search

F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0
376 stars 231 forks source link

GeoIP DB Updates #2165

Open rmoskalenko opened 2 years ago

rmoskalenko commented 2 years ago

Is your feature request related to a problem? Please describe.

Add ansible support to update F5 GeoIP DB. It's a few step process:

  1. Download the update file (to F5 or to some external system)
  2. Upload the update to F5 (if it was downloaded to some other system)
  3. Run the update commands
  4. Verify
  5. Roll back if needed.

Most of the commands can be run using regular bash commands but the first 2 are problematic.

At least it should be possible to do step 2 and it seems that the general ansible copy module doesn't work against F5.

Describe the solution you'd like

  1. A bare minimal solution - provide a way to upload geoip update file to F5, for example make an equivalent of ansible native copy command to work against F5.
  2. A better solution is to be able to pull that file to a BigIP system directly from F5 Download site

Describe alternatives you've considered

Using external SCP command to push the update to F5 and then run bash commands using ansible but it requires an additional component and not fully contained within ansible.

Additional context

N/A

trinaths commented 2 years ago

Created [INFRAANO-665] for internal tracking

david-sieg commented 2 years ago

I build a workaround for your steps 1 and 2. First I downloaded database and pushed to our internal webserver.

- name: Download GeoIP Database File on F5
  f5networks.f5_modules.bigip_command:
    commands: "run util bash -c 'curl {{ rl_f5_bigip_repo_geoip_url }} --output {{ rl_f5_bigip_geo_ip_path_file }}'"
    provider: "{{ rl_f5_provider }}"
  delegate_to: localhost

- name: Unzip GeoIP Database File on F5
  f5networks.f5_modules.bigip_command:
    commands: "run util bash -c 'unzip {{ rl_f5_bigip_geo_ip_path_file }} -d /shared/GeoIP/'"
    provider: "{{ rl_f5_provider }}"
  delegate_to: localhost
  register: rl_f5_unzip

- name: List GeoIP Database RPM Files on F5
  f5networks.f5_modules.bigip_command:
    commands: run util bash -c 'ls /shared/GeoIP/*.rpm'
    provider: "{{ rl_f5_provider }}"
  delegate_to: localhost
  register: rl_f5_rpm_files

- name: Install GeoIP Database RPM Files on F5
  f5networks.f5_modules.bigip_command:
    commands: "run util bash -c 'geoip_update_data -f {{ item }}'"
    provider: "{{ rl_f5_provider }}"
  delegate_to: localhost
  register: rl_f5_rpm_install
  loop: "{{ rl_f5_rpm_files.stdout_lines | join ('\n') }}"
  when: item != ""
rmoskalenko commented 2 years ago

Well, we wrote a pure bash script that follows https://support.f5.com/csp/article/K11176, but it's a few hundred lines long and it has a lot of complexity to maintain because it needs to handle login and handling site credentials in a more or less secure way, going through a few different pages on F5 website, verifying the downloaded files are matching the checksum, creating a backup, applying update, running verification and if needed, rolling back and verifying again.

While it's working, it seems to be quite fragile because if F5 changes anything in that process, the tool would also need to be updated. So we would rather have an solution with F5 support behind it.

Also, it would be probably beneficial in long term if F5 converts GeoIP DB process to something similar to how ASM updates are done instead of the current human oriented procedure that is hard to automate.

Thanks!