Auto updates GeoIP database on Big IP.

Problem this snippet solves:

Securely auto-updates the GeoIP database on multiple BIG-IPs.

Tested on Version 12.1.2, but should work for others.

How to use this snippet:

Must have PHP installed (tested on 7.0, 5.6 should work too)

Install (on Ubuntu Server 12.04-16.04)

sudo LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php

sudo apt-get -y install php7.0 php7.0-common php7.0-cli php7.0-curl php7.0-mcrypt php-ssh2 php-zip


Then just issue on the CLI:

php geoip_updater.php <downloads.f5.com https geoip file url - on location page>  <optional, md5 file url>

Modify the script to enter your servers' IPs, hostnames, and auth settings. Tested updating 8 BIG-IPs in under 5 minutes. Due to limitations in how the file is offered on downloads.f5.com, you have to get the filename before running the script.

Code :

http://bit.ly/2uqeAI5

Tested this on version:

12.1
Updated Jun 06, 2023
Version 2.0
  • Joe_M

    Thanks for this! In my testing I ran into 2 issues getting this setup on xUbuntu 16.04. When running this command

    sudo apt-get -y install php7.0 php7.0-common php7.0-cli php7.0-curl php7.0-mcrypt php7.0-ssh2

    I received these errors:

    E: Unable to locate package php7.0-ssh
    E: Couldn't find any package by glob 'php7.0-ssh
    E: Couldn't find any package by regex 'php7.0-ssh

    That happened after adding the repository. Running the command

    sudo apt-get -y install php-ssh2

    seemed to fix that.

    The 2nd error I ran into was after the 1st time I ran the script, I received this error:

    Fatal error: Uncaught Error: "Class 'ZipArchive' not found in /home/xxxx/geoip_updater.php:112
    Stack trace:
    0 {main}
    thrown in /home/xxxx/geoip_updater.php on line 112

    I was able to resolve this by running this command

    sudo apt-get install php-zip

    The security conscious side of me doesn't particularly like having the root password stored in the script. If that could be made a variable that needs to be entered at the very beginning, that would be better in my own opinion.

    The other thing I would suggest is to see if the files you are about to download are already downloaded. Because of the ZipArchive error I received, I ended up downloading the files a 2nd time even though they were already there. As I am typing, it just occurs to me that being able to specify a local file might also be nice.

    Oh, and the GTM I was testing against was 11.5.3.

  • Thanks Joe for the feedback. I can certainly update the code to allow for a local directory copy of the download. My thought was to delete the local copy if it's present, as it might be incomplete or corrupted. And I didn't want to force the MD5 URL requirement. Also, I will update the documentation to include php-zip. Sorry for the inconvenience, but thanks for the determination in trying to get it working! You rock!

    I'm thinking I could make the 3rd CLI param be a check of whether it's a URL or the remote password. If it's a URL, then it's the path to the MD5 checksum; if not, then use it as a password for the remote boxes. Would that work for you?

    Also, did it work for you once you got the required files installed? Any and all feedback is greatly appreciated. Thanks a lot! I'm always looking to make things better.

  • Joe_M

    Yes, it did work! However, it did give me some notices.

    PHP Notice:  Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 135

    Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 135

    PHP Notice:  Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 169

    Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 169

    I think that was because I used IP only and not an FQDN. So, no big deal. That's a good point about the file being corrupt or incomplete. But I would think that would be a point towards forcing the md5 check. Which I personally would be OK with. Since the 2 URLs are almost identical, except the 2nd one has ".md5" at the end, you could just infer the 2nd URL from the 1st URL. Then you wouldn't need the MD5 URL parameter. I don't really do any coding and about the most I do is some bash scripting or simple iRules so, I am not exactly sure what would be a good way to do the password or local files. But yeah, just adding another parameter to the command seems good to me.

  • Actually, the ip-geolocation db file and md5 file have different URLs, so I can't infer the md5 from the original download URL. (If you copy and paste both URLs into a text program, you will see a different URL for each.) I wish I could, but I will make those other changes and update the GitHub and DevCentral asap.

  • Joe_M

    Yeah, you're right. Last week I compared them and I could have sworn they were the same. But when I did it today, they are definitely different.

  • Made some changes, opened a pull request on github. Tested on Ubuntu 18.04 against test boxes running 11.6.0 (v1) and 13.1.0.8 (v2).

    geoip_updater.php

    • version 0.0.8
    • use PHP_EOL for line endings
    • convert to ssh2_auth_agent, default to root user (no password in script)
    • pick f5s from F5S environment variable ie:

      F5S=a.example.com,b.example.com php geoip_updater.php  

    • avoid system() and printf()

    • recommend native php debs, avoid ppa

    • default to UTC
    • tabs, whitespace, etc
    • one ssh connection per f5
  • I removed the hardcoded methods to allow any method and my version now works against BIG-IP 15.x

    I merged your other changes to the repo and updated my pull request on github.

    Note: as commented above, this moves the list of F5s to the environment variable F5S

    I also check for the downloaded files and do not redownload them if they exist. Delete temp files to retry.

    I'm running with php 7.2 on Ubuntu 18.04 under WSL at the moment. Will be upgrading to 20.04 sometime soon.

    https://github.com/timriker/Vendor_code/raw/master/F5/geoip_updater.php
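
The caching and checksum points discussed in this thread (reuse a complete download, discard a corrupted one, take the device list from the F5S environment variable) can be combined as sketched below. This is an added example, not code from geoip_updater.php; the function names, the md5sum-style layout of the .md5 file and the sample data are assumptions.

```php
<?php
// Added example; function names are hypothetical, not from geoip_updater.php.
// Pull the digest out of md5sum-style text: "<32 hex chars>  <filename>".
function parse_md5_file(string $text): ?string {
    return preg_match('/^\s*([0-9a-f]{32})\b/i', $text, $m) ? strtolower($m[1]) : null;
}

// True only if the local archive exists and matches the published digest.
function archive_is_valid(string $zip, string $md5File): bool {
    if (!is_file($zip) || !is_file($md5File)) {
        return false;
    }
    $expected = parse_md5_file((string) file_get_contents($md5File));
    return $expected !== null && hash_equals($expected, hash_file('md5', $zip));
}

// Reuse a verified cached copy; delete a partial or corrupted one and refetch.
function cached_copy_action(string $zip, string $md5File): string {
    if (archive_is_valid($zip, $md5File)) {
        return 'reuse';
    }
    if (is_file($zip)) {
        unlink($zip); // never push an unverified archive to a BIG-IP
    }
    return 'download';
}

// Targets come from F5S (comma separated); keep only IPs and valid hostnames.
function hosts_from_env(): array {
    $hosts = [];
    foreach (explode(',', (string) getenv('F5S')) as $h) {
        $h = trim($h);
        if ($h !== '' && (filter_var($h, FILTER_VALIDATE_IP) !== false ||
            filter_var($h, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false)) {
            $hosts[] = $h;
        }
    }
    return $hosts;
}

// Constructed sample data: a stand-in archive and its md5 file in the temp dir.
$zip = tempnam(sys_get_temp_dir(), 'geoip');
file_put_contents($zip, 'constructed sample archive bytes');
file_put_contents("$zip.md5", md5_file($zip) . '  sample.zip' . PHP_EOL);
echo cached_copy_action($zip, "$zip.md5"), PHP_EOL; // intact copy
file_put_contents($zip, 'truncated');
echo cached_copy_action($zip, "$zip.md5"), PHP_EOL; // damaged copy is removed
putenv('F5S=a.example.com,192.0.2.10, bad host!');
echo implode(' ', hosts_from_env()), PHP_EOL;
unlink("$zip.md5");
```

The MD5 comparison catches truncated or corrupted downloads; authenticity of the file still rests on the HTTPS connection to downloads.f5.com.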