aristanetworks / avd

Arista Validated Designs
https://avd.arista.com
Apache License 2.0

management_eapi cannot be disabled in role eos_designs #4751

Open PeterKaufmannControlware opened 1 day ago

PeterKaufmannControlware commented 1 day ago

Issue Summary

AVD Version 4.10.0 using the official Container FROM ghcr.io/aristanetworks/avd/universal:python3.12-avd-v4.10.0

With the role eos_designs you are not able to disable the api http-commands section back to the default:

The default (hidden) config of an EOS switch has a disabled api http-commands section. We want to render the switch default. We need it disabled for hardening, because we don't use the eos_config_deploy_eapi role.

CLI:

show run all | sec management api http-command
management api http-commands
   protocol https port 443
   no protocol http port 80
   no protocol http localhost port 8080
   no protocol unix-socket
   qos dscp 0
   no log-level
   default-services
   no header csp frame-ancestors
   no cors allowed-origin
   no protocol https ssl profile
   no protocol https certificate
   shutdown

With the role eos_designs you are not able to represent the switch default, even if you set all avd parameters to false: AVD:

management_eapi:
  enable_http: false
  enable_https: false
  default_services: false

CLI:

management api http-commands
   no protocol https
   no protocol http
   no default-services
   no shutdown
   !
   vrf MGMT
      no shutdown

Even if you don't use the management_eapi: key at all, there is still an unwanted configuration rendered by eos_designs:

CLI:

management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown

Which component(s) of AVD impacted

eos_designs

How do you run AVD ?

Ansible CLI with AVD Runner

Steps to reproduce

No response

Relevant log output

No response


ClausHolbechArista commented 1 day ago

Thank you for reporting this. I don't see this as a bug, but intended behavior. I will update this issue to enhancement.

You can avoid this config by overriding the output of eos_designs:

custom_structured_configuration_management_api_http: null

I am curious why this is not coming up more. Are you sure deploying with CloudVision will work without this? I believe CloudVision uses eAPI tunneled over TerminAttr. If you are deploying with other means, please share :)

The request here would be to add a knob to eos_designs like:

management_eapi:
  enabled: <bool; default: true>

PeterKaufmannControlware commented 1 day ago

Thank you, the workaround with custom_structured_configuration_management_api_http: null is working for our use case.

We roll out configuration by sending configlets to CVP via the cvp_configlet_upload role and deploy it with the tasks in changes via CVP. There is no problem in communication between CVP and the switches when using custom_structured_configuration_management_api_http: null

I think TerminAttr initiates a session to CVP and CVP uses this initiated session for pushing configuration. But maybe I am wrong here.

We are using the AVD-rendered TerminAttr settings:

!
daemon TerminAttr
   exec /usr/bin/TerminAttr -cvaddr=x.x.x.x:9910 -cvauth=token,/tmp/token -cvvrf=MGMT -disableaaa -smashexcludes=ale,flexCounter,hardware,kni,pulse,strata -ingestexclude=/Sysdb/cell/1/agent,/Sysdb/cell/2/agent -taillogs
   no shutdown
!
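The thread is ultimately about verifying that a rendered config really leaves eAPI off. The following check is an added example, not code from the issue or from the AVD project: it parses the `management api http-commands` section of an EOS running-config and reports which protocols and VRFs would still accept eAPI connections. It uses the three CLI blocks quoted in the issue as constructed sample input, and it assumes (not stated in the thread) that https is the only protocol enabled by default, that the section-level `shutdown` governs the default VRF, and that a `vrf` sub-block is shut down unless it contains `no shutdown`.

```python
"""Report whether an EOS `management api http-commands` section leaves eAPI reachable."""
import re

# Constructed sample inputs, copied from the three CLI blocks quoted in the issue.
EOS_DEFAULT = """\
management api http-commands
   protocol https port 443
   no protocol http port 80
   no protocol http localhost port 8080
   no protocol unix-socket
   qos dscp 0
   no log-level
   default-services
   no header csp frame-ancestors
   no cors allowed-origin
   no protocol https ssl profile
   no protocol https certificate
   shutdown
"""

AVD_ALL_FALSE = """\
management api http-commands
   no protocol https
   no protocol http
   no default-services
   no shutdown
   !
   vrf MGMT
      no shutdown
"""

AVD_NO_KEY = """\
management api http-commands
   protocol https
   no shutdown
   !
   vrf MGMT
      no shutdown
"""

# Assumptions about EOS defaults (not given in the thread): https is the only
# listener enabled by default; the section-level `shutdown` governs the default
# VRF; a `vrf` sub-block is shut down unless it says `no shutdown`.
DEFAULT_PROTOCOLS = {"https"}
VRF_RE = re.compile(r"vrf (\S+)$")
# Matches `[no ]protocol https|http|unix-socket [port N]`; other `protocol https ...`
# sub-options (ssl profile, certificate, localhost) are not listener toggles.
PROTO_RE = re.compile(r"(no )?protocol (https|http|unix-socket)(\s+port \d+)?$")


def parse_http_commands(config: str) -> dict:
    """Extract listener state from the section; an absent section means EOS defaults."""
    lines = config.splitlines()
    protocols = set(DEFAULT_PROTOCOLS)
    default_vrf_enabled = False
    vrfs = {}
    start = next((i for i, l in enumerate(lines) if l.strip() == "management api http-commands"), None)
    if start is None:
        return {"protocols": protocols, "default_vrf_enabled": False, "vrfs": vrfs}
    current_vrf, vrf_indent = None, 0
    for raw in lines[start + 1:]:
        if raw.strip() and not raw[0].isspace():
            break  # next top-level section
        line = raw.strip()
        if not line or line == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        if current_vrf is not None and indent > vrf_indent:
            if line == "no shutdown":
                vrfs[current_vrf] = True
            elif line == "shutdown":
                vrfs[current_vrf] = False
            continue
        current_vrf = None  # back at section level
        m = VRF_RE.match(line)
        if m:
            current_vrf, vrf_indent = m.group(1), indent
            vrfs.setdefault(current_vrf, False)
        elif line == "shutdown":
            default_vrf_enabled = False
        elif line == "no shutdown":
            default_vrf_enabled = True
        else:
            m = PROTO_RE.match(line)
            if m:
                negated, proto = m.group(1), m.group(2)
                (protocols.discard if negated else protocols.add)(proto)
    return {"protocols": protocols, "default_vrf_enabled": default_vrf_enabled, "vrfs": vrfs}


def assess(config: str) -> dict:
    """eAPI is reachable only if some protocol is enabled in some enabled VRF."""
    s = parse_http_commands(config)
    enabled_vrfs = sorted((["default"] if s["default_vrf_enabled"] else [])
                          + [name for name, up in s["vrfs"].items() if up])
    return {"protocols": sorted(s["protocols"]), "enabled_vrfs": enabled_vrfs,
            "eapi_reachable": bool(s["protocols"]) and bool(enabled_vrfs)}


if __name__ == "__main__":
    for name, cfg in [("EOS default", EOS_DEFAULT), ("AVD all false", AVD_ALL_FALSE), ("AVD no key", AVD_NO_KEY)]:
        print(f"{name}: {assess(cfg)}")
```

Run against the three blocks from the issue, the EOS default is not reachable (https is configured but the section is shut down), the all-false AVD rendering is not reachable either but only because every protocol is negated while the default and MGMT VRFs are still `no shutdown`, and the rendering without the `management_eapi` key exposes https in both VRFs. A check like this can run over the eos_cli_config_gen output in CI so the hardening intent is verified rather than assumed.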