F5 iApp Automated Backup

Problem this snippet solves:

This is now available on GitHub!

Please look on GitHub for the latest version, and submit any bugs or questions as an "Issue" on GitHub:

(Note: DevCentral admin update - Daniel's project appears abandoned so it's been forked and updated to the link below. @damnski on github added some SFTP code that has been merged in as well.)

https://github.com/f5devcentral/f5-automated-backup-iapp

Intro

Building on the significant work of Thomas Schockaert (and several other DevCentralites) I enhanced many aspects I needed for my own purposes, updated many things I noticed requested on the forums, and added additional documentation and clarification. As you may see in several of my comments on the original posts, I iterated through several 2.2.x versions and am now releasing v3.0.0. Below is the breakdown!

Also, I have done quite a bit of testing (mostly on v13.1.0.1 lately) and I doubt I've caught everything, especially with all of the changes. Please post any questions or issues in the comments.

Cheers!

Daniel Tavernier (tabernarious)

Related posts:

• Git Repository for f5-automated-backup-iapp (https://github.com/tabernarious/f5-automated-backup-iapp)
• https://community.f5.com/t5/technical-articles/f5-automated-backups-the-right-way/ta-p/288454
• https://community.f5.com/t5/crowdsrc/complete-f5-automated-backup-solution/ta-p/288701
• https://community.f5.com/t5/crowdsrc/complete-f5-automated-backup-solution-2/ta-p/274252
• https://community.f5.com/t5/technical-forum/automated-backup-solution/m-p/24551
• https://community.f5.com/t5/crowdsrc/tkb-p/CrowdSRC

v3.2.1 (20201210)

• Merged v3.1.11 and v3.2.0 for explicit SFTP support (separate from SCP).
• Tweaked the SCP and SFTP upload directory handling; detailed instructions are in the iApp.
• Tested on 13.1.3.4 and 14.1.3

v3.1.11 (20201210)

• Better handling of UCS passphrases, and notes about characters to avoid.
• I successfully tested this exact passphrase in the 13.1.3.4 CLI (surrounded with single quote) and GUI (as-is): `~!@#$%^*()aB1-_=+[{]}:./?
• I successfully tested this exact passphrase in 14.1.3 (square-braces and curly-braces would not work): `~!@#$%^*()aB1-_=+:./?
• Though there may be situations these could work, avoid these characters (separated by spaces): " ' & | ; < > \ [ ] { } ,
• Moved changelog and notes from the template to CHANGELOG.md and README.md.
• Replaced all tabs (\t) with four spaces.

v3.1.10 (20201209)

• Added SMB Version and SMB Security options to support v14+ and newer versions of Microsoft Windows and Windows Server.
• Tested SMB/CIFS on 13.1.3.4 and 14.1.3 against Windows Server 2019 using "2.0" and "ntlmsspi"

v3.1.0:

• Removed "app-service none" from iCall objects. The iCall objects are now created as part of the Application Service (iApp) and are properly cleaned up if the iApp is redeployed or deleted.
• Reasonably tested on 11.5.4 HF2 (SMB worked fine using "mount -t cifs") and altered requires-bigip-version-min to match.
• Fixing error regarding "script did not successfully complete: (can't read "::destination_parameters__protocol_enable": no such variable" by encompassing most of the "implementation" in a block that first checks $::backup_schedule__frequency_select for "Disable".
• Added default value to "filename format".
• Changed UCS default value for $backup_file_name_extension to ".ucs" and added $fname_noext.
• Removed old SFTP sections and references (now handled through SCP/SFTP).
• Adjusted logging: added "sleep 1" to ensure proper logging; added $backup_directory to log message.
• Adjusted some help messages.

New v3.0.0 features:

• Supports multiple instances! (Deploy multiple copies of the iApp to save backups to different places or perhaps to keep daily backups locally and send weekly backups to a network drive.)
• Fully ConfigSync compatible! (Encrypted values now in $script instead of local file.)
• Long passwords supported! (Using "-A" with openssl which reads/writes base64 encoded strings as a single line.)
• Added $script error checking for all remote backup types! (Using 'catch' to prevent tcl errors when $script aborts.)
• Backup files are cleaned up after any $script errors due to new error checking.
• Added logging! (Run logs sent to '/var/log/ltm' via logger command which is compatible with BIG-IP Remote Logging configuration (syslog). Run logs AND errors sent to '/var/tmp/scriptd.out'. Errors may include plain-text passwords which should not be in /var/log/ltm or syslog.)
• Added custom cipher option for SCP! (In case BIG-IP and the destination server are not cipher-compatible out of the box.)
• Added StrictHostKeyChecking=no option. (This is insecure and should only be used for testing--lots of warnings.)
• Combined SCP and SFTP because they are both using SCP to perform the remote copy. (Easier to maintain!)

Original v1.x.x and v2.x.x features kept (copied from an original post):

• It allows you to choose between both UCS or SCF as backup-types. (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
• It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
• It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
• It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
• It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)
• It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself
• SCP (username/private key without password)
• SFTP (username/private key without password)
• FTP (username/password)
• SMB (now using TMOS v12.x.x compatible 'mount -t cifs', with username/password)
• Local Storage (/var/local/ucs or /var/local/scf)
• It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials off-box
• It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)
• It allows you to configure the filename using the date/time wildcards from the tcl [clock] command, as well as providing a variable to include the hostname
• It requires only the WebGUI to establish the configuration you desire
• It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
• For the external shellscripts it automatically generates, the credentials are stored in encrypted form (using the master key)
• It allows you to no longer be required to make modifications on the linux command line to get your automated backups running after an RMA or restore operation
• It cleans up after itself, which means there are no extraneous shellscripts or status files lingering around after the scripts execute

How to use this snippet:

1. Find and download the latest iApp template on GitHub (e.g "f5.automated_backup.v3.2.1.tmpl.tcl").
2. Import the text file as an iApp Template in the BIG-IP GUI.
3. Create an Application Service using the imported Template.
4. Answer the questions (paying close attention to the help sections).
5. Check /var/tmp/scriptd.out for general logs and errors.

Tested this on version:

16.0