Closed leungk1234 closed 3 months ago
Looks like the error I got is when I install the IBM roles from "/opt/bin/ansible-galaxy collection install ibm.isam" (1 year old), which is a much updated version of the roles. Now if I replace that with the one from https://github.com/IBM-Security/isam-ansible-roles (2 years old) I get a totally different error. BTW the documentation for https://github.com/IBM-Security/isam-ansible-roles on how to install doesn't work at all. I have to download the zip and copy it over to the IBM roles directory. This is the error I got when it reaches the get firmware code of report_fix_levels.yml:
```
fatal: [isam10]: FAILED! => {"changed": false, "msg": "Unsupported parameters for (isam) module: appliance, lmi_port, password, username. Supported parameters include: action, force, log, isamapi."}
```

```yaml
- name: Get Firmware Level
  ibm.isam.isam:
    log: "{{ log_level | default('INFO') }}"
    force: "{{ force | default(False) }}"
    action: ibmsecurity.isam.base.firmware.get
  register: ret_obj

- name: Set variable for use by rest of playbook
  set_fact:
    firmware_ret_obj: "{{ ret_obj }}"
```
If there are differences, why do you guys keep 2 different versions of roles out there? When should we use which version of roles? The latest version of roles doesn't have a start_config role at all.
You need the ibm.isam collection, so the new roles. They no longer use the start_config.
I use the new playbook yaml files, which no longer have the start_config in there, but I see a different error now:

```
task path: /apps/ansible/isam-playbook/report_fix_levels.yml:5
<192.168.42.148> ESTABLISH SSH CONNECTION FOR USER: admin
<192.168.42.148> SSH: EXEC sshpass -d10 ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=443 -o 'IdentityFile="/apps/ansible/.ssh/known_hosts"' -o 'User="admin"' -o ConnectTimeout=10 -o ControlPath=/apps/ansible/.ansible/cp/e392d76273 192.168.42.148 '/bin/sh -c '"'"'echo ~admin && sleep 0'"'"''
<192.168.42.148> (255, b'', b'ssh_exchange_identification: Connection closed by remote host\r\n')
fatal: [isam10]: UNREACHABLE! => {
    "changed": false,
    "msg": "Failed to connect to the host via ssh: ssh_exchange_identification: Connection closed by remote host",
    "unreachable": true
}

PLAY RECAP *****
isam10 : ok=0 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0
```
Looks like it is attempting to use the cli to connect to the ISAM appliances. I know for sure this is working fine for SSH but did you notice the port above mentioned 443?
ibm.isam.get_memory_statistics is found in the report_memory_statistics.yml but looking at the collection I do not see this role in the role directory at all.
The system_alerts.yml file contains roles that are missing the "ibm.isam." prefix for each role.
I have a playbook file as this:

```yaml
- name: Get CPU Statistics
  hosts: isam10
  connection: local
  tasks:
    - name: CPU stats
      ibm.isam.isam:
        log: default('INFO')
        force: True
        action: ibmsecurity.isam.statistics.get_cpu
        isamapi:
          statistics_duration: 6d
      register: ret_obj
      when: statistics_duration is defined

    - name: Set variable for use by rest of playbook
      set_fact:
        cpu_stats_obj: "{{ ret_obj }}"
      when: statistics_duration is defined
```
this is the error I got: fatal: [isam10]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"ansible.legacy.setup": {"failed": true, "module_stderr": "Shared connection to 192.168.42.148 closed.\r\n", "module_stdout": "Unknown command: /bin/sh -c '/opt/bin/python3 '\"'\"'top Return\r\nto the top level./AnsiballZ_setup.py'\"'\"' && sleep 0'\r\nCurrent mode commands:\r\ndiagnostics Work with the IBM Security Verify Access diagnostics.\r\nfirmware Work with firmware images.\r\nfixpacks Work with fix packs.\r\nhardware Work with the hardware settings.\r\nisam Work with the IBM Security Verify Access settings.\r\nlicense Work with licenses.\r\nlmi Work with the local management interface.\r\nlmt Work with the license metric tool.\r\nmanagement Work with management settings.\r\nnetwork Work with network settings.\r\npending_changes Work with the IBM Security Verify Access pending changes.\r\nsnapshots Work with policy snapshot files.\r\nsupport Work with support information files.\r\ntools Work with network diagnostic tools.\r\nupdates Work with firmware and security updates.\r\nGlobal commands:\r\nback Return to the previous command mode.\r\nexit Log off from the appliance.\r\nhelp Display information for using the specified command.\r\nreboot Reboot the appliance.\r\nshutdown End system operation and turn off the power.\r\ntop Return to the top level.\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 0}}, "msg": "The following modules failed to execute: ansible.legacy.setup\n"}
It appears that it is executing ssh into the appliance's ssh console and executed the following: opt/bin/python3, which of course will fail.
Am I missing something here in my playbook?
The strange thing is, why would the module use ssh for the statistics and not the LMI call?
I have the following code:

```python
# ......
if __name__ == "__main__":
    """
    This test program should not execute when imported, which would otherwise
    cause problems when generating the documentation.
    """
    u = ApplianceUser(username="admin@local", password="admin")
    # Create an ISAM appliance with above credential
    isam_server = ISAMAppliance(hostname="192.168.42.148", user=u, lmi_port=443)
    # Get the current SNMP monitoring setup details
    p(ibmsecurity.isam.base.overview.get(isamAppliance=isam_server))
```
and I tested it out it did work: [2021-10-29 11:36:06,125] [PID:33334 TID:140712185812800] [DEBUG] [ibmsecurity.appliance.ibmappliance] [_log_response():678] Response: 0 { 'changed': False, 'data': { 'available': {}, 'dca': { 'ip_rep': { 'curr.version': '0.00000000', 'date': 'Never', 'percent': '0', 'status': 'Waiting'}, 'ipr.feedback': 'No', 'ipr.include_info_in_ips_events': 'No', 'ipr.update.auto': 'Yes', 'update.auto': 'Yes', 'url_category': { 'curr.version': '0.00000000', 'date': 'Never', 'percent': '0', 'status': 'Waiting'}, 'use_proxy': 'No', 'web_application': { 'curr.version': '0.00000000', 'date': 'Never', 'percent': '0', 'status': 'Waiting'}, 'weblearn': 'No'}, 'system': { 'build_label': '20210610-0034', 'product_description': 'IBM Security Verify Access', 'product_modules': { 'firmware': { 'install_date': 'N/A', 'name': 'Firmware', 'version': '10.0.2.0'}, 'ipm': { 'install_date': 'N/A', 'name': 'X-Force Content', 'version': '32.075'}}, 'product_version': '10.0.2.0', 'update_allowed_types': ['firmware', 'ips']}}, 'rc': 0, 'status_code': 0, 'warnings': []}
So I know for sure the ibmsecurity module did install correctly and works. The main issue is that the IBM roles are the culprit.
so what is the variable name for sec_master and sec_master password for the new collection of roles?
Is it still the same as this one:

```yaml
sec_master_id: "sec_master"
sec_master_pwd: "{{vault_sec_master_pwd}}"
```
Are you running the playbook using isam-ansible-collection? The isam-ansible-collection is not just a collection of playbooks and roles, it also has connection plugins, so when you run the playbook your environment has to be set up to use the isam-ansible-collection.
Yes, that is what I am using. So here is the end product for the inventories that works for isam, pdadmin and also compare:

hosts:

```ini
[isam_sandbox]
vap0xxx.allstate.com

[isam_sandbox:vars]
ansible_connection="ibm.isam.isam"
ansible_isam_port="443"
ansible_python_interpreter="/opt/bin/python3"
master_lmi_port="443"
```

```yaml
ansible_isam_username: "admin@local"
ansible_isam_password: "xxxxx"
sec_master_id: "sec_master"
sec_master_pwd: "xxxx"
master_username: "admin@local"
master_password: "xxxxx"
```
I do not know which sec_master line is the one that works in pdadmin.yml and also compare.yml, but it works with both in there.
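An added example, not part of the thread or of the ibm.isam collection: a small check of an INI inventory against the settings used by the working inventory posted above (`ansible_connection="ibm.isam.isam"` and `ansible_isam_port`), which also flags password variables stored as literals instead of being templated from another variable as in `sec_master_pwd: "{{vault_sec_master_pwd}}"`. The sample inventory, its host name and the function names are constructed for illustration.

```python
import re

# Constructed sample modelled on the inventory posted above; host and values are placeholders.
SAMPLE_INVENTORY = """\
[isam_sandbox]
isam10.example.test

[isam_sandbox:vars]
ansible_connection="ibm.isam.isam"
ansible_isam_port="443"
ansible_isam_password="xxxxx"
sec_master_pwd="{{ vault_sec_master_pwd }}"
"""

SECTION = re.compile(r"^\[([^\]:]+)(:vars)?\]$")
SECRET_KEY = re.compile(r"(password|pwd)$", re.IGNORECASE)
TEMPLATED = re.compile(r"^\{\{.+\}\}$")  # value comes from another variable, e.g. a vaulted one

def parse_group_vars(text):
    """Return {group: {key: value}} for each [group:vars] section of an INI inventory."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        match = SECTION.match(line)
        if match:
            current = match.group(1) if match.group(2) else None
            if current:
                groups.setdefault(current, {})
        elif current and "=" in line:
            key, value = line.split("=", 1)
            groups[current][key.strip()] = value.strip().strip("\"'")
    return groups

def check_inventory(text):
    """Return sorted (group, issue, detail) tuples for settings that differ from the working setup."""
    findings = []
    for group, gvars in parse_group_vars(text).items():
        conn = gvars.get("ansible_connection")
        if conn != "ibm.isam.isam":
            findings.append((group, "connection", str(conn)))
        if "ansible_isam_port" not in gvars:
            findings.append((group, "missing", "ansible_isam_port"))
        for key, value in gvars.items():
            if SECRET_KEY.search(key) and not TEMPLATED.match(value):
                findings.append((group, "plaintext-secret", key))
    return sorted(findings)
```

Calling `check_inventory(SAMPLE_INVENTORY)` reports only the literal `ansible_isam_password`; an inventory that leaves the connection as `local` is reported under `connection`.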
Just looking at the roles for access policy: I do not see any roles to list or delete an access policy in the IBM ansible roles. The only role there is to set the access policy.
```
<10.85.158.21> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.85.158.21> EXEC /bin/sh -c 'echo ~root && sleep 0'
<10.85.158.21> EXEC /bin/sh -c '( umask 77 && mkdir -p " echo /root/.ansible/tmp "&& mkdir "echo /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494 " && echo ansible-tmp-1634671937.5714831-5637-197440173555494="echo /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494 " ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/ibm/isam/plugins/modules/isamadmin.py
<10.85.158.21> PUT /root/.ansible/tmp/ansible-local-5629rqyvc4rk/tmpe637qbon TO /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py
<10.85.158.21> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/ /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py && sleep 0'
<10.85.158.21> EXEC /bin/sh -c '/opt/bin/python3 /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py && sleep 0'
<10.85.158.21> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py", line 100, in
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py", line 92, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.ibm.isam.plugins.modules.isamadmin', init_globals=dict(_module_fqn='ansible_collections.ibm.isam.plugins.modules.isamadmin', _modlib_path=modlib_path),
  File "/opt/lib/python3.9/runpy.py", line 210, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/opt/lib/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/opt/lib/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/modules/isamadmin.py", line 114, in
  File "/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/modules/isamadmin.py", line 92, in main
  File "/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/module_utils/isam.py", line 16, in init
  File "/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible/module_utils/connection.py", line 124, in init
AssertionError: socket_path must be a value
fatal: [10.85.158.21]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n File \"/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py\", line 100, in \n _ansiballz_main()\n File \"/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py\", line 92, in _ansiballz_main\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n File \"/root/.ansible/tmp/ansible-tmp-1634671937.5714831-5637-197440173555494/AnsiballZ_isamadmin.py\", line 40, in invoke_module\n runpy.run_module(mod_name='ansible_collections.ibm.isam.plugins.modules.isamadmin', init_globals=dict(_module_fqn='ansible_collections.ibm.isam.plugins.modules.isamadmin', _modlib_path=modlib_path),\n File \"/opt/lib/python3.9/runpy.py\", line 210, in run_module\n return _run_module_code(code, init_globals, run_name, mod_spec)\n File \"/opt/lib/python3.9/runpy.py\", line 97, in _run_module_code\n _run_code(code, mod_globals, init_globals,\n File \"/opt/lib/python3.9/runpy.py\", line 87, in _run_code\n exec(code, run_globals)\n File \"/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/modules/isamadmin.py\", line 114, in \n File \"/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/modules/isamadmin.py\", line 92, in main\n File \"/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible_collections/ibm/isam/plugins/module_utils/isam.py\", line 16, in init\n File \"/tmp/ansible_ibm.isam.isamadmin_payload_2wi20nu3/ansible_ibm.isam.isamadmin_payload.zip/ansible/module_utils/connection.py\", line 124, in init\nAssertionError: socket_path must be a value\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}
```

Is it missing some configuration properties that cause isam.py to behave this way?