ansible-collections / dellemc.os10

GNU General Public License v3.0

os10_acl needs a pause between defining an ACL and adding it to an interface #125

Closed sc68cal closed 8 months ago

sc68cal commented 2 years ago

We have a playbook that defines an ACL on an S5232-ON, and when we get to the step where we add the ACL to an interface, it appears to fail. Running the role again, the role succeeds in adding the ACL to the interfaces.

{"changed": false, "command": "ipv6 access-group MYACL out", "msg": "ipv6 access-group MYACL out\r\n% Error: Unrecognized command.\r\n\u0007sw2115a-x(config-ipv6-acl)# ", "rc": -32603}

I have manually defined the ACL via the CLI, and done show commands to show the ACL, and there appears to be a delay between defining the ACL, and having it show up in the running-configuration. So I assume there is some ASIC programming being done that takes time to complete, and until it is complete it does not get reflected in the running-configuration and does not work in the CLI.

prasadapr commented 1 year ago

Hi @sc68cal, I will verify the configuration and let you know. Meanwhile, please can you provide the Ansible playbook which you have created/executed?

prasadapr commented 1 year ago

Hi @sc68cal, I have created a playbook and am able to push the configuration without any error/issue. Please find the playbook and execution log:

root@UBUNTU18-VM-38-024:~/os10_collections# cat os10_acl_Issue-125.yaml
---
- hosts: spine100
  connection: network_cli
  collections:
   - dellemc.os10
  roles:
   - os10_acl
root@UBUNTU18-VM-38-024:~/os10_collections# 

root@UBUNTU18-VM-38-024:~/os10_collections/host_vars# cat spine100.yaml 
---
hostname: datacenter
ansible_become: false
ansible_ssh_user: admin
ansible_ssh_pass: admin
ansible_network_os: dellemc.os10.os10
ansible_connection: network_cli
os10_cfg_generate: True
build_dir: "/root/os10_collections"

os10_acl:
   - name: ssh
     type: ipv6
     description: ipv6acl
     remark:
       - description: 1
         number: 3
         state: present
     entries:
       - number: 14
         permit: true
         protocol: tcp
         source: any
         src_condition: neq 6
         destination: any
         dest_condition: eq 4
         other_options: count
         state: present
     stage_ingress:
          - name: ethernet 1/1/4
            state: present
          - name: ethernet 1/1/5
            state: present
     stage_egress:
          - name: ethernet 1/1/6
            state: present
     lineterminal:
          state: present
     state: present
root@UBUNTU18-VM-38-024:~/os10_collections/host_vars# 

root@UBUNTU18-VM-38-024:~/os10_collections# cat inventory.yaml 
spine100  ansible_host=100.104.40.188 ansible_user=admin ansible_password=admin ansible_network_os=dellemc.os10.os10 ansible_connection=network_cli

[spineleaf]
spine100

[datacenter:children]
spineleaf
root@UBUNTU18-VM-38-024:~/os10_collections# 

######################  Execution log ##################

root@UBUNTU18-VM-38-024:~/os10_collections# 
root@UBUNTU18-VM-38-024:~/os10_collections# ansible-playbook -i inventory.yaml os10_acl_Issue-125.yaml -vvv
ansible-playbook 2.9.26
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.17 (default, Feb 27 2021, 15:10:58) [GCC 7.5.0]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /root/os10_collections/inventory.yaml as it did not pass its verify_file() method
script declined parsing /root/os10_collections/inventory.yaml as it did not pass its verify_file() method
Parsed /root/os10_collections/inventory.yaml inventory source with ini plugin
Skipping callback 'actionable', as we already have a stdout callback.
Skipping callback 'counter_enabled', as we already have a stdout callback.
Skipping callback 'debug', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'dense', as we already have a stdout callback.
Skipping callback 'full_skip', as we already have a stdout callback.
Skipping callback 'json', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'null', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
Skipping callback 'selective', as we already have a stdout callback.
Skipping callback 'skippy', as we already have a stdout callback.
Skipping callback 'stderr', as we already have a stdout callback.
Skipping callback 'unixy', as we already have a stdout callback.
Skipping callback 'yaml', as we already have a stdout callback.

PLAYBOOK: os10_acl_Issue-125.yaml ***********************************************************************************************************************************************************
1 plays in os10_acl_Issue-125.yaml

PLAY [spine100] *****************************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************************
task path: /root/os10_collections/os10_acl_Issue-125.yaml:2
Sunday 27 November 2022  22:06:12 +0530 (0:00:00.055)       0:00:00.055 ******* 
<100.104.40.188> ESTABLISH LOCAL CONNECTION FOR USER: root
<100.104.40.188> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174 `" && echo ansible-tmp-1669566973.0-9363-136949891701174="` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174 `" ) && sleep 0'
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/system/setup.py
<100.104.40.188> PUT /root/.ansible/tmp/ansible-local-9356TRa0Gs/tmpUW_ilQ TO /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174/AnsiballZ_setup.py
<100.104.40.188> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174/ /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174/AnsiballZ_setup.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174/AnsiballZ_setup.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669566973.0-9363-136949891701174/ > /dev/null 2>&1 && sleep 0'
ok: [spine100]
META: ran handlers

TASK [dellemc.os10.os10_acl : Generating ACL configuration for os10] ************************************************************************************************************************
task path: /root/.ansible/collections/ansible_collections/dellemc/os10/roles/os10_acl/tasks/main.yml:3
Sunday 27 November 2022  22:06:44 +0530 (0:00:31.924)       0:00:31.980 ******* 
<100.104.40.188> ESTABLISH LOCAL CONNECTION FOR USER: root
<100.104.40.188> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633 `" && echo ansible-tmp-1669567005.02-9441-83499762354633="` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633 `" ) && sleep 0'
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/files/stat.py
<100.104.40.188> PUT /root/.ansible/tmp/ansible-local-9356TRa0Gs/tmpSaknr0 TO /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_stat.py
<100.104.40.188> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/ /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_stat.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_stat.py && sleep 0'
<100.104.40.188> PUT /root/.ansible/tmp/ansible-local-9356TRa0Gs/tmplqhDiF/os10_acl.j2 TO /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/source
<100.104.40.188> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/ /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/source && sleep 0'
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/files/copy.py
<100.104.40.188> PUT /root/.ansible/tmp/ansible-local-9356TRa0Gs/tmpvWECGZ TO /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_copy.py
<100.104.40.188> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/ /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_copy.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/AnsiballZ_copy.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/ > /dev/null 2>&1 && sleep 0'
changed: [spine100] => {
    "changed": true, 
    "checksum": "926a272596b3458bdea69f03c08b303e973bc99e", 
    "dest": "/root/os10_collections/acl10_datacenter.conf.part", 
    "diff": [], 
    "gid": 0, 
    "group": "root", 
    "invocation": {
        "module_args": {
            "_original_basename": "os10_acl.j2", 
            "attributes": null, 
            "backup": false, 
            "checksum": "926a272596b3458bdea69f03c08b303e973bc99e", 
            "content": null, 
            "delimiter": null, 
            "dest": "/root/os10_collections/acl10_datacenter.conf.part", 
            "directory_mode": null, 
            "follow": false, 
            "force": true, 
            "group": null, 
            "local_follow": null, 
            "mode": null, 
            "owner": null, 
            "regexp": null, 
            "remote_src": null, 
            "selevel": null, 
            "serole": null, 
            "setype": null, 
            "seuser": null, 
            "src": "/root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/source", 
            "unsafe_writes": false, 
            "validate": null
        }
    }, 
    "md5sum": "fc28b1182eb7ee15ab139284aaf1726f", 
    "mode": "0644", 
    "owner": "root", 
    "size": 307, 
    "src": "/root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567005.02-9441-83499762354633/source", 
    "state": "file", 
    "uid": 0
}

TASK [dellemc.os10.os10_acl : Provisioning ACL configuration for os10] **********************************************************************************************************************
task path: /root/.ansible/collections/ansible_collections/dellemc/os10/roles/os10_acl/tasks/main.yml:11
Sunday 27 November 2022  22:06:46 +0530 (0:00:02.358)       0:00:34.338 ******* 
<100.104.40.188> ESTABLISH LOCAL CONNECTION FOR USER: root
<100.104.40.188> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654 `" && echo ansible-tmp-1669567011.04-9488-67239067477654="` echo /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654 `" ) && sleep 0'
Using module file /root/.ansible/collections/ansible_collections/dellemc/os10/plugins/modules/os10_config.py
<100.104.40.188> PUT /root/.ansible/tmp/ansible-local-9356TRa0Gs/tmpgMPrhx TO /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654/AnsiballZ_os10_config.py
<100.104.40.188> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654/ /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654/AnsiballZ_os10_config.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654/AnsiballZ_os10_config.py && sleep 0'
<100.104.40.188> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-9356TRa0Gs/ansible-tmp-1669567011.04-9488-67239067477654/ > /dev/null 2>&1 && sleep 0'
changed: [spine100] => {
    "changed": true, 
    "commands": [
        "interface ethernet 1/1/4", 
        "ipv6 access-group ssh in", 
        "interface ethernet 1/1/5", 
        "ipv6 access-group ssh in", 
        "interface ethernet 1/1/6", 
        "ipv6 access-group ssh out", 
        "commit"
    ], 
    "invocation": {
        "module_args": {
            "after": null, 
            "backup": false, 
            "backup_options": null, 
            "before": null, 
            "config": null, 
            "lines": null, 
            "match": "line", 
            "parents": null, 
            "provider": null, 
            "replace": "line", 
            "save": false, 
            "src": "ipv6 access-list ssh\n description \"ipv6acl\"\n \n seq 3 remark \"1\"\n        \n seq 14 permit tcp any neq 6 any eq 4 count\n\nline vty\n ipv6 access-class ssh \n\ninterface ethernet 1/1/4\n ipv6 access-group ssh in\ninterface ethernet 1/1/5\n ipv6 access-group ssh in\n\ninterface ethernet 1/1/6\n ipv6 access-group ssh out\n", 
            "update": "merge"
        }
    }, 
    "saved": false, 
    "updates": [
        "interface ethernet 1/1/4", 
        "ipv6 access-group ssh in", 
        "interface ethernet 1/1/5", 
        "ipv6 access-group ssh in", 
        "interface ethernet 1/1/6", 
        "ipv6 access-group ssh out", 
        "commit"
    ]
}
META: ran handlers
META: ran handlers

PLAY RECAP **********************************************************************************************************************************************************************************
spine100                   : ok=3    changed=2    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Sunday 27 November 2022  22:06:57 +0530 (0:00:10.490)       0:00:44.828 ******* 
=============================================================================== 
Gathering Facts --------------------------------------------------------------------------------------------------------------------------------------------------------------------- 31.92s
/root/os10_collections/os10_acl_Issue-125.yaml:2 -------------------------------------------------------------------------------------------------------------------------------------------
dellemc.os10.os10_acl : Provisioning ACL configuration for os10 --------------------------------------------------------------------------------------------------------------------- 10.49s
/root/.ansible/collections/ansible_collections/dellemc/os10/roles/os10_acl/tasks/main.yml:11 -----------------------------------------------------------------------------------------------
dellemc.os10.os10_acl : Generating ACL configuration for os10 ------------------------------------------------------------------------------------------------------------------------ 2.36s
/root/.ansible/collections/ansible_collections/dellemc/os10/roles/os10_acl/tasks/main.yml:3 ------------------------------------------------------------------------------------------------
root@UBUNTU18-VM-38-024:~/os10_collections# 
root@UBUNTU18-VM-38-024:~/os10_collections# 
root@UBUNTU18-VM-38-024:~/os10_collections# 
root@UBUNTU18-VM-38-024:~/os10_collections# ansible-playbook -i inventory.yaml os10_acl_Issue-125.yaml -vvv

############ OS10 Device configuration ################

spine100# 
spine100# show running-configuration interface ethernet 1/1/4
!
interface ethernet1/1/4
 no shutdown
 switchport access vlan 1
 flowcontrol receive off
 ipv6 access-group ssh in
spine100# 
spine100# show running-configuration interface ethernet 1/1/5
!
interface ethernet1/1/5
 no shutdown
 switchport access vlan 1
 flowcontrol receive off
 ipv6 access-group ssh in
spine100# 
spine100# show running-configuration interface ethernet 1/1/6
!
interface ethernet1/1/6
 no shutdown
 switchport access vlan 1
 flowcontrol receive off
 ipv6 access-group ssh out
spine100# 
spine100# 
spine100# show running-configuration access-list 
!
ipv6 access-list ssh
 description "ipv6acl"
 seq 3 remark "1"
 seq 14 permit tcp any neq 6 any eq 4 count
spine100# 

spine100# show running-configuration line 
!
line vty
 ipv6 access-class ssh
spine100# 

prasadapr commented 1 year ago

Hi @sc68cal, as per the logs provided above, it's working fine for me. Please can you share your complete playbook to figure out what the issue is?

sc68cal commented 1 year ago

Creating a single rule and associating it with a small set of interfaces will not manifest this issue. It only occurs with large rulesets associated with lots of interfaces. I am not able to publicly disclose our rulesets due to security policy.

mv945 commented 8 months ago

I’ve spent some time attempting to reproduce the error in our environment, and have been unable to do so. We do run a newer version of the dell module (dellemc.os10 1.2.3) and ansible.netcommon (6.0.0) from when the issue was reported, so perhaps something has changed in one of those since then. I have not recreated an environment with the older versions of those. I’ve tried running our full ACL and full configuration playbook on a lab switch running 10.5.1.9, and the acl playbook on switches running 10.5.3.6p2 and our latest 10.5.3.9p1, and all tests ran flawlessly and did not fail on any ACL config tasks. At this point we are OK to close this issue as resolved as we are unable to repro.

prasadapr commented 8 months ago

Hi @mv945, thanks for your time reproducing the issue and for the update on the verification. As per your inputs, I am closing this issue.
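
Added example, not part of the thread or of the dellemc.os10 collection: when an `access-group` command is rejected as in the error reported above, the ACL exists but the interface carries no filter until the role is re-run, so a post-run check of the end state is worth having. The sketch below compares `os10_acl`-style role variables against `show running-configuration` text; the function names, the constructed sample config and the `ipv4` to `ip` keyword mapping are assumptions.

```python
import re
# Constructed sample in the format of the thread's `show running-configuration`
# output; the egress binding on ethernet1/1/6 is missing, as after a failed run.
RUNNING_CONFIG = """\
!
interface ethernet1/1/4
 no shutdown
 ipv6 access-group ssh in
!
interface ethernet1/1/6
 no shutdown
!
ipv6 access-list ssh
 seq 14 permit tcp any neq 6 any eq 4 count
"""

# Same shape as the os10_acl role variables posted in the thread (trimmed).
INTENDED = [{"name": "ssh", "type": "ipv6",
             "stage_ingress": [{"name": "ethernet 1/1/4", "state": "present"}],
             "stage_egress": [{"name": "ethernet 1/1/6", "state": "present"}]}]

def parse_running_config(text):
    """Return (defined ACLs, interface bindings) found in a running-config."""
    acls, bindings, iface = set(), set(), None
    for line in text.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new block
            m = re.match(r"interface (\S.*)$", line)
            iface = m.group(1).replace(" ", "") if m else None
            m = re.match(r"(ip|ipv6|mac) access-list (\S+)", line)
            if m:
                acls.add(m.groups())
            continue
        m = re.match(r"\s+(ip|ipv6|mac) access-group (\S+) (in|out)\s*$", line)
        if m and iface:
            bindings.add((iface,) + m.groups())
    return acls, bindings

def audit(intended, text):
    """List each intended ACL or interface binding absent from the config."""
    acls, bindings = parse_running_config(text)
    findings = []
    for acl in intended:
        # Assumption: the role's "ipv4" type corresponds to the CLI keyword "ip".
        kind = {"ipv4": "ip"}.get(acl["type"], acl["type"])
        if (kind, acl["name"]) not in acls:
            findings.append("ACL {} not defined".format(acl["name"]))
        for key, direction in (("stage_ingress", "in"), ("stage_egress", "out")):
            for port in acl.get(key, []):
                want = (port["name"].replace(" ", ""), kind, acl["name"], direction)
                if port.get("state", "present") == "present" and want not in bindings:
                    findings.append("{}: {} access-group {} {} missing".format(*want))
    return findings

print("\n".join(audit(INTENDED, RUNNING_CONFIG)))
```

Interface names are compared with spaces removed because the role variables use `ethernet 1/1/4` while the running configuration prints `ethernet1/1/4`.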