Forum Discussion
AltocumulusHow to add a timestamp on iRule
I don't understand. Do you have multiple device groups and wish to sync the same iRule between them?
If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline.
If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script:
import requests
import hashlib
irules = requests.get('https://bigipreport.xip.se/json/irules.json').json()
for rule in [i for i in irules if i['name'] == 'rulename']:
print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest())
# Sample output:
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# d03f96a58892859e80cbd2be39e04b0c
# a2716b3fd773640b7919b91bb7e7d421Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention.
Kind regards,
Patrik
Ps. Disclaimer, I am one of the authors of BigIPReport Ds.
AltocumulusHi Patrick, how are you? first of all thanks for your quick response 😀. To put you in context a little bit. I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the irule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely, to insert a timestamp when creating/modifying the iRule and that allows me to have a version of it. Where you can also validate that timestamp that is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way maybe?
Doing fine, thank you. Hope the same for you. 🙂
My solution using MD5 works in this scenario. Just pull the iRules via REST and run an MD5 against the rule definition and alert/take action if they vary.
But the better way here would be to include this validation in the pipeline. I suppose the deploy would fail if any of the iRules fails to update? Maybe you can alert if it does?
May I ask if you have considered enable auto sync and/or replacing the old REST API with AS3?
- catoverflow
Hello Patrik, regarding the use of AS3, unfortunately we cannot contemplate it, because we have done a development entirely in Java that already makes use of the REST API, and it would be quite expensive in terms of code refactor.
The issue is how we can do to validate that pipeline, because we write on one of the active nodes, and then the configuration is replicated (sync) in background, with which at that time of the ACK of the call to add or modify the irule we'll have the Ok if the irule is written in at least one of the nodes correctly, but nothing guarantees us that latter on there could be a problem with the sync and they remain in an inconsistent state.
I like the option of pulling the irules via REST and run the MD5 check against them and take actions based on that, but I will need to install and configure IpReports for that. I was wondering if there is any solution that doesn't involve installing additional components?
Thanks again!
Hi Altostratus
You definitely do not need BigIPReport to use the rest API. I just used it as an example to showcase the MD5 idea and the data was available. Here's an article on how to manage iRules using curl.
With a bit of programming know-how you can adopt it to your favorite language.
Kind regards,
Patrik
- Kevin_Davies
Nacreous
Just have your application add a single line with a manual timestamp at creation time. All you need is # Modified: date. If a developer updates this is automatically updated to a current date. The you can simply check propagation by the timestamp on the deployed iRules. If you want creation date then add that as well when its new. When they edit an iRule using your application you can strip these values off so the developers have no access to them. In essence they are application controlled.
# Creation: date
# Modified: date- catoverflow
Thank you very much for your answer. As for what you mention, are you saying something like to declare within the irule:
set current_time [clock seconds]so I can get the seconds from the epoch. Or is there any other best way to do it? Sorry if I totally don't follow you, but I'm really new to LTM/TCL.
Best regards
- Kevin_Davies
What I meant is when you go to save an iRule to a BIG-IP your code adds headers to track its deployment. So if my iRule was
when HTTP_REQUEST { my code }
When deployed via API your code would modify it so it becomes
### Deployed: Timestamp Here ###
when HTTP_REQUEST { my code }
Then all it has to do is wait for that to appear at the destination to know it's been propagated. Time stamp is just a unique value at the time of deployment. Epoc seconds would be useful unless you want the value human readable.How does this work? When your API reads the iRule to check for propagation it can verify with the header you added to see if it matches what it should be. When actually reading the iRule to return it downstream it can strip off that header. In essence it's shadow header for tracking propagation, controlled by you. Has zero dependancies on anything else and no effect on the iRule itself because comments are ignored but saved with the iRule.
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
( Note: I'm waiting for F5 to step in here and say.. this API mechanisim already exists and you can check it in this way.... LiefZimmerman )
