f5networks / f5-appsvcs-extension Goto Github PK
View Code? Open in Web Editor NEWF5 BIG-IP Application Services 3 Extension
License: Apache License 2.0
f5-appsvcs-extension's People
Contributors
Stargazers
Watchers
Forkers
sessin delgadillo22 pcloup mofftech jikui yairshaya m3t4fr4m3-zz sol255 pedrohaoa billchurch payalsin dudesweet wilfrado cyberami halimfaf zixuan-jiang phenetrik pascalyung htanto dumpysquare onesteveo dramdayal zzulipwy dstokesf5 steirtet jiangyidigital trinaths sanjaypatel2003 vbojko oakh1 phollandf5 papineni87 jackice m3t4fr4m3 askmike1 imadnaily shyawnkarim duchri66 taisgeal micskr vink78 mleklund ghalevy charanm08 vhartmannfigaro mikejoh niklaus-xie m-kratochvil stigwengdahl murphy6666 nandakishore2010f5-appsvcs-extension's Issues
Known Issue: Must disable Expect: 100 Continue
ISSUE TYPE
- F5 Known Issue
AS3 BUILD/ VERSION
Application Services Extension Version 3.0.0
BIGIP VERSION
BIG-IP Version 13.0 and higher
SUMMARY
With any kind of client software, be sure to disable the “Expect: 100 Continue” feature commonly used with SOAP+XML APIs. When using cURL, add the option -H ‘Expect:’ to your cURL command line (no space after the colon at the end of ‘Expect:’). For specific information, refer to the instructions from your client libraries.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
Regex for pool names does not contain dash character
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
3.7.0
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.1.3
Build 0.0.1
Edition Point Release 3
Date Wed Nov 28 18:50:45 PST 2018
SUMMARY
Regex for pool name does not include dash character, which is a valid character.
STEPS TO REPRODUCE
EXPECTED RESULTS
Dash "-" is a valid character for F5 pool name, but is not included in regex.
ACTUAL RESULTS
{'code': 422,
'declarationFullId': '',
'errors': ['/POD31/lvsp31_pools: propertyName "BLAH-BLA_443" should match '
'pattern "^[A-Za-z][0-9A-Za-z_]{0,47}$"'],
'message': 'declaration is invalid'}
No source code?
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
n/a
BIGIP VERSION
n/a
SUMMARY
No source code is in this repository but there are references to source that should exist here
specifically the schema files
STEPS TO REPRODUCE
EXPECTED RESULTS
Source code would be available
ACTUAL RESULTS
It's not available, and this makes the documentation incorrect
AS3 v3.5 - Declaration fails with duplicate values in members
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
Build 3 / version 3.5
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.0.8
Build 0.0.3
Edition Point Release 8
Date Sat Jun 16 00:03:03 PDT 2018
SUMMARY
Attempting to deploy declaration containing a single application that has 2 pool members. When I deploy I receive an error 'declaration has duplicate values in members'. If I remove a single member the declaration deploys. I have tried different IPs for the pool members and receive same error. This declaration worked using version 3.4.
STEPS TO REPRODUCE
POST a declaration that contains a pool with more than 1 member
{
"action": "deploy",
"class": "AS3",
"declaration": {
"as3_lab": {
"class": "Tenant",
"bodgeit": {
"class": "Application",
"template": "generic",
"vs_bodgeit_443": {
"class": "Service_HTTPS",
"clientTLS": {
"bigip": "/Common/f5demo-serverssl"
},
"iRules": [
{
"bigip": "/Common/bodgeit-irule"
}
],
"persistenceMethods": [
{
"bigip": "/Common/f5demo-persist-cookie"
}
],
"policyWAF": {
"bigip": "/Common/bodgeit"
},
"pool": "vs_bodgeit_pool",
"profileHTTP": {
"bigip": "/Common/f5demo-http"
},
"profileMultiplex": {
"bigip": "/Common/f5demo-oneconnect"
},
"profileTCP": {
"egress": {
"bigip": "/Common/f5demo-tcp-wan"
},
"ingress": {
"bigip": "/Common/f5demo-tcp-lan"
}
},
"redirect80": true,
"serverTLS": {
"bigip": "/Common/san_cert"
},
"snat": "auto",
"virtualAddresses": [
"10.0.1.214"
],
"virtualPort": 443
},
"vs_bodgeit_pool": {
"class": "Pool",
"monitors":[
{ "bigip": "/Common/f5demo-http-head"}
],
"members": [{
"servicePort": 8080,
"serverAddresses": [
"10.128.20.12",
"10.128.20.11"
]
}]
}
}
},
"class": "ADC",
"id": "as3_lab",
"label": "as3_lab",
"remark": "This is a sample remark ",
"schemaVersion": "3.5.0"
},
"persist": true
}
EXPECTED RESULTS
Declaration should deploy successfully
ACTUAL RESULTS
Receive 500 error back.
{
"code": 500,
"declarationFullId": "",
"message": "declaration has duplicate values in members"
}
make as3 validator available in a container
Please make AS3 validator available as a container. either independent or within the AS3 container.
that will make it a lot easier to use
Thanks
AS3 v3.8.0 in the Docker container does not launch
ISSUE TYPE
- Known Issue (internally tracked as #856)
AS3 BUILD/ VERSION
AS3 3.8.0 running in a container
BIGIP VERSION
Any supported version
SUMMARY
When attempting to launch AS3 v3.8.0 from the Docker container (only), AS3 fails during start up. So while the container is functioning properly, there is no AS3 service or endpoints that are available. If you attempt to send a declaration to AS3 in the container, you receive a 404 “Public URI path not registered” error.
This only affects AS3 running in a Docker container and not the standalone AS3 v3.8.0. Additionally, the AS3 Container is currently Community Supported only and in the F5Devcentral organization on Docker Hub. It will move to the F5Networks organization when it is fully supported.
STEPS TO REPRODUCE
Launch AS3 v3.8.0 from the Docker Container, and then attempt to send a GET request to the info endpoint (for example).
EXPECTED RESULTS
AS3 3.8.0 is fully functional and returns AS3 version information.
ACTUAL RESULTS
You receive an error message similar to the following:
{"code":404,"message":"Public URI path not registered: /shared/appsvcs/info","restOperationId":994772,"errorStack":["com.f5.rest.common.RestWorkerUriNotFoundException: Public URI path not registered: /shared/appsvcs/info"
...}
WORKAROUND
If you are not relying on AS3 3.8.0 features, you can use the container with AS3 3.7.0. Run the same docker command and target 3.7.0 instead of "latest". For example:
docker run --name as3_container --rm -d -p 8443:443 -p 8080:80 f5devcentral/f5-as3-container:3.7.0
Known Issue: Declaration fails when you attempt to delete LTM monitor objects in the same transaction in which you are removing the monitor from a pool definition
ISSUE TYPE
- F5 Known Issue
AS3 BUILD/ VERSION
Application Services Extension Version 3.0.0
BIGIP VERSION
BIG-IP Versions 13.0 and higher
SUMMARY
Symptom: You deploy a declaration with a pool with “monitors”: [ { “use”: “Monitor1” }] and a definition for “Monitor1”. If you remove both and then redeploy, the declaration fails.
Workaround: Deploy a declaration that entirely deletes the pool, then deploy a second declaration to re-introduce the pool without the declared monitor.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
Node creation in tenant partitions causes conflict
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
3.0.0 v34
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.0.6
Build 0.0.3
Edition Point Release 6
Date Fri Apr 20 18:04:26 PDT 2018
SUMMARY
Nodes are created under their respective tenant/partition. This causes nodes with the same IP:port combination to conflict. Legacy iApps handled this by, typically, creating nodes in /Common. It does not appear to be possible to mimic this behavior with AS3.
In a true multi-tenant environment it is unlikely tenants will have awareness of nodes defined/created by other tenants.
STEPS TO REPRODUCE
POST example 7 followed by example 8 from the reference docs to the same BIG-IP.
EXPECTED RESULTS
Not immediately clear what the best way to handle this would be -- perhaps schema flexibility to allow node creation outside of tenant/partition and then referencing them inside the tenant declaration.
ACTUAL RESULTS
{
"status": 422,
"message": "declaration having id urn:uuid:773ff79d-6df8-4ea7-8ce3-06485202167e|Sample 8 is invalid",
"errors": [
"/Sample_08/A1/gce_pool/members: pool member /Sample_08/A1/gce_pool/members/0 static address 192.0.7.10 conflicts with bigip node /Sample_07/192.0.7.10"
],
"code": 422,
"declarationFullId": ""
}
Where is the adc-schema.json file?
ISSUE TYPE
- Documentation Report
AS3 BUILD/ VERSION
f5-appsvcs (f5-appsvcs-3.2.0-7.noarch) | 3.2.0 | 7
BIGIP VERSION
Version | BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2
SUMMARY
The F5 AS3 documentation indicates there is a json schema available:
For example:
-
The JSON Schema document prescribes the syntax of an AS3 declaration (found in the file adc-schema.json in the /src/schema directory of the GitHub repository).
(Emphasis in original)The Bolded filename and directory are not helpfully when I cannot find the GitHub repository that contains them. I have search F5Network Org in github, all of github, and google, and cannot find this schema file.
-
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/refguide/as3-api.html
The request document may be a proper request (see as3-request-schema.json) or a ADC-only declaration (see adc-schema.json).
(Emphasis added)Where can I find these files?
STEPS TO REPRODUCE
Click on the above links.
EXPECTED RESULTS
The documents linked above provide direct links to the json schema files, or are more descriptive of where to find them.
ACTUAL RESULTS
An unsatisfied F5 customer spends most of the day on a worthless Easter Egg hunt.
Error in documentation for Docker usage
ISSUE TYPE
- Documentation Report
SUMMARY
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/userguide/as3-container.html
{
"class": "AS3",
"action": "deploy",
"targetHost": "192.0.2.76",
"targetPort": "8443"
"targetUsername": "admin",
"targetPassphrase": "admin",
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
...
}
}
AS3 Docker container reports that "targetPort" should be integer. Defined as string in documentation.
STEPS TO REPRODUCE
Use example config from documentation
EXPECTED RESULTS
Fix documentation to be integer, also a semi-colon is missing.
ACTUAL RESULTS
~$ curl -sku admin:admin -H "Content-Type: application/json" -X POST https://localhost:8443/mgmt/shared/appsvcs/declare --data-binary "@as3.json";
{"code":422,"message":"/targetPort: should be integer"}
Getting "2 unexpected results" during selftest
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
6
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 12.1.3.3
Build 0.3.1
Edition Engineering Hotfix
Date Wed Mar 21 12:47:00 PDT 2018
Hotfix List
ID708653-3
SUMMARY
When running the selftest from cURL, I get the the message "2 unexpected results"
STEPS TO REPRODUCE
curl -s -k --user admin:xxxxx --data '{}' -X POST "https://<hostname>/mgmt/shared/appsvcs/selftest"
EXPECTED RESULTS
ACTUAL RESULTS
[
{
"message": "2 unexpected results",
"selfTestRunTime": 43459
},
{
"name": "AS3_Basics_01",
"message": "Warning: test result did not match expected configuration",
"hash": "7231eca15c383cf212b5793ed00552d13e78471f95f6e2d880a229214526371c"
},
{
"name": "AS3_Basics_02",
"message": "Warning: test result did not match expected configuration",
"hash": "8a8d5228c4efe00a992026199495cc313f01f6359ec8ee4e1aa26218d018224b"
}
]
Selftest fails on BIG-IP 14.1.0
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.7.0-7.noarch.rpm
BIGIP VERSION
# tmsh show sys version
Sys::Version
Main Package
Product BIG-IP
Version 14.1.0
Build 0.0.116
Edition Final
Date Wed Nov 14 18:41:56 PST 2018
SUMMARY
Running the self-test fails:
curl -k -u "admin:XXX" -X POST -d @selftest.post https://localhost/mgmt/shared/appsvcs/selftest
[{"message":"2 unexpected results","selfTestRunTime":49087},{"name":"AS3_Basics_01","message":"Warning: test result did not match expected configuration","hash":"2524cc929521e7f981265cb52a33a25cd59cb94aeeba36a689521c3c225b490f"},{"name":"AS3_Basics_02","message":"Warning: test result did not match expected configuration","hash":"cddcd4ad20f45e82fcac2c70a2b0f2523422424897f4d9a9e6478ac289501a57"}]
STEPS TO REPRODUCE
See above
Attaching restnoded.log file
TCP profile f5_tcp_progressive_12_1 doesn't generate with app template type other than "http" or "https"
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.6.0-5.noarch.rpm
BIGIP VERSION
Main Package
Product BIG-IP
Version 12.1.3
Build 0.0.378
Edition Final
SUMMARY
For BIG-IP device with software version 12.1.x, a TCP profile (f5_tcp_progressive_12_1) should be automatically created for all application types which uses TCP protocol, but with current 3.5/3.6 RPM this profile would be generated only when the template type defined as as "http" or "https" in the declaration. For instance:
"{{application_name}}": {
"class": "Application",
"template": "generic",
Which won't generate the profile.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
Existing Chain CA cert cannot be referenced in declaration
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.6.0-5.noarch.rpm
BIGIP VERSION
SUMMARY
The exiting Chain CA Cert couldn't be referenced in AS3 declaration. For instance:
"webcert": {
"class": "Certificate",
"certificate": {"bigip": "{{cert_name}}"},
"privateKey": {"bigip": "{{cert_key}}"},
"ChainCA": {"bigip": "{{chain_cert}}"},
.......
Where "chain_cert" refers to an existing chaining CA certificate, this declaration failed.
STEPS TO REPRODUCE
EXPECTED RESULTS
ACTUAL RESULTS
declare not working with show parameter without trailing /
ISSUE TYPE
- Documentation Report
AS3 BUILD/ VERSION
3.1.0-4
BIGIP VERSION
Product BIG-IP
Version 13.1.0.2
Build 0.0.6
Edition Point Release 2
Date Tue Jan 16 08:46:28 PST 2018
SUMMARY
GET declare with show parameter always fails unless using a / after declare.
#Always fails
GET /mgmt/shared/appsvcs/declare?show=full
#Always works
GET /mgmt/shared/appsvcs/declare/?show=full
Documentation doesn't show a trailing slash after declare, is it supposed to?
STEPS TO REPRODUCE
GET /mgmt/shared/appsvcs/declare?show=full
EXPECTED RESULTS
Return AS3 definition, status 200.
ACTUAL RESULTS
{"code":400,"message":"invalid Tenant name \"show=full\""}
syncToGroup should trigger regardless of "no change"
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
{
"version": "3.7.0",
"release": "7",
"schemaCurrent": "3.7.0",
"schemaMinimum": "3.0.0"
}
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.1.2
Build 0.0.4
Edition Point Release 2
Date Thu Oct 11 15:32:21 PDT 2018
SUMMARY
when you do a deploy, then the subsequent deployment only adds "syncToGroup" nothing happens. Expected behavior is that a device sync would be triggered.
STEPS TO REPRODUCE
first declaration
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "test",
"AS3Demo": {
"class": "Tenant",
"defaultRouteDomain": 0,
"DemoApplication": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"remark": "Accepts HTTPS/TLS connections on port 443",
"clientTLS": {
"bigip": "/Common/serverssl"
},
"virtualAddresses": ["10.1.10.10"],
"redirect80": false,
"pool": "custom_ssl_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"serverTLS": { "bigip": "/Common/clientssl" },
"persistenceMethods": [],
"policyWAF": {
"bigip": "/Common/asm-policy-linux-high-security_policy"
},
"securityLogProfiles": [{ "bigip":"/Common/Log all requests"}]
},
"plain_HTTP": {
"class": "Service_HTTP",
"remark": "Accepts HTTP connections on port 80",
"virtualAddresses": ["10.1.10.10"],
"pool": "custom_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"policyEndpoint": "forward_policy"
},
"custom_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.11","192.168.128.12","192.168.128.13"]
}]
},
"special_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.14"]
}]
},
"custom_ssl_pool": {
"class": "Pool",
"monitors": ["https"],
"members": [ {
"serverAddresses": [
"192.168.128.14"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.15"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.16"
],
"servicePort": 8443
}]
},
"custom_http_profile": {
"class": "HTTP_Profile",
"xForwardedFor": true
},
"TCP_Profile": {
"class": "TCP_Profile",
"idleTimeout": 60 },
"forward_policy": {
"class": "Endpoint_Policy",
"rules": [{
"name": "forward_to_pool",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/headers/"]
}
}],
"actions": [{
"type": "forward",
"event": "request",
"select": {
"pool": {
"use": "special_pool"
}
}
}]
},{
"name": "redirect_secure",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/txt"]
}
}],
"actions": [{
"type": "httpRedirect",
"event": "request",
"location": "tcl:https://[getfield [HTTP::host] \":\" 1][HTTP::uri]"
}]
}]
}
}
}
}
}
this should trigger a sync
{
"class": "AS3",
"action": "deploy",
"persist": true,
"syncToGroup":"/Common/Sync",
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "test",
"AS3Demo": {
"class": "Tenant",
"defaultRouteDomain": 0,
"DemoApplication": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"remark": "Accepts HTTPS/TLS connections on port 443",
"clientTLS": {
"bigip": "/Common/serverssl"
},
"virtualAddresses": ["10.1.10.10"],
"redirect80": false,
"pool": "custom_ssl_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"serverTLS": { "bigip": "/Common/clientssl" },
"persistenceMethods": [],
"policyWAF": {
"bigip": "/Common/asm-policy-linux-high-security_policy"
},
"securityLogProfiles": [{ "bigip":"/Common/Log all requests"}]
},
"plain_HTTP": {
"class": "Service_HTTP",
"remark": "Accepts HTTP connections on port 80",
"virtualAddresses": ["10.1.10.10"],
"pool": "custom_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"policyEndpoint": "forward_policy"
},
"custom_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.11","192.168.128.12","192.168.128.13"]
}]
},
"special_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.14"]
}]
},
"custom_ssl_pool": {
"class": "Pool",
"monitors": ["https"],
"members": [ {
"serverAddresses": [
"192.168.128.14"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.15"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.16"
],
"servicePort": 8443
}]
},
"custom_http_profile": {
"class": "HTTP_Profile",
"xForwardedFor": true
},
"TCP_Profile": {
"class": "TCP_Profile",
"idleTimeout": 60 },
"forward_policy": {
"class": "Endpoint_Policy",
"rules": [{
"name": "forward_to_pool",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/headers/"]
}
}],
"actions": [{
"type": "forward",
"event": "request",
"select": {
"pool": {
"use": "special_pool"
}
}
}]
},{
"name": "redirect_secure",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/txt"]
}
}],
"actions": [{
"type": "httpRedirect",
"event": "request",
"location": "tcl:https://[getfield [HTTP::host] \":\" 1][HTTP::uri]"
}]
}]
}
}
}
}
}
EXPECTED RESULTS
should sync
ACTUAL RESULTS
{
"results": [
{
"message": "no change",
"host": "localhost",
"tenant": "AS3Demo",
"runTime": 386,
"code": 200
}
],
"declaration": {
"AS3Demo": {
"class": "Tenant",
"defaultRouteDomain": 0,
"DemoApplication": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"remark": "Accepts HTTPS/TLS connections on port 443",
"clientTLS": {
"bigip": "/Common/serverssl"
},
"virtualAddresses": [
"10.1.10.10"
],
"redirect80": false,
"pool": "custom_ssl_pool",
"profileTCP": {
"egress": "wan",
"ingress": {
"use": "TCP_Profile"
}
},
"profileHTTP": {
"use": "custom_http_profile"
},
"serverTLS": {
"bigip": "/Common/clientssl"
},
"persistenceMethods": [],
"policyWAF": {
"bigip": "/Common/asm-policy-linux-high-security_policy"
},
"securityLogProfiles": [
{
"bigip": "/Common/Log all requests"
}
]
},
"plain_HTTP": {
"class": "Service_HTTP",
"remark": "Accepts HTTP connections on port 80",
"virtualAddresses": [
"10.1.10.10"
],
"pool": "custom_pool",
"profileTCP": {
"egress": "wan",
"ingress": {
"use": "TCP_Profile"
}
},
"profileHTTP": {
"use": "custom_http_profile"
},
"policyEndpoint": "forward_policy"
},
"custom_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 8080,
"serverAddresses": [
"192.168.128.11",
"192.168.128.12",
"192.168.128.13"
]
}
]
},
"special_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 8080,
"serverAddresses": [
"192.168.128.14"
]
}
]
},
"custom_ssl_pool": {
"class": "Pool",
"monitors": [
"https"
],
"members": [
{
"serverAddresses": [
"192.168.128.14"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.15"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.16"
],
"servicePort": 8443
}
]
},
"custom_http_profile": {
"class": "HTTP_Profile",
"xForwardedFor": true
},
"TCP_Profile": {
"class": "TCP_Profile",
"idleTimeout": 60
},
"forward_policy": {
"class": "Endpoint_Policy",
"rules": [
{
"name": "forward_to_pool",
"conditions": [
{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": [
"/headers/"
]
}
}
],
"actions": [
{
"type": "forward",
"event": "request",
"select": {
"pool": {
"use": "special_pool"
}
}
}
]
},
{
"name": "redirect_secure",
"conditions": [
{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": [
"/txt"
]
}
}
],
"actions": [
{
"type": "httpRedirect",
"event": "request",
"location": "tcl:https://[getfield [HTTP::host] \":\" 1][HTTP::uri]"
}
]
}
]
}
}
},
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "test",
"updateMode": "selective",
"controls": {
"archiveTimestamp": "2019-01-02T21:08:08.886Z"
}
}
}
Known Issue: AS3 does not respond to cURL
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
All versions
BIGIP VERSION
All supported BIG-IP versions
SUMMARY
REST queries to AS3 hang until cURL times out.
WORKAROUND
Reset the default Expect header with the cURL argument -H "Expect:"
Service Discovery with encryption fails on BIG-IP versions prior to 12.1.1.2
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
All AS3 versions
BIG-IP VERSION
BIG-IP versions prior to 12.1.2.2
SUMMARY
Using Service Discovery with encryption does not work when using any AS3 version with BIG-IP versions prior to 12.1.2.2. Microsoft Azure always requires encryption whether on a local or remote BIG-IP, so Service Discovery will not work on versions prior to 12.1.2.2. For Amazon AWS and Google Cloud Platform, using Service Discovery on a BIG-IP not running in the cloud will fail on versions prior to 12.1.2.2.
AS3 Support for Clone/Server Pools on Virtual Server
ISSUE TYPE
- Feature Idea
AS3 BUILD/ VERSION
Future
BIGIP VERSION
12.1+
SUMMARY
Customer is looking to utilize the clone pool features of the virtual server. this would allow them to specify a declaration which contains sending traffic to other tools for IDS/IPS/ protocol inspections
STEPS TO REPRODUCE
I think this would be a schema update to support these Virtual Properties:
"clonePools": [
{
"name": "client_clone_pool",
"partition": "Common",
"context": "clientside",
"nameReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~client_clone_pool?ver=13.1.0.8"
}
},
{
"name": "server_clone_pool",
"partition": "Common",
"context": "serverside",
"nameReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~server_clone_pool?ver=13.1.0.8"
}
}
Full GET from VS with clone:
{
"kind": "tm:ltm:virtual:virtualstate",
"name": "clone_vs",
"fullPath": "clone_vs",
"generation": 20953,
"selfLink": "https://localhost/mgmt/tm/ltm/virtual/clone_vs?ver=13.1.0.8",
"addressStatus": "yes",
"autoLasthop": "default",
"cmpEnabled": "yes",
"connectionLimit": 0,
"destination": "/Common/42.42.42.42:42",
"enabled": true,
"gtmScore": 0,
"ipProtocol": "tcp",
"mask": "255.255.255.255",
"mirror": "disabled",
"mobileAppTunnel": "disabled",
"nat64": "disabled",
"rateLimit": "disabled",
"rateLimitDstMask": 0,
"rateLimitMode": "object",
"rateLimitSrcMask": 0,
"securityNatPolicy": {
"useDevicePolicy": "no",
"useRouteDomainPolicy": "no"
},
"serviceDownImmediateAction": "none",
"source": "0.0.0.0/0",
"sourceAddressTranslation": {
"type": "none"
},
"sourcePort": "preserve",
"synCookieStatus": "not-activated",
"throughputCapacity": 0,
"translateAddress": "enabled",
"translatePort": "enabled",
"vlansDisabled": true,
"vsIndex": 22,
"clonePools": [
{
"name": "client_clone_pool",
"partition": "Common",
"context": "clientside",
"nameReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~client_clone_pool?ver=13.1.0.8"
}
},
{
"name": "server_clone_pool",
"partition": "Common",
"context": "serverside",
"nameReference": {
"link": "https://localhost/mgmt/tm/ltm/pool/~Common~server_clone_pool?ver=13.1.0.8"
}
}
],
"policiesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~clone_vs/policies?ver=13.1.0.8",
"isSubcollection": true
},
"profilesReference": {
"link": "https://localhost/mgmt/tm/ltm/virtual/~Common~clone_vs/profiles?ver=13.1.0.8",
"isSubcollection": true
}
}
EXPECTED RESULTS
ACTUAL RESULTS
Feature Request to NA
Feature Request to NA
BIG-IP upgrades may fail when AS3 is installed
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
AS3 version 3.7.0
BIGIP VERSION
12.1.0 - 12.1.2
SUMMARY
After installing AS3 3.7.0, if you attempt to upgrade your BIG-IP system, you may receive an error message in liveinstall.log stating the upgrade failed due to fatal error in calculating the md5sum.
info: md5sum: /config/cloud/as3/node_modules/@f5devcentral/f5-cloud-libs-azure/node_modules/har-validator/node_modules/ajv/lib/refs/\$data.json: No such file or directory
info: Fatal: executing: md5sum /config/cloud/as3/node_modules/@f5devcentral/f5-cloud-libs-azure/node_modules/har-validator/node_modules/ajv/lib/refs/\$data.json
info: Operation aborted.
info: /var/tmp/configsync.spec: Error creating package
info:
info: WARNING:There are error(s) during saving.
info: Not everything was saved.
info: Be very careful when using this saved file!
info:
info: Error creating package
info: Error during config save.
info: Unexpected Error: UCS saving process failed.
WORKAROUND
Manually delete the /config/cloud directory and attempt the upgrade again. AS3 recreates these files after the upgrade.
sha256 file check fails
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
3.7.0-7
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 14.0.0.3
Build 0.0.4
Edition Point Release 3
Date Mon Oct 22 15:08:29 PDT 2018
SUMMARY
A line feed character (decimal 10, hex 0A) in the .sha256 file causes the sha256sum check to fail.
STEPS TO REPRODUCE
sha256sum -c f5-appsvcs-3.7.0-7.noarch.rpm.sha256
EXPECTED RESULTS
Deleting the trailing line feed from the .sha256 file produces the correct result:
f5-appsvcs-3.7.0-7.noarch.rpm: OK
ACTUAL RESULTS
: No such file or directory-7.noarch.rpm
: FAILED open or readarch.rpm
sha256sum: WARNING: 1 of 1 listed file could not be read
AS3 declarations using auto discovery to a cloud platform succeed, even when invalid cloud credentials are used
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
All AS3 versions that include Service Discovery (1.7 and later)
BIGIP VERSION
N/A
SUMMARY
If you are using AS3 to auto discover nodes in a cloud platform (AWS, Azure, GCP), and supply invalid credentials for the cloud provider in the declaration, the AS3 declaration still succeeds.
WORKAROUND
Ensure you use valid credentials for your cloud platform in your declaration.
unable to change fqdn pool member
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.7.0-7.noarch
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.1
Build 0.0.4
Edition Final
Date Fri Jul 20 17:55:49 PDT 2018
SUMMARY
unable to change a fqdn pool member
STEPS TO REPRODUCE
original payload
{
"class": "ADC",
"schemaVersion": "3.0.0",
"label": "autoscale_waf",
"id": "AUTOSCALE_WAF",
"remark": "Autoscale WAF",
"waf": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"serviceAddress": {
"class": "Service_Address",
"virtualAddress": "0.0.0.0"
},
"policyWAF": {
"class": "WAF_Policy",
"file": "/config/cloud/asm-policy-linux-high.xml"
}
},
"http": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
{
"use": "/waf/Shared/serviceAddress"
}
],
"serverTLS": {
"bigip": "/Common/example-clientssl-profile"
},
"snat": "auto",
"securityLogProfiles": [
{
"bigip": "/Common/Log illegal requests"
}
],
"pool": "pool",
"policyWAF": {
"use": "/waf/Shared/policyWAF"
},
"virtualPort": 443
},
"pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"autoPopulate": true,
"hostname": "www.example.com",
"servicePort": 80,
"addressDiscovery": "fqdn"
}
]
}
}
}
}
new payload:
{
"class": "ADC",
"schemaVersion": "3.0.0",
"label": "autoscale_waf",
"id": "AUTOSCALE_WAF",
"remark": "Autoscale WAF",
"waf": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"serviceAddress": {
"class": "Service_Address",
"virtualAddress": "0.0.0.0"
},
"policyWAF": {
"class": "WAF_Policy",
"file": "/config/cloud/asm-policy-linux-high.xml"
}
},
"http": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"virtualAddresses": [
{
"use": "/waf/Shared/serviceAddress"
}
],
"serverTLS": {
"bigip": "/Common/example-clientssl-profile"
},
"snat": "auto",
"securityLogProfiles": [
{
"bigip": "/Common/Log illegal requests"
}
],
"pool": "pool",
"policyWAF": {
"use": "/waf/Shared/policyWAF"
},
"virtualPort": 443
},
"pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"autoPopulate": true,
"hostname": "ip-10-1-10-188.ec2.internal",
"servicePort": 80,
"addressDiscovery": "fqdn"
}
]
}
}
}
}
EXPECTED RESULTS
pool updated
ACTUAL RESULTS
{
"results": [
{
"message": "declaration failed",
"response": "01070110:3: Node address '/Common/_auto_93.184.216.34' is referenced by a member of pool '/waf/http/pool'.",
"code": 422,
"host": "localhost",
"tenant": "waf",
"runTime": 9509
}
],
"declaration": {
"waf": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"serviceAddress": {
"class": "Service_Address",
"virtualAddress": "0.0.0.0"
},
"policyWAF": {
"class": "WAF_Policy",
"file": "/config/cloud/asm-policy-linux-high.xml"
}
},
"http": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"virtualAddresses": [
{
"use": "/waf/Shared/serviceAddress"
}
],
"serverTLS": {
"bigip": "/Common/example-clientssl-profile"
},
"snat": "auto",
"securityLogProfiles": [
{
"bigip": "/Common/Log illegal requests"
}
],
"pool": "pool",
"policyWAF": {
"use": "/waf/Shared/policyWAF"
},
"virtualPort": 443
},
"pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"autoPopulate": true,
"hostname": "www.example.com",
"servicePort": 80,
"addressDiscovery": "fqdn"
}
]
}
}
},
"class": "ADC",
"schemaVersion": "3.0.0",
"label": "autoscale_waf",
"id": "AUTOSCALE_WAF",
"remark": "Autoscale WAF",
"updateMode": "selective",
"controls": {
"archiveTimestamp": "2018-12-19T04:07:54.679Z"
}
},
"code": 422
}
GSLB Server Monitor "gateway_icmp"
ISSUE TYPE
- Feature Request
AS3 BUILD/ VERSION
Public Facing 3.6 Build 5
BIGIP VERSION
13.1.1 Build 0.0.4
SUMMARY
Looking for Support of "gateway-icmp" on the server, we support the "generic host" type and it is recommended for generic host to use the icmp based health monitor.
Documentation Page 102: https://support.f5.com/content/kb/en-us/products/big-ip-dns/manuals/product/bigip-dns-implementations-13-1-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_DNS__Implementations.pdf
Note: Tip: If the server is a BIG-IP system, use the bigip monitor. If the server is a generic host, consider
using the gateway_icmp monitor, because this monitor simply checks that the server responds to a
ping.
FQDN Pool_Members do not auto populate properly
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.2.0-7
BIGIP VERSION
Product BIG-IP
Version 12.1.2
Build 1.0.271
Edition Hotfix HF1
SUMMARY
FQDN Pool members do not auto populate IPs at the pool level. The IPs only populate at the node level.
FQDN Pools appear to be undocumented at the moment
STEPS TO REPRODUCE
Prerequisite: A DNS entry that returns a list of IPs. In this case it's demo.development.svc.cluster.local
Example declaration:
{
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "demo",
"label": "Demo",
"remark": "demo with FQDN pool",
"demo_tenant": {
"class": "Tenant",
"demo_app": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.168.0.21"
],
"allowVlans": [
"internal",
"external"
],
"pool": "demo_pool",
"virtualPort": 80,
"persistenceMethods": [
"cookie"
],
"profileHTTP": "basic",
"layer4": "tcp",
"profileTCP": "normal",
"snat": "auto"
},
"demo_pool": {
"class": "Pool",
"members": [
{
"servicePort": 80,
"addressDiscovery": "fqdn",
"autoPopulate": true,
"hostname": "demo.development.svc.cluster.local"
}
]
}
},
"defaultRouteDomain": 0
}
}
EXPECTED RESULTS
Node list
FQDN
--
Address Type | IPv4
Auto Populate | Enabled
Interval | Use TTL
Down Interval | 5
Pool member
FQDN
--
Auto Populate | Enabled
ACTUAL RESULTS
Node list
FQDN
--
Address Type | IPv4
Auto Populate | Enabled
Interval | Use TTL
Down Interval | 5
Pool member
FQDN
--
Auto Populate | Disabled
AS3 container v3.5.0 - "delete single tennants" feature missing
ISSUE TYPE
- Feature Idea
AS3 BUILD/ VERSION
Docker Container - v3.5.0
BIGIP VERSION
BIG-IP 14.0.0 Build 0.0.2187 Final
SUMMARY
Using guide https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/refguide/as3-api.html#delete-ref, I'm missing a "delete single tennants" function using the Docker container.
I can delete all AS3 applications on a specific host using a POST request to "https://as3-container:8443/mgmt/shared/appsvcs/declare", but I cannot POST to "https://as3-container:8443/mgmt/shared/appsvcs/declare/<tennant>".
STEPS TO REPRODUCE
example declaration:
POST https://as3-container:8443/mgmt/shared/appsvcs/declare
{
"class": "AS3",
"action": "deploy",
"targetHost": "192.168.100.31",
"targetUsername": "as3-admin",
"targetPassphrase": "as3-admin",
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "container",
"label": "Sample 1 in a container",
"remark": "Simple HTTP application with RR pool",
"AS3_App_01": {
"class": "Tenant",
"VS_App01": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.168.110.190"
],
"pool": "Pool_App01"
},
"Pool_App01": {
"class": "Pool",
"monitors": [
"http"
],
"members": [{
"servicePort": 80,
"serverAddresses": [
"192.168.120.71",
"192.168.120.72",
"192.168.120.73"
]
}]
}
}
}
}
}
Deleting this tennant could be done the following way:
POST https://as3-container:8443/mgmt/shared/appsvcs/declare/AS3_App_01
{
"class": "AS3",
"action": "remove",
"targetHost": "192.168.100.31",
"targetUsername": "as3-admin",
"targetPassphrase": "as3-admin"
}
EXPECTED RESULTS
Get a success message, which indicates the tennant has been removed.
ACTUAL RESULTS
Error message:
{
"code": 400,
"message": "method \"Post\" is currently not allowed on path /AS3_App_01"
}
GSLB Not Changing State
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
Public Facing 3.6 Build 5
BIGIP VERSION
13.1.1 Build 0.0.4
SUMMARY
GSLB Declaration does not change the monitor type if the monitor is changed. GSLB_Server users either "bigip" or "https" as monitor types. If you post a declaration with on style and switch to another the monitor will not change.
STEPS TO REPRODUCE
Post declaration with either no monitor (default bigip) or with https and try to swap with a new post
{
"class": "ADC",
"schemaVersion": "3.6.0",
"id": "Western_Union_GSLB_Sample",
"Common": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"AWS_West_1": {
"class": "GSLB_Data_Center",
"proberPreferred": "outside-datacenter"
},
"AWS_West_2": {
"class": "GSLB_Data_Center",
"proberPreferred": "outside-datacenter"
},
"BIGIPAWSWest1": {
"class": "GSLB_Server",
"serverType": "generic-host",
"monitors": [{
"bigip": "/Common/https"
}
],
"dataCenter": {
"use": "AWS_West_1"
},
"devices": [
{
"address": "2.2.2.2"
}
],
"virtualServers": [
{
"address": "2.2.2.2",
"port": 80,
"monitors": [{
"bigip": "/Common/http"
}
]
}
]
},
"BIGIPAWSWest2": {
"class": "GSLB_Server",
"serverType": "generic-host",
"monitors": [{
"bigip": "/Common/https"
}
],
"dataCenter": {
"use": "AWS_West_2"
},
"devices": [
{
"address": "3.3.3.3"
}
],
"virtualServers": [
{
"address": "3.3.3.3",
"port": 80,
"monitors": [{
"bigip": "/Common/http"
}
]
}
]
}
}
},
"Western_Union": {
"class": "Tenant",
"Application": {
"class": "Application",
"template": "generic",
"testDomain": {
"class": "GSLB_Domain",
"domainName": "Western-Union.f5",
"aliases": [
"aliases.Western-Union.f5*" ],
"resourceRecordType": "A",
"poolLbMode": "round-robin",
"pools": [
{ "use": "Western_Union_GSLB_Pool" }
]
},
"Western_Union_GSLB_Pool": {
"class": "GSLB_Pool",
"enabled": true,
"lbModeAlternate": "ratio",
"lbModeFallback": "ratio",
"manualResumeEnabled": true,
"verifyMemberEnabled": false,
"qosHitRatio": 10,
"qosHops": 11,
"qosKbps": 8,
"qosLinkCapacity": 35,
"qosPacketRate": 5,
"qosRoundTripTime": 75,
"qosTopology": 3,
"qosVirtualServerCapacity": 2,
"qosVirtualServerScore": 1,
"members": [
{
"ratio": 10,
"server": {
"use": "/Common/Shared/BIGIPAWSWest1"
},
"virtualServer": "0"
},
{
"ratio": 10,
"server": {
"use": "/Common/Shared/BIGIPAWSWest2"
},
"virtualServer": "0"
}
],
"bpsLimit": 5,
"bpsLimitEnabled": true,
"ppsLimit": 4,
"ppsLimitEnabled": true,
"connectionsLimit": 3,
"connectionsLimitEnabled": true,
"maxAnswersReturned": 10,
"monitors": [
{
"bigip": "/Common/https"
}
],
"resourceRecordType": "A",
"fallbackIP": "1.1.1.1"
}
}
}
}
EXPECTED RESULTS
Expected it to follow the declaration
ACTUAL RESULTS
Monitor type on the Server wasnt changed
Declaration fails when deleting a tenant
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
Versions 3.0.0 and 3.1.0
BIGIP VERSION
All supported versions.
SUMMARY
Issue: Declaration fails when deleting a Tenant
When attempting to DELETE an AS3 tenant on a BIG-IP with APM provisioned, you receive an Declaration Failed error stating a folder can’t be deleted because it contains configuration items. See article https://support.f5.com/csp/article/K42807763.
• Workaround: Repeating the AS3 declaration or directly deleting the Partition may solve the issue. For example, from the BIG-IP Configuration utility, select “Common” from the partition list in the upper right, then click Users > Partition List and then check the box for the partition you want to remove.
FIX
Upgrade to AS3 v3.2.0.
PREVIOUS WORKAROUND
Workaround: Repeating the AS3 declaration or directly deleting the Partition may solve the issue. For example, from the BIG-IP Configuration utility, select “Common” from the partition list in the upper right, then click Users > Partition List and then check the box for the partition you want to remove.
Can't post to Common
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.3.0-6.noarch
BIGIP VERSION
12.1.3.3
SUMMARY
{
"status": 422,
"message": "declaration is invalid",
"errors": [
"/Common: should NOT have additional properties"
],
"code": 422,
"declarationFullId": ""
}
STEPS TO REPRODUCE
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "urn:uuid:33045210-3ab8-4636-9b2a-c98122ab915d",
"label": "Sample 1",
"remark": "Simple HTTP Service with Round-Robin Load Balancing",
"Common": {
"A1": {
"class": "Application",
"template": "http",
"testervip": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.1.10"
],
"pool": "testerpool"
},
"testerpool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 80,
"serverAddresses": [
"192.0.1.10",
"192.0.1.11"
]
}
]
}
}
}
}
}
EXPECTED RESULTS
200
ACTUAL RESULTS
422
error in 3.8: Cannot read property 'forEach' of undefined
Do you already have an issue opened with F5 support?
no existing SR
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
{
"version": "3.8.0",
"release": "3",
"schemaCurrent": "3.8.0",
"schemaMinimum": "3.0.0"
}
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.1.2
Build 0.0.4
Edition Point Release 2
Date Thu Oct 11 15:32:21 PDT 2018
SUMMARY
when submitting a declaration that previously worked in 3.7 it fails in 3.8 with the error
Cannot read property 'forEach' of undefined
STEPS TO REPRODUCE
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "test",
"AS3Demo": {
"class": "Tenant",
"defaultRouteDomain": 0,
"DemoApplication": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"remark": "Accepts HTTPS/TLS connections on port 443",
"clientTLS": {
"bigip": "/Common/serverssl"
},
"virtualAddresses": ["10.1.10.10"],
"redirect80": false,
"pool": "custom_ssl_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"serverTLS": { "bigip": "/Common/clientssl" },
"persistenceMethods": [],
"policyWAF": {
"bigip": "/Common/asm-policy-linux-high-security_policy"
},
"securityLogProfiles": [{ "bigip":"/Common/Log all requests"}]
},
"plain_HTTP": {
"class": "Service_HTTP",
"remark": "Accepts HTTP connections on port 80",
"virtualAddresses": ["10.1.10.10"],
"pool": "custom_pool",
"profileTCP": {
"egress": "wan",
"ingress": { "use": "TCP_Profile" } },
"profileHTTP": { "use": "custom_http_profile" },
"policyEndpoint": "forward_policy"
},
"custom_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.11","192.168.128.12","192.168.128.13"]
}]
},
"special_pool": {
"class": "Pool",
"monitors": ["http"],
"members": [{
"servicePort": 8080,
"serverAddresses": ["192.168.128.14"]
}]
},
"custom_ssl_pool": {
"class": "Pool",
"monitors": ["https"],
"members": [ {
"serverAddresses": [
"192.168.128.14"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.15"
],
"servicePort": 8443
},
{
"serverAddresses": [
"192.168.128.16"
],
"servicePort": 8443
}]
},
"custom_http_profile": {
"class": "HTTP_Profile",
"xForwardedFor": true
},
"TCP_Profile": {
"class": "TCP_Profile",
"idleTimeout": 60 },
"forward_policy": {
"class": "Endpoint_Policy",
"rules": [{
"name": "forward_to_pool",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/headers/"]
}
}],
"actions": [{
"type": "forward",
"event": "request",
"select": {
"pool": {
"use": "special_pool"
}
}
}]
},{
"name": "redirect_secure",
"conditions": [{
"type": "httpUri",
"path": {
"operand": "starts-with",
"values": ["/txt"]
}
}],
"actions": [{
"type": "httpRedirect",
"event": "request",
"location": "tcl:https://[getfield [HTTP::host] \":\" 1][HTTP::uri]"
}]
}]
}
}
}
}
}
EXPECTED RESULTS
not error
ACTUAL RESULTS
error
{
"code": 500,
"declarationFullId": "test",
"message": "Cannot read property 'forEach' of undefined"
}
Declaring a TLS_Client without a clientCertificate property fails
ISSUE TYPE
- Bug Report
- Feature Idea
- Documentation Report
AS3 BUILD/ VERSION
f5-appsvcs-3.4.0-2
BIGIP VERSION
Product BIG-IP
Version 13.1.1
Build 0.0.4
Edition Final
SUMMARY
When declaring a VS while using a **TLS_Client** without a **clientCertificate** defined, AS3 will emit an "Cannot read property 'replace' of undefined" error and code of 422. According to [the documentation](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/refguide/schema-reference.html#tls-client), this parameter is supposed to be optional. Additionally, the error does not indicate what the problem actually is.
STEPS TO REPRODUCE
POST the following to /mgmt/shared/appsvcs/declare
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.0.0",
"id": "Sample_04",
"label": "Sample_04",
"remark": "HTTPS with round-robin pool",
"Sample_04": {
"class": "Tenant",
"A1_01": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"virtualAddresses": [
"10.0.2.13"
],
"pool": "web_pool",
"profileHTTP": "basic",
"serverTLS": {
"bigip": "/Common/clientssl"
},
"clientTLS": "clienttls"
},
"web_pool": {
"class": "Pool",
"loadBalancingMode": "round-robin",
"members": [
{
"servicePort": 84,
"serverAddresses": [
"10.0.3.6"
]
}
]
},
"clienttls": {
"class": "TLS_Client",
"label": "A1_01: clienttls",
"remark": " ",
"sendSNI": "none",
"ciphers": "DEFAULT",
"serverName": "none",
"validateCertificate": false,
"trustCA": "generic",
"ignoreExpired": false,
"ignoreUntrusted": false,
"sessionTickets": false
},
"webcert": {
"class": "Certificate",
"label": "A1_01: webcert",
"remark": "in practice using a passphrase is recommended",
"certificate": "-----BEGIN CERTIFICATE-----\nMIICnDCCAgWgAwIBAgIJAJ5n2b0OCEjwMA0GCSqGSIb3DQEBCwUAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRQwEgYDVQQKDAtmNV9OZXR3b3JrczEbMBkGA1UEAwwSc2FtcGxlLmV4YW1wbGUubmV0MB4XDTE3MTEyNjE5NTAyNFoXDTE4MDIyNTE5NTAyNFowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxFDASBgNVBAoMC2Y1X05ldHdvcmtzMRswGQYDVQQDDBJzYW1wbGUuZXhhbXBsZS5uZXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALEsuXmSXVQpYjrZPW+WiTBjn491mwZYT7Q92V1HlSBtM6WdWlK1aZN5sovfKtOX7Yrm8xa+e4o/zJ2QYLyyv5O+t2EGN/4qUEjEAPY9mwJdfzRQy6Hyzm84J0QkTuUJ/EjNuPji3D0QJRALUTzu1UqqDCEtiN9OGyXEkh7uvb7BAgMBAAGjUDBOMB0GA1UdDgQWBBSVHPNrGWrjWyZvckQxFYWO59FRFjAfBgNVHSMEGDAWgBSVHPNrGWrjWyZvckQxFYWO59FRFjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAJeJ9SEckEwPhkXOm+IuqfbUS/RcziifBCTmVyE+Fa/j9pKSYTgiEBNdbJeBEa+gPMlQtbV7Y2dy8TKx/8axVBHiXC5geDML7caxOrAyHYBpnx690xJTh5OIORBBM/a/NvaR+P3CoVebr/NPRh9oRNxnntnqvqD7SW0U3ZPe3tJc\n-----END CERTIFICATE-----",
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,D8FFCE6B255601587CB54EC29B737D31\n\nkv4Fc3Jn0Ujkj0yRjt+gQQfBLSNF2aRLUENXnlr7Xpzqu0Ahr3jS1bAAnd8IWnsR\nyILqVmKsYF2DoHh0tWiEAQ7/y/fe5DTFhK7N4Wml6kp2yVMkP6KC4ssyYPw27kjK\nDBwBZ5O8Ioej08A5sgsLCmglbmtSPHJUn14pQnMTmLOpEtOsu6S+2ibPgSNpdg0b\nCAJNG/KHe+Vkx59qNDyDeKb7FZOlsX30+y67zUq9GQqJEDuysPJ2BUNP0IJXAjst\nFIt1qNoZew+5KDYs7u/lPxcMGTirUhgI84Jy4WcDvSOsP/tKlxj04TbIE3epmSKy\n+TihHkwY7ngIGtcm3Sfqk5jz2RXoj1/Ac3SW8kVTYaOUogBhn7zAq4Wju6Et4hQG\nRGapsJp1aCeZ/a4RCDTxspcKoMaRa97/URQb0hBRGx3DGUhzpmX9zl7JI2Xa5D3R\nmdBXtjLKYJTdIMdd27prBEKhMUpae2rz5Mw4J907wZeBq/wu+zp8LAnecfTe2nGY\nE32x1U7gSEdYOGqnwxsOexb1jKgCa67Nw9TmcMPV8zmH7R9qdvgxAbAtwBl1F9OS\nfcGaC7epf1AjJLtaX7krWmzgASHl28Ynh9lmGMdv+5QYMZvKG0LOg/n3m8uJ6sKy\nIzzvaJswwn0j5P5+czyoV5CvvdCfKnNb+3jUEN8I0PPwjBGKr4B1ojwhogTM248V\nHR69D6TxFVMfGpyJhCPkbGEGbpEpcffpgKuC/mEtMqyDQXJNaV5HO6HgAJ9F1P6v\n5ehHHTMRvzCCFiwndHdlMXUjqSNjww6me6dr6LiAPbejdzhL2vWx1YqebOcwQx3G\n-----END RSA PRIVATE KEY-----",
"passphrase": {
"ciphertext": "ZjVmNQ==",
"protected": "eyJhbGciOiJkaXIiLCJlbmMiOiJub25lIn0",
"ignoreChanges": true,
"miniJWE": true,
"allowReuse": false
},
"chainCA": "-----BEGIN CERTIFICATE-----\nMIID9TCCAt2gAwIBAgIJALxQA/NW2bpRMA0GCSqGSIb3DQEBCwUAMIGQMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTELMAkGA1UECgwCRjUxDTALBgNVBAsMBFRlc3QxFzAVBgNVBAMMDnRlc3RfQ0FfYnVuZGxlMSUwIwYJKoZIhvcNAQkBFhZzb21lYm9keUBzb21ld2hlcmUub3JnMB4XDTE4MDIyNzE5MjEyNVoXDTE4MDMyOTE5MjEyNVowgZAxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMQswCQYDVQQKDAJGNTENMAsGA1UECwwEVGVzdDEXMBUGA1UEAwwOdGVzdF9DQV9idW5kbGUxJTAjBgkqhkiG9w0BCQEWFnNvbWVib2R5QHNvbWV3aGVyZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCjhUZmbwwuMMFTNic73t0mfJ/pyM3BnEs0riv6lbrF5znFKBlAM2pxWBfkQvr92gUwitij7BqMagnR26/C7GcJJNJQGNK482vgSPhUpGeN0t4W71Dv5SpwJN+0do6gV0eXPwvcgA/XZxXqZAePwXTp36YMrNTgw49OWZpHoNXfYCZ+1KUL032RdQ/Ik2wO/UwV0csL1Rwuu2L8/NI9VtrThCAr8dsMsDJ53jDh7xQdP3K2V9NYtAHk66697kk7TpzR1moqTJxSVaPKo2eDuKNke1BRbjYWoamu0hfC5YG6l5P9i8QaVklbtmDcmoLpU9fLVSSW6CWHkrtdifQiCOChAgMBAAGjUDBOMB0GA1UdDgQWBBRv7/Q0VoBgDYzgJOKLz4GsgXP27zAfBgNVHSMEGDAWgBRv7/Q0VoBgDYzgJOKLz4GsgXP27zAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQA9r6+6hGVlQ188l+wLFJ1wI83y27BdtE0ZsZGdFv98qi9kcUm17Z0tprEwypODZ1/syt9b1JhD4RgU30qwgeF4kec8UpoG49UkQImRD3AqfsiYSdjZeBpcpEl3n8lkjKGoVY7GB2lMGoWDxv/1A0CSjVTmWgQSFGHoMtzOW1tCr9yGXVEdy691l7PVC1kK5ekwkO8YbSO6hvV/u83KuUiGcIoY1PIzAK301i9YXWUNxybIVfHregoQ11QzjhfdfpOLBTtW1B4QZqZz8qFGIr1remmQK3ljEcct9bWjMLOx2QYMvk6uRFzh+V5L2UnhldNy5wQYMXRDz6SU3LdTJ2OA\n-----END CERTIFICATE-----"
}
}
}
}
}
EXPECTED RESULTS
status of "success" returned
ACTUAL RESULTS
status of "Cannot read property 'replace' of undefined" returned
"results": [
{
"message": "Cannot read property 'replace' of undefined",
"host": "localhost",
"tenant": "Sample_04",
"code": 422
}
]
Known Issue: Declaration fails when changing monitor type
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
All versions
BIGIP VERSION
All supported versions
SUMMARY
You deploy a declaration with a pool, such as “monitors”: [ { “use”: “Monitor1” }] and a definition for Monitor1. If you remove both and then redeploy, the declaration fails.
WORKAROUND
Deploy a declaration that entirely deletes the pool, then deploy a second declaration to re-introduce the pool without the declared monitor.
Documentation: APM integration
ISSUE TYPE
- Documentation Report
AS3 BUILD/ VERSION
3.3
BIGIP VERSION
n/a
SUMMARY
the AS3 documentation shows no indication that existing APM policies can be attached in an AS3 declaration. Appendix C: Declaration using all AS3 Properties does not show any command how to integrate an APM policy.
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/refguide/all-properties.html
STEPS TO REPRODUCE
For bugs, show exactly how to reproduce the problem.
For new features, show how the feature would be used.
-->
<!--- Paste example declarations between quotes below -->
EXPECTED RESULTS
ACTUAL RESULTS
Declaration History Limited to 4 (ages 0-3)
ISSUE TYPE
- Bug Report or Documentation Update
AS3 BUILD/ VERSION
f5-appsvcs-3.0.0-34.noarch.rpm
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.0.6
Build 0.0.3
Edition Point Release 6
Date Fri Apr 20 18:04:26 PDT 2018
NOTE: this is a VE with 1 core and 2GB RAM (perhaps declaration history is keyed to resources?)
SUMMARY
Documentation states a declaration history of 16 declarations (0-15) is kept. AS3 only keeps a history of 4 declarations.
STEPS TO REPRODUCE
POST 4 declarations and note the output of a GET to https://{{bigip}}/mgmt/shared/appsvcs/declare?age=list
[
{
"name": "____appsvcs_declaration-1525273534246",
"timestamp": 1525273534246,
"date": "2018-05-02T15:05:34.246Z",
"age": 0
},
{
"name": "____appsvcs_declaration-1525273530784",
"timestamp": 1525273530784,
"date": "2018-05-02T15:05:30.784Z",
"age": 1
},
{
"name": "____appsvcs_declaration-1525273527654",
"timestamp": 1525273527654,
"date": "2018-05-02T15:05:27.654Z",
"age": 2
},
{
"name": "____appsvcs_declaration-1525273520317",
"timestamp": 1525273520317,
"date": "2018-05-02T15:05:20.317Z",
"age": 3
}
]
Now POST a 5th declaration and note the output of https://{{bigip}}/mgmt/shared/appsvcs/declare?age=list.
[
{
"name": "____appsvcs_declaration-1525273591802",
"timestamp": 1525273591802,
"date": "2018-05-02T15:06:31.802Z",
"age": 0
},
{
"name": "____appsvcs_declaration-1525273534246",
"timestamp": 1525273534246,
"date": "2018-05-02T15:05:34.246Z",
"age": 1
},
{
"name": "____appsvcs_declaration-1525273530784",
"timestamp": 1525273530784,
"date": "2018-05-02T15:05:30.784Z",
"age": 2
},
{
"name": "____appsvcs_declaration-1525273527654",
"timestamp": 1525273527654,
"date": "2018-05-02T15:05:27.654Z",
"age": 3
}
]
Checking the output of https://{{bigip}}/mgmt/shared/appsvcs/declare shows the 5th declaration is present -- its just not displayed in the history.
EXPECTED RESULTS
Declaration history of 16 entries with ages from 0-15 to be present.
ACTUAL RESULTS
Declaration history was limited to 4 entries (0-3).
Known Issue: Browser access blocked by blank screen with gray bar
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
All versions
BIGIP VERSION
All supported versions
SUMMARY
After using the DELETE method to remove an AS3 configuration, you are unable to access the BIG-IP configuration utility. In your browser window, you see only a gray screen with a dark gray bar.
WORKAROUND
Use one of the following workarounds:
- Return to your API client and re-deploy the tenant that was previously configured. This should unlock the web interface.
- Login to the BIG-IP CLI shell and restart the tomcat daemon by typing
bigstart restart tomcat.
Update Issue Template
ISSUE TYPE
- Documentation Report
SUMMARY
Update the "AS3 BUILD/ VERSION" in the Issue template to suggest retrieving the AS3 RPM version.
Support for AFM SSH Proxy missing
ISSUE TYPE
- Feature Idea
AS3 BUILD/ VERSION
3.7
BIGIP VERSION
13.1
SUMMARY
I'm working on a customers's project for SSH Proxy automation. Regarding SSH Proxy the schema contains no declaration for SSH Proxy Profile and assignment to Virtual (just Proxy Logging Profile is available).
Currently we have to use the Ansible bigip_command module to work around but we like to use a full declaration using AS3.
Please include SSH Proxy in the next version.
Docs: appendix B example 9 fails deployment...missing servicePort
ISSUE TYPE
Documentation Report
AS3 BUILD/ VERSION
f5-appsvcs-3.1.0-4.noarch.rpm
BIGIP VERSION
13.1.0.7
SUMMARY
Example 9 declaration in appendix B is missing servicePort for gce_pool. As a result, the POST fails.
STEPS TO REPRODUCE
Run example 9 as is. It will fail.
EXPECTED RESULTS
Push example 9 declaration successfully
ACTUAL RESULTS
error in API response stating that servicePort is missing
Workaround
--snippet--
"gce_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 80, <<<<<<<< add this line
"serverAddresses": [
"192.0.7.10",
"192.0.7.11"
]
}
Error message for invalid iRule is confusing
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
3.5.0-3
BIGIP VERSION
BIG-IP 13.1.1 Build 0.0.4 Final
SUMMARY
The JSON parser does not appear to respect line breaks "\n" in multi line iRules
This is important because TCL syntax is line break aware
STEPS TO REPRODUCE
POST this example declaration with a mutli-line iRule
{
"class": "AS3",
"action": "deploy",
"syncToGroup": "/Common/Sync-Failover",
"declaration": {
"class": "ADC",
"schemaVersion": "3.5.0",
"id": "error-codes",
"label": "iRules and pools for http status",
"test_tenant": {
"class": "Tenant",
"shared_app": {
"class": "Application",
"template": "shared",
"test_irule": {
"class": "iRule",
"iRule": "# 503 for service unavailable\nif {[active_members [LB::server pool]] < 1} {\n if {[HTTP::path] eq \"/robots.txt\"} {\n HTTP::respond 200 content \"<html><head><title></title></head><body>User-agent:*<br>Disallow:/<p></body></html>\"\n }\n else {\n HTTP::respond 503 content [ifile get 503.html] \"Content-Type\" \"text/html\"\n }\n}\n"
}
}
}
}
}
EXPECTED RESULTS
message: success
host: localhost
tenant: test_tenant
code: 200
ACTUAL RESULTS
"results": [
{
"message": "declaration failed",
"response": "[active_members unknown property",
"code": 422,
"host": "localhost",
"tenant": "test_tenant",
"runTime": 1527
}
...
AS3 and BIG-IP 12.1 with WAF policy - removing a WAF policy then deleting the tenant may fail
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
3.2.0
BIGIP VERSION
12.1 only
SUMMARY
On BIG-IP 12.1 with ASM provisioned, any WAF policy imported by AS3 must only be deleted when the AS3 Tenant is deleted. If it is removed from the declaration prior to removing the Tenant, a subsequent operation to delete the Tenant may fail
STEPS TO REPRODUCE
Deploy a declaration that imports a WAF policy. Remove the WAF policy from the declaration and redeploy. Then try to delete the tenant. Deleting the tenant may fail.
WORKAROUND
Delete the entire Tenant, and then post back the configuration you wanted without the WAF policy
Docker proxy ignores targetPort
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
~$ curl -k https://localhost:8443/mgmt/shared/appsvcs/info
{"version":"3.5.0","release":"3","schemaCurrent":"3.5.0","schemaMinimum":"3.0.0"}
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.1.2
Build 0.0.4
Edition Point Release 2
Date Thu Oct 11 15:32:21 PDT 2018
SUMMARY
Using the AS3 in a Docker container accessing a BIG-IP in AWS fails with the management port listening on port 8443. AS3 tries to connect to port 443.
STEPS TO REPRODUCE
{
"class": "AS3",
"action": "deploy",
"persist": true,
"targetHost": "MGMT-IP",
"targetPort": 8443,
"targetUsername": "XXX",
"targetPassphrase": "XXX",
"declaration": {
"class": "ADC",
"schemaVersion": "3.5.0",
...
EXPECTED RESULTS
Should connect to port 8443 as configured in the json file.
ACTUAL RESULTS
~$ curl -sku admin:admin -H "Content-Type: application/json" -X POST https://localhost:8443/mgmt/shared/appsvcs/declare --data-binary "@as3.json";
{"code":500,"declarationFullId":"","message":"cannot contact xx.xx.xx.xx (GET https://xx.xx.xx.xx:443/mgmt/shared/echo failed (connect ECONNREFUSED xx.xx.xx.xx:443))"}
'tenants' query parameter for DELETE unrecognized
ISSUE TYPE
- Bug Report or Documentation Issue
AS3 BUILD/ VERSION
f5-appsvcs-3.0.0-34.noarch.rpm
BIGIP VERSION
Sys::Version
Main Package
Product BIG-IP
Version 13.1.0.6
Build 0.0.3
Edition Point Release 6
Date Fri Apr 20 18:04:26 PDT 2018
SUMMARY
DELETE method doesn't recognize the "tenants" query parameter as described in the documentation.
DELETE https://192.0.2.10/mgmt/shared/appsvcs/declare?tenants=T1,T2,T5
removes Tenants T1, T2, and T5 leaving the rest of the most recent declared configuration for localhost in place (assuming there are other Tenants, such as T3 and T4).
You can also remove declarations or particular Tenants using POST instead of DELETE. You must POST a request document with action=remove and a suitable declaration. For localhost, we recommend using DELETE to remove declarations.
STEPS TO REPRODUCE
send DELETE to https://{{bigip}}/mgmt/shared/appsvcs/declare?tenants=Sample_03,Sample_04,Sample_05 where the example tenants exist.
EXPECTED RESULTS
Tenants specified in the query parameter are deleted.
ACTUAL RESULTS
{
"code": 400,
"message": "unrecognized URL query parameter 'tenants'"
}
aws service discvery
ISSUE TYPE
- Bug Report
- Documentation Report
AS3 BUILD/ VERSION
3.7
BIGIP VERSION
13.1.1
SUMMARY
service discovery gets stuck and stops working.
STEPS TO REPRODUCE
when using the example posted here:
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/declarations/discovery.html
the example for AWS service discovery has both static members and is using the service discovery.
when posting this declaration it works, meaning i see both the static members and the ones discovered by the service discovery.
then, if i delete the static ones from the declaration, it doesn't populate any members.
even if i post the same declaration now with the static members it won't populate the dynamic ones.
i can fix it by completely removing the pool from the declaration and posting it. then send another declaration with just the service discovery.
example of first declaration (with both static and service discovery)
{
"class": "ADC",
"schemaVersion": "3.7.0",
"id": "5489432",
"label": "ASM_policy_external_URL",
"remark": "ASM_policy_external_URL",
"controls": {
"class": "Controls",
"trace": true,
"logLevel": "debug"
},
"Sample_sec_02": {
"class": "Tenant",
"HTTP_Service": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.0.10.107"
],
"snat": "auto",
"pool": "web_pool",
"policyWAF": {
"use": "My_ASM_Policy"
}
},
"web_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 80,
"addressDiscovery": "aws",
"updateInterval": 1,
"tagKey": "aws:autoscaling:groupName",
"tagValue": "rosenbo-App10-master-app-appAutoscaleGroup-1HC0ALV8ZIFQ5",
"addressRealm": "private",
"region": "us-west-2"
},
{
"enable": true,
"servicePort": 443,
"serverAddresses": [
"192.0.2.7",
"192.0.2.8"
]
}
]
},
"My_ASM_Policy": {
"class": "WAF_Policy",
"url": "https://raw.githubusercontent.com/F5-use-cases/f5-rs-waf/master/roles/waf_policies/files/waf_policies/owasptop10-v01.xml",
"ignoreChanges": true
}
}
}
}
example of declaration with just the service discovery (works fine if used on a clean bigip, fails to populate members if used after the previous declaration)
{
"class": "ADC",
"schemaVersion": "3.7.0",
"id": "5489432",
"label": "ASM_policy_external_URL",
"remark": "ASM_policy_external_URL",
"controls": {
"class": "Controls",
"trace": true,
"logLevel": "debug"
},
"Sample_sec_02": {
"class": "Tenant",
"HTTP_Service": {
"class": "Application",
"template": "http",
"serviceMain": {
"class": "Service_HTTP",
"virtualAddresses": [
"192.0.10.107"
],
"snat": "auto",
"pool": "web_pool",
"policyWAF": {
"use": "My_ASM_Policy"
}
},
"web_pool": {
"class": "Pool",
"monitors": [
"http"
],
"members": [
{
"servicePort": 80,
"addressDiscovery": "aws",
"updateInterval": 1,
"tagKey": "aws:autoscaling:groupName",
"tagValue": "rosenbo-App10-master-app-appAutoscaleGroup-1HC0ALV8ZIFQ5",
"addressRealm": "private",
"region": "us-west-2"
}
]
},
"My_ASM_Policy": {
"class": "WAF_Policy",
"url": "https://raw.githubusercontent.com/F5-use-cases/f5-rs-waf/master/roles/waf_policies/files/waf_policies/owasptop10-v01.xml",
"ignoreChanges": true
}
}
}
}
EXPECTED RESULTS
discover members
ACTUAL RESULTS
didn't discover members
Error after upgrading from AS3 3.2.0 to 3.3.0 when modifying an existing pool
ISSUE TYPE
- Known Issue
AS3 BUILD/ VERSION
AS3 v3.3.0
BIGIP VERSION
All supported BIG-IP versions
SUMMARY
When sending a POST request to the declare endpoint using a declaration that results in modifications to an existing pool, AS3 attempts to create the pool instead of applying the modification. Upgrading from 3.2.0 to 3.3.0 triggers a modification to pools to add auto-discovery related metadata.
SYMPTOM
A POST request to the declare endpoint results in a 422 status code response containing a message about a pool already existing. Example message: “The requested Pool (/AS3/https_waf/pool) already exists in partition AS3”.
WORKAROUND
Delete the tenant through the declare endpoint, and retry the POST request that generated the error.
selftest folder location wrong
ISSUE TYPE
- Documentation Report
AS3 BUILD/ VERSION
3.0.0-34
BIGIP VERSION
13.1.0.6
SUMMARY
http://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/3/userguide/self-test.html mentions that running selftest uses stuff in located in /var/config/rest/iapps/appsvcs/selftest. That folder doesn't exist on my F5. I show this...
[admin@jgf5-v13-1:Active:Standalone] selftest # pwd
/var/config/rest/iapps/f5-appsvcs/selftest
The difference being that appsvcs has f5- as a prefix.
STEPS TO REPRODUCE
n/a
EXPECTED RESULTS
update folder path
ACTUAL RESULTS
n/a
Custom HTTP Profile
Do you already have an issue opened with F5 support?
Github Issues are consistently monitored by F5 staff, but should be considered as best effort only and you should not expect to receive the same level of response as provided by F5 Support. Please open an case with F5 if this is a critical issue.
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.7.0-7.noarch
BIGIP VERSION
BIG-IP | 13.1.1 | 0.0.4
SUMMARY
Unable to create a custom HTTP profile, get error: {"code":422,"declarationFullId":"","message":"declaration is invalid","errors":["/Stage/A1/myVS3/profileHTTP: should be equal to one of the allowed values [\"basic\"]"]}
STEPS TO REPRODUCE
"myVS3": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.2.13"
],
"pool": "web_pool",
"iRules": [
{ "bigip": "/Common/local_irule" }
],
"virtualPort": 80,
"persistenceMethods": [
"cookie"
],
"profileHTTP": "custom_http_profile",
"layer4": "tcp",
"profileTCP": "normal",
"enable": true,
"maxConnections": 0,
"snat": "auto",
"addressStatus": true,
"mirroring": "none",
"lastHop": "default",
"translateClientPort": false,
"translateServerAddress": true,
"translateServerPort": true
},
"custom_http_profile": { "class": "HTTP_Profile", "knownMethods": [ "CONNECT","DELETE","HEAD","POST","PUT" ] },
EXPECTED RESULTS
Should be able to use the custom HTTP profile that is defined, but error says that only basic is supported. Is that really the case, that basic is only supported or is there a syntax error on my part?
ACTUAL RESULTS
{"code":422,"declarationFullId":"","message":"declaration is invalid","errors":["/Stage/A1/myVS3/profileHTTP: should be equal to one of the allowed values [\"basic\"]"]}
SelfTest returns 503 but actually passes
ISSUE TYPE
Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.5
BIGIP VERSION
BIG-IP 13.1.1.0.0.4
SUMMARY
Error on self test:
Reported by:
@malbertus
@ColinHeathman
From this issue 23
See details below
STEPS TO REPRODUCE
Restart restnoded
tmsh restart /sys service restnoded
POST to https://{{host}}/mgmt/shared/appsvcs/selftest using a service account (not admin)
EXPECTED RESULTS
Self test suite passes
ACTUAL RESULTS
{"message":"POST http://admin:XXXXXX@localhost:8100/mgmt/shared/appsvcs/declare submit tests response=503 body={\"code\":503,\"declarationFullId\":\"\",\"message\":\"Device localhost configuration operation in progress for (urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb), please try again in 2 minutes\"}","level":"error"}
Reported by @malbertus From this issue 23:
I'm having a similar issue, though now it's
urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812ebcausing the 500 response instead ofTEST_AS3_Basics. Coincidentally, this is the ID given to the Declaration Using All Properties appendix so I assume that the intent is to create and delete this declaration after posting to the selftest api.Problem seems to be how long it takes to create and delete this selftest declaration as the 500 response is given 60 seconds after initial POST, yet the declaration appears to be created and deleted successfully a few seconds after the timeout, which suggests the selftest passes.
This is with 3.5
Mon, 22 Oct 2018 06:09:53 GMT - fine: [appsvcs] {"message":"probe target 'localhost'","level":"debug"} Mon, 22 Oct 2018 06:09:53 GMT - fine: [appsvcs] {"message":"found F5 device at http://admin:@localhost:8100 port 8100","level":"debug"} Mon, 22 Oct 2018 06:09:53 GMT - info: [appsvcs] {"message":"modules provisioned: ltm","level":"info"} Mon, 22 Oct 2018 06:09:53 GMT - info: [appsvcs] {"message":"target device is BIG-IP version 13.1.1.0.0.4","level":"info"} Mon, 22 Oct 2018 06:09:54 GMT - info: [appsvcs] {"message":"cloud libraries installed: true","level":"info"} Mon, 22 Oct 2018 06:09:54 GMT - fine: [appsvcs] {"message":"got transaction lock; fetch previous decl","level":"debug"} Mon, 22 Oct 2018 06:09:54 GMT - fine: [appsvcs] {"message":"did not get age 0 declaration","level":"debug"} Mon, 22 Oct 2018 06:09:54 GMT - fine: [appsvcs] {"message":"found no stored declaration","level":"debug"} Mon, 22 Oct 2018 06:09:54 GMT - fine: [appsvcs] {"message":"validating declaration having id urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb|AS3_Basics","level":"debug"} <SNIP> Mon, 22 Oct 2018 06:10:55 GMT - info: [appsvcs] {"message":"Error: Device localhost configuration operation in progress for (urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb), please try again in 2 minutes","stack":["Error: Device localhost configuration operation in progress for (urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb), please try again in 2 minutes","/var/config/rest/iapps/f5-appsvcs/nodejs/declarationRequestHandler.js:1389:37","process._tickCallback (node.js:438:9)"],"level":"info"} Mon, 22 Oct 2018 06:10:55 GMT - severe: [appsvcs] {"message":"POST http://admin:XXXXXX@localhost:8100/mgmt/shared/appsvcs/declare submit tests response=503 body={\"code\":503,\"declarationFullId\":\"\",\"message\":\"Device localhost configuration operation in progress for (urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb), please try again in 2 minutes\"}","level":"error"} Mon, 22 Oct 2018 06:10:55 GMT - severe: [ErrorHandlingModule] RestOperation failed: "/shared/appsvcs/selftest". {"error":{"code":500,"message":"POST http://admin:XXXXXX@localhost:8100/mgmt/shared/appsvcs/declare submit tests response=503 body={\"code\":503,\"declarationFullId\":\"\",\"message\":\"Device localhost configuration operation in progress for (urn:uuid:5cff22e8-d3d1-6056-8577-b0b193f812eb), please try again in 2 minutes\"}","innererror":{"referer":"restnoded","originalRequestBody":"\"{}\"","errorStack":[]}}} <SNIP> Mon, 22 Oct 2018 06:10:59 GMT - fine: [appsvcs] {"message":"deployed= 5 good 0 bad 5 changes","level":"debug"} Mon, 22 Oct 2018 06:10:59 GMT - fine: [appsvcs] {"message":"5 changes, save current declaration for later","level":"debug"} Mon, 22 Oct 2018 06:10:59 GMT - fine: [appsvcs] {"message":"purge stored decls in excess of 0","level":"debug"} Mon, 22 Oct 2018 06:10:59 GMT - fine: [appsvcs] {"message":"unlocking transaction","level":"debug"} <FINISH>
[Doc] Patch example
ISSUE TYPE
Documentation Report
AS3 BUILD/ VERSION
3.6.0 build 5
BIGIP VERSION
13.1.0.5
SUMMARY
https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/refguide/as3-api.html#using-patch-to-add-an-application-to-a-tenant
The following example could benefit from some more details
STEPS TO REPRODUCE
PATCH {host}/mgmt/shared/appsvcs/declare
"path": "/tenant1"
"op": "add",
"value": {
"app3": {... }
}
just to make it less prone to error, i would highlight that the class statement is still required
PATCH {host}/mgmt/shared/appsvcs/declare
"path": "/tenant1"
"op": "add",
"value": {
"class": "Tenant",
"app3": {... }
}
TEST_AS3_Basics lock always blocks self-test
ISSUE TYPE
- Bug Report
AS3 BUILD/ VERSION
f5-appsvcs-3.2.0-7
BIGIP VERSION
BIG-IP 12.1.2 Build 2.0.276 Hotfix HF2
SUMMARY
Error on self test:
Device localhost configuration operation in progress for (TEST_AS3_Basics), please try again in 5 minutes
STEPS TO REPRODUCE
Restart restnoded
tmsh restart /sys service restnoded
POST to https://{{host}}/mgmt/shared/appsvcs/selftest using a service account (not admin)
EXPECTED RESULTS
Self test suite passes
ACTUAL RESULTS
{
"code": 500,
"message": "POST http://admin:XXXXXX@localhost:8100/mgmt/shared/appsvcs/declare submit tests response=503 body={\"status\":503,\"retryAfter\":300,\"message\":\"Device localhost configuration operation in progress for (TEST_AS3_Basics), please try again in 5 minutes\",\"code\":503,\"declarationFullId\":\"\"}",
"originalRequestBody": "",
"referer": "restnoded",
"restOperationId": 0,
"kind": ":resterrorresponse"
}
Gist of /var/log/restnoded/restnoded.log, including startup
https://gist.github.com/ColinHeathman/a82774e450bc037b6d51087993b9c35c
AS3: Allow use of existing TCP profiles (Client & Serverside)
Feature Idea
AS3 BUILD/ VERSION
f5-appsvcs-3.2.0-7.noarch.rpm
BIGIP VERSION
V13.1.0.8
SUMMARY
Customers typically utilize base TCP profiles for client-side and server-side. Currently with AS3 you can chose an existing profile, but cannot specify different profiles for client and server sides. If you want separate profiles you can use the ingress and egress but this will assign the f5-tcp-<wan/lan>.
STEPS TO REPRODUCE
{
"class": "AS3",
"action": "deploy",
"persist": true,
"declaration": {
"class": "ADC",
"schemaVersion": "3.2.0",
"id": "FirstTestApp",
"label": "Test",
"remark": "Test virtual server for vicor PoC",
"lab": {
"class": "Tenant",
"bodgeit": {
"class": "Application",
"template": "https",
"serviceMain": {
"class": "Service_HTTPS",
"virtualAddresses": [
"10.0.1.110"
],
"virtualPort": 443,
"profileHTTP": {
"bigip": "/Common/f5demo-http"
},
"profileMultiplex": {
"bigip": "/Common/f5demo-oneconnect"
},
"profileTCP": {
"ingress": "/Common/f5demo-tcp-wan",
"egress": "/Common/f5demo-tcp-lan"
},
"pool": "bodgeit",
"redirect80": false,
"clientTLS": {
"bigip": "/Common/f5demo-serverssl"
},
"serverTLS": {
"bigip": "/Common/san_cert"
},
"snat": "auto"
},
"bodgeit_redir": {
"class": "Service_HTTP",
"virtualAddresses": [
"10.0.1.110"
],
"virtualPort": 80,
"profileHTTP": {
"bigip": "/Common/f5demo-http"
},
"profileTCP": {
"bigip": "/Common/f5demo-tcp-lan"
},
"iRules": [
{
"bigip": "/Common/_sys_https_redirect"
}
]
},
"bodgeit": {
"class": "Pool",
"monitors": [{
"bigip": "/Common/f5demo-https-head"
}],
"members": [{
"servicePort": 443,
"serverAddresses": [
"10.128.20.11",
"10.128.20.12"
]
}]
}
}
}
}
}
EXPECTED RESULTS
virtual server created with separate TCP profiles assigned to client and server side.
ACTUAL RESULTS
{
"status": 422,
"message": "declaration is invalid",
"errors": [
"/lab/bodgeit/serviceMain/profileTCP/ingress: should be equal to one of the allowed values [\"normal\",\"lan\",\"wan\",\"mobile\"]"
],
"code": 422,
"declarationFullId": ""
}
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.