Technical Articles
F5 SMEs share good practice.
cancel
Showing results for 
Search instead for 
Did you mean: 
JRahm
Community Manager
Community Manager

Backing up the BIG-IP Configuration is something I've written about a couple times (here and here) previously. Well, third time's the charm, thanks to the new iCall feature in the 11.4 release. This time, I've even wrapped in scp support to send the backup to a remote server! The great thing about this solution is the only thing required outside of tmsh is setting up the ssh keys.

SSH Key Configuration

1. On Big_IP, create your keys

 

[root@ltm1:Active:Standalone] config # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
fd:d0:07:64:1d:f6:21:86:49:47:85:77:74:15:2c:36 root@ltm1.dc.local

 

2. copy the public key to your archive server

[root@ltm1:Active:Standalone] config # scp /root/.ssh/id_rsa.pub jrahm@192.168.6.10:/var/tmp/id_rsa.pub-ltm1
jrahm@192.168.6.10's password:
id_rsa.pub 

3. Login to your server and append the public key to authorized keys, recommending not a root account!

For my ubuntu installation, I have an encrypted home directory, so there are a couple extra steps to apply the authorized keys:

3a. Create a user-specific directory in /etc/ssh and change permissions/ownership

sudo mkdir /etc/ssh/jrahm
sudo chmod 755 /etc/ssh/jrahm
sudo chown jrahm:jrahm /etc/ssh/jrahm

3b. Edit /etc/ssh/sshd_config to update authorized keys file:

sudo vi /etc/ssh/sshd_config
#update these two lines:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
PubkeysAuthentication yes

3c. Add your key to the user:

sudo cat /var/tmp/id_rsa.pub-ltm1 >> /etc/ssh/jrahm/authorized_keys 

3d. restart sshd on archive server

sudo service ssh restart 

4. Test login from BIG-IP to server (no password prompt, this is good!)

[root@ltm1:Active:Standalone] config # ssh jrahm@192.168.6.10 
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-23-generic x86_64) 

Last login: Mon Apr  1 15:15:22 2013 from 192.168.6.5 

5. Test scp functionality:

[root@ltm1:Active:Standalone] tmp # scp f5backup-ltm1.dc.local-20130326160303.tar.gz jrahm@192.168.6.10:/var/tmp/ 
f5backup-ltm1.dc.local-20130326160303.tar.gz

Create the iCall Script

iCall scripts are created in the vim editor much like tmsh scripts by (in the tmsh shell) calling create sys icall script <script name>. The skeleton looks like this:

create script testme { 
    app-service none 
    definition { 
    } 
    description none 
    events none 
}

For this script, we only need to focus on the definition. There is no rocket science in this script at all, just setting date and file information, saving the archive, creating the tarball, zipping it up, and sending it off.

sys icall script f5.config_backup.v1.0.0 { 
    app-service none 
    definition { 
        #Set Current Date/Time for Filename 
        set cdate [clock format [clock seconds] -format "%Y%m%d%H%M%S"] 
        #Pull hostname from config for Filename 
        set host [tmsh::get_field_value [lindex [tmsh::get_config sys global-settings] 0] hostname] 
        #Create Temp Directory 
        set tmpdir [exec mktemp -d /var/tmp/f5backup.XXXXXXXXXX] 
        #Set Filename Root 
        set fname "f5backup-$host-$cdate" 
        #Export UCS 
        tmsh::save /sys ucs $tmpdir/$fname 
        #Create Backup 
        exec tar cvzf /var/tmp/$fname.tar.gz -C $tmpdir . 2> /dev/null 
        #Remove Temp Directory 
        exec rm -rf $tmpdir 
        #SSH settings 
        exec scp /var/tmp/$fname.tar.gz jrahm@192.168.6.10:/var/tmp/ 
    } 
    description none 
    events none 
}

As you can probably surmise, an iCall script is pretty much a tmsh script, same Tcl / tmsh, just stored differently to be utilized by iCall handlers.

Create the iCall Handler

Since backups are typically run once a day, the handler we'll need is a periodic handler. There are several arguments you can set on a periodic handler:

root@(ltm2)(cfg-sync Standalone)(Active)(/Common)(tmos)# create sys icall handler periodic testme ? 
Identifier: 
  [object identifier]  Specify a name for the handler item 
Properties: 
  "{"                  Optional delimiter 
  app-service 
  arguments            Specifies a set of name/value pairs to be passed in as data to the script for every execution 
  description          User defined explanation of the item 
  first-occurrence     Specifies the date and time of the first occurrence this handler should execute 
  interval             Specifies the number of seconds between each occurrence of this handler's automatic execution 
  last-occurrence      Specifies the date and time after which no more occurrences will execute 
  script               Specifies the handler's script to execute upon invocation 
  status               Manage the perpetual process by specifying active or inactive

In my case, I only need to set the first-occurrence, the interval, and the script to call:

sys icall handler periodic f5.config_backup.v1.0.0 { 
    first-occurrence 2013-06-26:08:18:00 
    interval 360 
    script f5.config_backup.v1.0.0 
}

A normal interval would be once per day (86400), but since this is a test scenario, I set the interval low so I could see it happen at least twice. On the BIG-IP, notice that the temp directories are gone (but the archives remain, you can add a line to the script to clean up if you like)

[root@ltm2:Active:Standalone] tmp # ls -las 
total 13100 
    8 drwxrwxrwt  6 root   root       4096 Jun 26 08:23 . 
    8 drwxr-xr-x 21 root   root       4096 Jun 20 09:41 .. 
    8 -rw-r--r--  1 root   root        718 Jun 24 09:59 audit.out 
    8 -rw-r--r--  1 root   root       1013 Jun 24 10:00 csyncd.out 
    4 -rw-r--r--  1 root   root          0 Jun 24 10:00 devmgmtd++.out 
    4 -rw-r--r--  1 root   root          0 Jun 24 09:59 evrouted.out 
  476 -rw-r--r--  1 root   root     478717 Jun 26 08:18 f5backup-ltm2.dc.local-20130626081800.tar.gz 
  476 -rw-r--r--  1 root   root     478556 Jun 26 08:23 f5backup-ltm2.dc.local-20130626082336.tar.gz 
    8 drwxr-xr-x  4 root   root       4096 Jun 20 09:34 install

And finally, the same files in place on my remote server:

jrahm@u1204lts:/var/tmp$ ls -las 
total 2832 
  4 drwxrwxrwt  2 root  root    4096 Jun 26 10:24 . 
  4 drwxr-xr-x 13 root  root    4096 Mar 27 13:35 .. 
468 -rw-r--r--  1 jrahm jrahm 478717 Jun 26 10:18 f5backup-ltm2.dc.local-20130626081800.tar.gz 
468 -rw-r--r--  1 jrahm jrahm 478556 Jun 26 10:24 f5backup-ltm2.dc.local-20130626082336.tar.gz

Going Further

By this point in the article, you might been thinking..."Wait, the previous articles wrapped all that goodness in an iApp. What gives?" Well, I am not leaving you hanging--its' already in the iCall codeshare waiting for you! Stay tuned for future iCall articles, where I'll dive into some perpetual and triggered handler use cases.

Comments
dariusjs_19885
Nimbostratus
Nimbostratus
Jason,

 

 

Thanks for the good work again. But would you know why these features dont make it into the default bigip package?

 

 

Regards,

 

Darius
Valentin_Z__956
Nimbostratus
Nimbostratus
Hi Jason

 

 

can you please add support for ftp for file copy?

 

 

Thanks

 

V.Z
Valentin_Z__956
Nimbostratus
Nimbostratus
Hello,

 

I've successfully managed to create a working script that uses the ftp protocol for the transfer of the file , just modify the following in the original script , follow these steps :

 

1. replace the lines

 

SSH settings

 

exec scp /var/tmp/$fname.tar.gz USERNAME@SERVER:DIRECTORY

 

2. with these lines

 

Make sure ftpcommands.txt file doesnt exist to avoid errors

 

exec rm /var/tmp/ftpcommands.txt -f

 

Create ftpcommands.txt file

 

exec echo "open SERVER" >> /var/tmp/ftpcommands.txt

 

exec echo "user USERNAME PASS" >> /var/tmp/ftpcommands.txt

 

exec echo "binary" >> /var/tmp/ftpcommands.txt

 

exec echo "put /var/tmp/cfg-backups/$fname.tar.gz /DIRECTORY/$fname.tar.gz" >> /var/tmp/ftpcommands.txt

 

exec echo "bye" >> /var/tmp/ftpcommands.txt

 

Run ftp copy procedure

 

exec ftp -n < /var/tmp/ftpcommands.txt

 

 

good luck !

 

Etienne_Noumen_
Nimbostratus
Nimbostratus
Thanks again Jason.

 

I'll test this on my LTM/APM v11.1 and hopefully it works.

 

Will keep you posted.

 

Kevin_Burrell_1
Nimbostratus
Nimbostratus
How do you debug this? Having copied the iCall script and handler above. Backups are not created and I don't see anything that helps me with debugging, logs or otherwise.

 

 

Thanks
Kevin_Burrell_1
Nimbostratus
Nimbostratus
Product BIG-IP, Version 11.4.1, Build 625.0

 

 

I copied what was on this particular page, i.e. created an iCall Script and a Handler

 

JRahm
Community Manager
Community Manager
Community member Thomas Schockaert just dropped a new improved feature-rich backup iApp...check it out here: https://devcentral.f5.com/s/articles/f5-automated-backups-the-right-way
clammers
Nimbostratus
Nimbostratus
Hi Jason,

 

 

just playing around with your backup script. The FTP upload could also be done with curl like 'exec curl -T /var/tmp/$fname.tar.gz -u $ftpuser:$ftppass ftp://$ftp' ..

 

 

But we've another problem. Could you explain the argument function of the periodic icall handler and how to get these values in the icall script. I've found the tcpdump event script where also name/value pairs are used, but in a periodic handler it seems to work in another way. could you help us?

 

 

thanks,

 

chris
clammers
Nimbostratus
Nimbostratus
ah - we figured out - found the manpage 🙂
Kevin_Burrell_1
Nimbostratus
Nimbostratus
Is there a way to run a TCL script created in the editor from within the iCall script definition. Another way of asking this, is, is there a way to invoke that script as a tmsh command. It seems as though tmsh cli script run scriptname.tcl does not work. I have found myself developing a a script to run in iCall as a normal script but there's a little bit of work to transfer the script. It would be easier to just call it from the iCall script if possible,
JRahm
Community Manager
Community Manager
hi Kevin, is there a reason you wouldn't just put the script contents into the iCall script itself?
Dan_Eather_2042
Nimbostratus
Nimbostratus
Thanks, i used your last iApp solution and it worked great. This one however, I'm having no luck with. Do you know how I could see if the script is executing at all? Or is there a way to trigger the handler? Thanks
Version history
Last update:
‎26-Jun-2013 10:59
Updated by:
Contributors