f5-appsvcs-extension
f5-appsvcs-extension copied to clipboard
F5Networks
unable to delete AS3 tenant because of irule dependency issue. Continuation of #699 and #602.
Environment
- Application Services Version: 3.53.0
- BIG-IP Version: 17.1.1.3
Summary
This issue has been raised in #602 and #699.
When declaring a configuration where one iRule references another iRule (using call command), a race condition happens where you cannot delete the tenant because AS3/TMOS tries to delete the library iRule first- which is invalid and causes a TMOS exception.
AS3 treats all iRules equal when it comes to deletion, so sometimes it will try to delete a library iRule before an iRule that references it. It would be great to have a way to signal to AS3 an iRule that should be deleted last (add schema "isLibrary": true or something) so that a TMOS exception does not occur.
Steps To Reproduce
Steps to reproduce the behavior:
Replicating the issue can be tricky. Something causes TMOS to start deleting library_irule before example_irule which causes the exception. Sometimes on a fresh AS3 install, first repro attempt AS3/TMOS happens to delete example_irule before library_irule which is the required order of operations to avoid the TMOS exception.
I found if I declare iRule library first, then add the rest, it makes it more reliable to quickly repro.
- Submit the following declaration:
{
"class": "AS3",
"action": "deploy",
"persist": true,
"loglevel": "debug",
"declaration": {
"class": "ADC",
"schemaVersion": "3.30.0",
"id": "123abc",
"Common": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"library_irule": {
"class": "iRule",
"iRule": {
"text": "proc do_nothing {}"
}
}
}
}
}
}
Should be successful.
- Submit the following declaration:
{
"class": "AS3",
"action": "deploy",
"persist": true,
"loglevel": "debug",
"declaration": {
"class": "ADC",
"schemaVersion": "3.30.0",
"id": "123abc",
"Common": {
"class": "Tenant",
"Shared": {
"class": "Application",
"template": "shared",
"example_service": {
"class": "Service_HTTP",
"virtualAddresses": [
"1.1.1.1"
],
"iRules": [
"example_irule"
]
},
"example_irule": {
"class": "iRule",
"iRule": {
"text": "when HTTP_REQUEST {\n set nothing [call library_irule::do_nothing]\n}"
}
},
"library_irule": {
"class": "iRule",
"iRule": {
"text": "proc do_nothing {}"
}
}
}
}
}
}
Should be successful.
- try deleting the tenant:
curl -u <bigip username> -X DELETE https://<bigip mgmt ip>/mgmt/shared/appsvcs/declare/example_tenant
- AS3 Response:
{
"results": [
{
"code": 200,
"message": "success",
"lineCount": 16,
"host": "localhost",
"tenant": "Common",
"runTime": 4120,
"declarationId": "1732204758704"
},
{
"code": 422,
"message": "declaration failed",
"response": "01070265:3: The rule (/Common/Shared/library_irule) cannot be deleted because it is in use by a rule (/Common/Shared/example_irule).",
"host": "localhost",
"tenant": "Common",
"runTime": 3633,
"declarationId": "1732204758704"
}
]
}
Expected Behavior
Would expect AS3 to delete the tenant.
Actual Behavior
AS3 fails to delete the tenant because it tries to delete library_irule before example_irule which is not a valid order of operations. It would be great to have a way to signal to AS3 an iRule that should be deleted last so that a TMOS exception does not occur.
