Introduction
On 2020/06/27 I streamed "Stumbling through Ansible [Part 8]: Using Collections" on YouTube Live. It is a series in which I work through tasks live and fight the errors as they come up.
This time I tried installing a Collection and running a Playbook that uses a module from that Collection. Below I look back at the error I stumbled on, its cause, and how I dealt with it.
This particular error, however, had nothing directly to do with Collections, and I could not pin down a clear cause either.
Video
■ First: what is a Collection? (partly overlaps with Part 7)
What a Collection is
- A new distribution format that bundles modules, plugins, roles and so on
- Developed separately from Ansible itself
- Community collections are distributed via Ansible Galaxy
- Installed with ansible-galaxy collection install
When do you need a Collection?
- In Ansible 2.10, many modules that used to ship as part of the standard package moved into Collections
- pip install ansible-base installs only the 68 standard modules; pip install ansible installs those plus the previous modules, which come along via Collections
Namespaces
- Namespaces such as community.general and cisco.ios are introduced
- A module is specified by its fully qualified collection name (FQCN), for example cisco.ios.ios_config
- To make migration from Ansible 2.9 easier, there is a mechanism that implicitly resolves an old (short) module name to the Collection it moved to
Reference information
What I did
Already installed with pip install ansible-base==2.10.0b0
Preparation
- Install cisco.ios: ansible-galaxy collection install <collection name>
- Where did it get installed? ~/.ansible/collections/
- Setting: this is the default of COLLECTIONS_PATHS
- How to list what is installed: ansible-galaxy collection list (Ansible 2.10)
- Installing several at once: use requirements.yml
- Check the module documentation with ansible-doc
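To make the namespace rules above and the "what is installed" check concrete, here is an added Python example (my illustration, not Ansible's own implementation; the redirect table, the builtin set and the task list are constructed subsets, not the real routing file). It parses the table that ansible-galaxy collection list prints, resolves each task's module name to an FQCN the way the 2.9-compatibility redirect does, and reports a module as not found when its collection is missing from the collections path, which is what the ansible-doc ios_acls warning in the 2.9 environment in the log below corresponds to.

```python
"""Illustrative FQCN resolution plus installed-collection check for Ansible 2.10.
Added example, not Ansible's code: ROUTING, BUILTIN and SAMPLE_TASKS are constructed."""
import re
from typing import Dict, List, Optional, Tuple

FQCN_RE = re.compile(r"^[a-z0-9_]+\.[a-z0-9_]+\.[a-z0-9_]+$")

# Constructed subset of the 2.10 redirect table (the real one lives in ansible-base's
# ansible_builtin_runtime.yml): 2.9-style short name -> collection FQCN.
ROUTING: Dict[str, str] = {
    "ios_config": "cisco.ios.ios_config",
    "ios_acls": "cisco.ios.ios_acls",
    "eos_config": "arista.eos.eos_config",
    "junos_config": "junipernetworks.junos.junos_config",
}
# Constructed subset of modules that stayed in ansible-base as ansible.builtin.
BUILTIN = {"debug", "copy", "file", "command", "setup"}

# Constructed copy of the `ansible-galaxy collection list` output format from the log.
COLLECTION_LIST_OUTPUT = """\
# /home/vagrant/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.netcommon     1.0.0
cisco.ios             1.0.0
"""


def parse_collection_list(text: str) -> Dict[str, str]:
    """Parse `ansible-galaxy collection list` output into {'namespace.collection': version}."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        # data rows are "<ns.coll> <version>"; header, separator and path lines are skipped
        if len(parts) == 2 and "." in parts[0] and parts[1][0].isdigit():
            installed[parts[0]] = parts[1]
    return installed


def resolve(name: str, installed: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Map a task's module name to an FQCN; return (fqcn or None, reason)."""
    if "." not in name:
        if name in BUILTIN:
            return f"ansible.builtin.{name}", "builtin"
        if name not in ROUTING:
            return None, "module not found (no redirect for short name)"
        fqcn, how = ROUTING[name], "redirected from short name"
    elif FQCN_RE.match(name):
        fqcn, how = name, "fqcn"
    else:
        return None, "malformed module name"
    collection = ".".join(fqcn.split(".")[:2])
    if collection == "ansible.builtin" or collection in installed:
        return fqcn, how
    return None, f"collection {collection} not installed"


def check_tasks(tasks: List[Dict], installed: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Report (module, fqcn, reason) for each task dict as loaded from a playbook.
    The module is the one task key that is not a task keyword (constructed keyword subset)."""
    keywords = {"name", "register", "when", "loop", "vars", "become"}
    report = []
    for task in tasks:
        module = next(k for k in task if k not in keywords)
        fqcn, reason = resolve(module, installed)
        report.append((module, fqcn, reason))
    return report


# Constructed task list: the two tasks of the playbook on this page plus two extra cases.
SAMPLE_TASKS = [
    {"name": "set acl", "cisco.ios.ios_acls": {"state": "merged"}, "register": "res"},
    {"name": "debug", "debug": {"msg": "{{ res }}"}},
    {"name": "old style", "ios_config": {"lines": ["hostname rt01"]}},
    {"name": "junos", "junos_config": {"lines": ["set system host-name rt01"]}},
]

if __name__ == "__main__":
    for row in check_tasks(SAMPLE_TASKS, parse_collection_list(COLLECTION_LIST_OUTPUT)):
        print(row)
```

Running it shows the junos_config task as unsatisfiable because junipernetworks.junos is not in the parsed list, while ios_config still works through the redirect; writing tasks with the FQCN from the start (as the playbook on this page does) makes the dependency on cisco.ios explicit, so it can be pinned in requirements.yml instead of being resolved implicitly.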
Playbook
A Playbook that configures an ACL with cisco.ios.ios_acls.
The module is specified by its FQCN.
---
- hosts: rt01
  gather_facts: false
  tasks:
    - name: set acl
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: test_acl
                acl_type: extended
                aces:
                  - grant: permit
                    sequence: 10
                    protocol: tcp
                    protocol_options:
                      tcp:
                        ack: true
                    source:
                      address: 10.0.0.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      address: 172.16.1.0
                      wildcard_bits: 0.0.0.255
                      port_protocol:
                        eq: www
                  - grant: deny
                    sequence: 90
                    protocol: ip
                    source:
                      any: true
                    destination:
                      any: true
        state: merged
      register: res
    - name: debug
      debug:
        msg: "{{ res }}"
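To see what this Playbook asks the router to do before it touches a device, here is an added Python example (not part of the original post and not the cisco.ios collection's own renderer). It converts the same config structure into the IOS ACL lines that state: rendered would return, and flags any extended ACE that permits from any to any. The keyword order (ports, then TCP flags, then dscp) follows IOS syntax; the config data is a constructed copy of the playbook's config: key, and only the fields used here plus host, port ranges, dscp and standard ACLs are handled.

```python
"""Render an ios_acls resource-module `config` into Cisco IOS CLI lines.
Added illustration approximating `state: rendered`; not the collection's own code."""
from typing import Dict, List, Optional, Tuple

# Constructed input: the `config:` value of the playbook above, as Python data.
ACL_CONFIG: List[Dict] = [{
    "afi": "ipv4",
    "acls": [{
        "name": "test_acl",
        "acl_type": "extended",
        "aces": [
            {"grant": "permit", "sequence": 10, "protocol": "tcp",
             "protocol_options": {"tcp": {"ack": True}},
             "source": {"address": "10.0.0.0", "wildcard_bits": "0.0.0.255"},
             "destination": {"address": "172.16.1.0", "wildcard_bits": "0.0.0.255",
                             "port_protocol": {"eq": "www"}}},
            {"grant": "deny", "sequence": 90, "protocol": "ip",
             "source": {"any": True}, "destination": {"any": True}},
        ],
    }],
}]

TCP_FLAGS = ("ack", "established", "fin", "psh", "rst", "syn", "urg")  # IOS keywords


def render_endpoint(ep: Dict) -> str:
    """source/destination dict -> 'any' | 'host A.B.C.D' | 'A.B.C.D [wildcard]' [+ port match]."""
    if ep.get("any"):
        words = ["any"]
    elif "host" in ep:
        words = ["host", ep["host"]]
    elif "address" in ep:
        words = [ep["address"]]
        if "wildcard_bits" in ep:
            words.append(ep["wildcard_bits"])
    else:
        raise ValueError(f"endpoint needs any, host or address: {ep}")
    port = ep.get("port_protocol") or {}
    if "range" in port:
        words += ["range", str(port["range"]["start"]), str(port["range"]["end"])]
    else:
        for op in ("eq", "gt", "lt", "neq"):
            if op in port:
                words += [op, str(port[op])]
    return " ".join(words)


def render_ace(ace: Dict, acl_type: str) -> str:
    """One access-control entry -> one IOS line (without the leading indent)."""
    words = [str(ace["sequence"])] if "sequence" in ace else []
    words.append(ace["grant"])
    if acl_type == "standard":  # standard ACLs match on the source only
        words.append(render_endpoint(ace["source"]))
        return " ".join(words)
    words.append(ace["protocol"])
    words.append(render_endpoint(ace["source"]))
    words.append(render_endpoint(ace["destination"]))
    tcp = (ace.get("protocol_options") or {}).get("tcp") or {}
    words += [flag for flag in TCP_FLAGS if tcp.get(flag)]  # flags follow the ports on IOS
    if "dscp" in ace:
        words += ["dscp", str(ace["dscp"])]
    return " ".join(words)


def render_acls(config: List[Dict]) -> List[str]:
    """Whole `config` list -> IOS configuration lines, one access-list block per ACL."""
    lines: List[str] = []
    for family in config:
        if family["afi"] != "ipv4":
            raise NotImplementedError("this example renders afi ipv4 only")
        for acl in family["acls"]:
            acl_type = acl.get("acl_type", "extended")
            lines.append(f"ip access-list {acl_type} {acl['name']}")
            for ace in acl["aces"]:
                lines.append(" " + render_ace(ace, acl_type))
    return lines


def permit_any_to_any(config: List[Dict]) -> List[Tuple[str, Optional[int]]]:
    """Review helper: (acl name, sequence) of extended ACEs that permit from any to any."""
    hits = []
    for family in config:
        for acl in family["acls"]:
            if acl.get("acl_type", "extended") != "extended":
                continue
            for ace in acl["aces"]:
                if (ace["grant"] == "permit" and ace["source"].get("any")
                        and ace["destination"].get("any")):
                    hits.append((acl["name"], ace.get("sequence")))
    return hits


if __name__ == "__main__":
    print("\n".join(render_acls(ACL_CONFIG)))
    print("permit any any:", permit_any_to_any(ACL_CONFIG))
```

For the playbook's config this yields the three lines "ip access-list extended test_acl", " 10 permit tcp 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255 eq www ack" and " 90 deny ip any any"; comparing such rendered output against the intended policy before running with state: merged is a cheap review step, and the real module offers the same idea through state: rendered without needing a connection.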
■ Error in the debug task
A connection-related error appeared when I displayed the result variable of the ios_acls module with the debug module.
The debug task failed with the following error.
fatal: [rt01]: FAILED! => {"msg": "Traceback (most recent call last):\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 202, in send\n response = recv_data(sf)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 76, in recv_data\n d = s.recv(header_len - len(data))\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 342, in
\n main()\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 305, in main\n conn.set_options(var_options=variables)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 186, in rpc\n response = self.exec_jsonrpc(name, *args, **kwargs)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 152, in exec_jsonrpc\n out = self.send(data)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 209, in send\n err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()\nansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. See the socket path issue category in Network Debug and Troubleshooting Guide\n"}
Cause
Unknown.
The PC was sluggish and processing took a long time, but the debug module should not connect to the network device, so it made no sense to me that a ConnectionResetError occurred.
Workaround
(Nothing I could do... When I ran it again it worked fine.)
Extras
Sites I visited
Full execution log
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection instal cisco.ios
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'instal' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...
Perform various Role and Collection related operations.
positional arguments:
TYPE
collection Manage an Ansible Galaxy collection.
role Manage an Ansible Galaxy role.
optional arguments:
--version show program's version number, config file location,
configured module search path, module location, executable
location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable connection
debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection install cisco.ios
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Installing 'cisco.ios:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/cisco/ios'
Installing 'ansible.netcommon:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/ansible/netcommon'
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible-doc cisco.ios
^C [ERROR]: User interrupted execution
(a210) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_config.py)
Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections. This module provides an implementation
for working with IOS configuration sections in a deterministic way.
OPTIONS (= is mandatory):
- after
The ordered set of commands to append to the end of the command stack if a change needs to be made. Just like with `before' this allows the
playbook designer to append a set of commands to be executed after the command set.
[Default: (null)]
- backup
This argument will cause the module to create a full backup of the current `running-config' from the remote device before any changes are made. If
the `backup_options' value is not given, the backup file is written to the `backup' folder in the playbook root directory or role root directory,
if playbook is part of an ansible role. If the directory does not exist, it is created.
[Default: False]
type: bool
- backup_options
This is a dict object containing configurable options related to backup file path. The value of this option is read only when `backup' is set to
`yes', if `backup' is set to `no' this option will be silently ignored.
[Default: (null)]
type: dict
(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)
This module configures and manages the named or numbered ACLs on IOS platforms.
OPTIONS (= is mandatory):
- config
A dictionary of ACL options.
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- acls
A list of Access Control Lists (ACL).
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- aces
The entries within the ACL.
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- destination
Specify the packet destination.
[Default: (null)]
type: dict
SUBOPTIONS:
- address
Host address to match, or any single host address.
[Default: (null)]
type: str
- any
Match any source address.
[Default: (null)]
type: bool
- host
A single destination host
[Default: (null)]
type: str
- port_protocol
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
[Default: (null)]
type: dict
SUBOPTIONS:
- eq
Match only packets on a given port number.
[Default: (null)]
type: str
- gt
Match only packets with a greater port number.
[Default: (null)]
type: str
- lt
Match only packets with a lower port number.
[Default: (null)]
type: str
- neq
Match only packets not on a given port number.
[Default: (null)]
type: str
- range
Port group.
[Default: (null)]
type: dict
SUBOPTIONS:
- end
Specify the end of the port range.
[Default: (null)]
type: int
- start
Specify the start of the port range.
[Default: (null)]
type: int
- wildcard_bits
Destination wildcard bits, valid with IPV4 address.
[Default: (null)]
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ deactivate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
(reverse-i-search)`sou': ^Curce ~/envs/a210/bin/activate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$ python -m venv ~/a29
/usr/bin/python: No module named venv
[vagrant@stumble stumble]$ python3 -m venv ~/a29
[vagrant@stumble stumble]$ source ~/a29/bin/activate
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ pip install ansible
Collecting ansible
Downloading https://files.pythonhosted.org/packages/03/4f/cccab1ec2e0ecb05120184088e00404b38854809cf35aa76889406fbcbad/ansible-2.9.10.tar.gz (14.2MB)
100% |████████████████████████████████| 14.2MB 101kB/s
Collecting jinja2 (from ansible)
Using cached https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Collecting PyYAML (from ansible)
Using cached https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Collecting cryptography (from ansible)
Using cached https://files.pythonhosted.org/packages/58/95/f1282ca55649b60afcf617e1e2ca384a2a3e7a5cf91f724cf83c8fbe76a1/cryptography-2.9.2-cp35-abi3-manylinux1_x86_64.whl
Collecting MarkupSafe>=0.23 (from jinja2->ansible)
Using cached https://files.pythonhosted.org/packages/b2/5f/23e0023be6bb885d00ffbefad2942bc51a620328ee910f64abe5a8d18dd1/MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl
Collecting six>=1.4.1 (from cryptography->ansible)
Using cached https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
Collecting cffi!=1.11.3,>=1.8 (from cryptography->ansible)
Using cached https://files.pythonhosted.org/packages/f1/c7/72abda280893609e1ddfff90f8064568bd8bcb2c1770a9d5bb5edb2d1fea/cffi-1.14.0-cp36-cp36m-manylinux1_x86_64.whl
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography->ansible)
Using cached https://files.pythonhosted.org/packages/ae/e7/d9c3a176ca4b02024debf82342dab36efadfc5776f9c8db077e8f6e71821/pycparser-2.20-py2.py3-none-any.whl
Installing collected packages: MarkupSafe, jinja2, PyYAML, six, pycparser, cffi, cryptography, ansible
Running setup.py install for PyYAML ... done
Running setup.py install for ansible ... done
Successfully installed MarkupSafe-1.1.1 PyYAML-5.3.1 ansible-2.9.10 cffi-1.14.0 cryptography-2.9.2 jinja2-2.11.2 pycparser-2.20 six-1.15.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$ pip install paramiko
Collecting paramiko
Using cached https://files.pythonhosted.org/packages/06/1e/1e08baaaf6c3d3df1459fd85f0e7d2d6aa916f33958f151ee1ecc9800971/paramiko-2.7.1-py2.py3-none-any.whl
Collecting bcrypt>=3.1.3 (from paramiko)
Using cached https://files.pythonhosted.org/packages/8b/1d/82826443777dd4a624e38a08957b975e75df859b381ae302cfd7a30783ed/bcrypt-3.1.7-cp34-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cryptography>=2.5 in /home/vagrant/a29/lib/python3.6/site-packages (from paramiko)
Collecting pynacl>=1.0.1 (from paramiko)
Using cached https://files.pythonhosted.org/packages/9d/57/2f5e6226a674b2bcb6db531e8b383079b678df5b10cdaa610d6cf20d77ba/PyNaCl-1.4.0-cp35-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cffi>=1.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: six>=1.4.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: pycparser in /home/vagrant/a29/lib/python3.6/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko)
Installing collected packages: bcrypt, pynacl, paramiko
Successfully installed bcrypt-3.1.7 paramiko-2.7.1 pynacl-1.4.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG (/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules/network/ios/ios_config.py)
Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections. This module provides an implementation
for working with IOS configuration sections in a deterministic way.
* This module is maintained by The Ansible Network Team
OPTIONS (= is mandatory):
- after
The ordered set of commands to append to the end of the command stack if a change needs to be made. Just like with `before' this allows the
playbook designer to append a set of commands to be executed after the command set.
[Default: (null)]
- auth_pass
*Deprecated*
Starting with Ansible 2.5 we recommend using `connection: network_cli' and `become: yes' with `become_pass'.
For more information please see the L(IOS Platform Options guide, ../network/user_guide/platform_ios.html).
HORIZONTALLINE
Specifies the password to use if required to enter privileged mode on the remote device. If `authorize' is false, then this argument does
nothing. If the value is not specified in the task, the value of environment variable `ANSIBLE_NET_AUTH_PASS' will be used instead.
[Default: (null)]
type: str
- authorize
*Deprecated*
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ ansible-playbook -i
ansible.cfg eos_set.yml export/ inventory.ini ios_set.yml junos_set.yml memo/
collections/ eos_show.yml group_vars/ ios_acls.yml ios_show.yml junos_show.yml server.yml
(a29) [vagrant@stumble stumble]$ ansible-playbook -i
ansible.cfg eos_set.yml export/ inventory.ini ios_set.yml junos_set.yml memo/
collections/ eos_show.yml group_vars/ ios_acls.yml ios_show.yml junos_show.yml server.yml
(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml
PLAY [rt01] *************************************************************************************************************************************************************************************
TASK [merge acl] ********************************************************************************************************************************************************************************
changed: [rt01]
TASK [gather acl] *******************************************************************************************************************************************************************************
ok: [rt01]
PLAY RECAP **************************************************************************************************************************************************************************************
rt01 : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls
ERROR! the playbook: ios_acls could not be found
(a29) [vagrant@stumble stumble]$ ^C
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(reverse-i-search)`': ^C
(a29) [vagrant@stumble stumble]$ deactivate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible --version
ansible 2.10.0b1
config file = /vagrant/stumble/ansible.cfg
configured module search path = ['/home/vagrant/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible
executable location = /home/vagrant/envs/a210/bin/ansible
python version = 3.6.8 (default, Apr 2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
(a210) [vagrant@stumble stumble]$ ansible-doc -l | wc -l
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible-galaxy collections list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'collections' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...
Perform various Role and Collection related operations.
positional arguments:
TYPE
collection Manage an Ansible Galaxy collection.
role Manage an Ansible Galaxy role.
optional arguments:
--version show program's version number, config file location,
configured module search path, module location, executable
location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable connection
debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy colleciton list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'colleciton' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...
Perform various Role and Collection related operations.
positional arguments:
TYPE
collection Manage an Ansible Galaxy collection.
role Manage an Ansible Galaxy role.
optional arguments:
--version show program's version number, config file location,
configured module search path, module location, executable
location and exit
-h, --help show this help message and exit
-v, --verbose verbose mode (-vvv for more, -vvvv to enable connection
debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection list
# /home/vagrant/.ansible/collections/ansible_collections
Collection Version
----------------- -------
ansible.netcommon 1.0.0
cisco.ios 1.0.0
(a210) [vagrant@stumble stumble]$ vi requirements.yml
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection -r requirements.yml
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'requirements.yml' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...
Perform various Role and Collection related operations.
positional arguments:
TYPE
collection Manage an Ansible Galaxy collection.
role Manage an Ansible Galaxy role.
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection list
# /home/vagrant/.ansible/collections/ansible_collections
Collection Version
--------------------- -------
ansible.netcommon 1.0.0
arista.eos 1.0.0
cisco.ios 1.0.0
junipernetworks.junos 1.0.0
(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)
This module configures and manages the named or numbered ACLs on IOS
platforms.
OPTIONS (= is mandatory):
- config
A dictionary of ACL options.
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- acls
A list of Access Control Lists (ACL).
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- aces
The entries within the ACL.
[Default: (null)]
elements: dict
type: list
SUBOPTIONS:
- destination
Specify the packet destination.
[Default: (null)]
type: dict
SUBOPTIONS:
- address
Host address to match, or any single host address.
[Default: (null)]
type: str
- any
Match any source address.
[Default: (null)]
type: bool
- host
A single destination host
[Default: (null)]
type: str
- port_protocol
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
[Default: (null)]
type: dict
SUBOPTIONS:
- eq
Match only packets on a given port number.
[Default: (null)]
type: str
- gt
Match only packets with a greater port number.
[Default: (null)]
type: str
- lt
Match only packets with a lower port number.
[Default: (null)]
type: str
- neq
Match only packets not on a given port number.
[Default: (null)]
type: str
- range
Port group.
[Default: (null)]
type: dict
SUBOPTIONS:
- end
Specify the end of the port range.
[Default: (null)]
type: int
- start
Specify the start of the port range.
[Default: (null)]
type: int
- wildcard_bits
Destination wildcard bits, valid with IPV4 address.
[Default: (null)]
type: str
- dscp
Match packets with given dscp value.
[Default: (null)]
type: str
- fragments
Check non-initial fragments.
[Default: (null)]
type: str
- grant
Specify the action.
(Choices: permit, deny)[Default: (null)]
type: str
- log
Log matches against this entry.
[Default: (null)]
type: str
- log_input
Log matches against this entry, including input interface.
[Default: (null)]
type: str
- option
Match packets with given IP Options value.
Valid only for named acls.
[Default: (null)]
type: dict
SUBOPTIONS:
- add_ext
Match packets with Address Extension Option (147).
[Default: (null)]
type: bool
- any_options
Match packets with ANY Option.
[Default: (null)]
type: bool
- com_security
Match packets with Commercial Security Option (134).
[Default: (null)]
type: bool
- dps
Match packets with Dynamic Packet State Option (151).
[Default: (null)]
type: bool
- encode
Match packets with Encode Option (15).
[Default: (null)]
type: bool
- eool
Match packets with End of Options (0).
[Default: (null)]
type: bool
- ext_ip
Match packets with Extended IP Option (145).
[Default: (null)]
type: bool
- ext_security
Match packets with Extended Security Option (133).
[Default: (null)]
type: bool
- finn
Match packets with Experimental Flow Control Option
(205).
[Default: (null)]
type: bool
- imitd
Match packets with IMI Traffic Desriptor Option (144).
[Default: (null)]
type: bool
- lsr
Match packets with Loose Source Route Option (131).
[Default: (null)]
type: bool
- mtup
Match packets with MTU Probe Option (11).
[Default: (null)]
type: bool
- mtur
Match packets with MTU Reply Option (12).
[Default: (null)]
type: bool
- no_op
Match packets with No Operation Option (1).
[Default: (null)]
type: bool
- nsapa
Match packets with NSAP Addresses Option (150).
[Default: (null)]
type: bool
- record_route
Match packets with Record Route Option (7).
[Default: (null)]
type: bool
- router_alert
Match packets with Router Alert Option (148).
[Default: (null)]
type: bool
- sdb
Match packets with Selective Directed Broadcast Option
(149).
[Default: (null)]
type: bool
- security
Match packets with Basic Security Option (130).
[Default: (null)]
type: bool
- ssr
Match packets with Strict Source Routing Option (137).
[Default: (null)]
type: bool
- stream_id
Match packets with Stream ID Option (136).
[Default: (null)]
type: bool
- timestamp
Match packets with Time Stamp Option (68).
[Default: (null)]
type: bool
- traceroute
Match packets with Trace Route Option (82).
[Default: (null)]
type: bool
- ump
Match packets with Upstream Multicast Packet Option
(152).
[Default: (null)]
type: bool
- visa
Match packets with Experimental Access Control Option
(142).
[Default: (null)]
type: bool
- zsu
Match packets with Experimental Measurement Option (10).
[Default: (null)]
type: bool
- precedence
Match packets with given precedence value.
[Default: (null)]
type: int
- protocol
Specify the protocol to match.
Refer to vendor documentation for valid values.
[Default: (null)]
type: str
- protocol_options
protocol type.
[Default: (null)]
type: dict
SUBOPTIONS:
- ahp
Authentication Header Protocol.
[Default: (null)]
type: bool
- eigrp
Cisco's EIGRP routing protocol.
[Default: (null)]
type: bool
- esp
Encapsulation Security Payload.
[Default: (null)]
type: bool
- gre
Cisco's GRE tunneling.
[Default: (null)]
type: bool
- hbh
Hop by Hop options header. Valid for IPV6
[Default: (null)]
type: bool
- icmp
Internet Control Message Protocol.
[Default: (null)]
type: dict
SUBOPTIONS:
- administratively_prohibited
Administratively prohibited
[Default: (null)]
type: bool
- alternate_address
Alternate address
[Default: (null)]
type: bool
- conversion_error
Datagram conversion
[Default: (null)]
type: bool
- dod_host_prohibited
Host prohibited
[Default: (null)]
type: bool
- dod_net_prohibited
Net prohibited
[Default: (null)]
type: bool
- echo
Echo (ping)
[Default: (null)]
type: bool
- echo_reply
Echo reply
[Default: (null)]
type: bool
- general_parameter_problem
Parameter problem
[Default: (null)]
type: bool
- host_isolated
Host isolated
[Default: (null)]
type: bool
- host_precedence_unreachable
Host unreachable for precedence
[Default: (null)]
type: bool
- host_redirect
Host redirect
[Default: (null)]
type: bool
- host_tos_redirect
Host redirect for TOS
[Default: (null)]
type: bool
- host_tos_unreachable
Host unreachable for TOS
[Default: (null)]
type: bool
- host_unknown
Host unknown
[Default: (null)]
type: bool
- host_unreachable
Host unreachable
[Default: (null)]
type: bool
- information_reply
Information replies
[Default: (null)]
type: bool
- information_request
Information requests
[Default: (null)]
type: bool
- mask_reply
Mask replies
[Default: (null)]
type: bool
- mask_request
mask_request
[Default: (null)]
type: bool
- mobile_redirect
Mobile host redirect
[Default: (null)]
type: bool
- net_redirect
Network redirect
[Default: (null)]
type: bool
- net_tos_redirect
Net redirect for TOS
[Default: (null)]
type: bool
- net_tos_unreachable
Network unreachable for TOS
[Default: (null)]
type: bool
- net_unreachable
Net unreachable
[Default: (null)]
type: bool
- network_unknown
Network unknown
[Default: (null)]
type: bool
- no_room_for_option
Parameter required but no room
[Default: (null)]
type: bool
- option_missing
Parameter required but not present
[Default: (null)]
type: bool
- packet_too_big
Fragmentation needed and DF set
[Default: (null)]
type: bool
- parameter_problem
All parameter problems
[Default: (null)]
type: bool
- port_unreachable
Port unreachable
[Default: (null)]
type: bool
- precedence_unreachable
Precedence cutoff
[Default: (null)]
type: bool
- protocol_unreachable
Protocol unreachable
[Default: (null)]
type: bool
- reassembly_timeout
Reassembly timeout
[Default: (null)]
type: bool
- redirect
All redirects
[Default: (null)]
type: bool
- router_advertisement
Router discovery advertisements
[Default: (null)]
type: bool
- router_solicitation
Router discovery solicitations
[Default: (null)]
type: bool
- source_quench
Source quenches
[Default: (null)]
type: bool
- source_route_failed
Source route failed
[Default: (null)]
type: bool
- time_exceeded
All time exceededs
[Default: (null)]
type: bool
- timestamp_reply
Timestamp replies
[Default: (null)]
type: bool
- timestamp_request
Timestamp requests
[Default: (null)]
type: bool
- traceroute
Traceroute
[Default: (null)]
type: bool
- ttl_exceeded
TTL exceeded
[Default: (null)]
type: bool
- unreachable
All unreachables
[Default: (null)]
type: bool
- igmp
Internet Gateway Message Protocol.
[Default: (null)]
type: dict
SUBOPTIONS:
- dvmrp
Distance Vector Multicast Routing Protocol(2)
[Default: (null)]
type: bool
- host_query
IGMP Membership Query(0)
[Default: (null)]
type: bool
- mtrace_resp
Multicast Traceroute Response(7)
[Default: (null)]
type: bool
- mtrace_route
Multicast Traceroute(8)
[Default: (null)]
type: bool
- pim
Protocol Independent Multicast(3)
[Default: (null)]
type: bool
- trace
Multicast trace(4)
[Default: (null)]
type: bool
- v1host_report
IGMPv1 Membership Report(1)
[Default: (null)]
type: bool
- v2host_report
IGMPv2 Membership Report(5)
[Default: (null)]
type: bool
- v2leave_group
IGMPv2 Leave Group(6)
[Default: (null)]
type: bool
- v3host_report
IGMPv3 Membership Report(9)
[Default: (null)]
type: bool
- ip
Any Internet Protocol.
[Default: (null)]
type: bool
- ipinip
IP in IP tunneling.
[Default: (null)]
type: bool
- ipv6
Any IPv6.
[Default: (null)]
type: bool
- nos
KA9Q NOS compatible IP over IP tunneling.
[Default: (null)]
type: bool
- ospf
OSPF routing protocol.
[Default: (null)]
type: bool
- pcp
Payload Compression Protocol.
[Default: (null)]
type: bool
- pim
Protocol Independent Multicast.
[Default: (null)]
type: bool
- protocol_number
An IP protocol number
[Default: (null)]
type: int
- sctp
Stream Control Transmission Protocol.
[Default: (null)]
type: bool
- tcp
Match TCP packet flags
[Default: (null)]
type: dict
SUBOPTIONS:
- ack
Match on the ACK bit
[Default: (null)]
type: bool
- established
Match established connections
[Default: (null)]
type: bool
- fin
Match on the FIN bit
[Default: (null)]
type: bool
- psh
Match on the PSH bit
[Default: (null)]
type: bool
- rst
Match on the RST bit
[Default: (null)]
type: bool
- syn
Match on the SYN bit
[Default: (null)]
type: bool
- urg
Match on the URG bit
[Default: (null)]
type: bool
- udp
User Datagram Protocol.
[Default: (null)]
type: bool
- sequence
Sequence Number for the Access Control Entry(ACE).
Refer to vendor documentation for valid values.
[Default: (null)]
type: int
- source
Specify the packet source.
[Default: (null)]
type: dict
SUBOPTIONS:
- address
Source network address.
[Default: (null)]
type: str
- any
Match any source address.
[Default: (null)]
type: bool
- host
A single source host
[Default: (null)]
type: str
- port_protocol
Specify the destination port along with protocol.
Note, Valid with TCP/UDP protocol_options
[Default: (null)]
type: dict
SUBOPTIONS:
- eq
Match only packets on a given port number.
[Default: (null)]
type: str
- gt
Match only packets with a greater port number.
[Default: (null)]
type: str
- lt
Match only packets with a lower port number.
[Default: (null)]
type: str
- neq
Match only packets not on a given port number.
[Default: (null)]
type: str
- range
Port group.
[Default: (null)]
type: dict
SUBOPTIONS:
- end
Specify the end of the port range.
[Default: (null)]
type: int
- start
Specify the start of the port range.
[Default: (null)]
type: int
- wildcard_bits
Destination wildcard bits, valid with IPV4 address.
[Default: (null)]
                                type: str
                        - time_range
                                Specify a time-range.
                                [Default: (null)]
                                type: str
                        - tos
                                Match packets with given TOS value.
                                Note, DSCP and TOS are mutually exclusive
                                [Default: (null)]
                                type: dict
                                SUBOPTIONS:
                                - max_reliability
                                        Match packets with max reliable TOS (2).
                                        [Default: (null)]
                                        type: bool
                                - max_throughput
                                        Match packets with max throughput TOS (4).
                                        [Default: (null)]
                                        type: bool
                                - min_delay
                                        Match packets with min delay TOS (8).
                                        [Default: (null)]
                                        type: bool
                                - min_monetary_cost
                                        Match packets with min monetary cost TOS (1).
                                        [Default: (null)]
                                        type: bool
                                - normal
                                        Match packets with normal TOS (0).
                                        [Default: (null)]
                                        type: bool
                                - service_value
                                        Type of service value
                                        [Default: (null)]
                                        type: int
                        - ttl
                                Match packets with given TTL value.
                                [Default: (null)]
                                type: dict
                                SUBOPTIONS:
                                - eq
                                        Match only packets on a given TTL number.
                                        [Default: (null)]
                                        type: int
                                - gt
                                        Match only packets with a greater TTL number.
                                        [Default: (null)]
                                        type: int
                                - lt
                                        Match only packets with a lower TTL number.
                                        [Default: (null)]
                                        type: int
                                - neq
                                        Match only packets not on a given TTL number.
                                        [Default: (null)]
                                        type: int
                                - range
                                        Match only packets in the range of TTLs.
                                        [Default: (null)]
                                        type: dict
                                        SUBOPTIONS:
                                        - end
                                                Specify the end of the port range.
                                                [Default: (null)]
                                                type: int
                                        - start
                                                Specify the start of the port range.
                                                [Default: (null)]
                                                type: int
                - acl_type
                        ACL type
                        Note, it's mandatory and required for Named ACL, but for
                        Numbered ACL it's not mandatory.
                        (Choices: extended, standard)[Default: (null)]
                        type: str
                = name
                        The name or the number of the ACL.
                        type: str
        = afi
                The Address Family Indicator (AFI) for the Access Control Lists
                (ACL).
                (Choices: ipv4, ipv6)
                type: str
- running_config
        The module, by default, will connect to the remote device and retrieve
        the current running-config to use as a base for comparing against the
        contents of source. There are times when it is not desirable to have the
        task get the current running-config for every task in a playbook. The
        `running_config' argument allows the implementer to pass in the
        configuration to use as the base config for comparison.
        [Default: (null)]
        type: str
- state
        The state the configuration should be left in
        The states `rendered', `gathered' and `parsed' does not perform any
        change on the device.
        The state `rendered' will transform the configuration in `config' option
        to platform specific CLI commands which will be returned in the
        `rendered' key within the result. For state `rendered' active connection
        to remote host is not required.
        The state `gathered' will fetch the running configuration from device
        and transform it into structured data in the format as per the resource
        module argspec and the value is returned in the `gathered' key within
        the result.
        The state `parsed' reads the configuration from `running_config' option
        and transforms it into JSON format as per the resource module parameters
        and the value is returned in the `parsed' key within the result. The
        value of `running_config' option should be the same format as the output
        of command `show running-config | include ip route|ipv6 route' executed
        on device. For state `parsed' active connection to remote host is not
        required.
        (Choices: merged, replaced, overridden, deleted, gathered, rendered,
        parsed)[Default: merged]
        type: str
NOTES:
* Tested against Cisco IOSv Version 15.2 on VIRL
AUTHOR: Sumit Jaiswal (@justjais)
VERSION_ADDED_COLLECTION: cisco.ios
EXAMPLES:
# Using merged
# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
# 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10
- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: std_acl
        acl_type: standard
        aces:
        - grant: deny
          source:
            address: 192.168.1.200
        - grant: deny
          source:
            address: 192.168.2.0
            wildcard_bits: 0.0.0.255
      - name: 110
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            host: 198.51.100.0
          destination:
            host: 198.51.110.0
            port_protocol:
              eq: telnet
      - name: test
        acl_type: extended
        aces:
        - grant: deny
          protocol_options:
            tcp:
              fin: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          option:
            traceroute: true
          ttl:
            eq: 10
      - name: 123
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 198.51.101.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          tos:
            service_value: 12
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.4.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            lt: 20
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            any: true
            port_protocol:
              eq: www
          destination:
            any: true
            port_protocol:
              eq: telnet
          dscp: af11
    state: merged
# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - no 10
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11
# After state:
(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml
PLAY [rt01] ********************************************************************
TASK [set acl] *****************************************************************
fatal: [rt01]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "msg": "value of state must be one of: merged, replaced, overridden, deleted, gathered, rendered, parsed, got: merge"}
PLAY RECAP *********************************************************************
rt01 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml
PLAY [rt01] ********************************************************************
TASK [set acl] *****************************************************************
changed: [rt01]
TASK [debug] *******************************************************************
fatal: [rt01]: FAILED! => {"msg": "Traceback (most recent call last):\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 202, in send\n response = recv_data(sf)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 76, in recv_data\n d = s.recv(header_len - len(data))\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 342, in <module>\n main()\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 305, in main\n conn.set_options(var_options=variables)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 186, in __rpc__\n response = self._exec_jsonrpc(name, *args, **kwargs)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 152, in _exec_jsonrpc\n out = self.send(data)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 209, in send\n err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()\nansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. See the socket path issue category in Network Debug and Troubleshooting Guide\n"}
PLAY RECAP *********************************************************************
rt01 : ok=1 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml
PLAY [rt01] ******************************************************************************
TASK [set acl] ***************************************************************************
ok: [rt01]
TASK [debug] *****************************************************************************
ok: [rt01] => {
    "msg": {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        },
        "before": [
            {
                "acls": [
                    {
                        "aces": [
                            {
                                "destination": {
                                    "address": "172.16.1.0",
                                    "port_protocol": {
                                        "eq": "www"
                                    },
                                    "wildcard_bits": "0.0.0.255"
                                },
                                "grant": "permit",
                                "protocol": "tcp",
                                "protocol_options": {
                                    "tcp": {
                                        "ack": true
                                    }
                                },
                                "sequence": 10,
                                "source": {
                                    "address": "10.0.0.0",
                                    "wildcard_bits": "0.0.0.255"
                                }
                            },
                            {
                                "destination": {
                                    "any": true
                                },
                                "grant": "deny",
                                "protocol": "ip",
                                "protocol_options": {
                                    "ip": true
                                },
                                "sequence": 90,
                                "source": {
                                    "any": true
                                }
                            }
                        ],
                        "acl_type": "extended",
                        "name": "test_acl"
                    }
                ],
                "afi": "ipv4"
            }
        ],
        "changed": false,
        "commands": [],
        "failed": false
    }
}
PLAY RECAP *******************************************************************************
rt01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
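The `state` description in the ansible-doc output above says that `rendered` turns the `config` option into IOS CLI commands and returns them in the `rendered` key without needing a connection to the device. The playbook below is an added example, not part of the original post or of the cisco.ios collection: it uses `rendered` to review the post's own ACL before the `merged` task sends it to the router. The host `rt01`, the inventory and the ACL contents are taken from the post; the variable name `acl_config` and the two `assert` checks are assumptions of this example.

```yaml
---
# Added example (not from the original post or the cisco.ios collection):
# render the ACL to CLI commands first, check the result, and only then merge.
# Host rt01 and inventory.ini are the same as in the post; acl_config and the
# assert checks are this example's own.
- hosts: rt01
  gather_facts: false
  vars:
    # The same ACL as in the post's playbook: permit established (ack) web
    # traffic from 10.0.0.0/24 to 172.16.1.0/24, then deny everything else.
    acl_config:
      - afi: ipv4
        acls:
          - name: test_acl
            acl_type: extended
            aces:
              - grant: permit
                sequence: 10
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 10.0.0.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 172.16.1.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
              - grant: deny
                sequence: 90
                protocol: ip
                source:
                  any: true
                destination:
                  any: true
  tasks:
    # state: rendered does not change the device and, per ansible-doc, needs no
    # active connection: it only converts acl_config into the IOS commands that
    # state: merged would send.
    - name: Render the ACL to CLI commands without touching the device
      cisco.ios.ios_acls:
        config: "{{ acl_config }}"
        state: rendered
      register: rendered

    - name: Show the commands that would be sent
      ansible.builtin.debug:
        var: rendered.rendered

    # Guard: the list must contain exactly one explicit deny-all and it must be
    # the last line, so an editing mistake in acl_config cannot leave the ACL
    # without its final deny or put it ahead of the permit entry.
    - name: Check that the rendered ACL ends with deny ip any any
      ansible.builtin.assert:
        that:
          - rendered.rendered | select('search', 'deny ip any any') | list | length == 1
          - (rendered.rendered | last) is search('deny ip any any')
        fail_msg: "rendered ACL does not end with an explicit deny: {{ rendered.rendered }}"

    # Same task as in the post's playbook; only reached if the checks pass.
    - name: Apply the ACL to the device
      cisco.ios.ios_acls:
        config: "{{ acl_config }}"
        state: merged
      register: res

    - name: Show the merge result
      ansible.builtin.debug:
        var: res
```

Run it with the same `ansible-playbook -i inventory.ini` invocation as in the post. The first run above failed in the module's argument validation (`got: merge`, `changed: false`) before any command reached the router; the `rendered` step gives the same kind of early feedback on the content of the ACL itself, which otherwise only becomes visible once `merged` has already changed the device.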
Toward Part 9
It is still being planned. For a change of pace, Ansible Tower or AWX might be a good topic.