on
27-Mar-2023
09:00
- edited on
27-Mar-2023
10:25
by
Rebecca_Moloney
The purpose of this article is to give a brief overview of the F5 Python SDK. The F5 Python SDK provides a programmatic interface to BIG-IP and its modules. We will cover the basic concepts and definitions of F5 Networks BIG-IP iControl REST interface and how they relate to the SDK in its current state (LTM / core, etc.). We will also demonstrate some calls and then show the current state of AFM in the SDK. As the AFM is not yet developed, we will show one way to build a framework that makes taking the restful JSON endpoints and programmatically iterating to pull additional endpoints.
The SDK is an Object model based SDK for the F5 Networks BIG-IP iControl REST interface. The structure of the SDK calls maps to iControl REST:
http://192.168.1.1/mgmt/tm/ltm/pool/~Common~mypool/members/~Common~m1:80
|----|--|---|----|--------------|-------|-------------|
|root|OC|OC |Coll| Resource | SC |SubColl Resrc|
An organizing collection is a superset of other collections. These are not configurable; rather, they contain other submodules which either contain configurable objects (Collection) or are configurable objects (Resource). For example, the ltm or net module listing would be an organizing collection, whereas ltm/pool or net/vlan would be collections. To retrieve either type, you use the get_collection method as shown below, with abbreviated output.
Example:
A collection is similar to an organizing collection in that it is not a configurable object. Unlike an organizing collection, however, a collection only contains references to objects (or resources) of the same type. In the SDK, collection objects are usually plural, while Resource objects are singular. When the Resource object’s corresponding URI is already plural, we append the name of the collection with _s.
Example:
URI | Collection | Resource |
/mgmt/tm/net/tunnels/ | tm.net.tunnels | tm.net.tunnels.tunnel |
/mgmt/tm/ltm/pool/ | tm.ltm.pools | tm.ltm.pools.pool |
/mgmt/tm/ltm/pool/members/ | tm.ltm.pool.members_s | tm.ltm.pool.members_s.members |
Example: Use f5.bigip.resource.Collection.get_collection() to get a list of the objects in the f5.bigip.tm.ltm.pool collection.
A resource is a fully configurable object for which the CURDLE methods are supported.
Methods
Method |
HTTP Command |
Action(s) |
POST |
creates a new resource on the device with its own URI |
|
PUT |
submits a new configuration to the device resource; sets the Resource attributes to the state reported by the device |
|
PATCH |
submits a new configuration to the device resource; sets only the attributes specified in modify method. This is different from update because update will change all the attributes, not only the ones that you specify. |
|
GET |
obtains the state of a device resource; sets the representing Python Resource Object; tracks device state via its attributes |
|
DELETE |
removes the resource from the device, sets self.__dict__ to {'deleted': True} |
|
GET |
obtains the state of an existing resource on the device; sets the Resource attributes to match that state |
|
GET |
checks for the existence of an object on the BIG-IP |
A subcollection is a Collection that’s attached to a higher-level Resource object. Subcollections are almost exactly the same as collections; the exception is that they can only be accessed via the resource they’re attached to (the ‘parent’ resource).
Example:
A pool resource has a members_s subcollection attached to it; you must create or load the ‘parent’ resource (pool) before you can access the subcollection (members_s).
>>> from f5.bigip import ManagementRoot
>>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')
>>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')
>>> members = pool.members_s.get_collection()
A subcollection resource is essentially the same as a resource. As with collections and subcollections, the only difference between the two is that you must access the subcollection resource via the subcollection attached to the main resource.
Example
To build on the subcollection example: pool is the resource, members_s is the subcollection, and members (the actual pool member) is the subcollection resource.
>>> from f5.bigip import ManagementRoot
>>> mgmt = ManagementRoot('192.168.1.1', 'myuser', 'mypass')
>>> pool = mgmt.tm.ltm.pools.pool.load(partition='Common', name='p1')
>>> member = pool.members_s.members.load(partition='Common', name='n1:80')
You can directly infer REST URIs from the python expressions, and vice versa.
Examples
Here are the steps to set up a Python virtual environment:
python get-pip.py
.pip install virtualenv
.python3 -m venv f5venv
.source f5venv/bin/activate
pip install f5-sdk
from f5.bigip import ManagementRoot
import requests
import logging
import json
import sys
class objectview(object):
def __init__(self, d):
self.__dict__ = d
def bigip():
return {
"bigip": "10.155.255.16",
"rest_url": "https://admin:admin@",
"rest_user": "admin",
"rest_pwd": "admin",
"partition": "Common"
}
def afm_rest_api():
policy_name = "restApiDemo"
rule_name = "restApiDemoRule"
return {
"create_policy": "/mgmt/tm/security/firewall/policy",
"add_rule": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
"get_rules": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name+"/rules",
"change_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
"delete_rule": "/mgmt/tm/security/firewall/policy/~Common~restApiDemo/rules/"+rule_name,
"global_context": "/mgmt/tm/security/firewall/globalRules/",
"global_rules": "/mgmt/tm/security/firewall/globalRules",
"delete_policy": "/mgmt/tm/security/firewall/policy/~Common~"+policy_name
}
def create_firewall_pollcy():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
payload = '''{"name": "restApiDemo"}'''
logger.info(bip.rest_url + bip.bigip + api.create_policy)
resp = requests.post(bip.rest_url + bip.bigip + api.create_policy, headers={'accept': 'application/json','content-type': 'application/json'}, auth=(
bip.rest_user, bip.rest_pwd), data=payload, verify=False)
logger.info(resp.text)
def add_rule():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
payload = '''{"name":"restApiDemoRule", "action":"reject", "place-before":"first"}'''
logger.info(bip.rest_url + bip.bigip + api.add_rule)
resp = requests.post(bip.rest_url + bip.bigip + api.add_rule, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), data=payload, verify=False)
logger.info(resp.text)
def display_rules():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
logger.info(bip.rest_url + bip.bigip + api.add_rule)
resp = requests.get(bip.rest_url + bip.bigip + api.get_rules, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), verify=False)
logger.info(resp.text)
def change_rule():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
payload = '''{"action":"accept"}'''
logger.info(bip.rest_url + bip.bigip + api.change_rule)
resp = requests.patch(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), data=payload, verify=False)
logger.info(resp.text)
def delete_rule():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
logger.info(bip.rest_url + bip.bigip + api.delete_rule)
resp = requests.delete(bip.rest_url + bip.bigip + api.change_rule, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), verify=False)
logger.info(resp.text)
def global_context():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
payload = '''{"enforcedPolicy":"restApiDemo"}'''
logger.info(bip.rest_url + bip.bigip + api.change_rule)
resp = requests.patch(bip.rest_url + bip.bigip + api.global_context, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), data=payload, verify=False)
logger.info(resp.text)
def global_rules():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
logger.info(bip.rest_url + bip.bigip + api.change_rule)
resp = requests.get(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), verify=False)
logger.info(resp.text)
def delete_policy():
bip = objectview(bigip())
api = objectview(afm_rest_api())
mgmt = ManagementRoot(bip.bigip, bip.rest_user, bip.rest_pwd)
headers = {'accept': 'application/json','content-type': 'application/json'}
payload = '''{"enforcedPolicy":""}'''
logger.info(bip.rest_url + bip.bigip + api.change_rule)
resp = requests.patch(bip.rest_url + bip.bigip + api.global_rules, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), data=payload, verify=False)
resp = requests.delete(bip.rest_url + bip.bigip + api.delete_policy, headers=headers, auth=(
bip.rest_user, bip.rest_pwd), verify=False)
logger.info(resp.text)
if __name__ == "__main__":
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)
formatter = logging.Formatter("%(asctime)s - %(name)s - %(levelname)s - %(message)s")
handler = logging.StreamHandler(sys.stdout)
handler.setFormatter(formatter)
logger.addHandler(handler)
command= " ".join( sys.argv[1:] )
if command == "":
logger.info("""Examples:"
python afm_rest_api.py "create_firewall_pollcy()"
python afm_rest_api.py "add_rule()"
python afm_rest_api.py "display_rules()"
python afm_rest_api.py "change_rule()"
python afm_rest_api.py "delete_rule()"
python afm_rest_api.py "global_context()"
python afm_rest_api.py "global_rules()"
python afm_rest_api.py "delete_policy()""")
else:
logger.info(command)
eval(command)
I also like use python f5-sdk, from September 2020 to now(Although the sdk does not support updates now),Use it to GET AS3 or Common or other partitions LTM and GTM configuration, or use it POST create LTM virtual server or GTM wideips.