cancel
Showing results for 
Search instead for 
Did you mean: 

Big-IQ use TMSH to manage BIG-IP configuration in Silo

DifanZ
Cirrus
Cirrus

Hi experts,

Is it possible to use the TMSH in Big-IQ to manage configurations for the Big-IP that is in a Silo? Sometimes it is easier to use the TMSH to duplicate configuration, such as an SSL-client profile in the command line than clicking for each setting in the GUI. We used to do that on the Big-IP but now since they are all centrally managed by the Big-IQ, we can't do that anymore. Where is Silo stored on the Big-IQ? Is it in a specific directory? 

Thanks!

Difan

1 ACCEPTED SOLUTION

SiCoffey
F5 Employee
F5 Employee

Hi Difan.  

Short answer - no, the configuration stored in BIG-IQ is not managable from TMSH,  or any direct CLI.   The config is stored in a database, not text files.

Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology,   but the vast majority of this is precursory and not yet documented.  That said,  if you were prepared to invest the effort , you could in theory script the duplication of existing objects.  Its all very different from TMSH though.

https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_precursory_apis_ref/r_pre...

If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3.  This moves the source of truth for your configuration to your preferred external code repository,  but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP.  You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config. 

https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

In the meantime,  to keep the ability to use TMSH to manage configurations,  something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish.  You can then Discover/Import that device configuration into BIG-IQ.  Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import.  The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers.  If you define virtual servers on your dev environment,  you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.   

A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ seperately before you can deploy the SSL profile to a different device.   BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.  

Hope all that helps!  

 

 

 

 

 

 

 

View solution in original post

3 REPLIES 3

Anthony_Hynes
F5 Employee
F5 Employee

Thanks for posting this question DifanZ. Let me see if I can get one of our subject matter experts to answer this for you. Hang tight.


-- Director of Community Development

tinycloudnija
F5 Employee
F5 Employee

TMSH is not exposed to the BIG-IQ configuation.

Something I have used is the BIG-IQ Scripts Management. You can create scripts of TMSH commands from BASH> to en masse deploy to a series of BIG-IPs. So as an example; if I needed to chanage the SNMP accross all BIG-IPs. I could author a single script and use the BIG-IQ Device Script to run on the target BIG-IP devices. 

AskF5 | Manual Chapter: Script Management

 

SiCoffey
F5 Employee
F5 Employee

Hi Difan.  

Short answer - no, the configuration stored in BIG-IQ is not managable from TMSH,  or any direct CLI.   The config is stored in a database, not text files.

Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology,   but the vast majority of this is precursory and not yet documented.  That said,  if you were prepared to invest the effort , you could in theory script the duplication of existing objects.  Its all very different from TMSH though.

https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_precursory_apis_ref/r_pre...

If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3.  This moves the source of truth for your configuration to your preferred external code repository,  but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP.  You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config. 

https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

In the meantime,  to keep the ability to use TMSH to manage configurations,  something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish.  You can then Discover/Import that device configuration into BIG-IQ.  Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import.  The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers.  If you define virtual servers on your dev environment,  you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.   

A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ seperately before you can deploy the SSL profile to a different device.   BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.  

Hope all that helps!