Multiple routers, one playbook.

[bigdestroyer]

Hi everyone,

I would like to hear if someone can assist with an example of executing commands with the community.routeros.api module to multiple routers with 1 inventry file. I looked through the examples but it seems that you have to specify the ip of the router in each play.

Hope this is enough info.

Regards Ryan

[felixfontein]

hosts:

[routers]
router1
router2

group_vars/router.yml:

ansible_connection: ansible.netcommon.network_cli
ansible_network_os: community.routeros.routeros
ansible_network_cli_ssh_type: libssh
ansible_ssh_pass: "{{ router_password }}"
ansible_user: "{{ router_username }}+cte512w"

host_vars/routerX.yml

ansible_host: 192.168.88.1
router_username: foo
router_password: bar

playbook.yml:

- hosts: routers
  name: Configure bridge
  gather_facts: false
  module_defaults:
    group/community.routeros.api:
      hostname: '{{ ansible_host }}'
      password: '{{ router_password }}'
      username: '{{ router_username }}'
      tls: true
      validate_certs: true
      validate_cert_hostname: true
      ca_path: ca.pem
      encoding: Latin1
  tasks:
    - name: Configure bridge
      community.routeros.api_find_and_modify:
        path: interface bridge
        find: {}
        values:
          comment: This is the main bridge
          name: bridge
        require_matches_min: 1
        require_matches_max: 1

The playbook uses community.routeros.api_find_and_modify, but adjusting it for community.routeros.api should be easy.

[felixfontein]

The vars in group_vars/router.yml allow me to also use the community.routeros.command module, if you just want to use API based modules you don't need that.

[bigdestroyer]

Hi,

Sorry for being blunt but do I understand correctly that ansible then goes and logs in to router x and from there to router yz?

The ansible_host variable just keeps throwing me off on how it works since ansible can ssh and login to the router itself and run the commands.

On Tue, 25 Oct 2022, 20:19 Felix Fontein, @.***> wrote:

The vars in group_vars/router.yml allow me to also use the community.routeros.command module, if you just want to use API based modules you don't need that.

— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1290966446, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4WJ3MIYTXZX4RIIMLLWFAQDDANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>

[felixfontein]

Ansible logs in to both router1 and router2 and runs the API operation on both routers.

[bigdestroyer]

Hi,

Thank you for the clarrification with that, how does the ansible_hostname variable get used. Im still unsure as to what the reason for that variable is for in the yaml file

On Tue, 25 Oct 2022, 20:55 Felix Fontein, @.***> wrote:

Ansible logs in to both router1 and router2 and runs the API operation on both routers.

— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291004033, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4SDE5AHFHGDN5AUNVLWFAUKVANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>

[felixfontein]

ansible_hostname does not appear in the YAML files. ansible_host is the IP/hostname that Ansible connects to by SSH when using the community.routeros.command module.

[bigdestroyer]

So in essence you define the routers in the hosts file in and then in the hosts_var folder create a file for connection details for each router (ip, username, password)?

On Tue, 25 Oct 2022, 21:30 Felix Fontein, @.***> wrote:

ansible_hostname does not appear in the YAML files. ansible_host is the IP/hostname that Ansible connects to by SSH when using the community.routeros.command module.

— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291038077, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4QZ4UMRWDNSHB5H2BDWFAYOBANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>

[felixfontein]

You can also define the connection details in the hosts file. Also you can put especially the passwords somewhere else if you don't want to store them in plaintext. I'm using the community.sops.sops vars plugin for that, but I didn't want to show that extra complexity in the above example.

[bigdestroyer]

Hi,

Thank you for that clarification. Would it be possible to put the router ips in the hosts file and then still one global credential for all the routers (or even credentials per host group would be even better)? If so how would such config more or less look like?

On Tue, 25 Oct 2022, 22:00 Felix Fontein, @.***> wrote:

You can also define the connection details in the hosts file. Also you can put especially the passwords somewhere else if you don't want to store them in plaintext. I'm using the community.sops.sops vars plugin for that, but I didn't want to show that extra complexity in the above example.

— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291069846, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4UTCY4BHQFWORV7Y6TWFA37DANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>

[felixfontein]

Yes, that's possible. For how to put variables like ansible_host in the hosts file please check out the Ansible documentation. You can put the credentials in group_vars/routers.yml then (routers replaced by the group you put all the MikroTik devices in; you could also use all if you only have MikroTik devices in your inventory).

[bigdestroyer]

Hi

I managed to get the connection working with the vars set. Could one connection with api-ssl with no cert on the router? I tried by enabling the tls option and having "validate_cert_hostname" and "validate_certs" disabled however I get a SSLv3 handshake error.

[felixfontein]

TLS needs a certificate, so it's unlikely that you can use API with TLS without a certificate. But you should be able to simply generate a self-signed one and install it on the router. See for example https://docs.ansible.com/ansible/devel/collections/community/routeros/docsite/api-guide.html#setting-up-encryption for how to use Ansible (the SSH based modules) to install a certificate on the router.

[bigdestroyer]

Hi

Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"

But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router

[NikolayDachev]

Hi, I'm not sure what is the problem with multiple hosts and inventory file ? example:

inventory file:

[ros_testing]
10.20.36.253
10.20.36.252

playbook

- name: ros api example
  hosts: ros_testing
  gather_facts: no
  connection: local

  tasks:
    - name: Get IP addresses
      community.routeros.api:
        hostname: "{{ inventory_hostname }}"
        password: "1234"
        username: "admin"
        path: ip address
      register: result

    - name: Print results
      ansible.builtin.debug:
        var: result.msg[0]['address']

results:

PLAY [ros api example] **********************************************************************************************************************************************

TASK [Get IP addresses] *********************************************************************************************************************************************
ok: [10.20.36.252]
ok: [10.20.36.253]

TASK [Print results] ************************************************************************************************************************************************
ok: [10.20.36.253] => 
  result.msg[0]['address']: 10.20.36.253/24
ok: [10.20.36.252] => 
  result.msg[0]['address']: 10.20.36.252/24

PLAY RECAP **********************************************************************************************************************************************************
10.20.36.252               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
10.20.36.253               : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0 

For SSL question

https://docs.ansible.com/ansible/devel/collections/community/routeros/docsite/api-guide.html#setting-up-encryption This is a great guide how to configure ROS

However I think you ask for CA ? You have 3 options

• install self-sign certificate to ROS and add self CA to your operation system
• set ca_path: PATH_TO_CA in your playbook
• set validate_certs: false in your playbook

Let me know if both examples help with this issue

[therfert]

Hi

Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"

But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router

Hi @bigdestroyer, this was recently implemeted in #124

[bigdestroyer]

Oh awesome, thank you for the contribution. That is gonna help a lot. Ibreally appreciate it.

On Mon, 14 Nov 2022, 00:25 Tomas Herfert, @.***> wrote:

Hi

Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"

But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router

Hi @bigdestroyer https://github.com/bigdestroyer, this was recently implemeted in #124 https://github.com/ansible-collections/community.routeros/pull/124

— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1312838178, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4SWCUH7C2SOMXBPLXDWIFTGHANCNFSM6AAAAAAROEVWAM . You are receiving this because you were mentioned.Message ID: @.***>

[bigdestroyer]

Closing issue for now, will re-open again or create new one if anything comes up