ansible / ansible

Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.
https://www.ansible.com/
GNU General Public License v3.0

ios_user "unable to retrieve current config" on IOS 12.2. problem with show running-config | section username #33643

Closed Kitus20 closed 5 years ago

Kitus20 commented 6 years ago
ISSUE TYPE
COMPONENT NAME

ios_user

ANSIBLE VERSION
$ ansible --version
ansible 2.4.2.0 (stable-2.4 4433544eb0) last updated 2017/11/13 16:50:30 (GMT +200)
CONFIGURATION

N/A

OS / ENVIRONMENT

Cisco IOS Software, Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)

SUMMARY

The current ios_user module was tested only against IOS 15.6. When I tried to use it with older releases (12.2 in my example), I encountered a problem with the show running-config | section username command, which the module invokes while it is trying to get config info about the Cisco host.

#file: lib/ansible/modules/network/ios/ios_user.py

def map_config_to_obj(module):
    data = get_config(module, flags=['| section username'])

    match = re.findall(r'^username (\S+)', data, re.M)

It seems that older IOS versions do not support the section filter, so when I made the following change (use the include filter instead of section):

def map_config_to_obj(module):
    data = get_config(module, flags=['| i username'])

    match = re.findall(r'^username (\S+)', data, re.M)

the module works fine. I was able to change a user's password, create/delete a user, set a user's privileges etc.

Maybe it is worth making this little change to get compatibility with older versions. Please note that I have not run detailed tests on the module after the change, but I was able to run all my playbooks where I was using it.

STEPS TO REPRODUCE
---
- hosts: cisco_switch
  connection: local
  tasks:
    - name: change user's password
      ios_user:
        name: testUser
        configured_password: qwertyuiop
        state: present
        update_password: always
        provider:
          authorize: yes
          auth_pass: 12345678
...
EXPECTED RESULTS

Password for testUser will be changed on the Cisco switch with IOS 12.2

ACTUAL RESULTS
$ ansible-playbook test.yml --ask-vault-pass -i customers/someCustomer/ -vvvv
Vault password:
PLAYBOOK: test.yml ******************************************************************************************************************************
1 plays in test.yml

PLAY [cisco_switch] *****************************************************************************************************************************

TASK [Gathering Facts] **************************************************************************************************************************
ok: [host_switch]

TASK [change user's password] *******************************************************************************************************************
  File "/tmp/ansible_lptTV3/ansible_modlib.zip/ansible/module_utils/ios.py", line 86, in get_config
    return _DEVICE_CONFIGS[cmd]

fatal: [host_switch]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "aggregate": null,
            "auth_pass": null,
            "authorize": null,
            "configured_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "host": null,
            "name": "testUser",
            "nopassword": null,
            "password": null,
            "port": null,
            "privilege": null,
            "provider": {
                "auth_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "authorize": true,
                "host": null,
                "password": null,
                "port": null,
                "ssh_keyfile": null,
                "timeout": null,
                "username": null
            },
            "purge": false,
            "ssh_keyfile": null,
            "state": "present",
            "timeout": null,
            "update_password": "always",
            "username": null,
            "view": null
        }
    },
    "msg": "unable to retrieve current config",
    "stderr": "show running-config | section username\r\n                                 ^\r\n% Invalid input detected at '^' marker.\r\n\r\nhost_switch#",
    "stderr_lines": [
        "show running-config | section username",
        "                                 ^",
        "% Invalid input detected at '^' marker.",
        "",
        "host_switch#"
    ]
}

PLAY RECAP **************************************************************************************************************************************
host_switch                 : ok=1    changed=0    unreachable=0    failed=1

ansibot commented 6 years ago

Files identified in the description:

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


ansibot commented 6 years ago

cc @kedarX @privateip @rcarrillocruz @trishnaguha

djh00t commented 6 years ago

Hi Guys,

Has there been any progress on this at all? This issue affects a sizable chunk of older Cisco equipment.

Section Command History

Release        Modification
12.3(2)T       This command was introduced.
12.2(33)SRE    This command was integrated into Cisco IOS release 12.(33)SRE.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/fundamentals/command/reference/cf_book/cf_s1.html#wp1171609

rifty commented 6 years ago

Any updates on this one? This issue also affects more recent releases (i.e. IOS 15.0(2)SG10) for particular switch platforms.

lab-4948ef#sho ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASEK9-M), Version 15.0(2)SG10, RELEASE SOFTWARE (fc1)

lab-4948ef#show running-config | ?
  append    Append redirected output to URL (URLs supporting append operation only)
  begin     Begin with the line that matches
  count     Count number of lines which match regexp
  exclude   Exclude lines that match
  format    Format the output using the specified spec file
  include   Include lines that match
  redirect  Redirect output to URL
  tee       Copy output to URL

Qalthos commented 5 years ago

So after some contemplation, I have made an attempt at gracefully failing this in the above PR. I have tested it after a fashion by changing section to something invalid on all platforms, but would like verification that this works with the real issue in question.

needs_info
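
The fallback discussed in this thread, as an added example (not the module's code and not the code from the PR mentioned above): try the section filter, fall back to include when IOS answers with the invalid-input marker, and rely on the anchored regex from the issue to drop non-account lines that include lets through. The names configured_usernames and make_device and the sample config lines are constructed for illustration.

```python
import re

# Marker IOS prints when it rejects a command or output filter (see ACTUAL RESULTS).
INVALID_INPUT = "% Invalid input detected"


class UnsupportedFilter(Exception):
    """The device rejected the output filter that was tried."""


def run_show(run_command, flt):
    out = run_command("show running-config | %s username" % flt)
    if INVALID_INPUT in out:
        raise UnsupportedFilter(flt)
    return out


def configured_usernames(run_command):
    """Return (filter_used, usernames) for the local accounts in the config."""
    for flt in ("section", "include"):
        try:
            data = run_show(run_command, flt)
        except UnsupportedFilter:
            continue  # older image: try the next, more widely supported filter
        # '^' with re.M keeps only top-level "username ..." lines, so lines that
        # merely contain the word (e.g. under an interface) are ignored.
        names = re.findall(r'^username (\S+)', data, re.M)
        return flt, list(dict.fromkeys(names))
    raise RuntimeError("unable to retrieve current config")


def make_device(rejected=()):
    """Constructed stand-in for a device; 'rejected' lists unsupported filters."""
    config = (
        "username admin privilege 15 secret 5 <constructed-hash>\n"
        "username testUser privilege 1 secret 5 <constructed-hash>\n"
        "interface Dialer0\n"
        " ppp pap sent-username ispuser password 7 <constructed>\n"
    )

    def run_command(cmd):
        flt = cmd.split("|")[1].split()[0]
        if flt in rejected:
            return cmd + "\r\n    ^\r\n% Invalid input detected at '^' marker.\r\n"
        # Simplification: both filters return every line containing "username".
        return "\n".join(l for l in config.splitlines() if "username" in l)

    return run_command
```
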