Network Automation and Orchestration

ReneMolenaar · February 21, 2019, 12:40pm

This topic is to discuss the following lesson:

michmoor · March 3, 2019, 7:24pm

Hi Rene. Its been a very long time since we spoke. Still a huge fan of your website. You helped me through my CCNP/CCIE(written) studies. I will always be eternally grateful
That being said I am entering the phase in my career will automation through Python is a great interest. Will you write an article about Python for Network Engs? Im thinking about Python + REST apis + Postman. If the article can be written like this network automation and orchestration article I think it will greatly help alot of people. No in depth knowledge of Python or REST is even needed. What do you think?

ReneMolenaar · March 4, 2019, 8:41pm

Hi Michael,

You are very welcome, it’s good to hear my work has been so useful to you. I’m definitely going to add some python material in the future. The “evolving technologies” blueprint also has REST APIs so I’m going to write some articles what REST APIs are and how to play around with postman or python.

It doesn’t take too long to learn python and use it to talk with APIs or manage network devices. It’s a lot of fun too.

Rene

ankisang · October 4, 2019, 6:56pm

Seems like the Network Automation and Orchestration link is broken. getting 403 error message.
Did the topic link has moved to other location.

lagapidis · October 7, 2019, 11:22am

Hi Ankit

I tried it out now and it seems to work. Can you tell me from which page you are trying to link? The page may be up but the link may be incorrect. Let us know and we’ll fix it.

Thanks!

Laz

ankisang · October 9, 2019, 5:24pm

page timed out error was related to my vpn connection…thanks.

coolcomfort22 · April 13, 2020, 4:11am

Hello, I am having some trouble understanding the Kubernetes section. I understand how Master Components and Node Components are separated, correct? I am trying to match your definitions to the diagram.

Master Components = Master Node
Node Components = Worker Node

But you describe the Node Components as “[running] on all master and worker nodes”. Does this mean kubelet, kube-proxy, and container runtime also exist on Master Components? Or does this mean Node Components is a general term that refers to both Master Node and Worker Node?

Giovanni · July 15, 2021, 2:12pm

Hi,

I know that it is an old topic but I’m tryng to replicate the ansible lab without success.

ansible give me this error.

TASK [Configure credentials] *************************************************************************************************************************************************************************************
ok: [R1]
ok: [R2]
ok: [R3]

TASK [Backup Configuration] **************************************************************************************************************************************************************************************
fatal: [R3]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "operation requires privilege escalation"}
fatal: [R2]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "operation requires privilege escalation"}
fatal: [R1]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "changed": false, "msg": "operation requires privilege escalation"}

PLAY RECAP *******************************************************************************************************************************************************************************************************
R1                         : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
R2                         : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   
R3                         : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

What I’m missing? the yaml file is the same of this lesson.

lagapidis · July 17, 2021, 5:54am

Hello Giovanni

The message “operate requires privilege escalation” initially gave me the impression that the credentials being used are not provided with privilege level 15 on the Cisco IOS. I’m sure that’s something that you’ve checked however…

Looking a litter deeper I have found that others have had similar problems and it may be a result of a strange combination of Ansible version and IOS version. In particular, you can take a look at this GIT bug report for Ansible.

github.com/ansible/ansible

ios_config traceback on some devices

opened 02:40PM - 30 May 18 UTC

closed 03:35PM - 22 Oct 18 UTC

pffs

affects_2.5 bug cisco ios module networking support:network traceback

##### SUMMARY On some devices, ios_config will create a traceback when running the ios_config module. Nothing obviously different between devices that work and devices that do not, same model and some firmware. Sometimes running a play multiple times will result in it working, but usually they continue to fail. Attempted to change the tmp file location via remote_tmp and local_tmp, but still looks to be putting the tmp files into /tmp. All the devices are configured to auto-enable into priv 15, and confirmed that the credentials do in fact work. The ios_facts module works with no problems on this device, only the ios_config module seems to be having issues. ##### ISSUE TYPE - Bug Report ##### COMPONENT NAME  ios_config ##### ANSIBLE VERSION ``` ansible 2.5.3 config file = /home/pffs/ansible-scripts/ansible.cfg configured module search path = [u'/home/pffs/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/dist-packages/ansible executable location = /usr/bin/ansible python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609] ``` ##### CONFIGURATION  ``` ANSIBLE_PIPELINING(/home/pffs/ansible-scripts/ansible.cfg) = True DEFAULT_CALLBACK_WHITELIST(/home/pffs/ansible-scripts/ansible.cfg) = ['profile_tasks', 'timer', 'json_result'] DEFAULT_FORKS(/home/pffs/ansible-scripts/ansible.cfg) = 15 DEFAULT_HOST_LIST(/home/pffs/ansible-scripts/ansible.cfg) = [u'/home/pffs/ansible-scripts/inventory'] DEFAULT_LOCAL_TMP(/home/pffs/ansible-scripts/ansible.cfg) = /home/pffs/.ansible/tmp/ansible-local-8904QiZGq4 DEFAULT_LOG_PATH(/home/pffs/ansible-scripts/ansible.cfg) = /home/pffs/ansible-scripts/log HOST_KEY_CHECKING(/home/pffs/ansible-scripts/ansible.cfg) = False PERSISTENT_COMMAND_TIMEOUT(/home/pffs/ansible-scripts/ansible.cfg) = 45 PERSISTENT_CONNECT_TIMEOUT(/home/pffs/ansible-scripts/ansible.cfg) = 90 ``` ##### OS / ENVIRONMENT  Ubuntu 16.04 connecting to Cisco 891FW running 15.4(3)M5 ##### STEPS TO REPRODUCE  main playbook: ```yaml --- - hosts: all gather_facts: no vars_files: - ../../tacacs.yaml tasks: - ios_config: lines: - logging monitor ``` group_vars/all.yaml: ```yaml --- ansible_connection: network_cli ansible_network_os: ios ansible_become: yes ansible_become_method: enable ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q bastion"' ``` ##### EXPECTED RESULTS Completes with change ##### ACTUAL RESULTS Traces back: ``` ansible-playbook 2.5.3 config file = /home/pffs/ansible-scripts/ansible.cfg configured module search path = [u'/home/pffs/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python2.7/dist-packages/ansible executable location = /usr/bin/ansible-playbook python version = 2.7.12 (default, Dec 4 2017, 14:50:18) [GCC 5.4.0 20160609] Using /home/pffs/ansible-scripts/ansible.cfg as config file setting up inventory plugins Parsed /home/pffs/ansible-scripts/inventory inventory source with ini plugin Loading callback plugin default of type stdout, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/default.pyc Loading callback plugin json_result of type aggregate, v1.1 from /home/pffs/.ansible/plugins/callback/json_result.pyc Loading callback plugin profile_tasks of type aggregate, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/profile_tasks.pyc Loading callback plugin timer of type aggregate, v2.0 from /usr/lib/python2.7/dist-packages/ansible/plugins/callback/timer.pyc PLAYBOOK: test.yaml ***************************************************************************************************************************************************************************************************************************************************** 1 plays in test.yaml Read vars_file '../../tacacs.yaml' Read vars_file '../../tacacs.yaml' PLAY [all] ************************************************************************************************************************************************************************************************************************************************************** META: ran handlers Read vars_file '../../tacacs.yaml' TASK [ios_config] ******************************************************************************************************************************************************************************************************************************************************* task path: /home/pffs/ansible-scripts/test.yaml:8 Wednesday 30 May 2018 10:31:12 -0400 (0:00:00.714) 0:00:00.714 ********* <10.0.0.1> attempting to start connection <10.0.0.1> using connection plugin network_cli <10.0.0.1> local domain socket does not exist, starting it <10.0.0.1> control socket path is /home/pffs/.ansible/pc/1ac44613c3 <10.0.0.1> <10.0.0.1> ESTABLISH CONNECTION FOR USER: scripts on PORT 22 TO 10.0.0.1 <10.0.0.1> <10.0.0.1> CONFIGURE PROXY COMMAND FOR CONNECTION: ssh -W 10.0.0.1:22 -q bastion <10.0.0.1> <10.0.0.1> ssh connection done, setting terminal <10.0.0.1> <10.0.0.1> loaded terminal plugin for network_os ios <10.0.0.1> <10.0.0.1> loaded cliconf plugin for network_os ios <10.0.0.1> <10.0.0.1> firing event: on_open_shell() <10.0.0.1> <10.0.0.1> firing event: on_become <10.0.0.1> <10.0.0.1> ssh connection has completed successfully <10.0.0.1> connection to remote device started successfully <10.0.0.1> local domain socket listeners started successfully <10.0.0.1> <10.0.0.1> local domain socket path is /home/pffs/.ansible/pc/1ac44613c3 Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/__init__.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/common/parsing.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/six/__init__.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/basic.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/common/config.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/common/__init__.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/ios/ios.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/ios/__init__.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/parsing/convert_bool.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/parsing/__init__.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/_text.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/pycompat24.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/network/common/utils.py Using module_utils file /usr/lib/python2.7/dist-packages/ansible/module_utils/connection.py Using module file /usr/lib/python2.7/dist-packages/ansible/modules/network/ios/ios_config.py <10.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: pffs <10.0.0.1> EXEC /bin/sh -c '/usr/bin/python && sleep 0' The full traceback is: Traceback (most recent call last): File "/tmp/ansible_b_9Rr0/ansible_module_ios_config.py", line 583, in <module> main() File "/tmp/ansible_b_9Rr0/ansible_module_ios_config.py", line 512, in main load_config(module, commands) File "/tmp/ansible_b_9Rr0/ansible_modlib.zip/ansible/module_utils/network/ios/ios.py", line 168, in load_config File "/tmp/ansible_b_9Rr0/ansible_modlib.zip/ansible/module_utils/connection.py", line 149, in __rpc__ ansible.module_utils.connection.ConnectionError: operation requires privilege escalation fatal: [dmvpn-1]: FAILED! => { "changed": false, "module_stderr": "Traceback (most recent call last):\n File \"/tmp/ansible_b_9Rr0/ansible_module_ios_config.py\", line 583, in <module>\n main()\n File \"/tmp/ansible_b_9Rr0/ansible_module_ios_config.py\", line 512, in main\n load_config(module, command s)\n File \"/tmp/ansible_b_9Rr0/ansible_modlib.zip/ansible/module_utils/network/ios/ios.py\", line 168, in load_config\n File \"/tmp/ansible_b_9Rr0/ansible_modlib.zip/ansible/module_utils/connection.py\", line 149, in __rpc__\nansible.module_utils.connection.Conn ectionError: operation requires privilege escalation\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 1 } to retry, use: --limit @/home/pffs/ansible-scripts/test.retry PLAY RECAP ************************************************************************************************************************************************************************************************************************************************************** dmvpn-1 : ok=0 changed=0 unreachable=0 failed=1 ```

If you do a search for that error, you’ll find more resources. Some have solved it by downgrading their Ansible version, while others have done so by adjusting other parameters.

I hope this has been helpful!

Laz

ruben.trazanet · November 28, 2021, 8:40pm

Hi Team,
Great lesson!! I tried to run a playbook connecting from a Centos 8 (ansible 2.9.27) to a cisco Cisco IOS XE Software, Version 16.06.07 by using ssh keys. I followed the lesson where ssh key connectivity is explained and I am able to connect with success. Despite all the changes I tried I always receive: fatal: [Cisco1941]: FAILED! => {“ansible_facts”: {“discovered_interpreter_python”: “/usr/libexec/platform-python”}, “changed”: false, “msg”: “not a valid RSA private key file”}.

I uncommented this to disable SSH key host checking in ansible.cfg
host_key_checking = False
the key has 2048 module
I also tried
ansible-playbook --private-key=/root/.ssh/id_rsa -u root playbooks/show_version.yml

Any suggestions

Thanks in advanced for your support

Ruben

ReneMolenaar · December 7, 2021, 12:17pm

Hello Ruben,

What kind of SSH key do you have? Does it show up as OPENSSH or RSA?

[root@localhost test-ansible]# cat ~/.ssh/id_rsa | grep "KEY"
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

I think it has to do with the key format. The output above is from a CentOS 8 test machine.

Rene

ruben.trazanet · December 7, 2021, 7:10pm

Hi Rene,
I am using a centos8 and the outpout of the command indicates openssh:

[root@centos8-ansible ssh]# cat ~/.ssh/id_rsa | grep "KEY"
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----

I can however connect to the router from centos with no issues:

[root@centos8-ansible ssh]# ssh root@10.100.50.29
Cisco1941#

It is failing when using ansible playbook. Is there anyway to address this or should I use Ubuntu instead of Centos8?
I will in any case deploy Ubuntu and give it a go. I will keep you posted.

Thanks

Ruben Sanchez
Hi Rene,

I found out the root cause. Paramiko doesn’t support openssh. The workaround is PEM:

 sudo ssh-keygen -p -m PEM -f ~/.ssh/id_rsa. Now I get 
ruben@Ubuntu-20:~$ cat ~/.ssh/id_rsa | grep "KEY"
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

and playbooks are running with no issues. You put me in the right direction.
Thank you
Ruben Sanchez

lagapidis · December 9, 2021, 7:10am

Hello Ruben

It’s great to hear that you found the root cause and resolved the issue! It’s helpful to have this information on the forum.

Thanks for updating your post!

Laz

lennarnoc2020 · December 28, 2021, 4:07pm

Hi Rene, while following the steps, the ssh connection was refused. I’m getting a Connection refused error when trying to ssh into the host IP.

rod.deluhery · December 29, 2021, 2:35pm

in the ansible lab, copying a html file to the web root directory. question on this topic. is there a way to do this so the html file in on the ansible server itself, or another server? so doing a network copy (scp copy) from one host to another?
thanks!

lagapidis · January 3, 2022, 7:06am

Hello Michel

The SSH connectivity can sometimes be tricky, and it occasionally depends upon the versions you are using. The best way to troubleshoot this would be to debug SSH on the Cisco device to see the reason behind the refused connection so that you can further correct the problem. Take a look at this NetworkLessons note on SSH connectivity troubleshooting for some additional info.

Let us know how you get along and if you require any additional help.

I hope this has been helpful!

Laz

lagapidis · January 3, 2022, 7:12am

Hello Rod

Anything you can do with the CLI can be automated. So if you are able to copy the HTML file to another server, either the ansible server or another server, using the CLI, then you can automate it using automation.

Before creating a playbook, the first thing that you should do is determine what you want to achieve, and how this can be achieved using the CLI. You then automate those CLI commands using the process described in the lesson.

I hope this has been helpful!

Laz

AZEAHMED · April 16, 2023, 5:54am

Hello Rene,

chef, puppet and ansible are config management tool. Are there any tools available to upgrade the router/server operating system . Any insight will appreciated.

P.S> Found paid product below wanted to know about open source tool.

Thanks,
Mu

lagapidis · April 19, 2023, 4:25am

Hello Muhammad

Take a look at this answer here:

I hope this has been helpful!

Laz