Complete F5 Automated Backup Solution

Problem this snippet solves:

Hi all,

Often I've been scouring the devcentral fora and codeshares to find that one piece of handywork that will drastically simplify my automated backup needs on F5 devices. Based on the works of Jason Rahm in his post "Third Time's the Charm: BIG-IP Backups Simplified with iCall" on the 26th of June 2013, I went ahead and created my own iApp that pretty much provides the answers for all my backup-needs.

Here's a feature list of this iApp:

  • It allows you to choose between both UCS or SCF as backup-types. (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
  • It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
  • It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
  • It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
  • It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)

  • It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself

    *   SCP (username/private key without password)
    • SFTP (username/private key without password)
    • FTP (username/password)
    • SMB (using smbclient, with username/password)
    • Local Storage (/var/local/ucs or /var/local/scf)

  • It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials off-box

  • It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)

  • It allows you to configure the filename using the date/time wildcards from the tcl clock command, as well as providing a variable to include the hostname
  • It requires only the WebGUI to establish the configuration you desire
  • It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
  • For the external shellscripts it automatically generates, the credentials are stored in encrypted form (using the master key)
  • It allows you to no longer be required to make modifications on the linux command line to get your automated backups running after an RMA or restore operation
  • It cleans up after itself, which means there are no extraneous shellscripts or status files lingering around after the scripts execute

Enjoy!

Thomas Schockaert

Contributed by: Thomas Schockaert

How to use this snippet:

minimum version 11.4

Code :

67735

Tested this on version:

11.4
Updated Jun 06, 2023
Version 2.0
backups
devops
iApps
  • PinkieCom's avatar
    PinkieCom
    Icon for Nimbostratus rankNimbostratus
    Jan 06, 2017

    I ran into the same issue as Nathaneil0227.

    In my case it was because we were using DSA keys instead of RSA keys. So the cleaning of the keyfile portion didn't work correctly.

    So i changed the line:

    set cleaned_privatekey [exec echo "$::destination_parameters__scp_sshprivatekey" | sed -e "s/BEGIN RSA PRIVATE KEY/BEGIN;RSA;PRIVATE;KEY/g" -e "s/END RSA PRIVATE KEY/END;RSA;PRIVATE;KEY/g" -e "s/ /\\\n/g" -e "s/;/ /g"]

    to:

    set cleaned_privatekey [exec echo "$::destination_parameters__scp_sshprivatekey" | sed -e "s/BEGIN RSA PRIVATE KEY/BEGIN;RSA;PRIVATE;KEY/g" -e "s/END RSA PRIVATE KEY/END;RSA;PRIVATE;KEY/g" -e "s/BEGIN DSA PRIVATE KEY/BEGIN;DSA;PRIVATE;KEY/g" -e "s/END DSA PRIVATE KEY/END;DSA;PRIVATE;KEY/g" -e "s/ /\\\n/g" -e "s/;/ /g"]

    I also made another tweak to allow you to set the remote folder to be the hostname of the device by entering $hostname for the path.

  • dsjustin_273687's avatar
    dsjustin_273687
    Icon for Nimbostratus rankNimbostratus
    Jan 12, 2017

    This is an awesome Iapp and I approve wholeheartedly. I would like to create a portion for aws client to be able to use that for uploading backups in AWS environment. I am looking at modifying the SMB client portion, and then adding it to the template for AWS. Has anyone else done something like this?

     

  • mike_drennen_16's avatar
    mike_drennen_16
    Icon for Cirrus rankCirrus
    Mar 01, 2017

    Just as a side note, We fought with the SMB using a domain account to authenticate as. We had to use domain\\username (two slashes between) so that the \ passed through to smbclient. Just an FYI.

     

  • arzhukov_298248's avatar
    arzhukov_298248
    Icon for Nimbostratus rankNimbostratus
    Apr 21, 2017

    I have another problem, It seem like work perfectly. But when script try to connect with credentials that I typed in, server doesnt give acces But I`m absolutely sure that I typed valid credentials. Please help me to resolve that issue..

     

    Saving active configuration... /var/local/ucs/ltm51.cetelem-bank.ru_20170421.ucs is saved. Script (/Common/) generated this Tcl error: script did not successfully complete: (Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). lost connection while executing "exec $scriptfile" line:18)

     

  • RobertS1's avatar
    RobertS1
    Icon for Nimbostratus rankNimbostratus
    May 04, 2017

    Question about using SCP server. Which private key is used? How do I find it? Change it?

     

    In ltm log I get: (/Common/) generated this Tcl error: (script did not successfully complete: (Host key verification failed. lost connection while executing "exec $scriptfile" line:18))

     

  • Ramprasath_Sada's avatar
    Ramprasath_Sada
    Icon for Nimbostratus rankNimbostratus
    May 21, 2017

    Hello Guys,

     

    While executing the f5_automated_backup using FTP. I am getting the following error. Can any one help on this.

     

    err mcpd[6853] 0107167d Data publisher not found or not implemented when processing request (unknown request), tag (2901).

     

    err scriptd[1797] 014f0013 Script (/Common/) generated this Tcl error: (script did not successfully complete: ("ucs" unexpected argument while executing "tmsh::save /sys ucs $fname passphrase XXXXXX " line:8))

     

    regards Ram

     

  • Nick_Linney_321's avatar
    Nick_Linney_321
    Icon for Nimbostratus rankNimbostratus
    Aug 18, 2017

    Is it possible to alter the SFTP option on this iApp to use password based authentication rather than private key?