12-Jul-2021 09:03
I'm writing a yaml script to get the DEFAULT cipher string being used.
Here is my specific code section:
block:
  - name: check the default cipher
    bigip_command:
      commands:
        - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}
      provider: "{{ provider }}"
    delegate_to: localhost
    register: cipher_out
    ignore_errors: true
when: software_version_out.stdout != '15.1.4.1'
This is the error I get:
TASK [check the default cipher] **************************************************************************************************************************************************************
[WARNING]: Using "write" commands is not idempotent. You should use a module that is specifically made for that. If such a module does not exist, then please file a bug. The command in
question is "tmm --clientciphers DEFAULT | grep -i de..."
Is there another way to get this information via tmsh?
13-Jul-2021 03:15 - last edited on 04-Jun-2023 19:22 by JimmyPackets
There might be other ways to retrieve this, but I tried using cli transport (SSH) and it worked. This needs the paramiko plugin installed for SSH.
---
- name: find cipher
  hosts: bigip
  connection: local
  vars_files:
    - secret
    - f5
  vars:
    provider:
      password: "{{ secret }}"
      user: "{{ uid }}"
      server: bigip
      server_port: 22
      transport: cli
  tasks:
    - name: find cipher
      bigip_command:
        commands:
          - bash
          - tmm --clientciphers DEFAULT
        provider: "{{ provider }}"
13-Jul-2021 09:29
Hey Sanjay,
Thanks for the reply, I tried your suggestions and it still fails but I get a different error this time:
TASK [check the default cipher] *************************************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: socket.timeout: The read operation timed out
Here is the new code:
- name: check the default cipher
  bigip_command:
    commands:
      - bash
      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}
    provider: "{{ provider }}"
  delegate_to: localhost
  register: cipher_out
  ignore_errors: true
- debug:
    msg: "{{ cipher_out }}"
13-Jul-2021 09:33
Please check if the ssh port is allowed from the ansible server to the bigip.
13-Jul-2021 09:38
I checked and verified SSH is allowed from the ansible server to the BIG-IPs
13-Jul-2021 09:44
Strange. Have you added the server_port and transport parameters to provider? Also, can you check the full traceback using -vvv?
13-Jul-2021 10:56
Good catch, I forgot to add those... They have been added but still no luck. Here is the debug output with -vvv for one of the servers,
seeing this: "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn
...ignoring
<localhost> EXEC /bin/sh -c 'rm -f -r /home/knail/.ansible/tmp/ansible-tmp-1626198381.7990808-136657036311064/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 719, in main
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 659, in exec_module
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 437, in exec_module
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 599, in execute
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 508, in execute
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 582, in _execute
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 602, in execute_on_device
  File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py", line 168, in run_commands
    raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))
fatal: [192.168.196.100 -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "chdir": null,
            "commands": [
                "bash",
                "tmm --clientciphers DEFAULT | grep -i des"
            ],
            "interval": 1,
            "match": "all",
            "provider": {
                "auth_provider": null,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "192.168.196.100",
                "server_port": 22,
                "ssh_keyfile": null,
                "timeout": null,
                "transport": "cli",
                "user": "root",
                "validate_certs": false
            },
            "retries": 10,
            "transport": "rest",
            "wait_for": null,
            "warn": true
        }
    },
    "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
}
...ignoring
TASK [debug] ********************************************************************************************************************************************************************************
task path: /home/knail/test-project/final.yaml:38
ok: [192.168.196.100] => {
    "msg": {
        "changed": false,
        "exception": " File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 719, in main\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 659, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 437, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 599, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 508, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 582, in _execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 602, in execute_on_device\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py\", line 168, in run_commands\n raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))\n",
        "failed": true,
        "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
    }
}
13-Jul-2021 11:05
It seems to be a syntax error from the commands. Please use the transport parameter as "cli". I see there is another one used with "rest".
Not sure what you are trying to grep. But can you try just using the default one first without using grep?
e.g. tmm --clientciphers DEFAULT
13-Jul-2021 11:23
hmm I don't know where the transport: rest is coming from. It's not in my code anywhere (which I've re-attached)
I've removed the grep. Still the same error
---
- name: check DEFAULT and client cipher strings
  gather_facts: false
  hosts: all
  vars:
    provider:
      password: "{{ BACKEND_PASSWORD }}"
      server: "{{ inventory_hostname }}"
      user: "{{ BACKEND_USERNAME }}"
      server_port: 22
      transport: cli
      validate_certs: false
    cipher_string: des
    ignore_cipher: "!des"
    ignore_cipher2: "!3des"
  tasks:
    - name: get virtual list
      bigip_command:
        commands:
          - tmsh show /sys version | grep "Version "
        provider: "{{ provider }}"
      delegate_to: localhost
      register: software_version_out
    - debug:
        msg: "{{ software_version_out.stdout }}"
    - name: run the checks
      block:
        - name: check the default cipher
          bigip_command:
            commands:
              - bash
              - tmm --clientciphers DEFAULT
            provider: "{{ provider }}"
          delegate_to: localhost
          register: cipher_out
          ignore_errors: true
        - debug:
            msg: "{{ cipher_out }}"
      when: software_version_out.stdout != '15.1.4.1'
and I still get the same error:
fatal: [192.168.196.100 -> localhost]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "chdir": null,
            "commands": [
                "bash",
                "tmm --clientciphers DEFAULT"
            ],
            "interval": 1,
            "match": "all",
            "provider": {
                "auth_provider": null,
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "192.168.196.100",
                "server_port": 22,
                "ssh_keyfile": null,
                "timeout": null,
                "transport": "cli",
                "user": "root",
                "validate_certs": false
            },
            "retries": 10,
            "transport": "rest",
            "wait_for": null,
            "warn": true
        }
    },
    "msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "
}
13-Jul-2021 11:34 - last edited on 04-Jun-2023 19:22 by JimmyPackets
Looks like an indentation error. Please use the format below.
bigip_command:
  commands:
    - bash
    - tmm --clientciphers DEFAULT
Please refer to the one I pasted in the first comment. Please do not use tabs; use spaces as shown there.
13-Jul-2021 11:38
Hey Sanjay,
Looking back at your first comment... there was indentation there:
bigip_command:
  commands:
    - bash
    - tmm --clientciphers DEFAULT
  provider: "{{ provider }}"
But I will remove them as you suggest.
13-Jul-2021 11:40
Same error:
"msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn12:Active:Standalone] config # "
13-Jul-2021 11:47
Please post a screenshot of the commands parameter. I will take a look tomorrow.
Till then, see why the syntax error is appearing, as the code I posted works perfectly fine for me.
13-Jul-2021 12:06
Be happy to.. But what command parameters are you wanting to see? I'm just wanting to get the DEFAULT clientciphers from the F5. Apparently ansible is dropping me into tmsh, which does not like running tmm...
Don't know what the difference is between yours that works and mine that doesn't...
13-Jul-2021 13:21
Hey Sanjay,
Just an update. I got this working. The problem was with the way the command was processing:
- tmm --clientciphers DEFAULT
The ansible big-ip module was prepending "tmsh -c" to the beginning of the line, making it have problems. I re-arranged the command so that the bash statement and the tmm are passed in the same line, like this:
"bash -c 'tmm --clientciphers DEFAULT'"
This works because when processed the big-ip server prepends the tmsh -c so it looks like this:
tmsh -c "bash -c 'tmm --clientciphers DEFAULT'"
Anyway, it works now. Thanks for all your help. You got me looking in the right place.
Kevin
13-Jul-2021 14:36
Sanjay,
If you don't mind me asking another related question. I have the code working, but how do I handle codes? For example... if cipher abc shows up in the list, I want debug to print one message like "Found abc"; if cipher abc does not show up in the list, I want debug to print a different message like "No cipher found".
This is what I have added (in bold):
bigip_command:
  commands:
    - tmsh list ltm profile client-ssl ciphers | grep -i -v -E '{{ ignore_cipher }}|{{ ignore_cipher2 }}' | grep -i -B1 {{ cipher_string }}
  provider: "{{ provider }}"
delegate_to: localhost
register: client_cipher_out
ignore_errors: true
- debug:
    msg: "No Cipher Found in any Client profile"
  when: client_cipher_out.rc != 0
- debug:
    msg: "{{ client_cipher_out.stdout_lines }}"
  when: client_cipher_out.rc == 0
I suspect my logic is not correct because the exit status will still be 0 even if it does not find anything; however, I see this in the output:
TASK [debug] ********************************************************************************************************************************************************************************
fatal: [192.168.196.120]: FAILED! => {"msg": "The conditional check 'client_cipher_out.rc != 0' failed. The error was: error while evaluating conditional (client_cipher_out.rc != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/home/knail/test-project/final.yaml': line 47, column 10, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n ignore_errors: true\n - debug:\n ^ here\n"}
Any ideas?
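As an added example (not code from the thread), the working `bash -c` form from Kevin's update combined with a check on the returned text rather than on an exit code: the error above shows the registered result has no `rc`, and bigip_command returns `stdout` and `stdout_lines` with one entry per command, so the match is done in Ansible on that output. The names `provider`, `cipher_string` and `cipher_out` are taken from the thread; `cipher_hits` is a new fact introduced here.

```yaml
- name: check the default cipher
  bigip_command:
    commands:
      # one command, so the "tmsh -c" the module prepends wraps bash,
      # and bash (not tmsh) runs tmm, as in Kevin's working version
      - "bash -c 'tmm --clientciphers DEFAULT'"
    provider: "{{ provider }}"
  delegate_to: localhost
  register: cipher_out

- name: collect output lines that mention the cipher of interest
  set_fact:
    # stdout_lines[0] is the line list for the first (only) command;
    # lower-case both sides so "des" matches "DES" and "3DES" alike
    cipher_hits: "{{ cipher_out.stdout_lines[0] | map('lower') | select('search', cipher_string | lower) | list }}"

- name: report a match in the DEFAULT cipher string
  debug:
    msg: "Found {{ cipher_string }} in DEFAULT: {{ cipher_hits }}"
  when: cipher_hits | length > 0

- name: report no match in the DEFAULT cipher string
  debug:
    msg: "No {{ cipher_string }} cipher found in DEFAULT"
  when: cipher_hits | length == 0
```

The same `select('search', ...)` pattern applies to the client-ssl profile check, replacing the `grep -i` pipeline and the `rc` conditionals.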