Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

need a way to get the DEFAULT cipher string via a yaml script

Kevin_Nail
Nimbostratus
Nimbostratus

Im writing a yaml script to get the DEAULT cipher string being used.

Here is my speciic code section:

block:

    - name: check the default cipher

     bigip_command:

      commands:

      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string}}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

   when: software_version_out.stdout != '15.1.4.1'

 

This is the error I get:

TASK [check the default cipher] **************************************************************************************************************************************************************

[WARNING]: Using "write" commands is not idempotent. You should use a module that is specifically made for that. If such a module does not exist, then please file a bug. The command in

question is "tmm --clientciphers DEFAULT | grep -i de..."

 

Is there another way to get this information via tmsh?

15 REPLIES 15

SanjayP
MVP
MVP

There might be other ways to retrieve this, but I tried using cli transport (SSH) and it worked. This needs paramiko plugin installed for SSH.

---
 
- name: find cipher
  hosts: bigip
  connection: local
  vars_files:
    - secret
	- f5
 
  vars:
    provider:
        password: "{{ secret }}"
        user: "{{ uid }}"
        server: bigip
        server_port: 22
        transport: cli
 
  tasks:
    - name: find cipher
      bigip_command:
        commands:
          - bash
          - tmm --clientciphers DEFAULT
        provider: "{{ provider }}"

Hey Sanjay,

 

Thanks for the reply, I tried your suggestions and it still fails but I get a different error this time:

 

TASK [check the default cipher] *************************************************************************************************************************************************************

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: socket.timeout: The read operation timed out

 

Here is the new code:

 

    - name: check the default cipher

     bigip_command:

      commands:

      - bash

      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

    - debug:

      msg: "{{ cipher_out }}"

 

 

Please check if ssh port is allowed from the ansible server to bigip. ​

Kevin_Nail
Nimbostratus
Nimbostratus

I checked and verified SSH is allowed from the ansible server to the BIG-IPs

Strange. Have you added​ server_port and transport parameters to provider? Also, can you chek full traceback using -vvv

Kevin_Nail
Nimbostratus
Nimbostratus

Good catch, I forgot to add those... They have been added but still no luck. Here the debug output with -vvv for one of the servers

 

seeing this: "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn

 

...ignoring

<localhost> EXEC /bin/sh -c 'rm -f -r /home/knail/.ansible/tmp/ansible-tmp-1626198381.7990808-136657036311064/ > /dev/null 2>&1 && sleep 0'

The full traceback is:

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 719, in main

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 659, in exec_module

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 437, in exec_module

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 599, in execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 508, in execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 582, in _execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 602, in execute_on_device

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py", line 168, in run_commands

  raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))

fatal: [192.168.196.100 -> localhost]: FAILED! => {

  "changed": false,

  "invocation": {

    "module_args": {

      "chdir": null,

      "commands": [

        "bash",

        "tmm --clientciphers DEFAULT | grep -i des"

      ],

      "interval": 1,

      "match": "all",

      "provider": {

        "auth_provider": null,

        "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",

        "server": "192.168.196.100",

        "server_port": 22,

        "ssh_keyfile": null,

        "timeout": null,

        "transport": "cli",

        "user": "root",

        "validate_certs": false

      },

      "retries": 10,

      "transport": "rest",

      "wait_for": null,

      "warn": true

    }

  },

  "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

}

...ignoring

 

TASK [debug] ********************************************************************************************************************************************************************************

task path: /home/knail/test-project/final.yaml:38

ok: [192.168.196.100] => {

  "msg": {

    "changed": false,

    "exception": " File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 719, in main\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 659, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 437, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 599, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 508, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 582, in _execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 602, in execute_on_device\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py\", line 168, in run_commands\n  raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))\n",

    "failed": true,

    "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

  }

}

SanjayP
MVP
MVP

It seems to be syntax error from the commands. Please use, transport parameter as "cli". I see, there is another used with "rest"

​Not sure, what are you trying to grep. But can you try just using just default one first without using grep?

e.g. ​tmm --clientciphers DEFAULT

Kevin_Nail
Nimbostratus
Nimbostratus

hmm I dont know where the transport: rest is coming from. Its not in my code anywhere (which I've re-attched)

 

I've removed the grep. Still same error

 

---

 

- name: check DEFAULT and client cipher strings

 gather_facts: false

 hosts: all

 vars:

  provider:

   password: "{{ BACKEND_PASSWORD }}"

   server: "{{ inventory_hostname }}"

   user: "{{ BACKEND_USERNAME }}"

   server_port: 22

   transport: cli

   validate_certs: false

  cipher_string: des

  ignore_cipher: "!des"

  ignore_cipher2: "!3des"

 tasks:

  - name: get virtual list

   bigip_command:

    commands:

     - tmsh show /sys version | grep "Version "

    provider: "{{ provider }}"

   delegate_to: localhost

   register: software_version_out

  - debug:

    msg: "{{ software_version_out.stdout }}"

  - name: run the checks

   block:

    - name: check the default cipher

     bigip_command:

      commands:

      - bash

      - tmm --clientciphers DEFAULT

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

    - debug:

      msg: "{{ cipher_out }}"

   when: software_version_out.stdout != '15.1.4.1'

 

 

 

 

and I still get the same error:

 

fatal: [192.168.196.100 -> localhost]: FAILED! => {

  "changed": false,

  "invocation": {

    "module_args": {

      "chdir": null,

      "commands": [

        "bash",

        "tmm --clientciphers DEFAULT"

      ],

      "interval": 1,

      "match": "all",

      "provider": {

        "auth_provider": null,

        "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",

        "server": "192.168.196.100",

        "server_port": 22,

        "ssh_keyfile": null,

        "timeout": null,

        "transport": "cli",

        "user": "root",

        "validate_certs": false

      },

      "retries": 10,

      "transport": "rest",

      "wait_for": null,

      "warn": true

    }

  },

  "msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

}

SanjayP
MVP
MVP

Looks indentation error. Please use in below format.

​bigip_command:
    commands:
         - bash
         - tmm --clientciphers DEFAULT

Please refer one I pasted in the first comment. Please do not use tab and use spaces as shown there.

Kevin_Nail
Nimbostratus
Nimbostratus

Hey Sanjay

 

Looking back at your first comment... there was indentation there:

 

bigip_command:

commands:

- bash

- tmm --clientciphers DEFAULT

provider: "{{ provider }}"

 

But I will remove them as you suggest

 

Kevin_Nail
Nimbostratus
Nimbostratus

Same error:

 

 "msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn12:Active:Standalone] config # "

Please post the screenshot of commands parameter. I will take a look tomorrow. ​

Till then see why syntax error is appearing as the code I posted ​works perfectly fine for me.

Kevin_Nail
Nimbostratus
Nimbostratus

Be happy to.. But what command parameters are you wanting to see? Im just wanting to get the DEFAULT clientciphers from the F5. Apparantly ansible is dropping me into tmsh, which does not like running tmm...

Dont know what the difference is between yours that works and mine that doesnt...

Kevin_Nail
Nimbostratus
Nimbostratus

Hey Sanjay,

 

Just an update. I got this working, The problem was with the way the way the command was processing

 

- tmm --clientciphers DEFAULT

 

ansible big-ip module was prepending "tmsh -c" to the beginning of the line. Making it have problems. I re-arranged the command so that the bash statement and the tmm are passed in the same line, like this:

 

"bash -c 'tmm --clientciphers DEFAULT'"

This works because when processed the big-ip server prepends the tmsh -c so it looks like this:

 

tmsh -c "bash -c 'tmm --clientciphers DEFAULT'"

 

anyway, it works now, Thanks! for all your help. You got me looking in the right place

 

Kevin

Kevin_Nail
Nimbostratus
Nimbostratus

Sanjay,

 

If you dont mind me asking another related question. I have the code working but how do I handle codes? for example... if cipher abc show up in the list, I want debug to print one message like "Found abc" if cipher abc does not show up in the list, I want debug to print a different message like "No cipher found"

 

This is what I have added (in bolc)

     bigip_command:

      commands:

       - tmsh list ltm profile client-ssl ciphers | grep -i -v -E '{{ ignore_cipher }}|{{ ignore_cipher2 }}' | grep -i -B1 {{ cipher_string }}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

     register: client_cipher_out

     ignore_errors: true

    - debug:

      msg: "No Cipher Found in any Client profile"

     when: client_cipher_out.rc != 0

    - debug:

      msg: "{{ client_cipher_out.stdout_lines }}"

     when: client_cipher_out.rc == 0

 

I suspect my logic is not correct because the exits status will still be 0, even if it does not find anything, however, I see this in the output:

 

TASK [debug] ********************************************************************************************************************************************************************************

fatal: [192.168.196.120]: FAILED! => {"msg": "The conditional check 'client_cipher_out.rc != 0' failed. The error was: error while evaluating conditional (client_cipher_out.rc != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/home/knail/test-project/final.yaml': line 47, column 10, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n     ignore_errors: true\n    - debug:\n     ^ here\n"}

 

Any ideas?