I have a playbook to harden the NXOS API on Nexus switches. It requires connecting to the Nexus, running the bash shell and executing some commands to configure iptables. Some of the commands execute correctly and others seem to try to run on the local host even though I don’t have delegate_to: set for those tasks. These tasks seem to run on the switch:
- set the vrf for NXAPI
- enter the shell
- become root
- apply the ip tables config
All the others seem to run on localhost (my ansible box). Has anyone run into this before?
Part of the playbook:

- name: set the vrf for NXAPI
  nxos_config:
    lines: nxapi use-vrf management

- name: enter the shell
  cli_command:
    command: run bash
    sendonly: yes

- name: become root
  command: sudo su -

- name: setup the iptables_init.log
  command: sudo touch /etc/iptables_init.log; sudo chmod 777 /etc/iptables_init.log

- name: Create the init file
  command: sudo echo "{{ initfile }}" > /etc/init.d/iptables_init

- name: set the default action to drop
  cli_command:
    command: sudo ip netns exec management iptables -F INPUT
    sendonly: yes

- name: apply the ip tables config
  cli_command:
    command: sudo ip netns exec management iptables -A INPUT -s {{ item.source }} -p tcp --dport 443 -j ACCEPT
    sendonly: yes
  when:
    - "'WEB' in item.remark"
    - "'remark' not in item.action"
  with_items: "{{ current_acl.list }}"

- name: save the ipchains
  cli_command:
    command: "sudo ip netns exec management iptables-save > /etc/sysconfig/iptables"
    sendonly: yes
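For comparison, here is an added example (my own, not the poster's playbook) of the same hardening written so that every shell step is sent through cli_command over the one persistent network_cli session, with a read-back and assert at the end so the play fails loudly if the DROP rule never reached the switch. It assumes an inventory group nxos_switches with ansible_connection=network_cli and ansible_network_os=nxos, that the session remains inside the bash shell after "run bash" until "exit" is sent, and it uses made-up variables allowed_sources and nxapi_port; the sample CIDRs are constructed. The save path and the "ip netns exec management" prefix are taken from the post above.

```yaml
# Added example, not from the original post. Every step that has to run in the
# NX-OS bash shell goes through cli_command on the same persistent session.
# Assumptions: hosts in "nxos_switches" use ansible_connection=network_cli and
# ansible_network_os=nxos; allowed_sources and nxapi_port are play variables
# (hypothetical names); the sample CIDRs below are constructed values.
- name: Restrict NX-API reachability with iptables in the management netns
  hosts: nxos_switches
  gather_facts: no
  vars:
    nxapi_port: 443
    allowed_sources:            # constructed sample values
      - 192.0.2.10/32
      - 198.51.100.0/24
  tasks:
    - name: Pin NX-API to the management VRF
      nxos_config:
        lines:
          - nxapi use-vrf management

    - name: Enter the bash shell (the session stays in bash for the tasks below)
      cli_command:
        command: run bash
        sendonly: yes

    - name: Start from an empty INPUT chain in the management namespace
      cli_command:
        command: sudo ip netns exec management iptables -F INPUT
        sendonly: yes

    - name: Allow the NX-API port only from approved sources
      cli_command:
        command: "sudo ip netns exec management iptables -A INPUT -s {{ item }} -p tcp --dport {{ nxapi_port }} -j ACCEPT"
        sendonly: yes
      loop: "{{ allowed_sources }}"

    - name: Drop everything else aimed at the NX-API port
      cli_command:
        command: "sudo ip netns exec management iptables -A INPUT -p tcp --dport {{ nxapi_port }} -j DROP"
        sendonly: yes

    - name: Read the resulting chain back (no sendonly, so stdout is captured)
      cli_command:
        command: sudo ip netns exec management iptables -L INPUT -n --line-numbers
      register: input_chain

    - name: Fail the play if the DROP rule is not present on the switch
      assert:
        that:
          - "'DROP' in input_chain.stdout"
        fail_msg: "INPUT chain on {{ inventory_hostname }} has no DROP rule for tcp/{{ nxapi_port }}"

    - name: Persist the rules to the path used in the original playbook
      cli_command:
        command: "sudo ip netns exec management iptables-save > /etc/sysconfig/iptables"
        sendonly: yes

    - name: Leave the bash shell so the session returns to the NX-OS CLI
      cli_command:
        command: exit
        sendonly: yes
```

The read-back step is the useful part for troubleshooting the symptom described above: if a task had run on the control host instead of the switch, the INPUT chain listed by the switch would not contain the expected rules and the assert would stop the play rather than leaving the API open.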