Automating F5 Big-IP Using Ansible Webinar Q&A

May 15, 2017 by Mani Gadde

Ansible-and-F5-Blog-Header.png

The following blog contains answers to all questions asked during the Automating F5 BIG-IP using Ansible webinar.

Interested in exploring other Ansible webinars? Register for one of our upcoming webinars or watch an on-demand webinar.

Q: Can you pass the BIG-IP username and password by variable? Also, is there a way to mask the password in the Playbooks or manually feed the credentials as the Playbooks run? How can we ensure security here given that administrative passwords are clear text in the Playbooks themselves?

Yes, the BIG-IP username and password can be passed as a variable by referencing them from the inventory file or even provide them during runtime on the cli -- although this would show them in the process list if you did a 'ps'. You can also specify them in a vars_prompt; this would prevent them from being shown in 'ps'. The downside here is that this would limit the amount of automation you can provide because running the Playbook would require that either be typed in or specified with '-e' ('-e' auto fills vars_prompts that match). The recommended way is to get the vars from a secure location. Ansible provides Vault, but the same could be accomplished by using another password store that can return Facts. For example, some organizations have in-house password safes that can be queried with scripts to set the necessary facts.

Q: How can we upload or import SSL certificates to the F5 using Ansible?

By using the bigip_ssl_certificate module.

Q: How granular can we get with Ansible Playbooks? For example, is mass change of SSL profile Cipher suite possible?

Granularity largely depends on what customers need. If a setting is missing it is because either:

  • A customer has not yet asked for it. Or,
  • They have asked for it, but it has not yet been added.

I don’t remember seeing ciphers, so this might need to be added. Please create a GitHub issue if you’re interested. We hope the URI concept can be used to address your ask immediately.

Q: Is there any way to debug the execution of Playbooks in a more detailed fashion? Like, who calls who and so on...

A Playbook debugger was added to Ansible 2.1, and you can also increase the verbosity level of the print commands, which can also assist.

Q: Can I configure local traffic policies with Ansible modules?

Not yet, there is a GitHub issue open for this. We recommend that you take a look and feel free to add information about your requirements to it.

Q: Do I need to use the local root/admin user on the BigIP to work with Ansible, or does Ansible also work if I, for example, use TACACS authentication for my BigIP LTMs? All my tests using the API of F5 with a TACACS user failed so far-- it only worked with the local admin user.

TACACS will work as long as it's configured correctly on BIG-IP. Any local username/password should also work. The failure you are seeing may be due to not using token authentication.. we (F5) would need to verify this. We have a TACACS test harness that we can try it against. The only requirement for user accounts is that the account be an administrator. If you can provide details on your setup by creating a GitHub issue, that would help too.

Q: Are there any Ansible modules for BIG-IP CGNAT?

We are not currently aware of such a module. If you want it, please state requirements and request by creating a GitHub issue.

Q: What does delegate_to accomplish?

‘delegate_to’ runs the module locally. It must be used esp. with F5 modules. Without it, the module will try to run on the BIG-IP and will fail. This is because none of the supporting python modules exist on the BIG-IP.

Q: When it comes to adding multiple hosts to a pool, can you create an empty with_items list so the user can input as many backend servers as needed?

Yes, you can specify another list within the with_items tag .

E.G. with_items: "" and that list will be added to the pool.

Q: Isn't there a BIG-IP module for Ansible using iControl?

Yes, we have Ansible modules for F5 BIG-IP. . The supported modules right now can be found here: http://docs.ansible.com/ansible/list_of_network_modules.html

The BIG-IP modules for Ansible are using iControl REST and some use iControl SOAP. The "legacy" modules use iControl SOAP and the newer modules which use iControl REST. Moving forward all modules will eventually transition to iControl REST as the SOAP API is, for all intents and purposes, deprecated.

Q: Can the AFM / APN / DNS modules be managed / controlled by Ansible?

Yes, the BIG-IP DNS modules can, but AFM/ASM policies cannot be managed by Ansible right now. Please create a GitHub issue if you have a requirement.

Q: So an Ansible "module" in BIG-IP is a specific create function that includes whatever sub-parameters for that F5 object?

Yes, an Ansible module like bigip_virtual_server would create, modify and delete a virtual server. And under a virtual server module you would provide parameters for that virtual server. Modules are "generally" targeted to specific objects on the BIG-IP. This is not always true though. For example, the DNS module configures 3 or 4 APIs but lumps all of them together in one module because that's where they fit. You would more likely see a module target the functionality shown in TMUI (the web interface). If the GUI lumps it together, then the module likely lumps it together.

Q: REST API, how is that call made? Is Python module making the call?

Yes, the F5-sdk (python library for REST) is used if it’s a REST call, bigsuds (python library for SOAP) is used for SOAP call.

Q: Is there a difference between local_action module and delegate_to task keyword?

Yes, local_action will cause the module to run on the local Ansible control host. The delegate_to directive is used to assign the workload to a different host than the one being managed. In some instances, this could be set to localhost in which case the difference between the two directives is negligible.

Q: Is there a full demo that I can run here at home in my lab... to get more familiar with the roles, hosts, task, Playbooks to setup GTMs and LTMs on the fly?

If you are looking for information on a BIG-IP module or an example Playbook, please check out F5 Ansible GitHub page: https://github.com/F5Networks/F5-ansible/. You can also contact us offline at DevOpsBD@F5.com if you are looking for some specific Playbook examples, practices etc. You can also reach out to your F5 sales rep for pointers to Virtual Editions (VEs) of F5 BIG-IP.

Q: After installing Ansible will I be able to see the API calls tied to the modules?

All of the module source code is freely available at github.com/ansible/ansible.git. Any module can be reviewed to see which API calls are being made from the code.

Q: I'm unable to use the bigip_ucs_fetch.py to save the config before changes are made. The module fails on both of my test units. The modules I'm referring to are from your GitHub repo. Can you help?

This module is a SOAP module and one that needs to be refactored to use the REST module. It's currently a mess of both SOAP and REST. We will file an issue for this. Also, please create a create a GitHub issue so that we can track it. Please keep in mind that the modules are intended to work best with 12.x and may or may not support less than that.

Q: Is there a module which I can use to offline a node in the F5 pool?

Yes, refer to this example and the documentation above it.

Q: Can we run these Playbooks in Tower and will F5 respect them with Idempotentcy?

Absolutely.

Q: Can Ansible get running config for all partition in one go provided multi partition F5?

There are modules for download UCS configurations of the running config which gets the running config from all partitions. The BIG-IP's configuration is more than just what you might see from showing the running config, so a UCS is the best choice for getting the running config. There is also a bigip_config module that can consume a running config output and apply it.

Q: With URI concept am I able to fully utilize REST interface (iControl) or are there some limitations?

If you want to do stuff on the bigip that there are no modules for, you should use the bigip_command module, which will be up-streamed in the Ansible 2.4 release window. We are not aware of any limitations. Yes, you can fully utilize the iControl interface.. however, if there is some logic needed (example: license the server and then wait for X process to get restarted to confirm licensing), that kind of logic would have to be taken care of in the Ansible Playbook. If you use the F5 module, that logic will be handled by that module.

Q: Is it possible to modify data group list object?

Not right now, please create a GitHub issue for this.

Q: Is the Ansible module using the API or does it SSH onto the BIG-IP?

They all use the API.

Q: When will persistence be added to the F5 SDK?

We need more context on what "persistence" means. If it is about holding a connection open to the BIG-IP to increase performance, then "never". The SDK interacts with the BIG-IP like a non-web-socket web-browser does, not like how a SSH client does.

On the other hand, if the question is about persistence profiles in the BIG-IP, then they already exist. Please refer here.

Q: Can you combine modules and REST commands in the same Playbook?

Yes, you can do that through different tasks; one task can use a module, the other task can use the URI command.

Q: Can we get a link to this specific demo... the downloads?

https://www.ansible.com/webinars-training/automating-F5-big-ip-using-ansible

Also look at https://devcentral.F5.com/articles/dig-deeper-into-ansible-and-F5-integration-25984

Q: Are there Playbooks for recurring scheduled jobs… like UCS backups?

There are modules for download UCS configurations of running config.

Q: Is there a config sync module as well in Playbook?

This is coming up in future releases, it is not available right now, please create a GitHub issue for this.

Q: Would it be possible to use SSH with Ansible instead using the API? (without using the Ansible modules it should work right?)

The F5 Ansible modules do not use SSH, and there are no plans to make them use SSH as the technical requirements to parse TMSH output would delay the development of modules that folks are asking for today. If you just want to use the native Ansible modules like 'copy', 'template', 'command', etc., then yes, you can do that as long as you have BIG-IP >= 12.x

Prior to 12.x, the BIG-IP does not ship with a JSON python module, which is required by Ansible. Note that if you do choose this route, you need to be aware that the standard Linux utilities on BIG-IP such as 'route', 'useradd', etc., do not work as you would expect. The 'TMSH' command must be used for all that sort of configuration.

Q: Are there good Playbooks in the wild to help migrate off of older platforms onto Viprions VCMP guests? It is road-mapped? As we are migrating to the Viprion platform this is of concern.

We need more context here. If the question is about Ansible F5 modules to migrate: we don’t have any. We do not have Playbooks to create VCMP guests on a VIPRION as of today. Please create a GitHub issue to help us understand what your requirement is.

Q: Can a Playbook be run to configure different BIG-IP device for different objects and different variables?

Yes, you can. Your Playbooks can include a ‘hosts:’ line that can target a set of BIG-IPs or other devices -- just make sure that within the module you are specifying the IP of the BIG-IP you want to configure. Also, running config shows the config of the partition in which it is run.

Q: Is there an iRule deployment module?

Yes, there is an iRule deployment module.

Q: Where can I find the new modules that are not published?

https://github.com/F5Networks/F5-ansible/tree/master/library

Q: Problem with existing F5 modules?

https://github.com/F5Networks/F5-ansible/issues

Q: Where can I learn to Get started and other F5 questions?

https://devcentral.F5.com/ or email: DevopsBD@F5.com

Need More?

Learn how Ansible’s simple agentless framework can help you build, manage and scale network automation.

Read about the solution benefits of the Ansible and F5 integration.

Keep an eye on the Ask Ansible page for upcoming sessions.

If you have any comments or ideas for other Ask an Expert sessions, feel free to tweet at @Ansible.

 

Share:

Topics:
Network Automation


 

Mani Gadde

Mani is a Solution Engineer at F5 Networks.


rss-icon  RSS Feed