Ansible i Checkpoint

Wszystko o automatyzacji w sieciach i DC
Wiadomość
Autor
Awatar użytkownika
frontier
wannabe
wannabe
Posty: 1861
Rejestracja: 16 lis 2004, 13:55
Lokalizacja: Edinburgh

Ansible i Checkpoint

#1

#1 Post autor: frontier »

Heja,

Uzywajac nieco poprawionych skryptów z tej strony https://community.checkpoint.com/t5/Ans ... td-p/14305 skonfigurowalem sobie ansible w domowym labie i zgrywa mi konfiguracje z Checkpointów.

U klienta jest juz skonfigurowane ansible ale tylko do Cisco wiec pozwolili mi dodac CP. Playbooki ponizej:

Kod: Zaznacz cały

[root@ansible playbooks]# cat Backup.yml
---
#This Playbook will take a backup of "show configuration" gaia command. The out put will be stored to directory named BACKUP, one level up to where the playbook is run from


 - hosts: localhost
   tasks:
    - command: /bin/echo "{{ lookup('pipe','date +%Y-%m-%d_%H-%M') }}"
      register: foo

    - file:
        path: /etc/ansible/fwbackups
        state: directory

## Change the 'hosts' variable to what you have defined in inventory file.
## You can change 'serial' to higher than 1. 'Serial' is the batch size
 - hosts: SP_SCP_FW
   serial: 10
#################### DO NOT CHANGE AYTHING BELOW THIS LINE ######################
   gather_facts: no
   tasks:
     - name: BACKUP
       import_role:
         name: ashwin_sid.gaia_fw1
         tasks_from: backup
[root@ansible playbooks]#
[root@ansible tasks]# cat backup.yml
---
# VARIABLES:
#  cmdfile - File where the comamnds to be run on target hosts are stored, one command pre line.
#  logdir - Directory where the output of the commands will be stored. This can be specified either relative to the directory where the playbook stored ( ../SHOW) OR the full path (/opt/ansible/SHOW)
#
#

- name: set clish
  cli_command: command=clish

- name: set pager
  cli_command: command='set clienv rows 0'

- name: Get hostname
  cli_command: command='show hostname'
  register: r0

- name: SHOW CONFIG
  cli_command: command='show configuration'
         #command='show ipconfiguration'
  register: result1

- name: create dir
  local_action: file path=={{ logdir | default('/etc/ansible/fwbackups') }}/{{ r0.stdout }} state=directory

- name: Store Backup
  local_action: copy content={{ result1.stdout_lines|join('\n') }} dest=/etc/ansible/fwbackups/{{ r0.stdout }}/{{ hostvars['localhost']['foo'].stdout }}.txt
Dodalem 4 firewalle do /etc/ansible/hosts

Kod: Zaznacz cały

[SP_SCP_FW]
10.10.127.91
10.10.127.92
10.12.127.91
10.12.127.92
Niestety, dostaje cos takiego:

Kod: Zaznacz cały

[root@ansible playbooks]# ansible-playbook -k Backup.yml
SSH password:
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
 [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details


PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [127.0.0.1]

TASK [command] *******************************************************************************************************************************************************************************************************************************
changed: [127.0.0.1]

TASK [file] **********************************************************************************************************************************************************************************************************************************
ok: [127.0.0.1]

PLAY [SP_SCP_FW] ***************************************************************************************************************************************************************************************************************************

TASK [ashwin_sid.gaia_fw1 : set clish] *******************************************************************************************************************************************************************************************************
fatal: [10.10.127.91]: FAILED! => {"changed": false, "msg": [b]"Connection type local is not valid for this module"[/b]}
fatal: [10.10.127.92]: FAILED! => {"changed": false, "msg": [b]"Connection type local is not valid for this module"[/b]}
fatal: [10.12.127.91]: FAILED! => {"changed": false, "msg": [b]"Connection type local is not valid for this module"[/b]}
fatal: [10.12.127.92]: FAILED! => {"changed": false, "msg": [b]"Connection type local is not valid for this module"[/b]}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
10.10.127.91               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.10.127.92               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.12.127.91               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.12.127.92               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
127.0.0.1                  : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[root@ansible playbooks]#
Zajrzalem do /etc/ansible/hosts i znalazlem takie rzeczy:

Kod: Zaznacz cały

[local]
127.0.0.1
[all:vars]
ansible_connection = local
ansible_user=xxx
ansible_ssh_pass=xxx
Nie rozumiem po co definicja local..? Zajrzalem do mojego testowego laba i nie bylo ani local ani ansible_connection = local. Po usunieciu obu mam taki blad:

Kod: Zaznacz cały

[root@ansible playbooks]# ansible-playbook -k Backup.yml
SSH password:
[DEPRECATION WARNING]: The TRANSFORM_INVALID_GROUP_CHARS settings is set to allow bad characters in group names by default, this will change, but still be user configurable on deprecation. This feature will be removed in version 2.10.
Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
 [WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details


PLAY [localhost] *****************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [command] *******************************************************************************************************************************************************************************************************************************
changed: [localhost]

TASK [file] **********************************************************************************************************************************************************************************************************************************
ok: [localhost]

PLAY [SP_SCP_FW] ***************************************************************************************************************************************************************************************************************************

TASK [ashwin_sid.gaia_fw1 : set clish] *******************************************************************************************************************************************************************************************************
fatal: [10.12.127.91]: FAILED! => {"msg": "Traceback (most recent call last):\n  File \"/bin/ansible-connection\", line 342, in <module>\n    main()\n  File \"/bin/ansible-connection\", line 261, in main\n    task_uuid = sys.argv[2]\nIndexError: list index out of range\n"}
fatal: [10.10.127.91]: FAILED! => {"msg": "Traceback (most recent call last):\n  File \"/bin/ansible-connection\", line 342, in <module>\n    main()\n  File \"/bin/ansible-connection\", line 261, in main\n    task_uuid = sys.argv[2]\nIndexError: list index out of range\n"}
fatal: [10.10.127.92]: FAILED! => {"msg": "Traceback (most recent call last):\n  File \"/bin/ansible-connection\", line 342, in <module>\n    main()\n  File \"/bin/ansible-connection\", line 261, in main\n    task_uuid = sys.argv[2]\nIndexError: list index out of range\n"}
fatal: [10.12.127.92]: FAILED! => {"msg": "Traceback (most recent call last):\n  File \"/bin/ansible-connection\", line 342, in <module>\n    main()\n  File \"/bin/ansible-connection\", line 261, in main\n    task_uuid = sys.argv[2]\nIndexError: list index out of range\n"}

PLAY RECAP ***********************************************************************************************************************************************************************************************************************************
10.10.127.91               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.10.127.92               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.12.127.91               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
10.12.127.92               : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
localhost                  : ok=3    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

[root@ansible playbooks]#
Jakies pomysly..?
Jeden konfig wart więcej niż tysiąc słów

snake
member
member
Posty: 24
Rejestracja: 17 kwie 2012, 08:13

Re: Ansible i Checkpoint

#2

#2 Post autor: snake »

Cześć,

a zoabcz czy jak ustawisz ansible_connection: network_cli dla tego playboka backup.yml. Jesli używasz tego modułu to tam chyba własnie "network_cli" jest wymagane.

Pozdrawiam

freel4ncer
wannabe
wannabe
Posty: 581
Rejestracja: 27 wrz 2007, 01:13

Re: Ansible i Checkpoint

#3

#3 Post autor: freel4ncer »

Stary ale poco zasrywasz sobie defaultowy inventory najlepiej go oproznij i zapomnij

Wez używaj inventory per project z flaga -i i dodawaj tam tylko to co Ci potrzebne

w tym przypadku masz tylko podawac
[SP_SCP_FW]
10.10.127.91
10.10.127.92
10.12.127.91
10.12.127.92

(pisze per project bo widac ze kolega jeszcze nie ogarnia ansible wiec na poczatek bedzie latwej mu nie zamieszac za bardzo wiadomo ze na sporej produkcji robi sie to inaczej)

Awatar użytkownika
frontier
wannabe
wannabe
Posty: 1861
Rejestracja: 16 lis 2004, 13:55
Lokalizacja: Edinburgh

Re: Ansible i Checkpoint

#4

#4 Post autor: frontier »

No dobra, jestem początkujący w ansible, obejrzałem trochę filmów, popatrzyłem na inne playbooki, sporo testów i... dałem sobie spokój z używaniem tych gotowców bo nie jestem w stanie ich zmusić do gadania na serwerze klienta. Może to przez inną wersję ansible bo więcej pomysłów nie mam. Dodałem to network_cli, nie ma różnicy. Flagi -i oraz osobny plik hosts też próbowałem.

Napisałem sobie takiego oto prostego playbooka:

Kod: Zaznacz cały

- name: save checkpoint configs
  hosts: CP
  gather_facts: no

  vars:
   backup_root: /root/ans/configs

  tasks:
   - name: get timestamp
     raw: "date +%Y-%m-%d-%H%M"
     register: timestamp

   - name: show conf
     raw: "clish -c 'show configuration'"
     register: print_output

   - name: Store Backup
     copy:
      content: "{{ print_output }}"
      dest: "{{ backup_root }}/{{ inventory_hostname }}_config_{{ timestamp.stdout }}"
i takie hosts

Kod: Zaznacz cały

[CP]
mgmt ansible_host=192.168.0.51
Zapisuje mi konfig ale... na checkpoincie, nie na serwerze z którego odpalam playbooka.
Druga sprawa to formatowanie, wszystko idzie w jednym wierszu. Da się to jakoś zmienić?
Trzecia to z jakiegoś powodu tworzy plik z dwoma ?? na końcu.

Kod: Zaznacz cały

[Expert@mgmt:0]# ls -l
total 16
-rw-rw---- 1 admin root 13543 Jul 23 11:55 mgmt_config_2021-07-23-1155??
[Expert@mgmt:0]#
Jest dla mnie zupełnie niejasne co zrobić aby np. odpalić 'date' na localhost, 'show conf' na remote, a później znowu na localhost zapisać plik. Może mnie ktoś oświeci :)
Jeden konfig wart więcej niż tysiąc słów

freel4ncer
wannabe
wannabe
Posty: 581
Rejestracja: 27 wrz 2007, 01:13

Re: Ansible i Checkpoint

#5

#5 Post autor: freel4ncer »

https://docs.ansible.com/ansible/latest ... odule.html
The copy module copies a file from the local or remote machine to a location on the remote machine.

Mozesz skopiowac ten plik z checkpoint na server uzywajac fetch
https://docs.ansible.com/ansible/latest ... odule.html

Albo z zarejestrowanej zmiennej lokalnie uzywajac delegate
https://docs.ansible.com/ansible/latest ... ation.html

tu masz krotko wytlumaczone connection local vs delegation
https://clouddocs.f5.com/products/orche ... te-to.html
Ostatnio zmieniony 23 lip 2021, 14:17 przez freel4ncer, łącznie zmieniany 1 raz.

Awatar użytkownika
frontier
wannabe
wannabe
Posty: 1861
Rejestracja: 16 lis 2004, 13:55
Lokalizacja: Edinburgh

Re: Ansible i Checkpoint

#6

#6 Post autor: frontier »

Dzięki, delegation działa, mam lokalnie zapisany ale nadal wszystko jest w jednym wierszu i ze znacznikami :(

Kod: Zaznacz cały

{"rc": 0, "stdout": "#\r\n# Configuration of mgmt\r\n# Language version: 14.1v1\r\n#\r\n# Exported by admin on Fri Jul 23 12:54:29 2021\r\n#\r\nset installer policy check-for-updates-period 3 \r\nset installer policy periodically-self-update on \r\nset installer policy auto-compress-snapshot on \r\nset installer policy self-test install-policy off \r\nset installer policy self-test network-link-up off \r\nset installer policy self-test start-processes on \r\nset arp table cache-size 4096\r\nset arp table validity-timeout 60\r\nset arp announce 2\r\nset ip-conflicts-monitor state off \r\nset message banner on \r\n\r\nset message motd off \r\n\r\nset message caption off \r\nadd bonding group 5 \r\nadd bonding group 5 interface eth0 \r\nset bonding group 5 mode round-robin \r\nset bonding group 5 mii-interval 100 \r\nset bonding group 5 down-delay 200 \r\nset bonding group 5 up-delay 200 \r\nset core-dump enable\r\nset core-dump total 1000\r\nset core-dump per_process 2\r\nset core-dump send_crash_data off\r\nset clienv debug 0\r\nset clienv echo-cmd off\r\nset clienv output pretty\r\nset clienv prompt \"%M\"\r\nset clienv rows 0\r\nset clienv syntax-check off\r\nset dns primary 4.2.2.2\r\nset dns secondary 8.8.8.8\r\nset format date dd-mmm-yyyy\r\nset format time 24-hour\r\nset format netmask Dotted\r\nset hostname mgmt\r\nadd allowed-client host any-host \r\nset web table-refresh-rate 15\r\nset web session-timeout 10\r\nset web ssl-port 443\r\nset web ssl3-enabled off\r\nset web daemon-enable on\r\nset inactivity-timeout 10\r\nset ipv6-state off\r\nadd
sama nazwa też jest dziwna?

Kod: Zaznacz cały

root@kubeadm:~/ans/configs# ls -l
total 16
-rw-r--r-- 1 root root 13627 Jul 23 11:56 'mgmt_config_2021-07-23-1156'$'\n'
root@kubeadm:~/ans/configs#
Jeden konfig wart więcej niż tysiąc słów

freel4ncer
wannabe
wannabe
Posty: 581
Rejestracja: 27 wrz 2007, 01:13

Re: Ansible i Checkpoint

#7

#7 Post autor: freel4ncer »

frontier pisze: 23 lip 2021, 14:16 Dzięki, delegation działa, mam lokalnie zapisany ale nadal wszystko jest w jednym wierszu i ze znacznikami :(

Kod: Zaznacz cały

{"rc": 0, "stdout": "#\r\n# Configuration of mgmt\r\n# Language version: 14.1v1\r\n#\r\n# Exported by admin on Fri Jul 23 12:54:29 2021\r\n#\r\nset installer policy check-for-updates-period 3 \r\nset installer policy periodically-self-update on \r\nset installer policy auto-compress-snapshot on \r\nset installer policy self-test install-policy off \r\nset installer policy self-test network-link-up off \r\nset installer policy self-test start-processes on \r\nset arp table cache-size 4096\r\nset arp table validity-timeout 60\r\nset arp announce 2\r\nset ip-conflicts-monitor state off \r\nset message banner on \r\n\r\nset message motd off \r\n\r\nset message caption off \r\nadd bonding group 5 \r\nadd bonding group 5 interface eth0 \r\nset bonding group 5 mode round-robin \r\nset bonding group 5 mii-interval 100 \r\nset bonding group 5 down-delay 200 \r\nset bonding group 5 up-delay 200 \r\nset core-dump enable\r\nset core-dump total 1000\r\nset core-dump per_process 2\r\nset core-dump send_crash_data off\r\nset clienv debug 0\r\nset clienv echo-cmd off\r\nset clienv output pretty\r\nset clienv prompt \"%M\"\r\nset clienv rows 0\r\nset clienv syntax-check off\r\nset dns primary 4.2.2.2\r\nset dns secondary 8.8.8.8\r\nset format date dd-mmm-yyyy\r\nset format time 24-hour\r\nset format netmask Dotted\r\nset hostname mgmt\r\nadd allowed-client host any-host \r\nset web table-refresh-rate 15\r\nset web session-timeout 10\r\nset web ssl-port 443\r\nset web ssl3-enabled off\r\nset web daemon-enable on\r\nset inactivity-timeout 10\r\nset ipv6-state off\r\nadd
sama nazwa też jest dziwna?

Kod: Zaznacz cały

root@kubeadm:~/ans/configs# ls -l
total 16
-rw-r--r-- 1 root root 13627 Jul 23 11:56 'mgmt_config_2021-07-23-1156'$'\n'
root@kubeadm:~/ans/configs#
A czego sie spodziewales ? czytasz stdout i zapisujesz w stringu
Albo uzyjesz jakis regular expressions w shellu uzywajac sed grep etc albo ansible filters https://docs.ansible.com/ansible/2.4/pl ... on-filters
albo parsery np https://docs.ansible.com/ansible/latest ... rsing.html
https://github.com/google/textfsm

Pamietam jak dzis jak dawno dawno temu kiedy urzadzenia sieciowe nie mialy API pisalo sie templaty do textfsm zeby serializowac dane z outputow stare dobre czasy ;)
I dochodzimy do punktu ze jesli tylko jest API to należy uzywac tylko API i olac cli/shell

Awatar użytkownika
frontier
wannabe
wannabe
Posty: 1861
Rejestracja: 16 lis 2004, 13:55
Lokalizacja: Edinburgh

Re: Ansible i Checkpoint

#8

#8 Post autor: frontier »

Dzięki za pomoc, nareszcie działa jak trzeba :) może komuś się przyda?

Kod: Zaznacz cały

- name: save cp configs
  hosts: CP
  gather_facts: no
  vars:
   backup_root: /root/ans/configs
  tasks:
   - name: get timestamp
     raw: "date +%Y-%m-%d-%H%M"
     register: timestamp
     delegate_to: 127.0.0.1
   - name: show conf
     raw: "clish -c 'show configuration'"
     register: print_output
   - name: Store Backup
     copy:
      content: "{{ print_output.stdout_lines|join('\n') }}"
      dest: "{{ backup_root }}/{{ inventory_hostname }}_config_{{ timestamp.stdout_lines|join('\n') }}"
     delegate_to: 127.0.0.1

Kod: Zaznacz cały

root@kubeadm:~/ans/configs# ls -l
total 8
-rw-r--r-- 1 root root 6171 Jul 23 12:46 mgmt_config_2021-07-23-1246
root@kubeadm:~/ans/configs#
Jeden konfig wart więcej niż tysiąc słów

ODPOWIEDZ