ansible-collections/cisco.nxos

nxos modules failing on nxos 10.x

jansyren opened this issue · 2 comments

SUMMARY

When executing playbooks with nxos modules on cisco devices with nxos 10.2 (cisco 9336-FX2)
it fails with the error unable to execute "show privilege".
This command seems to be deprecated in 10.x for some reason.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

All nxos modules that write any config

ANSIBLE VERSION

ansible 2.9.18
config file = /etc/ansible/ansible.cfg
configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

COLLECTION VERSION

CONFIGURATION
OS / ENVIRONMENT

AWX 17.10 docker swarm

STEPS TO REPRODUCE

Using nxos modules to configure switches with v10.x


Get the switch type and store in a variable for using custom configuration files

```yaml
- name: Get switch type
  nxos_command:
    commands:
      - command: show hardware
        output: json
  register: hardware
```

Check if the user librenms is configured on the switch, if it is the switch is considered to be configured

```yaml
- name: Check if switch is configured
  nxos_command:
    commands:
      - command: show user-account librenms | wc -l
        output: json
  register: configured_host

- name: set fact on host
  set_fact:
    configured: yes
  when: configured_host['stdout'][0] == 27

- name: set fact on host
  set_fact:
    configured: no
  when: configured_host['stdout'][0] != 27

- name: set fact on host
  set_fact:
    newConfig: no
```

Block to do the actual configuration of the switch, will only run if configured is set to false

```yaml
- name: Start configuring of the switch
  block:
    - name: set rollback
      nxos_rollback:
        checkpoint_file: backup.cfg

    - name: Backup running config
      nxos_config:
        backup: yes
        backup_options:
          filename: "{{ inventory_hostname }}_old.conf"
          dir_path: /home/admin

    - name: set motd
      nxos_banner:
        banner: motd
        text: |
          ***********************************************************************
        state: present

    - name: setup librenms user
      nxos_user:
        name: librenms
        configured_password: "{{ librenmsPass }}"
        role: network-operator
        state: present

    - name: Ensure the right features are enabled
      nxos_feature:
        feature: "{{ item }}"
        state: enabled
      loop:
        - nxapi
        - scp-server
        - ptp
        - lldp
        - lacp

    - name: Ensure a range of VLANs are present on the switch
      nxos_vlan:
        vlan_range: "1-3967"
        state: present

    # Switch9336 / Switch93180 / Switch9236 are expected to be variables
    # (e.g. from group_vars) holding the chassis string to match.
    - name: Configure TCAM on 9336c-fx2
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-netflow 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-l3-vlan-qos 256
          - hardware access-list tcam region ing-ifacl 3072
      when: Switch9336 in hardware['stdout'][0]['chassis_id']

    - name: Configure TCAM on 93180
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-qos 0
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-l3-span-filter 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-l3-vlan-qos 256
          - hardware access-list tcam region egr-racl 512
          - hardware access-list tcam region ing-ifacl 2560
      when: Switch93180 in hardware['stdout'][0]['chassis_id']

    - name: Configure TCAM on 9236c
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-l3-span-filter 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-ifacl 1536
      when: Switch9236 in hardware['stdout'][0]['chassis_id']

    - name: setup access-lists
      nxos_command:
        commands:
          - configure
          - ip access-list ndb_ipacl_global
          - statistics per-entry
          - 49993001 deny ip any any
          - ipv6 access-list ndb_ipv6acl_global
          - statistics per-entry
          - 49993001 deny ipv6 any any
          - 49993002 deny icmp any any
          - 49993003 deny icmp any any nd-ns
          - 49993004 deny icmp any any router-advertisement
          - 49993005 deny icmp any any router-solicitation
          - 49993006 deny icmp any any nd-na
          - mac access-list ndb_macacl_global
          - statistics per-entry
          - 49993001 deny any any
          - 49993002 deny any any 0x8847
          - 49993003 deny any any 0x8848
          - 49993004 deny any any 0x806

    - name: Misc settings
      nxos_command:
        commands:
          - configure
          - system dot1q-tunnel transit
          - vlan configuration 1-3967
          - no ip igmp snooping
          - exit
          # NX-API over plaintext HTTP on port 80: credentials and config
          # cross the wire unencrypted.
          - nxapi http port 80
          - no system default switchport shutdown
          - hostname {{ inventory_hostname }}
          - no spanning-tree vlan 2-3967

    - name: save config to startup config
      nxos_command:
        commands:
          - configure
          - copy run start

    - name: set fact on host
      set_fact:
        newConfig: yes

  when: not configured

  # If anything in the block above fails, roll back to the old config
  rescue:
    - name: rollback because the configuration failed
      nxos_rollback:
        rollback_to: backup.cfg

    - name: save config to startup config
      nxos_command:
        commands:
          - configure
          - copy run start

    - name: set fact on host
      set_fact:
        newConfig: no
```

Reboot switch and wait for it to come back online

```yaml
- name: reboot
  nxos_command:
    commands: reload in 10
  async: 1
  poll: 0
  when: newConfig

- name: halt playbook so interfaces come up before continuing
  pause:
    minutes: 8
  when: newConfig
```

EXPECTED RESULTS
ACTUAL RESULTS

@jansyren The only time show privilege is run is while escalating privilege when ansible_become is set to True. Since classic IOS-style enable privilege escalation has been dropped from NX-OS 10.x, this variable should not be turned on. This has been explained in #304 (comment).

There are two solutions to this:

  • Turn off privilege escalation (ansible_become=False) for hosts that are running NX-OS >= 10.0.0
  • Or, set ansible_network_become_errors to determine how privilege escalation failures are handled. This option was added in ansible.netcommon v2.5.0, so if you're running an older version of netcommon than this, you would have to upgrade it.
Hope that resolves this issue for you. Thank you!
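The two fixes from the reply above, written out as an added inventory example that is not from the original thread or from the cisco.nxos collection. It keeps enable-style escalation for a group of hosts still on NX-OS 9.x, disables it for a group on NX-OS 10.x so network_cli never sends "show privilege" to them, and sets ansible_network_become_errors at the parent level so a mixed fleet warns instead of aborting. The group names, host names and the 9.x/10.x split are assumptions; ansible_network_become_errors requires ansible.netcommon 2.5.0 or newer and accepts ignore, warn or fail (fail is the default that produced the error in the report).

```yaml
# inventory.yml (constructed example; group and host names are assumptions)
all:
  children:
    nxos:
      vars:
        ansible_connection: ansible.netcommon.network_cli
        ansible_network_os: cisco.nxos.nxos
        # Option 2 from the reply: do not fail the play when privilege
        # escalation fails. "warn" keeps the failure visible in the run
        # output; "ignore" silences it; "fail" (the default) aborts.
        ansible_network_become_errors: warn
      children:
        # Hosts on NX-OS 9.x, where classic enable escalation still exists.
        nxos_9x:
          vars:
            ansible_become: true
            ansible_become_method: ansible.netcommon.enable
          hosts:
            leaf-9k-01: {}
        # Option 1 from the reply: hosts on NX-OS >= 10.0.0. With become
        # disabled, network_cli never runs "show privilege" against them.
        nxos_10x:
          vars:
            ansible_become: false
          hosts:
            leaf-9336-01: {}
```

Check which value a given host actually resolves to before running anything against it, since a host-level or play-level `become: yes` would override the group setting: `ansible-inventory -i inventory.yml --host leaf-9336-01` should show `ansible_become: false` for the 10.x host.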

Thanks for the reply, greatly appreciated. Now we dare to move forward with our upgrades :)