Self-Contained BIG-IP Provisioning with iRules and pyControl - Part 1
There’s a plethora (yes, a plethora. The Three Amigos taught me well.) of quality information constantly flowing here at DevCentral. And whereas I might not have El Guapo’s superior intellect, I do have enough smarts to lean on my many peers in this community that have performed some serious heavy lifting when it comes to iRules and iControl. iRules and iControl live in separate planes, and rightfully so. iRules work on the live data between client and server, and iControl works on the management plane out of band to collect information or to modify or create configuration objects. However, what if you could combine forces, wholly contained on your BIG-IP LTM? That’s the scenario I hope to tackle. In this first part, I’ll take a look at a few different tech tips that highlight components I’ll use in the final solution.
Laying the Foundation
I’m going to need a mechanism to get user input from an HTTP request to a listener that can act on that request. The pieces are already in place for messages to be logged, utilizing the log command in iRules to send data to syslog. But how do I extract that information in real time? Beginning in version 10, Python began shipping with BIG-IP LTM. A simple socket listening for syslog messages would work, wouldn’t it? Why yes, it would. The workflow for the provisioning process within the BIG-IP is shown below.
Preparing Syslog
So the first step in this project is to visit MVP smp’s tech tip on custom syslog files. The rotation can be worked out later, but for functionality, this should get me where I want to go:
I don’t want the listener to be overwhelmed with messages, so by splitting off the messages beginning with “#prov#”, I’ll make sure that I only see the provisioning messages on my socket. For a destination, I’m using a local log file for auditing, and a loopback address for my socket to listen on.
Preparing the Socket
The Python code to create this listener is actually pretty simple, as gleaned here from the Python wiki:
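As an added example (not the listener code from the original article or the Python wiki), a loopback UDP listener for the tagged syslog stream could look like this. It is written for current Python 3 rather than the BIG-IP's bundled 2.4; the key=value payload after the marker, the allowed field characters and the sample line are assumptions made for illustration.

```python
import ipaddress
import re
import socket

LISTEN_ADDR = ("127.0.0.20", 514)  # loopback destination named in the article
MARKER = "#prov#"                  # tag that syslog filters on, per the article
MAX_DATAGRAM = 2048                # anything longer is truncated by recvfrom
# Assumption: fields are key=value tokens drawn from a conservative character set.
FIELD_RE = re.compile(r"^[A-Za-z0-9_.:\-]{1,64}$")
# Constructed sample datagram, not captured from a real BIG-IP.
SAMPLE = (b"<134>Jun  1 10:00:00 local/tmm info tmm[1234]: Rule provision "
          b"<HTTP_REQUEST>: #prov# pool=web_pool member=10.10.20.61:80\n")

def parse_provision(datagram, peer_ip):
    """Return the fields of a tagged datagram as a dict, or None if rejected."""
    # UDP has no authentication, so accept only datagrams from loopback.
    if not ipaddress.ip_address(peer_ip).is_loopback:
        return None
    try:
        text = datagram.decode("ascii")
    except UnicodeDecodeError:
        return None
    _, found, payload = text.partition(MARKER)
    if not found:
        return None
    fields = {}
    for token in payload.split():
        key, sep, value = token.partition("=")
        # Reject the whole message if any token is malformed; never guess.
        if not sep or not FIELD_RE.match(key) or not FIELD_RE.match(value):
            return None
        fields[key] = value
    return fields or None

def serve(addr=LISTEN_ADDR):
    """Bind to the loopback address and print each accepted request."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(addr)  # port 514 is privileged, so this needs root
    while True:
        data, (peer_ip, _port) = sock.recvfrom(MAX_DATAGRAM)
        request = parse_provision(data, peer_ip)
        if request is not None:
            print("provisioning request:", request)

if __name__ == "__main__":
    serve()
```

Because these fields would later drive configuration changes, the parser drops any datagram it cannot fully validate instead of acting on a partial match.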
So now that I have syslog sending messages tagged with “#prov” to a destination of 127.0.0.20:514 (UDP) and I have a socket listening on said destination, I should in theory have a working path. For now, I’ll just use a simple iRule to generate the log entry to test the path:
So after firing up the browser and grabbing http://10.10.20.50/provision, my socket appears to be working just fine:
Good stuff! Now, printing the information to the console is pretty boring, and frankly, the data has already been sent to a local file. So what might I be able to do with that data? What if I wanted to send some pool member information in and do something with that? I’d probably need iControl, right? Well, I’m already using Python for the socket, so why not use it for pyControl as well? But, you say, pyControl is not available on the BIG-IP LTM. This is true, but a while back I wrote a tech tip on installing pyControl on BIG-IP LTM, so that’s the next archive I’ll visit.
Preparing the BIG-IP for pyControl
The first thing I need to do is remount my /usr file system as read-write. Looking at my /etc/mtab file, I see that my /usr is on /dev/bg-db-sda, so I need to remount with this command:
Now I can upload my packages and build pyControl. Python version on BIG-IP is 2.4, so I’ll use the 2.4 setuptools egg.
And just to make sure pyControl is working as expected, I enter the Python shell and initialize the BIG-IP LTM:
Next Week
Now that the bones are in place, next week I’ll focus on building the iRule necessary to pass data through to the listener. I’ll be using code from George’s excellent HTTP Basic Authentication article as I wouldn’t want to allow provisioning on the box without some authentication in place.