Auto-updates the GeoIP database on BIG-IP.

Problem this snippet solves:

Securely auto-updates the GeoIP database on multiple BIG-IPs.

Tested on version 12.1.2, but should work on others.

How to use this snippet:

PHP must be installed (tested on 7.0; 5.6 should work too).

Install (on Ubuntu Server 12.04-16.04):

    sudo LC_ALL=C.UTF-8 add-apt-repository -y ppa:ondrej/php

    sudo apt-get -y install php7.0 php7.0-common php7.0-cli php7.0-curl php7.0-mcrypt php-ssh2 php-zip


Then run on the CLI:

    php geoip_updater.php <downloads.f5.com https geoip file url - on location page> <optional, md5 file url>

Modify the script to enter your servers' IPs, hostnames, and auth settings. Tested updating 8 BIG-IPs in under 5 minutes. Due to limitations in how the file is offered on downloads.f5.com, you have to get the filename before running the script.

Tested on Version:
12.1
Comments on this Snippet
Comment made 26-Jul-2017 by Gregory Robinson

Awesome script! Great job!

1
Comment made 11-Aug-2017 by Joe 305

Thanks for this! In my testing I ran into 2 issues getting this set up on xUbuntu 16.04. When running this command sudo apt-get -y install php7.0 php7.0-common php7.0-cli php7.0-curl php7.0-mcrypt php7.0-ssh2 I received these errors:

    E: Unable to locate package php7.0-ssh
    E: Couldn't find any package by glob 'php7.0-ssh
    E: Couldn't find any package by regex 'php7.0-ssh

That happened after adding the repository. Running the command sudo apt-get -y install php-ssh2 seemed to fix that.

The 2nd error I ran into was after the 1st time I ran the script. I received this error: Fatal error: Uncaught Error: "Class 'ZipArchive' not found in /home/xxxx/geoip_updater.php:112 Stack trace: #0 {main} thrown in /home/xxxx/geoip_updater.php on line 112

I was able to resolve this by running this command sudo apt-get install php-zip

The security conscious side of me doesn't particularly like having the root password stored in the script. If that could be made a variable that needs to be entered at the very beginning, that would be better in my own opinion.

The other thing I would suggest is to see if the files you are about to download are already downloaded. Because of the ZipArchive error I received, I ended up downloading the files a 2nd time even though they were already there. As I am typing, it just occurs to me that being able to specify a local file might also be nice.

Oh, and the GTM I was testing against was 11.5.3.

0
Comment made 11-Aug-2017 by Chris Gray 80

Thanks Joe for the feedback. I can certainly update the code to allow for a local directory copy of the download. My thought was to delete the local copy if it's present, as it might be incomplete or corrupted. And I didn't want to force the MD5 URL requirement. Also I will update the documentation to include php-zip. Sorry for the inconvenience, but thanks for the determination of trying to get it working! You rock!

I'm thinking I could make the 3rd CLI param be a check of whether it's a URL or the remote password. If it's a URL, then it's the path to the MD5 checksum; if not, then use it as a password for the remote boxes. Would that work for you?

Also, did it work for you once you got the required files installed? Any and all feedback is greatly appreciated. Thanks a lot! I'm always looking to make things better.

0
Comment made 11-Aug-2017 by Joe 305

Yes, it did work! However, it did give me some notices.

PHP Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 135
Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 135
PHP Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 169
Notice: Undefined offset: 0 in /home/xxxx/geoip_updater.php on line 169

I think that was because I used IP only and not an FQDN. So, no big deal. That's a good point about the file being corrupt or incomplete. But I would think that would be a point towards forcing the md5 check. Which I personally would be OK with. Since the 2 URLs are almost identical, except the 2nd one has ".md5" at the end, you could just infer the 2nd URL from the 1st URL. Then you wouldn't need the MD5 URL parameter. I don't really do any coding and about the most I do is some bash scripting or simple iRules so, I am not exactly sure what would be a good way to do the password or local files. But yeah, just adding another parameter to the command seems good to me.

0
Comment made 11-Aug-2017 by Chris Gray 80

Actually, the ip-geolocation db file and md5 file have different URLs, so I can't infer the md5 from the original download URL. (If you copy and paste both URLs into a text program, you will see a different URL for each.) I wish I could, but I will make those other changes and update the GitHub and DevCentral asap.

0
Comment made 16-Aug-2017 by Joe 305

Yeah, you're right. Last week I compared them and I could have sworn they were the same. But when I did it today, they are definitely different.

0
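
The local-copy and checksum discussion in the comments above comes down to one decision: reuse a downloaded archive only when its MD5 matches the published .md5 file, otherwise discard it. The following is an added PHP example, not code from geoip_updater.php; the function names and the assumed .md5 layout (a 32-digit hex digest, optionally followed by a filename) are assumptions, and the sample files are constructed.

```php
<?php
// Added example, not code from geoip_updater.php. Function names and the
// .md5 layout ("<32 hex digits>  <filename>") are assumptions.

/** Return the lowercase digest found in the contents of a .md5 file, or null. */
function parse_md5_file(string $contents)
{
    // Accept "<hash>", "<hash>  name" and "<hash> *name" (binary-mode marker).
    if (preg_match('/^\s*([0-9a-fA-F]{32})(?:\s+\*?\S.*)?\s*$/', $contents, $m)) {
        return strtolower($m[1]);
    }
    return null; // empty, truncated, or e.g. an HTML error page saved as .md5
}

/** True only if $zipPath exists and its MD5 equals the digest in $md5Contents. */
function local_copy_is_valid(string $zipPath, string $md5Contents): bool
{
    $expected = parse_md5_file($md5Contents);
    if ($expected === null || !is_file($zipPath)) {
        return false;
    }
    $actual = md5_file($zipPath);
    return $actual !== false && hash_equals($expected, $actual);
}

// Constructed sample data: a complete file and a truncated copy of it.
$payload = 'constructed sample archive bytes';
$good = tempnam(sys_get_temp_dir(), 'geoip');
$bad  = tempnam(sys_get_temp_dir(), 'geoip');
file_put_contents($good, $payload);
file_put_contents($bad, substr($payload, 0, 20)); // simulated partial download
$md5Contents = md5($payload) . "  sample.zip\n";

foreach (['complete' => $good, 'truncated' => $bad] as $label => $path) {
    if (local_copy_is_valid($path, $md5Contents)) {
        echo "$label: checksum matches, reuse the local copy", PHP_EOL;
    } else {
        echo "$label: missing or mismatched, delete and download again", PHP_EOL;
    }
    unlink($path);
}
```

The MD5 comparison catches truncated or corrupted downloads; protection against a tampered file still rests on the HTTPS connection to downloads.f5.com, since the checksum is fetched from the same site.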
Comment made 4 months ago by TimRiker 21

Made some changes, opened a pull request on GitHub. Tested on Ubuntu 18.04 against test boxes running 11.6.0 (v1) and 13.1.0.8 (v2).

geoip_updater.php

  • version 0.0.8
  • use PHP_EOL for line endings
  • convert to ssh2_auth_agent, default to root user (no password in script)
  • pick f5s from F5S environment variable, i.e.:

    F5S=a.example.com,b.example.com php geoip_updater.php <zip url> <md5 url>

  • avoid system() and printf()
  • recommend native php debs, avoid ppa
  • default to UTC
  • tabs, whitespace, etc
  • one ssh connection per f5
0
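
The last comment's changes (hosts taken from the F5S environment variable, ssh-agent authentication so no password sits in the script, one SSH connection per device) can be sketched as follows. This is an added PHP example, not the code from the pull request; parse_f5s() and open_f5_session() are hypothetical names, the host list is a constructed sample used when F5S is unset, and it assumes the PECL ssh2 extension and a running ssh-agent.

```php
<?php
// Added example, not code from geoip_updater.php or its pull request.
// parse_f5s() and open_f5_session() are hypothetical names.

/** Split a comma-separated F5S value into validated, de-duplicated hosts. */
function parse_f5s(string $raw): array
{
    $hosts = [];
    foreach (explode(',', $raw) as $item) {
        $host = strtolower(trim($item));
        if ($host === '') {
            continue; // tolerate "a,,b" and trailing commas
        }
        $ok = filter_var($host, FILTER_VALIDATE_IP) !== false
            || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
        if (!$ok) {
            throw new InvalidArgumentException("Rejected F5S entry: $host");
        }
        if (!in_array($host, $hosts, true)) {
            $hosts[] = $host; // one connection per device
        }
    }
    return $hosts;
}

/** Open one agent-authenticated session; no password is read or stored. */
function open_f5_session(string $host, string $user = 'root')
{
    $session = ssh2_connect($host, 22);
    if ($session === false) {
        throw new RuntimeException("Cannot connect to $host");
    }
    // Show the host key fingerprint so it can be compared with a known value.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    echo "$host host key SHA1 $fp", PHP_EOL;
    if (!ssh2_auth_agent($session, $user)) {
        throw new RuntimeException("ssh-agent authentication failed for $user@$host");
    }
    return $session; // reuse this session for every step on this device
}

$fromEnv = getenv('F5S');
// Constructed sample value, used only when F5S is not set (no connection is made).
$sample = 'a.example.com, b.example.com,192.0.2.10,A.example.com';
$hosts = parse_f5s($fromEnv !== false ? $fromEnv : $sample);
echo 'Targets: ', implode(' ', $hosts), PHP_EOL;
if ($fromEnv !== false) {
    $sessions = array_map('open_f5_session', $hosts);
}
```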