F5 Velos/rSeries/F5OS code for automating config backup with the new RESTCONF API and Ansible

The new F5OS devices use a RESTCONF-based API that allows everything to be done through the API. You can even send an API command that makes the F5 export the configuration file over an outbound HTTPS/SCP connection, which for me is an extra security benefit.

 

F5 has even released Ansible collections for Velos, but some things are still not possible with the collections. With Ansible, the URI module can be used to do the things I am doing with Postman, as even the HTTP headers can be added in the URI module. Some may use Python, but personally I like Ansible more (see the end of this article for the Ansible example) 🙂

https://clouddocs.f5.com/products/orchestration/ansible/devel/velos/velos.html

https://clouddocs.f5.com/products/orchestration/ansible/devel/f5os/f5os.html

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html

 

 

This code allows the automation of the configuration backups for the F5 Velos/rSeries using the new API.

 

To get started with the F5OS API, I recommend going through the DevCentral article https://community.f5.com/t5/technical-articles/exploring-f5os-automation-features-on-velos/ta-p/295318

 

The Velos Postman collections are at https://clouddocs.f5.com/api/velos-api/velos-api-workflows.html

 

 

The Velos API documentation can be found at F5OS/F5OS-C OpenAPI Documentation.

 

The F5OS API supports Basic and Bearer token authentication, but it is much better to use Basic auth only to retrieve the token, as shown in the examples below.

 

  1. Generate Bearer Token in Postman. This is from the F5 Postman collection.

Endpoint:

https://{{Chassis1_System_Controller_IP}}:8888/restconf/data/openconfig-system:system/aaa

'No body'

 

 

 

 

 

  2. Create a config backup (in F5OS it is no longer called a UCS but a database configuration backup).

 

Endpoint:

 

:8888/restconf/data/openconfig-system:system/f5-database:database/f5-database:config-backup

 

Body:

 

{
  "f5-database:name": "api-backup",
  "f5-database:overwrite": "true"
}

 

 

 

Note! For rSeries, "f5-database:overwrite": "true" may need to be removed, as 1.3.1 does not support choosing whether to overwrite an existing backup.

 

  3a. Download the config backup as ‘root’ with SCP from ‘/var/confd/configs/’; for an example, see Back up and restore the F5OS-C configuration on a VELOS system.

 

 

  3b. Make the F5 send the backup over HTTPS to the backup server with the new file transfer utility, which can be triggered with API commands so that the F5 starts the file transfer.

 

Endpoint:

 

:8888/restconf/data/f5-utils-file-transfer:file/export

 

Body:

 

{
  "f5-utils-file-transfer:username": "test",
  "f5-utils-file-transfer:password": "test",
  "f5-utils-file-transfer:local-file": "configs/api-backup",
  "f5-utils-file-transfer:remote-url": "https://1.1.1.1/file"
}

 

 

In some versions the variable "insecure": "true" can't be set, so the web server may need a valid SSL certificate that is not self-signed.

 

  3c. Export the backup with SCP/SFTP initiated from the F5 device with an API command.

 

This is something that will be possible in the future, as it seems that as of now it is still not possible. I tried to follow the API documentation, but sometimes I get errors about a missing element ‘known-hosts’, although this file should be created with the API call below. Maybe the workaround is to log in to the Linux shell with a root account and create this file, but I still have not found where to create it. Another error is an unknown element ‘remote-host’, but this should exist, so either it is a bug or the documentation has some mistakes; as this is a new feature, it will work eventually. As a note, you need to add the fingerprints for the Velos or rSeries to start the SCP connection as an extra security step, and this is really nice 😀

 

Endpoint:

/restconf/data/f5-utils-file-transfer:file/known-hosts

 

Body:

 

{
  "f5-utils-file-transfer:known-host": [
    {
      "remote-host": "string",
      "config": {
        "remote-host": "string",
        "key-type": "rsa",
        "fingerprint": "string"
      },
      "state": {
        "remote-host": "string",
        "key-type": "rsa",
        "fingerprint": "string"
      }
    }
  ]
}

 

With F5OS, when accessing the GUI you can use Fiddler or F12 (the browser devtools) to see the RESTCONF commands that are used and then use them in Postman/Ansible/Python etc.

 

 
 
 

 


 

 
EDIT:
 
 
 
4. Using Ansible URI Module with F5OS for Basic Auth, Token generation and Config Backup
 
 
 
Here is an example that does the same tasks using the Ansible URI module. The URI module allows us to make our own API requests when there is no built-in module, and it even supports basic and form-based authentication. After that, the token can be saved and used as a variable in the next requests that generate the backup. The backup can then be transferred with SCP triggered by a cron job, or another URI module task can be written that uses the file transfer utility.
 
 
Ansible playbook using a Jinja2 template as the JSON body:
 

root@niki1:/home/niki/ansible# cat f5os_backup.yml

---
- name: F5OS_BACKUP
  hosts: lb
  connection: local
  gather_facts: false

  vars:
    Chassis_IP: X.X.X.X
    backup_name: api3_backup

  tasks:

  # Basic auth is used only for this first request, which returns the token
  # in the X-Auth-Token response header.
  - name: Create a Basic request
    ansible.builtin.uri:
      url: https://{{ Chassis_IP }}:8888/restconf/data/openconfig-system:system/aaa
      user: xxx
      password: xxx
      method: GET
      force_basic_auth: yes
      status_code: 200
      body_format: json
      # TLS certificate verification is switched off in this example
      validate_certs: false
      headers:
        Content-Type: application/yang-data+json
        X-Auth-Token: rctoken
      return_content: yes
    register: result

  # The uri module exposes response headers in lower case with "-" replaced by "_"
  - name: Save the token to a fact variable
    set_fact:
      metatoken: "{{ result.x_auth_token }}"

  # The token replaces the username and password in all later requests
  - name: Create Backup
    ansible.builtin.uri:
      url: https://{{ Chassis_IP }}:8888/restconf/data/openconfig-system:system/f5-database:database/f5-database:config-backup
      method: POST
      status_code: 200
      body_format: json
      validate_certs: false
      # JSON body rendered from the f5os.json template shown below
      body: "{{ lookup('ansible.builtin.template','f5os.json') }}"
      headers:
        Content-Type: application/yang-data+json
        X-Auth-Token: "{{ metatoken }}"

 

 
f5os.json Template:
 

{
"f5-database:name": "{{ backup_name }}",
"f5-database:overwrite": "true"
}
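
A variant of the playbook above that also triggers the HTTPS export from step 3b, as an added example that is not part of the original article and is not F5's code. It reuses the article's endpoints and bodies, and assumes POST for the export call, a chassis certificate that the Ansible control node trusts, and hypothetical Ansible Vault variables named f5os_user, f5os_password, backup_server_user and backup_server_password.

```yaml
# Added example (not F5's code); f5os_* and backup_server_* are hypothetical Ansible Vault variables
- name: F5OS backup and HTTPS export
  hosts: lb
  connection: local
  gather_facts: false
  vars:
    Chassis_IP: X.X.X.X                           # placeholder, as in the article
    backup_name: api3_backup
    backup_url: https://backup.example.com/file   # constructed placeholder
    api: "https://{{ Chassis_IP }}:8888/restconf/data"
    auth_headers:                                 # templated lazily, after the login task
      Content-Type: application/yang-data+json
      X-Auth-Token: "{{ login.x_auth_token }}"
  module_defaults:
    ansible.builtin.uri:
      validate_certs: true   # assumes the chassis certificate chains to a trusted CA
      body_format: json
  tasks:
    - name: Get a token (the only request that carries the F5OS password)
      ansible.builtin.uri:
        url: "{{ api }}/openconfig-system:system/aaa"
        user: "{{ f5os_user }}"
        password: "{{ f5os_password }}"
        force_basic_auth: true
        headers:
          X-Auth-Token: rctoken
      register: login
      no_log: true           # keep credentials and token out of logs and -v output
    - name: Create the database configuration backup
      ansible.builtin.uri:
        url: "{{ api }}/openconfig-system:system/f5-database:database/f5-database:config-backup"
        method: POST
        headers: "{{ auth_headers }}"
        body:
          "f5-database:name": "{{ backup_name }}"
          "f5-database:overwrite": "true"         # may need removing on rSeries 1.3.1
      no_log: true
    - name: Make the F5 push the backup to the backup server over HTTPS
      ansible.builtin.uri:
        url: "{{ api }}/f5-utils-file-transfer:file/export"
        method: POST                              # assumption: method not stated in the article
        status_code: [200, 204]                   # RFC 8040 success codes for an operation
        headers: "{{ auth_headers }}"
        body:
          "f5-utils-file-transfer:username": "{{ backup_server_user }}"
          "f5-utils-file-transfer:password": "{{ backup_server_password }}"
          "f5-utils-file-transfer:local-file": "configs/{{ backup_name }}"
          "f5-utils-file-transfer:remote-url": "{{ backup_url }}"
      no_log: true
```

With no_log set, a failed task prints only a censored result, so temporarily remove it on a single task when debugging against a lab chassis.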

 

 

 

Edit:

 

 

Now there is an F5 Ansible collection for this 🙂

 

https://clouddocs.f5.com/products/orchestration/ansible/devel/f5os/modules_3_0/f5os_config_backup_module.html

Updated Aug 04, 2023
Version 14.0