DevCentral > Weblogs > Jason Rahm - Jason's Blog
  Tuesday, February 16, 2010 #
  
Networking Options with LTM VE

If you haven’t yet downloaded the BIG-IP LTM VE trial, I highly suggest you do.  It is a fully-functional LTM, rate-limited to 1Mbps throughput.  If you’re not familiar with virtualized environments, hopefully this blog will fill in some blanks for how to get started on the network front.

Getting Started

Before downloading your VE image, you need to choose what virtualization environment you’re installing into.  The supported options in the type 1 hypervisor are VMWare ESX version 4 and ESXi version 4.  For the type 2 hypervisor (requiring a host OS such as linux or Microsoft Windows) the supported option is VMWare Workstation 7, which offers a 30-day free trial that I recommend you give a shot, or for those with experience on VMWare player, that also will suffice if you are at version 3.  Note, however, that VMWare player is not supported by F5. 

Hypervisor Type 2 Options – VMWare Workstation & Player

In LTM VE, you have three interfaces—one management and two data (1.1 & 1.2).  On the Workstation/Player products, you specify in the virtual appliance settings how the interfaces will connect.  You can specify any of the following interface types:

  • Bridged – Allows access through your physical NIC to participate in the local area network.
  • NAT – Allows access through your physical NIC, but utilizes your machine’s IP and translates for VM traffic.
  • Host Only – Networks are defined locally in virtual nics that have no significance outside your locally defined virtualization environment.

With the Workstation product, there is a Virtual Network Editor application where you can define the networks your virtual appliances will use, as well as setting dhcp options, etc.  The player doesn’t have this application, and doesn’t give the custom option in the GUI interface, but the settings can be configured manually in the appliance configuration files (shown below).  To get started quickly, I bridge the management interface so I can download directly from the management shell.  I use a host-only interface assigned at layer3 on both my laptop and the VE image so I can run test traffic against my iRules for syntax and functional checking.  I have a virtual appliance on a layer2 network (layer3 for VE and the server appliance, but there isn’t a layer3 interface for vmware itself) between it and VE so I can pass traffic from my laptop through VE to the vm server and back as necessary for testing.  A diagram detailing this is shown below to the left of the matching configuration options set in the virtual appliance files.

[Diagram: vmnet_example]

# MGMT NETWORK
ethernet0.present = "true"
ethernet0.virtualDev = "vlance"
ethernet0.addressType = "generated"
ethernet0.connectionType = "bridged"
ethernet0.startConnected = "true"
# INT 1.1
ethernet1.present = "true"
ethernet1.virtualDev = "e1000"
ethernet1.addressType = "generated"
ethernet1.connectionType = "custom"
ethernet1.startConnected = "true"
ethernet1.vnet = "VMnet1"
# INT 1.2
ethernet2.present = "true"
ethernet2.virtualDev = "e1000"
ethernet2.addressType = "generated"
ethernet2.connectionType = "custom"
ethernet2.startConnected = "true"
ethernet2.vnet = "VMnet2"
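
An added example (not from the original post): a small Python check that reads the adapter settings above from .vmx text and reports which segment each interface can be reached from, flagging bridged adapters such as the management interface in this layout. The function names and the embedded sample are constructed for illustration, and treating a missing connectionType as bridged is an assumption.

```python
import re

# Constructed sample: the adapter settings shown in the post, as .vmx text.
SAMPLE_VMX = """\
# MGMT NETWORK
ethernet0.present = "true"
ethernet0.virtualDev = "vlance"
ethernet0.addressType = "generated"
ethernet0.connectionType = "bridged"
ethernet0.startConnected = "true"
# INT 1.1
ethernet1.present = "true"
ethernet1.virtualDev = "e1000"
ethernet1.connectionType = "custom"
ethernet1.vnet = "VMnet1"
# INT 1.2
ethernet2.present = "true"
ethernet2.virtualDev = "e1000"
ethernet2.connectionType = "custom"
ethernet2.vnet = "VMnet2"
"""

# Who can reach an adapter, per the three interface types described in the post.
EXPOSURE = {
    "bridged": "physical LAN",
    "nat": "outbound via host IP",
    "hostonly": "host and local VMs only",
}

# Matches only ethernetN.key = "value" lines, so comment lines are ignored.
LINE_RE = re.compile(r'^\s*ethernet(\d+)\.(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_adapters(vmx_text):
    """Collect ethernetN.* settings into {N: {key: value}}."""
    adapters = {}
    for line in vmx_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            adapters.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return adapters


def audit(adapters):
    """Return (rows, findings): one row per present adapter plus review notes."""
    rows, findings = [], []
    for idx in sorted(adapters):
        cfg = adapters[idx]
        if cfg.get("present", "false").lower() != "true":
            continue
        # Assumption: an adapter with no connectionType is treated as bridged.
        ctype = cfg.get("connectionType", "bridged").lower()
        vnet = cfg.get("vnet")
        if ctype == "custom":
            exposure = f"members of {vnet}" if vnet else "undefined"
            if not vnet:
                findings.append(f"ethernet{idx}: custom adapter has no vnet")
        else:
            exposure = EXPOSURE.get(ctype, "unknown type")
        if ctype == "bridged":
            findings.append(f"ethernet{idx}: bridged, reachable from the physical LAN")
        rows.append((idx, ctype, vnet, exposure))
    return rows, findings


if __name__ == "__main__":
    rows, findings = audit(parse_adapters(SAMPLE_VMX))
    for row in rows:
        print("ethernet%d type=%s vnet=%s reach=%s" % row)
    for note in findings:
        print("REVIEW:", note)
```
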

I think in order to take advantage of route domains on the workstation product, you’d need a couple virtual appliances in different vmnets that are only layer2 aware.  Still, there are plenty of possibilities with apache vserver configurations if you have the memory to spin up a virtual appliance in addition to the BIG-IP LTM VE.

Hypervisor Type 1 Options – VMWare ESX 4/ ESXi 4

In ESX/ESXi, it’s both more complicated and more simple.  Yeah, I said that.  The assigning of interfaces is trivial, as there really isn’t a concept at the virtual appliance level of bridging, natting, or host only.  The ESXi platform has an underlying virtual switching infrastructure where all the science of networking is configured.  You can team your NICs and run all your VLANs across them, or you can segment by function.  When deploying the .ova image to ESXi, the only interesting questions are what datastore you will use to house your VE image and what networks to apply to the VE interfaces.  Given that you cannot create them on the fly, you’ll need to do some prep work to make sure your interfaces are already defined before deploying the image.

[Figure: esxi_networking]

[Figure: ltmve_esxi]


Questions?  We turned on an LTM VE specific forum today should you have any questions regarding installation, network configuration, VE options, etc.  We hope you get as much use and enjoyment out of this release as we do.



  Friday, February 05, 2010 #
  
DevCentral Live Tour – It’s a Wrap!

After a week of presentations throughout the Middle East and Europe by Joe & Jeff, I took my turn on the tour, beginning with a couple days in Johannesburg, South Africa, and finishing up the week with a few stops in Europe as well.  Today’s session in Antwerp, Belgium, also featured the iRules Contest grand prize winner in the partner division, Sake Blok, with a fine presentation on writing clean iRules and a walk through of his winning iRule.  Oh, and he delivered his presentation from his brand new 17” MacBook Pro—won in the contest—just to rub in the fact that I do in fact not have one.  Just kidding, Sake.  It’s a really nice toy, by the way.

Anyway, I believe the presentations were well received (If I’m wrong about that, don’t tell Jeff!)  The agenda was fairly broad spread, covering in part:

  • iRules & iControl basics
  • Advanced iRules tips & tricks
  • Case studies on iRules from some of this year’s iRules Contest winners
  • Case study on a similarly functional iControl script written both in Powershell & Python for comparison
  • New v10.1 features, including geolocation, tmsh scripting, the table command, etc.

Among Joe, Jeff, myself, and the hundreds of partners and end-users we met with these past two weeks, we have great feedback on product specific things as well as some constructive commentary on how DevCentral can be improved.  To that end, we’re working feverishly in the shadows to deliver some improvements and new functionality to the DevCentral community.  Stay tuned…



  Friday, January 22, 2010 #
  
Strap Your Conversion Kit On – Become a Hybrid!

No, I’m not talking cars.  I’m not convinced (yet) that the total cost of ownership is lower, set aside the performance.  So what am I getting at?  Skill sets.  Jon Oltsik wrote today that, well, he said it better than I could summarize, so I’ll quote him:

“IT needs new networking/application specialists. F5 financial results and the whole evolution of ADC functionality suggest the need for a new IT skill set. I believe there is a growing requirement for hybrid IT specialists who understand both networking and application requirements. These people will become architects and application performance gurus — and make a ton of dough. F5 should work with application vendors like Microsoft or Oracle to create a certification program in this area.”

When I first began managing BIG-IP duties back in 2002, I quickly recognized that my skill set was inadequate to do it, the infrastructure, or the applications justice.  Its purpose was only load balancing and SSL offload, but the impact to the applications, or really, the potentially positive impact to the applications, was not addressed in design meetings.  It just boiled down to make it work.  This boded well for me since I didn’t really know squat about anything above layer four (shush all you haters who will contend that’s still the case).  As I’ve moved from early exposure to BIG-IP’s full proxy arrival in v9, I’ve also taken interest in understanding the applications.  I’m no expert, but I think every network guy that uses application delivery technology owes it to their customer to not just put it on the network and call it good.  If you manage dozens of web applications on your BIG-IP, it will serve you well to understand the HTTP protocol.  Organizations can make this easier on employees by cross training disciplines.  It may make for a slipped deadline or a sluggish development cycle, but rotating your network guys through a month or so of application development shadowing (and making your application developers field the calls from the users that “the network is slow” with the network guys showing the app developers the traces that prove it’s not) can only be good long term.  As for you, Jon is absolutely correct that if you can marry the wisdom of network and application, you will be well compensated for your services.  Get in the lab, get dirty, make mistakes (yes, that’s a Magic School Bus reference) and be humble enough to admit you don’t know it all and ask someone from another discipline to mentor you.  You won’t be sorry.



  Friday, January 08, 2010 #
  
DevCentral Announces Inaugural MVP Class

DevCentral as a community relies upon the talents and contributions of its users to help peers and those who are new to F5 products and technologies.  Without users who are willing to take a moment from their busy day and help resolve the problems of complete strangers, DevCentral would be far less community, resembling more of a corporate news site.  Due in large part to the contributions of a select few, the community continues to flourish.  They are in the trenches facing challenges daily, and it is their expertise the community craves.  Without their help, some of our members might still be struggling to get the most out of their F5 gear, or more likely, the core DevCentral members would be working much longer hours as we attempt to assist our ever-growing user base.  We recognize the time and effort put into the DevCentral community.  To that end, we have created the DevCentral MVP program to honor those who, without incentive, contribute to the greater good of our community.

The 2010 DevCentral MVP Class (by username)

  • hoolio -  I have to quote Drago from Rocky 4 here: "He is not human, he is a piece of iron."  Mr. forums has more posts than Joe, Colin, and me--combined.
  • bhattman - 2009 iRules contest winner and ever-present in the forums and wiki.
  • hamish - Contributor in the iControl and monitoring/management forums.  Contributed several slick templates for the F5 host template.
  • hwidjaja - Perl nut, which excites Colin.  Active in several forums.
  • smp - He's gotta change his username.  I type snmp every time.  Really--every time.  Also an active contributor in several of the forums.
  • naladar - Not only a member of our community, but carries the F5 love out to the world with his own TheF5Guy blog.  Interview guest on podcast 107.
  • mikejo - Unashamed Firepass specialist.  Active contributor in said forum.

If you want to hear more about the MVPs, podcast 117 was a dedicated highlight show.  Also, make sure to check out the MVP profile pages.

 

MVPs – we salute and thank you, and we know the community at large thanks you as well!



  Monday, December 14, 2009 #
  
Announcing PyControl v2!

At long last, we’re happy to announce pycontrol, version 2! This version is a complete re-write of the original, with many improvements. Over the next several weeks keep an eye out for more samples posted to code share as well as tutorials, both in tech-tip and screen cast form.  Here are a few feature highlights:

  • Attribute-driven for easy introspection of iControl methods.
  • Optional single-file install. No longer requires root access. Just drop pycontrol.py somewhere you'll remember and add it to sys.path, or drop it onto sys.path itself.
  • On-box WSDL or remote-fetch. This means you can have *multiple* WSDL versions available and it's easy to point pycontrol either to a BigIP or a local WSDL file.
  • Support for concurrent calls via the suds clone() method. For example, clone() multiple pycontrol objects, then use threads to call multiple systems concurrently and fetch results (See the samples dir for a toy example of this).
  • Semi backward-compatible with pyControl version 1.x (most 'getter' methods).
  • Sane exception handling.
  • Easy debug logging via standard syslog facilities. Set "debug=True" on instantiation for trace logging.
  • Support for in-object endpoint changes. This allows you to create one object for, say, LocalLB.Pool and point it to different BigIP systems.
  • "Pythonic" type objects with attributes. For example, you create a 'Common.IPPortMember' object, then set its 'address' and 'port' attributes.
  • Exposure of the underlying SOAP API, Suds. This will allow for power-users to get at all of the underlying API for 100% flexibility. Suds is an excellent, fast-moving project. See https://fedorahosted.org/suds/ for more information on this excellent library.

See the README file inside the bundle for other information – Installation, Quickstart, and a list of known issues.

**PLEASE NOTE**: given that this is a total rewrite, your old code will not work with pycontrol v2.  We’ve tried to minimize the amount of changes you’ll have to make, but the underlying Python API is totally new, and as you’d expect, different from our old one. You’ll need to port your old pycontrol 1.x code over to take advantage of pycontrol v2.

Videos and code samples will follow as the day/week progresses.  Many thanks to the long hours and dedication of F5's own Matt Cauthorn for this excellent effort.  Happy coding!



  Wednesday, November 04, 2009 #
  
pyControl Just as Happy on Linux

There have been several questions over the past month in the iControl forum as to whether or not pyControl works on linux.  In the pyControl labs information, there are instructions for install on Microsoft Windows based systems, but not for linux, so maybe this is the source of confusion.  This is not so much that pyControl isn't linux compatible as it is that the installation instructions on the many flavors of linux vary.  In reality, the only step that should be different between the distributions is the first step: installing python.  Now, on my flavor of choice, Ubuntu, python 2.6 is the default version, which doesn't work so well with the ZSI soap library utilized by pyControl.  So I installed python 2.5 alongside 2.6.  This works fine as long as you keep in mind that running python from the command line will actually run the python2.6 binary.  So when you install the python packages necessary for pyControl to work, just remember to either update the symlink (/usr/bin/python on my Ubuntu 9.10 system) or call the python2.5 binary.  Here are the steps I took to get pyControl prepared on my system.

  1. Install python2.5 - sudo apt-get install python2.5
  2. Download the necessary packages (I threw them in /var/tmp/)
    1. Easy Setup - http://peak.telecommunity.com/dist/ez_setup.py
    2. ZSI - http://sourceforge.net/projects/pywebsvcs/files/ZSI/ZSI-2.1_a1/ZSI-2.1_a1-py2.5.egg/download
    3. pyControl - http://devcentral.f5.com/LinkClick.aspx?link=http%3a%2f%2fdevcentral.f5.com%2flabs%2fpyControl%2fpyControl-1.3.0_beta-py2.5.egg&tabid=73&mid=433
  3. Install the packages
    1. sudo python2.5 /var/tmp/ez_setup.py
    2. sudo easy_install-2.5 /var/tmp/ZSI-2.1_a1-py2.5.egg
    3. sudo easy_install-2.5 /var/tmp/pyControl-1.3.0_beta-py2.5.egg

 

Now that the environment is prepared, we can test it out to make sure all is well in the pyControl world.

vadmin@vadmin:~$ sudo python2.5
Python 2.5.4 (r254:67916, Apr 4 2009, 17:55:16)
[GCC 4.3.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pycontrol.pyControl as pc
>>> b = pc.BIGIP(
... hostname = '10.10.10.10',
... username = 'admin',
... password = 'admin',
... wsdl_files = ['GlobalLB.WideIP']
... )
Loading WSDL: GlobalLB.WideIP.wsdl
>>> w = b.GlobalLB_WideIP
>>> w.get_list()['return']
['test.wip.com']
>>>

 

The install document on the pyControl page has been updated to reflect the Ubuntu linux distribution.  Happy coding!

 



  Tuesday, September 15, 2009 #
  
Closing in on the iRules Contest Deadline....

Hey Community!  Just a gentle nudge that we are still accepting entries for the iRules Contest through 5pm pacific on the 30th of September.  Yes, that's only 15 days from now!  I see several iRules flying by in the forums each week that are no brainers for consideration.  Take this nice example from the forums:

Forum iRule from user UZimmerman

 when HTTP_REQUEST {
    set downtimepool "Downtime-NonSSL"
    set downtimemember "10.21.67.103"
    set downtimeport "16080"
    set downtime 0
    if { ([LB::status pool $downtimepool member $downtimemember $downtimeport] eq "up") \
         and (![IP::addr [IP::client_addr]/16 equals 10.21.0.0]) } {
      pool $downtimepool
      log local0. "Sending request to pool $downtimepool"
      set downtime 1
    }
  }
  when SERVER_CONNECTED {
    if { $downtime == 1 and [PROFILE::exists serverssl] == 1 } {
      set disable "SSL::disable serverside"
      catch {eval $disable}
      log local0. "Disabled server side SSL"
    }
  }

User UZimmerman was looking for a way to allow for downtime without having to touch each virtual before and after.  This iRule is a great example of function, though if submitted for the contest, would benefit from some optimization.

What problems can you solve by sitting down and cranking out code?  There are several really cool prizes waiting for you.

 


  Tuesday, September 08, 2009 #
  
iRules Insight - HTTP Event Order

I'm a visual learner.  You know this about me.  I've said as much in earlier posts (Me Caveman, Need Picture).  So it should come as no surprise that I'll be highlighting a picture here.  A picture is worth a thous...yada yada yada, you get it.  I see many drawings, all of which are purposed to convey some type of information.  This, however, is a visual treasure chest building on the event ordering goodness discussed by Colin a while back that hones in on the flow of data through the iRules events specific to the HTTP protocol.  If you develop iRules for HTTP traffic, you need this diagram in your toolbox.  Major thanks to F5er John Alam for putting this gem together!

 

[Diagram: I-Rule Events]

 


  Wednesday, August 12, 2009 #
  
Calling All iRulers!

It's iRules Contest time again, community!  I wasn't new to F5 products for the first contest, as I was a version 4.5 user for a couple years, but I was relatively new to the v9 TCL-based iRules.  I was working on a couple different projects at the time, one with terminal server and one with some multi-site SSL redirection challenges, that brought me full force into the DevCentral experience.  F5ers Joe, Colin, Deb & unRuleY nurtured me along, taking time out of their schedules to assist in my learning curve.  This community that I now get to share in serving really blew me away with the willingness to reach out and help.  It was unRuleY's guidance and insight that led to my winning iRule in the first contest.  It was Jeff's kind request that I join the judging panel for the second contest.  Really, the whole experience with DevCentral, before and since joining F5, feels like family.  And not the family you avoid at holidays.  I'm talking about the family you can't wait to hang out with.  Who knew something as simple as a TCL script and a project could shape my career path the way it has.  So, now that I'm done being sappy...what projects are you working on that make for a killer iRule?  Not just the technicalities, but the impact it has on your organization?  Submit your iRules entry form, and maybe you'll be booting up a MacBook Pro, or snapping some shots with a Canon EOS 5D Mark II DSLR soon enough!  Click here for contest details.  Happy iRuling!

 


  Tuesday, August 11, 2009 #
  
Python Development Environments on Linux

I was having some windows trouble yesterday so I started cleaning up some utilities I didn't think I was using and subsequently broke my python installation.  As I was contemplating what I needed to do to "fix the glitch" (one of my favorite Office Space quotes) it occurred to me as I've been walking through pyControl in a series of tech tips that I have not been testing my code on platforms other than windows.  So today, I'm making the break.  Here on out, if it's not Visual Studio or Powershell, it will not be done in a windows environment.  I may test it on windows to give it a thumbs up, but all non .NET development will be on Linux going forward.

Now that I have that off my chest...what do you recommend?  I was using Eric4 on windows before breaking it.  I've heard good things about SPE, Geany, & Gedit.  I would like to setup an environment with syntax highlighting, versioning, console, and a GUI designer.


BTW, wanted to give Tux an opportunity to show off one of my childhood homes.  OK, I didn't live in the tower (how could you sleep), but I lived in a town down the road called Livorno.  Good times.

