CiscoDevNet / ansible-aci

Cisco ACI Ansible Collection
https://galaxy.ansible.com/cisco/aci
GNU General Public License v3.0

Version 2.7, 2.8, and 2.9 aaa_user_certificate doesn't work with APIC version 5.2.(4e) #651

Closed jdteis7 closed 1 month ago

jdteis7 commented 1 month ago

Community Note

Description

In ACI collection versions 2.7, 2.8, and 2.9 the module aaa_user_certificate does not work correctly with an APIC running version 5.2.(4e). It does work correctly with an APIC running version 6.

The playbook gets this error on an APIC running 5.2.(4e):

'str' object has no attribute 'format_map'

This playbook works correctly with ACI collection version 2.6. The file generating the error is

ansible_collections/cisco/aci/plugins/module_utils/aci.py

This file was changed to use the string attribute format_map in collection 2.7. The APIC running version 5.2.(4e) has Python 2.7.17 as the default version and has Python 3.7.6 also installed. The APIC running version 6.0.(4c) has Python 2.7.18 as default and Python 3.8.10 also installed. ACI collection version 2.6 works without problems but does not use the format_map attribute.

The full traceback.txt

Playbook info

Affected Module Name(s):

APIC version and APIC Platform

Collection versions

Output/ Error message

*

Expected Behavior

* Certificate should have been added for a user account.

Actual Behavior

* Certificate was not added

Playbook tasks to Reproduce

*

Important Factoids

References

akinross commented 1 month ago

Hi @jdteis7,

Apologies but I am not really understanding the issue as you are explaining in combination with your versions provided. The latest release of the ACI collection is on 2.9.0 which was released last month, but you mention 3.x versions.

Could you please provide the following information:

Furthermore, is your issue only there when running the aci_aaa_user_certificate task? From looking at the code I would suspect this would be on every task.

jdteis7 commented 1 month ago

I apologize, that was a typo. The version that works is 2.6 and the versions that do not are 2.7, 2.8, and 2.9.

The Python version I'm running on the server with the Ansible playbooks is 3.9.18. The Ansible version is 2.15.5, but I believe this is a problem on the APIC. I see log messages referencing Python version 2.7, which is not installed on the server with the playbooks. It is installed on the APIC though. The stack trace shows an ssh connection opened to the APIC and I believe the ACI.PY script is trying to run python commands on the APIC for this certificate module. I attached the stack trace.

When the playbook is used for an APIC with 5.2.(4e) I see this in the log:

    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python"

When it is used for an APIC running 6.0, I see this:

    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python3"

jdteis7 commented 1 month ago

Other modules I've tested like aaaUserRole, aaaUserDomain, and aaaUser worked, but I noticed they do not open an ssh connection to the APIC like the cert module does.

jdteis7 commented 1 month ago

This is the section that fails in the versions 2.7, 2.8, 2.9 ACI.PY file. It's lines 364 - 367

    if self.params.get("port") is not None:
        self.base_url = "{protocol}://{host}:{port}".format_map(self.params)
    else:
        self.base_url = "{protocol}://{host}".format_map(self.params)

This is what 2.6 looked like

    if self.params.get("port") is not None:
        url = "%(protocol)s://%(host)s:%(port)s/api/aaaLogin.json" % self.params
    else:
        url = "%(protocol)s://%(host)s/api/aaaLogin.json" % self.params

I don't think format_map is supported in Python 2.7 and since this appears to be run on the APIC, I have no way to change which version it defaults to.

akinross commented 1 month ago

Is there a difference in the ansible_connection settings for these tasks? Are they all set to local, or delegated to localhost?

Could you share these two tasks and your inventory / ansible connection settings?

jdteis7 commented 1 month ago

Thanks! That was the problem. I didn't notice delegate to local host was missing.
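
The resolution above, as an added example that is not part of the thread and not the reporter's playbook: a play that keeps the certificate task on the control node, with the failing form shown in comments. The group name `apic`, the variables `apic_username` and `apic_password`, the user `admin` and the path `pki/admin.crt` are assumptions.

```yaml
# Constructed example: group name, variable names and file path are placeholders.
- name: Add a user certificate through the APIC REST API
  hosts: apic            # inventory group holding the APIC address
  gather_facts: false    # fact gathering would also connect to the APIC over SSH
  tasks:
    # Failing form (as reported in the thread): with no delegation, Ansible
    # opens SSH to the inventory host, copies the module there and runs it
    # with the interpreter it discovers (/usr/bin/python on APIC 5.2.(4e)).
    #
    # - name: Add certificate
    #   cisco.aci.aci_aaa_user_certificate:
    #     host: "{{ inventory_hostname }}"
    #     ...
    #     state: present

    # Working form: the module runs under the control node's Python and only
    # talks to the APIC over HTTPS, so the APIC's own interpreter is not used.
    - name: Add certificate (module executes on the control node)
      cisco.aci.aci_aaa_user_certificate:
        host: "{{ inventory_hostname }}"
        username: "{{ apic_username }}"
        password: "{{ apic_password }}"
        aaa_user: admin
        name: admin
        certificate_data: "{{ lookup('file', 'pki/admin.crt') }}"
        state: present
      delegate_to: localhost

# Alternative to per-task delegation: set the connection once for the group,
# e.g. in group_vars/apic.yml (path is an assumption):
#
#   ansible_connection: local
```

Running the play with `-vvv` shows whether an SSH connection to the APIC is opened for the task, and the task result's `discovered_interpreter_python` value shows which interpreter ran the module.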