Complete F5 Automated Backup Solution
Problem this snippet solves:
Hi all,
Often I've been scouring the DevCentral fora and codeshares to find that one piece of handiwork that will drastically simplify my automated backup needs on F5 devices. Based on the works of Jason Rahm in his post "Third Time's the Charm: BIG-IP Backups Simplified with iCall" on the 26th of June 2013, I went ahead and created my own iApp that pretty much provides the answers for all my backup-needs.
Here's a feature list of this iApp:
- It allows you to choose between either UCS or SCF as backup-types. (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
- It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
- It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
- It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
- It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)
- It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself
  - SCP (username/private key without password)
  - SFTP (username/private key without password)
  - FTP (username/password)
  - SMB (using smbclient, with username/password)
  - Local Storage (/var/local/ucs or /var/local/scf)
- It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials off-box
- It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)
- It allows you to configure the filename using the date/time wildcards from the tcl clock command, as well as providing a variable to include the hostname
- It requires only the WebGUI to establish the configuration you desire
- It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
- For the external shell scripts it automatically generates, the credentials are stored in encrypted form (using the master key)
- It allows you to no longer be required to make modifications on the Linux command line to get your automated backups running after an RMA or restore operation
- It cleans up after itself, which means there are no extraneous shell scripts or status files lingering around after the scripts execute
Enjoy!
Thomas Schockaert
Contributed by: Thomas Schockaert
How to use this snippet:
minimum version 11.4
Code :
67735
Tested this on version:
11.4
- Daniel_TavernieCirrostratus
This is now available on GitHub! Please look here for the latest version, and submit any bugs or questions as an "Issue" on GitHub:
 
https://github.com/tabernarious/f5-automated-backup-iapp
 
As a BACKUP, look in the DevCentral CodeShare. This MAY NOT HAVE THE LATEST VERSION:
 
https://devcentral.f5.com/s/articles/f5-iapp-automated-backup-1114
 
I needed to troubleshoot an issue and ended up rolling in many of the proposed and posted fixes into a new iApp.
 
iApp VERSIONS (From what I gathered perusing DevCentral)

~v2.0 - 20140312 - Initially posted releases (v11.4.0-11.6.x? compatibility). (Developed/posted by Thomas Schockaert)
v2.1.1 - 20160916 - Retooled SMB upload from smbclient to "mount -t cifs" (v12.1+ compatibility). (Developed/posted by MAG)
v2.2.1 - 20171214 - Allowed multiple instances of iApp by leveraging $tmsh::app_name to create unique object names. (Developed by Daniel Tavernier/tabernarious)
v2.2.2 - 20171214 - Added "/" to "mount -t cifs" command and clarified/expanded help for SMB (CIFS) Destination Parameters. (Developed by Daniel Tavernier/tabernarious)
v2.2.3 - 20171214 - Set many fields to "required" and set reasonable default values to prevent loading/configuration errors. Expanded help regarding private keys. (Developed by Daniel Tavernier/tabernarious)
v2.2.4 - 20171214 - Added fix to force FTP to use binary upload. (Copied code posted by Roy van Dongen, posted by Daniel Tavernier/tabernarious)
v2.2.4a - 20171215 - Added items to FUTURE list.
v2.2.5 - 20171228 - Added notes about special characters in passwords. Added Deployment Information and ConfigSync sections. (Developed by Daniel Tavernier/tabernarious)
v2.2.5a - 20180117 - Added items to FUTURE list.
v2.2.5b4 - 20180118 - Moved encrypted values for SMB/CIFS to shell script which eliminates ConfigSync issues. Fixed long-password issue by using "-A" with openssl so that base64 encoded strings are written and read as a single line. (Developed by Daniel Tavernier/tabernarious)
v2.2.5b4+ - 20180118 - Refining changes to SMB/CIFS and replicating to other remote copy types. (Developed by Daniel Tavernier/tabernarious)
v3.0.0 - 20180124 - (Developed by Daniel Tavernier/tabernarious)
  - Eliminated ConfigSync issues and removed ConfigSync notes section. (Encrypted values now in $script instead of local file.)
  - Passwords now have no length limits. (Using "-A" with openssl which reads/writes base64 encoded strings as a single line.)
  - Added $script error checking for all remote backup types. (Using 'catch' to prevent tcl errors when $script aborts.)
  - Backup files are cleaned up after $script error due to new error checking.
  - Added logging. (Run logs sent to '/var/log/ltm' via logger command which is compatible with BIG-IP Remote Logging configuration (syslog). Run logs AND errors sent to '/var/tmp/scriptd.out'. Errors may include plain-text passwords which should not be in /var/log/ltm or syslog.)
  - Added custom cipher option for SCP.
  - Added StrictHostKeyChecking=no option.
  - Combined SCP and SFTP because they are both using SCP to perform the remote copy.
v3.1.0 - 20180201 - (Developed by Daniel Tavernier/tabernarious)
  - Removed "app-service none" from iCall objects. The iCall objects are now created as part of the Application Service (iApp) and are properly cleaned up if the iApp is redeployed or deleted.
  - Reasonably tested on 11.5.4 HF2 (SMB worked fine using "mount -t cifs") and altered requires-bigip-version-min to match.
  - Fixing error regarding "script did not successfully complete: (can't read "::destination_parameters__protocol_enable": no such variable" by encompassing most of the "implementation" in a block that first checks $::backup_schedule__frequency_select for "Disable".
  - Added default value to "filename format".
  - Changed UCS default value for $backup_file_name_extension to ".ucs" and added $fname_noext.
  - Removed old SFTP sections and references (now handled through SCP/SFTP).
  - Adjusted logging: added "sleep 1" to ensure proper logging; added $backup_directory to log message.
  - Adjusted some help messages.
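
Added example, not part of the iApp or of the post above: the v3.0.0 note warns that script errors may contain plain-text passwords and should stay out of /var/log/ltm and syslog. One way to scrub error text before it is handed to `logger`, and to count lines in an existing log that would have leaked; the function names, the patterns and the sample lines are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the iApp. The patterns are assumptions about what
# a failing copy command can echo back (CIFS mount options, URLs with embedded
# credentials). Passwords containing ',' or '/' can still slip through.

# Filter stdin -> stdout, replacing credential values with <redacted>.
redact_secrets() {
    sed -E \
        -e 's#([A-Za-z][A-Za-z0-9+.-]*://[^/:@[:space:]]+):[^[:space:]/]+@#\1:<redacted>@#g' \
        -e 's#([Pp]ass(word|phrase)?=)[^,[:space:]]+#\1<redacted>#g'
}

# Print how many lines of file $1 carry something redact_secrets would change.
# Only the count is printed, so the audit itself never repeats the secret.
count_leaks() {
    n=0
    while IFS= read -r line; do
        clean=$(printf '%s\n' "$line" | redact_secrets)
        [ "$clean" = "$line" ] || n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Constructed sample error text (hosts, user and password are made up).
sample_errors() {
    cat <<'EOF'
mount error(13): Permission denied: mount -t cifs //nas01/f5 /var/tmp/cifs -o username=svc_f5,password=Winter2018!
Access denied: ftp://svc_f5:Winter2018!@192.0.2.10/backups/bigip1.ucs
Backup bigip1_20180201.ucs copied to /var/local/ucs
EOF
}

# Demo: the text that would be safe to pipe on to `logger` after filtering.
sample_errors | redact_secrets
```

Running `count_leaks` against a copy of /var/log/ltm gives a quick check that nothing credential-shaped has already reached syslog.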
@tabernarious
Excellent job with the changelog included in the file. I love it! Thank you for compiling this and your work to improve this iApp.
Question, would you be willing to move this over to a GitHub repository for storing the code and tracking changes? This would also provide an issue tracker to make it easier for individuals to find a bug or resolution to a problem. I would be willing to help you maintain this.
If you'd like to chat about this you can DM on Twitter @tmurray_pro or find me in the F5 User Group Slack team at https://bit.ly/F5Slack
Thanks again!
- Robert_GoetzeNimbostratus
@tabernarious - Sorry for the delay, I was "watching" this thread and must have missed the change notification. Thank you for the update and posting of V3.0.0.
Thanks again.
- Daniel_TavernieCirrostratus
@Troy Murray, I created a Git repository for this iApp which contains my latest release (v3.1.0). I would welcome your collaboration. You can also find me on Twitter @tabernarious.
https://github.com/tabernarious/f5-automated-backup-iapp
@tabernarious This is excellent news! I've starred the repo and forked it on GitHub.
- Fiseha_340121Nimbostratus
Thanks Thomas for this excellent script. Is there a way you can add to the script to send email when the backup job is completed or failed?
- Daniel_TavernieCirrostratus
@Fiseha, The latest version (v3.x) (look in the comments for a link) includes logging to /var/log/ltm which will send to syslog. The easiest way to configure email alerts would be to have your syslog/reporting server send the email when it sees the relevant log message(s). There are other ways to get the F5 to send email directly but it’s very custom and I would not recommend it.
- Celine_LOUEDIN_Nimbostratus
Hi Thomas, I installed your iApp on many BIG-IPs but this time it causes a problem on my box (BIG-IP v.13.1.1.4): it's impossible to do an iApp "reconfigure". The web interface stays on "Loading... Receiving configuration data from your device." I've opened a Service Request and the F5 engineer told me the problem was due to your iApp: "Here is the analysis of our engineering service:
 
sys application service /Common/F5-BACKUP.app/F5-BACKUP {
    device-group /Common/device-group-failover-8bdec2e304ac
    inherited-devicegroup true
    inherited-traffic-group true
    template /Common/ <<<<<<<<<<<<<<<<<<<<<<<<
    traffic-group /Common/traffic-group-1
 
The scriptd process coredumped and restarted while it was processing the automated backup. Automated backup has been executed by iApp, which has not been created by F5 Networks and can be found on DevCentral: https://devcentral.f5.com/s/articles/complete-f5-automated-backup-solution. The script runs every day at 11:30 and backup files are created under /var/local/ucs (e.g., bigip-1.local_20170922.ucs). The size of the UCS files is about 36 GB.
 
The scriptd died by SIGABRT, due to socket/IO error while it was communicating with mcpd."
 
I've uninstalled the backup iApp but still have the issue. Can you help me?
 
Céline
 
- zhaoyhNimbostratus
67735
- h7533967Nimbostratus
67735