Shrink/Compact BIGIP VE Virtual Disk
After running for a while, the BIG-IP VE virtual disk size might grow much beyond the actual size of the contained files. For a lab environment VE 16.1, I see the used space is 6.4 GB. If the virtual disk size is more than 7.5 GB, that usually means there is physical space that can be saved.

Before running the shrink command, the unused space of the virtual disk needs to be zeroed. The best way of zeroing is mounting the partitions or logical volumes and then running fstrim. It finishes instantly and doesn't need to actually write zeros to the unused space. It is better than "cat /dev/zero ..." or zerofill, which actually need to write zeros and take lots of time for large sizes.

Zeroing steps:

BIG-IP VE uses an old Linux distro release that doesn't have a builtin fstrim. Hence we need to attach the virtual disk to another Linux system that has fstrim. Shut down the VE virtual machine, then attach the virtual disk file to the other Linux machine. If you don't have a Linux VM, you can create an empty Linux VM and boot it using a Linux iso. I usually use the system rescue iso from https://www.system-rescue.org/Download/.

BIG-IP VE uses LVM volumes, as seen in the fdisk output below. The /, /var etc. are stored in LVM volumes. The vgscan command will automatically scan the LVM volumes and create /dev/dm-*.

    Device     Boot   Start        End    Sectors  Size Id Type
    /dev/sdb1  *          1     409599     409599  200M  b W95 FAT32
    /dev/sdb2        409600     442367      32768   16M 82 Linux swap / Solaris
    /dev/sdb3        442368  171965455  171523088 81.8G 8e Linux LVM

Run the following commands to do the mounting and fstrim on the VE virtual disk partitions and LVM volumes. For subsequent usages, store it as a file in the Linux VM, e.g. as /var/tmp/trimf5.sh

    #!/bin/sh
    ### Stop on the first failing command so the swap volume is never left half-converted.
    set -e
    ### Scan for the VE volume group; if /dev/dm-* do not appear afterwards, run "vgchange -ay".
    vgscan
    ### fstrim can't trim a swap partition, so the swap volume is temporarily reformatted as ext4.
    ### Save its UUID first so mkswap can restore the same UUID at the end.
    swapuuid=$(blkid -s UUID -o value /dev/vg-db-vda/dat.swapvol)
    mkfs.ext4 -F /dev/vg-db-vda/dat.swapvol
    ### Mount every device-mapper volume under /tempdir/dev/dm-N.
    for i in /dev/dm-*
    do
        mkdir -p "/tempdir$i"
        mount "$i" "/tempdir$i"
    done
    fstrim -avvv
    sleep 2
    ### Second fstrim to confirm the results of the first fstrim (each volume should now report 0 B).
    fstrim -avvv
    for i in /dev/dm-*
    do
        umount "$i"
    done
    ### Turn the volume back into swap with its original UUID.
    mkswap -U "$swapuuid" /dev/vg-db-vda/dat.swapvol

Zeroing result:

    [root@localhost tmp]# sh trimf5.sh
    Found volume group "vg-db-vda" using metadata type lvm2
    mke2fs 1.46.5 (30-Dec-2021)
    /dev/vg-db-vda/dat.swapvol contains a swap file system
    Discarding device blocks: done
    Creating filesystem with 256000 4k blocks and 64000 inodes
    Filesystem UUID: 5ae4f6eb-b9ea-41d4-b710-b582eb4a5fa6
    Superblock backups stored on blocks:
            32768, 98304, 163840, 229376
    
    Allocating group tables: done
    Writing inode tables: done
    Creating journal (4096 blocks): done
    Writing superblocks and filesystem accounting information: done
    
    /tempdir/dev/dm-8: 3.9 GiB (4180942848 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._var
    /tempdir/dev/dm-7: 2 GiB (2195013632 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._config
    /tempdir/dev/dm-6: 840.6 MiB (881397760 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._usr
    /tempdir/dev/dm-5: 323.9 MiB (339643392 bytes) trimmed on /dev/mapper/vg--db--vda-set.1.root
    /tempdir/dev/dm-4: 965.8 MiB (1012744192 bytes) trimmed on /dev/mapper/vg--db--vda-dat.swapvol
    /tempdir/dev/dm-3: 2.8 GiB (2958065664 bytes) trimmed on /dev/mapper/vg--db--vda-dat.log
    /tempdir/dev/dm-2: 23.7 GiB (25492357120 bytes) trimmed on /dev/mapper/vg--db--vda-dat.appdata
    /tempdir/dev/dm-1: 14.5 GiB (15615614976 bytes) trimmed on /dev/mapper/vg--db--vda-dat.share
    /tempdir/dev/dm-0: 280.5 MiB (294090752 bytes) trimmed on /dev/mapper/vg--db--vda-dat.maint.1
    /boot/efi: 493.4 MiB (517373952 bytes) trimmed on /dev/sda1
    /: 31.8 GiB (34121232384 bytes) trimmed on /dev/sda2
    /tempdir/dev/dm-8: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._var
    /tempdir/dev/dm-7: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._config
    /tempdir/dev/dm-6: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-set.1._usr
    /tempdir/dev/dm-5: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-set.1.root
    /tempdir/dev/dm-4: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-dat.swapvol
    /tempdir/dev/dm-3: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-dat.log
    /tempdir/dev/dm-2: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-dat.appdata
    /tempdir/dev/dm-1: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-dat.share
    /tempdir/dev/dm-0: 0 B (0 bytes) trimmed on /dev/mapper/vg--db--vda-dat.maint.1
    /boot/efi: 493.4 MiB (517373952 bytes) trimmed on /dev/sda1
    /: 0 B (0 bytes) trimmed on /dev/sda2
    mkswap: /dev/vg-db-vda/dat.swapvol: warning: wiping old ext4 signature.
    Setting up swapspace version 1, size = 1000 MiB (1048571904 bytes)
    no label, UUID=6be1839d-eb37-4710-9687-833dd206b6f2
    [root@localhost tmp]#

Compacting steps:

Power off the Linux VM, then run the VM host's shrink/compact procedure. For Hyper-V, execute the powershell command: Optimize-VHD -Path bigip161.vhdx -Mode Full. Change the file name according to your virtual disk file name. https://learn.microsoft.com/en-us/powershell/module/hyper-v/optimize-vhd

In my lab environment, compacting reduced the physical virtual disk to around 6.8 GB. Hyper-V also provides a GUI menu for compacting but doesn't show the used Mode. VMware and KVM also provide GUI menus and command lines for compacting virtual disks.

Finally, reboot to run the regular VE again.

Is there Limitation of irule "virtual".. can we do it like this?
Hi

We have BIG-IQ and BIG-IP AWAF. I see that the BIG-IQ application dashboard shows only 1 application per virtual server. But in BIG-IP AWAF we config it as 1 virtual server, 100 applications (multi-domain VIP + use an iRule to check the host header and send it to a specific pool and choose a specific WAF policy). So we can't see each application's metrics in BIG-IQ.... This is our issue.

I understand we need to config each VIP for each application so BIG-IQ can retrieve data from each VIP per application, but we can't use that many public IPs. So I found that we have the iRule "virtual" command which can send traffic to another virtual server. Can we do it like this?

Instead of

    when HTTP_REQUEST {
        if { [HTTP::host] equals "abc.example.com" } {
            # choose pool and WAF policy by host header
            ASM::enable /Common/abc.example.com
            pool /External/Pool_abc.example.com
        }
    }

change to

    when HTTP_REQUEST {
        if { [HTTP::host] equals "abc.example.com" } {
            # send it by host header to a newly created private-IP virtual server
            virtual VS_abc.example.com
        }
    }

and in virtual server VS_abc.example.com we use a private IP and assign the pool and WAF policy normally, so we can add VS_abc.example.com in the BIG-IQ application dashboard and see metrics per application. But is there any limitation on how to use the iRule "virtual" like this? Is this practical?

ssh authorized_keys softlink missing on F5 Node1
Hello,

Need clarification regarding the missing authorized_keys softlink! The difference is that there is a softlink to ‘/var/ssh/root/authorized_keys’ on Node2, which is not on Node1. My question is, why is there such a difference between Node1 and Node2. Any idea?

Version: BIG-IP 14.1.0.3 Build 0.0.6 (VE)

Node1:

    [root@node1:ModuleNotLicensed::Standby:In Sync] .ssh # ll
    total 4307
    -rw-r--r--. 1 root root 4395008 May 23 12:12 authorized_keys
    -rw-r--r--. 1 root root      23 May 23 12:12 config
    -rw-r--r--. 1 root root      23 May 23 12:12 config.backup
    lrwxrwxrwx. 1 root root      22 May 18 08:37 identity -> /var/ssh/root/identity
    lrwxrwxrwx. 1 root root      26 May 18 08:37 identity.pub -> /var/ssh/root/identity.pub
    -rw-------. 1 root root     891 May 21 04:25 id_rsa
    -rw-r--r--. 1 root root     259 May 21 04:25 id_rsa.pub
    lrwxrwxrwx. 1 root root      25 May 18 08:37 known_hosts -> /var/ssh/root/known_hosts
    -rw-r--r--. 1 root root     262 Mar 25 18:22 README

Node2:

    [root@node2:ModuleNotLicensed::Active:In Sync] .ssh # ll
    total 14
    lrwxrwxrwx. 1 root root  29 May 18 08:50 authorized_keys -> /var/ssh/root/authorized_keys
    -rw-r--r--. 1 root root  23 May 23 12:12 config
    -rw-r--r--. 1 root root  23 May 23 12:12 config.backup
    lrwxrwxrwx. 1 root root  22 May 18 08:50 identity -> /var/ssh/root/identity
    lrwxrwxrwx. 1 root root  26 May 18 08:50 identity.pub -> /var/ssh/root/identity.pub
    -rw-------. 1 root root 887 May 21 04:26 id_rsa
    -rw-r--r--. 1 root root 259 May 21 04:26 id_rsa.pub
    lrwxrwxrwx. 1 root root  25 May 18 08:50 known_hosts -> /var/ssh/root/known_hosts
    -rw-r--r--. 1 root root 262 Mar 25 18:22 README

SSL issue
Hello there,

We have an F5 LTM and a virtual server configured to a server on port 443. The topology is:

    Computer --> F5 LTM --> switch --> server

When we try to connect to the server through https we see the message "Connection reset" in the browser, but if we try to connect without passing through the F5 the connection is successful. We don't have any SSL client or server profile configured. This is the configuration on the F5:

    #Virtual Server
    #________________________________________________________________________________
    ltm virtual /Common/Server1 {
        destination /Common/10.1.5.X:443
        ip-protocol tcp
        mask 255.255.255.255
        pool /Common/Server1
        profiles {
            /Common/tcp { }
        }
        source 0.0.0.0/0
        translate-address enabled
        translate-port enabled
    }
    #________________________________________________________________________________
    #Pools
    #________________________________________________________________________________
    ltm pool /Common/Server1 {
        members {
            /Common/10.1.7.X:443 {
                address 10.1.7.X
            }
        }
        monitor /Common/https_443
    }
    #________________________________________________________________________________
    #Profiles
    #________________________________________________________________________________
    # -Default Profile-
    ltm profile tcp tcp {
        ack-on-push enabled
        close-wait-timeout 5
        congestion-control high-speed
        deferred-accept disabled
        delayed-acks enabled
        ecn disabled
        fin-wait-timeout 5
        idle-timeout 300
        keep-alive-interval 1800
        limited-transmit enabled
        max-retrans 8
        nagle disabled
        proxy-buffer-high 49152
        proxy-buffer-low 32768
        proxy-mss disabled
        proxy-options disabled
        receive-window-size 65535
        reset-on-timeout enabled
        selective-acks enabled
        send-buffer-size 65535
        slow-start enabled
        syn-max-retrans 3
        time-wait-recycle enabled
        time-wait-timeout 2000
        timestamps enabled
    }

As you can see, we don't have any SSL client or server profile, and we tried changing "translate-port" to disabled and "Source Address Translation" to auto map, but none of these worked.
We also made a tcpdump and we can see the TCP Reset from 10.1.7.X (tcpdump.png), and some curl (curl.png), openssl (openssl.png and openssl2.png) and telnet (telnet.png) attempts. Hope you can help us find out what's going on. Thank you.