Closed chilu49 closed 7 years ago
caphrim007
commented
7 years ago my guess is that you're not delegating to localhost. The BIG-IP modules must run on the Ansible controller. Try adding either of the following to your playbook.
connection: local at the play level
or
delegate_to: localhost at the task level
chilu49
commented
7 years ago i have already mentioned that in the playbook, but still getting the same "unreachable" error. One thing i want to mention is that, my role on F5 is "operator" not admin.
name: Test bigip pool member status change hosts: test
tasks:
caphrim007
commented
7 years ago @chilu49 right, but the error is due to a failure of SSH trying to connect to 10.48.120.149. That's not a bigip module related error.
After you added delegation, what was the error?
chilu49
commented
7 years ago Its the same error.
fatal: [10.48.120.149]: UNREACHABLE! => { "changed": false, "msg": "Failed to connect to the host via ssh: OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013\r\ndebug1: Reading configuration data /etc/ssh/ssh_config\r\ndebug1: /etc/ssh/ssh_config line 56: Applying options for \r\ndebug1: auto-mux: Trying existing master\r\ndebug1: Control socket \"/root/.ansible/cp/28c65d1b29\" does not exist\r\ndebug2: ssh_connect: needpriv 0\r\ndebug1: Connecting to 10.48.120.149 [10.48.120.149] port 22.\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug1: fd 3 clearing O_NONBLOCK\r\ndebug1: Connection established.\r\ndebug3: timeout: 10000 ms remain after connect\r\ndebug1: permanently_set_uid: 0/0\r\ndebug1: identity file /root/.ssh/id_rsa type -1\r\ndebug1: identity file /root/.ssh/id_rsa-cert type -1\r\ndebug1: identity file /root/.ssh/id_dsa type -1\r\ndebug1: identity file /root/.ssh/id_dsa-cert type -1\r\ndebug1: identity file /root/.ssh/id_ecdsa type -1\r\ndebug1: identity file /root/.ssh/id_ecdsa-cert type -1\r\ndebug1: identity file /root/.ssh/id_ed25519 type -1\r\ndebug1: identity file /root/.ssh/id_ed25519-cert type -1\r\ndebug1: Enabling compatibility mode for protocol 2.0\r\ndebug1: Local version string SSH-2.0-OpenSSH_6.6.1\r\ndebug1: Remote protocol version 2.0, remote software version OpenSSH_5.3\r\ndebug1: match: OpenSSH_5.3 pat OpenSSH_5 compat 0x0c000000\r\ndebug2: fd 3 setting O_NONBLOCK\r\ndebug3: load_hostkeys: loading entries for host \"10.48.120.149\" from file \"/root/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:1\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa\r\ndebug1: SSH2_MSG_KEXINIT sent\r\ndebug1: SSH2_MSG_KEXINIT received\r\ndebug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: zlib@openssh.com,zlib,none\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1\r\ndebug2: kex_parse_kexinit: ssh-rsa,ssh-dss\r\ndebug2: kex_parse_kexinit: aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc,3des-cbc\r\ndebug2: kex_parse_kexinit: aes128-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes192-cbc,3des-cbc\r\ndebug2: kex_parse_kexinit: hmac-sha1\r\ndebug2: kex_parse_kexinit: hmac-sha1\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: none,zlib@openssh.com\r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: \r\ndebug2: kex_parse_kexinit: first_kex_follows 0 \r\ndebug2: kex_parse_kexinit: reserved 0 \r\ndebug2: mac_setup: setup hmac-sha1\r\ndebug1: kex: server->client aes128-ctr hmac-sha1 zlib@openssh.com\r\ndebug2: mac_setup: setup hmac-sha1\r\ndebug1: kex: client->server aes128-ctr hmac-sha1 zlib@openssh.com\r\ndebug1: kex: ecdh-sha2-nistp256 need=20 dh_need=20\r\ndebug1: kex: ecdh-sha2-nistp256 need=20 dh_need=20\r\ndebug1: sending SSH2_MSG_KEX_ECDH_INIT\r\ndebug1: expecting SSH2_MSG_KEX_ECDH_REPLY\r\ndebug1: Server host key: RSA ed:91:ef:a4:64:b0:db:34:b1:63:a1:cf:ac:7a:29:bf\r\ndebug3: load_hostkeys: loading entries for host \"10.48.120.149\" from file \"/root/.ssh/known_hosts\"\r\ndebug3: load_hostkeys: found key type RSA in file /root/.ssh/known_hosts:1\r\ndebug3: load_hostkeys: loaded 1 keys\r\ndebug1: Host '10.48.120.149' is known and matches the RSA host key.\r\ndebug1: Found key in /root/.ssh/known_hosts:1\r\ndebug1: ssh_rsa_verify: signature correct\r\ndebug2: kex_derive_keys\r\ndebug2: set_newkeys: mode 1\r\ndebug1: SSH2_MSG_NEWKEYS sent\r\ndebug1: expecting SSH2_MSG_NEWKEYS\r\ndebug2: set_newkeys: mode 0\r\ndebug1: SSH2_MSG_NEWKEYS received\r\ndebug1: SSH2_MSG_SERVICE_REQUEST sent\r\ndebug2: service_accept: ssh-userauth\r\ndebug1: SSH2_MSG_SERVICE_ACCEPT received\r\ndebug2: key: /root/.ssh/id_rsa ((nil)),\r\ndebug2: key: /root/.ssh/id_dsa ((nil)),\r\ndebug2: key: /root/.ssh/id_ecdsa ((nil)),\r\ndebug2: key: /root/.ssh/id_ed25519 ((nil)),\r\ndebug1: Authentications that can continue: publickey,keyboard-interactive,hostbased\r\ndebug3: start over, passed a different list publickey,keyboard-interactive,hostbased\r\ndebug3: preferred gssapi-with-mic,gssapi-keyex,hostbased,publickey\r\ndebug3: authmethod_lookup hostbased\r\ndebug3: remaining preferred: publickey\r\ndebug3: authmethod_lookup publickey\r\ndebug3: remaining preferred: \r\ndebug3: authmethod_is_enabled publickey\r\ndebug1: Next authentication method: publickey\r\ndebug1: Trying private key: /root/.ssh/id_rsa\r\ndebug3: no such identity: /root/.ssh/id_rsa: No such file or directory\r\ndebug1: Trying private key: /root/.ssh/id_dsa\r\ndebug3: no such identity: /root/.ssh/id_dsa: No such file or directory\r\ndebug1: Trying private key: /root/.ssh/id_ecdsa\r\ndebug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory\r\ndebug1: Trying private key: /root/.ssh/id_ed25519\r\ndebug3: no such identity: /root/.ssh/id_ed25519: No such file or directory\r\ndebug2: we did not send a packet, disable method\r\ndebug1: No more authentication methods to try.\r\nPermission denied (publickey,keyboard-interactive,hostbased).\r\n", "unreachable": true } to retry, use: --limit @/etc/ansible/playbooks/non-prod-F5pool-memberoffline-Mobility-Test.retry
PLAY RECAP ** 10.48.120.149 : ok=0 changed=0 unreachable=1 failed=0
chilu49
commented
7 years ago I tried different playbook with different network module and its working fine. PLAYBOOK:
name: Test bigip_facts hosts: test connection: local
tasks:
PLAYBOOK: bigip_facts.yaml ** 1 plays in bigip_facts.yaml
PLAY [Test bigip_facts] *****
TASK [Gathering Facts] **
Using module file /usr/lib/python2.7/site-packages/ansible/modules/system/setup.py
<10.48.120.149> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.48.120.149> EXEC /bin/sh -c 'echo ~ && sleep 0'
<10.48.120.149> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600" && echo ansible-tmp-1503510171.95-44454372803600="echo /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600" ) && sleep 0'
<10.48.120.149> PUT /tmp/tmpiuuD4W TO /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600/setup.py
<10.48.120.149> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600/ /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600/setup.py && sleep 0'
<10.48.120.149> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600/setup.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1503510171.95-44454372803600/" > /dev/null 2>&1 && sleep 0'
ok: [10.48.120.149]
META: ran handlers
TASK [Get all of the facts from my BIG-IP] **
task path: /etc/ansible/playbooks/bigip_facts.yaml:6
Using module file /usr/lib/python2.7/site-packages/ansible/modules/network/f5/bigip_facts.py
<10.48.120.149> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.48.120.149> EXEC /bin/sh -c 'echo ~ && sleep 0'
<10.48.120.149> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778" && echo ansible-tmp-1503510172.71-154989222006778="echo /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778" ) && sleep 0'
<10.48.120.149> PUT /tmp/tmpJ_rtdb TO /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778/bigip_facts.py
<10.48.120.149> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778/ /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778/bigip_facts.py && sleep 0'
<10.48.120.149> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778/bigip_facts.py; rm -rf "/root/.ansible/tmp/ansible-tmp-1503510172.71-154989222006778/" > /dev/null 2>&1 && sleep 0'
ok: [10.48.120.149] => {
"ansible_facts": {
"system_info": {
caphrim007
commented
7 years ago your second playbook is using connection: local where as your first playbook used delegate_to: localhost.
caphrim007
commented
7 years ago @chilu49 does the failing example work if you change connection to local?
chilu49
commented
7 years ago Thanks for the suggestion. I made the change you suggested and it worked
name: Test bigip pool member status change hosts: test connection: local
tasks:
chilu49
commented
7 years ago But i still recevied an error. It says i do not have "create access to object (pool_member)". But i am able to access through F5 User Interface and make the members of the pool offline/disable. Can you think of any reason as to why this is happening.
fatal: [X.X.X>X]: FAILED! => { "changed": false, "failed": true, "invocation": { "module_args": { "connection_limit": null, "description": null, "host": "X.X.X.X", "monitor_state": "disabled", "partition": "Unix", "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "pool": "Pool-ACC-Test", "port": 8444, "preserve_node": false, "rate_limit": null, "ratio": null, "server": "X.X.X.X", "server_port": 443, "session_state": "disabled", "state": "present", "user": "rchiluve", "validate_certs": false } }, "msg": "received exception: Server raised fault: 'Exception caught in LocalLB::urn:iControl:LocalLB/Pool::add_member_v2()\nException: Common::OperationFailed\n\tprimary_error_code : 17238050 (0x01070822)\n\tsecondary_error_code : 0\n\terror_string : 01070822:3: Access Denied: user (xxxxxxx) does not have create access to object (pool_member)'" } to retry, use: --limit @/etc/ansible/playbooks/non-prod-F5pool-memberoffline-Mobility-Test.retry
PLAY RECAP ** X.X.X.X : ok=1 changed=0 unreachable=0 failed=1
caphrim007
commented
7 years ago @chilu49 the reason it is working is because connection: local forces ansible to never SSH to anything...even the Ansible controller
delegate_to: localhost causes the Ansible controller to SSH to itself first, but what runs on the delegate_to host is run in the "context" of the current node. Your issue is because you are unable to ssh to yourself (your ansible controller) from your ansible controller.
caphrim007
commented
7 years ago @chilu49 I'm not sure if permissions are handled differently in SOAP vs TMUI. If they are, I wouldn't entirely be surprised as TMUI does not use any public interfaces to the BIG-IP control plane.
The error that is being raised there is coming from SOAP itself, not the F5 Ansible modules.
ISSUE TYPE
COMPONENT NAME
bigip_pool_member
ANSIBLE VERSION
PYTHON VERSION
BIGIP VERSION
CONFIGURATION
OS / ENVIRONMENT
oracle linux 7
SUMMARY
I am trying to execute the playbook which disables a member in an F5 pool. I am able to collect the facts from the same F5 but when I try to execute the playbook to disable pool memeber, i am getting UNREACHABLE error. fatal: [X.X.X.X]: UNREACHABLE! =>
STEPS TO REPRODUCE
EXPECTED RESULTS
N/A
ACTUAL RESULTS
N/A