Network config modules (eos_config, ios_config) fuzzy matching lines, and what is the "config" parameter?

Archives Ansible Project
1

Heya,

TLDR, the summary: I’m trying to use Ansible 2.2’s network modules to manage configs on EOS/IOS switches. I’m trying to find a module invocation that adds a number of, say, radius-server commands, removes any that aren’t expected, and also diff properly before applying config so I can accurately measure which switches were already correctly configured and which weren’t. What follows is my series of attempts at making this work before I was out of options short of doing the config diffs manually.

So for example, I want to write a task that manages the radius-server lines on an EOS device. The existing config might be…

`
radius-server host 1.1.1.1
radius-server host 2.2.2.2
radius-server host 3.3.3.3

`

…and I want to replace it with my good configuration:

radius-server host 2.2.2.2 radius-server host 3.3.3.3

BUT, I don’t know what the original two lines are for sure. Maybe they’re as above, or maybe one of them is actually 4.4.4.4 instead. So what I’m really trying to do is remove any lines that begin with “radius-server host …” and then add on the two good config lines. I can’t find a way to make this work that accurately diffs the running config and avoids pushing changes if the lines already match.

I found a couple ‘workarounds’ but they each suffer from this problem. One of them is to use ‘before’ and run ‘no radius-server host’, nuking the existing config and replacing it with my good config:

`

  • name: Install new RADIUS server config.
    eos_config:
    provider: “{{ cli_connection_info }}”
    lines:
  • radius-server host 1.1.1.1 vrf mgmt
  • radius-server host 2.2.2.2 vrf mgmt
    before: “no radius-server host”
    match: none
    replace: block
    save: yes

`

“match” has to be “none” because if both of my good config lines are on the device, but there’s a third “radius-server host …” configured, I want to remove it. The above task accomplishes that but it always detects a diff, which means I can’t dry-run the play and I don’t get any feedback on how many devices in the fleet were actually different from the intended configuration.

But an even bigger problem is that not all OSs/versions support a generic “no …” command as used above. IOS, for example, will not accept “no radius-server host”; an IP must be specified, so I must somehow know what “bad” IPs are already configured before running the config module. And, I’m trying to eliminate config drift so I don’t know what those IPs are off hand. So here’s another workaround:

`

  • name: Get current RADIUS server config.
    ios_command:
    provider: “{{ cli_connection_info }}”
    commands: “show running-config | include radius-server host”
    register: current_config

  • name: Build cleanup commands.
    set_fact:
    ios_radius_commands_to_remove: |
    {% set output = %}
    {% for existing_line in current_config.stdout_lines[0] %}
    {% if existing_line %}
    {% set _ = output.append('no ’ + existing_line) %}
    {% endif %}
    {% endfor %}
    {{ output }}

  • name: Cleanup old and install new config.
    ios_config:
    provider: “{{ cli_connection_info }}”
    before: “{{ ios_radius_commands_to_remove }}”
    lines:

  • radius-server host 1.1.1.1 vrf mgmt

  • radius-server host 2.2.2.2 vrf mgmt
    match: none
    replace: block

`

This makes sure I catch all unknown, bad lines of config and works on pretty much every platform I care about but it too needs to be forced with ‘match: none’ to work; especially on platforms that don’t support config sessions or a similar diff mechanism.

So the last thing I tried was the ‘config’ parameter. From its documentation, I understand it to be a user-provided parameter to replace the auto-fetched running-config from a device. To illustrate this understanding, I would expect something like this to never report a diff and not even connect to the device:

`

  • name: Install RADIUS server config.
    ios_config:
    provider: “{{ cli_connection_info }}”
    config:
  • radius-server host 1.1.1.1 vrf mgmt
  • radius-server host 2.2.2.2 vrf mgmt
    lines:
  • radius-server host 1.1.1.1 vrf mgmt
  • radius-server host 2.2.2.2 vrf mgmt
    match: line
    replace: line

`

But, it does. The module still reports a diff and pushes the content of ‘lines’ to the device. I can’t discern any difference in behavior when using the config parameter.

So, does anyone else have a good way of doing this? At this point I can only assume I went the wrong way on some really simple assumption or the module doesn’t support this behavior. But the ability to specify a class of config that could be unexpected and should be pruned is such a useful feature, a config management system is incomplete without it.

2

I did something similar for NTP on IOS, maybe this will help you:

  1. Provide a list of NTP server addresses I want provisioned

`

  • { role: ntp, state: present,
    ntp_source_interface: Vlan10,
    ntp_servers:
    [ 0.us.pool.ntp.org,
    1.1.1.1,
    2.2.2.2,
    3.3.3.3,
    4.4.4.4 ] }

`

Later finding the NTP servers that may already be there on the IOS device. In a past role, I obviously collected “show running-config” and set_fact “config” to hold that. The regex_findall returns a list of all the ip address instances for ‘ntp server’ lines

`

  • name: get current configured ntp servers
    set_fact: old_ntp_servers=“{{ config | regex_findall(‘ntp server (.+)\n’) }}”

  • name: get current configured ntp source
    set_fact: old_ntp_source=“{{ config | regex_findall(‘ntp source (.+)\n’) }}”

  • name: configure ios ntp parameters
    ios_template:
    src: “{{ state }}/ios.j2”
    config: “{{ config }}”
    provider: “{{ provider }}”

`

And then the template “ios.j2”, basically I let Ansible’s idempotency handle whether or not to issue “ntp server” commands. And later I check for any ntp servers that were previously configured (remember I collected these in old_ntp_servers above) that are not in the list of ntp servers I want configured (ntp_servers) and then issue the “no ntp server” for those.

`

!

Let Ansible idempotency decide for each line if the command needs to be issued

{% if ntp_source_interface is defined %}
ntp source {{ ntp_source_interface }}
{% endif%}
!

Let Ansible idempotency decide for each line if the command needs to be issued

{% if ntp_servers is defined %}
{% for ntp_item in ntp_servers %}
ntp server {{ ntp_item }}
{% endfor %}
!

If there are any ntp servers still listed that aren’t in the list provided by

the user, remove them (compliance).

{% for old_ntp_item in old_ntp_servers %}
{% if old_ntp_item | lower not in ntp_servers | lower %}
no ntp server {{ old_ntp_item }}
{% endif %}
{% endfor %}
{% endif%}
!

`

Hope this gives you some ideas