ansible-collections / cisco.nxos

Ansible Network Collection for Cisco NXOS
GNU General Public License v3.0

cisco.nxos.nxos_command send "show version" command #863

Open tonytjo opened 1 month ago

tonytjo commented 1 month ago
SUMMARY

In one of our customers' environments, their security team needs to individually allow each command issued to Cisco NXOS.

We are using cisco.nxos.nxos_command to issue commands.

However, we find that Ansible will issue the "show version" command to the switch before the actual commands specified in our Ansible nxos_command playbook.

The security team of the customer is challenging us about why extra commands are executed.

Also, in the customer's environment, the show version and show inventory commands cause a command timeout error when executing the playbook, so none of the commands can be issued on the switch.

ISSUE TYPE
COMPONENT NAME

nxos_command

ANSIBLE VERSION

ansible --version

ansible [core 2.14.5]
  config file = /home/user/.ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.9/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/local/bin/ansible
  python version = 3.9.16 (main, May 31 2023, 12:21:58) [GCC 8.5.0 20210514 (Red Hat 8.5.0-18)] (/bin/python3.9)
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

ansible-galaxy collection list cisco.nxos

# /home/user/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.nxos 5.2.1

# /usr/local/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.nxos 4.3.0

CONFIGURATION

ansible-config dump --only-changed

CONFIG_FILE() = /home/user/.ansible.cfg
DEFAULT_STDOUT_CALLBACK(/home/user/.ansible.cfg) = json
HOST_KEY_CHECKING(/home/user/.ansible.cfg) = False

OS / ENVIRONMENT

Red Hat 8.8

Cisco Nexus 9K 10.1.2

STEPS TO REPRODUCE

We have developed a frontend for the customer to manage the switches.

In the backend we will manipulate the switches.

For example in the frontend, the customer can disable port-security of an interface:

- name: Disable port-security
  cisco.nxos.nxos_command:
    commands:
      - "configure terminal"
      - "interface {{interfaceName}}"
      - "no switchport port-security"
      - "end"

EXPECTED RESULTS

Only the specified commands in the playbook are executed in the switch.

ACTUAL RESULTS

Before the specified commands in the playbook are executed, "show version" command is executed in the switch.

Module failure returned with message: "command timeout triggered, timeout value is 30 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."

We have tried changing ansible_network_cli_ssh_type to paramiko, the message becomes: "timeout value 30 seconds reached while trying to send command b'show version'"

Meanwhile, if we manually SSH directly to the switch and execute the commands in the playbook (without "show version" or "show inventory"), the commands execute successfully without error.
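Added example, not part of this issue or of the cisco.nxos collection's code: a small Python audit that compares the commands the switch actually recorded against the playbook task's command list, so a security team that allows commands individually can see exactly which extra commands (here "show version" and "show inventory") arrived from the connection layer rather than from the task. The log lines are constructed, and the accounting-log field layout and the use of " ; " as the separator for config-mode commands are assumptions; the interface name Ethernet1/1 is a constructed value standing in for {{interfaceName}}.

```python
import re
from typing import Dict, List, Tuple

# Commands the playbook task is allowed to send: the four commands from the
# issue's task. "Ethernet1/1" is a constructed value for {{interfaceName}}.
PLAYBOOK_ALLOWLIST = [
    "configure terminal",
    "interface Ethernet1/1",
    "no switchport port-security",
    "end",
]

# Constructed sample in the style of NX-OS "show accounting log" output. The exact
# field layout is an assumption for this example, not captured from a real switch:
# <timestamp>:type=<kind>:id=<src>@<tty>:user=<name>:cmd=<command> (<RESULT>)
SAMPLE_ACCOUNTING_LOG = """\
Mon Jul 10 10:00:02 2023:type=update:id=10.0.0.5@pts/1:user=ansible:cmd=show version (SUCCESS)
Mon Jul 10 10:00:03 2023:type=update:id=10.0.0.5@pts/1:user=ansible:cmd=show inventory (SUCCESS)
Mon Jul 10 10:00:04 2023:type=update:id=10.0.0.5@pts/1:user=ansible:cmd=configure terminal ; interface Ethernet1/1 ; no switchport port-security (SUCCESS)
Mon Jul 10 10:00:05 2023:type=update:id=10.0.0.5@pts/1:user=ansible:cmd=end (SUCCESS)
"""

# Timestamp contains colons, so match it lazily up to the four-digit year.
RECORD_RE = re.compile(
    r"^(?P<ts>.+? \d{4}):type=(?P<type>\w+):id=(?P<id>[^:]+):user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?) \((?P<result>\w+)\)$"
)


def parse_accounting_log(text: str) -> List[Dict[str, str]]:
    """Parse log lines into dicts; lines that do not match the assumed shape are skipped."""
    records = []
    for line in text.splitlines():
        match = RECORD_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def normalize(command: str) -> str:
    """Collapse whitespace and lowercase so 'show  Version' and 'show version' compare equal."""
    return " ".join(command.split()).lower()


def commands_in_record(record: Dict[str, str]) -> List[str]:
    """Split a config-mode record that folds several commands into one line (assumed ' ; ' separator)."""
    return [normalize(part) for part in record["cmd"].split(" ; ") if part.strip()]


def audit_commands(log_text: str, allowlist: List[str]) -> Dict[str, list]:
    """Return every command the switch recorded and the subset not in the allowlist."""
    allowed = {normalize(c) for c in allowlist}
    seen: List[str] = []
    unexpected: List[Tuple[str, str, str]] = []
    for record in parse_accounting_log(log_text):
        for command in commands_in_record(record):
            seen.append(command)
            if command not in allowed:
                unexpected.append((record["ts"], record["user"], command))
    return {"seen": seen, "unexpected": unexpected}


if __name__ == "__main__":
    report = audit_commands(SAMPLE_ACCOUNTING_LOG, PLAYBOOK_ALLOWLIST)
    print(f"{len(report['seen'])} commands recorded, "
          f"{len(report['unexpected'])} outside the playbook allowlist")
    for ts, user, command in report["unexpected"]:
        print(f"  {ts} user={user} cmd={command!r}")
```

Point the script at the switch's real accounting output and adjust RECORD_RE to the format it actually emits; the allowlist is deliberately the task's own command list, so anything the report flags is by definition traffic the playbook did not ask for and the team can decide whether to permit it or not.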