scrapli / scrapli_cfg

Network device Configuration Management with scrapli
https://scrapli.github.io/scrapli_cfg/
MIT License

`Failed to acquire requested privilege level root_shell` during configuration junos device #50

Closed omaxx closed 1 year ago

omaxx commented 1 year ago

Script for changing config on junos device:

```python
from scrapli.driver.core import JunosDriver
from scrapli_cfg import ScrapliCfg

device = {
    "host": "192.168.1.1",
    "auth_username": "user",
    "auth_password": "password",
    # SSH host key verification is disabled
    "auth_strict_key": False,
}

# set-style configuration to load
config = """
set interface ae1 disable
"""

with JunosDriver(**device) as conn:
    print(conn.get_prompt())
    # interface state before the change
    print((conn.send_command("show interface ae1 terse")).result)

    # load and commit the config through scrapli_cfg
    cfg_conn = ScrapliCfg(conn=conn)
    cfg_conn.prepare()
    cfg_conn.load_config(config=config, set=True)
    cfg_conn.commit_config()

    # interface state after the change
    print((conn.send_command("show interface ae1 terse")).result)
```

The user has su privileges to make configuration changes, but I got an error:

```
/usr/local/lib/python3.10/site-packages/scrapli/helper.py:298: UserWarning:

********************************************************************************* Authentication Warning! **********************************************************************************
scrapli will try to escalate privilege without entering a password but may fail.
Set an 'auth_secondary' password if your device requires a password to increase privilege, otherwise ignore this message.
********************************************************************************************************************************************************************************************

  warn(warning_message)
Traceback (most recent call last):
  File "/Users/morlov/Projects/eznet/temp/ssh2.py", line 31, in <module>
    main()
  File "/Users/morlov/Projects/eznet/temp/ssh2.py", line 26, in main
    cfg_conn.load_config(config=config, set=True)
  File "/usr/local/lib/python3.10/site-packages/scrapli_cfg/platform/core/juniper_junos/sync_platform.py", line 122, in load_config
    config_result = self.conn.send_config(config=config, privilege_level="root_shell")
  File "/usr/local/lib/python3.10/site-packages/scrapli/driver/network/sync_driver.py", line 575, in send_config
    multi_response = self.send_configs(
  File "/usr/local/lib/python3.10/site-packages/scrapli/driver/network/sync_driver.py", line 514, in send_configs
    self.acquire_priv(desired_priv=resolved_privilege_level)
  File "/usr/local/lib/python3.10/site-packages/scrapli/driver/network/sync_driver.py", line 173, in acquire_priv
    raise ScrapliPrivilegeError(msg)
scrapli.exceptions.ScrapliPrivilegeError: Failed to acquire requested privilege level root_shell
```

```
❯ pip list | egrep scrapli
scrapli                2023.1.30
scrapli-cfg            2023.1.30
scrapli-netconf        2022.7.30
```

carlmontanari commented 1 year ago

👋

Did you set auth_secondary like the message says? I don’t juniper but if I recall correctly we go to root shell and that prompts for a password, even if the password is the same as the “main” password you need to set auth secondary.

If that doesn’t work we will need logs probably. And probably some help on testing since I don’t have any juniper to test with.

omaxx commented 1 year ago

I tried, but it doesn't help. Junos doesn't ask for any password when going from exec to config mode.

```
user@host> configure
Entering configuration mode

{master:0}[edit]
user@host# commit
configuration check succeeds
commit complete

{master:0}[edit]
user@host# exit
Exiting configuration mode

{master:0}
user@host>
```

carlmontanari commented 1 year ago

Scrapli cfg does not edit the config in config mode. It gets into a shell and inserts the config as a file. Please get channel logs

omaxx commented 1 year ago

But how do you apply a new config without entering config mode?

carlmontanari commented 1 year ago

> But how do you apply a new config without entering config mode?

Scrapli cfg does not edit the config in config mode. It gets into a shell and inserts the config as a file.

like I said if you enable secondary auth and get channel log we could see…

omaxx commented 1 year ago

It tries to open a root shell but could not, because it doesn't have the root password.

omaxx commented 1 year ago

I think I understand what the problem is: it tries to open a root shell to create a file in the /config folder, and next it tries to load and apply it from config mode.

Two things could be optimized:

- the file could be created in the user's home folder, so it is not necessary to be root
- it is also possible to load config directly from the terminal, so no need to create a file at all

carlmontanari commented 1 year ago

> the file could be created in the user's home folder, so it is not necessary to be root

willing to review pr for this

> it is also possible to load config directly from the terminal, so no need to create a file at all

Then just use scrapli without cfg, there were reasons for this that I don’t recall now but I have no interest in changing this. If there is no need for file ops and you can just send configs then just use scrapli to do this yourself and not futz with cfg.
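
The route suggested in the last comment, sending the set commands through plain scrapli in configuration mode so that no `root_shell` escalation is involved, as an added example that is not part of the original thread or of scrapli's own code. `set_lines`, `apply_set_config`, `RecordingConn`, the verb allowlist and the `FAILED_WHEN` strings are assumptions made for illustration; `send_configs` with `stop_on_failed` and `failed_when_contains` is scrapli's network driver API.

```python
from types import SimpleNamespace
from typing import List

# Assumption: the Junos CLI reports rejected input or a failed commit with
# lines containing these strings; adjust to what your platform prints.
FAILED_WHEN = ["error:", "syntax error", "unknown command"]
# Assumption: only these set-style verbs are accepted, so operational
# commands cannot be slipped into the config text.
ALLOWED_VERBS = ("set ", "delete ", "activate ", "deactivate ")


def set_lines(config: str) -> List[str]:
    """Split set-style config text into commands, rejecting anything else."""
    lines = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(ALLOWED_VERBS):
            raise ValueError(f"not a set-style config line: {line!r}")
        lines.append(line)
    return lines


def apply_set_config(conn, config: str) -> bool:
    """Send set-style config and commit in configuration mode (no root shell).

    `conn` is an open scrapli network driver such as the page's JunosDriver.
    """
    commands = set_lines(config) + ["commit check", "commit"]
    # stop_on_failed halts at the first failing line, so "commit" is never
    # sent after a rejected command or a failed "commit check".
    result = conn.send_configs(
        configs=commands, stop_on_failed=True, failed_when_contains=FAILED_WHEN
    )
    return not result.failed


class RecordingConn:
    """Constructed offline stand-in for a driver: records what would be sent."""

    def __init__(self, failed: bool = False):
        self.failed, self.sent = failed, []

    def send_configs(self, configs, **kwargs):
        self.sent = list(configs)
        return SimpleNamespace(failed=self.failed)


if __name__ == "__main__":
    demo = RecordingConn()
    print(apply_set_config(demo, "\nset interface ae1 disable\n"), demo.sent)
```

Against a real device, pass the `conn` opened by `JunosDriver(**device)` from the script at the top of the thread instead of `RecordingConn`.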