Forum Discussion
need a way to get the DEFAULT cipher string via a yaml script
I'm writing a YAML script to get the DEFAULT cipher string being used.
Here is my specific code section:
```yaml
block:
  - name: check the default cipher
    bigip_command:
      commands:
        - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}
      provider: "{{ provider }}"
    delegate_to: localhost
    register: cipher_out
    ignore_errors: true
when: software_version_out.stdout != '15.1.4.1'
```
This is the error I get:
TASK [check the default cipher] **************************************************************************************************************************************************************
[WARNING]: Using "write" commands is not idempotent. You should use a module that is specifically made for that. If such a module does not exist, then please file a bug. The command in
question is "tmm --clientciphers DEFAULT | grep -i de..."
Is there another way to get this information via tmsh?
- spalandeNacreous
There might be other ways to retrieve this, but I tried using the cli transport (SSH) and it worked. This needs the paramiko plugin installed for SSH.
```yaml
---
- name: find cipher
  hosts: bigip
  connection: local
  vars_files:
    - secret
    - f5
  vars:
    provider:
      password: "{{ secret }}"
      user: "{{ uid }}"
      server: bigip
      server_port: 22
      transport: cli
  tasks:
    - name: find cipher
      bigip_command:
        commands:
          - bash
          - tmm --clientciphers DEFAULT
        provider: "{{ provider }}"
```
- Kevin_NailNimbostratus
Hey Sanjay,
Thanks for the reply, I tried your suggestions and it still fails but I get a different error this time:
TASK [check the default cipher] *************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: socket.timeout: The read operation timed out
Here is the new code:
```yaml
- name: check the default cipher
  bigip_command:
    commands:
      - bash
      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}
    provider: "{{ provider }}"
  delegate_to: localhost
  register: cipher_out
  ignore_errors: true
- debug:
    msg: "{{ cipher_out }}"
```
- spalandeNacreous
Please check if the SSH port is allowed from the Ansible server to the BIG-IP.
- Kevin_NailNimbostratus
I checked and verified SSH is allowed from the Ansible server to the BIG-IPs.
- spalandeNacreous
Strange. Have you added the server_port and transport parameters to provider? Also, can you check the full traceback using -vvv?
- Kevin_NailNimbostratus
Good catch, I forgot to add those... They have been added but still no luck. Here is the debug output with -vvv for one of the servers.
seeing this: "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn
...ignoring
<localhost> EXEC /bin/sh -c 'rm -f -r /home/knail/.ansible/tmp/ansible-tmp-1626198381.7990808-136657036311064/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 719, in main
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 659, in exec_module
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 437, in exec_module
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 599, in execute
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 508, in execute
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 582, in _execute
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 602, in execute_on_device
File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py", line 168, in run_commands
raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))
fatal: [192.168.196.100 -> localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"chdir": null,
"commands": [
"bash",
"tmm --clientciphers DEFAULT | grep -i des"
],
"interval": 1,
"match": "all",
"provider": {
"auth_provider": null,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"server": "192.168.196.100",
"server_port": 22,
"ssh_keyfile": null,
"timeout": null,
"transport": "cli",
"user": "root",
"validate_certs": false
},
"retries": 10,
"transport": "rest",
"wait_for": null,
"warn": true
}
},
"msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
}
...ignoring
TASK [debug] ********************************************************************************************************************************************************************************
task path: /home/knail/test-project/final.yaml:38
ok: [192.168.196.100] => {
"msg": {
"changed": false,
"exception": " File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 719, in main\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 659, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 437, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 599, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 508, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 582, in _execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 602, in execute_on_device\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py\", line 168, in run_commands\n raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))\n",
"failed": true,
"msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
}
}
- spalandeNacreous
It seems to be a syntax error from the commands. Please use the transport parameter as "cli". I see there is another one used with "rest".
Not sure what you are trying to grep. But can you try just using the default one first, without using grep?
e.g. tmm --clientciphers DEFAULT
- Kevin_NailNimbostratus
Hmm, I don't know where the transport: rest is coming from. It's not in my code anywhere (which I've re-attached).
I've removed the grep. Still the same error:
```yaml
---
- name: check DEFAULT and client cipher strings
  gather_facts: false
  hosts: all
  vars:
    provider:
      password: "{{ BACKEND_PASSWORD }}"
      server: "{{ inventory_hostname }}"
      user: "{{ BACKEND_USERNAME }}"
      server_port: 22
      transport: cli
      validate_certs: false
    cipher_string: des
    ignore_cipher: "!des"
    ignore_cipher2: "!3des"
  tasks:
    - name: get virtual list
      bigip_command:
        commands:
          - tmsh show /sys version | grep "Version "
        provider: "{{ provider }}"
      delegate_to: localhost
      register: software_version_out
    - debug:
        msg: "{{ software_version_out.stdout }}"
    - name: run the checks
      block:
        - name: check the default cipher
          bigip_command:
            commands:
              - bash
              - tmm --clientciphers DEFAULT
            provider: "{{ provider }}"
          delegate_to: localhost
          register: cipher_out
          ignore_errors: true
        - debug:
            msg: "{{ cipher_out }}"
      when: software_version_out.stdout != '15.1.4.1'
```
and I still get the same error:
fatal: [192.168.196.100 -> localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"chdir": null,
"commands": [
"bash",
"tmm --clientciphers DEFAULT"
],
"interval": 1,
"match": "all",
"provider": {
"auth_provider": null,
"password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"server": "192.168.196.100",
"server_port": 22,
"ssh_keyfile": null,
"timeout": null,
"transport": "cli",
"user": "root",
"validate_certs": false
},
"retries": 10,
"transport": "rest",
"wait_for": null,
"warn": true
}
},
"msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
}
- spalandeNacreous
Looks like an indentation error. Please use the below format.
```yaml
bigip_command:
  commands:
    - bash
    - tmm --clientciphers DEFAULT
```
Please refer to the one I pasted in the first comment. Please do not use tabs; use spaces as shown there.
- Kevin_NailNimbostratus
Hey Sanjay,
Looking back at your first comment... there was indentation there:
```yaml
bigip_command:
  commands:
    - bash
    - tmm --clientciphers DEFAULT
  provider: "{{ provider }}"
```
But I will remove them as you suggest.
- Kevin_NailNimbostratus
Same error:
"msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn12:Active:Standalone] config # "
- spalandeNacreous
Please post a screenshot of the commands parameter. I will take a look tomorrow.
Till then, see why the syntax error is appearing, as the code I posted works perfectly fine for me.
- Kevin_NailNimbostratus
Be happy to... But what command parameters are you wanting to see? I'm just wanting to get the DEFAULT clientciphers from the F5. Apparently Ansible is dropping me into tmsh, which does not like running tmm...
Don't know what the difference is between yours that works and mine that doesn't...
- Kevin_NailNimbostratus
Hey Sanjay,
Just an update. I got this working. The problem was with the way the command was processing:
- tmm --clientciphers DEFAULT
The Ansible BIG-IP module was prepending "tmsh -c" to the beginning of the line, making it have problems. I rearranged the command so that the bash statement and the tmm are passed on the same line, like this:
"bash -c 'tmm --clientciphers DEFAULT'"
This works because, when processed, the BIG-IP server prepends the tmsh -c so it looks like this:
tmsh -c "bash -c 'tmm --clientciphers DEFAULT'"
Anyway, it works now. Thanks for all your help! You got me looking in the right place.
Kevin
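As an added example that is not part of the thread: this models the `tmsh -c` prefixing Kevin describes, builds the single-item `bash -c '...'` form that survives it, and then checks the cipher listing for the DES/3DES suites the original playbook was grepping for. The `tmm --clientciphers DEFAULT` output below is a constructed sample in tmm's column layout, and the weak-cipher set is this example's own assumption, not an F5 list.

```python
import re
import shlex

# Constructed sample of `tmm --clientciphers DEFAULT` output (illustrative rows,
# not a capture from a real BIG-IP).
SAMPLE_TMM_OUTPUT = """\
       ID  SUITE                          BITS PROT    METHOD  CIPHER   MAC     KEYX
 0: 49200  ECDHE-RSA-AES256-GCM-SHA384    256  TLS1.2  Native  AES-GCM  SHA384  ECDHE_RSA
 1: 49199  ECDHE-RSA-AES128-GCM-SHA256    128  TLS1.2  Native  AES-GCM  SHA256  ECDHE_RSA
 2:    10  DES-CBC3-SHA                   168  TLS1.0  Native  DES      SHA     RSA
"""

# Assumption for this example: ciphers a reviewer would flag in a DEFAULT string.
WEAK_CIPHERS = {"DES", "3DES", "RC4", "NULL"}

ROW_RE = re.compile(
    r"^\s*\d+:\s+(?P<id>\d+)\s+(?P<suite>\S+)\s+(?P<bits>\d+)\s+(?P<prot>\S+)"
    r"\s+(?P<method>\S+)\s+(?P<cipher>\S+)\s+(?P<mac>\S+)\s+(?P<keyx>\S+)\s*$"
)


def wrap_for_bigip_cli(command: str) -> str:
    """Return a one-item command that still runs as bash after the module's
    `tmsh -c` prefix is applied; shlex.quote keeps the inner command intact."""
    return f"bash -c {shlex.quote(command)}"


def as_sent_by_module(command: str) -> str:
    """Model the prefixing seen in the thread: anything not already a tmsh
    command is wrapped as `tmsh -c "..."` before it reaches the device."""
    if command.startswith("tmsh"):
        return command
    return f'tmsh -c "{command}"'


def parse_clientciphers(output: str) -> list:
    """Parse tmm's table into one dict per cipher suite; the header is skipped."""
    return [m.groupdict() for m in map(ROW_RE.match, output.splitlines()) if m]


def weak_suites(output: str) -> list:
    """Suite names whose CIPHER column is in WEAK_CIPHERS (the grep the
    original playbook was trying to do, done on parsed fields instead)."""
    return [r["suite"] for r in parse_clientciphers(output)
            if r["cipher"].upper() in WEAK_CIPHERS]
```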