F5OS-A 1.0.0 - System CLI¶
Purpose of this feature is to provide a CLI for the rSeries system. The WEB GUI and the CLI are part of themanagement agent software framework for network elements called ConfD from tail-f. In this feature we will only discuss the CLI interface
Feature deeper overview¶
ConfD is a device configuration toolkit meant to be integrated as a management sub-system in network devices, providing:
An implementation of the NETCONF protocol
Automatic rendering of northbound interfaces, including CLI, Web UI and NETCONF
Clustered/fault-tolerant storage of configuration data
Master-agent/sub-agent framework for NETCONF, CLI, Web UI and SNMP
ConfD executes as a regular UNIX daemon on the device, acting:
as a NETCONF agent for the NETCONF protocol
as a Web server for the Web UI
as a CLI engine for command-line access
and as an SNMP agent
It also contains a built-in XML configuration database.
The following figure illustrates the overall architecture. The ConfD architecture is modular, with well-defined interfaces between sub-systems.
In order to actually read and write the device-native configuration data, the sessions in the Management Backplane use the Database Plugin API. A database plugin has to provide mapping from the hierarchical view of the data used in the management protocols, to the native view used by the management database.
The management database can either be the integrated management database - called CDB - or some other database. CDB is a light-weight fault-tolerant distributed XML database. CDB can be used in single or multi-node systems in a primary/secondaryconfiguration (note: ConfD uses master/slave in the log output as well as some command output). It handles updates to the database schema automatically.
Purpose of this page is to provide more details on the ConfD CLI portion of the whole suite.
ConfD for the appliance management¶
We mentioned that ConfD is a UNIX like daemon running on a platform. Given the architecture of our F5OS platform, we are actually running multiple daemon for each physical or logical entity of our platform, however a single ConfD database for the appliance. Each of these daemon would have a specific configuration and it will control a specific environment ( License, interfaces, … ). While in the Velos hardware you have separate ConfD running for the controller and for each of the partition, the rSeries appliance will have a uniqe ConfD as the appliance doesn’t have partitions.
The appliance doesn’t have active and standby controller, which means that there is no HA configuration available for ConfD. The command “show system redundancy|redundancy-detail” has been removed:
Redundancy command removed¶
appliance-1# show system ? Possible completions: aaa alarms appliance-mode Configure appliance mode to limit the system administrative access clock diagnostics Diagnostics tools displaylevel Depth to show dns events health Contains various system health state/attributes on component image System Images of appliance licensing locator Support for enabling/disabling system locator logging Logging configuration mgmt-ip Top-level container network Top-level container for appliance network ntp state | Output modifiers <cr> appliance-1# show system
for the same reason the prompt won’t show “active” or “standby” in it.
ConfD and configuration store¶
By default, ConfD stores all configuration data in CDB.In ConfD there are multiple Data stores (CDB) that holds some kind of configuration.
For more details this is the table with available CDBs in the system and what they currently store in it.
|A.cdb||if startup is enabled: the configuration data and the startup datastore is stored persistently in this file if startup is not enabled: the running datastore is stored persistently in this file.|
|C.cdb||the database schema is stored persistently in this file|
|O.cdb||the operational data store is stored persistently in this file|
ConfD works with XML files, and when the startup is disabled in the A.cdb data store, the startup process the *_init.xml files to configure the system.
The CDB data stores and the *_init.xml files are available in the “/var/confd/cdb” directory:
Location of CDB and XML init files¶
[root@appliance-1 cdb]# pwd /var/F5/system/cdb [root@appliance-1 cdb]# ls -l total 2604 -rwxr-xr-x. 1 root root 1346 Oct 28 17:29 aaa_init.xml -rw-r--r--. 1 root root 51829 Nov 9 09:00 A.cdb -rw-r--r--. 1 root root 2449301 Oct 28 17:09 C.cdb -rwxr-xr-x. 1 root root 280 Oct 28 17:29 cluster_node_init.xml -rw-r--r--. 1 root root 22470 Oct 28 17:29 confd.conf -rw-r--r--. 1 root root 22409 Oct 28 17:29 confd.conf.orig -rwxr-xr-x. 1 root root 18843 Oct 28 17:29 f5-logging-component-system-init.xml -rwxr-xr-x. 1 root root 48860 Oct 28 17:29 nacm_init.xml -rw-r--r--. 1 root root 13461 Nov 10 09:47 O.cdb -rwxr-xr-x. 1 root root 663 Oct 28 17:29 oc_mgmt_if_init.xml -rwxr-xr-x. 1 root root 1241 Oct 28 17:29 roles_init.xml -rwxr-xr-x. 1 root root 874 Oct 28 17:29 spanning_tree_init.xml -rwxr-xr-x. 1 root root 1348 Oct 28 17:29 users_init.xml -rwxr-xr-x. 1 root root 1093 Oct 28 17:29 vacm_init.xml [root@appliance-1 cdb]#
In terms of configuration, there are three different configuration databases:
running ( hold current running config )
candidate ( config under construction )
operational ( store status, performance .. )
When ConfD starts for the first time, the CDB database is empty.At startup, when CDB is empty, i.e. no database files are found in the CDB directory, CDB will try to initialize the database from all instantiated XML documents found in the CDB directory. This is the mechanism we use to have an empty database initialized to some default setup.
This feature can be used to for example reset the configuration back to some factory setting or some such.
Basics of using the ConfD CLI¶
Confd provides three different CLI styles, one inspired by the Junos CLI (J), one inspired by the Cisco XR CLI (C), and one inspired by the Cisco IOS CLI (I). All styles can be supported at the same time, or one style can be chosen for a given deployment of ConfD. The default style used by F5 for the F5OS platform is the Cisco XR CLI (C) type.
The CLI is built around a hierarchy of commands. This makes it possible to logically group commands.
To access the CLI of either the controller or the Partition, you need to ssh as “admin” to the assigned IP address. This is an example on how this can be done:
Accessing the ConfD CLI on Velos¶
user1 ~ %ssh admin@<rSeries-mgmt-ip> firstname.lastname@example.org's password: Last login: Wed Nov 10 08:38:33 2021 Welcome to the Management CLI admin connected from 172.18.23.251 using ssh on appliance-1.chassis.local appliance-1# show system system state motd-banner system state current-datetime "2021-11-10 09:51:43 Etc/UTC" system state base-mac 00:94:a1:69:43:00 system state mac-pool-size 256 system clock state timezone-name Etc/UTC <...snip....> appliance-1#
the default password is “admin”, however as soon as you log in the system, like for the classic BIG-IP, you will be required to change the password.
You can also ssh as “root” to have access to the shell, and from the root user to get into the CLI you need to run the command “su admin”, and this will automatically put your terminal in CLI mode. This is an example :
(base) user1@test_machine ~ % ssh root@<F5OS-controller-ip> email@example.com'spassword: Last login: Wed Nov 10 09:50:59 UTC 2021 from 172.18.23.251 on pts/0 [root@appliance-1 ~]# pwd /root [root@appliance-1 ~]1# su admin Welcome to the ConfD CLI admin connected from 172.18.23.12 using ssh on appliance-1 [root@appliance-1 ~]# show system system state motd-banner system state current-datetime "2021-11-10 09:51:43 Etc/UTC" system state base-mac 00:94:a1:69:43:00 system state mac-pool-size 256 system clock state timezone-name Etc/UTC <...snip....> [root@appliance-1 ~]#
For the user root the default password is “default”.
The cli agent for the user admin is the default confd_cli binary with the following options “-C -u admin” ( in case you would like to run it yourself, however this is done automatic when connecting with user admin ):
[root@appliance-1 ~]# cd /var/lib/controller/ [root@appliance-1 ~]# ls confd_cli f5_confd_cli [root@appliance-1 ~]# ./confd_cli -C -u admin Welcome to the ConfD CLI admin connected from 172.18.23.12 using ssh on appliance-1 appliance-1#
The F5OS CLI has two modes of working: Operational Modeand Configure mode
Operational mode is the initial mode after successful login to the CLI. It is primarily used for viewing the system status, controlling the CLI environment, monitoring and troubleshooting network connectivity, and initiating the configure mode.
Configure mode can be initiated by entering the configure command in operational mode. All changes to the device’s configuration are done to a copy of the active configuration, called a candidate configuration. These changes do not take effect until a successful commit or commit confirm command is entered.
This is an example of config mode, available only on the active controller. The prompt will look like the following, assuming the controller 1 is active:
When you are in Configure Mode, you can run Operational Mode commands as well. To do so you need to use the “do” command. This is an example:
appliance-1(config)# do show system system state motd-banner system state current-datetime "2021-11-10 09:59:43 Etc/UTC" system state base-mac 00:94:a1:69:43:00 system state mac-pool-size 256 system clock state timezone-name Etc/UTC system clock state appliance date-time "2021-11-10 09:59:43 Etc/UTC"` <...snip...> appliance-1(config)# do show interfaces interfaces interface 1.0 state name 1.0 state type ethernetCsmacd state mtu 9600 state enabled true state ifindex 19 state oper-status DOWN state counters in-octets 0 state counters in-unicast-pkts 0 state counters in-broadcast-pkts 0 state counters in-multicast-pkts 0 state counters in-discards 0 state counters in-errors 0 state counters in-fcs-errors 0 state counters out-octets 0 state counters out-unicast-pkts 0 state counters out-broadcast-pkts 0 state counters out-multicast-pkts 0 state counters out-discards 0 state counters out-errors 0 state forward-error-correction auto state lacp_state LACP_DEFAULTED ethernet state port-speed SPEED_100GB ethernet state hw-mac-address 00:94:a1:69:43:0d ethernet state counters in-mac-control-frames 0` <...snip...> appliance-1(config)#
How to dump the CLI command list¶
While connected to the ConfD CLI you can dump the full list of commands available. You have seen already that the CLI as two modes: Configure mode and Operational mode. Depending from where you are when you execute this command, the output will show you different commands list.
The command used is the same for any mode, and it is the one shown here for the operational mode:
appliance-1# show parser dump autowizard [false/true] cd <Dir> cd clear history commit [confirm/abort] commit [confirm/abort] persist-id <id> commit commit persist-id <id> compare file <File> [brief] ...<snip>...
or the following for the configure mode:
appliance-1(config)# show parser dump abort annotate SNMPv2-MIB snmp snmpEnableAuthenTraps <comment> annotate SNMPv2-MIB snmp snmpEnableAuthenTraps annotate SNMPv2-MIB system sysContact <comment> annotate SNMPv2-MIB system sysContact annotate SNMPv2-MIB system sysLocation <comment> annotate SNMPv2-MIB system sysLocation annotate SNMPv2-MIB system sysName <comment> annotate SNMPv2-MIB system sysName annotate cluster disk-usage-threshold config critical-limit <comment> annotate cluster disk-usage-threshold config critical-limit annotate cluster disk-usage-threshold config error-limit <comment> annotate cluster disk-usage-threshold config error-limit` ...<snip>...
it is also possible to dump the list of commands starting from a specific hierarchy of the CLI; this is an example to show only the available commands for the interface configuration in configure mode:
appliance-1(config)# tenants tenant test-tenant appliance-1(config-tenant-test-tenant)# show parser dump commit commit and-quit commit and-quit comment <Add a commit comment> commit and-quit comment <Add a commit comment> label <Add a commit label> commit and-quit comment <Add a commit comment> label <Add a commit label> save-running <File> commit and-quit comment <Add a commit comment> save-running <File> <...snip...>
You can pipe the output to “include” to filter the results
appliance-1# show parser dump | include tenant compare file <File> [brief] tenants tenant compare file <File> tenants tenant show running-config tenants show running-config tenants tenant show tenants show tenants displaylevel <unsignedLong> show tenants tenant show tenants tenant displaylevel <unsignedLong> write terminal tenants write terminal tenants tenant appliance-1#
Changing the configuration¶
To change the configuration you need to move from operational mode to configure mode. Once in configure mode you can start writing your changes; Those changes however will only take effect once you have committed them to the CDB operational store. To do so you need to use the command “commit”.
Only at the “commit” the changes to the configuration are validated, and if something is not accepted, it will then be shown and the commit halted:
At any moment while you are writing your changes, you can review them with the “show config” command. Only what is going to be committed will be shown.
show current changes¶
appliance-1# config Entering configuration mode terminal appliance-1(config)# vlans vlan 2060 config name testVlan vlan-id 2060 appliance-1(config-vlan-2060)# show config vlans vlan 2060 config vlan-id 2060 ! vlans vlan 2060 config name testVlan ! appliance-1(config-vlan-2060)# commit Commit complete. appliance-1(config-vlan-2060)#
It is also possible to abort a configuration. To do so you need to use the “abort” command. This command will empty the candidate datastore from the changes you have written till that moment.
You can review the commits and revert them back. To do so you can use the “show configuration rollback changes” command for the changes you want to revert, and then use the command “rollback selective #” to revert just the changes of such commit. If you instead want to revert back all the changes to a specific point, you need to use the command “rollback configuration #”
appliance-1# config Entering configuration mode terminal appliance-1(config)# show configuration rollback changes ? Possible completions: 0 2021-11-10 10:07:40 by admin via cli 1 2021-11-09 09:00:42 by admin via rest 2 2021-11-01 19:09:17 by admin via system 3 2021-11-01 19:09:17 by admin via system 4 2021-11-01 19:07:12 by admin via system 5 2021-11-01 19:07:12 by admin via rest 6 2021-11-01 19:03:47 by admin via system 7 2021-11-01 19:03:47 by admin via system 8 2021-11-01 19:03:46 by admin via rest 9 2021-11-01 18:57:40 by admin via rest <cr> latest appliance-1(config)# show configuration rollback changes 0 no vlans vlan 2060 appliance-1(config)# rollback selective 0 appliance-1(config)# commit Commit complete. appliance-1(config)#
if the CLI session is terminated without doing “commit”, your changes will be aborted.
How to exit the configuration Mode¶
Once you are in Configure Mode you can leave the mode using two commands: “exit” and “end”. While “end” doesn’t consider the hierarchy in which you are, it just leaves the mode, the command “exit” will go up one hierarchy and if you are already at the root it will then exit the mode. In both cases if you have changes not yet committed, the CLI will ask you what to do:
If you choose “yes” it will commit the changes and leave the mode;
if you choose “no” it will abort the changes and leave the mode;
if you choose “CANCEL” it will go back to where it was before the “exit” or “end” command.
“exit” vs “end” on Configure Mode¶
appliance-1(config)# vlans vlan 2060 config name testVlan vlan-id 2060 appliance-1(config-vlan-2060)# end Uncommitted changes found, commit them? [yes/no/CANCEL] CANCEL Aborted: by user appliance-1(config-vlan-2060)# exit appliance-1(config)# exit Uncommitted changes found, commit them? [yes/no/CANCEL] CANCEL Aborted: by user appliance-1(config)#
Save and Restore the configuration with ConfD CLI¶
To be able to save and restore the config, we need to write or read XML files.
In configuration mode this command allows the administrator to either backup or restore the config:
appliance-1# config Entering configuration mode terminal appliance-1(config)# system database config? Possible completions: config-backup Back up the configuration database to XMLfile config-restore Restore configuration database from XML file. appliance-1(config)# system database config
Save to file¶
in case you want to save the configuration from the CDB stores to an XML file, you can use the following command:
appliance-1# config Entering configuration mode terminal appliance-1(config)# system database config-backup name backup-20211110.xml result Database backup successful. appliance-1(config)#
location of the saved file is “/var/F5/system/configs/”.
Restore to default config¶
In case you want to reset your appliance to the default configuration, because for example you want to restore an old config, you can do this with the following command:
appliance-1# config Entering configuration mode terminal appliance-1(config)# system database reset-to-default Removing all user configuration will delete all tenants and stop traffic processing. Proceed? [yes/no]: yes client_loop: send disconnect: Broken pipe user1 ~ %
As you can see the system is reset to default, which means if you were connected via SSH you will loose connection to the box. Make sure you run this command only if you have serial connection available.
Restore from file¶
in case you want to restore the configuration to a previously saved XML file, you can run this command, however make sure you have reset to default first:
appliance-1# config Entering configuration mode terminal appliance-1(config)# system database config-restore name backup-20211110.xml A clean configuration is required before restoring to a previous configuration. Please perform a reset-to-default operation if you have not done so already. Proceed? [yes/no]: no Error: Operation cancelled by user. appliance-1(config)# system database config-restore name backup-20211110.xml proceed Value for 'proceed' [no,yes]: yes result Database config-restore successful. appliance-1(config)# System message at 2021-11-10 10:17:50... Commit performed by admin via tcp using cli. appliance-1(config)#
Note like the output of the command shows that the commit has been done for you by the system. Be careful when using the command as the changes you are applying are automatically pushed into the running-config.