Balanced

Brain dump for at least semi-good ideas

Troubleshooting IPMI pollers in Observium

Getting temperature readings from your ESXi host in Observium

It always irked me that I was not able to read the temperature of my ESXi host. Lately I renovated a storage space underneath my stairs and moved all my infrastructure to it. Since there is a lot of equipment in the same place, and it could probably get really hot unless I calibrate my fans accordingly, I decided to give it one more try.

This time I succeeded, and here’s how to do it.

This guide probably works at least partly for LibreNMS too.

Installing ipmitool

First things first. Make sure that you have ipmitool installed, otherwise install it:

apt-get install ipmitool

Create a user via your IPMI web interface

Verify that you have a user set up with the correct permissions (“User” was enough in my case).

Test the IPMI interface with ipmitool

Then you can test the connection to your IPMI interface with the following command:

ipmitool -H 192.168.1.50 -L USER -U myuser -P mypassword -I lanplus sdr elist full

This lists the sensors of your chassis, connecting over the IPMI v2.0 RMCP+ LAN interface (-I lanplus).

If this does not work, verify that the port of your IPMI API is 623 (UDP). You can also try a different interface from the following list:

Interfaces:
        open          Linux OpenIPMI Interface [default]
        imb           Intel IMB Interface
        lan           IPMI v1.5 LAN Interface
        lanplus       IPMI v2.0 RMCP+ LAN Interface
        free          FreeIPMI IPMI Interface
        serial-terminal  Serial Interface, Terminal Mode
        serial-basic  Serial Interface, Basic Mode
        usb           IPMI USB Interface(OEM Interface for AMI Devices)
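An added example, not from the original post: once the test command works, the sketch below runs the same query with -E, which makes ipmitool read the password from the IPMI_PASSWORD environment variable instead of taking it on the command line with -P, and pulls the temperature readings out of the sensor listing. The function names are hypothetical and the sensor lines are a constructed sample, not output from a real BMC.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Constructed sample of `ipmitool ... sdr elist full` output; not from a real BMC.
SAMPLE_SDR='CPU Temp         | 01h | ok  |  3.1 | 45 degrees C
System Temp      | 0Bh | ok  |  7.1 | 31 degrees C
Peripheral Temp  | 0Ch | ok  |  7.2 | 38 degrees C
FAN1             | 41h | ok  | 29.1 | 1200 RPM
FAN2             | 42h | ns  | 29.2 | No Reading
Vcpu             | 21h | ok  |  3.1 | 1.81 Volts'

# Live query against the BMC. -E makes ipmitool read the password from the
# IPMI_PASSWORD environment variable, so it is not typed on the command line.
# -p 623 spells out the default IPMI UDP port.
query_bmc() {   # usage: IPMI_PASSWORD=... query_bmc HOST USER
    ipmitool -H "$1" -p 623 -L USER -U "$2" -E -I lanplus sdr elist full
}

# Print "name=reading" for each temperature sensor on stdin.
# Sensors without a value ("No Reading") and non-temperature rows are skipped.
temps() {
    awk -F'|' '$5 ~ /degrees C/ {
        name = $1; sub(/[ \t]+$/, "", name)
        split($5, r, " ")                 # r[1] is the numeric reading
        print name "=" r[1]
    }'
}

# Same, but only sensors reading above LIMIT degrees C.
temps_over() {  # usage: ... | temps_over LIMIT
    temps | awk -F'=' -v limit="$1" '$2 + 0 > limit + 0'
}

# Run against the constructed sample; pipe `query_bmc host user` in for real data.
printf '%s\n' "$SAMPLE_SDR" | temps_over 35
```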

Configuring Observium

Navigate to your ESXi server in Observium, click on the settings button, and then “Properties”. Here, go to IPMI and enter the settings used above.

Troubleshooting Observium

In case you still do not get temperature readings in Observium there is one more trick that you can try.

/opt/observium/poller.php -d -h 192.168.1.50 -m ipmi

This command will show you exactly which command Observium is using. Compare it with your successful attempt from the steps above and adjust the settings accordingly.

TL;DR

My mistake was that the IPMI “API interface” does not necessarily listen on the same port as the web interface. In my case it was listening on port 623 (UDP).

What was yours?

Using F5 REST API with roles

I recently learned that with version 12 comes the possibility to use roles with the REST API, but only when using token-based authentication.

That’s fantastic! Finally there is a secure way of using the REST API without handing over administrative access.

Adding an example in PowerShell and a link to an article on DevCentral about how to do it in Python.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
	
$User = "myGuestUser"
$Password = "password"
	
#Create the string that is converted to Base64
$pair = $user + ":" + $Password

#Encode the string to base64
$encodedCreds = [System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes($pair))

#Add the "Basic prefix"
$basicAuthValue = "Basic $encodedCreds"

#Prepare the headers
$headers = @{
	"Authorization" = $basicAuthValue
	"Content-Type" = "application/json"
}

#Create the body of the post
$body = @{"username" = $User; "password" = $Password; "loginProviderName" = "tmos" }

#Convert the body to Json
$body = $Body | ConvertTo-Json

#Request the token from the same host that the later calls go to
$response = Invoke-WebRequest -Method "POST" -Headers $headers -Body $body -Uri "https://myltm.domain.local/mgmt/shared/authn/login"

#Extract the token from the response
$token = ($response.content | ConvertFrom-Json).Token.token

#Prepare a dictionary with the token
$headers = @{
	"X-F5-Auth-Token" = $token;
}

#Get a list of the ssl profiles of the box
$Response = Invoke-WebRequest -Method "GET" -Headers $headers -Uri "https://myltm.domain.local/mgmt/tm/ltm/profile/client-ssl"
$Profiles = ($response.Content | ConvertFrom-Json).items

Updating with code from the PowerShell guru Joel Newton on how to patch the token to make it valid for up to 10 hours instead of the default 20 minutes:

#####
#Setup
$LTMName = 'myltm'
$SecPswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
$Credentials = New-Object System.Management.Automation.PSCredential "username", $SecPswd

$AuthURL = "https://$LTMName/mgmt/shared/authn/login"
$JSONBody = @{username = $Credentials.username; password=$Credentials.GetNetworkCredential().password; loginProviderName='tmos'} | ConvertTo-Json
$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession

#Request the token
$Result = Invoke-RestMethod -Method POST -Uri $AuthURL -Body $JSONBody -Credential $Credentials -ContentType 'application/json'
$Token = $Result.token.token
#Add the token to our session
$session.Headers.Add('X-F5-Auth-Token', $Token)

#A UUID is returned by LTM v11.6. This is needed for modifying the token.
#For v12+, the name value is used.
if ($Result.token.uuid){
    $TokenReference = $Result.token.uuid;
} else {
    $TokenReference = $Result.token.name;
}

#If we want the token to be valid for a length other than the default of 20 minutes, this is how we modify it
#NB: Max value is 36000 seconds (10 hours)
#Let's set it to 1 hour
$TokenLifespan = 3600
$Body = @{ timeout = $TokenLifespan } | ConvertTo-Json
$Headers = @{
'X-F5-Auth-Token' = $Token
}

Invoke-RestMethod -Method Patch -Uri "https://$LTMName/mgmt/shared/authz/tokens/$TokenReference" -Headers $Headers -Body $Body -WebSession $session | Out-Null

# Add token expiration time to session
$ts = New-TimeSpan -Minutes ($TokenLifespan/60)
$date = Get-Date -Date $Result.token.startTime
$ExpirationTime = $date + $ts
$session.Headers.Add('Token-Expiration', $ExpirationTime)

I also recommend checking out Joel’s PowerShell module on the DevCentral codeshare!

Synergy effect of running BigIPReport

This could be useful depending on your environment. BigIPReport lets you find things, but it can only go so far.

If you want to do more advanced searches, you can use the built-in functions in PowerShell to convert JSON into objects. The beauty of PowerShell objects is that you can easily run queries against them.

Attaching a few examples to get you going:

#Create new webclient object
$WebClient = New-Object System.Net.WebClient
#Enable integrated authentication
$WebClient.UseDefaultCredentials = $true
#Get the json objects
$Virtualservers = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/virtualservers.json")) | ConvertFrom-Json
$rules = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/irules.json")) | ConvertFrom-Json
$pools = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/pools.json")) | ConvertFrom-Json
$monitors = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/monitors.json")) | ConvertFrom-Json

#The data group lists can be a pain to convert if you have entries that are identical except for letter case. If that's the case you need to replace the duplicates before using ConvertFrom-Json
$datagrouplists = ($WebClient.DownloadString("https://bigipreport.mydomain.local/json/datagrouplists.json")) | ConvertFrom-Json
  
#Get the virtual servers that have a specific rule
$Virtualservers | Where-Object { $_.irules -contains "/Mypartition/rulename" } | select name
 
#Find all monitors with dk in the name and no receive string. Show columns name, interval and load balancer
$monitors | Where-Object { $_.name.contains("dk") -and $_.receivestring -eq "" } |  select name, interval, loadbalancer

 

BigipReport 4.2.0

Now with virtual server details and some bug fixes. Please note that you must update your config file too (or add the irules section added in the latest version).

Since DevCentral is broken I’m posting an update here instead.

Setting up F5 APM with Google Authenticator

Setting up a secure VPN is easier than you might think. With F5 APM and Google Authenticator you’ll be up and running soon.

There is an article on DevCentral doing this but I thought it could be a bit simpler so I wrote my own. Tested on version 12 but should be more or less applicable to version 11 as well. Please let me know if there are any differences and I’ll update the article.

Tampermonkey – F5 Case creation

Old script does not work anymore since F5 changed their support portal. New script is available here.

Bigip Report installation instructions

New and better instructions for Bigip report can be found here.

 

VMware server home lab

This post will hopefully help anyone wanting a decent home lab and avoid some of the pitfalls.

Helping headers

Since we rely so heavily on the load balancers to handle part of the application logic, the line between application servers and network equipment is blurred. URIs and headers may change, and pools might be chosen depending on many different factors.

To add some transparency here I would recommend using the load balancer to give the users of your company additional information if they need it.

Purging Limelight CDN items with Powershell

Taking care of the CDN can be a hassle sometimes. Unless you implement the perfect system with unique keys for every item update you will need to purge content once in a while.

We asked for some guidance from Limelight but they did not have any example for PowerShell themselves so I had to translate the existing one from Perl. The hardest part was the authentication and getting the hash right, but with some help from the nice people at Stack Overflow it worked out in the end.

Kudos also to Limelight for having a good API documentation.

As always, if you improve it then please share it.

Contributions are always appreciated!
