[rancid] Re: F5 ("bigip") script

Sam Munzani smunzani at comcast.net
Tue Apr 21 14:12:54 UTC 2009


Usually SSL certs don't change every day. The approach I have taken is 
tar ball them all and scp over. Then do those manual steps only when the 
certs change.

Thanks,
Sam
>
> I added the SSL directory listings to track changes to SSL certs 
> [adds/removals/updates]. 
>
>  
>
> Storing these as part of the config within rancid would be reasonable 
> only if there were very few certs.  They are best archived elsewhere 
> by backing up the .ucs file as Marcus mentioned, an rsync to a backup 
> host or similar methods. 
>
>  
>
> Mike
>
>  
>
> *From:* marcus gaysek [mailto:mgaysek at gmail.com]
> *Sent:* Monday, April 20, 2009 12:49 PM
> *To:* john heasley
> *Cc:* Mike Ashcraft; rancid-discuss at shrubbery.net
> *Subject:* Re: [rancid] Re: F5 ("bigip") script
>
>  
>
> Those are actually directories.  The name of the certs are always 
> different. 
>
> Both cat and more are available (BigIPs are linux/bsd based).  I 
> believe all the files below ssl directory are required, excluding 
> ca-bundle.crt.  The amount of files depends on how many certs are 
> installed on the device.
>
> There are four directories: ssl.crl ssl.crt ssl.csr ssl.key
>
> On Mon, Apr 20, 2009 at 2:37 PM, john heasley <heas at shrubbery.net 
> <mailto:heas at shrubbery.net>> wrote:
>
> Mon, Apr 20, 2009 at 02:08:25PM -0400, marcus gaysek:
>
> > The certs are located in the config/ssl/ sub-directories, which 
> would
> > need to be download'd. I would think that functionality would be 
> outside of
> > Rancid, but if you lost your LTM you would need them to rebuild a 
> new one.
> > You capture their names as part of the config.  They are listed in 
> the last
> > few lines.
>
> if they're always these files
>        {'ls --full-time --color=never /config/ssl/ssl.crt' => 
> 'ShowSslCrt'},
>        {'ls --full-time --color=never /config/ssl/ssl.key' => 
> 'ShowSslKey'},
> is there a "cat" or "more" command?  Their contents should be ascii.
>
>
> > There is a command in the BigIP devices (GTMs and LTMs) that 
> captures all
> > the files and compresses them in a .ucs file.  Once they are created 
> they
> > can be downloaded and used to restore a BigIP.
> >
> > On Mon, Apr 20, 2009 at 1:37 PM, Mike Ashcraft 
> <mashcraft at omniture.com <mailto:mashcraft at omniture.com>>wrote:
> >
> > > LTM = Local Traffic Manager = F5 Big-IP
> > >
> > > Thanks
> > >
> > > -----Original Message-----
> > > From: rancid-discuss-bounces at shrubbery.net 
> <mailto:rancid-discuss-bounces at shrubbery.net> [mailto:
> > > rancid-discuss-bounces at shrubbery.net 
> <mailto:rancid-discuss-bounces at shrubbery.net>] On Behalf Of john heasley
> > > Sent: Monday, April 20, 2009 11:29 AM
> > > To: marcus gaysek
> > > Cc: rancid-discuss at shrubbery.net <mailto:rancid-discuss at shrubbery.net>
> > > Subject: [rancid] Re: F5 ("bigip") script
> > >
> > > Mon, Apr 20, 2009 at 12:34:18PM -0400, marcus gaysek:
> > > > I have tested with a couple of Cisco devices, including an ASA 
> and I am
> > > not
> > > > seeing the formatting issues I have seen in the past.
> > >
> > > that's probably luck.
> > >
> > > > The LTM config looks great.  The only thing that I can see that 
> needs to
> > > be
> > >
> > > what is 'LTM'?
> > >
> > > > manually downloaded are the certs. All in all this seems to be a 
> great
> > > > improvement.  Thanks for making it work.
> > >
> > > The certs are in the configuration?  is there a command or option 
> to get
> > > them?
> > >
> > > > On Mon, Apr 20, 2009 at 9:27 AM, Teun Vink <teun at moonblade.net 
> <mailto:teun at moonblade.net>> wrote:
> > > >
> > > > > On Thu, 2009-04-16 at 22:29 +0000, john heasley wrote:
> > > > > > I don't have a F5 box, but had put together a script while 
> someone
> > > had
> > > > > > provided remote access, but hadn't finished testing it.  Would
> > > someone
> > > > > > with an F5 download
> > > > > >       ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.2a10.tar.gz
> > > > > > and test it, please.
> > > > >
> > > > > Just did a quick test, it works fine for me. I had some issues 
> with the
> > > > > previous version which seemed to have some ordering issues in the
> > > > > output, which resulted in false diffs every single run. I 
> don't see
> > > them
> > > > > in this version, so I'm happy :)
> > > > >
> > > > > regards,
> > > > > Teun
> > > > >
> > > > > _______________________________________________
> > > > > Rancid-discuss mailing list
> > > > > Rancid-discuss at shrubbery.net <mailto:Rancid-discuss at shrubbery.net>
> > > > > http://www.shrubbery.net/mailman/listinfo.cgi/rancid-discuss
> > > > >
> > >
>
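
Sam's tar-and-copy approach combined with Mike's directory listings, as an added shell example that is not code from the rancid project or from anyone on this thread: it builds a small, sorted manifest of the four /config/ssl subdirectories named above (file name, size, and a content digest, with no digest for anything under ssl.key), hands that text to whatever does the diffing, and writes a tarball only when the manifest differs from the last stored one. The directory layout comes from the thread; the state and archive directory parameters, the function names and the sample placeholder files are assumptions made for the example.

```shell
#!/bin/sh
# Added example; not code from the rancid project or from anyone on the list.
# Assumed layout is the one named in the thread: /config/ssl with the four
# subdirectories ssl.crl ssl.crt ssl.csr ssl.key. The root, state and archive
# directories are parameters so the functions can be exercised on constructed
# sample files (see make_sample_ssl) without touching a real BigIP.

SSL_SUBDIRS="ssl.crl ssl.crt ssl.csr ssl.key"

# file_digest FILE: hex sha256 of FILE's contents (coreutils or BSD/macOS tool).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ssl_manifest ROOT: one sorted line per file, "subdir/name size digest".
# No mtimes are recorded, so copying or re-touching files does not produce
# the false diffs Teun described; only an added, removed or rewritten file
# changes the output. Files under ssl.key get "-" instead of a digest so the
# manifest never derives from private-key material and is safe to keep in a
# config repository.
ssl_manifest() {
    root=$1
    for sub in $SSL_SUBDIRS; do
        [ -d "$root/$sub" ] || continue
        for f in "$root/$sub"/*; do
            [ -f "$f" ] || continue
            size=$(wc -c < "$f" | tr -d ' ')
            case $sub in
                ssl.key) digest=- ;;
                *)       digest=$(file_digest "$f") ;;
            esac
            printf '%s/%s %s %s\n' "$sub" "$(basename "$f")" "$size" "$digest"
        done
    done | LC_ALL=C sort
}

# archive_if_changed ROOT STATE_DIR ARCHIVE_DIR: rebuild the manifest, and
# only when it differs from the one stored in STATE_DIR write a tarball of
# the ssl subdirectories into ARCHIVE_DIR. Prints "changed" or "unchanged".
archive_if_changed() {
    root=$1
    state=$2
    mkdir -p "$state" "$3"
    dest=$(cd "$3" && pwd)          # absolute, because tar runs after a cd
    new=$state/manifest.new
    ssl_manifest "$root" > "$new"
    if [ -f "$state/manifest" ] &&
       [ "$(file_digest "$state/manifest")" = "$(file_digest "$new")" ]; then
        rm -f "$new"
        echo unchanged
        return 0
    fi
    present=""
    for sub in $SSL_SUBDIRS; do
        [ -d "$root/$sub" ] && present="$present $sub"
    done
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    tag=$(file_digest "$new" | cut -c1-12)   # manifest digest: unique per content
    ( cd "$root" && tar cf "$dest/ssl-$stamp-$tag.tar" $present )
    mv "$new" "$state/manifest"
    echo changed
}

# make_sample_ssl DIR: constructed placeholder files in the BigIP layout.
# These are not real certificates, keys, CSRs or CRLs.
make_sample_ssl() {
    for sub in $SSL_SUBDIRS; do mkdir -p "$1/$sub"; done
    printf 'CONSTRUCTED PLACEHOLDER, not a real certificate\n' > "$1/ssl.crt/www.example.crt"
    printf 'CONSTRUCTED PLACEHOLDER, not a real private key\n' > "$1/ssl.key/www.example.key"
    printf 'CONSTRUCTED PLACEHOLDER, not a real CSR\n' > "$1/ssl.csr/www.example.csr"
    printf 'CONSTRUCTED PLACEHOLDER, not a real CRL\n' > "$1/ssl.crl/example.crl"
}

# Demo on a throwaway directory: first run archives, second run is a no-op.
demo=$(mktemp -d)
make_sample_ssl "$demo/ssl"
ssl_manifest "$demo/ssl"
archive_if_changed "$demo/ssl" "$demo/state" "$demo/archive"
archive_if_changed "$demo/ssl" "$demo/state" "$demo/archive"
rm -rf "$demo"
```

The manifest is the part that is reasonable to keep alongside the device config: a few lines per cert, stable between runs, and free of key material. The tarball, which does contain ssl.key, is what goes to the backup host by scp as Sam describes, or is covered by the .ucs backup Marcus mentioned, rather than into the rancid repository.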
