aoscx_acl 'update' not actually writing any ACL entries but no error shown #86

Open · fusenuk opened this issue Nov 1, 2023 · 3 comments
fusenuk commented Nov 1, 2023

Product Name: JL721A 8360-12C switch
ArubaOS-CX Version: LL.10.10.1010

A previously working playbook that deletes an ACL then updates the same named ACL has stopped actually writing any ACL entries to the ACL even though it says it was successful. So I get left with an ACL applied to the interface with no entries.

```yaml
    - name: "Delete existing access-list {{ acl_name }}_EVEN"
      aoscx_acl:
        type: ipv4
        state: delete
        name: "{{ acl_name }}_EVEN"
      when: ( acl_version == "2" )

    - name: "Deploy new access-list {{ acl_name }}_EVEN"
      aoscx_acl:
        type: ipv4
        state: update
        name: "{{ acl_name }}_EVEN"
        acl_entries: "{{v4_acl_entries}}"
      when: ( acl_version == "2" )
```

Using -vvv mode shows the following:

```text
task path: /home/mw284/ansible-acls/aruba-cx-acls.yml:27
<cdc-drsrv-t0-a> ESTABLISH LOCAL CONNECTION FOR USER: mw284
<cdc-drsrv-t0-a> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4 `"&& mkdir "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134 `" && echo ansible-tmp-1698835025.4686007-8134-187910541103134="` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134 `" ) && sleep 0'
<cdc-drsrv-t0-b> ESTABLISH LOCAL CONNECTION FOR USER: mw284
<cdc-drsrv-t0-b> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4 `"&& mkdir "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854 `" && echo ansible-tmp-1698835025.4680057-8135-138722522150854="` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854 `" ) && sleep 0'
Using module file /home/mw284/.ansible/collections/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py
<cdc-drsrv-t0-a> PUT /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/tmpyjenv0nv TO /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134/AnsiballZ_aoscx_acl.py
<cdc-drsrv-t0-a> EXEC /bin/sh -c 'chmod u+x /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134/ /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134/AnsiballZ_aoscx_acl.py && sleep 0'
Using module file /home/mw284/.ansible/collections/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py
<cdc-drsrv-t0-b> PUT /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/tmpd1sse720 TO /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854/AnsiballZ_aoscx_acl.py
<cdc-drsrv-t0-b> EXEC /bin/sh -c 'chmod u+x /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854/ /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-a> EXEC /bin/sh -c '/usr/bin/python3 /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-b> EXEC /bin/sh -c '/usr/bin/python3 /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-b> EXEC /bin/sh -c 'rm -f -r /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4680057-8135-138722522150854/ > /dev/null 2>&1 && sleep 0'
<cdc-drsrv-t0-a> EXEC /bin/sh -c 'rm -f -r /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835025.4686007-8134-187910541103134/ > /dev/null 2>&1 && sleep 0'
changed: [cdc-drsrv-t0-b] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "acl_entries": null,
            "name": "testacl_IN_EVEN",
            "state": "delete",
            "type": "ipv4"
        }
    }
}
changed: [cdc-drsrv-t0-a] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "acl_entries": null,
            "name": "testacl_IN_EVEN",
            "state": "delete",
            "type": "ipv4"
        }
    }
}

TASK [Deploy new access-list testacl_IN_EVEN] ****************************************************************************************************************************************
task path: /home/mw284/ansible-acls/aruba-cx-acls.yml:34
<cdc-drsrv-t0-a> ESTABLISH LOCAL CONNECTION FOR USER: mw284
<cdc-drsrv-t0-b> ESTABLISH LOCAL CONNECTION FOR USER: mw284
<cdc-drsrv-t0-b> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4 `"&& mkdir "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377 `" && echo ansible-tmp-1698835028.0387414-8189-59338563000377="` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377 `" ) && sleep 0'
<cdc-drsrv-t0-a> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4 `"&& mkdir "` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100 `" && echo ansible-tmp-1698835028.0391412-8188-194764360662100="` echo /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100 `" ) && sleep 0'
Using module file /home/mw284/.ansible/collections/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py
<cdc-drsrv-t0-a> PUT /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/tmpcf5tthp4 TO /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100/AnsiballZ_aoscx_acl.py
Using module file /home/mw284/.ansible/collections/ansible_collections/arubanetworks/aoscx/plugins/modules/aoscx_acl.py
<cdc-drsrv-t0-b> PUT /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/tmpgqxx3ybt TO /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377/AnsiballZ_aoscx_acl.py
<cdc-drsrv-t0-a> EXEC /bin/sh -c 'chmod u+x /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100/ /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-b> EXEC /bin/sh -c 'chmod u+x /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377/ /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-b> EXEC /bin/sh -c '/usr/bin/python3 /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-a> EXEC /bin/sh -c '/usr/bin/python3 /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100/AnsiballZ_aoscx_acl.py && sleep 0'
<cdc-drsrv-t0-a> EXEC /bin/sh -c 'rm -f -r /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0391412-8188-194764360662100/ > /dev/null 2>&1 && sleep 0'
<cdc-drsrv-t0-b> EXEC /bin/sh -c 'rm -f -r /home/mw284/.ansible/tmp/ansible-local-81080ga5fve4/ansible-tmp-1698835028.0387414-8189-59338563000377/ > /dev/null 2>&1 && sleep 0'
changed: [cdc-drsrv-t0-b] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "acl_entries": {
                "1": {
                    "comment": "Test ACL for testing ansible script"
                },
                "10": {
                    "action": "permit",
                    "protocol": "tcp",
                    "tcp_established": true
                },
                "20": {
                    "action": "permit",
                    "dst_ip": "172.19.35.0/255.255.255.0",
                    "protocol": "any",
                    "src_ip": "172.19.99.0/255.255.255.0"
                },
                "30": {
                    "action": "permit",
                    "dst_ip": "172.19.35.0/255.255.255.0",
                    "protocol": "any",
                    "src_ip": "172.19.163.0/255.255.255.0"
                }
            },
            "name": "testacl_IN_EVEN",
            "state": "update",
            "type": "ipv4"
        }
    }
}
changed: [cdc-drsrv-t0-a] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "acl_entries": {
                "1": {
                    "comment": "Test ACL for testing ansible script"
                },
                "10": {
                    "action": "permit",
                    "protocol": "tcp",
                    "tcp_established": true
                },
                "20": {
                    "action": "permit",
                    "dst_ip": "172.19.35.0/255.255.255.0",
                    "protocol": "any",
                    "src_ip": "172.19.99.0/255.255.255.0"
                },
                "30": {
                    "action": "permit",
                    "dst_ip": "172.19.35.0/255.255.255.0",
                    "protocol": "any",
                    "src_ip": "172.19.163.0/255.255.255.0"
                }
            },
            "name": "testacl_IN_EVEN",
            "state": "update",
            "type": "ipv4"
        }
    }
}
META: ran handlers
```

But then checking the actual ACL on the device shows:

```text
cdc-drsrv-t0-a# show access-list ip testacl_IN_EVEN commands
access-list ip testacl_IN_EVEN
interface vlan911
    apply access-list ip testacl_IN_EVEN routed-out
cdc-drsrv-t0-a#
```

So it seems to think it successfully applied the ACL entries but never actually writes them to the ACL.

I've force-updated:

- pyaoscx
- arubanetworks.aoscx
- ansible.netcommon
- ansible.utils

```text
Collection          Version
------------------- -------
ansible.netcommon   5.2.0
ansible.utils       2.11.0
arubanetworks.aoscx 4.3.0
cisco.ios           4.5.0
```

```text
Package             Version
------------------- ---------
ansible             4.10.0
ansible-core        2.11.12
ansible-pylibssh    1.1.0
asn1crypto          0.24.0
certifi             2022.6.15
cffi                1.9.1
charset-normalizer  2.0.12
cryptography        2.3
idna                3.3
importlib-resources 5.4.0
Jinja2              2.11.1
jmespath            0.9.4
jxmlease            1.0.3
lxml                4.9.3
MarkupSafe          0.23
ncclient            0.6.15
netaddr             0.8.0
packaging           21.3
paramiko            2.1.1
pip                 21.3.1
ply                 3.9
pyaoscx             2.5.0
pyasn1              0.4.7
pycparser           2.14
pyparsing           3.0.9
PyYAML              6.0
requests            2.27.1
requests-toolbelt   1.0.0
resolvelib          0.5.4
setuptools          59.6.0
six                 1.14.0
urllib3             1.26.10
wheel               0.37.1
xmltodict           0.13.0
zipp                3.6.0
```
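Because the module reports `changed: true` even when nothing reached the ACL, the only reliable check is to read the ACL back from the device after the update task and fail the play if the expected sequence numbers are absent. The following is an added example, not code from the issue or from the arubanetworks.aoscx collection: it parses `show access-list ip <name> commands` output (the command used above) and assumes that entry lines under the ACL header are indented and begin with their sequence number, since the page only shows the empty case; the function names are hypothetical.

```python
import re

# "show access-list ip <name> commands" output: the header line is shown on the
# page; entry lines are assumed to be indented and to begin with a sequence number.
ACL_HEADER = re.compile(r"^access-list (?:ipv4|ip|ipv6|mac) (\S+)\s*$")
ENTRY_LINE = re.compile(r"^\s+(\d+)\s+(\S.*)$")

def parse_acl_commands(output: str) -> dict[str, dict[int, str]]:
    """Map ACL name -> {sequence number: entry text}; interface blocks are skipped."""
    acls: dict[str, dict[int, str]] = {}
    current = None
    for line in output.splitlines():
        m = ACL_HEADER.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, {})
            continue
        if current is None:
            continue
        if not line.startswith(" "):  # an unindented line ends the ACL block
            current = None
            continue
        m = ENTRY_LINE.match(line)
        if m:
            acls[current][int(m.group(1))] = m.group(2).strip()
    return acls

def missing_entries(output: str, name: str, desired: dict[str, dict]) -> set[int]:
    """Sequence numbers from the module's acl_entries that the device does not show."""
    present = set(parse_acl_commands(output).get(name, {}))
    return {int(seq) for seq in desired} - present

# acl_entries keyed as in the issue's -vvv output (bodies shortened).
DESIRED = {"1": {"comment": "Test ACL for testing ansible script"},
           "10": {"action": "permit", "protocol": "tcp", "tcp_established": True},
           "20": {"action": "permit", "protocol": "any"},
           "30": {"action": "permit", "protocol": "any"}}
# Device output copied from the issue: ACL exists and is applied, but is empty.
EMPTY_ACL_OUTPUT = """access-list ip testacl_IN_EVEN
interface vlan911
    apply access-list ip testacl_IN_EVEN routed-out
"""
# Constructed output for a healthy ACL (entry syntax is an assumption).
OK_OUTPUT = """access-list ip testacl_IN_EVEN
    1 comment Test ACL for testing ansible script
    10 permit tcp any any established
    20 permit any 172.19.99.0/255.255.255.0 172.19.35.0/255.255.255.0
    30 permit any 172.19.163.0/255.255.255.0 172.19.35.0/255.255.255.0
interface vlan911
    apply access-list ip testacl_IN_EVEN routed-out
"""
```

A non-empty result from `missing_entries` on the real read-back is the condition to fail the play on, before the interface is switched over to the new ACL.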
@tchiapuziowong tchiapuziowong self-assigned this Nov 1, 2023
tchiapuziowong (Member) commented
Hi @fusenuk ! Thank you for submitting this issue! We're currently doing a deep investigation into the behavior of the aoscx_acl module and will be focusing on improving it in an upcoming major release - I will update this issue once we've determined a release schedule.

tchiapuziowong (Member) commented
@fusenuk is the ACL applied to an interface when you're attempting to delete it?

fusenuk commented Nov 8, 2023

No.

The process is: there are two ACLs,

```text
Example_acl_even
Example_acl_odd
```

Then one of them is assigned to a VLAN interface:

```text
Interface vlan 123 -> example_acl_even
```

The Ansible script, in the above example, would then delete the 'example_acl_odd' ACL, write the new entries to that ACL name, then apply that ACL to the interface, switching to 'odd' from 'even'.

Then the next time the Ansible script runs it does the reverse and switches from 'even' to 'odd'.
