Building an ansible job to run customized CLI configurations
81 views
Skip to first unread message
Jonathan Umpleby
Feb 22, 2018, 1:44:51 PM2/22/18
to Ansible Project
So, I'm new to ansible, and I'm hoping to find ways to meet a customize-able CLI deployment scenario, where 99% of the commands are the same across devices, but a handful will be unique.
I was originally thinking about using a single response file would cover the 99% (in my example I'm trying to configure multiple ProxySG's at the same time).
There are really two unknowns here (possibly 3).
The first:
I need to configure 3 network interfaces across 12 devices, all having a different IP's and subnet masks. Is there a way to sequentially pull this from a list lets say I have response files like:interface 1 list10.0.0.100 - coordinates to the first device10.0.0.101etcinterface 2 list10.0.1.10010.0.1.101or what would be the best way to accomplish this kind of task.
The second:
I'd like for obvious reasons, not store passwords in the playbook
If I added something like this:
vars_prompt:
- name: 'enable_password'
prompt: 'Enable password:'
private: yes
encrypt: 'sha512_crypt'
confirm: yes
salt_size: 7
how would I use this in the script. After I ssh into the device I would need to type a password for the enable which is what i'm trying to then present through the script in a secure way.
Finally, I guess is there anything special I would need to properly use a cli configuration separate from linux installation playbooks?
Thanks in advance!
Kai Stian Olstad
Feb 23, 2018, 10:52:48 AM2/23/18
to ansible...@googlegroups.com
On Thursday, 22 February 2018 19.44.51 CET Jonathan Umpleby wrote:
> So, I'm new to ansible, and I'm hoping to find ways to meet a
> customize-able CLI deployment scenario, where 99% of the commands are the
> same across devices, but a handful will be unique.
>
> I was originally thinking about using a single response file would cover
> the 99% (in my example I'm trying to configure multiple ProxySG's at the
> same time).
>
>
> There are really two unknowns here (possibly 3).
>
> The first:
>
> I need to configure 3 network interfaces across 12 devices, all having a
> different IP's and subnet masks. Is there a way to sequentially pull this
> from a list lets say I have response files like:
>
> interface 1 list
>
> 10.0.0.100 - coordinates to the first device
> 10.0.0.101
> etc
>
> interface 2 list
> 10.0.1.100
> 10.0.1.101
>
> or what would be the best way to accomplish this kind of task.
The information is a little sparse so it difficult to give a exact answer.
> So, I'm new to ansible, and I'm hoping to find ways to meet a
> customize-able CLI deployment scenario, where 99% of the commands are the
> same across devices, but a handful will be unique.
>
> I was originally thinking about using a single response file would cover
> the 99% (in my example I'm trying to configure multiple ProxySG's at the
> same time).
>
>
> There are really two unknowns here (possibly 3).
>
> The first:
>
> I need to configure 3 network interfaces across 12 devices, all having a
> different IP's and subnet masks. Is there a way to sequentially pull this
> from a list lets say I have response files like:
>
> interface 1 list
>
> 10.0.0.100 - coordinates to the first device
> 10.0.0.101
> etc
>
> interface 2 list
> 10.0.1.100
> 10.0.1.101
>
> or what would be the best way to accomplish this kind of task.
Ansible can loop over list and dictionary, and a combination of them.
Variables can be assign to host/device or to group, how you structure it depends on what you are trying to do.
> The second:
>
> I'd like for obvious reasons, not store passwords in the playbook
>
>
> If I added something like this:
>
> vars_prompt:
> - name: 'enable_password'
> prompt: 'Enable password:'
> private: yes
> encrypt: 'sha512_crypt'
> confirm: yes
> salt_size: 7
>
>
> how would I use this in the script. After I ssh into the device I would
> need to type a password for the enable which is what i'm trying to then
> present through the script in a secure way.
You use is with {{ enable_password }} in Ansible.
Since you need to do this interactively you need to use the expect module.
--
Kai Stian Olstad
Jonathan Umpleby
Feb 23, 2018, 3:42:01 PM2/23/18
to Ansible Project
So here's an example:
enable
<password>
config terminal
appliance-name "proxy1"
interface 0:0 ;mode
label "MGMT"
ip-address 10.0.0.100 255.255.255.0
exit
interface 1:0 ;mode
label "unused"
reject-inbound enable
disable
exit
interface 1:1 ;mode
label "VLAN TAG#"
ip-address 10.0.0.10 255.255.255.128
native-vlan #
exit
interface 2:0 ;mode
label "unused"
reject-inbound enable
disable
exit
interface 2:1 ;mode
label "VLAN TAG#"
ip-address 10.0.0.140 255.255.255.128
native-vlan #
exit
Now, obviously the items in bold are values that need to be customized in the ansible script. So I don't think I can put this into the response file, unless I can somehow pass values into a response file for example:
NAME-file (list of 10 machine names)
MGMT-file (IP address the mgmt port)
if1:1-file (IP addresses of this interface)
if2:1-file (IP address of the third interface)
It was either that, or possibly figuring out a way to do a for loop style playbook where each loop would target the next machine in the list. Fortunately, the IP addresses for these devices are sequential.
----
Jon
Andrew Latham
Feb 23, 2018, 3:47:57 PM2/23/18
to ansible...@googlegroups.com
One of the many methods is to scp or sftp the full config as a template to the device and save as startup or running config and reload it. Then you don't need to muck around with as much expect logic.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/518f5c57-f72d-444a-b907-f07a8c00b948%40googlegroups.com.--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-project+unsubscribe@googlegroups.com.
To post to this group, send email to ansible-project@googlegroups.com.
- Andrew "lathama" Latham -
Jonathan Umpleby
Feb 23, 2018, 4:01:05 PM2/23/18
to Ansible Project
I mean I guess I can build them all out and may be easier, however I was hoping to figure out this iterative process mostly because I'm looking at rolling out somewhere around 100 appliances across the globe (not just proxySG), that will all need similar interface tweaks.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/518f5c57-f72d-444a-b907-f07a8c00b948%40googlegroups.com.
Kai Stian Olstad
Feb 23, 2018, 4:42:02 PM2/23/18
to ansible...@googlegroups.com
On Friday, 23 February 2018 21.42.00 CET Jonathan Umpleby wrote:
> So here's an example:
>
> enable
> *<password>*
> So here's an example:
>
> enable
> config terminal
> appliance-name "*proxy1*"
>
> interface 0:0 ;mode
> label "MGMT"
> ip-address *10.0.0.100* 255.255.255.0
> interface 0:0 ;mode
> label "MGMT"
> exit
>
> interface 1:0 ;mode
> label "unused"
> reject-inbound enable
> disable
> exit
>
> interface 1:1 ;mode
> label "VLAN TAG#"
> ip-address *10.0.0.10* 255.255.255.128
>
> interface 1:0 ;mode
> label "unused"
> reject-inbound enable
> disable
> exit
>
> interface 1:1 ;mode
> label "VLAN TAG#"
> native-vlan #
> exit
>
> interface 2:0 ;mode
> label "unused"
> reject-inbound enable
> disable
> exit
>
> interface 2:1 ;mode
> label "VLAN TAG#"
> ip-address *10.0.0.140* 255.255.255.128
> exit
>
> interface 2:0 ;mode
> label "unused"
> reject-inbound enable
> disable
> exit
>
> interface 2:1 ;mode
> label "VLAN TAG#"
> native-vlan #
> exit
>
> Now, obviously the items in bold are values that need to be customized in
> the ansible script. So I don't think I can put this into the response
> file, unless I can somehow pass values into a response file for example:
Just to make it easy to explain I assume that you only have one prompt, the only different when prompt is different is that you need to split the list in smaller ones.
> exit
>
> Now, obviously the items in bold are values that need to be customized in
> the ansible script. So I don't think I can put this into the response
> file, unless I can somehow pass values into a response file for example:
The principal of expect is like this
- expect:
command: a-command
reponses:
prompt1/question:
- answer 1
- answer 2
...
so the prompt just take a list, this can be built before the expect command.
vars:
dynmatic_responds:
- <password>
- <proxy>
- 10.0.0.100
- 10.0.0.10
- 10.0.0.140
response:
- enable
- '{{ dynmatic_responds.0 }}'
- config terminal
- appliance-name "{{ dynmatic_responds.1 }}"
- interface 0:0 ;mode
- label "MGMT"
- ip-address {{ dynmatic_responds.2 }} 255.255.255.0
- exit
- interface 1:0 ;mode
- label "unused"
- reject-inbound enable
- disable
- exit
- interface 1:1 ;mode
- label "VLAN TAG#"
- ip-address {{ dynmatic_responds.3 }} 255.255.255.128
- native-vlan #
- exit
- interface 2:0 ;mode
- label "unused"
- reject-inbound enable
- disable
- exit
- interface 2:1 ;mode
- label "VLAN TAG#"
- ip-address {{ dynmatic_responds.4 }} 255.255.255.128
- native-vlan #
- exit
So the task would be
reponses:
prompt1/question: {{ response }}
This is just and example of how it could be done, I would find a way to make it even more dynamic.
But here you have the skeleton in responses and each device would have a uniq dynmatic_responds.
Hopefully this give you an idea of how this could be done.
--
Kai Stian Olstad
Reply all
Reply to author
Forward
0 new messages