Closed bigdestroyer closed 10 months ago
hosts:
[routers]
router1
router2
group_vars/router.yml:
ansible_connection: ansible.netcommon.network_cli
ansible_network_os: community.routeros.routeros
ansible_network_cli_ssh_type: libssh
ansible_ssh_pass: "{{ router_password }}"
ansible_user: "{{ router_username }}+cte512w"
host_vars/routerX.yml
ansible_host: 192.168.88.1
router_username: foo
router_password: bar
playbook.yml:
- hosts: routers
name: Configure bridge
gather_facts: false
module_defaults:
group/community.routeros.api:
hostname: '{{ ansible_host }}'
password: '{{ router_password }}'
username: '{{ router_username }}'
tls: true
validate_certs: true
validate_cert_hostname: true
ca_path: ca.pem
encoding: Latin1
tasks:
- name: Configure bridge
community.routeros.api_find_and_modify:
path: interface bridge
find: {}
values:
comment: This is the main bridge
name: bridge
require_matches_min: 1
require_matches_max: 1
The playbook uses community.routeros.api_find_and_modify, but adjusting it for community.routeros.api should be easy.
The vars in group_vars/router.yml allow me to also use the community.routeros.command module, if you just want to use API based modules you don't need that.
Hi,
Sorry for being blunt but do I understand correctly that ansible then goes and logs in to router x and from there to router yz?
The ansible_host variable just keeps throwing me off on how it works since ansible can ssh and login to the router itself and run the commands.
On Tue, 25 Oct 2022, 20:19 Felix Fontein, @.***> wrote:
The vars in group_vars/router.yml allow me to also use the community.routeros.command module, if you just want to use API based modules you don't need that.
— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1290966446, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4WJ3MIYTXZX4RIIMLLWFAQDDANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>
Ansible logs in to both router1 and router2 and runs the API operation on both routers.
Hi,
Thank you for the clarrification with that, how does the ansible_hostname variable get used. Im still unsure as to what the reason for that variable is for in the yaml file
On Tue, 25 Oct 2022, 20:55 Felix Fontein, @.***> wrote:
Ansible logs in to both router1 and router2 and runs the API operation on both routers.
— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291004033, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4SDE5AHFHGDN5AUNVLWFAUKVANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>
ansible_hostname
does not appear in the YAML files. ansible_host
is the IP/hostname that Ansible connects to by SSH when using the community.routeros.command
module.
So in essence you define the routers in the hosts file in and then in the hosts_var folder create a file for connection details for each router (ip, username, password)?
On Tue, 25 Oct 2022, 21:30 Felix Fontein, @.***> wrote:
ansible_hostname does not appear in the YAML files. ansible_host is the IP/hostname that Ansible connects to by SSH when using the community.routeros.command module.
— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291038077, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4QZ4UMRWDNSHB5H2BDWFAYOBANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>
You can also define the connection details in the hosts
file. Also you can put especially the passwords somewhere else if you don't want to store them in plaintext. I'm using the community.sops.sops vars plugin for that, but I didn't want to show that extra complexity in the above example.
Hi,
Thank you for that clarification. Would it be possible to put the router ips in the hosts file and then still one global credential for all the routers (or even credentials per host group would be even better)? If so how would such config more or less look like?
On Tue, 25 Oct 2022, 22:00 Felix Fontein, @.***> wrote:
You can also define the connection details in the hosts file. Also you can put especially the passwords somewhere else if you don't want to store them in plaintext. I'm using the community.sops.sops vars plugin for that, but I didn't want to show that extra complexity in the above example.
— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1291069846, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4UTCY4BHQFWORV7Y6TWFA37DANCNFSM6AAAAAAROEVWAM . You are receiving this because you authored the thread.Message ID: @.***>
Yes, that's possible. For how to put variables like ansible_host
in the hosts file please check out the Ansible documentation. You can put the credentials in group_vars/routers.yml
then (routers
replaced by the group you put all the MikroTik devices in; you could also use all
if you only have MikroTik devices in your inventory).
Hi
I managed to get the connection working with the vars set. Could one connection with api-ssl with no cert on the router? I tried by enabling the tls option and having "validate_cert_hostname" and "validate_certs" disabled however I get a SSLv3 handshake error.
TLS needs a certificate, so it's unlikely that you can use API with TLS without a certificate. But you should be able to simply generate a self-signed one and install it on the router. See for example https://docs.ansible.com/ansible/devel/collections/community/routeros/docsite/api-guide.html#setting-up-encryption for how to use Ansible (the SSH based modules) to install a certificate on the router.
Hi
Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"
But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router
Hi, I'm not sure what is the problem with multiple hosts and inventory file ? example:
inventory file:
[ros_testing]
10.20.36.253
10.20.36.252
playbook
- name: ros api example
hosts: ros_testing
gather_facts: no
connection: local
tasks:
- name: Get IP addresses
community.routeros.api:
hostname: "{{ inventory_hostname }}"
password: "1234"
username: "admin"
path: ip address
register: result
- name: Print results
ansible.builtin.debug:
var: result.msg[0]['address']
results:
PLAY [ros api example] **********************************************************************************************************************************************
TASK [Get IP addresses] *********************************************************************************************************************************************
ok: [10.20.36.252]
ok: [10.20.36.253]
TASK [Print results] ************************************************************************************************************************************************
ok: [10.20.36.253] =>
result.msg[0]['address']: 10.20.36.253/24
ok: [10.20.36.252] =>
result.msg[0]['address']: 10.20.36.252/24
PLAY RECAP **********************************************************************************************************************************************************
10.20.36.252 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
10.20.36.253 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
For SSL question
https://docs.ansible.com/ansible/devel/collections/community/routeros/docsite/api-guide.html#setting-up-encryption This is a great guide how to configure ROS
However I think you ask for CA ? You have 3 options
ca_path: PATH_TO_CA
in your playbook validate_certs: false
in your playbook Let me know if both examples help with this issue
Hi
Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"
But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router
Hi @bigdestroyer, this was recently implemeted in #124
Oh awesome, thank you for the contribution. That is gonna help a lot. Ibreally appreciate it.
On Mon, 14 Nov 2022, 00:25 Tomas Herfert, @.***> wrote:
Hi
Thank you, I came across this page from Mikrotik hence I got a bit confused https://wiki.mikrotik.com/wiki/Manual:API-SSL where they refer to the following: "In the case no certificate is used in '/ip service' settings then anonymous Diffie-Hellman cipher have to be used to establish connection"
But if I understand you correctly I need a certificate on the Ansible host if I want to access the API-SSL version with no certificate on the router
Hi @bigdestroyer https://github.com/bigdestroyer, this was recently implemeted in #124 https://github.com/ansible-collections/community.routeros/pull/124
— Reply to this email directly, view it on GitHub https://github.com/ansible-collections/community.routeros/issues/117#issuecomment-1312838178, or unsubscribe https://github.com/notifications/unsubscribe-auth/AH4XH4SWCUH7C2SOMXBPLXDWIFTGHANCNFSM6AAAAAAROEVWAM . You are receiving this because you were mentioned.Message ID: @.***>
Closing issue for now, will re-open again or create new one if anything comes up
Hi everyone,
I would like to hear if someone can assist with an example of executing commands with the community.routeros.api module to multiple routers with 1 inventry file. I looked through the examples but it seems that you have to specify the ip of the router in each play.
Hope this is enough info.
Regards Ryan