Forum Discussion

mhite_60883
Sep 17, 2012

Run tmsh command via iControl?

Is it possible to run a tmsh command via iControl?

 

5 Replies

  • I've put this request into PD for a while but it hasn't made it into the product yet. I would suggest that if you want this feature, you send in an enhancement request. The implementation is fairly easy but PD will need use cases for why the current API doesn't cover your needs.
  • There are long-standing bugs in certain parts of iControl that don't exist in their tmsh equivalent. For example, you can't update certificate/key pairs via iControl, period. So I've got hacky workarounds in my automation tools that actually use ssh to execute various tmsh commands alongside the iControl commands.

    I.e.:

    tmsh_cmd = "tmsh -q -c \"cd /%s; modify sys file ssl-cert %s.crt source-path %s\"" % (partition, identifier, urlpath)

    Which will work.

    Bottom line is that the test coverage for tmsh seems far more extensive than iControl, and getting things fixed in iControl seems to be a much lower priority than fixing something that is wrong with tmsh. At least with a tmsh gateway via iControl, we can fail back to tmsh in certain circumstances without having to resort to ssh hackery.

    I'm just trying to rapidly scale out solutions and oftentimes I hit hurdles that F5 isn't very agile at addressing. I need a plan B, which is automating through tmsh.
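
An added example, not part of the original posts or of F5's tooling: one way to build the tmsh command string shown in the reply above so that a crafted partition, identifier or source path cannot change the command when it is sent over ssh. The allowlist patterns, the accepted URL schemes and the function names are assumptions made for illustration, not F5's naming rules.

```python
import re
import shlex
from urllib.parse import urlsplit

# Assumed allowlists (illustrative, not F5's naming rules): no whitespace,
# quotes, or characters that the shell or tmsh treats as separators.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
_URL_RE = re.compile(r"[A-Za-z0-9._~:/%+=-]+")
_ALLOWED_SCHEMES = {"file", "http", "https"}  # assumption


def _checked_name(label, value):
    """Return value if it is a plain object name, else raise ValueError."""
    if not _NAME_RE.fullmatch(value):
        raise ValueError(f"{label} is outside the allowlist: {value!r}")
    return value


def _checked_source(urlpath):
    """Return urlpath if its characters and scheme are allowlisted."""
    if not _URL_RE.fullmatch(urlpath):
        raise ValueError(f"source-path is outside the allowlist: {urlpath!r}")
    if urlsplit(urlpath).scheme not in _ALLOWED_SCHEMES:
        raise ValueError(f"source-path scheme not allowed: {urlpath!r}")
    return urlpath


def build_cert_update_cmd(partition, identifier, urlpath):
    """Build the ssl-cert update command line from the thread.

    Two parsers read this string: the remote shell, then tmsh. shlex.quote()
    covers the shell layer; the allowlists cover the tmsh layer, where ';'
    or whitespace in a value would start a new command or argument.
    """
    inner = "cd /{}; modify sys file ssl-cert {}.crt source-path {}".format(
        _checked_name("partition", partition),
        _checked_name("identifier", identifier),
        _checked_source(urlpath),
    )
    return "tmsh -q -c " + shlex.quote(inner)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_cert_update_cmd(
        "Common", "www.example.com", "file:///var/tmp/www.example.com.crt"))
```
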

     

     

  • The key/cert issue is resolved by introduction of the set_key_certificate_file in version 11 (and now 10.2.4). That issue can also be resolved by using transactions (v11).

    If you think about tmsh, it structurally doesn't have the transaction issues as much as iControl because in tmsh you enter an entire command yourself, sitting at the keyboard, and you can define the transaction boundary yourself by pressing newline. All of the attributes you modify get done as an entire batch, at once. Both tmsh and iControl have the ability to define transactions more explicitly, as well (start, add stuff, submit). iControl has always used a "lego-building block" approach where it allows access to all the attributes individually, as we can't predict which you will want to use, and we do not want to package them up into a fixed unit because this introduces backwards compatibility worries (as well as being more than you are likely interested in). We've been aware of a potential string-based approach, such as that used with iControl's LTConfig module, but that is really pretty ugly (compared with canned specific interfaces) when you see it in action ("set(myobjs, myfields, myvalues)" and so on) and is difficult to document, understand, and check at compile time (still, that notion is on our radar).

    Regarding the "test coverage for tmsh seems far more extensive than iControl" I appreciate your input, and of course we are interested in doing everything we can, but this isn't true: iControl has a very extensive regression test suite, comparable to anything we do for tmsh. tmsh has a lot of people pounding on it, though, it's true. Here at F5 we use iControl extensively for in-house testing, though (beyond the explicit test suite for it, itself) so there is a lot of testing through that channel too.

    Regarding "getting things fixed in iControl seems to be a much lower priority", again I appreciate your input. I can assure you we have all of the bugs and RFEs well-organized for iControl, and we prioritize them carefully, taking into account all requests. I am personally familiar with all bugs and requests made for iControl, and I am not the only one.

    If there is a specific RFE or bug that is not getting the priority you'd like, please let us know.
  • Thanks for your reply, Todd. I don't think we're talking about the same issue regarding replacement of certificates. I am reuploading in order to replace existing certificate/key pairs. For example, the certificate/key has been reissued with new SANs or it is expiring soon. Read about it here:

    https://devcentral.f5.com/community/group/aft/2164077/asg/51

    Let me know if there is some workaround you have in mind. Definitely interested in your thoughts on the matter!

    Thanks for your assurances. Obviously fixes and features speak the loudest and go a long way in addressing matters of customer perception. I will say I am a very happy man to see bigsuds get released and would love for you to pass on my thanks to the developer on that!
  • I will pass on the thanks. I thought it would be important for usability to get bigsuds out. It's pretty pleasant to use. Interactive fun with iControl. Nicer error messages. No type factory (from the user at least)!