Forum Discussion

DifanZ
Sep 20, 2022

Big-IQ use TMSH to manage BIG-IP configuration in Silo

Hi experts,

Is it possible to use the TMSH in Big-IQ to manage configurations for the Big-IP that is in a Silo? Sometimes it is easier to use the TMSH to duplicate configuration, such as an SSL-client profile in the command line than clicking for each setting in the GUI. We used to do that on the Big-IP but now since they are all centrally managed by the Big-IQ, we can't do that anymore. Where is Silo stored on the Big-IQ? Is it in a specific directory? 

Thanks!

Difan

  • Hi Difan.  

    Short answer - no, the configuration stored in BIG-IQ is not manageable from TMSH, or any direct CLI. The config is stored in a database, not text files.

    Much longer answer: there is a BIG-IQ REST API that provides a means to manipulate the BIG-IP configuration you see in the BIG-IQ UI, "Working Config" in IQ terminology, but the vast majority of this is precursory and not yet documented. That said, if you were prepared to invest the effort, you could in theory script the duplication of existing objects. It's all very different from TMSH though.

    https://clouddocs.f5.com/products/big-iq/mgmt-api/v0.0/ApiReferences/bigiq_precursory_apis_ref/r_precursory_apis.html

    If you want a modern approach to templating configurations, rather than create/duplicate/edit, you should take a look at AS3.  This moves the source of truth for your configuration to your preferred external code repository,  but you can still use BIG-IQ as a kind of proxy for deploying AS3 to BIG-IP.  You can also create AS3 Templates in BIG-IQ which means your external repository needs to store only the variable parts of the config. 

    https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/userguide/big-iq.html

    In the meantime,  to keep the ability to use TMSH to manage configurations,  something to consider is a 'Dev' instance of BIG-IP where you build some configuration objects locally, using TMSH if you wish.  You can then Discover/Import that device configuration into BIG-IQ.  Ensure conflicts are resolved "Use BIG-IQ" unless they relate to the objects you are intending to import.  The Shared Objects (Profiles, Monitors etc) you created are then available immediately for attaching to your production BIG-IP Virtual Servers.  If you define virtual servers on your dev environment,  you can use the BIG-IQ Clone functionality to duplicate the attributes to a virtual on a BIG-IP.   

    A note on Client SSL Profiles - when importing these they have the wrinkle of referencing SSL Certificates which exist on the BIG-IP. The device discovery/import process imports the certificate metadata but not the cert/key files. You will need to import these to BIG-IQ separately before you can deploy the SSL profile to a different device. BIG-IQ allows you to pull certificates from your BIG-IP from the BIG-IQ Configuration - Certificates UI.

    Hope all that helps!  
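
Added example, not part of the original post: a small Python check for the Client SSL wrinkle described in the answer above. It lists the cert, key and chain objects each client-ssl profile references, so they can be imported into BIG-IQ before the profile is deployed to another device. The sample text is constructed in the style of `tmsh list ltm profile client-ssl` output; the function names and the `imported` set (objects the operator has already imported) are assumptions for illustration.

```python
import re

# Constructed sample shaped like `tmsh list ltm profile client-ssl` output.
SAMPLE = """\
ltm profile client-ssl clientssl_app1 {
    cert-key-chain {
        app1_0 {
            cert /Common/app1.crt
            chain /Common/issuing-ca.crt
            key /Common/app1.key
        }
    }
}
ltm profile client-ssl clientssl_app2 {
    cert-key-chain {
        app2_0 {
            cert /Common/app2.crt
            chain none
            key /Common/app2.key
        }
    }
}
"""

HEADER = re.compile(r"^ltm profile client-ssl (\S+) \{$")
FILE_KEYS = {"cert", "key", "chain"}

def cert_dependencies(text):
    """Map each client-ssl profile to the cert/key/chain objects it references."""
    deps, profile, depth = {}, None, 0
    for line in filter(None, map(str.strip, text.splitlines())):
        header = HEADER.match(line)
        if depth == 0 and header:
            profile, depth = header.group(1), 1
            deps[profile] = set()
        elif line.endswith("{"):
            depth += 1          # nested block, e.g. cert-key-chain entries
        elif line == "}":
            depth -= 1
            profile = profile if depth else None
        elif profile:
            key, _, value = line.partition(" ")
            if key in FILE_KEYS and value not in ("", "none"):
                deps[profile].add(value)
    return {name: sorted(refs) for name, refs in deps.items()}

def missing_on_bigiq(deps, imported):
    """Per profile, referenced objects absent from `imported` (operator-kept set)."""
    return {p: m for p, refs in deps.items() if (m := [r for r in refs if r not in imported])}
```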


4 Replies

  • TMSH is not exposed to the BIG-IQ configuration.

    Something I have used is the BIG-IQ Scripts Management. You can create scripts of TMSH commands from BASH> to en masse deploy to a series of BIG-IPs. So as an example; if I needed to change the SNMP across all BIG-IPs. I could author a single script and use the BIG-IQ Device Script to run on the target BIG-IP devices.

    AskF5 | Manual Chapter: Script Management

     

  • Thanks for posting this question DifanZ. Let me see if I can get one of our subject matter experts to answer this for you. Hang tight.