community.network
ICX connection/elevation fails due to different password prompt
SUMMARY
My ICX switches currently have a configuration setting aaa authentication enable default enable, which changes the enable prompt. Removing the configuration entry fixes the issue, but would be nice if the module handled both 'Password:' and 'Enable Password' prompts.
ISSUE TYPE
- Bug Report
COMPONENT NAME
All icx_ modules
ANSIBLE VERSION
ansible [core 2.13.3]
config file = /usr/local/foo/ansible/ansible.cfg
configured module search path = ['/home/foo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/local/foo/ansible/lib/python3.8/site-packages/ansible
ansible collection location = /usr/local/foo/ansible/collections
executable location = /usr/local/foo/ansible/bin/ansible
python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
jinja version = 3.1.2
libyaml = True
COLLECTION VERSION
# /usr/local/foo/ansible/lib/python3.8/site-packages/ansible_collections
Collection Version
----------------- -------
community.network 4.0.1
# /usr/local/foo/ansible/collections/ansible_collections
Collection Version
----------------- -------
community.network 5.0.0
CONFIGURATION
ANSIBLE_NOCOWS(/usr/local/foo/ansible/ansible.cfg) = True
COLLECTIONS_PATHS(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/collections']
DEFAULT_DEBUG(env: ANSIBLE_DEBUG) = False
DEFAULT_HOST_LIST(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/hosts']
DEFAULT_KEEP_REMOTE_FILES(env: ANSIBLE_KEEP_REMOTE_FILES) = False
DEFAULT_LOG_PATH(env: ANSIBLE_LOG_PATH) = /home/foo/ansible.log
DEFAULT_REMOTE_USER(/usr/local/foo/ansible/ansible.cfg) = ansdeploy
DEFAULT_ROLES_PATH(/usr/local/foo/ansible/ansible.cfg) = ['/usr/local/foo/ansible/roles']
HOST_KEY_CHECKING(/usr/local/foo/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/usr/local/foo/ansible/ansible.cfg) = auto
OS / ENVIRONMENT
Ruckus ICX switches running OS 08.0.95bcT211
STEPS TO REPRODUCE
Ruckus config contains:
aaa authentication enable default enable
aaa authentication login default local
enable super-user-password .....
username foo password .....
Ansible playbook configured with:
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: community.network.icx
ansible_user: foo
ansible_password: #####
ansible_become: yes
ansible_become_method: enable
ansible_become_password: #####
- name: Gather facts
  community.network.icx_facts:
    gather_subset: all
Running the above times out. I had one switch configured slightly differently which worked. Eventually found that with the configuration line to use the enable password (1st line) present, the prompt for the password was different (this may also be the case if other authentication options are chosen):
# Without the aaa authentication enable default enable
(ansible) foo@titan:~/ansible$ ssh [email protected]
Password:
SSH@test>ena
Password:
SSH@test#
# With the aaa authentication enable default enable
(ansible) foo@titan:~/ansible$ ssh [email protected]
Password:
SSH@test>ena
Enable Password:
EXPECTED RESULTS
To run the task
ACTUAL RESULTS
To timeout and not run the task
It may be that the Ruckus configuration is superfluous - certainly without the line it still authenticates with the user password and accepts the specific enable password to go into enable mode.
@sjwk hello, thanks for reporting the issue!
@Commscope @sushma-alethea as you mentioned as its maintainers, would you like to take a look?
If anyone else wants to fix it, here's the Quick-start dev guide that can help. Stuff in this collection needs more maintainers, so if you're interested, feel free to pick things up! We'd be happy to assist along the way.
When I have some time I will look into the dev guide, never actually submitted any PRs before and don't have an environment set up, but something I'd be interested in learning.
In the meantime, I've located where the issue is, and worked around it - although my 'fix' is more of a kludge and doesn't scale well, so I'll look at some other network modules and see if they have a better model.
In community/network/plugins/terminal/icx.py
I found the regexp used to match the password prompt, originally:
cmd[u'prompt'] = to_text(r"[\r\n](?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict')
and updated it to:
cmd[u'prompt'] = to_text(r"[\r\n](?:Enable )?(?:Local_)?[Pp]assword: ?$", errors='surrogate_or_strict')
It seems to work in my test case, but doesn't seem the most efficient way to do it, and if other settings require different password prompts, wouldn't scale well to keep adding more options to the password prompt expression.
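Added example, not part of the thread or of the collection's code: it runs the two expressions quoted above against constructed buffers modelled on the SSH sessions in the report, and shows one table-driven way to build the pattern. `KNOWN_PREFIXES`, `build_prompt_pattern` and the sample buffers are assumptions made for illustration. The pattern stays anchored to a line start and the end of the buffer, since a match is what triggers sending the enable password.

```python
import re

# The two expressions quoted in the comment above (terminal/icx.py).
ORIGINAL = r"[\r\n](?:Local_)?[Pp]assword: ?$"
UPDATED = r"[\r\n](?:Enable )?(?:Local_)?[Pp]assword: ?$"

# Hypothetical table: prefixes seen before "Password:" on this page.
KNOWN_PREFIXES = ["Enable ", "Local_"]


def build_prompt_pattern(prefixes):
    """Build one anchored pattern that accepts at most one known prefix."""
    alternatives = "|".join(re.escape(p) for p in prefixes)
    return r"[\r\n](?:%s)?[Pp]assword: ?$" % alternatives


# Constructed receive buffers, not captured device output.
SAMPLES = {
    # enable prompt without "aaa authentication enable default enable"
    "plain": "SSH@test>ena\r\nPassword:",
    # enable prompt with that line configured
    "aaa_enable": "SSH@test>ena\r\nEnable Password:",
    # the word "password" inside command output, back at the CLI prompt
    "mid_line": "SSH@test>show run\r\nenable super-user-password .....\r\nSSH@test>",
    # "password:" in the middle of a line (constructed banner text)
    "banner": "\r\nYour password: will expire soon\r\nSSH@test>",
}


def matches(pattern, buffer):
    """True when the buffer currently ends in a password prompt."""
    return re.search(pattern, buffer) is not None


def classify(pattern):
    """Map each sample name to whether the pattern treats it as a prompt."""
    return {name: matches(pattern, buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL), ("updated", UPDATED),
                           ("table", build_prompt_pattern(KNOWN_PREFIXES))):
        print(label, classify(pattern))
```

The original expression misses only the `Enable Password:` buffer, which is the timeout in the report; the updated and table-built expressions match both prompts and neither matches the two non-prompt buffers.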
cool, thanks for your interest! i'm not a network engineer and not a spec in the underlying technology used by the modules but i can help with general contribution related stuff. Feel free to ask any questions (fyi i won't be available from tomorrow until next Wednesday/Thursday, i'll reply after that).