Infrastructure as Code: Automating F5 Distributed Cloud CEs with Ansible
Introduction Welcome to the first installment of our Infrastructure as Code (IaC) series, focusing on F5 products and Ansible. This series has been a long-standing desire of mine to showcase the ability of IaC utilizing Ansible Automation Platform to deliver Day 0 through Day 2 operations with multiple F5 virtualized platforms. Over time, I've encountered numerous financial clients expressing interest in this topic. For many of these clients, the prospect of leveraging IaC to redeploy an environment outweighs the traditional approach of performing upgrades. This series will hopefully provide insight, documentation, and code for anyone embarking on this journey. Why Ansible Automation Platform? Like most people, I started my journey with community editions of Ansible. As my coding became more complex, so did the need to ensure that my lab infrastructure adhered to the best security guidelines required by my company (my goal being to mimic how customers would/should do things in real life). I began utilizing Ansible Automation Platform to ensure my credentials were protected, as well as to organize and share my code with the rest of my team (following the 'just in case you got hit by a bus' theory). Ansible Automation Platform utilizes execution environments (EE) to ensure code runs efficiently and cleanly every time. Now, I am also creating Execution Environments via GitHub with workflows and pushing them up to Quay.io (https://github.com/VDI-Tech-Guy/f5-execution-engines). Huge thanks to Colin McNaughton at Red Hat for making my life so much easier with building EEs! Why deploy F5 Distributed Cloud on VMware vSphere? As I mentioned before, I had this desire to build this Infrastructure as Code (IaC) code a while back. This was prior to the Broadcom acquisition of VMware. Being an ex-VMware employee, I had a lot of knowledge of virtualization platform infrastructure going into this project, and I started my focus on deploying on VMware vSphere. F5 Distributed Cloud can be deployed in any cloud, anywhere. However, I really wanted to focus on on-premises deployments because not every customer can afford the cloud. Moreover, there's always a back-and-forth battle between on-premises and the cloud, which has evolved into the Hybrid Cloud and the Multi-Cloud. I do intend to extend this series to the Multi-Cloud, but these initial deployments will be focused on VMware vSphere, as it is still utilized in many organizations across the globe. Information about the Setup in the Demo Video If you watch the video (down below) on how the deployment works, you can see i did a bunch of the pre-work prior to launching the deployment, in the git repostory (link in Resources). Here are some Prework items i did Had a fully functional Ansible Automation Platform 2.4+ enviornment setup and working. (at the time the controller version was 4.4.4) Execution Environment was imported into Ansible Automation Platform Controller The Project was setup to import the Playbooks from the Git Repository (In Resources Section below) and setup the Default Execution Environment Demo Inventory was setup (in our usecase we only needed the vCenter Host) We Setup Network Credentials for the vCenter The Template was setup and had Variables populated in it (Note the API Key was hidden). As mentioned in the Video (Below) The variables were populated to my environment, this contains all the information, i have provided a Demo Example in the git repository for anyone to mimic my settings to their environment, also the example has comments about each field or area of a field and the purpose of the variable. { "rhel_location": "https://vesio.blob.core.windows.net/releases/rhel/9/x86_64/images/vmware/rhel-9.2023.29-20231212012955-single-nic.ova", "xc_api_credential": "_____________________________________", "xc_namespace": "mmabis-automation", "xc_console_host": "f5-bd", "xc_user": "admin", "xc_pass": "Ansible123!", "vcenter_hostname": "{{ ansible_host }}", "vcenter_username": "{{ ansible_env.ANSIBLE_NET_USERNAME }}", "vcenter_password": "{{ ansible_env.ANSIBLE_NET_PASSWORD }}", "vcenter_validate_certs": false, "datacenter_name": "Apex", "cluster_name": "Worlds-Edge", "datastore": "TrueNAS-SSD", "dvs_switch_name": "DSC-DVS", "dns_name_servers": [ "192.168.192.20", "192.168.192.1" ], "dns_name_search": [ "dsc-services.local", "localdomain" ], "ntp_servers": [ "0.pool.ntp.org", "1.pool.ntp.org", "2.pool.ntp.org" ], "domain_fqdn": "dsc-services.local", "DVS_Name": "{{dvs_switch_name}}", "Internal_Network": "DVS-Server-vLan", "External_Network": "DVS-DMZ-vLan", "resource_pool_name": "Lab-XC", "waiting_period": 2, "temp_download_location": "/tmp/xc-ova-download.ova", "xc_ova_builds": [ { "hostname": "xc-automation-rhel-demo", "tmpl_name": "xc-automation-rhel-demo", "admin_password": "Ansible123!", "cluster_name": "xc-automation-cluster-rhel-demo", "dhcp": "no", "external_ip": "172.16.192.170", "external_ip_subnet_prefix": "24", "external_ip_gw": "172.16.192.1", "external_ip_route": "0.0.0.0/0", "internal_ip": "192.168.192.170", "internal_ip_subnet_prefix": "22", "internal_ip_gw": "192.168.192.1", "certified_hw": "vmware-regular-nic-voltmesh", "latitude": "39.51833126", "longitude": "-104.759496962", "build_count": 3, "nic_config": "rhel-multi" } ] } Launching the Code With all of that prework Handled it was as easy as launch the code, there were a few caviats i learned over time when dealing with the atuomation that i wanted to share. Never re-use a cluster name in F5 Distributed Cloud, especially if it was used in a different version of the CE (there were communications issues with the CEs and previous cluster information that was stored in F5 Distributred Cloud Console) The Api Credentials are system level when trying to accept registration or create the token for importing in to the environment. This code is designed to check for "{{ xc-namespace}}-token" if it exists then it will utilize the existing token, if not it will try to create it so you need system level permissions to do this. Build Count should be 3 by default (still needs to be defined) or an ODD number based on recomendations i have heard from our F5 Field. If there are more that i think of ill definatly edit the post and make sure its up-to-date. When launching the code i was able to get the lab to build up correctly multiple times, so please if there is an issue or something i might not have documented well, feel free to let me know and give it a shot for yourself! YouTube Video now on DevCentral Channel Resources https://github.com/f5devcentral/f5-bd-ansible-day0-automation - The Code utilized for this deployment https://github.com/VDI-Tech-Guy/f5-execution-engines - Building Execution Environments with Github and Workflows Conclusion I do hope that this series will help everyone who wants to embrace IaC and if you have any questions feel free to reach out!
APM :: VMware View :: Blast HTML5
I'm trying to get the APM functioning with VMware View Blast client - and I am having quite the time. I have tried the iApp (1.5) but haven't been able to get that to function either. At the moment, I have a manual configuration based-off of the deployment guide. The deployment guide says to create a forwarding virtual server, and the iApp does the same thing. Neither of which seem to be working for me. So with the forwarding VS above created… I can log-in fine, the webtop displays, the RDP link I have works great... the Blast HTML5 link... not so much. If I click on the VMware View desktop shown above, it brings me to the following: The error shown above is thrown-around a lot by View, so it’s hard to say what the real problem is. I’ve seen that error displayed for straight-up communications issues in the past… which I think this is. If I do a tcpdump on the BIG-IP, I can see it trying to connect to 8443, but it cannot connect (SYNs… no SYN/ACKs). 11:27:30.022625 IP x.x.x.10.28862 > x.x.x.252.8443: Flags [S], seq 2246191783, win 4140, options [mss 1380,sackOK,eol], length 0 out slot1/tmm0 lis=/Common/xxxxxxxxxxxxxxxxxxxx-https Source is the floating IP, destination is the VS. I know 8443 is listening on the VMware View server because I can connect to it locally. And I know the VMware View server knows how to get back to the F5 because it populates the webtop with my available desktop(s) shown above. I tried converting the forwarding VS to standard, assigned a pool, etc… and it still did the same thing. SYNs… no SYN/ACKs. What might be telling though is the lis= above. It lists my main virtual server with the APM policy assigned. That makes me think though… Why is it trying to connect to that VS and not the forwarding VS? The forwarding virtual server is a better match no? In any event, yeah if the virtual server isn’t listening on 8443, of course it won’t reply back (my thought-process anyway). So I figure… welp, why not just try an “any” port VS… yeah not so much. If I manually remove the :0 and submit, it loads the same error about the certificate. Nothing shows-up in tcpdump trying to connect to 8443 either - so, a step back. If anybody happen to have any ideas for me, I would be really appreciative. Thanks!BIG-IP APM with Horizon 7.x HTML5 gets a Hotfix For Updated Code
Technical update on some new hotfixes that were rolled out to resolve some issues with HTML5 connectivity with VMware Horizon 7.1/7.2 with BIG-IP Access Policy Manager. What is VMware Horizon HTML Access? VMware Horizon HTML Access provides the ability for employees to access applications and desktops via web browsers (HTML5 compliant) and without the need for additional plugins or native client installations. This method of access provides advantages to customers who utilize very strict software installation requirements and require access to their internal resources, as well as customers who utilize BYOD based implementations. VMware Horizon HTML Access is an alternative way of accessing company internal resources without the requirement of software installation. What does the Hotfix Do? The Hotfix is designed to allow the newer version of the VMware Horizon HTML Access Clients which were upgraded with new URI information to be accessible via APM. Without this hotfix, customers who upgrade to the Horizon 7.1/7.2 code may experience an issue where HTML5 will not connect to the VDI Resource (blank or grey screen.) The easiest way to determine if you are affected by the issue is within the URL. If you do not see the string f5vdifwd within the URL then you are most likely affected by this issue. Here is an example of a working configuration. Notice the f5vdifwd string in the URL: https://test.test.local/f5vdifwd/vmview/68a5058e-2911-4316-849b-3d55f5b5cafb/portal/webclient/index.html#/desktop The Hotfix Information Details Note that the fixes are incorporated into Hotfixes. F5 recommends to use the Hotfix builds over the iRules listed in the below article. If the iRules are in place when upgrading to a build with the incorporated fix, make sure that the iRule is removed. Version 12.1.2 HF1 Release Notes Version 13.0 HF2 Release Notes 638780-3 Handle 302 redirects for VMware Horizon View HTML5 client Component Access Policy Manager Symptoms Starting from v4.4, Horizon View HTML5 client is using new URI for launching remote sessions, and supports 302 redirect from old URI for backward compatibility. Conditions APM webtop with a VMware View resource assigned. HTML5 client installed on backend is of version 4.4 or later. Impact This fix allows for VMware HTML5 clients v4.4 or later to work properly through APM. Workaround for versions 11.6.x and 12.x priority 2 when HTTP_REQUEST { regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] vmview_html5_prefix dummy } when HTTP_RESPONSE { if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } { if { [info exists vmview_html5_prefix] } { set location [HTTP::header "Location"] set location_path [URI::path $location] if { $location_path starts_with "/portal/" } { set path_index [string first $location_path $location] set new_location [substr $location $path_index] regsub "/portal/" $new_location $vmview_html5_prefix new_location HTTP::header replace "Location" $new_location } unset vmview_html5_prefix } } } Workaround for version 13.0 priority 2 when HTTP_REQUEST { regexp {(/f5vdifwd/vmview/[0-9a-f\-]{36})/} [HTTP::uri] dummy vmview_html5_prefix } when HTTP_RESPONSE { if { ([HTTP::status] == "302") && ([HTTP::header exists "Location"]) } { if { [info exists vmview_html5_prefix] } { set location [HTTP::header "Location"] set location_path [URI::path $location] if { $location_path starts_with "/portal/" } { set path_index [string first $location_path $location] set new_location "$vmview_html5_prefix[substr $location $path_index]" HTTP::header replace "Location" $new_location } unset vmview_html5_prefix } } }
BIG-IP : iRule return statement
From the docs : Causes immediate exit from the currently executing event in the currently executing iRule. iRule processing is not aborted, and subsequent events will be triggered and evaluated. Note that return does not: - cause an exit from the iRule altogether; - prevent the same event from firing in another iRule; or - prevent the same event with a higher priority value from firing in the same iRule. To prevent further processing of an event in the current rule or other rules for the current TCP connection, you can use 'event EVENT_NAME disable'. Here are my questions : How can the same event exist more than once within a single iRule ? Is 'current TCP connection' refer to a session that is maintained across multiple request-response sequences from a given client-browser ? Or does each new request initiate a new TCP connection ?Checksums for F5 supported VMware vCenter cloud templates
Problem this snippet solves: Checksums for F5 supported VMware vCenter cloud templates F5 Networks provides checksums for all of our supported VMware vCenter templates (for other Cloud providers, see https://devcentral.f5.com/codeshare/checksums-for-f5-supported-cft-and-arm-templates-on-github-1014). See the README files on GitHub for information on individual templates. You can find the VMware templates in the appropriate supported directory on GitHub: https://github.com/F5Networks/f5-vmware-vcenter-templates/tree/master/supported You can get a checksum for a particular template by running one of the following commands, depending on your operating system: Linux: sha512sum <path_to_template> Windows using CertUtil: CertUtil –hashfile <path_to_template> SHA512 You can compare the checksum produced by that command against the following list. To find your hash, copy the script-signature hash out of your template and search for it on this page. To find the script signature, click the link in the Solution File column (look closely at the path to find the template you are using) and search for script-signature. The hash immediately follows. Release 1.4.0 Solution File Hash https://github.com/F5Networks/f5-vmware-vcenter-templates/tree/master/supported/failover/same-net/traditional/4nic/existing-stack/f5-existing-stack-failover-4nic-bigip.js `38a48d1f93e91cafcbe3324f5705ea9573918f48e987f2ad127ff38b3de1a2bbe38225bb62be969bba4e6d655b40f8f5f0a4eec43f3b2999c03ddfc22a0b0744` https://github.com/F5Networks/f5-vmware-vcenter-templates/tree/master/supported/standalone/n-nic/existing-stack/f5-existing-stack-nNic-bigip.js `5b1ddbbe50a0986b4ef4a0d347f30d36e20cb36186f1741449b47cfe8651e57e13bd76ab21164c0b98730f202823b3aa747d232196d0cc32759f558124b2a973` Release 1.3.0 Solution File Hash https://github.com/F5Networks/f5-vmware-vcenter-templates/tree/master/supported/failover/same-net/traditional/4nic/existing-stack/f5-existing-stack-failover-4nic-bigip.js `75613cb46c9639c9e5632dd6099fa424e1b92c6cfd1e4996fc16a1186a3b73e7e9ea8008ab1a27bddf8d0324260d3e2678ed4b1ff5575cfe7f0a492087998cec` https://github.com/F5Networks/f5-vmware-vcenter-templates/tree/master/supported/standalone/n-nic/existing-stack/f5-existing-stack-nNic-bigip.js `b0dc9b2d814aff8598426b7b1c94d06bab58cc5d7d76b77d7df1251c782e534eb40655c8104911e9007ae9806daa0d02520c2c86816ec1f76721840bb3f4f324` Code : You can get a checksum for a particular template by running one of the following commands, depending on your operating system: * **Linux**: `sha512sum ` * **Windows using CertUtil**: `CertUtil –hashfile SHA512`irule class match each query param separately
Data Group dg1 param1=p11¶m2=p21 := host1 param1=p12¶m2=p22 := host2 The problem is that some request urls might list their query params in reverse order param2=p21¶m1=p11 Therefore I need to match query params individually. So I have two problems to solve : extract from [HTTP::query] the param segments for param1 and param2 determine if both param1_segment and param2_segment are found together in some key in dg1 So something like : set param1 "param1" set param2 "param2" set param1_segment = [[HTTP:query] $param1] set param2_segment = [[HTTP:query] $param2] if { (class match $param1_segment&$param2_segment equals dg1) or (class match $param2_segment&$param1_segment equals dg1) } { NOTE: I know the above is wrong in terms of both language elements and syntax. I'm just providing to better describe the problem I need to solve. Because my use-case might extend to 3 query params ( in any order ) it might be better to AND together class match for each query param segment.ADFS 3.0 Monitor not working
Hi All, I have been tussling with this for a couple of days now. I have used the links, http://www.f5.com/pdf/deployment-guides/microsoft-adfs-dg.pdf and https://devcentral.f5.com/articles/big-ip-and-adfs-part-5-working-with-adfs-30-and-sni to follow with no success. I have uploaded the script and set the variable but i still get the monitor down, when i browse directly to the server i am able to get to the sign in page, so I know at least ADFS configuration is correct. Below is the script i am using: !/bin/sh These argument This script expects the following Name/Value pairs: s supplied automatically for all external monitors: $1 = IP (nnn.nnn.nnn.nnn notation) $2 = port (decimal, host byte order) SNI = the host name of the SNI-enabled site URI = the URI to request RECV = the expected response Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format) NODE= echo ${1} | sed 's/::ffff://' if [[ $NODE =~ ^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$ ]]; then node is v4 NODE=${NODE} else node is v6 NODE=[${NODE}] fi PORT=${2} PIDFILE="/var/run/ basename ${0} .sni_monitor_${SNI}_${PORT}_${NODE}_sni.pid" kill of the last instance of this monitor if hung and log current pid if [ -f $PIDFILE ] then echo "EAV exceeded runtime needed to kill ${SNI}:${PORT}:${NODE}" | logger -p local0.error kill -9 cat $PIDFILE > /dev/null 2>&1 fi echo "$$" > $PIDFILE curl-apd -k -v --resolve $SNI:$PORT:$NODE https://$SNI$URI 2>&1 > /dev/null | grep -i "${RECV}" STATUS=$? rm -f $PIDFILE if [ $STATUS -eq 0 ] then echo "UP" fi exit Variable are: SNI= sso.mysite.com URI= adfs/ls/idpinitiatedsignon.htm RECV= HTTP/1.1 200 Please assist if you can. Thanks!11.4.0 unable to import 3M-record external data-file
f5 BIG-IP LTM VE v11.4.0 ESXi VM allocated with 200 gb hdd , 16 gb ram System > File Management > Data Group File List > Import > point to 3M-record data-file on disk ( 216 MB ) receive error : " File upload failed, please check log file for details " I review all logs but don't see any entries related to data-file load. System > File Management > iFile List > Import > point to the same 3M-record file I receive the same error. Examining /var/log/ltm I see : err diskmonitor: 011d0004: Disk partition _root_ has only 0% free but the timestamp of this error does not coincide with my attempted file uploads. I assume _root_ refers to the Linux disk partition -- why would I receive an error showing 0% free ? In /var/log i see tmm , tmm1 , tmm2 , tmm3bigstart restart now logs not being written
I successfully completed a bigstart restart sequence ( logs show everything coming back up as expected ). However, now logs that should be written by my irule are not being written. Also, I've been restarting BIG-IP to force data-group-files to be re-cached, but is there a better way ?
