Forum Discussion

catoverflow's avatar
catoverflow
Icon for Altocumulus rankAltocumulus
Jul 22, 2022

How to add a timestamp on iRule

Hello, I would like to insert a timestamp on an iRule that reflects the current time at the irule creation and then somehow to be able to update that irule when is updated. I need this cuz I want to...
application delivery
cloud
devops
iRules
LTM
Timestamp
Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Jul 22, 2022

I don't understand. Do you have multiple device groups and wish to sync the same iRule between them?

If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline.

If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script:

import requests
import hashlib

irules = requests.get('https://bigipreport.xip.se/json/irules.json').json()

for rule in [i for i in irules if i['name'] == 'rulename']:
    print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest())

# Sample output:
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# a2716b3fd773640b7919b91bb7e7d421

Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention.

Kind regards,
Patrik

Ps. Disclaimer, I am one of the authors of BigIPReport Ds.

  • catoverflow's avatar
    catoverflow
    Icon for Altocumulus rankAltocumulus
    Jul 23, 2022

    Hi Patrick, how are you? first of all thanks for your quick response 😀. To put you in context a little bit. I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the irule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely, to insert a timestamp when creating/modifying the iRule and that allows me to have a version of it. Where you can also validate that timestamp that is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way maybe?

    • Patrik_Jonsson's avatar
      Patrik_Jonsson
      Icon for MVP rankMVP
      Jul 23, 2022

      Doing fine, thank you. Hope the same for you. 🙂 

      My solution using MD5 works in this scenario. Just pull the iRules via REST and run an MD5 against the rule definition and alert/take action if they vary.

      But the better way here would be to include this validation in the pipeline. I suppose the deploy would fail if any of the iRules fails to update? Maybe you can alert if it does?

      May I ask if you have considered enable auto sync and/or replacing the old REST API with AS3? 

      • catoverflow's avatar
        catoverflow
        Icon for Altocumulus rankAltocumulus
        Jul 27, 2022

        Hello Patrik, regarding the use of AS3, unfortunately we cannot contemplate it, because we have done a development entirely in Java that already makes use of the REST API, and it would be quite expensive in terms of code refactor.

        The issue is how we can do to validate that pipeline, because we write on one of the active nodes, and then the configuration is replicated (sync) in background, with which at that time of the ACK of the call to add or modify the irule we'll have the Ok if the irule is written in at least one of the nodes correctly, but nothing guarantees us that latter on there could be a problem with the sync and they remain in an inconsistent state.

        I like the option of pulling the irules via REST and run the MD5 check against them and take actions based on that, but I will need to install and configure IpReports for that. I was wondering if there is any solution that doesn't involve installing additional components?

        Thanks again!

    • Kevin_Davies's avatar
      Kevin_Davies
      Icon for MVP rankMVP
      Jul 24, 2022

      Just have your application add a single line with a manual timestamp at creation time. All you need is # Modified: date. If a developer updates this is automatically updated to a current date. The you can simply check propagation by the timestamp on the deployed iRules. If you want creation date then add that as well when its new. When they edit an iRule using your application you can strip these values off so the developers have no access to them. In essence they are application controlled.

      # Creation: date
      # Modified: date

      • catoverflow's avatar
        catoverflow
        Icon for Altocumulus rankAltocumulus
        Jul 25, 2022

        Thank you very much for your answer. As for what you mention, are you saying something like to declare within the irule:

        set current_time [clock seconds]

         so I can get the seconds from the epoch. Or is there any other best way to do it? Sorry if I totally don't follow you, but I'm really new to LTM/TCL.

        Best regards