Complete F5 Automated Backup Solution

Problem this snippet solves:

Hi all,

Often I've been scouring the devcentral fora and codeshares to find that one piece of handywork that will drastically simplify my automated backup needs on F5 devices. Based on the works of Jason Rahm in his post "Third Time's the Charm: BIG-IP Backups Simplified with iCall" on the 26th of June 2013, I went ahead and created my own iApp that pretty much provides the answers for all my backup-needs.

Here's a feature list of this iApp:

  • It allows you to choose between both UCS or SCF as backup-types. (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
  • It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
  • It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
  • It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
  • It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)

  • It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself

    *   SCP (username/private key without password)
    • SFTP (username/private key without password)
    • FTP (username/password)
    • SMB (using smbclient, with username/password)
    • Local Storage (/var/local/ucs or /var/local/scf)

  • It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials off-box

  • It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)

  • It allows you to configure the filename using the date/time wildcards from the tcl clock command, as well as providing a variable to include the hostname
  • It requires only the WebGUI to establish the configuration you desire
  • It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
  • For the external shellscripts it automatically generates, the credentials are stored in encrypted form (using the master key)
  • It allows you to no longer be required to make modifications on the linux command line to get your automated backups running after an RMA or restore operation
  • It cleans up after itself, which means there are no extraneous shellscripts or status files lingering around after the scripts execute

Enjoy!

Thomas Schockaert

Contributed by: Thomas Schockaert

How to use this snippet:

minimum version 11.4

Code :

67735

Tested this on version:

11.4
Updated Jun 06, 2023
Version 2.0
backups
devops
iApps
  • Cirrus's avatar
    Cirrus
    Icon for Cirrus rankCirrus
    Aug 01, 2016

    Is there any update for 12.1.0? Because when I deploy it on this firmware the config files are empty...

     

  • Julio_Flores_15's avatar
    Julio_Flores_15
    Icon for Nimbostratus rankNimbostratus
    Aug 19, 2016

    hi can you help me please, i use this procedure in one big ip standalone and Works fine!!! But recently i do an DCS configuration with 4 big ip, and this procedure doesn't work, have you another information to do in this Type of cluster or configuration.

     

    Thanks

     

    Julio F

     

  • svs's avatar
    svs
    Icon for Cirrostratus rankCirrostratus
    Aug 24, 2016

    @Xian Zhong: I've probably found the reason for this issue. My customer encountered the same issue, when he was using the FTP transfer method from the iApp. It seems, that the iApp is using ASCII instead Binary transport to the FTP server (ASCII is the default mode of the builtin ftp client in Linux). Therefore the compressed file is corrupted. The issue was solved by using SCP/SFTP for transfer.

     

    If necessary you can repair the broken files on your FTP server by using "fixgz" (http://www.gzip.org/faq1)..) It worked for me to rescue the corrupted files.

     

    @Thomas: If you would add the command "binary" to the scriptfile before the transport starts (put command), it should work as expected.

     

    Regards, Sven

     

  • svs's avatar
    svs
    Icon for Cirrostratus rankCirrostratus
    Aug 24, 2016

    Hi Thomas,

     

    this is really a great scripts. Thank your very much!

     

    It seems that there are some open issues, but it works like charm most of the time (when using SCP/SFTP). Regarding SCP/SFTP...where is the difference in your script, except for the filenames created during runtime? SCP is used for the transport in both cases. Wouldn't it make sense to really use the sftp command?

     

    Regards, Sven

     

  • Tony_N_295548's avatar
    Tony_N_295548
    Icon for Nimbostratus rankNimbostratus
    Nov 10, 2016

    I'm getting the following error when I run this on BIG-IP 11.5.4 Build 1.0.286 Hotfix HF1. Does anyone have a fix for this?

     

    Nov 10 10:10:08 slot1/f5ltm01 err scriptd[3555]: 014f0013:3: Script (/Common/) generated this Tcl error: (script did not successfully complete: (bad decrypt 47145560865920:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:601: while executing "exec $scriptfile" line:17)) Nov 10 10:10:08 slot1/f5ltm01 err mcpd[7254]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

     

    Thank you, Tony

     

  • Roflcopter's avatar
    Roflcopter
    Icon for Nimbostratus rankNimbostratus
    Nov 17, 2016

    I am getting the exact same error as you Tony, but only on the standby unit.

     

    Nov 18 09:58:01 PROD2-F5-4000S err scriptd[8190]: 014f0004:3: script has exceeded its time to live, terminating the script Nov 18 09:58:01 PROD2-F5-4000S err mcpd[7006]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

     

  • Jon_Swick_29911's avatar
    Jon_Swick_29911
    Icon for Altostratus rankAltostratus
    Dec 02, 2016

    Script (/Common/) generated this Tcl error: (script did not successfully complete: (ftp: connect: Connection timed out while executing "exec $scriptfile" line:17))

     

    Data publisher not found or not implemented when processing request (unknown request), tag (2901).

     

    I am getting those two errors when trying to ftp

     

    ** Server Mis Config. Im all good

     

  • Nath's avatar
    Nath
    Icon for Cirrostratus rankCirrostratus
    Dec 13, 2016

    Hi,

     

    I got an error in version 12.0

     

    Script (/Common/) generated this Tcl error: (script did not successfully complete: (Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,password). lost connection while executing "exec $scriptfile" line:18)) Dec 13 18:09:11 F5-Lab err mcpd[5154]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

     

    Could you please help me?

     

    Regards,

     

    Nat