てくなべ (tekunabe)

ansible / network automation / study notes

[Ansible] Retrospective: "Stumbling Ansible [Part 8] Using Collections"

Introduction

On 2020/06/27 I streamed "Stumbling Ansible [Part 8] Using Collections" on YouTube Live. It is a series in which I work through things live while battling whatever errors come up.

tekunabe.connpass.com

This time I tried installing a Collection and running a Playbook that uses a module from that Collection. Below I look back at the error I stumbled over, its cause, and the workaround.

That said, this time's error was not directly related to Collections, and I could not determine a clear cause either.

Video

youtu.be


■ Before that: what is a Collection? (partly overlaps with Part 7)

What a Collection is

  • A new distribution format that bundles modules, plugins, roles, and so on
  • Developed separately from Ansible core
  • Community collections are distributed via Ansible Galaxy
  • In Ansible 2.10, many of the modules that used to ship in core have moved to Collections
    • pip install ansible-base gives only the 68 standard modules
    • pip install ansible installs the above plus the previous modules, brought in together via Collections

Namespace

Reference information


What I did

Already installed with pip install ansible-base==2.10.0b0

Preparation

  • Install cisco.ios
    • ansible-galaxy collection install <collection name>
  • Where did it get installed?
    • ~/.ansible/collections/
      • The default of the COLLECTIONS_PATHS setting
  • How to list what is installed
    • ansible-galaxy collection list (Ansible 2.10)
  • Installing several at once
    • Use requirements.yml
  • Check with ansible-doc
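The post shows where collections land and how to list them, but not how to confirm that what is installed matches what requirements.yml pins. The following is an added example, not the author's code: it parses the table format that ansible-galaxy collection list prints (as seen in the log on this page), then compares it against pinned versions. The sample listing is constructed (the second path is the other default COLLECTIONS_PATHS entry), the cisco.nxos pin is a hypothetical entry added to show a "missing" result, and it assumes the listing order matches COLLECTIONS_PATHS precedence.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ansible-galaxy collection list` output (Ansible 2.10),
# modelled on the format shown in the log on this page. The second path is a
# hypothetical extra entry used to show a duplicate collection.
SAMPLE_LIST_OUTPUT = """
# /home/vagrant/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.netcommon     1.0.0  
arista.eos            1.0.0  
cisco.ios             1.0.0  
junipernetworks.junos 1.0.0  

# /usr/share/ansible/collections/ansible_collections
Collection            Version
--------------------- -------
cisco.ios             0.9.0  
"""

# The pins you would write in requirements.yml, for example:
#   collections:
#     - name: cisco.ios
#       version: 1.0.0
# Expressed as a dict here so the check needs no YAML library.
REQUIRED_PINS = {
    "ansible.netcommon": "1.0.0",
    "cisco.ios": "1.0.0",
    "junipernetworks.junos": "1.0.0",
    "cisco.nxos": "1.0.0",  # hypothetical pin, not installed in the sample
}

# One table row: "<namespace>.<name>   <version>"
ROW_RE = re.compile(r"^([a-z0-9_]+\.[a-z0-9_]+)\s+(\S+)\s*$")


def parse_collection_list(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse the listing into {fqcn: [(version, path), ...]}.

    A collection may appear under more than one COLLECTIONS_PATHS entry; the
    order of appearance is kept because (assumption) the first path listed is
    the one Ansible resolves the FQCN from.
    """
    installed: Dict[str, List[Tuple[str, str]]] = {}
    path = None
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("# "):          # "# <path>" starts a new section
            path = line[2:].strip()
            continue
        if not line or line.startswith("Collection") or line.startswith("-"):
            continue                        # blank, column header, or rule
        m = ROW_RE.match(line)
        if m and path:
            installed.setdefault(m.group(1), []).append((m.group(2), path))
    return installed


def check_pins(installed: Dict[str, List[Tuple[str, str]]],
               required: Dict[str, str]):
    """Compare installed collections with pinned versions.

    Returns (missing, mismatched, duplicated):
      missing    - pinned FQCNs not installed anywhere
      mismatched - {fqcn: (wanted, resolved)} where the first-found version differs
      duplicated - {fqcn: [(version, path), ...]} installed under several paths
    """
    missing = sorted(name for name in required if name not in installed)
    mismatched = {}
    for name, wanted in required.items():
        if name in installed and installed[name][0][0] != wanted:
            mismatched[name] = (wanted, installed[name][0][0])
    duplicated = {n: v for n, v in installed.items() if len(v) > 1}
    return missing, mismatched, duplicated


if __name__ == "__main__":
    found = parse_collection_list(SAMPLE_LIST_OUTPUT)
    missing, mismatched, duplicated = check_pins(found, REQUIRED_PINS)
    print("missing:", missing)
    print("mismatched:", mismatched)
    print("duplicated:", sorted(duplicated))
```

Run the real listing through the same parser (for example by piping ansible-galaxy collection list into a file and reading it) to catch an older copy of a collection shadowing the one you pinned.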

Playbook

A Playbook that configures an ACL using cisco.ios.ios_acls.

The module is referenced by its FQCN, just to be safe.

---
  - hosts: rt01
    gather_facts: false
  
    tasks:
      - name: set acl
        cisco.ios.ios_acls:
          config:
            - afi: ipv4
              acls:
                - name: test_acl
                  acl_type: extended
                  aces:
                    - grant: permit
                      sequence: 10
                      protocol: tcp
                      protocol_options:
                        tcp:
                          ack: true
                      source:
                        address: 10.0.0.0
                        wildcard_bits: 0.0.0.255
                      destination:
                        address: 172.16.1.0
                        wildcard_bits: 0.0.0.255
                        port_protocol:
                          eq: www
                    - grant: deny
                      sequence: 90
                      protocol: ip
                      source:
                        any: true
                      destination:
                        any: true
          state: merged
        register: res
  
      - name: debug
        debug:
          msg: "{{ res }}"


■ Error in debug

A connection-related error when displaying the registered result of the ios_acls module with the debug module

The debug task failed with the following error.

fatal: [rt01]: FAILED! => {"msg": "Traceback (most recent call last):\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 202, in send\n response = recv_data(sf)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 76, in recv_data\n d = s.recv(header_len - len(data))\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 342, in \n main()\n File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 305, in main\n conn.set_options(var_options=variables)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 186, in rpc\n response = self.exec_jsonrpc(name, *args, **kwargs)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 152, in exec_jsonrpc\n out = self.send(data)\n File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 209, in send\n err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()\nansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. See the socket path issue category in Network Debug and Troubleshooting Guide\n"}

Cause

Unknown. The PC was sluggish and processing took a long time, but the debug module should not connect to the network device, so a ConnectionResetError is puzzling.

Workaround

(Nothing could be done. Running it again worked fine.)


Extras

Sites consulted

Full execution log


(a210) [vagrant@stumble stumble]$ ansible-galaxy collection instal cisco.ios
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'instal' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
 
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection   Manage an Ansible Galaxy collection.
    role         Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location,
                 configured module search path, module location, executable
                 location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection
                 debugging)
 (a210) [vagrant@stumble stumble]$ ansible-galaxy collection install cisco.ios
Starting galaxy collection install process
Process install dependency map
Starting collection install process
Installing 'cisco.ios:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/cisco/ios'
Installing 'ansible.netcommon:1.0.0' to '/home/vagrant/.ansible/collections/ansible_collections/ansible/netcommon'
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ ansible-doc cisco.ios
^C [ERROR]: User interrupted execution
(a210) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_config.py)

        Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections.  This module provides an implementation
        for working with IOS configuration sections in a deterministic way.

OPTIONS (= is mandatory):

- after
        The ordered set of commands to append to the end of the command stack if a change needs to be made.  Just like with `before' this allows the
        playbook designer to append a set of commands to be executed after the command set.
        [Default: (null)]

- backup
        This argument will cause the module to create a full backup of the current `running-config' from the remote device before any changes are made. If
        the `backup_options' value is not given, the backup file is written to the `backup' folder in the playbook root directory or role root directory,
        if playbook is part of an ansible role. If the directory does not exist, it is created.
        [Default: False]
        type: bool

- backup_options
        This is a dict object containing configurable options related to backup file path. The value of this option is read only when `backup' is set to
        `yes', if `backup' is set to `no' this option will be silently ignored.
        [Default: (null)]
        type: dict

(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)

        This module configures and manages the named or numbered ACLs on IOS platforms.

OPTIONS (= is mandatory):

- config
        A dictionary of ACL options.
        [Default: (null)]
        elements: dict
        type: list

        SUBOPTIONS:

        - acls
            A list of Access Control Lists (ACL).
            [Default: (null)]
            elements: dict
            type: list

            SUBOPTIONS:

            - aces
                The entries within the ACL.
                [Default: (null)]
                elements: dict
                type: list

                SUBOPTIONS:

                - destination
                    Specify the packet destination.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - address
                        Host address to match, or any single host address.
                        [Default: (null)]
                        type: str

                    - any
                        Match any source address.
                        [Default: (null)]
                        type: bool

                    - host
                        A single destination host
                        [Default: (null)]
                        type: str

                    - port_protocol
                        Specify the destination port along with protocol.
                        Note, Valid with TCP/UDP protocol_options
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - eq
                            Match only packets on a given port number.
                            [Default: (null)]
                            type: str

                        - gt
                            Match only packets with a greater port number.
                            [Default: (null)]
                            type: str

                        - lt
                            Match only packets with a lower port number.
                            [Default: (null)]
                            type: str

                        - neq
                            Match only packets not on a given port number.
                            [Default: (null)]
                            type: str

                        - range
                            Port group.
                            [Default: (null)]
                            type: dict

                            SUBOPTIONS:

                            - end
                                Specify the end of the port range.
                                [Default: (null)]
                                type: int

                            - start
                                Specify the start of the port range.
                                [Default: (null)]
                                type: int

                    - wildcard_bits
                        Destination wildcard bits, valid with IPV4 address.
                        [Default: (null)]
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ deactivate 
[vagrant@stumble stumble]$ 
[vagrant@stumble stumble]$ 
(reverse-i-search)`sou': ^Curce ~/envs/a210/bin/activate
[vagrant@stumble stumble]$ 
[vagrant@stumble stumble]$ 
[vagrant@stumble stumble]$ python -m venv ~/a29
/usr/bin/python: No module named venv
[vagrant@stumble stumble]$ python3 -m venv ~/a29
[vagrant@stumble stumble]$ source ~/a29/bin/activate
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ pip install ansible
Collecting ansible
  Downloading https://files.pythonhosted.org/packages/03/4f/cccab1ec2e0ecb05120184088e00404b38854809cf35aa76889406fbcbad/ansible-2.9.10.tar.gz (14.2MB)
    100% |████████████████████████████████| 14.2MB 101kB/s 
Collecting jinja2 (from ansible)
  Using cached https://files.pythonhosted.org/packages/30/9e/f663a2aa66a09d838042ae1a2c5659828bb9b41ea3a6efa20a20fd92b121/Jinja2-2.11.2-py2.py3-none-any.whl
Collecting PyYAML (from ansible)
  Using cached https://files.pythonhosted.org/packages/64/c2/b80047c7ac2478f9501676c988a5411ed5572f35d1beff9cae07d321512c/PyYAML-5.3.1.tar.gz
Collecting cryptography (from ansible)
  Using cached https://files.pythonhosted.org/packages/58/95/f1282ca55649b60afcf617e1e2ca384a2a3e7a5cf91f724cf83c8fbe76a1/cryptography-2.9.2-cp35-abi3-manylinux1_x86_64.whl
Collecting MarkupSafe>=0.23 (from jinja2->ansible)
  Using cached https://files.pythonhosted.org/packages/b2/5f/23e0023be6bb885d00ffbefad2942bc51a620328ee910f64abe5a8d18dd1/MarkupSafe-1.1.1-cp36-cp36m-manylinux1_x86_64.whl
Collecting six>=1.4.1 (from cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/ee/ff/48bde5c0f013094d729fe4b0316ba2a24774b3ff1c52d924a8a4cb04078a/six-1.15.0-py2.py3-none-any.whl
Collecting cffi!=1.11.3,>=1.8 (from cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/f1/c7/72abda280893609e1ddfff90f8064568bd8bcb2c1770a9d5bb5edb2d1fea/cffi-1.14.0-cp36-cp36m-manylinux1_x86_64.whl
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography->ansible)
  Using cached https://files.pythonhosted.org/packages/ae/e7/d9c3a176ca4b02024debf82342dab36efadfc5776f9c8db077e8f6e71821/pycparser-2.20-py2.py3-none-any.whl
Installing collected packages: MarkupSafe, jinja2, PyYAML, six, pycparser, cffi, cryptography, ansible
  Running setup.py install for PyYAML ... done
  Running setup.py install for ansible ... done
Successfully installed MarkupSafe-1.1.1 PyYAML-5.3.1 ansible-2.9.10 cffi-1.14.0 cryptography-2.9.2 jinja2-2.11.2 pycparser-2.20 six-1.15.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$ pip install paramiko
Collecting paramiko
  Using cached https://files.pythonhosted.org/packages/06/1e/1e08baaaf6c3d3df1459fd85f0e7d2d6aa916f33958f151ee1ecc9800971/paramiko-2.7.1-py2.py3-none-any.whl
Collecting bcrypt>=3.1.3 (from paramiko)
  Using cached https://files.pythonhosted.org/packages/8b/1d/82826443777dd4a624e38a08957b975e75df859b381ae302cfd7a30783ed/bcrypt-3.1.7-cp34-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cryptography>=2.5 in /home/vagrant/a29/lib/python3.6/site-packages (from paramiko)
Collecting pynacl>=1.0.1 (from paramiko)
  Using cached https://files.pythonhosted.org/packages/9d/57/2f5e6226a674b2bcb6db531e8b383079b678df5b10cdaa610d6cf20d77ba/PyNaCl-1.4.0-cp35-abi3-manylinux1_x86_64.whl
Requirement already satisfied: cffi>=1.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: six>=1.4.1 in /home/vagrant/a29/lib/python3.6/site-packages (from bcrypt>=3.1.3->paramiko)
Requirement already satisfied: pycparser in /home/vagrant/a29/lib/python3.6/site-packages (from cffi>=1.1->bcrypt>=3.1.3->paramiko)
Installing collected packages: bcrypt, pynacl, paramiko
Successfully installed bcrypt-3.1.7 paramiko-2.7.1 pynacl-1.4.0
You are using pip version 9.0.3, however version 20.1.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ ansible-doc ios_config
> IOS_CONFIG    (/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules/network/ios/ios_config.py)

        Cisco IOS configurations use a simple block indent file syntax for segmenting configuration into sections.  This module provides an implementation
        for working with IOS configuration sections in a deterministic way.

  * This module is maintained by The Ansible Network Team
OPTIONS (= is mandatory):

- after
        The ordered set of commands to append to the end of the command stack if a change needs to be made.  Just like with `before' this allows the
        playbook designer to append a set of commands to be executed after the command set.
        [Default: (null)]

- auth_pass
        *Deprecated*
        Starting with Ansible 2.5 we recommend using `connection: network_cli' and `become: yes' with `become_pass'.
        For more information please see the L(IOS Platform Options guide, ../network/user_guide/platform_ios.html).
        HORIZONTALLINE
        Specifies the password to use if required to enter privileged mode on the remote device.  If `authorize' is false, then this argument does
        nothing. If the value is not specified in the task, the value of environment variable `ANSIBLE_NET_AUTH_PASS' will be used instead.
        [Default: (null)]
        type: str

- authorize
        *Deprecated*
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ 
(a29) [vagrant@stumble stumble]$ ansible-playbook -i 
ansible.cfg     eos_set.yml     export/         inventory.ini   ios_set.yml     junos_set.yml   memo/           
collections/    eos_show.yml    group_vars/     ios_acls.yml    ios_show.yml    junos_show.yml  server.yml      
(a29) [vagrant@stumble stumble]$ ansible-playbook -i 
ansible.cfg     eos_set.yml     export/         inventory.ini   ios_set.yml     junos_set.yml   memo/           
collections/    eos_show.yml    group_vars/     ios_acls.yml    ios_show.yml    junos_show.yml  server.yml      
(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml 

PLAY [rt01] *************************************************************************************************************************************************************************************

TASK [merge acl] ********************************************************************************************************************************************************************************
changed: [rt01]

TASK [gather acl] *******************************************************************************************************************************************************************************
ok: [rt01]

PLAY RECAP **************************************************************************************************************************************************************************************
rt01                       : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

(a29) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls
ERROR! the playbook: ios_acls could not be found
(a29) [vagrant@stumble stumble]$ ^C
(a29) [vagrant@stumble stumble]$ ansible-doc ios_acls
[WARNING]: module ios_acls not found in: /home/vagrant/.ansible/plugins/modules:/usr/share/ansible/plugins/modules:/home/vagrant/a29/lib64/python3.6/site-packages/ansible/modules
(reverse-i-search)`': ^C
(a29) [vagrant@stumble stumble]$ deactivate 
[vagrant@stumble stumble]$ 
[vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ ansible --version
ansible 2.10.0b1
  config file = /vagrant/stumble/ansible.cfg
  configured module search path = ['/home/vagrant/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible
  executable location = /home/vagrant/envs/a210/bin/ansible
  python version = 3.6.8 (default, Apr  2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
(a210) [vagrant@stumble stumble]$ ansible-doc -l | wc -l
(a210) [vagrant@stumble stumble]$ 
(a210) [vagrant@stumble stumble]$ ansible-galaxy collections list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'collections' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
 
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection   Manage an Ansible Galaxy collection.
    role         Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location,
                 configured module search path, module location, executable
                 location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection
                 debugging)
 (a210) [vagrant@stumble stumble]$ ansible-galaxy colleciton list
usage: ansible-galaxy role [-h] ROLE_ACTION ...
ansible-galaxy role: error: argument ROLE_ACTION: invalid choice: 'colleciton' (choose from 'init', 'remove', 'delete', 'list', 'search', 'import', 'setup', 'login', 'info', 'install')
 
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection   Manage an Ansible Galaxy collection.
    role         Manage an Ansible Galaxy role.

optional arguments:
  --version      show program's version number, config file location,
                 configured module search path, module location, executable
                 location and exit
  -h, --help     show this help message and exit
  -v, --verbose  verbose mode (-vvv for more, -vvvv to enable connection
                 debugging)
 (a210) [vagrant@stumble stumble]$ ansible-galaxy collection list

# /home/vagrant/.ansible/collections/ansible_collections
Collection        Version
----------------- -------
ansible.netcommon 1.0.0  
cisco.ios         1.0.0  
(a210) [vagrant@stumble stumble]$ vi requirements.yml
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection -r requirements.yml 
usage: ansible-galaxy collection [-h] COLLECTION_ACTION ...
ansible-galaxy collection: error: argument COLLECTION_ACTION: invalid choice: 'requirements.yml' (choose from 'download', 'init', 'build', 'publish', 'install', 'list', 'verify')
 
usage: ansible-galaxy [-h] [--version] [-v] TYPE ...

Perform various Role and Collection related operations.

positional arguments:
  TYPE
    collection   Manage an Ansible Galaxy collection.
    role         Manage an Ansible Galaxy role.
(a210) [vagrant@stumble stumble]$ ansible-galaxy collection list

# /home/vagrant/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
ansible.netcommon     1.0.0  
arista.eos            1.0.0  
cisco.ios             1.0.0  
junipernetworks.junos 1.0.0  
(a210) [vagrant@stumble stumble]$ ansible-doc ios_acls
> IOS_ACLS    (/home/vagrant/.ansible/collections/ansible_collections/cisco/ios/plugins/modules/ios_acls.py)

        This module configures and manages the named or numbered ACLs on IOS
        platforms.

OPTIONS (= is mandatory):

- config
        A dictionary of ACL options.
        [Default: (null)]
        elements: dict
        type: list

        SUBOPTIONS:

        - acls
            A list of Access Control Lists (ACL).
            [Default: (null)]
            elements: dict
            type: list

            SUBOPTIONS:

            - aces
                The entries within the ACL.
                [Default: (null)]
                elements: dict
                type: list

                SUBOPTIONS:

                - destination
                    Specify the packet destination.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - address
                        Host address to match, or any single host address.
                        [Default: (null)]
                        type: str

                    - any
                        Match any source address.
                        [Default: (null)]
                        type: bool

                    - host
                        A single destination host
                        [Default: (null)]
                        type: str

                    - port_protocol
                        Specify the destination port along with protocol.
                        Note, Valid with TCP/UDP protocol_options
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - eq
                            Match only packets on a given port number.
                            [Default: (null)]
                            type: str

                        - gt
                            Match only packets with a greater port number.
                            [Default: (null)]
                            type: str

                        - lt
                            Match only packets with a lower port number.
                            [Default: (null)]
                            type: str

                        - neq
                            Match only packets not on a given port number.
                            [Default: (null)]
                            type: str

                        - range
                            Port group.
                            [Default: (null)]
                            type: dict

                            SUBOPTIONS:

                            - end
                                Specify the end of the port range.
                                [Default: (null)]
                                type: int

                            - start
                                Specify the start of the port range.
                                [Default: (null)]
                                type: int

                    - wildcard_bits
                        Destination wildcard bits, valid with IPV4 address.
                        [Default: (null)]
                        type: str

                - dscp
                    Match packets with given dscp value.
                    [Default: (null)]
                    type: str

                - fragments
                    Check non-initial fragments.
                    [Default: (null)]
                    type: str

                - grant
                    Specify the action.
                    (Choices: permit, deny)[Default: (null)]
                    type: str

                - log
                    Log matches against this entry.
                    [Default: (null)]
                    type: str

                - log_input
                    Log matches against this entry, including input interface.
                    [Default: (null)]
                    type: str

                - option
                    Match packets with given IP Options value.
                    Valid only for named acls.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - add_ext
                        Match packets with Address Extension Option (147).
                        [Default: (null)]
                        type: bool

                    - any_options
                        Match packets with ANY Option.
                        [Default: (null)]
                        type: bool

                    - com_security
                        Match packets with Commercial Security Option (134).
                        [Default: (null)]
                        type: bool

                    - dps
                        Match packets with Dynamic Packet State Option (151).
                        [Default: (null)]
                        type: bool

                    - encode
                        Match packets with Encode Option (15).
                        [Default: (null)]
                        type: bool

                    - eool
                        Match packets with End of Options (0).
                        [Default: (null)]
                        type: bool

                    - ext_ip
                        Match packets with Extended IP Option (145).
                        [Default: (null)]
                        type: bool

                    - ext_security
                        Match packets with Extended Security Option (133).
                        [Default: (null)]
                        type: bool

                    - finn
                        Match packets with Experimental Flow Control Option
                        (205).
                        [Default: (null)]
                        type: bool

                    - imitd
                        Match packets with IMI Traffic Desriptor Option (144).
                        [Default: (null)]
                        type: bool

                    - lsr
                        Match packets with Loose Source Route Option (131).
                        [Default: (null)]
                        type: bool

                    - mtup
                        Match packets with MTU Probe Option (11).
                        [Default: (null)]
                        type: bool

                    - mtur
                        Match packets with MTU Reply Option (12).
                        [Default: (null)]
                        type: bool

                    - no_op
                        Match packets with No Operation Option (1).
                        [Default: (null)]
                        type: bool

                    - nsapa
                        Match packets with NSAP Addresses Option (150).
                        [Default: (null)]
                        type: bool

                    - record_route
                        Match packets with Record Route Option (7).
                        [Default: (null)]
                        type: bool

                    - router_alert
                        Match packets with Router Alert Option (148).
                        [Default: (null)]
                        type: bool

                    - sdb
                        Match packets with Selective Directed Broadcast Option
                        (149).
                        [Default: (null)]
                        type: bool

                    - security
                        Match packets with Basic Security Option (130).
                        [Default: (null)]
                        type: bool

                    - ssr
                        Match packets with Strict Source Routing Option (137).
                        [Default: (null)]
                        type: bool

                    - stream_id
                        Match packets with Stream ID Option (136).
                        [Default: (null)]
                        type: bool

                    - timestamp
                        Match packets with Time Stamp Option (68).
                        [Default: (null)]
                        type: bool

                    - traceroute
                        Match packets with Trace Route Option (82).
                        [Default: (null)]
                        type: bool

                    - ump
                        Match packets with Upstream Multicast Packet Option
                        (152).
                        [Default: (null)]
                        type: bool

                    - visa
                        Match packets with Experimental Access Control Option
                        (142).
                        [Default: (null)]
                        type: bool

                    - zsu
                        Match packets with Experimental Measurement Option (10).
                        [Default: (null)]
                        type: bool

                - precedence
                    Match packets with given precedence value.
                    [Default: (null)]
                    type: int

                - protocol
                    Specify the protocol to match.
                    Refer to vendor documentation for valid values.
                    [Default: (null)]
                    type: str

                - protocol_options
                    protocol type.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - ahp
                        Authentication Header Protocol.
                        [Default: (null)]
                        type: bool

                    - eigrp
                        Cisco's EIGRP routing protocol.
                        [Default: (null)]
                        type: bool

                    - esp
                        Encapsulation Security Payload.
                        [Default: (null)]
                        type: bool

                    - gre
                        Cisco's GRE tunneling.
                        [Default: (null)]
                        type: bool

                    - hbh
                        Hop by Hop options header. Valid for IPV6
                        [Default: (null)]
                        type: bool

                    - icmp
                        Internet Control Message Protocol.
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - administratively_prohibited
                            Administratively prohibited
                            [Default: (null)]
                            type: bool

                        - alternate_address
                            Alternate address
                            [Default: (null)]
                            type: bool

                        - conversion_error
                            Datagram conversion
                            [Default: (null)]
                            type: bool

                        - dod_host_prohibited
                            Host prohibited
                            [Default: (null)]
                            type: bool

                        - dod_net_prohibited
                            Net prohibited
                            [Default: (null)]
                            type: bool

                        - echo
                            Echo (ping)
                            [Default: (null)]
                            type: bool

                        - echo_reply
                            Echo reply
                            [Default: (null)]
                            type: bool

                        - general_parameter_problem
                            Parameter problem
                            [Default: (null)]
                            type: bool

                        - host_isolated
                            Host isolated
                            [Default: (null)]
                            type: bool

                        - host_precedence_unreachable
                            Host unreachable for precedence
                            [Default: (null)]
                            type: bool

                        - host_redirect
                            Host redirect
                            [Default: (null)]
                            type: bool

                        - host_tos_redirect
                            Host redirect for TOS
                            [Default: (null)]
                            type: bool

                        - host_tos_unreachable
                            Host unreachable for TOS
                            [Default: (null)]
                            type: bool

                        - host_unknown
                            Host unknown
                            [Default: (null)]
                            type: bool

                        - host_unreachable
                            Host unreachable
                            [Default: (null)]
                            type: bool

                        - information_reply
                            Information replies
                            [Default: (null)]
                            type: bool

                        - information_request
                            Information requests
                            [Default: (null)]
                            type: bool

                        - mask_reply
                            Mask replies
                            [Default: (null)]
                            type: bool

                        - mask_request
                            mask_request
                            [Default: (null)]
                            type: bool

                        - mobile_redirect
                            Mobile host redirect
                            [Default: (null)]
                            type: bool

                        - net_redirect
                            Network redirect
                            [Default: (null)]
                            type: bool

                        - net_tos_redirect
                            Net redirect for TOS
                            [Default: (null)]
                            type: bool

                        - net_tos_unreachable
                            Network unreachable for TOS
                            [Default: (null)]
                            type: bool

                        - net_unreachable
                            Net unreachable
                            [Default: (null)]
                            type: bool

                        - network_unknown
                            Network unknown
                            [Default: (null)]
                            type: bool

                        - no_room_for_option
                            Parameter required but no room
                            [Default: (null)]
                            type: bool

                        - option_missing
                            Parameter required but not present
                            [Default: (null)]
                            type: bool

                        - packet_too_big
                            Fragmentation needed and DF set
                            [Default: (null)]
                            type: bool

                        - parameter_problem
                            All parameter problems
                            [Default: (null)]
                            type: bool

                        - port_unreachable
                            Port unreachable
                            [Default: (null)]
                            type: bool

                        - precedence_unreachable
                            Precedence cutoff
                            [Default: (null)]
                            type: bool

                        - protocol_unreachable
                            Protocol unreachable
                            [Default: (null)]
                            type: bool

                        - reassembly_timeout
                            Reassembly timeout
                            [Default: (null)]
                            type: bool

                        - redirect
                            All redirects
                            [Default: (null)]
                            type: bool

                        - router_advertisement
                            Router discovery advertisements
                            [Default: (null)]
                            type: bool

                        - router_solicitation
                            Router discovery solicitations
                            [Default: (null)]
                            type: bool

                        - source_quench
                            Source quenches
                            [Default: (null)]
                            type: bool

                        - source_route_failed
                            Source route failed
                            [Default: (null)]
                            type: bool

                        - time_exceeded
                            All time exceededs
                            [Default: (null)]
                            type: bool

                        - timestamp_reply
                            Timestamp replies
                            [Default: (null)]
                            type: bool

                        - timestamp_request
                            Timestamp requests
                            [Default: (null)]
                            type: bool

                        - traceroute
                            Traceroute
                            [Default: (null)]
                            type: bool

                        - ttl_exceeded
                            TTL exceeded
                            [Default: (null)]
                            type: bool

                        - unreachable
                            All unreachables
                            [Default: (null)]
                            type: bool

                    - igmp
                        Internet Gateway Message Protocol.
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - dvmrp
                            Distance Vector Multicast Routing Protocol(2)
                            [Default: (null)]
                            type: bool

                        - host_query
                            IGMP Membership Query(0)
                            [Default: (null)]
                            type: bool

                        - mtrace_resp
                            Multicast Traceroute Response(7)
                            [Default: (null)]
                            type: bool

                        - mtrace_route
                            Multicast Traceroute(8)
                            [Default: (null)]
                            type: bool

                        - pim
                            Protocol Independent Multicast(3)
                            [Default: (null)]
                            type: bool

                        - trace
                            Multicast trace(4)
                            [Default: (null)]
                            type: bool

                        - v1host_report
                            IGMPv1 Membership Report(1)
                            [Default: (null)]
                            type: bool

                        - v2host_report
                            IGMPv2 Membership Report(5)
                            [Default: (null)]
                            type: bool

                        - v2leave_group
                            IGMPv2 Leave Group(6)
                            [Default: (null)]
                            type: bool

                        - v3host_report
                            IGMPv3 Membership Report(9)
                            [Default: (null)]
                            type: bool

                    - ip
                        Any Internet Protocol.
                        [Default: (null)]
                        type: bool

                    - ipinip
                        IP in IP tunneling.
                        [Default: (null)]
                        type: bool

                    - ipv6
                        Any IPv6.
                        [Default: (null)]
                        type: bool

                    - nos
                        KA9Q NOS compatible IP over IP tunneling.
                        [Default: (null)]
                        type: bool

                    - ospf
                        OSPF routing protocol.
                        [Default: (null)]
                        type: bool

                    - pcp
                        Payload Compression Protocol.
                        [Default: (null)]
                        type: bool

                    - pim
                        Protocol Independent Multicast.
                        [Default: (null)]
                        type: bool

                    - protocol_number
                        An IP protocol number
                        [Default: (null)]
                        type: int

                    - sctp
                        Stream Control Transmission Protocol.
                        [Default: (null)]
                        type: bool

                    - tcp
                        Match TCP packet flags
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - ack
                            Match on the ACK bit
                            [Default: (null)]
                            type: bool

                        - established
                            Match established connections
                            [Default: (null)]
                            type: bool

                        - fin
                            Match on the FIN bit
                            [Default: (null)]
                            type: bool

                        - psh
                            Match on the PSH bit
                            [Default: (null)]
                            type: bool

                        - rst
                            Match on the RST bit
                            [Default: (null)]
                            type: bool

                        - syn
                            Match on the SYN bit
                            [Default: (null)]
                            type: bool

                        - urg
                            Match on the URG bit
                            [Default: (null)]
                            type: bool

                    - udp
                        User Datagram Protocol.
                        [Default: (null)]
                        type: bool

                - sequence
                    Sequence Number for the Access Control Entry(ACE).
                    Refer to vendor documentation for valid values.
                    [Default: (null)]
                    type: int

                - source
                    Specify the packet source.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - address
                        Source network address.
                        [Default: (null)]
                        type: str

                    - any
                        Match any source address.
                        [Default: (null)]
                        type: bool

                    - host
                        A single source host
                        [Default: (null)]
                        type: str

                    - port_protocol
                        Specify the destination port along with protocol.
                        Note, Valid with TCP/UDP protocol_options
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - eq
                            Match only packets on a given port number.
                            [Default: (null)]
                            type: str

                        - gt
                            Match only packets with a greater port number.
                            [Default: (null)]
                            type: str

                        - lt
                            Match only packets with a lower port number.
                            [Default: (null)]
                            type: str

                        - neq
                            Match only packets not on a given port number.
                            [Default: (null)]
                            type: str

                        - range
                            Port group.
                            [Default: (null)]
                            type: dict

                            SUBOPTIONS:

                            - end
                                Specify the end of the port range.
                                [Default: (null)]
                                type: int

                            - start
                                Specify the start of the port range.
                                [Default: (null)]
                                type: int

                    - wildcard_bits
                        Destination wildcard bits, valid with IPV4 address.
                        [Default: (null)]
                        type: str

                - time_range
                    Specify a time-range.
                    [Default: (null)]
                    type: str

                - tos
                    Match packets with given TOS value.
                    Note, DSCP and TOS are mutually exclusive
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - max_reliability
                        Match packets with max reliable TOS (2).
                        [Default: (null)]
                        type: bool

                    - max_throughput
                        Match packets with max throughput TOS (4).
                        [Default: (null)]
                        type: bool

                    - min_delay
                        Match packets with min delay TOS (8).
                        [Default: (null)]
                        type: bool

                    - min_monetary_cost
                        Match packets with min monetary cost TOS (1).
                        [Default: (null)]
                        type: bool

                    - normal
                        Match packets with normal TOS (0).
                        [Default: (null)]
                        type: bool

                    - service_value
                        Type of service value
                        [Default: (null)]
                        type: int

                - ttl
                    Match packets with given TTL value.
                    [Default: (null)]
                    type: dict

                    SUBOPTIONS:

                    - eq
                        Match only packets on a given TTL number.
                        [Default: (null)]
                        type: int

                    - gt
                        Match only packets with a greater TTL number.
                        [Default: (null)]
                        type: int

                    - lt
                        Match only packets with a lower TTL number.
                        [Default: (null)]
                        type: int

                    - neq
                        Match only packets not on a given TTL number.
                        [Default: (null)]
                        type: int

                    - range
                        Match only packets in the range of TTLs.
                        [Default: (null)]
                        type: dict

                        SUBOPTIONS:

                        - end
                            Specify the end of the port range.
                            [Default: (null)]
                            type: int

                        - start
                            Specify the start of the port range.
                            [Default: (null)]
                            type: int

            - acl_type
                ACL type
                Note, it's mandatory and required for Named ACL, but for
                Numbered ACL it's not mandatory.
                (Choices: extended, standard)[Default: (null)]
                type: str

            = name
                The name or the number of the ACL.

                type: str

        = afi
            The Address Family Indicator (AFI) for the Access Control Lists
            (ACL).
            (Choices: ipv4, ipv6)
            type: str

- running_config
        The module, by default, will connect to the remote device and retrieve
        the current running-config to use as a base for comparing against the
        contents of source. There are times when it is not desirable to have the
        task get the current running-config for every task in a playbook.  The
        `running_config' argument allows the implementer to pass in the
        configuration to use as the base config for comparison.
        [Default: (null)]
        type: str

- state
        The state the configuration should be left in
        The states `rendered', `gathered' and `parsed' does not perform any
        change on the device.
        The state `rendered' will transform the configuration in `config' option
        to platform specific CLI commands which will be returned in the
        `rendered' key within the result. For state `rendered' active connection
        to remote host is not required.
        The state `gathered' will fetch the running configuration from device
        and transform it into structured data in the format as per the resource
        module argspec and the value is returned in the `gathered' key within
        the result.
        The state `parsed' reads the configuration from `running_config' option
        and transforms it into JSON format as per the resource module parameters
        and the value is returned in the `parsed' key within the result. The
        value of `running_config' option should be the same format as the output
        of command `show running-config | include ip route|ipv6 route' executed
        on device. For state `parsed' active connection to remote host is not
        required.
        (Choices: merged, replaced, overridden, deleted, gathered, rendered,
        parsed)[Default: merged]
        type: str


NOTES:
      * Tested against Cisco IOSv Version 15.2 on VIRL


AUTHOR: Sumit Jaiswal (@justjais)

VERSION_ADDED_COLLECTION: cisco.ios

EXAMPLES:

# Using merged

# Before state:
# -------------
#
# vios#sh access-lists
# Extended IP access list 110
#    10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 echo dscp ef ttl eq 10

- name: Merge provided configuration with device configuration
  cisco.ios.ios_acls:
    config:
    - afi: ipv4
      acls:
      - name: std_acl
        acl_type: standard
        aces:
        - grant: deny
          source:
            address: 192.168.1.200
        - grant: deny
          source:
            address: 192.168.2.0
            wildcard_bits: 0.0.0.255
      - name: 110
        aces:
        - sequence: 10
          protocol_options:
            icmp:
              traceroute: true
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            host: 198.51.100.0
          destination:
            host: 198.51.110.0
            port_protocol:
              eq: telnet
      - name: test
        acl_type: extended
        aces:
        - grant: deny
          protocol_options:
            tcp:
              fin: true
          source:
            address: 192.0.2.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          option:
            traceroute: true
          ttl:
            eq: 10
      - name: 123
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 198.51.100.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 198.51.101.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: telnet
          tos:
            service_value: 12
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            address: 192.0.3.0
            wildcard_bits: 0.0.0.255
          destination:
            address: 192.0.4.0
            wildcard_bits: 0.0.0.255
            port_protocol:
              eq: www
          dscp: ef
          ttl:
            lt: 20
    - afi: ipv6
      acls:
      - name: R1_TRAFFIC
        aces:
        - grant: deny
          protocol_options:
            tcp:
              ack: true
          source:
            any: true
            port_protocol:
              eq: www
          destination:
            any: true
            port_protocol:
              eq: telnet
          dscp: af11
    state: merged

# Commands fired:
# ---------------
#
# - ip access-list standard std_acl
# - deny 192.168.1.200
# - deny 192.168.2.0 0.0.0.255
# - ip access-list extended 110
# - no 10
# - 10 deny icmp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 traceroute dscp ef ttl eq 10
# - deny tcp host 198.51.100.0 host 198.51.110.0 eq telnet ack
# - ip access-list extended test
# - deny tcp 192.0.2.0 0.0.0.255 192.0.3.0 0.0.0.255 eq www fin option traceroute ttl eq 10
# - ip access-list extended 123
# - deny tcp 198.51.100.0 0.0.0.255 198.51.101.0 0.0.0.255 eq telnet ack tos 12
# - deny tcp 192.0.3.0 0.0.0.255 192.0.4.0 0.0.0.255 eq www ack dscp ef ttl lt 20
# - ipv6 access-list R1_TRAFFIC
# - deny tcp any eq www any eq telnet ack dscp af11

# After state:
(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml 

PLAY [rt01] ********************************************************************

TASK [set acl] *****************************************************************
fatal: [rt01]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "msg": "value of state must be one of: merged, replaced, overridden, deleted, gathered, rendered, parsed, got: merge"}

PLAY RECAP *********************************************************************
rt01                       : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml 

PLAY [rt01] ********************************************************************

TASK [set acl] *****************************************************************
changed: [rt01]

TASK [debug] *******************************************************************
fatal: [rt01]: FAILED! => {"msg": "Traceback (most recent call last):\n  File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 202, in send\n    response = recv_data(sf)\n  File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 76, in recv_data\n    d = s.recv(header_len - len(data))\nConnectionResetError: [Errno 104] Connection reset by peer\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 342, in <module>\n    main()\n  File \"/home/vagrant/envs/a210/bin/ansible-connection\", line 305, in main\n    conn.set_options(var_options=variables)\n  File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 186, in __rpc__\n    response = self._exec_jsonrpc(name, *args, **kwargs)\n  File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 152, in _exec_jsonrpc\n    out = self.send(data)\n  File \"/home/vagrant/envs/a210/lib64/python3.6/site-packages/ansible/module_utils/connection.py\", line 209, in send\n    err=to_text(e, errors='surrogate_then_replace'), exception=traceback.format_exc()\nansible.module_utils.connection.ConnectionError: unable to connect to socket /home/vagrant/.ansible/pc/e0f315e513. See the socket path issue category in Network Debug and Troubleshooting Guide\n"}

PLAY RECAP *********************************************************************
rt01                       : ok=1    changed=1    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

(a210) [vagrant@stumble stumble]$ ansible-playbook -i inventory.ini ios_acls.yml 

PLAY [rt01] ******************************************************************************

TASK [set acl] ***************************************************************************
ok: [rt01]

TASK [debug] *****************************************************************************
ok: [rt01] => {
    "msg": {
        "ansible_facts": {
            "discovered_interpreter_python": "/usr/bin/python"
        },
        "before": [
            {
                "acls": [
                    {
                        "aces": [
                            {
                                "destination": {
                                    "address": "172.16.1.0",
                                    "port_protocol": {
                                        "eq": "www"
                                    },
                                    "wildcard_bits": "0.0.0.255"
                                },
                                "grant": "permit",
                                "protocol": "tcp",
                                "protocol_options": {
                                    "tcp": {
                                        "ack": true
                                    }
                                },
                                "sequence": 10,
                                "source": {
                                    "address": "10.0.0.0",
                                    "wildcard_bits": "0.0.0.255"
                                }
                            },
                            {
                                "destination": {
                                    "any": true
                                },
                                "grant": "deny",
                                "protocol": "ip",
                                "protocol_options": {
                                    "ip": true
                                },
                                "sequence": 90,
                                "source": {
                                    "any": true
                                }
                            }
                        ],
                        "acl_type": "extended",
                        "name": "test_acl"
                    }
                ],
                "afi": "ipv4"
            }
        ],
        "changed": false,
        "commands": [],
        "failed": false
    }
}

PLAY RECAP *******************************************************************************
rt01                       : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   
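The `before` value the debug task printed above is the resource module's own structured format (the afi → acls → aces argspec that ansible-doc lists earlier), and `state: gathered` returns the same shape. As an added example that is not code from the original post or from the cisco.ios collection, the following Python walks that structure offline: it renders each ACE as an IOS-style line (an approximation, not the module's own renderer) and flags ACLs that permit any to any or whose last entry is not an explicit deny. The sample data is constructed to match rt01's `before` output.

```python
"""Audit the structured ACL data that cisco.ios.ios_acls returns.

Added example; not code from the original post or from the cisco.ios collection.
The `before` / `gathered` value follows the argspec ansible-doc lists above
(afi -> acls -> aces), so the same walk works on `state: gathered` output.
"""

# Constructed sample: the "before" list the debug task printed for rt01.
BEFORE = [
    {
        "afi": "ipv4",
        "acls": [
            {
                "name": "test_acl",
                "acl_type": "extended",
                "aces": [
                    {
                        "sequence": 10,
                        "grant": "permit",
                        "protocol": "tcp",
                        "protocol_options": {"tcp": {"ack": True}},
                        "source": {"address": "10.0.0.0", "wildcard_bits": "0.0.0.255"},
                        "destination": {"address": "172.16.1.0", "wildcard_bits": "0.0.0.255",
                                        "port_protocol": {"eq": "www"}},
                    },
                    {
                        "sequence": 90,
                        "grant": "deny",
                        "protocol": "ip",
                        "protocol_options": {"ip": True},
                        "source": {"any": True},
                        "destination": {"any": True},
                    },
                ],
            }
        ],
    }
]

TCP_FLAGS = ("ack", "established", "fin", "psh", "rst", "syn", "urg")


def _endpoint_text(endpoint):  # render one source/destination dict the way IOS prints it
    if endpoint.get("any"):
        text = "any"
    elif endpoint.get("host"):
        text = f"host {endpoint['host']}"
    else:
        text = f"{endpoint.get('address')} {endpoint.get('wildcard_bits')}"
    ports = endpoint.get("port_protocol") or {}
    for op in ("eq", "neq", "gt", "lt"):
        if op in ports:
            text += f" {op} {ports[op]}"
    return text


def describe_ace(ace):
    """Approximate the IOS CLI line for one ACE (not the module's own renderer)."""
    parts = [ace.get("grant", "?"), ace.get("protocol") or "ip",
             _endpoint_text(ace.get("source") or {}), _endpoint_text(ace.get("destination") or {})]
    tcp = (ace.get("protocol_options") or {}).get("tcp") or {}
    parts.extend(flag for flag in TCP_FLAGS if tcp.get(flag))
    if ace.get("dscp"):
        parts.append(f"dscp {ace['dscp']}")
    line = " ".join(parts)
    if ace.get("sequence") is not None:
        line = f"{ace['sequence']} {line}"
    return line


def audit_acls(before):
    """Return (acl_label, sequence, message) findings for risky ACL content."""
    findings = []
    for family in before:
        for acl in family.get("acls") or []:
            label = f"{family.get('afi')}/{acl.get('name')}"
            # IOS evaluates ACEs in sequence order, so sort before looking at the tail.
            aces = sorted(acl.get("aces") or [], key=lambda a: a.get("sequence") or 0)
            if not aces:  # an empty ACL cannot end in an explicit deny
                findings.append((label, None, "ACL has no entries"))
                continue
            for ace in aces:
                src, dst = ace.get("source") or {}, ace.get("destination") or {}
                if ace.get("grant") == "permit" and src.get("any") and dst.get("any"):
                    findings.append((label, ace.get("sequence"), "permit any -> any"))
            last = aces[-1]
            last_src, last_dst = last.get("source") or {}, last.get("destination") or {}
            if not (last.get("grant") == "deny" and last_src.get("any") and last_dst.get("any")):
                findings.append((label, last.get("sequence"), "last entry is not an explicit deny any any"))
    return findings


if __name__ == "__main__":  # stand-alone demo on the constructed sample
    for family in BEFORE:
        for acl in family["acls"]:
            print(f"{family['afi']} access-list {acl['name']}")
            print("\n".join("   " + describe_ace(a) for a in acl["aces"]))
    print("findings:", audit_acls(BEFORE))
```

Feeding the `gathered` key of a `state: gathered` run into `audit_acls` gives the same report for a live device.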

Toward Part 9

Still in planning. For a change of pace, Ansible Tower or AWX might be a good topic.