vyos_facts confused about value of firewall rule log attribute.
SUMMARY
vyos_facts is slightly confused about the value of log in a firewall rule
ISSUE TYPE
- Bug Report
COMPONENT NAME
vyos_facts
ANSIBLE VERSION
ansible [core 2.16.5]
config file = /home/ops/ansible/ansible.cfg
configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
executable location = /home/ops/ansible/venv/bin/ansible
python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
jinja version = 3.1.3
libyaml = True
COLLECTION VERSION
ansible-galaxy collection list vyos.vyos
# /home/ops/.ansible/collections/ansible_collections
Collection Version
---------- -------
vyos.vyos 4.1.0
# /home/ops/ansible/venv/lib/python3.10/site-packages/ansible_collections
Collection Version
---------- -------
vyos.vyos 4.1.0
CONFIGURATION
ANSIBLE_NOCOWS(/home/ops/ansible/ansible.cfg) = True
CONFIG_FILE() = /home/ops/ansible/ansible.cfg
DEFAULT_FILTER_PLUGIN_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/plugins/filter']
DEFAULT_FORKS(/home/ops/ansible/ansible.cfg) = 20
DEFAULT_ROLES_PATH(/home/ops/ansible/ansible.cfg) = ['/home/ops/ansible/roles.galaxy', '/home/ops/ansible/roles']
DEFAULT_VAULT_PASSWORD_FILE(env: ANSIBLE_VAULT_PASSWORD_FILE) = /home/ops/.seconvault
DEPRECATION_WARNINGS(/home/ops/ansible/ansible.cfg) = False
RETRY_FILES_ENABLED(/home/ops/ansible/ansible.cfg) = False
OS / ENVIRONMENT
Host running ansible ubuntu 22.04, vyos target 1.3.2
STEPS TO REPRODUCE
Use the vyos_facts module.
- name: Firwall configuration, rules and aliases only
  hosts:
    - XXXX-fw-01
  gather_facts: false
  tasks:
    - name: Get running config from remote firewall
      vyos_facts:
        gather_subset: all
        gather_network_resources: all
      register: orig_vyos_config
EXPECTED RESULTS
The running config, not an error message
ACTUAL RESULTS
Result short:
PLAY [Firwall configuration, rules and aliases only] ***********************************************************************************************************************************************************************************************************************************************************
TASK [Get running config from remote firewall] *****************************************************************************************************************************************************************************************************************************************************************
fatal: [XXX-fw-01]: FAILED! => {"changed": false, "msg": "value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules"}
Verbose output:
ansible-playbook [core 2.16.5]
config file = /home/ops/ansible/ansible.cfg
configured module search path = ['/home/ops/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/ops/ansible/venv/lib/python3.10/site-packages/ansible
ansible collection location = /home/ops/.ansible/collections:/usr/share/ansible/collections
executable location = /home/ops/ansible/venv/bin/ansible-playbook
python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/home/ops/ansible/venv/bin/python3)
jinja version = 3.1.3
libyaml = True
Using /home/ops/ansible/ansible.cfg as config file
Reading vault password file: /home/ops/.seconvault
setting up inventory plugins
Loading collection ansible.builtin from
host_list declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
script declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
auto declined parsing /home/ops/ansible/inventories/vyos/inventory as it did not pass its verify_file() method
Parsed /home/ops/ansible/inventories/vyos/inventory inventory source with ini plugin
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
Loading callback plugin default of type stdout, v2.0 from /home/ops/ansible/venv/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Attempting to use 'default' callback.
Skipping callback 'default', as we already have a stdout callback.
Attempting to use 'junit' callback.
Attempting to use 'minimal' callback.
Skipping callback 'minimal', as we already have a stdout callback.
Attempting to use 'oneline' callback.
Skipping callback 'oneline', as we already have a stdout callback.
Attempting to use 'tree' callback.
PLAYBOOK: site.yml *************************************************************
Positional arguments: playbooks/vyos/site.yml
verbosity: 7
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/home/ops/ansible/inventories/vyos/inventory',)
subset: XXX-fw-01
forks: 20
1 plays in playbooks/vyos/site.yml
PLAY [Firwall configuration, rules and aliases only] ***************************
TASK [Get running config from remote firewall] *********************************
task path: /home/ops/ansible/playbooks/vyos/site.yml:11
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Using network group action vyos for vyos_facts
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> attempting to start connection
<172.16.21.71> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/ops/ansible/venv/bin/ansible-connection
<172.16.21.71> local domain socket does not exist, starting it
<172.16.21.71> control socket path is /home/ops/.ansible/pc/8eabc378a2
<172.16.21.71> Loading collection ansible.builtin from
<172.16.21.71> redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
<172.16.21.71> Loading collection ansible.netcommon from /home/ops/.ansible/collections/ansible_collections/ansible/netcommon
<172.16.21.71> Loading collection ansible.utils from /home/ops/.ansible/collections/ansible_collections/ansible/utils
<172.16.21.71> redirecting (type: terminal) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> Loading collection vyos.vyos from /home/ops/.ansible/collections/ansible_collections/vyos/vyos
<172.16.21.71> redirecting (type: cliconf) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> local domain socket listeners started successfully
<172.16.21.71> loaded cliconf plugin ansible_collections.vyos.vyos.plugins.cliconf.vyos from path /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/cliconf/vyos.py for network_os vyos
<172.16.21.71> ssh type is set to auto
<172.16.21.71> autodetecting ssh_type
<172.16.21.71> ssh type is now set to libssh
<172.16.21.71> Loading collection ansible.builtin from
<172.16.21.71> local domain socket path is /home/ops/.ansible/pc/8eabc378a2
redirecting (type: action) ansible.builtin.vyos to vyos.vyos.vyos
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
redirecting (type: modules) ansible.builtin.vyos_facts to vyos.vyos.vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: found vyos_facts at /home/ops/.ansible/collections/ansible_collections/vyos/vyos/plugins/modules/vyos_facts.py
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: running vyos_facts
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: complete
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES:
<172.16.21.71> ANSIBLE_NETWORK_IMPORT_MODULES: Result: {'failed': True, 'msg': 'value of log must be one of: enable, disable, got: TCP found in config -> rule_sets -> rules', 'invocation': {'module_args': {'config': [{'afi': 'ipv4', 'rule_sets': [{'default_action': 'reject', 'enable_default_log': True, 'rules': [{'action': 'accept', 'description': 'no remove', 'state': {'related': True, 'established': True, 'invalid': None, 'new': None}, 'number': 10, 'destination': None, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'log': None, 'p2p': None, 'protocol': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX001_Secon_ad_tcp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_tcp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1030, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX001_Secon_ad_udp - Internal access to ad', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'AD_udp', 'address_group': 'com-ad-w01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1040, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX002_wsus - This rule is for all wsus updates', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'WSUS', 'address_group': 'com-wsus-w01', 'network_group': None}, 
'address': None, 'port': None}, 'number': 1050, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'enable', 'action': 'accept', 'protocol': 'udp', 'description': 'ANSIBLE: EX004_icinga_ntp_check - Allow all windows hosts to check the time against edge-fw-01', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'group': {'port_group': 'NTP', 'address_group': 'edge-fw-01', 'network_group': None}, 'address': None, 'port': None}, 'number': 1160, 'disable': None, 'fragment': None, 'icmp': None, 'ipsec': None, 'limit': None, 'p2p': None, 'recent': None, 'source': None, 'tcp': None, 'time': None}, {'log': 'TCP', 'action': 'accept', 'protocol': 'tcp', 'description': 'ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP', 'state': {'new': True, 'established': None, 'invalid': None, 'related': None}, 'destination': {'gro .....
Example of clearer output found later in the printout, an excerpt of the problematic section:
{
    "action": "accept",
    "description": "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP",
    "destination": {
        "address": null,
        "group": {
            "address_group": "com-graylog",
            "network_group": null,
            "port_group": "EX005_graylog_tcp"
        },
        "port": null
    },
    "disable": null,
    "fragment": null,
    "icmp": null,
    "ipsec": null,
    "limit": null,
    "log": "TCP",
    "number": 1170,
    "p2p": null,
    "protocol": "tcp",
    "recent": null,
    "source": null,
    "state": {
        "established": null,
        "invalid": null,
        "new": true,
        "related": null
    },
    "tcp": null,
    "time": null
},
The corresponding rule on the firewall, as printed by the show command in configure mode:
rule 1170 {
    action accept
    description "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP"
    destination {
        group {
            address-group com-graylog
            port-group EX005_graylog_tcp
        }
    }
    log enable
    protocol tcp
    state {
        new enable
    }
}
The firewall does not have the value of the log parameter set to TCP; somehow the vyos_facts module seems to be a little confused about this.
I will provide any extra information requested.
We just upgraded the Ansible version; the vyos module has worked flawlessly for many years before.
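The description of rule 1170 contains the words "Graylog TCP", so a facts parser that searches the flattened rule text for "log <word>" anywhere, rather than as a whole statement, would pick up "TCP" before it ever reaches the real "log enable" line. The following example is added for this page and is not the collection's own code: the naive parser is a hypothetical reconstruction of that failure mode, shown on the rule above beside a line-anchored parser that avoids it, with the module's enable/disable check run over both results.

```python
import re

# Rule 1170 exactly as the reporter's "show" output renders it, embedded here
# as a constructed string so the example runs offline.
RULE_1170 = """\
rule 1170 {
    action accept
    description "ANSIBLE: EX005_graylog_tcp - Destination Graylog TCP"
    destination {
        group {
            address-group com-graylog
            port-group EX005_graylog_tcp
        }
    }
    log enable
    protocol tcp
    state {
        new enable
    }
}
"""

LOG_CHOICES = ("enable", "disable")

def parse_log_naive(conf):
    """Hypothetical failure mode (not the collection's code): an unanchored
    search returns the first 'log <word>' anywhere, here the one inside the
    quoted description ('... Graylog TCP')."""
    m = re.search(r"log (\w+)", conf)
    return m.group(1) if m else None

def parse_log_anchored(conf):
    """Hardened parser: 'log' must be a whole statement on its own line, so
    words inside a quoted description value can never be mistaken for it."""
    m = re.search(r"^\s*log\s+(\w+)\s*$", conf, re.MULTILINE)
    return m.group(1) if m else None

def validate_log(value):
    """The check the module applies: only the documented choices pass."""
    if value is not None and value not in LOG_CHOICES:
        raise ValueError("value of log must be one of: %s, got: %s"
                         % (", ".join(LOG_CHOICES), value))
    return value

def extract_log(conf, parser=parse_log_anchored):
    """Parse then validate; returns (value, error) instead of raising."""
    try:
        return validate_log(parser(conf)), None
    except ValueError as exc:
        return None, str(exc)
```

With the naive parser the error text is the same one the playbook reports; the anchored parser returns "enable" for the same rule.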