Ansible
70 Topics

Connection Refused error when running Ansible Playbook

I'm trying to run an Ansible playbook to create a new local user account on a BIG-IP VE running 13.1.3.4 using the bigip_user module. I'm able to run tasks using the bigip_device_info and bigip_config modules successfully, but whenever I try to run a playbook with a module that changes settings (i.e. bigip_user or bigip_snmp_community) it errors out with the message:

"An exception occurred during task execution. To see the full traceback, use -vvv. The error was: urllib.error.URLError: <urlopen error [Errno 111] Connection refused>"

I'm new to Ansible on the BIG-IP platform. Any help on this is greatly appreciated.

Playbook:

    ---
    - name: Add users playbook
      hosts: "{{ devices }}"
      strategy: free
      order: sorted
      connection: local
      gather_facts: no
      become: no
      become_method: enable
      ignore_errors: no
      collections:
        - f5networks.f5_modules
      vars:
        provider:
          server: "{{ ansible_host }}"
          user: <username>
          password: <password>
          validate_certs: no
          server_port: 443
      tasks:
        - name: Add or update the user
          bigip_user:
            provider: "{{ provider }}"
            username_credential: user
            password_credential: password
            update_password: always
            full_name: User
            shell: bash
            partition_access:
              - all:admin
            state: present
          delegate_to: localhost

Error:

    The full traceback is:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/urllib/request.py", line 1350, in do_open
        encode_chunked=req.has_header('Transfer-encoding'))
      File "/usr/local/lib/python3.7/http/client.py", line 1277, in request
        self._send_request(method, url, body, headers, encode_chunked)
      File "/usr/local/lib/python3.7/http/client.py", line 1323, in _send_request
        self.endheaders(body, encode_chunked=encode_chunked)
      File "/usr/local/lib/python3.7/http/client.py", line 1272, in endheaders
        self._send_output(message_body, encode_chunked=encode_chunked)
      File "/usr/local/lib/python3.7/http/client.py", line 1032, in _send_output
        self.send(msg)
      File "/usr/local/lib/python3.7/http/client.py", line 972, in send
        self.connect()
      File "/usr/local/lib/python3.7/http/client.py", line 1439, in connect
        super().connect()
      File "/usr/local/lib/python3.7/http/client.py", line 944, in connect
        (self.host,self.port), self.timeout, self.source_address)
      File "/usr/local/lib/python3.7/socket.py", line 728, in create_connection
        raise err
      File "/usr/local/lib/python3.7/socket.py", line 716, in create_connection
        sock.connect(sa)
    ConnectionRefusedError: [Errno 111] Connection refused

Thanks,
-Edson

Extract content of Certificate key file with REST or Ansible
Hi Community,

I'm working on an automation for renewing certificates on multiple BIG-IPs using Ansible. As not all available Ansible F5 modules provide what is required, I'm currently using a mix of modules and REST calls (which are called from Ansible). F5 Module Index

What works so far is:
- Create a new CSR/key on the BIG-IP
- Get the new "CA based" cert and upload it to the BIG-IP
- Upload the same cert to the other BIG-IPs
- Update SSL profiles on multiple BIG-IPs
and some other tasks, like iRules, etc.

Anyhow, what doesn't work so far is to get the content of the key which was created on the first device together with the CSR. Basically I don't have the key which needs to be uploaded to the other BIG-IPs as well.

From the CLI, the following gives me what I need:

    cat /config/filestore/files_d/Common_d/certificate_key_d/*name.key*

The problem with this is, I can't integrate it in Ansible using the "bigip_command – Run TMSH and BASH commands on F5 devices" module. Looks like only tmsh commands are supported even though it states BASH as well. Plus I try to avoid using this module whenever possible in the first place.

Through the GUI, simple export and import on another device - done, but obviously not automated.

I have tried all possible Ansible modules as well as REST calls, but don't get the content out of the .key file. I thought that this would/should be a simple task. If anyone's done this using any approach please share. I could create a new key and get a cert for each device, but first I'd like to find out if there's another way.

Thanks in advance,
Stefan

Error Running Ansible tasks on the active BIG-IP K10531487
I'm getting an error running code from K10531487: Running Ansible tasks on the active BIG-IP in a device group. This appears to be an auth error on the active device; however, the play runs cleanly getting facts on the device, and this environment runs other Ansible scripts on the same F5s as well. Any ideas for next steps? I appreciate your help.

Error:

    TASK [Display bigip facts f5bm.express-scripts.com] ******************************************
    ok: [f5bm.express-scripts.com] => {}

    MSG:

    [u'Hostname: f5bm.express-scripts.com', u'Status: HA_STATE_ACTIVE']

    TASK [Create pool] ************************************************************************************
    fatal: [f5bm.express-scripts.com -> localhost]: FAILED! => {
        "changed": false
    }

    MSG:

    Unable to connect to f5bm.express-scripts.com on port 443. The reported error was "Unexpected **kwargs: {'verify': False}".
        to retry, use: --limit @/home/eh7305/scripts/ansible/f5tst.retry

    PLAY RECAP ********************************************************************************************
    f5am.express-scripts.com : ok=2 changed=0 unreachable=0 failed=0
    f5bm.express-scripts.com : ok=2 changed=0 unreachable=0 failed=1

Playbook:

    ---
    - name: "Syncing F5 Active config to group"
      hosts: "drhaf5"
      serial: 1
      vars_files:
        - "vars/main.yml"
        - "vars/vault.yml"
      gather_facts: "no"
      roles:
        - "f5syncactive"
      tasks:
        - name: "Get bigip facts"
          bigip_facts:
            server: "{{inventory_hostname}}"
            user: "admin"
            password: "{{adminpass}}"
            include:
              - "device"
              - "system_info"
            validate_certs: False
          check_mode: no
          delegate_to: "localhost"

        - name: "Display bigip facts {{inventory_hostname}}"
          debug:
            msg:
              - "Hostname: {{ system_info.system_information.host_name }}"
              - "Status: {{ device['/Common/' + system_info.system_information.host_name].failover_state }}"

        - name: "Create pool"
          bigip_pool:
            server: "{{inventory_hostname}}"
            user: "admin"
            password: "{{adminpass}}"
            lb_method: "round-robin"
            monitors: http
            name: "pool1"
            validate_certs: False
          notify:
            - "Save the running configuration to disk"
            - "Sync configuration from device to group"
          delegate_to: "localhost"
          when: device['/Common/' + system_info.system_information.host_name].failover_state == "HA_STATE_ACTIVE"

      handlers:
        - name: "Save the running {{inventory_hostname}} configuration to disk"
          bigip_config:
            save: "yes"
            server: "{{inventory_hostname}}"
            user: "admin"
            password: "{{adminpass}}"
            validate_certs: False
          delegate_to: localhost

        - name: "Handler Sync configuration from {{inventory_hostname}} to group"
          bigip_configsync_action:
            device_group: "sync-failover-group"
            sync_device_to_group: "yes"
            server: "{{inventory_hostname}}"
            user: "admin"
            password: "{{adminpass}}"
            validate_certs: False
          delegate_to: localhost

Connecting to F5 using SSH via Ansible
I am in the process of writing a playbook which uses SSH to connect to the F5 and run a bash command (ntpdate -d time_server) to confirm NTP connectivity across the environment. For SSH I am using root. Here is the task that I have in the playbook:

    - name: "Check NTP on {{override_host}}"
      vars:
        ansible_connection: ssh
        ansible_user: "root"
        ansible_password: "{{root_pwd}}"
        ansible_ssh_private_key_file: "~/.ssh/f5-ansible-ssh"
      command:
        cmd: ntpdate -d {{item}}
      loop: "{{new_ntp_servers}}"
      register: ntp_status

The error message that I get is as follows:

    MSG:

    The module failed to execute correctly, you probably need to set the interpreter.
    See stdout/stderr for the exact error

    MODULE_STDOUT:

    /bin/sh: /usr/local/bin/python3.9: No such file or directory

    MODULE_STDERR:

    ******************************* IMPORTANT NOTE ******************************
    Banner
    *****************************************************************************
    Shared connection to ltm closed.

Any help would be greatly appreciated...

F5 automation using pure iControl REST API and Ansible - Series: Introduction
Introduction:

There are many articles covering F5 and Ansible integration using the F5 Ansible modules, but none on using Ansible with the pure iControl REST API; perhaps the intended path was always to use the BIG-IP Ansible modules with Ansible. This series will be helpful where the existing F5 Ansible modules offer no way to configure a specific object.

There are pros and cons to using the F5 Ansible modules directly.

Pros:
1) No need to understand the iControl REST API structure
2) Easy-to-use API with specific parameters to create a specific object

Cons:
1) Some modules have limited functionality, restricted to what that specific module exposes
2) The F5 password has to be put in each and every task
3) Creating a specific object depends on an F5 module being available for it

Note: This series is intended for administrators who have some hands-on coding experience or at least know the coding concepts.

Purpose:

The intended goal of this series is to make the Ansible code generic enough that object creation is data driven and not code driven. Change the input data and the Ansible scripts should take care of configuring only the required objects.

Details:

Administrators should have basic knowledge of the following to start with:

1) Ansible
   a) Installation
   b) Running a playbook
   c) Ansible tasks and roles
   d) Ansible variables and scope
   e) Ansible inventory
   f) Ansible uri module

2) iControl REST API
   a) Understanding of the iControl REST API
   b) How to retrieve objects using GET
   c) How to create/update objects using POST/PUT
   d) How to navigate through the REST APIs

References:

1) Install Ansible and F5 dependencies
   https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/getting_started.html

2) Run your first BIG-IP playbook with F5 Ansible modules
   https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/playbook_tutorial.html
   https://clouddocs.f5.com/products/orchestration/ansible/devel/usage/connection-local-or-delegate-to.html

3) Understanding variables and inventory in Ansible
   https://docs.ansible.com/ansible/latest/user_guide/playbooks_variables.html
   https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html

4) Understanding of the uri module
   https://docs.ansible.com/ansible/latest/modules/uri_module.html#uri-module

5) Understanding of the iControl REST API
   The iControl REST home page contains all the required links to understand iControl REST in detail. No need to go over the code samples presented in the series.
   https://devcentral.f5.com/wiki/iControlREST.HomePage.ashx
   iControl REST API Guide for 12.0.0:
   https://devcentral.f5.com/d/the-user-guide-for-the-icontrol-rest-interface-in-big-ip-version-120
   iControl API Reference (properties of each object, with which parameters are mandatory and which are optional):
   https://devcentral.f5.com/wiki/iControlREST.APIRef_tm_ltm.ashx

6) Integration of F5 and Ansible
   This article covers the links to all articles, including how to install Ansible and how to start using Ansible with the existing simple modules:
   https://devcentral.f5.com/articles/automate-big-ip-in-customer-environments-using-ansible-27601

7) On-demand F5-related videos on Ansible
   a) https://www.ansible.com/resources/webinars-training/automating-f5-big-ip-using-ansible
   b) https://www.ansible.com/resources/webinars-training/fast-application-deployment-custer-use-case-with-ansible-f5-big-ip
   c) https://www.ansible.com/resources/webinars-training/wwt-building-a-f5-solution-with-ansible-tower
   d) https://www.ansible.com/resources/webinars-training/tackling-big-ip-blue-green-deployments-in-private-cloud-f5

Ansible playbook error
Hi,

Need help with an Ansible playbook. Trying to run a basic playbook to fetch facts and run a command, but it keeps popping an error. Can anyone please help?

Playbook 1

    - name: Collect
      bigip_device_facts:
        gather_subset:
          - interfaces
          - vlans
        provider:
          server: x.x.x.x
          user: <username>
          password: <password>

Error

    [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
    ERROR! 'bigip_device_facts' is not a valid attribute for a Play

    The error appears to have been in '/ansible-01/playbook.yml': line 1, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

    - name: Collect
      ^ here

Playbook 2

    - name: run show version
      bigip_command:
        commands: show sys version
        provider:
          server: x.x.x.x
          user: <username>
          password: <password>

Error

    [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
    ERROR! 'bigip_command' is not a valid attribute for a Play

    The error appears to have been in '/ansible-01/playbook1.yml': line 1, column 3, but may
    be elsewhere in the file depending on the exact syntax problem.

    The offending line appears to be:

    - name: run show version
      ^ here

Thanks,
Aditya

Ansible bigip_device_facts - Filter Output
Hi,

I'm new to Ansible. I have installed Ansible version 2.7 and I'm trying to understand how I can filter the output from the new bigip_device_facts module, as bigip_facts is deprecated. I have checked the DevCentral post for the old bigip_facts at https://devcentral.f5.com/questions/ansible-filter-output-48375

But the output from bigip_device_facts is not the same as bigip_facts. The new one looks like the following:

    changed: [172.16.223.128 -> localhost] => {
        "changed": true,
        "invocation": {
            "module_args": {
                "auth_provider": null,
                "gather_subset": [
                    "vlans"
                ],
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "server": "172.16.223.128",
                "server_port": 443,
                "transport": null,
                "user": "admin",
                "validate_certs": false
            }
        },
        "vlans": [
            {
                "auto_lasthop": "default",
                "cmp_hash_algorithm": "default",
                "failsafe_action": "failover-restart-tm",
                "failsafe_enabled": "no",
                "failsafe_timeout": 90,
                "full_path": "/Common/HA",
                "if_index": 160,
                "interfaces": [
                    {
                        "full_path": "1.3",
                        "name": "1.3",
                        "tagged": "no"
                    }
                ],
                "learning_mode": "enable-forward",
                "mtu": 1500,
                "name": "HA",
                "sflow_poll_interval": 0,
                "sflow_poll_interval_global": "yes",
                "sflow_sampling_rate": 0,
                "sflow_sampling_rate_global": "yes",
                "source_check_enabled": "disabled",
                "tag": 4092,
                "true_mac_address": "00:0c:29:e0:10:eb"
            }
        ]
    }

Compared to the old:

    "ansible_facts": {
        "vlan": {
            "/Common/VLAN_10": {

How can I use the debug msg to filter and print values like the VLAN ID (tag in this case)?

Br
Andréas

Basic Question on Ansible - Creating Nodes
Hello all,

I know this is basic, but I'm starting off learning about Ansible and F5s. I'm following this lab guide: https://github.com/ansible/workshops/tree/devel/exercises/ansible_f5/1.2-add-node

I have configured a basic inventory as such:

    [lb]
    f5 ansible_host=X.X.X.X ansible_user=admin private_ip=X.X.X.X ansible_ssh_pass=XXXXXXXX

    [webservers]
    host1 ansible_host=X.X.X.X
    host2 ansible_host=X.X.X.X

I then have my YAML file as follows:

    ---
    - name: BIG-IP SETUP
      hosts: lb
      connection: local
      gather_facts: false
      tasks:
        - name: CREATE NODES
          bigip_node:
            provider:
              server: X.X.X.X
              user: XXXX
              password: XXXXXXX
              server_port: 443
              validate_certs: false
            host: "{{hostvars[webservers].ansible_host}}"
            name: "{{hostvars[webservers].inventory_hostname}}"
          loop: "{{ groups[webservers] }}"

When I try to run this playbook I get the following error:

    devlin@ubuntu-v20:~/ansible/f5/lab2$ ansible-playbook -i inventory bigip-node.yaml

    PLAY [BIG-IP SETUP] *****************************************************************************************************************

    TASK [CREATE NODES] *****************************************************************************************************************
    fatal: [f5]: FAILED! => {"msg": "'webservers' is undefined"}

    PLAY RECAP **************************************************************************************************************************
    f5 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

What does it mean, "webservers is undefined"? Thank you!

How to address multiple BIG-IP servers in one Ansible task?
Ansible noob here. I'm trying to automate the configuration of large numbers of pools (and other things) using Ansible. I have a hosts file that just contains a group of two BIG-IPs:

    [f5lab]
    f5-1-hostname
    f5-2-hostneme

I have a very simple playbook:

    - name: Create a pool
      hosts: f5lab
      connection: local
      tasks:
        - name: Create app1 server pool
          bigip_pool:
            name: app1_pl
            monitors: "/Common/http"
            lb_method: round-robin
            password: "adminpassword"
            server: f5-1-hostname
            user: "adminuser"
            validate_certs: no
          delegate_to: localhost

This works fine, but will only create the pool on the one server. I'm trying to find out how to essentially loop through my group of hosts without having to write the same task for each one. The server argument is mandatory for the bigip_pool task, so I can't remove it and have it use the playbook hosts. What is the best procedure for this? Thanks!

Ansible - Bricking freshly installed vcmp guests with ansible
Hello fellow F5 admins,

Currently I am trying to establish a workflow where new vCMP guests are created and configured with a standard basic config (and even building an HA setup). The creation part is working, but here the problems begin:

tl;dr question: What is the proper way to bootstrap a freshly installed vCMP guest (or appliance), when you are forced to change the default passwords on first login, without doing it by hand? The only solution I found (link below) will lock me out of the system forever.

Long version:

Freshly installed systems enforce a password change for the admin user on first access. This password change cannot be accomplished with the standard Ansible module "bigip_user". If you try, you will get an error telling you the password has expired and has to be changed.

I then found an article about the secure password policy and how one is supposed to change the password with Ansible (https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-system-secure-password-policy/secure-password-policy-chapter-title.html). So I gave it a try and the password was changed to "a" password, but not the one provided by the playbook variable. Neither GUI nor SSH nor REST login will work. I am locked out.

Before you ask: yes, the password in ansible-vault style is correct, because it is used to create the guest on the vCMP hosts.

Here is my playbook:

    ---
    - name: Test vCMP-Guest
      hosts: vcmp_guests
      gather_facts: false
      vars:
        f5_api_admin_user: admin
        f5_api_admin_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          35613438373864653838386266616364666366363332646635303036343266646664656333643932
          6462363934306365636265313038376436353032303330370a656434643837343165316333393932
          66616133376433303136366664303563373034353630656531663864323433663166653539303937
          3937646663613064390a663631623733376339353735633362633139383635386661376137653434
          6237
        bigip_provider:
          server: "{{ ansible_host }}"
          server_port: 443
          user: "{{ f5_api_admin_user }}"
          password: "{{ f5_api_admin_password }}"
          validate_certs: false
          transport: rest
      tasks:
        - name: Set admin Password
          uri:
            url: "https://{{ ansible_host }}/mgmt/shared/authz/users/admin"
            method: PATCH
            body: '{"oldPassword":"admin","password":"{{ f5_api_admin_password }}"}'
            body_format: json
            validate_certs: false
            force_basic_auth: true
            user: admin
            password: admin
            headers:
              Content-Type: "application/json"
          register: result
          delegate_to: localhost

        - name: Debug
          ansible.builtin.debug:
            var: result

        - name: Try to get system info
          f5networks.f5_modules.bigip_device_info:
            gather_subset:
              - system-info
            provider: "{{ bigip_provider }}"
          register: output
          delegate_to: localhost

        - name: Debug
          ansible.builtin.debug:
            var: output

The output of the password reset task looks fine to me:

    TASK [Debug] ********************************************************************************************************************************************************************************
    task path: ~/guest-playbook.yml:47
    ok: [test-guest] => {
        "result": {
            "cache_control": "no-store, no-cache, must-revalidate",
            "changed": false,
            "connection": "close",
            "content_length": "330",
            "content_security_policy": "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob:; img-src 'self' data: http://127.4.1.1 http://127.4.2.1",
            "content_type": "application/json; charset=UTF-8",
            "cookies": {},
            "cookies_string": "",
            "date": "Fri, 29 Sep 2023 11:48:50 GMT",
            "elapsed": 0,
            "expires": "-1",
            "failed": false,
            "json": {
                "displayName": "Admin User",
                "encryptedPassword": "<removed>",
                "generation": 0,
                "kind": "shared:authz:users:usersworkerstate",
                "lastUpdateMicros": 0,
                "name": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "selfLink": "https://localhost/mgmt/shared/authz/users/********",
                "shell": "/sbin/nologin"
            },
            "msg": "OK (330 bytes)",
            "pragma": "no-cache",
            "redirected": false,
            "server": "Jetty(9.2.22.v20170606)",
            "status": 200,
            "strict_transport_security": "max-age=16070400; includeSubDomains",
            "url": "https://<removed>/mgmt/shared/authz/users/********",
            "x_content_type_options": "nosniff",
            "x_frame_options": "SAMEORIGIN",
            "x_xss_protection": "1; mode=block"

The next task will already fail with an "unauthorized" message. From now on, I cannot access the system any more, and believe me, I tried a lot.

One interesting thing: when I don't use an ansible-vault encrypted password and instead set the variable directly to the string, login is possible, BUT only to the GUI. I cannot do REST API calls with this password. When I change the admin password again (from within the GUI), I can however use the REST API again. When I change it back to the original one, API calls will fail.

There is one difference I noticed in /var/log/audit in the case when I set the password as clear-text. User authentication is logged like this and the API request fails:

    AUDIT - user admin - RAW: httpd(pam_audit): User=admin tty=(unknown)

After setting a new password within the GUI or tmsh and running the same API request, the audit message changed like this and the request is successful:

    [...] AUDIT - user admin - RAW: rest(pam_audit): user=admin(admin)[...]

When I now change the password back to the previous one, the API request fails again:

    [...]AUDIT - user admin - RAW: httpd(pam_audit): User=admin tty=(unknown)[...]

What on earth is going on?

How is one supposed to bootstrap a vCMP guest from the ground up without manual interaction for setting passwords and stuff? Any useful advice is thoroughly appreciated.

Cheers
Ichnafi