juniper_junos's Issues

fails when ansible_connection == netconf

When a device has ansible_connection set to netconf:

TASK [ansible-network.juniper_junos : testing] **********************************************************************************
ok: [tovllpst_sc1] =>
  msg:
  - 'ansible_connection: netconf'
  - 'ansible_network_os: junos'

TASK [ansible-network.juniper_junos : validate ansible_connection == 'network_cli' or ansible_connection == 'netconf'] **********
fatal: [tovllpst_sc1]: FAILED! => changed=false
  msg: expected ansible_network to be `network_cli` or `netconf`, got `netconf`
        to retry, use: --limit @/home/4032956/network-automation/retry/get-facts.retry

Expected result:

TASK [ansible-network.juniper_junos : testing] **********************************************************************************
ok: [tovllpst_sc1] =>
  msg:
  - 'ansible_connection: netconf'
  - 'ansible_network_os: junos'

TASK [ansible-network.juniper_junos : set ansible_provider_functions fact] ******************************************************
ok: [tovllpst_sc1]

My fix:

Edit includes/init.yaml

- name: validate ansible_connection == 'network_cli' or ansible_connection == 'netconf'
  fail:
    msg: "expected ansible_network to be `network_cli` or `netconf`, got `{{ ansible_connection }}`"
  when: "not ansible_connection == 'network_cli' and not ansible_connection == 'netconf'"
#  when: "not ansible_connection == 'network_cli' or ansible_connection == 'netconf'"
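
Why the original condition rejects `netconf`, as an added example that is not part of the issue or the role's code: both `when:` expressions are transcribed into Python, which gives `==`, `not`, `and` and `or` the same relative precedence as Jinja2. The candidate connection values are constructed.

```python
# The role is meant to accept exactly these two connection types.
ALLOWED = ("network_cli", "netconf")

# Constructed candidate values for ansible_connection.
CANDIDATES = ["network_cli", "netconf", "local", "ssh"]


def original_guard(conn):
    """Original `when:` of the fail task; True means the task fails the host.

    when: "not ansible_connection == 'network_cli' or ansible_connection == 'netconf'"
    `not` applies only to the first comparison, so the second comparison
    being true (conn == 'netconf') is enough to trigger the failure.
    """
    return (not conn == "network_cli") or conn == "netconf"


def fixed_guard(conn):
    """`when:` from the fix in the issue; fails only if neither value matches.

    when: "not ansible_connection == 'network_cli' and not ansible_connection == 'netconf'"
    """
    return (not conn == "network_cli") and (not conn == "netconf")


def misjudged(guard, candidates):
    """Return (wrongly_rejected, wrongly_accepted) for a fail-when guard."""
    wrongly_rejected = [c for c in candidates if c in ALLOWED and guard(c)]
    wrongly_accepted = [c for c in candidates if c not in ALLOWED and not guard(c)]
    return wrongly_rejected, wrongly_accepted


if __name__ == "__main__":
    for label, guard in (("original", original_guard), ("fixed", fixed_guard)):
        rejected, accepted = misjudged(guard, CANDIDATES)
        print(f"{label}: wrongly rejected={rejected} wrongly accepted={accepted}")
```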

get_facts fails on both network_cli and netconf

For network_cli

Task

  - name: use ansible-network provider roles to gather facts
    include_role:
      name: "{{ ansible_network_provider }}"
      tasks_from: get_facts.yaml
    vars:
      subset: 
        - system
      ansible_connection: network_cli

Result

TASK [ansible-network.juniper_junos : run rpc command] ***************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: 'NoneType' object is not iterable
fatal: [qatfw2bj-sc1]: FAILED! => changed=false
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/4032956/.ansible/tmp/ansible-local-94658eg4njtmh/ansible-tmp-1543890239.3495862-60100278778874/AnsiballZ_junos_command.py", line 113, in <module>
        _ansiballz_main()
      File "/home/4032956/.ansible/tmp/ansible-local-94658eg4njtmh/ansible-tmp-1543890239.3495862-60100278778874/AnsiballZ_junos_command.py", line 105, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/4032956/.ansible/tmp/ansible-local-94658eg4njtmh/ansible-tmp-1543890239.3495862-60100278778874/AnsiballZ_junos_command.py", line 48, in invoke_module
        imp.load_module('__main__', mod, module, MOD_DESC)
      File "/tmp/ansible_junos_command_payload_8YJyWe/__main__.py", line 451, in <module>
      File "/tmp/ansible_junos_command_payload_8YJyWe/__main__.py", line 371, in main
    TypeError: 'NoneType' object is not iterable
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

For netconf

Task

  - name: use ansible-network provider roles to gather facts
    include_role:
      name: "{{ ansible_network_provider }}"
      tasks_from: get_facts.yaml
    vars:
      subset: 
        - system
      ansible_connection: netconf

Result

TASK [ansible-network.juniper_junos : run command] *******************************************************************************************************************************
fatal: [qatfw2bj-sc1]: FAILED! => changed=false
  msg: jxmlease is required but does not appear to be installed. It can be installed using `pip install jxmlease`
pip list
$ pip list
Package           Version
----------------- ---------
ansible           2.7.2
asn1crypto        0.24.0
astroid           2.0.4
atomicwrites      1.2.1
attrs             18.2.0
bcrypt            3.1.4
certifi           2018.8.24
cffi              1.11.5
chardet           3.0.4
cryptography      2.3.1
idna              2.7
isort             4.3.4
Jinja2            2.10
junos-eznc        2.2.0
jxmlease          1.0.1
lazy-object-proxy 1.3.1
lxml              4.2.3
MarkupSafe        1.0
mccabe            0.6.1
more-itertools    4.3.0
ncclient          0.6.0
netaddr           0.7.19
paramiko          2.4.2
pip               18.1
pluggy            0.8.0
py                1.7.0
pyasn1            0.4.4
pycparser         2.19
pylint            2.1.1
PyNaCl            1.3.0
pyserial          3.4
pytest            4.0.0
PyYAML            3.13
requests          2.19.1
scp               0.11.0
selectors2        2.0.1
setuptools        39.0.1
six               1.11.0
typed-ast         1.1.0
urllib3           1.23
wrapt             1.10.11

Request for Usage Documentation

This seems like something we would really like to utilize on our team, specifically get_facts and the pre-built network-engine parser.

Is there any way you could provide some usage instructions?

Ansible playbook : FileNotFoundError(2, 'No such file or directory') [closed]

I am using this playbook to run compliance checks on the juniper firewall.


  - name: Juniper SRX configuration compliance checks
    hosts: juniper
    gather_facts: false
    connection: local
    tasks:
      - name: Syslog server check
        junos_config:
          src: ~/ansible_junos/files/syslog_config.txt
          comment: Ensure that appropriate Syslog server configured
        register: junos_output

      - debug:
          var: junos_output

      - name: success
        debug:
          msg: Syslog server check - This check has passed with the following output({{ junos_output }})
        when: not junos_output.changed

      - name: failed
        debug:
          msg: Syslog server check - This check has failed with the following output({{ junos_output }})
        when: junos_output.changed

      - name: Admin credentials check
        junos_config:
          src: ~/ansible_junos/files/admin_user.txt
          comment: Ensure that Admin user havee been created
        register: junos_output

      - debug:
          var: junos_output

      - name: success
        debug:
          msg: Admin credentials check - This check has passed with the following output({{ junos_output }})
        when: not junos_output.changed

      - name: failed
        debug:
          msg: Admin credentials check - This check has failed with the following output({{ junos_output }})
        when: junos_output.changed

      - name: NTP Server check
        junos_config:
          src: ~/ansible_junos/files/NTP_server.txt
          comment: Ensure that correct NTP servers has been configured
        register: junos_output

      - debug:
          var: junos_output

      - name: success
        debug:
          msg: NTP Server check - This check has passed with the following output({{ junos_output }})
        when: not junos_output.changed

      - name: failed
        debug:
          msg: NTP Server check - This check has failed with the following output({{ junos_output }})
        when: junos_output.changed

      - name: Idle timeout check
        junos_config:
          src: ~/ansible_junos/files/idle_timeout.txt
          comment: Ensure that idle timeout has been configured
        register: junos_output

      - debug:
          var: junos_output

      - name: success
        debug:
          msg: Idle timeout check - This check has passed with the following output({{ junos_output }})
        when: not junos_output.changed

      - name: failed
        debug:
          msg: Idle timeout check - This check has failed with the following output({{ junos_output }})
        when: junos_output.changed

I am running into this message when I do this:

ansible-playbook -i inventory junos_config_new.yml --check -vvv

ansible-playbook 2.9.9
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /root/.local/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.8 (default, Nov 21 2019, 19:31:34) [GCC 8.3.1 20190507 (Red Hat 8.3.1-4)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /home/gefela/ansible_junos/inventory as it did not pass its verify_file() method
script declined parsing /home/gefela/ansible_junos/inventory as it did not pass its verify_file() method
auto declined parsing /home/gefela/ansible_junos/inventory as it did not pass its verify_file() method
Parsed /home/gefela/ansible_junos/inventory inventory source with ini plugin

PLAYBOOK: junos_config_new.yml *****************************************************************************************************************************
1 plays in junos_config_new.yml

PLAY [Juniper SRX configuration compliance checks] *********************************************************************************************************
META: ran handlers

TASK [Syslog server check] *********************************************************************************************************************************
task path: /home/gefela/ansible_junos/junos_config_new.yml:8
fatal: [172.16.203.121]: FAILED! => { "changed": false, "msg": "path specified in src not found" }

PLAY RECAP *************************************************************************************************************************************************
172.16.203.121 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

The directory ~/ansible_junos/files/syslog_config.txt is in the right place

My question is: should ~/ansible_junos/files/ be the right place to place all the configuration to be compared against the firewall?

Please let me know.

Ansible playbook with junos_interfaces module executes but fails to bring up a disabled port on EX3400

Issue:

Ansible playbook with junos_interfaces module executes but fails to bring up a disabled port on EX3400.
The playbook executes successfully but has no impact on the port. However, similar playbook to disable a port brings down the port.

ANSIBLE VERSION

ansible-playbook 2.9.13
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.8/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.8.5 (default, Aug 12 2020, 00:00:00) [GCC 10.2.1 20200723 (Red Hat 10.2.1-1)]

NON-WORKING PLAYBOOK: juniper_port_up.yml

  - name: "Get Junos OS configuration."
    hosts: "{{ switch }}"
    roles:
      - Juniper.junos
    connection: local
    gather_facts: no

    tasks:
      - name: Enable switch port
        junos_interfaces:
          config:
            - name: "{{ port }}"
              enabled: yes  # >>>>>>

BEFORE EXECUTION:

ge-0/0/22 is disabled and we want the above playbook to re-enable it.

admin@EX300-CABB-TEMP> show configuration interfaces ge-0/0/22 | display set
set interfaces ge-0/0/22 description "LAB10E-NFX13 - Ge-0/0"
set interfaces ge-0/0/22 disable
set interfaces ge-0/0/22 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/22 unit 0 family ethernet-switching vlan members all
set interfaces ge-0/0/22 unit 0 family ethernet-switching storm-control default

admin@EX300-CABB-TEMP> show interfaces terse ge-0/0/22
Interface Admin Link Proto Local Remote
ge-0/0/22 down down

PLAYBOOK EXECUTION: The playbook executes but ge-0/0/22 remains disabled.

Example - Running the playbook with verbose +++

[lab@lab-ansible01 ~]$ ansible-playbook juniper_port_up.yml --extra-vars "switch=EX300-CABB-TEMP port=ge-0/0/22" -vvv
ansible-playbook 2.9.14
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/lab/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /usr/lib/python3.6/site-packages/ansible
executable location = /usr/bin/ansible-playbook
python version = 3.6.8 (default, Apr 16 2020, 01:36:27) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
[WARNING]: Invalid characters were found in group names but not replaced, use -vvvv to see details
Parsed /etc/ansible/hosts inventory source with ini plugin

PLAYBOOK: juniper_port_up.yml ******************************************************************************************************************************************************************************
1 plays in juniper_port_up.yml

PLAY [ Configuring Junos device] *************************************************************************************************************************************************************************
META: ran handlers

TASK [Enabling switch port] *******************************************************************************************************************************************************************************
task path: /home/lab/juniper_port_up.yml:8
ESTABLISH LOCAL CONNECTION FOR USER: lab
EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk"&& mkdir "echo /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769" && echo ansible-tmp-1602683695.5519297-30803-24392853617769="echo /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769" ) && sleep 0'
Using module file /home/lab/.ansible/collections/ansible_collections/junipernetworks/junos/plugins/modules/junos_interfaces.py
PUT /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/tmphqptwaxw TO /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769/AnsiballZ_junos_interfaces.py
EXEC /bin/sh -c 'chmod u+x /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769/ /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769/AnsiballZ_junos_interfaces.py && sleep 0'
EXEC /bin/sh -c '/usr/bin/python3 /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769/AnsiballZ_junos_interfaces.py && sleep 0'
EXEC /bin/sh -c 'rm -f -r /home/lab/.ansible/tmp/ansible-local-30797cyspwcwk/ansible-tmp-1602683695.5519297-30803-24392853617769/ > /dev/null 2>&1 && sleep 0'
ok: [EX300-CABB-TEMP] => {
"before": [
{
"description": "Vers EX4300 - Ge-7/0/14",
"enabled": true,
"name": "ge-0/0/0"
},
{
"enabled": true,
"name": "ge-0/0/1"
},
{
"description": "LAB10E-NFX7 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/2"
},
{
"description": "LAB10E-NFX7 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/3"
},
{
"description": "LAB10E-NFX7 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/4"
},
{
"description": "LAB10E-NFX8 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/5"
},
{
"description": "LAB10E-NFX8 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/6"
},
{
"description": "LAB10E-NFX8 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/7"
},
{
"description": "LAB10E-NFX9 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/8"
},
{
"description": "LAB10E-NFX9 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/9"
},
{
"description": "LAB10E-NFX9 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/10"
},
{
"description": "LAB10E-NFX10 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/11"
},
{
"description": "LAB10E-NFX10 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/12"
},
{
"description": "LAB10E-NFX10 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/13"
},
{
"description": "LAB10E-NFX11 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/14"
},
{
"description": "LAB10E-NFX11 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/15"
},
{
"description": "LAB10E-NFX11 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/16"
},
{
"description": "LAB10E-NFX12 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/17"
},
{
"description": "LAB10E-NFX12 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/18"
},
{
"description": "LAB10E-NFX12 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/19"
},
{
"description": "LAB10E-NFX13 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/20"
},
{
"description": "LAB10E-NFX13 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/21"
},
{
"description": "LAB10E-NFX13 - Ge-0/0",
"enabled": false,
"name": "ge-0/0/22"
},
{
"description": "LAB10E-NFX14 - Ge-0/9",
"enabled": true,
"name": "ge-0/0/23"
},
{
"description": "LAB10E-NFX14 - Ge-0/8",
"enabled": true,
"name": "ge-0/0/24"
},
{
"description": "LAB10E-NFX14 - Ge-0/0",
"enabled": true,
"name": "ge-0/0/25"
},
{
"enabled": true,
"name": "ge-0/0/26"
},
{
"enabled": true,
"name": "ge-0/0/27"
},
{
"enabled": true,
"name": "ge-0/0/28"
},
{
"enabled": true,
"name": "ge-0/0/29"
},
{
"enabled": true,
"name": "ge-0/0/30"
},
{
"enabled": true,
"name": "ge-0/0/31"
},
{
"enabled": true,
"name": "ge-0/0/32"
},
{
"enabled": true,
"name": "ge-0/0/33"
},
{
"enabled": true,
"name": "ge-0/0/34"
},
{
"enabled": true,
"name": "ge-0/0/35"
},
{
"enabled": true,
"name": "ge-0/0/36"
},
{
"enabled": true,
"name": "ge-0/0/37"
},
{
"enabled": true,
"name": "ge-0/0/38"
},
{
"enabled": true,
"name": "ge-0/0/39"
},
{
"enabled": true,
"name": "ge-0/0/40"
},
{
"enabled": true,
"name": "ge-0/0/41"
},
{
"enabled": true,
"name": "ge-0/0/42"
},
{
"enabled": true,
"name": "ge-0/0/43"
},
{
"enabled": true,
"name": "ge-0/0/44"
},
{
"enabled": true,
"name": "ge-0/0/45"
},
{
"enabled": true,
"name": "ge-0/0/46"
},
{
"enabled": true,
"name": "ge-0/0/47"
},
{
"description": "IPVPN WAN LABOPS-QCMTRL3-R01",
"enabled": true,
"name": "ge-0/2/0"
},
{
"description": "IPVPN WAN LABOPS-QCMTRL4-R01",
"enabled": true,
"name": "ge-0/2/1"
},
{
"enabled": true,
"name": "ge-0/2/2"
},
{
"description": "IPVPN WAN LABOPS-QCMTRL1-R01",
"enabled": true,
"name": "xe-0/2/2"
},
{
"enabled": true,
"name": "ge-0/2/3"
},
{
"description": "IPVPN WAN LABOPS-QCMTRL2-R01",
"enabled": true,
"name": "xe-0/2/3"
},
{
"description": "Vers EX4300 - ae12",
"enabled": true,
"mtu": 9216,
"name": "ae0"
},
{
"enabled": true,
"name": "irb"
},
{
"enabled": true,
"name": "vme"
}
],
"changed": false,
"commands": [
"<nc:interfaces xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0"><nc:interface><nc:name>ge-0/0/22</nc:name></nc:interface></nc:interfaces>"
],
"invocation": {
"module_args": {
"config": [
{
"description": null,
"duplex": null,
"enabled": true,
"hold_time": null,
"mtu": null,
"name": "ge-0/0/22",
"speed": null
}
],
"running_config": null,
"state": "merged"
}
}
}
META: ran handlers
META: ran handlers

PLAY RECAP *************************************************************************************************************************************************************************************************
EX300-CABB-TEMP : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

AFTER EXECUTION: The playbook executes successfully but doesn't disable ge-0/0/22.

admin@EX300-CABB-TEMP> show interfaces terse ge-0/0/22
Interface Admin Link Proto Local Remote
ge-0/0/22 down down

Interestingly, the playbook to disable a port successfully disables a port.

WORKING PLAYBOOK: juniper_port_down.yml

  - name: "Get Junos OS configuration."
    hosts: "{{ switch }}"
    roles:
      - Juniper.junos
    connection: local
    gather_facts: no

    tasks:
      - name: Enable switch port
        junos_interfaces:
          config:
            - name: "{{ port }}"
              enabled: no  # >>>>>>>

WORKAROUND:

junos_interfaces is the newer module. junos_interface (without the s at the end) is the older module.

If we use the older interface module, then the playbook can successfully bring up the disabled port.

WORKAROUND PLAYBOOK:


  - name: "Get Junos OS configuration."
    hosts: junos
    connection: local
    roles:
      - Juniper.junos
    gather_facts: no
    tasks:
      - name: remove interface
        junos_interface:  # >>>>>>>>>>>>
          name: ge-0/0/1
          enabled: yes
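
A check for the failure mode reported above, as an added example that is not part of the issue or of the junos collection: it reads a `junos_interfaces` result and flags every interface whose requested `enabled` value differs from the `before` state while the module still reports `changed: false`. The sample result is constructed by trimming the `-vvv` output shown in the issue; the function names are hypothetical, and `disable` is assumed to be the Junos configuration element behind `set interfaces ... disable`.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample: the module result from the issue, with the "before"
# list trimmed to two entries and the null-valued arguments shortened.
SAMPLE_RESULT = json.loads(r'''
{
  "before": [
    {"description": "LAB10E-NFX13 - Ge-0/8", "enabled": true, "name": "ge-0/0/21"},
    {"description": "LAB10E-NFX13 - Ge-0/0", "enabled": false, "name": "ge-0/0/22"}
  ],
  "changed": false,
  "commands": [
    "<nc:interfaces xmlns:nc=\"urn:ietf:params:xml:ns:netconf:base:1.0\"><nc:interface><nc:name>ge-0/0/22</nc:name></nc:interface></nc:interfaces>"
  ],
  "invocation": {"module_args": {"config": [
    {"description": null, "enabled": true, "mtu": null, "name": "ge-0/0/22"}
  ], "state": "merged"}}
}
''')


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def payload_touches_disable(commands, ifname):
    """True if any generated XML payload carries a <disable> element for ifname."""
    for xml_text in commands:
        for intf in ET.fromstring(xml_text).iter():
            if local(intf.tag) != "interface":
                continue
            children = {local(c.tag): c for c in intf}
            name = children.get("name")
            if name is not None and name.text == ifname and "disable" in children:
                return True
    return False


def silent_noops(result):
    """List requested 'enabled' changes that the module reported as unchanged."""
    before = {i["name"]: i for i in result.get("before", [])}
    findings = []
    for want in result["invocation"]["module_args"]["config"]:
        if want.get("enabled") is None or want["name"] not in before:
            continue
        have = before[want["name"]]["enabled"]
        if have != want["enabled"] and not result.get("changed"):
            findings.append({
                "name": want["name"],
                "have": have,
                "want": want["enabled"],
                "payload_has_disable": payload_touches_disable(
                    result.get("commands", []), want["name"]),
            })
    return findings


if __name__ == "__main__":
    for finding in silent_noops(SAMPLE_RESULT):
        print(finding)
```

Registering the task result and running a check like this after the play turns an `ok` that left the port down into a visible finding instead of a green recap line.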
