aruba / aoscx-ansible-collection

Ansible collections for AOS-CX switches 

Fault in aoscx_acl module: error when updating existing acl #85

Closed git4m closed 2 weeks ago

git4m commented 7 months ago

Fault in aoscx_acl module when trying to update an existing acl.

Switch: 6300M Firmware: 10.10.1060

running-config:

access-list ip test_acl
    1 comment Deny the host
    1 deny tcp 158.10.12.57/32 any count

Task in playbook. Note: we are planning to update the acl action from "deny" to "permit" and update the comment:

    - name: Add ACL task 1 (AOSCX)
      arubanetworks.aoscx.aoscx_acl:
        name: test_acl
        type: ipv4
        state: update
        acl_entries:
          1:
            comment: "Permit the host"
            action: permit
            count: true
            src_ip: 158.10.12.57/32
            protocol: tcp

Playbook output:

TASK [Add ACL task 1 (AOSCX)] *******************************************************************************************************************************
fatal: [aruba_6300m_10_10_1060]: FAILED! => changed=false
  msg: '''PARAMETER ERROR: Invalid IP: None does not appear to be an IPv4 or IPv6 interface'''

Ansible collection:

Collection                Version
------------------------- -------
ansible.netcommon         5.2.0
ansible.posix             1.5.4
ansible.utils             2.11.0
arubanetworks.aos_switch  1.7.0
arubanetworks.aoscx       4.3.0
community.general         7.4.0

Python modules:

poetry show
ansible-compat            4.1.10   Ansible compatibility goodies
ansible-core              2.15.0   Radically simple IT automation
ansible-lint              6.17.0   Checks playbooks for practices and behavior that could potentially be improved
ansible-pylibssh          1.1.0    Python bindings for libssh client specific to Ansible use case
attrs                     23.1.0   Classes Without Boilerplate
bcrypt                    4.0.1    Modern password hashing for your software and your servers
black                     23.3.0   The uncompromising code formatter.
bracex                    2.4      Bash style brace expander.
certifi                   2023.5.7 Python package for providing Mozilla's CA Bundle.
cffi                      1.15.1   Foreign Function Interface for Python calling C code.
charset-normalizer        3.1.0    The Real First Universal Charset Detector. Open, modern and actively maintained alternative to Chardet.
click                     8.1.3    Composable command line interface toolkit
cryptography              40.0.2   cryptography is a package which provides cryptographic recipes and primitives to Python developers.
filelock                  3.12.4   A platform independent file lock.
hvac                      0.11.2   HashiCorp Vault API client
idna                      3.4      Internationalized Domain Names in Applications (IDNA)
importlib-resources       5.0.7    Read resources from Python packages
jinja2                    3.1.2    A very fast and expressive template engine.
jmespath                  0.10.0   JSON Matching Expressions
jsonschema                4.19.0   An implementation of JSON Schema validation for Python
jsonschema-specifications 2023.7.1 The JSON Schema meta-schemas and vocabularies, exposed as a Registry
jxmlease                  1.0.3    jxmlease converts between XML and intelligent Python data structures.
lxml                      4.9.2    Powerful and Pythonic XML processing library combining libxml2/libxslt with the ElementTree API.
markdown-it-py            3.0.0    Python port of markdown-it. Markdown parsing, done right!
markupsafe                2.1.2    Safely add untrusted strings to HTML/XML markup.
mdurl                     0.1.2    Markdown URL utilities
mypy-extensions           1.0.0    Type system extensions for programs checked with the mypy type checker.
ncclient                  0.6.13   Python library for NETCONF clients
netaddr                   0.8.0    A network address manipulation library for Python
netifaces                 0.11.0   Portable network interface information.
packaging                 23.1     Core utilities for Python packages
paramiko                  3.1.0    SSH2 protocol library
pathspec                  0.11.1   Utility library for gitignore style pattern matching of file paths.
platformdirs              3.5.1    A small Python package for determining appropriate platform-specific dirs, e.g. a "user data dir".
ply                       3.11     Python Lex & Yacc
pyaoscx                   2.5.0    AOS-CX Python Modules
pyasn1                    0.5.0    Pure-Python implementation of ASN.1 types and DER/BER/CER codecs (X.208)
pycparser                 2.21     C parser in Python
pycryptodomex             3.18.0   Cryptographic library for Python
pycurl                    7.45.2   PycURL -- A Python Interface To The cURL library
pygments                  2.16.1   Pygments is a syntax highlighting package written in Python.
pynacl                    1.5.0    Python binding to the Networking and Cryptography (NaCl) library
pynetbox                  6.6.2    NetBox API client library
pyparsing                 3.0.9    pyparsing module - Classes and methods to define and execute parsing grammars
pyserial                  3.5      Python Serial Port Extension
pysmi                     0.3.4    SNMP SMI/MIB Parser
pysnmp                    4.4.12   SNMP library for Python
python-dotenv             0.19.2   Read key-value pairs from a .env file and set them as environment variables
pyyaml                    6.0      YAML parser and emitter for Python
referencing               0.30.2   JSON Referencing + Python
requests                  2.30.0   Python HTTP for Humans.
requests-toolbelt         1.0.0    A utility belt for advanced users of python-requests
resolvelib                1.0.1    Resolve abstract dependencies into concrete ones
rich                      13.5.2   Render rich text, tables, progress bars, syntax highlighting, markdown and more to the terminal
rpds-py                   0.10.3   Python bindings to Rust's persistent data structures (rpds)
ruamel-yaml               0.17.32  ruamel.yaml is a YAML parser/emitter that supports roundtrip preservation of comments, seq/map flow style, and map ke...
ruamel-yaml-clib          0.2.7    C version of reader, parser and emitter for ruamel.yaml derived from libyaml
scp                       0.14.5   scp module for paramiko
setuptools                63.4.3   Easily download, build, install, upgrade, and uninstall Python packages
six                       1.16.0   Python 2 and 3 compatibility utilities
subprocess-tee            0.4.1    subprocess-tee
thruk                     0.0.6    Library providing functions to create and end a sheduled downtime in Thruk
tomli                     2.0.1    A lil' TOML parser
transitions               0.9.0    A lightweight, object-oriented Python state machine implementation with many extensions.
typing-extensions         4.5.0    Backported and Experimental Type Hints for Python 3.7+
urllib3                   2.0.2    HTTP library with thread-safe connection pooling, file post, and more.
wcmatch                   8.5      Wildcard/glob file name matcher.
wheel                     0.40.0   A built-package format for Python
yamllint                  1.32.0   A linter for YAML files.
yamlordereddictloader     0.4.0    YAML loader and dump for PyYAML allowing to keep keys order.

vrelk-net commented 7 months ago

I just ran into this today. If you enable debug logging, it throws a pyaoscx error, so it could be an issue with that package. I've only used it through ansible though, so I don't think I have enough info to create an issue in that project right now.

The full traceback is:
  File "/tmp/ansible_arubanetworks.aoscx.aoscx_acl_payload_1ubsryud/ansible_arubanetworks.aoscx.aoscx_acl_payload.zip/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py", line 614, in main
  File "/home/user/ansible-venv/lib/python3.10/site-packages/pyaoscx/pyaoscx_module.py", line 40, in ensure_connected
    return fnct(self, *args, **kwargs)
  File "/home/user/ansible-venv/lib/python3.10/site-packages/pyaoscx/acl_entry.py", line 278, in apply
    self._extract_missing_parameters_from(remote_ace)
  File "/home/user/ansible-venv/lib/python3.10/site-packages/pyaoscx/pyaoscx_module.py", line 342, in _extract_missing_parameters_from
    setattr(self, param_name, deepcopy(param))
  File "/home/user/ansible-venv/lib/python3.10/site-packages/pyaoscx/acl_entry.py", line 651, in dst_ip
    version = utils.get_ip_version(new_dst_ip)
  File "/home/user/ansible-venv/lib/python3.10/site-packages/pyaoscx/utils/util.py", line 329, in get_ip_version
    raise ParameterError(msg)
fatal: [wo033-cx6200-stack]: FAILED! => changed=false 
  invocation:
    module_args:
      acl_entries:
        '10':
          action: permit
          comment: xxxxx
          src_ip: 10.10.10.10/32
      name: MGMT
      state: create
      type: ipv4
  msg: '''PARAMETER ERROR: Invalid IP: None does not appear to be an IPv4 or IPv6 interface'''

alagoutte commented 7 months ago

Coming from https://github.com/aruba/pyaoscx/blob/aa91f087304859124f8a2fd91b7cbe1981c306a0/pyaoscx/utils/util.py#L328, I think.

Maybe you need to replace 10.10.10.10/32 with 10.10.10.10? (I know that in this case the doc is wrong!)

git4m commented 7 months ago

The problem is the same, regardless if specified with /32 mask or without.

Please note, that the running config shown below was successfully created via ansible-playbook:

access-list ip test_acl
    1 comment Deny the host
    1 deny tcp 158.10.12.57/32 any count

Running below task leads to the error:

    - name: Add ACL task 1 (AOSCX)
      arubanetworks.aoscx.aoscx_acl:
        name: test_acl
        type: ipv4
        state: update
        acl_entries:
          1:
            comment: "Deny the host"
            action: permit
            count: true
            src_ip: 158.10.12.57
            protocol: tcp

leads as well to the same error. The full traceback is:

  File "/tmp/ansible_arubanetworks.aoscx.aoscx_acl_payload_x1z50ukn/ansible_arubanetworks.aoscx.aoscx_acl_payload.zip/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py", line 614, in main
  File "/home/user/proj/network-automation/.venv/lib/python3.9/site-packages/pyaoscx/pyaoscx_module.py", line 40, in ensure_connected
    return fnct(self, *args, **kwargs)
  File "/home/user/proj/network-automation/.venv/lib/python3.9/site-packages/pyaoscx/acl_entry.py", line 278, in apply
    self._extract_missing_parameters_from(remote_ace)
  File "/home/user/proj/network-automation/.venv/lib/python3.9/site-packages/pyaoscx/pyaoscx_module.py", line 342, in _extract_missing_parameters_from
    setattr(self, param_name, deepcopy(param))
  File "/home/user/proj/network-automation/.venv/lib/python3.9/site-packages/pyaoscx/acl_entry.py", line 651, in dst_ip
    version = utils.get_ip_version(new_dst_ip)
  File "/home/user/proj/network-automation/.venv/lib/python3.9/site-packages/pyaoscx/utils/util.py", line 329, in get_ip_version
    raise ParameterError(msg)
fatal: [switch]: FAILED! => changed=false
  invocation:
    module_args:
      acl_entries:
        '1':
          action: permit
          comment: Deny the host
          count: true
          protocol: 6
          src_ip: 158.10.12.57
      name: test_acl
      state: update
      type: ipv4
  msg: '''PARAMETER ERROR: Invalid IP: None does not appear to be an IPv4 or IPv6 interface'''
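
A minimal model of the call chain in the traceback above, as an added example (not pyaoscx or collection code): parameters missing from the task are copied from the device's entry, and a validating setter rejects the copied `None`. The class names, `merge_remote`, `update_result` and the representation of destination `any` as `None` are assumptions; `TolerantAce` shows one possible guard and is not claimed to be the upstream fix.

```python
import ipaddress

# Constructed device-side copy of entry 1 ("deny tcp 158.10.12.57/32 any");
# modelling destination "any" as None is an assumption of this sketch.
REMOTE_ACE = {"action": "deny", "src_ip": "158.10.12.57/32", "dst_ip": None}

class ParameterError(Exception):
    """Stand-in for the error type named in the traceback."""

def get_ip_version(ip):
    # ipaddress.ip_interface(None) raises ValueError with the text seen above.
    try:
        return ipaddress.ip_interface(ip).version
    except ValueError as exc:
        raise ParameterError("Invalid IP: {0}".format(exc))

class StrictAce:
    """Hypothetical ACE whose dst_ip setter validates every assignment."""
    def __init__(self, action=None, src_ip=None):
        self.action, self.src_ip, self._dst_ip = action, src_ip, None

    @property
    def dst_ip(self):
        return self._dst_ip

    @dst_ip.setter
    def dst_ip(self, value):
        get_ip_version(value)  # raises when the copied value is None
        self._dst_ip = value

    def merge_remote(self, remote):
        # Fill in parameters the task did not supply from the device copy.
        for name, value in remote.items():
            if getattr(self, name) is None:
                setattr(self, name, value)

class TolerantAce(StrictAce):
    """Same model; None is accepted as "match any" and skips validation."""
    @StrictAce.dst_ip.setter
    def dst_ip(self, value):
        if value is not None:
            get_ip_version(value)
        self._dst_ip = value

def update_result(ace_cls):
    # Mirrors the task: change entry 1 to "permit" without giving dst_ip.
    ace = ace_cls(action="permit", src_ip="158.10.12.57/32")
    try:
        ace.merge_remote(REMOTE_ACE)
    except ParameterError as exc:
        return str(exc)
    return "{0} {1} {2}".format(ace.action, ace.src_ip, ace.dst_ip or "any")
```

In this model the failure happens before anything is sent to the switch, so the existing `deny` entry stays in place until the task succeeds.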

alagoutte commented 7 months ago

I think it is a bug in pyaoscx (coming from this change: https://github.com/aruba/pyaoscx/commit/225d937186d0bb6686ed2426c8e7c8e3c69b77e3#diff-246653dbf6112e85b21c32b5243dbe2ece1d77308690ca19d820176d6e465765R325)

@tchiapuziowong @rajani-abraham

tchiapuziowong commented 7 months ago

@git4m @alagoutte thank you for bringing this to our attention, we're investigating and developing a fix for this and will update the issue once the patch is published

uoe-ahewittbell commented 2 weeks ago

Any update on this one? - I'm also hitting the same error.

TASK [allow AWX in mgmt acl] ***************************************************
fatal: [test6100]: FAILED! => {"changed": false, "msg": "'PARAMETER ERROR: Invalid IP: None does not appear to be an IPv4 or IPv6 interface'"}

    - name: allow AWX in mgmt acl
      aoscx_acl:
        name: acl_test
        type: ipv4
        acl_entries:
          28:
            comment: test line
            action: permit
            src_ip: 10.0.0.1/32
            protocol: tcp
            dst_l4_port: 22

Same error if I try without the mask.

alagoutte commented 2 weeks ago

Can you try v4.4.0? (And don't forget to also upgrade pyaoscx!)

git4m commented 2 weeks ago

Hi @tchiapuziowong

Thank you for providing the v4.4.0 fix. It has fixed the above issue.

I found another issue with aoscx_acl and icmp-type, going to create a new issue.