Forum Discussion

Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Sep 29, 2023

Ansible - Bricking freshly installed vcmp guests with ansible

  Hello fellow F5 admins, currently I try to established a workflow, where new vcmp guests are created and configured with a standard basic config (and even building a HA setup). The creation part...
Ansible
application delivery
bootstrap
devops
password
vcmp
  • Ichnafi's avatar
    Ichnafi
    Oct 02, 2023

    Got it working!

    I ran into several strange issues.

    1. Password handling seems to be not konsisten. For some reason I had da "\n" at the end of my password in the ansible-vault encrypted string. Why? Don't know. It seems, that normal API and GUI login do not care about this trailing "\n", but password changes do.
    2. After fixing the password and (just for good measugre) adding the Jinja2 filter "trim" to alle my password variables, I ran everything again using the REST endpoint "mgmt/shared/authz/users/admin" with a PATCH leaving the system bricked again.

    3. How did I get it to work

    1. When connecting via SSH as user "root" you are forced to set a new root password.
      This password is also set as an admin password, that still has to be changed. Also worth to mention, that javarestd will automaticly restart.
    2. Connect via SSH as user "admin" with root password and set a new admin password. After the password change you get booted out of you ssh session and the return code is 1, so we have to consider this in ansible.

    To automate the password changes I write tasks using module ansible.builtin.expect.
    This completly renders idempotency useless. Changes in the SSH login flow and/or messages will let the taks fail. 

     

    - name: Change root password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': default
	  '(.*)UNIX password:(.*)': default
	  '(.*)New BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)config(.*)#': exit
  register: output
  delegate_to: localhost

- name: Debug
  ansible.builtin.debug:
	var: output

- name: Wait for restjavad to be restarted
  ansible.builtin.wait_for:
	timeout: 20
  delegate_to: localhost

- name: Change admin password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no "{{ f5_api_admin_user }}"@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)UNIX password:(.*)': "{{ f5_root_password | trim }}"
	  '(.*)New BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
  register: output
  failed_when: output.rc not in [0, 1]
  delegate_to: localhost

     

    The hole thing is still really annoying. I don't understand why this has to be resolved like, in times where cloud first, api first, whatever first is key. This should really be done in a different way.

    Cheers

    Ichnafi

f51's avatar
f51
Icon for Cirrostratus rankCirrostratus
Sep 29, 2023

You're dealing with a complex issue that is likely due to the secure password policy enforced by F5 BIG-IP systems. Your Ansible Playbook seems to be correctly constructed, and it's indeed peculiar that the password isn't working as expected. One possible explanation could be that F5 uses different authentication modules for GUI and REST API. The GUI uses the httpd module, while the REST API uses the restjavad module. It seems that the password change is not getting recognized by the restjavad module.

Here are a few suggestions:

1. Manual Password Change: Although this solution involves manual intervention, you might want to try changing the password manually through the GUI or TMSH first, and then using that password in your Ansible playbook. This would at least allow you to determine if the issue is with Ansible or with F5's password policy.

2. Use REST API directly: Instead of using Ansible's bigip_user module, try using the uri module to send a PATCH request directly to F5's REST API to change the password. You are already using the uri module in your playbook, but you might want to experiment with different parameters or headers.

3. Check F5's Password Policy: F5's BIG-IP systems enforce a strong password policy by default. Make sure your new password meets these requirements. If it doesn't, F5 might be rejecting it without providing a clear error message.

  • Ichnafi's avatar
    Ichnafi
    Icon for Cirrostratus rankCirrostratus
    Sep 29, 2023

    Hi f51,

    thank you for your suggestions.

    f51 wrote:

    [...]One possible explanation could be that F5 uses different authentication modules for GUI and REST API. The GUI uses the httpd module, while the REST API uses the restjavad module. It seems that the password change is not getting recognized by the restjavad module. [...]

    That's what I thought too. When I provided the password in the playbook asl clear-text, I was able to log into GUI. Changing the Admin password there to something different, made REST calls possible. Changing it back to the previous password, let them fail again.
    I then also set a root password, connected via SSH as root, and changed admin password again using command 'tmsh modify auth user admin prompt-for-password'
    Again I set the admin password to something new, and REST calls were successfull.
    Then I changed it back to the original one and REST calls fail again. Again one can observe in the audit logs, that whenn successfull rest(pam-audit) is triggert and back on the ols password its httpd(pam-audit).

    Let me get to your other points:

    1. The chosen password complies to the password policy. This is out of question. It can be set manually without any problems.
    2. The forced password change is accomplished by using the REST API, as it is explained in the policy article. After that done, I tried to do a "regular" REST API call to get a X-F5-Auth-Token with a postman job, that works fine one many our systems (same password as well), and the response was also unauthorized
    3. As said, the password complies and can be set in a manual setup without any complains.

    Is there maybe a way to automize the 1st ssh login with expect or something? I did a writeup on how to run a shell comman on f5 and using expect there in an interactive situation (Ansible-running-bash-commands-with-bigip-command-module), but this only works when one is already on the system. I might need to write a bash script that does the ssh root@<new_vcmp_guest> , accept new fingerprint, enter password and then reenter the new password twice...
    Any bash gurus in the house?

    Cheers

    Ichnafi