Deploying Workload

Public Cloud Deployment

You can create a workload node in the VPC with a processor node already installed.


The processor node secures workload data and control communication including the fabric manager and workload interaction. So, it is mandatory to have a processor node installed in the VPC before the workload deployment.

Create Workload Node

To create a new workload in the VPC, run the command:

(myfab2) bwctl> create workload azr2-vpc-myfab2

You should see output similar to:

[2019-09-25 18:03:26.462]  Creating new workload 'azr2-w01-myfab2'...
[2019-09-25 18:06:24.269]  ['azr2-w01-myfab2'] created successfully
[2019-09-25 18:06:24.297]  Generating SSH config...

To configure the workload, run the command with the FQDN of orchestrator SBI–in this example –as an argument:

(myfab2) bwctl> configure workload azr2-w01-myfab2 --orchestrator-fqdn

You should see output similar to:

[2019-09-25 18:07:17.658]  Generate ansible inventory...
[2019-09-25 18:08:25.858]  Workloads ['azr2-w01-myfab2'] configured successfully

To start the workload, run the command:

(myfab2) bwctl> start workload azr2-w01-myfab2

You should see output similar to:

[2019-09-25 18:09:18.375]  Workloads to be started: ['azr2-w01-myfab2']
[2019-09-25 18:09:21.495]  Workloads ['azr2-w01-myfab2'] started successfully

Private Datacenter Deployment

You can install the policy agent in your private data center on a Linux machine with kernel version 4.15 and up. The policy agent has been fully integrated and tested with the operating systems as follows:

  • Ubuntu 18.04 LTS,
  • RHEL 8 (available starting with the fabric family version 1.3).

You need root access to the Linux machine–thereafter called workload node –in order to install the policy agent.


Add Repository

First, switch to root level access by running this command:

]$ sudo su -

To add the Bayware repository key to the workload node, run this command:

]# wget -qO - | sudo apt-key add -

Now, add the Bayware repository to the workload node by running this command:

]# echo "deb bionic main" > /etc/apt/sources.list.d/bayware-s3-pub.list

Update the package cache on the workload node by running this command:

]# apt update

Install Agent

To install the policy agent on the workload node, run this command:

]# apt install -y ib-agent


The policy agent package depends on: strongswan (>=5), python3 (>=3.6), python3-iniparse, python3-openssl, haveged, libjansson4, libini-config5. All dependencies are installed automatically if not found on workload node.

Configure Agent

The policy agent requires for its operations the following configuration:

  • paths to root CA certificate, workload certificate, workload private key;
  • FQDN of orchestrator southbound API;
  • workload location name.

By default, the policy agent works with the certificates and the private key located at ~/opt/bayware/certs/

To view folder content, run this command:

]# ll /opt/bayware/certs/

If you have the certificates and the key already installed on the workload node, you should see output similar to this:

total 32
drwxr-xr-x 2 root   root 4096 Oct  4 15:28 ./
drwxr-xr-x 4 root   root 4096 Oct  4 15:38 ../
-rw-r--r-- 1 root   root 1956 Oct  4 15:28 ca.crt
-rw-r--r-- 1 root   root 1696 Oct  4 15:28 node.crt
-rw-r--r-- 1 root   root 1001 Oct  4 15:28 node.csr
-r-------- 1 ubuntu root 1675 Oct  4 15:28 node.key
-r-------- 1 ubuntu root 1704 Oct  4 15:28 node.p8
-r-------- 1 ubuntu root 3371 Oct  4 15:28 node.pem


You can find requirements to the workload node certificate in a separate guide under the section Certificate Requirements.

If you want to change the path to the certificates and the key, use options offered by the policy agent configuration script. To find the available options, run this command:

]# /opt/bayware/ib-agent/bin/ib-configure -h

To configure orchestrator and location names, run the command with FQDN of orchestrator southbound API and location name as its arguments. Use the option -s if you want to set up IPsec configuration for this agent:

]# /opt/bayware/ib-agent/bin/ib-configure -s -c <FQDN of Orchestrator SBI> -l <location>

You should see this output:

agent configuration completed successfully


All configuration settings can be changed directly in the config file located at ~/etc/ib-agent.conf

To check the current policy agent configuration, run this command:

]# cat /etc/ib-agent.conf

You should see output similar to this:

controller = <FQDN of Orchestrator SBI>
location = <location>
local_domain = ib.loc
token_file = /opt/bayware/ib-agent/conf/tokens.dat
log_file = /var/log/ib-agent/ib-agent.log
log_level = INFO
log_count = 5

name = ib-fab0
address =

name = ib-ctl0

name = ib-mon0

ca_cert = /opt/bayware/certs/ca.crt
node_cert = /opt/bayware/certs/node.crt
node_key = /opt/bayware/certs/node.key

rest_ip =
rest_port = 5500
log_file = /var/log/ib-agent/ib-agent-rest.log
log_level = WARNING

log_file = /var/log/ib-agent/ib-agent-resolver.log
log_level = WARNING
file_size = 100000
backup_count = 5
dns_port = 5053

Start Agent

To add the policy agent to workload node autostart, run this command:

]# systemctl enable ib-agent

To start the policy agent, run this command:

]# systemctl start ib-agent

Uninstall Agent

To uninstall the policy agent, run this command:

]# apt remove -y ib-agent


In progress…