catoverflow
Jul 22, 2022

How to add a timestamp on iRule

Hello,

I would like to insert a timestamp on an iRule that reflects the current time at the iRule creation and then somehow to be able to update that iRule when it is updated. I need this because I want to validate sync between many nodes of the same cluster, and I need to be sure that the iRules are in sync and also to be able to generate a report with the iRules and the corresponding timestamps.

 

Is there a way to do this?

Thanks in advance.

Best regards

21 Replies

  • From the above can I assume that you don't really trust sync and want a way to verify it yourself?

    • catoverflow

      Exactly, we want to have a way for us to validate with our control plane that the iRules are effectively synchronized and are the same at all times. This, among other things, is because we need to be able to validate that if a request with a specific header enters through an F5, let's say of region A, then if it cannot satisfy the request based on the header, then to be able to evaluate before performing a fallback to the F5 of the other region (let's say B), and be able to control, among other things, that that header exists and that it can resolve it, in which case just there would proceed to perform the fallback and complete the request in the destination of region B, otherwise it would go to the default pool in the source region (in this case A).

      Perhaps I am adding one more degree of complexity in the question, which would be the fallback part.

      • Kevin_Davies

        As Patrik suggested, MD5 is a great way to determine the rules are correct. If you want to verify they have been synced, that's a great way to do it. It is also efficient in that if they have not changed you will know it.

        If you want to verify the sync functionality itself is working as expected then you need something unique for every sync request. Hence the suggestion of adding a header line to your iRule with a millisecond timestamp. It's nothing complex, it's just taking the iRule content and adding a string at the top or bottom of the iRule with a # in front so the F5 ignores it. Then strip it off when you retrieve the iRule. It is probably useful to add a key marker so you know it's your header to strip off when you retrieve the iRule. Something like...

        ### SYNC 1662070557000 ###
        # Add specific headers required for application
        # v1.7
        iRule code here

        As for sending requests from one BIG-IP to another, logging is key. Have the first rule add a tracking id (tid) header and log it with ingress information "tid: virtual source" when handling a request. Have subsequent iRules on different F5s pick up the tid and use it as "tid: log message" when they process the request. Then when you look at your aggregated logs you can track the flow based on the tid.

        Pro Tip: If the tid is for tracking TCP connections then the source address and port are a good way to do this as they are required to be unique. They also have the benefit of providing useful information as well.

        Hope that helps!

  • I don't understand. Do you have multiple device groups and wish to sync the same iRule between them?

    If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline.

    If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script:

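    import requests
    import hashlib
    
    # Fetch the iRule inventory that BigIPReport exports as JSON
    irules = requests.get('https://bigipreport.xip.se/json/irules.json', timeout=10).json()
    
    # Print one MD5 per device copy of the rule; identical digests mean identical definitions
    for rule in [i for i in irules if i['name'] == 'rulename']:
        print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest())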
    
    # Sample output:
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # d03f96a58892859e80cbd2be39e04b0c
    # a2716b3fd773640b7919b91bb7e7d421

    Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention.

    Kind regards,
    Patrik

    PS. Disclaimer, I am one of the authors of BigIPReport. DS.

    • catoverflow

      Hi Patrik, how are you? First of all, thanks for your quick response 😀. To put you in context a little bit: I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the iRule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely to insert a timestamp when creating/modifying the iRule, which allows me to have a version of it, and where you can also validate that the timestamp is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way?

      • Kevin_Davies

        Just have your application add a single line with a manual timestamp at creation time. All you need is # Modified: date. If a developer updates it, this is automatically updated to the current date. Then you can simply check propagation by the timestamp on the deployed iRules. If you want the creation date then add that as well when it's new. When they edit an iRule using your application you can strip these values off so the developers have no access to them. In essence they are application controlled.

        # Creation: date
        # Modified: date
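
Added example, not part of any post in this thread: the marker-header approach from Kevin_Davies's replies (stamp on write, strip on read) combined with the MD5 comparison from Patrik's reply, so both the body and the sync stamp are checked per cluster member. The function names, node names and sample rule body are assumptions, and fetching the definitions from each device is left out.

```python
import hashlib
import re

# Header format from the thread: "### SYNC <epoch-milliseconds> ###" on line 1.
SYNC_RE = re.compile(r"^### SYNC (\d+) ###\r?\n")

def strip(definition):
    """Split a retrieved iRule into (sync_ms or None, body without header)."""
    m = SYNC_RE.match(definition)
    if m is None:
        return None, definition
    return int(m.group(1)), definition[m.end():]

def stamp(definition, now_ms):
    """Put a fresh SYNC header on the rule, replacing any existing one."""
    _, body = strip(definition)
    return f"### SYNC {now_ms} ###\n{body}"

def fingerprint(definition):
    """(sync_ms, MD5 of body); MD5 only detects drift, as in the thread."""
    sync_ms, body = strip(definition)
    return sync_ms, hashlib.md5(body.encode("utf-8")).hexdigest()

def sync_report(definitions_by_node):
    """Compare one iRule across members; the newest stamp is the reference."""
    prints = {n: fingerprint(d) for n, d in definitions_by_node.items()}
    stamped = [fp for fp in prints.values() if fp[0] is not None]
    if not stamped:
        return False, {n: "missing SYNC header" for n in prints}
    ref_ms, ref_md5 = max(stamped)
    drift = {}
    for node, (ms, md5) in prints.items():
        if ms is None:
            drift[node] = "missing SYNC header"
        elif md5 != ref_md5:
            drift[node] = "body differs"
        elif ms != ref_ms:
            drift[node] = "stale timestamp"
    return not drift, drift

# Constructed sample: one rule as retrieved from three hypothetical members.
RULE = "# Add specific headers required for application\n# v1.7\nwhen HTTP_REQUEST { }\n"
SAMPLE = {
    "node-a": stamp(RULE, 1662070557000),
    "node-b": stamp(RULE, 1662070557000),
    "node-c": stamp(RULE, 1662070000000),  # never received the latest push
}

if __name__ == "__main__":
    print(sync_report(SAMPLE))
```

Hashing the body separately from the stamp distinguishes a member that holds the right code with an old stamp from one whose code actually differs.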