
Pool choosing by iRule is wrong, when objects have been named same in different partitions.

Przemyslaw_Wyr1
Altocumulus

Hello, I am wondering if anyone has encountered the problem of a pool from partition B being chosen by an iRule from partition A.

This is my description of the reproduction:

 

Description :

Pool choosing by iRule is wrong, when objects have been named same in different partitions.

 

Installed BigIP :

Chosen installation image on Azure Cloud:

"best200mbps": {
    "offer": "f5-big-ip-best",
    "sku": "f5-bigip-virtual-edition-200m-best-hourly"
},

Chosen BigIP version : 15.1.2.1

 

Reproduction :

create partition : prep

create virtual : test-case-vs-443 ( dedicated ip for prep , snat:automap)

create pool : test-case-pool ( prep backend web server with 443 port)

create iRule : test-case-irule :

when HTTP_REQUEST { pool test-case-pool }
when LB_SELECTED { log local0.debug "vs : [virtual name] ; lb selected [LB::server]" }

create partition : fix

create virtual : test-case-vs-443 ( dedicated ip for fix , snat:automap)

create pool : test-case-pool ( fix backend web server with 443 port)

create iRule : test-case-irule :

when HTTP_REQUEST { pool test-case-pool }
when LB_SELECTED { log local0.debug "vs : [virtual name] ; lb selected [LB::server]" }

 

Testing :

- First shell console

Fill /etc/hosts with the PREP VS IP and its name (test-case-prep)

while (true) ; do curl -k https://test-case-prep/ ; echo ""; sleep 2 ; done

- Second shell console

Log in to the F5 management interface via ssh

tail -f /var/log/ltm | grep "LB_SELECTED"

 

Output :

May 5 16:56:06 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /fix/test-case-pool 10.11.99.99 443

May 5 16:56:08 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /fix/test-case-pool 10.11.99.99 443

May 5 16:56:15 f5-vm0 debug tmm2[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /prep/test-case-pool 10.11.88.77 443

May 5 17:03:17 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /prep/test-case-pool 10.11.88.77 443

 

Is there any explanation for that behavior?

Why is partition isolation not working in this case?
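A way to quantify the behaviour shown in the output above, added here as an example and not part of the original post: the script parses the LB_SELECTED entries written by the iRule's log statement and flags those where the selected pool's partition differs from the iRule's partition. The function names are hypothetical, and treating pools in /Common as shared (and therefore not flagged) is an assumption.

```python
import re
from collections import Counter

# Message format produced by the log statement in the post's iRule:
#   Rule /<part>/<rule> <LB_SELECTED>: vs : /<part>/<vs> ; lb selected /<part>/<pool> <ip> <port>
LINE_RE = re.compile(
    r"Rule (?P<rule>/\S+) <LB_SELECTED>: vs : (?P<vs>/\S+) ; "
    r"lb selected (?P<pool>/\S+) (?P<ip>\S+) (?P<port>\d+)"
)
SHARED = {"Common"}  # assumption: pools in /Common are legitimately shared

def partition(path):
    """Return the partition (first component) of a full object path."""
    return path.split("/")[1]

def parse(line):
    """Return the fields of an LB_SELECTED entry, or None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def cross_partition(lines, shared=SHARED):
    """Return entries whose pool lives outside the iRule's own partition."""
    findings = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        owner, target = partition(entry["rule"]), partition(entry["pool"])
        if target != owner and target not in shared:
            findings.append(entry)
    return findings

def summarize(lines):
    """Count selections per (iRule partition, pool partition) pair."""
    entries = (parse(line) for line in lines)
    return Counter((partition(e["rule"]), partition(e["pool"])) for e in entries if e)

# The four log lines from the post, copied as-is.
SAMPLE = [
    "May 5 16:56:06 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /fix/test-case-pool 10.11.99.99 443",
    "May 5 16:56:08 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /fix/test-case-pool 10.11.99.99 443",
    "May 5 16:56:15 f5-vm0 debug tmm2[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /prep/test-case-pool 10.11.88.77 443",
    "May 5 17:03:17 f5-vm0 debug tmm3[4830]: Rule /prep/test-case-irule <LB_SELECTED>: vs : /prep/test-case-vs ; lb selected /prep/test-case-pool 10.11.88.77 443",
]

if __name__ == "__main__":
    for e in cross_partition(SAMPLE):
        print(f"{e['rule']} on {e['vs']} selected {e['pool']} ({e['ip']}:{e['port']})")
    print(dict(summarize(SAMPLE)))
```

The same functions can be fed the lines of /var/log/ltm instead of SAMPLE to check whether any cross-partition selections occur over a longer period.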

 

 

3 REPLIES

AlexBCT
MVP

Hi Przemyslaw,

 

I think this document explains a bit of the behaviour you are seeing: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-system-irules-concepts-11-6-0/4.html (It's from v11.6, but still seems to be relevant.)

 

I suspect it has to do with how iRules are executed as part of the flow of traffic, and as partitions are mainly a form of configuration separation, rather than a resource separation.

 

In your iRules, I noticed that you only reference the name of the pool (test-case-pool), rather than the partition AND pool name (/fix/test-case-pool) - have you given that a try? That should fix the problem.

 

Hope this helps.

 

 

Przemyslaw_Wyr1
Altocumulus

Hi AlexBCT,

I really appreciate it and thank you for your quick reply.

Your description and the linked article partially explain it to me and made me aware of the possibility of referencing objects between partitions in an iRule.

I tried your advice and I can confirm that it works, of course - prefixing with the partition name chooses the right pool.

The same effect may be achieved by renaming the pools (for example prep-test-case-pool).

 

But it is still strange that the decision is made randomly, choosing the pool from the same partition (prep) and sometimes from another partition (fix).

I thought that if the iRule and pool reside in the same partition (prep), the iRule will have its partition context and will refer to the right object in the same partition - this is what I would expect.

In my experience with iRules (over the years), I have never used the name of the partition as a prefix before any object. But I have also never had a case with the same names of pools, iRules and virtuals in different partitions.

I understand all about referencing from an iRule to objects in different partitions, but I still think it is wrong and I think that the partition context should be used by the code of the iRule.

I suspect that when I have two iRules in different partitions with the same name and code inside, this code has been compiled and used by the CPUs randomly - something like that.

Anyway, again I would like to thank you for your answer.

 

Best regards,

Przemek

 

 

 

Hi Przemek,

 

Great to hear it's working at least!

Yeah, it's strange indeed that iRules don't seem to stay within their own partition when referencing objects, so you are not the only one who was surprised by the behaviour 😉

Maybe it's looking for a first match in alphabetical order (i.e. the pool name in the "fix" partition being before the object in the "prep" partition), and just picking the first match it finds. But I'm not an expert in the internal workings of iRules, so can't comment more on that - maybe there is another expert around here who knows more about that.

Whenever I'm working with iRules and partitions (...I try to avoid partitions whenever I can to be honest... ;), I make sure to always reference the full path and name, rather than the name alone to avoid any potential issues.

 

If you're happy with the answer, would be great if you can flag it as "answered" so the rest of the community may benefit from it.