F5 disable pool/node


Michael Perzel

Feb 20, 2015, 11:47:54 AM
to ansible...@googlegroups.com
We are looking into automating our network failover between datacenters using the F5 network modules: http://docs.ansible.com/list_of_network_modules.html

I've been able to do simple things like gather facts, add/delete nodes, add/delete pools but one thing I am missing is being able to disable a node or pool. I don't necessarily want to delete a node to in essence disable it. I can't find any documentation stating this is possible. Has anyone come across a way to do this?

Thanks.

Serge van Ginderachter

Feb 20, 2015, 1:50:27 PM
to ansible...@googlegroups.com

On 20 February 2015 at 17:47, Michael Perzel <michae...@gmail.com> wrote:
I've been able to do simple things like gather facts, add/delete nodes, add/delete pools but one thing I am missing is being able to disable a node or pool. I don't necessarily want to delete a node to in essence disable it. I can't find any documentation stating this is possible. Has anyone come across a way to do this?

As far as I know, the modules don't support that now. Might be a feasible addition, but keep in mind bigip has an extremely extensive API for every object, which is not always easy to put into one module.

I'd say, file a feature request, but I don't think it's something the core team can and will support.
I wrote one of those modules, and Matt Hite most others. Not sure who else is there to maintain/extend them.
I might have a look at that.

Perhaps file a feature request ticket, and describe in more detail what you want to do, with which objects.

Perhaps Brian C can assign that ticket to me?



  Serge

Michael Perzel

Feb 20, 2015, 2:42:12 PM
to ansible...@googlegroups.com
Thanks for the response. I filled out issue https://github.com/ansible/ansible/issues/10307. Let me know if this is unclear. I can take a look at the bigip api and see what I find.

Serge van Ginderachter

Feb 20, 2015, 3:39:31 PM
to ansible...@googlegroups.com

On 20 February 2015 at 20:42, Michael Perzel <michae...@gmail.com> wrote:
Thanks for the response. I filled out issue https://github.com/ansible/ansible/issues/10307.

Doesn't this need to be filed in https://github.com/ansible/ansible-modules-extras ?

Michael Perzel

Feb 20, 2015, 4:36:05 PM
to ansible...@googlegroups.com
Yes my apologies. Is it possible to move it over or should it just be closed and a new one opened?

Greg Andrews

Feb 20, 2015, 8:12:08 PM
to ansible...@googlegroups.com
This is just a data point from a site that uses Ansible and has F5 load balancers.  Our network admin has written playbooks that use ssh and invoke the F5 tmsh command-line utility to do things like add/remove/enable/disable nodes in pools.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/0a16196c-1d3e-41a5-8f61-3ecd51f43ad4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Serge van Ginderachter

Feb 21, 2015, 9:58:39 AM
to ansible...@googlegroups.com
Greg,

On 21 February 2015 at 02:11, Greg Andrews <hva...@gmail.com> wrote:
This is just a data point from a site that uses Ansible and has F5 load balancers.  Our network admin has written playbooks that use ssh and invoke the F5 tmsh command-line utility to do things like add/remove/enable/disable nodes in pools.

Did you forget to provide a link here?


Serge van Ginderachter

Feb 21, 2015, 9:58:58 AM
to ansible...@googlegroups.com

On 20 February 2015 at 22:36, Michael Perzel <michae...@gmail.com> wrote:
Yes my apologies. Is it possible to move it over or should it just be closed and a new one opened?


You'll need to do that manually.

Greg Andrews

Feb 21, 2015, 2:43:23 PM
to ansible...@googlegroups.com
Hi Serge,

Unfortunately, company policy won't let me share an example.  I wanted to indicate the general idea that we set up keys for ssh access to our F5 devices and use the Ansible shell module to run "tmsh" commands in them.  It's not as nice as a full module, but it seemed easier than the other API options available to us.

  -Greg



Serge van Ginderachter

Feb 22, 2015, 4:37:54 AM
to ansible...@googlegroups.com

On 21 February 2015 at 20:42, Greg Andrews <hva...@gmail.com> wrote:
Unfortunately, company policy won't let me share an example.  I wanted to indicate the general idea that we set up keys for ssh access to our F5 devices and use the Ansible shell module to run "tmsh" commands in them.  It's not as nice as a full module, but it seemed easier than the other API options available to us.


Ah, ok, I thought you intended to provide an example. No problem.

Did you manage to make those `command: tmsh` somehow idempotent?

Michael Perzel

Feb 22, 2015, 9:22:41 AM
to ansible...@googlegroups.com
I opened a new issue at https://github.com/ansible/ansible-modules-extras/issues/276 in the correct repository.

I took a look at ansible-module-extra\network\f5\bigip_node.py, and it seems like it would make sense to add a couple of functions called get/set_node_state. They could be invoked from the else statement that updates the attributes. I haven't tested this yet, but https://devcentral.f5.com/questions/bigsuds-how-to-enable-disable-certain-pool-members looks like it has the necessary code snippet to do this.

Matt Hite

Feb 23, 2015, 9:08:04 PM
to ansible...@googlegroups.com
I'll get a PR up soon to address this.


Matt Hite

Feb 24, 2015, 8:19:09 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, Serge van Ginderachter
I've posted a P.R. which needs some volunteers to test.

Matt Hite

Feb 24, 2015, 9:40:16 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, Serge van Ginderachter
BTW, once I can get some testers on this change, I can incorporate a similar one that works on the pool-member level.

Michael Perzel

Feb 25, 2015, 12:13:48 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, se...@vanginderachter.be
Nice, that would be my next request. I can test this out, but I'm confused by the table at https://devcentral.f5.com/questions/icontrol-equivalent-call-for-b-node-down

Does that mean even with the session and monitor disabled active connections aren't broken?

Matt Hite

Feb 25, 2015, 1:13:44 PM
to ansible...@googlegroups.com, hva...@gmail.com, Michael Perzel, Serge van Ginderachter
Michael,

My understanding is that setting session state to disabled prevents new connections from being sent to the node UNLESS they match a persistence lookup. If you use simple round robin without a persistence setting for a pool, this shouldn't matter.

However, if you are making use of client to backend node persistence, setting monitor state to disabled will also prevent persistent connections from continuing to reach said node.

Does that help?

-M
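
Added example (not from the thread or from the bigip modules): a small Python model of the rule described in the post above, with session_state and monitor_state as two booleans per node and a persistence table per pool. The class and function names are hypothetical, and the model covers only how requests are assigned to nodes, not connections that are already open.

```python
# Toy model of the routing rule described in the post above.
# Not F5 code; Node, Pool and drain_demo are hypothetical names.
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    session_enabled: bool = True   # session_state in the module
    monitor_enabled: bool = True   # monitor_state in the module

    def takes_new(self) -> bool:
        # New (non-persistent) traffic needs both states enabled.
        return self.session_enabled and self.monitor_enabled

    def takes_persistent(self) -> bool:
        # Persistence matches keep flowing until monitor state is disabled.
        return self.monitor_enabled

class Pool:
    def __init__(self, nodes, persistence=True):
        self.nodes = list(nodes)
        self.persistence = persistence
        self.table = {}   # client -> Node (persistence records)
        self._next = 0    # round-robin cursor

    def route(self, client):
        """Return the node name chosen for this client, or None."""
        node = self.table.get(client) if self.persistence else None
        if node is not None and node.takes_persistent():
            return node.name
        self.table.pop(client, None)  # stale or missing record: pick again
        for _ in self.nodes:
            node = self.nodes[self._next % len(self.nodes)]
            self._next += 1
            if node.takes_new():
                if self.persistence:
                    self.table[client] = node
                return node.name
        return None

def drain_demo():
    """Constructed scenario: two nodes, client 'a' persisted to web1."""
    web1, web2 = Node("web1"), Node("web2")
    pool = Pool([web1, web2])
    seen = [pool.route("a")]                     # web1, now persisted
    web1.session_enabled = False                 # session_state=disabled
    seen += [pool.route("a"), pool.route("b")]   # a stays, b avoids web1
    web1.monitor_enabled = False                 # monitor_state=disabled
    seen.append(pool.route("a"))                 # a is moved off web1
    return seen
```

In this model a node with monitor state disabled and session state enabled receives no traffic at all, which matches the "forced offline" result reported later in the thread.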



Matt Hite

Feb 25, 2015, 6:55:11 PM
to ansible...@googlegroups.com, hva...@gmail.com, Michael Perzel, Serge van Ginderachter
BTW, I've created a P.R. for doing the same on the pool member level:


Again, could use some testers.

Michael Perzel

Mar 3, 2015, 2:41:58 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, se...@vanginderachter.be
I tested out the 2 pull requests. I successfully was able to set the session/monitor state for pools/nodes, non-existent nodes/pools etc. One thing I noticed is that when a node is set to monitor_state=disabled, session_state=enabled it results in forced offline. Is this intended behavior? That set of parameters isn't in the table. I need to do more testing to see how this affects open connections, but as for my use case I think this fixes my issues.

Has there been any work in looking at a module modifying a GTM?

Thanks,



Matt Hite

Mar 5, 2015, 2:01:00 PM
to ansible...@googlegroups.com, hva...@gmail.com, Michael Perzel, Serge van Ginderachter
I think so, although keep in mind that the API doesn't always map to things in the UI.

Matt Hite

Mar 6, 2015, 12:56:32 PM
to ansible...@googlegroups.com, hva...@gmail.com, Michael Perzel, Serge van Ginderachter
Sorry, I realized I answered your first question but not your second.

I have not started work on GTM modules but am open to implementing this for the community. Feel free to share your specific use cases of what you would like to be able to do.

Michael Perzel

Mar 6, 2015, 1:36:29 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, se...@vanginderachter.be
I'm still in the preliminary phase of developing requirements. From a high level we have multiple datacenters and use the GTM to route traffic (round-robin by default but during maintenance we may "pin" traffic to one datacenter). I should have more specifics in a few weeks.

I've been reading up on the bigsuds api and would be more than willing to help develop this.

Matt Hite

Mar 11, 2015, 11:42:50 PM
to ansible...@googlegroups.com, hva...@gmail.com, Michael Perzel, Serge van Ginderachter
BTW, if you don't mind -- for those of you who have tested this, please comment on the pull requests so Brian knows it works as intended.


Thanks,

-M

Michael Perzel

Apr 7, 2015, 11:17:29 AM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com, se...@vanginderachter.be
I am going to start putting some effort into automating our GTM updates now. 

Our basic process is:
  • Confirm pools are reporting up
  • Then going to DNS>GSLB and swapping which pools are members of a particular fqdn.

Seems relatively straightforward. I was thinking for a first step, a module that can get the GTM status and set the member pools would be good. Let me know if you are still interested in taking a look at this or I can put together an initial module as well.

Michael Perzel

May 29, 2015, 1:22:31 PM
to ansible...@googlegroups.com, hva...@gmail.com, michae...@gmail.com
Not sure if anyone is still monitoring this thread but I submitted a pull request for this functionality. As time is available, I'd like to keep adding features even though I've got everything I personally need now.


I accidentally intermingled some unrelated Windows changes into this branch. I rolled them back but not sure how to get rid of the history.