Forum Discussion

DM_5174
Mar 10, 2010

Enabling/disabling a maintenance page iRule remotely from a browser or script without having to log in to the LTM

Hi All,

I have a question that I am assuming many on this forum may want answered, or may have similar objectives to mine.

Is there a way to remotely change an iRule on an LTM for maintenance page purposes? I know one topic on this forum is to create a maintenance page iRule that can be enabled or disabled via a connection to the LTM through the web browser (http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenanceWindow.html).

I have tried that and it does not work, or it was not clearly shown how to run it. How is security controlled, and is there any other alternative for doing this?

How we do this on our end is to have a network admin log in to the LTM and change the normal iRule on a virtual server to the maintenance iRule during our maintenance window. This limits us to one group, and if we want anyone other than a network admin to do this task, we would have to give out an ID on the LTM.

Can I achieve this by:

1. Creating a script to do this (Perl etc.)? Is there one already on this forum?

2. Connecting to the LTM via a browser to do this (change the iRule) without using iControl?

Thanks again!

 

  • Hi AH,

    I think the best approach for now is to see why

    http://devcentral.f5.com/wiki/default.aspx/iRules/LTMMaintenanceWindow.html

    failed for you. What errors did you receive? As for security, it's not really secure if someone who has working knowledge has access to it.

    Thanks,

    Bhattman
  • Hi Bhattman,

    I tried this iRule already and get an error or a 404 when issuing the commands to enable or disable. I thought with this iRule you get a web page with a drop-down to select enabling or disabling the maintenance page feature for a specific VS. It turns out you pass the commands through the URI. There must be an easier way of doing this. Giving permissions to other team members during deployments to swap iRules is not my decision; it comes from management. I agree with you and cringed at the thought of this, but they want to remove the dependency on the network group for deployments, I guess.

    BTW: I just re-did my iRule based on your help earlier and will test tomorrow to see if I get forwarded to the APACHE pool when specifying the "/APPxx" prefix.

    Thanks again.

    AH
  • hoolio
    A couple of other options for allowing the server admins to control which pool members receive connections (from a related post):

    http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1168252&ptarget=1145129

    You could configure a monitor that checks each server for a specific page and content within that page. When the server admins want to take a server down, they could change or remove the page being monitored, reboot the member, wait for the services to come up fully and then restore the monitor page. The downside to this approach is that when they change/rename the monitor page, all existing sessions will be broken.

    If you did want to do this with connections drained off gracefully, you could create a simple iControl-based script run from the pool member(s) themselves that disables the node, checks for no connections to the node, reboots, and then re-enables itself in the pool once its services have come up. The mechanism for disabling a pool member should be fairly simple with iControl.

    There are a few related examples in the iControl Codeshare:

    http://devcentral.f5.com/wiki/default.aspx/iControl.CodeShare

    If you did opt for the maintenance iRule, it would be ideal to restrict access to the "admin" functions of the rule using source IP addresses. You could do this by creating an address datagroup containing the allowed client IP addresses and then checking in the iRule to see if the client IP is a member of the admin datagroup before taking any action.

    Aaron
  • I wanted to do something similar to what you are asking for. I decided to take a slightly different approach. I hope it helps.

    Usage: Create a Matchclass (Address) under iRules -> Data Group List.

    Apply it to whatever VIP you want to test it on. Edit the values in the iRule:

    Current Rule Settings - Action START TIME: set time_start [ clock scan {16:58} ]
    Current Rule Settings - Action STOP TIME: set time_stop [ clock scan {17:00} ]
    Set Target Day (uses short form - Mon, Tue, Wed, Thu, Fri, Sat, or Sun): set target_day Mon

    - A URL accessing the VIP during the Maintenance Window will get the HTTP message (you can change this to a pool of servers that serve up the content if you like).
    - Override of the Maintenance Page (allows the developers to test during the window) is performed by adding the testers' IP addresses to the Matchclass (MaintenancePageOverride in this example).
    - Verify the tester's IP address by using the VIP URL and appending "/maintenanceaccess" (http://website.com/maintenanceaccess) ... it will provide the IP address you used to hit that page, for addition to the Matchclass.
    - Verify the Maintenance Window by using the VIP URL and appending "/maintenancestatus" (http://website.com/maintenancestatus).

    If anyone can see any ways to improve this, please share...
    ```tcl
    when CLIENT_ACCEPTED {
        # Retrieve values from the system
        set current_time [ clock seconds ]
        set current_day [ clock format [clock seconds] -format {%a} ]

        # Current Rule Settings - Action START TIME
        set time_start [ clock scan {16:58} ]
        # Current Rule Settings - Action STOP TIME
        set time_stop [ clock scan {17:00} ]
        # Set Target Day (uses short form - Mon, Tue, Wed, Thu, Fri, Sat, or Sun)
        set target_day Mon

        # Conversions to human readable time for the maintenance status page
        set readable_start [clock format $time_start -format "%H:%M"]
        set readable_stop [clock format $time_stop -format "%H:%M"]

        if { ($current_day == $target_day) and ($current_time > $time_start) and ($current_time < $time_stop) and !([matchclass [IP::remote_addr] equals $::MaintenancePageOverride ]) } {
            # Inside the window and not on the exclusion list: tag the connection here
            set maint_active 1
        } else {
            # Outside the window, or the client is to be excluded
            set maint_active 0
        }
    }

    when HTTP_REQUEST {
        # Start from the connection-level decision on every request, so a
        # "/maintenanceaccess" or "/maintenancestatus" request does not leak its
        # value into later requests on the same keep-alive connection
        set rewrite_response $maint_active
        if { [HTTP::uri] contains "maintenanceaccess" } {
            set rewrite_response 3
        } elseif { [HTTP::uri] contains "maintenancestatus" } {
            set rewrite_response 4
        }
    }

    when HTTP_RESPONSE {
        # The server response is replaced here; "0" lets the real response through
        if { $rewrite_response equals "1" } {
            HTTP::respond 200 content "Site Unavailable
    System Maintenance NOTICE: This website is down for system maintenance."
        } elseif { $rewrite_response equals "3" } {
            HTTP::respond 200 content "Maintenance Access
    Maintenance Access Assistance
    Your IP Address is: [IP::client_addr]
    Please provide the IP Address listed above to the Support Team Representative assisting you with your maintenance window. This will allow the Representative to grant you override access to the maintenance page. Thank you."
        } elseif { $rewrite_response equals "4" } {
            HTTP::respond 200 content "Maintenance Status
    Maintenance Access Status
    Website Maintenance is currently configured for your website.
    Day of the Week Maintenance is Scheduled for: $target_day
    Scheduled Maintenance Start Time: $readable_start CST
    Scheduled Maintenance End Time: $readable_stop CST
    Current Time: [clock format [clock seconds] -format {%H:%M:%S}] CST
    If you have any questions please contact the Support Team Representative assisting you with your maintenance window. Thank you."
        }
    }
    ```
  • Hey Michael, that's a good idea. The only issue I would see is that in real life maintenance windows run longer/shorter than expected. How do you deal with that at your shop?

    I think we could really simplify this rule, give control to the other teams, and possibly fix the issue of the original poster.

    What if we defined the class as an "External File"? You could do away with the whole start/stop time idea. Then write the iRule to direct (or not direct) traffic based on the matches in the external file... You could go at it from a few different angles.

    You could then have scripts out there to change that file remotely.
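The following is an added example, not code from this thread or from F5, that puts together the original question (toggle the page from a browser or script, no LTM login) with Aaron's advice to gate the control URIs by a source-IP datagroup; it keeps the flag in the session table instead of an external-file class. It assumes BIG-IP v10 or later (the class and table commands) and two hand-created address datagroups, maint_admins and maint_override; those names and the /maintenance/ URIs are hypothetical.

```tcl
# Added example (not from this thread or F5): browser/script-driven maintenance
# toggle, with the control URIs restricted to an address datagroup of admins.
# Assumes v10+ and address datagroups "maint_admins" and "maint_override".
# Source-IP gating is only as strong as the path to the BIG-IP: clients behind
# a shared NAT or proxy all present the same address.
when HTTP_REQUEST {
    # One flag per virtual server, kept in the session table so it survives
    # across connections and is shared by all TMMs without touching static vars.
    set key "maint:[virtual name]"
    set path [string tolower [HTTP::path]]

    if { $path starts_with "/maintenance/" } {
        # Control URIs: deny and log anything not from the admin datagroup
        if { ![class match [IP::client_addr] equals maint_admins] } {
            log local0. "maintenance control denied: [IP::client_addr] $path on [virtual name]"
            HTTP::respond 403 content "Forbidden\n" "Content-Type" "text/plain"
            return
        }
        switch $path {
            "/maintenance/on" {
                table set $key 1 indefinite indefinite
                log local0. "maintenance ON for [virtual name] by [IP::client_addr]"
                HTTP::respond 200 content "maintenance: on\n" "Content-Type" "text/plain"
            }
            "/maintenance/off" {
                table delete $key
                log local0. "maintenance OFF for [virtual name] by [IP::client_addr]"
                HTTP::respond 200 content "maintenance: off\n" "Content-Type" "text/plain"
            }
            default {
                # /maintenance/status (or anything else under the prefix): report the flag
                if { [table lookup $key] ne "" } { set state "on" } else { set state "off" }
                HTTP::respond 200 content "maintenance: $state\n" "Content-Type" "text/plain"
            }
        }
        return
    }

    # Normal traffic: while the flag is set, answer with a 503 (so monitors and
    # crawlers see an outage rather than a 200) unless the client is a listed tester
    if { [table lookup $key] ne "" && ![class match [IP::client_addr] equals maint_override] } {
        HTTP::respond 503 content "Site down for scheduled maintenance.\n" \
            "Content-Type" "text/plain" "Retry-After" "3600"
    }
}
```

A deployment script on the admin host then only needs an HTTP client (curl, a Perl LWP one-liner) hitting /maintenance/on and /maintenance/off on the VIP, and the denied attempts show up in /var/log/ltm for review.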