Discussion:
[rancid] F5 BIG-IP devices - any tricks?
Dale Shaw
2012-01-12 05:14:56 UTC
Hi all,

I'm running RANCID 2.3.6 on a RHEL 4.8 system.

I'm trying to add some F5 BIG-IP devices to the repository but I'm not
having much luck.

I don't know much at all about the F5s themselves but I suspect a
terminal length/paging issue.

The devices are running:

BIG-IP Version 10.1.0 3341.0

Interactive "clogin" works fine -- I am dropped straight into a
'bigpipe' CLI (prompt "bp>"); I'm not sure if that's relevant.

When I execute commands like "version show", the output is paged.
Pressing <SPACE> scrolls by page, <ENTER> scrolls by line, as you'd
expect.

Running "f5rancid -d <hostname>" just results in a file containing:

#RANCID-CONTENT-TYPE: bigip
#
#
#
#

..and the terminal output shows:

***@box:/tmp$ sudo -H -u rancid f5rancid -d gsu-lb01
executing clogin -t 90 -c"bigpipe version;bigpipe platform;cat
/config/bigip.license;bigpipe monitor list all;bigpipe profile
list;bigpipe base list;bigpipe db show;bigpipe route static show;ls
--full-time --color=never /config/ssl/ssl.crt;ls --full-time
--color=never /config/ssl/ssl.key;bigpipe list" gsu-lb01
gsu-lb01 clogin error: Error: TIMEOUT reached
gsu-lb01 clogin error: Error: TIMEOUT reached
gsu-lb01: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
/config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
version,bigpipe profile list,bigpipe list
gsu-lb01: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,bigpipe route static show,bigpipe base list,cat
/config/bigip.license,bigpipe platform,bigpipe db show,bigpipe monitor
list all,ls --full-time --color=never /config/ssl/ssl.key,bigpipe
version,bigpipe profile list,bigpipe list
gsu-lb01: End of run not found
gsu-lb01: End of run not found

If I run: clogin -t 90 -c"bigpipe version" gsu-lb01

..I see 'clogin' sending the command "terminal length 0", which is not
parsed/accepted by the device, then it sends the command "bigpipe
version", which executes and hangs at the first page of output.

Any clues? I couldn't see an obvious way to disable the CLI pager.

Cheers,
Dale
Lance Vermilion
2012-01-12 14:16:26 UTC
In the F5 you need to change the setting under the user so they will get a
full shell
Dale Shaw
2012-01-12 23:06:54 UTC
Hi Lance,

On Fri, Jan 13, 2012 at 1:16 AM, Lance Vermilion <***@gheek.net> wrote:
> In the  F5 you need to change the setting under the user so they will get a
> full shell

Thanks, yeah, that does appear to be the issue -- f5rancid/clogin
expect to be dropped into a full shell. We discovered yesterday (after
posting to the list) that using the 'root' user results in working
RANCID.

On the surface it seemed that all we needed to do was figure out a way
to disable the pager on a per-session basis within the bigpipe shell.
That still seems like the cleanest way to make this work to me.

Anyway, I'll work with the folks more familiar with the operation of
the F5s to figure out how we provide 'full shell' access to the user
RANCID uses. Hopefully we can provide 'full shell, read only' somehow.

Cheers,
Dale
Krzysztof Zygmunt
2012-03-14 08:08:42 UTC
" Hopefully we can provide 'full shell, read only' somehow. "

Has anyone managed to do that? (full shell, read only access) or
access using sudo?

This (full shell access) is the only thing that keeps us from using
rancid for bigips.

Shain Singh
2012-03-21 08:58:40 UTC
> Has anyone managed to do that ? (full shell, read only access) or
> access using sudo ?

I'd say it may be easier trying to write another Expect script to use
the tmsh instead. Makes it future proof as I believe F5 is heading
away from giving complete shell access to their devices.


--
Shaineel Singh
e: ***@gmail.com
p: +61 422 921 951
w: http://buffet.shainsingh.com

--
"Too many have dispensed with generosity to practice charity" - Albert Camus
Matthew Walster
2012-04-26 09:08:14 UTC
On 21 March 2012 08:58, Shain Singh <***@gmail.com> wrote:
>> Has anyone managed to do that ? (full shell, read only access) or
>> access using sudo ?
>
> I'd say it may be easier trying to write another Expect script to use
> the tmsh instead. Makes it future proof as I believe F5 is heading
> away from giving complete shell access to their devices.

It would appear someone's made a good effort on producing this code,
but I don't have any non-production boxes to test it against.

Does the following work for you?

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Matthew Walster
Baird, Josh
2012-04-26 12:22:43 UTC
I'll try this today.

dl
2012-04-26 18:30:14 UTC
I've been able to get BIG-IP 10.2.2 Build 763.3 Final and BIG-IP
10.2.2 Build 930.0 Hotfix HF3 to work with rancid.
Ubuntu Lucid version, with some patches:

- rancid user on the LTM device has to have full perms (Administrator
with Advanced Shell)
- the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)
- I'm using rancid package 2.3.2-1 but replaced f5login script and
clogin script with the version from 2.3.8

I'm reviewing my changes to verify this is all I've modified, I'll let
you know if I find something else missing (just got it working in Dev
and about to prop the changes to prod so I'll be reviewing it all here
today).

dl
2012-04-26 18:40:53 UTC
sorry that should read f5rancid not f5login.

Ryan West
2012-04-27 13:27:25 UTC
Josh,

Can you post your full f5rancid? I'm not having much luck with the link that was provided earlier.

Thanks,

-ryan

heasley
2012-04-28 07:22:05 UTC
Thu, Apr 26, 2012 at 11:30:14AM -0700, dl:
> - the expect patch has to be applied (http://www.shrubbery.net/rancid/#osystems)

Please tell us what version of tcl and expect you have.
Ryan West
2012-04-28 14:30:35 UTC
John,

The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:

+# This routine processes a "tmsh list"
+sub WriteTermTMSH {
+ my($lines) = 0;
+ print STDERR " In WriteTerm: $_" if ($debug);
+
+ while (<INPUT>) {
+ tr/15//d;
+ next if (/^s*$/);
+ # end of config - hopefully. f5 does not have a reliable end-of-config
+ # tag.
+ if (/^$prompt/) {
+ $found_end++;
+ last;
+ }
+ return(-1) if (/command authorization failed/i);
+
+ $lines++;
+
+ if (/(bind-pw|encrypted-password|user-password-encrypted|passphrase) / && $filter_pwds >= 1) {
+ ProcessHistory("ENABLE","","","# $1 n");
+ next;
+ }
+
+ # catch anything that wasnt matched above.
+ ProcessHistory("","","","$_");
+ }
+
+ if ($lines 'ShowVersion'},
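Review bot: In WriteTermTMSH as pasted, `tr/15//d;` and `next if (/^s*$/);` have lost their backslashes. Written this way the first deletes every digit 1 and 5 from each saved configuration line, and the second skips empty lines and lines made only of the letter s but not whitespace-only lines, while carriage returns are left in. ShowSslKey, posted later in this thread, uses `tr/\015//d` and `\s*`, which is presumably what was intended here; `"# $1 n"` likewise looks like a stripped `\n`. The final line `if ($lines 'ShowVersion'},` appears cut off mid-expression, so the end of the routine and the start of the command table need to come from the original .diff rather than be reconstructed by hand. Separately, the secret filter only fires when `$filter_pwds >= 1` and the keyword is followed by a space, so it is worth confirming against real `tmsh list` output that no bind-pw, encrypted-password or passphrase line reaches the repository unredacted.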

Here is the link to the full changes. If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Thanks,

-ryan

Dale Shaw
2012-05-01 05:31:26 UTC
Hi,

On Sat, Apr 28, 2012 at 10:30 PM, Ryan West <***@zyedge.com> wrote:
>
> The link that was provided earlier by Matthew seems promising.  I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:
[...]
>
> Here is the link to the full changes.  If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.
> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

Concur; patch as displayed in blog post seems broken. Link to .diff
404's. Cc'ing the blog owner.

Happy to help test this in our small environment (4 x LTMs running
BIG-IP 10.1.0 3341.0).

cheers,
Dale
Ryan West
2012-05-01 08:25:10 UTC
Hey Colin,

I have tested on v11 and v10.[12].x boxes and the tmsh commands work on both. I don't have any more 9.x to work with, so I think just having a working tmsh example should do the trick. Not sure if you caught my email to John Heasley, but it seems the last function before the commandtable is broken. Just clearing that up should be enough to do a little testing. Let me know if you need any more information.

Thanks,

-ryan

-----Original Message-----
From: Colin Stubbs [mailto:***@gmail.com]
Sent: Tuesday, May 01, 2012 3:59 AM
To: Dale Shaw
Cc: Ryan West; rancid-***@shrubbery.net
Subject: Re: [rancid] F5 BIG-IP devices - any tricks?

Hmm, looks like gmail is spam dropping some of this list for me. This is the first email that came thru re: this subject :-(

Given I wrote the first patch I'm happy to get cracking on updating it. I have actually already been doing various things related to that due to working with BIGIP v11.

There's a bit that needs to change for v11 - anyone else on the list using it yet and need to monitor devices with it? bigpipe command will no longer work and TMSH command syntax is sufficiently different to bigpipe that they're basically different device types. Would need to fork f5rancid into two different types, provide a configuration option to specify version, or auto-detect v11 or < v11 and use a different command set based on that.

Suggestions ?

-Colin

cstubbs @ gmail . com [smtp, g+, fb, msn]
Phone: +61 468 311 061
Skype: c.stubbs
Pub Key ID: 0xC857AC24


Lance Vermilion
2012-05-01 14:05:11 UTC
A new device type setting would be the static method otherwise a version
check would be needed for dynamic.

Simply run a bigpipe command and if the response is not what we expect run
tmsh and if that fails exit with a failure for that node.
Colin Stubbs
2012-05-06 06:32:37 UTC
Patch attached for 2.3.8.

It uses `bigpipe version`'s response to determine if it should use
tmsh or not, and switches command table as appropriate.

So it will only use tmsh on a BIGIP v11 F5, as they respond like this,

[***@localhost:] ~ # bp version
/usr/bin/bp: bigpipe is no longer supported; please use tmsh.
[***@localhost:] ~ #

This should keep things the same for existing users and avoid
unexpected config diff after upgrade.

Tested against,

bigip1.f5.routedlogic.net:#Sys::Version
bigip1.f5.routedlogic.net-# Main Package
bigip1.f5.routedlogic.net-# Product BIG-IP
bigip1.f5.routedlogic.net-# Version 10.2.3
bigip1.f5.routedlogic.net-# Build 112.0
bigip1.f5.routedlogic.net-# Edition Final
--
bigip2.f5.routedlogic.net:#Sys::Version
bigip2.f5.routedlogic.net-# Main Package
bigip2.f5.routedlogic.net-# Product BIG-IP
bigip2.f5.routedlogic.net-# Version 11.1.0
bigip2.f5.routedlogic.net-# Build 1943.0
bigip2.f5.routedlogic.net-# Edition Final
--
bigip3.f5.routedlogic.net:#Sys::Version
bigip3.f5.routedlogic.net-# Main Package
bigip3.f5.routedlogic.net-# Product BIG-IP
bigip3.f5.routedlogic.net-# Version 10.1.0
bigip3.f5.routedlogic.net-# Build 3341.1084
bigip3.f5.routedlogic.net-# Edition Final


-Colin


On 2 May 2012 00:05, Lance Vermilion <***@gheek.net> wrote:
> A new device type setting would be the static method otherwise a version
> check would be needed for dynamic.
>
> Simply run a bigpipe command  and if the response is not what we expect run
> tmsh and if that fails exit with a failure for that node.
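
The selection logic described in the two messages above (try bigpipe, fall back to tmsh, otherwise fail the node), as an added example that is not part of the original posts and is not the attached patch. It is a Python sketch rather than f5rancid's Perl; `run` stands in for a clogin session, the transcripts are constructed, the tmsh table is a placeholder, and the `tmsh show sys version` probe is an assumption of this sketch.

```python
import re

# bigpipe command set as shown in the f5rancid debug output earlier in the thread.
BIGPIPE_COMMANDS = [
    "bigpipe version", "bigpipe platform", "cat /config/bigip.license",
    "bigpipe monitor list all", "bigpipe profile list", "bigpipe base list",
    "bigpipe db show", "bigpipe route static show",
    "ls --full-time --color=never /config/ssl/ssl.crt",
    "ls --full-time --color=never /config/ssl/ssl.key", "bigpipe list",
]
# Placeholder: the thread only names "tmsh list"; the patch's real table is not shown.
TMSH_COMMANDS = ["tmsh list"]

# Response a v11 box gives to bigpipe, quoted in the message above.
DEPRECATED_RE = re.compile(r"bigpipe is no longer supported; please use tmsh")
# v10 banner format quoted in the first post ("BIG-IP Version 10.1.0 3341.0").
BIGPIPE_VERSION_RE = re.compile(r"BIG-IP Version \d+\.\d+")
# "Version 11.1.0" line as in the Sys::Version listings above.
TMSH_VERSION_RE = re.compile(r"^\s*Version\s+\d+\.\d+", re.MULTILINE)


class UnsupportedDevice(Exception):
    """Neither CLI answered in a recognised way; fail the node, do not guess."""


def select_command_table(run):
    """run(cmd) -> str is a hypothetical stand-in for one clogin exchange."""
    out = run("bigpipe version")
    if DEPRECATED_RE.search(out):
        return ("tmsh", TMSH_COMMANDS)          # v11: bigpipe removed
    if BIGPIPE_VERSION_RE.search(out):
        return ("bigpipe", BIGPIPE_COMMANDS)    # v9/v10: keep existing output
    # bigpipe gave nothing usable: probe tmsh before giving up (assumed command).
    if TMSH_VERSION_RE.search(run("tmsh show sys version")):
        return ("tmsh", TMSH_COMMANDS)
    raise UnsupportedDevice("no recognised response from bigpipe or tmsh")


def fake_device(transcripts):
    """Build a run() callable from a constructed command -> output mapping."""
    return lambda cmd: transcripts.get(cmd, "")


# Constructed transcripts for the cases discussed in the thread.
V10 = {"bigpipe version": "BIG-IP Version 10.1.0 3341.0\n"}
V11 = {"bigpipe version":
       "/usr/bin/bp: bigpipe is no longer supported; please use tmsh.\n"}
TMSH_ONLY = {"tmsh show sys version":
             "Sys::Version\nMain Package\n  Product  BIG-IP\n  Version  11.1.0\n"}
SILENT = {}  # e.g. a session stuck at a pager or in a restricted shell

if __name__ == "__main__":
    for name, dev in [("v10", V10), ("v11", V11), ("tmsh-only", TMSH_ONLY)]:
        print(name, select_command_table(fake_device(dev))[0])
```

Checking for the deprecation message before the version banner keeps v10 devices on the bigpipe table, which is what avoids an unexpected config diff after the upgrade.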
Ryan West
2012-05-06 19:20:11 UTC
Colin,

Works for
Matthew Walster
2012-05-14 11:13:01 UTC
On 6 May 2012 20:20, Ryan West <***@zyedge.com> wrote:
>
> Works for me too. Thanks for the patch.


Since applying the patch, I started to get a few "has not been able to
contact for 24 hours" messages.

The logs say:

starting: Mon May 14 10:01:01 UTC 2012



Trying to get all of the configs.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 1.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 2.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 3.
myloadbalancer2: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 4.
devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never
/config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key

Sending configs/myloadbalancer1
Transmitting file data ...
Committed revision 11893.

ending: Mon May 14 10:06:26 UTC 2012


In order to fix these, I just commented out the licence checks lines in the
two command tables, then everything worked fine! Has anyone else come
across this issue?

Matthew Walster
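
A device that misses commands on every pass leaves a silent gap in the stored configuration history, and the run log is where it shows. The following is an added example, not part of the original post or of RANCID: a Python triage of the log format quoted above, using constructed sample lines and placeholder hostnames; the session/command split is a heuristic based on the two failure patterns seen in this thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the run log quoted above.
SAMPLE_LOG = """\
starting: Mon May 14 10:01:01 UTC 2012

Trying to get all of the configs.
lb-a: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
lb-b clogin error: Error: TIMEOUT reached
lb-b: missed cmd(s): bigpipe version,bigpipe list
lb-b: End of run not found
=====================================
Getting missed routers: round 1.
lb-a: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
=====================================
Getting missed routers: round 2.
lb-a: missed cmd(s): ls --full-time --color=never /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key

ending: Mon May 14 10:06:26 UTC 2012
"""

ROUND_RE = re.compile(r"^Getting missed routers: round (\d+)\.")
EVENT_RES = {
    "missed": re.compile(r"^(\S+): missed cmd\(s\): (.+)$"),
    "timeout": re.compile(r"^(\S+) clogin error: Error: TIMEOUT reached"),
    "no_end": re.compile(r"^(\S+): End of run not found"),
}


def triage(log_text):
    """Summarise per-device failures from one rancid run log.

    Pass 0 is the initial collection; passes 1..n are the retry rounds.
    """
    current = last = 0
    hosts = defaultdict(
        lambda: {"passes": set(), "missed": set(), "session_errors": 0})
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ROUND_RE.match(line)
        if m:
            current = last = int(m.group(1))
            continue
        for kind, rx in EVENT_RES.items():
            m = rx.match(line)
            if not m:
                continue
            host = hosts[m.group(1)]
            host["passes"].add(current)
            if kind == "missed":
                # Commands are comma-separated; a set absorbs the duplicate
                # lines that debug runs print twice.
                host["missed"].update(
                    c.strip() for c in m.group(2).split(",") if c.strip())
            else:
                host["session_errors"] += 1
            break
    report = {}
    for name, h in hosts.items():
        report[name] = {
            "missed": sorted(h["missed"]),
            "passes": sorted(h["passes"]),
            # Still failing in the final retry round: nothing was committed.
            "still_failing": last in h["passes"],
            # Heuristic: TIMEOUT / "End of run not found" points at the login
            # session (pager, shell type); otherwise at individual commands.
            "likely_cause": "session" if h["session_errors"] else "command",
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE_LOG).items()):
        print(host, info)
```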
Ryan West
2012-05-14 12:24:10 UTC
Permalink
Comment those lines out, they have never worked for me. I've recompiled expect for the bug and it doesn't seem to help.

Sent from handheld

Colin Stubbs
2012-05-14 21:58:45 UTC
What O/S or distro are you running RANCID on? Expect versions? BIGIP versions? etc.

I've seen the same thing back on EL3/4 a few years ago. Mostly rancid
used to have issues with the ls /config/ssl/ssl.xxx commands for me.
Again, I either commented them out, or replaced the command with
something else that worked without issue (a script on the F5 that did
the same thing at one point).

I haven't had any issues for quite a while though, mostly since moving
away from EL3/4 and using EL5/6 in production and Fedora 14/15/16 at
home.

Ryan West
2012-05-15 00:56:20 UTC
On Mon, May 14, 2012 at 17:58:45, Colin Stubbs wrote:
> What O/S or distro you running RANCID on? Expect versions? BIGIP versions?
> etc
>

Debian 6.0.5, compiled expect 5.45, RANCID 2.3.8, LTM 11.0.0/10.2.3/10.2.0/10.0.1/9.4.8

It always works with rancid-run -r for that device, but never completes a normal run unless the 'ls -al' command is stripped.

Lee
2012-05-18 02:53:07 UTC
On 5/14/12, Matthew Walster <***@walster.org> wrote:
> On 6 May 2012 20:20, Ryan West <***@zyedge.com> wrote:
>>
>> Works for me too. Thanks for the patch.
>
>
> Since applying the patch, I started to get a few "has not been able to
> contact for 24 hours" messages.
>
> The logs say:
>
> starting: Mon May 14 10:01:01 UTC 2012
>
>
>
> Trying to get all of the configs.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 1.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 2.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 3.
> myloadbalancer2: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
> =====================================
> Getting missed routers: round 4.
> devlb02.dev.tradefair: missed cmd(s): ls --full-time --color=never
> /config/ssl/ssl.crt,ls --full-time --color=never /config/ssl/ssl.key
>
> Sending configs/myloadbalancer1
> Transmitting file data ...
> Committed revision 11893.
>
> ending: Mon May 14 10:06:26 UTC 2012
>
>
> In order to fix these, I just commented out the licence checks lines in the
> two command tables, then everything worked fine! Has anyone else come
> across this issue?

I think so - I didn't bother to comment the changes I made in
f5rancid, so not sure :(
I don't remember if getting rid of [space][cr] is needed or a remnant
of trying to figure out the problem, but commenting out the 'return
(1) if ...' did the trick:

# This routine parses "ls --full-time --color=never /config/ssl/ssl.key"
sub ShowSslKey {
    print STDERR " In ShowSslKey: $_" if ($debug);

    while (<INPUT>) {
        s/ \015//; # -LR-
        tr/\015//d;
        # v9 software license does not have CR at EOF
        s/^#-+($prompt.*)/$1/;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        ## LR return(1) if /^\s*\^\s*$/;

and

# This routine parses "ls --full-time --color=never /config/ssl/ssl.crt"
sub ShowSslCrt {
    print STDERR " In ShowSslCrt: $_" if ($debug);

    while (<INPUT>) {
        s/ \015//; # -LR- [space][cr]
        tr/\015//d;
        # v9 software license does not have CR at EOF
        s/^#-+($prompt.*)/$1/;
        last if (/^$prompt/);
        next if (/^(\s*|\s*$cmd\s*)$/);
        ## LR return(1) if /^\s*\^\s*$/;


Regards,
Lee
Ryan West
2012-05-20 23:50:17 UTC
On Thu, May 17, 2012 at 22:53:07, Lee wrote:
> Subject: Re: [rancid] F5 BIG-IP devices - any tricks?
>
> On 5/14/12, Matthew Walster <***@walster.org> wrote:
> > On 6 May 2012 20:20, Ryan West <***@zyedge.com> wrote:
> >>
> >> Works for me too. Thanks for the patch.
> >
> >
> > Since applying the patch, I started to get a few "has not been able
> > to contact for 24 hours" messages.
> >
>
> I think so - I didn't bother to comment the changes I made in
> f5rancid, so not sure :( I don't remember if getting rid of
> [space][cr] is needed or a remnant of trying to figure out the
> problem, but commenting out the 'return
> (1) if ...' did the trick:
>
> # This routine parses "ls --full-time --color=never /config/ssl/ssl.key"
> sub ShowSslKey {
>     print STDERR " In ShowSslKey: $_" if ($debug);
>
>     while (<INPUT>) {
>         s/ \015//; # -LR-
>         tr/\015//d;
>         # v9 software license does not have CR at EOF
>         s/^#-+($prompt.*)/$1/;
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         ## LR return(1) if /^\s*\^\s*$/;
>
> and
>
> # This routine parses "ls --full-time --color=never /config/ssl/ssl.crt"
> sub ShowSslCrt {
>     print STDERR " In ShowSslCrt: $_" if ($debug);
>
>     while (<INPUT>) {
>         s/ \015//; # -LR- [space][cr]
>         tr/\015//d;
>         # v9 software license does not have CR at EOF
>         s/^#-+($prompt.*)/$1/;
>         last if (/^$prompt/);
>         next if (/^(\s*|\s*$cmd\s*)$/);
>         ## LR return(1) if /^\s*\^\s*$/;
>

Lee,

I tried both variants and neither seemed to help. I've always been able to run a full backup of the devices with rancid-run -r <devname>, but the cron continues to fail on those two routines.

Thanks,

-ryan
Mick O'Rourke
2012-10-23 09:56:41 UTC
Has anyone already done any work on the f5rancid script to work with F5
11.x configuration partitions? i.e. read out
/config/partition/partition_xyz/bigip.conf etc etc

Looking at current master f5rancid from
https://github.com/dotwaffle/rancid-git/tree/master/bin it doesn't appear
to be present.

Mick
Matthew Walster
2012-10-31 12:13:57 UTC
Mick,

On 23 October 2012 10:56, Mick O'Rourke <***@gmail.com> wrote:

> Has anyone already done any work on the f5rancid script to work with F5
> 11.x configuration partitions? i.e. read out
> /config/partition/partition_xyz/bigip.conf etc etc
>
> Looking at current master f5rancid from
> https://github.com/dotwaffle/rancid-git/tree/master/bin it doesn't appear
> to be present.
>

I don't have an F5 running 11.x at the moment, but if you could supply an
idea of the mapping, I'd be very interested. For instance, is it just a
case of adding a glob such as "/config/partition/partition_*/bigip.conf" or
is there something "new" that's going to make me sigh horrible? ;)

M
Colin Stubbs
2012-10-31 12:46:25 UTC
Hey Matt

I haven't done any more work on this recently. But my opinion is you will
want to be using tmsh commands to get the partition configuration and not
trying to dump files directly. You just won't get everything otherwise.

http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/

https://devcentral.f5.com/Community/GroupDetails/tabid/1082223/aft/2158962/asg/44/Default.aspx

-Colin

cstubbs @ gmail . com [smtp, g+, fb, msn]
Phone: +61 488 000 977
Skype: c.stubbs
Pub Key ID: 0xC857AC24


On 31 October 2012 12:13, Matthew Walster <***@walster.org> wrote:

> Mick,
>
> On 23 October 2012 10:56, Mick O'Rourke <***@gmail.com> wrote:
>
>> Has anyone already done any work on the f5rancid script to work with F5
>> 11.x configuration partitions? i.e. read out
>> /config/partition/partition_xyz/bigip.conf etc etc
>>
>> Looking at current master f5rancid from
>> https://github.com/dotwaffle/rancid-git/tree/master/bin it doesn't
>> appear to be present.
>>
>
> I don't have an F5 running 11.x at the moment, but if you could supply an
> idea of the mapping, I'd be very interested. For instance, is it just a
> case of adding a glob such as "/config/partition/partition_*/bigip.conf" or
> is there something "new" that's going to make me sigh horrible? ;)
>
> M
>
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-***@shrubbery.net
> http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
>
Colin Stubbs
2012-05-01 07:59:27 UTC
Hmm, looks like gmail is spam dropping some of this list for me. This
is the first email that came thru re: this subject :-(

Given I wrote the first patch I'm happy to get cracking on updating
it. I have actually already been doing various things related to that
due to working with BIGIP v11.

There's a bit that needs to change for v11 - anyone else on the list
using it yet and need to monitor devices with it ? bigpipe command
will no longer work and TMSH command syntax is sufficiently different
to bigpipe that they're basically different device types. Would need
to fork f5rancid into two different types, provide a configuration option
to specify version, or auto-detect v11 or < v11 and use a different
command set based on that.

Suggestions ?

-Colin

cstubbs @ gmail . com [smtp, g+, fb, msn]
Phone: +61 468 311 061
Skype: c.stubbs
Pub Key ID: 0xC857AC24


On 1 May 2012 15:31, Dale Shaw <dale.shaw+rancid-***@gmail.com> wrote:
> Hi,
>
> On Sat, Apr 28, 2012 at 10:30 PM, Ryan West <***@zyedge.com> wrote:
>>
>> The link that was provided earlier by Matthew seems promising. I was able to run all commands on both v10 and v11 devices. The patch, however, did not apply properly against a 2.3.8 build and my attempts to manually input the lines worked except for this routine, where it fails at the end:
> [...]
>>
>> Here is the link to the full changes.  If anyone can tell me how to fix the last line, I should be able to quickly test it against v11 and v10 devices that we monitor.
>> http://blog.routedlogic.net/2011/12/08/rancid-monitoring-of-f5s-with-bigip-v11-x/
>
> Concur; patch as displayed in blog post seems broken. Link to .diff
> 404's. Cc'ing the blog owner.
>
> Happy to help test this in our small environment (4 x LTMs running
> BIG-IP 10.1.0 3341.0).
>
> cheers,
> Dale