Forum Discussion
How to add a timestamp on iRule
Hi Patrick, how are you? First of all, thanks for your quick response 😀. To put you in context a little bit: I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the iRule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely to insert a timestamp when creating/modifying the iRule, which allows me to have a version of it, and where you can also validate that the timestamp is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way?
Just have your application add a single line with a manual timestamp at creation time. All you need is # Modified: date. If a developer updates, this is automatically updated to a current date. Then you can simply check propagation by the timestamp on the deployed iRules. If you want the creation date, then add that as well when it's new. When they edit an iRule using your application you can strip these values off so the developers have no access to them. In essence they are application controlled.
# Creation: date
# Modified: date
- catoverflow Jul 25, 2022
Altocumulus
Thank you very much for your answer. As for what you mention, are you saying something like to declare within the iRule:
set current_time [clock seconds]
so I can get the seconds from the epoch. Or is there any other best way to do it? Sorry if I totally don't follow you, but I'm really new to LTM/TCL.
Best regards
- Kevin_Davies Aug 20, 2022
Nacreous
What I meant is when you go to save an iRule to a BIG-IP your code adds headers to track its deployment. So if my iRule was
when HTTP_REQUEST { my code }
When deployed via API your code would modify it so it becomes
### Deployed: Timestamp Here ###
when HTTP_REQUEST { my code }
Then all it has to do is wait for that to appear at the destination to know it's been propagated. Time stamp is just a unique value at the time of deployment. Epoch seconds would be useful unless you want the value human readable.
How does this work? When your API reads the iRule to check for propagation it can verify with the header you added to see if it matches what it should be. When actually reading the iRule to return it downstream it can strip off that header. In essence it's a shadow header for tracking propagation, controlled by you. Has zero dependencies on anything else and no effect on the iRule itself because comments are ignored but saved with the iRule.
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
( Note: I'm waiting for F5 to step in here and say.. this API mechanism already exists and you can check it in this way.... LiefZimmerman )
- Aug 21, 2022
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
Either I don't understand you, or you don't understand me. iRules consist of characters; if even one character changes, the whole MD5 sum changes. Fetching the iRule definition via API from each of the LTMs is a legitimate way of validating that they're all running the same version of an iRule.
catoverflow Here's an example in Python3 without BigIPReport:
```python
import hashlib
import os

import requests
import urllib3

# Silences the warning that verify_ssl=False would otherwise trigger on every request
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


class F5rest:
    # verify_ssl=False skips certificate validation of the management interface;
    # pass True (or a CA bundle path) wherever the credentials and token must not
    # be exposed to an on-path attacker
    def __init__(self, username: str, password: str, device: str, verify_ssl=False):
        self.device = device
        self.username = username
        self.password = password
        self.verify_ssl = verify_ssl
        self._session = None

    @property
    def session(self):
        # Log in once and reuse the auth token for later requests
        if not self._session:
            s = requests.Session()
            body = {
                'username': self.username,
                'password': self.password,
                'loginProviderName': 'tmos'
            }
            token_response = s.post(
                f'https://{self.device}/mgmt/shared/authn/login',
                verify=self.verify_ssl,
                auth=(self.username, self.password),
                json=body).json()
            token = token_response['token']['token']
            s.headers.update({'X-F5-Auth-Token': token})
            s.verify = self.verify_ssl
            self._session = s
        return self._session

    def get_irule(self, name: str):
        response = self.session.get(f'https://{self.device}/mgmt/tm/ltm/rule/{name}')
        return response.json()


username = os.environ.get('F5_USERNAME')
password = os.environ.get('F5_PASSWORD')

if not (username and password):
    raise ValueError('Missing credentials in environment variables F5_USERNAME or F5_PASSWORD')

device_list = ['bigip.xip.se', 'bigip2.xip.se', 'bigip3.xip.se']

expected_hash = None
for device in device_list:
    # Query each device in the list (not the same host every time)
    f5 = F5rest(username, password, device)
    rule = f5.get_irule('encrypted_time')
    rule_hash = hashlib.md5(rule['apiAnonymous'].encode('utf-8')).hexdigest()
    if expected_hash is None:
        expected_hash = rule_hash
    if rule_hash != expected_hash:
        # Post Slack webhook here or raise exception
        raise Exception('Hashes do not match')
```

Now, there are multiple ways to skin the cat. You could also inject headers programmatically using your pipeline that shows the version of the iRule, using the iRule itself. Then read the headers in, i.e., Splunk/elastic and validate that it has changed by monitoring the traffic logs.
If you just want to know the version by manually logging in to each device and checking the iRule with your own eyes then Kevin's suggestion to put a version number / deploy time as a comment at the top would work too.
Hard to give an exact answer unless we know how you intend to use this. 🙂
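The two approaches discussed in this thread (a deployment comment header and a hash of the fetched definition) can be combined; the following is an added example, not code from any of the posters. The header format with a random suffix, the function names and the device names are assumptions, the iRule bodies are constructed samples, and SHA-256 is used in place of the MD5 from the script above.

```python
import hashlib
import re
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed header format, modelled on "### Deployed: Timestamp Here ###" in the thread:
# epoch seconds plus a random suffix, so two deploys in the same second still differ.
HEADER_RE = re.compile(r"\A### Deployed: (\d+-[0-9a-f]{16}) ###\n")

def strip(body: str) -> str:
    """Remove the tracking header before handing the iRule back to a developer."""
    return HEADER_RE.sub("", body, count=1)

def stamp(body: str, now: Optional[int] = None) -> Tuple[str, str]:
    """Return (stamped_body, deploy_id); an old header is replaced, never stacked."""
    ts = int(time.time()) if now is None else now
    deploy_id = f"{ts}-{secrets.token_hex(8)}"
    return f"### Deployed: {deploy_id} ###\n{strip(body)}", deploy_id

def deploy_id_of(body: str) -> Optional[str]:
    match = HEADER_RE.match(body)
    return match.group(1) if match else None

def digest(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def propagation_report(expected: str, fetched: Dict[str, str]) -> Dict[str, str]:
    """Compare each device's iRule text with the stamped text that was deployed."""
    want_id, want_digest = deploy_id_of(expected), digest(expected)
    report = {}
    for device, body in fetched.items():
        got_id = deploy_id_of(body)
        if got_id is None:
            report[device] = "unstamped"   # never deployed through the pipeline
        elif got_id != want_id:
            report[device] = "stale"       # an earlier deployment is still live
        elif digest(body) != want_digest:
            report[device] = "modified"    # right header, body edited out of band
        else:
            report[device] = "ok"
    return report

if __name__ == "__main__":
    rule = "when HTTP_REQUEST { my code }"   # constructed sample iRule
    first, _ = stamp(rule)
    second, _ = stamp(rule)                  # unmodified redeploy
    print(propagation_report(second, {"ltm-a": second, "ltm-b": first, "ltm-c": rule}))
```

The bodies passed to `propagation_report` would be the `apiAnonymous` text fetched from each device, assuming the device returns the definition exactly as it was submitted.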
