Big-IQ snapshot management
Hello community, I have an interesting situation that I want to run by you guys and hopefully somebody/someone can give me a hand. We have in our environment 20 Big-IQ devices, handling nearly 500 devices (between LTMs, ASMs, DNSs and combination of them). Internally we have configured Big-IQs to trigger snapshots for all of them, the only difference we have is that we only keep snapshot files storaged in the Big-IQ is for ASMs. The rest of the modules keep their snapshots locally. Now, we want (need) to create a python script (basically because we make it run from a 3rd party solution that ssh into the Big-IQs and run that python script) to delete snapshots older than 30 days, for example. For that purpose, I have searched for several documentation regarding API for snapshot management on Big IQ , basically there are 2 API calls relevant for me: 1.- Snapshot checkup: GET /cm/<module>/tasks/snapshot-config/<id> 2.- Snapshot deletion: DELETE mgmt/cm/<module>/tasks/snapshot-config/<id> Now the values between <>, which are: 'module' and 'id', in our case module = asm and 'id' is for the snapshot we want to checkup and delete if meets the criteria. The thing here is that, we do not have any 'id' number, because the snapshots are created by several business units outside our team, where they log into the Big-IQ's GUI and deploy the snapshot manually. I have tried to send a GET request (via POSTMAN) using these variations (hoping some sort of response): GET /cm/<module>/tasks/snapshot-config/ GET /cm/<module>/tasks/snapshot-config/* But logically is expecting the 'id' value so it shoots back an error. NOTE: the 'id' is provided when you try the API call for snapshot creation: POST mgmt/cm/<module>/tasks/snapshot-config. That particular POST, only request the name of the snapshot as parameter and then provides the precious 'id' in return. So you can see my dilemma and where I am missing data. QUESTIONS: 1.- Is there any way to fetch the 'id' using any resource? 2.- where exactly is located the repository for these snapshots in the Big-IQ? I mean the Linux's bash prompt for each Big-IQ, I have searched and searched but I haven't found them... This would be a great peace of information. 3.- Is this the right approach? I found some information about 'restcurl' but I am not completely sure about this resource. Thanks.-Knowledge sharing: Ways to trigger and schedule scripts on the F5 BIG-IP devices.
I think that it is interesting to share how on F5 different scripts can be run at different times and states. 1. You can use the cron job like on any linux device to run a script. As I have used this to restart the tomcat and httpd each night with "bigstart restart <name>" or "tmsh restart /sys service <name>" (https://support.f5.com/csp/article/K89999342), because of a bug till I upgade the devices (https://support.f5.com/csp/article/K25554628 ). https://support.f5.com/csp/article/K03108954 2.Newer versions of F5 also have anacron tool that can add some randomness to the timframe when a script is run and many F5 default scripts use this and not the crontab: https://support.f5.com/csp/article/K33730915 3.You can even trigger scripts on the F5 device if the state changes from active to standby or from standby to active by adding the scripts under /config/failover/<state>. For example if you have a bug for a critical process that causes a failover ( you can use the command show /sys ha-status all-properties to check for this https://support.f5.com/csp/article/K20060182 ) but the device does not reboot or fix the process you can run a script to when the device becomes standby to restart the process. https://support.f5.com/csp/article/K6008 4. You afcource can run scripts at the F5 start time (startup/bootup): https://support.f5.com/csp/article/K11948 5.The final thing thing I can think of is to run a script at the backround that monitors the log and for example when there is a specific message in /var/log/ltm to trigger a tcpdump (in some cases better than creating a rotating tcpdum to catch an issue as per https://support.f5.com/csp/article/K65251607 ). The script can be a bash script with "tail -f" command that is run on the backround or better use the F5 intergrated "icall" feature. Bash: https://www.thegeekstuff.com/2010/12/5-ways-to-execute-linux-command/ Icall: https://devcentral.f5.com/s/articles/what-is-icall-27404 https://devcentral.f5.com/s/articles/run-tcpdump-on-event 5. You can use utility "logger -p" to generate manually log messages in the F5 device's log for testing of your scripts as this is used also for SNMP custom alarm traps tests (for more about SNMP https://support.f5.com/csp/article/K3727 ) https://support.f5.com/csp/article/K86480148 6. You can also trigger scripts from an BIG-IQ device bt you still can't schedule them when to run: https://clouddocs.f5.com/training/community/big-iq-cloud-edition/html/class5/module1/lab6.html 7.Of course the final option is to use ansible or python SDK that uses the F5 rest-api to execute commands on the F5 devices. https://f5-sdk.readthedocs.io/en/latest/ 8. You can even use TCP expect and bash for automations using SSH connection but this is really old way to do things: https://devcentral.f5.com/s/articles/f5-automation-tcl-amp-bash-921 https://f5-sdk.readthedocs.io/en/latest/userguide/ltm_pools_members_code_example.html 9.F5 is well integrated with Ansible and it is better than REST-API Python SDK or TCL for me as even the declarative AS3 interface is supported: https://clouddocs.f5.com/products/orchestration/ansible/devel/ https://clouddocs.f5.com/products/orchestration/ansible/devel/ https://www.f5.com/partners/technology-alliances/ansible Imperative: https://support.f5.com/csp/article/K42420223 https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/playbook_tutorial.html Declaritive: https://www.f5.com/company/blog/f5-as3-and-red-hat-ansible-automation https://clouddocs.f5.com/training/fas-ansible-workshop-101/3.0-as3-intro.html 10. For some automations without rest-api better use the F5 native cli scripts than bash with tmsh commands: https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/cli/cli_script.html https://clouddocs.f5.com/api/tmsh/script__run.html
Read dynamic file in LB internal datagroup
We have list of whitelisted IP stored in remote .csv file, file gets updated ever 5 hours with new set of IP. Currently we read file in perl and update internal data group. In LB using iRule we allow or block IP in making succesful connection to pool members by reading data group. During the time of reading and updating data group, connections are getting dropped around 5 to 10 mins We are replacing content of datagroup and adding each entry, this may not be best approach but there is no easy way to retrieve existing datagroup values and compare with .csv and do intelligent diff No of IP has grown from 10 to 1400 IPs and it might go to 5000 Since it is working for a while, facing issue recently probably because of scale, it will be difficult to change entire logic. but can make minor changes to existing logic/script #File content is delimited and stored in bcontent my @bcontent = split("," , $tmp); #print @bcontent; my $entry = ''; my $first_cm = 1; foreach $entry(@bcontent) { $entry =~ s/^\s+|\s+$//g; if ( $first_cm ) { $cmd = "$tmcom modify ltm data-group internal $BLDG records replace-all-with { $entry }"; system("$cmd"); } } else { $cmd = "$tmcom modify ltm data-group internal $BLDG records add { $entry }"; system("$cmd"); } }
