AS3 ACC Conversion
Hi, I have a qkview extracted from a bigip r5600 running 17.1.1 version. I have imported the qkview to vscode and converted it to as3 using ACC. When I try to post the declaration, I have errors about ssl certificate not being found even though the certificates are in place. The fact is, when the configuration has been created in the first place on F5 via the GUI, there is no concept of PATH under domain partition, and now with AS3 I have this Shared App that has been added to the configuration. What exactly is the right process of converting to AS3 via ACC when the original configuration qkview file does not have any Application subfolder, just Admin partition (i.e. Tenant)?

Here is the error I am getting right now:

    {
      "id": "82530133-0b46-46c3-97a5-68766a5a663f",
      "results": [
        {
          "code": 422,
          "message": "declaration failed",
          "response": "01070277:3: The requested key (/TENANT1/Mycert-2024) was not found.",
          "host": "localhost",
          "tenant": "TENANT1",
          "runTime": 2739,
          "declarationId": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989"
        }
      ],
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.37.0",
        "id": "urn:uuid:bdc310a7-31ad-4f07-bf96-2566912cd989",
        "label": "Converted Declaration",
        "remark": "Generated by Automation Config Converter",
        "controls": {
          "class": "Controls",
          "userAgent": "vscode-f5/3.16.1",
          "archiveTimestamp": "2024-03-06T15:36:02.267Z"
        },
        "updateMode": "selective"
      }
    }

Thanks.

30 Views, 0 likes, 0 Comments

Enabling Package Management in v12 Removed iApps AWS Item
So I'm working in an old lab environment (v12) that isn't currently being used, and under the iApps menu, there was an AWS option listed but Package Management was missing. From the AS3 documentation, I ran the following command to enable Package Management from the CLI - touch /var/config/rest/iapps/enable - and rebooted the BIG-IP. The Package Management option now shows up but the AWS option is gone. Any idea why?

The lab environment was set up years ago, so no one knows what the AWS option was used for or who added/enabled it, so it's not really a loss that it's now gone. However, that it's missing after enabling Package Management is weird. Any thoughts on what happened would be great to hear. Thanks!

Solved. 250 Views, 0 likes, 2 Comments

F5 AS3 set ProfileHTTP=None
Hello, I'm trying to set my profileHTTP in virtual-server to None. I tried different methods with a "use" or "bigip", with a none, /common/none, false, but impossible. How do I set my profileHTTP to None via AS3? Thank you for your help. Best regards

Solved. 467 Views, 0 likes, 2 Comments

AS3 add another VS to existing tenant
I have deployed the sample AS3 script to create a VS with pool and pool members from here:

    {
      "class": "AS3",
      "action": "deploy",
      "persist": true,
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
        "label": "Sample 1",
        "remark": "Simple HTTP Service with Round-Robin Load Balancing",
        "AS1": {
          "class": "Tenant",
          "A1": {
            "class": "Application",
            "template": "generic",
            "MyVS1": {
              "class": "Service_HTTP",
              "virtualAddresses": [ "10.0.1.11" ],
              "pool": "web_pool_1"
            },
            "web_pool_1": {
              "class": "Pool",
              "monitors": [ "http" ],
              "members": [
                {
                  "servicePort": 80,
                  "serverAddresses": [ "192.0.1.10", "192.0.1.11" ]
                }
              ]
            }
          }
        }
      }
    }

Now I want to add another VS to the same tenant (same partition) but when I edit the above script and deploy this:

    {
      "class": "AS3",
      "action": "deploy",
      "persist": true,
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "urn:uuid:33045210-3ab8-4636-9b2a-c98d22ab915d",
        "label": "Sample 1",
        "remark": "Simple HTTP Service with Round-Robin Load Balancing",
        "AS1": {
          "class": "Tenant",
          "A1": {
            "class": "Application",
            "template": "generic",
            "MyVS2": {
              "class": "Service_HTTP",
              "virtualAddresses": [ "10.0.1.12" ],
              "pool": "web_pool_2"
            },
            "web_pool_2": {
              "class": "Pool",
              "monitors": [ "http" ],
              "members": [
                {
                  "servicePort": 80,
                  "serverAddresses": [ "192.0.1.12", "192.0.1.13" ]
                }
              ]
            }
          }
        }
      }
    }

It replaces the old configuration and I only have MyVS2. How can I add MyVS2 to the current configuration without losing MyVS1?

364 Views, 0 likes, 1 Comment

DELETE method with AS3 is too powerful !
Am I the only one totally freaking out about the fact that with AS3, you just have to send a DELETE method to mgmt/shared/appsvcs/declare and everything is gone?? All your production system could be wiped off that easily ...

From my understanding it's mandatory to have the administrator privilege to use AS3, and administrators can access all the partitions; so you cannot even create users that would be allowed to manage only specific partitions ... It's all or nothing.

In my opinion the least you should do is to get rid of this dangerous default behavior, and instead use the keyword "ALL" to remove all tenants ...

==========================
Extract from the doc:

Use DELETE to remove configurations for one or more declared Tenants from the target ADC. If you do not specify any Tenants, DELETE removes all of them, which is to say, it removes the entire declared configuration. Indicate the target device and Tenants to remove by appending elements to the main AS3 URL path (/mgmt/shared/appsvcs/declare). By default (just main URL) DELETE removes all Tenants from target localhost.

DELETE examples:

    DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare
        removes all tenants
    DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare/T1,T2,T5
        removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place
==========================

Does anyone agree, or have a suggestion to add some security?

947 Views, 0 likes, 4 Comments

AS3 Shared Objects and Virtual Service Address Lists
Below is a declaration that will create a virtual service that has a host 1.1.1.50/32 as the allowed source host. How in AS3 do you create a shared object address list if that is possible, or if that is not possible, how do I reference an existing address list in the declaration so I can specify multiple source hosts rather than a subnet?

    {
      "class": "AS3",
      "action": "patch",
      "patchBody": [
        {
          "op": "add",
          "path": "/{{tenant}}/testvip",
          "value": {
            "class": "Application",
            "template": "generic",
            "testvip_http_8080": {
              "class": "Service_HTTP",
              "snat": "auto",
              "virtualPort": 8080,
              "virtualAddresses": [ ["10.10.10.10", "1.1.1.50/32"] ],
              "iRules": [],
              "pool": "testvip_tcp_8080_pool",
              "persistenceMethods": []
            },
            "testvip_tcp_8080_pool": {
              "class": "Pool",
              "monitors": [ { "use": "testvip_http_8080_monitor" } ],
              "loadBalancingMode": "least-connections-member",
              "members": [
                {
                  "adminState": "enable",
                  "shareNodes": false,
                  "servicePort": 8080,
                  "serverAddresses": [ "2.2.2.2" ],
                  "hostname": "server1"
                },
                {
                  "adminState": "enable",
                  "shareNodes": false,
                  "servicePort": 8080,
                  "serverAddresses": [ "3.3.3.3" ],
                  "hostname": "server2"
                },
                {
                  "adminState": "enable",
                  "shareNodes": false,
                  "servicePort": 8080,
                  "serverAddresses": [ "4.4.4.4" ],
                  "hostname": "server3"
                }
              ]
            },
            "testvip_http_8080_monitor": {
              "class": "Monitor",
              "monitorType": "http",
              "send": "GET /keepalive.txt HTTP/1.0",
              "receive": "200"
            }
          }
        }
      ]
    }

906 Views, 0 likes, 3 Comments

An example of an AS3 Rest API call to create a GSLB configuration on BIG-IP.
Hi everyone,

Below you can find an example of an AS3 Rest API call that creates a simple GSLB configuration on BIG-IP devices. The main purpose of this article is to share this configuration with others. Of course, on different sites (github, etc) you can find different bits of data, but I think this example will be useful, because it contains all the necessary information about how to create different GSLB objects at the same time, such as: Data Centers (DCs), Servers, Virtual Servers (VSs), Wide IPs, pools and more.

    {
      "class": "AS3",
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.21.0",
        "id": "GSLB_test",
        "Common": {
          "class": "Tenant",
          "Shared": {
            "class": "Application",
            "template": "shared",
            "DC1": { "class": "GSLB_Data_Center" },
            "DC2": { "class": "GSLB_Data_Center" },
            "device01": {
              "class": "GSLB_Server",
              "dataCenter": { "use": "DC1" },
              "virtualServers": [
                {
                  "name": "/ocp/Shared/ingress_vs_1_443",
                  "address": "A.B.C.D",
                  "port": 443,
                  "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
                }
              ],
              "devices": [ { "address": "A.B.C.D" } ]
            },
            "device02": {
              "class": "GSLB_Server",
              "dataCenter": { "use": "DC2" },
              "virtualServers": [
                {
                  "name": "/ocp2/Shared/ingress_vs_2_443",
                  "address": "A.B.C.D",
                  "port": 443,
                  "monitors": [ { "bigip": "/Common/custom_icmp_2" } ]
                }
              ],
              "devices": [ { "address": "A.B.C.D" } ]
            },
            "dns_listener": {
              "class": "Service_UDP",
              "virtualPort": 53,
              "virtualAddresses": [ "A.B.C.D" ],
              "profileUDP": { "use": "custom_udp" },
              "profileDNS": { "use": "custom_dns" }
            },
            "custom_dns": {
              "class": "DNS_Profile",
              "remark": "DNS Profile test",
              "parentProfile": { "bigip": "/Common/dns" }
            },
            "custom_udp": {
              "class": "UDP_Profile",
              "datagramLoadBalancing": true
            },
            "testpage_local": {
              "class": "GSLB_Domain",
              "domainName": "testpage.local",
              "resourceRecordType": "A",
              "pools": [ { "use": "testpage_pool" } ]
            },
            "testpage_pool": {
              "class": "GSLB_Pool",
              "resourceRecordType": "A",
              "members": [
                {
                  "server": { "use": "/Common/Shared/device01" },
                  "virtualServer": "/ocp/Shared/ingress_vs_1_443"
                },
                {
                  "server": { "use": "/Common/Shared/device02" },
                  "virtualServer": "/ocp2/Shared/ingress_vs_2_443"
                }
              ]
            }
          }
        }
      }
    }

P.S. The AS3 scheme guide was very helpful: https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/schema-reference.html

620 Views, 1 like, 2 Comments

Patching additional TLS certificate to the existing virtual server
Hi, I am new to AS3. I tried the following JSON file to patch the new TLS certificate to the existing virtual server, however it's not working. Can you let me know what the correct procedure is?

    {
      "class":"AS3",
      "action":"patch",
      "patchBody":[
        {
          "op":"add",
          "path":"/tenanat/Application/private-vip/front-cert",
          "value":{
            "class":"TLS_Server",
            "certificates":[
              { "certificate":"frontend-cert" }
            ],
            "ciphers":"DEFAULT",
            "frontend-cert":{
              "class":"Certificate",
              "certificate":"-----BEGINCERTIFICATE-----fsdfsdfdshfd-----ENDCERTIFICATE-----\n",
              "privateKey":"-----BEGINPRIVATEKEY-----edfddsfdsfds-----ENDPRIVATEKEY-----\n"
            },
            "private-vip":{
              "layer4":"tcp",
              "class":"Service_HTTPS",
              "ServerTLS":"front-cert",
              "redirect80":false,
              "shareAddresses":true,
              "virtualAddresses":[ "192.168.1.x" ]
            }
          }
        }
      ]
    }

419 Views, 0 likes, 1 Comment

Creating an iRule from external source using AS3
I am attempting to create a new iRule using AS3 by pointing to an external file and can't seem to get the declaration and/or rule correct. I am receiving the below error when trying as is. I have tried iterations of braces around each when clause and around the entire iRule, but can't seem to get the syntax right. Anyone have any luck with this? If not, how are you declaring complex iRules within your AS3 declaration without having to manually escape all the json special characters?

Error:

    {"message":"Declaration failed: 01070151:3: Rule [/Common/Shared/log4j_mitigation] error: /Common/Shared/log4j_mitigation:1: error: [braces are required around the expression][when HTTP_REQUEST {\n # Version 2.0 - 2021-12-11 23:40 Eastern\n # - Handling nested URI encoding\n # - Improved matching\n # Version 1.0 - 2021-12-11 06:10 Eastern\n # - Initial release\n # less aggressive regexp for those concerned about false positives \\\"\\\\$\\\\{(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?j\\\\}\\?(\\\\$\\\\{env:[^:]+:-|\\\\$\\\\{[a-z]+:)\\?n.+:.+\\\\}\\\" (remove quotes)\n # very aggressive regexp \\\"\\\\$\\\\{.+\\?\\\\}\\\" (remove quotes)\n # URI – based on 200004474\n set tmpUri [HTTP::uri -normalized]\n set uri [URI::decode $tmpUri]\n while { $uri ne $tmpUri } {\n set tmpUri $uri\n set uri [URI::decode $tmpUri]\n }\n if {[string tolower $uri] matches_regex {\\\\$\\\\{}} {\n log local0. \\\"log4j_rce_detection drop on URI: $uri\\\"\n drop\n event disable all\n return\n }\n set tmpReq [HTTP::request]\n set req [URI::decode $tmpReq]\n while { $req ne $tmpReq } {\n set tmpReq $req\n set req [URI::de","level":"error"}

iRule:

    when HTTP_REQUEST {
        # Version 2.0 - 2021-12-11 23:40 Eastern
        # - Handling nested URI encoding
        # - Improved matching
        # Version 1.0 - 2021-12-11 06:10 Eastern
        # - Initial release
        # less aggressive regexp for those concerned about false positives "\$\{(\$\{env:[^:]+:-|\$\{[a-z]+:)?j\}?(\$\{env:[^:]+:-|\$\{[a-z]+:)?n.+:.+\}" (remove quotes)
        # very aggressive regexp "\$\{.+?\}" (remove quotes)
        # URI – based on 200004474
        set tmpUri [HTTP::uri -normalized]
        set uri [URI::decode $tmpUri]
        while { $uri ne $tmpUri } {
            set tmpUri $uri
            set uri [URI::decode $tmpUri]
        }
        if {[string tolower $uri] matches_regex {\$\{}} {
            log local0. "log4j_rce_detection drop on URI: $uri"
            drop
            event disable all
            return
        }
        set tmpReq [HTTP::request]
        set req [URI::decode $tmpReq]
        while { $req ne $tmpReq } {
            set tmpReq $req
            set req [URI::decode $tmpReq]
        }
        # Header – looks for ${j…} or ${${…}}
        if {[string tolower $req] matches_regex {\$\{\s*(j|\$\{).+?\}}} {
            log local0. "log4j_rce_detection drop on header: $req"
            drop
            event disable all
            return
        }
        # Payload – looks for ${j…} or ${${…}}
        if {[HTTP::method] eq "POST"}{
            # Trigger collection for up to 1MB of data
            if {[HTTP::header "Content-Length"] ne "" && [HTTP::header "Content-Length"] <= 1048576}{
                set content_length [HTTP::header "Content-Length"]
            } else {
                set content_length 1048576
            }
            # Check if $content_length is not set to 0
            if { $content_length > 0} {
                HTTP::collect $content_length
            }
        }
    }
    when HTTP_REQUEST_DATA {
        set tmpPayload [HTTP::payload]
        set payload [URI::decode $tmpPayload]
        while { $payload ne $tmpPayload } {
            set tmpPayload $payload
            set payload [URI::decode $tmpPayload]
        }
        if {[string tolower $payload] matches_regex {\$\{\s*(j|\$\{).+?\}}} {
            log local0. "log4j_rce_detection drop on payload"
            drop
            event disable all
        }
    }

AS3 json:

    {
      "class": "AS3",
      "action": "deploy",
      "persist": true,
      "declaration": {
        "class": "ADC",
        "schemaVersion": "3.0.0",
        "id": "molecule_192.168.121.79_1642700459",
        "label": "molecule_192.168.121.79_2022-01-20T17:40:59Z",
        "remark": "DTI f5 as3 declaration for molecule_192.168.121.79",
        "Common": {
          "Shared": {
            "class": "Application",
            "log4j_mitigation": {
              "class": "iRule",
              "iRule": {
                "url": {
                  "skipCertificateCheck": true,
                  "url": "https://xxxxxxx/Bradley.Anderson/irules_test/-/raw/main/log4j_mitigation.irule"
                }
              }
            },
            "template": "shared"
          },
          "class": "Tenant"
        },
        "Molecule": {
          "Molecule-API": {
            "class": "Application",
            "molecule_api": {
              "class": "Service_HTTP",
              "pool": "molecule_api_pool",
              "virtualAddresses": [ "192.168.100.101" ]
            },
            "molecule_api_pool": {
              "class": "Pool",
              "members": [
                {
                  "serverAddresses": [ "10.0.1.5", "10.0.1.6" ],
                  "servicePort": 80
                }
              ],
              "monitors": [ "http" ]
            }
          },
          "Molecule-Web": {
            "class": "Application",
            "molecule_web": {
              "class": "Service_HTTP",
              "pool": "molecule_web_pool",
              "virtualAddresses": [ "192.168.100.100" ]
            },
            "molecule_web_pool": {
              "class": "Pool",
              "members": [
                {
                  "serverAddresses": [ "10.0.1.3", "10.0.1.4" ],
                  "servicePort": 80
                }
              ],
              "monitors": [ "http" ]
            }
          },
          "class": "Tenant"
        },
        "Foo": {
          "Foo-Web": {
            "class": "Application",
            "foo_web": {
              "class": "Service_HTTP",
              "pool": "foo_web_pool",
              "virtualAddresses": [ "192.168.100.102" ]
            },
            "foo_web_pool": {
              "class": "Pool",
              "members": [
                {
                  "serverAddresses": [ "10.0.1.7", "10.0.1.8" ],
                  "servicePort": 80
                }
              ],
              "monitors": [ "http" ]
            }
          },
          "class": "Tenant"
        }
      }
    }

1.3K Views, 0 likes, 2 Comments

Restnoded keep coring dump when running as3 container
Follow the document, run below commands:

    docker run --name as3_container --rm -d -p 8443:443 -p 8080:80 f5devcentral/f5-as3-container:latest

The restnoded keeps restarting:

    [root@k8s-node1 ~] docker exec -it 715941f037b07d01a5fbb3fe990540a6b73627d9d1ce9198614ed3dfe828888b /bin/bash
    bash-4.4 cd /etc/service/restnoded/
    bash-4.4 ls
    core.13042 core.13189 core.13220 core.13240 core.13270 core.13291 core.13328 core.13349 core.13396 core.13420 core.13443 core.13503 core.13525 finish run
    core.13170 core.13206 core.13230 core.13253 core.13280 core.13314 core.13339 core.13364 core.13410 core.13433 core.13491 core.13515 core.13542 log supervise

Logs of the container:

    bash-4.4 cd /var/log
    bash-4.4 ls -lrt
    total 76
    drwxrwxrwx 2 root root 6 Jul 25 16:14 restnoded
    -rw-r--r-- 1 root root 136 Nov 28 02:16 restjavad.out
    -rw-r--r-- 1 root root 0 Nov 28 02:16 restjavad.0.log.lck
    -rw-r--r-- 1 root root 2479 Nov 28 02:16 restjavad-api-usage.json
    -rw-r--r-- 1 root root 58719 Nov 28 02:16 restjavad.0.log
    -rw-r--r-- 1 root root 1342 Nov 28 02:17 restjavad-gc.log.0.current
    -rw-r--r-- 1 root root 79 Nov 28 02:17 restnoded.out
    bash-4.4 tail -f restnoded.out
    lowering process privileges to: root/root, groups:0,0,1,2,3,4,6,10,11,20,26,27
    ^C
    bash-4.4 ls restnoded/
    bash-4.4 tail -f restjavad-gc.log.0.current
    2018-11-28T02:16:51.923+0000: 8.186: [GC 40516K->14918K(95040K), 0.0107790 secs]
    2018-11-28T02:16:56.864+0000: 13.127: [GC 41158K->14976K(95040K), 0.0038870 secs]
    2018-11-28T02:17:02.518+0000: 18.781: [GC 41216K->14982K(95040K), 0.0028530 secs]
    2018-11-28T02:17:08.314+0000: 24.577: [GC 41222K->14957K(95040K), 0.0038880 secs]
    2018-11-28T02:17:14.038+0000: 30.302: [GC 41197K->15010K(95040K), 0.0028630 secs]
    2018-11-28T02:17:18.423+0000: 34.686: [GC 41250K->14592K(95040K), 0.0033240 secs]
    2018-11-28T02:17:24.217+0000: 40.480: [GC 40832K->14486K(95040K), 0.0028170 secs]
    2018-11-28T02:17:29.925+0000: 46.188: [GC 40726K->14569K(95040K), 0.0035090 secs]
    2018-11-28T02:17:35.722+0000: 51.985: [GC 40809K->14492K(95040K), 0.0028700 secs]
    2018-11-28T02:17:41.398+0000: 57.662: [GC 40732K->14561K(95040K), 0.0029170 secs]
    2018-11-28T02:17:46.786+0000: 63.049: [GC 40801K->14345K(95040K), 0.0029630 secs]
    2018-11-28T02:17:52.369+0000: 68.632: [GC 40585K->14375K(95040K), 0.0027940 secs]

Go into the container, and check logs:

    bash-4.4 cd /var/log
    bash-4.4 ls -lrt
    total 76
    drwxrwxrwx 2 root root 6 Jul 25 16:14 restnoded
    -rw-r--r-- 1 root root 136 Nov 28 02:16 restjavad.out
    -rw-r--r-- 1 root root 0 Nov 28 02:16 restjavad.0.log.lck
    -rw-r--r-- 1 root root 2479 Nov 28 02:16 restjavad-api-usage.json
    -rw-r--r-- 1 root root 58719 Nov 28 02:16 restjavad.0.log
    -rw-r--r-- 1 root root 1342 Nov 28 02:17 restjavad-gc.log.0.current
    -rw-r--r-- 1 root root 79 Nov 28 02:17 restnoded.out
    bash-4.4 tail -f restnoded.out
    lowering process privileges to: root/root, groups:0,0,1,2,3,4,6,10,11,20,26,27
    ^C
    bash-4.4 ls restnoded/
    bash-4.4 tail -f restjavad-gc.log.0.current
    2018-11-28T02:16:51.923+0000: 8.186: [GC 40516K->14918K(95040K), 0.0107790 secs]
    2018-11-28T02:16:56.864+0000: 13.127: [GC 41158K->14976K(95040K), 0.0038870 secs]
    2018-11-28T02:17:02.518+0000: 18.781: [GC 41216K->14982K(95040K), 0.0028530 secs]
    2018-11-28T02:17:08.314+0000: 24.577: [GC 41222K->14957K(95040K), 0.0038880 secs]
    2018-11-28T02:17:14.038+0000: 30.302: [GC 41197K->15010K(95040K), 0.0028630 secs]
    2018-11-28T02:17:18.423+0000: 34.686: [GC 41250K->14592K(95040K), 0.0033240 secs]
    2018-11-28T02:17:24.217+0000: 40.480: [GC 40832K->14486K(95040K), 0.0028170 secs]
    2018-11-28T02:17:29.925+0000: 46.188: [GC 40726K->14569K(95040K), 0.0035090 secs]
    2018-11-28T02:17:35.722+0000: 51.985: [GC 40809K->14492K(95040K), 0.0028700 secs]
    2018-11-28T02:17:41.398+0000: 57.662: [GC 40732K->14561K(95040K), 0.0029170 secs]
    2018-11-28T02:17:46.786+0000: 63.049: [GC 40801K->14345K(95040K), 0.0029630 secs]
    2018-11-28T02:17:52.369+0000: 68.632: [GC 40585K->14375K(95040K), 0.0027940 secs]

466 Views, 0 likes, 1 Comment