Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions

need a way to get the DEFAULT cipher string via a yaml script

Kevin_Nail
Nimbostratus
Nimbostratus

‎12-Jul-2021 09:03

Im writing a yaml script to get the DEAULT cipher string being used.

Here is my speciic code section:

block:

    - name: check the default cipher

     bigip_command:

      commands:

      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string}}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

   when: software_version_out.stdout != '15.1.4.1'

 

This is the error I get:

TASK [check the default cipher] **************************************************************************************************************************************************************

[WARNING]: Using "write" commands is not idempotent. You should use a module that is specifically made for that. If such a module does not exist, then please file a bug. The command in

question is "tmm --clientciphers DEFAULT | grep -i de..."

 

Is there another way to get this information via tmsh?

Labels:
0 Kudos
15 REPLIES 15

SanjayP
MVP
MVP

‎13-Jul-2021 03:15 - last edited on ‎04-Jun-2023 19:22 by Fog

There might be other ways to retrieve this, but I tried using cli transport (SSH) and it worked. This needs paramiko plugin installed for SSH. 

---
 
- name: find cipher
  hosts: bigip
  connection: local
  vars_files:
    - secret
	- f5
 
  vars:
    provider:
        password: "{{ secret }}"
        user: "{{ uid }}"
        server: bigip
        server_port: 22
        transport: cli
 
  tasks:
    - name: find cipher
      bigip_command:
        commands:
          - bash
          - tmm --clientciphers DEFAULT
        provider: "{{ provider }}"
0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus
In response to SanjayP

‎13-Jul-2021 09:29

Hey Sanjay,

 

Thanks for the reply, I tried your suggestions and it still fails but I get a different error this time:

 

TASK [check the default cipher] *************************************************************************************************************************************************************

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: socket.timeout: The read operation timed out

 

Here is the new code:

 

    - name: check the default cipher

     bigip_command:

      commands:

      - bash

      - tmm --clientciphers DEFAULT | grep -i {{ cipher_string }}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

    - debug:

      msg: "{{ cipher_out }}"

 

 

0 Kudos

SanjayP
MVP
MVP
In response to Kevin_Nail

‎13-Jul-2021 09:33

Please check if ssh port is allowed from the ansible server to bigip. ​

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 09:38

I checked and verified SSH is allowed from the ansible server to the BIG-IPs

0 Kudos

SanjayP
MVP
MVP
In response to Kevin_Nail

‎13-Jul-2021 09:44

Strange. Have you added​ server_port and transport parameters to provider? Also, can you chek full traceback using -vvv

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 10:56

Good catch, I forgot to add those... They have been added but still no luck. Here the debug output with -vvv for one of the servers

 

seeing this: "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn

 

...ignoring

<localhost> EXEC /bin/sh -c 'rm -f -r /home/knail/.ansible/tmp/ansible-tmp-1626198381.7990808-136657036311064/ > /dev/null 2>&1 && sleep 0'

The full traceback is:

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 719, in main

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 659, in exec_module

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 437, in exec_module

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 599, in execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 508, in execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 582, in _execute

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py", line 602, in execute_on_device

 File "/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py", line 168, in run_commands

  raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))

fatal: [192.168.196.100 -> localhost]: FAILED! => {

  "changed": false,

  "invocation": {

    "module_args": {

      "chdir": null,

      "commands": [

        "bash",

        "tmm --clientciphers DEFAULT | grep -i des"

      ],

      "interval": 1,

      "match": "all",

      "provider": {

        "auth_provider": null,

        "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",

        "server": "192.168.196.100",

        "server_port": 22,

        "ssh_keyfile": null,

        "timeout": null,

        "transport": "cli",

        "user": "root",

        "validate_certs": false

      },

      "retries": 10,

      "transport": "rest",

      "wait_for": null,

      "warn": true

    }

  },

  "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

}

...ignoring

 

TASK [debug] ********************************************************************************************************************************************************************************

task path: /home/knail/test-project/final.yaml:38

ok: [192.168.196.100] => {

  "msg": {

    "changed": false,

    "exception": " File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 719, in main\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 659, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 437, in exec_module\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 599, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 508, in execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 582, in _execute\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/modules/network/f5/bigip_command.py\", line 602, in execute_on_device\n File \"/tmp/ansible_bigip_command_payload_q17s1o1t/ansible_bigip_command_payload.zip/ansible/module_utils/network/f5/common.py\", line 168, in run_commands\n  raise F5ModuleError(to_text(err, errors='surrogate_then_replace'))\n",

    "failed": true,

    "msg": "tmsh -c \"tmm --clientciphers DEFAULT \" | grep -i des\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

  }

}

0 Kudos

SanjayP
MVP
MVP

‎13-Jul-2021 11:05

It seems to be syntax error from the commands. Please use, transport parameter as "cli". I see, there is another used with "rest"

​Not sure, what are you trying to grep. But can you try just using just default one first without using grep?

e.g. ​tmm --clientciphers DEFAULT

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 11:23

hmm I dont know where the transport: rest is coming from. Its not in my code anywhere (which I've re-attched)

 

I've removed the grep. Still same error

 

---

 

- name: check DEFAULT and client cipher strings

 gather_facts: false

 hosts: all

 vars:

  provider:

   password: "{{ BACKEND_PASSWORD }}"

   server: "{{ inventory_hostname }}"

   user: "{{ BACKEND_USERNAME }}"

   server_port: 22

   transport: cli

   validate_certs: false

  cipher_string: des

  ignore_cipher: "!des"

  ignore_cipher2: "!3des"

 tasks:

  - name: get virtual list

   bigip_command:

    commands:

     - tmsh show /sys version | grep "Version "

    provider: "{{ provider }}"

   delegate_to: localhost

   register: software_version_out

  - debug:

    msg: "{{ software_version_out.stdout }}"

  - name: run the checks

   block:

    - name: check the default cipher

     bigip_command:

      commands:

      - bash

      - tmm --clientciphers DEFAULT

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

    - debug:

      msg: "{{ cipher_out }}"

   when: software_version_out.stdout != '15.1.4.1'

 

 

 

 

and I still get the same error:

 

fatal: [192.168.196.100 -> localhost]: FAILED! => {

  "changed": false,

  "invocation": {

    "module_args": {

      "chdir": null,

      "commands": [

        "bash",

        "tmm --clientciphers DEFAULT"

      ],

      "interval": 1,

      "match": "all",

      "provider": {

        "auth_provider": null,

        "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",

        "server": "192.168.196.100",

        "server_port": 22,

        "ssh_keyfile": null,

        "timeout": null,

        "transport": "cli",

        "user": "root",

        "validate_certs": false

      },

      "retries": 10,

      "transport": "rest",

      "wait_for": null,

      "warn": true

    }

  },

  "msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn:Active:Standalone] config # "

}

0 Kudos

SanjayP
MVP
MVP

‎13-Jul-2021 11:34 - last edited on ‎04-Jun-2023 19:22 by Fog

Looks indentation error. Please use in below format. 

​bigip_command:
    commands:
         - bash
         - tmm --clientciphers DEFAULT

Please refer one I pasted in the first comment. Please do not use tab and use spaces as shown there.

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 11:38

Hey Sanjay

 

Looking back at your first comment... there was indentation there:

 

bigip_command:

commands:

- bash

- tmm --clientciphers DEFAULT

provider: "{{ provider }}"

 

But I will remove them as you suggest

 

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 11:40

Same error:

 

 "msg": "tmsh -c \"tmm --clientciphers DEFAULT\"\r\nSyntax Error: unexpected argument \"tmm\"\r\n[root@bigipckn12:Active:Standalone] config # "

0 Kudos

SanjayP
MVP
MVP
In response to Kevin_Nail

‎13-Jul-2021 11:47

Please post the screenshot of commands parameter. I will take a look tomorrow. ​

Till then see why syntax error is appearing as the code I posted ​works perfectly fine for me.

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 12:06

Be happy to.. But what command parameters are you wanting to see? Im just wanting to get the DEFAULT clientciphers from the F5. Apparantly ansible is dropping me into tmsh, which does not like running tmm...

Dont know what the difference is between yours that works and mine that doesnt...

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 13:21

Hey Sanjay,

 

Just an update. I got this working, The problem was with the way the way the command was processing

 

- tmm --clientciphers DEFAULT

 

ansible big-ip module was prepending "tmsh -c" to the beginning of the line. Making it have problems. I re-arranged the command so that the bash statement and the tmm are passed in the same line, like this:

 

"bash -c 'tmm --clientciphers DEFAULT'"

This works because when processed the big-ip server prepends the tmsh -c so it looks like this:

 

tmsh -c "bash -c 'tmm --clientciphers DEFAULT'"

 

anyway, it works now, Thanks! for all your help. You got me looking in the right place

 

Kevin

0 Kudos

Kevin_Nail
Nimbostratus
Nimbostratus

‎13-Jul-2021 14:36

Sanjay,

 

If you dont mind me asking another related question. I have the code working but how do I handle codes? for example... if cipher abc show up in the list, I want debug to print one message like "Found abc" if cipher abc does not show up in the list, I want debug to print a different message like "No cipher found"

 

This is what I have added (in bolc)

     bigip_command:

      commands:

       - tmsh list ltm profile client-ssl ciphers | grep -i -v -E '{{ ignore_cipher }}|{{ ignore_cipher2 }}' | grep -i -B1 {{ cipher_string }}

      provider: "{{ provider }}"

     delegate_to: localhost

     register: cipher_out

     ignore_errors: true

     register: client_cipher_out

     ignore_errors: true

    - debug:

      msg: "No Cipher Found in any Client profile"

     when: client_cipher_out.rc != 0

    - debug:

      msg: "{{ client_cipher_out.stdout_lines }}"

     when: client_cipher_out.rc == 0

 

I suspect my logic is not correct because the exits status will still be 0, even if it does not find anything, however, I see this in the output:

 

TASK [debug] ********************************************************************************************************************************************************************************

fatal: [192.168.196.120]: FAILED! => {"msg": "The conditional check 'client_cipher_out.rc != 0' failed. The error was: error while evaluating conditional (client_cipher_out.rc != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to be in '/home/knail/test-project/final.yaml': line 47, column 10, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n     ignore_errors: true\n    - debug:\n     ^ here\n"}

 

Any ideas?

0 Kudos
Copyright © 2023 Khoros, LLC