F5 Python SDK Overview

Introduction

The purpose of this article is to give a brief overview of the F5 Python SDK. The F5 Python SDK provides a programmatic interface to BIG-IP and its modules. We will cover the basic concepts and definitions of F5 Networks BIG-IP iControl REST interface and how they relate to the SDK in its current state (LTM / core, etc.). We will also demonstrate some calls and then show the current state of AFM in the SDK. As the AFM is not yet developed, we will show one way to build a framework that makes taking the restful JSON endpoints and programmatically iterating to pull additional endpoints.

Concepts

The SDK is an Object model based SDK for the F5 Networks BIG-IP iControl REST interface. The structure of the SDK calls maps to iControl REST:

  http://192.168.1.1/mgmt/tm/ltm/pool/~Common~mypool/members/~Common~m1:80

                  |----|--|---|----|--------------|-------|-------------|

                  |root|OC|OC |Coll| Resource     | SC    |SubColl Resrc|

Organizing Collection:  

An organizing collection is a superset of other collections.  These are not configurable; rather, they contain other submodules which either contain configurable objects (Collection) or are configurable objects (Resource). For example, the ltm or net module listing would be an organizing collection, whereas ltm/pool or net/vlan would be collections. To retrieve either type, you use the get_collection method as shown below, with abbreviated output.

Example:

Collection 

A collection is similar to an organizing collection in that it is not a configurable object. Unlike an organizing collection, however, a collection only contains references to objects (or resources) of the same type. In the SDK, collection objects are usually plural, while Resource objects are singular. When the Resource object’s corresponding URI is already plural, we append the name of the collection with _s.

Example:

URI Collection Resource
/mgmt/tm/net/tunnels/ tm.net.tunnels  tm.net.tunnels.tunnel
/mgmt/tm/ltm/pool/   tm.ltm.pools tm.ltm.pools.pool
/mgmt/tm/ltm/pool/members/ tm.ltm.pool.members_s tm.ltm.pool.members_s.members

Example: Use f5.bigip.resource.Collection.get_collection() to get a list of the objects in the f5.bigip.tm.ltm.pool collection.

Resource:

A resource is a fully configurable object for which the CURDLE methods are supported. 

 Methods 

Method 

HTTP Command 

Action(s) 

create()

POST

creates a new resource on the device with its own URI

update()

PUT

submits a new configuration to the device resource; sets the

Resource attributes to the state reported by the device

|modify|

PATCH

submits a new configuration to the device resource; sets only

the attributes specified in modify method. This is different

from update because update will change all the attributes, not

only the ones that you specify.

refresh()

GET

obtains the state of a device resource; sets the representing

Python Resource Object; tracks device state via its attributes

delete()

DELETE

removes the resource from the device, sets self.__dict__

to {'deleted': True}

load()

GET

obtains the state of an existing resource on the device; sets

the Resource attributes to match that state

exists()

GET

checks for the existence of an object on the BIG-IP
 
Example: Load a f5.bigip.tm.ltm.node.Node Resource object. The output of the f5.bigip.tm.ltm.node.Node.raw (above) shows all of the available attributes.

Subcollection:

A subcollection is a Collection that’s attached to a higher-level Resource object. Subcollections are almost exactly the same as collections; the exception is that they can only be accessed via the resource they’re attached to (the ‘parent’ resource).

Example:

A pool resource has a members_s subcollection attached to it; you must create or load the ‘parent’ resource (pool) before you can access the subcollection (members_s).

  >>> from f5.bigip import ManagementRoot

  >>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')

  >>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')

  >>> members = pool.members_s.get_collection()

Subcollection Resource:

 A subcollection resource is essentially the same as a resource. As with collections and subcollections, the only difference between the two is that you must access the subcollection resource via the subcollection attached to the main resource. 

Example

To build on the subcollection example: pool is the resource, members_s is the subcollection, and members (the actual pool member) is the subcollection resource.

  >>> from f5.bigip import ManagementRoot

  >>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')

  >>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')

  >>> member = pool.members_s.members.load(partition='Common', name='n1:80')

REST URIs:

You can directly infer REST URIs from the python expressions, and vice versa.

Examples

  • Expression:     mgmt = ManagementRoot('<ip_address>', '<username>', '<password>')
  • URI Returned:   [https://%3cip_address%3e/mgmt/]https://<ip_address>/mgmt/
  • Expression:     cm = mgmt.cm('<ip_address>', '<username>', '<password>')
  • URI Returned:   [https://%3cip_address%3e/mgmt/cm]https://<ip_address>/mgmt/cm
  • Expression:     tm = mgmt.tm('<ip_address>', '<username>', '<password>')
  • URI Returned:   [https://%3cip_address%3e/mgmt/tm]https://<ip_address>/mgmt/tm
  • Expression:     ltm = mgmt.tm.ltm('<ip_address>', '<username>', '<password>')
  • URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/]https://<ip_address>/mgmt/tm/ltm/
  • Expression:     pools1 = mgmt.tm.ltm.pools
  • URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/pool]https://<ip_address>/mgmt/tm/ltm/pool
  • Expression:     pool_a = pools1.create(partition="Common", name="foo")
  • URI Returned:   [https://%3cip_address%3e/mgmt/tm/ltm/pool/~Common~foo]https://<ip_address>/mgmt/tm/ltm/pool/~Common~foo


Test the SDK:

Create a Virtual Environment

Here are the steps to set up a Python virtual environment:

  1. Install Python. You can download the installer from the official website.
  2. Install pip. Python3 usually comes with pip preinstalled. However, if you get an error, you can install it using the following command: 
    python get-pip.py
    .
  3. Install virtualenv. You can install it using the following command: 
    pip install virtualenv
    .
  4. Create a virtual environment. You can create a virtual environment by specifying the target directory (absolute or relative to the current directory) which is to contain the virtual environment. The create method will either create the environment in the specified directory, or raise an appropriate exception. You can create a virtual environment using the following command: 
    python3 -m venv f5venv
    .
  5. Activate the virtual environment by running 
    source f5venv/bin/activate
  6. Install f5-sdk into the virtual environmet by running
    pip install f5-sdk
     
  7. Run the sample script provided below. 

AFM Code Sample

from f5.bigip import ManagementRoot
import requests
import logging
import json
import sys

class objectview(object):
    def __init__(self, d):
        self.__dict__ = d

def bigip():
    return {
        "bigip": "10.155.255.16",
        "rest_url": "https://admin:admin@",
        "rest_user": "admin",
        "rest_pwd": "admin",
        "partition": "Common"
    }

def afm_rest_api():
    policy_name = "restApiDemo"
    rule_name = "restApiDemoRule"
    return {
        "create_policy": "/mgmt/tm/security/firewall/policy",
        "add_rule": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
        "get_rules": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
        "change_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
        "delete_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
        "global_context": "/mgmt/tm/security/firewall/globalRules/",
        "global_rules": "/mgmt/tm/security/firewall/globalRules",
        "delete_policy": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name
    }

def create_firewall_pollcy():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    payload = '''{"name": "restApiDemo"}'''
    logger.info(bip.rest_url + bip.bigip + api.create_policy) 
    resp = requests.post(bip.rest_url + bip.bigip + api.create_policy, headers={'accept': 'application/json','content-type': 'application/json'}, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def add_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"name":"restApiDemoRule", "action":"reject", "place-before":"first"}'''
    logger.info(bip.rest_url + bip.bigip + api.add_rule) 
    resp = requests.post(bip.rest_url + bip.bigip + api.add_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def display_rules():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.add_rule) 
    resp = requests.get(bip.rest_url + bip.bigip + api.get_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def change_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"action":"accept"}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def delete_rule():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.delete_rule) 
    resp = requests.delete(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def global_context():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"enforcedPolicy":"restApiDemo"}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.global_context, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    logger.info(resp.text)

def global_rules():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.get(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

def delete_policy():
    bip = objectview(bigip())
    api = objectview(afm_rest_api())
    mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)    
    headers = {'accept': 'application/json','content-type': 'application/json'}
    payload = '''{"enforcedPolicy":""}'''
    logger.info(bip.rest_url + bip.bigip + api.change_rule) 
    resp = requests.patch(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), data=payload, verify=False)
    resp = requests.delete(bip.rest_url + bip.bigip + api.delete_policy, headers=headers, auth=(
         bip.rest_user, bip.rest_pwd), verify=False)
    logger.info(resp.text)

if __name__ == "__main__":
    logger = logging.getLogger(__name__)
    logger.setLevel(logging.INFO)
    formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
    handler = logging.StreamHandler(sys.stdout)
    handler.setFormatter(formatter)
    logger.addHandler(handler)
    command= " ".join( sys.argv[1:] )
    if command == "":
        logger.info("""Examples:"
        python afm_rest_api.py "create_firewall_pollcy()"
        python afm_rest_api.py "add_rule()"
        python afm_rest_api.py "display_rules()"
        python afm_rest_api.py "change_rule()"
        python afm_rest_api.py "delete_rule()"        
        python afm_rest_api.py "global_context()"
        python afm_rest_api.py "global_rules()"
        python afm_rest_api.py "delete_policy()""")        
    else:
        logger.info(command)
        eval(command)
Updated Jun 06, 2023
Version 3.0
devops
f5 sirt
security
  • xuwen's avatar
    xuwen
    Icon for Cumulonimbus rankCumulonimbus
    Mar 28, 2023

    I also like use python f5-sdk, from September 2020 to now(Although the sdk does not support updates now),Use it to GET AS3 or Common or other partitions LTM and GTM configuration, or use it POST create LTM virtual server or GTM wideips.