Forum Discussion

jacket
Nimbostratus
Nov 10, 2022

Unable to insert and run a cli script in tmos

Hi all,

Can somebody advise on the correct steps to insert a cli script into the F5 system? Any comment or advice is appreciated.

I am facing an error while enabling auto-enrollment of data into a data group with the Google Authenticator solution at the link below.
https://github.com/yamashin55/f5-google-authenticator-datagroup/blob/master/index.md

Based on the steps, #tmsh list cli script should show a positive result as below:

cli script add_totp_key {
    proc script::run {} {
        set cmd "tmsh::modify /ltm data-group internal [lindex $tmsh::argv 3] \{ records add \{ [lindex $tmsh::argv 1] \{ data [lindex $tmsh::argv 2] \} \} \}"
        tmsh::log "Executing the command: $cmd"
        eval $cmd
    }
    total-signing-status not-all-signed
}

So I went to tmsh and worked on this accordingly, putting in exactly the same script, and it gives an error. Please see the output below, which shows the error "total-signing-status" is a read-only property. Then I deleted the line "total-signing-status not-all-signed" and the system allowed it without error.

==TMSH CLI output 

root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)# edit cli script add_totp_key


root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)# edit cli script add_totp_key
Save changes? (y/n/e) y

Syntax Error: "total-signing-status" is a read-only property
There were errors. Continue editing(y) or discard changes(n) (y/n)

==TMSH output end == 

However, I proceeded with the test and found my solution not working; digging down, it looks like the script did not process accordingly. Then I ran another command, #run cli script add_totp_key, and it produced an error message showing the script is not working, as shown below:

==tmsh output start ==

root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)# run cli script
Configuration Items:
add_totp_key delete_totp_key f5.app_utils
Options:
file verbatim-arguments
root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)# run cli script add_totp_key
add_totp_key: script failed to complete:
can't eval proc: "script::run"
"{" unknown property
while executing
"tmsh::modify /ltm data-group internal { records add { { data } } }"
("eval" body line 1)
invoked from within
"eval $cmd"
(procedure "script::run" line 4)
invoked from within
"script::run" line:1
script did not successfully complete, status:1
root@(bigip01)(cfg-sync Standalone)(Active)(/Common)(tmos)#

  • This is a really complex configuration. I've tried messing with it a little in my lab, running BIG-IP 15.1.5.1.

    To answer part 1 of your question, I was able to create a new CLI script using the tmsh edit cli script syntax.
    I've noticed that in this version, several procedures are automatically set when creating the script.

    I've deleted those and pasted your exact syntax, then saved.
    I've seen the same error message for "total-signing-status" being read-only, and just as you did I was able to complete creation by removing that line, which I also noticed is added automatically by the builder afterwards.


    The error you're getting when running the script is that the "tmsh modify ltm data-group internal" command is missing the object name before the opening {, which means [lindex $tmsh::argv 3] is returning a null value in your script.

    I think you're supposed to pass some parameters to this procedure, or at least this is what happens in the iRule code. Moreover, the Data Group name is defined statically as a variable in the RULE_INIT event.

    Sorry for the very bad and quick paint art, but I hope this helps to clarify it. 


    Maybe you should try running proc with a set of parameters? 

    Regards

    CA

    • jacket

      Hi Valli 

      Thanks for the quick paint art pointing out the "f5_google_auth" code relation as well. The solution is for Google Authenticator to automatically enroll the shared token key into the data group. The data group name is "token_keys".

      https://github.com/yamashin55/f5-google-authenticator-datagroup

      I have no idea how to pass parameters to the cli script. Would it be possible for you to assist by inserting some related parameters into the script, so I know how I can add them for further testing?

      Below is the iRule that I exported from my BIG-IP system; I didn't modify the rule, I only changed the credential.

      "add_user" {
          # calls the add_totp_key proc with: virtual server, base64 Basic-auth credential,
          # logon username, OTP secret from the session, and the data-group name
          set result [call add_totp_key "VS_F5-MGMT-ETH" "[b64encode "admin:Pacific@work123!!"]" "[ACCESS::session data get session.logon.last.username]" "[ACCESS::session data get session.custom.otp.secret]" "$static::ga_key_dg"]
          log local0.info "Result: $result"
          if { $result equals "Success" } {
              ACCESS::session data set session.custom.add_user.result $result
          }
      }
      "delete_user" {
          # same argument order as add_user, but removes the record
          set result [call delete_totp_key "VS_F5-MGMT-ETH" "[b64encode "admin:Pacific@work123!!"]" "[ACCESS::session data get session.logon.last.username]" "[ACCESS::session data get session.custom.otp.secret]" "$static::ga_key_dg"]
          log local0.info "Result: $result"
          if { $result equals "Success" } {
              ACCESS::session data set session.custom.delete_user.result $result
          }
      }
      }
      }


  • I've looked into this a little more.

    The iRule code for the procedure proc add_totp_key, after being passed the parameters I highlighted in my last message, runs a shell command at line #5.

    This will be the add_totp_key script you created with tmsh edit cli script. You can see it passes three parameters: username, key, and datagroup. You can see in my last message what the supposed values of those variables are. It is important that you follow this order when you pass the parameters to the command.

    I think you should be able to test cli script by running it as written:


    run cli script add_totp_key testuser testkey testgroup


    See my test below: I had an empty DG that was populated with testuser:testkey values after running the command with variables.

    Regards
    CA
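
The following is an added illustration of the point made in the replies above; it is not code from the thread or from the linked repository. It is a small Python model of how the add_totp_key script assembles its tmsh command from $tmsh::argv. The assumptions are: Tcl's [lindex $tmsh::argv N] returns an empty string when N is out of range, argv 0 is the script name, and the positional order is username, key, data-group (argv 1, 2, 3). With no arguments the model reproduces the malformed command from the poster's error output; with three arguments it produces the command the second reply describes. The validated_cmd function is a hypothetical addition: it refuses to run unless all three arguments are present and contain only characters that cannot change the meaning of the string that the original script passes to eval, which matters because the username comes from the logon form.

```python
"""Model of how the add_totp_key tmsh script builds its command from $tmsh::argv.

Added example, not code from the original thread or the linked repository.
Assumptions: Tcl lindex returns "" for an out-of-range index, argv[0] is the
script name, and argv[1..3] are username, key, data-group in that order.
"""
import re

# Characters that are safe to interpolate into the eval'ed command string.
# Braces, brackets, '$', ';' and whitespace would be interpreted by Tcl
# (hypothetical whitelist; adjust to the key/username formats you allow).
SAFE_TOKEN = re.compile(r"^[A-Za-z0-9_.@=+/-]+$")

USAGE = "usage: run cli script add_totp_key <username> <key> <datagroup>"


def tcl_lindex(argv, index):
    """Mimic [lindex $argv N]: empty string when N is out of range."""
    return argv[index] if 0 <= index < len(argv) else ""


def build_modify_cmd(argv):
    """Assemble the command exactly as the original script's $cmd does.

    Empty tokens are dropped and whitespace collapsed so the result reads
    like the command quoted in the poster's error output.
    """
    datagroup = tcl_lindex(argv, 3)
    username = tcl_lindex(argv, 1)
    key = tcl_lindex(argv, 2)
    tokens = [
        "tmsh::modify", "/ltm", "data-group", "internal", datagroup,
        "{", "records", "add", "{", username, "{", "data", key, "}", "}", "}",
    ]
    return " ".join(t for t in tokens if t)


def is_malformed(cmd):
    """True when the data-group name is missing, i.e. '{' directly follows 'internal'.

    This is the shape tmsh rejected with '"{" unknown property'.
    """
    return " internal {" in cmd


def validated_cmd(argv):
    """Same command, but only when all three positional arguments are present and safe."""
    if len(argv) != 4:
        raise ValueError(USAGE)
    for name, value in zip(("username", "key", "datagroup"), argv[1:]):
        if not SAFE_TOKEN.match(value):
            raise ValueError(
                f"{name} {value!r} contains characters that would alter the evaluated tmsh command"
            )
    return build_modify_cmd(argv)


if __name__ == "__main__":
    # Constructed inputs: the no-argument call from the thread, then a full call.
    print(build_modify_cmd(["add_totp_key"]))
    # Base32 key below is a made-up sample value, not a real TOTP secret.
    print(validated_cmd(["add_totp_key", "testuser", "JBSWY3DPEHPK3PXP", "token_keys"]))
```

Running the block prints the broken command first (no data-group name before the opening brace) and then the well-formed one; the same positional order applies when you type run cli script add_totp_key testuser testkey testgroup at the tmsh prompt.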