Big-IQ use TMSH to manage BIG-IP configuration in Silo
Hi experts,
Is it possible to use the TMSH in Big-IQ to manage configurations for the Big-IP that is in a Silo? Sometimes it is easier to use the TMSH to duplicate configuration, such as an SSL-client profile in the command line than clicking for each setting in the GUI. We used to do that on the Big-IP but now since they are all centrally managed by the Big-IQ, we can't do that anymore. Where is Silo stored on the Big-IQ? Is it in a specific directory?
Thanks!
Difan
Hi Difan.
Short answer - no, the configuration stored in BIG-IQ is not manageable from TMSH, or any direct CLI. The config is stored in a database, not text files.
Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology, but the vast majority of this is precursory and not yet documented. That said, if you were prepared to invest the effort, you could in theory script the duplication of existing objects. It's all very different from TMSH though.
If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3. This moves the source of truth for your configuration to your preferred external code repository, but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP. You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config.
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html
In the meantime, to keep the ability to use TMSH to manage configurations, something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish. You can then Discover/Import that device configuration into BIG-IQ. Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import. The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers. If you define virtual servers on your dev environment, you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.
A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ separately before you can deploy the SSL profile to a different device. BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.
Hope all that helps!