ICX "Invalid input -> skip" #536

Open
computercolin opened this issue Mar 13, 2023 · 3 comments

computercolin commented Mar 13, 2023

SUMMARY

The ICX community module fails and spits out an invalid ICX command result "Invalid input -> skip".
The reason is that the ICX module assumes its starting privilege level is enable; however, on many of our switches, the starting level is 5 "read-only". 'skip' is not a valid command for level 5, and the module needs to first elevate.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

community.network.icx_config

ANSIBLE VERSION
ansible [core 2.14.3]
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /root/ve39/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /root/ve39/bin/ansible
  python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] (/root/ve39/bin/python3)
  jinja version = 3.1.2
  libyaml = True
CONFIGURATION
HOST_KEY_CHECKING(env: ANSIBLE_HOST_KEY_CHECKING) = False
OS / ENVIRONMENT

Debian 11 Bullseye

Switch: Ruckus ICX7150-24-POE running SW 08.0.95dT211

STEPS TO REPRODUCE
  • Reset switch using erase system factory-default
  • Login using ssh
  • Change password as requested
  • Place this new password in hosts file as var ansible_password
  • SSH into switch
    • Confirm default privileged level is Read-Only (prompt ends with ">" not "#")
    • (This bug does not occur on switches where privilege level starts elevated)
  • Run playbook below
---
- hosts: all
  connection: network_cli
  gather_facts: false
  vars:
    ansible_network_os: icx

  tasks:
   - name: Set Dummy Location
     community.network.icx_config:
       lines:
         - snmp-server location "Earth"
       save_when: modified
EXPECTED RESULTS

Ansible runs to completion and snmp-location is set to Earth.

ACTUAL RESULTS
The full traceback is:
  File "/tmp/ansible_community.network.icx_config_payload_d4wpz2h6/ansible_community.network.icx_config_payload.zip/ansible_collections/community/network/plugins/module_utils/network/icx/icx.py", line 34, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/tmp/ansible_community.network.icx_config_payload_d4wpz2h6/ansible_community.network.icx_config_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [10.253.2.30]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "after": null,
            "backup": false,
            "before": null,
            "defaults": false,
            "diff_against": null,
            "diff_ignore_lines": null,
            "intended_config": null,
            "lines": [
                "snmp-server location \"Earth\""
            ],
            "match": "line",
            "multiline_delimiter": "@",
            "parents": null,
            "replace": "line",
            "running_config": null,
            "save_when": "modified",
            "src": null
        }
    },
    "msg": "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@ICX7150-24P Switch>"
}
PATCH DEMONSTRATION

I do not know enough about ansible internals, but this module needs to check privilege level upon connect before running elevated commands.

@Andersson007
Contributor

@computercolin hello, thanks for reporting the issue!
Would you like to submit a patch yourself? If yes, here's the Quick-start guide

cc @commscope @sushma-alethea

yamjoepobuda commented Aug 3, 2023

This issue also happens when using icx_command or icx_config and the CLI presents an error during configuration. Example: removing NTP servers.

- name: Remove old NTP hosts
  community.network.icx_command:
    commands:
      - configure terminal
      - ntp
      - no server {{ item }}
      - end
  loop: "{{ ntp_deprecated_servers }}"
  when: ntp_deprecated_servers is defined
  register: _ntp

Unlike DNS or logging hosts, which seem to be stateful, these have to be configured using CLI. Since they are not stateful, we usually have to feed a static list (ntp_deprecated_servers). Sometimes a host may not be configured when I try to remove it. Other CLI commands, such as no radius-host or no snmp-host fail gracefully. In the case of NTP, it presents an error:

Error: Cannot delete server/peer, the association entry is not present

This error causes the SSH connection to remain in the config-ntp context for all commands going forward. I tried to work around it with this, but no luck.

- name: Escape from NTP config mode
  community.network.icx_command:
    commands:
      - end
  ignore_errors: "{{ icx_bypass_errors }}"

skip is not allowed in the config-ntp context:

TASK [icx-cleanup : Escape from NTP config mode] *******************************
fatal: [switch]: FAILED! => {"changed": false, "msg": "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@switch(config-ntp)#"}

I believe in this case, the proposed patch above would not work since it only addresses unauthenticated context not sub-context where this is also broken.

The solution would have to understand what context it is in, in order to issue the correct commands. In the case of sub-contexts, it seems it should append an end command whether it succeeds or not when reusing the same SSH connection so that subsequent commands do not get stuck in the failed context.
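
Added example (not part of the comments in this thread and not code from the community.network collection): a Python illustration of the context check described in the preceding comment, classifying the trailing prompt of a failure message to decide what must be sent before `skip`. The function names are hypothetical, and the prompt shapes are assumed from the two failure messages quoted in this issue.

```python
import re

# Trailing prompt shapes assumed from the failure messages in this issue:
#   "SSH@ICX7150-24P Switch>"   read-only level
#   "SSH@switch(config-ntp)#"   configuration sub-context
PROMPT_RE = re.compile(
    r"(?P<host>[^()\r\n]+?)(?:\((?P<ctx>[^()\r\n]+)\))?(?P<mark>[>#])\s*$"
)

# "msg" values copied from the two failures reported in this issue.
READ_ONLY_MSG = "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@ICX7150-24P Switch>"
CONFIG_NTP_MSG = "skip\r\nInvalid input -> skip\r\nType ? for a list\r\nSSH@switch(config-ntp)#"
ENABLE_PROMPT = "SSH@switch#"  # constructed sample, not taken from the issue


def classify_prompt(output):
    """Return (level, context) from the last line of CLI output."""
    last_line = output.replace("\r", "").rstrip().split("\n")[-1]
    match = PROMPT_RE.match(last_line)
    if match is None:
        raise ValueError("no CLI prompt at end of output: %r" % last_line)
    if match.group("mark") == ">":
        return ("read-only", None)
    context = match.group("ctx")
    return ("config", context) if context else ("enable", None)


def commands_before_skip(output):
    """Commands to send so the session sits at the enable prompt.

    "enable" may be followed by a password prompt the caller must answer.
    """
    level, _context = classify_prompt(output)
    if level == "read-only":
        return ["enable"]
    if level == "config":
        return ["end"]
    return []


if __name__ == "__main__":
    for sample in (READ_ONLY_MSG, CONFIG_NTP_MSG, ENABLE_PROMPT):
        print(classify_prompt(sample), commands_before_skip(sample))
```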

@computercolin
Author

To add some more depth here, in FastIron 9.0.0, the command "aaa authentication login privilege-mode" was deprecated and is not available in FastIron 10.0.0.
Without this command, it is impossible to SSH into an ICX and go straight for privileged mode (enable) without issuing the enable command and re-typing password.

This means this Ansible module is incompatible with all FastIron 10 devices, regardless of configuration, and possibly FastIron 9 devices as well.

@commscope I request this module get an update to be compatible with your current product lineup.
