Config Backup for F5 Review
Eric Flores, author of Config Backup for F5, will be joining John Wagnon and I for a podcast this evening to discuss his project. This open source project is great for the shops that don't have budget for the robust feature sets of Enterprise Manager and BIG-IQ. The bits are offered as a downloadable tgz, or more attractively for those that want something to just work right out of the box, a VMware appliance! For this review, I opted for the latter.
One of the more frustrating this about most small pet projects on github, sourceforge, and the like is the crazy lack of good documentation. That is not the case with Eric's project. The backup appliance documentation left no step undocumented, and the user guide is well documented as well, removing almost all the guess work.
Deploying the appliance was very easy and the install process clean and tidy, but a few things I'd clarify in the documentation or enhance:
- Make sure the nic on the appliance belongs to a network that has access to your BIG-IPs before powering it up, though, the default nic the appliance grabbed in my workstation was a bridged network my BIG-IPs don't belong to.
- The NTP configuration specified an IP, but it would be nice to support names. It may already as I didn't try to add a name, but it would be good to support both and state that in the configuration utility.
- The NTP configuration utility had my local time and UTC swapped in the display, but in the appliance web GUI it appears fine. I went through the NTP configuration a second time with similar results, so I'm guessing just a variable swap here?
Once the appliance was configured and rebooted, I logged in to the web GUI. This is very straight forward and cleanly laid out very similarly to the F5 GUI.
The user guide goes through the user functions (devices, backup jobs, certificates) first, but I'd recommend configuring the settings first. In the Backup Settings, you set the backup time and the user name and password. This is important, as no device you add will be touched until this information is present.
After updating the backup settings, I added my device.
I added/deleted a couple times before changing my backup time and I was wondering what wasn't working. It turns out the initial discovery of the device isn't done until the backup time occurs. I'd recommend in future enhancements to go ahead and do the device discovery shown in this screen and the Certificates screen when the device is added rather than waiting for the backup window.
Other than those few minor nits, this is a fantastic effort on Eric's part, and a great testament to the power of community. Thanks Eric for sharing and we look forward to seeing what enhancements and features you have in store for this project!
- Buddy_Edwards_1Nimbostratus
Is there a way of firing off a backup to test your configuration before the backup window starts?
- lkchenNimbostratusUpdate to my previous comment...ended up settling for using this wonder solution. Except I made changes to it to solve the different instances having different administrator passwords. My fork is here: https://github.com/TheDreamer/f5configbackup I have wishlist of other things I still want to add, but haven't had time to dig into the code. At least I have backups and get a nice certificate report, which is much better than configuring the F5 to send a flood of emails that can't be stopped when the expired cert has to stay.... (I think I got tired of it and included in a mass conversion to sha2 I did a few months back.) The first is to get email reports of backup status. Especially when backups have failed. A former admin kept changing the passwords to a compromised one and making all the units have the same password. Except he was the reason we made them different. Though repeating the mistake of directly editing bigip.conf (while auto-sync is being used) was.... given all the people with some level of being able to change things (resource admins, firewall managers, operators), even if he did a 'tmsh save /sys config' - make edits - 'tmsh load /sys config' is dangerous. In the past where I've done direct edits, a window is declared where nobody is allowed to login while I make the rush to make the change without too many errors.... Wish there was a way to move objects between administrative partitions. Of the issue of nodes getting created in the partition so not visible to common....though the firewall managers seem to have adapted.... Now I used the VM image as the starting point for our f5configbackup, any issues if I were to try doing OS updates or install vmware-tools on it? Already spent way too much time with selinux after attempting to reset passwords the wong way.
- lkchenNimbostratusBeing tasked with finding a way to backup our new F5s....where my old bash script using bigpipe through cron as root is no longer an option. Because there's no root/bash or bigpipe available on the new appliances. Obvious problem I've run into....backup settings (namely username/password) are not per device but global. But, after an incident...all our (non-appliance) F5 pairs have different admin passwords. And, while I have groups defined that translate to the Administrator role, there are no users in those groups. Not sure if I can get a service account with that role. Normal accounts are subject to frequent password changes, etc, since the F5s are in-scope.... Also not sure if I can (or need to) configure this for other users, haven't looked to see how fixed on AD it is....to work with our ldap. But, the huge set of disallowed special characters for web UI, knocks out characters that are on our list of special characters where a couple are required in our passwords. And, are valid on our F5s.... Guess I'll have keep looking....
- Eric_Flores_131Cirrostratus@Johny Walker - It uses iControl so it connects to the management interface IP on port 443
- EmadCirrostratusWhat if i want to deploy it in different VLAN/Network other then F5 device. On which ports it will connect with F5 device like SSH/22 or any other ?
- Sean_02_142169NimbostratusI just downloaded the VMWare image for this and installed it for testing on VMWare Player. I have two Viprion chassis with multiple vCMP Guests so backups were starting to pose a bit of an issue. The Config Backup for F5 tool looks very promising, easy to use, easy to setup, easy to recover archives from. Just a fantastic piece of software! Thank you for all your efforts in creating this utility.