Install or Upgrade Software

Installation and upgrade options

There are several types of installation and upgrade options for F5OS software:

• System upgrade
• Clean (or bare metal) installation

System upgrade

A system upgrade installs new Base OS software on the system and results in a service outage. This method preserves old image and configuration data, and includes these three sub-types:

ISO upgrade

Upgrades both the operating system (OS) and services for the Base OS software.

Partial upgrade

Upgrades OS or services for Base OS software. The OS partial update file has a .os extension and the service file has a .img extension. You import partial upgrade files by using either the system import command, the webUI, or by logging in as a root user and using SCP to copy files to the system at the images/import/os or images/import/services directories respectively.

Patch upgrade

Upgrades or patches a subset of Base OS software. The patch file has a .patch extension. You import patch upgrade files by using either the file import command, the webUI, or by logging in as a root user and using SCP to copy files to the system at the images/import/services directory.
Note: Currently, the patch upgrade option is not supported on F5OS software. However, this option might be supported for all versions of F5OS-A.

Clean installation

A clean installation reformats the disk of specific components and restores the system to factory defaults.

Warning: Formatting erases all data on your system.

For information on configuring your rSeries system after you complete a software installation or upgrade, see F5 rSeries Systems: Administration and Configuration in the F5OS Knowledge Center at techdocs.f5.com.

System upgrades

You perform a system upgrade of F5OS software when you want to upgrade the software on both system controllers or on a chassis partition the system with a point release or engineering hotfix. This installation method results in a full service outage and reboots the systemsystem controller or blade automatically when installation completes.

Note: When upgrading from F5OS-A version 1.0.1 to F5OS-A 1.1.0, you should first move the tenant state to provisioned before performing the upgrade. You should then move the tenant back to a deployed state once the F5OS-A upgrade is complete.

Important:

• When upgrading to F5OS-A 1.5.3 from a lower version of F5OS-A, you must upgrade the hardware security module (HSM) firmware to the latest version integrated with the software.

• When upgrading from F5 rSeries FIPS units to F5OS-A 1.5.3, you must upgrade both the BIG-IP tenant version and the FIPS firmware versions simultaneously. This ensures optimal functioning of F5OS FIPS platforms with an embedded HSM and provides the latest SDK. For more information, refer to section Firmware upgrades for hardware HSMs in the F5 rSeries Systems: Software Administration and Configuration guide.

Perform a system upgrade of F5OS software

Verify that you have downloaded and imported the F5OS-A image files from F5 before you attempt to upgrade.

You can upgrade F5OS software on a system from the CLI. This method results in a full service outage.

1. Connect to the system using a management console or console server.

   Note: The default baud rate and serial port configuration is 19200/8-N-1.

2. Log in to the command line interface (CLI) of the system using an account with admin access.

   When you log in to the system, you are in user (operational) mode.

3. Verify that the Base OS image you want to install is listed, and the status is ready.

   show system image

   A summary similar to this example displays:

   Copy

   appliance-1# show system image
   				    IN
   VERSION OS  STATUS  DATE        USE
   --------------------------------------
   1.1.0-1234  ready   2021-08-31  true
   
   
   VERSION                         IN
   SERVICE     STATUS  DATE        USE
   --------------------------------------
   1.1.0-1234  ready   2021-08-31  true
   
   
   VERSION                         IN
   ISO         STATUS  DATE        USE
   ---------------------------------------
   1.1.0-1234  ready   2021-08-31  false

4. Change to config mode.

   config

   The CLI prompt changes to include (config).

5. Set the ISO version to the new version.

   system image set-version iso-version <*version*> proceed [ yes | no ]

   Note: By default, you will be prompted to confirm the upgrade. To bypass the confirmation prompt, include proceed yes at the end of the command sequence.

   This example shows upgrading the ISO version:

   Copy

   appliance-1(config)# system image set-version iso-version 1.1.0-1234

   These examples show upgrading os-version and service-version:

   Upgrade OS version:

   Copy

   appliance-1(config)# system image set-version os-version 1.1.0-1234

   Upgrade service version:

   Copy

   appliance-1(config)# system image set-version service-version 1.1.0-1234

6. When the compatibility check succeeds, enter yes to proceed with the installation process.

   A summary similar to this excerpt displays:

   Copy

   appliance-1(config)# system image set-version iso-version 1.1.0-1234
   Changing software version will trigger system reboot and interrupt tenant operation. Proceed? [yes/no]: yes
   response System iso version has been set

The system installs the upgrade and reboots to the new version. This results in a temporary service outage.

Clean installation

You perform a clean installation of F5OS software when you want to start from scratch or when the system is not recoverable. This installation method requires you to use either an external the built-in PXE server or a USB flash drive.

Warning: Performing a clean installation destroys all information on your system.

Before performing a clean installation of F5OS software on your rSeries system, you must meet these prerequisites:

• Be able to access the system from a management console or console server

• Have root account access

  Note: If your system has appliance mode enabled, you must first disable appliance mode before you can perform a clean installation.

Clean installation using a USB flash drive

When you perform a clean installation of F5OS software on your system using a USB flash drive, you must first enable the front panel USB port on your systemcontroller.

For security purposes, the USB port on the system is disabled by default. You can use Always-On Management (AOM) to enable the front panel USB port. For more information, see the platform guide for your appliance model at techdocs.f5.com.

Enable the front-panel USB port

The front-panel USB port on the platform is disabled by default, but you can use Always-On Management (AOM) to enable the USB port.

1. Connect to the system using a management console or console server.

   Note: The default baud rate and serial port configuration is 19200/8-N-1.

2. Open the AOM Command Menu.

   Esc (

   The system displays the AOM Command Menu:

   Copy

   [root@appliance-1 ~]# 
   
   
   AOM Command Menu:
   
   
   A --- Reset AOM
   B --- Set baud rate
   I --- Display platform information
   P --- Power on/off host subsystem
   R --- Reset host subsystem
   U --- Front panel USB port
   Q --- Quit menu and return to console
   
   
   Enter Command:

3. Type U to configure the USB port on the system.

   The system displays the current status of the USB port:

   Copy

   Front panel USB next boot setting: disabled
   
   
   0 -- Disable front panel USB port
   1 -- Enable front panel USB port
   
   
   Note: Reboot is necessary for change to take effect.
   
   
   Select Option:

4. Type R to reset (restart) the host subsystem.

Create a bootable USB flash drive

Before you create a bootable USB flash drive, be sure that you have used Always-On Management (AOM) to enable the USB port on your system, as the USB port is disabled by default. Also, be sure that you have copied the ISO images to images/staging/ on your system.

• You can use an existing F5 rSeries system to create a bootable USB flash drive that contains an F5OS-A software ISO image.
• You can make a bootable USB flash drive on a different Linux system.

1. Plug the USB flash drive into the USB port on the front of the system.

2. Connect to the system using a management console or console server.

   Note: The default baud rate and serial port configuration is 19200/8-N-1.

3. Log in as the root user.

   Note: The default login credentials are root/default. When logging in as root for the first time, the system prompts you to change the password.

4. Before you create a bootable drive, verify /dev/sda is the correct drive.

   Copy

   lsblk /dev/sda

   This example verifies /dev/sda is the correct drive.

   Copy

   root@controller-1 tmp]# lsblk /dev/sda
   NAME 	MAJ:MIN 	   RM   SIZE	 RO  TYPE 	MOUNTPOINT
   sda 	  8:0 		1   14.4G 	0   disk
   ├─sda1       8:1 		1   4.9G 	 0   part
   └─sda2       8:2 		1   9M  	  0   part

   Note: Ensure the following:

   • Removable (RM) column must be 1
   • Type column is disk
   • Size column approximately matches the size of your USB flash drive.

5. Create a bootable drive.

   dd if=<*iso-image*> of=/dev/sda bs=1M conv=fsync status=progress

   This example writes a specified software ISO to the flash drive:

   Copy

   [root@appliance-1 ~]# dd if=/var/import/staging/F5OS-A-1.2.0 of=/dev/sda bs=1M
     conv=fsync status=progress

   This command sequence writes the ISO image to the flash drive. The flash drive creation process might take several minutes.

You can now use this USB flash drive to boot F5 rSeries systems, as needed.

Perform a clean installation of F5OS software

You can use a USB flash drive to perform a clean installation of F5OS software onto the system from the CLI.

1. Plug the USB flash drive into the USB port for the system onto which you are installing software.

2. Connect to the system using a management console or console server.

   Note: The default baud rate and serial port configuration is 19200/8-N-1.

3. Log in as the root user.

   Note: The default login credentials are root/default. When logging in as root for the first time, the system prompts you to change the password.

4. Reboot the system.

   reboot

5. Intercept the boot by typing b at the BIOS setup screen, and then select the USB flash drive that you created.

6. From the Installer menu, select Install F5OS-A.

   The installation proceeds automatically.

After the installation completes and the system is fully rebooted to the Host OS, you can remove the USB flash drive.

Note: It might take 10-15 minutes for the system to fully boot after a clean installation.

Clean installation using a PXE server

You can perform a clean installation of F5OS software on your system using an external PXE server.

Prerequisites

Before you use an external PXE server to do a clean installation of F5OS software on your system, verify that the external PXE server is configured as follows:

• The PXE server must be on the same network segment as the rSeries platform
• The PXE server must be configured with PXE technologies, including DHCP, TFTP, and HTTP
• On the PXE server, the TFTP root directory is at /tftpboot, and within the /tftpboot directory, there is a directory named pxelinux.cfg
• The /tftpboot directory contains these UEFI files:
  • syslinux.efi
  • ldlinux.e64
• An HTTP service is configured on a file server with /var/www/html as its root directory, and the /tftpboot directory is symlinked within the /var/www/html directory
• The DHCP server has the filename option configured as syslinux.efi
• SELinux (or similar security measures) must be configured to allow TFTP to read and send the contents of the /tftpboot directory
• Any firewalls must allow network access to the HTTP and TFTP services on the PXE server

FIPS HSM Reset

Important: Before you perform the HSM reset, back up any critical data or keys stored on the HSM card. For more information, see section F5 rSeries to F5 rSeries in the documenation F5 Platforms: FIPS Administration

F5 recommends to reset the hardware security module (HSM) installed on your F5 r5000/r10000 FIPS platform. After the clean installation of F5OS software on your system using an external PXE server, you must Initialize the HSM and get HSM into operational state. ‌For more information, see section Initialize the HSM in F5 r5000/r10000 platforms in the F5 rSeries Systems: Software Administration and Configuration guide.

Important: If the HSM card was not reset before the installation, you must perform the below steps after the clean installation using PXE server.

1. Log in to the command line interface (CLI) of the system using an account with admin access.

   Note: The default login credentials are admin/admin. When logging in as admin for the first time, the system prompts you to change the password.

   When you log in to the system, you are in user (operational) mode.

2. Change to config mode.

   config

   The CLI prompt changes to include (config).

3. Initialize the HSM

   Copy

   hsm reset
   
   
   hsm force-init
   
   
   hsm reset
   
   
   hsm init

   A summary to this example dispalys:

   Copy

   appliance-1(config)# fips hsm reset
   Value for 'so-password' (<string, min: 7 chars, max: 30 chars>): default
   result The FIPS device is already in factory default state.
   
   
   appliance-1(config)# fips hsm force-init
   Value for 'new-so-password' (<string, min: 7 chars, max: 30 chars>): default
   Value for 'confirm-new-so-password' (<string, min: 7 chars, max: 30 chars>): default
   [ 3311.525062] liquidsec_pf_vf_driver 0000:ca:00.0: Crypto requests are pending after app shutdown. Partition_index:0 resource cleanup could fail. Please validate partition before re-use.
   Error: HSM force init failed: UNKNOWN: no error message
   
   
   appliance-1(config)# fips hsm reset
   Value for 'so-password' (<string, min: 7 chars, max: 30 chars>): default
   result The FIPS device is already in factory default state.
   
   
   appliance-1(config)# fips hsm init
   Value for 'so-password' (<string, min: 7 chars, max: 30 chars>): default
   Value for 'new-so-password' (<string, min: 7 chars, max: 30 chars>): notdefault
   Value for 'confirm-new-so-password' (<string, min: 7 chars, max: 30 chars>): notdefault
   [ 3508.730404] liquidsec_pf_vf_driver 0000:ca:00.0: Allowing bandwidth of VF 0 to 10000Mbps
   [ 3508.938475] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 1 to 0Mbps
   [ 3508.946179] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 2 to 0Mbps
   [ 3508.953885] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 3 to 0Mbps
   [ 3508.961590] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 4 to 0Mbps
   [ 3508.969296] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 5 to 0Mbps
   [ 3508.977000] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 6 to 0Mbps
   [ 3508.984707] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 7 to 0Mbps
   [ 3508.992416] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 8 to 0Mbps
   [ 3509.000126] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 9 to 0Mbps
   [ 3509.007833] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 10 to 0Mbps
   [ 3509.015627] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 11 to 0Mbps
   [ 3509.023421] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 12 to 0Mbps
   [ 3509.031214] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 13 to 0Mbps
   [ 3509.039007] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 14 to 0Mbps
   [ 3509.046799] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 15 to 0Mbps
   [ 3509.054600] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 16 to 0Mbps
   [ 3509.062397] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 17 to 0Mbps
   [ 3509.070196] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 18 to 0Mbps
   [ 3509.077990] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 19 to 0Mbps
   [ 3509.085780] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 20 to 0Mbps
   [ 3509.093574] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 21 to 0Mbps
   [ 3509.101373] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 22 to 0Mbps
   [ 3509.109170] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 23 to 0Mbps
   [ 3509.116964] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 24 to 0Mbps
   [ 3509.124760] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 25 to 0Mbps
   [ 3509.132558] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 26 to 0Mbps
   [ 3509.140367] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 27 to 0Mbps
   [ 3509.148162] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 28 to 0Mbps
   [ 3509.155954] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 29 to 0Mbps
   [ 3509.163748] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 30 to 0Mbps
   [ 3509.171545] liquidsec_pf_vf_driver 0000:ca:00.0: Limiting bandwidth of VF 31 to 0Mbps
   [ 3509.246002] liquidsec_pf_vf_driver 0000:ca:00.0: Allowing bandwidth of VF 0 to 10000Mbps
   result The FIPS device has been initialized.

   The HSM operations mentioned above typically require a few minutes, with a duration of 4 to 6 minutes.

   After the initialization process is complete, HSM will be in an operational state.

Prepare for a PXE installation

Before you install using a PXE server, you must already have configured a PXE server in your network.

To prepare for a PXE installation, you must make an F5OS-A image file available on the PXE server, determine the MAC address for your rSeries platform, and create a PXE configuration file.

1. Download a software image file from F5 Downloads.

2. Import the image file onto your PXE server.

3. Mount the image file into the /mnt directory, and then copy the contents to /tftpboot.

   Copy

   mount -o loop,ro /var/<*filename*>.iso /mnt/f5os-a
   cp /mnt/f5os-a /tftpboot/f5os-a -R

   The image file is now available over TFTP and HTTP.

4. Determine and make note of the MAC address for your rSeries platform.

   show interfaces interface mgmt ethernet state

   A summary similar to this example displays:

   Copy

   appliance-1# show interfaces interface mgmt ethernet state
   ethernet state auto-negotiate true
   ethernet state duplex-mode FULL
   ethernet state port-speed SPEED_1GB
   ethernet state hw-mac-address 00:12:a1:34:56:02
   ethernet state negotiated-duplex-mode FULL
   ethernet state negotiated-port-speed SPEED_1GB
   ethernet state counters in-mac-pause-frames 0
   ethernet state counters in-oversize-frames 0
   ethernet state counters in-jabber-frames 0
   ethernet state counters in-fragment-frames 0
   ethernet state counters in-crc-errors 0
   ethernet state counters out-mac-pause-frames 0

5. Create a PXE configuration file in the /tftpboot/pxelinux.cfg directory, where the name of the file is the MAC address of the platform, prefixed with “01”.

   All double hex values in the file name should be delimited with a dash. For example, the configuration file for the MAC address identified above would be named 01-00-12-a1-34-56-02.

   The configuration file should contain this information:

   Copy

   SAY Now booting F5OS-A
   
   
   DEFAULT F5OS-A
   
   
   LABEL F5OS-A
   
   
   KERNEL /f5os-a/images/pxeboot/vmlinuz edd=off
   APPEND initrd=/f5os-a/images/pxeboot/initrd.img inst.stage2=http://<*pxe-server-ip-address*>/tftpboot/f5os-a ks=http://<*pxe-server-ip-address*>/tftpboot/f5os-a/ks.cfg console=ttyS0 inst.sshd=1

Next, you can reboot the system and initiate a clean installation from the PXE server.

Install F5OS-A software on a system using a PXE server

Before you install using a PXE server, you must have copied an F5OS-A image file (.iso) to the PXE server and created a PXE configuration file on the server.

You can use an external PXE server to perform a clean installation of F5OS software onto the system from the CLI.

1. Connect to the system using a management console or console server.

   Note: The default baud rate and serial port configuration is 19200/8-N-1.

2. Log in to the command line interface (CLI) of the system using an account with root access.

3. Copy the F5OS-A image file (.iso) to the /var/export/chassis/import/iso directory on the system.

4. Reboot the system.

   reboot

5. Intercept the boot by typing p at the BIOS setup screen.

   The system automatically resets and goes into PXE boot mode, and the installation proceeds automatically. When the installation completes, the system restarts automatically.

   Note: It might take 10-15 minutes for the system to fully boot after a clean installation.

Tenant software installation

When you install a tenant from the rSeries system chassis partition webUI or CLI, you are deploying a new tenant installation.

Important: If you want to upgrade the software for an existing tenant, you must log in to the tenant using the tenant’s web-based management interface or command line interface (CLI), upload the updated software version, and then perform the upgrade inside the tenant.

F5 rSeries systems support running these tenants, for which the installation files are available as .bundle images:

• BIG-IP software

For information on F5OS software compatibility with F5 hardware, see K9476: The F5 hardware/software compatibility matrix.

Tenant image overview

BIG-IP tenant images

These BIG-IP tenant images are available to deploy on F5 rSeries systems:

• ALL-F5OS
• T4-F5OS
• T2-F5OS
• T1-F5OS (see note)

Note: T1-F5OS has limitations, so using the other images is recommended. Other images must be downloaded from F5 Downloads.

Each image type has different uses so you need to be sure to use the correct type for your tenant needs. For additional information about BIG-IP tenant image types, see K45191957: Overview of the BIG-IP tenant image types.

Tenant resource allocation overview

These are recommended resource considerations for determining the amount of memory (RAM) and disk space to allocate when planning tenant deployments on F5 rSeries systems.

Create and deploy tenants from the CLI

Before you get started, import the tenant images you want to use for the tenant deployments. You must already have created VLANs on the system. Before you can create and deploy tenants, you also need to estimate resource requirements so you know how many vCPUs, memory, and other resources to assign to the tenant.

You can create and deploy tenants from the CLI.

1. Log in to the command line interface (CLI) of the system using an account with admin access.

   When you log in to the system, you are in user (operational) mode.

2. Change to config mode.

   config

   The CLI prompt changes to include (config).

3. Create and deploy the tenant.

   tenants tenant <*name*> config <*options*>

   For more information about CLI options, see Tenant CLI command syntax.

   This example creates a BIG-IP tenant called big-ip that is in the configured running-state, by default:

   Copy

   appliance-1(config)# tenants tenant big-ip config type BIG-IP 
     image BIGIP-15.1.6-0.0.3.ALL-F5OS.qcow2.zip.bundle mgmt-ip 192.0.2.200
     prefix-length 24 gateway 192.0.2.254 nodes 1

4. Commit the configuration changes.

   commit

5. Return to user (operational) mode.

   end

6. You can monitor the operational state of the tenant and move the tenant into the provisioned running-state.

   tenants tenant big-ip config running-state provisioned

   This causes the system to assign the tenant to nodes and create virtual disks for the tenant on those nodes.

7. Show the current status for the tenant:

   show tenants tenant big-ip

   When the system is creating the virtual disk and installing the image on a disk, the operational state of the tenant shows this information:

   • PHASE – Allocating resources to the tenant is in progress
   • status – Provisioning A summary similar to this example displays:
   Copy

   appliance-1# show tenants tenant big-ip
   tenants tenant big-ip
    state name          big-ip
    state unit-key-hash PcPJWXRSLgdL3FRivOJODwrIZdYLncH3rqrjkW0X03uKHZFSLPjAc3d3E3Pbgd+Piq8p86LsMgma/kHoRdd+Kg==
    state type          BIG-IP
    state image         BIGIP-15.1.6-0.0.3.ALL-F5OS.qcow2.zip.bundle
    state mgmt-ip       192.0.2.200
    state prefix-length 24
    state gateway       192.0.2.254
    state cryptos       disabled
    state vcpu-cores-per-node 2
    state memory        7680
    state running-state provisioned
    state mac-data mgmt-mac 00:0a:49:ff:20:0c
    state mac-data base-mac 00:0a:49:ff:20:0d
    state mac-data mac-pool-size 1
    state appliance-mode disabled
    state status        Provisioning
                   INSTANCE                                                 CREATION  READY          MGMT
   NODE  POD NAME  ID        PHASE                                          TIME      TIME   STATUS  MAC
   --------------------------------------------------------------------------------------------------------
   1     big-ip-1  1         Allocating resources to tenant is in progress                           -

   When the system completes the virtual disk creation, the operational state shows this information:

   • PHASE – Ready to deploy
   • status – Provisioned A summary similar to this example displays:
   Copy

   appliance-1# show tenants tenant big-ip
   tenants tenant big-ip
    state name          big-ip
    state unit-key-hash PcPJWXRSLgdL3FRivOJODwrIZdYLncH3rqrjkW0X03uKHZFSLPjAc3d3E3Pbgd+Piq8p86LsMgma/kHoRdd+Kg==
    state type          BIG-IP
    state image         BIGIP-15.1.6-0.0.3.ALL-F5OS.qcow2.zip.bundle
    state mgmt-ip       192.0.2.200
    state prefix-length 24
    state gateway       192.0.2.254
    state cryptos       disabled
    state vcpu-cores-per-node 2
    state memory        7680
    state running-state provisioned
    state mac-data mgmt-mac 00:0a:49:ff:20:0c
    state mac-data base-mac 00:0a:49:ff:20:0d
    state mac-data mac-pool-size 1
    state appliance-mode disabled
   state status        Provisioned
                   INSTANCE                   CREATION  READY          MGMT
   NODE  POD NAME  ID        PHASE            TIME      TIME   STATUS  MAC
   --------------------------------------------------------------------------
   1     big-ip-1  1         Ready to deploy                           -

8. Change to config mode.

   config

   The CLI prompt changes to include (config).

9. You can then deploy the tenant.

   tenants tenant big-ip config running-state deployed

   This example moves the tenant into the deployed state, which causes the system to start and maintain VMs on each node to which the tenant is assigned.

10. Commit the configuration changes.

    commit

11. Return to user (operational) mode.

    end

12. You can check the status of the tenant.

    show tenants tenant big-ip state instances

    A summary similar to this example displays:

    Copy

    appliance-1# show tenants tenant big-ip state instances
                    INSTANCE
    NODE  POD NAME  ID        PHASE    CREATION TIME         READY TIME            STATUS                   MGMT MAC
    ---------------------------------------------------------------------------------------------------------------------------
    1     big-ip-1  1         Running  2022-04-08T15:30:20Z  2022-04-08T15:30:21Z  Started tenant instance  00:94:a1:69:34:25

Once you configure and deploy the tenant, and the Status is updated to Running, then you can use the management IP address to access the tenant system using SSH, the web-based interface, or TMOS Shell (tmsh).

Note: Once a tenant is Deployed (and is up and running), changing its state back to Configured or Provisioned stops the tenant. You will receive a warning message before this occurs.

Note: If the Status is Pending instead of Running, this might mean that there are not enough resources (vCPUs, memory, or other resources) for the tenant to be deployed. See the Tenant Details screen in the webUI for more information about the specific tenant.

Create and deploy tenants from the webUI

You must have imported the tenant images that you want to use for the tenant deployments into the system. You must also have previously created any required VLANs. Before you can create and deploy tenants, you also need to estimate resource requirements so you know how many vCPUs, memory, and other resources to assign to the tenant.

An administrator can deploy tenants from the webUI. You can open a preview pane with tenant details by clicking anywhere in a row. You can resize the preview pane to show more or less information. To close the preview pane, click Close or click again anywhere in the row.

1. Log in to the webUI using an account with admin access.

2. On the left, click TENANT MANAGEMENT > Tenant Deployments.

   The Tenant Deployment screen displays showing the existing tenant deployments and associated details.

3. To add a tenant deployment, click Add.

   The Add Tenant Deployment screen displays.

4. For Name, enter a name for the tenant deployment (up to 49 characters).

   Note: The first character in the name cannot be a number. After that, only lowercase alphanumeric characters and hyphens are allowed.

5. For Type, keep the default setting of BIG-IP.

6. For Image, select the software image that was previously imported onto the system.

   Ensure that the image you selected meets your tenant deployment needs.

7. For IP Address, enter the IPv4 address, IPv6 address, or Fully Qualified Domain Name (FQDN) for the tenant.

8. For Prefix Length, enter a number for the length of the prefix.

   The maximum prefix length is 32 for IPv4 and 128 for IPv6.

9. For Gateway, enter the IPv4 address or IPv6 address of the gateway.

10. For VLANs, select one or more VLANs that are available to the tenant.

    You can assign VLANs to more than one tenant.

11. For Virtual Wires, select configured virtual wires for the tenant.

    Note: This field displays only when virtual wires are configured on the system.

12. For Resource Provisioning, select one of these options:

    Option	Description
    Recommended	Recommended values for vCPUs and memory for the tenant.
    Advanced	Enables you to configure custom values for vCPUs and memory on the tenant. For example, if you want to configure a single vCPU tenant, or a tenant that uses more than the recommended amount of memory.

13. For vCPUs, select the number of vCPUs to provide to the tenant.

    The minimum recommended number of vCPUs per typical tenant is two (one vCPU is sufficient only for lightweight tenants that cannot be updated). The number of vCPUs needed depends on the amount of traffic the tenant will be handling. More vCPUs provide faster throughput.

14. For Memory, specify the amount of RAM, in MB, to allocate to the tenant.

    The amount of memory needed depends on the number of vCPUs assigned. The minimum amount of memory needed is determined by the formula [(3.5 * 1024 * #ofvCPUs) + 512].

    If you do not allocate sufficient memory, you may receive a warning message.

15. For Virtual Disk Size, specify the storage quota, in GB, for the tenant virtual disk.

    The default size is 77 GB.

16. For State, choose one of these options:

17. For Crypto/Compression Acceleration, select Enabled if the tenant requires high-performance crypto processing and compression.

    When this option is enabled, the tenant receives dedicated crypto devices proportional to the number of vCPU cores. Crypto processing and compression are off-loaded to the hardware. When the option is disabled, the tenant receives no crypto devices.

18. To restrict usage of the Bash shell for tenant administrators, set Appliance Mode to Enabled (this is Disabled by default.)

19. Click Save & Close.

The tenant is now configured and in the Deployed state. When the status says Running, the tenant administrator can log in to the tenant webUI or CLI using the management IP address (with HTTPS or SSH) and continue configuring the tenant system.

Note: If the Status says Pending instead of Running, this may mean that there are not enough resources (vCPUs, memory, or other resources) for the tenant to be deployed. See the Tenant Details screen in the webUI for more information about the specific tenant.