Introduction
On 2020/06/27 I did a YouTube Live stream titled "Stumbling through Ansible [Part 8] Using Collections". It is a series in which I work through tasks live while fighting the errors that come up.
This time I tried installing a Collection and running a Playbook that uses a module from that Collection. Below I look back at the errors I stumbled on, their causes, and how I dealt with them.
That said, this time's stumble was not directly related to Collections, and I could not find a clear cause for it either.
Video
■ Before that: what is a Collection? (partly overlaps with Part 7)
What a Collection is
- A new distribution format that bundles modules, plugins, roles and so on
- Developed separately from the Ansible core
- Community collections are distributed via Ansible Galaxy
- Installed with
ansible-galaxy collection install
When do you need a Collection?
- In Ansible 2.10, many modules that used to ship with the core have moved into Collections
- pip install ansible-base
installs only the 68 standard modules
- pip install ansible
installs, in addition to those, the previous modules via Collections
Namespaces
- Namespaces such as
community.general
and
cisco.ios
are introduced
- Modules are referenced by their fully qualified collection name (FQCN), e.g.
cisco.ios.ios_config
- To ease migration from Ansible 2.9, there is a mechanism that implicitly resolves the old (short) module name to the Collection it moved to
References
What I did
Ansible was already installed with
pip install ansible-base==2.10.0b0
Preparation
- Install
cisco.ios
with
ansible-galaxy collection install <collection name>
- Where did it get installed?
~/.ansible/collections/
(the default of the
COLLECTIONS_PATHS
setting)
- How to list the installed collections
ansible-galaxy collection list
(Ansible 2.10)
- Installing several collections at once: use
requirements.yml
- Check the module documentation with
ansible-doc
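To cover both the Collection overview above and the preparation steps, here is an added example (not from the original post) of the requirements.yml the steps refer to. It pins the four collections that the ansible-galaxy collection list output in the log shows at 1.0.0; the pin is the supply-chain check, because an entry without a version installs whatever the newest release on Galaxy happens to be at run time.

```yaml
---
# requirements.yml (added example, not from the original post)
# Exact pins: every run installs the same collection code. The versions
# are the ones "ansible-galaxy collection list" shows in the log.
collections:
  - name: cisco.ios
    version: 1.0.0
  - name: arista.eos
    version: 1.0.0
  - name: junipernetworks.junos
    version: 1.0.0
  # Dependency of the three platform collections above. It is pinned
  # explicitly so a change in their dependency metadata cannot silently
  # pull in a different ansible.netcommon release.
  - name: ansible.netcommon
    version: 1.0.0
```

Install with ansible-galaxy collection install -r requirements.yml; the install subcommand is required, and as the log shows, ansible-galaxy collection -r requirements.yml on its own is rejected. Adding -p ./collections installs into a project-local directory instead of the default ~/.ansible/collections, in which case ansible.cfg needs collections_paths = ./collections under [defaults] so that FQCNs resolve there. Afterwards ansible-galaxy collection verify -r requirements.yml compares the installed files against the checksums of the artifacts published on Galaxy; verify is one of the COLLECTION_ACTION choices listed in the log.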
Playbook
A Playbook that configures an ACL using
cisco.ios.ios_acls
The module is referenced by FQCN, for good measure.
---
- hosts: rt01
  gather_facts: false

  tasks:
    - name: set acl
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls:
              - name: test_acl
                acl_type: extended
                aces:
                  - grant: permit
                    sequence: 10
                    protocol: tcp
                    protocol_options:
                      tcp:
                        ack: true
                    source:
                      address: 10.0.0.0
                      wildcard_bits: 0.0.0.255
                    destination:
                      address: 172.16.1.0
                      wildcard_bits: 0.0.0.255
                      port_protocol:
                        eq: www
                  - grant: deny
                    sequence: 90
                    protocol: ip
                    source:
                      any: true
                    destination:
                      any: true
        state: merged
      register: res

    - name: debug
      debug:
        msg: "{{ res }}"
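The following is an added example, not from the original post or from the cisco.ios project. It extends the ACL playbook above with the rendered and gathered states that the ansible-doc ios_acls output in the log describes: rendered turns the structured config into the IOS CLI lines the module would send, without touching the device, so the change can be reviewed first; gathered reads the running config back as structured data so the result can be asserted on rather than trusting changed=True. It assumes the same host rt01, with ansible_connection set to ansible.netcommon.network_cli and ansible_network_os set to cisco.ios.ios in the inventory or group_vars (neither is shown on this page), and cisco.ios 1.0.0 installed as in the log.

```yaml
---
# ios_acls_checked.yml (added example, not from the original post)
# Assumes rt01 uses ansible_connection: ansible.netcommon.network_cli and
# ansible_network_os: cisco.ios.ios, set in inventory or group_vars.
- hosts: rt01
  gather_facts: false
  vars:
    # Same ACL as the post's playbook, held in one variable so the render,
    # merge and gather steps all work from a single definition.
    test_acl:
      - afi: ipv4
        acls:
          - name: test_acl
            acl_type: extended
            aces:
              - grant: permit
                sequence: 10
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 10.0.0.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 172.16.1.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
              - grant: deny
                sequence: 90
                protocol: ip
                source:
                  any: true
                destination:
                  any: true

  tasks:
    # Valid states, from ansible-doc ios_acls: merged, replaced, overridden,
    # deleted, gathered, rendered, parsed ("merge" is rejected, as the log
    # shows). "rendered" needs no active connection to the device.
    - name: render ACL as IOS CLI for review
      cisco.ios.ios_acls:
        config: "{{ test_acl }}"
        state: rendered
      register: rendered
      tags: [render]

    - name: show the commands the merge would send
      ansible.builtin.debug:
        var: rendered.rendered
      tags: [render]

    - name: merge ACL into the running config
      cisco.ios.ios_acls:
        config: "{{ test_acl }}"
        state: merged
      tags: [apply]

    # Read the running config back as structured data and check it, instead
    # of relying on the merge task's changed flag.
    - name: gather ACLs from the device
      cisco.ios.ios_acls:
        state: gathered
      register: gathered
      tags: [apply]

    - name: confirm test_acl exists and ends with the explicit deny
      ansible.builtin.assert:
        that:
          - "'test_acl' in acl_names"
          - "test_acl_aces | map(attribute='sequence') | map('int') | list == [10, 90]"
        fail_msg: "test_acl missing or ACE sequence differs; ACLs found: {{ acl_names }}"
      vars:
        all_acls: "{{ gathered.gathered | selectattr('acls', 'defined') | map(attribute='acls') | flatten }}"
        acl_names: "{{ all_acls | map(attribute='name') | list }}"
        test_acl_aces: "{{ all_acls | selectattr('name', 'equalto', 'test_acl') | map(attribute='aces') | flatten }}"
      tags: [apply]
```

Run ansible-playbook -i inventory.ini ios_acls_checked.yml --tags render to see the CLI without logging in to the device, and --tags apply to push the change and verify it. The final assert checks the ACE order as well as the ACL name, because an ACL that exists but has lost its trailing deny still passes a name-only check.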
■ Error in debug
A connection-related error when displaying the result variable of the
ios_acls
module with the debug module.
The
debug
task failed with the following error (the msg string is unfolded here for readability).
fatal: [rt01]: FAILED! => {"msg": "Traceback (most recent call last):
  File "/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py", line 202, in send
    response = recv_data(sf)
  File "/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py", line 76, in recv_data
    d = s.recv(header_len - len(data))
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/vagrant/envs/a210/bin/ansible-connection", line 342, in <module>
    main()
  File "/home/vagrant/envs/a210/bin/ansible-connection", line 305, in main
    conn.set_options(var_options=variables)
  File "/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py", line 186, in rpc
    response = self.exec_jsonrpc(name, *args, **kwargs)
  File "/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py", line 152, in exec_jsonrpc
    out = self.send(data)
  File "/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py", line 209, in send
    err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()
ansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. See the socket path issue category in Network Debug and Troubleshooting Guide
"}
Cause
Unknown.
The PC was sluggish and processing was taking a long time, but the
debug
module should not be connecting to the network device, so I could not make sense of it ending in
ConnectionResetError.
Workaround
(Nothing I could do... When I ran it again, it completed normally.)
Extras
Sites I looked at
Full execution log
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection instal cisco.ios
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'instal' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection     Manage an Ansible Galaxy collection.
    role           Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection install cisco.ios
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Installing 'cisco.ios:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/cisco/ios'
Installing 'ansible.netcommon:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/ansible/netcommon'
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible-doc cisco.ios
^C [ERROR]: User interrupted execution
(a210) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_config.py)

        Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections. This module provides an implementation for working with IOS configuration sections in a deterministic way.

OPTIONS (= is mandatory):

- after  The ordered set of commands to append to the end of the command stack if a change needs to be made. Just like with `before' this allows the playbook designer to append a set of commands to be executed after the command set. [Default: (null)]
- backup  This argument will cause the module to create a full backup of the current `running-config' from the remote device before any changes are made. If the `backup_options' value is not given, the backup file is written to the `backup' folder in the playbook root directory or role root directory, if playbook is part of an ansible role. If the directory does not exist, it is created. [Default: False] type: bool
- backup_options  This is a dict object containing configurable options related to backup file path. The value of this option is read only when `backup' is set to `yes', if `backup' is set to `no' this option will be silently ignored. [Default: (null)] type: dict
(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)

        This module configures and manages the named or numbered ACLs on IOS platforms.

OPTIONS (= is mandatory):

- config  A dictionary of ACL options. [Default: (null)] elements: dict type: list
  SUBOPTIONS:
  - acls  A list of Access Control Lists (ACL). [Default: (null)] elements: dict type: list
    SUBOPTIONS:
    - aces  The entries within the ACL. [Default: (null)] elements: dict type: list
      SUBOPTIONS:
      - destination  Specify the packet destination. [Default: (null)] type: dict
        SUBOPTIONS:
        - address  Host address to match, or any single host address. [Default: (null)] type: str
        - any  Match any source address. [Default: (null)] type: bool
        - host  A single destination host [Default: (null)] type: str
        - port_protocol  Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options [Default: (null)] type: dict
          SUBOPTIONS:
          - eq  Match only packets on a given port number. [Default: (null)] type: str
          - gt  Match only packets with a greater port number. [Default: (null)] type: str
          - lt  Match only packets with a lower port number. [Default: (null)] type: str
          - neq  Match only packets not on a given port number. [Default: (null)] type: str
          - range  Port group. [Default: (null)] type: dict
            SUBOPTIONS:
            - end  Specify the end of the port range. [Default: (null)] type: int
            - start  Specify the start of the port range. [Default: (null)] type: int
        - wildcard_bits  Destination wildcard bits, valid with IPV4 address. [Default: (null)]
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ deactivate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
(reverse-i-search)`sou': ^Curce ~/envs/a210/bin/activate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$ python -m venv ~/a29
/usr/bin/python: No module named venv
[vagrant@stumble stumble]$ python3 -m venv ~/a29
[vagrant@stumble stumble]$ source ~/a29/bin/activate
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ pip install ansible
Collecting ansible
  Downloading https://files.pythonhosted.org/packages/03/4f/cccab1ec2e0ecb05120184088e00404b38854809cf35aa76889406fbcbad/ansible-2.9.10.tar.gz (14.2MB)
    100% |████████████████████████████████| 14.2MB 101kB/s
Collecting jinja2 (from ansible)
  Using cached https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Collecting PyYAML (from ansible)
  Using cached https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Collecting cryptography (from ansible)
  Using cached https://files.pythonhosted.org/packages/58/95/f1282ca55649b60afcf617e1e2ca384a2a3e7a5cf91f724cf83c8fbe76a1/cryptography-2.9.2-cp35-abi3-manylinux1_x86_64.whl
Collecting MarkupSafe>=0.23 (from jinja2->ansible)
  Using cached https://files.pythonhosted.org/packages/b2/5f/23e0023be6bb885d00ffbefad2942bc51a620328ee910f64abe5a8d18dd1/MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl
Collecting six>=1.4.1 (from cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
Collecting cffi!=1.11.3,>=1.8 (from cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/f1/c7/72abda280893609e1ddfff90f8064568bd8bcb2c1770a9d5bb5edb2d1fea/cffi-1.14.0-cp36-cp36m-manylinux1_x86_64.whl
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/ae/e7/d9c3a176ca4b02024debf82342dab36efadfc5776f9c8db077e8f6e71821/pycparser-2.20-py2.py3-none-any.whl
Installing collected packages: MarkupSafe, jinja2, PyYAML, six, pycparser, cffi, cryptography, ansible
  Running setup.py install for PyYAML ... done
  Running setup.py install for ansible ... done
Successfully installed MarkupSafe-1.1.1 PyYAML-5.3.1 ansible-2.9.10 cffi-1.14.0 cryptography-2.9.2 jinja2-2.11.2 pycparser-2.20 six-1.15.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$ pip install paramiko
Collecting paramiko
  Using cached https://files.pythonhosted.org/packages/06/1e/1e08baaaf6c3d3df1459fd85f0e7d2d6aa916f33958f151ee1ecc9800971/paramiko-2.7.1-py2.py3-none-any.whl
Collecting bcrypt>=3.1.3 (from paramiko)
  Using cached https://files.pythonhosted.org/packages/8b/1d/82826443777dd4a624e38a08957b975e75df859b381ae302cfd7a30783ed/bcrypt-3.1.7-cp34-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cryptography>=2.5 in /home/vagrant/a29/lib/python3.6/site-packages (from paramiko)
Collecting pynacl>=1.0.1 (from paramiko)
  Using cached https://files.pythonhosted.org/packages/9d/57/2f5e6226a674b2bcb6db531e8b383079b678df5b10cdaa610d6cf20d77ba/PyNaCl-1.4.0-cp35-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cffi>=1.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: six>=1.4.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: pycparser in /home/vagrant/a29/lib/python3.6/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko)
Installing collected packages: bcrypt, pynacl, paramiko
Successfully installed bcrypt-3.1.7 paramiko-2.7.1 pynacl-1.4.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG    (/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules/network/ios/ios_config.py)

        Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections. This module provides an implementation for working with IOS configuration sections in a deterministic way.

  * This module is maintained by The Ansible Network Team
OPTIONS (= is mandatory):

- after  The ordered set of commands to append to the end of the command stack if a change needs to be made. Just like with `before' this allows the playbook designer to append a set of commands to be executed after the command set. [Default: (null)]
- auth_pass  *Deprecated* Starting with Ansible 2.5 we recommend using `connection: network_cli' and `become: yes' with `become_pass'. For more information please see the L(IOS Platform Options guide, ../network/user_guide/platform_ios.html). HORIZONTALLINE Specifies the password to use if required to enter privileged mode on the remote device. If `authorize' is false, then this argument does nothing. If the value is not specified in the task, the value of environment variable `ANSIBLE_NET_AUTH_PASS' will be used instead. [Default: (null)] type: str
- authorize  *Deprecated*
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$
(a29) [vagrant@stumble stumble]$ ansible-playbook -i
ansible.cfg    eos_set.yml    export/        inventory.ini  ios_set.yml    junos_set.yml  memo/
collections/   eos_show.yml   group_vars/    ios_acls.yml   ios_show.yml   junos_show.yml server.yml
(a29) [vagrant@stumble stumble]$ ansible-playbook -i
ansible.cfg    eos_set.yml    export/        inventory.ini  ios_set.yml    junos_set.yml  memo/
collections/   eos_show.yml   group_vars/    ios_acls.yml   ios_show.yml   junos_show.yml server.yml
(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml

PLAY [rt01] ********************************************************************

TASK [merge acl] ***************************************************************
changed: [rt01]

TASK [gather acl] **************************************************************
ok: [rt01]

PLAY RECAP *********************************************************************
rt01                       : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls
ERROR! the playbook: ios_acls could not be found
(a29) [vagrant@stumble stumble]$ ^C
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(reverse-i-search)`': ^C
(a29) [vagrant@stumble stumble]$ deactivate
[vagrant@stumble stumble]$
[vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible --version
ansible 2.10.0b1
  config file = /vagrant/stumble/ansible.cfg
  configured module search path = ['/home/vagrant/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible
  executable location = /home/vagrant/envs/a210/bin/ansible
  python version = 3.6.8 (default, Apr 2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
(a210) [vagrant@stumble stumble]$ ansible-doc -l | wc -l
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible-galaxy collections list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'collections' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection     Manage an Ansible Galaxy collection.
    role           Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy colleciton list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'colleciton' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection     Manage an Ansible Galaxy collection.
    role           Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location, configured module search path, module location, executable location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection debugging)
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection list

# /home/vagrant/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
ansible.netcommon 1.0.0
cisco.ios         1.0.0

(a210) [vagrant@stumble stumble]$ vi requirements.yml
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection -r requirements.yml
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'requirements.yml' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection     Manage an Ansible Galaxy collection.
    role           Manage an Ansible Galaxy role.
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection list

# /home/vagrant/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.netcommon     1.0.0
arista.eos            1.0.0
cisco.ios             1.0.0
junipernetworks.junos 1.0.0

(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)

        This module configures and manages the named or numbered ACLs on IOS platforms.

OPTIONS (= is mandatory):

- config  A dictionary of ACL options. [Default: (null)] elements: dict type: list
  SUBOPTIONS:
  - acls  A list of Access Control Lists (ACL). [Default: (null)] elements: dict type: list
    SUBOPTIONS:
    - aces  The entries within the ACL. [Default: (null)] elements: dict type: list
      SUBOPTIONS:
      - destination  Specify the packet destination. [Default: (null)] type: dict
        SUBOPTIONS:
        - address  Host address to match, or any single host address. [Default: (null)] type: str
        - any  Match any source address. [Default: (null)] type: bool
        - host  A single destination host [Default: (null)] type: str
        - port_protocol  Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options [Default: (null)] type: dict
          SUBOPTIONS:
          - eq  Match only packets on a given port number. [Default: (null)] type: str
          - gt  Match only packets with a greater port number. [Default: (null)] type: str
          - lt  Match only packets with a lower port number. [Default: (null)] type: str
          - neq  Match only packets not on a given port number. [Default: (null)] type: str
          - range  Port group. [Default: (null)] type: dict
            SUBOPTIONS:
            - end  Specify the end of the port range. [Default: (null)] type: int
            - start  Specify the start of the port range. [Default: (null)] type: int
        - wildcard_bits  Destination wildcard bits, valid with IPV4 address. [Default: (null)] type: str
      - dscp  Match packets with given dscp value. [Default: (null)] type: str
      - fragments  Check non-initial fragments. [Default: (null)] type: str
      - grant  Specify the action. (Choices: permit, deny)[Default: (null)] type: str
      - log  Log matches against this entry. [Default: (null)] type: str
      - log_input  Log matches against this entry, including input interface. [Default: (null)] type: str
      - option  Match packets with given IP Options value. Valid only for named acls. [Default: (null)] type: dict
        SUBOPTIONS:
        - add_ext  Match packets with Address Extension Option (147). [Default: (null)] type: bool
        - any_options  Match packets with ANY Option. [Default: (null)] type: bool
        - com_security  Match packets with Commercial Security Option (134). [Default: (null)] type: bool
        - dps  Match packets with Dynamic Packet State Option (151). [Default: (null)] type: bool
        - encode  Match packets with Encode Option (15). [Default: (null)] type: bool
        - eool  Match packets with End of Options (0). [Default: (null)] type: bool
        - ext_ip  Match packets with Extended IP Option (145). [Default: (null)] type: bool
        - ext_security  Match packets with Extended Security Option (133). [Default: (null)] type: bool
        - finn  Match packets with Experimental Flow Control Option (205). [Default: (null)] type: bool
        - imitd  Match packets with IMI Traffic Desriptor Option (144). [Default: (null)] type: bool
        - lsr  Match packets with Loose Source Route Option (131). [Default: (null)] type: bool
        - mtup  Match packets with MTU Probe Option (11). [Default: (null)] type: bool
        - mtur  Match packets with MTU Reply Option (12). [Default: (null)] type: bool
        - no_op  Match packets with No Operation Option (1). [Default: (null)] type: bool
        - nsapa  Match packets with NSAP Addresses Option (150). [Default: (null)] type: bool
        - record_route  Match packets with Record Route Option (7). [Default: (null)] type: bool
        - router_alert  Match packets with Router Alert Option (148). [Default: (null)] type: bool
        - sdb  Match packets with Selective Directed Broadcast Option (149). [Default: (null)] type: bool
        - security  Match packets with Basic Security Option (130). [Default: (null)] type: bool
        - ssr  Match packets with Strict Source Routing Option (137). [Default: (null)] type: bool
        - stream_id  Match packets with Stream ID Option (136). [Default: (null)] type: bool
        - timestamp  Match packets with Time Stamp Option (68). [Default: (null)] type: bool
        - traceroute  Match packets with Trace Route Option (82). [Default: (null)] type: bool
        - ump  Match packets with Upstream Multicast Packet Option (152). [Default: (null)] type: bool
        - visa  Match packets with Experimental Access Control Option (142). [Default: (null)] type: bool
        - zsu  Match packets with Experimental Measurement Option (10). [Default: (null)] type: bool
      - precedence  Match packets with given precedence value. [Default: (null)] type: int
      - protocol  Specify the protocol to match. Refer to vendor documentation for valid values. [Default: (null)] type: str
      - protocol_options  protocol type. [Default: (null)] type: dict
        SUBOPTIONS:
        - ahp  Authentication Header Protocol. [Default: (null)] type: bool
        - eigrp  Cisco's EIGRP routing protocol. [Default: (null)] type: bool
        - esp  Encapsulation Security Payload. [Default: (null)] type: bool
        - gre  Cisco's GRE tunneling. [Default: (null)] type: bool
        - hbh  Hop by Hop options header. Valid for IPV6 [Default: (null)] type: bool
        - icmp  Internet Control Message Protocol. [Default: (null)] type: dict
          SUBOPTIONS:
          - administratively_prohibited  Administratively prohibited [Default: (null)] type: bool
          - alternate_address  Alternate address [Default: (null)] type: bool
          - conversion_error  Datagram conversion [Default: (null)] type: bool
          - dod_host_prohibited  Host prohibited [Default: (null)] type: bool
          - dod_net_prohibited  Net prohibited [Default: (null)] type: bool
          - echo  Echo (ping) [Default: (null)] type: bool
          - echo_reply  Echo reply [Default: (null)] type: bool
          - general_parameter_problem  Parameter problem [Default: (null)] type: bool
          - host_isolated  Host isolated [Default: (null)] type: bool
          - host_precedence_unreachable  Host unreachable for precedence [Default: (null)] type: bool
          - host_redirect  Host redirect [Default: (null)] type: bool
          - host_tos_redirect  Host redirect for TOS [Default: (null)] type: bool
          - host_tos_unreachable  Host unreachable for TOS [Default: (null)] type: bool
          - host_unknown  Host unknown [Default: (null)] type: bool
          - host_unreachable  Host unreachable [Default: (null)] type: bool
          - information_reply  Information replies [Default: (null)] type: bool
          - information_request  Information requests [Default: (null)] type: bool
          - mask_reply  Mask replies [Default: (null)] type: bool
          - mask_request  mask_request [Default: (null)] type: bool
          - mobile_redirect  Mobile host redirect [Default: (null)] type: bool
          - net_redirect  Network redirect [Default: (null)] type: bool
          - net_tos_redirect  Net redirect for TOS [Default: (null)] type: bool
          - net_tos_unreachable  Network unreachable for TOS [Default: (null)] type: bool
          - net_unreachable  Net unreachable [Default: (null)] type: bool
          - network_unknown  Network unknown [Default: (null)] type: bool
          - no_room_for_option  Parameter required but no room [Default: (null)] type: bool
          - option_missing  Parameter required but not present [Default: (null)] type: bool
          - packet_too_big  Fragmentation needed and DF set [Default: (null)] type: bool
          - parameter_problem  All parameter problems [Default: (null)] type: bool
          - port_unreachable  Port unreachable [Default: (null)] type: bool
          - precedence_unreachable  Precedence cutoff [Default: (null)] type: bool
          - protocol_unreachable  Protocol unreachable [Default: (null)] type: bool
          - reassembly_timeout  Reassembly timeout [Default: (null)] type: bool
          - redirect  All redirects [Default: (null)] type: bool
          - router_advertisement  Router discovery advertisements [Default: (null)] type: bool
          - router_solicitation  Router discovery solicitations [Default: (null)] type: bool
          - source_quench  Source quenches [Default: (null)] type: bool
          - source_route_failed  Source route failed [Default: (null)] type: bool
          - time_exceeded  All time exceededs [Default: (null)] type: bool
          - timestamp_reply  Timestamp replies [Default: (null)] type: bool
          - timestamp_request  Timestamp requests [Default: (null)] type: bool
          - traceroute  Traceroute [Default: (null)] type: bool
          - ttl_exceeded  TTL exceeded [Default: (null)] type: bool
          - unreachable  All unreachables [Default: (null)] type: bool
        - igmp  Internet Gateway Message Protocol. [Default: (null)] type: dict
          SUBOPTIONS:
          - dvmrp  Distance Vector Multicast Routing Protocol(2) [Default: (null)] type: bool
          - host_query  IGMP Membership Query(0) [Default: (null)] type: bool
          - mtrace_resp  Multicast Traceroute Response(7) [Default: (null)] type: bool
          - mtrace_route  Multicast Traceroute(8) [Default: (null)] type: bool
          - pim  Protocol Independent Multicast(3) [Default: (null)] type: bool
          - trace  Multicast trace(4) [Default: (null)] type: bool
          - v1host_report  IGMPv1 Membership Report(1) [Default: (null)] type: bool
          - v2host_report  IGMPv2 Membership Report(5) [Default: (null)] type: bool
          - v2leave_group  IGMPv2 Leave Group(6) [Default: (null)] type: bool
          - v3host_report  IGMPv3 Membership Report(9) [Default: (null)] type: bool
        - ip  Any Internet Protocol. [Default: (null)] type: bool
        - ipinip  IP in IP tunneling. [Default: (null)] type: bool
        - ipv6  Any IPv6. [Default: (null)] type: bool
        - nos  KA9Q NOS compatible IP over IP tunneling. [Default: (null)] type: bool
        - ospf  OSPF routing protocol. [Default: (null)] type: bool
        - pcp  Payload Compression Protocol. [Default: (null)] type: bool
        - pim  Protocol Independent Multicast. [Default: (null)] type: bool
        - protocol_number  An IP protocol number [Default: (null)] type: int
        - sctp  Stream Control Transmission Protocol. [Default: (null)] type: bool
        - tcp  Match TCP packet flags [Default: (null)] type: dict
          SUBOPTIONS:
          - ack  Match on the ACK bit [Default: (null)] type: bool
          - established  Match established connections [Default: (null)] type: bool
          - fin  Match on the FIN bit [Default: (null)] type: bool
          - psh  Match on the PSH bit [Default: (null)] type: bool
          - rst  Match on the RST bit [Default: (null)] type: bool
          - syn  Match on the SYN bit [Default: (null)] type: bool
          - urg  Match on the URG bit [Default: (null)] type: bool
        - udp  User Datagram Protocol. [Default: (null)] type: bool
      - sequence  Sequence Number for the Access Control Entry(ACE). Refer to vendor documentation for valid values. [Default: (null)] type: int
      - source  Specify the packet source. [Default: (null)] type: dict
        SUBOPTIONS:
        - address  Source network address. [Default: (null)] type: str
        - any  Match any source address. [Default: (null)] type: bool
        - host  A single source host [Default: (null)] type: str
        - port_protocol  Specify the destination port along with protocol. Note, Valid with TCP/UDP protocol_options [Default: (null)] type: dict
          SUBOPTIONS:
          - eq  Match only packets on a given port number. [Default: (null)] type: str
          - gt  Match only packets with a greater port number. [Default: (null)] type: str
          - lt  Match only packets with a lower port number. [Default: (null)] type: str
          - neq  Match only packets not on a given port number. [Default: (null)] type: str
          - range  Port group. [Default: (null)] type: dict
            SUBOPTIONS:
            - end  Specify the end of the port range. [Default: (null)] type: int
            - start  Specify the start of the port range. [Default: (null)] type: int
        - wildcard_bits  Destination wildcard bits, valid with IPV4 address. [Default: (null)] type: str
      - time_range  Specify a time-range. [Default: (null)] type: str
      - tos  Match packets with given TOS value. Note, DSCP and TOS are mutually exclusive [Default: (null)] type: dict
        SUBOPTIONS:
        - max_reliability  Match packets with max reliable TOS (2). [Default: (null)] type: bool
        - max_throughput  Match packets with max throughput TOS (4). [Default: (null)] type: bool
        - min_delay  Match packets with min delay TOS (8). [Default: (null)] type: bool
        - min_monetary_cost  Match packets with min monetary cost TOS (1). [Default: (null)] type: bool
        - normal  Match packets with normal TOS (0). [Default: (null)] type: bool
        - service_value  Type of service value [Default: (null)] type: int
      - ttl  Match packets with given TTL value. [Default: (null)] type: dict
        SUBOPTIONS:
        - eq  Match only packets on a given TTL number. [Default: (null)] type: int
        - gt  Match only packets with a greater TTL number. [Default: (null)] type: int
        - lt  Match only packets with a lower TTL number. [Default: (null)] type: int
        - neq  Match only packets not on a given TTL number. [Default: (null)] type: int
        - range  Match only packets in the range of TTLs. [Default: (null)] type: dict
          SUBOPTIONS:
          - end  Specify the end of the port range. [Default: (null)] type: int
          - start  Specify the start of the port range. [Default: (null)] type: int
    - acl_type  ACL type Note, it's mandatory and required for Named ACL, but for Numbered ACL it's not mandatory. (Choices: extended, standard)[Default: (null)] type: str
    = name  The name or the number of the ACL. type: str
  = afi  The Address Family Indicator (AFI) for the Access Control Lists (ACL). (Choices: ipv4, ipv6) type: str
- running_config  The module, by default, will connect to the remote device and retrieve the current running-config to use as a base for comparing against the contents of source. There are times when it is not desirable to have the task get the current running-config for every task in a playbook. The `running_config' argument allows the implementer to pass in the configuration to use as the base config for comparison. [Default: (null)] type: str
- state  The state the configuration should be left in The states `rendered', `gathered' and `parsed' does not perform any change on the device. The state `rendered' will transform the configuration in `config' option to platform specific CLI commands which will be returned in the `rendered' key within the result. For state `rendered' active connection to remote host is not required. The state `gathered' will fetch the running configuration from device and transform it into structured data in the format as per the resource module argspec and the value is returned in the `gathered' key within the result. The state `parsed' reads the configuration from `running_config' option and transforms it into JSON format as per the resource module parameters and the value is returned in the `parsed' key within the result. The value of `running_config' option should be the same format as the output of command `show running-config | include ip route|ipv6 route' executed on device. For state `parsed' active connection to remote host is not required. (Choices: merged, replaced, overridden, deleted, gathered, rendered, parsed)[Default: merged] type: str

NOTES:
     * Tested against Cisco IOSv Version 15.2 on VIRL

AUTHOR: Sumit Jaiswal (@justjais)

VERSION_ADDED_COLLECTION: cisco.ios

EXAMPLES:

# Using merged

# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: std_acl
        acl_type: standard
        aces:
        - grant: deny
          source:
            address: 192.168.1.200
        - grant: deny
          source:
            address: 192.168.2.0
            wildcard_bits: 0.0.0.255
      - name: 110
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            host: 198.51.100.0
          destination:
            host: 198.51.110.0
            port_protocol:
              eq: telnet
      - name: test
        acl_type: extended
        aces:
        - grant: deny
          protocol_options:
            tcp:
              fin: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          option:
            traceroute: true
          ttl:
            eq: 10
      - name: 123
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 198.51.101.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          tos:
            service_value: 12
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.4.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            lt: 20
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            any: true
            port_protocol:
              eq: www
          destination:
            any: true
            port_protocol:
              eq: telnet
          dscp: af11
    state: merged

# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - no 10
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11

# After state:
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$
(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml

PLAY [rt01] ********************************************************************

TASK [set acl] *****************************************************************
fatal: [rt01]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "msg": "value of state must be one of: merged, replaced, overridden, deleted, gathered, rendered, parsed, got: merge"}

PLAY RECAP *********************************************************************
rt01                       : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml

PLAY [rt01] ********************************************************************

TASK [set acl] *****************************************************************
changed: [rt01]

TASK [debug] *******************************************************************
fatal: [rt01]: FAILED!
=> {"msg": "Traceback (most recent call last):\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 202, in send\n response = recv_data(sf)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 76, in recv_data\n d = s.recv(header_len - len(data))\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 342, in <module>\n main()\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 305, in main\n conn.set_options(var_options=variables)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 186, in __rpc__\n response = self._exec_jsonrpc(name, *args, **kwargs)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 152, in _exec_jsonrpc\n out = self.send(data)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 209, in send\n err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()\nansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. 
See the socket path issue category in Network Debug and Troubleshooting Guide\n"} PLAY RECAP ********************************************************************* rt01 : ok=1 changed=1 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0 (a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml PLAY [rt01] ****************************************************************************** TASK [set acl] *************************************************************************** ok: [rt01] TASK [debug] ***************************************************************************** ok: [rt01] => { "msg": { "ansible_facts": { "discovered_interpreter_python": "/usr/bin/python" }, "before": [ { "acls": [ { "aces": [ { "destination": { "address": "172.16.1.0", "port_protocol": { "eq": "www" }, "wildcard_bits": "0.0.0.255" }, "grant": "permit", "protocol": "tcp", "protocol_options": { "tcp": { "ack": true } }, "sequence": 10, "source": { "address": "10.0.0.0", "wildcard_bits": "0.0.0.255" } }, { "destination": { "any": true }, "grant": "deny", "protocol": "ip", "protocol_options": { "ip": true }, "sequence": 90, "source": { "any": true } } ], "acl_type": "extended", "name": "test_acl" } ], "afi": "ipv4" } ], "changed": false, "commands": [], "failed": false } } PLAY RECAP ******************************************************************************* rt01 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
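The `rendered`, `merged` and `gathered` states described in the ansible-doc output above, put together in one playbook as an added example; this is not code from the article or from the cisco.ios collection. It assumes the article's setup (an inventory host `rt01` reached over `network_cli` with `ansible_network_os: cisco.ios.ios`, and the `cisco.ios` collection installed); the file name `ios_acls_check.yml` and the variable `test_acl_config` are made up for the example. It first renders the IOS commands for the article's ACL, which per the module documentation does not need a session to the device, then applies the ACL, reads the ACLs back as structured data, and finally applies the same config a second time and asserts that nothing is sent, which is the idempotency property the third run in the transcript shows by hand.

```yaml
# Added example, not from the original article or the cisco.ios collection.
# Assumes the article's setup: inventory host rt01 reachable over network_cli
# with ansible_network_os=cisco.ios.ios, and the cisco.ios collection installed.
---
- hosts: rt01
  gather_facts: false
  vars:
    # The ACL from the article, defined once so every task below uses the same data
    # (variable name is made up for this example)
    test_acl_config:
      - afi: ipv4
        acls:
          - name: test_acl
            acl_type: extended
            aces:
              - grant: permit
                sequence: 10
                protocol: tcp
                protocol_options:
                  tcp:
                    ack: true
                source:
                  address: 10.0.0.0
                  wildcard_bits: 0.0.0.255
                destination:
                  address: 172.16.1.0
                  wildcard_bits: 0.0.0.255
                  port_protocol:
                    eq: www
              - grant: deny
                sequence: 90
                protocol: ip
                source:
                  any: true
                destination:
                  any: true
  tasks:
    # state: rendered only turns config into IOS commands; per the module
    # documentation it does not need an active session to the device
    - name: Render the IOS commands that merged would send
      cisco.ios.ios_acls:
        config: "{{ test_acl_config }}"
        state: rendered
      register: preview

    - name: Show the commands before anything is sent to rt01
      debug:
        var: preview.rendered

    # state is validated against the module's argspec before the device is
    # touched; "merge" (without the d) fails here with "value of state must be one of: ..."
    - name: Apply the ACL
      cisco.ios.ios_acls:
        config: "{{ test_acl_config }}"
        state: merged
      register: applied

    # state: gathered reads the running ACLs back in the same structured form
    # the article's debug output shows under "before"
    - name: Read the ACLs back as structured data
      cisco.ios.ios_acls:
        state: gathered
      register: on_device

    - name: Show the ACLs currently on the device
      debug:
        var: on_device.gathered

    - name: Apply again; a correct merged run must now have nothing to send
      cisco.ios.ios_acls:
        config: "{{ test_acl_config }}"
        state: merged
      register: second

    - name: Fail the play if the second run is not a no-op
      assert:
        that:
          - not second.changed
          - second.commands | length == 0
        fail_msg: "ACL merge is not idempotent, commands: {{ second.commands }}"
```

Run it the same way as the article's playbook, `ansible-playbook -i inventory.ini ios_acls_check.yml`. The `assert` at the end is the check worth keeping in real playbooks: if the second `merged` run still produces commands, either the config does not round-trip through the module's facts parser or something else is rewriting the ACL, and both are worth knowing before the playbook is run unattended.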
Toward Part 9
It is still being planned. As a change of pace, Ansible Tower or AWX might be a good topic.