Hello,I would like to insert a timestamp on an iRule that reflects the current time at the irule creation and then somehow to be able to update that irule when is updated. I need this cuz I want to validate sync between many nodes of the same cluster, and I need to be sure that the irules are in sync and also to be able to generate a report with the irules and the corresponding timestamps. Is there a way to do this?Thanks in advance.Best regards

Doing fine, thank you. Hope the same for you. 🙂 My solution using MD5 works in this scenario. Just pull the iRules via REST and run an MD5 against the rule definition and alert/take action if they vary. But the better way here would be to include this validation in the pipeline. I suppose the deploy would fail if any of the iRules fails to update? Maybe you can alert if it does? May I ask if you have considered enable auto sync and/or replacing the old REST API with AS3?

I don't understand. Do you have multiple device groups and wish to sync the same iRule between them? If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline. If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script: import requests import hashlib irules = requests.get('https://bigipreport.xip.se/json/irules.json').json() for rule in [i for i in irules if i['name'] == 'rulename']: print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest()) # Sample output: # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # a2716b3fd773640b7919b91bb7e7d421 Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention. Kind regards,Patrik Ps. Disclaimer, I am one of the authors of BigIPReport Ds.

Hi Patrick, how are you? first of all thanks for your quick response 😀. To put you in context a little bit. I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the irule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely, to insert a timestamp when creating/modifying the iRule and that allows me to have a version of it. Where you can also validate that timestamp that is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way maybe?

Just have your application add a single line with a manual timestamp at creation time. All you need is # Modified: date. If a developer updates this is automatically updated to a current date. The you can simply check propagation by the timestamp on the deployed iRules. If you want creation date then add that as well when its new. When they edit an iRule using your application you can strip these values off so the developers have no access to them. In essence they are application controlled.# Creation: date# Modified: date

Thank you very much for your answer. As for what you mention, are you saying something like to declare within the irule:set current_time [clock seconds] so I can get the seconds from the epoch. Or is there any other best way to do it? Sorry if I totally don't follow you, but I'm really new to LTM/TCL.Best regards

How to add a timestamp on iRule

21 Replies

Patrik_Jonsson
MVP
Jul 22, 2022
I don't understand. Do you have multiple device groups and wish to sync the same iRule between them?

If you do I'd probably define the iRules in git and roll out the iRules using code and roll them out using a pipeline.

If you are using BigIPReport you could also get a list with MD5s from multiple devices using a simple Python script:

import requests import hashlib irules = requests.get('https://bigipreport.xip.se/json/irules.json').json() for rule in [i for i in irules if i['name'] == 'rulename']: print(hashlib.md5(rule['definition'].encode('utf-8')).hexdigest()) # Sample output: # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # d03f96a58892859e80cbd2be39e04b0c # a2716b3fd773640b7919b91bb7e7d421

Pair this with an alert using a Slack webhook or your monitoring system and it should work fine. I would not recommend this though as it requires manual intervention.

Kind regards,
Patrik

Ps. Disclaimer, I am one of the authors of BigIPReport Ds.
- catoverflow
  Altocumulus
  Jul 23, 2022
  Hi Patrick, how are you? first of all thanks for your quick response 😀. To put you in context a little bit. I have an F5 LTM on AWS with an ASG with multiple instances. The cluster synchronizes in an active/active way. And I have an application where developers can generate iRules via REST API against the LTM. Now, what I need is to be able to validate that the irule received by one of the instances is replicated in the rest of the cluster instances. What had occurred to me is precisely, to insert a timestamp when creating/modifying the iRule and that allows me to have a version of it. Where you can also validate that timestamp that is the same throughout all the instances of the cluster. I don't know if maybe F5 LTM already has some mechanism to be able to do this in another way maybe?
  - Patrik_Jonsson
    MVP
    Jul 23, 2022
    Doing fine, thank you. Hope the same for you. 🙂
    
    My solution using MD5 works in this scenario. Just pull the iRules via REST and run an MD5 against the rule definition and alert/take action if they vary.
    
    But the better way here would be to include this validation in the pipeline. I suppose the deploy would fail if any of the iRules fails to update? Maybe you can alert if it does?
    
    May I ask if you have considered enable auto sync and/or replacing the old REST API with AS3?
Kevin_Davies
MVP
Aug 21, 2022
From the above can I assume that you dont really trust sync and want a way to verify it yourself?
- catoverflow
  Altocumulus
  Aug 25, 2022
  Exactly, we want to have a way for us to validate with our control plane that the irules are effectively synchronized and are the same at all times, this, among other things, is because we need to be able to validate that if a request with a specific header enters through an F5, let's say of region A, then if it cannot satisfy the request based on the header, then to be able to evaluate before performing a fallback to the F5 of the other region (let's say B), and be able to control, among other things, that that header exists and that it can resolve it, in which case just there would proceed to perform the fallback and complete the request in the destination of region B, otherwise it would go to the default pool in the source region (in this case A).
  Perhaps I am adding one more degree of complexity in the question, which would be the fallback part.
  - Patrik_Jonsson
    MVP
    Aug 25, 2022
    You can validate that the exact same rule is running across your devices with the script above.
    
    The header stuff confused me. Not sure what you mean?

Forum Discussion

How to add a timestamp on iRule

21 Replies

Recent Discussions

Pricing when used with aws waf

F5 Rseries R2600 Tenant sizing

iRule help masking IBM host URL/URI

Need advise to setup a policy on F5

Advise on setting up IRULE

Related Content

Certificate Bundle Timestamp Query

Impact of disabling TCP Timestamp in TCP and fasl4 profile

F5 BIG-IP Logging API timestamp to UTC

iRules Style Guide

Hey ChatGPT, can you write iRules?