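#!/bin/bash
#####
#
# This will be run as an external monitor.
#
# Usage (as invoked by the LTM monitor):  <script> <pool-member-ip> <pool-member-port>
# Optional monitor variable:              DEBUG=0|1  (defaults to 1 when unset)
#
# This script uses curl to grab the content of a status page on the LFEP server,
# and based on the content analyzes the SNAT configuration and adjusts it if
# necessary.
#
# The first check criteria for this script is the status page content. The
# only valid content strings are "nj1" and "bxb". This tells us which site
# currently owns the primary IP address, and which site owns the alternate IP
# address. If there is any other string in the status page the script will
# log that there wasn't any valid content and exit without making any changes.
#
# Once the primary and alternate site is determined "tmsh list ltm snat" is
# executed to make sure the SNAT configuration matches the IP ownership
# described above. If there is a conflict, (e.g. bxb is determined to be the
# owner of the primary ip space, but its servers are being SNATed to the
# alternate IP space) the current SNAT definitions for the primary and
# alternate IP will be deleted and recreated appropriately.
#
# The choice was made to delete and recreate the SNATs instead of modifying
# the existing configs for two reasons. The first, it was syntax-wise easier.
# The second, the SNAT configurations should be consistent if the script is constantly
# recreating them.
#
# Both sites also have SNAT definitions for both the primary and alternate IP
# space applied. If one site owns a particular address space, the SNAT definition
# for the IP space it doesn't own lists a junk IP address as the origin. This was
# done to keep the script as small as possible.
#
# When the curl result and SNAT definition do not line up appropriately the following happens:
# 1. A backup is performed, and the resulting filename will have the "ids-snat.sh" string within it.
# 2. The existing SNAT definitions get deleted
# 3. New SNAT definitions with the same names as the deleted will be created to line up with the expected result.
# 4. The config will be synced with the peer
#
# Any other failure combination should just cause the script to exit without changing anything.
#
####
# 'set -e' is deliberately not used: every tmsh step below checks its own
# status, and a non-matching grep (exit 1) is an expected, non-fatal result.
set -u -o pipefail

# Full path variables to commands used in the script
readonly CURL='/usr/bin/curl'
readonly GREP='/bin/grep'
readonly TMSH='/usr/bin/tmsh'
readonly LOGGER='/bin/logger'
# Seconds curl may spend on the status page. Bounds a hung fetch so one run does
# not normally outlive the monitor interval (the pidfile kill below is the backstop).
readonly CURL_TIMEOUT=5
#IP addresses of the VCS members
readonly VCS1='10.12.1.11'
readonly VCS2='10.12.1.12'
#IP address to be configured for the SNAT group not in use by this LTM at this time.
readonly JUNKVCS='1.1.1.1'
#Translation IP address of the Primary and Alt SNAT definitions
readonly PRI_IP='10.11.1.10'
readonly ALT_IP='10.11.1.20'
# Names of the two SNAT definitions this script owns
readonly SNAT_PRI='snat_ids_primary'
readonly SNAT_ALT='snat_ids_alt'

readonly SCRIPT_NAME=${0##*/}
# Path of this run's pidfile; empty until IP/PORT are validated. Removed by the EXIT trap.
PIDFILE=''
# Trimmed status page content; read by reset_snats for its log message.
PAGE=''

#######################################
# Write one line to syslog (local0) via logger.
# Arguments: $1 - severity (debug|info|error); remaining - message text
#######################################
log() {
  local pri=$1
  shift
  printf '%s\n' "$*" | "$LOGGER" -p "local0.$pri"
}

#######################################
# Log at local0.debug only when DEBUG is numerically 1.
# Always returns 0 so the DEBUG setting never alters control flow.
# Globals: DEBUG (read)
#######################################
dbg() {
  if [[ "${DEBUG:-0}" =~ ^[0-9]+$ ]] && (( DEBUG == 1 )); then
    log debug "$@"
  fi
  return 0
}

#######################################
# Log at local0.error and exit 1 (the EXIT trap removes the pidfile).
#######################################
die() {
  log error "$*"
  exit 1
}

#######################################
# EXIT trap: remove this run's pidfile on every exit path.
# Globals: PIDFILE (read)
#######################################
cleanup() {
  if [[ -n "$PIDFILE" ]]; then
    rm -f -- "$PIDFILE"
  fi
}
trap cleanup EXIT

#######################################
# Print $1 with leading and trailing whitespace removed.
# Keeps the old unquoted-test behaviour where "bxb " still matched "bxb".
#######################################
trim() {
  local s=$1
  s=${s#"${s%%[![:space:]]*}"}
  s=${s%"${s##*[![:space:]]}"}
  printf '%s' "$s"
}

#######################################
# Return 0 when $1 (grep output of a SNAT definition) names both VCS addresses.
# Globals: VCS1, VCS2 (read)
#######################################
has_both_vcs() {
  [[ "$1" == *"$VCS1"* && "$1" == *"$VCS2"* ]]
}

#######################################
# Run one tmsh command and log start/success/failure to local0.info.
# Exits 1 on failure; the pidfile is removed by the trap.
# Arguments: $1 - start message, $2 - success message, $3 - failure message,
#            remaining - arguments passed to tmsh
#######################################
tmsh_step() {
  local start=$1 ok=$2 fail=$3
  shift 3
  log info "$start"
  if "$TMSH" "$@" >/dev/null 2>&1; then
    log info "$ok"
  else
    log info "$fail"
    exit 1
  fi
}

#######################################
# Back up the config, delete and recreate both SNATs, then config-sync.
# Arguments: $1 - origins for snat_ids_primary (space separated)
#            $2 - origins for snat_ids_alt (space separated)
# Globals:   PAGE (read)
# Exits 0 after a successful sync, 1 on the first failing step.
#######################################
reset_snats() {
  local pri_origins=$1 alt_origins=$2
  local backup
  # Timestamp makes the UCS backup name unique and identifies it with this process.
  backup="ids_snat_backup_$(/bin/date +"%y%m%d.%H%M%S.%N").ucs"

  log info "IDS_SNAT: Status page changed to $PAGE. Starting NAT change process"
  tmsh_step "IDS_SNAT: Starting UCS backup $backup" \
    "IDS_SNAT: Backup $backup successfully created" \
    "IDS_SNAT: Backup $backup failed. Script stopping." \
    save sys ucs "$backup"
  tmsh_step "IDS_SNAT: Deleting SNAT $SNAT_PRI" \
    "IDS_SNAT: SNAT $SNAT_PRI successfully deleted" \
    "IDS_SNAT: SNAT $SNAT_PRI deletion failed. Script stopping." \
    delete ltm snat "$SNAT_PRI"
  tmsh_step "IDS_SNAT: Deleting SNAT $SNAT_ALT" \
    "IDS_SNAT: SNAT $SNAT_ALT successfully deleted" \
    "IDS_SNAT: SNAT $SNAT_ALT deletion failed. Script stopping." \
    delete ltm snat "$SNAT_ALT"
  # The origin lists are intentionally unquoted: tmsh wants each address as
  # its own word between the literal braces.
  # shellcheck disable=SC2086
  tmsh_step "IDS_SNAT: Creating SNAT $SNAT_PRI" \
    "IDS_SNAT: SNAT $SNAT_PRI successfully created" \
    "IDS_SNAT: SNAT $SNAT_PRI creation failed. Script stopping." \
    create ltm snat "$SNAT_PRI" mirror enabled translation "$PRI_IP" origins add '{' $pri_origins '}'
  # shellcheck disable=SC2086
  tmsh_step "IDS_SNAT: Creating SNAT $SNAT_ALT" \
    "IDS_SNAT: SNAT $SNAT_ALT successfully created" \
    "IDS_SNAT: SNAT $SNAT_ALT creation failed. Script stopping." \
    create ltm snat "$SNAT_ALT" mirror enabled translation "$ALT_IP" origins add '{' $alt_origins '}'

  # Perform an LTM config sync so the peer picks up the new definitions.
  log info "IDS_SNAT: SYNCing the LTM config"
  if "$TMSH" run sys config-sync >/dev/null 2>&1; then
    log info "IDS_SNAT: LTM successfully synced"
    exit 0
  fi
  log info "IDS_SNAT: LTM did not sync properly."
  exit 1
}

#######################################
# Monitor entry point.
# Arguments: $1 - pool member IP (may carry an ::ffff: prefix), $2 - port
# Globals:   DEBUG (read/normalised), PIDFILE, PAGE (written)
# Outputs:   "Up" on stdout when the status page holds a known site token
# Returns:   exits 0 when config matches or was fixed and synced, 1 otherwise
#######################################
main() {
  # DEBUG may be supplied as a monitor variable (DEBUG=0 or 1).
  if [[ -z "${DEBUG:-}" ]]; then
    # If the monitor config didn't specify debug, enable/disable it here
    DEBUG=1
  elif [[ ! "$DEBUG" =~ ^[0-9]+$ ]]; then
    log error "IDS_SNAT: $SCRIPT_NAME: non-numeric \$DEBUG value ignored; debug logging off"
    DEBUG=0
  else
    dbg "IDS_SNAT: $SCRIPT_NAME: \$DEBUG: $DEBUG"
  fi

  if (( $# < 2 )); then
    die "IDS_SNAT: $SCRIPT_NAME: expected <ip> <port> from the monitor, got $# argument(s)"
  fi
  # Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
  local ip=${1/::ffff:/}
  local port=$2
  # Both values are embedded in the pidfile path and the URL; refuse anything
  # empty or containing a path separator.
  if [[ -z "$ip" || "$ip" == */* || -z "$port" || "$port" == */* ]]; then
    die "IDS_SNAT: $SCRIPT_NAME: refusing malformed monitor arguments"
  fi

  #The URL of the status message of the pool member
  local url="http://$ip/apachecheck.html"
  dbg "IDS_SNAT: Url being checked -> $url"

  # Check if there is a prior instance of the monitor running
  PIDFILE="/var/run/$SCRIPT_NAME.$ip.$port.pid"
  if [[ -f "$PIDFILE" ]]; then
    local old_pid
    old_pid=$(<"$PIDFILE")
    # Only act on a plausible PID; never hand arbitrary file content to kill.
    if [[ "$old_pid" =~ ^[0-9]+$ ]]; then
      kill -9 "$old_pid" >/dev/null 2>&1
      log error "IDS_SNAT: $SCRIPT_NAME: exceeded monitor interval, needed to kill ${ip}:${port} with PID $old_pid"
    else
      log error "IDS_SNAT: $SCRIPT_NAME: pidfile $PIDFILE held no valid PID; ignoring it"
    fi
  fi
  # Add the current PID to the PIDFILE
  printf '%s\n' "$$" >"$PIDFILE"
  dbg "IDS_SNAT: Contents of $PIDFILE -> $(<"$PIDFILE")"

  #Grab the content of the status page and store it in $PAGE
  PAGE=$("$CURL" -s --max-time "$CURL_TIMEOUT" "$url")
  PAGE=$(trim "$PAGE")
  dbg "IDS_SNAT: Status page contains -> $PAGE"

  # List each SNAT definition and keep only lines naming a VCS address. An empty
  # result means the VCS are not origins there (a failing tmsh also yields empty).
  local pri bkp
  pri=$("$TMSH" list ltm snat "$SNAT_PRI" | "$GREP" -F -e "$VCS1" -e "$VCS2")
  dbg "IDS_SNAT: Result of Primary SNAT check -> $pri"
  bkp=$("$TMSH" list ltm snat "$SNAT_ALT" | "$GREP" -F -e "$VCS1" -e "$VCS2")
  dbg "IDS_SNAT: Result of Backup SNAT check -> $bkp"

  case "$PAGE" in
    bxb)
      # Echo up to STDOUT for the pool member to be listed as up.
      echo "Up"
      # bxb owns the primary IP: VCS must be origins of snat_ids_primary and
      # absent from snat_ids_alt (which sits on the nj1 LTMs).
      if has_both_vcs "$pri" && [[ -z "$bkp" ]]; then
        dbg "IDS_SNAT: bxb in status page, and VCS IPs ($VCS1 and $VCS2) listed as origins in $SNAT_PRI."
        exit 0
      elif [[ -z "$pri" ]] && has_both_vcs "$bkp"; then
        dbg "IDS_SNAT: CHANGE CONDITION, bxb in status page, and VCS IPs ($VCS1 and $VCS2) listed as origins in $SNAT_ALT."
        reset_snats "$VCS1 $VCS2" "$JUNKVCS"
      fi
      ;;
    nj1)
      # Echo up to STDOUT for the pool member to be listed as up.
      echo "Up"
      # nj1 owns the primary IP: VCS must be origins of snat_ids_alt and
      # absent from snat_ids_primary (which sits on the bxb LTMs).
      if [[ -z "$pri" ]] && has_both_vcs "$bkp"; then
        dbg "IDS_SNAT: nj1 in status page, and VCS IPs ($VCS1 and $VCS2) listed as origins in $SNAT_ALT."
        exit 0
      elif has_both_vcs "$pri" && [[ -z "$bkp" ]]; then
        dbg "IDS_SNAT: CHANGE CONDITION, nj1 in status page, and VCS IPs ($VCS1 and $VCS2) listed as origins in $SNAT_PRI."
        reset_snats "$JUNKVCS" "$VCS1 $VCS2"
      fi
      ;;
  esac

  # Unknown page content, or a mixed/partial SNAT state: log it and change nothing.
  log error "IDS_SNAT ERROR: No conditions met"
  exit 1
}

main "$@"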