How to add a timestamp on iRule
Thank you very much for your answer. As for what you mention, are you saying something like to declare within the iRule:

    set current_time [clock seconds]

so I can get the seconds from the epoch. Or is there any other best way to do it? Sorry if I totally don't follow you, but I'm really new to LTM/TCL.
Best regards
What I meant is when you go to save an iRule to a BIG-IP your code adds headers to track its deployment. So if my iRule was

    when HTTP_REQUEST { my code }

When deployed via API your code would modify it so it becomes

    ### Deployed: Timestamp Here ###
    when HTTP_REQUEST { my code }

Then all it has to do is wait for that to appear at the destination to know it's been propagated. Time stamp is just a unique value at the time of deployment. Epoch seconds would be useful unless you want the value human readable.
How does this work? When your API reads the iRule to check for propagation it can verify with the header you added to see if it matches what it should be. When actually reading the iRule to return it downstream it can strip off that header. In essence it's a shadow header for tracking propagation, controlled by you. Has zero dependencies on anything else and no effect on the iRule itself because comments are ignored but saved with the iRule.
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
(Note: I'm waiting for F5 to step in here and say.. this API mechanism already exists and you can check it in this way.... LiefZimmerman)
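The propagation check described in this post, as an added example that is not part of the original thread or any F5 API: a deploy step stamps the rule with a tracking comment, and a verifier reads the stamp back per device and strips it before use. The header layout, the extra random deploy id, SHA-256 in place of MD5, and the device names `ltm-a`/`ltm-b` are assumptions made for the illustration.

```python
import hashlib
import re
import time
import uuid

# Assumed header layout, modelled on the "### Deployed: ... ###" comment above.
STAMP_RE = re.compile(r"\A### Deployed: (\d+) ([0-9a-f]{32}) ###\n")


def strip_stamp(rule_text):
    """Remove the tracking header before handing the rule downstream."""
    return STAMP_RE.sub("", rule_text, count=1)


def stamp(rule_body, now=None):
    """Return (stamped_rule, deploy_id); any previous stamp is replaced."""
    epoch = int(time.time()) if now is None else now
    deploy_id = uuid.uuid4().hex  # unique even for two deploys in the same second
    return f"### Deployed: {epoch} {deploy_id} ###\n{strip_stamp(rule_body)}", deploy_id


def read_stamp(rule_text):
    """Return (epoch, deploy_id) from the first line, or None if unstamped."""
    m = STAMP_RE.match(rule_text)
    return (int(m.group(1)), m.group(2)) if m else None


def body_hash(rule_text):
    """Digest of the rule without its stamp: 'is the content identical?'"""
    return hashlib.sha256(strip_stamp(rule_text).encode("utf-8")).hexdigest()


def propagated(expected_id, fetched):
    """Map device -> True if the rule fetched from it carries this deploy's id."""
    result = {}
    for device, text in fetched.items():
        found = read_stamp(text)
        result[device] = found is not None and found[1] == expected_id
    return result


# Constructed sample: the same rule body deployed twice without modification.
BODY = "when HTTP_REQUEST { my code }\n"
first, first_id = stamp(BODY, now=1661040000)
second, second_id = stamp(first, now=1661040060)
# Hypothetical devices: ltm-a has the redeploy, ltm-b still holds the first copy.
STATUS = propagated(second_id, {"ltm-a": second, "ltm-b": first})
```

`body_hash` is identical for both deploys, so in this sample only the stamp shows that `ltm-b` has not yet received the redeploy.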
- Aug 21, 2022
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
Either I don't understand you, or you don't understand me. iRules consist of characters; if even one character changes, the whole MD5 sum changes. Fetching the iRule definition via API from each of the LTMs is a legitimate way of validating that they're all running the same version of an iRule.
catoverflow Here's an example in Python3 without BigIPReport:

    import hashlib
    import os

    import requests
    import urllib3

    # Certificate validation is off by default below (verify_ssl=False),
    # so the matching InsecureRequestWarning is silenced as well.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


    class F5rest:
        def __init__(self, username: str, password: str, device: str, verify_ssl=False):
            self.device = device
            self.username = username
            self.password = password
            self.verify_ssl = verify_ssl
            self._session = None

        @property
        def session(self):
            # Log in once, then reuse the token-authenticated session.
            if not self._session:
                s = requests.Session()
                body = {
                    'username': self.username,
                    'password': self.password,
                    'loginProviderName': 'tmos'
                }
                token_response = s.post(
                    f'https://{self.device}/mgmt/shared/authn/login',
                    verify=self.verify_ssl,
                    auth=(self.username, self.password),
                    json=body).json()
                token = token_response['token']['token']
                s.headers.update({'X-F5-Auth-Token': token})
                s.verify = self.verify_ssl
                self._session = s
            return self._session

        def get_irule(self, name: str):
            response = self.session.get(f'https://{self.device}/mgmt/tm/ltm/rule/{name}')
            return response.json()


    username = os.environ.get('F5_USERNAME')
    password = os.environ.get('F5_PASSWORD')
    if not (username and password):
        raise ValueError('Missing credentials in environment variables F5_USERNAME or F5_PASSWORD')

    device_list = ['bigip.xip.se', 'bigip2.xip.se', 'bigip3.xip.se']
    reference_hash = None

    for device in device_list:
        # Fetch the rule from each device in the list and hash its definition.
        f5 = F5rest(username, password, device)
        rule = f5.get_irule('encrypted_time')
        rule_hash = hashlib.md5(rule['apiAnonymous'].encode('utf-8')).hexdigest()
        if reference_hash is None:
            reference_hash = rule_hash
        if reference_hash != rule_hash:
            # Post Slack webhook here or raise exception
            raise Exception('Hashes does not match')

Now, there are multiple ways to skin the cat. You could also inject headers programmatically using your pipeline that shows the version of the iRule, using the iRule itself. Then read the headers in i.e. Splunk/elastic and validate that it has changed by monitoring the traffic logs.
If you just want to know the version by manually logging in to each device and checking the iRule with your own eyes then Kevin's suggestion to put a version number / deploy time as a comment at the top would work too.
Hard to give an exact answer unless we know how you intend to use this. 🙂
- Kevin_Davies, Aug 21, 2022
Patrik_Jonsson wrote:
Using MD5 is another method but without something in the iRule content to make it unique you won't be able to detect propagation if the iRule is redeployed unmodified. When the aim is propagation verification regardless of content each item has to be unique.
Either I don't understand you, or you don't understand me. iRules consist of characters; if even one character changes, the whole MD5 sum changes. 🙂
As to your first question... it's one or the other 🙂 You illustrated my point exactly... if you read my post carefully I said unmodified. This means no character has changed therefore the md5 will not change. Now what happens if they re-deployed the same iRule? You will not be able to tell if it has been propagated as the md5 value never changed.
- Aug 21, 2022
They have a pipeline which updates iRules so he'd know if the iRule was successfully updated or not on the device which syncs data to the other devices.
He wants to make sure that the same iRule is deployed on all devices. If the md5 is the same, the iRules are the same. I'd say that's a pretty good way to know if the iRules match across devices or not.
