Send and run TMSH commands
Overview
A network administrator can use BIG-IQ as a proxy to send a script of TMSH commands to run on a BIG-IP. For example, a BIG-IQ admin might use this to disable shell access for a specified non-admin user on the BIG-IP. The admin user of this BIG-IP is required to have advanced shell access enabled. See the documentation at K12029: Accessing the TMOS Shell for information about how to enable the Advanced Shell for an admin user of the BIG-IP. See the documentation at F5 TMSH Reference for information about TMSH commands.
Requests
Send a POST request to the /mgmt/shared/user-scripts endpoint on the BIG-IQ to add a custom user script of TMSH commands.
Examples
The following example adds and runs a script of TMSH commands that disables a specified user’s access to the shell. The user being disabled must not be an admin user.
1. Add the user script of TMSH commands
Send a POST to the /mgmt/shared/user-scripts endpoint of the BIG-IQ to add a script of TMSH commands named “disableShellAccess”. The body of the POST can contain the TMSH commands as the value of script. In the following example, the placeholder <not admin user name> represents the user name of a non-admin user.
POST https://<BIG-IQ>/mgmt/shared/user-scripts
{
    "name": "disableShellAccess",
    "description": "Disables a non-admin user access to shell",
    "script": "tmsh modify /auth user <not admin user name> shell none"
}
On success, the response to the POST can look similar to the following. The JSON in the body can include the values of id and selfLink, which are the UUID and URL that identifies the user script.
{
    "id": "8c091843-b80e-4f4a-91a7-5aaa12501ed8",
    "name": "disableShellAccess",
    "description": "Disables a non-admin user access to shell",
    "script": "tmsh modify /auth user <not admin user name> shell none",
    "generation": 1,
    "lastUpdateMicros": 1606940723803181,
    "kind": "shared:user-scripts:userscriptstate",
    "selfLink": "https://localhost/mgmt/shared/user-scripts/8c091843-b80e-4f4a-91a7-5aaa12501ed8"
}
2. Run the TMSH commands on the BIG-IP
Send a POST to the /mgmt/shared/user-script-execution endpoint of the BIG-IQ to start the execution of the script on the BIG-IP. In the following request, the value of deviceReferences is the URL for the BIG-IP. The value of scriptReference is the URL of the selfLink of the script obtained in the previous step.
POST https://<BIG-IQ>/mgmt/shared/user-script-execution
{
    "name": "disableShellAccess",
    "deviceReferences": [{
        "link": "https://localhost/mgmt/shared/resolver/device-groups/cm-bigip-allBigIpDevices/devices/e0c5d64c-9cba-45af-93ed-6e45da63a6e3"
    }],
    "timeoutInSeconds": 600,
    "scriptReference": {
        "link": "https://localhost/mgmt/shared/user-scripts/8c091843-b80e-4f4a-91a7-5aaa12501ed8"
    }
}
3. Check the status of a specified user script
To check for the status and completion of the script, send a GET request to the /mgmt/shared/user-script-execution endpoint and specify the id of the script.
GET https://<BIG-IQ>/mgmt/shared/user-script-execution/ef16e813-0c62-499e-913c-c11ec757c826
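The three steps above as request builders, in an added example that is not F5 code. Because the user name is spliced into a TMSH command line that runs on the BIG-IP, it is checked before the script body is built. The function names and the user-name allow-list are assumptions made for this illustration.

```python
import re
import uuid

# Assumption: a conservative allow-list for account names; adjust to site policy.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,30}")
SCRIPTS_PATH = "/mgmt/shared/user-scripts"
EXEC_PATH = "/mgmt/shared/user-script-execution"

def build_script_request(bigiq, username):
    """Step 1: (method, url, body) that adds the disableShellAccess script."""
    # The name is spliced into a TMSH command line, so reject anything that
    # could add arguments or a second command (spaces, ';', newlines, quotes).
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"unsafe user name: {username!r}")
    # Partial guard only: catches the default account name, not the admin role.
    if username == "admin":
        raise ValueError("target must be a non-admin user")
    body = {
        "name": "disableShellAccess",
        "description": "Disables a non-admin user access to shell",
        "script": f"tmsh modify /auth user {username} shell none",
    }
    return "POST", f"https://{bigiq}{SCRIPTS_PATH}", body

def build_execution_request(bigiq, script_response, device_link, timeout=600):
    """Step 2: (method, url, body) that runs the stored script on one BIG-IP."""
    link = script_response["selfLink"]
    # Only reference the script that step 1 actually returned.
    if not link.endswith(f"{SCRIPTS_PATH}/{script_response['id']}"):
        raise ValueError("selfLink does not match the returned script id")
    body = {
        "name": script_response["name"],
        "deviceReferences": [{"link": device_link}],
        "timeoutInSeconds": timeout,
        "scriptReference": {"link": link},
    }
    return "POST", f"https://{bigiq}{EXEC_PATH}", body

def build_status_request(bigiq, status_id):
    """Step 3: (method, url) for the status check; the id must be a UUID."""
    return "GET", f"https://{bigiq}{EXEC_PATH}/{uuid.UUID(status_id)}"
```

Each builder returns the request without sending it, so the body can be logged or reviewed before it is posted to the BIG-IQ.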