CodeShare
Have some code. Share some code.
cancel
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner
Thomas_Schocka1
Altocumulus
Altocumulus

Problem this snippet solves:

Hi all,

Often I've been scouring the devcentral fora and codeshares to find that one piece of handywork that will drastically simplify my automated backup needs on F5 devices. Based on the works of Jason Rahm in his post "Third Time's the Charm: BIG-IP Backups Simplified with iCall" on the 26th of June 2013, I went ahead and created my own iApp that pretty much provides the answers for all my backup-needs.

Here's a feature list of this iApp:

  • It allows you to choose between both UCS or SCF as backup-types. (whilst providing ample warnings about SCF not being a very good restore-option due to the incompleteness in some cases)
  • It allows you to provide a passphrase for the UCS archives (the standard GUI also does this, so the iApp should too)
  • It allows you to not include the private keys (same thing: standard GUI does it, so the iApp does it too)
  • It allows you to set a Backup Schedule for every X minutes/hours/days/weeks/months or a custom selection of days in the week
  • It allows you to set the exact time, minute of the hour, day of the week or day of the month when the backup should be performed (depending on the usefulness with regards to the schedule type)
  • It allows you to transfer the backup files to external devices using 4 different protocols, next to providing local storage on the device itself

    *   SCP (username/private key without password)
    
    • SFTP (username/private key without password)
    • FTP (username/password)
    • SMB (using smbclient, with username/password)
    • Local Storage (/var/local/ucs or /var/local/scf)
  • It stores all passwords and private keys in a secure fashion: encrypted by the master key of the unit (f5mku), rendering it safe to store the backups, including the credentials off-box

  • It has a configurable automatic pruning function for the Local Storage option, so the disk doesn't fill up (i.e. keep last X backup files)

  • It allows you to configure the filename using the date/time wildcards from the tcl clock command, as well as providing a variable to include the hostname
  • It requires only the WebGUI to establish the configuration you desire
  • It allows you to disable the processes for automated backup, without you having to remove the Application Service or losing any previously entered settings
  • For the external shellscripts it automatically generates, the credentials are stored in encrypted form (using the master key)
  • It allows you to no longer be required to make modifications on the linux command line to get your automated backups running after an RMA or restore operation
  • It cleans up after itself, which means there are no extraneous shellscripts or status files lingering around after the scripts execute

Enjoy!

Thomas Schockaert

Contributed by: Thomas Schockaert

How to use this snippet:

minimum version 11.4

Code :

67735

Tested this on version:

11.4
Comments
Samir_Jha_52506
Noctilucent
Noctilucent
can you please share the script
NetworkNerd_135
Nimbostratus
Nimbostratus
F5 Automated Backups - The Right Way https://devcentral.f5.com/s/articles/f5-automated-backups-the-right-way On that page, there's a pastebin link to: http://pastebin.com/YbDj3eMN
quanquan_99641
Nimbostratus
Nimbostratus
Please share your script,Thanks.
LDS_107638
Nimbostratus
Nimbostratus
willl this work on 11.6
Squeak
Cirrus
Cirrus
If I want to specify which Route domain do I just add the "%x" after the destination address I want to use? Is is possible at all to use "%"?
Xian_Zhong_2015
Nimbostratus
Nimbostratus
Hi Thomas I have encounter this issue totally similar to another user posted back in 2014. The problem is as such: "Has anyone got this to work 100% properly? I am not able to restore from FTP. I have no problem with making a job FTP the UCS file (without passphrase) to a FTP server. But when I download it back to the F5, and try to restore it from the file, it fails with: Saving active configuration... Current configuration backed up to /var/local/ucs/cs_backup.ucs. tar: Skipping to next header tar: Archive contains obsolescent base-64 headers gzip: stdin: invalid compressed data--format violated tar: Child returned status 1 tar: SPEC-Files: Not found in archive tar: Error exit delayed from previous errors Fatal: executing: tar -zxf /var/local/ucs/20140919_backup_test.com.ucs SPEC-Manifest SPEC-Files Operation aborted. /var/tmp/configsync.spec: Error installing package Config install aborted. Unexpected Error: UCS loading process failed. I am not sure what this mean, but I have notices that the version is “unknown” when opening the backup file on the F5. Furthermore, if I set the job to save on F5 instead of FTP, I can restore it without problem, and the version is now shown right version. Please advice. P.S. This is testet in both version 2.0, 2.0.1-tdd and 2.0.2-tdd " Please advice what could be a solution to this.
Sylvain_Q
Nimbostratus
Nimbostratus
After the SFTP scheduled backup runs, it doesn't seems to delete the file in /var/local/ucs folder. Is there a way to be sure that the deletion is in place?
Delalegro_22603
Nimbostratus
Nimbostratus
Has anyone tested this iApp on v12.0?
Richard_Reszler
Nimbostratus
Nimbostratus

Broken in 12. 🙂 Waiting for the updated build, thank you!

 

Richard_Reszler
Nimbostratus
Nimbostratus

Error is "Error parsing template:can't eval proc: "script::run" field not present: "hostname" while executing "tmsh::get_field_value [lindex [tmsh::get_config sys global-settings] 0] hostname" (procedure "script::run" line 2) invoked from within "script::run" line:1"

 

Cirrus
Cirrus
Cirrus

Is there any update for 12.1.0? Because when I deploy it on this firmware the config files are empty...

 

Julio_Flores_15
Nimbostratus
Nimbostratus

hi can you help me please, i use this procedure in one big ip standalone and Works fine!!! But recently i do an DCS configuration with 4 big ip, and this procedure doesn't work, have you another information to do in this Type of cluster or configuration.

 

Thanks

 

Julio F

 

svs
Altocumulus
Altocumulus

@Xian Zhong: I've probably found the reason for this issue. My customer encountered the same issue, when he was using the FTP transfer method from the iApp. It seems, that the iApp is using ASCII instead Binary transport to the FTP server (ASCII is the default mode of the builtin ftp client in Linux). Therefore the compressed file is corrupted. The issue was solved by using SCP/SFTP for transfer.

 

If necessary you can repair the broken files on your FTP server by using "fixgz" (http://www.gzip.org/faq1)..) It worked for me to rescue the corrupted files.

 

@Thomas: If you would add the command "binary" to the scriptfile before the transport starts (put command), it should work as expected.

 

Regards, Sven

 

svs
Altocumulus
Altocumulus

Hi Thomas,

 

this is really a great scripts. Thank your very much!

 

It seems that there are some open issues, but it works like charm most of the time (when using SCP/SFTP). Regarding SCP/SFTP...where is the difference in your script, except for the filenames created during runtime? SCP is used for the transport in both cases. Wouldn't it make sense to really use the sftp command?

 

Regards, Sven

 

EmsNetSec_25831
Nimbostratus
Nimbostratus

Thanks Thomas.

 

You made the life easier with F5 Backup

 

Tony_N_295548
Nimbostratus
Nimbostratus

I'm getting the following error when I run this on BIG-IP 11.5.4 Build 1.0.286 Hotfix HF1. Does anyone have a fix for this?

 

Nov 10 10:10:08 slot1/f5ltm01 err scriptd[3555]: 014f0013:3: Script (/Common/) generated this Tcl error: (script did not successfully complete: (bad decrypt 47145560865920:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:601: while executing "exec $scriptfile" line:17)) Nov 10 10:10:08 slot1/f5ltm01 err mcpd[7254]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

 

Thank you, Tony

 

Roflcopter
Nimbostratus
Nimbostratus

I am getting the exact same error as you Tony, but only on the standby unit.

 

Nov 18 09:58:01 PROD2-F5-4000S err scriptd[8190]: 014f0004:3: script has exceeded its time to live, terminating the script Nov 18 09:58:01 PROD2-F5-4000S err mcpd[7006]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

 

Jon_Swick_29911
Altostratus
Altostratus

Script (/Common/) generated this Tcl error: (script did not successfully complete: (ftp: connect: Connection timed out while executing "exec $scriptfile" line:17))

 

Data publisher not found or not implemented when processing request (unknown request), tag (2901).

 

I am getting those two errors when trying to ftp

 

** Server Mis Config. Im all good

 

Nath
Cirrostratus
Cirrostratus

Hi,

 

I got an error in version 12.0

 

Script (/Common/) generated this Tcl error: (script did not successfully complete: (Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,password). lost connection while executing "exec $scriptfile" line:18)) Dec 13 18:09:11 F5-Lab err mcpd[5154]: 0107167d:3: Data publisher not found or not implemented when processing request (unknown request), tag (2901).

 

Could you please help me?

 

Regards,

 

Nat

 

Nath
Cirrostratus
Cirrostratus

Help please 🙂

 

mplaksin_293271
Nimbostratus
Nimbostratus

We have to test it. Thanks you.

 

PinkieCom
Nimbostratus
Nimbostratus

I ran into the same issue as Nathaneil0227.

In my case it was because we were using DSA keys instead of RSA keys. So the cleaning of the keyfile portion didn't work correctly.

So i changed the line:

set cleaned_privatekey [exec echo "$::destination_parameters__scp_sshprivatekey" | sed -e "s/BEGIN RSA PRIVATE KEY/BEGIN;RSA;PRIVATE;KEY/g" -e "s/END RSA PRIVATE KEY/END;RSA;PRIVATE;KEY/g" -e "s/ /\\\n/g" -e "s/;/ /g"]

to:

set cleaned_privatekey [exec echo "$::destination_parameters__scp_sshprivatekey" | sed -e "s/BEGIN RSA PRIVATE KEY/BEGIN;RSA;PRIVATE;KEY/g" -e "s/END RSA PRIVATE KEY/END;RSA;PRIVATE;KEY/g" -e "s/BEGIN DSA PRIVATE KEY/BEGIN;DSA;PRIVATE;KEY/g" -e "s/END DSA PRIVATE KEY/END;DSA;PRIVATE;KEY/g" -e "s/ /\\\n/g" -e "s/;/ /g"]

I also made another tweak to allow you to set the remote folder to be the hostname of the device by entering $hostname for the path.

dsjustin_273687
Nimbostratus
Nimbostratus

This is an awesome Iapp and I approve wholeheartedly. I would like to create a portion for aws client to be able to use that for uploading backups in AWS environment. I am looking at modifying the SMB client portion, and then adding it to the template for AWS. Has anyone else done something like this?

 

Just as a side note, We fought with the SMB using a domain account to authenticate as. We had to use domain\\username (two slashes between) so that the \ passed through to smbclient. Just an FYI.

 

arzhukov_298248
Nimbostratus
Nimbostratus

I have another problem, It seem like work perfectly. But when script try to connect with credentials that I typed in, server doesnt give acces But I`m absolutely sure that I typed valid credentials. Please help me to resolve that issue..

 

Saving active configuration... /var/local/ucs/ltm51.cetelem-bank.ru_20170421.ucs is saved. Script (/Common/) generated this Tcl error: script did not successfully complete: (Permission denied, please try again. Permission denied, please try again. Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password). lost connection while executing "exec $scriptfile" line:18)

 

RobertS1
Nimbostratus
Nimbostratus

Question about using SCP server. Which private key is used? How do I find it? Change it?

 

In ltm log I get: (/Common/) generated this Tcl error: (script did not successfully complete: (Host key verification failed. lost connection while executing "exec $scriptfile" line:18))

 

Ramprasath_Sada
Nimbostratus
Nimbostratus

Hello Guys,

 

While executing the f5_automated_backup using FTP. I am getting the following error. Can any one help on this.

 

err mcpd[6853] 0107167d Data publisher not found or not implemented when processing request (unknown request), tag (2901).

 

err scriptd[1797] 014f0013 Script (/Common/) generated this Tcl error: (script did not successfully complete: ("ucs" unexpected argument while executing "tmsh::save /sys ucs $fname passphrase XXXXXX " line:8))

 

regards Ram

 

Nick_Linney_321
Nimbostratus
Nimbostratus

Is it possible to alter the SFTP option on this iApp to use password based authentication rather than private key?

 

@Ramparasath Sadasivam I have the same problem and I'm not sure how to correct this yet.

 

@Thomas Schockaert any possibility that this iApp could be hosted on GitHub (https://github.com/f5networks), like some other iApps are, for code contributions or issue tracking?

 

dlee_302341
Nimbostratus
Nimbostratus

How do you change this script to just backup the config locally?

 

dlee@biztecharchitects.com it has a built in way to save the config locally.

 

Under Destination Parameters, for the question "Where do the backup files need to be saved?", select "on this F5" drop the drop down list.

 

Andreas_Schierm
Nimbostratus
Nimbostratus

To work around "script has exceeded its time to live, terminating the script" errors in /var/log/ltm adjust the allowed script run time by scriptd:

TMSH:

modify /sys scriptd max-script-run-time 600
save /sys config
run /cm config-sync to-group …

This is the error that I am getting when trying to use this iapp: ";

 

010715bc:3: The application service (/Common/f5_pratcice_backup.app/f5_pratcice_backup) has strict updates enabled, the object (icall periodic handler /Common/) must be updated using an application management interface.

 

It's nice to back up your F5 and I can't seem to get backups workign again. I am running 12.1.2 Build 1.0.271 Hotfix HF1.

 

Seven11
Nimbostratus
Nimbostratus

I want to use the Backuptool with SCP and Private Key but the login is not working. Which Format, Encryption or else is needed to get is running with a key?

 

Can you Post an example to see what i need to paste in the GUI.

 

TMOS 13.0.0 HF3

 

Thanks!

 

now available on DevCentral CodeShare:

 

https://devcentral.f5.com/s/articles/f5-iapp-automated-backup-1114

 

(see later comment on this forum)

 

AhmedGalal219_3
Nimbostratus
Nimbostratus

Greate App thanks man it works perfectly with me in version 12.1.2

 

kkohegyi_165129
Nimbostratus
Nimbostratus

Hi,

 

It is a great App.

 

But when the remote destination is not reachable the script does not remove the backup file(s) from local directory.

 

So the /var directory may fill up and it may cause unpredictable behaviour. A little modification is necessary if anybody want to use it production environment.

 

Robert_Goetze
Nimbostratus
Nimbostratus

Hi, Is there a repository of all the versions(V2.0 - V2.2.5) ? I am trying to run multiple instances of the iApp on 11.6.x and think version v2.2.1 would do it or atleast maybe point me in the right direction.

 

Thanks in advance.

 

@Robert, The only change that I am aware of that may not work in v11 is related to SMB (now using "mount -t cifs" instead of smbclient). Does v2.2.5 not load or work properly on v11.6.x?

 

You can find v2.0.0 at https://pastebin.com/YbDj3eMN but that does not include the changes to allow multiple instance.

 

This is now available on GitHub! Please look here for the latest version, and submit any bugs or questions as an "Issue" on GitHub:

 

https://github.com/tabernarious/f5-automated-backup-iapp

 

As a BACKUP, look in the DevCentral CodeShare. This MAY NOT HAVE THE LATEST VERSION:

 

https://devcentral.f5.com/s/articles/f5-iapp-automated-backup-1114

 

I needed to troubleshoot an issue and ended up rolling in many of the proposed and posted fixes into a new iApp.

 

 iApp VERSIONS (From what I gathered perusing DevCentral)
 ~v2.0  - 20140312 - Initially posted releases (v11.4.0-11.6.x? compatibility). (Developed/posted by Thomas Schockaert)
 v2.1.1 - 20160916 - Retooled SMB upload from smbclient to "mount -t cifs" (v12.1+ compatibility). (Developed/posted by MAG)
 v2.2.1 - 20171214 - Allowed multiple instances of iApp by leveraging $tmsh::app_name to create unique object names. (Developed by Daniel Tavernier/tabernarious)
 v2.2.2 - 20171214 - Added "/" to "mount -t cifs" command and clarified/expanded help for SMB (CIFS) Destination Parameters. (Developed by Daniel Tavernier/tabernarious)
 v2.2.3 - 20171214 - Set many fields to "required" and set reasonable default values to prevent loading/configuration errors. Expanded help regarding private keys. (Developed by Daniel Tavernier/tabernarious)
 v2.2.4 - 20171214 - Added fix to force FTP to use binary upload. (Copied code posted by Roy van Dongen, posted by Daniel Tavernier/tabernarious)
 v2.2.4a - 20171215 - Added items to FUTURE list.
 v2.2.5 - 20171228 - Added notes about special characters in passwords. Added Deployment Information and ConfigSync sections. (Developed by Daniel Tavernier/tabernarious)
 v2.2.5a - 20180117 - Added items to FUTURE list.
 v2.2.5b4 - 20180118 - Moved encrypted values for SMB/CIFS to shell script which eliminates ConfigSync issues. Fixed long-password issue by using "-A" with openssl so that base64 encoded strings are written and read as a single line. (Developed by Daniel Tavernier/tabernarious)
 v2.2.5b4+ - 20180118 - Refining changes to SMB/CIFS and replicating to other remote copy types. (Developed by Daniel Tavernier/tabernarious)
 v3.0.0 - 20180124 - (Developed by Daniel Tavernier/tabernarious)
                   - Eliminated ConfigSync issues and removed ConfigSync notes section. (Encrypted values now in $script instead of local file.)
                   - Passwords now have no length limits. (Using "-A" with openssl which reads/writes base64 encoded strings as a single line.)
                   - Added $script error checking for all remote backup types. (Using 'catch' to prevent tcl errors when $script aborts.)
                   - Backup files are cleaned up after $script error due to new error checking.
                   - Added logging. (Run logs sent to '/var/log/ltm' via logger command which is compatible with BIG-IP Remote Logging configuration (syslog). Run logs AND errors sent to '/var/tmp/scriptd.out'. Errors may include plain-text passwords which should not be in /var/log/ltm or syslog.)
                   - Added custom cipher option for SCP.
                   - Added StrictHostKeyChecking=no option.
                   - Combined SCP and SFTP because they are both using SCP to perform the remote copy.
 v3.1.0 - 20180201 - (Developed by Daniel Tavernier/tabernarious)
                   - Removed "app-service none" from iCall objects. The iCall objects are now created as part of the Application Service (iApp) and are properly cleaned up if the iApp is redeployed or deleted.
                   - Reasonably tested on 11.5.4 HF2 (SMB worked fine using "mount -t cifs") and altered requires-bigip-version-min to match.
                   - Fixing error regarding "script did not successfully complete: (can't read "::destination_parameters__protocol_enable": no such variable" by encompassing most of the "implementation" in a block that first checks $::backup_schedule__frequency_select for "Disable".
                   - Added default value to "filename format".
                   - Changed UCS default value for $backup_file_name_extension to ".ucs" and added $fname_noext.
                   - Removed old SFTP sections and references (now handled through SCP/SFTP).
                   - Adjusted logging: added "sleep 1" to ensure proper logging; added $backup_directory to log message.
                   - Adjusted some help messages.

@tabernarious

 

Excellent job with the changelog included in the file. I love it! Thank you for compiling this and your work to improve this iApp.

 

Question, would you be willing to move this over to a GitHub repository for storing the code and tracking changes? This would also provide an issue tracker to make it easier for individuals to find a bug or resolution to a problem. I would be willing to help you maintain this.

 

If you'd like to chat about this you can DM on Twitter @tmurray_pro or find me in the F5 User Group Slack team at https://bit.ly/F5Slack

 

Thanks again!

 

Robert_Goetze
Nimbostratus
Nimbostratus

@tabernarious - Sorry for the delay, I was "watching" this thread and must have missed the change notification. Thank you for the update and posting of V3.0.0.

 

Thanks again.

 

@Troy Murray, I created a Git repository for this iApp which contains my latest release (v3.1.0). I would welcome your collaboration. You can also find me on Twitter @tabernarious.

 

https://github.com/tabernarious/f5-automated-backup-iapp

 

@tabernarious This is excellent news! I've starred the repo and forked it on GitHub.

 

Fiseha_340121
Nimbostratus
Nimbostratus

Thanks Thomas for this excellent script. Is there a way you can add on the script to send email when the backup job is completed or failed.

 

@Fiseha, The latest version (v3.x) (look in the comments for a link) includes logging to /var/log/ltm which will send to syslog. The easiest way to configure email alerts would be to have your syslog/reporting server send the email when it sees the relevant log message(s). There are other ways to get the F5 to send email directly but it’s very custom and I would not recommended it.

 

Celine_LOUEDIN_
Nimbostratus
Nimbostratus

Hi Thomas, I installed your iApp on many BIG-IP but this time it causse a problem one my box (BIG-IP v.13.1.1.4) :it's impossible to do an IApps "reconfigure". The web interface stays on "Loading... Receiving configuration data from your device." I've opened a Service Request and F5 ingeneer told the problem was du to your iApps : "Here are the analysis of our engineering service:

 

sys application service /Common/F5-BACKUP.app/F5-BACKUP { device-group /Common/device-group-failover-8bdec2e304ac inherited-devicegroup true inherited-traffic-group true template /Common/ <<<<<<<<<<<<<<<<<<<<<<<< traffic-group /Common/traffic-group-1

 

The scriptd process coredumped and restarted while it was processing the automated backaup. Automated backup has been executed by iApp, which has not been created by F5 Networks and can be found on DevCentral: https://devcentral.f5.com/s/articles/complete-f5-automated-backup-solution. The script runs everyday at 11:30 and backup files are created under /var/local/ucs (e.g., bigip-1.local_20170922.ucs). The size of the UCS files is about 36 GB.

 

The scriptd died by SIGABRT, due to socket/IO error while it was communicating with mcpd."

 

I've uninstalled the backup iApps but still got the issue. May you help me ?

 

Céline

 

zhaoyh
Nimbostratus
Nimbostratus

67735

h7533967
Nimbostratus
Nimbostratus

67735

Version history
Last update:
‎05-Jun-2023 22:32
Updated by: