Automatic backup of BIGIP LTM

I wrote a script to run "tmsh save /sys ucs" on each of a set of LTMs, download the resulting archive, then expand it and store the changes in git. Here's a copy of it, cleaned up for distribution a little bit.

!/bin/sh


 f5-backup: create UCS backups of a list of BIG-IP F5 devices
 (most likely Local Traffic Managers, aka LTMs)

 See https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13132.html

 Author: O'Shaughnessy Evans, 2015-09


trap sigdie INT QUIT
umask 022

 safety checks:  exit on unset variables and errors, don't expand *
set -o nounset
set -o errexit
set -o noglob

ME=${0*/}
HOSTS=${*:-"FIX: put your default hosts here"}
BACKUP_DIR=$HOME/var/f5
BACKUP_USER=rancid
REMOTE_TMPDIR=/var/tmp


 sigdie() - Signal handler that reports the cause of death (barely)

function sigdie
{
    die $EX_OSERR "killed"
}


 Make sure we're running as the intended backup user.
 This ensures that ssh always runs under the same conditions
 and that directories relative to $HOME are always the same.
if [[ "$USER" != "$BACKUP_USER" ]]; then
    echo "fatal error: running as $USER; please invoke as $BACKUP_USER" >&2
    exit 2
fi

remote_backup=$REMOTE_TMPDIR/backup-$(date +%F).ucs
for host in $HOSTS; do
    local_backup=$host-$(date +%F).tar.gz

    cd $BACKUP_DIR
    [[ -d $host ]] || mkdir $host
    cd $host

    echo " Creating UCS backup for $host"
    echo ""
    echo "    tmsh save /sys ucs ..."
    ssh $host tmsh save /sys ucs $remote_backup 2>&1 |sed 's,^,    tmsh save: ,'
    echo ""

    echo "* Downloading"
    echo ""
            echo "    $remote_backup -> $local_backup"
    scp -o 'StrictHostKeyChecking no' -q $host:$remote_backup $local_backup 2>&1 |sed 's,^,    scp: ,'
    gunzip -c $local_backup |tar xf -
    rm $local_backup
    echo ""

    echo "* Saving change in Git"
    echo ""
    git add . |sed 's,^,    git-add:     ,'
    git commit -m"$ME: automated backup of $host at $(date)" |sed 's,^,    git-commit: ,'
    git push 2>&1 |sed 's,^,    git-push:    ,'

    echo ""
done

You'll want to change a few things:

• Where you see "FIX: put your default hosts here", replace it with a space-separated list of the hostnames you're backing up. Alternatively, you can pass the list of hostnames on the command line when you run the script.
• Assign the username of the user ID you're running the backup script as to

  BACKUP_USER

  .
• Assign the directory where you want to maintain your git repo to

  BACKUP_DIR

  .

I wrote it assuming that

$BACKUP_USER

has a shell account on the F5 that can be accessed with its ssh key. If you don't have one, create an account with "advanced shell" permissions and "Resource Administrator" rights, then generate an ssh key for it on the host where this script will run (e.g.

ssh-keygen -t rsa -b 2048

), then copy the public key to

~/.ssh/authorized_keys

on each of the F5s you want to back up. You'll also need to enable the user of an authorized keys file if you haven't done so. See SOL13454: Configuring SSH host-based authentication on BIG-IP systems (11.x) for more details.

You'll want to initialize

$BACKUP_DIR

as a git repository, too. The script will git-add, commit, and push any changes between runs, so if you set a remote repository as your origin, you'll get a changelog on your Git server. It's very convenient.

To recover with the contents of this repository, you would need to check out the repo, remove the .git subdir, then tar it up and gzip it. The result should be the same as the last

tmsh save /sys ucs

that was run on that server. I should add that I haven't tested a restore from this, though, and that should be a real big caveat here. So... buyer beware :^)