Security – Cisco IOS and the "reload" command

I want to send the "reload in" command to Cisco IOS, but that particular command has to be confirmed, like this:

    #reload in 30
    Reload scheduled in 30 minutes by admin on vty0 (192.168.253.15)
    Proceed with reload? [confirm]

It looks like the ios_command module does not handle this case. My configuration:

    tasks:
      - name: do reload in case of "catting off"
        ios_command:
          commands: reload in 30
          commands: y
          provider: "{{ cli }}"

And the playbook's response:

    TASK [do reload in case of "catting off"] **************************************
    task path: /etc/ansible/test1.yml:14
    <192.168.0.33> ESTABLISH LOCAL CONNECTION FOR USER: root
    <192.168.0.33> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1476454008.17-103724241654271 `" && echo ansible-tmp-1476454008.17-103724241654271="` echo $HOME/.ansible/tmp/ansible-tmp-1476454008.17-103724241654271 `" ) && sleep 0'
    <192.168.0.33> PUT /tmp/tmpAJiZR2 TO /root/.ansible/tmp/ansible-tmp-1476454008.17-103724241654271/ios_command
    <192.168.0.33> EXEC /bin/sh -c 'LANG=pl_PL.UTF-8 LC_ALL=pl_PL.UTF-8 LC_MESSAGES=pl_PL.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1476454008.17-103724241654271/ios_command; rm -rf "/root/.ansible/tmp/ansible-tmp-1476454008.17-103724241654271/" > /dev/null 2>&1 && sleep 0'
    fatal: [192.168.0.33]: FAILED! => {"changed": false, "commands": ["y"], "failed": true, "invocation": {"module_args": {"auth_pass": null, "authorize": false, "commands": ["y"], "host": "192.168.0.33", "interval": 1, "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "port": 22, "provider": "{'username': 'admin', 'host': '192.168.0.33', 'password': '********'}", "retries": 10, "ssh_keyfile": null, "timeout": 10, "username": "admin", "waitfor": null}, "module_name": "ios_command"}, "msg": "matched error in response: y\r\n ^\r\n% Invalid input detected at '^' marker.\r\n\r\nsw7.test.lab#"}

How should I handle this?


Update:

If I try to use the expect module in the YAML file, like this:

    name: some tests
    hosts: sw-test
    gather_facts: False
    # connection: local
    tasks:
      - name: do reload in case of "catting off"
        expect:
          command: reload in 30
          responses:
            'Reload scheduled in 30 minutes by admin on vty0 (192.168.253.20)\nProceed with reload? \[confirm\]': y
          echo: yes

then there is a problem with the connection:

    root@Kali:/etc/ansible# ansible-playbook test3 -u admin -k -vvvv
    Using /etc/ansible/ansible.cfg as config file
    SSH password:
    Loaded callback default of type stdout, v2.0

    PLAYBOOK: test3 ****************************************************************
    1 plays in test3

    PLAY [some tests] **************************************************************

    TASK [do reload in case of "catting off"] **************************************
    task path: /etc/ansible/test3:9
    <192.168.0.33> ESTABLISH SSH CONNECTION FOR USER: admin
    <192.168.0.33> SSH: EXEC sshpass -d12 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r 192.168.0.33 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1476882070.37-92402455055985 `" && echo ansible-tmp-1476882070.37-92402455055985="` echo $HOME/.ansible/tmp/ansible-tmp-1476882070.37-92402455055985 `" ) && sleep 0'"'"''
    <192.168.0.33> PUT /tmp/tmp30wGsF TO "` echo $HOME/.ansible/tmp/ansible-tmp-1476882070.37-92402455055985 `" ) && sleep 0'"/expect
    <192.168.0.33> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[192.168.0.33]'
    fatal: [192.168.0.33]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh", "unreachable": true}
            to retry, use: --limit @/etc/ansible/test3.retry

    PLAY RECAP *********************************************************************
    192.168.0.33               : ok=0    changed=0    unreachable=1    failed=0

    root@Kali:/etc/ansible# ansible-playbook test3 -u admin -k -vvvv -c ssh
    Using /etc/ansible/ansible.cfg as config file
    SSH password:
    Loaded callback default of type stdout, v2.0

    PLAYBOOK: test3 ****************************************************************
    1 plays in test3

    PLAY [some tests] **************************************************************

    TASK [do reload in case of "catting off"] **************************************
    task path: /etc/ansible/test3:9
    <192.168.0.33> ESTABLISH SSH CONNECTION FOR USER: admin
    <192.168.0.33> SSH: EXEC sshpass -d12 ssh -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r 192.168.0.33 '/bin/sh -c '"'"'( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1476882145.78-139203779538157 `" && echo ansible-tmp-1476882145.78-139203779538157="` echo $HOME/.ansible/tmp/ansible-tmp-1476882145.78-139203779538157 `" ) && sleep 0'"'"''
    <192.168.0.33> PUT /tmp/tmpY5qqyW TO "` echo $HOME/.ansible/tmp/ansible-tmp-1476882145.78-139203779538157 `" ) && sleep 0'"/expect
    <192.168.0.33> SSH: EXEC sshpass -d12 sftp -o BatchMode=no -b - -C -vvv -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o User=admin -o ConnectTimeout=10 -o ControlPath=/root/.ansible/cp/ansible-ssh-%h-%p-%r '[192.168.0.33]'
    fatal: [192.168.0.33]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to the remote host. Make sure this host can be reached over ssh", "unreachable": true}
            to retry, use: --limit @/etc/ansible/test3.retry

    PLAY RECAP *********************************************************************
    192.168.0.33               : ok=0    changed=0    unreachable=1    failed=0

    root@Kali:/etc/ansible# ansible-playbook test3 -u admin -k -vvvv -c local
    Using /etc/ansible/ansible.cfg as config file
    SSH password:
    Loaded callback default of type stdout, v2.0

    PLAYBOOK: test3 ****************************************************************
    1 plays in test3

    PLAY [some tests] **************************************************************

    TASK [do reload in case of "catting off"] **************************************
    task path: /etc/ansible/test3:9
    <192.168.0.33> ESTABLISH LOCAL CONNECTION FOR USER: root
    <192.168.0.33> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809 `" && echo ansible-tmp-1476882426.62-172601217553809="` echo $HOME/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809 `" ) && sleep 0'
    <192.168.0.33> PUT /tmp/tmpdq1pYy TO /root/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809/expect
    <192.168.0.33> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809/ /root/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809/expect && sleep 0'
    <192.168.0.33> EXEC /bin/sh -c 'LANG=pl_PL.UTF-8 LC_ALL=pl_PL.UTF-8 LC_MESSAGES=pl_PL.UTF-8 /usr/bin/python /root/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809/expect; rm -rf "/root/.ansible/tmp/ansible-tmp-1476882426.62-172601217553809/" > /dev/null 2>&1 && sleep 0'
    fatal: [192.168.0.33]: FAILED! => {"changed": false, "failed": true, "invocation": {"module_args": {"chdir": null, "command": "reload in 30", "creates": null, "echo": true, "removes": null, "responses": {"Reload scheduled in 30 minutes by admin on vty0 (192.168.253.20)\\nProceed with reload? \\[confirm\\]": "y"}, "timeout": 30}, "module_name": "expect"}, "msg": "The command was not found or was not executable: reload."}

    NO MORE HOSTS LEFT *************************************************************
            to retry, use: --limit @/etc/ansible/test3.retry

    PLAY RECAP *********************************************************************
    192.168.0.33               : ok=0    changed=0    unreachable=0    failed=1

Update:

I have installed 2.3 and tried the following:

    tasks:
      - name: do reload in case of "catting off"
        ios_command:
          commands:
            - reload in 30
            - y
          wait_for:
            - result[0] contains "Proceed with reload"
          provider: "{{ cli }}"

But I still get an error. I think it is because the ios module always waits for the prompt as the response. After pressing "y", the confirmation of the reload command takes no "Enter", so that may be a further problem.

    $ sudo ansible-playbook test1.yml -vvvv
    Using /etc/ansible/ansible.cfg as config file
    Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python2.7/dist-packages/ansible/plugins/callback/__init__.pyc

    PLAYBOOK: test1.yml ************************************************************
    1 plays in test1.yml

    PLAY [testowe dzialania] *******************************************************

    TASK [do reload in case of "catting off"] **************************************
    task path: /home/user1/test1.yml:13
    Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/core/network/ios/ios_command.py
    <192.168.0.33> ESTABLISH LOCAL CONNECTION FOR USER: root
    <192.168.0.33> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo $HOME/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324 `" && echo ansible-tmp-1477557527.56-157304653717324="` echo $HOME/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324 `" ) && sleep 0'
    <192.168.0.33> PUT /tmp/tmphf8EWO TO /home/mszczesniak/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324/ios_command.py
    <192.168.0.33> EXEC /bin/sh -c 'chmod u+x /home/mszczesniak/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324/ /home/mszczesniak/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324/ios_command.py && sleep 0'
    <192.168.0.33> EXEC /bin/sh -c '/usr/bin/python /home/mszczesniak/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324/ios_command.py; rm -rf "/home/user1/.ansible/tmp/ansible-tmp-1477557527.56-157304653717324/" > /dev/null 2>&1 && sleep 0'
    fatal: [192.168.0.33]: FAILED! => {
        "changed": false,
        "failed": true,
        "invocation": {
            "module_args": {
                "auth_pass": null,
                "authorize": false,
                "commands": [
                    "reload in 30",
                    "y"
                ],
                "host": "192.168.0.33",
                "interval": 1,
                "match": "all",
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "port": null,
                "provider": {
                    "host": "192.168.0.33",
                    "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                    "username": "admin"
                },
                "retries": 10,
                "ssh_keyfile": null,
                "timeout": 10,
                "transport": null,
                "use_ssl": true,
                "username": "admin",
                "validate_certs": true,
                "wait_for": [
                    "result[0] contains \"Proceed with reload\""
                ]
            },
            "module_name": "ios_command"
        },
        "msg": "timeout trying to send command: reload in 30\r"
    }
            to retry, use: --limit @/home/user1/test1.retry

    PLAY RECAP *********************************************************************
    192.168.0.33               : ok=0    changed=0    unreachable=0    failed=1

Does anyone have an idea how to solve this in Ansible, or is the only way maybe to use a plain Python script or write my own module?

You can use:

    - name: reload device
      ios_command:
        commands:
          - "reload in 1\ny"
        provider: "{{ cli }}"

This will reload the device in 1 minute, with the reload prompt accepted. It works safely because the default IOS prompt comes back (the reload is triggered after 1 minute).

Regards, Simon

The commands parameter of the ios_command module expects a YAML-formatted list of commands. In the code example provided, however, the commands parameter is set more than once. Try an ios_command task like this:

    - name: do reload in case of "catting off"
      ios_command:
        commands:
          - reload in 30
          - y
        provider: "{{ cli }}"

Ansible 2.2 only

You could use something like this:

    - name: send reload command inc confirmation
      ios_command:
        commands:
          - reload in 30
          - y
        wait_for:
          - result[0] contains "Proceed with reload"
        provider: "{{ cli }}"

Untested, but similar to the last example for the ios_command module.

Ansible 2.2 has not been released yet, though, and new Ansible releases can have significant regressions.
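The reason the two-command form in the question stalls, and why Simon's single "reload in 1\ny" command above gets through, comes down to what the module treats as a prompt. The following is an added illustration, not code from the original post or from Ansible's ios_command module: a constructed FakeIOS class stands in for the Cisco IOS exec session (the hostname sw7.test.lab and the vty0 source 192.168.253.15 are taken from the output quoted in the question; the wording of the other messages and the exact confirm semantics are assumptions). It drives that fake device three ways: one command per prompt wait (what the question's playbooks did), the confirmation carried in the same send (Simon's answer), and a prompt-aware driver that recognises "[confirm]" as a prompt in its own right (what a custom module would do).

```python
"""Why 'reload in N' stalls a prompt-driven task, and two ways past [confirm].

Added illustration; not code from the original post or from Ansible. FakeIOS is
a constructed stand-in for a Cisco IOS exec session (hostname and vty0 source
come from the question's output; other message wording is an assumption).
"""
import re

HOSTNAME = "sw7.test.lab"
PRIV_PROMPT = re.compile(re.escape(HOSTNAME) + r"#\s*$")   # normal exec prompt
CONFIRM_PROMPT = re.compile(r"\[confirm\]\s*$")             # interactive prompt


class FakeIOS:
    """Minimal model of the IOS CLI: lines in, prompt-terminated text out."""

    def __init__(self):
        self._out = ""          # text emitted but not yet read by the driver
        self._confirm = None    # minutes of a 'reload in' parked at [confirm]
        self.scheduled = None   # minutes of a confirmed, scheduled reload

    def write(self, data):
        # The transport delivers the whole string, so "reload in 1\ny" arrives
        # as two lines and the second one is consumed by the [confirm] prompt.
        for line in data.split("\n"):
            self._handle(line.strip("\r"))

    def _handle(self, cmd):
        if self._confirm is not None:
            # Model: Enter or 'y' confirms (real IOS accepts any key but n/N).
            if cmd in ("", "y", "Y"):
                self.scheduled, self._confirm = self._confirm, None
                self._out += "\r\n" + HOSTNAME + "#"
            else:
                self._confirm = None
                self._out += "\r\nReload cancelled.\r\n" + HOSTNAME + "#"
            return
        m = re.fullmatch(r"reload in (\d+)", cmd)
        if m:
            self._confirm = int(m.group(1))
            self._out += ("\r\nReload scheduled in %d minutes by admin on vty0 (192.168.253.15)"
                          "\r\nProceed with reload? [confirm]" % self._confirm)
        else:
            # Anything else at the exec prompt: the error the question shows for a stray 'y'.
            self._out += ("\r\n" + cmd + "\r\n ^\r\n% Invalid input detected at '^' marker."
                          "\r\n\r\n" + HOSTNAME + "#")

    def read(self):
        out, self._out = self._out, ""
        return out


def send_and_wait_for_prompt(dev, command, max_reads=3):
    """ios_command's per-command loop: send, then read until the # prompt
    reappears. A device parked at [confirm] never shows it, so this raises
    the same kind of timeout the question's last update reports."""
    dev.write(command)
    seen = ""
    for _ in range(max_reads):
        seen += dev.read()
        if PRIV_PROMPT.search(seen):
            return seen
    raise TimeoutError("timeout trying to send command: %s" % command)


def reload_as_two_commands(dev, minutes):
    """commands: [reload in N, y] -- the first call never sees the # prompt."""
    send_and_wait_for_prompt(dev, "reload in %d" % minutes)
    return send_and_wait_for_prompt(dev, "y")


def reload_with_inline_confirm(dev, minutes):
    """Simon's "reload in N\\ny": the confirmation rides in the same send, so
    the device passes [confirm] and the # prompt does come back."""
    out = send_and_wait_for_prompt(dev, "reload in %d\ny" % minutes)
    # Check the device really scheduled it rather than rejecting the input.
    if "Reload scheduled in %d minutes" % minutes not in out or "[confirm]" not in out:
        raise RuntimeError("unexpected response: %r" % out)
    return out


def reload_prompt_aware(dev, minutes):
    """What a purpose-built module would do: treat [confirm] as a prompt in
    its own right, answer it, and only then wait for the # prompt."""
    dev.write("reload in %d" % minutes)
    out = dev.read()
    if not CONFIRM_PROMPT.search(out):
        raise RuntimeError("expected [confirm], got: %r" % out)
    return out + send_and_wait_for_prompt(dev, "y")


def demo():
    """Run the three strategies on fresh fake devices and report the outcomes."""
    results = {}
    dev = FakeIOS()
    try:
        reload_as_two_commands(dev, 30)
        results["two_commands"] = "ok"
    except TimeoutError as exc:
        results["two_commands"] = str(exc)
    results["two_commands_scheduled"] = dev.scheduled
    dev = FakeIOS()
    reload_with_inline_confirm(dev, 1)
    results["inline_confirm_scheduled"] = dev.scheduled
    dev = FakeIOS()
    reload_prompt_aware(dev, 30)
    results["prompt_aware_scheduled"] = dev.scheduled
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print("%s: %s" % (key, value))
```

Running it shows the two-command strategy ending in "timeout trying to send command: reload in 30" with nothing scheduled, while the other two leave the fake device with a scheduled reload and the exec prompt back. The check in reload_with_inline_confirm is the part worth keeping in a real playbook: a single combined command hides the intermediate prompt, so verify from the returned text that the device actually reported "Reload scheduled" rather than an input error.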

Ansible 2.0+ includes the expect module, but it requires Python on the remote device, so it will not work on IOS or similar devices.

It seems the simplest approach is to use the "raw" module to send raw SSH commands to the device.

That avoids using expect and having to use the ios_command module.

The raw module will run the command without caring what the device responds with or prompts for.
