Technical Articles
F5 SMEs share good practice.

Backing up the BIG-IP Configuration is something I've written about a couple times (here and here) previously. Well, third time's the charm, thanks to the new iCall feature in the 11.4 release. This time, I've even wrapped in scp support to send the backup to a remote server! The great thing about this solution is the only thing required outside of tmsh is setting up the ssh keys.

SSH Key Configuration

1. On the BIG-IP, create your keys:


[root@ltm1:Active:Standalone] config # ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
fd:d0:07:64:1d:f6:21:86:49:47:85:77:74:15:2c:36 root@ltm1.dc.local


2. Copy the public key to your archive server:

[root@ltm1:Active:Standalone] config # scp /root/.ssh/ jrahm@
jrahm@'s password: 

3. Log in to your server and append the public key to authorized_keys. I recommend using an account other than root!

For my Ubuntu installation, I have an encrypted home directory, so there are a couple of extra steps to apply the authorized keys:

3a. Create a user-specific directory in /etc/ssh and change permissions/ownership

sudo mkdir /etc/ssh/jrahm
sudo chmod 755 /etc/ssh/jrahm
sudo chown jrahm:jrahm /etc/ssh/jrahm

3b. Edit /etc/ssh/sshd_config to update authorized keys file:

sudo vi /etc/ssh/sshd_config
#update these two lines:
AuthorizedKeysFile /etc/ssh/%u/authorized_keys
PubkeyAuthentication yes

3c. Add your key to the user:

sudo cat /var/tmp/ >> /etc/ssh/jrahm/authorized_keys 

3d. Restart sshd on the archive server:

sudo service ssh restart 

4. Test login from BIG-IP to server (no password prompt, this is good!)

[root@ltm1:Active:Standalone] config # ssh jrahm@ 
Welcome to Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-23-generic x86_64) 

Last login: Mon Apr  1 15:15:22 2013 from 

5. Test scp functionality:

[root@ltm1:Active:Standalone] tmp # scp f5backup-ltm1.dc.local-20130326160303.tar.gz jrahm@ 
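
Steps 1 to 5 give a key that must work unattended on the BIG-IP full shell access to the archive account. As an added example (not part of the original article), this shell script for the archive server builds an authorized_keys entry that limits that key to scp uploads into one directory and then audits the file. The directory /var/backups/f5 and the sample key are assumptions, and the forced command relies on the legacy scp protocol.

```shell
#!/bin/bash
# Added example (not from the article): lock the BIG-IP backup key down to
# scp uploads into one directory, then audit the authorized_keys file.
BACKUP_DIR=/var/backups/f5   # assumed drop directory on the archive server
# Constructed sample key, truncated on purpose; use the real public key line.
SAMPLE_PUB='ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY root@ltm1.dc.local'
OPTS='no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# Print an authorized_keys line for key $1 that forces "scp -t <dir $2>".
restricted_key_line() {
    local pub="$1" dir="$2"
    case "$pub" in                      # accept only a bare "type base64 comment"
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "not a bare public key line" >&2; return 1 ;;
    esac
    case "$dir" in                      # must be an absolute path
        /*) ;;
        *) echo "directory must be absolute" >&2; return 1 ;;
    esac
    case "$dir" in                      # no spaces, quotes or shell metacharacters
        *[!A-Za-z0-9/._-]*) echo "unsafe character in directory" >&2; return 1 ;;
    esac
    printf 'command="scp -t %s",%s %s\n' "$dir" "$OPTS" "$pub"
}

# Succeed only if file $1 is not writable by group or others and every key
# in it carries a forced command.
audit_authorized_keys() {
    local file="$1" line
    [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
    if [ -n "$(find "$file" -perm -020 -o -perm -002)" ]; then
        echo "$file: writable by group or others" >&2; return 1
    fi
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) ;;                                  # blank or comment
            ssh-*|ecdsa-*) echo "unrestricted key: ${line##* }" >&2; return 1 ;;
            *command=\"*) ;;                            # options include a forced command
            *) echo "key without forced command: ${line##* }" >&2; return 1 ;;
        esac
    done < "$file"
}

restricted_key_line "$SAMPLE_PUB" "$BACKUP_DIR"   # line to append to authorized_keys
```

With this entry in place the interactive login in step 4 no longer yields a shell, so use the scp test in step 5 to confirm the setup.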

Create the iCall Script

iCall scripts are created in the vim editor much like tmsh scripts by (in the tmsh shell) calling create sys icall script <script name>. The skeleton looks like this:

create script testme {
    app-service none
    definition {
    }
    description none
    events none
}

For this script, we only need to focus on the definition. There is no rocket science in this script at all, just setting date and file information, saving the archive, creating the tarball, zipping it up, and sending it off.

sys icall script f5.config_backup.v1.0.0 { 
    app-service none 
    definition { 
        #Set Current Date/Time for Filename 
        set cdate [clock format [clock seconds] -format "%Y%m%d%H%M%S"] 
        #Pull hostname from config for Filename 
        set host [tmsh::get_field_value [lindex [tmsh::get_config sys global-settings] 0] hostname] 
        #Create Temp Directory 
        set tmpdir [exec mktemp -d /var/tmp/f5backup.XXXXXXXXXX] 
        #Set Filename Root 
        set fname "f5backup-$host-$cdate" 
        #Export UCS 
        tmsh::save /sys ucs $tmpdir/$fname 
        #Create Backup 
        exec tar cvzf /var/tmp/$fname.tar.gz -C $tmpdir . 2> /dev/null 
        #Remove Temp Directory 
        exec rm -rf $tmpdir 
        #SSH settings 
        exec scp /var/tmp/$fname.tar.gz jrahm@ 
    }
    description none 
    events none 
}

As you can probably surmise, an iCall script is pretty much a tmsh script, same Tcl / tmsh, just stored differently to be utilized by iCall handlers.

Create the iCall Handler

Since backups are typically run once a day, the handler we'll need is a periodic handler. There are several arguments you can set on a periodic handler:

root@(ltm2)(cfg-sync Standalone)(Active)(/Common)(tmos)# create sys icall handler periodic testme ? 
  [object identifier]  Specify a name for the handler item 
  "{"                  Optional delimiter 
  arguments            Specifies a set of name/value pairs to be passed in as data to the script for every execution 
  description          User defined explanation of the item 
  first-occurrence     Specifies the date and time of the first occurrence this handler should execute 
  interval             Specifies the number of seconds between each occurrence of this handler's automatic execution 
  last-occurrence      Specifies the date and time after which no more occurrences will execute 
  script               Specifies the handler's script to execute upon invocation 
  status               Manage the perpetual process by specifying active or inactive

In my case, I only need to set the first-occurrence, the interval, and the script to call:

sys icall handler periodic f5.config_backup.v1.0.0 { 
    first-occurrence 2013-06-26:08:18:00 
    interval 360 
    script f5.config_backup.v1.0.0 
}

A normal interval would be once per day (86400), but since this is a test scenario, I set the interval low so I could see it happen at least twice. On the BIG-IP, notice that the temp directories are gone (the archives remain; you can add a line to the script to clean them up if you like):

[root@ltm2:Active:Standalone] tmp # ls -las 
total 13100 
    8 drwxrwxrwt  6 root   root       4096 Jun 26 08:23 . 
    8 drwxr-xr-x 21 root   root       4096 Jun 20 09:41 .. 
    8 -rw-r--r--  1 root   root        718 Jun 24 09:59 audit.out 
    8 -rw-r--r--  1 root   root       1013 Jun 24 10:00 csyncd.out 
    4 -rw-r--r--  1 root   root          0 Jun 24 10:00 devmgmtd++.out 
    4 -rw-r--r--  1 root   root          0 Jun 24 09:59 evrouted.out 
  476 -rw-r--r--  1 root   root     478717 Jun 26 08:18 f5backup-ltm2.dc.local-20130626081800.tar.gz 
  476 -rw-r--r--  1 root   root     478556 Jun 26 08:23 f5backup-ltm2.dc.local-20130626082336.tar.gz 
    8 drwxr-xr-x  4 root   root       4096 Jun 20 09:34 install

And finally, the same files in place on my remote server:

jrahm@u1204lts:/var/tmp$ ls -las 
total 2832 
  4 drwxrwxrwt  2 root  root    4096 Jun 26 10:24 . 
  4 drwxr-xr-x 13 root  root    4096 Mar 27 13:35 .. 
468 -rw-r--r--  1 jrahm jrahm 478717 Jun 26 10:18 f5backup-ltm2.dc.local-20130626081800.tar.gz 
468 -rw-r--r--  1 jrahm jrahm 478556 Jun 26 10:24 f5backup-ltm2.dc.local-20130626082336.tar.gz
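
The listings above show the archives accumulating, world-readable (-rw-r--r--), in /var/tmp on both hosts. As an added example (not part of the original article), this shell code keeps the newest N archives per host with owner-only permissions and deletes the rest; the directory and count passed in are assumptions.

```shell
#!/bin/bash
# Added example (not from the article): retention for archives named
# f5backup-<host>-<YYYYmmddHHMMSS>.tar.gz, as produced by the iCall script.

# List host $2's archives in directory $1, newest first. The timestamp in the
# name sorts lexically, so the order does not depend on file mtimes.
list_backups() {
    local dir="$1" host="$2" f
    for f in "$dir"/f5backup-"$host"-[0-9]*.tar.gz; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done | sort -r
}

# Keep the newest $3 archives of host $2 in $1 readable by the owner only,
# delete the older ones, and print the names that were deleted.
prune_backups() {
    local dir="$1" host="$2" keep="$3" n=0 f
    case "$keep" in                 # a missing or non-numeric count must not
        ''|*[!0-9]*)                # fall through to "delete everything"
            echo "keep count must be a number" >&2; return 1 ;;
    esac
    list_backups "$dir" "$host" | while IFS= read -r f; do
        n=$((n + 1))
        if [ "$n" -le "$keep" ]; then
            chmod 600 "$f"          # retained archive: owner read/write only
        else
            rm -f -- "$f" && printf '%s\n' "${f##*/}"
        fi
    done
}
```

For example, `prune_backups /var/tmp ltm2.dc.local 14` run daily on the archive server keeps two weeks of archives for that host.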

Going Further

By this point in the article, you might be thinking... "Wait, the previous articles wrapped all that goodness in an iApp. What gives?" Well, I am not leaving you hanging. It's already in the iCall codeshare waiting for you! Stay tuned for future iCall articles, where I'll dive into some perpetual and triggered handler use cases.




Thanks for the good work again. But would you know why these features don't make it into the default bigip package?





Hi Jason,

Can you please add support for FTP for file copy?







I've successfully managed to create a working script that uses the FTP protocol for the transfer of the file. Just modify the following in the original script, following these steps:

1. Replace the lines

#SSH settings
exec scp /var/tmp/$fname.tar.gz USERNAME@SERVER:DIRECTORY

2. with these lines

#Make sure ftpcommands.txt file doesn't exist to avoid errors
exec rm /var/tmp/ftpcommands.txt -f
#Create ftpcommands.txt file
exec echo "open SERVER" >> /var/tmp/ftpcommands.txt
exec echo "user USERNAME PASS" >> /var/tmp/ftpcommands.txt
exec echo "binary" >> /var/tmp/ftpcommands.txt
exec echo "put /var/tmp/cfg-backups/$fname.tar.gz /DIRECTORY/$fname.tar.gz" >> /var/tmp/ftpcommands.txt
exec echo "bye" >> /var/tmp/ftpcommands.txt
#Run ftp copy procedure
exec ftp -n < /var/tmp/ftpcommands.txt

Good luck!


Thanks again Jason.


I'll test this on my LTM/APM v11.1 and hopefully it works.


Will keep you posted.


How do you debug this? Having copied the iCall script and handler above. Backups are not created and I don't see anything that helps me with debugging, logs or otherwise.



Product BIG-IP, Version 11.4.1, Build 625.0



I copied what was on this particular page, i.e. created an iCall Script and a Handler


Community Manager
Community member Thomas Schockaert just dropped a new improved feature-rich backup iApp...check it out here:
Hi Jason,



just playing around with your backup script. The FTP upload could also be done with curl like 'exec curl -T /var/tmp/$fname.tar.gz -u $ftpuser:$ftppass ftp://$ftp' ..



But we've another problem. Could you explain the argument function of the periodic icall handler and how to get these values in the icall script. I've found the tcpdump event script where also name/value pairs are used, but in a periodic handler it seems to work in another way. could you help us?





ah - we figured out - found the manpage 🙂
Is there a way to run a TCL script created in the editor from within the iCall script definition? Another way of asking this is, is there a way to invoke that script as a tmsh command? It seems as though tmsh cli script run scriptname.tcl does not work. I have found myself developing a script to run in iCall as a normal script, but there's a little bit of work to transfer the script. It would be easier to just call it from the iCall script if possible.
Community Manager
hi Kevin, is there a reason you wouldn't just put the script contents into the iCall script itself?
Thanks, i used your last iApp solution and it worked great. This one however, I'm having no luck with. Do you know how I could see if the script is executing at all? Or is there a way to trigger the handler? Thanks
Version history
Last update: 26-Jun-2013 10:59