Forum Discussion
Kevin_Stewart
Nov 07, 2012 (Employee)
While you can technically do this, it doesn't mean you should. Reaching into the management shell (management plane) from an iRule (data plane) has several performance AND security implications. The management shell consumes a very small subset of total system memory, and is not multi-processing, so it could never scale to handle traffic loads. Also, creating that "bridge" between the two planes potentially opens you up to vulnerabilities if you don't properly protect the mechanisms.
Your best option, in my opinion, would be to employ a sideband call to a remote service (https://devcentral.f5.com/wiki/iRules.SIDEBAND.ashx) and allow it to perform your shell script. You could technically expose some custom service on the BIG-IP (mini web server, netcat, etc.) and reach in from your sideband call, but I'd recommend against that for the aforementioned reasons. If using a remote service, point your sideband call at another virtual server and then load balance (and scale) multiple services.
That said, what is your shell script doing? Perhaps the entire process can be done natively in iRules.
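The sideband approach recommended in the post above, sketched as an added example that is not part of the original post and is not F5's code. The virtual server name `/Common/vs_script_runner`, the trigger path `/report`, the backend endpoint `/run/job` and the timeout values are all hypothetical; the iRule sends a constant request and fails closed when the remote service does not answer.

```tcl
# Added example (not from the original post). Hypothetical names:
#   /Common/vs_script_runner  internal virtual server load balancing the remote services
#   /report                   client-facing path that needs the external action
#   /run/job                  fixed endpoint on the remote service that runs the script
when HTTP_REQUEST {
    # Only the one path that needs the external action pays for a sideband call.
    if { [HTTP::path] ne "/report" } { return }

    # Short connect timeout so a slow or dead backend cannot stall the data plane.
    set conn [connect -protocol TCP -timeout 500 -idle 5 \
        -status conn_status /Common/vs_script_runner]
    if { $conn eq "" } {
        log local0.warning "sideband connect failed: $conn_status"
        HTTP::respond 503 content "Service unavailable"
        return
    }

    # The request is a constant string. Nothing supplied by the client
    # (URI, headers, body) is copied into it, so client input never
    # reaches the script that the remote service runs.
    set req "GET /run/job HTTP/1.0\r\nHost: script-runner\r\n\r\n"
    set sent [send -timeout 500 -status send_status $conn $req]
    if { $sent != [string length $req] } {
        log local0.warning "sideband send incomplete: $send_status"
        close $conn
        HTTP::respond 503 content "Service unavailable"
        return
    }

    # Read only the start of the reply; the status line is all that is needed.
    set resp [recv -timeout 1000 -status recv_status 256 $conn]
    close $conn

    # Fail closed: anything other than a 200 from the remote service
    # (including a timeout, which leaves $resp empty) rejects the request.
    if { ![string match "HTTP/1.? 200*" $resp] } {
        log local0.warning "sideband call rejected or timed out: $recv_status"
        HTTP::respond 503 content "Service unavailable"
        return
    }
    # On success the client request continues to the normal pool.
}
```

The management plane is never touched: the script runs on the remote services behind the internal virtual server, which can be scaled and access-controlled independently of the BIG-IP.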