[ Ansible-Fortinet] Fortinet issue with ansible

ibrahim camara

Aug 18, 2022, 2:15:38 PM8/18/22
to Ansible Project
Hello,

I need help with an Ansible deployment. I would like to create a user account (admin) on Fortinet.
But when I run the playbook I get an error that I can't debug. If someone in the group has already encountered this error when deploying on Fortinet, could they help me?

I share my simple test configuration below:

inventory hosts:
[forti]
192.168.1.136

testForti.yml
---
- name: configure user admin
  hosts: forti
  connection: httpapi
  collections:
  - fortinet.fortios
  tasks:
  - debug: var=ansible_host
  - name: task Configure admin users.
    fortios_system_admin:
      vdom:  "{{ vdom }}"
      state: "present"
      system_admin:
        accprofile: "super_admin"
        accprofile_override: "enable"
        allow_remove_admin_session: "enable"
        comments: "test ansible"
        email_to: "test-a...@fortinet.com"
        force_password_change: "disable"
        name: "test"
        password: "test123"

group_vars > forti.yml
---
ansible_python_interpreter: /usr/bin/python3
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
ansible_network_os: fortinet.fortios.fortios
ssl_verify: "false"
ansible_user: "admin"
ansible_password: "password"


playbook
ansible-playbook testForti.yml -vvv

output:

p3-virtualenv-ansible) [user@ansible Automation-Stuff]$ ansible-playbook testForti.yml -vvv
[DEPRECATION WARNING]: Ansible will require Python 3.8 or newer on the controller starting with Ansible 2.12. Current version: 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]. This feature will
 be removed from ansible-core in version 2.12. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
/home/user/p3-virtualenv-ansible/lib64/python3.6/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography and will be removed in a future release.
  from cryptography.exceptions import InvalidSignature
ansible-playbook [core 2.11.12]
  config file = /home/user/Automation-Stuff/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/user/p3-virtualenv-ansible/lib64/python3.6/site-packages/ansible
  ansible collection location = /home/user/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/user/p3-virtualenv-ansible/bin/ansible-playbook
  python version = 3.6.8 (default, Nov 16 2020, 16:55:22) [GCC 4.8.5 20150623 (Red Hat 4.8.5-44)]
  jinja version = 3.0.3
  libyaml = True
Using /home/user/Automation-Stuff/ansible.cfg as config file
host_list declined parsing /home/user/Automation-Stuff/hosts as it did not pass its verify_file() method
script declined parsing /home/user/Automation-Stuff/hosts as it did not pass its verify_file() method
auto declined parsing /home/user/Automation-Stuff/hosts as it did not pass its verify_file() method
Parsed /home/user/Automation-Stuff/hosts inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: testForti.yml *********************************************************************************************************************************************************************************************************
1 plays in testForti.yml

PLAY [configure user admin] *****************************************************************************************************************************************************************************************************
META: ran handlers

TASK [debug] ********************************************************************************************************************************************************************************************************************
task path: /home/user/Automation-Stuff/testForti.yml:9
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
ok: [192.168.1.136] => {
    "ansible_host": "192.168.1.136"
}

TASK [task Configure admin users.] **********************************************************************************************************************************************************************************************
task path: /home/user/Automation-Stuff/testForti.yml:10
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<192.168.1.136> ESTABLISH LOCAL CONNECTION FOR USER: user
<192.168.1.136> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0 `"&& mkdir "` echo /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789 `" && echo ansible-tmp-1660791972.256035-21571-153360967314789="` echo /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789 `" ) && sleep 0'
Using module file /home/user/.ansible/collections/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_admin.py
<192.168.1.136> PUT /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/tmp43du_hoy TO /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py
<192.168.1.136> EXEC /bin/sh -c 'chmod u+x /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/ /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py && sleep 0'
<192.168.1.136> EXEC /bin/sh -c '/home/user/p3-virtualenv-ansible/bin/python3 /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py && sleep 0'
<192.168.1.136> EXEC /bin/sh -c 'rm -f -r /home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py", line 100, in <module>
    _ansiballz_main()
  File "/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py", line 92, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py", line 41, in invoke_module
    run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_admin.py", line 3592, in <module>
  File "/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_admin.py", line 3555, in main
  File "/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 217, in check_schema_versioning
  File "/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
ansible.module_utils.connection.ConnectionError: Could not connect to https://192.168.1.136:443/logincheck: [Errno 104] Connection reset by peer
fatal: [192.168.1.136]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py\", line 100, in <module>\n    _ansiballz_main()\n  File \"/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py\", line 92, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/user/.ansible/tmp/ansible-local-21526q5jr4zz0/ansible-tmp-1660791972.256035-21571-153360967314789/AnsiballZ_fortios_system_admin.py\", line 41, in invoke_module\n    run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_admin.py\", line 3592, in <module>\n  File \"/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_system_admin.py\", line 3555, in main\n  File \"/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py\", line 217, in check_schema_versioning\n  File \"/tmp/ansible_fortios_system_admin_payload_lbrhtsap/ansible_fortios_system_admin_payload.zip/ansible/module_utils/connection.py\", line 200, in __rpc__\nansible.module_utils.connection.ConnectionError: Could not connect to https://192.168.1.136:443/logincheck: [Errno 104] Connection reset by peer\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}


PLAY RECAP **********************************************************************************************************************************************************************************************************************
192.168.1.136              : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  


Does anyone have an idea about this issue?

Thanks

ibrahim camara

Aug 18, 2022, 2:49:05 PM8/18/22
to Ansible Project
Hello,

I resolved the issue.
I see that Ansible checks "https://192.168.1.136:443/logincheck", but in Fortinet port 443 is used for the SSL VPN.
So the best practice is to use a new port for admin management, for example 4433, configure a certificate (in the FortiGate system settings) and enable HTTPS on the physical port.

So Ansible can use HTTPS for the connection to the FW.
Just change:
ansible_httpapi_port: 443 --> ansible_httpapi_port: 4433
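As an added pre-flight check (example code, not the poster's nor the fortinet.fortios collection's), the script below lints the group_vars shared in this thread for the port clash described above, and also flags two settings worth tightening before the playbook touches a firewall: certificate validation switched off and a clear-text ansible_password. It assumes a flat key: value group_vars file and, as in this thread, that the SSL VPN listens on 443.

```python
SSLVPN_PORT = 443  # assumed from the thread: SSL VPN occupies 443, so admin API must move

# Constructed sample: the group_vars the poster shared (password value is the poster's placeholder).
ORIGINAL_VARS = """\
---
ansible_python_interpreter: /usr/bin/python3
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
ansible_network_os: fortinet.fortios.fortios
ansible_user: "admin"
ansible_password: "password"
"""


def parse_flat_yaml(text):
    """Minimal 'key: value' parser: skips '---' and comments, strips surrounding quotes."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("---", "#")):
            continue
        key, _, val = line.partition(":")
        out[key.strip()] = val.strip().strip('"').strip("'")
    return out


def audit_forti_vars(text, sslvpn_port=SSLVPN_PORT):
    """Return a list of findings for the httpapi vars; an empty list means they pass."""
    v = parse_flat_yaml(text)
    findings = []
    port = v.get("ansible_httpapi_port")
    if port is not None and port.isdigit() and int(port) == sslvpn_port:
        findings.append("ansible_httpapi_port %s is the SSL VPN port: /logincheck is not "
                        "served there (connection reset); put HTTPS admin access on "
                        "another port, e.g. 4433" % port)
    if v.get("ansible_httpapi_use_ssl", "").lower() not in ("yes", "true"):
        findings.append("ansible_httpapi_use_ssl is off: admin credentials would cross "
                        "the network in clear text")
    if v.get("ansible_httpapi_validate_certs", "").lower() in ("no", "false"):
        findings.append("ansible_httpapi_validate_certs is off: once the management "
                        "certificate is configured, turn validation on so the controller "
                        "cannot be pointed at an impostor firewall")
    pw = v.get("ansible_password", "")
    if pw and not pw.startswith("!vault"):
        findings.append("ansible_password is stored in clear text: encrypt it with ansible-vault")
    return findings
```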