) to a vSRX Virtual Firewall instance, the files need to be placed in a specific folder structure. In this application, the folder structure of the configuration drive data source in vSRX Virtual Firewall is as follows:
OpenStack
  latest
    junos-config
      configuration.txt
    junos-license
      License_file_name.lic
      License_file_name.lic
That is, the configuration file is read from /OpenStack/latest/junos-config/configuration.txt and each license file from /OpenStack/latest/junos-license/license.lic.
Before you begin:
Create a configuration file with the Junos OS command syntax and save it. The configuration file can be plain text or MIME file type text/plain. The string #junos-config must be the first line of the user-data configuration file, before the Junos OS configuration. Note: The #junos-config string is mandatory in the user-data configuration file; if it is not included, the configuration will not be applied to the vSRX Virtual Firewall instance as the active configuration.
Determine the name for the vSRX Virtual Firewall instance you want to initialize with a validated Junos OS configuration file.
Determine the flavor for your vSRX Virtual Firewall instance, which defines the compute, memory, and storage capacity of the vSRX Virtual Firewall instance.
Starting in Junos OS Release 15.1X49-D130 and Junos OS Release 18.4R1, if using a configuration drive, ensure that the following criteria are met to enable cloud-init support for a configuration drive in OpenStack:
The configuration drive must be formatted with either the vfat or iso9660 filesystem. Note: The default format of a configuration drive is an ISO 9660 file system. To explicitly specify the format, add the line config_drive_format=iso9660 or config_drive_format=vfat to the nova.conf file.
The configuration drive must have a filesystem label of config-2.
The folder size must be no greater than 64 MB.
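As an added example (not Juniper's or OpenStack's own code), a POSIX shell pre-flight script that checks a user-data file against the requirements stated on this page: the #junos-config first line, an fxp0 interface, login and authentication, a default route for fxp0 traffic, no DHCP autoinstallation, and the 16 KB user-data limit with a gzip fallback for older releases. It assumes "set"-style Junos syntax; the sample configuration, the password hash, and the IMAGE/FLAVOR names in the trailing comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Juniper's code: pre-flight a cloud-init user-data file
# against the rules this page states before handing it to the OpenStack CLI.
# Assumes "set"-style Junos syntax; the greps are deliberately coarse.

# Exit 0 when the file satisfies every rule, 1 otherwise (reasons on stdout).
check_userdata() {
    f="$1"; rc=0
    [ "$(head -n 1 "$f")" = "#junos-config" ] \
        || { echo "$f: first line must be #junos-config"; rc=1; }
    grep -q 'fxp0' "$f" \
        || { echo "$f: fxp0 management interface is not configured"; rc=1; }
    grep -q 'root-authentication' "$f" \
        || { echo "$f: no login/authentication statement"; rc=1; }
    grep -q 'route 0.0.0.0/0' "$f" \
        || { echo "$f: no default route for traffic on fxp0"; rc=1; }
    ! grep -qi 'dhcp' "$f" \
        || { echo "$f: DHCP autoinstallation causes a commit fail"; rc=1; }
    return $rc
}

# Print the path to pass to --user-data: the file itself, or a gzip copy
# when it exceeds the 16 KB limit of releases before 15.1X49-D130/18.4R1.
prepare_userdata() {
    f="$1"
    if [ "$(wc -c < "$f" | tr -d ' ')" -gt 16384 ]; then
        gzip -c "$f" > "$f.gz" && echo "$f.gz"
    else
        echo "$f"
    fi
}

# Constructed sample inputs: documentation addresses, placeholder hash.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
#junos-config
set system root-authentication encrypted-password "$6$PLACEHOLDER"
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
EOF
# Missing the #junos-config header and relying on DHCP on fxp0.
printf 'set interfaces fxp0 unit 0 family inet dhcp\n' > "$BAD"

# Launch (IMAGE, FLAVOR and the instance name are placeholders):
#   openstack server create --image IMAGE --flavor FLAVOR \
#     --user-data "$(prepare_userdata "$GOOD")" vsrx-1
```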
Depending on your OpenStack environment, you can use either an OpenStack command-line interface (such as nova boot or openstack server create) or the OpenStack Dashboard ("Horizon") to launch and initialize a vSRX Virtual Firewall instance.
Perform Automatic Setup of a vSRX Virtual Firewall Instance Using an OpenStack Command-Line Interface
You can launch and manage a vSRX Virtual Firewall instance using either the nova boot or the openstack server create command; either one lets you supply a validated Junos OS configuration user-data file from your local directory to initialize the active configuration of the target vSRX Virtual Firewall instance.
To initiate the automatic setup of a vSRX Virtual Firewall instance from an OpenStack command-line client:
Perform Automatic Setup of a vSRX Virtual Firewall Instance from the OpenStack Dashboard (Horizon)
Horizon is the canonical implementation of the OpenStack Dashboard. It provides a Web-based user interface to OpenStack services including Nova, Swift, Keystone, and so on. You can launch and manage a vSRX Virtual Firewall instance from the OpenStack Dashboard, which includes the use of a validated Junos OS configuration user-data file from your local directory to initialize the active configuration of the target vSRX Virtual Firewall instance.
To initiate the automatic setup of a vSRX Virtual Firewall instance from the OpenStack Dashboard: