diff --git a/docs/automating_rseries.rst b/docs/automating_rseries.rst new file mode 100644 index 0000000..843a9da --- /dev/null +++ b/docs/automating_rseries.rst 
@@ -0,0 +1,420 @@ +=========================================== +Automating F5OS on rSeries +=========================================== + +Since F5OS is an API first architecture, everything is automatable at the F5OS layer. There are F5OS API's for every function, and the GUI and CLI are built on top of the API. API reference materials are published on clouddocs.f5.com in addtion to the most common API workflows. In addition, Terraform providers and Ansible collections are also available for F5OS, and more functionality is being added with each release of those packages. + +If you want to see what API functions are available you can view the API reference documentation for the specific F5OS version you are running. As you can see, rSeries / F5OS-A have its own API reference pages and F5OS-C / VELOS have similar pages, most of the API calls are common expcept for those that are specific to the platform. + +`F5OS-A/F5 rSeries - API `_ + +.. image:: images/automating_rseries/image1.png + :align: center + :scale: 70% + +The API workflows section has an index which maps to all the common API workflow examples in the rSeries planning guide. In addtion, there is an accompanying Postman collection which can be downloaded and used within your own environment if you want to become familiar with the F5OS API. + +`F5 rSeries API Workflows `_ + +Below is a smaple of some of the workflows available in the link above, and there are many more. + +.. image:: images/automating_rseries/image2.png + :align: center + :scale: 70% + +F5OS Ansible Collection +======================= + +Ansible collections have been created for F5OS for some of the more common tasks. Addtional API workflows are constantly being added to the collections. + + +`F5OS modules Ansible collection `_ + +F5OS Terraform Provider +======================= + +Terraform providers have been created for F5OS for some of the more common tasks. Addtional API workflows are constantly being added to the providers. 
An overview of the F5OS provider is available using the link below. + +`F5OS Provider Overview `_ + +The github location of the Terraform provider files is at the following location. + +`Terraform Provider F5OS v1.3.0 `_ + +Getting Started with F5OS Automation +==================================== + +If you would prefer to automate the setup of the rSeries appliance, there are F5OS-A API calls for all of the examples above. rSeries supports token-based authentication for the F5OS API's. You may send API calls to either port 8888 or port 443. The URI path will change slightly depending on which TCP port you choose to use. For API calls sent to port 443, the initial path will be **/api**, while API calls to port 8888 will start with **/restconf**. F5OS also listens on port 80 and will redirect to TCP port 443. + + +Example of API call using port 8888. + +.. code-block:: bash + + https://{{rseries_rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/aaa + +Example of API call using port 443. Replace **/restconf** with **/api**. + +.. code-block:: bash + + https://{{rseries_rseries_appliance1_ip}}/api/data/openconfig-system:system/aaa + + +You can send a standard API call with user/password-based authentication (basic auth), and then store the token for subsequent API calls. The X-Auth-Token has a lifetime of fifteen minutes and can be renewed a maximum of five times before you need to authenticate again using basic auth. The renewal period begins at the ten-minute point, where the API will start sending a new X-Auth-Token in the response for the next five minutes. If your API calls fail to start using the new token by the 15-minute point, API calls will start returning 401 Not Authorized. All the API examples in this guide were generated using the Postman utility. Below is an example of using password-based authentication to the rSeries F5OS management IP address. 
Be sure to go to the **Auth** tab and set the *Type** to **Basic Auth** and enter the username and password to log into your rSeries appliance. + +.. image:: images/initial_setup_of_rseries_platform_layer/image5a.png + :align: center + :scale: 70% + +To capture the token and save it for use in subsequent API calls, go to the **Test** option in the API call and enter the following: + +.. code-block:: bash + + var headerValue = pm.response.headers.get("x-auth-token"); + pm.environment.set("x-auth-token_rseries_appliance1", headerValue); + +This will capture the auth token and store it in a variable called **x-auth-token_rseries_appliance1**. + +.. image:: images/initial_setup_of_rseries_platform_layer/image5b.png + :align: center + :scale: 70% + +This will be stored as a variable in the Postman **Environment** as seen below. + +.. image:: images/initial_setup_of_rseries_platform_layer/image5c.png + :align: center + :scale: 70% + + +Once the variable is stored with the auth token, it can be used instead of using basic auth on all subsequent API calls. On any subsequent API call under the **Auth** option, set the **Type** to **Bearer Token**, and set the **Token** to the variable name. Note, Postman references variables by encasing the variable name in these types of parentheses **{{Variable-Name}}**. In this case the **Token** is set to **{{x-auth-token_rseries_appliance1}}**. + +.. image:: images/initial_setup_of_rseries_platform_layer/image5d.png + :align: center + :scale: 70% + +You must also add some required headers to any API calls sent to F5OS. It is important to include the header **Content-Type** **application/yang-data+json** and the Token header **X-Auth-Token** with a value of **{{x-auth-token_rseries_appliance1}}**. The variable and header will change depending on the destination of the API call. It can be sent to a second appliance if desired. + +.. 
image:: images/initial_setup_of_rseries_platform_layer/image5e.png + :align: center + :scale: 70% + + +Below is an example of using the API. To set the DNS configuration (servers and search domains) for the appliance, use the following API call. For any API calls to the rSeries F5OS layer it is important to include the header **Content-Type** **application/yang-data+json** and use port 8888 as seen below: + +.. code-block:: bash + + PATCH https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/dns + +Below is the body of the API call which contains the desired configuration: + +.. code-block:: json + + { + "openconfig-system:dns": { + "config": { + "search": [ + "olympus.f5net.com" + ] + }, + "servers": { + "server": [ + { + "address": "192.168.11.0", + "config": { + "address": "192.168.11.0" + } + } + ] + } + } + } + +You may then view the current DNS configuration with the following API call: + +.. code-block:: bash + + GET https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/dns + +Below is the output from the API query above: + +.. code-block:: json + + { + "openconfig-system:dns": { + "config": { + "search": [ + "olympus.f5net.com" + ] + }, + "state": { + "search": [ + "olympus.f5net.com" + ] + }, + "servers": { + "server": [ + { + "address": "192.168.11.0", + "config": { + "address": "192.168.11.0", + "port": 53 + }, + "state": { + "port": 53 + } + } + ] + } + } + } + +Curl Examples +============== + +Below is an API call using Curl to an rSeries system. Note, that the Curl request is using **username:password** to authenticate. In the response, an authentication token is generated by F5OS with the header **X-Auth-Token**. This token can be used for future reqests instead of using the basic authentication method until the token times out. At that point you'll need to refresh the token. + +.. 
code-block:: bash + + prompt% curl -i -sku admin:password -H "Content-Type: application/yang-data+json" https://10.255.2.40:443/api + HTTP/1.1 200 OK + Date: Fri, 17 Nov 2023 20:17:18 GMT + Server: Apache + Strict-Transport-Security: max-age=63072000; includeSubdomains; + Cache-Control: private, no-cache, must-revalidate, proxy-revalidate + Content-Length: 90 + Content-Type: application/yang-data+json + Pragma: no-cache + X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNzAwMjUyMjM4IiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC92YXJcL0Y1XC9zeXN0ZW0iLCJidWZmZXJ0aW1lbGltaXQiOiIzMDAiLCJleHAiOjE3MDAyNTMxMzgsImlhdCI6MTcwMDI1MjIzOCwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuMjAyIn0.bT9yAXQIaihrAJrluVAIVsKIvuCsWLr97T5M1UjRGUs + Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none'; + Strict-Transport-Security: max-age=15552000; includeSubDomains + X-Content-Type-Options: nosniff + X-Frame-Options: DENY + X-XSS-Protection: 1; mode=block + Content-Security-Policy: default-src 'self'; upgrade-insecure-requests; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; worker-src 'none'; + + {"ietf-restconf:restconf":{"data":{},"operations":{},"yang-library-version":"2019-01-04"}}% prompt% + +You may send API calls to either port 8888 or port 443. The URI path will change slightly depending on which TCP port you choose to use. For API calls sent to port 443, the initial path will be **/api**, while API calls to port 8888 will start with **/restconf**. F5OS also listens on port 80 and will redirect to TCP port 443. The API call below is sent to port 443, note the intial path will be **/api/data**. + +.. 
code-block:: bash + + prompt% curl -i -sku admin:password -H "Content-Type: application/yang-data+json" https://10.255.2.40:443/api/data/openconfig-system:system/f5-system-snmp:snmp + HTTP/1.1 200 OK + Date: Fri, 17 Nov 2023 20:25:01 GMT + Server: Apache + Strict-Transport-Security: max-age=63072000; includeSubdomains; + Last-Modified: Fri, 17 Nov 2023 19:34:16 GMT + Cache-Control: private, no-cache, must-revalidate, proxy-revalidate + Etag: "1700-249656-981804" + Content-Type: application/yang-data+json + Pragma: no-cache + X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNzAwMjUyNzAxIiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC92YXJcL0Y1XC9zeXN0ZW0iLCJidWZmZXJ0aW1lbGltaXQiOiIzMDAiLCJleHAiOjE3MDAyNTM2MDEsImlhdCI6MTcwMDI1MjcwMSwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuMjAyIn0.iqwf4h4190pvUUMDsScM7X357b1sAMyG0rK7jj4AWs4 + Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none'; + Strict-Transport-Security: max-age=15552000; includeSubDomains + X-Content-Type-Options: nosniff + X-Frame-Options: DENY + X-XSS-Protection: 1; mode=block + Content-Security-Policy: default-src 'self'; upgrade-insecure-requests; frame-ancestors 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; worker-src 'none'; + Transfer-Encoding: chunked + + { + "f5-system-snmp:snmp": { + "users": { + "user": [ + { + "name": "jim", + "config": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + }, + { + "name": "snmpv3-user3", + "config": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + 
"privacy-protocol": "aes" + } + }, + { + "name": "snmpv3user", + "config": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + } + ] + }, + "communities": { + "community": [ + { + "name": "public", + "config": { + "name": "public", + "security-model": ["v1", "v2c"] + }, + "state": { + "name": "public", + "security-model": ["v1", "v2c"] + } + }, + { + "name": "public2", + "config": { + "name": "public2", + "security-model": ["v1", "v2c"] + }, + "state": { + "name": "public2", + "security-model": ["v1", "v2c"] + } + } + ] + }, + "engine-id": { + "config": { + "value": "mac" + }, + "state": { + "engine-id": "80:00:2f:f4:03:00:94:a1:69:59:02", + "type": "mac" + } + }, + "config": { + "port": 161 + }, + "state": { + "port": 161 + } + } + } + prompt% + +You may send API calls to either port 8888 or port 443. The URI path will change slightly depending on which TCP port you choose to use. For API calls sent to port 443, the initial path will be **/api**, while API calls to port 8888 will start with **/restconf**. F5OS also listens on port 80 and will redirect to TCP port 443. The API call below is sent to port 8888, note the intial path will be **/restconf/data**. + +.. 
code-block:: bash + + prompt% curl -i -sku admin:password -H "Content-Type: application/yang-data+json" https://10.255.2.40:8888/restconf/data/openconfig-system:system/f5-system-snmp:snmp + HTTP/1.1 200 OK + Date: Fri, 17 Nov 2023 20:26:46 GMT + Server: Apache + Last-Modified: Fri, 17 Nov 2023 19:34:16 GMT + Cache-Control: private, no-cache, must-revalidate, proxy-revalidate + Etag: "1700-249656-981804" + Content-Type: application/yang-data+json + Pragma: no-cache + X-Auth-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJTZXNzaW9uIElEIjoiYWRtaW4xNzAwMjUyODA2IiwiYXV0aGluZm8iOiJhZG1pbiAxMDAwIDkwMDAgXC92YXJcL0Y1XC9zeXN0ZW0iLCJidWZmZXJ0aW1lbGltaXQiOiIzMDAiLCJleHAiOjE3MDAyNTM3MDYsImlhdCI6MTcwMDI1MjgwNiwicmVuZXdsaW1pdCI6IjUiLCJ1c2VyaW5mbyI6ImFkbWluIDE3Mi4xOC4xMDUuMjAyIn0.nxhAQcNikgIQ0LU6HeuY2zSG7ysPb2jdjeVgkjYCltg + Content-Security-Policy: default-src 'self'; block-all-mixed-content; base-uri 'self'; frame-ancestors 'none'; + Strict-Transport-Security: max-age=15552000; includeSubDomains + X-Content-Type-Options: nosniff + X-Frame-Options: DENY + X-XSS-Protection: 1; mode=block + Transfer-Encoding: chunked + + { + "f5-system-snmp:snmp": { + "users": { + "user": [ + { + "name": "jim", + "config": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + }, + { + "name": "snmpv3-user3", + "config": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + }, + { + "name": "snmpv3user", + "config": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + } + ] + }, + "communities": { + "community": [ + { + "name": "public", + "config": { + "name": "public", + 
"security-model": ["v1", "v2c"] + }, + "state": { + "name": "public", + "security-model": ["v1", "v2c"] + } + }, + { + "name": "public2", + "config": { + "name": "public2", + "security-model": ["v1", "v2c"] + }, + "state": { + "name": "public2", + "security-model": ["v1", "v2c"] + } + } + ] + }, + "engine-id": { + "config": { + "value": "mac" + }, + "state": { + "engine-id": "80:00:2f:f4:03:00:94:a1:69:59:02", + "type": "mac" + } + }, + "config": { + "port": 161 + }, + "state": { + "port": 161 + } + } + } + prompt% + diff --git a/docs/images/automating_rseries/image1.png b/docs/images/automating_rseries/image1.png new file mode 100644 index 0000000..11119d3 Binary files /dev/null and b/docs/images/automating_rseries/image1.png differ diff --git a/docs/images/automating_rseries/image2.png b/docs/images/automating_rseries/image2.png new file mode 100644 index 0000000..5c54ca5 Binary files /dev/null and b/docs/images/automating_rseries/image2.png differ diff --git a/docs/images/initial_setup_of_rseries_platform_layer/accept_eula.png b/docs/images/initial_setup_of_rseries_platform_layer/accept_eula.png new file mode 100644 index 0000000..80a51f7 Binary files /dev/null and b/docs/images/initial_setup_of_rseries_platform_layer/accept_eula.png differ diff --git a/docs/images/initial_setup_of_rseries_platform_layer/download_license.png b/docs/images/initial_setup_of_rseries_platform_layer/download_license.png new file mode 100644 index 0000000..70a4cc8 Binary files /dev/null and b/docs/images/initial_setup_of_rseries_platform_layer/download_license.png differ diff --git a/docs/images/initial_setup_of_rseries_platform_layer/edit_license.png b/docs/images/initial_setup_of_rseries_platform_layer/edit_license.png new file mode 100644 index 0000000..008bcf1 Binary files /dev/null and b/docs/images/initial_setup_of_rseries_platform_layer/edit_license.png differ 
diff --git a/docs/images/initial_setup_of_rseries_platform_layer/enter_dossier.png b/docs/images/initial_setup_of_rseries_platform_layer/enter_dossier.png new file mode 100644 index 0000000..bacbfe0 Binary files /dev/null and b/docs/images/initial_setup_of_rseries_platform_layer/enter_dossier.png differ diff --git a/docs/images/rseries_deploying_a_tenant/file-upload-tenant-body.png b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-body.png new file mode 100644 index 0000000..2997cf5 Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-body.png differ diff --git a/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers-f5os.png b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers-f5os.png new file mode 100644 index 0000000..906408e Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers-f5os.png differ diff --git a/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers.png b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers.png new file mode 100644 index 0000000..dcd478d Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/file-upload-tenant-headers.png differ diff --git a/docs/images/rseries_deploying_a_tenant/image10new.png b/docs/images/rseries_deploying_a_tenant/image10new.png new file mode 100644 index 0000000..9de7c2f Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/image10new.png differ diff --git a/docs/images/rseries_deploying_a_tenant/image9new.png b/docs/images/rseries_deploying_a_tenant/image9new.png new file mode 100644 index 0000000..e493a50 Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/image9new.png differ diff --git a/docs/images/rseries_deploying_a_tenant/upload-id.png b/docs/images/rseries_deploying_a_tenant/upload-id.png new file mode 100644 index 0000000..cdf526b Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/upload-id.png differ 
diff --git a/docs/images/rseries_deploying_a_tenant/upload-image-api.png b/docs/images/rseries_deploying_a_tenant/upload-image-api.png new file mode 100644 index 0000000..7ba9717 Binary files /dev/null and b/docs/images/rseries_deploying_a_tenant/upload-image-api.png differ diff --git a/docs/images/rseries_diagnostics/auditlog.png b/docs/images/rseries_diagnostics/auditlog.png new file mode 100644 index 0000000..65fb09e Binary files /dev/null and b/docs/images/rseries_diagnostics/auditlog.png differ diff --git a/docs/images/rseries_diagnostics/downloadqkviewapi.png b/docs/images/rseries_diagnostics/downloadqkviewapi.png new file mode 100644 index 0000000..c10d67f Binary files /dev/null and b/docs/images/rseries_diagnostics/downloadqkviewapi.png differ diff --git a/docs/images/rseries_diagnostics/downloadtcpdumpapi.png b/docs/images/rseries_diagnostics/downloadtcpdumpapi.png new file mode 100644 index 0000000..8862d88 Binary files /dev/null and b/docs/images/rseries_diagnostics/downloadtcpdumpapi.png differ diff --git a/docs/images/rseries_diagnostics/headers.png b/docs/images/rseries_diagnostics/headers.png new file mode 100644 index 0000000..0094ba0 Binary files /dev/null and b/docs/images/rseries_diagnostics/headers.png differ diff --git a/docs/images/rseries_diagnostics/platformlog.png b/docs/images/rseries_diagnostics/platformlog.png new file mode 100644 index 0000000..87497fe Binary files /dev/null and b/docs/images/rseries_diagnostics/platformlog.png differ diff --git a/docs/images/rseries_diagnostics/sendanddownload.png b/docs/images/rseries_diagnostics/sendanddownload.png new file mode 100644 index 0000000..3567684 Binary files /dev/null and b/docs/images/rseries_diagnostics/sendanddownload.png differ 
diff --git a/docs/images/rseries_f5os_configuration_backup_and_restore/configfile.png b/docs/images/rseries_f5os_configuration_backup_and_restore/configfile.png new file mode 100644 index 0000000..3d76f14 Binary files /dev/null and b/docs/images/rseries_f5os_configuration_backup_and_restore/configfile.png differ diff --git a/docs/images/rseries_f5os_configuration_backup_and_restore/configheaders.png b/docs/images/rseries_f5os_configuration_backup_and_restore/configheaders.png new file mode 100644 index 0000000..d044032 Binary files /dev/null and b/docs/images/rseries_f5os_configuration_backup_and_restore/configheaders.png differ diff --git a/docs/images/rseries_f5os_configuration_backup_and_restore/sendanddownload.png b/docs/images/rseries_f5os_configuration_backup_and_restore/sendanddownload.png new file mode 100644 index 0000000..3567684 Binary files /dev/null and b/docs/images/rseries_f5os_configuration_backup_and_restore/sendanddownload.png differ diff --git a/docs/images/rseries_monitoring_snmp/downloadmibsapi1.png b/docs/images/rseries_monitoring_snmp/downloadmibsapi1.png new file mode 100644 index 0000000..5e3237e Binary files /dev/null and b/docs/images/rseries_monitoring_snmp/downloadmibsapi1.png differ diff --git a/docs/images/rseries_monitoring_snmp/downloadmibsapi2.png b/docs/images/rseries_monitoring_snmp/downloadmibsapi2.png new file mode 100644 index 0000000..34ba532 Binary files /dev/null and b/docs/images/rseries_monitoring_snmp/downloadmibsapi2.png differ diff --git a/docs/images/rseries_monitoring_snmp/sendanddownload.png b/docs/images/rseries_monitoring_snmp/sendanddownload.png new file mode 100644 index 0000000..3567684 Binary files /dev/null and b/docs/images/rseries_monitoring_snmp/sendanddownload.png differ 
diff --git a/docs/images/rseries_monitoring_snmp/snmpheaders.png b/docs/images/rseries_monitoring_snmp/snmpheaders.png new file mode 100644 index 0000000..0094ba0 Binary files /dev/null and b/docs/images/rseries_monitoring_snmp/snmpheaders.png differ diff --git a/docs/images/rseries_monitoring_snmp/snmplogdownload.png b/docs/images/rseries_monitoring_snmp/snmplogdownload.png new file mode 100644 index 0000000..a631ac9 Binary files /dev/null and b/docs/images/rseries_monitoring_snmp/snmplogdownload.png differ diff --git a/docs/images/rseries_software_upgrades/file-upload-tenant-body.png b/docs/images/rseries_software_upgrades/file-upload-tenant-body.png new file mode 100644 index 0000000..2997cf5 Binary files /dev/null and b/docs/images/rseries_software_upgrades/file-upload-tenant-body.png differ diff --git a/docs/images/rseries_software_upgrades/file-upload-tenant-headers-f5os.png b/docs/images/rseries_software_upgrades/file-upload-tenant-headers-f5os.png new file mode 100644 index 0000000..906408e Binary files /dev/null and b/docs/images/rseries_software_upgrades/file-upload-tenant-headers-f5os.png differ diff --git a/docs/images/rseries_software_upgrades/file-upload-tenant-headers.png b/docs/images/rseries_software_upgrades/file-upload-tenant-headers.png new file mode 100644 index 0000000..dcd478d Binary files /dev/null and b/docs/images/rseries_software_upgrades/file-upload-tenant-headers.png differ diff --git a/docs/images/rseries_software_upgrades/image10new.png b/docs/images/rseries_software_upgrades/image10new.png new file mode 100644 index 0000000..9de7c2f Binary files /dev/null and b/docs/images/rseries_software_upgrades/image10new.png differ diff --git a/docs/images/rseries_software_upgrades/image9new.png b/docs/images/rseries_software_upgrades/image9new.png new file mode 100644 index 0000000..e493a50 Binary files /dev/null and b/docs/images/rseries_software_upgrades/image9new.png differ 
diff --git a/docs/images/rseries_software_upgrades/upload-id.png b/docs/images/rseries_software_upgrades/upload-id.png new file mode 100644 index 0000000..cdf526b Binary files /dev/null and b/docs/images/rseries_software_upgrades/upload-id.png differ diff --git a/docs/images/rseries_software_upgrades/upload-image-api.png b/docs/images/rseries_software_upgrades/upload-image-api.png new file mode 100644 index 0000000..7ba9717 Binary files /dev/null and b/docs/images/rseries_software_upgrades/upload-image-api.png differ diff --git a/docs/index.rst b/docs/index.rst index ffe57ea..5856b3b 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -25,4 +25,7 @@ Planning for rSeries Guide monitoring_rseries_health_status.rst monitoring_rseries.rst rseries_monitoring_snmp.rst - migration_to_rseries.rst \ No newline at end of file + automating_rseries.rst + rseries_api_workflows.rst + migration_to_rseries.rst + rseries_references.rst \ No newline at end of file diff --git a/docs/initial_setup_of_rseries_platform_layer.rst b/docs/initial_setup_of_rseries_platform_layer.rst index 56c93a9..90acdc3 100644 --- a/docs/initial_setup_of_rseries_platform_layer.rst +++ b/docs/initial_setup_of_rseries_platform_layer.rst @@ -5,7 +5,7 @@ Initial Setup of rSeries F5OS Platform Layer Connect a console or terminal server to the console port of the rSeries appliance. Follow the guidance in the link below: -https://techdocs.f5.com/en-us/hardware/f5-rseries-systems-getting-started/gs-system-initial-config.html#run-setup-wizard +`Run the Setup wizard `_ Login as admin/admin and access the F5OS CLI. F5OS utilizes **ConfD** for configuration management of F5OS and will be a familiar navigation experience if you have used it on other products. The CLI supports command completion and online help and is easy to navigate. There are **show** commands to display current configurations and status, and a **config** mode to alter current configuration. 
@@ -1048,16 +1048,16 @@ The CLI command **show system licensing** will display the appliance level licen Boston-r10900-1# show system licensing system licensing license Licensed version 1.0.0 - Registration Key I5251-44764-04805-81212-8207880 + Registration Key XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX Licensed date 2022/01/01 License start 2021/09/27 License end 2022/02/12 Service check date 2022/01/13 Platform ID C129 - Appliance SN f5-zcxz-qxpq + Appliance SN f5-xxxx-xxxx Active Modules - Local Traffic Manager, r5900 (P167390-1282512) + Local Traffic Manager, r5900 (XXXXXXX-XXXXXXX) Rate Shaping Anti-Virus Checks Base Endpoint Security Checks 
@@ -1076,10 +1076,430 @@ The CLI command **show system licensing** will display the appliance level licen **Note: rSeries supports AWAF versus ASM licensing, and modules like AAM are not supported on the rSeries platform since it has reached End-of-Life.** -https://support.f5.com/csp/article/K70113407 +`K70113407: End of Software Development for BIG-IP AAM `_ + + +Manual Licensing via API +======================== + +Sometimes a manual licensing operation may need to be performed. This is common in environments where the rSeries appliance doesn't have access to the Internet to reach the licensing server. In this case, you may perform a manual licensing operation via the API. First, obtain the **Base Registration Key** that is tied to your system. Below is an example for a temporary evaluation license but the process would be similar for a production license. In the example below, the actual Registration Key has been obfuscated with XXXX's. + + + +.. code-block:: bash + + + --------------------------------------------------------- + Contact : Jim@F5.com + --------------------------------------------------------- + + Registration Key : XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX + F5 Product : F5-BIG-BT-R10900-LIC-DEV + Evaluation Duration : 30 days + Requested Registration Key Configuration + --------------------------------------------------------- + +Then send the Base Reg Key in the body of the get-dossier API call below: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/f5-system-licensing:licensing/f5-system-licensing-install:get-dossier + +Within the body of API call, enter your registation-key. Note, in the example below the actual Registration Key has been obfuscated with XXXX's. + + +.. code-block:: json + + { + "registration-key": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX" + } + + +If the API call is successful, then the output will give you a system-dossier as seen below. 
Note, in the example below the actual system-dossier has been obfuscated with random characters. You'll need to copy and save the dossier, as you'll need to input it into F5's licensing server, to get the license for your system. + +.. code-block:: json + + { + "f5-system-licensing-install:output": { + "system-dossier": "42bd1c9c5c1e9081522beea5ceab5c3e7726f9b5a90dd9d5a8d73d9dba80094317c6aeab2b75219226d9a2f8b335651d395ade0384debe1086ee0f46d0d7043c90b03f08a7fcdc28db75984892f1e28f394d07d569b45a1868ceeb264a272243e4c842c41fbd043fd4bcx19c6f1e3a274589d4f06253c49d31f1ed48731ddda10a5a68eb78d8473c06c38c3ea2cb6db0ae2902c5a9323dccf5e00212a9f541a58cd85fe191b12daa4a6975cee14fe33242cb8183fea43xa21c2a8c1944f14583895eb920306b4f9e0fd7834561026b0c669f736081e9da80bf536874d9a3737bacff59e6240381ddc2b821c380c81d963c95beedc6a940a4db97a527922383096c54d8028f3f3f6dccfe213fdad4a1316b772317cae0d45911469972bd3f761636f3f397467cf8a2e7ae1d22e1ea30d6b21d47ff4d8ab112ebc5d7eaab3819f0ed18b0830bc4250069a80de428ef28a9c4dba725a3623887019b7c31dc210997104140a58b8f172e8c4d0c4ea819b6743df711d0b65eb2c235e79313b1e9ff2dcd1768770e7f23dc626d2e44d0a394916a8b8debaf73971b91cbf3d96f7be6e1afcf18b42f84fd1b2ba7fe021e95417bbe2cf1bdb42077b8aefb350d865ae7db13073781212c8534d204a0e4023023de8b5380463b67b935fce2e4474f8f607130ee01c961cf978ccdb6211d9bc6f8axx4aab784f50c7e71a5bc1297f3453c9d0feb62e809315b7421f598275a2e8435aee8b2658f6a355706259820fde8702cb8940bf324494c4511d62964be657cc570a0947731e8ef025d6d7ea4038d91fe0084f11dda9a4713ae056bb21733958f4963a6051259a78d3336b368c345cc24da99a9ebf10e5f5b7c376484d60fd8d80ed2f6fbc9ef3bdf7b737af9780e7f4f72ea6a79b32a24da84fae44fdc0fd30761b3dd62d6660x462d90c843f1916eb2c01fd5efd25f05c196e6a6eb0ba93db3e549ee4fb2f79b08ed1edaae9aaf01d83fe87b473852b97fa89573ff85247e1c5be23a599b3f8c65d1d7f6d2c4f56d13217bb2ba07d383d038b29ab407e4cf40986a83d0b18933d53078e80b7cd7550" + } + } + +Go to F5 license server: + + +`Activate F5 License `_ + + +Paste in the dossier from your system. + +.. 
image:: images/initial_setup_of_rseries_platform_layer/enter_dossier.png + :align: center + :scale: 50% + +Next, you'll be prompted to accept the End User License Agreement (EULA). Click on the check box to acknowledge that you have read and agree to the terms in the EULA. Then click Next. + +.. image:: images/initial_setup_of_rseries_platform_layer/accept_eula.png + :align: center + :scale: 70% + +A license will be displayed. You can either copy the output or download the License File. It is recommended you download the file if possible. + +.. image:: images/initial_setup_of_rseries_platform_layer/download_license.png + :align: center + :scale: 70% + +You'll need to edit the license file to escape any double quotes within the license body. In the body of the API call you have to escape any double quotes (inside the license) with slashes ( \ ), as seen below. + +.. image:: images/initial_setup_of_rseries_platform_layer/edit_license.png + :align: center + :scale: 40% + +Send the following API call to install the new license: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/f5-system-licensing:licensing/f5-system-licensing-install:manual-install + + +In the body of the API call enter the edited license in the proper area. Below is the full body with the escaped double quotes in the license. Note the file has been obfuscated from its original: + +.. code-block:: json + + + { + "input": + [ + {"license":"# + Auth vers : 5b + # + # + # BIG-IP System License Key File + # DO NOT EDIT THIS FILE!! + # + # Install this file as \"/config/bigip.license\". + # + # Contact information in file /CONTACTS + # + # + # Warning: Changing the system time while this system is running + # with a time-limited license may make the system unusable. + # + Usage : Evaluation + # + # + # Only the specific use referenced above is allowed. Any other uses are prohibited. + # + Vendor : F5 Networks, Inc. 
+ # + # Module List + # + active module : Best Bundle, r10900|E135699-1129899|Rate Shaping|DNS Services|BIG-IP, DNS (Max)|Routing Bundle|Access Policy Manager, Base, r109XX|Advanced Web Application Firewall, r10XXX|Max Compression, r10900|Max SSL, r10900|Advanced Firewall Manager, r10XXX|DNSSEC|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Machine Certificate Checks|Network Access|Protected Workspace|Secure Virtual Keyboard|APM, Web Application|App Tunnel|Remote Desktop|DNS Rate Fallback, Unlimited|DNS Licensed Objects, Unlimited|DNS Rate Limit, Unlimited QPS|GTM Rate Fallback, (UNLIMITED)|GTM Licensed Objects, Unlimited|GTM Rate, Unlimited|DNS RATE LIMITED, MAX|Carrier Grade NAT (AFM ONLY)|Protocol Security Manager + optional module : Advanced Protocols + optional module : APM, Max Access Sessions, i108XX + optional module : Basic Policy Enforcement Manager, r10XXX + optional module : BIG-IP, Multicast Routing + optional module : BIG-IP, Privileged User Access, 100 Endpoints + optional module : BIG-IP, Privileged User Access, 1000 Endpoints + optional module : BIG-IP, Privileged User Access, 250 Endpoints + optional module : BIG-IP, Privileged User Access, 50 Endpoints + optional module : BIG-IP, Privileged User Access, 500 Endpoints + optional module : Carrier-Grade NAT, r10XXX + optional module : Concurrent Users + optional module : DDOS, r10XXX + optional module : Dynamic Policy Provisioning, r10XXX + optional module : External Interface and Network HSM + optional module : FIPS 140 License, r10XXX + optional module : FIX Low Latency + optional module : Intrusion Prevention System, r10XXX + optional module : IP Intelligence, 1Yr + optional module : IP Intelligence, 3Yr + optional module : IPS, 1Yr + optional module : IPS, 3Yr + optional module : Link Controller + optional module : Policy Enforcement Manager, r10XXX + optional module : SM2_SM3_SM4 + optional module : SSL Orchestrator, r10XXX + optional module : Subscriber Discovery, r10XXX + 
optional module : SWG Max, 1Yr, 10XXX/i10XXX/12250v/r10XXX + optional module : SWG Max, 3Yr, 10XXX/i10XXX/12250v/r10XXX + optional module : SWG, 1Yr, 10XXX/i10XXX/12250v/r10XXX + optional module : SWG, 3Yr, 10XXX/i10XXX/12250v/r10XXX + optional module : Threat Campaigns, 1Yr + optional module : Threat Campaigns, 3Yr + optional module : Traffic Classification, r10XXX + optional module : URL Filtering, 1Yr + optional module : URL Filtering, 1Yr, Max + optional module : URL Filtering, 3Yr + optional module : URL Filtering, 3Yr, Max + optional module : VPN Users + # + # Accumulated Tokens for Module + # Max SSL, r10900 perf_SSL_Mbps 1 key XXXXXXX-XXXXXXX + # + perf_SSL_Mbps : 1 + # + # Accumulated Tokens for Module + # Access Policy Manager, Base, r109XX apm_access_sessions 100000000 key XXXXXXX-XXXXXXX + # + # Accumulated Tokens for Module + # Access Policy Manager, Base, r109XX apm_sessions 500 key XXXXXXX-XXXXXXX + # + # Accumulated Tokens for Module + # Access Policy Manager, Base, r109XX apm_urlf_limited_sessions 100000000 key XXXXXXX-XXXXXXX + # + apm_access_sessions : 100000000 + apm_sessions : 500 + apm_urlf_limited_sessions : 100000000 + # + # License Tokens for Module Advanced Web Application Firewall, r10XXX key XXXXXXX-XXXXXXX + # + waf_gc : enabled + mod_waf : enabled + mod_datasafe : enabled + mod_asm : enabled + ltm_persist_cookie : enabled + ltm_persist : enabled + ltm_lb_rr : enabled + ltm_lb_ratio : enabled + ltm_lb_priority : enabled + ltm_lb_pool_member_limit : UNLIMITED + ltm_lb_least_conn : enabled + ltm_lb_l3_addr : enabled + ltm_lb : enabled + asm_apps : unlimited + # + # License Tokens for Module Best Bundle, r10900 key XXXXXXX-XXXXXXX + # + throttle_level : 900 + perf_vcmp_max_guests : UNLIMITED + perf_PVA_dram_limit : enabled + perf_CPU_cores : UNLIMITED + nw_vlan_groups : enabled + mod_ltm : enabled + mod_lbl : enabled + mod_ilx : enabled + ltm_network_virtualization : enabled + # + # License Tokens for Module Max SSL, r10900 key 
XXXXXXX-XXXXXXX + # + perf_SSL_total_TPS : UNLIMITED + perf_SSL_per_core : enabled + perf_SSL_cmp : enabled + # + # License Tokens for Module Max Compression, r10900 key XXXXXXX-XXXXXXX + # + perf_http_compression_Mbps : UNLIMITED + perf_http_compression_hw : enabled + # + # License Tokens for Module Routing Bundle key XXXXXXX-XXXXXXX + # + nw_routing_rip : enabled + nw_routing_ospf : enabled + nw_routing_isis : enabled + nw_routing_bgp : enabled + nw_routing_bfd : enabled + # + # License Tokens for Module Advanced Firewall Manager, r10XXX key XXXXXXX-XXXXXXX + # + nw_l2_transparent : enabled + mod_afm : enabled + ltm_netflow_switching : enabled + ltm_monitor_rule : enabled + # + # License Tokens for Module BIG-IP, DNS (Max) key XXXXXXX-XXXXXXX + # + mod_dnsgtm : enabled + ltm_dns_v13 : enabled + ltm_dns_lite : enabled + # + # License Tokens for Module Carrier Grade NAT (AFM ONLY) key XXXXXXX-XXXXXXX + # + mod_cgnat : enabled + ltm_network_map : enabled + ltm_monitor_udp : enabled + ltm_monitor_tcp_ho : enabled + ltm_monitor_tcp : enabled + ltm_monitor_radius : enabled + ltm_monitor_icmp : enabled + ltm_monitor_gateway_icmp : enabled + dslite : enabled + cgnat : enabled + # + # License Tokens for Module Access Policy Manager, Base, r109XX key XXXXXXX-XXXXXXX + # + mod_apm : enabled + apm_pingaccess : enabled + apm_logon_page_fraud_protection : enabled + apm_api_protection : enabled + api_protection_infra : enabled + # + # License Tokens for Module Protocol Security Manager key XXXXXXX-XXXXXXX + # + mod_afw : enabled + # + # License Tokens for Module DNS Services key XXXXXXX-XXXXXXX + # + ltm_rule_dns_write : enabled + ltm_dnsexpress : enabled + ltm_dns64 : enabled + ltm_dns_switching : enabled + ltm_dns_mgmt : enabled + ltm_dns_cache_resolver : enabled + admin_dns_mgmt : enabled + # + # License Tokens for Module DNSSEC key XXXXXXX-XXXXXXX + # + ltm_dnssec : enabled + # + # License Tokens for Module DNS Rate Limit, Unlimited QPS key XXXXXXX-XXXXXXX + # + 
ltm_dns_rate_limit : UNLIMITED + # + # License Tokens for Module DNS Rate Fallback, Unlimited key XXXXXXX-XXXXXXX + # + ltm_dns_rate_fallback : UNLIMITED + # + # License Tokens for Module DNS Licensed Objects, Unlimited key XXXXXXX-XXXXXXX + # + ltm_dns_licensed_objects : UNLIMITED + # + # License Tokens for Module Rate Shaping key XXXXXXX-XXXXXXX + # + ltm_bandw_rate_tosque : enabled + ltm_bandw_rate_fairque : enabled + ltm_bandw_rate_classl7 : enabled + ltm_bandw_rate_classl4 : enabled + ltm_bandw_rate_classes : enabled + # + # License Tokens for Module GTM Rate, Unlimited key XXXXXXX-XXXXXXX + # + gtm_rate_limit : UNLIMITED + # + # License Tokens for Module GTM Rate Fallback, (UNLIMITED) key XXXXXXX-XXXXXXX + # + gtm_rate_fallback : UNLIMITED + # + # License Tokens for Module GTM Licensed Objects, Unlimited key XXXXXXX-XXXXXXX + # + gtm_licensed_objects : UNLIMITED + # + # License Tokens for Module APM, Web Application key XXXXXXX-XXXXXXX + # + apm_web_applications : enabled + # + # License Tokens for Module Remote Desktop key XXXXXXX-XXXXXXX + # + apm_remote_desktop : enabled + # + # License Tokens for Module Network Access key XXXXXXX-XXXXXXX + # + apm_na : enabled + # + # License Tokens for Module Secure Virtual Keyboard key XXXXXXX-XXXXXXX + # + apm_ep_svk : enabled + # + # License Tokens for Module Protected Workspace key XXXXXXX-XXXXXXX + # + apm_ep_pws : enabled + # + # License Tokens for Module Machine Certificate Checks key XXXXXXX-XXXXXXX + # + apm_ep_machinecert : enabled + # + # License Tokens for Module Firewall Checks key XXXXXXX-XXXXXXX + # + apm_ep_fwcheck : enabled + # + # License Tokens for Module Anti-Virus Checks key XXXXXXX-XXXXXXX + # + apm_ep_avcheck : enabled + # + # License Tokens for Module Base Endpoint Security Checks key XXXXXXX-XXXXXXX + # + apm_ep : enabled + # + # License Tokens for Module App Tunnel key XXXXXXX-XXXXXXX + # + apm_app_tunnel : enabled + # + # + # Licensing Information + # + Licensed date : 20231115 + License start 
: 20231114 + License end : 20231216 + Service check date : 20231115 + # + # Platform Information + # + Registration Key : XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX + Licensed version : 1.7.0 + Platform ID : C128 + Appliance SN : f5-xxxx-xxxx + # + # Outbound License Dossier Validation + # + Dossier : 01ac66f1c5a13fad15f3a0eca6428220df12b8e94506a852dae2c13fbbb67556e48f1x73b849d7cd3962e270e73y23218e85871670e84e9485e774357250f8f7299a176f + # + # Outbound License Authorization Signature + # + Authorization : 185b003ad1b2b9c9e4365ef7315e17cee59c96d958354ba4931bd5c934600acbdf2ecc0f7093db5ded3a5e800038051960d9ab95a45a171d1c0d9f9c0480e2a2e43939c79cecb216bd6bc592b630b9a8787e3847d2bb731915258ef96c921bc6b1e7bd08c0e86bc6476e5ax3bb942e9964d61de662b3e370994335c84193cc03b7adb7f4ef9d1df7d5eb74f53bb1d801604e3d0d4eab875585c88ba708e5832bf5b666aaad894a2218c627666ce6a97f12cf7c9de65c72b6187756008fd8c23cf6475e4c1bd082423ce90f4f0b83455d3c5b1d3ac76b5d5932c9cf506f059d3802a2ba954d4d2ma86d16db40ceeccc59106051fe7d69ab8df5es713914e81f91 + # + #----------------------------------------- + # Copyright 1996-2023, F5 Networks, Inc. + # All rights reserved. + #----------------------------------------- + " + } + ] + } + + +You'll get the following confirmation that the license has been installed successfully: + +.. code-block:: json + + { + "f5-system-licensing-install:output": { + "result": "License installed successfully." + } + } + + +Automatic Licensing via API +=========================== + +You can very easily apply a license automatically with the following API call. This assumes the VELOS system controllers are on the network, have internet access and DNS has been configured. This will allow the system to resolve the domain name for the F5 licensing server to apply the license. + + +.. 
code-block:: bash + + POST https://{{velos_chassis1_system_controller_ip}}:8888/restconf/data/openconfig-system:system/f5-system-licensing:licensing/f5-system-licensing-install:install + +In the body of the API call add your Base Registration Key: + +.. code-block:: json + + { + "f5-system-licensing-install:input": [ + { + "registration-key": "{{velos_license_registration_key_chassis1}}" + } + ] + } + +You should receive a success message indicating the License installed successfully. + +.. code-block:: json + + { + "f5-system-licensing-install:output": { + "result": "License installed successfully." + } + } -Licensing via API -================= To get the current licensing status via API use the following API call. Issue a **GET** to the out-of-band management IP address of the F5OS layer: 
@@ -1093,13 +1513,13 @@ To get the current licensing status via API use the following API call. Issue a "f5-system-licensing:licensing": { "config": { "registration-key": { - "base": "B1249-45920-70635-24344-7350724" + "base": "XXXXX-XXXXX-XXXXX-XXXXX-XXXXXXX" }, - "dossier": "01ac66f1c5a13fad15f3a0eca6528220df04f42baa4c48f1c35682c6691dde0e306406407cec3f6b9c3cfa93751f21360bfcf7085585d79b4feb7170a314637e8f99f22b09fcd4a4c54b27def300a8f9c83420b9cc0a6bd097a8f7e958fc2b8c4e93d685f6b70bc415e7999b869eba07d5976183ee31e612b8e94506a852dae2c13fbbb67556e48f1473b849d7cd396be270e73123218e85871670e84e9485e774a57250f8f7299a876f17106158c62efb579aad689ebfc629b31e2175c4485b59a4bed33bd3e2dd31e7fb83", - "license": "#\nAuth vers : 5b\n#\n#\n# BIG-IP System License Key File\n# DO NOT EDIT THIS FILE!!\n#\n# Install this file as \"/config/bigip.license\".\n#\n# Contact information in file /CONTACTS\n#\n#\n# Warning: Changing the system time while this system is running\n# with a time-limited license may make the system unusable.\n#\nUsage : F5 Internal Product Development\n#\n#\n# Only the specific use referenced above is allowed. 
Any other uses are prohibited.\n#\nVendor : F5 Networks, Inc.\n#\n# Module List \n#\nactive module : Local Traffic Manager, r10900|Y226037-5242227|Rate Shaping|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Machine Certificate Checks|Network Access|Protected Workspace|Secure Virtual Keyboard|APM, Web Application|App Tunnel|Remote Desktop|APM, Limited|Max SSL, r10900|Max Compression, r10900\noptional module : Access Policy Manager, Base, r109XX\noptional module : Access Policy Manager, Max, r109XX\noptional module : Advanced Firewall Manager, r10XXX\noptional module : Advanced Protocols\noptional module : Advanced Web Application Firewall, r10XXX\noptional module : App Mode (TMSH Only, No Root/Bash)\noptional module : Basic Policy Enforcement Manager, i10XXX\noptional module : BIG-IP, Multicast Routing\noptional module : BIG-IP, Privileged User Access, 100 Endpoints\noptional module : BIG-IP, Privileged User Access, 1000 Endpoints\noptional module : BIG-IP, Privileged User Access, 250 Endpoints\noptional module : BIG-IP, Privileged User Access, 50 Endpoints\noptional module : BIG-IP, Privileged User Access, 500 Endpoints\noptional module : Carrier-Grade NAT, r10XXX\noptional module : DataSafe, r10XXX\noptional module : DDOS, r10XXX\noptional module : DNS 1K, rSeries\noptional module : DNS Max, rSeries\noptional module : Dynamic Policy Provisioning, r10XXX\noptional module : External Interface and Network HSM\noptional module : FIPS 140-2\noptional module : FIX Low Latency\noptional module : Intrusion Prevention System, r10XXX\noptional module : IP Intelligence, 1Yr\noptional module : IP Intelligence, 3Yr\noptional module : IPS, 1Yr\noptional module : IPS, 3Yr\noptional module : Link Controller\noptional module : LTM to Best Upgrade, r109XX\noptional module : LTM to Better Upgrade, r109XX\noptional module : Policy Enforcement Manager, r10XXX\noptional module : Routing Bundle\noptional module : SM2_SM3_SM4\noptional module : SSL Orchestrator, 
r10XXX\noptional module : Subscriber Discovery, r10XXX\noptional module : Threat Campaigns, 1Yr\noptional module : Threat Campaigns, 3Yr\noptional module : Traffic Classification, r10XXX\noptional module : URL Filtering, 1Yr\noptional module : URL Filtering, 1Yr, Max\noptional module : URL Filtering, 3Yr\noptional module : URL Filtering, 3Yr, Max\noptional module : VPN Users\n#\n# Accumulated Tokens for Module\n# Max SSL, r10900 perf_SSL_Mbps 1 key Y226037-5242227\n#\nperf_SSL_Mbps : 1\n#\n# Accumulated Tokens for Module\n# APM, Limited apm_urlf_limited_sessions 10 key Y226037-5242227\n#\n# Accumulated Tokens for Module\n# APM, Limited apml_sessions 10 key Y226037-5242227\n#\napm_urlf_limited_sessions : 10\napml_sessions : 10\n#\n# License Tokens for Module Local Traffic Manager, r10900 key Y226037-5242227\n#\nthrottle_level : 900\nperf_vcmp_max_guests : UNLIMITED\nperf_PVA_dram_limit : enabled\nperf_CPU_cores : UNLIMITED\nnw_vlan_groups : enabled\nmod_ltm : enabled\nmod_lbl : enabled\nmod_ilx : enabled\nltm_network_virtualization : enabled\nfpga_performance : enabled\n#\n# License Tokens for Module Max SSL, r10900 key Y226037-5242227\n#\nperf_SSL_total_TPS : UNLIMITED\nperf_SSL_per_core : enabled\nperf_SSL_cmp : enabled\n#\n# License Tokens for Module Max Compression, r10900 key Y226037-5242227\n#\nperf_http_compression_Mbps : UNLIMITED\nperf_http_compression_hw : enabled\n#\n# License Tokens for Module APM, Limited key Y226037-5242227\n#\nmod_apml : enabled\n#\n# License Tokens for Module Rate Shaping key Y226037-5242227\n#\nltm_bandw_rate_tosque : enabled\nltm_bandw_rate_fairque : enabled\nltm_bandw_rate_classl7 : enabled\nltm_bandw_rate_classl4 : enabled\nltm_bandw_rate_classes : enabled\n#\n# License Tokens for Module APM, Web Application key Y226037-5242227\n#\napm_web_applications : enabled\n#\n# License Tokens for Module Remote Desktop key Y226037-5242227\n#\napm_remote_desktop : enabled\n#\n# License Tokens for Module Network Access key 
Y226037-5242227\n#\napm_na : enabled\n#\n# License Tokens for Module Secure Virtual Keyboard key Y226037-5242227\n#\napm_ep_svk : enabled\n#\n# License Tokens for Module Protected Workspace key Y226037-5242227\n#\napm_ep_pws : enabled\n#\n# License Tokens for Module Machine Certificate Checks key Y226037-5242227\n#\napm_ep_machinecert : enabled\n#\n# License Tokens for Module Firewall Checks key Y226037-5242227\n#\napm_ep_fwcheck : enabled\n#\n# License Tokens for Module Anti-Virus Checks key Y226037-5242227\n#\napm_ep_avcheck : enabled\n#\n# License Tokens for Module Base Endpoint Security Checks key Y226037-5242227\n#\napm_ep : enabled\n#\n# License Tokens for Module App Tunnel key Y226037-5242227\n#\napm_app_tunnel : enabled\n#\n# Debug Msg - Is sol18346625 affected; Usage, \"2021-09-28 00.00.00\", started after requirement date \"2016-04-15 00.00.00\"\n#\n# LC disabled in accordance with https://support.f5.com/kb/en-us/solutions/public/k/18/sol18346625.html\n#\ngtm_lc : disabled\n#\n# Licensing Information \n#\nLicensed date : 20211129\nLicense start : 20210927\nLicense end : 20220121\nService check date : 20211222\n#\n# Platform Information \n#\nRegistration Key : B1249-45920-70635-24344-7350724\nLicensed version : 1.0.0\nPlatform ID : C128\nAppliance SN : f5-xpdn-ngmu\n#\n# Outbound License Dossier Validation\n#\nDossier : 01ac66f1c5a13fad15f3a0eca6528220df12b8e94506a852dae2c13fbbb67556e48f1473b849d7cd396be270e73123218e85871670e84e9485e774a57250f8f7299a876f\n#\n# Outbound License Authorization Signature\n#\nAuthorization : 
9f41c2f3f96ed6fc9c8112934fab434ba63bce96f73cd24d61b49fa7c9dc8e5d662e27f837ba734c6c8a3c52577b8b9e1a64aefc46aed07441eff37a52575d7341d701597b2ef59d27230cf1b3d41524978f522f23386bc2ab7c1b34756d9be36d433f34d0339227e8ec5f37af432614141f3c749df1e26d3d069ad9a043c2ebedd4bc60f81ff155ade7b172714075786a7916f32b06830747c3da3ee1281e1965042df766ac31c5690b802257685b87d1ff980a83a5ac9e14cc7e5b73045b4a7c34fea60e4a8dd3b7c460cca83d3805006afc4a82071b3cc502e3dc7c2c40958046bfc835eb0386017352b90175b1cb37a4e3e1bc51467d08cd360a957998a4\n#\n#-----------------------------------------\n# Copyright 1996-2021, F5 Networks, Inc.\n# All rights reserved. \n#-----------------------------------------\n" + "dossier": "01ac66f1c5a13fad15f3a0eca6528220df04f42baa4c48f1c35682c6691dde0e306406407cec3f6b9c3cfa93751421360bfcf7085585d79b4feb7170a314637e8f99f22b09fcd4a4c54b27def300a8f9c83420b9cc0a6bd097a8f7e958fc2b8c4e93d685f6b70bc415e7999b869eba07d5976183ee31e612b8e94506a852dae2c13fbbb67556e48f1475b849d7xd396be270e73123258e85871670e81e9485e774a57250f8f7299a876f17106158c62efb579aad689ebfc629b31e2175c4485b59a4bed33bd3e2dd31e7fb83", + "license": "#\nAuth vers : 5b\n#\n#\n# BIG-IP System License Key File\n# DO NOT EDIT THIS FILE!!\n#\n# Install this file as \"/config/bigip.license\".\n#\n# Contact information in file /CONTACTS\n#\n#\n# Warning: Changing the system time while this system is running\n# with a time-limited license may make the system unusable.\n#\nUsage : F5 Internal Product Development\n#\n#\n# Only the specific use referenced above is allowed. 
Any other uses are prohibited.\n#\nVendor : F5 Networks, Inc.\n#\n# Module List \n#\nactive module : Local Traffic Manager, r10900|XXXXXX-XXXXXX|Rate Shaping|Anti-Virus Checks|Base Endpoint Security Checks|Firewall Checks|Machine Certificate Checks|Network Access|Protected Workspace|Secure Virtual Keyboard|APM, Web Application|App Tunnel|Remote Desktop|APM, Limited|Max SSL, r10900|Max Compression, r10900\noptional module : Access Policy Manager, Base, r109XX\noptional module : Access Policy Manager, Max, r109XX\noptional module : Advanced Firewall Manager, r10XXX\noptional module : Advanced Protocols\noptional module : Advanced Web Application Firewall, r10XXX\noptional module : App Mode (TMSH Only, No Root/Bash)\noptional module : Basic Policy Enforcement Manager, i10XXX\noptional module : BIG-IP, Multicast Routing\noptional module : BIG-IP, Privileged User Access, 100 Endpoints\noptional module : BIG-IP, Privileged User Access, 1000 Endpoints\noptional module : BIG-IP, Privileged User Access, 250 Endpoints\noptional module : BIG-IP, Privileged User Access, 50 Endpoints\noptional module : BIG-IP, Privileged User Access, 500 Endpoints\noptional module : Carrier-Grade NAT, r10XXX\noptional module : DataSafe, r10XXX\noptional module : DDOS, r10XXX\noptional module : DNS 1K, rSeries\noptional module : DNS Max, rSeries\noptional module : Dynamic Policy Provisioning, r10XXX\noptional module : External Interface and Network HSM\noptional module : FIPS 140-2\noptional module : FIX Low Latency\noptional module : Intrusion Prevention System, r10XXX\noptional module : IP Intelligence, 1Yr\noptional module : IP Intelligence, 3Yr\noptional module : IPS, 1Yr\noptional module : IPS, 3Yr\noptional module : Link Controller\noptional module : LTM to Best Upgrade, r109XX\noptional module : LTM to Better Upgrade, r109XX\noptional module : Policy Enforcement Manager, r10XXX\noptional module : Routing Bundle\noptional module : SM2_SM3_SM4\noptional module : SSL Orchestrator, 
r10XXX\noptional module : Subscriber Discovery, r10XXX\noptional module : Threat Campaigns, 1Yr\noptional module : Threat Campaigns, 3Yr\noptional module : Traffic Classification, r10XXX\noptional module : URL Filtering, 1Yr\noptional module : URL Filtering, 1Yr, Max\noptional module : URL Filtering, 3Yr\noptional module : URL Filtering, 3Yr, Max\noptional module : VPN Users\n#\n# Accumulated Tokens for Module\n# Max SSL, r10900 perf_SSL_Mbps 1 key XXXXXX-XXXXXX\n#\nperf_SSL_Mbps : 1\n#\n# Accumulated Tokens for Module\n# APM, Limited apm_urlf_limited_sessions 10 key XXXXXX-XXXXXX\n#\n# Accumulated Tokens for Module\n# APM, Limited apml_sessions 10 key XXXXXX-XXXXXX\n#\napm_urlf_limited_sessions : 10\napml_sessions : 10\n#\n# License Tokens for Module Local Traffic Manager, r10900 key XXXXXX-XXXXXX\n#\nthrottle_level : 900\nperf_vcmp_max_guests : UNLIMITED\nperf_PVA_dram_limit : enabled\nperf_CPU_cores : UNLIMITED\nnw_vlan_groups : enabled\nmod_ltm : enabled\nmod_lbl : enabled\nmod_ilx : enabled\nltm_network_virtualization : enabled\nfpga_performance : enabled\n#\n# License Tokens for Module Max SSL, r10900 key XXXXXX-XXXXXX\n#\nperf_SSL_total_TPS : UNLIMITED\nperf_SSL_per_core : enabled\nperf_SSL_cmp : enabled\n#\n# License Tokens for Module Max Compression, r10900 key XXXXXX-XXXXXX\n#\nperf_http_compression_Mbps : UNLIMITED\nperf_http_compression_hw : enabled\n#\n# License Tokens for Module APM, Limited key XXXXXX-XXXXXX\n#\nmod_apml : enabled\n#\n# License Tokens for Module Rate Shaping key XXXXXX-XXXXXX\n#\nltm_bandw_rate_tosque : enabled\nltm_bandw_rate_fairque : enabled\nltm_bandw_rate_classl7 : enabled\nltm_bandw_rate_classl4 : enabled\nltm_bandw_rate_classes : enabled\n#\n# License Tokens for Module APM, Web Application key XXXXXX-XXXXXX\n#\napm_web_applications : enabled\n#\n# License Tokens for Module Remote Desktop key XXXXXX-XXXXXX\n#\napm_remote_desktop : enabled\n#\n# License Tokens for Module Network Access key XXXXXX-XXXXXX\n#\napm_na : 
enabled\n#\n# License Tokens for Module Secure Virtual Keyboard key XXXXXX-XXXXXX\n#\napm_ep_svk : enabled\n#\n# License Tokens for Module Protected Workspace key XXXXXX-XXXXXX\n#\napm_ep_pws : enabled\n#\n# License Tokens for Module Machine Certificate Checks key XXXXXX-XXXXXX\n#\napm_ep_machinecert : enabled\n#\n# License Tokens for Module Firewall Checks key XXXXXX-XXXXXX\n#\napm_ep_fwcheck : enabled\n#\n# License Tokens for Module Anti-Virus Checks key XXXXXX-XXXXXX\n#\napm_ep_avcheck : enabled\n#\n# License Tokens for Module Base Endpoint Security Checks key XXXXXX-XXXXXX\n#\napm_ep : enabled\n#\n# License Tokens for Module App Tunnel key XXXXXX-XXXXXX\n#\napm_app_tunnel : enabled\n#\n# Debug Msg - Is sol18346625 affected; Usage, \"2021-09-28 00.00.00\", started after requirement date \"2016-04-15 00.00.00\"\n#\n# LC disabled in accordance with https://support.f5.com/kb/en-us/solutions/public/k/18/sol18346625.html\n#\ngtm_lc : disabled\n#\n# Licensing Information \n#\nLicensed date : 20211129\nLicense start : 20210927\nLicense end : 20220121\nService check date : 20211222\n#\n# Platform Information \n#\nRegistration Key : B1249-45920-70635-24344-7350724\nLicensed version : 1.0.0\nPlatform ID : C128\nAppliance SN : f5-xpdn-ngmu\n#\n# Outbound License Dossier Validation\n#\nDossier : 01ac66f1c5a13fad15f3a0eca6528220df12b8e94506a852dae2c13fbbb67556e48f1473b849d7cd396be270e73123218e85871670e84e9485e774a57250f8f7299a876f\n#\n# Outbound License Authorization Signature\n#\nAuthorization : 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\n#\n#-----------------------------------------\n# Copyright 1996-2021, F5 Networks, Inc.\n# All rights reserved. 
\n#-----------------------------------------\n" }, "state": { - "license": "\nLicensed version 1.0.0\nRegistration Key B1249-45920-70635-24344-7350724\nLicensed date 2021/11/29\nLicense start 2021/09/27\nLicense end 2022/01/21\nService check date 2021/12/22\nPlatform ID C128\nAppliance SN f5-xpdn-ngmu\n\nActive Modules\n Local Traffic Manager, r10900 (Y226037-5242227)\n Rate Shaping\n Anti-Virus Checks\n Base Endpoint Security Checks\n Firewall Checks\n Machine Certificate Checks\n Network Access\n Protected Workspace\n Secure Virtual Keyboard\n APM, Web Application\n App Tunnel\n Remote Desktop\n APM, Limited\n Max SSL, r10900\n Max Compression, r10900\n" + "license": "\nLicensed version 1.0.0\nRegistration Key B1249-45920-70635-24344-7350724\nLicensed date 2021/11/29\nLicense start 2021/09/27\nLicense end 2022/01/21\nService check date 2021/12/22\nPlatform ID C128\nAppliance SN f5-xpdn-ngmu\n\nActive Modules\n Local Traffic Manager, r10900 (XXXXXX-XXXXXX)\n Rate Shaping\n Anti-Virus Checks\n Base Endpoint Security Checks\n Firewall Checks\n Machine Certificate Checks\n Network Access\n Protected Workspace\n Secure Virtual Keyboard\n APM, Web Application\n App Tunnel\n Remote Desktop\n APM, Limited\n Max SSL, r10900\n Max Compression, r10900\n" } } } 
@@ -1277,7 +1697,7 @@ Licenses can be applied via CLI, webUI, or API. A base registration key and opti General ======= -The **System Settings > General** page allows you to configure Appliance mode for the F5OS layer. Appliance mode is a security feature where all root and bash shell access is disabled. A user will only be able to utilize the F5OS CLI and not the bash shell when Appliance mode is enabled. The page also displays the Systems Properties which includes the Base OS and Service Versions currently running on the appliance. Here you can also configure the **Hostname** of the system and configure a Message of the Day (**MOTD**) which is displayed on login. +The **System Settings > General** page allows you to configure Appliance mode for the F5OS layer. Appliance mode is a security feature where all root and bash shell access are disabled. A user will only be able to utilize the F5OS CLI and not the bash shell when Appliance mode is enabled. The page also displays the Systems Properties which includes the Base OS and Service Versions currently running on the appliance. Here you can also configure the **Hostname** of the system and configure a Message of the Day (**MOTD**) which is displayed on login. .. image:: images/initial_setup_of_rseries_platform_layer/image31.png :align: center diff --git a/docs/rseries_api_workflows.rst b/docs/rseries_api_workflows.rst new file mode 100644 index 0000000..d99d9ef --- /dev/null +++ b/docs/rseries_api_workflows.rst 
@@ -0,0 +1,163 @@ +===================== +rSeries API Workflows +===================== + +There are two main points of management within the rSeries appliances: the F5OS-C platform layer, and the individual tenants. Both support their own CLI, webUI, and API access. + +At the F5OS-A platform layer level, initial configuration consists of defining static management IP addresses, routing, and other system parameters like DNS and NTP. Licensing is also configured at the F5OS-A platform layer level and is similar to iSeries in that it is applied at the appliance level and inherited by all tenants. + +For more information about configuring your system, see rSeries Systems: Getting Started and rSeries Systems: Administration and Configuration at support.f5.com. + +You can use a RESTful API client like Postman to configure the F5 rSeries platform. + +Download the F5 rSeries F5OS-A platform Postman Collection **Coming Soon**. + +These workflows assume that the initial out-of-band management configuration has been completed. 
+ +Workflows +========= + +Initial Setup of rSeries F5OS Platform Layer +-------------------------------------------- + +`Configure System Settings via API `_ + +`Manual Licensing via API `_ + +`Automatic Licensing via API `_ + +Initial Setup of the rSeries Network Layer +------------------------------------------ + +`Configuring PortGroups via API `_ + +`Configuring Interfaces via API `_ + +`Configuring VLANs via API `_ + +`Configuring LAGs via API `_ + +Deploying an rSeries Tenant +--------------------------- + + +`Loading Tenant Images from a Remote Server via API `_ + +`Uploading Tenant Images from a Client Machine via the API `_ + +`Creating a Tenant via API `_ + +`Validating Tenant Status via API `_ + +`Expanding a Tenant via API `_ + +`Deleting a Tenant via API `_ + +rSeries Software Upgrades +------------------------- + + +`Importing F5OS-A Images from a Remote Server via the API `_ + +`Uploading F5OS-A Images from a Client Machine via the API `_ + +`Upgrading F5OS via API `_ + +`Loading Tenant Images from a Remote Server via API `_ + +`Uploading Tenant Images from a Client Machine via the API `_ + +rSeries Configuration Backup and Restore +---------------------------------------- + +`Backing Up F5OS via API `_ + +`Exporting F5OS Backup via API `_ + +`Downloading an F5OS Backup via API `_ + +`Resetting the system via API `_ + +`Changing the Default Password and Importing F5OS Backups via API `_ + +`Importing an F5OS Backup from a Remote Server via API `_ + +`Uploading an F5OS Backup from a Client Machine via API `_ + +`Restore via API `_ + +Diagnostics +----------- + +`qkview Creation and Upload to iHealth via API `_ + +`qkview Download to Client via API `_ + +`Downloading Logs from the API `_ + +`Viewing Event Logs via API `_ + +`Changing the Software Component Log Levels via API `_ + +`TCPDUMP Download to Client via API `_ + +Monitoring rSeries Health & Alert Status +---------------------------------------- + +`Checking Active Alerts via API `_ + 
+`Checking System Health via API `_ + +`Filter to Get a Summary of System Health via API `_ + +Monitoring +---------- + +`Hardware and System Component Monitoring via API `_ + +`Appliance Component Status via API `_ + +`LCD Status via API `_ + +`Power Supply Status via API `_ + +`Storage Status via API `_ + +`CPU Status via API `_ + +`Temperature Status via API `_ + +`Memory Status via API `_ + +`Trusted Protection Module Status via API `_ + +`Software Health and Status via API `_ + +`F5 Cluster Status via API `_ + +`F5 Service Instances Status via API `_ + +`F5 Services Status via API `_ + +`Layer2 FDB Status via API `_ + +`F5 Service-Pods Status via API `_ + +`System Health via API `_ + +rSeries F5OS-A SNMP Monitoring and Alerting +------------------------------------------- + +`Downloading MIBs via API `_ + +`Exporting MIBs to a Remote Server via the API `_ + +`Adding Allowed IPs for SNMP via API `_ + +`Adding Interface and LAG descriptions via API `_ + +`Configuring SNMP Access via API `_ + +`Enabling SNMP Traps in the API `_ + +`Downloading SNMP Logs from the API `_ \ No newline at end of file diff --git a/docs/rseries_deploying_a_tenant.rst b/docs/rseries_deploying_a_tenant.rst index d92d96d..1cd7ee7 100644 --- a/docs/rseries_deploying_a_tenant.rst +++ b/docs/rseries_deploying_a_tenant.rst 
@@ -74,9 +74,9 @@ Tenant Deployment via CLI Uploading a Tenant Image via CLI ================================ -Tenant software images are loaded directly into the F5OS platform layer. For the initial release of rSeries, supported tenant versions are v15.1.5 for the r5000 and r10000, and v15.1.6 for the r2000 and r4000. No other TMOS versions are supported other than hotfixes or rollups based on those versions of software, and upgrades to newer versions happen within the tenant itself, not in the F5OS layer. The images inside F5OS are for initial deployment only. +Tenant software images are loaded directly into the F5OS platform layer. For the initial release of rSeries, supported tenant versions are v15.1.5 for the r5000 and r10000, and v15.1.6 for the r2000 and r4000. No other TMOS versions are supported other than hotfixes or rollups based on those versions of software, and upgrades to newer versions happen within the tenant itself, not in the F5OS layer. The images inside F5OS are for initial deployment only. rSeries tenants do not support versions 16.0, 16.0 or 17.0, you can run either the minimum 15.1.x release or later for a given platform or any versions 17.1.x and later. -Before deploying any tenant, you must ensure you have a proper tenant software release loaded into the F5OS platform layer. If an HTTPS/SCP/SFTP server is not available, you may upload a tenant image using scp directly to the F5OS platform layer. Simply SCP an image to the out-of-band management IP address using the admin account and a path of **IMAGES**. There are also other upload options available in the webUI (Upload from Browser) or API (HTTPS/SCP/SFTP). +Before deploying any tenant, you must ensure you have a proper tenant software release loaded into the F5OS platform layer. If an HTTPS/SCP/SFTP server is not available, you may upload a tenant image using scp directly to the F5OS platform layer. 
Simply SCP an image to the out-of-band management IP address using the admin account and a path of **IMAGES**. There are also other upload options available in the webUI (Upload from Browser) or API (HTTPS/SCP/SFTP). Below is an example of using SCP from a remote client. .. code-block:: bash @@ -90,7 +90,7 @@ You may also import the tenant image file from the F5OS CLI. Use the **file impo Value for 'password' (): ******** result File transfer is initiated.(images/tenant/BIGIP-15.1.4-0.0.47.ALL-VELOS.qcow2.zip.bundle) -If a remote HTTPS server is not available, you may also copy the file form the CLI over SCP by adding the **protocol scp** option to the command line: +If a remote HTTPS server is not available, you may also import the file from the CLI over SCP by adding the **protocol scp** option to the command line: .. code-block:: bash @@ -263,10 +263,13 @@ To see the actual status of the tenants, issue the CLI command **show tenants**. Tenant Deployment via webUI -------------------------- +--------------------------- -Uploading a Tenant Image via webUI -================================ + +Uploading Tenant Images via webUI +================================= + +Before deploying any tenant, you must ensure you have a proper tenant software release loaded into F5OS. Under **Tenant Management** there is a page for uploading tenant software images. There are TMOS images specifically for rSeries. Only supported rSeries TMOS releases should be loaded into this system. Do not attempt to load older or even newer images unless there are officially supported on rSeries. You can upload a tenant image via the webUI in two different places. The first is by going to the **Tenant Management > Tenant Images** page. There are two options on this page; you can click the **Import** button and you will receive a pop-up asking for the URL of a remote HTTPS server with optional credentials, and the ability to ignore certificate warnings. 
@@ -290,6 +293,12 @@ After the image is uploaded, you need to wait until it shows **Verified** status :align: center :scale: 70% +If an HTTPS server is not available and uploading from a client machine is not an option, you may upload a tenant image using SCP directly to the appliance. Simply SCP an image to the F5OS out-of-band management IP address using the admin account and a path of **IMAGES**. + +.. code-block:: bash + + scp BIGIP-15.1.5-0.0.8.ALL-VELOS.qcow2.zip.bundle admin@10.255.0.148:IMAGES + Creating a Tenant via webUI ========================= 
@@ -300,7 +309,7 @@ You can deploy a tenant from the webUI using the **Add** button in the **Tenant :align: center :scale: 70% -The tenant deployment options are almost identical to deploying a vCMP guest, with a few minor differences. Supply the tenant a name and choose the TMOS tenant image for it to run. Next you will assign an out-of-band management address, prefix, and gateway, and assign VLANs you want the tenant to inherit. There is also an option to adjust the virtual disk size if this tenant will need more space. There are **Recommended** and **Advanced** options for resource provisioning; choosing recommended will automatically adjust memory based on the vCPUs allocated to the tenant. Choosing Advanced will allow you to over-allocate memory which is something iSeries did not support. You can choose different states (Configured, Provisioned, Deployed) just like vCMP and there is an option to enable/disable HW Crypto and Compression Acceleration (recommended this stay enabled). And finally, there is an option to enable Appliance mode which will disable root/bash access to the tenant. Once you click **Save** the tenant will move to the desired state of **Configured**, **Provisioned**, or **Deployed**. +The tenant deployment options are almost identical to deploying a vCMP guest, with a few minor differences. Supply a name for the tenant and choose the TMOS tenant image for it to run. Next you will assign an out-of-band management address, prefix, and gateway, and assign VLANs you want the tenant to inherit. There is also an option to adjust the virtual disk size if this tenant will need more space. There are **Recommended** and **Advanced** options for resource provisioning; choosing recommended will automatically adjust memory based on the vCPUs allocated to the tenant. Choosing Advanced will allow you to over-allocate memory which is something iSeries did not support. 
You can choose different states (Configured, Provisioned, Deployed) just like vCMP and there is an option to enable/disable HW Crypto and Compression Acceleration (recommended this stay enabled). And finally, there is an option to enable Appliance mode which will disable root/bash access to the tenant. Once you click **Save** the tenant will move to the desired state of **Configured**, **Provisioned**, or **Deployed**. .. image:: images/rseries_deploying_a_tenant/image75.png :align: center 
@@ -362,18 +371,15 @@ Now login with the new admin password, and you'll be brought into the initial se :align: center :scale: 70% -At this point you can configure the tenant as you normally would any BIG-IP device. You could use Declarative Onboarding (DO) to configure all the lower-level network and system settings, and then use AS3 to automate application deployments. +At this point you can configure the tenant as you normally would any BIG-IP device. You could use Declarative Onboarding (DO) to configure all the lower-level network and system settings, and then use AS3 to automate application deployments. Tenant Deployment via API -------------------------- +--------------------------- -The rSeries tenant lifecycle is fully supported in the F5OS API. This section will cover common examples. +Loading Tenant Images from a Remote Server via API +================================================== -Uploading a Tenant Image via F5OS API -===================================== - -The upload utility requires a remote HTTPS, SCP, or SFTP server that is hosting the tenant image file. All API calls for tenant lifecycle are posted to the F5OS out-of-band management IP address of the appliance. -To copy a tenant image into the appliance, use the following API call to the out-of-band F5OS management IP address: +To copy a tenant image into F5OS over the API, use the following API call to the F5OS out-of-band management IP address. The example below copies a tenant image from a remote HTTPS server. You may also edit the API call to copy from remote SFTP or SCP servers by adding the proper **protocol** option. .. code-block:: bash @@ -394,7 +400,7 @@ To copy a tenant image into the appliance, use the following API call to the out ] } -To list the current tenant images available within F5OS use the following API Call: +To list the current tenant images available on the appliance, use the following API Call: .. code-block:: bash 
@@ -421,11 +427,99 @@ Below is output generated from the previous command: "name": "BIGIP-15.1.5-0.0.8.ALL-F5OS.qcow2.zip.bundle", "in-use": true, "status": "verified" + }, + { + "name": "BIGIP-bigip15.1.x-europa-15.1.5-0.0.210.ALL-F5OS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "BIGIP-bigip15.1.x-europa-15.1.5-0.0.222.ALL-F5OS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "BIGIP-bigip15.1.x-europa-15.1.5-0.0.225.ALL-F5OS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "BIGIP-bigip151x-miranda-15.1.4.1-0.0.171.ALL-VELOS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "BIGIP-bigip151x-miranda-15.1.4.1-0.0.173.ALL-VELOS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "BIGIP-bigip151x-miranda-15.1.4.1-0.0.176.ALL-VELOS.qcow2.zip.bundle", + "in-use": false, + "status": "verified" + }, + { + "name": "F5OS-A-1.0.0-11432.R5R10.iso", + "in-use": false, + "status": "verification-failed" } ] } } + +Uploading Tenant Images from a Client Machine via the API +========================================================= + +You can upload an F5OS tenant image from a client machine over the API. First you must obtain an **upload-id** using the following API call. + + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-upload-meta-data:upload/start-upload + +In the body of the API call enter the **size**, **name**, and **file-path** as seen in the example below. + +.. code-block:: json + + { + "size":2239554028, + "name": "BIGIP-15.1.10.1-0.0.9.ALL-F5OS.qcow2.zip.bundle", + "file-path": "images/tenant/" + } + +If you are using Postman, the API call above will generate an upload-id that will need to be captured so it can be used in the API call to upload the file. 
Below is an example of the code that should be added to the **Test** section of the API call so that the **upload-id** can be captured and saved to a variable called **upload-id** for subsequent API calls. + +.. code-block:: bash + + var resp = pm.response.json(); + pm.environment.set("upload-id", resp["f5-file-upload-meta-data:output"]["upload-id"]) + +Below is an example of how this would appear inside the Postman interface under the **Tests** section. + +.. image:: images/rseries_deploying_a_tenant/upload-id.png + :align: center + :scale: 70% + +Once the upload-id is captured, you can then initiate a file upload of the F5OS TENANT_NAME image using the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/f5-image-upload:image/upload-image + +In the body of the API call select **form-data**, and then in the **Value** section click **Select Files** and select the F5OS tenant image you want to upload as seen in the example below. + +.. image:: images/rseries_deploying_a_tenant/file-upload-tenant-body.png + :align: center + :scale: 70% + +In the **Headers** section ensure you add the **file-upload-id** header, with the variable used to capture the id in the previous API call. + +.. image:: images/rseries_deploying_a_tenant/file-upload-tenant-headers.png + :align: center + :scale: 70% + + Creating a Tenant via API ========================= @@ -660,7 +754,6 @@ Below is the output from the above API call: } - ----------------- Resizing a Tenant ----------------- diff --git a/docs/rseries_diagnostics.rst b/docs/rseries_diagnostics.rst index d9c7cac..16bd0d6 100644 --- a/docs/rseries_diagnostics.rst +++ b/docs/rseries_diagnostics.rst 
@@ -2,23 +2,24 @@ rSeries Diagnostics =================== -This section will go through some of the diagnostic capabilities within the new F5OS layer. Inside the tenant the same BIG-IP diagnostic utilities that customers are used to are still available. +This section will go through some of the diagnostic capabilities within the F5OS platform layer. Inside the TMOS tenant, the same BIG-IP diagnostic utilities that customers are used to are still available. + qkviews ======= rSeries appliances support the ability to generate qkviews to collect and bundle configuration and diagnostic data that can be sent to F5 support or uploaded to iHealth. It is important to understand the rSeries architecture when generating qkviews. Generating a qkview from the F5OS platform layer will capture OS data, container information, and info related to the health of the underlying F5OS layer. To capture tenant level information, you’ll need to run a qkview inside the TMOS layer of the tenant. The following links provide more details: -`K2633: Submit a support case _` +`K2633: Submit a support case `_ -`K04756153: Generating diagnostic data for rSeries systems using the qkview utility _` +`K04756153: Generating diagnostic data for rSeries systems using the qkview utility `_ In general, you can use the qkview utility on rSeries systems to automatically collect configuration and diagnostic information from the system. The qkview utility provided in F5OS-A software captures diagnostic information from the rSeries system and associated containers. Note: The qkview utility on the rSeries system does not capture diagnostic data from tenant BIG-IP systems. 
To generate diagnostic data for a tenant BIG-IP, log in to the tenant system and perform the relevant procedure in: -K12878: Generating diagnostic data using the qkview utility: https://support.f5.com/csp/article/K12878 +`K12878: Generating diagnostic data using the qkview utility `_ The qkview utility on the rSeries system generates machine-readable JavaScript Object Notation (JSON) diagnostic data and combines the data into a single compressed Tape ARchive (TAR) format file. The single TAR file is comprised of embedded TAR files containing the diagnostic data of individual containers running on the system, as well as diagnostic data from the rSeries system. You can upload this file, called a qkview file, to iHealth, or give it to F5 Support to help them troubleshoot any issues. @@ -115,8 +116,8 @@ To upload the qkview file to iHealth using the CLI use the following command: ** appliance-1# -qkview Creation and Upload via API ----------------------------------- +qkview Creation and Upload to iHealth via API +--------------------------------------------- To generate a qkview from the API, POST the following API call to the F5OS out-of-band management IP. @@ -132,7 +133,7 @@ In the body of the API call, supply the filename for the qkview: "f5-system-diagnostics-qkview:filename": "my-qkview4.tgz" } -Below is the following output showing successful intiation of the qkview: +Below is the following output showing successful initiation of the qkview: .. code-block:: json 
@@ -188,14 +189,86 @@ In the output of the API call, the upload initiation is confirmed. } } +qkview Download to Client via API +-------------------------------- + +You can download qkviews direct to a client machine using the F5OS API. First, list the contents of the path **diags/shared/qkview** to see the save qkview files: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call, add the following path: + +.. code-block:: json + + { + "f5-utils-file-transfer:path": "diags/shared/qkview" + } + +The output should look similar to the output below. + +.. code-block:: json + + + { + "f5-utils-file-transfer:output": { + "entries": [ + { + "name": "my-qkview.tar", + "date": "", + "size": "525MB" + }, + { + "name": "my-qkview4.tgz", + "date": "", + "size": "590MB" + } + ] + } + } + +To download one of the qkview files to the local client machine enter the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + + +For the **Headers** secion of the Postman request be sure to add the following headers: + +.. image:: images/rseries_diagnostics/headers.png + :align: center + :scale: 70% + +If you are using Postman, in the body of the API call select **Body**, then selct **form-data**. Then enter the **file-name**, **path**, and **token** as seen below. + +.. image:: images/rseries_diagnostics/downloadqkviewapi.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. 
image:: images/rseries_diagnostics/sendanddownload.png + :align: center + :scale: 70% Logging ======= -Many functions inside the F5OS layer will log their events to the **platform.log** file that resides in the **/log/system/** path. You'll also notice there are other files for other types of logs. +F5OS has extensive logging and diagnostic capabilities, logs are stored locally on disk and can optionally be sent to a remote syslog server. In addition, there are multiple logging subsystems that can be tweaked to be more or less verbose via the **Software Component Log Levels**. Many functions inside the F5OS layer will log their important events to the default **platform.log** file that resides in the **/log/system/** path. This is the file that will also redirect all logs to a remote location (in addition to local disk) when **Remote Log Servers** are added. There are many other log files available local on the disk (some can also be redirected to be sent remotely) for various functions. As an example, there is an **snmp.log** which logs all SNMP requests and traps that the system sends and receives. Another example is the **audit.log** that captures audit related information such as "who has logged in?", "What changes were made?", "Who made the changes?", and unsuccessful login attempts. This section will provide more details on the various logging subsystems, and how to configure them. + +There are published error catalogs for each F5OS-A release here: + +`F5OS-A Error Catalog `_ + + +Viewing Logs +------------ + Viewing Logs from the CLI --------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^ In the F5OS CLI, the paths are simplified so that you don’t have to know the underlying directory structure. You can use the **file list path** command to see the files inside the **log/system/** directory; use the tab complete to see the options: 
@@ -244,7 +317,7 @@ There are options to manipulate the output of the file. Add **| ?** to the comma until End with the line that matches appliance-1# file show log/system/platform.log | -There are also other file options to tail the log file using **file tail -f** for live tail of the file or **file tail -n **. +There are also other file options to tail the log file using **file tail -f** for live tail of the file or **file tail -n **. Below is the live tail example. .. code-block:: bash @@ -261,7 +334,9 @@ There are also other file options to tail the log file using **file tail -f** fo 2022-01-18T01:46:40.247870+00:00 appliance-1 sys-host-config[10328]: priority="Err" version=1.0 msgid=0x7001000000000031 msg="" func_name="static int SystemDateTimeOperHdlr::s_finish(confd_trans_ctx*)". appliance-1# +The example below shows the last 20 lines of the platform.log file. +.. code-block:: bash appliance-1# file tail -n 20 log/system/platform.log 2022-01-18T01:42:40.217019+00:00 appliance-1 sys-host-config[10328]: priority="Err" version=1.0 msgid=0x7001000000000031 msg="" func_name="static int SystemDateTimeOperHdlr::s_init(confd_trans_ctx*)". @@ -286,7 +361,7 @@ There are also other file options to tail the log file using **file tail -f** fo 2022-01-18T01:46:40.247870+00:00 appliance-1 sys-host-config[10328]: priority="Err" version=1.0 msgid=0x7001000000000031 msg="" func_name="static int SystemDateTimeOperHdlr::s_finish(confd_trans_ctx*)". appliance-1# -Within the bash shell, the path for the logging is different; **/var/F5/system/log**. +Within the bash shell, the actual underlying path for logging is different; it is at the following location: **/var/F5/system/log**. The non-bash shell user interfaces (CLI,webUI,API) do not use the real paths, and instead use the virtual paths to simplify things for administrators. .. code-block:: bash 
@@ -320,43 +395,10 @@ Within the bash shell, the path for the logging is different; **/var/F5/system/l drwxr-xr-x. 2 root root 4096 Jan 17 05:17 webUI [root@appliance-1 /]# -If you would like to change any of the logging levels via the CLI you must be in config mode. Use the **system logging sw-components sw-component config ** command. You must **commit** for this change to take effect. Be sure to set logging levels back to normal after troubleshooting has completed. - - -.. code-block:: bash - - appliance-1(config)# system logging sw-components sw-component ? - Possible completions: - alert-service api-svc-gateway appliance-orchestration-agent appliance-orchestration-manager authd confd-key-migrationd - dagd-service datapath-cp-proxy diag-agent disk-usage-statd dma-agent fips-service - fpgamgr ihealth-upload-service ihealthd image-agent kubehelper l2-agent - lacpd license-service line-dma-agent lldpd lopd network-manager - nic-manager optics-mgr platform-diag platform-fwu platform-hal platform-mgr - platform-monitor platform-stats-bridge qkviewd rsyslog-configd snmp-trapd stpd - sw-rbcast sys-host-config system-control tcpdumpd-manager tmstat-agent tmstat-merged - upgrade-service user-manager vconsole - appliance-1(config)# system logging sw-components sw-component lacpd ? - Possible completions: - config Configuration data for platform sw-component logging - - appliance-1(config)# system logging sw-components sw-component lacpd config ? - Possible completions: - description Text that describes the platform sw-component (read-only) - name Name of the platform sw-component (read-only) - severity sw-component logging severity level. - appliance-1(config)# system logging sw-components sw-component lacpd config severity ? - Description: sw-component logging severity level. Default is INFORMATIONAL. 
- Possible completions: - [INFORMATIONAL] ALERT CRITICAL DEBUG EMERGENCY ERROR INFORMATIONAL NOTICE WARNING - appliance-1(config)# system logging sw-components sw-component lacpd config severity DEBUG - appliance-1(config-sw-component-lacpd)# commit - Commit complete. - appliance-1(config-sw-component-lacpd)# - Viewing Logs from the webUI --------------------------- +^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -In the current release you cannot view the F5OS logs directly from the webUI, although you can download them from the webUI. To view the logs, you can use the CLI or API, or download the files and then view, or use a remote syslog server. To download log files from the webUI, go to the **System Settings -> File Utilities** page. Here there are various logs directories you can download files from. You have the option to **Export** files to a remote HTTPS server, or **Download** the files directly to your client machine through the browser. +In the current release you cannot view the F5OS logs directly from the webUI, although you can download them from the webUI. To view the logs, you can use the CLI or API, or download the files and then view, or use a remote syslog server. To download log files from the webUI, go to the **System Settings -> File Utilities** page. Here there are various logs directories you can download files from. You have the option to **Export** files to a remote HTTPS server or **Download** the files directly to your client machine through the browser. .. image:: images/rseries_diagnostics/image4.png :align: center 
@@ -369,15 +411,56 @@ If you want to download the main **platform.log**, select the directory **/log/s :align: center :scale: 70% +Downloading Logs from the API +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -Currently F5OS webUI’s logging levels can be configured for local logging, and remote logging servers can be added. The **Software Component Log Levels** can be changed to have additional logging information sent to the local log. The remote logging has its own **Severity** level which will ultimately control the maximum level of all messages going to a remote log server regardless of the individual Component Log Levels. This will allow for more information to be logged locally for debug purposes, while keeping remote logging to a minimum. If you would like to have more verbose information going to the remote logging host, you can raise its severity to see additional messages. +You can download various logs from the F5OS layer using the F5OS API. To list the current log files in the **log/system/** directory use the following API call. -.. image:: images/rseries_diagnostics/image6.png +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call, add the virtual path you want to list. + +.. code-block:: json + + { + "f5-utils-file-transfer:path": "log/system/" + } + +To download a specific log file use the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + +In the body of the API call select **form-data**, and then enter the key/value pairs as seen below. The example provided will download the **platform.log** file that resides in the **log/system** directory. + +.. image:: images/rseries_diagnostics/platformlog.png + :align: center + :scale: 70% + + +For the **Headers** secion of the Postman request be sure to add the following headers: + +.. 
image:: images/rseries_diagnostics/headers.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. image:: images/rseries_diagnostics/sendanddownload.png + :align: center + :scale: 70% + +If you wanted to download another log file in the same directory such as the **audit.log** file, simply change the file name in the **form-data** section as seen below. + +.. image:: images/rseries_diagnostics/auditlog.png :align: center :scale: 70% -Viewing Logs from the API --------------------------- +Viewing Event Logs from the API +^^^^^^^^^^^^^^^^^^^^^^^^^ If the system currently has any active alarms, you can view them via the following API call: 
@@ -1060,6 +1143,65 @@ This will display all events (not just the active ones) from the beginning in th } } + + + + + + +Logging Subsystems/ Software Component Levels +----------------------------------------------- + + +Changing the Software Component Log Levels via CLI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +If you would like to change any of the logging levels via the CLI you must be in config mode. Use the **system logging sw-components sw-component config ** command. You must **commit** for this change to take effect. Be sure to set logging levels back to normal after troubleshooting has completed. + + +.. code-block:: bash + + appliance-1(config)# system logging sw-components sw-component ? + Possible completions: + alert-service api-svc-gateway appliance-orchestration-agent appliance-orchestration-manager authd confd-key-migrationd + dagd-service datapath-cp-proxy diag-agent disk-usage-statd dma-agent fips-service + fpgamgr ihealth-upload-service ihealthd image-agent kubehelper l2-agent + lacpd license-service line-dma-agent lldpd lopd network-manager + nic-manager optics-mgr platform-diag platform-fwu platform-hal platform-mgr + platform-monitor platform-stats-bridge qkviewd rsyslog-configd snmp-trapd stpd + sw-rbcast sys-host-config system-control tcpdumpd-manager tmstat-agent tmstat-merged + upgrade-service user-manager vconsole + appliance-1(config)# system logging sw-components sw-component lacpd ? + Possible completions: + config Configuration data for platform sw-component logging + + appliance-1(config)# system logging sw-components sw-component lacpd config ? + Possible completions: + description Text that describes the platform sw-component (read-only) + name Name of the platform sw-component (read-only) + severity sw-component logging severity level. + appliance-1(config)# system logging sw-components sw-component lacpd config severity ? + Description: sw-component logging severity level. Default is INFORMATIONAL. 
+ Possible completions: + [INFORMATIONAL] ALERT CRITICAL DEBUG EMERGENCY ERROR INFORMATIONAL NOTICE WARNING + appliance-1(config)# system logging sw-components sw-component lacpd config severity DEBUG + appliance-1(config-sw-component-lacpd)# commit + Commit complete. + appliance-1(config-sw-component-lacpd)# + + +Changing the Software Component Log Levels via webUI +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Currently F5OS webUI’s logging levels can be configured for local logging, and remote logging servers can be added. The **Software Component Log Levels** can be changed to have additional logging information sent to the local log. The remote logging has its own **Severity** level which will ultimately control the maximum level of all messages going to a remote log server regardless of the individual Component Log Levels. This will allow for more information to be logged locally for debug purposes, while keeping remote logging to a minimum. If you would like to have more verbose information going to the remote logging host, you can raise its severity to see additional messages. + +.. image:: images/rseries_diagnostics/image6.png + :align: center + :scale: 70% + +Changing the Software Componenet Log Levels via API +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + You can display all the logging subsystem's logging levels via the following API call: @@ -1453,6 +1595,8 @@ If you need to change the logging level to troubleshoot an issue, you can change PATCH https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/logging +In the body of the API call, enter the sw-component you want to change, and the severity level you'd like to set. + .. code-block:: json 
@@ -1490,6 +1634,22 @@ When you are finished troubleshooting, you can set the logging level back to def } } +Audit Logging +------------- + +Details on F5OS-A audit logging can be found here: + +`F5OS-A Audit Logging `_ + +SNMP Logging +------------ + +Details on F5OS-A SNMP logging can be found here: + +`F5OS-A SNMP Logging `_ + + + TCPDUMP ======= @@ -1512,8 +1672,7 @@ You can see this in the following example output: More detail on configuration and filtering of tcpdump is provided here: -https://support.f5.com/csp/article/K80685750 - +`K80685750: Overview of the tcpdump utility on rSeries systems `_ You can capture traffic for a specific interface using the **interface** keyword in the **tcpdump** command. You specify the interface using the following syntax: **.**. If you do not supply the interface keyword, or if you specify **0.0** for the interface no interface filtering occurs and the command captures all interfaces. 
@@ -1585,6 +1744,82 @@ At the prompt, to transfer the file, enter the password for the remote host. To 3 |Export file|SCP |diags/shared/example_capture.pcap |10.10.10.100 |/tmp/example_capture.pcap | Completed| +TCPDUMP Download to Client via API +-------------------------------- + +You can download tcpdump files direct to a client machine using the F5OS API. First list the contents of the path **diags/shared/tcpdump** to see the save qkview files: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call add the follwowing path: + +.. code-block:: json + + { + "f5-utils-file-transfer:path": "diags/shared/tcpdump" + } + +The output should look similar to the output below. + +.. code-block:: json + + + { + "f5-utils-file-transfer:output": { + "entries": [ + { + "name": "132.pcap", + "date": "", + "size": "574KB" + }, + { + "name": "132_28.pcap", + "date": "", + "size": "442KB" + }, + { + "name": "jimtcpdump.pcap", + "date": "", + "size": "4.3KB" + }, + { + "name": "test.pcap", + "date": "", + "size": "23KB" + } + ] + } + } + +To copy one of the tcpdump files to the local client machine enter the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + +For the **Headers** secion of the Postman request be sure to add the following headers: + +.. image:: images/rseries_diagnostics/headers.png + :align: center + :scale: 70% + + +If you are using Postman, in the body of the API call select **Body**, then select **form-data**. Then enter the **file-name**, **path**, and **token** as seen below. Note, that the path for downloading is currently **diags/shared/** and not the full path of **diags/shared/tcpdump/**. This may change in a future release. + +.. 
image:: images/rseries_diagnostics/downloadtcpdumpapi.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. image:: images/rseries_diagnostics/sendanddownload.png + :align: center + :scale: 70% + + + Console Access via Built-In Terminal Server ============================================== @@ -1680,7 +1915,7 @@ The built-in terminal server will switch the connection to the appropriate tenan .. code-block:: bash - FLD-ML-00054045:~ jmccarron$ ssh tenant1@10.255.0.135 -p 7001 + prompt$ssh tenant1@10.255.0.135 -p 7001 tenant1@10.255.0.135's password: Successfully connected to tenant1-1 console. The escape sequence is ^] diff --git a/docs/rseries_f5os_configuration_backup_and_restore.rst b/docs/rseries_f5os_configuration_backup_and_restore.rst index 207b62b..180c837 100644 --- a/docs/rseries_f5os_configuration_backup_and_restore.rst +++ b/docs/rseries_f5os_configuration_backup_and_restore.rst 
@@ -251,6 +251,95 @@ You can then check on the status of the export via the following API call: } } +Downloading an F5OS Backup via API +---------------------------------- + +You can download configuration backup files from the F5OS layer using the F5OS API. To list the current config files in the **configs/** directory use the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call, add the virtual path you want to list. + +.. code-block:: json + + { + "f5-utils-file-transfer:path": "configs/" + } + +You should see output like the example below. + +.. code-block:: json + + { + "f5-utils-file-transfer:output": { + "entries": [ + { + "name": "F5OS-BACKUP-APPLIANCE12022-04-19", + "date": "Tue Apr 19 15:19:07 UTC 2022", + "size": "81KB" + }, + { + "name": "F5OS-BACKUP-APPLIANCE12023-01-09", + "date": "Mon Jan 9 16:31:10 UTC 2023", + "size": "80KB" + }, + { + "name": "F5OS-BACKUP-APPLIANCE12023-11-17", + "date": "Fri Nov 17 18:49:45 UTC 2023", + "size": "88KB" + }, + { + "name": "F5OS-BACKUP-APPLIANCE12023-11-28", + "date": "Wed Nov 29 00:21:07 UTC 2023", + "size": "77KB" + }, + { + "name": "F5OS-BACKUP2022-01-20", + "date": "Thu Jan 20 05:09:39 UTC 2022", + "size": "60KB" + }, + { + "name": "jim-july", + "date": "Wed Jul 13 15:35:15 UTC 2022", + "size": "78KB" + }, + { + "name": "jim-test1", + "date": "Wed Nov 8 21:09:09 UTC 2023", + "size": "77KB" + } + ] + } + } + +To download a specific config file, use the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + + +For the **Headers** secion of the Postman request be sure to add the following headers: + +.. 
image:: images/rseries_f5os_configuration_backup_and_restore/configheaders.png + :align: center + :scale: 70% + +In the body of the API call select **form-data**, and then enter the key/value pairs as seen below. The example provided will download the configuration file named **jim-july** file that resides in the **configs/** directory. + +.. image:: images/rseries_f5os_configuration_backup_and_restore/configfile.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. image:: images/rseries_f5os_configuration_backup_and_restore/sendanddownload.png + :align: center + :scale: 70% + + Backing up Tenants ================== @@ -360,7 +449,7 @@ The reset of the database will not completely wipe out the system configuration. .. code-block:: bash - FLD-ML-00054045:~ jmccarron$ ssh -l admin 10.255.0.133 + prompt$ssh -l admin 10.255.0.133 admin@10.255.0.133's password: ***** You are required to change your password immediately (root enforced) Last failed login: Thu Jan 20 16:01:00 EST 2022 from 172.18.104.143 on ssh:notty @@ -380,7 +469,7 @@ After the password is changed for the admin account, you will be disconnected an .. code-block:: bash - FLD-ML-00054045:~ jmccarron$ ssh -l admin 10.255.0.133 + prompt$ssh -l admin 10.255.0.133 admin@10.255.0.133's password: Last login: Thu Jan 20 16:01:04 2022 from 172.18.104.143 Welcome to the Management CLI @@ -441,6 +530,8 @@ The body of the API call contains the following: ] } +Importing an F5OS Backup from a Remote Server via API +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ You'll need to use the new password/token on subsequent API calls. Post the following API call to the F5OS out-of-band IP address to import the archived ConfD backup file from a remote HTTPS server to the configs directory on the appliance. 
@@ -466,16 +557,37 @@ You may query the transfer status of the file via the following API command: .. code-block:: bash - POST https://{{Appliance1_Controller_IP}}:8888/api/data/f5-utils-file-transfer:file/transfer-status + POST https://{{rseries_appliance1_ip}}:8888/api/data/f5-utils-file-transfer:file/transfer-status The body of the API call should have the file name you want to query: .. code-block:: json { - "f5-utils-file-transfer:file-name": "configs/F5OS-BACKUP-APPLIANCE4{{currentdate}}" + "f5-utils-file-transfer:file-name": "configs/F5OS-BACKUP-APPLIANCE1{{currentdate}}" } +Uploading an F5OS Backup from a Client Machine via API +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can upload an F5OS backup file directly from a client machine using the API. Use the following API call: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-upload-meta-data:upload/start-upload + +In the body of the API call, you must enter the **size**, **name**, and **file-path** as seen in the example below. + +.. code-block:: json + + { + "size":66000, + "name": "F5OS-BACKUP-APPLIANCE1{{currentdate}}", + "file-path": "configs/" + } + + + If you want to list the contents of the config directory via API, use the following API command: .. code-block:: bash @@ -487,7 +599,7 @@ The body of the API call above will list the **configs** directory as the one to .. code-block:: json { - "f5-utils-file-transfer:path": "configs" + "f5-utils-file-transfer:path": "configs/" } You’ll see the contents of the directory in the API response and the file should be listed: diff --git a/docs/rseries_monitoring_snmp.rst b/docs/rseries_monitoring_snmp.rst index 89d4971..6a849e0 100644 --- a/docs/rseries_monitoring_snmp.rst +++ b/docs/rseries_monitoring_snmp.rst 
@@ -38,13 +38,163 @@ As of F5OS-A 1.6.0.the following F5OS Appliance MIBs are available: - F5-PLATFORM-STATS-MIB - F5OS-APPLIANCE-ALERT-NOTIF-MIB +Downloading MIBs +================ -MIBs can be downloaded directly from the F5OS layer starting in F5OS-A v1.2.0. From the webUI, you can go to the **System Settings > File Utility** page. Then, from the **Base Directory** drop down, select the **mibs** directory to download the MIB files. There are two separate MIB files: NetSNMP and F5OS MIBs for the appliance. Download both archives and extract them to see the individual MIB files. +MIBs can be downloaded directly from the F5OS layer starting in F5OS-A v1.2.0. + + +Downloading MIBs via webUI +-------------------------- + +From the webUI, you can go to the **System Settings > File Utility** page. Then, from the **Base Directory** drop down, select the **mibs** directory to download the MIB files. There are two separate MIB files: NetSNMP and F5OS MIBs for the appliance. Download both archives and extract them to see the individual MIB files. .. image:: images/rseries_monitoring_snmp/image8.png :align: center :scale: 70% +Uploading MIBs to a Remote Server via CLI +----------------------------------------- + +From the CLI, use the **file export** command to transfer the MIB files to a remote server. First, list the MIB files using the **file list** command as seen below. + +.. code-block:: bash + + r10900-1# file list path mibs/ + entries { + name mibs_f5os_appliance.tar.gz + date Thu Nov 30 20:52:26 UTC 2023 + size 9.3KB + } + entries { + name mibs_netsnmp.tar.gz + date Thu Nov 30 20:52:26 UTC 2023 + size 110KB + } + r10900-1# + +To upload each of the files to a remote HTTPS server use the following command. You can also upload using SCP or SFTP by using the proper protocol option. + +.. 
code-block:: bash + + appliance-1# file export local-file mibs/mibs_f5os_appliance.tar.gz remote-host 10.255.0.142 remote-file /upload/upload.php username corpuser insecure + Value for 'password' (): ******** + result File transfer is initiated.(mibs/mibs_f5os_appliance.tar.gz) + appliance-1# + +Repeat the same API call but change the filename to the **mibs_netsnmp.tar.gz** file. + +Downloading MIBs via API +-------------------------- + +You can utilize the F5OS API to download the MIB files directly to a client machine, or to upload to a remote server over HTTPS, SCP, or SFTP. First, list the contents of the **mibs/** directory on the rSeries appliance using the following API call to get the filenames. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call add the following: + +.. code-block:: json + + { + "f5-utils-file-transfer:path": "mibs/" + } + +This will list the contents of the mibs directory as seen below. + +.. code-block:: json + + { + "f5-utils-file-transfer:output": { + "entries": [ + { + "name": "mibs_f5os_appliance.tar.gz", + "date": "Thu Nov 30 20:52:26 UTC 2023", + "size": "9.3KB" + }, + { + "name": "mibs_netsnmp.tar.gz", + "date": "Thu Nov 30 20:52:26 UTC 2023", + "size": "110KB" + } + ] + } + } + +You'll notice there are two separate MIB files, one is for Enterprise MIBs, while the other is for F5 specific MIBs. You'll need to download both files and add them to your SNMP manager. Below are example API calls to download each of the SNMP MIB files. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + +For the **Headers** secion of the Postman request, be sure to add the following headers: + +.. 
image:: images/rseries_monitoring_snmp/snmpheaders.png + :align: center + :scale: 70% + +If you are using Postman, in the body of the API call select **Body**, then select **form-data**. Then enter the **file-name**, **path**, and **token** as seen below. + +.. image:: images/rseries_monitoring_snmp/downloadmibsapi1.png + :align: center + :scale: 70% + +Repeat the same process for the other MIB file. + +.. image:: images/rseries_monitoring_snmp/downloadmibsapi2.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. image:: images/rseries_monitoring_snmp/sendanddownload.png + :align: center + :scale: 70% + +Exporting MIBs to a Remote Server via the API +--------------------------------------------- + + +To copy the SNMP MIB files from the appliance to a remote https server use the following API call: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/export + +In the body of the API call, add the remote server info and local file you want to export. + +.. code-block:: json + + { + "f5-utils-file-transfer:insecure": "", + "f5-utils-file-transfer:protocol": "https", + "f5-utils-file-transfer:username": "corpuser", + "f5-utils-file-transfer:password": "password", + "f5-utils-file-transfer:remote-host": "10.255.0.142", + "f5-utils-file-transfer:remote-file": "/upload/upload.php", + "f5-utils-file-transfer:local-file": "mibs/mibs/mibs_f5os_appliance.tar.gz" + } + +You can then check on the status of the export via the following API call: + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/api/data/f5-utils-file-transfer:file/transfer-status + +The output will show the status of the file export. + +.. 
code-block:: json + + { + "f5-utils-file-transfer:output": { + "result": "\nS.No.|Operation |Protocol|Local File Path |Remote Host |Remote File Path |Status |Time \n1 |Export file|HTTPS |mibs/mibs_f5os_appliance.tar.gz |10.255.0.142 |/upload/upload.php | Completed|Thu Jan 20 05:11:44 2022" + } + } + +Repeat the same steps for the other MIB file. + + Adding Allowed IPs for SNMP =========================== @@ -519,7 +669,8 @@ To configure a Security Group for both SNMPv1 and SNMPv2c. Configuring SNMP Access via API ------------------------------- -SNMP Communities, Users, and Targets can be setup via the API. An admin can enable access for SNMP monitoring of the system through either communities for SNMPv1/v2c, or through users for SNMPv3. In addition, remote SNMP Trap receiver locations can be enabled for alerting. + +SNMP Communities, Users, and Targets can be setup via the API. An admin can enable access for SNMP monitoring of the system through either a community for SNMPv1/v2c, or through users for SNMPv3. In addition, remote SNMP Trap receiver locations can be enabled for alerting. To create an SNMPv3 user use the following API call. 
@@ -590,6 +741,105 @@ The output should appear similar to the example below. .. code-block:: json + { + "f5-system-snmp:snmp": { + "users": { + "user": [ + { + "name": "jim", + "config": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "jim", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + }, + { + "name": "snmpv3-user3", + "config": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3-user3", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + }, + { + "name": "snmpv3user", + "config": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + }, + "state": { + "name": "snmpv3user", + "authentication-protocol": "md5", + "privacy-protocol": "aes" + } + } + ] + }, + "communities": { + "community": [ + { + "name": "public", + "config": { + "name": "public", + "security-model": [ + "v1", + "v2c" + ] + }, + "state": { + "name": "public", + "security-model": [ + "v1", + "v2c" + ] + } + }, + { + "name": "public2", + "config": { + "name": "public2", + "security-model": [ + "v1", + "v2c" + ] + }, + "state": { + "name": "public2", + "security-model": [ + "v1", + "v2c" + ] + } + } + ] + }, + "engine-id": { + "config": { + "value": "mac" + }, + "state": { + "engine-id": "80:00:2f:f4:03:00:94:a1:69:59:02", + "type": "mac" + } + }, + "config": { + "port": 161 + }, + "state": { + "port": 161 + } + } Configuring SNMP Access via webUI 
@@ -905,13 +1155,43 @@ This SNMP Trap is for the VELOS system, and it monitors various temperature sens .. code-block:: bash - r10900-1# file show log/system/snmp.log | include sensor-fault + syscon-1-active# file show log/confd/snmp.log | include sensor-fault + 9-Nov-2023::19:21:08.938 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244105 10.255.0.139:162 (TimeTicks sysUpTime=271109396)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=1)(INTEGER alertSeverity=3)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927022179 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:21:08.939 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244105 10.255.0.144:162 (TimeTicks sysUpTime=271109396)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=1)(INTEGER alertSeverity=3)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927022179 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:21:08.942 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244106 10.255.0.144:162 (TimeTicks sysUpTime=271109396)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=1)(INTEGER alertSeverity=3)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927022179 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:21:08.943 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244106 10.255.0.143:162 (TimeTicks sysUpTime=271109396)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=1)(INTEGER alertSeverity=3)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927022179 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:21:08.988 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244107 10.255.0.139:162 (TimeTicks sysUpTime=271109401)(OBJECT IDENTIFIER 
snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927133721 UTC)(OCTET STRING alertDescription=Asserted: sensor fault: Inlet) + 9-Nov-2023::19:21:08.989 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244107 10.255.0.144:162 (TimeTicks sysUpTime=271109401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927133721 UTC)(OCTET STRING alertDescription=Asserted: sensor fault: Inlet) + 9-Nov-2023::19:21:08.993 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244108 10.255.0.144:162 (TimeTicks sysUpTime=271109401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927133721 UTC)(OCTET STRING alertDescription=Asserted: sensor fault: Inlet) + 9-Nov-2023::19:21:08.996 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244108 10.255.0.143:162 (TimeTicks sysUpTime=271109401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:21:08.927133721 UTC)(OCTET STRING alertDescription=Asserted: sensor fault: Inlet) + 9-Nov-2023::19:26:08.930 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244111 10.255.0.139:162 (TimeTicks sysUpTime=271139395)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911277769 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:26:08.931 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244111 10.255.0.144:162 (TimeTicks sysUpTime=271139395)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING 
alertSource=controller-1)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911277769 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:26:08.934 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244112 10.255.0.144:162 (TimeTicks sysUpTime=271139395)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911277769 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:26:08.935 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244112 10.255.0.143:162 (TimeTicks sysUpTime=271139395)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911277769 UTC)(OCTET STRING alertDescription=Sensor fault detected in hardware) + 9-Nov-2023::19:26:08.989 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244113 10.255.0.139:162 (TimeTicks sysUpTime=271139401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911332002 UTC)(OCTET STRING alertDescription=Deasserted: sensor fault: Inlet) + 9-Nov-2023::19:26:08.990 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244113 10.255.0.144:162 (TimeTicks sysUpTime=271139401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911332002 UTC)(OCTET STRING alertDescription=Deasserted: sensor fault: Inlet) + 9-Nov-2023::19:26:08.990 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244114 10.255.0.144:162 (TimeTicks sysUpTime=271139401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER 
alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911332002 UTC)(OCTET STRING alertDescription=Deasserted: sensor fault: Inlet) + 9-Nov-2023::19:26:08.991 controller-1 confd[604]: snmp snmpv2-trap reqid=1548244114 10.255.0.143:162 (TimeTicks sysUpTime=271139401)(OBJECT IDENTIFIER snmpTrapOID=sensor-fault)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 00:26:08.911332002 UTC)(OCTET STRING alertDescription=Deasserted: sensor fault: Inlet) **module-present .1.3.6.1.4.1.12276.1.1.1.66304** .. code-block:: bash - r10900-1# file show log/system/snmp.log | include module-present + syscon-1-active# file show log/confd/snmp.log | include module-present + 31-Aug-2023::17:29:41.592 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087723 10.255.0.139:162 (TimeTicks sysUpTime=10937)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.554609619 UTC)(OCTET STRING alertDescription=Blade6 removed) + 31-Aug-2023::17:29:41.593 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087723 10.255.0.144:162 (TimeTicks sysUpTime=10937)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.554609619 UTC)(OCTET STRING alertDescription=Blade6 removed) + 31-Aug-2023::17:29:41.604 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087731 10.255.0.139:162 (TimeTicks sysUpTime=10938)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.596222405 UTC)(OCTET STRING alertDescription=Blade4 removed) + 31-Aug-2023::17:29:41.605 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087731 10.255.0.144:162 
(TimeTicks sysUpTime=10938)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.596222405 UTC)(OCTET STRING alertDescription=Blade4 removed) + 31-Aug-2023::17:29:41.607 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087733 10.255.0.139:162 (TimeTicks sysUpTime=10938)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.618843267 UTC)(OCTET STRING alertDescription=Blade5 removed) + 31-Aug-2023::17:29:41.608 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087733 10.255.0.144:162 (TimeTicks sysUpTime=10938)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:16.618843267 UTC)(OCTET STRING alertDescription=Blade5 removed) + 31-Aug-2023::17:29:41.611 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087735 10.255.0.139:162 (TimeTicks sysUpTime=10939)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.006214637 UTC)(OCTET STRING alertDescription=Vpc1 present) + 31-Aug-2023::17:29:41.612 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087735 10.255.0.144:162 (TimeTicks sysUpTime=10939)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.006214637 UTC)(OCTET STRING alertDescription=Vpc1 present) + 31-Aug-2023::17:29:41.614 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087737 10.255.0.139:162 (TimeTicks sysUpTime=10939)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER 
alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.018550834 UTC)(OCTET STRING alertDescription=Vpc2 present) + 31-Aug-2023::17:29:41.615 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087737 10.255.0.144:162 (TimeTicks sysUpTime=10939)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.018550834 UTC)(OCTET STRING alertDescription=Vpc2 present) + 31-Aug-2023::17:29:41.627 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087745 10.255.0.139:162 (TimeTicks sysUpTime=10940)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.040748272 UTC)(OCTET STRING alertDescription=Blade1 present) + 31-Aug-2023::17:29:41.628 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087745 10.255.0.144:162 (TimeTicks sysUpTime=10940)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.040748272 UTC)(OCTET STRING alertDescription=Blade1 present) + 31-Aug-2023::17:29:41.630 controller-1 confd[604]: snmp snmpv2-trap reqid=1410087747 10.255.0.139:162 (TimeTicks sysUpTime=10941)(OBJECT IDENTIFIER snmpTrapOID=module-present)(OCTET STRING alertSource=controller-1)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-08-31 21:29:17.051477248 UTC)(OCTET STRING alertDescription=Blade2 present) + **psu-fault .1.3.6.1.4.1.12276.1.1.1.66305** 
@@ -1110,14 +1390,25 @@ This trap will indicate that the system has rebooted. It's possible this was a p .. code-block:: bash - r10900-1# file show log/system/snmp.log | include reboot - 10-Jul-2023::13:41:23.284 appliance-1 confd[130]: snmp snmpv2-trap reqid=1977423794 10.255.0.144:161 (TimeTicks sysUpTime=2909)(OBJECT IDENTIFIER snmpTrapOID=reboot)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-07-10 17:41:23.281740739 UTC)(OCTET STRING alertDescription=reboot - appliance-1.chassis.local F5OS-A R5R10 version 1.7.0-0528) + r10900-1# file show log/system/snmp.log + 17-Nov-2023::12:06:13.587 appliance-1 confd[130]: snmp snmpv2-trap reqid=1025467718 10.255.0.144:161 (TimeTicks sysUpTime=380496)(OBJECT IDENTIFIER snmpTrapOID=reboot)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=2)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-17 17:06:13.583723667 UTC)(OCTET STRING alertDescription=System reboot is triggered by user) + 17-Nov-2023::12:09:02.207 appliance-1 confd[117]: snmp snmpv2-trap reqid=1710762179 10.255.0.144:161 (TimeTicks sysUpTime=69)(OBJECT IDENTIFIER snmpTrapOID=coldStart) **raid-event .1.3.6.1.4.1.12276.1.1.1.393216** .. 
code-block:: bash r10900-1# file show log/system/snmp.log | include raid-event + 10-Nov-2023::15:05:09.223 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680977 10.255.0.144:161 (TimeTicks sysUpTime=261782586)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=1)(INTEGER alertSeverity=1)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.216697040 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_failed SSD:ssd2) + 10-Nov-2023::15:05:09.274 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680978 10.255.0.144:161 (TimeTicks sysUpTime=261782591)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.264314422 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_ok SSD:ssd1) + 10-Nov-2023::15:05:09.326 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680979 10.255.0.144:161 (TimeTicks sysUpTime=261782596)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=1)(INTEGER alertSeverity=1)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.275871180 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_failed SSD:ssd2) + 10-Nov-2023::15:05:09.377 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680980 10.255.0.144:161 (TimeTicks sysUpTime=261782602)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.318350942 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_ok SSD:ssd1) + 10-Nov-2023::15:05:09.430 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680981 10.255.0.144:161 (TimeTicks sysUpTime=261782607)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=1)(INTEGER alertSeverity=1)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.330028590 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_failed 
SSD:ssd2) + 10-Nov-2023::15:05:09.481 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680982 10.255.0.144:161 (TimeTicks sysUpTime=261782612)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.373077858 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_ok SSD:ssd1) + 10-Nov-2023::15:05:09.533 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680983 10.255.0.144:161 (TimeTicks sysUpTime=261782617)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=1)(INTEGER alertSeverity=1)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.384442574 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_failed SSD:ssd2) + 10-Nov-2023::15:05:09.584 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680984 10.255.0.144:161 (TimeTicks sysUpTime=261782622)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.425790569 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_ok SSD:ssd1) + 10-Nov-2023::15:05:09.636 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680985 10.255.0.144:161 (TimeTicks sysUpTime=261782627)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=1)(INTEGER alertSeverity=1)(OCTET STRING alertTimeStamp=2023-11-10 20:05:09.437237512 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_failed SSD:ssd2) + 10-Nov-2023::15:07:15.992 appliance-1 confd[130]: snmp snmpv2-trap reqid=1889680986 10.255.0.144:161 (TimeTicks sysUpTime=261795263)(OBJECT IDENTIFIER snmpTrapOID=raidEvent)(OCTET STRING alertSource=appliance)(INTEGER alertEffect=0)(INTEGER alertSeverity=8)(OCTET STRING alertTimeStamp=2023-11-10 20:07:15.972123613 UTC)(OCTET STRING alertDescription=RAID STATUS:raid_ok SSD:ssd1) **backplane .1.3.6.1.4.1.12276.1.1.1.262144** 
@@ -1491,7 +1782,7 @@ Polling SNMP Endpoints ===================== -Once SNMP is properly setup and allow-lists are enabled you can poll SNMP objects from remote endpoints. If you have an SNMP manager it is recommended you download the appropriate MIBs from the rSeries appliance and compile them into you SNMP manager. Alternatively, you can use SNMP command line utilities from a remote client to validate the SNMP endpoints. You can then poll/query the appliance via SNMP to get stats from the system using the following SNMP OID’s: +Once SNMP is properly setup and allow-lists are enabled you can poll SNMP objects from remote endpoints. If you have an SNMP manager, it is recommended you download the appropriate MIBs from the rSeries appliance and compile them into you SNMP manager. Alternatively, you can use SNMP command line utilities from a remote client to validate the SNMP endpoints. You can then poll/query the appliance via SNMP to get stats from the system using the following SNMP OID’s: SNMP System ----------- 
@@ -1880,7 +2171,7 @@ This MIB displays the memory utilization for the system. SNMP FPGA Table --------------- -The FPGA Stats table shows the current FPGA versions. Depending on the rSeries appliance model there may be one or more FPGAs installed. The r2000/r4000 models have no FPGAs. The r5000 models have one Application Traffic Servcie Engine (ATSE) and one Appliance SWitch (ASW) FPGA. The r10000 and r12000 models have 2 ATSE FPGAs, one ASW FPGA, and an additional FPGA called the Network SOcket (NSO). The output below is from an r10900. +The FPGA Stats table shows the current FPGA versions. Depending on the rSeries appliance model there may be one or more FPGAs installed. The r2000/r4000 models have no FPGAs. The r5000 models have one Application Traffic Service Engine (ATSE) and one Appliance SWitch (ASW) FPGA. The r10000 and r12000 models have 2 ATSE FPGAs, one ASW FPGA, and an additional FPGA called the Network SOcket (NSO). The output below is from an r10900. **F5-PLATFORM-STATS-MIB:fpgaTable OID: .1.3.6.1.4.1.12276.1.2.1.5.1** @@ -1930,7 +2221,7 @@ This MIB provides the current firmware status and version for all firmware subsy fw-version-drive-u.2.slot2 VDV10184 false none prompt% -SNMP Fantry Stats Table +SNMP Fantray Stats Table ---------------------- Query the following SNMP OID to get detailed fan speeds. 
@@ -1947,13 +2238,52 @@ Query the following SNMP OID to get detailed fan speeds. prompt% +SNMP LLDP Configuration Table +----------------------------- + +Query the following SNMP OID to get detailed LLDP configuration table. + +.. code-block:: bash + + prompt% snmptable -v 2c -c public -m ALL 10.255.2.40 F5-OS-LLDP-MIB:lldpIfConfigTable + SNMP table: F5-OS-LLDP-MIB::lldpIfConfigTable + + lldpIfName lldpIfEnabled lldpIfTlvAdvertisement lldpIfTlvmap + 1.0 true txrx 130943 + 2.0 true txrx 130943 + 6.0 true txrx 130943 + 13.0 true txrx 130943 + 14.0 true txrx 130943 + 15.0 true txrx 130943 + 16.0 true txrx 130943 + prompt% + + +SNMP LLDP Neighbors Table +----------------------------- + +Query the following SNMP OID to get detailed LLDP neighbors table. + +.. code-block:: bash + + prompt% snmptable -v 2c -c public -m ALL 10.255.2.40 F5-OS-LLDP-MIB:lldpNeighborsTable + SNMP table: F5-OS-LLDP-MIB::lldpNeighborsTable + + lldpLocalInterface lldpNeighborPortId lldpNeighborChassisId lldpNeighborPortDesc lldpNeighborSysName lldpNeighborSysDesc lldpNeighborSysCap lldpNeighborMgmtAddr lldpNeighborPvid lldpNeighborPpvid lldpNeighborVlanName lldpNeighborVlanTag lldpNeighborProtocolIdentity lldpNeighborAutoNego lldpNeighborPmd lldpNeighborMau lldpNeighborAggStatus lldpNeighborAggPortid lldpNeighborMfs lldpNeighborF5ProductModel + 13.0 13.0 f5-wjex-ngkt Jim McCarron's r10900-2 r10900-2.f5demo.net Jim McCarron's r10900-2 1310740 :: 0 1 ? 0 1 1 0 0 1 0 9600 r10900 + 14.0 14.0 f5-wjex-ngkt Jim McCarron's r10900-2 r10900-2.f5demo.net Jim McCarron's r10900-2 1310740 :: 0 1 ? 0 1 1 0 0 1 0 9600 r10900 + 15.0 15.0 f5-wjex-ngkt Jim McCarron's r10900-2 r10900-2.f5demo.net Jim McCarron's r10900-2 1310740 :: 0 1 ? 0 1 1 0 0 1 0 9600 r10900 + 16.0 16.0 f5-wjex-ngkt Jim McCarron's r10900-2 r10900-2.f5demo.net Jim McCarron's r10900-2 1310740 :: 0 1 ? 0 1 1 0 0 1 0 9600 r10900 + prompt% + + Troubleshooting SNMP ==================== There are SNMP logs within each appliance. 
SNMP information is captured in the **snmp.log** file located with the **/log/system** directory in the F5OS layer: -**Note: The CLI and webUI abstract the full paths for logs so that they are easier to find. If using root access to the bash shell, then the full path to the system controller snmp logs is **/var/F5/system/log/snmp.log** +**Note: The CLI and webUI abstract the full paths for logs so that they are easier to find. If using root access to the bash shell, then the full path to the system controller SNMP logs is **/var/F5/system/log/snmp.log** To list the files in the **log/system** directory in the CLI use the **file list path log/system** command: 
@@ -2027,6 +2357,41 @@ SNMP information (requests/traps) are captured in the **snmp.log** file located 12-Apr-2022::16:18:02.471 appliance-1 confd[104]: snmp snmpv2-trap reqid=1799379632 10.255.0.144:6011 (TimeTicks sysUpTime=86087995)(OBJECT IDENTIFIER snmpTrapOID=linkDown)(INTEGER ifIndex.0.=33554456)(INTEGER ifAdminStatus.0.=1)(INTEGER ifOperStatus.0.=2) appliance-1# +Downloading SNMP Logs from the API +---------------------------------- + +You can download various logs from the F5OS layer using the F5OS API. To list the current log files in the **log/system/** directory use the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/list + +In the body of the API call, add the virtual path you want to list. + + .. code-block:: json + + { + "f5-utils-file-transfer:path": "log/system/" + } + +To download a specific log file use the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-download:download-file/f5-file-download:start-download + +In the body of the API call select **form-data**, and then enter the key/value pairs as seen below. The example provided will download the **snmp.log** file that resides in the **log/system** directory. + +.. image:: images/rseries_monitoring_snmp/snmplogdownload.png + :align: center + :scale: 70% + +If you are using Postman, instead of clicking **Send**, click on the arrow next to Send, and then select **Send and Download**. You will then be prompted to save the file to your local file system. + +.. image:: images/rseries_monitoring_snmp/sendanddownload.png + :align: center + :scale: 70% + diff --git a/docs/rseries_networking.rst b/docs/rseries_networking.rst index d20b921..16b89db 100644 --- a/docs/rseries_networking.rst +++ b/docs/rseries_networking.rst 
@@ -72,13 +72,13 @@ rSeries 1GB SFP SKU's +----------------------+----------------------------------------------------------------------------------------+ The r2000 / r4000 will support both **F5-UPG-SFPC-R** with one caveat. **F5-UPG-SFPC-R** will only be supported at 1000Mbps on r2000 / r4000, there will be no support for 10Mbps or 100Mbps speeds. -The r5000 / r10000 platforms do not support 1G SFPs currently, so **F5-UPG-SFPC-R** is not supported on those platforms. -However, **F5-UPG-SFPC+-3M-8** is still supported on r5000 / r10000 for 10G operation. +The r5000 / r10000 / r12000-DS platforms do not support 1G SFPs currently, so **F5-UPG-SFPC-R** is not supported on those platforms. +However, **F5-UPG-SFPC+-3M-8** is still supported on r5000 / r10000 / r12000-DS for 10G operation. rSeries 10GB SFP+ SKU's ----------------------- -10Gb Optics are supported on all rSeries (r2000/r4000/r5000/r10000) platforms: +10Gb Optics are supported on all rSeries (r2000/r4000/r5000/r10000/r12000-DS) platforms: +----------------------+---------------------------------------------------------------------------------------+ | F5-UPG-SFP+-R | Field Upgrade: SFP+ Fiber Connector (10G-LC/850nm) ROHS | @@ -92,7 +92,7 @@ rSeries 10GB SFP+ SKU's rSeries 25GB SFP28 SKU's -------------------------- -25Gb Optics are supported on all rSeries (r2000/r4000/r5000/r10000) platforms: +25Gb Optics are supported on all rSeries (r2000/r4000/r5000/r10000/r12000-DS) platforms: +----------------------+---------------------------------------------------------------------------------------+ | F5-UPG-SFP28-SR | Field Upgrade: Transceiver SFP28, 25G-SR, 100M, LC, MMF, DDM (rSeries ONLY) | 
@@ -104,7 +104,7 @@ rSeries 25GB SFP28 SKU's rSeries 40GB QSFP+ SKU's -------------------------- -40Gb Optics are only supported on the r5000/r10000 platforms: +40Gb Optics are only supported on the r5000/r10000/r12000-DS platforms: +----------------------+---------------------------------------------------------------------------------------+ | F5-UPG-QSFP+SR4 | Field Upgrade: QSFP+ Transceiver (40G-SR4, 850NM, 100M, MPO, DDM Support) | @@ -119,7 +119,7 @@ rSeries 40GB QSFP+ SKU's rSeries 100GB QSFP28 SKU's -------------------------- -100Gb Optics are only supported on the r5000/r10000 platforms: +100Gb Optics are only supported on the r5000/r10000/r12000-DS platforms: +----------------------+---------------------------------------------------------------------------------------+ | F5-UPG-QSFP28-SR4 | Field Upgrade: QSFP28 Transceiver (100G-SR4, 850NM, 70M/100M, OM3/OM4, MMF, MPO, DDM) | diff --git a/docs/rseries_references.rst b/docs/rseries_references.rst new file mode 100644 index 0000000..5b93b89 --- /dev/null +++ b/docs/rseries_references.rst @@ -0,0 +1,21 @@ +================== +rSeries References +================== + +`Documentation - F5OS-A and F5 rSeries `_ + +`F5OS-A/F5 rSeries - API `_ + +`F5OS-A/F5 rSeries - CLI `_ + +`F5OS-A/F5 rSeries Error Catalog `_ + +`F5OS modules Ansible collection `_ + +`F5OS Provider Resources for Terraform `_ + +`F5 rSeries and F5OS-A Hardware Platforms `_ + +`F5 rSeries Appliance Datasheet `_ + + diff --git a/docs/rseries_software_upgrades.rst b/docs/rseries_software_upgrades.rst index e0b3126..c0987e5 100644 --- a/docs/rseries_software_upgrades.rst +++ b/docs/rseries_software_upgrades.rst 
@@ -37,7 +37,7 @@ You can upload F5OS-A images to the appliance via the webUI. This is done from t Here you'll have the option to **Upload** or **Import** a new F5OS image. If you choose **Import**, you will be prompted to provide the configuration details for a remote HTTPS server where the images can be downloaded from. If you choose **Upload** you will be able to upload an image directly from your local client machine via the browser. -Alternatively, you may also upload images to the controller through the **System Settings -> File Utilities** page. You can select the **images/staging** option from the drop-down menu to import new F5OS-A images. Once uploaded into the staging area, they will be imported and made available for upgrades after a brief delay. +Alternatively, you may also upload images to the rSeries appliance via the **System Settings -> File Utilities** page. You can select the **images/staging** option from the drop-down menu to import new F5OS-A images. Once uploaded into the staging area, they will be imported and made available for upgrades after a brief delay. .. image:: images/rseries_software_upgrades/image5.png :align: center 
@@ -45,13 +45,13 @@ Alternatively, you may also upload images to the controller through the **System -After the upload completes, it will take some time for it to be fully imported and verified. At that point it should show up in the CLI and webUI. If you don’t see it immediately, be patient and wait a few minutes for it to show up as it will not show up until the file has been verified. Inside the **ISO** file are two different types of software, the **OS** and the **Service**. All three types should be displayed in the **Software Management** page. In the example below the ISO for version 1.0.0-11432 consists of an **OS** and **Service** with the same version number. +After the upload completes, it will take some time for it to be fully imported and verified. At that point it should show up in the CLI and webUI. If you don’t see it immediately, be patient and wait a few minutes for it to show up as it may take come time to verify the image file. Inside the **ISO** file are two different types of software, the **OS** and the **Service**. All three types should be displayed in the **Software Management** page. In the example below the ISO for version 1.0.0-11432 consists of an **OS** and **Service** with the same version number. .. image:: images/rseries_software_upgrades/image6.png :align: center :scale: 70% -When upgrading the F5OS platform layer, you will have a choice of upgrading either a **Bundled** release, meaning **OS** and **Services** are bundled together in an ISO image or **Unbundled**, where you can upgrade Service and/or OS independently. Note that currently F5 has not released any Service only or OS only releases, but they may be an option in the future. For now, it is recommended to choose **Bundled** upgrades. 
+When upgrading the F5OS platform layer, you will have a choice of upgrading either a **Bundled** release, meaning **OS** and **Services** are bundled together in an ISO image or **Unbundled**, where you can upgrade Service and/or OS independently. Note that currently, F5 has not released any Service only or OS only releases, but they may be an option in the future. For now, it is recommended to choose **Bundled** upgrades. .. image:: images/rseries_software_upgrades/image7.png :align: center @@ -64,7 +64,7 @@ When upgrading the F5OS platform layer, you will have a choice of upgrading eith Uploading F5OS Images via the CLI --------------------------------- -If you would prefer to upload the F5OS image via the CLI this can be done with the **file import** command. Use the **file import** command to get the F5OS image file from a remote HTTPS server or from a remote server over SCP or SFTP. Below is an example importing from a remote HTTPS server. Note the target directory should be **images/staging**: +If you would prefer to upload the F5OS image via the CLI, this can be done with the **file import** command. Use the **file import** command to get the F5OS image file from a remote HTTPS server or from a remote server over SCP or SFTP. Below is an example importing from a remote HTTPS server. Note the target directory should be **images/staging**: .. code-block:: bash @@ -73,7 +73,7 @@ If you would prefer to upload the F5OS image via the CLI this can be done with t result File transfer is initiated.(images/staging/F5OS-A-1.0.0-11432.R5R10.iso) Boston-r10900-1# -If a remote HTTPS server is not available you may also copy the file from the CLI over SCP by adding the **protocol scp** option to the command line: +If a remote HTTPS server is not available, you may also copy the file from the CLI over SCP by adding the **protocol scp** option to the command line: .. code-block:: bash 
@@ -120,7 +120,7 @@ You can view the current F5OS images and their status in the F5OS CLI by using t 1.0.0-11432 ready 2021-12-03 false -You can alternatively copy the F5OS images into the management IP address of F5OS from a client machine over SCP. You would use the **root** account and the target directory should be **/var/import/staging/**. +You can alternatively copy the F5OS images into the management IP address of F5OS from a client machine over SCP. You would use the **root** account and the target directory should be **/var/import/staging/**. Currently, only the root account can copy F5OS images into the system over SCP. An enhancement currently being worked on will allow the admin account to copy F5OS images into the system over SCP. .. code-block:: bash @@ -128,12 +128,12 @@ You can alternatively copy the F5OS images into the management IP address of F5O root@10.255.0.132's password: F5OS-A-1.0.0-11433.R5R10.iso 100% 5291MB 110.2MB/s 00:48 -Uploading F5OS-A Images via the API ------------------------------------- +Importing F5OS-A Images from a Remote Server via the API +--------------------------------------------------------- -When uploading or importing F5OS-A images into the rSeries appliance, the files should be imported into the **images/staging** directory. Once the file import is initiated you can check its status using the **file transfer-status** API calls. Below are API calls to upload and monitor status. +When uploading or importing F5OS-A images into the rSeries appliance, the files should be imported into the **images/staging** directory. Once the file import is initiated you can check its status using the **file transfer-status** API calls. Below are API calls to upload and/or import F5OS images and monitor status. -List the current F5OS images in the **images/staging** directory via the following API call: +You may list the current F5OS images in the **images/staging** directory via the following API call: .. code-block:: bash 
@@ -190,7 +190,7 @@ Below is an example output: } -To import an F5OS-A image, use the following API example: +To import an F5OS-A image from a remote HTTPS server, use the following API example. You can optionally import using other protocols such as SFTP or SCP by adding the proper **protocol** option to the API command below. .. code-block:: bash @@ -228,6 +228,7 @@ A response like the one below will provide the status of the transfer: } } + After transferring the file, you can view the contents of the images/staging directory. The file will then go through an import process before it is ready for use. .. code-block:: bash 
@@ -349,6 +350,56 @@ The output will show the status for the OS, Service, ISO, and Install Status. } } +Uploading F5OS-A Images from a Client Machine via the API +--------------------------------------------------------- + +You can upload an F5OS image from a client machine over the API. First you must obtain an **upload-id** using the following API call. + + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-upload-meta-data:upload/start-upload + +In the body of the API call enter the **size**, **name**, and **file-path** as seen in the example below. + +.. code-block:: json + + { + "size":4293919232 , + "name": "F5OS-A-1.5.0-5781.R5R10.iso", + "file-path": "images/staging/" + } + +If you are using Postman, the API call above will generate an upload-id that will need to be captured so it can be used in the subsequent API call to upload the file. Below is an example of the code that should be added to the **Test** section of the API call so that the upload-id can be captured and saved to a variable for subsequent API calls. + +.. code-block:: bash + + var resp = pm.response.json(); + pm.environment.set("upload-id", resp["f5-file-upload-meta-data:output"]["upload-id"]) + +Below is an example of how this would appear inside the Postman interface. + +.. image:: images/rseries_software_upgrades/upload-id.png + :align: center + :scale: 70% + +Once the upload-id is captured, you can then initiate a file upload of the F5OS image using the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/f5-image-upload:image/upload-image + +In the body of the API call select **form-data**, and then in the **Value** section click **Select Files** and select the F5OS-A image you want to upload as seen in the example below. + +.. 
image:: images/rseries_software_upgrades/upload-image-api.png + :align: center + :scale: 70% + +In the **Headers** section ensure you add the **file-upload-id** header, with the variable used to capture the id in the previous API call. + +.. image:: images/rseries_software_upgrades/file-upload-tenant-headers-f5os.png + :align: center + :scale: 70% Upgrading F5OS ============== @@ -534,10 +585,10 @@ You can view the current tenant images and their status in the F5OS CLI using th Boston-r10900-1# -Loading Tenant Images for New Tenants via API +Loading Tenant Images from a Remote Server via API --------------------------------------------- -To copy a tenant image into F5OS over the API, use the following API call to the F5OS out-of-band management IP address: +To copy a tenant image into F5OS over the API, use the following API call to the F5OS out-of-band management IP address. The example below copies a tenant image from a remote HTTPS server. You may also edit the API call to copy from remote SFTP or SCP servers by adding the proper **protocol** option. .. code-block:: bash 
@@ -626,6 +677,58 @@ Below is output generated from the previous command: } +Uploading Tenant Images from a Client Machine via the API +--------------------------------------------------------- + +You can upload an F5OS tenant image from a client machine over the API. First you must obtain an **upload-id** using the following API call. + + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/f5-utils-file-transfer:file/f5-file-upload-meta-data:upload/start-upload + +In the body of the API call enter the **size**, **name**, and **file-path** as seen in the example below. + +.. code-block:: json + + { + "size":2239554028, + "name": "BIGIP-15.1.10.1-0.0.9.ALL-F5OS.qcow2.zip.bundle", + "file-path": "images/tenant/" + } + +If you are using Postman, the API call above will generate an upload-id that will need to be captured so it can be used in the API call to upload the file. Below is an example of the code that should be added to the **Test** section of the API call so that the **upload-id** can be captured and saved to a variable called **upload-id** for subsequent API calls. + +.. code-block:: bash + + var resp = pm.response.json(); + pm.environment.set("upload-id", resp["f5-file-upload-meta-data:output"]["upload-id"]) + +Below is an example of how this would appear inside the Postman interface under the **Tests** section. + +.. image:: images/rseries_software_upgrades/upload-id.png + :align: center + :scale: 70% + +Once the upload-id is captured, you can then initiate a file upload of the F5OS TENANT_NAME image using the following API call. + +.. code-block:: bash + + POST https://{{rseries_appliance1_ip}}:8888/restconf/data/openconfig-system:system/f5-image-upload:image/upload-image + +In the body of the API call select **form-data**, and then in the **Value** section click **Select Files** and select the F5OS tenant image you want to upload as seen in the example below. + +.. 
image:: images/rseries_software_upgrades/file-upload-tenant-body.png + :align: center + :scale: 70% + +In the **Headers** section ensure you add the **file-upload-id** header, with the variable used to capture the id in the previous API call. + +.. image:: images/rseries_software_upgrades/file-upload-tenant-headers.png + :align: center + :scale: 70% + + Tenant Upgrades --------------- diff --git a/docs/rseries_troubleshooting.rst b/docs/rseries_troubleshooting.rst index 2b9bab1..3c1d42f 100644 --- a/docs/rseries_troubleshooting.rst +++ b/docs/rseries_troubleshooting.rst @@ -57,7 +57,8 @@ Determining Free Space F5OS Configuration Backups -------------------------- -Backups of the F5OS configuration are stored in the path **/var/F5/system/configs/**. +Backups of the F5OS configuration are stored in the path **/var/F5/system/configs/** within the underlying linux filesytem. If using the F5OS CLI, API, or webUI then these paths are simplified to the simplified path of **configs**. Below is a view of the **/var/F5/system/configs/** path within the bash shell. + .. code-block:: bash 
@@ -65,6 +66,29 @@ Backups of the F5OS configuration are stored in the path **/var/F5/system/config [root@appliance-1(r10900.f5demo.net) configs]# ls backup1 F5OS-BACKUP2022-01-20 F5OS-BACKUP-APPLIANCE12022-04-19 jim-backup jim-backup.db jim-july kfo-bkp kfo-bkup new-backup +In the F5OS CLI it appears as the simplified **configs** for file import/export commands. The same virtual path will be shown in the other F5OS user interfaces (API/webUI). + +.. code-block:: bash + + r10900-1# file export local-file + Possible completions: + configs/ diags/ images/ log/ mibs/ tenant/spec/ + r10900-1# file export local-file configs/ + Possible completions: (first 100): + F5OS-BACKUP-APPLIANCE12022-04-19 F5OS-BACKUP-APPLIANCE12023-01-09 F5OS-BACKUP-APPLIANCE12023-11-17 F5OS-BACKUP2022-01-20 GSA-Daily_GSA-rSeries-1_20230329070500 GSA-Daily_GSA-rSeries-1_20230330070500 GSA-Daily_GSA-rSeries-1_20230331070500 GSA-Daily_GSA-rSeries-1_20230402070500 + GSA-Daily_GSA-rSeries-1_20230403070500 GSA-Daily_GSA-rSeries-1_20230404070500 GSA-Daily_GSA-rSeries-1_20230405070500 GSA-Daily_GSA-rSeries-1_20230406070500 Initial_backup_gsa_GSA-r10900-1_20230410084408 Nightly_F5OS_GSA-r10900-1_20230410210100 Nightly_F5OS_GSA-r10900-1_20230411210100 Nightly_F5OS_GSA-r10900-1_20230412210100 + Nightly_F5OS_GSA-r10900-1_20230413210100 Nightly_F5OS_GSA-r10900-1_20230414210100 Nightly_F5OS_GSA-r10900-1_20230415210100 Nightly_F5OS_GSA-r10900-1_20230416210100 Nightly_F5OS_GSA-r10900-1_20230417210100 Nightly_F5OS_GSA-r10900-1_20230418210100 Nightly_F5OS_GSA-r10900-1_20230419210100 Nightly_F5OS_GSA-r10900-1_20230420210100 + Nightly_F5OS_GSA-r10900-1_20230421210100 Nightly_F5OS_GSA-r10900-1_20230422210100 Nightly_F5OS_GSA-r10900-1_20230423210100 Nightly_F5OS_GSA-r10900-1_20230424210100 Nightly_F5OS_GSA-r10900-1_20230425210100 Nightly_F5OS_GSA-r10900-1_20230426210100 Nightly_F5OS_GSA-r10900-1_20230427210100 Nightly_F5OS_GSA-r10900-1_20230428210100 + Nightly_F5OS_GSA-r10900-1_20230429210100 
Nightly_F5OS_GSA-r10900-1_20230430210100 Nightly_F5OS_GSA-r10900-1_20230501210100 Nightly_F5OS_GSA-r10900-1_20230502210100 Nightly_F5OS_GSA-r10900-1_20230503210100 Nightly_F5OS_GSA-r10900-1_20230504210100 Nightly_F5OS_GSA-r10900-1_20230505210100 Nightly_F5OS_GSA-r10900-1_20230506210100 + Nightly_F5OS_GSA-r10900-1_20230507210100 Nightly_F5OS_GSA-r10900-1_20230508210100 Nightly_F5OS_GSA-r10900-1_20230509210100 Nightly_F5OS_GSA-r10900-1_20230510210100 Nightly_F5OS_GSA-r10900-1_20230515210100 Nightly_F5OS_GSA-r10900-1_20230516210100 Nightly_F5OS_GSA-r10900-1_20230517210100 Nightly_F5OS_GSA-r10900-1_20230518210100 + Nightly_F5OS_GSA-r10900-1_20230519210100 Nightly_F5OS_GSA-r10900-1_20230520210100 Nightly_F5OS_GSA-r10900-1_20230521210100 Nightly_F5OS_GSA-r10900-1_20230522210100 Nightly_F5OS_GSA-r10900-1_20230523210100 Nightly_F5OS_GSA-r10900-1_20230524210100 Nightly_F5OS_GSA-r10900-1_20230525210100 Nightly_F5OS_GSA-r10900-1_20230526210100 + Nightly_F5OS_GSA-r10900-1_20230527210100 Nightly_F5OS_GSA-r10900-1_20230528210100 Nightly_F5OS_GSA-r10900-1_20230529210100 Nightly_F5OS_GSA-r10900-1_20230530210100 Nightly_F5OS_GSA-r10900-1_20230531210100 Nightly_F5OS_GSA-r10900-1_20230601210100 Nightly_F5OS_GSA-r10900-1_20230602210100 Nightly_F5OS_GSA-r10900-1_20230603210100 + Nightly_F5OS_GSA-r10900-1_20230604210100 Nightly_F5OS_GSA-r10900-1_20230605210100 Nightly_F5OS_GSA-r10900-1_20230606210100 Nightly_F5OS_GSA-r10900-1_20230607210100 Nightly_F5OS_GSA-r10900-1_20230608210100 Nightly_F5OS_GSA-r10900-1_20230609210100 Nightly_F5OS_GSA-r10900-1_20230610210100 Nightly_F5OS_GSA-r10900-1_20230611210100 + Nightly_F5OS_GSA-r10900-1_20230612210100 Nightly_F5OS_GSA-r10900-1_20230613210100 Nightly_F5OS_GSA-r10900-1_20230614210100 Nightly_F5OS_GSA-r10900-1_20230615210100 Nightly_F5OS_GSA-r10900-1_20230616210100 Nightly_F5OS_GSA-r10900-1_20230617210100 Nightly_F5OS_GSA-r10900-1_20230618210100 Nightly_F5OS_GSA-r10900-1_20230619210100 + Nightly_F5OS_GSA-r10900-1_20230620210100 
Nightly_F5OS_GSA-r10900-1_20230621210100 Nightly_F5OS_GSA-r10900-1_20230622210100 Nightly_F5OS_GSA-r10900-1_20230623210100 Nightly_F5OS_GSA-r10900-1_20230624210100 Nightly_F5OS_GSA-r10900-1_20230625210100 Nightly_F5OS_GSA-r10900-1_20230626210100 Nightly_F5OS_GSA-r10900-1_20230627210100 + Nightly_F5OS_GSA-r10900-1_20230628210100 backup1 dave/ jim-backup jim-backup.db jim-july jim-test1 jim2 + kfo-bkp kfo-bkup new-backup rseriesjim_GSArSeries1_20230227054500 + r10900-1# F5OS Images ----------- @@ -189,6 +213,14 @@ F5OS Diag Files tcpdump , core files, qkviews etc... +F5OS System Services +==================== + +The rSeries system services perform a variety of functions, such as configuring and controlling switch chips, managing partitions and tenants, and performing high availability (HA) failover actions between system controllers. + +`K000134978: Overview of F5 rSeries system services `_ + + @@ -1963,10 +1995,17 @@ Log rotation is currently hard coded and handled via **/var/F5/system/etc/logrot .. code-block:: bash - [root@appliance-1(r10900-2.f5demo.net) logrotate.d]# pwd - /var/F5/system/etc/logrotate.d - [root@appliance-1(r10900-2.f5demo.net) logrotate.d]# more platform.conf - /var/log/audit.log + [root@appliance-1(r10900-1.f5demo.net) ~]# cd /var/F5/system/etc/logrotate.d + [root@appliance-1(r10900-1.f5demo.net) logrotate.d]# more platform.conf + /var/log/audit.log { + rotate 5 + size 100M + sharedscripts + postrotate + pkill -HUP rsyslogd + endscript + } + /var/log/confd.log /var/log/devel.log /var/log/lcd.log 
@@ -1981,16 +2020,34 @@ Log rotation is currently hard coded and handled via **/var/F5/system/etc/logrot copytruncate } /var/log/platform.log { - rotate 10 - size 1G + rotate 20 + size 500M sharedscripts postrotate pkill -HUP rsyslogd endscript } /var/log/logrotate.log - /var/log/rsyslogd.log { + /var/log/rsyslogd_init.log { rotate 2 size 5M copytruncate } + + /var/log/webui/*.access + /var/log/vconsole*.log{ + rotate 5 + size 50M + copytruncate + } + /var/log/dma-agent.log { + rotate 5 + size 2M + copytruncate + } + /var/log/dma-agent-launcher.log { + rotate 1 + size 256K + copytruncate + } + [root@appliance-1(r10900-1.f5demo.net) logrotate.d]# \ No newline at end of file diff --git a/rseries_diagnostics.rst b/rseries_diagnostics.rst index 2b5315b..94674a9 100644 --- a/rseries_diagnostics.rst +++ b/rseries_diagnostics.rst @@ -1679,7 +1679,7 @@ The built-in terminal server will switch the connection to the appropriate tenan .. code-block:: bash - FLD-ML-00054045:~ jmccarron$ ssh tenant1@10.255.0.135 -p 7001 + prompt$ssh tenant1@10.255.0.135 -p 7001 tenant1@10.255.0.135's password: Successfully connected to tenant1-1 console. The escape sequence is ^]
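Review bot: In the Polling SNMP Endpoints hunk (@@ -1491,7 +1782,7 @@), the rewritten sentence still reads "compile them into you SNMP manager". Since the line is being touched anyway, change "you" to "your", and consider "set up" for "setup" and "OIDs" for "OID’s" in the same paragraph.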
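Review bot: In the hunk that renames the heading to "SNMP Fantray Stats Table" (@@ -1930,7 +2221,7 @@), the dash underline on the following context line was not lengthened and is shorter than the new title, which docutils reports as "Title underline too short". Extend the underline to at least the 24 characters of the title.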
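Review bot: In the SNMP LLDP hunk (@@ -1947,13 +2238,52 @@), both new snmptable examples are written with "-v 2c -c public", so readers who copy them will carry the default community string into their own setup. Use a placeholder for the community value instead. In the same hunk the edited Note line opens bold with "**Note:" and never closes it before the nested "**/var/F5/system/log/snmp.log**", so the markup is unbalanced. Close the bold after "Note:" and keep only the path in bold.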
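Review bot: In the new "Downloading SNMP Logs from the API" section (@@ -2027,6 +2357,41 @@), the form-data key/value pairs for start-download exist only in the screenshot snmplogdownload.png, so the call cannot be reproduced from the text by anyone not using Postman. List the keys and values in a code block, as was done for the file/list body. The ".. code-block:: json" directive is also indented one space more than the other directives in this section, which changes how RST nests it. Move it to column 0 with its body indented beneath it.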
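Review bot: In the hunk at @@ -45,13 +45,13 @@ of docs/rseries_software_upgrades.rst, the replacement sentence introduces a typo: "it may take come time to verify the image file" should read "some time". The same line still says the ISO contains "two different types of software" and then "All three types should be displayed". Reword it so the count is consistent, for example by naming the ISO, OS and Service entries explicitly.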
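Review bot: In the SCP paragraph (@@ -120,7 +120,7 @@), the added sentences document the root account as the only way to copy images in over SCP and then promise "An enhancement currently being worked on", which will go stale once it ships. Drop that sentence or tie it to a release. Since this patch also adds "Uploading F5OS-A Images from a Client Machine via the API", point readers to that section as the alternative for client-side uploads.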
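Review bot: In the new "Uploading F5OS-A Images from a Client Machine via the API" section (@@ -349,6 +350,56 @@), the Postman script beginning "var resp = pm.response.json();" sits under ".. code-block:: bash" although it is JavaScript, and the text calls the tab **Test** while the tenant copy of this section says **Tests**. Use the javascript lexer and one tab name. The form-data key for upload-image and the value of the **file-upload-id** header are shown only in screenshots. State them in text, including that the header carries the "upload-id" environment variable set by the script.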
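Review bot: In the hunk renaming the heading to "Loading Tenant Images from a Remote Server via API" (@@ -534,10 +585,10 @@), the underline on the next context line is unchanged and is now shorter than the title, so docutils will flag "Title underline too short". Lengthen it to match, and consider "via the API" for consistency with the other headings added in this patch.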
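Review bot: In the new "Uploading Tenant Images from a Client Machine via the API" section (@@ -626,6 +677,58 @@), the sentence "initiate a file upload of the F5OS TENANT_NAME image" contains what looks like an unreplaced template placeholder. It should read "F5OS tenant image", as in the form-data sentence that follows. The section otherwise repeats the F5OS-A upload section, including the reused upload-id.png screenshot and the JavaScript under ".. code-block:: bash", so the same fixes apply here.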
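Review bot: In the F5OS Configuration Backups hunk (@@ -57,7 +57,8 @@ of docs/rseries_troubleshooting.rst), the added text has "linux filesytem", which should be "Linux filesystem", and the redundant "these paths are simplified to the simplified path of **configs**". Suggest "this path is presented as the virtual path **configs**".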
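Review bot: In the hunk at @@ -65,6 +66,29 @@, the pasted tab-completion output for "file export local-file configs/" runs to the full "(first 100)" list of backup names from a lab system, which buries the point that **configs/** is the virtual path. Trim it to the first completion list plus a handful of entries.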
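Review bot: In the logrotate hunk (@@ -1981,16 +2020,34 @@), the listing changes platform.log from "rotate 10" / "size 1G" to "rotate 20" / "size 500M" while the surrounding text only says rotation is hard coded. Say which F5OS-A release the listing was taken from so readers can tell why their values differ. The file also now ends without a trailing newline, as the "\ No newline at end of file" marker shows. Add one after the final prompt line.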
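Review bot: In the rseries_diagnostics.rst hunk (@@ -1679,7 +1679,7 @@), the sanitized prompt lost its separator: "prompt$ssh tenant1@10.255.0.135 -p 7001" should have a space after "prompt$" so the command is readable and can be copied cleanly. The SNMP examples in this patch use "prompt%", so pick one prompt style for the whole set.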