Rolling deployments is well covered in the Ansible Docs. This post is about using those rolling deployments patterns but with F5 Load Balancers. These techniques use the F5 modules require BIG-IP software version >= 11 and have been tested with Ansible 1.9.4.
There are a couple of things to examine before doing one of these deployments:
- Preflight Checks
- Ansible’s pre_tasks / post_tasks
Preflight Checks
If you’re using a pair of F5s for High Availability, consider having a preflight check play to ensure your configurations are in sync and determine your primary F5:
[code]
- name: Collect BIG-IP facts local_action: > bigip_facts server={{ item }} user={{ f5_user }} password={{ f5_password }} include=device_group,device with_items: f5_hosts
- name: determine primary F5 set_fact: primary_lb="{{ device[item][‘management_address’] }}" when: device[item][‘failover_state’] == ‘HA_STATE_ACTIVE’ with_items: device.keys()
- name: fail when not in sync fail: msg=“not proceeding, f5s aren’t in sync” when: device_group[’/Common/device_trust_group’][‘device’]|length > 1 and device_group[’/Common/device_trust_group’][‘sync_status’][‘status’] != ‘In Sync’ [/code]
Recommendation: Use Automatic Sync for doing automated operations against a pair of F5s. I’ve listed the failsafe here for the sake of completeness.
Beware: the bigip_facts module sets facts named “device_group, device” or any other parameter you pass to ‘include’.
pre_tasks & post_tasks
The pre_tasks section looks similar- disable/drain. There’s a new variable introduced- more on that at the end of this post.
[code] pre_tasks: - name: disable node local_action: > bigip_node: server={{ primary_lb }} user={{ f5_user }} password={{ f5_pass }} name={{ inventory_hostname }} state=disabled
- name: wait for connections to drain wait_for: host={{ inventory_hostname }} state=drained exclude_hosts={{ ‘,’.join(heartbeat_ips) }} port=443 [/code]
The post_tasks section isn’t much different. No new variables to worry about, just resume connections and re-enable the node.
[code] post_tasks: - name: wait for connections to resume wait_for: host={{ inventory_hostname }} state=started port=443
- name: enable node local_action: > bigip_node: server={{ primary_lb }} user={{ f5_user }} password={{ f5_pass }} name={{ inventory_hostname }} state=enabled [/code]
A note about heartbeat_ips:
heartbeat_ips. These are the source IP addresses that the F5 uses to health check your node. heartbeat_ips can be discovered on each F5 by navigating to Network -> Self IPs. If you don’t know how to find them, disable your node in the F5 and run something like tcpdump -i eth0 port 443. The heartbeat IPs can be discovered by adding “self_ip” to the bigip_facts module’s include parameter - usually represented like this:
[code] hostvars[’localhost’][‘self_ip’][’/Common/Self-IPv4’][‘address’] [/code]
There are two downsides discovering heartbeat IPs:
- They have to be gathered from each F5 and concatenated together. The way the bigip_facts module operates this requires use of a register. (it gets messy)
[code] exclude_hosts={{ f5_facts.results|join(’,’, attribute=‘ansible_facts.self_ip./Common/internal-self.address’) }} [/code]
- The bigip_facts gathering module is pretty time consuming- I’ve seen up to 30s per F5 depending on the amount of data returned. Storing these IPs elsewhere is much faster =)