
Mailing List Archive: RANCID: Users

F5 BIG-IP devices - any tricks?

 

 



dale.shaw+rancid-discuss at gmail

Jan 11, 2012, 9:14 PM

Post #1 of 27 (6414 views)
Permalink
F5 BIG-IP devices - any tricks?

Hi all,

I'm running RANCID 2.3.6 on a RHEL 4.8 system.

I'm trying to add some F5 BIG-IP devices to the repository but I'm not
having much luck.

I don't know much at all about the F5s themselves but I suspect a
terminal length/paging issue.

The devices are running:

BIG-IP Version 10.1.0 3341.0

Interactive "clogin" works fine -- I am dropped straight into a
'bigpipe' CLI (prompt "bp>"); I'm not sure if that's relevant.

When I execute commands like "version show", the output is paged.
Pressing <SPACE> scrolls by page, <ENTER> scrolls by line, as you'd
expect.

Running "f5rancid -d <hostname>" just results in a file containing:

#RANCID-CONTENT-TYPE: bigip
#
#
#
#

..and the terminal output shows:

dale [at] bo:/tmp$ sudo -H -u rancid f5rancid -d gsu-lb01
executing clogin -t 90 -c"bigpipe version;bigpipe platform;cat
/config/bigip.license;bigpipe monitor list all;bigpipe profile
list;bigpipe base list;bigpipe db show;bigpipe route static show;ls
--full-time --color=never /config/ssl/ssl.crt;ls --full-time
--color=never /config/ssl/ssl.key;bigpipe list" gsu-lb01
gsu-lb01 clogin error: Error: TIMEOUT reached
gsu-lb01 clogin error: Error: TIMEOUT reached
gsu-lb01: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
/config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
version,bigpipe profile list,bigpipe list
gsu-lb01: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
/config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
version,bigpipe profile list,bigpipe list
gsu-lb01: End of run not found
gsu-lb01: End of run not found

If I run: clogin -t 90 -c"bigpipe version" gsu-lb01

..I see 'clogin' sending the command "terminal length 0", which is not
parsed/accepted by the device, then it sends the command "bigpipe
version", which executes and hangs at the first page of output.

Any clues? I couldn't see an obvious way to disable the CLI pager.

Cheers,
Dale
_______________________________________________
Rancid-discuss mailing list
Rancid-discuss [at] shrubbery
http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss


rancid at gheek

Jan 12, 2012, 6:16 AM

Post #2 of 27 (6250 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

In the F5 you need to change the setting under the user so they will get a
full shell
On Jan 11, 2012 10:15 PM, "Dale Shaw" <dale.shaw+rancid-discuss [at] gmail>
wrote:
>
> Hi all,
>
> I'm running RANCID 2.3.6 on a RHEL 4.8 system.
>
> I'm trying to add some F5 BIG-IP devices to the repository but I'm not
> having much luck.
>
> I don't know much at all about the F5s themselves but I suspect a
> terminal length/paging issue.
>
> The devices are running:
>
> BIG-IP Version 10.1.0 3341.0
>
> Interactive "clogin" works fine -- I am dropped straight into a
> 'bigpipe' CLI (prompt "bp>"); I'm not sure if that's relevant.
>
> When I execute commands like "version show", the output is paged.
> Pressing <SPACE> scrolls by page, <ENTER> scrolls by line, as you'd
> expect.
>
> Running "f5rancid -d <hostname>" just results in a file containing:
>
> #RANCID-CONTENT-TYPE: bigip
> #
> #
> #
> #
>
> ..and the terminal output shows:
>
> dale [at] bo:/tmp$ sudo -H -u rancid f5rancid -d gsu-lb01
> executing clogin -t 90 -c"bigpipe version;bigpipe platform;cat
> /config/bigip.license;bigpipe monitor list all;bigpipe profile
> list;bigpipe base list;bigpipe db show;bigpipe route static show;ls
> --full-time --color=never /config/ssl/ssl.crt;ls --full-time
> --color=never /config/ssl/ssl.key;bigpipe list" gsu-lb01
> gsu-lb01 clogin error: Error: TIMEOUT reached
> gsu-lb01 clogin error: Error: TIMEOUT reached
> gsu-lb01: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
> /config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
> list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
> version,bigpipe profile list,bigpipe list
> gsu-lb01: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
> /config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
> list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
> version,bigpipe profile list,bigpipe list
> gsu-lb01: End of run not found
> gsu-lb01: End of run not found
>
> If I run: clogin -t 90 -c"bigpipe version" gsu-lb01
>
> ..I see 'clogin' sending the command "terminal length 0", which is not
> parsed/accepted by the device, then it sends the command "bigpipe
> version", which executes and hangs at the first page of output.
>
> Any clues? I couldn't see an obvious way to disable the CLI pager.
>
> Cheers,
> Dale


dale.shaw+rancid-discuss at gmail

Jan 12, 2012, 3:06 PM

Post #3 of 27 (6241 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Hi Lance,

On Fri, Jan 13, 2012 at 1:16 AM, Lance Vermilion <rancid [at] gheek> wrote:
> In the F5 you need to change the setting under the user so they will get a
> full shell

Thanks, yeah, that does appear to be the issue -- f5rancid/clogin
expect to be dropped into a full shell. We discovered yesterday (after
posting to the list) that using the 'root' user results in working
RANCID.

On the surface it seemed that all we needed to do was figure out a way
to disable the pager on a per-session basis within the bigpipe shell.
That still seems like the cleanest way to make this work to me.

Anyway, I'll work with the folks more familiar with the operation of
the F5s to figure out how we provide 'full shell' access to the user
RANCID uses. Hopefully we can provide 'full shell, read only' somehow.

Cheers,
Dale


krzysztof.zygmunt at gmail

Mar 14, 2012, 1:08 AM

Post #4 of 27 (6114 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

" Hopefully we can provide 'full shell, read only' somehow. "

Has anyone managed to do that ? (full shell, read only access) or
access using sudo ?

This is (full shell access) the only thing that keeps us not using
rancid for bigips.

On Fri, Jan 13, 2012 at 12:06 AM, Dale Shaw
<dale.shaw+rancid-discuss [at] gmail> wrote:
> Hi Lance,
>
> On Fri, Jan 13, 2012 at 1:16 AM, Lance Vermilion <rancid [at] gheek> wrote:
>> In the F5 you need to change the setting under the user so they will get a
>> full shell
>
> Thanks, yeah, that does appear to be the issue -- f5rancid/clogin
> expect to be dropped into a full shell. We discovered yesterday (after
> posting to the list) that using the 'root' user results in working
> RANCID.
>
> On the surface it seemed that all we needed to do was figure out a way
> to disable the pager on a per-session basis within the bigpipe shell.
> That still seems like the cleanest way to make this work to me.
>
> Anyway, I'll work with the folks more familiar with the operation of
> the F5s to figure out how we provide 'full shell' access to the user
> RANCID uses. Hopefully we can provide 'full shell, read only' somehow.




>
> Cheers,
> Dale


shain.singh at gmail

Mar 21, 2012, 1:58 AM

Post #5 of 27 (6080 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

> Has anyone managed to do that ? (full shell, read only access) or
> access using sudo ?

I'd say it may be easier trying to write another Expect script to use
the tmsh instead. Makes it future proof as I believe F5 is heading
away from giving complete shell access to their devices.


--
Shaineel Singh
e: shain.singh [at] gmail
p: +61 422 921 951
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice charity" - Albert Camus


matthew at walster

Apr 26, 2012, 2:08 AM

Post #6 of 27 (5993 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On 21 March 2012 08:58, Shain Singh <shain.singh [at] gmail> wrote:
>> Has anyone managed to do that ? (full shell, read only access) or
>> access using sudo ?
>
> I'd say it may be easier trying to write another Expect script to use
> the tmsh instead. Makes it future proof as I believe F5 is heading
> away from giving complete shell access to their devices.

It would appear someone's made a good effort on producing this code,
but I don't have any non-production boxes to test it against.

Does the following work for you?

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Matthew Walster


jbaird at follett

Apr 26, 2012, 5:22 AM

Post #7 of 27 (5995 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

I'll try this today.

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of Matthew Walster
Sent: Thursday, April 26, 2012 5:08 AM
To: Shain Singh
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] F5 BIG-IP devices - any tricks?

On 21 March 2012 08:58, Shain Singh <shain.singh [at] gmail> wrote:
>> Has anyone managed to do that ? (full shell, read only access) or
>> access using sudo ?
>
> I'd say it may be easier trying to write another Expect script to use
> the tmsh instead. Makes it future proof as I believe F5 is heading
> away from giving complete shell access to their devices.

It would appear someone's made a good effort on producing this code,
but I don't have any non-production boxes to test it against.

Does the following work for you?

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Matthew Walster


kokushibyou at gmail

Apr 26, 2012, 11:30 AM

Post #8 of 27 (5992 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

I've been able to get BIG-IP 10.2.2 Build 763.3 Final and BIG-IP
10.2.2 Build 930.0 Hotfix HF3 to work with rancid.
Ubuntu Lucid version, with some patches:

- rancid user on the LTM device has to have full perms (Administrator
with Advanced Shell)
- the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)
- I'm using rancid package 2.3.2-1 but replaced f5login script and
clogin script with the version from 2.3.8

I'm reviewing my changes to verify this is all I've modified, I'll let
you know if I find something else missing (just got it working in Dev
and about to prop the changes to prod so I'll be reviewing it all here
today).

On Thu, Apr 26, 2012 at 05:22, Baird, Josh <jbaird [at] follett> wrote:
> I'll try this today.
>
> -----Original Message-----
> From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of Matthew Walster
> Sent: Thursday, April 26, 2012 5:08 AM
> To: Shain Singh
> Cc: rancid-discuss [at] shrubbery
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> On 21 March 2012 08:58, Shain Singh <shain.singh [at] gmail> wrote:
>>> Has anyone managed to do that ? (full shell, read only access) or
>>> access using sudo ?
>>
>> I'd say it may be easier trying to write another Expect script to use
>> the tmsh instead. Makes it future proof as I believe F5 is heading
>> away from giving complete shell access to their devices.
>
> It would appear someone's made a good effort on producing this code,
> but I don't have any non-production boxes to test it against.
>
> Does the following work for you?
>
> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>
> Matthew Walster


kokushibyou at gmail

Apr 26, 2012, 11:40 AM

Post #9 of 27 (6006 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

sorry that should read f5rancid not f5login.

On Thu, Apr 26, 2012 at 11:30, dl <kokushibyou [at] gmail> wrote:
> I've been able to get BIG-IP 10.2.2 Build 763.3 Final and BIG-IP
> 10.2.2 Build 930.0 Hotfix HF3 to work with rancid.
> Ubuntu Lucid version, with some patches:
>
> - rancid user on the LTM device has to have full perms (Administrator
> with Advanced Shell)
> - the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)
> - I'm using rancid package 2.3.2-1 but replaced f5login script and
> clogin script with the version from 2.3.8
>
> I'm reviewing my changes to verify this is all I've modified, I'll let
> you know if I find something else missing (just got it working in Dev
> and about to prop the changes to prod so I'll be reviewing it all here
> today).
>
> On Thu, Apr 26, 2012 at 05:22, Baird, Josh <jbaird [at] follett> wrote:
>> I'll try this today.
>>
>> -----Original Message-----
>> From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of Matthew Walster
>> Sent: Thursday, April 26, 2012 5:08 AM
>> To: Shain Singh
>> Cc: rancid-discuss [at] shrubbery
>> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>>
>> On 21 March 2012 08:58, Shain Singh <shain.singh [at] gmail> wrote:
>>>> Has anyone managed to do that ? (full shell, read only access) or
>>>> access using sudo ?
>>>
>>> I'd say it may be easier trying to write another Expect script to use
>>> the tmsh instead. Makes it future proof as I believe F5 is heading
>>> away from giving complete shell access to their devices.
>>
>> It would appear someone's made a good effort on producing this code,
>> but I don't have any non-production boxes to test it against.
>>
>> Does the following work for you?
>>
>> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>>
>> Matthew Walster


rwest at zyedge

Apr 27, 2012, 6:27 AM

Post #10 of 27 (5999 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Josh,

Can you post your full f5rancid? I'm not having much luck with the link that was provided earlier.

Thanks,

-ryan

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of dl
Sent: Thursday, April 26, 2012 2:30 PM
To: Baird, Josh
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] F5 BIG-IP devices - any tricks?

I've been able to get BIG-IP 10.2.2 Build 763.3 Final and BIG-IP
10.2.2 Build 930.0 Hotfix HF3 to work with rancid.
Ubuntu Lucid version, with some patches:

- rancid user on the LTM device has to have full perms (Administrator with Advanced Shell)
- the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)
- I'm using rancid package 2.3.2-1 but replaced f5login script and clogin script with the version from 2.3.8

I'm reviewing my changes to verify this is all I've modified, I'll let you know if I find something else missing (just got it working in Dev and about to prop the changes to prod so I'll be reviewing it all here today).

On Thu, Apr 26, 2012 at 05:22, Baird, Josh <jbaird [at] follett> wrote:
> I'll try this today.
>
> -----Original Message-----
> From: rancid-discuss-bounces [at] shrubbery
> [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of Matthew
> Walster
> Sent: Thursday, April 26, 2012 5:08 AM
> To: Shain Singh
> Cc: rancid-discuss [at] shrubbery
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> On 21 March 2012 08:58, Shain Singh <shain.singh [at] gmail> wrote:
>>> Has anyone managed to do that ? (full shell, read only access) or
>>> access using sudo ?
>>
>> I'd say it may be easier trying to write another Expect script to use
>> the tmsh instead. Makes it future proof as I believe F5 is heading
>> away from giving complete shell access to their devices.
>
> It would appear someone's made a good effort on producing this code,
> but I don't have any non-production boxes to test it against.
>
> Does the following work for you?
>
> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>
> Matthew Walster


heas at shrubbery

Apr 28, 2012, 12:22 AM

Post #11 of 27 (5988 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Thu, Apr 26, 2012 at 11:30:14AM -0700, dl:
> - the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)

Please tell us what version of tcl and expect you have.


rwest at zyedge

Apr 28, 2012, 7:30 AM

Post #12 of 27 (5992 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

John,

The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:

+# This routine processes a "tmsh list"
+sub WriteTermTMSH {
+ my($lines) = 0;
+ print STDERR " In WriteTerm: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/15//d;
+ next if (/^s*$/);
+ # end of config - hopefully. f5 does not have a reliable end-of-config
+ # tag.
+ if (/^$prompt/) {
+ $found_end++;
+ last;
+ }
+ return(-1) if (/command authorization failed/i);
+
+ $lines++;
+
+ if (/(bind-pw|encrypted-password|user-password-encrypted|passphrase) / && $filter_pwds >= 1) {
+ ProcessHistory("ENABLE","","","# $1 n");
+ next;
+ }
+
+ # catch anything that wasnt matched above.
+ ProcessHistory("","","","$_");
+ }
+
+ if ($lines 'ShowVersion'},
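Review bot: The last line of the routine, `if ($lines 'ShowVersion'},`, is not valid Perl: the condition after `$lines` is cut off and runs straight into what looks like a command-table entry, so the end of `WriteTermTMSH` and the start of the table are missing from this copy and need to be restored from the original diff rather than guessed. The backslash escapes also appear to have been stripped further up: `tr/15//d;` as shown deletes the digits 1 and 5 from every config line (a carriage-return strip would be `tr/\015//d`), `/^s*$/` only skips lines made up of the letter s (a blank-line skip would be `/^\s*$/`), and `"# $1 n"` ends in a literal ` n` where `\n` is expected. Separately, the password filter fires only for the four keys listed, only when the key is followed by a space, and only when `$filter_pwds >= 1`, so that setting is worth confirming before the collected output is committed to the repository.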

Here is the link to the full changes. If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Thanks,

-ryan

-----Original Message-----
From: rancid-discuss-bounces [at] shrubbery [mailto:rancid-discuss-bounces [at] shrubbery] On Behalf Of heasley
Sent: Saturday, April 28, 2012 3:22 AM
To: dl
Cc: rancid-discuss [at] shrubbery
Subject: Re: [rancid] F5 BIG-IP devices - any tricks?

Thu, Apr 26, 2012 at 11:30:14AM -0700, dl:
> - the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)

Please tell us what version of tcl and expect you have.


dale.shaw+rancid-discuss at gmail

Apr 30, 2012, 10:31 PM

Post #13 of 27 (5982 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Hi,

On Sat, Apr 28, 2012 at 10:30 PM, Ryan West <rwest [at] zyedge> wrote:
>
> The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:
[...]
>
> Here is the link to the full changes. If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.
> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Concur; patch as displayed in blog post seems broken. Link to .diff
404's. Cc'ing the blog owner.

Happy to help test this in our small environment (4 x LTMs running
BIG-IP 10.1.0 3341.0).

cheers,
Dale


cstubbs at gmail

May 1, 2012, 12:59 AM

Post #14 of 27 (5976 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Hmm, looks like gmail is spam dropping some of this list for me. This
is the first email that came thru re: this subject :-(

Given I wrote the first patch I'm happy to get cracking on updating
it. I have actually already been doing various things related to that
due to working with BIGIP v11.

There's a bit that needs to change for v11 - anyone else on the list
using it yet and need to monitor devices with it ? bigpipe command
will no longer work and TMSH command syntax is sufficiently different
to bigpipe that they're basically different device types. Would need to
fork f5rancid into two different types, provide a configuration option
to specify version, or auto-detect v11 or < v11 and use a different
command set based on that.

Suggestions ?

-Colin

cstubbs @ gmail . com [smtp, g+, fb, msn]
Phone: +61 468 311 061
Skype: c.stubbs
Pub Key ID: 0xC857AC24


On 1 May 2012 15:31, Dale Shaw <dale.shaw+rancid-discuss [at] gmail> wrote:
> Hi,
>
> On Sat, Apr 28, 2012 at 10:30 PM, Ryan West <rwest [at] zyedge> wrote:
>>
>> The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:
> [...]
>>
>> Here is the link to the full changes.  If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.
>> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>
> Concur; patch as displayed in blog post seems broken. Link to .diff
> 404's. Cc'ing the blog owner.
>
> Happy to help test this in our small environment (4 x LTMs running
> BIG-IP 10.1.0 3341.0).
>
> cheers,
> Dale


rwest at zyedge

May 1, 2012, 1:25 AM

Post #15 of 27 (5999 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Hey Colin,

I have tested on v11 and v10.[12].x boxes and the tmsh commands work on both. I don't have any more 9.x to work with, so I think just having a working tmsh example should do the trick. Not sure if you caught my email to John Heasley, but it seems the last function before the commandtable is broken. Just clearing that up should be enough to do a little testing. Let me know if you need any more information.

Thanks,

-ryan

-----Original Message-----
From: Colin Stubbs [mailto:cstubbs [at] gmail]
Sent: Tuesday, May 01, 2012 3:59 AM
To: Dale Shaw
Cc: Ryan West; rancid-discuss [at] shrubbery
Subject: Re: [rancid] F5 BIG-IP devices - any tricks?

Hmm, looks like gmail is spam dropping some of this list for me. This is the first email that came thru re: this subject :-(

Given I wrote the first patch I'm happy to get cracking on updating it. I have actually already been doing various things related to that due to working with BIGIP v11.

There's a bit that needs to change for v11 - anyone else on the list using it yet and need to monitor devices with it ? bigpipe command will no longer work and TMSH command syntax is sufficiently different to bigpipe that they're basically different device types. Would need fork f5rancid into two different types, provide a configuration option to specify version, or auto-detect v11 or < v11 and use a different command set based on that.

Suggestions ?

-Colin

cstubbs @ gmail . com [smtp, g+, fb, msn]
Phone: +61 468 311 061
Skype: c.stubbs
Pub Key ID: 0xC857AC24


On 1 May 2012 15:31, Dale Shaw <dale.shaw+rancid-discuss [at] gmail> wrote:
> Hi,
>
> On Sat, Apr 28, 2012 at 10:30 PM, Ryan West <rwest [at] zyedge> wrote:
>>
>> The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:
> [...]
>>
>> Here is the link to the full changes.  If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.
>> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>
> Concur; patch as displayed in blog post seems broken. Link to .diff
> 404's. Cc'ing the blog owner.
>
> Happy to help test this in our small environment (4 x LTMs running
> BIG-IP 10.1.0 3341.0).
>
> cheers,
> Dale


rancid at gheek

May 1, 2012, 7:05 AM

Post #16 of 27 (5964 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

A new device type setting would be the static method otherwise a version
check would be needed for dynamic.

Simply run a bigpipe command and if the response is not what we expect run
tmsh and if that fails exit with a failure for that node.


cstubbs at gmail

May 5, 2012, 11:32 PM

Post #17 of 27 (5928 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Patch attached for 2.3.8.

It uses `bigpipe version`'s response to determine if it should use
tmsh or not, and switches command table as appropriate.

So it will only use tmsh on a BIGIP v11 F5, as they respond like this,

[root [at] localhos:] ~ # bp version
/usr/bin/bp: bigpipe is no longer supported; please use tmsh.
[root [at] localhos:] ~ #

This should keep things the same for existing users and avoid
unexpected config diff after upgrade.

Tested against,

bigip1.f5.routedlogic.net:#Sys::Version
bigip1.f5.routedlogic.net-# Main Package
bigip1.f5.routedlogic.net-# Product BIG-IP
bigip1.f5.routedlogic.net-# Version 10.2.3
bigip1.f5.routedlogic.net-# Build 112.0
bigip1.f5.routedlogic.net-# Edition Final
--
bigip2.f5.routedlogic.net:#Sys::Version
bigip2.f5.routedlogic.net-# Main Package
bigip2.f5.routedlogic.net-# Product BIG-IP
bigip2.f5.routedlogic.net-# Version 11.1.0
bigip2.f5.routedlogic.net-# Build 1943.0
bigip2.f5.routedlogic.net-# Edition Final
--
bigip3.f5.routedlogic.net:#Sys::Version
bigip3.f5.routedlogic.net-# Main Package
bigip3.f5.routedlogic.net-# Product BIG-IP
bigip3.f5.routedlogic.net-# Version 10.1.0
bigip3.f5.routedlogic.net-# Build 3341.1084
bigip3.f5.routedlogic.net-# Edition Final


-Colin


On 2 May 2012 00:05, Lance Vermilion <rancid [at] gheek> wrote:
> A new device type setting would be the static method otherwise a version
> check would be needed for dynamic.
>
> Simply run a bigpipe command  and if the response is not what we expect run
> tmsh and if that fails exit with a failure for that node.
Attachments: rancid-2.3.8-f5rancid.in.patch (7.15 KB)
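The detection discussed in posts #16 and #17, as an added Perl example that is not the attached patch and not RANCID's own code: it probes with `bigpipe version`, confirms with tmsh when bigpipe is refused or unrecognised, and fails the node when neither CLI answers. The `tmsh show sys version` probe, the "BIG-IP Version" reply pattern (modelled on post #1), the command lists and the sample replies are assumptions constructed for illustration; only the deprecation notice is quoted from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Illustrative command tables (assumption): bigpipe entries come from the
# clogin invocation in post #1, tmsh entries are placeholders.
my %COMMANDS = (
    bigpipe => [ 'bigpipe version', 'bigpipe platform', 'bigpipe base list', 'bigpipe list' ],
    tmsh    => [ 'tmsh show sys version', 'tmsh list' ],
);

# Classify the reply to "bigpipe version".
#   deprecated : the v11 notice quoted in post #17
#   ok         : a "BIG-IP Version x.y" line (assumed shape of a working reply)
#   unknown    : anything else, e.g. an empty capture after a pager timeout
sub classify_bigpipe {
    my ($reply) = @_;
    $reply //= '';
    $reply =~ tr/\015//d;    # strip carriage returns left by the terminal
    return 'deprecated'
        if $reply =~ /bigpipe is no longer supported; please use tmsh/;
    return 'ok' if $reply =~ /^BIG-IP Version\s+\d+\.\d+/m;
    return 'unknown';
}

# Classify the reply to the tmsh probe: expect the Sys::Version header and
# a Version line, as in the output shown in post #17.
sub classify_tmsh {
    my ($reply) = @_;
    $reply //= '';
    $reply =~ tr/\015//d;
    return 'ok'
        if $reply =~ /Sys::Version/ && $reply =~ /^\s*Version\s+\d+\.\d+/m;
    return 'unknown';
}

# $probe is a code ref: takes a command string, returns the captured output.
# Returns 'bigpipe', 'tmsh', or undef when the node should be marked failed.
sub select_table {
    my ($probe) = @_;

    # Existing bigpipe devices keep their current command set, which avoids
    # an unexpected config diff after an upgrade of the collector.
    return 'bigpipe' if classify_bigpipe($probe->('bigpipe version')) eq 'ok';

    # A refusal or an unrecognised reply is not proof that tmsh works
    # (the account may be in a restricted or paged shell), so confirm it.
    return 'tmsh' if classify_tmsh($probe->('tmsh show sys version')) eq 'ok';

    return undef;
}

# Constructed sample replies, keyed by the command that produced them.
my %devices = (
    'v10-sample' => {
        'bigpipe version' => "BIG-IP Version 10.2.3 112.0\r\n",
    },
    'v11-sample' => {
        'bigpipe version' =>
            "/usr/bin/bp: bigpipe is no longer supported; please use tmsh.\r\n",
        'tmsh show sys version' =>
            "Sys::Version\r\nMain Package\r\n  Product  BIG-IP\r\n  Version  11.1.0\r\n",
    },
    'paged-sample' => {},    # both probes timed out, nothing captured
);

for my $name (sort keys %devices) {
    my $replies = $devices{$name};
    my $table   = select_table(sub { $replies->{ $_[0] } });
    if (defined $table) {
        printf "%s: use the %s table (%d commands)\n",
            $name, $table, scalar @{ $COMMANDS{$table} };
    }
    else {
        print "$name: no usable CLI reply, mark the node as failed\n";
    }
}
```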


rwest at zyedge

May 6, 2012, 12:20 PM

Post #18 of 27 (5918 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On Sun, May 06, 2012 at 02:32:37, Colin Stubbs wrote:
> rancid [at] shrubbery
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> Patch attached for 2.3.8.
>
> It uses `bigpipe version`'s response to determine if it should use
> tmsh or not, and switches command table as appropriate.
>
> So it will only use tmsh on a BIGIP v11 F5, as they respond like this,
>
> [root [at] localhos:] ~ # bp version
> /usr/bin/bp: bigpipe is no longer supported; please use tmsh.
> [root [at] localhos:] ~ #
>
> This should keep things the same for existing users and avoid
> unexpected config diff after upgrade.
>
> Tested against,
>
> bigip1.f5.routedlogic.net:#Sys::Version
> bigip1.f5.routedlogic.net-# Main Package
> bigip1.f5.routedlogic.net-# Product BIG-IP
> bigip1.f5.routedlogic.net-# Version 10.2.3
> bigip1.f5.routedlogic.net-# Build 112.0
> bigip1.f5.routedlogic.net-# Edition Final
> --
> bigip2.f5.routedlogic.net:#Sys::Version
> bigip2.f5.routedlogic.net-# Main Package
> bigip2.f5.routedlogic.net-# Product BIG-IP
> bigip2.f5.routedlogic.net-# Version 11.1.0
> bigip2.f5.routedlogic.net-# Build 1943.0
> bigip2.f5.routedlogic.net-# Edition Final
> --
> bigip3.f5.routedlogic.net:#Sys::Version
> bigip3.f5.routedlogic.net-# Main Package
> bigip3.f5.routedlogic.net-# Product BIG-IP
> bigip3.f5.routedlogic.net-# Version 10.1.0
> bigip3.f5.routedlogic.net-# Build 3341.1084
> bigip3.f5.routedlogic.net-# Edition Final
>
>

Colin,

Works for me too. Thanks for the patch.

-ryan


matthew at walster

May 14, 2012, 4:13 AM

Post #19 of 27 (5819 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On 6 May 2012 20:20, Ryan West <rwest [at] zyedge> wrote:
>
> Works for me too. Thanks for the patch.


Since applying the patch, I started to get a few "has not been able to
contact for 24 hours" messages.

The logs say:

starting: Mon May 14 10:01:01 UTC 2012



Trying to get all of the configs.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 1.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 2.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 3.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 4.
devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key

Sending configs/myloadbalancer1
Transmitting file data ...
Committed revision 11893.

ending: Mon May 14 10:06:26 UTC 2012


In order to fix these, I just commented out the licence checks lines in the
two command tables, then everything worked fine! Has anyone else come
across this issue?

Matthew Walster
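
The run log in the post above can be triaged mechanically. The Python below is an added example, not part of the thread or of RANCID; it assumes the log layout shown in the post, and its host names and function names are made up for illustration. It reports the devices that are still missing commands in the final retry pass, that is, the devices whose stored config lacks that output (in the post, the certificate and key file listings).

```python
import re
from collections import defaultdict

# Constructed sample in the run-log layout quoted above; host names are placeholders.
SAMPLE_LOG = """\
Trying to get all of the configs.
lb-a: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
lb-b: missed cmd(s): bigpipe db show
=====================================
Getting missed routers: round 1.
lb-a: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
ending: Mon May 14 10:06:26 UTC 2012
"""

MISSED = re.compile(r"^(\S+): missed cmd\(s\): (.*)$")
PASS_START = re.compile(r"^(Trying to get all of the configs\.|Getting missed routers: round \d+\.)$")
OTHER = re.compile(r"^(=+|\s*|starting: .*|ending: .*)$")

def unwrap(log_text):
    """Rejoin 'missed cmd(s)' records that were wrapped onto a following line."""
    lines = []
    for line in log_text.splitlines():
        known = MISSED.match(line) or PASS_START.match(line) or OTHER.match(line)
        if lines and MISSED.match(lines[-1]) and not known:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines

def missed_by_pass(log_text):
    """Return one {host: set(commands)} mapping per collection pass."""
    passes = []
    for line in unwrap(log_text):
        m = MISSED.match(line)
        if PASS_START.match(line):
            passes.append(defaultdict(set))
        elif m and passes:
            passes[-1][m.group(1)] |= {c.strip() for c in m.group(2).split(",") if c.strip()}
    return passes

def persistent_misses(log_text):
    """Hosts still failing in the last pass, with the commands missed in every pass."""
    passes = missed_by_pass(log_text)
    last = passes[-1] if passes else {}
    return {h: sorted(set.intersection(*(p[h] for p in passes if h in p))) for h in last}

if __name__ == "__main__":
    print(persistent_misses(SAMPLE_LOG))
```

A host that recovers on a retry (lb-b in the sample) drops out of the result; only devices that end the run incomplete are reported.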


rwest at zyedge

May 14, 2012, 5:24 AM

Post #20 of 27 (5822 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Comment those lines out, they have never worked for me. I've recompiled expect for the bug and it doesn't seem to help.

Sent from handheld

On May 14, 2012, at 7:13 AM, "Matthew Walster" <matthew [at] walster> wrote:



On 6 May 2012 20:20, Ryan West <rwest [at] zyedge> wrote:
Works for me too. Thanks for the patch.

Since applying the patch, I started to get a few "has not been able to contact for 24 hours" messages.

The logs say:

starting: Mon May 14 10:01:01 UTC 2012



Trying to get all of the configs.
myloadbalancer2: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 1.
myloadbalancer2: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 2.
myloadbalancer2: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 3.
myloadbalancer2: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 4.
devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key

Sending configs/myloadbalancer1
Transmitting file data ...
Committed revision 11893.

ending: Mon May 14 10:06:26 UTC 2012


In order to fix these, I just commented out the licence checks lines in the two command tables, then everything worked fine! Has anyone else come across this issue?

Matthew Walster


cstubbs at gmail

May 14, 2012, 2:58 PM

Post #21 of 27 (5826 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

What O/S or distro are you running RANCID on? Expect versions? BIGIP versions? etc

I've seen the same thing back on EL3/4 a few years ago. Mostly rancid
used to have issues with the ls /config/ssl/ssl.xxx commands for me.
Again, I either commented them out, or replaced the command with
something else that worked without issue (a script on the F5 that did
the same thing at one point).

I haven't had any issues for quite a while though, mostly since moving
away from EL3/4 and using EL5/6 in production and Fedora 14/15/16 at
home.

On 14 May 2012 22:24, Ryan West <rwest [at] zyedge> wrote:
> Comment those lines out, they have never worked for me. I've recompiled
> expect for the bug and it doesn't seem to help.
>
> Sent from handheld
>
> On May 14, 2012, at 7:13 AM, "Matthew Walster" <matthew [at] walster> wrote:
>
>
>
> On 6 May 2012 20:20, Ryan West <rwest [at] zyedge> wrote:
>>
>> Works for me too.  Thanks for the patch.
>
>
> Since applying the patch, I started to get a few "has not been able to
> contact for 24 hours" messages.
>
> The logs say:
>
> starting: Mon May 14 10:01:01 UTC 2012
>
>
>
> Trying to get all of the configs.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 1.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 2.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 3.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 4.
> devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
>
> Sending        configs/myloadbalancer1
> Transmitting file data ...
> Committed revision 11893.
>
> ending: Mon May 14 10:06:26 UTC 2012
>
>
> In order to fix these, I just commented out the licence checks lines in the
> two command tables, then everything worked fine! Has anyone else come across
> this issue?
>
> Matthew Walster
>


rwest at zyedge

May 14, 2012, 5:56 PM

Post #22 of 27 (5833 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On Mon, May 14, 2012 at 17:58:45, Colin Stubbs wrote:
> discuss [at] shrubbery
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> What O/S or distro are you running RANCID on? Expect versions? BIGIP versions?
> etc
>

Debian 6.0.5, compiled expect 5.45, RANCID 2.3.8, LTM 11.0.0/10.2.3/10.2.0/10.0.1/9.4.8

It always works with rancid-run -r for that device, but never completes a normal run unless the 'ls -al' command is stripped.

> I've seen the same thing back on EL3/4 a few years ago. Mostly rancid
> used to have issues with the ls /config/ssl/ssl.xxx commands for me.
> Again, I either commented them out, or replaced the command with
> something else that worked without issue (a script on the F5 that did
> the same thing at one point).
>
> I haven't had any issues for quite a while though, mostly since moving
> away from EL3/4 and using EL5/6 in production and Fedora 14/15/16 at home.
>
> On 14 May 2012 22:24, Ryan West <rwest [at] zyedge> wrote:
> > Comment those lines out, they have never worked for me. I've
> > recompiled expect for the bug and it doesn't seem to help.
> >



ler762 at gmail

May 17, 2012, 7:53 PM

Post #23 of 27 (5794 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On 5/14/12, Matthew Walster <matthew [at] walster> wrote:
> On 6 May 2012 20:20, Ryan West <rwest [at] zyedge> wrote:
>>
>> Works for me too. Thanks for the patch.
>
>
> Since applying the patch, I started to get a few "has not been able to
> contact for 24 hours" messages.
>
> The logs say:
>
> starting: Mon May 14 10:01:01 UTC 2012
>
>
>
> Trying to get all of the configs.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 1.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 2.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 3.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 4.
> devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
>
> Sending configs/myloadbalancer1
> Transmitting file data ...
> Committed revision 11893.
>
> ending: Mon May 14 10:06:26 UTC 2012
>
>
> In order to fix these, I just commented out the licence checks lines in the
> two command tables, then everything worked fine! Has anyone else come
> across this issue?

I think so - I didn't bother to comment the changes I made in
f5rancid, so not sure :(
I don't remember if getting rid of [space][cr] is needed or a remnant
of trying to figure out the problem, but commenting out the 'return
(1) if ...' did the trick:

# This routine parses "ls --full-time --color=never /config/ssl/ssl.key"
sub ShowSslKey {
    print STDERR " In ShowSslKey: $_" if ($debug);

    while (<INPUT>) {
        s/ \015//; # -LR-
        tr/\015//d;
        # v9 software license does not have CR at EOF
        s/^#-+($prompt.*)/$1/;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        ## LR return(1) if /^\s*\^\s*$/;

and

# This routine parses "ls --full-time --color=never /config/ssl/ssl.crt"
sub ShowSslCrt {
    print STDERR " In ShowSslCrt: $_" if ($debug);

    while (<INPUT>) {
        s/ \015//; # -LR- [space][cr]
        tr/\015//d;
        # v9 software license does not have CR at EOF
        s/^#-+($prompt.*)/$1/;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        ## LR return(1) if /^\s*\^\s*$/;


Regards,
Lee


rwest at zyedge

May 20, 2012, 4:50 PM

Post #24 of 27 (5780 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

On Thu, May 17, 2012 at 22:53:07, Lee wrote:
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> On 5/14/12, Matthew Walster <matthew [at] walster> wrote:
> > On 6 May 2012 20:20, Ryan West <rwest [at] zyedge> wrote:
> >>
> >> Works for me too. Thanks for the patch.
> >
> >
> > Since applying the patch, I started to get a few "has not been able
> > to contact for 24 hours" messages.
> >
>
> I think so - I didn't bother to comment the changes I made in
> f5rancid, so not sure :( I don't remember if getting rid of
> [space][cr] is needed or a remnant of trying to figure out the
> problem, but commenting out the 'return
> (1) if ...' did the trick:
>
> # This routine parses "ls --full-time --color=never /config/ssl/ssl.key"
> sub ShowSslKey {
>     print STDERR " In ShowSslKey: $_" if ($debug);
>
>     while (<INPUT>) {
>         s/ \015//; # -LR-
>         tr/\015//d;
>         # v9 software license does not have CR at EOF
>         s/^#-+($prompt.*)/$1/;
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         ## LR return(1) if /^\s*\^\s*$/;
>
> and
>
> # This routine parses "ls --full-time --color=never /config/ssl/ssl.crt"
> sub ShowSslCrt {
>     print STDERR " In ShowSslCrt: $_" if ($debug);
>
>     while (<INPUT>) {
>         s/ \015//; # -LR- [space][cr]
>         tr/\015//d;
>         # v9 software license does not have CR at EOF
>         s/^#-+($prompt.*)/$1/;
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         ## LR return(1) if /^\s*\^\s*$/;
>

Lee,

I tried both variants and neither seemed to help. I've always been able to run a full backup of the devices with rancid-run -r <devname>, but the cron continues to fail on those two routines.

Thanks,

-ryan


mkorourke at gmail

Oct 23, 2012, 2:56 AM

Post #25 of 27 (4684 views)
Permalink
Re: F5 BIG-IP devices - any tricks? [In reply to]

Has anyone already done any work on the f5rancid script to work with F5
11.x configuration partitions? i.e. read out
/config/partition/partition_xyz/bigip.conf etc etc

Looking at current master f5rancid from
https://github.com/dotwaffle/rancid-git/tree/master/bin it doesn't appear
to be present.

Mick
