Closed johncapobianco closed 6 years ago
Files identified in the description:
If these files are inaccurate, please update the component name section of the description or use the !component bot command.
cc @kedarX @mikewiebe @privateip @rahushen @rcarrillocruz @trishnaguha
@johncapobianco please share your src file if possible.
Here are the relevant files. I have converted them to .txt files so I could upload them, but you could rename them to .yml or .j2.
Please let me know if this is what you needed
Thanks for your help
LAB-DC-N7K-AGG_yml.txt LAB-N7K-1-MG06TSZKG-DC-AGG.running_config.txt LAB-N7K-1-MG06TSZKG-DC-AGG.txt 06_nxos_interface_j2.txt config-dc_yml.txt configure_nxos_vlan_interface_yml.txt
Please note the following is idempotent under the SVI configurations:
interface Vlan1301
vrf member LoP_OPZone
no ip redirects
ip router ospf 100 area 0.0.0.130
ip address 10.144.0.2/24
the following lines are not idempotent:
interface Vlan1301
hsrp version 2
hsrp 1301
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip 10.144.0.1
ip dhcp relay address 10.167.128.127
ip dhcp relay address 10.167.128.128
description LoP_OPZone
no shutdown
Hope this helps
John
Related issue: https://github.com/ansible/ansible/issues/36499.
hsrp 1301. The group 1301 was not created, show running-config only shows up to hsrp version 2.
The device returns an error when hsrp sub commands are executed after hsrp 1301, stating: ERROR: Group 1301 is not created. So this isn't a module/idempotence issue.
nxos terminal plugin fails to catch the error, hence returning changed:true.
With the PR https://github.com/ansible/ansible/pull/37237, the actual error is caught, instead of silently ignoring the error and returning changed: true.
The full traceback is:
File "/tmp/ansible_ebpU1k/ansible_modlib.zip/ansible/module_utils/network/nxos/nxos.py", line 195, in load_config
responses = connection.edit_config(config)
File "/tmp/ansible_ebpU1k/ansible_modlib.zip/ansible/module_utils/connection.py", line 146, in __rpc__
raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [nxos9k-01]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"after": null,
"backup": false,
"before": null,
"defaults": false,
"diff_against": null,
"diff_ignore_lines": null,
"force": false,
"host": null,
"intended_config": null,
"lines": null,
"match": "line",
"parents": null,
"password": null,
"port": null,
"provider": null,
"replace": "line",
"replace_src": null,
"running_config": null,
"save": false,
"save_when": "never",
"src": "interface Vlan1301\n description BLUE\n no shutdown\n vrf member BLUE\n no ip redirects\n ip address 10.144.0.2/24\n ip router ospf 100 area 0.0.0.130\n hsrp version 2\n ip dhcp relay address 10.167.128.127 \n ip dhcp relay address 10.167.128.128\n hsrp 1301\n authentication md5 key-chain hsrp-md5-key\n preempt delay minimum 120 reload 300\n priority 255\n ip 10.144.0.1\n",
"ssh_keyfile": null,
"timeout": null,
"transport": null,
"use_ssl": null,
"username": null,
"validate_certs": null
}
},
"msg": "authentication md5 key-chain hsrp-md5-key\r\r\nERROR: Group 1301 is not created\r\n\r\n\ran-nxos9k-01(config-if-hsrp)# "
}
Do you have feature HSRP enabled in your global config?
feature hsrp
Because my SVIs all have the HSRP configured - see the attached / sample:
interface Vlan1301
vrf member LoP_OPZone
no ip redirects
ip address 10.144.0.2/24
ip router ospf 100 area 0.0.0.130
hsrp version 2
hsrp 1301
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip 10.144.0.1
ip dhcp relay address 10.167.128.127
ip dhcp relay address 10.167.128.128
description LoP_OPZone
no shutdown
Every SVI has an hsrp
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip <ip>
@johncallender yes I have hsrp enabled.
Is this your output for show run | section interface.Vlan1301?
LAB-N7K-1-MG06TSZKG-DC-AGG# sh run | section interface.Vlan1301
interface Vlan1301
vrf member LoP_OPZone
no ip redirects
ip address 10.144.0.2/24
ip router ospf 100 area 0.0.0.130
hsrp version 2
hsrp 1301
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip 10.144.0.1
ip dhcp relay address 10.167.128.127
ip dhcp relay address 10.167.128.128
description LoP_OPZone
no shutdown
Here is the full output in verbose mode
TASK [Create NXOS SVI configuration] ****
task path: /home/capobj/DC/Lab-Infrastructure/tasks/configurations/nxos/configure_nxos_platform_vlan_interface.yml:3
As discussed with the team, we do not guarantee idempotence with nxos_config when using src, you need to make sure that you are using the exact spaces indentation that the device uses. I am going to close this issue since we won't fix it. Thanks for taking time to look into this.
The issue comes from your source file not having proper spacing. NX-OS uses two spaces to indent, not one like IOS. Change that and it should work. I just sorted out this issue with my config. Now idempotency is no problem when using "src" with nxos_config module.
[ edit: using only --check I was too careful testing this workaround, adding 'no hsrp bfd' to your Jinja works in ansible_checkmode, but like John observed, fails when actually sending the configuration. As a workaround one can however ignore the 'no hsrp bfd' line. Good to know Cisco acknowledged and fixed the bug ]
Hope this saves some other people from digging through the sources and inserting debug statements :) Until a Cisco NX-OS version with this issue fixed is deployed, the following workaround can be used.
Using the right indentation is important, but at least for NX-OS 7.1 on a 7K over CLI there's another gotcha: Ansible uses show run all and a non-indented 'no hsrp bfd' line will be inserted which throws off the diff. By ignoring this line, idempotency will be restored for the HSRP section.
Like this:
interface Vlan{{ vlan_id }}
description {{ svi_description | default(vlan_name) }}
no shutdown
no ip redirects
ip address {{ svi_ipv4 }}
no ip arp gratuitous hsrp duplicate
hsrp version 2
hsrp {{ vlan_id }}
ip {{ svi_vip }}
ip dhcp relay address 1.2.3.4

- name: "Configure SVI {{ svi_name }}"
  nxos_config:
    src: "svi_config.j2"
    diff_ignore_lines:
      - "no hsrp bfd"
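The indentation and `no hsrp bfd` effects described in the two comments above, as an added example: a simplified model of an indentation-based config diff written for this page, not Ansible's or the commenters' code. The sample configs, the function names, and the position of the column-0 `no hsrp bfd` line are constructed assumptions.

```python
# Added example: simplified model of an indentation-based config diff.
# Not Ansible's implementation; the sample configs below are constructed.

def parse(text, indent=2, ignore=()):
    """Return each config line as a path tuple (parent, ..., line).

    Nesting depth is leading spaces // indent, so with indent=2 a line
    indented by a single space is read as depth 0 and loses its parent.
    """
    paths, ancestors = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ignore:
            continue
        depth = (len(raw) - len(raw.lstrip(" "))) // indent
        ancestors = ancestors[:depth] + [line]
        paths.append(tuple(ancestors))
    return paths


def pending_lines(candidate, running, indent=2, ignore=()):
    """Candidate lines whose full parent path is missing from running."""
    have = set(parse(running, indent, ignore))
    return [p[-1] for p in parse(candidate, indent, ignore) if p not in have]


# Constructed template output using the device's two-space indentation.
TWO_SPACE = (
    "interface Vlan1301\n"
    "  no shutdown\n"
    "  hsrp version 2\n"
    "  hsrp 1301\n"
    "    ip 10.144.0.1\n"
)
# Same lines, but indented IOS-style with one space per level.
ONE_SPACE = (
    "interface Vlan1301\n"
    " no shutdown\n"
    " hsrp version 2\n"
    " hsrp 1301\n"
    "  ip 10.144.0.1\n"
)
# Constructed "show run all"-style text with a non-indented 'no hsrp bfd'.
RUNNING_ALL = TWO_SPACE.replace("  hsrp version 2\n",
                                "no hsrp bfd\n  hsrp version 2\n")

if __name__ == "__main__":
    print(pending_lines(TWO_SPACE, TWO_SPACE))    # matching indentation
    print(pending_lines(ONE_SPACE, TWO_SPACE))    # one-space template
    print(pending_lines(TWO_SPACE, RUNNING_ALL))  # stray column-0 line
    print(pending_lines(TWO_SPACE, RUNNING_ALL, ignore=("no hsrp bfd",)))
```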
Yes but that too doesn’t work as it is a parent nested command and will move you out of the nest
Cisco confirms this is a BUG and fixed in the latest release !!!
Thanks
From: Albert Siersema notifications@github.com
Sent: Monday, March 11, 2019 6:54 AM
To: ansible/ansible
Cc: johncapobianco; Mention
Subject: Re: [ansible/ansible] nxos_config SVI (Interface VLAN) idempotency issues (#36801)
Hope this saves some other people from digging through the sources and inserting debug statements :)
Using the right indentation is important, but at least for NX-OS 7.1 on a 7K over CLI there's another gotcha: Ansible uses show run all and a non-indented 'no hsrp bfd' line will be inserted which throws off the diff. By inserting this line into your Jinja2, idempotency will be restored for the HSRP section. Like this:
interface Vlan{{ vlan_id }}
description {{ svi_description | default(vlan_name) }}
no shutdown
no ip redirects
ip address {{ svi_ipv4 }}
no ip arp gratuitous hsrp duplicate
no hsrp bfd
hsrp version 2
hsrp {{ vlan_id }}
ip {{ svi_vip }}
ip dhcp relay address 1.2.3.4
ISSUE TYPE
COMPONENT NAME
nxos_config
ANSIBLE VERSION
CONFIGURATION
OS / ENVIRONMENT
CentOS Linux release 7.4.1708 (Core) NXOS 6.2(16) Nexus 7K
SUMMARY
The NXOS_CONFIG module does not appear to be idempotent for Interface VLAN / SVI configurations
STEPS TO REPRODUCE
Running-configuration
interface Vlan1301
vrf member BLUE
no ip redirects
ip address 10.144.0.2/24
ip router ospf 100 area 0.0.0.130
hsrp version 2
hsrp 1301
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip 10.144.0.1
ip dhcp relay address 10.167.128.127
ip dhcp relay address 10.167.128.128
description BLUE
no shutdown
My generated output for the same interface:
interface Vlan1301
vrf member BLUE
no ip redirects
ip router ospf 100 area 0.0.0.130
hsrp version 2
hsrp 1301
authentication md5 key-chain hsrp-md5-key
preempt delay minimum 120 reload 300
priority 255
ip 10.144.0.1
ip dhcp relay address 10.167.128.127
ip dhcp relay address 10.167.128.128
description BLUE
no shutdown
ip address 10.144.0.2/24
When I run in check mode the following comes back as CHANGES:
["interface Vlan1301", "hsrp version 2", "hsrp 1301", "authentication md5 key-chain hsrp-md5-key", "priority 254", "ip 10.144.0.1", "ip dhcp relay address 10.167.128.127", "ip dhcp relay address 10.167.128.128", "description BLUE", "no shutdown",
Not all of it is idempotent
EXPECTED RESULTS
Based on my comparisons my SVI should be fully idempotent
ACTUAL RESULTS
Idempotency is showing a lot of changes however doing side by side comparisons all the syntax, spacing, commands should not be showing any changes