From 8d8d4b3d86d73fd7544b4b7b66ea46a7fff5241e Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Tue, 3 Jul 2018 23:54:26 +0530 Subject: [PATCH 1/6] Add options for jumphost in netconf connetion Fixes #37262 Fixes #36284 * Updates options in netconf connection to enable bastion/jump host setting using configuration/enviornment varaibles. * Update troubleshooting docs from using bastion host with netconf connection --- .../network_debug_troubleshooting.rst | 35 +++++++++++++++++++ lib/ansible/config/base.yml | 8 +++++ lib/ansible/plugins/connection/netconf.py | 17 ++++++++- 3 files changed, 59 insertions(+), 1 deletion(-) diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index f7c36f812e..6a8d659773 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst 
@@ -597,6 +597,41 @@ no additional changes necessary. The network module will now connect to the network device by first connecting to the host specified in ``ansible_ssh_common_args``, which is ``bastion01`` in the above example. +Using bastion/jump host with netconf connection +----------------------------------------------- + +Enabling jump host setting +-------------------------- + +Bastion/jump host with netconf connection can be enable using +- Setting Ansible variable``ansible_netconf_ssh_config`` or +- Setting environment variable ``ANSIBLE_NETCONF_SSH_CONFIG`` or +- Setting ``ssh_config=Ture`` under ``netconf_connection`` section in ansible configuration file + +The ssh config file (~/.ssh/config) should have the correct proxycommand and required ssh configuration variables + +Example ssh config file (~/.ssh/config) +--------------------------------------- + +.. code-block:: ini + + Host junoshost + HostName junos01 + User myuser + + ProxyCommand ssh user@bastion01 nc %h %p %r + +Example Ansible inventory file + +.. code-block:: ini + [junos] + junoshost + + [junos:vars] + ansible_connection=netconf + ansible_network_os=junos + ansible_user=myuser + ansible_ssh_pass=!vault... .. note:: Using ``ProxyCommand`` with passwords via variables diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml index 341c769909..3a413a8ae5 100644 --- a/lib/ansible/config/base.yml +++ b/lib/ansible/config/base.yml @@ -1632,4 +1632,12 @@ YAML_FILENAME_EXTENSIONS: - section: defaults key: yaml_valid_extensions type: list +NETCONF_SSH_CONFIG: + description: This variable is used to enable bastion/jump host with netconf connection. The bastion/jump + host ssh settings should be present in ssh configuration file (~/.ssh/config). + env: [{name: ANSIBLE_NETCONF_SSH_CONFIG}] + ini: + - {key: ssh_config, section: netconf_connection} + yaml: {key: netconf_connection.ssh_config} + type: boolean ... 
diff --git a/lib/ansible/plugins/connection/netconf.py b/lib/ansible/plugins/connection/netconf.py index 17e47fe7ae..0db23ff0e7 100644 --- a/lib/ansible/plugins/connection/netconf.py +++ b/lib/ansible/plugins/connection/netconf.py @@ -152,6 +152,21 @@ options: key: command_timeout env: - name: ANSIBLE_PERSISTENT_COMMAND_TIMEOUT + netconf_ssh_config: + type: boolean + default: False + description: + - This variable is used to enable bastion/jump host with netconf connection. The bastion/jump + host ssh settings should be present in ssh configuration file (~/.ssh/config). + ini: + - section: netconf_connection + key: ssh_config + version_added: '2.7' + env: + - name: ANSIBLE_NETCONF_SSH_CONFIG + vars: + - name: ansible_netconf_ssh_config + version_added: '2.7' """ import os @@ -248,7 +263,7 @@ class Connection(NetworkConnectionBase): device_params = {'name': NETWORK_OS_DEVICE_PARAM_MAP.get(self._network_os) or self._network_os} - ssh_config = os.getenv('ANSIBLE_NETCONF_SSH_CONFIG', False) + ssh_config = self.get_option('netconf_ssh_config') if ssh_config in BOOLEANS_TRUE: ssh_config = True else: From 74a23f50e4f44a939688dae538cd6f7e5f40107b Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Wed, 4 Jul 2018 10:14:18 +0530 Subject: [PATCH 2/6] Fix CI failure --- .../user_guide/network_debug_troubleshooting.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index 6a8d659773..6689f5c6b5 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst @@ -615,7 +615,7 @@ Example ssh config file (~/.ssh/config) .. code-block:: ini - Host junoshost + Host junos HostName junos01 User myuser 
@@ -625,13 +625,13 @@ Example Ansible inventory file .. code-block:: ini [junos] - junoshost + junos - [junos:vars] - ansible_connection=netconf - ansible_network_os=junos - ansible_user=myuser - ansible_ssh_pass=!vault... + [junos:vars] + ansible_connection=netconf + ansible_network_os=junos + ansible_user=myuser + ansible_ssh_pass=!vault... .. note:: Using ``ProxyCommand`` with passwords via variables From fa8b07e452ca64ebd5debe858737e9d1a671f0cd Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Wed, 4 Jul 2018 10:59:18 +0530 Subject: [PATCH 3/6] Fix doc indentation --- .../user_guide/network_debug_troubleshooting.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index 6689f5c6b5..af4e0f1f21 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst @@ -624,14 +624,14 @@ Example ssh config file (~/.ssh/config) Example Ansible inventory file .. code-block:: ini - [junos] - junos + [junos] + junos - [junos:vars] - ansible_connection=netconf - ansible_network_os=junos - ansible_user=myuser - ansible_ssh_pass=!vault... + [junos:vars] + ansible_connection=netconf + ansible_network_os=junos + ansible_user=myuser + ansible_ssh_pass=!vault... .. note:: Using ``ProxyCommand`` with passwords via variables From d1ff8e2dca1883963dfb33daaaf2001d018d6ce4 Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Wed, 4 Jul 2018 11:37:35 +0530 Subject: [PATCH 4/6] Update ssh_config to accept file path --- .../user_guide/network_debug_troubleshooting.rst | 11 +++++++---- lib/ansible/config/base.yml | 7 ++++--- lib/ansible/plugins/connection/netconf.py | 15 ++++++++------- 3 files changed, 19 insertions(+), 14 deletions(-) 
diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index af4e0f1f21..8bd1d21dd4 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst @@ -604,11 +604,14 @@ Enabling jump host setting -------------------------- Bastion/jump host with netconf connection can be enable using -- Setting Ansible variable``ansible_netconf_ssh_config`` or -- Setting environment variable ``ANSIBLE_NETCONF_SSH_CONFIG`` or -- Setting ``ssh_config=Ture`` under ``netconf_connection`` section in ansible configuration file +- Setting Ansible variable``ansible_netconf_ssh_config`` either to ``True`` or custom ssh config file path +- Setting environment variable ``ANSIBLE_NETCONF_SSH_CONFIG`` to ``True`` or custom ssh config file path +- Setting ``ssh_config = 1`` or ``ssh_config = ``under ``netconf_connection`` section -The ssh config file (~/.ssh/config) should have the correct proxycommand and required ssh configuration variables +If the configuration variable is set to 1 the proxycommand and other ssh variables are read from +default ssh config file (~/.ssh/config). +If the configuration variable is set to file path the proxycommand and other ssh variables are read +from the given custom ssh file path Example ssh config file (~/.ssh/config) --------------------------------------- diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml index 3a413a8ae5..d7b64e14e3 100644 --- a/lib/ansible/config/base.yml +++ b/lib/ansible/config/base.yml 
@@ -1633,11 +1633,12 @@ YAML_FILENAME_EXTENSIONS: key: yaml_valid_extensions type: list NETCONF_SSH_CONFIG: - description: This variable is used to enable bastion/jump host with netconf connection. The bastion/jump - host ssh settings should be present in ssh configuration file (~/.ssh/config). + description: This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump + host ssh settings should be present in ~/.ssh/config file, alternatively it can be set + to custom ssh configuration file path to read the bastion/jump host settings. env: [{name: ANSIBLE_NETCONF_SSH_CONFIG}] ini: - {key: ssh_config, section: netconf_connection} yaml: {key: netconf_connection.ssh_config} - type: boolean + default: None ... diff --git a/lib/ansible/plugins/connection/netconf.py b/lib/ansible/plugins/connection/netconf.py index 0db23ff0e7..d886085c49 100644 --- a/lib/ansible/plugins/connection/netconf.py +++ b/lib/ansible/plugins/connection/netconf.py @@ -153,11 +153,12 @@ options: env: - name: ANSIBLE_PERSISTENT_COMMAND_TIMEOUT netconf_ssh_config: - type: boolean - default: False + default: None description: - - This variable is used to enable bastion/jump host with netconf connection. The bastion/jump - host ssh settings should be present in ssh configuration file (~/.ssh/config). + - This variable is used to enable bastion/jump host with netconf connection. If set to + True the bastion/jump host ssh settings should be present in ~/.ssh/config file, + alternatively it can be set to custom ssh configuration file path to read the + bastion/jump host settings. ini: - section: netconf_connection key: ssh_config 
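Review bot: The rewritten `netconf_ssh_config` description in the `@@ -153` hunk of netconf.py does not say that the referenced ssh config file is trusted input on the control node. The docs added in this same patch state that the proxycommand is read from that file, and a ProxyCommand is by nature a command run locally by the connecting side. Because patch 1/6 also exposes the option through the `ansible_netconf_ssh_config` variable, inventory or host_vars from a less-trusted source can now select which file is read. I would add a description entry such as `- The file is read on the control node and any ProxyCommand in it runs there, so only point this option at a file you control.`, and mirror it in the `NETCONF_SSH_CONFIG` entry of base.yml (the `@@ -1633` hunk on this line). The options block starts and ends outside the hunk.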
@@ -175,7 +176,7 @@ import json from ansible.errors import AnsibleConnectionFailure, AnsibleError from ansible.module_utils._text import to_bytes, to_native, to_text -from ansible.module_utils.parsing.convert_bool import BOOLEANS_TRUE +from ansible.module_utils.parsing.convert_bool import BOOLEANS_TRUE, BOOLEANS_FALSE from ansible.plugins.loader import netconf_loader from ansible.plugins.connection import NetworkConnectionBase @@ -202,7 +203,7 @@ NETWORK_OS_DEVICE_PARAM_MAP = { "ce": "huawei" } - +import q class Connection(NetworkConnectionBase): """NetConf connections""" @@ -266,7 +267,7 @@ class Connection(NetworkConnectionBase): ssh_config = self.get_option('netconf_ssh_config') if ssh_config in BOOLEANS_TRUE: ssh_config = True - else: + elif ssh_config in BOOLEANS_FALSE: ssh_config = None try: From c43beef258c9a95b4dc3bc3eaadd6c457dfe2866 Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Wed, 4 Jul 2018 11:54:28 +0530 Subject: [PATCH 5/6] Minor changes --- .../user_guide/network_debug_troubleshooting.rst | 14 +++++++------- lib/ansible/config/base.yml | 2 +- lib/ansible/plugins/connection/netconf.py | 3 +-- 3 files changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index 8bd1d21dd4..1938c0bfd3 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst @@ -627,14 +627,14 @@ Example ssh config file (~/.ssh/config) Example Ansible inventory file .. code-block:: ini - [junos] - junos + [junos] + junos - [junos:vars] - ansible_connection=netconf - ansible_network_os=junos - ansible_user=myuser - ansible_ssh_pass=!vault... + [junos:vars] + ansible_connection=netconf + ansible_network_os=junos + ansible_user=myuser + ansible_ssh_pass=!vault... .. note:: Using ``ProxyCommand`` with passwords via variables 
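Review bot: In the `@@ -266` hunk of netconf.py the raw option value is tested against `BOOLEANS_TRUE` and `BOOLEANS_FALSE` without normalisation, while this same patch drops `type: boolean` and documents setting the value to ``True``. As far as I recall the string members of those sets are lower-case, so a string such as `True` or `False` from the environment or ini file would presumably match neither set and be passed on as a file path; lower-casing and stripping string values before the two membership tests would avoid that. A real path is also handed on unchanged, so a leading `~` is not expanded and a missing file is not reported at this point. Something like `ssh_config = os.path.expanduser(ssh_config)` followed by an `os.path.isfile` check that raises `AnsibleConnectionFailure` would make a misconfigured jump host fail with a clear message instead of silently connecting without the intended ssh settings. The enclosing method begins and ends outside the hunk, so how the value is consumed afterwards is not visible here.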
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml index d7b64e14e3..ca1a27ad46 100644 --- a/lib/ansible/config/base.yml +++ b/lib/ansible/config/base.yml @@ -1640,5 +1640,5 @@ NETCONF_SSH_CONFIG: ini: - {key: ssh_config, section: netconf_connection} yaml: {key: netconf_connection.ssh_config} - default: None + default: null ... diff --git a/lib/ansible/plugins/connection/netconf.py b/lib/ansible/plugins/connection/netconf.py index d886085c49..4358fdee97 100644 --- a/lib/ansible/plugins/connection/netconf.py +++ b/lib/ansible/plugins/connection/netconf.py @@ -153,7 +153,6 @@ options: env: - name: ANSIBLE_PERSISTENT_COMMAND_TIMEOUT netconf_ssh_config: - default: None description: - This variable is used to enable bastion/jump host with netconf connection. If set to True the bastion/jump host ssh settings should be present in ~/.ssh/config file, @@ -203,7 +202,7 @@ NETWORK_OS_DEVICE_PARAM_MAP = { "ce": "huawei" } -import q + class Connection(NetworkConnectionBase): """NetConf connections""" From 78b1980474d92479762f260d0395834fe3d0fa08 Mon Sep 17 00:00:00 2001 From: "Ganesh B. Nalawade" Date: Wed, 4 Jul 2018 18:42:54 +0530 Subject: [PATCH 6/6] More CI failure fixes --- .../network/user_guide/network_debug_troubleshooting.rst | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst index 1938c0bfd3..7323d487c0 100644 --- a/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst +++ b/docs/docsite/rst/network/user_guide/network_debug_troubleshooting.rst @@ -618,7 +618,7 @@ Example ssh config file (~/.ssh/config) .. code-block:: ini - Host junos + Host junos01 HostName junos01 User myuser @@ -627,8 +627,9 @@ Example ssh config file (~/.ssh/config) Example Ansible inventory file .. code-block:: ini + [junos] - junos + junos01 [junos:vars] ansible_connection=netconf 
@@ -636,6 +637,7 @@ Example Ansible inventory file ansible_user=myuser ansible_ssh_pass=!vault... + .. note:: Using ``ProxyCommand`` with passwords via variables By design, SSH doesn't support providing passwords via environment variables.