Problem using filter parameter with junos_get_config in Ansible module

[Dan Houtz]

Hi,

I am running into an issue with the following play which makes use of junos_get_config and it's filter parameter:

$ cat mgmt-pfxlist-report.pb.yml

---

- name: MANAGEMENT Prefix List Report

  hosts: all

  connection: local

  gather_facts: no

  vars_prompt:

    - name: USERNAME

      prompt: User name

      private: no

    - name: DEVICE_PASSWORD

      prompt: Device password

      private: yes

  tasks:

    - name: Get MANAGEMENT prefix list

      junos_get_config:

        host={{ansible_host}}

        user={{USERNAME}}

        passwd={{DEVICE_PASSWORD}}

        logfile=/tmp/get_config.log

        filter="system/syslog"

        dest=/tmp/{{inventory_hostname}}

      when: switch_vendor == 'Juniper Networks'

If I use a simple one level filter such as "filter=groups" or "filter=system" everything works as expected. However if I try to defined a deeper path like "filter=system/syslog" in the configuration I run into problem, getting the following error message:

fatal: [aggrfq178-1.ord6]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to get config: RpcError(severity: error, bad_element: syslog, message: syntax error, expecting </configuration>)"}

In logs I see:

2016-03-05 20:39:46,747:CONFIG:204.93.204.238:connecting to host: ro...@192.168.1.1:830

2016-03-05 20:39:46,811:ncclient.transport.ssh:Connected (version 2.0, client OpenSSH_6.0)

2016-03-05 20:39:47,259:ncclient.transport.ssh:Authentication (password) successful!

2016-03-05 20:39:49,256:ncclient.transport.session:initialized: session-id=473 | server_capabilities=['http://xml.juniper.net/dmi/system/1.0', 'urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0', 'http://xml.juniper.net/netconf/junos/1.0', 'urn:ietf:params:xml:ns:netconf:capability:validate:1.0', 'urn:ietf:params:xml:ns:netconf:capability:candidate:1.0', 'urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file', 'urn:ietf:params:xml:ns:netconf:base:1.0']

2016-03-05 20:39:49,256:CONFIG:192.168.1.1:Getting config with filter=<configuration><system/><syslog/></configuration>

2016-03-05 20:39:49,256:CONFIG:192.168.1.1:Getting config with options={'format': 'text'}

2016-03-05 20:39:49,257:ncclient.operations.rpc:Requesting 'ExecuteRpc'

2016-03-05 20:39:49,372:CONFIG:192.168.1.1:Unable to get config: RpcError(severity: error, bad_element: syslog, message: syntax error, expecting </configuration>)

2016-03-05 20:39:49,373:ncclient.operations.rpc:Requesting 'CloseSession'

I believe I'm specifying the path correctly per the example at http://junos-ansible-modules.readthedocs.org/en/1.2.0/junos_get_config.html which shows an example of "groups/routeinst/routing-instances/ISP-1"

Any insight would be greatly appreciated!

-Dan

[Nitin Kumar]

Hi Dan,

Yes, looks like a bug. We can have this raised as issue in github.

For now, if you got latest ansible-junos module. You can use (junos_rpc module to get the desired result):

      junos_rpc:

        host={{ansible_host}}

        user={{USERNAME}}

        passwd={{DEVICE_PASSWORD}}

        rpc=get-config

        filter_xml="<configuration><system><syslog/></system></configuration>"

        dest=/tmp/{{inventory_hostname}}.conf

Thanks

Nitin Kr

--
You received this message because you are subscribed to the Google Groups "Junos Python EZ" group.
To unsubscribe from this group and stop receiving emails from it, send an email to junos-python-...@googlegroups.com.
Visit this group at https://groups.google.com/group/junos-python-ez.
To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/f9ee2afb-51a0-4c00-90f8-5baf3e0e03ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Stacy W. Smith]

Dan,

FYI. I opened an issue to track this bug:

https://github.com/Juniper/ansible-junos-stdlib/issues/120

I have also submitted a pull request with a proposed fix:

https://github.com/Juniper/ansible-junos-stdlib/pull/121

--Stacy

To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/D3033BA2.28F19%25nitinkr%40juniper.net.

[Chris Lorier]

This solution doesnt seem to deal with the situation where you have a named element in the config. 

For instance, on an MX80 running 13.3R8.7:

junos_get_config: host={{ ansible_ssh_host }} port=22 user={{ juniper_user }} passwd={{juniper_passwd }} dest=/home/chris/ansible/and13-LAB.conf filter="firewall/filter/protect-re"

Returns:

"Unable to get config: RpcError(severity: error, bad_element: protect-re, message: syntax error)"

In the logs we see:

Mar 22 11:50:32 [1667] Incoming: <?xml version="1.0" encoding="UTF-8"?><nc:rpc xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:d00ffb64-efb6-11e5-9c47-f01fafd64a6e"><get-configuration format="text"><configuration><firewall><filter><protect-re/></filter></firewall></configuration></get-configuration></nc:rpc>]]>]]>

I tried a few variations involving adding a name entry into the hierarchy, but the "protect-re" is always appearing as a tag rather than as a value, or I get syntax errors.

Cheers,

Chris

2016-03-05 20:39:46,747:CONFIG:204.93.204.238:connecting to host: r...@192.168.1.1:830

2016-03-05 20:39:46,811:ncclient.transport.ssh:Connected (version 2.0, client OpenSSH_6.0)

2016-03-05 20:39:47,259:ncclient.transport.ssh:Authentication (password) successful!

2016-03-05 20:39:49,256:ncclient.transport.session:initialized: session-id=473 | server_capabilities=['http://xml.juniper.net/dmi/system/1.0', 'urn:ietf:params:xml:ns:netconf:capability:confirmed-commit:1.0', 'http://xml.juniper.net/netconf/junos/1.0', 'urn:ietf:params:xml:ns:netconf:capability:validate:1.0', 'urn:ietf:params:xml:ns:netconf:capability:candidate:1.0', 'urn:ietf:params:xml:ns:netconf:capability:url:1.0?protocol=http,ftp,file', 'urn:ietf:params:xml:ns:netconf:base:1.0']

2016-03-05 20:39:49,256:CONFIG:192.168.1.1:Getting config with filter=<configuration><system/><syslog/></configuration>

2016-03-05 20:39:49,256:CONFIG:192.168.1.1:Getting config with options={'format': 'text'}

2016-03-05 20:39:49,257:ncclient.operations.rpc:Requesting 'ExecuteRpc'

2016-03-05 20:39:49,372:CONFIG:192.168.1.1:Unable to get config: RpcError(severity: error, bad_element: syslog, message: syntax error, expecting </configuration>)

2016-03-05 20:39:49,373:ncclient.operations.rpc:Requesting 'CloseSession'

I believe I'm specifying the path correctly per the example at http://junos-ansible-modules.readthedocs.org/en/1.2.0/junos_get_config.html which shows an example of "groups/routeinst/routing-instances/ISP-1"

Any insight would be greatly appreciated!

-Dan

--
You received this message because you are subscribed to the Google Groups "Junos Python EZ" group.
To unsubscribe from this group and stop receiving emails from it, send an email to junos-python-...@googlegroups.com.
Visit this group at https://groups.google.com/group/junos-python-ez.
To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/f9ee2afb-51a0-4c00-90f8-5baf3e0e03ea%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Stacy W. Smith]

Yes. Unfortunately, there's no way to make this work. The underlying <get-config> RPC which is used can only filter based on an XML subtree of the configuration. So, it's not an Ansible or PyEZ limitation, but a Junos limitation.

Because this area of the configuration looks like:

<configuration>
    <firewall>
        <filter>
            <name>protect-re</name>
            <term>
                <name>one</name>
                <then>
                    <reject>
                    </reject>
                </then>
            </term>
            <term>
                <name>two</name>
                <then>
                    <reject>
                    </reject>
                </then>
            </term>
        </filter>
    </firewall>
</configuration>

Because the protect-re filter is identified by the <name> XML element inside a <filter> XML element, there's now way to specify an XML subtree for the portion of the configuration you wan to retrieve. You could pass filter="firewall" to get everything at the [edit firewall] hierarchy, but you can't retrieve just a specific firewall filter from the configuration.

--Stacy

To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/ef67c545-eb52-4dab-87ec-b0c82feb0a2d%40googlegroups.com.

[Nitin Kr (Automation)]

Hi Chris,

I am able to fetch specific interface detail by passing name to filter. You can also use in similar way for your filter. I am using junos_rpc module for the same, and used the code from github as it has got some modification in last few days.

You can just copy https://raw.githubusercontent.com/Juniper/ansible-junos-stdlib/master/library/junos_rpc to /etc/ansible/roles/Juniper.junos/library/junos_rpc

These changes will be released in galaxy in upcoming days.

---

- name: Junos OS version

  hosts: all

  roles:

    - Juniper.junos

  connection: local

  gather_facts: no

  tasks:

    - name: Get rpc run

      junos_rpc:

        host={{ inventory_hostname }}

        rpc=get-config

        filter_xml="<configuration><interfaces><interface><name>ge-1/1/4</name></interface></interfaces></configuration>"

        dest=/tmp/{{inventory_hostname}}.conf

Do let me know if this helps.

Thanks

Nitin Kr

To view this discussion on the web visit https://groups.google.com/d/msgid/junos-python-ez/E8145E19-6688-4B11-A861-6D8B1AA42832%40acm.org.

[Stacy W. Smith]

Nitin,

Thanks for correcting me.

--Stacy