ICX "Invalid input -> skip"
SUMMARY
The ICX community module fails and spits out an invalid ICX command result "Invalid input -> skip". The reason is that the ICX module assumes its starting privilege level is enable, however on many of our switches, the starting level is 5 "read-only." 'skip' is not a valid command for level 5 and the module needs to first elevate.
ISSUE TYPE
- Bug Report
COMPONENT NAME
community.network.icx_config
ANSIBLE VERSION
```
ansible [core 2.14.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/ve39/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /root/ve39/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/root/ve39/bin/python3)
  jinja version = 3.1.2
  libyaml = True
```
CONFIGURATION
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT
Debian 11 Bullseye
Switch: Ruckus ICX7150-24-POE running SW 08.0.95dT211
STEPS TO REPRODUCE
- Reset switch using
erase system factory-default
- Login using ssh
- Change password as requested
- Place this new password in hosts file as var ansible_password
- SSH into switch
- Confirm the default privilege level is Read-Only (prompt ends with ">" not "#")
- (This bug does not occur on switches where privilege level starts elevated)
- Run playbook below
```yaml
---
- hosts: all
  connection: network_cli
  gather_facts: false
  vars:
    ansible_network_os: icx
  tasks:
    - name: Set Dummy Location
      community.network.icx_config:
        lines:
          - snmp-server location "Earth"
        save_when: modified
```
EXPECTED RESULTS
Ansible runs to completion and snmp-location is set to Earth.
ACTUAL RESULTS
The full traceback is:
```
  File "/tmp/ansible_community.network.icx_config_payload_d4wpz2h6/ansible_community.network.icx_config_payload.zip/ansible_collections/community/network/plugins/module_utils/network/icx/icx.py", line 34, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/tmp/ansible_community.network.icx_config_payload_d4wpz2h6/ansible_community.network.icx_config_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [10.253.2.30]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "after": null,
            "backup": false,
            "before": null,
            "defaults": false,
            "diff_against": null,
            "diff_ignore_lines": null,
            "intended_config": null,
            "lines": [
                "snmp-server location \"Earth\""
            ],
            "match": "line",
            "multiline_delimiter": "@",
            "parents": null,
            "replace": "line",
            "running_config": null,
            "save_when": "modified",
            "src": null
        }
    },
    "msg": "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@ICX7150-24P Switch>"
}
```
PATCH DEMONSTRATION
- On your system, modify icx_config.py (https://github.com/ansible-collections/community.network/blob/main/plugins/modules/icx_config.py)
- Change line 364 to
```python
run_commands(module, ['enable', 'skip'])
```
- Run again on switch
- Success!
- However, if this modified icx_config.py is used on switches where the default privilege is elevated (4), the task will fail
I do not know enough about ansible internals, but this module needs to check privilege level upon connect before running elevated commands.
@computercolin hello, thanks for reporting the issue! Would you like to submit a patch yourself? If yes, here's the Quick-start guide
cc @Commscope @sushma-alethea
This issue also happens when using `icx_command` or `icx_config` and the CLI presents an error during configuration. Example: removing NTP servers.
```yaml
- name: Remove old NTP hosts
  community.network.icx_command:
    commands:
      - configure terminal
      - ntp
      - no server {{ item }}
      - end
  loop: "{{ ntp_deprecated_servers }}"
  when: ntp_deprecated_servers is defined
  register: _ntp
```
Unlike DNS or logging hosts, which seem to be stateful, these have to be configured using CLI. Since they are not stateful, we usually have to feed a static list (`ntp_deprecated_servers`). Sometimes a host may not be configured when I try to remove it. Other CLI commands, such as `no radius-host` or `no snmp-host`, fail gracefully. In the case of NTP, it presents an error:
```
Error: Cannot delete server/peer, the association entry is not present
```
This error causes the SSH connection to remain in the `config-ntp` context for all commands going forward. I tried to work around it with this, but no luck.
```yaml
- name: Escape from NTP config mode
  community.network.icx_command:
    commands:
      - end
  ignore_errors: "{{ icx_bypass_errors }}"
```
`skip` is not allowed in the `config-ntp` context:
```
TASK [icx-cleanup : Escape from NTP config mode] *******************************
fatal: [switch]: FAILED! => {"changed": false, "msg": "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@switch(config-ntp)#"}
```
I believe in this case, the proposed patch above would not work since it only addresses unauthenticated context, not sub-context where this is also broken.
The solution would have to understand what context it is in, in order to issue the correct commands. In the case of sub-contexts, it seems it should append an `end` command whether it succeeds or not when reusing the same SSH connection so that subsequent commands do not get stuck in the failed context.
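One way to make the module context-aware before it sends `skip`, covering both the read-only start prompt from the original report and the `config-ntp` sub-context described in this comment (an added example for this thread, not code from community.network or from Ruckus/CommScope). `classify_prompt`, `plan_skip`, `run_plan` and `FakeIcx` are this example's own names; the `[Pp]assword:` pattern for the enable prompt is an assumption, and the fake switch's behaviour beyond the prompts and error strings quoted in this issue is assumed as well:

```python
"""Prompt-aware 'skip' handling for a Ruckus ICX session (added example; not
community.network or Ruckus/CommScope code).  The module sends 'skip' assuming a
privileged exec prompt, but the session may start at read-only exec ('>') or be
left in a config sub-context such as '(config-ntp)#' after a CLI error.  FakeIcx
reproduces those two cases offline; its prompts and error strings come from the
issue, the rest of its behaviour is assumed."""
import re

# hostname, optional "(context)", then ">" (read-only) or "#" (privileged)
PROMPT_RE = re.compile(r"^(?P<host>[^\r\n(]+?)(?:\((?P<ctx>[^)]*)\))?(?P<mode>[>#])\s*$")


def classify_prompt(output):
    """Classify the session from the last line of CLI output.

    Returns 'exec_user' ('>'), 'exec_priv' ('#'), 'config' ('(config)#') or
    'config_sub' (any other '(...)#' context, e.g. '(config-ntp)#').
    """
    last = output.rstrip().splitlines()[-1]
    m = PROMPT_RE.match(last)
    if m is None:
        raise ValueError("unrecognised ICX prompt: %r" % last)
    if m.group("mode") == ">":
        return "exec_user"
    ctx = m.group("ctx")
    if ctx is None:
        return "exec_priv"
    return "config" if ctx == "config" else "config_sub"


def plan_skip(output, enable_password=None):
    """Return the commands that reach privileged exec and only then run 'skip'.

    Entries use the {command, prompt, answer} dict shape accepted by Ansible's
    cli_command / run_commands, so 'enable' can answer a password prompt.
    """
    state = classify_prompt(output)
    cmds = []
    if state == "exec_user":
        enable = {"command": "enable"}
        if enable_password is not None:
            enable.update(prompt=r"[Pp]assword:", answer=enable_password)
        cmds.append(enable)
    elif state in ("config", "config_sub"):
        cmds.append({"command": "end"})  # 'end' leaves any (sub-)context
    cmds.append({"command": "skip"})
    return cmds


class FakeIcx:
    """Minimal ICX CLI model (assumed behaviour) for exercising plan_skip offline."""

    def __init__(self, host="ICX7150-24P Switch", enable_password=None, ntp_servers=()):
        self.host, self.enable_password = host, enable_password
        self.priv, self.ctx = False, None       # ctx: None, 'config' or 'config-ntp'
        self.ntp_servers = set(ntp_servers)

    def prompt(self):
        ctx = "(%s)" % self.ctx if self.ctx else ""
        return "SSH@%s%s%s" % (self.host, ctx, "#" if self.priv else ">")

    def send(self, cmd):
        """Apply one command (string or {command, answer} dict); return the output."""
        answer = cmd.get("answer") if isinstance(cmd, dict) else None
        cmd = cmd["command"] if isinstance(cmd, dict) else cmd
        msgs = []
        if cmd == "enable":
            if self.priv or self.enable_password in (None, answer):
                self.priv = True
            else:
                msgs.append("Error: enable password rejected (constructed message)")
        elif cmd == "skip" and self.priv and self.ctx is None:
            pass                                # paging disabled, nothing printed
        elif cmd == "configure terminal" and self.priv and self.ctx is None:
            self.ctx = "config"
        elif cmd == "ntp" and self.ctx == "config":
            self.ctx = "config-ntp"
        elif cmd.startswith("no server ") and self.ctx == "config-ntp":
            server = cmd.split(" ", 2)[2]
            if server in self.ntp_servers:
                self.ntp_servers.discard(server)
            else:                               # error, but the context is not left
                msgs.append("Error: Cannot delete server/peer, the association entry is not present")
        elif cmd == "end" and self.ctx is not None:
            self.ctx = None
        else:                                   # e.g. 'skip' at '>' or inside config-ntp
            msgs += ["Invalid input -> %s" % cmd, "Type ? for a list"]
        return "\r\n".join([cmd] + msgs + [self.prompt()])


def run_plan(switch, cmds):
    """Send commands in order, stopping at the first error. Returns (ok, last_output)."""
    out = switch.prompt()
    for c in cmds:
        out = switch.send(c)
        if "Invalid input" in out or "Error:" in out:
            return False, out
    return True, out
```

`classify_prompt` only reads the last line of the output, which is where a `network_cli` session leaves the prompt; a real integration would feed the prompt read at connect time (and after every failed command) into `plan_skip` and hand the result to `run_commands`, instead of sending a bare `skip`. Answering the enable password is the general form of the elevation asked for in the original report, since it also covers the case where `enable` itself prompts for a password.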
To add some more depth here, in FastIron 9.0.0, the command "aaa authentication login privilege-mode" was deprecated and is not available in FastIron 10.0.0. Without this command, it is impossible to SSH into an ICX and go straight for privileged mode (enable) without issuing the enable command and re-typing password.
This means this Ansible module is incompatible with all FastIron 10 devices, regardless of configuration, and possibly FastIron 9 devices as well.
@commscope I request this module get an update to be compatible with your current product lineup.