Business input templates (they can be produced in any form, for example by a self-service portal website):

createvs.txt  createpool.txt createmonitor.txt

The intermediate program is F5_Deploy.py; its intermediate output is tmsh.txt (which serves as the input of ssh.py)





Automated installation of OpenStack Mitaka on CentOS 7

1. The VM has three NICs: NIC 1 is the management network (host-only), NIC 2 has internet access (public internet), NIC 3 is the future OpenStack VM traffic network (host-only). In this example 192.168.215.x is the management network and 192.168.214.x is the VM traffic network.
2. Install CentOS 7 x86_64 on two machines, each with 4 GB+ memory and 20 GB+ disk
3. Set the hostname, configure NTP during installation, make sure the machine can reach the internet, and install only the "infrastructure server" profile, no other services
4. yum install git
5. yum install centos-release-openstack-mitaka
6. yum -y install http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-7.noarch.rpm
7. yum -y upgrade
8. Edit /etc/sysctl.conf

yum -y install openvswitch
service openvswitch start
chkconfig openvswitch on

ovs-vsctl add-br br-int
ovs-vsctl add-br br-ex
10. Reboot
11. cd /root/
12. git clone https://github.com/myf5/openstack-mitaka-installer-centos7.git
13. The sample-config directory holds two pre-configured install files; copy the controller-node file to /root/openstack-mitaka-installer-centos7/configs/ on the controller node and name it main-config.rc
14. Run ./main-installer.sh install to perform the installation

For more details, see https://github.com/myf5/openstack-mitaka-installer-centos7


SNMP (Simple Network Management Protocol) is an internet protocol used to monitor and manage devices including servers, routers, switches and assorted other devices. It allows gathering a glut of data – this can be hardware information (eg. cpu temperature), network information (eg. interface speed) or software information (eg. number of HTTP requests).

However, to get at this information, it first needs to be addressable. SNMP itself does not define which bits of information are available. Instead it uses MIBs, or Management Information Bases which are basically hierarchies or trees of OIDs or object identifiers. SNMP is implemented in numerous devices including the devices we use for load balancing and shaping our traffic.

To load balance our main internet presence we use BIG-IP LTMs from F5. By default, it comes with a rather extensive MIB but sometimes doesn’t have exactly what we want. It wasn’t until version 11.2.0 that F5 introduced the ability to add custom OIDs to the MIB. Even better is that it lets us run and capture the output of shell commands on the device itself. This functionality gives exactly what is needed to get some data that otherwise wouldn’t be automatically available. Without further ado, here is how to use this.

(Fair warning, doing this requires some knowledge of Tcl, but Tcl is a really easy language to pick up.)

First, some information about the OID structure

  • the base OID for F5's BIG-IP devices is .
  • custom OIDs are added with the .100 suffix (i.e. .

On startup, the SNMP daemon on the BIG-IP checks for a file called /config/snmp/custom_mib.tcl. This file contains the OID definitions and Tcl functions to be called when the OID is requested.

To add a new OID you first have to register it using the register_mib function

where oid is something like ".1", ".2", ".3.1", etc., tcl_function is the name of the function that you want to call, and type is the type of the OID being defined. Four types are supported: int, string, gauge, and counter.

Once we’ve registered a function, we need to then define that function. So further down in the file, section off a part of it for your custom functions.

For example:


It should be noted that the function will receive no arguments, so whatever processing needs to be done needs to be done without context.

It is recommended that any shell commands executed be wrapped in a catch statement, which gives snmpd at least some protection from a failing command. Also, watch out for things like infinite loops or logic errors. Since the Tcl execution happens within the snmpd process, it is possible to do unhealthy things that can have an adverse impact on the daemon.

To pick up the changes to the custom_mib.tcl the SNMP daemon needs to be restarted (bigstart snmpd restart). And of course, the custom OID should be checked to make sure everything is working:

Remember to check the log file (/var/log/snmpd.log) for errors.

So while this functionality is interesting, it is much more interesting to see a practical application. The default F5 MIB does not include every bit of detail you might want – sometimes it is only retrievable via the interpreter/shell or even tmsh. So here is an example of harvesting the time in seconds since the last configuration update and making it available:

To get the time in seconds since the last configuration update, BASH can be used to call tmsh:

Unfortunately, this returns a string in which only a single field is needed. With a judicious use of cut the seconds can be extracted and stored. And since this information might be useful outside SNMP, it can be stored on the file system somewhere. To generate this file, putting this into the crontab works.

Now that the data is available in a file, all that is needed now is a simple Tcl function to return the data:

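As an added example (not the post's own file), here is a complete custom_mib.tcl that ties the pieces above together: the register_mib calls, the catch-wrapped shell command recommended earlier, and a function that returns the seconds stored by the cron job. The register_mib argument order (oid, function name, type) follows the description above, and the path /var/tmp/config_age_seconds is a constructed placeholder for wherever your cron job writes the value.

```tcl
# custom_mib.tcl (added example; assumes register_mib takes oid, proc name
# and type as described above, and that cron writes /var/tmp/config_age_seconds)

# --- OID registrations (these land under the BIG-IP custom .100 branch) ---
register_mib ".1" get_config_age_seconds "int"
register_mib ".2" get_short_hostname "string"

# --- custom functions (called with no arguments) ---

# Seconds since the last configuration update, read from the file the
# cron job maintains. Returns -1 on any problem (file missing, unreadable,
# non-numeric content) so a broken helper never looks like "updated 0 s ago".
# "int" is used rather than "gauge" so the negative sentinel is representable.
proc get_config_age_seconds {} {
    set path "/var/tmp/config_age_seconds"
    if {[catch {
        set fh [open $path r]
        set raw [string trim [read $fh]]
        close $fh
    } err]} {
        return -1
    }
    if {![string is integer -strict $raw]} {
        return -1
    }
    return $raw
}

# Running a shell command directly: exec is wrapped in catch so a failing
# command raises no error inside snmpd; on failure a marker string is returned
# instead, which is easy to alert on from the monitoring side.
proc get_short_hostname {} {
    if {[catch {exec /bin/hostname -s} out]} {
        return "unavailable"
    }
    return [string trim $out]
}
```

After restarting snmpd (bigstart snmpd restart), a walk of the .100 branch should show the two new leaves, and any Tcl error from these procs ends up in /var/log/snmpd.log.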

Now this data is available via SNMP. Specifically it is available for Nagios to monitor and large discrepancies between last update time between BIG-IP devices can be alerted. This is just the tip of the iceberg. With some more Tcl knowledge, more complex information can be made available via SNMP. Of course, this was just a quick hack and using cron and temporary files might not be suitable to all use cases, but this does demonstrate the ease and hackability of extending the default MIB of BIG-IP devices.

To read further on customizing MIB entries for BIG-IP devices, take a look at the F5 knowledge base article.




This document describes the behaviour changes of DNS in V12 and the resulting impact on configuration and operations.

To get the download password, follow the WeChat account F5技术 and reply downloadpwd



Behaviour changes in V12 DNS (formerly GTM) (from the release notes)

  1. 418128: after a disabled member/pool is re-enabled, if an iRule runs pool-class commands in an event that fires before LB_SELECTED, LB::status returned session_disabled or down for that object; this version corrects it to return unset
  2. 469020: gtm_add gains a -y parameter that answers YES to all prompts
  3. 471856: version 11.x TMSH and REST GTM Pool and Wide IP related commands are not supported in BIG-IP DNS version 12.x. The changes to iControl REST API and iRules commands are documented on DevCentral. This occurs because of the GSLB Additional Record Types feature in version 12.0.0. This feature adds query types to BIG-IP DNS Pools, Wide IPs, and related objects. That means that version 11.x TMSH and REST commands for GTM Pool, Wide IP, and related objects (Pool Members, Aliases, Wide IP Pools, Wide IP Rules, and so on) are not supported in version 12.x. The changes to iControl REST API and iRules commands are documented on DevCentral
  4. 474024: the zone status indicators change: blue is the transient state just after start-up or re-enable, green means a successful transfer, yellow means no connection to the master but the zone has not yet expired, red means the zone has expired and cannot be updated. The zxfrd db dump is scheduled every time zone data changes (on transition to unknown, offline or available state).
  5. 475680: tmsh supports setting the priority of iRules on a wide IP
  6. 485104: adds a "return code on failure" function (global, per wide IP, or in an iRule), so that when all load-balancing methods fail (other than the return-to-DNS case) the system returns the configured failure code together with the configured negative SOA TTL, as the RFC requires:
  7. 501287: Users with the Operator roles can now Enable and Disable Pools, Pool Members, and WideIPs.
  8. 512016: adds the db key dns.udptruncate, which turns the DNS truncate function on or off and controls the system behaviour when it receives a response larger than 512 bytes

TMOS/LTM V12.0 behaviour change list (from the release notes)

  1. 224022: HTTP response statistics (version, status code, etc.) are now collected on the client side instead of the server side, which reflects more accurately the responses the client actually receives
  2. 224131: the GSLB global setting send-wildcard-rrs (which controls whether a wildcard A record, e.g. *.cnadn.net, is created automatically in BIND when a wildcard wide IP is created) is now enabled by default, so the matching wildcard A record will be created automatically from now on
  3. 227347: adds iRule commands to control cookie attributes
  4. 250670: fixes the HTTP cookie command so it no longer adds a useless trailing semicolon
  5. 343455: fixes the HTTP cookie command so it no longer behaves differently depending on the case of the cookie name
  6. 345389: fixes the handling of cookie-name case in HTTP requests
  7. 248678: the vlan group switch that controls whether the standby unit enables bridging now defaults to off
  8. 348194: the db key TM.TCPFinWait2Timeout, which controlled the FIN-WAIT-2 timeout in some engineering hotfixes and standard cumulative hotfixes, becomes a profile option in v12; the old key settings are not migrated automatically on upgrade, so the default value of 300 s has to be changed by hand
  9. 357188: the grub_default command gains a -s parameter to modify all blades at once on a cluster (VIPRION)
  10. Improves VE I/O performance on shared storage, SSD and SAN by creating 8 MB-aligned partitions/volumes
  11. 374067: under OneConnect, when a pool member is detached the persistence entry is now kept instead of being reset; previously persistence was reset at the same time, causing a new pool member to be selected
  12. 382157: the MIB table F5-BIGIP-SYSTEM-MIB::sysVlanStatTable is no longer used; IF-MIB::ifXTable replaces it
  13. 415726: the iRule editing window in the GUI now provides an online editor (not supported by old browsers such as IE8)
  14. 451433: in earlier versions, when a failsafe trigger made a device unavailable, all traffic groups on that device went inactive; however, if an HA group was also configured, that device's HA group score could still be high, which could leave the traffic group not active on any device. This is now fixed: when both functions are configured and failsafe fires, the device's HA group score is forced to 0, which triggers a normal HA group failover.
  15. 462879: fixes a problem where changing the self IP network left a static route gateway unreachable and the system could not load its configuration
  16. 463152: core files are deleted automatically on upgrade
  17. 465286: adds an info-level log message when max requests is set in an HTTP profile and the request count reaches the threshold
  18. 468964: the GEO location database now includes proxy output
  19. 473188: the dnatutil summary no longer shows the default DAG information
  20. 474465: the dashboard's average and maximum CPU calculations now use data-plane data only, so an avr process monopolising a CPU no longer makes CPU usage appear very high
  21. 476444: graceful restart can be disabled per protocol in ZebOS
  22. 480583: SIP/DNS DoS detection inspects UDP packets only, not TCP or SCTP packets
  23. 482950: the phone-home (automatic update check) schedule changes from a fixed weekly time to a time set by the customer at install time, to avoid overloading the update check server
  24. 484000: in this version the COMPAT cipher set in SSL ciphers is empty by default and must be set explicitly
  25. 497328: AFM DDOS filters no longer block IGMP IP packets with Router alert option to support multicast use-cases, even if tm.acceptipoptions is disabled. If it is desired to block these packets, both tm.acceptipoptions and tm.allowigmprouteralert sys db variables should be set to disabled.
  26. 497433: SSL forward proxy supports all key exchanges on the server side
  27. 499947: strengthens the checks on related modules when a virtual address changes state, and hardens the code
  28. 502443: disabled or offline blades in a VIPRION no longer send monitoring (bigd), and offline standalone devices no longer send monitoring either, which helps with the issue in SOL16457
  29. 502770: clientside and serverside command error out if client side or server side connection does not exist at the time the command runs. Here is an example of where this might occur: clientside { SSL::disable }. This script fails if the client side connection does not exist. To work correctly, change the script to: SSL::disable clientside.
  30. 505973: adds the db key Bigd.NumProcs to control how many bigd processes run: 0 (the default) lets the system decide, 1 means a single process (the previous behaviour), and a value greater than 1 and up to the number of processor cores starts that many processes, each automatically handling a share of the monitor objects. Changing this key requires restarting bigd
  31. 517579: because of the change in ID 505973 above, qkview now collects the state of all bigd processes, and bigdlog entries are tagged with the process id
  32. 506704: on disks larger than 300 GB, 60 GB is allocated automatically to /shared (previously 30 GB)
  33. 508969: improves the trust domain synchronisation mechanism
  34. 517789: The Transparent HTTP proxy will go into pass-through mode if a carriage return or newline is seen before a colon in a HTTP header.
  35. 519419: Splunk messages contain only keys and values. The general text in logs is not the value of a key, so it was not included in splunk messages. To include this text in the message, the splunk driver was extended to insert the text as a value for the key 'msg'.

Impact of the latest BIND vulnerabilities CVE-2015-5986 and CVE-2015-5722 on F5





If DNSSEC validation is not enabled in BIND (dnssec-validation yes), the system is not affected by CVE-2015-5722.