{"id":18798798,"url":"https://github.com/f5networks/f5-agent-auditor","last_synced_at":"2025-07-14T06:42:20.195Z","repository":{"id":226161392,"uuid":"767863803","full_name":"F5Networks/f5-agent-auditor","owner":"F5Networks","description":null,"archived":false,"fork":false,"pushed_at":"2024-03-06T03:17:39.000Z","size":79,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":4,"default_branch":"ng-stable","last_synced_at":"2024-12-29T18:24:37.925Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/F5Networks.png","metadata":{"files":{"readme":"README.rst","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-03-06T03:03:48.000Z","updated_at":"2024-03-06T05:32:45.000Z","dependencies_parsed_at":"2024-03-06T07:48:03.210Z","dependency_job_id":null,"html_url":"https://github.com/F5Networks/f5-agent-auditor","commit_stats":null,"previous_names":["f5networks/f5-agent-auditor"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-agent-auditor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-agent-auditor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-agent-auditor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/F5Networks%2Ff5-agent-auditor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/F5Networks","download_url":"https://codeload.github.com/F5Networks/f5-agent-auditor/tar.gz/refs/heads/ng-stable","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":239727253,"owners_count":19687138,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T22:13:01.019Z","updated_at":"2025-02-19T20:20:23.925Z","avatar_url":"https://github.com/F5Networks.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"BIG-IP配置补齐和NG Auditor 需求分析\n \n**主要输入:**\n\n\n1.\tAuditor 会以命令行的方式运行\n2.\tAuditor 会抓取 Neutron DB,DB 建立连接需要的信息,通过命令行提供 /etc/neutron/neutron.conf 配置文件寻找 connection 配置。\n3.\tAuditor 会抓取 Bigip 上数据,Bigip 连接需要的加密 username,password。通过 Neutron DB 中 lbaas_loadbalanceragentbindings, lbaas_devices 和 lbaas_device_members 中信息定位,如果 management IP 存在双栈,初步版本只支持 IPv4 management IP。\n4.\tAuditor 产生 Bash script 需要 keystone admin 角色调用lbaas rebuild 命令,admin rc 文件需要通过命令行提供。\n\n**检查有无的配置粒度包含以下资源(针对单机不在线,创建删除资源双机不一致状况):**\n\n\ntenant(partition), loadbalancer (vip),snatpool(pool 级别),selfip,vlan,route domain,route(gateway),listener(vs),pool,pool member,pool healthmonitor,l7rule (irule)。\n\n**主备 bigip 互比(属性配置)的粒度包含以下资源(针对单机不在线,mutable 可更改资源更新不一致的状况):**\n\n\nvirtual_address, snatpool, cookie_persistence, universal_persistence, sip_persistence, source_addr_persistence, http_profile, tcp_profile, http2_profile, client_ssl_profile, cipher_group, cipher_rule, bwc_policy, l7policy, http_monitor, https_monitor, tcp_monitor, ping_monitor, pool, member\n\n**运行命令:** \n\n\n`f5-agent-auditor --config-file /etc/neutron/neutron.conf --rcfile-path /root/pzhang/pzhang.rc --rebuild --nodebug`\n\n**主要输出:**\n\n\n1.\t审计结果有无和差异资源信息会输出在 /tmp 目录中。\n2.\tRebuild Bash 脚本会输出在 /tmp 目录中。\n3.\tRebuild Bash 脚本运行 log 会输出在 /tmp 目录中。\n4.\tAuditor 本身运行可以使用选择输出在屏幕或者文件中。\n\n**Auditor的审计文件记录内容:**\n\n\n1.\t有无: missing 和 unknown 文件。\n2.\t差异: diff 文件。\n\n**审计文件名称:missing_\u003cbigip-ip\u003e_\u003ctimestamp\u003e**\n\n\n用于记录Bigip 上缺失的 lbaas 配置和其关联的 loadbalancer。\n审计文件内容:\n\n```\n{\n \"\u003cagent-id\u003e\": {\n \"\u003cproject-id\u003e\": {\n \"\u003cmissing-resource-name\u003e\": [\n \"\u003cmissing-resource-related-loadbalancers\u003e\",\n \"\u003cmissing-resource-related-loadbalancers\u003e\",\n ...\n ]\n }\n},\n\t \"\u003cagent-id\u003e\": {\n \"\u003cproject-id\u003e\": {\n \"\u003cmissing-resource-name\u003e\": {\n \"\u003cmissing-resource-related-loadbalancers\u003e\",\n }\n }\n},\n…\n}\n```\n\t\n**Rebuild all Bash 脚本文件名称:rebuild_all_\u003ctimestamp\u003e.sh**\n\n\nBash 脚本用于 rebuild loadbalancer。\nRebuild all Bash 脚本文件内容:\n\n```\n#!/bin/bash\n\nwait_until_loadbalancer () {\n local LB=$1\n local EXPECTED_STATUS=$2\n local STATUS=\"unknown\"\n local timeout=60\n\n while [[ $STATUS != $EXPECTED_STATUS ]] \u0026\u0026 [[ $timeout -gt 0 ]] ; do\n STATUS=$(neutron lbaas-loadbalancer-show $LB | grep provisioning_status | awk '{ print $4 }')\n if [[ $STATUS == \"ERROR\" ]] ; then\n echo \"$(date): $LB is in $STATUS state.\"\n return 1\n fi\n if [[ $STATUS != $EXPECTED_STATUS ]] ; then\n sleep 1\n ((timeout=timeout-1))\n else\n echo \"$(date): $LB is in $STATUS state\"\n break\n fi\n done\n\n if [[ $timeout -lt 0 ]]; then\n echo \"$(date): $LB rebuild checking timeout\"\n fi\n}\n\nsource /root/pzhang/pzhang.rc\n\nlogfile=/tmp/rebuild_$(date +%Y%m%d_%H%M%S).log\n\nrm -rf $logfile\ntouch $logfile\n\n\n\n\nneutron lbaas-loadbalancer-rebuild --all f7183210-25b2-435f-893a-d0ce66069181\nwait_until_loadbalancer f7183210-25b2-435f-893a-d0ce66069181 ACTIVE \u003e\u003e $logfile\n\nrebuild all bash 运行后产生的 log 文件名称:rebuild_\u003ctimestamp\u003e.log\n记录 rebuild bash 脚本执行结果。\nrebuild all bash 运行后 log 内容:\nWed Dec 13 14:57:19 CST 2023: 616c92e2-12db-4327-8af7-fb223ade6e31 is in ACTIVE state\nWed Dec 13 14:57:36 CST 2023: 0171629c-2fab-4109-8da8-c65024c7ac24 is in ACTIVE state\nWed Dec 13 14:57:55 CST 2023: dac67cbf-c314-4500-9f81-b1ee4e13392c is in ACTIVE state\nWed Dec 13 14:58:20 CST 2023: b0e33fa5-3625-4140-9733-4b3544a1f543 is in ACTIVE state\n…\n```\n\n**审计文件名称:unknown_\u003cbigip-ip\u003e_\u003ctimestamp\u003e**\n\n\n记录 Bigip 上多于 lbaas 配置的脏数据。\n审计文件内容:\n\n```\n{\n \"Project_f00e925a7095432ca32ba528f2599b30\": {},\n \"Project_6fd06a50b7824ae48386565786e94b38\": {\n \"vlans\": [\n \"unknown\"\n ],\n \"gateways\": [\n \"tes\"\n ],\n \"rds\": [\n \"ttt\"\n ],\n \"selfips\": [\n \"disselfip\"\n ]\n }\n}\n```\n\n**审计文件名称:diff_\u003cactive-bigip-ip\u003e_\u003cbackup-bigip-ip\u003e_\u003ctimestamp\u003e**\n\n\n记录备机相对主机不一致的部分。\n审计文件内容:\n\n```\n{\n \"http2_profile\": {},\n \"http_monitor\": {},\n \"cipher_rule\": {},\n \"cookie_persistence\": {},\n \"l7policy\": {},\n \"snatpool\": {\n \"/Common/CORE_56137826-e1de-4e76-a67e-49e49a4cfa6a\": {\n \"active\": {\n \"kind\": \"tm:ltm:snatpool:snatpoolstate\",\n \"name\": \"CORE_56137826-e1de-4e76-a67e-49e49a4cfa6a\",\n \"generation\": 1,\n \"partition\": \"Common\",\n \"members\": [\n \"/Common/10.250.19.12%0\",\n \"/Common/10.250.19.21%0\",\n \"/Common/2005:db8:cafe:16::11%0\"\n ],\n \"membersReference\": [\n {\n \"link\": \"https://localhost/mgmt/tm/ltm/snat-translation/~Common~10.250.19.12%250?ver=15.1.10\"\n },\n {\n \"link\": \"https://localhost/mgmt/tm/ltm/snat-translation/~Common~10.250.19.21%250?ver=15.1.10\"\n },\n {\n \"link\": \"https://localhost/mgmt/tm/ltm/snat-translation/~Common~2005:db8:cafe:16::11%250?ver=15.1.10\"\n }\n ],\n \"fullPath\": \"/Common/CORE_56137826-e1de-4e76-a67e-49e49a4cfa6a\",\n \"selfLink\": \"https://localhost/mgmt/tm/ltm/snatpool/~Common~CORE_56137826-e1de-4e76-a67e-49e49a4cfa6a?ver=15.1.10\"\n },\n \"backup\": null\n }\n },\n \"virtual_address\": {},\n \"cipher_group\": {},\n \"http_profile\": {},\n \"ping_monitor\": {},\n \"source_addr_persistence\": {},\n \"tcp_monitor\": {},\n \"https_monitor\": {},\n \"bwc_policy\": {},\n \"tcp_profile\": {},\n \"client_ssl_profile\": {},\n \"sip_persistence\": {},\n \"pool\": {},\n \"universal_persistence\": {}\n …\n}\n```\n\n**Auditor使用方式**\n\n\n命令行:\t\n\n`f5-agent-auditor --config-file /etc/neutron/neutron.conf --rcfile-path /root/pzhang/pzhang.rc --rebuild --nodebug`\n\n* --config-file: 指定 neutron.conf 文件,主要是用了里面的 mysql connection配置。\n\n* --rcfile-path:指定admin 角色的 keystone RC 文件。\n\n* --rebuild:指定自动运行 rebuild bash 脚本。如果带此参数,会自动运行auditor 生成的rebuild 脚本。\n\n* --nodebug:命令行运行情况下可以选择不输出部分 debug log。\n\nRebuild all bash 脚本手工运行/自动运行:\n\n\nRebuild bash 脚本可以通过 参数指定自动运行。如果不指定 参数,则需要在 bash 脚本产生后,手动到 /tmp 目录下运行 bash \u003crebuild_all.sh\u003e 脚本。\n\n\n**命令行手动/自动运行**:\n\n\n可以手动运行 f5-agent-auditor 命令,也可以通过配置crontab 自动在某个时间运行f5-agent-auditor 命令。\n\n\n**执行和权限(包含自动化执行)**\n\n\nf5-agent-auditor: 需要用 linux root 或者 neutron linux user 级别的角色运行保障文件可执行,/tmp 文件可以读写 log,keystone admin rc file 可读,bash脚本可执行。\n\nRebuild all bash 脚本:如果手动运行需要 linux root 或者 openstack linux user 级别的角色,可执行 neutron rebuild 命令,可读 keystone admin rc file 和在/tmp 目录下读写权限。\n\n命令行中 refile-path 提供的 rc 配置:需要是 keystone admin 角色,需要可以执行各个 loadbalancer rebuild 级别的命令。 \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5networks%2Ff5-agent-auditor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ff5networks%2Ff5-agent-auditor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ff5networks%2Ff5-agent-auditor/lists"}