Shared/RBAC network support and bugfixes

.github/ISSUE_TEMPLATE.md

@@ -22,10 +22,10 @@
 <Fill in the OpenStack release, such as Liberty>
 
 #### Description
-<Describe the bug in detail, steps taken prior to encountering the issue, yand a short explanation of you have deployed openstack and F5® agent>
+<Describe the bug in detail, steps taken prior to encountering the issue, yand a short explanation of you have deployed openstack and F5 agent>
 
 #### Deployment
-<Explain in reasonable detail your OpenStack deployment, the F5® OpenStack agent, and BIG-IP®(s)>
-<Example: Single OpenStack controller with one F5® agent managing a cluster of 4 BIG-IP® VEs>
-<Example: Three OpenStack controllers in HA, each with one standalone F5® agent managing a single BIG-IP® appliance>
+<Explain in reasonable detail your OpenStack deployment, the F5 OpenStack agent, and BIG-IP(s)>
+<Example: Single OpenStack controller with one F5 agent managing a cluster of 4 BIG-IP VEs>
+<Example: Three OpenStack controllers in HA, each with one standalone F5 agent managing a single BIG-IP appliance>
 

.gitignore

@@ -115,3 +115,4 @@ logs
 # vim
 *~
 *.swp
+*.iml

CONTRIBUTING.md

@@ -58,7 +58,7 @@ $ py.test --cov ./ --cov-report=html
 $ open htmlcov/index.html
 ```
 
-If you are running our functional tests you will need a real BIG-IP® to run 
+If you are running our functional tests you will need a real BIG-IP to run
 them against; you can get one of those pretty easily in [Amazon EC2](https://aws.amazon.com/marketplace/pp/B00JL3UASY/ref=srh_res_product_title?ie=UTF8&sr=0-10&qid=1449332167461).
 
 ## License
@@ -77,4 +77,4 @@ See the License for the specific language governing permissions and
 limitations under the License.
 
 ### Contributor License Agreement
-Individuals or business entities who contribute to this project must have completed and submitted the [F5® Contributor License Agreement](http://f5-openstack-docs.readthedocs.org/en/latest/cla_landing.html#cla-landing) to Openstack_CLA@f5.com prior to their code submission being included in this project.
+Individuals or business entities who contribute to this project must have completed and submitted the [F5 Contributor License Agreement](http://f5-openstack-docs.readthedocs.org/en/latest/cla_landing.html#cla-landing) to Openstack_CLA@f5.com prior to their code submission being included in this project.

README.rst

@@ -24,7 +24,7 @@ f5-openstack-agent
 Introduction
 ************
 
-The F5® agent translates from 'OpenStack' to 'F5®'. It uses the `f5-sdk <http://f5-sdk.readthedocs.io>`_ to translate OpenStack messaging calls -- such as those from the Neutron RPC messaging queue -- into iControl® REST calls to F5® technologies, such as BIG-IP®.
+The F5 agent translates from 'OpenStack' to 'F5'. It uses the `f5-sdk <http://f5-sdk.readthedocs.io>`_ to translate OpenStack messaging calls -- such as those from the Neutron RPC messaging queue -- into iControl REST calls to F5 technologies, such as BIG-IP.
 
 Documentation
 *************
@@ -34,9 +34,9 @@ Documentation is published on Read the Docs, at http://f5-openstack-agent.readth
 Compatibility
 *************
 
-The F5® OpenStack agent is compatible with OpenStack releases from Liberty forward. If you are using Kilo or earlier, you'll need the `LBaaSv1 plugin <http://f5-openstack-lbaasv1.readthedocs.io>`_.
+The F5 OpenStack agent is compatible with OpenStack releases from Liberty forward. If you are using Kilo or earlier, you'll need the `LBaaSv1 plugin <http://f5-openstack-lbaasv1.readthedocs.io>`_.
 
-See the `F5® OpenStack Releases and Support Matrix <http://f5-openstack-docs.readthedocs.org/en/latest/releases_and_versioning.html>`_ for more information.
+See the `F5 OpenStack Releases and Support Matrix <http://f5-openstack-docs.readthedocs.org/en/latest/releases_and_versioning.html>`_ for more information.
 
 Installation
 ************
@@ -59,7 +59,7 @@ Test
 ****
 Before you open a pull request, your code must have passing
 `pytest <http://pytest.org>`__ unit tests. In addition, you should
-include a set of functional tests written to use a real BIG-IP® device
+include a set of functional tests written to use a real BIG-IP device
 for testing. Information on how to run our set of tests is included
 below.
 
@@ -160,7 +160,7 @@ limitations under the License.
 Contributor License Agreement
 =============================
 
-Individuals or business entities who contribute to this project must have completed and submitted the `F5® Contributor License Agreement <http://f5-openstack-docs.readthedocs.org/en/latest/cla_landing.html#cla-landing>`_ to Openstack\_CLA@f5.com prior to their code submission being included in this project.
+Individuals or business entities who contribute to this project must have completed and submitted the `F5 Contributor License Agreement <http://f5-openstack-docs.readthedocs.org/en/latest/cla_landing.html#cla-landing>`_ to Openstack\_CLA@f5.com prior to their code submission being included in this project.
 
 
 .. |Build Status| image:: https://travis-ci.org/F5Networks/f5-openstack-agent.svg?branch=liberty

dev_install

@@ -0,0 +1,6 @@
+#git init
+python setup.py install
+
+python /var/lib/openstack/bin/f5-oslbaasv2-agent --config-file /etc/neutron/f5-oslbaasv2-agent.ini --config-file /etc/neutron/neutron.conf --log-file /var/log/neutron/f5-agent.log
+
+#python /var/lib/kolla/venv/bin/f5-oslbaasv2-purge --config-file /etc/neutron/f5-oslbaasv2-agent.ini --partition 234

docs/index.rst

@@ -1,6 +1,6 @@
 .. _home:
 
-F5® OpenStack Agent
+F5 OpenStack Agent
 ===================
 
 |Build Status| |Docs Build Status|
@@ -28,13 +28,13 @@ Installation
 .. include:: topic_install-f5-agent.rst
     :start-line: 3
 
-For more information about using F5® technologies in OpenStack with Neutron LBaaSv2, please see the :ref:`f5-openstack-lbaasv2-driver documentation <lbaasv2driver:home>`.
+For more information about using F5 technologies in OpenStack with Neutron LBaaSv2, please see the :ref:`f5-openstack-lbaasv2-driver documentation <lbaasv2driver:home>`.
 
 
 Configuration and Usage
 -----------------------
 
-See the :ref:`F5® OpenStack LBaaSv2 documentation <lbaasv2driver:home>`.
+See the :ref:`F5 OpenStack LBaaSv2 documentation <lbaasv2driver:home>`.
 
 
 .. |Build Status| image:: https://travis-ci.org/F5Networks/f5-openstack-agent.svg?branch=liberty

docs/ref_agent-config-file.rst

@@ -4,7 +4,7 @@
 Agent Configuration File
 ------------------------
 
-A sample F5® OpenStack agent configuration file is shown below. The file can be found at ``/etc/neutron/services/f5/f5-openstack-agent.ini``. When setting up your own F5® agent(s), be sure to use the correct information for your environment.
+A sample F5 OpenStack agent configuration file is shown below. The file can be found at ``/etc/neutron/services/f5/f5-openstack-agent.ini``. When setting up your own F5 agent(s), be sure to use the correct information for your environment.
 
 .. literalinclude:: ../etc/neutron/services/f5/f5-openstack-agent.ini
 

etc/init.d/f5-oslbaasv2-agent

@@ -8,7 +8,7 @@
 # Default-Start:        2 3 4 5
 # Default-Stop:         0 1 6
 # Short-Description:    f5-openstack-agent
-# Description:          Provides the F5® OpenStack agent to configure BIG-IP®
+# Description:          Provides the F5 OpenStack agent to configure BIG-IP
 ### END INIT INFO
 
 PROJECT_NAME=neutron

etc/neutron/services/f5/esd/esd.json

@@ -0,0 +1,47 @@
+{
+  "proxy_protocol_2edF_v1_0": {
+    "lbaas_fastl4": "",
+    "lbaas_ctcp": "tcp",
+    "lbaas_irule": ["proxy_protocol_2edF_v1_0"],
+    "lbaas_one_connect": ""
+  },
+  "proxy_protocol_V2_e8f6_v1_0": {
+    "lbaas_fastl4": "",
+    "lbaas_ctcp": "tcp",
+    "lbaas_irule": ["cc_proxy_protocol_V2_e8f6_v1_0"],
+    "lbaas_one_connect": ""
+  },
+  "fastl4_protocol_keepalive_dd2b_v1_0": {
+    "lbaas_fastl4": "cc_fastl4",
+    "lbaas_one_connect": ""
+  },
+  "standard_tcp_a3de_v1_0": {
+    "lbaas_fastl4": "",
+    "lbaas_ctcp": "tcp",
+    "lbaas_one_connect": ""
+  },
+  "x_forward_5b6e_v1_0": {
+    "lbaas_irule": ["cc_x_forward_5b6e_v1_0"]
+  },
+  "one_connect_dd5c_v1_0": {
+    "lbaas_one_connect": "oneconnect"
+  },
+  "no_one_connect_3caB_v1_0": {
+    "lbaas_one_connect": ""
+  },
+  "http_compression_e4a2_v1_0": {
+    "lbaas_http_compression": "cc_http_compression_e4a2_v1_0"
+  },
+  "cookie_encryption_b82a_v1_0": {
+    "lbaas_irule": ["cc_cookie_encryption_b82a_v1_0"]
+  },
+  "sso_22b0_v1_0": {
+    "lbaas_irule": ["cc_sso_22b0_v1_0"]
+  },
+  "sso_required_f544_v1_0": {
+    "lbaas_irule": ["cc_sso_required_f544_v1_0"]
+  },
+  "http_redirect_a26c_v1_0": {
+    "lbaas_irule": ["cc_http_redirect_a26c_v1_0"]
+  }
+}

etc/neutron/services/f5/f5-openstack-agent.ini

@@ -50,17 +50,17 @@ periodic_interval = 10
 #  Environment Settings
 ###############################################################################
 #
-# Since many TMOS® object names must start with an alpha character
+# Since many TMOS object names must start with an alpha character
 # the environment_prefix is used to prefix all service objects.
 #
-# Objects created on the BIG-IP® by this agent will have their names prefixed
+# Objects created on the BIG-IP by this agent will have their names prefixed
 # by an environment string. This allows you set this string.  The default is
 # 'Project'.
 #
 # WARNING - you should only set this before creating any objects.  If you change
 # it with established objects, the objects created with an alternative prefix,
 # will no longer be associated with this agent and all objects in neutron
-# and on the the BIG-IP® associated with the old environment will need to be managed
+# and on the the BIG-IP associated with the old environment will need to be managed
 # manually.
 #
 # environment_prefix = 'Project'
@@ -183,10 +183,10 @@ f5_external_physical_mappings = default:1.1:True
 # Some systems require the need to bind and prune VLANs ids
 # allowed to specific ports, often for security. 
 #
-# An example would be if a LBaaS iControl® endpoint is using
+# An example would be if a LBaaS iControl endpoint is using
 # tagged VLANs. When a VLAN tagged network is added to a 
-# specific BIG-IP® device, the facing switch port will need
-# to allow traffic for that VLAN tag through to the BIG-IP®'s
+# specific BIG-IP device, the facing switch port will need
+# to allow traffic for that VLAN tag through to the BIG-IP's
 # port for traffic to flow. 
 #
 # What is required is a software hook which allows the binding.
@@ -197,16 +197,16 @@ f5_external_physical_mappings = default:1.1:True
 # vlan_binding_driver = f5.oslbaasv1agent.drivers.bigip.vlan_binding.NullBinding
 #
 # The interface_port_static_mappings allows for a JSON encoded dictionary
-# mapping BIG-IP® devices and interfaces to corresponding ports. A port id can be
+# mapping BIG-IP devices and interfaces to corresponding ports. A port id can be
 # any string which is meaningful to a vlan_binding_driver. It can be a 
 # switch_id and port, or it might be a neutron port_id.
 #
-# In addition to any static mappings, when the iControl® endpoints
+# In addition to any static mappings, when the iControl endpoints
 # are initialized, all their TMM interfaces will be collect
 # for each device and neutron will be queried to see if which 
 # device port_ids correspond to known neutron ports. If they do, 
 # automatic entries for all mapped port_ids will be made referencing 
-# the BIG-IP® device name and interface and the neutron port_ids.
+# the BIG-IP device name and interface and the neutron port_ids.
 #
 # interface_port_static_mappings = {"device_name_1":{"interface_ida":"port_ida","interface_idb":"port_idb"}, {"device_name_2":{"interface_ida":"port_ida","interface_idb":"port_idb"}} 
 #                  
@@ -216,7 +216,7 @@ f5_external_physical_mappings = default:1.1:True
 #
 # Device Tunneling (VTEP) Self IPs
 #
-# This is the name of a BIG-IP® self IP address to use for VTEP addresses.
+# This is the name of a BIG-IP self IP address to use for VTEP addresses.
 #
 # If no gre or vxlan tunneling is required, these settings should be
 # commented out or set to None.
@@ -265,10 +265,10 @@ f5_populate_static_arp = False
 #
 # Device Tunneling (VTEP) self IPs
 #
-# This is a boolean entry which determines if the BIG-IP® will use
+# This is a boolean entry which determines if the BIG-IP will use
 # L2 Population service to update its fdb tunnel entries. This needs
 # to be set up in accordance with the way the other tunnel agents are
-# set up.  If the BIG-IP® agent and other tunnel agents don't match
+# set up.  If the BIG-IP agent and other tunnel agents don't match
 # the tunnel setup will not work properly.
 #
 l2_population = True
@@ -303,13 +303,13 @@ l2_population = True
 #  L3 Segmentation Mode Settings
 ###############################################################################
 #
-# Global Routed Mode - No L2 or L3 Segmentation on BIG-IP®
+# Global Routed Mode - No L2 or L3 Segmentation on BIG-IP
 #
 # This setting will cause the agent to assume that all VIPs 
 # and pool members will be reachable via global device 
-# L3 routes, which must be already provisioned on the BIG-IP®s.
+# L3 routes, which must be already provisioned on the BIG-IPs.
 #
-# In f5_global_routed_mode, BIG-IP® will not assume L2
+# In f5_global_routed_mode, BIG-IP will not assume L2
 # adjacentcy to any neutron network, therefore no 
 # L2 segementation between tenant services in the data plane 
 # will be provisioned by the agent. Because the routing 
@@ -320,22 +320,22 @@ l2_population = True
 #
 # WARNING: setting this mode to True will override
 # the use_namespaces, setting it to False, because only 
-# one global routing space will used on the BIG-IP®.  This
+# one global routing space will used on the BIG-IP.  This
 # means overlapping IP addresses between tenants is no 
 # longer supported. 
 #
 # WARNING: setting this mode to True will override
 # the f5_snat_mode, setting it to True, because pool members
-# will never be considered L2 adjacent to the BIG-IP® by
+# will never be considered L2 adjacent to the BIG-IP by
 # the agent. All member access will be via L3 routing, which
-# will need to be set up on the BIG-IP® before LBaaS provisions
+# will need to be set up on the BIG-IP before LBaaS provisions
 # resources on behalf of tenants.
 #
 # WARNING: setting this mode to True will override the
 # f5_snat_addresses_per_subnet, setting it to 0 (zero).
 # This will force all VIPs to use AutoMap SNAT for which 
 # enough Self IP will need to be pre-provisioned on the
-# BIG-IP® to handle all pool member connections. The SNAT,
+# BIG-IP to handle all pool member connections. The SNAT,
 # an L3 mechanism, will all be global without reference
 # to any specific tenant SNAT pool.
 #
@@ -344,7 +344,7 @@ l2_population = True
 # because no L2 information will be taken from 
 # neutron, thus making the assumption that all VIP
 # L3 addresses will be globally routable without 
-# segmentation at L2 on the BIG-IP®.
+# segmentation at L2 on the BIG-IP.
 #
 f5_global_routed_mode = True 
 #
@@ -399,14 +399,14 @@ f5_route_domain_strictness = False
 # This setting will force the use of SNATs. 
 #
 # If this is set to False, a SNAT will not
-# be created (routed mode) and the BIG-IP®
+# be created (routed mode) and the BIG-IP
 # will attempt to set up a floating self IP
 # as the subnet's default gateway address.
 # and a wild card IP forwarding virtual
 # server will be set up on member's network.
 # Setting this to False will mean Neutron
 # floating self IPs will not longer work
-# if the same BIG-IP® device is not being used
+# if the same BIG-IP device is not being used
 # as the Neutron Router implementation.
 #
 # This setting will be forced to True if 
@@ -444,16 +444,16 @@ f5_common_external_networks = True
 # separated list where if the name is a neutron
 # network id used for a vip or a pool member, 
 # the network should not be created or deleted
-# on the BIG-IP®, but rather assumed that the value
+# on the BIG-IP, but rather assumed that the value
 # is the name of the network already created in
 # the Common partition with all L3 addresses 
 # assigned to route domain 0.  This is useful
 # for shared networks which are already defined
-# on the BIG-IP® prior to LBaaS configuration. The
+# on the BIG-IP prior to LBaaS configuration. The
 # network should not be managed by the LBaaS agent,
 # but can be used for VIPs or pool members
 #
-# If your Internet VLAN on your BIG-IP® is named
+# If your Internet VLAN on your BIG-IP is named
 # /Common/external, and that corresponds to 
 # Neutron uuid: 71718972-78e2-449e-bb56-ce47cc9d2680
 # then the entry would look like:
@@ -472,7 +472,7 @@ f5_common_external_networks = True
 # Some systems require the need to bind L3 addresses
 # to specific ports, often for security. 
 #
-# An example would be if a LBaaS iControl® endpoint is using
+# An example would be if a LBaaS iControl endpoint is using
 # untagged VLANs and is a nova guest instance. By 
 # default, neutron will attempt to apply security rule
 # for anti-spoofing which will not allow just any L3
@@ -492,7 +492,7 @@ f5_common_external_networks = True
 # vary between providers. They may look like a neutron port id
 # and a nova guest instance id.
 #
-# In addition to any static mappings, when the iControl® endpoints
+# In addition to any static mappings, when the iControl endpoints
 # are initialized, all their TMM MAC addresses will be collect
 # and neutron will be queried to see if the MAC addresses
 # correspond to known neutron ports. If they do, automatic entries
@@ -511,7 +511,7 @@ f5_bigip_lbaas_device_driver = f5_openstack_agent.lbaasv2.drivers.bigip.icontrol
 #
 #
 ###############################################################################
-#  Device Driver - iControl® Driver Setting
+#  Device Driver - iControl Driver Setting
 ###############################################################################
 #
 # icontrol_hostname is valid for external device type only.
@@ -524,17 +524,17 @@ f5_bigip_lbaas_device_driver = f5_openstack_agent.lbaasv2.drivers.bigip.icontrol
 # is not standalone, all devices in the sync failover
 # device group for the hostname specified must have 
 # their management IP address reachable to the agent.
-# If order to access devices' iControl® interfaces via
+# If order to access devices' iControl interfaces via
 # self IPs, you should specify them as a comma
 # separated list below. 
 #
 icontrol_hostname = 10.190.7.232
 #
-# If you are using vCMP® with VLANs, you will need to configure
-# your vCMP® host addresses, in addition to the guests addresses.
-# vCMP® Host access is necessary for provisioning VLANs to a guest.
-# Use icontrol_hostname for vCMP® guests and icontrol_vcmp_hostname
-# for vCMP® hosts. The plug-in will automatically determine
+# If you are using vCMP with VLANs, you will need to configure
+# your vCMP host addresses, in addition to the guests addresses.
+# vCMP Host access is necessary for provisioning VLANs to a guest.
+# Use icontrol_hostname for vCMP guests and icontrol_vcmp_hostname
+# for vCMP hosts. The plug-in will automatically determine
 # which host corresponds to each guest.
 #
 # icontrol_vcmp_hostname = 192.168.1.245
@@ -585,4 +585,5 @@ os_project_domain_name = default
 # inherit settings from the parent you define. This must be an existing profile,
 # and if it does not exist on your BIG-IP system the agent will use the default
 # profile, clientssl.
-f5_parent_ssl_profile = clientssl
+f5_parent_ssl_profile = cc_clientssl
+f5_parent_https_monitor = /Common/cc_https