ansible-junos-stdlib

juniper_junos_config does not work with bastion configuration

Open btiquet opened this issue 4 years ago • 1 comments

Issue Type

- Bug Report

Module Name

juniper_junos_config

Pip Freeze

#pip freeze
ansible==2.8.4
asn1crypto==0.24.0
astroid==1.4.8
backports.functools-lru-cache==1.2.1
backports.shutil-get-terminal-size==1.0.0
bcrypt==3.1.7
certifi==2019.6.16
cffi==1.12.3
chardet==3.0.4
configparser==3.5.0
cryptography==2.7
decorator==4.0.11
enum34==1.1.6
flake8==3.0.4
idna==2.7
ipaddress==1.0.22
ipython==5.4.1
ipython-genutils==0.2.0
isort==4.2.5
Jinja2==2.10.1
junos-eznc==2.2.1
jxmlease==1.0.1
lazy-object-proxy==1.2.2
lxml==4.4.1
MarkupSafe==1.1.1
mccabe==0.5.2
ncclient==0.6.6
netaddr==0.7.19
paramiko==2.6.0
pathlib2==2.3.0
pep8==1.7.0
pexpect==4.2.1
pickleshare==0.7.4
prompt-toolkit==1.0.14
ptyprocess==0.5.2
pycodestyle==2.0.0
pycparser==2.19
pyflakes==1.3.0
Pygments==2.2.0
pylint==1.6.4
PyNaCl==1.3.0
pyserial==3.4
PyYAML==5.1.2
requests==2.20.0
scandir==1.5
scp==0.13.2
selectors2==2.0.1
simplegeneric==0.8.1
six==1.10.0
traitlets==4.3.2
update-service-ip-route-client==0.1.1
urllib3==1.24.3
wcwidth==0.1.7
wrapt==1.10.8
xmltodict==0.12.0

Ansible Roles Version

  • Juniper.junos, 2.1.0

OS / Environment

Red Hat Enterprise Linux Server release 7.4 (Maipo)

Junos Version

JUNOS 14.1X53-D45.3

Summary

On my network, the connections to the network and security devices are allowed through a bastion. The module juniper_junos_config does not establish the connection through the bastion. The connection is executed from the local server.

Steps to reproduce:

####inventory file

[all:vars]
ansible_python_interpreter: '~/conda/envs/py2-env/bin/python'
ansible_network_os: 'junos'
ansible_connection: 'netconf'
ansible_netconf_ssh_config: '/home/myuser/.ssh/through_bastion_config'

[qfx]
qfx1

####/.ssh/through_bastion_config file:

Host *
    ProxyCommand ssh -W %h:%p bastion.mycompany.xx

####playbook file:

- name: load set config file
  hosts:
    - all
  roles:
    - Juniper.junos
  gather_facts: no

  vars_prompt:
    - name: config_file
      prompt: config file
      private: no

  tasks:
    - name: load configuration from files
      juniper_junos_config:
        lines:
          - set system root-authentication encrypted-password "$5$sQvDYTSP$HBBaRItgMXi7rwOEpRYnr.0FPAJvDOqNEuW8wDYQ6H7"
      register: response
    - name: Print response
      debug:
        var: response

Behaviour

When running the playbook, the connection failed because the connection is not allowed from the ansible server. To illustrate this, allow the connection to the device from the bastion AND the ansible server and then monitor the connection on your device:

qfx1# monitor start /var/log/interactive-commands
[email protected]>
Sep 4 18:10:46 qfx1 mgd[90525]: UI_AUTH_EVENT: Authenticated user 'myuser' at permission level 'j-admin'
Sep 4 18:10:46 qfx1 mgd[90525]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90525], ssh-connection 'bastion_ip 34558 a.b.c.d 830', client-mode 'cli'
Sep 4 18:10:46 qfx1 mgd[90525]: UI_CMDLINE_READ_LINE: User 'myuser', command 'xml-mode netconf need-trailer '
Sep 4 18:10:46 qfx1 mgd[90525]: UI_LOGOUT_EVENT: User 'myuser' logout
Sep 4 18:10:48 qfx1 file[90524]: UI_AUTH_EVENT: Authenticated user 'myuser' at permission level 'j-admin'
Sep 4 18:10:48 qfx1 file[90524]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90524], ssh-connection 'bastion_ip 34558 a.b.c.d 830', client-mode 'netconf'
Sep 4 18:10:49 qfx1 mgd[90530]: UI_AUTH_EVENT: Authenticated user 'myuser' at permission level 'j-admin'
Sep 4 18:10:49 qfx1 mgd[90530]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90530], ssh-connection 'ansible_server_ip 49488 a.b.c.d 830', client-mode 'cli'
Sep 4 18:10:49 qfx1 mgd[90530]: UI_CMDLINE_READ_LINE: User 'myuser', command 'xml-mode netconf need-trailer '
Sep 4 18:10:49 qfx1 mgd[90530]: UI_LOGOUT_EVENT: User 'myuser' logout
Sep 4 18:10:51 qfx1 file[90529]: UI_AUTH_EVENT: Authenticated user 'myuser' at permission level 'j-admin'
Sep 4 18:10:51 qfx1 file[90529]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90529], ssh-connection 'ansible_server_ip 49488 a.b.c.d 830', client-mode 'netconf'
Sep 4 18:10:51 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'lock-configuration'
Sep 4 18:10:51 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'commit-configuration check'
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT: User 'myuser' requested 'commit' operation (comment: none)
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: start loading commit script changes
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: no commit script changes
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: no transient commit script changes
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished loading commit script changes
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: copying juniper.db to juniper.data+
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished copying juniper.db to juniper.data+
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: exporting juniper.conf
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding interface-ranges
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding interface-ranges
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding groups
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding groups
Sep 4 18:10:51 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: setup foreign files
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: update license counters
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finish license counters
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: propagating foreign files
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: complete foreign files
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90534, status 0
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90534, status 0
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: daemons checking new configuration
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90543, status 0
Sep 4 18:10:52 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90543, status 0
Sep 4 18:10:52 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Alarm control process', pid 1348, signal 30, status 0 with notification errors enabled
Sep 4 18:10:52 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'get-configuration compare="rollback" rollback="0" format="text"'
Sep 4 18:10:53 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'commit-configuration'
Sep 4 18:10:53 qfx1 file[90529]: UI_COMMIT: User 'myuser' requested 'commit' operation (comment: none)
Sep 4 18:10:53 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: updating commit revision
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: start loading commit script changes
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: no commit script changes
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: no transient commit script changes
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished loading commit script changes
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: copying juniper.db to juniper.data+
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished copying juniper.db to juniper.data+
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: exporting juniper.conf
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding interface-ranges
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding interface-ranges
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: expanding groups
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finished expanding groups
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: setup foreign files
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: update license counters
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finish license counters
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: propagating foreign files
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: complete foreign files
Sep 4 18:10:54 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: dropping unchanged foreign files
Sep 4 18:10:54 qfx1 file[90529]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90549, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90549, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: daemons checking new configuration
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90558, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90558, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: commit wrapup...
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: start ffp activate
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_START: Starting child '/usr/sbin/ffp'
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90559, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_CHILD_STATUS: Cleanup child '/usr/sbin/ffp', PID 90559, status 0
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam.conf'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam_radius.conf'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/pam_tacplus.conf'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/issue'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/etc/certs'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: executing foreign_commands
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: not executing ui_commit in rc.ui
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: finish ffp activate
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: copying configuration to juniper.save
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: db_check_constraint_ids_clear start
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: db_check_constraint_ids_clear done
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: db_groups_info_clear start
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: db_groups_info_clear done
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: activating '/var/run/db/juniper.data'
Sep 4 18:10:55 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: Rotate backup configs
Sep 4 18:10:56 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Simple Network Management Protocol process', pid 1353, signal 31, status 0 with notification errors enabled
Sep 4 18:10:56 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: notifying daemons of new configuration
Sep 4 18:10:56 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: commit complete
Sep 4 18:10:56 qfx1 file[90529]: UI_COMMIT_COMPLETED: commit complete
Sep 4 18:10:56 qfx1 file[90529]: UI_COMMIT_PROGRESS: Commit operation in progress: signaling 'Alarm control process', pid 1348, signal 30, status 0 with notification errors enabled
Sep 4 18:10:56 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'unlock-configuration'
Sep 4 18:10:56 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'close-session'
Sep 4 18:10:56 qfx1 file[90529]: UI_LOGOUT_EVENT: User 'myuser' logout
Sep 4 18:10:57 qfx1 file[90524]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'close-session'
Sep 4 18:10:57 qfx1 file[90524]: UI_LOGOUT_EVENT: User 'myuser' logout

btiquet, Sep 04 '19 16:09
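A detection check built on the log format above, as an added example that is not part of the original issue: it correlates UI_LOGIN_EVENT and UI_NETCONF_CMD entries by process ID and reports sessions whose SSH source is not an allowed bastion, together with the NETCONF commands they ran. The function name, the sample log lines and the addresses are constructed for illustration.

```python
import re

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s\w+\[(?P<pid>\d+)\]:\s"
                  r"(?P<tag>UI_\w+):\s(?P<msg>.*)$")
LOGIN = re.compile(r"User '(?P<user>[^']+)' login, .*ssh-connection "
                   r"'(?P<src>\S+) \d+ \S+ \d+', client-mode '(?P<mode>[^']+)'")
CMD = re.compile(r"run command '(?P<cmd>.*)'$")

# Constructed sample in the format of the log above; addresses are
# documentation-range placeholders (192.0.2.10 stands in for the bastion).
SAMPLE_LOG = """\
Sep 4 18:10:48 qfx1 file[90524]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90524], ssh-connection '192.0.2.10 34558 198.51.100.1 830', client-mode 'netconf'
Sep 4 18:10:49 qfx1 mgd[90530]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90530], ssh-connection '203.0.113.5 49488 198.51.100.1 830', client-mode 'cli'
Sep 4 18:10:49 qfx1 mgd[90530]: UI_LOGOUT_EVENT: User 'myuser' logout
Sep 4 18:10:51 qfx1 file[90529]: UI_LOGIN_EVENT: User 'myuser' login, class 'j-admin' [90529], ssh-connection '203.0.113.5 49488 198.51.100.1 830', client-mode 'netconf'
Sep 4 18:10:51 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'lock-configuration'
Sep 4 18:10:53 qfx1 file[90529]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'commit-configuration'
Sep 4 18:10:56 qfx1 file[90529]: UI_LOGOUT_EVENT: User 'myuser' logout
Sep 4 18:10:57 qfx1 file[90524]: UI_NETCONF_CMD: User 'myuser' used NETCONF client to run command 'close-session'
"""

def sessions_bypassing_bastion(log_text, bastions):
    """Return login sessions whose SSH source is not an allowed bastion,
    each with the NETCONF commands later logged under the same process ID."""
    active, flagged = {}, []          # active: pid -> flagged record or None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, tag, msg = m["pid"], m["tag"], m["msg"]
        if tag == "UI_LOGIN_EVENT":
            login = LOGIN.search(msg)
            if not login:
                continue              # login without an ssh-connection field
            rec = None
            if login["src"] not in bastions:
                rec = {"pid": pid, "user": login["user"], "src": login["src"],
                       "mode": login["mode"], "since": m["ts"], "commands": []}
                flagged.append(rec)
            active[pid] = rec         # a reused PID starts a fresh session
        elif tag == "UI_NETCONF_CMD" and active.get(pid):
            cmd = CMD.search(msg)
            if cmd:
                active[pid]["commands"].append(cmd["cmd"])
        elif tag == "UI_LOGOUT_EVENT":
            active.pop(pid, None)
    return flagged

if __name__ == "__main__":
    for s in sessions_bypassing_bastion(SAMPLE_LOG, {"192.0.2.10"}):
        print(s["since"], s["user"], s["src"], s["mode"], s["commands"])
```

Run against a device's interactive-commands log with the real bastion addresses in the allow-list, any returned session is a management login that did not traverse the bastion.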

@btiquet This requires an enhancement directly in PyEZ. In the above-described case, PyEZ is not reading the ssh config file in its entirety, i.e. the ProxyCommand part is never read.

There is already an issue in PyEZ tracking this: https://github.com/Juniper/py-junos-eznc/pull/920, https://github.com/Juniper/py-junos-eznc/pull/648

rsmekala, Jan 16 '20 08:01