nxos modules failing on nxos 10.x
jansyren opened this issue · 2 comments
SUMMARY
When executing playbooks with nxos modules on Cisco devices running NX-OS 10.2 (Cisco 9336-FX2), it fails with the error unable to execute "show privilege".
This command seems to be deprecated in 10.x for some reason.
ISSUE TYPE
- Bug Report
COMPONENT NAME
All nxos modules that write any config
ANSIBLE VERSION
ansible 2.9.18
config file = /etc/ansible/ansible.cfg
configured module search path = ['/var/lib/awx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible
python version = 3.6.8 (default, Aug 24 2020, 17:57:11) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
AWX 17.10 docker swarm
STEPS TO REPRODUCE
Using nxos modules to configure switches with v10.x:

```yaml
# Get the switch type and store it in a variable for using custom configuration files
- name: Get switch type
  nxos_command:
    commands:
      - command: show hardware
        output: json
  register: hardware

# Check if the user librenms is configured on the switch; if it is, the switch is
# considered to be configured
- name: Check if switch is configured
  nxos_command:
    commands:
      - command: show user-account librenms | wc -l
        output: json
  register: configured_host

- name: set fact on host
  set_fact:
    configured: yes
  when: configured_host['stdout'][0] == 27

- name: set fact on host
  set_fact:
    configured: no
  when: configured_host['stdout'][0] != 27

- name: set fact on host
  set_fact:
    newConfig: no

# Block to do the actual configuration of the switch; will only run if configured is set to false
- name: Start configuring of the switch
  block:
    - name: set rollback
      nxos_rollback:
        checkpoint_file: backup.cfg

    - name: Backup running config
      nxos_config:
        backup: yes
        backup_options:
          filename: "{{ inventory_hostname }}_old.conf"
          dir_path: /home/admin

    - name: set motd
      nxos_banner:
        banner: motd
        text: |
          ***********************************************************************
        state: present

    - name: setup librenms user
      nxos_user:
        name: librenms
        configured_password: "{{ librenmsPass }}"
        role: network-operator
        state: present

    - name: Ensure the right features are enabled
      nxos_feature:
        feature: "{{ item }}"
        state: enabled
      loop:
        - nxapi
        - scp-server
        - ptp
        - lldp
        - lacp

    - name: Ensure a range of VLANs are present on the switch
      nxos_vlan:
        vlan_range: "1-3967"
        state: present

    - name: Configure TCAM on 9336c-fx2
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-netflow 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-l3-vlan-qos 256
          - hardware access-list tcam region ing-ifacl 3072
      when: Switch9336 in hardware['stdout'][0]['chassis_id']

    - name: Configure TCAM on 93180
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-qos 0
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-l3-span-filter 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-l3-vlan-qos 256
          - hardware access-list tcam region egr-racl 512
          - hardware access-list tcam region ing-ifacl 2560
      when: Switch93180 in hardware['stdout'][0]['chassis_id']

    - name: Configure TCAM on 9236c
      nxos_command:
        commands:
          - configure
          - hardware access-list tcam region ing-l2-span-filter 0
          - hardware access-list tcam region ing-l3-span-filter 0
          - hardware access-list tcam region ing-racl 256
          - hardware access-list tcam region ing-ifacl 1536
      when: Switch9236 in hardware['stdout'][0]['chassis_id']

    - name: setup access-lists
      nxos_command:
        commands:
          - configure
          - ip access-list ndb_ipacl_global
          - statistics per-entry
          - 49993001 deny ip any any
          - ipv6 access-list ndb_ipv6acl_global
          - statistics per-entry
          - 49993001 deny ipv6 any any
          - 49993002 deny icmp any any
          - 49993003 deny icmp any any nd-ns
          - 49993004 deny icmp any any router-advertisement
          - 49993005 deny icmp any any router-solicitation
          - 49993006 deny icmp any any nd-na
          - mac access-list ndb_macacl_global
          - statistics per-entry
          - 49993001 deny any any
          - 49993002 deny any any 0x8847
          - 49993003 deny any any 0x8848
          - 49993004 deny any any 0x806

    - name: Misc settings
      nxos_command:
        commands:
          - configure
          - system dot1q-tunnel transit
          - vlan configuration 1-3967
          - no ip igmp snooping
          - exit
          - nxapi http port 80
          - no system default switchport shutdown
          - hostname {{ inventory_hostname }}
          - no spanning-tree vlan 2-3967

    - name: save config to startup config
      nxos_command:
        commands:
          - configure
          - copy run start

    - name: set fact on host
      set_fact:
        newConfig: yes
  when: not configured

  # If anything in the block above fails, roll back to the old config
  rescue:
    - name: rollback because the configuration failed
      nxos_rollback:
        rollback_to: backup.cfg

    - name: save config to startup config
      nxos_command:
        commands:
          - configure
          - copy run start

    - name: set fact on host
      set_fact:
        newConfig: no

# Reboot the switch and wait for it to come back online
- name: reboot
  nxos_command:
    commands: reload in 10
  async: 1
  poll: 0
  when: newConfig

- name: halt playbook so interfaces come up before continuing
  pause:
    minutes: 8
  when: newConfig
```
EXPECTED RESULTS
ACTUAL RESULTS
@jansyren The only time show privilege is run is while escalating privilege when ansible_become is set to True. Since classic IOS-styled enable privilege escalation has been dropped from NX-OS 10.x, this variable should not be turned on. This has been explained in #304 (comment).
There are two solutions to this:
- Turn off privilege escalation (ansible_become=False) for hosts that are running NX-OS >= 10.0.0
- Or, set ansible_network_become_errors to determine how privilege escalation failures are handled. This option was added in ansible.netcommon v2.5.0, so if you're running an older version of netcommon than this, you would have to upgrade it.
Hope that resolves this issue for you. Thank you!
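An added example (not from the issue or the collection) of how the two options above can be expressed in a YAML inventory, so that only the switches still on NX-OS 9.x keep the classic enable escalation. The group and switch names are placeholders, the credential variables are assumed to come from a vault file, and the accepted values of ansible_network_become_errors (ignore, warn, fail) are taken from the ansible.netcommon network_cli connection plugin as I understand it.

```yaml
# inventory/hosts.yml (added example; group and host names are placeholders)
all:
  children:
    nxos:
      vars:
        ansible_connection: ansible.netcommon.network_cli
        ansible_network_os: cisco.nxos.nxos
        # Assumed to be defined in an ansible-vault encrypted vars file
        ansible_user: "{{ vault_nxos_user }}"
        ansible_password: "{{ vault_nxos_password }}"
      children:
        # Option 1: NX-OS >= 10.0.0 has no IOS-style "enable", so never
        # escalate on these hosts; "show privilege" is then never sent.
        nxos_10:
          vars:
            ansible_become: false
          hosts:
            leaf-9336-01:
            leaf-9336-02:

        # Switches still running NX-OS 9.x keep the classic escalation.
        nxos_9:
          vars:
            ansible_become: true
            ansible_become_method: ansible.netcommon.enable
          hosts:
            spine-9236-01:

        # Option 2 (needs ansible.netcommon >= 2.5.0): leave become on for a
        # group of mixed versions and downgrade an escalation failure to a
        # warning instead of aborting the play on the 10.x members.
        nxos_mixed:
          vars:
            ansible_become: true
            ansible_become_method: ansible.netcommon.enable
            ansible_network_become_errors: warn
          hosts:
            leaf-93180-01:
```

Option 1 is the cleaner choice when the inventory already knows which switches are on 10.x: it removes the extra privilege step altogether rather than tolerating its failure. Option 2 is useful during an upgrade window when a group contains both versions, but it should be switched back to the default (fail) once the group is homogeneous, so a genuine escalation failure on a 9.x switch is not silently ignored.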
Thanks for the reply, greatly appreciated. Now we dare to move forward with our upgrades :)