catoverflow
Jul 22, 2022

How to add a timestamp on iRule

Hello,

I would like to insert a timestamp on an iRule that reflects the current time at the iRule creation and then somehow to be able to update that iRule when it is updated. I need this cuz I want to validate sync between many nodes of the same cluster, and I need to be sure that the iRules are in sync and also to be able to generate a report with the iRules and the corresponding timestamps.

 

Is there a way to do this?

Thanks in advance.

Best regards

21 Replies

  • I don't understand. Do you have multiple device groups and wish to sync the same iRule between them?

    If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline.

    If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script:

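    import requests
    import hashlib
    
    # Fetch the iRule inventory that BigIPReport exports as JSON
    irules = requests.get('https://bigipreport.xip.se/json/irules.json', timeout=30).json()
    
    # Print the MD5 of every copy of the named rule; differing hashes mean the definitions differ
    for rule in [i for i in irules if i['name'] == 'rulename']:
        print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest())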
    
    # Sample output:
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # a2716b3fd773640b7919b91bb7e7d421

    Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention.

    Kind regards,
    Patrik

    Ps. Disclaimer, I am one of the authors of BigIPReport Ds.

      catoverflow

      Hi Patrik, how are you? First of all, thanks for your quick response 😀. To put you in context a little bit. I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the iRule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely, to insert a timestamp when creating/modifying the iRule and that allows me to have a version of it. Where you can also validate that timestamp that is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way maybe?

        Patrik_Jonsson

        Doing fine, thank you. Hope the same for you. 🙂 

        My solution using MD5 works in this scenario. Just pull the iRules via REST and run an MD5 against the rule definition and alert/take action if they vary.

        But the better way here would be to include this validation in the pipeline. I suppose the deploy would fail if any of the iRules fails to update? Maybe you can alert if it does?

        May I ask if you have considered enabling auto sync and/or replacing the old REST API with AS3?

  • From the above can I assume that you don't really trust sync and want a way to verify it yourself?

      catoverflow

      Exactly, we want to have a way for us to validate with our control plane that the iRules are effectively synchronized and are the same at all times, this, among other things, is because we need to be able to validate that if a request with a specific header enters through an F5, let's say of region A, then if it cannot satisfy the request based on the header, then to be able to evaluate before performing a fallback to the F5 of the other region (let's say B), and be able to control, among other things, that that header exists and that it can resolve it, in which case just there would proceed to perform the fallback and complete the request in the destination of region B, otherwise it would go to the default pool in the source region (in this case A).

      Perhaps I am adding one more degree of complexity in the question, which would be the fallback part.

        Patrik_Jonsson

        You can validate that the exact same rule is running across your devices with the script above.

        The header stuff confused me. Not sure what you mean?
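
The hash comparison discussed in this thread, extended into a per-rule drift report that also catches a rule that never reached a node. This is an added example and not part of any post above: the device names, rule bodies and the `drift_report` function are constructed for illustration. SHA-256 is swapped in for MD5 because rules here arrive from developers over an API and MD5 is not collision resistant, and treating the most common digest as the reference copy is an assumption.

```python
import hashlib
from collections import Counter

# Constructed sample rule bodies (not taken from any real device).
ROUTE_A = "when HTTP_REQUEST {\n  pool pool_a\n}\n"
ROUTE_B = "when HTTP_REQUEST {\n  pool pool_b\n}\n"
MAINT = "when HTTP_REQUEST {\n  HTTP::respond 503\n}\n"

# Constructed inventory: device -> {iRule name: definition}. In practice this
# would be filled from each node's REST API or from a BigIPReport export.
INVENTORY = {
    "ltm-a1": {"route_by_header": ROUTE_A, "maintenance": MAINT},
    "ltm-a2": {"route_by_header": ROUTE_A, "maintenance": MAINT},
    "ltm-b1": {"route_by_header": ROUTE_B},  # stale copy, and one rule missing
}


def digest(definition):
    """Hash the exact definition text; no whitespace normalisation is applied."""
    return hashlib.sha256(definition.encode("utf-8")).hexdigest()


def drift_report(inventory):
    """Return findings only for rules that are not identical on every device."""
    rule_names = sorted({name for rules in inventory.values() for name in rules})
    report = {}
    for name in rule_names:
        digests = {dev: digest(rules[name])
                   for dev, rules in inventory.items() if name in rules}
        missing = sorted(dev for dev in inventory if dev not in digests)
        # Assumption: the most common digest is the reference copy. Ties are
        # broken by digest value so the result is deterministic, which means a
        # 1-vs-1 split only tells you the nodes differ, not which one is right.
        counts = Counter(digests.values())
        reference = min(counts, key=lambda d: (-counts[d], d))
        out_of_sync = sorted(dev for dev, d in digests.items() if d != reference)
        if missing or out_of_sync:
            report[name] = {"reference": reference,
                            "out_of_sync": out_of_sync,
                            "missing": missing}
    return report


if __name__ == "__main__":
    for rule_name, finding in drift_report(INVENTORY).items():
        print(rule_name, finding)
```

The reference digest doubles as the version identifier asked about in the original question, since it changes whenever the rule text changes and needs nothing written into the rule itself.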