1. TREATING LOAD BALANCER CONFIGURATION LIKE CODE
   Presented By: Jesse Mauntel
   6/19/2015, SAN DIEGO DEVOPS MEETUP
2. WHO AM I?
   Operations Engineer who's been in the industry 15+ years and has an
   extreme dislike for configuration drift, system snowflakes, manual
   administration, and time pirates.
   @maunteljw
   devopslove.blogspot.com
   github.com/jmauntel
3. AGENDA
   - So what's the problem?
   - iRule Tester
   - Object cloner & orphan object audit
   - Self-service website redirects
4. SO WHAT'S THE PROBLEM?
   - Work in a world of poorly written iRules
   - Little to no testability of iRules
   - Code promotion process that requires a human to manually make iRule
     changes for each environment
5. CHALLENGES
   The current iRule logic includes environment-specific definitions in
   the logic, which makes promotion of whole iRules through environments
   impossible
6. EXAMPLE
   acme-qa-irule:

       # Force sensitive acmeCommerce traffic to SSL
       if { [class match [HTTP::uri] starts_with acmeCommerce-qa-class] } {
           HTTP::redirect https://[HTTP::host][HTTP::uri]
       # Send requests for Acme Information to the information tier
       } elseif { [HTTP::uri] starts_with "/AcmeInformation/" } {
           pool acmeInformation-qa-pool
       }
7. CHALLENGES
   iRule changes are made by hand in all environments, which is
   error-prone
8. EXAMPLE
   acme-dev-irule:

       # Force sensitive acmeCommerce traffic to SSL
       if { [class match [HTTP::uri] starts_with acmeCommerce-dev-class] } {
           HTTP::redirect https://[HTTP::host][HTTP::uri]

   acme-qa-irule:

       # Force sensitive acmeCommerce traffic to SSL
       if { [class match [HTTP::uri] starts_with acmeCommerce-dev-class] } {
           HTTP::redirect https://[HTTP::host][HTTP::uri]
9. CHALLENGES
   Creating new environments is a manual, time-consuming, and tedious
   process
   bleh
10. EXAMPLE
   acme-dev-irule:

       # Send all URIs that begin with /Website/ to acmeWeb pool
       } elseif { [HTTP::uri] starts_with "/Website/" } {
           pool acmeWeb-dev-pool

   acme-qa-irule:

       # Send all URIs that begin with /Website/ to acmeWeb pool
       } elseif { [HTTP::uri] starts_with "/Website/" } {
           pool acmeWeb-qa-pool
11. CHALLENGES
   Existing iRules do not have functional tests, so there is no guarantee
   that a change to an iRule won't break other pre-existing logic
12. EXAMPLE
   acme-dev-irule:

       # Send all URIs that begin with /Website/ to acmeWeb pool
       } elseif { [HTTP::uri] starts_with "/Website/" } {
           pool acmeWeb-dev-pool
     > # Send store location details page to content tier
     > } elseif { [HTTP::uri] contains "storelocation" } {
     >     pool acmeContent-dev-pool
       # Send REST requests to acmeAPI tier
       } elseif { ([HTTP::uri] starts_with "/rest/storelocation/allstores") } {
           pool acmeAPI-dev-pool

   The branch marked with > matches any URI containing "storelocation",
   including /rest/storelocation/allstores, so the REST branch below it is
   never reached for those requests.
13. SOLUTIONS TO CHALLENGES
   Revisited: The current iRule logic includes environment-specific
   definitions in the logic, which makes promotion of whole iRules through
   environments impossible
14. SOLUTION EXAMPLE
   New iRule standards require environment detection for variable
   assignment and environment-agnostic logic
   github.com/jmauntel/irule-standards
15. SOLUTIONS TO CHALLENGES
   Revisited: iRule changes are made by hand in all environments, which is
   error-prone
16. SOLUTION EXAMPLE
   - Since all new iRule logic is environment-agnostic, environments no
     longer use copies of iRules, but rather the exact same iRule
   - Also, because iRule logic is identical in all environments, automated
     promotion is now possible
18. SOLUTIONS TO CHALLENGES
   Revisited: Creating new environments is a manual, time-consuming, and
   tedious process
19. SOLUTION EXAMPLE
   acmeVars-1.0.0-irule:

       # Assign environment
       if { [IP::local_addr] equals "10.0.0.50" } {
           set my_env "prd"
       } elseif { [IP::local_addr] equals "10.254.1.136" } {
           set my_env "qa"
       } elseif { [IP::local_addr] equals "10.254.1.137" } {
           set my_env "dev"
       }

       # Pool definitions, sorted alphabetically
       if { $my_env equals "prd" } {
           set acmeWeb-pool "acmeWeb-prd-pool"
       } elseif { $my_env equals "qa" } {
           set acmeWeb-pool "acmeWeb-qa-pool"
       } elseif { $my_env equals "dev" } {
           set acmeWeb-pool "acmeWeb-dev-pool"
       }
20. SOLUTION EXAMPLE (CONT)
   acmeVars-1.0.0-irule (applied to acme-dev-vs)

       # Send all URIs that begin with /Website/ to acmeWeb pool
       } elseif { [HTTP::uri] starts_with "/Website/" } {
           pool ${acmeWeb-pool}

   acmeVars-1.0.0-irule (applied to acme-qa-vs)

       # Send all URIs that begin with /Website/ to acmeWeb pool
       } elseif { [HTTP::uri] starts_with "/Website/" } {
           pool ${acmeWeb-pool}
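A pre-promotion check for the standard on slides 14-20, as an added example that is not from the talk or from irule-standards: it flags object names that still embed an environment tag, which catches the hand-edit slip from slide 8. The function names and the sample iRule text are constructed, and limiting the match to names ending in -pool or -class is an assumption based on the names shown in the slides.

```bash
# Added example: find environment-tagged object names in iRule text.
# Function names are hypothetical; the -dev-/-qa-/-prd- tags come from the slides.

ENV_REF='[A-Za-z0-9_]+-(dev|qa|prd)-(pool|class)'

# Read iRule text on stdin and print every environment-tagged reference.
# Returns 1 if any were found, so it can gate an automated promotion.
find_env_refs() {
    local refs
    refs=$(grep -oE "$ENV_REF" | sort -u)
    [ -z "$refs" ] && return 0
    printf '%s\n' "$refs"
    return 1
}

# Read iRule text on stdin and print references whose tag differs from the
# environment the copy is deployed in (for the old per-environment copies).
cross_env_refs() {
    local own_env=$1
    grep -oE "$ENV_REF" | grep -v -- "-$own_env-" | sort -u
}

# Constructed sample: a hand-edited QA copy that still points at the dev class.
QA_COPY='if { [class match [HTTP::uri] starts_with acmeCommerce-dev-class] } {
    HTTP::redirect https://[HTTP::host][HTTP::uri]
} elseif { [HTTP::uri] starts_with "/Website/" } {
    pool acmeWeb-qa-pool
}'

# Constructed sample: environment-agnostic logic in the style of slide 20.
AGNOSTIC='} elseif { [HTTP::uri] starts_with "/Website/" } {
    pool ${acmeWeb-pool}
}'

echo "Cross-environment references in the QA copy:"
printf '%s\n' "$QA_COPY" | cross_env_refs qa

if printf '%s\n' "$AGNOSTIC" | find_env_refs; then
    echo "Agnostic iRule: no environment-specific names, safe to promote"
fi
```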
21. SOLUTIONS TO CHALLENGES
   Revisited: Existing iRules do not have functional tests, so there is no
   guarantee that a change to an iRule won't break other pre-existing
   logic
22. SOLUTION EXAMPLE
   - After searching online and not finding an existing iRule testing
     tool, I wrote one
   - irule-tester is written in Bash and leverages curl to make web
     requests, and then validates that the response matches an expectation
   github.com/jmauntel/irule-tester
23. IRULE TESTER
24. IRULE TESTER: OVERVIEW
   - Written in Bash and uses curl for requests
   - Has simple and extended testing modes
   - Supports multiple output formats, including TAP
   - All tests are stored in source control
   - Changes to any test are validated with Jenkins
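Why functional tests matter for the change on slide 12, as an added example that is not irule-tester code and does not use its test format: the iRule's first-match chain is modelled offline in two shell functions, and pre-existing expectations are checked with TAP output. The function names, the test cases and the "no-match" fallback are constructed; a live tester would take the observed result from a curl response instead of the model.

```bash
# Added example (not irule-tester code): offline model of the slide-12 change.
# route_before/route_after are hypothetical stand-ins for the dev virtual server.

# Chain before the change: first matching branch wins, like if/elseif.
route_before() {
    case "$1" in
        /Website/*)                     echo "acmeWeb-dev-pool" ;;
        /rest/storelocation/allstores*) echo "acmeAPI-dev-pool" ;;
        *)                              echo "no-match" ;;  # constructed fallback
    esac
}

# Chain after the change: the "contains storelocation" branch sits above
# the REST branch, as on the slide.
route_after() {
    case "$1" in
        /Website/*)                     echo "acmeWeb-dev-pool" ;;
        *storelocation*)                echo "acmeContent-dev-pool" ;;
        /rest/storelocation/allstores*) echo "acmeAPI-dev-pool" ;;
        *)                              echo "no-match" ;;  # constructed fallback
    esac
}

# Constructed expectations for pre-existing behaviour: "<uri> <expected pool>".
CASES='/Website/index.html acmeWeb-dev-pool
/rest/storelocation/allstores acmeAPI-dev-pool'

# Run each case against a router function, print TAP, and return the
# number of failed cases as the exit status.
run_suite() {
    local router=$1 n=0 failed=0 uri want got
    echo "1..$(printf '%s\n' "$CASES" | wc -l | tr -d ' ')"
    while read -r uri want; do
        n=$((n + 1))
        got=$("$router" "$uri")
        if [ "$got" = "$want" ]; then
            echo "ok $n - $uri -> $want"
        else
            echo "not ok $n - $uri -> $want (got $got)"
            failed=$((failed + 1))
        fi
    done <<EOF
$CASES
EOF
    return "$failed"
}
run_suite route_before
run_suite route_after || echo "# pre-existing REST routing broken by new branch"
```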
25. IRULE TESTER: JENKINS INTEGRATION
   - Tests are executed after any change in source, or at least daily
   - Test failures notify the team via email
   - Tests are executed before and after iRule changes in all environments
26. IRULE TESTER DEMO
27. F5 OBJECT CLONER
28. F5 OBJECT CLONER
   - So if I'm versioning iRules and data groups now, is there an easy way
     to clone them?
   - Copy/paste is error-prone and lame
29. F5 OBJECT CLONER
   - I wrote a utility for that
   - Clones iRules and data-groups on a single F5 unit or between two
     different units
   github.com/jmauntel/f5-utils
30. F5 OBJECT CLONER
   Usage: clone-object.sh -o {data-group,rule} -s -d -S -D

       -d  destination object name
       -D  destination F5
       -o  object type
       -s  source object name
       -S  source F5

   All arguments are REQUIRED

   Example:

       # clone-object.sh -o data-group -s UserIPs-1.0.0-class -d UserIPs-1.1.0-class -S 10.0.0.1 -D 10.0.0.1