This section lists the contents of two example .yaml files that could be used for deployment: a Heat environment file and the Heat Orchestration Template (HOT) it supplies parameters for.
An Example Environment File
The following is an example environment .yaml file. It only supplies parameter defaults; it deliberately contains no credentials (the admin password is passed at deploy time, and the SSH key is referenced by keypair name).

# Virtual Deployment - Example
parameter_defaults:
  image: fw_image
  flavor: fw_flavor
  key_name: fw_admin_key
  external_net_id: ext-net
  external_subnet_id: ext-net-subnet
  external_subnet_static_ip: 10.200.1.4
  dmz_net_id: dmz
  dmz_subnet_cidr_v4: 192.168.50.0/24
  dmz_subnet_gateway_ip_v4: 192.168.50.1
  dmz_subnet_static_ip_v4: 192.168.50.22
  dmz2_net_id: dmz2
  dmz2_subnet_cidr: 192.168.51.0/24
  dmz2_subnet_gateway_ip: 192.168.51.1
  dmz2_subnet_static_ip: 192.168.51.5
  user_net_id: user
  user_subnet_cidr: 192.168.52.0/24
  user_subnet_gateway_ip: 192.168.52.1
  user_subnet_pool_start: 192.168.52.7
  user_subnet_pool_end: 192.168.52.253
An Example HOT File
The following is an example HOT .yaml file that is paired with the preceding environment file. Parameters without a default (the network IDs, addresses and the admin password) must be supplied by the environment file or on the command line.

# Virtual Deployment - Example
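heat_template_version: 2015-04-30

description: Virtual Deployment - Example

parameters:
  image:
    type: string
    default: fw_image
    description: Instance image ID
  flavor:
    type: string
    default: fw_flavor
    description: Instance flavor
  key_name:
    type: string
    default: fw_admin_key
    # This is the Nova keypair *name*; its public key is installed for the
    # local admin user at first boot (see "Created SSHClientKey node" in the
    # console output).
    description: Nova keypair name installed as the admin SSH key
  admin_pass:
    type: string
    # Hidden so the value is masked in stack-show / parameter listings.
    # No default on purpose: supply it at deploy time
    # (e.g. `--parameter admin_pass=...`) instead of committing it.
    hidden: true
    description: Initial password for the local admin user
  external_net_id:
    type: string
    description: External network ID
  external_subnet_id:
    type: string
    description: External subnet ID
  external_subnet_static_ip:
    type: string
    description: Fixed IP on external subnet
  dmz_net_id:
    type: string
    description: DMZ network ID
  dmz_subnet_cidr_v4:
    type: string
    description: DMZ subnet IPv4 CIDR
  dmz_subnet_gateway_ip_v4:
    type: string
    description: DMZ subnet gateway IPv4 address
  dmz_subnet_static_ip_v4:
    type: string
    description: FW instance fixed IPv4 address on DMZ subnet
  dmz2_net_id:
    type: string
    description: DMZ2 network ID
  dmz2_subnet_cidr:
    type: string
    description: DMZ2 subnet CIDR
  dmz2_subnet_gateway_ip:
    type: string
    description: DMZ2 subnet gateway IP
  dmz2_subnet_static_ip:
    type: string
    description: FW instance fixed IP on DMZ2 subnet
  user_net_id:
    type: string
    description: User network ID
  user_subnet_cidr:
    type: string
    description: User subnet CIDR
  user_subnet_gateway_ip:
    type: string
    description: User subnet gateway IP
  user_subnet_pool_start:
    type: string
    description: User subnet IP pool start
  user_subnet_pool_end:
    type: string
    description: User subnet IP pool end

resources:
  # --- Networks and subnets created by this stack -------------------------
  # The external network is pre-existing and only referenced by ID.
  dmz_net:
    type: OS::Neutron::Net
    properties:
      name: { get_param: dmz_net_id }

  dmz_subnet:
    type: OS::Neutron::Subnet
    properties:
      ip_version: 4
      # Statically addressed: the FW interface IP is pinned on its port below.
      enable_dhcp: false
      network_id: { get_resource: dmz_net }
      cidr: { get_param: dmz_subnet_cidr_v4 }
      gateway_ip: { get_param: dmz_subnet_gateway_ip_v4 }

  dmz2_net:
    type: OS::Neutron::Net
    properties:
      name: { get_param: dmz2_net_id }

  dmz2_subnet:
    type: OS::Neutron::Subnet
    properties:
      ip_version: 4
      enable_dhcp: false
      network_id: { get_resource: dmz2_net }
      cidr: { get_param: dmz2_subnet_cidr }
      gateway_ip: { get_param: dmz2_subnet_gateway_ip }

  user_net:
    type: OS::Neutron::Net
    properties:
      name: { get_param: user_net_id }

  user_subnet:
    type: OS::Neutron::Subnet
    properties:
      ip_version: 4
      # The user subnet hands out addresses; the FW's own user-side address is
      # also DHCP-assigned (its port carries only a subnet_id, no ip_address).
      enable_dhcp: true
      network_id: { get_resource: user_net }
      cidr: { get_param: user_subnet_cidr }
      gateway_ip: { get_param: user_subnet_gateway_ip }
      allocation_pools:
        - start: { get_param: user_subnet_pool_start }
          end: { get_param: user_subnet_pool_end }

  # --- Firewall instance ports --------------------------------------------
  # NOTE(review): all four ports sit in the `default` security group, which
  # allows all egress and ingress only from members of the same group. That is
  # a lab setting; give the external-facing port0 a purpose-built group. A
  # firewall that forwards traffic between the DMZ/user subnets is also subject
  # to Neutron port-security anti-spoofing on its transit ports, so confirm
  # whether allowed_address_pairs or port_security_enabled: false is required
  # for the intended traffic pattern — this template does not set either.
  fw-inst_port0:
    type: OS::Neutron::Port
    properties:
      network_id: { get_param: external_net_id }
      security_groups:
        - default
      fixed_ips:
        # Pin the static address to the named external subnet; the
        # external_subnet_id parameter was previously declared but unused.
        - subnet_id: { get_param: external_subnet_id }
          ip_address: { get_param: external_subnet_static_ip }

  fw-inst_port1:
    type: OS::Neutron::Port
    properties:
      network_id: { get_resource: dmz_net }
      # Quoted: a bare MAC is colon-separated and would otherwise be open to
      # YAML 1.1 sexagesimal interpretation. Presumably fixed so the DMZ
      # interface has a stable, recognisable MAC — confirm with the owner.
      mac_address: "0a:bc:de:ed:cb:a0"
      security_groups:
        - default
      fixed_ips:
        - ip_address: { get_param: dmz_subnet_static_ip_v4 }

  fw-inst_port2:
    type: OS::Neutron::Port
    properties:
      network_id: { get_resource: dmz2_net }
      security_groups:
        - default
      fixed_ips:
        - ip_address: { get_param: dmz2_subnet_static_ip }

  fw-inst_port3:
    type: OS::Neutron::Port
    properties:
      network_id: { get_resource: user_net }
      security_groups:
        - default
      fixed_ips:
        - subnet_id: { get_resource: user_subnet }

  # --- Firewall instance --------------------------------------------------
  fw-instance:
    type: OS::Nova::Server
    properties:
      name: fw-inst
      # Taken from the hidden admin_pass parameter; never hard-code the
      # password in the template, where it would land in version control and
      # in stack output. The appliance applies it to the local 'admin' user
      # from the config-drive meta_data.
      admin_pass: { get_param: admin_pass }
      # The appliance reads network_data, meta_data and user_data from the
      # config drive at first boot (see the console output below).
      config_drive: true
      image: { get_param: image }
      flavor: { get_param: flavor }
      key_name: { get_param: key_name }
      # Port order fixes interface numbering on the appliance, as shown in the
      # console output: port0 -> if1 (external), port1 -> if2 (DMZ),
      # port2 -> if3 (DMZ2), port3 -> if4 (user).
      networks:
        - port: { get_resource: fw-inst_port0 }
        - port: { get_resource: fw-inst_port1 }
        - port: { get_resource: fw-inst_port2 }
        - port: { get_resource: fw-inst_port3 }
      user_data_format: RAW
      # NOTE(review): this enables SSH remote management on if1, which is the
      # external-facing interface (port0). Acceptable for a lab; outside one,
      # bind management to an inside/management interface or restrict the
      # source network rather than exposing it on the untrusted side.
      # The script is passed to the appliance verbatim (RAW); keep each CLI
      # command on a single line.
      user_data: |
        #cli-config
        echo "\r\n --- Configuring SSH remote management if ---\r\n"
        set System Name=assigned_by_userdata
        set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable
        set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH SourceInterface=if1 SourceNetwork=if1_net

outputs:
  # Addresses are read from the ports rather than from the server's
  # `networks` attribute: that attribute is keyed by network *name*, and the
  # original external output looked up a network called `private`, which no
  # resource in this template creates (the external network is `ext-net` in
  # the paired environment file). The port attribute does not depend on
  # whatever the networks happen to be named.
  fw-inst_external_subnet_ip:
    description: IP addresses assigned to FW for external subnet
    value: { get_attr: [ fw-inst_port0, fixed_ips, 0, ip_address ] }
  fw-inst_dmz_subnet_ip:
    description: IP addresses assigned to FW for DMZ subnet
    value: { get_attr: [ fw-inst_port1, fixed_ips, 0, ip_address ] }
  fw-inst_dmz2_subnet_ip:
    description: IP addresses assigned to FW for DMZ2 subnet
    value: { get_attr: [ fw-inst_port2, fixed_ips, 0, ip_address ] }
  fw-inst_user_subnet_ip:
    description: IP addresses assigned to FW for User subnet
    value: { get_attr: [ fw-inst_port3, fixed_ips, 0, ip_address ] }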
Successful Console Output
The console output shows the progress of the deployment. Below is an example of console output from a successful deployment of the configuration described in the preceding .yaml files. This output is shortened so it begins immediately after the initial system startup. Note that some lines in this output have been folded to fit inside the width of the document page. Two lines are worth checking on every deployment: in the Meta Data section the appliance reports that it configured the local 'admin' user with a plain-text password (the value itself is redacted as <hidden>), which is why the password must come from a hidden stack parameter rather than the template; and in the Activate section the license warning "Lockdown is in effect" means that until a valid license is installed only access from admin nets to the firewall itself is allowed and all other traffic is dropped.
************************************************************************** ************************************************************************** Applicable for cloud configuration deployment. ************************************************************************** ************************************************************************** ************************************************************************** Setup: ************************************************************************** Created Config Drive mount point at '/os_config_drive'. Mounted Config Drive on ISO9660 format at '/os_config_drive'. ************************************************************************** Network Data: ************************************************************************** Buffered '/os_config_drive/openstack/2015-10-15/network_data.json' contents Parsed '/os_config_drive/openstack/2015-10-15/network_data.json' contents into Network Data DOM. Successfully validated Network Data DOM. Created ethernet device node 'if1'. Created ethernet interface node 'if1'. Configured ethernet interface 'if1' for DHCPv4. { DHCPEnabled = True } Created ethernet device node 'if2'. Created ethernet interface node 'if2'. Created IP address node 'if2_ip'. { Address = '192.168.50.22' } Configured ethernet interface 'if2' to use address 'if2_ip'. Created IP address node 'if2_net_v4'. { Address = '192.168.50.0/24' } Created IP address node 'if2_broadcast'. { Address = '192.168.50.255' } Configured ethernet interface if2 to use broadcast address 'if2_broadcast'. Created ethernet device node 'if3'. Created ethernet interface node 'if3'. Created IP address node 'if3_ip'. { Address = '192.168.51.5' } Configured ethernet interface 'if3' to use address 'if3_ip'. Created IP address node 'if3_net_v4'. { Address = '192.168.51.0/24' } Created IP address node 'if3_broadcast'. { Address = '192.168.51.255' } Configured ethernet interface if3 to use broadcast address 'if3_broadcast'. 
Created ethernet device node 'if4'. Created ethernet interface node 'if4'. Configured ethernet interface 'if4' for DHCPv4. { DHCPEnabled = True } Successfully configured system using Network Data DOM. ************************************************************************** Meta Data: ************************************************************************** Buffered '/os_config_drive/openstack/2015-10-15/meta_data.json' contents. Parsed '/os_config_drive/openstack/2015-10-15/meta_data.json' contents into Meta Data DOM. Successfully validated Meta Data DOM. Configured System name. { Name = 'fw-inst' } Created SSHClientKey node 'fw_admin_key'. { PublicKey = 'ssh-rsa AAAAB3NzaC1yc2EAAA...' } Configuring local user 'admin' with plain-text password. { Password = <hidden> } Configuring local user 'admin' with PSKs. { SSHKeys = 'fw_admin_key' } Successfully configured system using Meta Data DOM. ************************************************************************** User Data: ************************************************************************** Buffered user_data file contents from '/os_config_drive/openstack/2015-10-15/user_data'. Created temporary CLI script file '/tmp/cfn-userdata.sgs' from user_data. ========================================================================== Executing user data CLI script ========================================================================== cfn-userdata.sgs(2): echo "\r\n --- Configuring SSH remote management interface ---\r\n" --- Configuring SSH remote management interface (example 1) --- cfn-userdata.sgs(3): set System Name=assigned_by_userdata Modified System. cfn-userdata.sgs(4): set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable Enabled RemoteMgmtSSH/RemoteMgmtSSH. cfn-userdata.sgs(5): set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH SourceInterface=if1 SourceNetwork=if1_net Modified RemoteMgmtSSH/RemoteMgmtSSH. Object no longer has errors. 
========================================================================== CLI script execution complete ========================================================================== ************************************************************************** Activate: ************************************************************************** Config notice vsinit:3396 2016-12-01 14:37:23 - Beginning system reconfigure. Activating new configuration. Ethernet Devices: Name HW identity string Autoneg MAC -------- ------------------------------ ------- ---------------- 00:00:00:00:00:00 UNUSED if1 pci=00:03.0 X fa:16:3e:03:9e:68 if2 pci=00:04.0 X 0a:bc:de:ed:cb:a0 if3 pci=00:05.0 X fa:16:3e:b4:6c:82 if4 pci=00:06.0 X fa:16:3e:7f:eb:5f Ethernet Interfaces: if1: on device if1 MAC:fa:16:3e:03:9e:68 MTU: 1500 IP: 0.0.0.0 Routing Table membership: <all> if2: on device if2 MAC:0a:bc:de:ed:cb:a0 MTU: 1500 IP: 192.168.50.22 Routing Table membership: <all> if3: on device if3 MAC:fa:16:3e:b4:6c:82 MTU: 1500 IP: 192.168.51.5 Routing Table membership: <all> if4: on device if4 MAC:fa:16:3e:7f:eb:5f MTU: 1500 IP: 0.0.0.0 Routing Table membership: <all> Config warning vsinit:3787 2016-12-01 14:37:24 - License: Lockdown is in effect because the license is invalid. Only access from admin nets to the firewall itself is allowed, everything else is dropped. Config notice vsinit:301 2016-12-01 14:37:24 - System: Bootloader configuration will be updated on commit; please restart the device at your earliest convenience, after the commit, for the changes to take effect. Once the device has been restarted please review the output of the 'cfglog' command to see if there were any problems with the new configuration. Config notice vsinit:3950 2016-12-01 14:37:24 - Reconfigure completed successfully. Successfully activated the configuration. 
************************************************************************** Commit: ************************************************************************** 2016-12-01 14:37:24 INTERNAL: The kernel generated a new message [reason=<7>[ 23.948290] ISO 9660 Extensions: Microsoft Joliet Level 3] Config notice vsinit:4556 2016-12-01 14:37:24 - Configuration changes committed. Successfully committed the configuration. 2016-12-01 14:37:24 INTERNAL: The kernel generated a new message [reason=<7>[ 23.951352] ISO 9660 Extensions: RRIP_1991A] ************************************************************************** Unmounted Config Drive. Removed Config Drive mount point. ************************************************************************** ************************************************************************** Cloud configuration deployment successful. ************************************************************************** **************************************************************************