Forum Discussion
Fred_Slater_856
Aug 03, 2015 (Historic F5 Account)
Steve- This sounds like a bug. A virtual should not lose its app-service property any more than it should lose its profiles or any other properties that are associated with it. I assume that strict-updates was enabled at the time this occurred? What version of TMOS are you running? Is this an F5 iApp or one of your own? -Fred
- lostinberlin_11 (Aug 04, 2015, Nimbostratus)

  Hi Fred, thanks for the prompt reply. Version (11.6 with the latest Hotfix). Strict-updates were enabled. It is one of our own in-house iApps made from an in-house template. The template uses a utils cli script with some common procedures. I will add an extract of the main functionality to the main question (we will have formatting then). Thanks, Steve
- lostinberlin_11 (Aug 04, 2015, Nimbostratus)

  Okay, for some reason the edit Answer -> Save button is not working (I'm on Ubuntu 12.04. Tried with Firefox and Chrome if it's any help), so here is the edit I would have added.

  **EDIT (04.08.2015): Answers to Fred's comment:**

  - Version: 11.6.0 (HF5)
  - Strict-updates: enabled
  - In-house iApp template.

  ******** Version ********

  Version (11.6 with the latest Hotfix):

  ```
  Sys::Version
  Main Package
    Product  BIG-IP
    Version  11.6.0
    Build    5.0.429
    Edition  Hotfix HF5
    Date     Thu Jun 18 17:57:52 PDT 2015
  ```

  Extract from iApp Template and Utils file.

  ******** TEMPLATE ********

  ```tcl
  set myType myApp
  set mySyncPrefix ${myEnv}${myType}2

  # get config objects
  set myInternalIP [getMandatory $myEnv $myType internalIP ]

  iapp::debug "Creating pools..."
  set syncNodes [iapp::get_items -filter NAME =~ "^${mySyncPrefix}" ltm node ]
  createPool "${mySyncPrefix}" 6557 "monitor M-HTTP-8000_isAlive" $syncNodes $myExcludedNodes
  createPool "${mySyncPrefix}" 9000 "monitor M-HTTP-8000_isAlive" $syncNodes $myExcludedNodes
  createPool "${mySyncPrefix}" 9050 "monitor M-HTTP-8000_isAlive" $syncNodes $myExcludedNodes

  iapp::debug "Creating internal VS..."

  # INTERNAL-6556
  set vsName ${mySyncPrefix}
  set vsDestination $myInternalIP
  set vsPort 6556
  set vsPersistence ""
  set vsPolicies ""
  set vsProfiles "tcp-default { }"
  set vsRules ""
  set vsPool ${mySyncPrefix}-6557
  createVS $vsName $vsDestination $vsPort $vsPersistence $vsPolicies $vsProfiles $vsRules $vsPool
  ```

  ******** UTILS ********

  ```tcl
  proc createPool {myPrefix poolPort customAttrs nodes {excludedNodes ""}} {
      set poolName "${myPrefix}-${poolPort}"
      set defaultAttrs "service-down-action reselect reselect-tries 1"

      # set default if not found
      if { [string first " slow-ramp-time" [string tolower $customAttrs]] == -1 } {
          set defaultAttrs "${defaultAttrs} slow-ramp-time 30"
      }

      iapp::conf "create ltm pool ${poolName} { ${customAttrs} ${defaultAttrs} }"

      foreach node $nodes {
          if {[expr {[lsearch -exact $excludedNodes $node] >= 0 }]} {
              iapp::debug " Excluding node $node"
          } else {
              iapp::debug " Adding node $node"
              iapp::conf "modify ltm pool ${poolName} members add { $node:$poolPort }"
          }
      }
  }

  proc createVS { vsName vsDestination vsPort vsPersistence vsPolicies vsProfiles vsRules vsPool } {
      if {$vsPolicies != "" } { set vsPolicies "policies replace-all-with { $vsPolicies }" }
      if {$vsProfiles != "" } { set vsProfiles "profiles replace-all-with { $vsProfiles }" }
      if {$vsPool == "" } { set vsPool none }

      iapp::conf "create ltm virtual ${vsName}-${vsPort} { \
          destination ${vsDestination}:${vsPort} \
          ip-protocol tcp \
          mask 255.255.255.255 \
          $vsPersistence \
          $vsPolicies \
          $vsProfiles \
          rules { \
              $vsRules \
          } \
          pool $vsPool \
          source 0.0.0.0/0 \
          source-address-translation { type automap } \
          vlans-disabled \
      }"
  }
  ```
- lostinberlin_11 (Aug 04, 2015, Nimbostratus)

  Hi Fred, Okay, I have narrowed it down to the merging of bigip config files which seems to be the problem. We have snippets of bigip config which we keep in SVN in order to track the changes. This test only applies to the iRules used in a virtual server. However, my guess is that the shared SSL configs do the same.

  Example:

  - iRule definition (kept in subversion to allow traceability).
  - myApp.app/myAppIntern-443 uses this iRule
  - iRule merged into the config.
  - myApp.app/myAppIntern-443 loses app-service

  **** iRule config file ******

  ```
  steve@(myBigIP)(cfg-sync In Sync)(Active)(/Common)(tmos)# bash
  [steve@myBigIP:Active:In Sync] ~ # cat /tmp/irules.conf
  ltm rule ir-myApp-webstart {
      when HTTP_REQUEST {
          # $Header: http://subversion/path/to/file/irules.conf 83700 2015-07-30 13:31:20Z steve $
          if { [string tolower [HTTP::uri]] starts_with "/webstart/" } {
              HTTP::uri [string replace [HTTP::uri] 1 12 myAppwebstart]
          }
      }
  }
  ```

  **** Servers BEFORE ******

  ```
  sbl@(lb1a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual myApp.app/myApp app-service rules
  ltm virtual myApp.app/myAppIntern-9000 {
      app-service /Common/myApp.app/myApp
      rules {
          ir-myApp-admin
      }
  }
  ltm virtual myApp.app/myAppIntern-443 {
      app-service /Common/myApp.app/myApp
      rules {
          ir-encrypt128bits
          ir-myApp-webstart
          ir-myApp-admin
      }
  }
  ltm virtual myApp.app/myAppExtern-back-80 {
      app-service /Common/myApp.app/myApp
      rules none
  }
  ltm virtual myApp.app/myAppExtern-front-80 {
      app-service /Common/myApp.app/myApp
      rules {
          _sys_https_redirect
      }
  }
  ltm virtual myApp.app/myAppExtern-front-443 {
      app-service /Common/myApp.app/myApp
      rules {
          ir-encrypt128bits
      }
  }
  ```

  **** Merge ******

  ```
  steve@(myBigIP)(cfg-sync In Sync)(Active)(/Common)(tmos)# load sys config file /tmp/irules.conf merge
  Loading configuration...
    /tmp/irules.conf
  ```

  **** Servers AFTER ******

  ```
  sbl@(lb1a)(cfg-sync In Sync)(Active)(/Common)(tmos)# list ltm virtual myApp.app/myApp app-service rules
  ltm virtual myApp.app/myAppIntern-9000 {
      app-service /Common/myApp.app/myApp
      rules {
          ir-myApp-admin
      }
  }
  ltm virtual myApp.app/myAppIntern-443 {
      app-service none
      rules {
          ir-encrypt128bits
          ir-myApp-webstart
          ir-myApp-admin
      }
  }
  ltm virtual myApp.app/myAppExtern-back-80 {
      app-service /Common/myApp.app/myApp
      rules none
  }
  ltm virtual myApp.app/myAppExtern-front-80 {
      app-service /Common/myApp.app/myApp
      rules {
          _sys_https_redirect
      }
  }
  ltm virtual myApp.app/myAppExtern-front-443 {
      app-service /Common/myApp.app/myApp
      rules {
          ir-encrypt128bits
      }
  }
  ```
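A before/after check for the symptom shown in this thread, added here as an example (not code from the thread or from F5): it parses `list ltm virtual ... app-service rules` output captured before and after a config merge and reports virtuals whose `app-service` changed to `none`. The function names and the abridged sample listings are constructed for illustration, and the parser assumes only the `app-service` and `rules` properties are listed.

```python
def parse_virtuals(listing):
    """Parse `list ltm virtual <glob> app-service rules` output into {name: props}."""
    tokens = listing.split()
    virtuals, current, depth, i = {}, None, 0, 0
    while i < len(tokens):
        tok = tokens[i]
        if (depth == 0 and tokens[i:i + 2] == ["ltm", "virtual"]
                and tokens[i + 3:i + 4] == ["{"]):
            current = virtuals.setdefault(
                tokens[i + 2], {"app-service": "none", "rules": []})
            depth, i = 1, i + 4
            continue
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth == 0:
                current = None
        elif depth == 1 and current is not None and i + 1 < len(tokens):
            if tok == "app-service":
                current["app-service"] = tokens[i + 1]
                i += 1
            elif tok == "rules" and tokens[i + 1] == "{":
                end = tokens.index("}", i + 2)  # rule names contain no braces
                current["rules"] = tokens[i + 2:end]
                i = end
        i += 1
    return virtuals

def lost_app_service(before, after):
    """Return {virtual: rules} for virtuals that had an app-service owner in
    `before` and report `app-service none` in `after`."""
    old, new = parse_virtuals(before), parse_virtuals(after)
    return {name: new[name]["rules"] for name, props in old.items()
            if props["app-service"] != "none" and name in new
            and new[name]["app-service"] == "none"}

# Constructed sample, abridged from the listings in the thread (prompt echo kept).
BEFORE = (
    "(tmos)# list ltm virtual myApp.app/myApp app-service rules "
    "ltm virtual myApp.app/myAppIntern-443 { app-service /Common/myApp.app/myApp "
    "rules { ir-encrypt128bits ir-myApp-webstart ir-myApp-admin } } "
    "ltm virtual myApp.app/myAppExtern-back-80 { app-service /Common/myApp.app/myApp "
    "rules none }"
)
AFTER = BEFORE.replace("Intern-443 { app-service /Common/myApp.app/myApp",
                       "Intern-443 { app-service none")
print(lost_app_service(BEFORE, AFTER))
```

The returned rule list shows which iRules the affected virtual references, which is what ties the loss back to the merged `ir-myApp-webstart` definition in the posts above.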