fir3net

vSRX on an Isolated Network - How do I Provision via Cloud-Init?

Background

Introduced in Junos OS Release 15.1X49-D100, the vSRX now ships with cloud-init. As per Juniper's configuration guide,

... the cloud-init package (version 0.7x) comes pre-installed in the vSRX image to help simplify configuring new vSRX instances operating in an OpenStack environment according to a specified user-data file. Cloud-init is performed during the first-time boot of a vSRX instance.[1]

In other words, you can pass the Junos configuration to the instance at the point of creation via the user-data key, like so:

openstack server create --image vsrx-image-15.1X49-D100.6 \
                        --flavor vsrx_flavor \
                        --user-data /root/juniper.conf.txt \
                        --nic net-id=587b75b5-ceb6-49e8-b850-861809f14d5e,v4-fixed-ip=172.29.100.105 \
                        --nic net-id=423b2b1b-5591-4861-baab-64e9fef84f47,v4-fixed-ip=192.168.1.5 \
                        --nic net-id=24ca3340-a3de-4708-ad2b-2a2ab826250c,v4-fixed-ip=172.29.50.105 \
                        vsrx-15.1X49-D100.6

In the background Nova stores this user-data and serves it through its metadata service, from which the instance can retrieve it at http://169.254.169.254/latest/user-data. The intention is that the vSRX calls this URL during the initial boot and pulls the required config. Now, to get to this address, traffic from the instance must go through either the router namespace or the DHCP namespace. On an isolated network (one with no Neutron router attached) only the latter is available, so for the topic of this discussion we will look at the DHCP namespace method.

Within the DHCP namespace (upon the Network Controller) there is a Neutron metadata proxy that forwards the request on to the Neutron metadata agent, which in turn forwards it on to the Nova metadata API. Note that the DHCP agent only spawns this proxy for a routerless network when enable_isolated_metadata = True is set in dhcp_agent.ini, so check that first. As the Neutron metadata proxy is hosted upon the DHCP agent's IP on the given subnet, the instance can query the metadata service via a local IP, i.e.:

root@% ifconfig fxp0
fxp0:   encaps: ether; framing: ether
        flags=0x3/0x8000 <PRESENT|RUNNING>
        curr media: i802 fa:16:3e:e7:b5:2f
fxp0.0: flags=0x4008000 <UP|MULTICAST>
        inet primary mtu 1500 local=172.29.100.106 dest=172.29.100.0/24 bcast=172.29.100.255


root@% curl http://172.29.100.100/latest/user-data
#junos-config
## Last changed: 2017-09-04 16:07:32 UTC
system {
    services {
        ssh;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
}

However, this leaves one small detail. When the vSRX boots it must have a route telling it to reach 169.254.169.254 via the DHCP agent's IP. Neutron provides exactly that by injecting a static route into the instance at boot via DHCP option 121 (classless static routes). But here lies the problem: the vSRX does not support option 121, so the route is never installed and the GET for the metadata is sent towards whatever default gateway the lease advertised.

Solution

The solution to the issue is this: we set the default gateway on the Neutron subnet that we attach for management (fxp0) to the DHCP agent's IP. Let's step through how this works:

  1. At boot, the vSRX obtains a DHCP lease on fxp0 containing its IP and the gateway address, which is now the IP of the DHCP agent.
  2. When the vSRX performs the GET for its configuration (from 169.254.169.254) the request is routed via the default gateway, i.e. to the DHCP agent, where the Neutron metadata proxy picks it up.
  3. The request is proxied on to the Nova metadata service. The vSRX applies the returned configuration.
  4. The routing oddity negates itself, because the Junos configuration defines the real management default gateway (and a static fxp0 address), which replaces the gateway address previously obtained via DHCP. Make sure the configuration you pass as user-data really does contain that default route; if it does not, the vSRX is left pointing at the DHCP agent, which does not forward traffic, and off-subnet management access is lost once cloud-init has finished.

Bear in mind that the user-data file carries the complete initial Junos configuration, including root-authentication and any other credentials, and that the instance retrieves it over plain HTTP from the metadata proxy. Protect the file on the controller as you would the device configuration itself.

References

[1] http://www.juniper.net/documentation/en_US/vsrx/topics/task/configuration/security-vsrx-cloud-init-support.html 

Tags: Juniper, SRX, OpenStack, Neutron, NFV, DHCP, Metadata, Cloud-Init

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001