Core Program Installation

User Documentation - Core

---

• Overview
  • Requirements
  • Operation
  • Files
  • Directory Structure
• Installation Prerequisites
• Installation
• Configuration
  • Config file
  • Device List
• Using the Backup Program
  • Connectivity Verification
  • Manual Backups
  • Automatic Backups

---

Overview

This page covers the installation of the core backup program. Check the home page for Web UI installation.

Installation of the Config Backup for F5 program will require some basic Linux administration skill. If you are new to linux, I would suggesting getting CentOS 6.4 to run the backup program as the installation instructions will be easier.

---

Requirements

Server Requirements -

• Your favorite Linux OS - Has been tested on CentOS 6.4 and Ubuntu 12.04.3 LTS
• Perl - This was developed and tested on Perl v5.10.1. *
• SQLite3
• Enough storage for your UCS files = (Your average UCS file size x archive # size x # of devices)

* Not sure which lower versions of Perl it will work on. If I hear anything else I will add it to the list.

Perl Module Requirements -

• DateTime by Dave Rolsky
• Net::OpenSSH by Salvador Fandiño
• Config::Tiny by Adam Kennedy/Ron Savage
• DBI (which should also include DBD::SQLite)
• IO::Pty by Graham Barr/Roland Giersig
• All modules required by above modules (dependencies will install automatically w/ cpanm)

F5 Requirements-

• An F5 version that has the TMSH CLI (Version 11.*)

Operation

F5 BigIP devices use a setting inside an internal DB called the CID (Commited ID) time to track changes for config sync. Any change made on a box changes the CID time even if it is not a configuration item that is sync'ed (such as a non-floating self IP).

The config backup program logs into each device and checks the CID time to see if it has changed. If there is a change from the last backup job it performed then it will create a UCS backup archive and download it.

Note: GTM, for reasons known only to F5, does everything different than most other modules that F5 offers. It has it's own config sync method and any changes made to the GTM does not change the CID time. In future releases I will try to find another way to work around this.

Files

The config backup program uses the following files for operation -

• f5backup.pl - The perl program that does the backup operation.
• f5backup.conf - The file for user configurable options.
• list.txt - The list for the F5 devices you wish to backup.
• main.db - a SQLite DB used to store device/backup job data as well as Web UI settings.
• Password file - For security purposes the password used for device login is kept separate from the config file. This file should be kept in the /root/ directory.

Directory Structure

The Config backup program has the following directories -

• Base directory - A configurable value that contains the files mentioned above and log files. Default is /var/f5backup.
• Device Archive - A configurable value where UCS files are kept. Each device has a sub-directory here with its UCS files. Default is /var/f5backup/devices.
• BASE/log - Log directory located in the base directory. Each backup job creates a single log file.
• BASE/db - A folder for the DB file. A sepereate folder was create for proper apache/php rights assignment.

---

Installation Prerequisites

---

The backup program has an install script that performs most of the needed functions for installation. However, the requirements listed in the sections above needed to be handled before you can run the script.

Installing the perl modules is one of the most important. The installation script will not let you proceed until all the required modules are installed. Modules can be found at www.cpan.org. Module installation instructions are here. For distro specific information about perl module installation I would recommend a doing a google search for your distro and the module.

The password file should also be created before you begin. The password file should be a file with a single line containing only the password. You can create the file as shown below. Make sure you are in the root directory.

[root@Linux1 ~]# echo "my_password" > pass.txt

Verify the password is in the file -

[root@Linux1 ~]# cat pass.txt
my_password

Change the file permissions so that root is the owner and that it is readable only by the owner-

[root@Linux1 ~]# chmod 0400 pass.txt
[root@Linux1 ~]# ls -lh pass.txt
-r--------. 1 root root 12 Nov  3 22:13 pass.txt

---

Installation

---

To install the program, login as the root user and put the f5backup_core.tgz file in a temporary folder such as /tmp. Then cd into the directory and unpack the tarball as such and cd into the f5backup directory -

[root@Linux1 ~]# cd /tmp/
[root@Linux1 tmp]# tar -zxvf f5backup.tgz
f5backup/f5backup.pl
f5backup/install.sh
[root@Linux1 tmp]# cd f5backup
[root@Linux1 f5backup]# ls -lh
total 28K
-rw-r--r--. 1 root root 17K Nov  3 15:41 f5backup.pl
-rwxr-xr-x. 1 root root 6.3K Nov  2 23:00 install.sh

Start the installation script as shown. It is recommended that you use all default settings as it will ensure that the program will run with the fewest issues. For the most part if you leave everything as default the only thing you will need to manually enter is the password file location and the username. Auto complete is enabled for answer entry -

[root@Linux1 f5backup]# ./install.sh
Starting installation of backup program.

Your version of perl is v5.10.1.

Checking for perl for required modules -
  DateTime is installed.
  Net::OpenSSH is installed.
  Config::Tiny is installed.
  DBI is installed.
Perl modules are good!

What directory would you like to install this program in ?
Press enter for default. [/var/f5backup]

Base directory is /var/f5backup.
Checking if /var/f5backup exists...

/var/f5backup does not exist. Creating directory.

What directory would you like to be the device archive ?
Press enter for default. [/var/f5backup/devices]

Archive directory is /var/f5backup/devices.
Checking if /var/f5backup/devices exists...

/var/f5backup/devices does not exist. Creating directory.

What file would would you like to use for the device list ?
Put file name only. List will be created in install directory location.
Press enter for default. [list.txt]

Creating device list /var/f5backup/list.txt.

What username would you like to use for device login ?
The user needs to be an administrator on the F5 so that it can create UCS files.
Press enter for default. [admin]

What password file would you like to use for device login ?
The file should have permission of 0400 (readable by root only)
/root/pass.txt

How many backup files do you want to keep for each device ?
Press enter for default. [15]

How many backup files do you want to keep for each device ?
Press enter for default. [30]

Creating DB file /var/f5backup/db/main.db

Creating config file /var/f5backup/f5backup.conf with the options you selected.

Copying f5backup.pl file to /var/f5backup/

Creating log directory /var/f5backup/log

Done installing program. Check /var/f5backup for file contents.

Check to see if your files where installed with the find utility -

[root@Linux1 f5backup]# find /var/f5backup/
/var/f5backup/
/var/f5backup/devices
/var/f5backup/f5backup.conf
/var/f5backup/f5backup.pl
/var/f5backup/db/main.db
/var/f5backup/log
/var/f5backup/list.txt

If you get an error at any point during the installation the script will most likely kill the install. Once the issue is fixed you can repeat the installation. After installation is complete you can delete the temporary folder (in our case /tmp/f5backup/)

---

Configuration

---

Config file

The installation script sets most of the settings in the configuration file. This section covers the values in case you need to change in the future. The default configurable items for the backup program are as follows-

# base directory for F5 backups
BASE_DIRECTORY=/var/f5backup

# Archive directory for UCS files
ARCHIVE_DIRECTORY=/var/f5backup/devices/

# List of devices, one per line
# List needs to be in BASE_DIRECTORY location
DEVICE_LIST=list.txt

# Username to log into devices
USERNAME=admin

# Location of password file, file should only contain password
# The file should have permission of 0400 (readable by root only)
PASS_FILE=pass.txt

# Location of DB file
# DB file needs to be in the DB folder of the BASE_DIRECTORY 
DB_FILE=db/main.db

# Number of UCS files to retain per devices
UCS_ARCHIVE_SIZE=15

# Number of log files to maintain
LOG_ARCHIVE_SIZE=30

BASE_DIRECTORY - The directory which contains the main backup Perl script, device list config file and by default the archive directory.

ARCHIVE_DIRECTORY - The directory where the device folders are at with the UCS files. Default is in the base directory but can be anywhere on the file system. It is recommended that you do not change this value as it could create problems for the web UI.

DEVICE_LIST - List of F5 devices you wish to backup. List must be located in the base directory. Format is covered in next section.

USERNAME - The user name for the F5 login. The user needs to be an administrator on the F5 so that it can create UCS files.

PASS_FILE - The file that the contains the password. Must be a single line with only the password in it.

DB_FILE - The SQLite DB file used by the backup program. It is recommended that you do not change this value as it could create problems for the web UI. The option to configure this will be removed from later versions.

UCS_ARCHIVE_SIZE - Number of UCS files to keep in each device folder.

LOG_ARCHIVE_SIZE - Number of log files to keep in log directory. Each backup job produces one log file.

Device List

A device list should have the following format -

# Put your list of devices in this file
# One line per device
#
F5_BIGIP1=192.168.1.245
F5_BIGIP2=192.168.1.246
BIGIP3

The device list file takes one device per line while ignoring any line with a comment "#" sign or a blank line. You can not put a comment in a line that has a device (i.e. "BIGIP_LTM1 # My comment"). If you do the line will be ignored.

Devices can be defined in the following styles -

• DNS Name - If your F5 devices have valid DNS records that the server can resolve, you can put a DNS name only on the line. Example - NYCLTM01
• HOSTNAME=IP - If your F5 devices do not have a DNS name defined you can use the HOSTNAME=IP format. This will make the folder, UCS files and log entries use the hostname while still connecting to the devices by their IP addresses. Example - BIGIP_LTM1=192.168.1.245

---

Using the Backup Program

---

Connectivity Verification

Before a backup job can run, ssh keys must be in the known hosts file for the root user. To make this task easier, a connectivity verification script is included with the backup program. When you run the script it will use settings from your config file to find the the device list and login password. Run this script as root before your first backup job, when ever you add or change devices or just for general connectivity troubleshooting.

Verification script syntax-

/path/to/testssh.pl /path/to/config.file

The program will have an output as such -

[admin@Linux1 f5backup]$ ./testssh.pl f5backup.conf
Opening device list file /var/f5backup/list.txt.
Opening password file /home/root/pass.txt.

Connecting to F5_LTM1.
  Error: Can't connect to F5_LTM1 - unable to establish master SSH connection: the 
  authenticity of the target host can't be established, the remote host public key is 
  probably not present on the '~/.ssh/known_hosts' file.

  The authenticity of host 'F5_LTM1 (192.168.1.245)' can't be established.
  RSA key fingerprint is 45:96:ff:a5:98:1e:b5:5g:63:eb:4c:1s:7c:66:a9:24.
  Do you want to add the key to ~/.ssh/known_hosts file? (yes/no): yes
  Adding F5_LTM1 key to ~/.ssh/known_hosts file.
  Shell for F5_LTM1 is tmsh.

Connecting to F5_LTM2.
  Error: Can't connect to F5_LTM2 - unable to establish master SSH connection: the 
  authenticity of the target host can't be established, the remote host public key is 
  probably not present on the '~/.ssh/known_hosts' file.

  The authenticity of host 'F5_LTM2 (192.168.1.246)' can't be established.
  RSA key fingerprint is 8e:2c:na:46:eb:43:97:80:5d:9v:51:9a:aa:29:90:87.
  Do you want to add the key to ~/.ssh/known_hosts file? (yes/no): yes
  Adding F5_LTM2 key to ~/.ssh/known_hosts file.
  Shell for F5_LTM2 is tmsh.

Done.

Manual Backups

You should first perform a manual backup to ensure that the program works properly. Run the program as root. Syntax for the program is as such -

/path/to/f5backup.pl /path/to/config.file

When you run the program you should not get any errors on the screen. Once it is complete you can check the log file. A successful backup job will have a log file output that looks something like this -

Starting configuration backup on 2013-11-04 at 3:00:01.
Opening DB file /var/f5backup/main.db at 3:00:01.
Adding record to JOB DB table at 3:00:01.
Opening device list file /var/f5backup/list.txt at 3:00:01.
Opening password file /root/pass.txt at 3:00:01.
Device F5_LTM01 is not in database. Adding to DB at 3:00:01.
Device F5_LTM02 is not in database. Adding to DB at 3:00:01.
TThere are 2 device(s) to backup.

Connecting to F5_LTM01 at 3:00:01.
Shell for F5_LTM01 is bash.
CID time for F5_LTM01 is - 1383274665.
CID times do not match for F5_LTM01 at 3:00:01. Downloading backup file.
Making device create UCS - Saving active configuration....
Downloading UCS file at 3:01:06.

Connecting to F5_LTM02 at 3:01:54.
Shell for F5_LTM02 is tmsh.
CID time for F5_LTM02 is - 1382556733.
CID times do not match for F5_LTM02 at 3:01:55. Downloading backup file.
Making device create UCS - Saving active configuration....
Downloading UCS file at 3:02:01.

Deleting old files:

Closing database.

Backup job completed at 3:02:52.

If any errors occurred you would see them in the log file when the error occurs and a count of the number of error near the bottom. Once you have verified everything is working with manual backups you can create an automated schedule.

Automatic Backups

To automate the backup you can create a cron job to start what ever time you wish. There are many ways you can create a cron job and you are free to choose which ever method you prefer. This documentation will use the example of adding the job to the file /etc/crontab.

Note: The smallest interval you can trigger the script is daily. If you attempt to do multiple backups per day then any files created on that day will be over written.

To add a daily job to the file /etc/crontab open the file with you favorite text editor such as vi an add the line using the following syntax -

0 3 * * * root /path/to/f5backup.pl /path/to/config.file > /dev/null 2>&1

Example of job:

.------------ minute 0
| .---------- hour 3am
| | .-------- every day
| | | .------ of every month
| | | | .---- of every day of week 
| | | | |  .- User that will run the job
| | | | |  |
0 3 * * * root /var/f5backup/f5backup.pl /var/f5backup/config.conf > /dev/null 2>&1

Normally when you have not made any changes since the previous backup job your log file will have an output as such -

Starting configuration backup on 2013-11-04 at 3:00:01.
Opening DB file /var/f5backup/main.db at 3:00:01.
Adding record to JOB DB table at 3:00:01.
Opening device list file /var/f5backup/list.txt at 3:00:01.
Opening password file /root/pass.txt at 3:00:01.
There are 2 device(s) to backup.

Connecting to F5_LTM1 at 3:00:01.
Shell for F5_LTM1 is tmsh.
CID time for F5_LTM1 is - 1383559322.
CID times match for F5_LTM1 at 3:00:05. Configuration unchanged. Skipping download.

Connecting to F5_LTM2 at 3:00:05.
Shell for F5_LTM2 is tmsh.
CID time for F5_LTM2 is - 1383167073.
CID times match for F5_LTM2 at 3:00:10. Configuration unchanged. Skipping download.

Deleting old files:

Closing database.

Backup job completed at 3:00:10.

Congratulations! You now have automated daily F5 backups.