For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Stefan_Klotz's avatar
Stefan_Klotz
Icon for Cumulonimbus rankCumulonimbus
Jul 14, 2011

Advanced config and software update

Hi,

 

I hope this is the correct Forum for the below question.

 

We are more and more using advanced configurations like:

 

- external monitors

 

- custom alerts (with email-notification)

 

- remote syslog server (for specific local0 messages)

 

- custom cronjobs (to copy config and logs via SCP with authorized keys to avoid password prompt)

 

I guess there are a lot more possibilities of such specific and custom configurations via the commandline or by editing config-files, but most of them will be lost during a software update.

 

Therefor I want to ask which kind of the above mentioned custom configurations are "safe" during a software update. Or how do they need to be configured (if there are several methods possible) that they are "safe".

 

For those configurations which could not be "moved" with a software update, is there any kind of best practice how to prepare a software update which such special configurations?

 

Thank you!

 

 

Ciao Stefan :)

 

config
design

3 Replies

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 14, 2011
    I think any changes made to the system daemons via the bigip_sys.conf (or importing via bpsh) should be preserved during an upgrade. If external monitor scripts are saved under /config they should be preserved as well. If you've customized other files, you can configure them to be included in a UCS:

     

     

    sol4422: Viewing and modifying the files that are configured for inclusion in a UCS archive

     

    http://support.f5.com/kb/en-us/solutions/public/4000/400/sol4422.html

     

     

    Aaron
  • Stefan_Klotz's avatar
    Stefan_Klotz
    Icon for Cumulonimbus rankCumulonimbus
    Jul 15, 2011
    Hi Aaron,

     

    first of all congratulation to break the 10k posts sound barrier!!! Keep up the good work!

     

    Thank you for this great solution, seems to be exactly what I was looking for.

     

    But still one question regarding our SCP cronjob. To get this working without any password prompt, we had to create a private key on each Loadbalancer, which then needs to be added in the authorized_keys file on the remote server.

     

    Will it work to include these key-files in the UCS-archive as well?

     

    I guess when restoring such an UCS-archive the included files will be copied in the same directory, but what happend if a directory, for such backed up files changed between different software versions?

     

    Thank you!

     

     

    Ciao Stefan :)

     

  • hoolio's avatar
    hoolio
    Icon for Cirrostratus rankCirrostratus
    Jul 15, 2011
    Hi Stefan,

     

     

    Thanks for that. I think the home directories are included in a UCS. Only specific files in root's directory are though:

     

     

    /usr/libdata/configsync/cs.dat

     

    save.4700.file = /root/.bash_profile

     

    save.4710.file = /root/.bashrc

     

    save.4750.file = /root/.tmshrc

     

    save.4800.dir = /home

     

     

    I think it would work fine to either use a non-root account's home directory to store the keys or to specifically include a new directory or set of files for this. I'd definitely add verification of the cron task to your upgrade SOP though.

     

     

    Aaron