ansible-collections / cisco.ios

Ansible Network Collection for Cisco IOS
GNU General Public License v3.0

ios_config changing config when not necessary #171

Closed bile0026 closed 3 years ago

bile0026 commented 3 years ago
SUMMARY

ios_config seems to be wrongly identifying lines that need to be changed when using a config template with the ios_config module.

ISSUE TYPE
COMPONENT NAME

ios_config

ANSIBLE VERSION

ansible 2.9.13
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.17 (default, Jul 20 2020, 15:37:01) [GCC 7.5.0]

CONFIGURATION

Defaults

OS / ENVIRONMENT

Linux NetworkAutomation-1 5.3.0-51-generic #44~18.04.2-Ubuntu SMP Thu Apr 23 14:27:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

STEPS TO REPRODUCE

Run playbook twice in a row.

Full playbook at https://github.com/bile0026/cisco_compliance

- name: Check and set cisco compliance configuration items
  hosts: reachable
  gather_facts: False
  connection: network_cli
  vars:
    ansible_network_os: ios
  collections:
    - cisco.ios

  tasks:
    - include_vars: vars/vars.yml

    - name: Gather device information
      cisco.ios.ios_facts:

    - name: Generate 3560 Config
      template:
        src: templates/3560cx_compliance_template.j2
        dest: /tmp/{{ ansible_host }}.cfg

    - name: Apply Config
      cisco.ios.ios_config:
        backup: yes
        src: /tmp/{{ ansible_host }}.cfg
        diff_against: intended
        intended_config: /tmp/{{ ansible_host }}.cfg
      # save_when: modified
      register: config_results

EXPECTED RESULTS

Expect that on the second run, the changes should be remediated by the first run and there should be no required changes.

ACTUAL RESULTS

Several of the lines of config re-apply each time no matter how many times you run the job. Changes are present on the device as they should be after the first run.

no ip domain lookup
ip domain name test.com
ip access-list extended PROTECT_SSH
10 permit tcp 10.0.0.0 0.255.255.255 any eq 22
100 deny ip any any log
ip access-list standard PROTECT_SNMP
10 permit 192.168.0.1
20 permit 192.168.0.2
150 deny any log
logging source-interface g0/0

justjais commented 3 years ago

@bile0026 can you please check and update if the commands being applied in each run are exactly the same as applied in running-config. Otherwise, if it's not exactly the same, ios_config would try to apply the config in each play run.

mihudec commented 3 years ago

Hi @bile0026, given the config lines you provided, I believe this might be a spacing issue. First, the ACL entry lines should be indented with 1 space, so the ios_config module knows those are part of the ACL section (or children of the ip access-list ... parent). Second, if you look at the device config, you will see that between the ACE sequence number and action, there might be more than 1 space. Try copying the full ACL config section from your device and then re-push it via Ansible. You always need to make sure that the templated config is exactly the same as seen in running-config. Hope this helps.

bile0026 commented 3 years ago

> @bile0026 can you please check and update if the commands being applied in each run are exactly the same as applied in running-config. Otherwise, if it's not exactly the same, ios_config would try to apply the config in each play run.

The commands are what's listed in that last section of the report. Those are the ones that run each time, even though the config is present.

bile0026 commented 3 years ago

> Hi @bile0026, given the config lines you provided, I believe this might be a spacing issue. First, the ACL entry lines should be indented with 1 space, so the ios_config module knows those are part of the ACL section (or children of the ip access-list ... parent). Second, if you look at the device config, you will see that between the ACE sequence number and action, there might be more than 1 space. Try copying the full ACL config section from your device and then re-push it via Ansible. You always need to make sure that the templated config is exactly the same as seen in running-config. Hope this helps.

Yes, I will try this and provide an update.

bile0026 commented 3 years ago

> > Hi @bile0026, given the config lines you provided, I believe this might be a spacing issue. First, the ACL entry lines should be indented with 1 space, so the ios_config module knows those are part of the ACL section (or children of the ip access-list ... parent). Second, if you look at the device config, you will see that between the ACE sequence number and action, there might be more than 1 space. Try copying the full ACL config section from your device and then re-push it via Ansible. You always need to make sure that the templated config is exactly the same as seen in running-config. Hope this helps.
>
> Yes, I will try this and provide an update.

Spacing did seem to be the issue. Thank you for the pointers.
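
The spacing mismatch diagnosed in this thread, as an added example that is not part of the original issue or of the cisco.ios code: a simplified model of an indentation-aware, exact-text line comparison that flags templated lines already present on the device but differing only in indentation or spacing. The running-config sample is constructed, and `parse`, `squash` and `classify` are hypothetical helper names; ios_config's own comparison logic is not reproduced here.

```python
def parse(config_text):
    """Return (parents, line) pairs; leading spaces decide which section owns a line."""
    entries, stack = [], []  # stack holds (indent, line) for each open section
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        entries.append((tuple(text for _, text in stack), line))
        stack.append((indent, line))
    return entries

def squash(line):
    """Collapse runs of whitespace so '150 deny   any log' equals '150 deny any log'."""
    return " ".join(line.split())

def classify(intended_text, running_text):
    """Label each intended line: match, whitespace-only (re-applied every run), missing."""
    running = parse(running_text)
    exact = set(running)
    loose = {squash(line) for _, line in running}
    report = []
    for parents, line in parse(intended_text):
        if (parents, line) in exact:
            status = "match"
        elif squash(line) in loose:
            status = "whitespace-only"
        else:
            status = "missing"
        report.append((status, line))
    return report

# Template lines as posted in the issue: ACL entries flush left, single spaces.
TEMPLATE_AS_POSTED = "\n".join([
    "no ip domain lookup", "ip domain name test.com",
    "ip access-list standard PROTECT_SNMP",
    "10 permit 192.168.0.1", "20 permit 192.168.0.2", "150 deny any log"])
# Constructed running-config (assumption): entries indented one space, extra spacing.
RUNNING_CONFIG = "\n".join([
    "no ip domain lookup", "ip access-list standard PROTECT_SNMP",
    " 10 permit 192.168.0.1", " 20 permit 192.168.0.2", " 150 deny   any log"])
# Corrected template: ACL section copied from the device output, plus the new line.
TEMPLATE_FIXED = "ip domain name test.com\n" + RUNNING_CONFIG

if __name__ == "__main__":
    for status, line in classify(TEMPLATE_AS_POSTED, RUNNING_CONFIG):
        print(f"{status:16}{line}")
```

Lines reported as `whitespace-only` are the ones to correct in the template; once they are copied from the device output, only genuinely missing lines remain.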