Config unlock failure on SRX

[Dylan Hall]

Hi, I'm trying to build a tool to bulk apply changes to our network in a safe fashion. It's working on MX and EX hardware, but I'm getting failures on SRX hosts.

To demonstrate I've whittled my code down to the following:

#!/usr/bin/env python3

from jnpr.junos import Device

from jnpr.junos.utils.config import Config

device = Device(host="xxx", port=22)

device.open()

device.timeout = 60

config = Config(device)

config.lock()

config.load("set groups test system host-name test", format="set")

print(config.diff())

config.commit_check()

# prompt user to continue

config.commit(comment="test")

config.unlock()

device.close()

The above works as expected. If I then replace config.load with config.load("delete groups test", format="set") I get the following:

[edit groups]

-  test {

-      system {

-          host-name test;

-      }

-  }

Traceback (most recent call last):

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/device.py", line 710, in execute

    ignore_warning=ignore_warning)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/decorators.py", line 116, in wrapper

    rsp = function(self, *args, **kwargs)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/device.py", line 1255, in _rpc_reply

    return self._conn.rpc(rpc_cmd_e)._NCElement__doc

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/ncclient/manager.py", line 172, in wrapper

    return self.execute(op_cls, *args, **kwds)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/ncclient/manager.py", line 232, in execute

    raise_mode=self._raise_mode).request(*args, **kwds)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/ncclient/operations/third_party/juniper/rpc.py", line 44, in request

    return self._request(rpc)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/ncclient/operations/rpc.py", line 343, in _request

    raise TimeoutExpiredError('ncclient timed out while waiting for an rpc reply.')

ncclient.operations.errors.TimeoutExpiredError: ncclient timed out while waiting for an rpc reply.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/utils/config.py", line 568, in unlock

    self.rpc.unlock_configuration()

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/rpcmeta.py", line 336, in _exec_rpc

    return self._junos.execute(rpc, **dec_args)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/decorators.py", line 76, in wrapper

    return function(*args, **kwargs)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/decorators.py", line 31, in wrapper

    return function(*args, **kwargs)

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/device.py", line 714, in execute

    raise EzErrors.RpcTimeoutError(self, rpc_cmd_e.tag, self.timeout)

jnpr.junos.exception.RpcTimeoutError: RpcTimeoutError(host: xxx, cmd: unlock-configuration, timeout: 60)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):

  File "./srx_del.py", line 18, in <module>

    config.unlock()

  File "/home/dhall/miniconda3/envs/netconf/lib/python3.6/site-packages/jnpr/junos/utils/config.py", line 571, in unlock

    raise UnlockError(rsp=err.rsp)

jnpr.junos.exception.UnlockError: UnlockError

I am running the above on an Ubuntu Linux 14.04 host using Miniconda to create the Python environment. I have built the environment as follows:

1. Install the latest version of Miniconda ( http://conda.pydata.org/miniconda.html )
2. Build the environment: conda create -n test python=3.6 cryptography
3. source activate test
4. pip install junos-eznc

e.g.

$ conda create -n test python=3.6 cryptography

Fetching package metadata .........

Solving package specifications: .

Package plan for installation in environment /home/dhall/miniconda3/envs/test:

The following NEW packages will be INSTALLED:

    cffi:         1.9.1-py36_0 

    cryptography: 1.7.1-py36_0 

    idna:         2.2-py36_0   

    libffi:       3.2.1-1      

    openssl:      1.0.2k-1     

    pip:          9.0.1-py36_1 

    pyasn1:       0.2.3-py36_0 

    pycparser:    2.17-py36_0  

    python:       3.6.1-0      

    readline:     6.2-2        

    setuptools:   27.2.0-py36_0

    six:          1.10.0-py36_0

    sqlite:       3.13.0-0     

    tk:           8.5.18-0     

    wheel:        0.29.0-py36_0

    xz:           5.2.2-1      

    zlib:         1.2.8-3      

$ source activate test

$ pip install junos-eznc

Collecting junos-eznc

Collecting PyYAML>=3.10 (from junos-eznc)

Collecting netaddr (from junos-eznc)

  Using cached netaddr-0.7.19-py2.py3-none-any.whl

Collecting jinja2>=2.7.1 (from junos-eznc)

  Using cached Jinja2-2.9.6-py2.py3-none-any.whl

Collecting scp>=0.7.0 (from junos-eznc)

  Using cached scp-0.10.2-py2.py3-none-any.whl

Requirement already satisfied: six in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from junos-eznc)

Collecting lxml>=3.2.4 (from junos-eznc)

  Using cached lxml-3.7.3-cp36-cp36m-manylinux1_x86_64.whl

Collecting paramiko>=1.15.2 (from junos-eznc)

  Using cached paramiko-2.1.2-py2.py3-none-any.whl

Collecting ncclient>=0.5.3 (from junos-eznc)

Collecting pyserial (from junos-eznc)

  Using cached pyserial-3.3-py2.py3-none-any.whl

Collecting jxmlease (from junos-eznc)

  Using cached jxmlease-1.0.1-py2.py3-none-any.whl

Collecting MarkupSafe>=0.23 (from jinja2>=2.7.1->junos-eznc)

Requirement already satisfied: cryptography>=1.1 in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from paramiko>=1.15.2->junos-eznc)

Requirement already satisfied: pyasn1>=0.1.7 in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from paramiko>=1.15.2->junos-eznc)

Requirement already satisfied: setuptools>0.6 in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages/setuptools-27.2.0-py3.6.egg (from ncclient>=0.5.3->junos-eznc)

Requirement already satisfied: idna>=2.0 in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from cryptography>=1.1->paramiko>=1.15.2->junos-eznc)

Requirement already satisfied: cffi>=1.4.1 in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from cryptography>=1.1->paramiko>=1.15.2->junos-eznc)

Requirement already satisfied: pycparser in /home/dhall/miniconda3/envs/test/lib/python3.6/site-packages (from cffi>=1.4.1->cryptography>=1.1->paramiko>=1.15.2->junos-eznc)

Installing collected packages: PyYAML, netaddr, MarkupSafe, jinja2, paramiko, scp, lxml, ncclient, pyserial, jxmlease, junos-eznc

Successfully installed MarkupSafe-1.0 PyYAML-3.12 jinja2-2.9.6 junos-eznc-2.1.2 jxmlease-1.0.1 lxml-3.7.3 ncclient-0.5.3 netaddr-0.7.19 paramiko-2.1.2 pyserial-3.3 scp-0.10.2

We have 11 SRX hosts that are exhibiting this behaviour. They are all SRX240H except for one SRX650. They are running either 12.1X46-D35.1 or 12.1X44-D40.2.

Any help debugging this would be much appreciated otherwise I'm going to have to go back to using expect to deal with the SRX's.

Thanks,

Dylan

[Nitin Kr (Automation)]

Hi Dylan,

 

From below log it looks like there was no response for unlock RPC from Device.

We would need some more info to get the root cause of the issue. Can you please share netconf logs from the device?

To enable netconf log please refer:

http://www.juniper.net/documentation/en_US/junos12.3/topics/topic-map/netconf-traceoptions.html

 

Thanks

Nitin Kr

1.      Install the latest version of Miniconda ( http://conda.pydata.org/miniconda.html )

2.      Build the environment: conda create -n test python=3.6 cryptography

3.      source activate test

4.      pip install junos-eznc

e.g.

--
You received this message because you are subscribed to the Google Groups "Junos Python EZ" group.
To unsubscribe from this group and stop receiving emails from it, send an email to junos-python-...@googlegroups.com.
Visit this group at https://groups.google.com/group/junos-python-ez.
To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/2dbf819c-14b7-49b2-98a7-057247aeb420%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Dylan Hall]

Hi Nitin, netconf logs follow:

May  9 09:49:09 Started tracing session: 28677

May  9 09:49:09 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:hello xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:capabilities><nc:capability>urn:ietf:params:netconf:base:1.0</nc:capability><nc:capability>urn:ietf:params:netconf:base:1.1</nc:capability><nc:capability>urn:ietf:params:netconf:capability:writable-running:1.0</nc:capability><nc:capability>urn:ietf:params:netconf:capability:candidate:1.0</nc:capability><nc:capability>urn:ietf:params:netconf:capability:confirmed-commit:1.

May  9 09:49:09 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:dc704ea3-f7ff-440d-83a4-c7ca2a509c25"><lock-configuration/></nc:rpc>]]>]]>

May  9 09:49:09 [28677] Outgoing: <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:dc704ea3-f7ff-440d-83a4-c7ca2a509c25">

May  9 09:49:09 [28677] Outgoing: </rpc-reply>

May  9 09:49:09 [28677] Outgoing: ]]>]]>

May  9 09:49:10 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0c495d3f-c678-4f4e-9aa3-75c530baf5e0"><load-configuration format="text" action="set"><configuration-set>delete groups test</configuration-set></load-configuration></nc:rpc>]]>]]>

May  9 09:49:10 [28677] Outgoing: <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0c495d3f-c678-4f4e-9aa3-75c530baf5e0">

May  9 09:49:10 [28677] Outgoing: <load-configuration-results>

May  9 09:49:10 [28677] Outgoing: <ok/>

May  9 09:49:10 [28677] Outgoing: </load-configuration-results>

May  9 09:49:10 [28677] Outgoing: </rpc-reply>

May  9 09:49:10 [28677] Outgoing: ]]>]]>

May  9 09:49:10 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:29522572-baaf-41cf-a79e-69d1cb6985a3"><get-configuration compare="rollback" rollback="0" format="text"/></nc:rpc>]]>]]>

May  9 09:49:10 [28677] Outgoing: <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:29522572-baaf-41cf-a79e-69d1cb6985a3">

May  9 09:49:10 [28677] Outgoing: <configuration-information>

May  9 09:49:10 [28677] Outgoing: <configuration-output>

May  9 09:49:10 [28677] Outgoing: [edit groups]

May  9 09:49:10 [28677] Outgoing: -  test {

May  9 09:49:10 [28677] Outgoing: -      system {

May  9 09:49:10 [28677] Outgoing: -          host-name test;

May  9 09:49:10 [28677] Outgoing: -      }

May  9 09:49:10 [28677] Outgoing: -  }

May  9 09:49:10 [28677] Outgoing: </configuration-output>

May  9 09:49:10 [28677] Outgoing: </configuration-information>

May  9 09:49:10 [28677] Outgoing: </rpc-reply>

May  9 09:49:11 [28677] Outgoing: ]]>]]>

May  9 09:49:11 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:4f2fb3ce-277a-4cd2-acae-5ca096614abd"><commit-configuration><check/></commit-configuration></nc:rpc>]]>]]>

May  9 09:49:11 [28677] Outgoing: <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:4f2fb3ce-277a-4cd2-acae-5ca096614abd">

May  9 09:49:19 [28677] Outgoing: <ok/>

May  9 09:49:19 [28677] Outgoing: </rpc-reply>

May  9 09:49:19 [28677] Outgoing: ]]>]]>

May  9 09:49:20 [28677] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0c9093e8-416f-41ec-8ef3-014787577892"><commit-configuration><log>test</log></commit-configuration></nc:rpc>]]>]]>

May  9 09:49:20 [28677] Outgoing: <rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos" xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:0c9093e8-416f-41ec-8ef3-014787577892">

May  9 09:49:46 [28677] Outgoing: <ok/>

May  9 09:49:46 [28677] Outgoing: </rpc-reply>

May  9 09:49:46 [28677] Outgoing: ]]>]]>

May  9 09:50:46 [28677] Outgoing: <!-- session end at 2017-05-09 09:50:46 NZST -->

Thanks,

Dylan