F5 Velos/rSeries/F5OS code for automating config backup with the new RESTCONF API and Ansible
On the new F5OS devices a new RESTCONF based API interface is used that allows everything to be done via that API. Now you can even send API command to make F5 to export the configuration file in outbound connection with HTTPS/SCP and this is an extra security for me.
F5 has even released Ansible collections for Velos but some things are still not possible with the collection but with Ansible the URI module can used to do the things I am doing with Postman as even the HTTP headers can be added in the URI module. Some may use python but personally I like Ansible more (look at the end of this article for the Ansible Example) 🙂
https://clouddocs.f5.com/products/orchestration/ansible/devel/velos/velos.html
https://clouddocs.f5.com/products/orchestration/ansible/devel/f5os/f5os.html
https://docs.ansible.com/ansible/latest/collections/ansible/builtin/uri_module.html
This code allows the automation of the configuration backups for the F5 Velos/rSeries using the new API.
To get started with the F5OS API I recommend going through the Devcentral article https://community.f5.com/t5/technical-articles/exploring-f5os-automation-features-on-velos/ta-p/295318
The Velos Postman collections are at https://clouddocs.f5.com/api/velos-api/velos-api-workflows.html
The Velos API documentation can be found at F5OS/F5OS-C OpenAPI Documentation .
The F5OS API supports Basic and Bearer token authentication but it is much better to use the BASIC auth just to retrive the Token as shown in the examples below.
- Generate Bearer Token in Postman. This is from the F5 Postman collection.
Endpoint:
https://{{Chassis1_System_Controller_IP}}:8888/restconf/data/openconfig-system:system/aaa
'No body'
2. Create a config backup (now it is not called UCS but database configuration backup in F5OS).
Endpoint:
8888/restconf/data/openconfig-system:system/f5-database:database/f5-database:config-backup
Body:
{
"f5-database:name": "api-backup",
"f5-database:overwrite": "true"
}
Note! For rSeries "f5-database:overwrite": "true" may need to be removed as 1.3.1 does not support to select to overwrite an existing backup or not.
3a. Download the config backup with ‘root’ with SCP from ‘/var/confd/configs/’, for example Back up and restore the F5OS-C configuration on a VELOS system
3b. Make F5 to send the backup with HTTPS to the backup server with the new file transfer utility that can be triggered with API commands for the F5 to start the file transfer.
Endpoint:
:8888/restconf/data/f5-utils-file-transfer:file/export
Body:
{
"f5-utils-file-transfer:username": "test",
"f5-utils-file-transfer:password": "test",
"f5-utils-file-transfer:local-file": "configs/api-backup",
"f5-utils-file-transfer:remote-url": "https://1.1.1.1/file"
}
In some versions the variable "insecure" : "true" can't be set, so maybe the web server will need a valid and not self-signed SSL cert.
3c. Export the backup with SCP/AFTP initiated from the F5 device with an API command.
This is something that will be possible in the future as it seems as of now it is still not possible as I tried to follow the API documentation but sometimes, I get errors about missing element ‘’known-hosts’’ but this file should be created with the below API call as maybe the workaround is to go to the Linux with a root account and create this file but I still have not found where to create it. Another error is unknown element ‘remote-host’ but this should exist, so it is a bug or the documentation has some mistakes but as this is a new feature it will work eventually. As a note you need to add the fingerprints for the Velos or rSeries to start the SCP connection as an extra security step and this is really nice 😀
Endpoint:
/restconf/data/f5-utils-file-transfer:file/known-hosts
Body:
{
"f5-utils-file-transfer:known-host": [
{
"remote-host": "string",
"config": {
"remote-host": "string",
"key-type": "rsa",
"fingerprint": "string"
},
"state": {
"remote-host": "string",
"key-type": "rsa",
"fingerprint": "string"
}
}
]
}
Now with F5OS when accessing the GUI, you can use Fiddler or F12 (the devtools) just to see the RESTCONF commands that are used and the use them in Postman/Ansible/Python etc.
EDIT:
4. Using Ansible URI Module with F5OS for Basic Auth, Token generation and Config Backup
Here is an example to do the same tasks but with using the Ansible URI module. The Ansible URI module allows us to make our own API requests when there is no build-in module and it even supports basic and form based authentication and after that the token can be saved and used a varible in the next requests that generate the backup and then the backup can be transfered with SCP triggered with cron job or another URI module task can be written that uses the file transfer utility.
Ansible Playbook using jinja2 template as json body:
root@niki1:/home/niki/ansible# cat f5os_backup.yml
---
- name: F5OS_BACKUP
hosts: lb
connection: local
gather_facts: false
vars:
Chassis_IP : X.X.X.X
backup_name : api3_backup
tasks:
- name: Create a Basic request
ansible.builtin.uri:
url: https://{{ Chassis_IP }}:8888/restconf/data/openconfig-system:system/aaa
user: xxx
password: xxx
method: GET
force_basic_auth: yes
status_code: 200
body_format: json
validate_certs: false
headers:
Content-Type: application/yang-data+json
X-Auth-Token: rctoken
return_content: yes
register: result
- name: Save the token to a fact variable
set_fact:
metatoken: "{{ result.x_auth_token }}"
- name: Create Backup
ansible.builtin.uri:
url: https://{{ Chassis_IP }}:8888/restconf/data/openconfig-system:system/f5-database:database/f5-database:config-backup
method: POST
status_code: 200
body_format: json
validate_certs: false
body: "{{ lookup('ansible.builtin.template','f5os.json') }}"
headers:
Content-Type: application/yang-data+json
X-Auth-Token: "{{ metatoken }}"
f5os.json Template:
{
"f5-database:name": "{{ backup_name }}",
"f5-database:overwrite": "true"
}
Edit:
Now there is an F5 Ansible collection for this 🙂
Updated Aug 04, 2023
Version 14.0
No CommentsBe the first to comment