ansible-collections / community.vmware

Ansible Collection for VMware
GNU General Public License v3.0

vmware_dvswitch: Network Policy added in 1.11.0 is not working #907

Closed BryanEaay closed 1 month ago

BryanEaay commented 3 years ago
SUMMARY

Hi there, I'm re-opening the case, in a sense (I'm the contributor of #833).

Since the release of the 1.11.0 collection, I've tried to use the Network Policy implemented in the dvswitch module. But the result is clearly not what it's supposed to be.

ISSUE TYPE
COMPONENT NAME

community.vmware.vmware_dvswitch

ANSIBLE VERSION
ansible 2.10.2
  config file = /home/gs8630/.ansible.cfg
  configured module search path = ['/home/gs8630/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/gs8630/venv/vmware/lib/python3.6/site-packages/ansible
  executable location = /home/gs8630/venv/vmware/bin/ansible
  python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

STEPS TO REPRODUCE
- name: Create dvswitch
  vmware_dvswitch:
    hostname: "{{ VMWARE_VCENTER}}"
    username: "{{ VMWARE_USER }}"
    password: "{{ VMWARE_PASSWORD }}"
    folder: "{{ VMWARE_DATACENTER}}/network/NF-{{VMWARE_CLUSTER}}"
    dvswitch: "dvs1-{{VMWARE_CLUSTER}}"
    version: 6.6.0
    uplink_quantity: 2
    discovery_protocol: lldp
    discovery_operation: both
    state: present
    network_policy:
      promiscuous: no
      forged_transmits: yes
      mac_changes: yes
    validate_certs: no
  delegate_to: localhost
  register: result

Indeed, the output is right, as you can see:

TASK [debug] ******************************************************************************************************************************************
ok: [localhost] => {
    "result": {
        "changed": false,
        "contact": null,
        "contact_details": null,
        "description": null,
        "discovery_operation": "both",
        "discovery_protocol": "lldp",
        "dvswitch": "dvs1-VG2S_TTR_03",
        "failed": false,
        "health_check_teaming": false,
        "health_check_teaming_interval": 0,
        "health_check_vlan": false,
        "health_check_vlan_interval": 0,
        "mtu": 1500,
        "multicast_filtering_mode": "basic",
        "network_policy": {
            "forged_transmits": true,
            "mac_changes": true,
            "promiscuous": false
        },
        "result": "DVS already configured properly",
        "uplink_quantity": 2,
        "uplinks": [
            "Uplink 1",
            "Uplink 2"
        ],
        "uuid": "50 1f 5e 3a fd 44 be 03-3e 78 02 25 e4 6b d7 c2",
        "version": "6.6.0"
    }
}

But here, with the following PowerCLI, it's clear that zero change has been made to the network policy of the created dvswitch:

PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> get-vdswitch -name dvs1-VG2S_TTR_03 | Get-VDSecurityPolicy

VDSwitch                       AllowPromiscuous MacChanges ForgedTransmits
--------                       ---------------- ---------- ---------------
dvs1-VG2S_TTR_03               False            False      False

EXPECTED RESULTS
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> get-vdswitch -name dvs1-VG2S_TTR_03 | Get-VDSecurityPolicy

VDSwitch                       AllowPromiscuous MacChanges ForgedTransmits
--------                       ---------------- ---------- ---------------
dvs1-VG2S_TTR_03               False            True       True 

Thanks in advance for taking a look at it!

ansibullbot commented 3 years ago

Files identified in the description: None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


BryanEaay commented 3 years ago

@mariolenz

mariolenz commented 3 years ago

I'm sorry, but I can't reproduce this in our environment. Might be a bit hard to troubleshoot this.

Although... I've created a new switch. Your task is called "Create dvswitch" but, actually, you want to set network_policy on an existing dvswitch, correct? Otherwise, I don't understand why the result is "changed": false but your PowerCLI command finds the switch.

BryanEaay commented 3 years ago

Hi @mariolenz, thank you for your answer!

I had to re-launch the task in order to get the output I pasted in the thread, yes, because on the first run, when the dvswitch is actually created, the output is pretty useless:

TASK [Création du dvSwitch] *********************************************************************************************************************************************
changed: [localhost]

TASK [debug] ************************************************************************************************************************************************************
ok: [localhost] => {
    "result": {
        "changed": true,
        "failed": false,
        "result": "DVS created"
    }
}

That's why the result was "changed": false above.

mariolenz commented 3 years ago

Sorry, I can't reproduce this in our environment (vSphere 7U2a).

Ansible version:

ansible [core 2.11.2]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /bin/ansible
  python version = 3.6.1 (default, Oct 26 2017, 01:54:52) [GCC 6.3.0]
  jinja version = 2.11.1
  libyaml = True

Collection version:

# /usr/lib/python3.6/site-packages/ansible_collections
Collection       Version
---------------- -------
community.vmware 1.11.0

My playbook:

---
- name: "Test Playbook"
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Create dvSwitch
      vmware_dvswitch:
        hostname: '{{ vcenter_ip }}'
        username: '{{ vcenter_username }}'
        password: '{{ vcenter_password }}'
        folder: "{{ VMWARE_DATACENTER }}/network/NF-VG2S_TTR_03"
        dvswitch: "dvs1-VG2S_TTR_03"
        version: 6.6.0
        uplink_quantity: 2
        discovery_protocol: lldp
        discovery_operation: both
        state: present
        network_policy:
          promiscuous: no
          forged_transmits: yes
          mac_changes: yes
        validate_certs: no

Result:

PS C:\Users\mariolenz> Get-VDSwitch -Name dvs1-VG2S_TTR_03 | Get-VDSecurityPolicy

VDSwitch                       AllowPromiscuous MacChanges ForgedTransmits
--------                       ---------------- ---------- ---------------
dvs1-VG2S_TTR_03               False            True       True

Could you show me the results from this PowerCLI code:

$dvs = Get-VDSwitch -Name dvs1-VG2S_TTR_03
$dvs.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
$dvs.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.ForgedTransmits

BryanEaay commented 3 years ago

Hi @mariolenz, I don't understand why I can't get the same result.

Here's the result you asked me from PowerCLI :

PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs = Get-VDSwitch -Name dvs1-VG2S_NACRE_TTR_003 | Get-VDSecurityPolicy
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.ForgedTransmits
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs

VDSwitch                       AllowPromiscuous MacChanges ForgedTransmits
--------                       ---------------- ---------- ---------------
dvs1-VG2S_NACRE_TTR_003        False            False      False

My playbook :

- name: Création du dvSwitch
  community.vmware.vmware_dvswitch:
    hostname: "{{ VMWARE_VCENTER }}"
    username: "{{ VMWARE_USER }}"
    password: "{{ VMWARE_PASSWORD }}"
    folder: "{{ VMWARE_DATACENTER}}/network/NF-{{awx_survey_cluster_existant }}"
    dvswitch: "dvs1-{{awx_survey_cluster_existant}}"
    version: 6.6.0
    uplink_quantity: 2
    discovery_protocol: lldp
    discovery_operation: both
    state: present
    network_policy:
      promiscuous: no
      forged_transmits: yes
      mac_changes: yes
    validate_certs: no
  delegate_to: localhost
  register: result

Playbook output :

TASK [Création du dvSwitch] *********************************************************************************************************************************************
changed: [localhost -> localhost]

TASK [debug] ************************************************************************************************************************************************************
ok: [localhost] => {
    "result": {
        "changed": true,
        "failed": false,
        "result": "DVS created"
    }
}

PLAY RECAP **************************************************************************************************************************************************************
localhost                  : ok=7    changed=2    unreachable=0    failed=0    skipped=3    rescued=0    ignored=0   

Ansible version :

ansible [core 2.11.2] 
  config file = /home/gs8630/.ansible.cfg
  configured module search path = ['/home/gs8630/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/gs8630/venv/vmware/lib/python3.6/site-packages/ansible
  ansible collection location = /home/gs8630/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/gs8630/venv/vmware/bin/ansible
  python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
  jinja version = 2.11.2
  libyaml = False

Collections versions :

# /home/gs8630/.ansible/collections/ansible_collections
Collection           Version
-------------------- -------
ansible.netcommon    1.3.0  
ansible.posix        1.1.1  
ansible.windows      1.2.0  
community.general    1.2.0  
community.kubernetes 1.1.1  
community.vmware     1.11.0 
community.windows    1.1.0  
google.cloud         1.0.1 

mariolenz commented 3 years ago

PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.ForgedTransmits

You didn't get any output for this? Did you run this as a PowerShell script or in a PowerShell shell? If you've copy&pasted the code to a shell, I'd have expected either True or False. But not nothing.

BryanEaay commented 3 years ago

Exactly, I copy/pasted it in a PS Admin session, not in a script.

BryanEaay commented 3 years ago

UP

Any news on this ?

mariolenz commented 3 years ago

Not from me. I still can't reproduce the issue in our environment and that makes it a bit hard to debug.

@sky-joker or @Tomorrow9, can you reproduce the issue?

BryanEaay commented 3 years ago

PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.ForgedTransmits

You didn't get any output for this? Did you run this as a PowerShell script or in a PowerShell shell? If you've copy&pasted the code to a shell, I'd have expected either True or False. But not nothing.

Hi, I'm coming back for some news on this topic.

I've finally been able to get the output you asked me for 👍

PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs = Get-VDSwitch -Name dvs1-VG2S_NACRE_TTR_003
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.SecurityPolicy.ForgedTransmits.Value
False
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs.ExtensionData.Config.DefaultPortConfig.MacManagementPolicy.ForgedTransmits
True
PS C:\Users\GS8630\Documents\AUTOMATION\SCRIPTS\VMWARE> $dvs | Get-VDSecurityPolicy

VDSwitch                       AllowPromiscuous MacChanges ForgedTransmits
--------                       ---------------- ---------- ---------------
dvs1-VG2S_NACRE_TTR_003        False            False      False
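
Added example, not part of the original thread or of the collection's code: the output above shows the two property paths disagreeing for the same switch (SecurityPolicy reports ForgedTransmits False, MacManagementPolicy reports True), so an audit of promiscuous mode, MAC changes and forged transmits should read both views before treating a switch as compliant. The function name `Compare-DvsSecurityView` and the stand-in object are hypothetical; only the ForgedTransmits values come from the thread, the other sample values are constructed.

```powershell
# Added example (not from the thread): report both default-port security views of a vDS.
function Compare-DvsSecurityView {
    param(
        # Object returned by Get-VDSwitch, or a stand-in with the same property shape.
        [Parameter(Mandatory, ValueFromPipeline)] $VDSwitch
    )
    process {
        $port = $VDSwitch.ExtensionData.Config.DefaultPortConfig
        foreach ($setting in 'AllowPromiscuous', 'MacChanges', 'ForgedTransmits') {
            $legacy  = $port.SecurityPolicy.$setting.Value   # policy wrapper, read via .Value
            $macMgmt = $port.MacManagementPolicy.$setting    # plain boolean
            [pscustomobject]@{
                VDSwitch            = $VDSwitch.Name
                Setting             = $setting
                SecurityPolicy      = $legacy
                MacManagementPolicy = $macMgmt
                # $null when the switch exposes no MacManagementPolicy at all
                Consistent          = if ($null -eq $macMgmt) { $null } else { $legacy -eq $macMgmt }
            }
        }
    }
}

# Constructed stand-in so the function can be tried without a vCenter session.
# ForgedTransmits values are the ones reported in the thread; the rest are assumed.
function New-BoolPolicy($Value) { [pscustomobject]@{ Value = $Value } }
$sample = [pscustomobject]@{
    Name          = 'dvs1-VG2S_NACRE_TTR_003'
    ExtensionData = [pscustomobject]@{ Config = [pscustomobject]@{
        DefaultPortConfig = [pscustomobject]@{
            SecurityPolicy      = [pscustomobject]@{
                AllowPromiscuous = New-BoolPolicy $false
                MacChanges       = New-BoolPolicy $false
                ForgedTransmits  = New-BoolPolicy $false
            }
            MacManagementPolicy = [pscustomobject]@{
                AllowPromiscuous = $false
                MacChanges       = $true    # constructed value
                ForgedTransmits  = $true
            }
        }
    } }
}
$sample | Compare-DvsSecurityView | Format-Table -AutoSize

# With a live PowerCLI session (Connect-VIServer already done):
# Get-VDSwitch -Name 'dvs1-VG2S_NACRE_TTR_003' | Compare-DvsSecurityView
```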

mariolenz commented 1 month ago

1.11.0 is pretty old and, actually, EOL. I think we should close this issue for now.

Feel free to re-open it or open a new one if you're still running into this problem with current versions of the collection.