Marek Skrobacki

F5 BigIP - how to create persistent local account?

If you create a local username on the F5 BigIP box, it is going to be there only for some time. Unfortunately due to poor design decisions each non-standard account is wiped if you: * reboot the device * execute ConfigSync in High Availability deployments.

This is really bad, but what can you do?

I have done some digging through scripts on the BigIP and it looks like local usernames are listed in the default templates. First of all, I came across /etc/confpp.dat file. This file is a source of information whern the device is initialized after the reboot. By default /etc/confpp.dat contains following line: unix_config_localusers.replace.localonlyusers LT_STRING_LIST “{root} {admin}”

In order to create a username that persists across reboots, follow normal local user setup process and once you are done, change confpp.dat by adding your username at the end of line

unix_config_localusers.replace.localonlyusers LT_STRING_LIST "{root} {admin} {newuser}"

On top of that, you will need to modify /config/bigip/auth/localusers file by adding your username at the last line.

While this is all you have to do for non-redundant deployments, it’s not enough for HA. As soon as you perform ConfigSync from other box, local username will get wiped. That is certainly bad news, but there is way around it.

Same as before, you have to modify another file - /usr/share/defaults/config_base.conf. Below command is going to take care of this for you:

mount -o remount,rw /usr
sed -i 's/localusers { \(.*\) }/localusers { \1 yourusername }/' /usr/share/defaults/config_base.conf
mount -o remount,ro /usr

As you may have noticed, both of those commands are actually modifying filesystem so if you upgrade or move to other partition, remember to execute it again.