Forum Discussion

Daniel_H's avatar
Icon for Nimbostratus rankNimbostratus
May 21, 2024

Ansible F5 imperative collection works with proxies, declarative collection doesn't

I have a case where most of the F5s in our environment are accessible from our
Ansible Tower environment controllers without going through an internal proxy.
However, a few F5s can only be accessed via an http/s forwarding proxy.

I have gotten F5's imperative (f5_modules) and declarative (f5_bigip) Ansible
collections to work fine without using a proxy as described at:

However, when using a proxy (by specifying them using the ansible 'environment'
parameter), I've only been able to get the imperative collection to work. I've
had no success getting the declarative collection to work through a proxy, which
is a bit ironic as the httpapi connection type indicates that 'use_proxy' is
true by default.

I've done testing on a test VM that I created with Ansible installed and have had
the same results as when using Ansible Tower. Some details of the test

inventory file:


cnb-ilb01-t001 ansible_host=
cnb-ilb01-t002 ansible_host=

vars.yml file:


ansible_ssh_user: "root"
ansible_ssh_pass: "{{ ansible_ssh_pass_vault }}"

playbook (excerpt, showing only the first task):

- hosts: "{{ f5_cluster }}"
  environment: "{{ proxy_env | default({}) }}"
  collections: f5networks.f5_bigip
  connection: httpapi
    ansible_server: "{{ ansible_host }}"
    ansible_user: "{{ ansible_ssh_user }}"
    ansible_network_os: f5networks.f5_bigip.bigip 
    ansible_httpapi_password: "{{ ansible_ssh_pass }}"
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: true
    ansible_httpapi_use_proxy: true
    ansible_httpapi_validate_certs: false
  - name: get failover state
    - devices
    register: f5_device_info

I've enabled debug logging:

export ANSIBLE_LOG_PATH=~/ansible.log

and used '-vvvv' when running ansible-playbook and can see the ansible 'httpapi'
and F5 'f5_bigip' collections being used.  However, it appears that proxy
environment variables are loaded (during the implicit 'gather_facts') after the
connection has been established:

<> EXEC /bin/sh -c 'http_proxy= https_proxy= /usr/bin/python3 /home/osboxes/.ansible/tmp/ansible-local-67825q3anan16/ansible-tmp-1716235016.7934482-67834-4566673767345/ && sleep 0'

And when the 'get failover state' task is run, it appears to be using the
session established during gather_facts:

<> found existing local domain socket, using it!

and hence not still not using any proxy environment values.

I ran a tcpdump on the proxy host itself and no traffic is ever sent to the
proxy from the playbook. I have tried setting 'gather_facts: false', but
then I see no debug output even mentioning using a proxy.

I'm not sure if I'm doing something wrong (quite possible), if it's an f5_bigip
collection issue, or something with Ansible.

Has anyone had any success getting declarative (f5_bigip) collection to
work using a proxy? I've tried everything I can think of, but no luck.

No RepliesBe the first to reply