Forum Discussion

Ichnafi
Sep 29, 2023

Ansible - Bricking freshly installed vcmp guests with ansible

  Hello fellow F5 admins, currently I try to established a workflow, where new vcmp guests are created and configured with a standard basic config (and even building a HA setup). The creation part...
  • Ichnafi
    Oct 02, 2023

    Got it working!

    I ran into several strange issues.

    1. Password handling seems to be not consistent. For some reason I had a "\n" at the end of my password in the ansible-vault encrypted string. Why? Don't know. It seems that normal API and GUI login do not care about this trailing "\n", but password changes do.
    2. After fixing the password and (just for good measure) adding the Jinja2 filter "trim" to all my password variables, I ran everything again using the REST endpoint "mgmt/shared/authz/users/admin" with a PATCH, leaving the system bricked again.

    3. How I got it to work

    1. When connecting via SSH as user "root" you are forced to set a new root password.
      This password is also set as the admin password, which still has to be changed. Also worth mentioning that restjavad will automatically restart.
    2. Connect via SSH as user "admin" with the root password and set a new admin password. After the password change you get booted out of your SSH session and the return code is 1, so we have to consider this in Ansible.

    To automate the password changes I wrote tasks using the module ansible.builtin.expect.
    This completely renders idempotency useless. Changes in the SSH login flow and/or messages will make the tasks fail.


    - name: Change root password
      # First SSH login as root on a fresh guest forces a new root password.
      # The same value is copied to the admin account, so admin is changed again below.
      no_log: true
      ansible.builtin.expect:
        command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@"{{ ansible_host }}"
        timeout: 10
        responses:
          # initial login still uses the factory default password
          '(.*)Password(.*)': default
          '(.*)UNIX password:(.*)': default
          # trim guards against a stray "\n" inside the vaulted string
          '(.*)New BIG-IP password(.*)': "{{ f5_root_password | trim }}"
          '(.*)Retype new BIG-IP password(.*)': "{{ f5_root_password | trim }}"
          '(.*)config(.*)#': exit
      register: output
      delegate_to: localhost

    - name: Debug
      # no_log on the task above does not censor a later debug of the registered
      # variable, so remove this task once the flow is stable
      ansible.builtin.debug:
        var: output

    - name: Wait for restjavad to be restarted
      # the root password change triggers a restjavad restart; give it time to come back
      ansible.builtin.wait_for:
        timeout: 20
      delegate_to: localhost

    - name: Change admin password
      no_log: true
      ansible.builtin.expect:
        command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no "{{ f5_api_admin_user }}"@"{{ ansible_host }}"
        timeout: 10
        responses:
          # admin still carries the root password set above
          '(.*)Password(.*)': "{{ f5_root_password | trim }}"
          '(.*)UNIX password:(.*)': "{{ f5_root_password | trim }}"
          '(.*)New BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
          '(.*)Retype new BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
      register: output
      # the device closes the SSH session after the change, so ssh exits with rc 1
      failed_when: output.rc not in [0, 1]
      delegate_to: localhost


    The whole thing is still really annoying. I don't understand why this has to be resolved like this, in times where cloud first, API first, whatever first is key. This should really be done in a different way.

    Cheers

    Ichnafi
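Since the root cause in the thread was a vaulted password that carried a trailing "\n", a pre-flight assertion that refuses such values before any password-change task runs keeps a fresh guest from being locked out by a bad secret. The task below is an added example, not part of the post above; it assumes the same variable names the post uses (f5_root_password, f5_api_admin_password) and compares lengths rather than values so the secret itself never appears in task output.

```yaml
# Added pre-flight check (example, not code from the thread). Assumes the vaulted
# variables f5_root_password and f5_api_admin_password from the post are defined.
- name: Pre-flight - refuse vaulted passwords that carry leading/trailing whitespace
  ansible.builtin.assert:
    that:
      # length comparison keeps the secret out of the assertion text on failure
      - f5_root_password is string
      - (f5_root_password | length) == (f5_root_password | trim | length)
      - f5_api_admin_password is string
      - (f5_api_admin_password | length) == (f5_api_admin_password | trim | length)
    fail_msg: >-
      A vaulted password has leading or trailing whitespace (usually a stray
      newline captured when the string was encrypted). Re-encrypt it with
      'ansible-vault encrypt_string' without a trailing newline before running
      the password-change tasks, otherwise the guest ends up locked out.
    quiet: true
  delegate_to: localhost
  run_once: true
```

Place this task ahead of the expect tasks; it fails the play on the control node before any SSH session is opened, which is the cheapest point at which to catch the problem.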