ansible-collections / cisco.ios

Ansible Network Collection for Cisco IOS
GNU General Public License v3.0

Unable to implement ACLs with object groups #739

Closed netexgb closed 1 year ago

netexgb commented 1 year ago
SUMMARY

When implementing a playbook using cisco.ios.ios_acls I get the following error:

fatal: [be2012-gcp-proctor-cs.mgmt.slb.net]: FAILED! => {
    "changed": false,
    "module_stderr": "unhashable type: 'dict'",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}
ISSUE TYPE
COMPONENT NAME

cisco.ios.ios_acls

ANSIBLE VERSION
ansible [core 2.13.7]
  config file = /home/gbloise/ansible.cfg
  configured module search path = ['/home/gbloise/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/gbloise/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/gbloise/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/gbloise/.local/bin/ansible
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
COLLECTION VERSION
ansible-galaxy collection list cisco.ios

# /home/gbloise/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.ios  4.3.1

# /home/gbloise/.local/lib/python3.8/site-packages/ansible_collections
Collection Version
---------- -------
cisco.ios  4.3.1
CONFIGURATION
ansible-config dump --only-changed
DEFAULT_HOST_LIST(/home/gbloise/ansible.cfg) = ['/etc/ansible/hosts']
PERSISTENT_COMMAND_TIMEOUT(/home/gbloise/ansible.cfg) = 90
OS / ENVIRONMENT
Cisco IOS XE Software, Version 17.03.04a
Cisco IOS Software [Amsterdam], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 17.3.4a, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2021 by Cisco Systems, Inc.
Compiled Tue 20-Jul-21 04:59 by mcpre

Cisco IOS-XE software, Copyright (c) 2005-2021 by cisco Systems, Inc.
All rights reserved.  Certain components of Cisco IOS-XE software are
licensed under the GNU General Public License ("GPL") Version 2.0.  The
software code licensed under GPL Version 2.0 is free software that comes
with ABSOLUTELY NO WARRANTY.  You can redistribute and/or modify such
GPL code under the terms of GPL Version 2.0.  For more details, see the
documentation or "License Notice" file accompanying the IOS-XE software,
or the applicable URL provided on the flyer accompanying the IOS-XE
software.

ROM: IOS-XE ROMMON

be2012-gcp-proctor-cs uptime is 1 year, 20 weeks, 1 day, 2 hours, 3 minutes
Uptime for this control processor is 1 year, 20 weeks, 1 day, 2 hours, 4 minutes
System returned to ROM by reload at 16:27:51 UTC Tue Sep 14 2021
System restarted at 16:29:18 GMT Tue Sep 14 2021
System image file is "bootflash:packages.conf"
Last reload reason: Reload Command

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

License Level: appx
License Type: N/A(Smart License Enabled)
Next reload license Level: appx

The current throughput level is 10000 kbps

Smart Licensing Status: REGISTERED/AUTHORIZED

cisco CSR1000V (VXE) processor (revision VXE) with 2287893K/3075K bytes of memory.
Processor board ID 9UYUREJ0ZUN
Router operating mode: Autonomous
2 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
15332148K bytes of physical memory.
8285184K bytes of virtual hard disk at bootflash:.

Configuration register is 0x2102
STEPS TO REPRODUCE
# test_tasks_cloud_nasuni_acl_qos.yml
- name: Update Nasuni ACLs
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: QoS_Cloud_Nasuni
        acl_type: extended
        aces:
        - sequence: 10
          grant: permit
          protocol: tcp
          source:
            object_group: 'QoS_Cloud_Nasuni_On-Premises'
          destination:
            object_group: 'QoS_Cloud_Nasuni_Cloud'
            port_protocol:
              eq: '445'
        - sequence: 20
          grant: permit
          protocol: tcp
          source:
            object_group: 'QoS_Cloud_Nasuni_On-Premises'
          destination:
            object_group: 'QoS_Cloud_Nasuni_Cloud'
            port_protocol:
              eq: '443'
        - sequence: 30
          grant: permit
          protocol: tcp
          source:
            object_group: 'QoS_Cloud_Nasuni_On-Premises'
          destination:
            object_group: 'QoS_Cloud_Nasuni_Cloud'
            port_protocol:
              eq: '139'
    state: replaced

# test_be2012_rmap_1.yml
- name: Pushing Import Task for TO_TRANSIT_CLOUD_GENERAL
  hosts:
    - be2012
  gather_facts: false

  tasks:
    - import_tasks: test_tasks_cloud_nasuni_acl_qos.yml

    - name: Save the Configuration
      cisco.ios.ios_config:
        save_when: modified
EXPECTED RESULTS
ip access-list extended QoS_Cloud_Nasuni
 10 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 445
 20 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 443
 30 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 139
ACTUAL RESULTS
ansible-playbook test_be2012_rmap_1.yml -k -vvvv
ansible-playbook [core 2.13.7]
  config file = None
  configured module search path = ['/home/gbloise/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/gbloise/.local/lib/python3.8/site-packages/ansible
  ansible collection location = /home/gbloise/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/gbloise/.local/bin/ansible-playbook
  python version = 3.8.10 (default, Nov 14 2022, 12:59:47) [GCC 9.4.0]
  jinja version = 3.1.2
  libyaml = True
No config file found; using defaults
SSH password:
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with yaml plugin
statically imported: /mnt/c/Users/GBloise/Repositories/SINet%20Cloud%20Infrastructure/playbooks/test_tasks_cloud_nasuni_acl_qos.yml
Loading collection cisco.ios from /home/gbloise/.ansible/collections/ansible_collections/cisco/ios
redirecting (type: action) cisco.ios.ios_acls to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_config to cisco.ios.ios
Loading callback plugin default of type stdout, v2.0 from /home/gbloise/.local/lib/python3.8/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test_be2012_rmap_1.yml ****************************************************************************************************************************************************************************************************************************
Positional arguments: test_be2012_rmap_1.yml
verbosity: 4
connection: smart
timeout: 10
ask_pass: True
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 5
1 plays in test_be2012_rmap_1.yml

PLAY [Pushing Import Task for TO_TRANSIT_CLOUD_GENERAL] *****************************************************************************************************************************************************************************************************
META: ran handlers
redirecting (type: action) cisco.ios.ios_acls to cisco.ios.ios
Loading collection ansible.netcommon from /home/gbloise/.ansible/collections/ansible_collections/ansible/netcommon

TASK [Update Nasuni ACLs] ***********************************************************************************************************************************************************************************************************************************
task path: /mnt/c/Users/GBloise/Repositories/SINet%20Cloud%20Infrastructure/playbooks/test_tasks_cloud_nasuni_acl_qos.yml:3
redirecting (type: terminal) ansible.builtin.ios to cisco.ios.ios
redirecting (type: cliconf) ansible.builtin.ios to cisco.ios.ios
<be2012-gcp-proctor-cs.mgmt.slb.net> attempting to start connection
<be2012-gcp-proctor-cs.mgmt.slb.net> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/gbloise/.local/bin/ansible-connection
<be2012-gcp-proctor-cs.mgmt.slb.net> local domain socket does not exist, starting it
<be2012-gcp-proctor-cs.mgmt.slb.net> control socket path is /home/gbloise/.ansible/pc/f66c3593ef
<be2012-gcp-proctor-cs.mgmt.slb.net> Loading collection ansible.netcommon from /home/gbloise/.ansible/collections/ansible_collections/ansible/netcommon
<be2012-gcp-proctor-cs.mgmt.slb.net> redirecting (type: terminal) ansible.builtin.ios to cisco.ios.ios
<be2012-gcp-proctor-cs.mgmt.slb.net> Loading collection cisco.ios from /home/gbloise/.ansible/collections/ansible_collections/cisco/ios
<be2012-gcp-proctor-cs.mgmt.slb.net> redirecting (type: cliconf) ansible.builtin.ios to cisco.ios.ios
<be2012-gcp-proctor-cs.mgmt.slb.net> local domain socket listeners started successfully
<be2012-gcp-proctor-cs.mgmt.slb.net> loaded cliconf plugin ansible_collections.cisco.ios.plugins.cliconf.ios from path /home/gbloise/.ansible/collections/ansible_collections/cisco/ios/plugins/cliconf/ios.py for network_os ios
<be2012-gcp-proctor-cs.mgmt.slb.net> ssh type is set to auto
<be2012-gcp-proctor-cs.mgmt.slb.net> autodetecting ssh_type
[WARNING]: ansible-pylibssh not installed, falling back to paramiko
<be2012-gcp-proctor-cs.mgmt.slb.net> ssh type is now set to paramiko
<be2012-gcp-proctor-cs.mgmt.slb.net>
<be2012-gcp-proctor-cs.mgmt.slb.net> local domain socket path is /home/gbloise/.ansible/pc/f66c3593ef
redirecting (type: action) cisco.ios.ios_acls to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_acls to cisco.ios.ios
<be2012-gcp-proctor-cs.mgmt.slb.net> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<be2012-gcp-proctor-cs.mgmt.slb.net> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.ios.ios_acls  at /home/gbloise/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py
<be2012-gcp-proctor-cs.mgmt.slb.net> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.ios.ios_acls
<be2012-gcp-proctor-cs.mgmt.slb.net> ANSIBLE_NETWORK_IMPORT_MODULES: complete
fatal: [be2012-gcp-proctor-cs.mgmt.slb.net]: FAILED! => {
    "changed": false,
    "module_stderr": "unhashable type: 'dict'",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error"
}

PLAY RECAP **************************************************************************************************************************************************************************************************************************************************
be2012-gcp-proctor-cs.mgmt.slb.net : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

netexgb commented 1 year ago

In order to check how wrong I configured the ansible playbook, I configured in the router the ACL I need:

ip access-list extended QoS_Cloud_Nasuni
 10 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 445
 20 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 443
 30 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 139

Then I gathered the configuration from the router and parsed it into YAML, using the following playbook:

---
- name: Access List Parsing
  hosts:
    - be2012
  gather_facts: True

  tasks:
    - name: Gather the Access List Configuration in the router
      # when: inventory_hostname == "us1896-atlanta3-internet-cs.mgmt.slb.net"
      cisco.ios.ios_acls:
        state: gathered
      register: acls
    - name: Write ACLs configuration to a file
      ansible.builtin.copy:
        content: "{{ {'acls': acls['gathered']} | to_nice_yaml }}"
        dest: "acls_gathered.yaml"

And interestingly I got the following about the ACL that has the object groups:

acls:
-   acls:
        - {}
        acl_type: extended
        name: QoS_Cloud_Nasuni
Notice the {} denoting a dictionary.
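The gathered output above is the useful clue: an ACE that the module cannot represent comes back as an empty dict, and a `state: replaced` run built on top of such a gather cannot compare the intended and existing entries. The following is an added example, not code from the cisco.ios collection and not the reporter's playbook: a small stand-alone parser that turns the hand-configured ACL text into the same `acls`/`aces` dict shape the module documents (covering `object-group`, `any`, `host` and address/wildcard endpoints, so it goes slightly beyond the object-group case in the issue), plus a pre-flight check, `find_empty_aces`, that flags gathered ACEs which parsed to `{}` so an operator can stop before a replace operation drops entries the module never understood. The function names, the `options` key and the sample text are assumptions constructed for this example.

```python
"""Added example (not part of the cisco.ios collection): parse IOS extended
ACE lines, including object-group endpoints, into the ios_acls-style dict
shape, and flag gathered ACEs that came back as empty dicts before a
`state: replaced` push. Names and sample input are constructed here."""
import re

# Constructed sample: the ACL the reporter configured by hand on the router.
SAMPLE_RUNNING_CONFIG = """\
ip access-list extended QoS_Cloud_Nasuni
 10 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 445
 20 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 443
 30 permit tcp object-group QoS_Cloud_Nasuni_On-Premises object-group QoS_Cloud_Nasuni_Cloud eq 139
"""

ACL_HEADER = re.compile(r"^ip access-list extended (?P<name>\S+)$")
PORT_OPS = ("eq", "gt", "lt", "neq")


def _parse_endpoint(tokens):
    """Consume one source/destination endpoint from `tokens` and return
    (endpoint_dict, remaining_tokens). Handles object-group, any, host and
    address/wildcard forms, each followed by an optional port operator."""
    if tokens[0] == "object-group":
        ep, rest = {"object_group": tokens[1]}, tokens[2:]
    elif tokens[0] == "any":
        ep, rest = {"any": True}, tokens[1:]
    elif tokens[0] == "host":
        ep, rest = {"host": tokens[1]}, tokens[2:]
    else:
        ep, rest = {"address": tokens[0], "wildcard_bits": tokens[1]}, tokens[2:]
    if rest and rest[0] in PORT_OPS:
        ep["port_protocol"] = {rest[0]: rest[1]}
        rest = rest[2:]
    elif rest and rest[0] == "range":
        ep["port_protocol"] = {"range": {"start": rest[1], "end": rest[2]}}
        rest = rest[3:]
    return ep, rest


def parse_ace(line):
    """Parse one extended ACE line into an ios_acls-style ACE dict."""
    tokens = line.split()
    sequence = int(tokens.pop(0)) if tokens[0].isdigit() else None
    grant, protocol = tokens[0], tokens[1]
    source, rest = _parse_endpoint(tokens[2:])
    destination, rest = _parse_endpoint(rest)
    ace = {"grant": grant, "protocol": protocol,
           "source": source, "destination": destination}
    if sequence is not None:
        ace["sequence"] = sequence
    if rest:  # trailing keywords such as 'log' or 'established' (assumed key name)
        ace["options"] = rest
    return ace


def parse_acls(text):
    """Parse running-config ACL text into the `acls` list shape."""
    acls, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            current = {"name": m.group("name"), "acl_type": "extended", "aces": []}
            acls.append(current)
        elif current is not None and line:
            current["aces"].append(parse_ace(line))
    return acls


def find_empty_aces(acls):
    """Return (acl_name, index) for every ACE that is an empty dict.
    An empty ACE means the gather could not represent a line that exists on
    the device; replacing on top of it risks silently dropping that line."""
    return [(acl["name"], i)
            for acl in acls
            for i, ace in enumerate(acl.get("aces", []))
            if not ace]


if __name__ == "__main__":
    parsed = parse_acls(SAMPLE_RUNNING_CONFIG)
    print(parsed[0]["aces"][0])
    # Constructed copy of the gathered structure shown in this issue.
    gathered_from_issue = [{"name": "QoS_Cloud_Nasuni", "acl_type": "extended", "aces": [{}]}]
    print(find_empty_aces(gathered_from_issue))
```

Running `find_empty_aces` over the `gathered` result before any `state: replaced` task is a cheap guard: if it returns anything, the gathered view is incomplete and the replace should not proceed until the missing ACEs are understood.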
jmarenco02 commented 1 year ago

I'm getting the same output. Any fix for this?

The Cisco device I'm working with is a 3850 running 16.6.6

TASK [acl : Merge provided configuration with device configuration]
fatal: [lab-3850.company.org]: FAILED! =>
  changed: false
  module_stderr: 'unhashable type: ''dict'''
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error