F5Networks / f5-ansible

Imperative Ansible modules for F5 BIG-IP products
GNU General Public License v3.0

All my playbooks fail with v13.1.0.3 build 0.0.5 point release 3 #655

Closed mlowcher61 closed 6 years ago

mlowcher61 commented 6 years ago
ISSUE TYPE
COMPONENT NAME

all modules, all raw commands. Only ansible CLI ad-hoc works and ReST commands

ANSIBLE VERSION
ansible 2.6.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/usr/share/ansible']
  ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]
PYTHON VERSION
Python 2.7.12
BIGIP VERSION
Sys::Version
Main Package
  Product     BIG-IP
  Version     13.1.0.3
  Build       0.0.5
  Edition     Point Release 3
  Date        Mon Feb 12 19:22:50 PST 2018
LIBRARY VERSIONS

bigsuds==1.0.6 f5-sdk==3.0.12

CONFIGURATION
OS / ENVIRONMENT

Ansible is on OS Ubuntu 16.0.4

SUMMARY

All modules are failing now. Only ansible ad-hoc and ReST commands work. For example, see "playbooks or commands" below.

STEPS TO REPRODUCE
The following fails:
---
- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    username: admin
    password: admin
    bigip: bigip

  tasks:

   - name: Resetting to default config
     bigip_command:
      server: bigip
      user: "{{username}}"
      password: "{{password}}"
      commands:
      - load sys config default
      validate_certs: false
     delegate_to: localhost

with the following message.

fatal: [10.0.0.168 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. Is \"validate_certs\" preventing this?"}
fatal: [10.0.0.167 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. Is \"validate_certs\" preventing this?"}

so does:
---
  - hosts: localhost
    tasks:
      - name: Reset the BIG-IP configuration, for example, to RMA the device
        bigip_config:
          reset: yes
          save: yes
          server: bigip
          password: admin
          user: admin
          validate_certs: no
        delegate_to: localhost

If I do the following from Ansible, I can retrieve the login page.

curl -sk -u admin:admin https://10.0.0.168

It retrieves the log on page.

<!--
 THIS IS AN AUTO-GENERATED FILE - DO NOT EDIT!!!
-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
        "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>BIG-IP&reg;- Redirect</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="imagetoolbar" content="false">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="Expires" content="-1">
<meta name="MSSmartTagsPreventParsing" content="true">
<meta name="robots" content="all">
<meta name="Copyright" content="Copyright (c) 1996-2011, F5 Networks, Inc., Seattle, Washington.  All rights reserved.">
<meta name="description" content="F5 Networks Configuration Utility.">
<meta name="author" content="F5 Networks, Inc.">
<style type="text/css">
body { width: 100%; height: 100%; background-color: #c4c2be; margin: 0px; padding: 0px; }
#loading { position: absolute; z-index: 1; top: 48%; left: 47%; font-family: sans-serif; font-size: 70%; }
#content {
    table { width: 100%; height: 100%; border: 0px; border-spacing: 0px; }
    td { padding: 0px; }

I omitted the rest of the output for brevity, but this proves that the error message about not being able to connect to port 443 is not true.

If I do the ansible ad-hoc command:
ansible -a "tmsh load sys config default" bigip

It reset both F5s. The difference I'd see here is that the ad-hoc command is using ssh instead of https.

EXPECTED RESULTS
ACTUAL RESULTS

fatal: [10.0.0.168 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. Is \"validate_certs\" preventing this?"}
fatal: [10.0.0.167 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. Is \"validate_certs\" preventing this?"}

caphrim007 commented 6 years ago

@mlowcher61 the ability to connect to the remote device is more than just curling the ip. It depends on whether the REST API can be reached at /mgmt/tm/sys

The slice of page that you show there is the BIG-IP configuration Redirect page. This suggests that the device is not yet ready to take configuration.

What is the output of curling the url I mention?

mlowcher61 commented 6 years ago

lowcher@ansible:~$ curl -sk -u admin:admin https://10.0.0.167/mgmt/tm/sys | jq .items

Mark Lowcher CISSP CCSP | F5 Systems Engineer – AT&T Cloud and Managed Services

F5 Networks

P 888.88.BIG.IP

M 512.745.6263

m.lowcher@f5.com

www.f5.com


caphrim007 commented 6 years ago

@mlowcher61 can you view the web ui? does it show a standard login screen? or does it show a "configuration loading" screen?

mlowcher61 commented 6 years ago

Yes, login page is fine.

caphrim007 commented 6 years ago

additionally, try replacing your bigip.py in your module_utils/network/f5/ directory with the one found here

https://github.com/F5Networks/f5-ansible/blob/devel/library/module_utils/network/f5/bigip.py

it will hopefully provide more debugging

caphrim007 commented 6 years ago

@mlowcher61 replied

Ok, I replaced it and ran the default_config.yml playbook seen below.

The verbiage of the error message is different now but essentially the same.

lowcher@ansible:~/app_svc_L4-7/ansible/playbooks$ ansible-playbook default_config.yml

PLAY [bigip] *****

TASK [Gathering Facts] ***
ok: [10.0.0.167]
ok: [10.0.0.168]

TASK [Reset the BIG-IP configuration, for example, to RMA the device] ****
[DEPRECATION WARNING]: Param 'server' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'user' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'password' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'validate_certs' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [10.0.0.168 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f65d4cfeb90>: Failed to establish a new connection: [Errno 113] No route to host',))\"."}
fatal: [10.0.0.167 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f72e43b3b90>: Failed to establish a new connection: [Errno 111] Connection refused',))\"."}

PLAY RECAP ***
10.0.0.167 : ok=1 changed=0 unreachable=0 failed=1
10.0.0.168 : ok=1 changed=0 unreachable=0 failed=1

I’m going to try again but change “bigip” to the ip of one device “10.0.0.167”

caphrim007 commented 6 years ago

do you have an entry in your /etc/hosts file for "bigip"? or does it resolve via dns?

caphrim007 commented 6 years ago

@mlowcher61 replied

Ok, setting both to default using “bigip” which calls the /etc/ansible/hosts file now failed.

lowcher@ansible:~/app_svc_L4-7/ansible/playbooks$ ansible-playbook default_config.yml

PLAY [bigip] *****

TASK [Gathering Facts] ***
ok: [10.0.0.168]
ok: [10.0.0.167]

TASK [Reset the BIG-IP configuration, for example, to RMA the device] ****
[DEPRECATION WARNING]: Param 'server' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'user' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'password' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'validate_certs' is deprecated. See the module docs for more information. This feature will be removed in version 2.9. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
fatal: [10.0.0.168 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa8bff1db90>: Failed to establish a new connection: [Errno 113] No route to host',))\"."}
fatal: [10.0.0.167 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fc701423b90>: Failed to establish a new connection: [Errno 111] Connection refused',))\"."}

PLAY RECAP ***
10.0.0.167 : ok=1 changed=0 unreachable=0 failed=1
10.0.0.168 : ok=1 changed=0 unreachable=0 failed=1

lowcher@ansible:~/app_svc_L4-7/ansible/playbooks$ ansible -m ping bigip
10.0.0.168 | SUCCESS => { "changed": false, "ping": "pong" }
10.0.0.167 | SUCCESS => { "changed": false, "ping": "pong" }

caphrim007 commented 6 years ago

when you specify "bigip" in your task's server line, it's going to try to resolve that. That is presumably what is failing. If you specify the IP address there, it would presumably work.

Or if you add "bigip" to your /etc/hosts (the system static hosts, not the Ansible hosts) it should also work
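Added example, not part of the thread or of the f5-ansible code: a small triage script for the failure lines quoted above. It compares the inventory host in each `fatal:` line with the name the module actually dialled, which is the mismatch described in the comment above. The function names are hypothetical, the sample lines are constructed from the thread's output, and the errno numbers are the Linux values that appear there (plus -2, the resolver's "name not known").

```python
import json
import re

# Constructed sample, modelled on the failure lines quoted in this thread.
SAMPLE = r'''
fatal: [10.0.0.168 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<conn>: Failed to establish a new connection: [Errno 113] No route to host',))\"."}
fatal: [10.0.0.167 -> localhost]: FAILED! => {"changed": false, "msg": "Unable to connect to bigip on port 443. The reported error was \"HTTPSConnectionPool(host='bigip', port=443): Max retries exceeded with url: /mgmt/shared/authn/login (Caused by NewConnectionError('<conn>: Failed to establish a new connection: [Errno 111] Connection refused',))\"."}
changed: [bigip1 -> localhost]
'''

FATAL_RE = re.compile(
    r"^fatal: \[(?P<inv>[^\s\]]+)(?: -> [^\]]+)?\]: FAILED! => (?P<body>\{.*\})\s*$")
# Both message variants in the thread start with this phrase.
TARGET_RE = re.compile(r"Unable to connect to (?P<host>\S+) on port (?P<port>\d+)")
ERRNO_RE = re.compile(r"\[Errno (?P<num>-?\d+)\]")

# Linux errno values as they appear in the urllib3 error text.
CAUSES = {
    113: "no route to the address the name resolved to",
    111: "resolved address refused the connection on this port",
    -2: "name did not resolve on the control node",
}


def diagnose(line):
    """Return a finding for one 'fatal:' line, or None for any other line."""
    m = FATAL_RE.match(line.strip())
    if not m:
        return None
    try:
        msg = json.loads(m.group("body")).get("msg", "")
    except ValueError:
        return None
    target = TARGET_RE.search(msg)
    err = ERRNO_RE.search(msg)
    host = target.group("host") if target else None
    num = int(err.group("num")) if err else None
    return {
        "inventory_host": m.group("inv"),
        "target": host,
        "errno": num,
        "cause": CAUSES.get(num, "unclassified"),
        # True when the module dialled a name other than the inventory host,
        # i.e. the task's `server` is a literal, not {{ inventory_hostname }}.
        "server_is_literal": host is not None and host != m.group("inv"),
    }


def shared_literal_target(lines):
    """Return a name that several inventory hosts all dialled, or None."""
    seen = {}
    for finding in filter(None, map(diagnose, lines)):
        if finding["server_is_literal"]:
            seen.setdefault(finding["target"], set()).add(finding["inventory_host"])
    hits = [name for name, hosts in seen.items() if len(hosts) > 1]
    return hits[0] if hits else None


if __name__ == "__main__":
    for finding in filter(None, map(diagnose, SAMPLE.splitlines())):
        print(finding)
    print("shared target:", shared_literal_target(SAMPLE.splitlines()))
```
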

caphrim007 commented 6 years ago

specify more than one bigip in your Ansible hosts file and playbook hosts line

# inventory
bigip1
bigip2

# Playbook
hosts: "bigip1:bigip2"

caphrim007 commented 6 years ago

@mlowcher61 replied

So this worked. I called the bigip at the hosts and did two reset tasks. I will try your way now and this took a long time.


lowcher@ansible:~/app_svc_L4-7/ansible/playbooks$ ansible-playbook default_config.yml

PLAY [bigip] *****

TASK [Gathering Facts] ***
ok: [bigip1]
ok: [bigip2]

TASK [Reset the BIG-IP configuration, for example, to RMA the device] ****
changed: [bigip2 -> localhost]
changed: [bigip1 -> localhost]

TASK [Reset the BIG-IP configuration, for example, to RMA the device] ****
changed: [bigip1 -> localhost]
changed: [bigip2 -> localhost]

PLAY RECAP ***
bigip1 : ok=3 changed=2 unreachable=0 failed=0
bigip2 : ok=3 changed=2 unreachable=0 failed=0

caphrim007 commented 6 years ago

The following should work

---
  - hosts: "bigip1:bigip2"
    connection: local
    tasks:
      - name: Reset the BIG-IP configuration, for example, to RMA the device
        bigip_config:
          reset: yes
          save: yes
          server: "{{ inventory_hostname }}"
          password: "{{ password }}"
          user: admin
          validate_certs: no

caphrim007 commented 6 years ago

@mlowcher61 replied

What if I have other items such as

[webserver]
Web1
Web2
[proxy]
proxy1
proxy2

Won’t that try those as well?

mlowcher61 commented 6 years ago

Yes. I did that

Thx


caphrim007 commented 6 years ago

The hosts: "bigip1:bigip2" limits the playbook to only be run on the hosts in the hosts line. So no.

caphrim007 commented 6 years ago

@mlowcher61 replied

Tim,

Actually, below just worked as well. Which is much better if I’m trying to address a lot of devices at once such as a geolocation db update.

Thanks for your help!

---
  - hosts: bigip
    connection: local
    tasks:
      - name: Reset the BIG-IP configuration, for example, to RMA the device
        bigip_config:
          reset: yes
          save: yes
          server: "{{ inventory_hostname }}"
          password: "{{ password }}"
          user: admin
          validate_certs: no
        delegate_to: localhost

caphrim007 commented 6 years ago

closing as this issue seems to be resolved now