panos_type_cmd with xpath not correctly updates PA FW configuration
mhca99 opened this issue · 3 comments
Describe the bug
Hi, we are trying to use the panos_type module to add device priority for HA VMs. The Ansible task is executed successfully; however, when the commit is run in the next task, it's failing with the following error:
fatal: [PA-A]: FAILED! => {"changed": false, "msg": "Validation Error: | deviceconfig -> high-availability -> group unexpected here | deviceconfig -> high-availability -> group is invalid"}
Expected behavior
The commit should be successful with new settings.
Current behavior
The commit is not successful, and there is some issue with the configuration after the config was updated in the Ansible task with the panos_type module. Even a manual commit on the console gives the same error, so the configuration must have been messed up when the Ansible task was executed.
Possible solution
Check the code to see if anything additional is being updated, as I saw an apostrophe " ' " before "</group>" in the candidate configuration, as follows:
<high-availability>
  <enabled>yes</enabled>
  <group><group-id>1</group-id><configuration-synchronization><enabled>yes</enabled></configuration-synchronization><peer-ip>172.16.33.20</peer-ip><mode><active-passive><passive-link-state>auto</passive-link-state></active-passive></mode><state-synchronization><enabled>yes</enabled><ha2-keep-alive><enabled>yes</enabled></ha2-keep-alive></state-synchronization><election-option><preemptive>yes</preemptive><timers><recommended/></timers><device-priority>200</device-priority></election-option>'</group>
  <interface>
    <ha1>
      <port>management</port>
    </ha1>
    <ha2>
      <ip-address>172.16.36.10</ip-address>
      <netmask>255.255.255.0</netmask>
      <port>ethernet1/3</port>
      <gateway>172.16.36.1</gateway>
    </ha2>
    <ha1-backup/>
  </interface>
</high-availability>
Steps to reproduce
- create a simple playbook and run as follows:
- name: Palo Alto test
  hosts: palo
  connection: local
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: "{{ansible_host}}"
      username: "{{panos_admin}}"
      password: "{{panos_password}}"
  tasks:
    - name: set the device priority
      panos_type_cmd:
        provider: '{{ provider }}'
        xpath: |
          /config/devices/entry[@name='localhost.localdomain']
          /deviceconfig/high-availability/group
        element: |
          '<election-option><device-priority>{{device_priority}}</device-priority></election-option>'
    - name: commit (blocks until finished)
      paloaltonetworks.panos.panos_commit_firewall:
        provider: '{{ provider }}'

8758f10b786f:/# ansible-playbook -i inventory palo-alto-ha.yml -e panos_admin=admin -e panos_password=xxx
PLAY [Palo Alto test] *******************************************************************************************************************************************************************
TASK [Gathering Facts] ******************************************************************************************************************************************************************
[WARNING]: Platform linux on host PA-A is using the discovered Python interpreter at /usr/bin/python3.10, but future installation of another Python interpreter could change the meaning
of that path. See https://docs.ansible.com/ansible-core/2.13/reference_appendices/interpreter_discovery.html for more information.
ok: [PA-A]
TASK [set the device priority] **********************************************************************************************************************************************************
changed: [PA-A]
TASK [commit (blocks until finished)] ***************************************************************************************************************************************************
fatal: [PA-A]: FAILED! => {"changed": false, "msg": "Validation Error: | deviceconfig -> high-availability -> group unexpected here | deviceconfig -> high-availability -> group is invalid"}
PLAY RECAP ******************************************************************************************************************************************************************************
PA-A : ok=2 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Context
I was trying to set up the priority of each VM in the HA cluster. Since panos.panos_ha does not have an option to set the priority, I was trying to use panos_type_cmd to set the priority.
Your Environment
This is a simple environment consisting of two Palo Alto VMs in an HA environment.
- Collection: paloaltonetworks.panos 2.17.3
- Python: 3.10.12
- Ansible:
  4cd96e0bc728:/mnt# ansible --version
  ansible [core 2.13.6]
    config file = None
    configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
    ansible python module location = /usr/lib/python3.10/site-packages/ansible
    ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
    executable location = /usr/bin/ansible
    python version = 3.10.12 (main, Jun 9 2023, 02:29:43) [GCC 12.2.1 20220924]
    jinja version = 3.1.2
    libyaml = True
- PAN-OS Python Library & version (e.g. pandevice 0.14.0, pan-os-python 1.0.2):
  4cd96e0bc728:/mnt# pip3 list | grep pan
  pan-os-python 1.11.0
  pan-python 0.17.0
  pandevice 0.14.0
  4cd96e0bc728:/mnt#
🎉 Thanks for opening your first issue here! Welcome to the community!
Hi @mhca99,
Changing your task's element from:

element: |
  '<election-option><device-priority>{{device_priority}}</device-priority></election-option>'

to this, removing the single quote characters:

element: |
  <election-option><device-priority>{{device_priority}}</device-priority></election-option>

Can you confirm please? Thanks
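
An added example, not part of the thread or of the collection's code: a pre-flight check in Python that flags text sitting outside the XML tags of an `element` value before it is pushed into the candidate configuration. The function names and the two sample strings are assumptions constructed for illustration; the strings are what a YAML literal block scalar (`|`) hands to the module once `device_priority` has rendered to 200, since `|` keeps quote characters as data.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the quoted and unquoted task variants from this thread
# after YAML parsing and Jinja rendering (a "|" scalar also appends a newline).
QUOTED = "'<election-option><device-priority>200</device-priority></election-option>'\n"
UNQUOTED = "<election-option><device-priority>200</device-priority></election-option>\n"


def stray_text(element: str) -> list:
    """Return non-whitespace text found outside the tags of an XML fragment.

    The fragment may hold several sibling elements, so it is wrapped in a
    throwaway root before parsing. Raises ValueError if it is not well-formed.
    """
    try:
        root = ET.fromstring(f"<wrapper>{element}</wrapper>")
    except ET.ParseError as exc:
        raise ValueError(f"element is not well-formed XML: {exc}") from exc
    found = []
    # Text between the wrapper's opening tag and the first child element.
    if root.text and root.text.strip():
        found.append(root.text.strip())
    # Text after each top-level element's closing tag.
    for child in root:
        if child.tail and child.tail.strip():
            found.append(child.tail.strip())
    return found


def check_element(element: str) -> str:
    """Return the fragment without surrounding whitespace, or raise if it
    carries characters that would end up as text inside the target node."""
    stray = stray_text(element)
    if stray:
        raise ValueError(f"text outside XML tags: {stray!r}")
    return element.strip()


if __name__ == "__main__":
    for label, value in (("quoted", QUOTED), ("unquoted", UNQUOTED)):
        try:
            check_element(value)
            print(f"{label}: ok")
        except ValueError as err:
            print(f"{label}: rejected ({err})")
```
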
Please reopen this issue if problems persist