CiscoDevNet / ansible-nso

GNU General Public License v3.0

Compliance Checks with Ansible #8

Open jabelk opened 3 years ago

jabelk commented 3 years ago

feedback from user:

User is working on a compliance check where they use the Ansible module to interact with NSO's compliance templates. The challenge is we only could figure out how to save the results to the state directory with the html results. This has been difficult because we want to GET the results from the API to pass to Ansible.

I have a task to run the compliance report but there doesn't seem to be a great way to get the report itself from the API? Right now, the script just looks to see if there were any violation errors and if there are, it will re-apply the template. It would be best if a preview of what the compliance report violations are could be added to the script. Trying to use the URI module to download that report like a web page could be awkward. I had to write a small module to attach a device template in NSO as the nso_action ansible module didn't seem to be able to handle it correctly. This could be a bug in the ansible module.

andubiel commented 3 years ago

These are the ansible files mentioned. nso_self-healing.zip

jabelk commented 3 years ago

dev_nso

Testing the capabilities of NSO templates for runbook automation.

environment

The inventory here uses the NSO DevNET lab.

Set up Local NSO

Notes on LAB setup:
SSH/NETCONF must be configured on core-rtr01/02.
dist-rtr02 is used as the NTP server (ntp master).

overview

nso_self-healing.yaml:
- nso_sync_devices - Pull the current running config of the device into NSO.
- nso_compliance_report - Run compliance report. To Do: Need to get the details from the compliance report into ansible.
- nso_remediate - If the compliance report returns compliance-status of violations, re-apply the template.
- nso_post_change_test - Check that the NTP servers are in sync after the change; if not, fail the task. To Do: need a 2nd compliance report after the change to verify there are no more violations.

upload to github

Set up Local NSO

ncs-setup --package nso/packages/neds/cisco-ios-cli-6.67 \
  --package nso/packages/neds/cisco-nx-cli-5.20 \
  --package nso/packages/neds/cisco-iosxr-cli-7.32 \
  --package nso/packages/neds/cisco-asa-cli-6.12 \
  --dest nso-instance

cd ~/nso-instance
ncs

ncs_cli -C -u admin

conf
devices authgroups group labadmin
default-map remote-name cisco
default-map remote-password cisco
default-map remote-secondary-password cisco
commit
top

devices device edge-sw01
address 10.10.20.172
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
ssh host-key-verification none
commit

devices device core-rtr01
address 10.10.20.173
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-iosxr-cli-7.32
device-type cli protocol telnet
state admin-state unlocked
!
devices device core-rtr02
address 10.10.20.174
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-iosxr-cli-7.32
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-rtr01
address 10.10.20.175
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-rtr02
address 10.10.20.176
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-sw01
address 10.10.20.177
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-nx-cli-5.20
device-type cli protocol telnet
ned-settings cisco-nx behaviours show-interface-all enable
state admin-state unlocked
!
devices device dist-sw02
address 10.10.20.178
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-nx-cli-5.20
device-type cli protocol telnet
ned-settings cisco-nx behaviours show-interface-all enable
state admin-state unlocked
!
devices device edge-firewall01
address 10.10.20.171
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-asa-cli-6.12
device-type cli protocol telnet
state admin-state unlocked
!
devices device edge-sw01
address 10.10.20.172
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device internet-rtr01
address 10.10.20.181
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
commit
end
devices connect
show devices list
devices sync-from

Set up NETCONF

telnet 10.10.20.173 cisco/cisco

conf
ssh server v2
ssh server netconf port 830
ssh server netconf vrf Mgmt-intf
netconf agent tty
!
netconf-yang agent ssh
commit
exit
!
crypto key generate dsa

telnet 10.10.20.174 cisco/cisco

conf
ssh server v2
ssh server netconf port 830
ssh server netconf vrf Mgmt-intf
netconf agent tty
!
netconf-yang agent ssh
commit
exit
!
crypto key generate dsa

re-sync NSO

ncs_cli -C -u admin
devices sync-from

Try running the main playbook

copy files
cd /home/developer/nso_self-healing

ansible-playbook -i inventory/devnet.ini nso_self-healing.yaml -vv

ansible-playbook -i inventory/devnet.ini nso_self-healing.yaml -vv --extra-vars "nso_username=admin nso_password=admin"

got the following error

line 1214, in do_open\n    raise URLError(err)\nurllib2.URLError: <urlopen error [Errno 111] Connection refused>\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error

makes me think there is something wrong with the URL or ports

the role include is

---
- name: Playbook to add hosts to NSO.
  hosts: lab_all
  gather_facts: false

  tasks:
  - name: sync devices to nso
    include_role:
      name: nso_sync_devices

which then runs

---
- name: sync all devices
  nso_action:
    url: http://127.0.0.1/jsonrpc
    username: '{{ nso_username }}'
    password: '{{ nso_password }}'
    path: /ncs:devices/device{'{{inventory_hostname}}'}/sync-from
    input: {}
  environment:
   no_proxy: 127.0.0.1, localhost, 10.10.*.*
  register: sync_var

- debug: var=sync_var.output

- name: conditional fail if sync fails
  fail:
    msg: 'Device sync-from not successful'
  when: 'sync_var.output != {"result": "true"}'
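The sync-from task above goes through NSO's JSON-RPC endpoint, and the "Connection refused" traceback is what urllib raises when nothing is listening at the URL it was given (the task's url has no port, so port 80 is used, while NSO serves JSON-RPC on its web port, 8080 by default). The following is an added example, not code from this issue or from the ansible-nso project: a small JSON-RPC client that performs the same login, new_trans and run_action sequence the nso_action module uses, a probe helper that separates "nothing listening" from "endpoint answered", and a constructed in-process stub standing in for NSO so everything runs offline. The method names and parameter keys (login with user/passwd, new_trans with db/mode, run_action with th/path/params), the name/value list shape of the action output, and the stub's cookie-based session are assumptions to check against your NSO version's JSON-RPC documentation.

```python
"""Added example: NSO-style JSON-RPC client for the sync-from action, with an
offline stub server (constructed, not real NSO) and a reachability probe."""
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class NsoJsonRpc:
    """Minimal JSON-RPC 2.0 client for NSO's /jsonrpc endpoint.
    Method/parameter names follow what the nso_action module sends (assumption)."""

    def __init__(self, url, timeout=5):
        self.url, self.timeout, self.req_id, self.cookie = url, timeout, 0, None

    def call(self, method, params=None):
        self.req_id += 1
        body = json.dumps({"jsonrpc": "2.0", "id": self.req_id,
                           "method": method, "params": params or {}}).encode()
        req = urllib.request.Request(self.url, data=body,
                                     headers={"Content-Type": "application/json"})
        if self.cookie:                      # session cookie handed out by login
            req.add_header("Cookie", self.cookie)
        with urllib.request.urlopen(req, timeout=self.timeout) as resp:
            set_cookie = resp.headers.get("Set-Cookie")
            if set_cookie:
                self.cookie = set_cookie.split(";", 1)[0]
            reply = json.loads(resp.read().decode())
        if "error" in reply:                 # surface NSO's error instead of a bare None
            raise RuntimeError("JSON-RPC %s failed: %s" % (method, reply["error"]))
        return reply["result"]

    def login(self, user, passwd):
        return self.call("login", {"user": user, "passwd": passwd})

    def new_trans(self, db="running", mode="read"):
        return self.call("new_trans", {"db": db, "mode": mode})["th"]

    def run_action(self, th, path, params=None):
        # Action output arrives as [{"name": ..., "value": ...}]; flatten it into
        # the {"result": "true"} shape the playbook's `when:` compares against.
        out = self.call("run_action", {"th": th, "path": path, "params": params or {}})
        return {item["name"]: item["value"] for item in out}


def sync_from(url, user, passwd, device):
    """Log in, open a read transaction and run sync-from for one device."""
    client = NsoJsonRpc(url)
    client.login(user, passwd)
    return client.run_action(client.new_trans(), "/ncs:devices/device{%s}/sync-from" % device)


def probe(url, timeout=2):
    """(reachable, detail): False only when the TCP connection itself fails,
    which is what the [Errno 111] Connection refused traceback means."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=b"{}"), timeout=timeout):
            return True, "ok"
    except urllib.error.HTTPError as exc:    # an HTTP status means something answered
        return True, "HTTP %d" % exc.code
    except urllib.error.URLError as exc:
        return False, str(exc.reason)


class StubNso(BaseHTTPRequestHandler):
    """Constructed stand-in for NSO's JSON-RPC endpoint; only admin/admin may log in."""

    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        method, params, extra = req.get("method"), req.get("params") or {}, {}
        if self.path != "/jsonrpc":
            reply = {"error": {"code": -32601, "message": "no such endpoint"}}
        elif method == "login":
            if (params.get("user"), params.get("passwd")) == ("admin", "admin"):
                reply, extra = {"result": {}}, {"Set-Cookie": "sessionid=stub; Path=/"}
            else:
                reply = {"error": {"code": -32000, "message": "Access denied"}}
        elif self.headers.get("Cookie") != "sessionid=stub":
            reply = {"error": {"code": -32000, "message": "Unauthenticated"}}
        elif method == "new_trans":
            reply = {"result": {"th": 1}}
        elif method == "run_action" and params.get("path", "").endswith("/sync-from"):
            reply = {"result": [{"name": "result", "value": "true"}]}
        else:
            reply = {"error": {"code": -32601, "message": "unknown method %r" % method}}
        reply.update({"jsonrpc": "2.0", "id": req.get("id")})
        data = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):            # keep the demo quiet
        pass


def start_stub():
    """Start the stub on an ephemeral loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), StubNso)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def closed_port_url():
    """A loopback URL where nothing listens (bind an ephemeral port, then release it)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]
    sock.close()
    return "http://127.0.0.1:%d/jsonrpc" % port


if __name__ == "__main__":
    server, base = start_stub()
    print(probe(base + "/jsonrpc"))
    print(probe(closed_port_url()))        # reproduces the Connection refused case
    print(sync_from(base + "/jsonrpc", "admin", "admin", "core-rtr01"))
    server.shutdown()
```

Running the probe against the task's url before the play (or as a first task) turns the opaque MODULE FAILURE into a clear "nothing listening here" versus "NSO answered but rejected the request" distinction, and the client's RuntimeError on a JSON-RPC error object shows why a failed login or action should not be mistaken for a successful sync.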