Ansible NETCONF Automation

Ansible supports configuring remote hosts using NETCONF (instead of the default SSH connection along with Linux shell commands). This guide explains how to leverage Ansible to configure multiple Turbo IPsec instances.

Dependencies

This guide assumes that you have two (or more) Turbo IPsec instances that are booted and accessible on the network (NETCONF uses TCP port 830). Also, for clarity purposes, these machines should be reachable with their respective hostnames (thus, DNS or /etc/hosts must be configured accordingly).

To make sure it works, ansible version greater than 2.7.10 along with the ncclient and jxmlease python libraries are required. Here is how to install this in a python virtualenv:

$ python3 -m venv /tmp/ansible-netconf
$ . /tmp/ansible-netconf/bin/activate
$ which python
/tmp/ansible-netconf/bin/python
$ pip install -U pip setuptools wheel
...
Successfully installed pip-19.1.1 setuptools-41.0.1 wheel-0.33.4
$ pip install "ansible > 2.7.10" ncclient jxmlease
...
Successfully installed MarkupSafe-1.1.1 PyYAML-5.1 ansible-2.8.0
asn1crypto-0.24.0 bcrypt-3.1.6 cffi-1.12.3 cryptography-2.6.1 jinja2-2.10.1
jxmlease-1.0.1 lxml-4.3.3 ncclient-0.6.4 paramiko-2.4.2 pyasn1-0.4.5
pycparser-2.19 pynacl-1.3.0 six-1.12.0

Configuration

Inventory

We need an “inventory” file that will reference all machines that we want to control with Ansible. Here we are using the YAML inventory format which is more readable than the default INI format.

# /tmp/ansible-netconf/hosts.yml
---
vrouters:
  vars:
    ansible_connection: netconf
    ansible_user: admin
    ansible_ssh_pass: admin      # using default admin user/password
    ansible_python_interpreter: python
  hosts:
    vrouter1:
      peer: vrouter2
      ifname: int0
      port: pci-b0s4
      ipaddr: 172.16.200.1
    vrouter2:
      peer: vrouter1
      ifname: ext0
      port: pci-b0s4
      ipaddr: 172.16.200.2

Playbook

We also need to write a playbook. Here is a basic example that configures the hostname depending on the Ansible inventory name, and that configures a physical interface on both machines. Then, it runs the ping NETCONF RPC to check that the IP addresses have been properly configured on both machines.

# /tmp/ansible-netconf/playbook.yml
---
- hosts: vrouters
  gather_facts: false  # facts gathering is not supported at the moment
  tasks:
    - name: fetch initial state
      netconf_get:
        display: json
        filter: "{{lookup('file', 'filter.xml')}}"
      register: state

    - name: print initial state
      debug:
        var: state.output.data

    - name: configure
      netconf_config:
        content: "{{lookup('template', 'config.xml')}}"

    - name: fetch state again
      netconf_get:
        display: json
        filter: "{{lookup('file', 'filter.xml')}}"
      register: state

    - name: print state after configuration has been applied
      debug:
        var: state.output.data

    - name: check connection both ways
      netconf_rpc:
        rpc: ping
        display: json
        xmlns: 'urn:6wind:vrouter/system'
        content: |
          <count>1</count>
          <destination>{{hostvars[peer].ipaddr}}</destination>
      register: ping

    - name: print ping outputs
      debug:
        msg: "{{ping.output['nc:rpc-reply']['buffer'].splitlines()}}"

    - name: unset hostname
      netconf_config:
        content: |
          <config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
            <config xmlns="urn:6wind:vrouter">
              <system xmlns="urn:6wind:vrouter/system">
                <hostname xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="delete"/>
              </system>
            </config>
          </config>

    - name: change ipv4 address (not add a new one)
      netconf_config:
        content: |
          <config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
            <config xmlns="urn:6wind:vrouter">
              <vrf>
                <name>main</name>
                <interface xmlns="urn:6wind:vrouter/interface">
                  <physical>
                    <name>{{ifname}}</name>
                    <ipv4 xmlns:nc="urn:ietf:params:xml:ns:netconf:base:1.0" nc:operation="replace">
                      <address>
                        <ip>{{ipaddr}}00/24</ip>
                      </address>
                    </ipv4>
                  </physical>
                </interface>
              </vrf>
            </config>
          </config>

    - name: fetch state again
      netconf_get:
        display: json
        filter: "{{lookup('file', 'filter.xml')}}"
      register: state

    - name: print state after configuration has been modified
      debug:
        var: state.output.data

    - name: check connection both ways (again)
      netconf_rpc:
        rpc: ping
        display: json
        xmlns: 'urn:6wind:vrouter/system'
        content: |
          <count>1</count>
          <destination>{{hostvars[peer].ipaddr}}00</destination>
      register: ping

    - name: print ping outputs
      debug:
        msg: "{{ping.output['nc:rpc-reply']['buffer'].splitlines()}}"

See also

The official Ansible documentation of the netconf_get, netconf_config and netconf_rpc modules.

Two additional XML files are referenced. They should be placed next to the playbook file itself.

Config

<!-- /tmp/ansible-netconf/config.xml -->
<config xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <config xmlns="urn:6wind:vrouter">
    <system xmlns="urn:6wind:vrouter/system">
      <hostname>{{inventory_hostname}}</hostname>
    </system>
    <vrf>
      <name>main</name>
      <interface xmlns="urn:6wind:vrouter/interface">
        <physical>
          <name>{{ifname}}</name>
          <port>{{port}}</port>
          <ipv4>
            <address>
              <ip>{{ipaddr}}/24</ip>
            </address>
          </ipv4>
        </physical>
      </interface>
    </vrf>
  </config>
</config>

The structure of config.xml may be generated by running the following CLI commands:

localhost> edit running
localhost running config# system hostname vrouter2
localhost running config# vrf main interface physical ext0 port pci-b0s4 ipv4 address 172.16.200.2/24
localhost running config# show config xml absolute nodefault
<config xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <hostname>vrouter2</hostname>
  </system>
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>ext0</name>
        <port>pci-b0s4</port>
        <ipv4>
          <address>
            <ip>172.16.200.2/24</ip>
          </address>
        </ipv4>
      </physical>
    </interface>
  </vrf>
</config>

Important

By default, the contents of the <config> XML node are merged with the current configuration. This is explained extensively in RFC 6241, Section 7.2..

In order to replace or delete some parts of the configuration, the operation XML attribute must be specified on the related XML nodes. The example playbook makes use of this attribute to unset a previously set hostname and replace an IPv4 address.

Filter

<!-- /tmp/ansible-netconf/filter.xml -->
<state xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <hostname/>
    <product xmlns="urn:6wind:vrouter/system/product"/>
  </system>
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name/>
        <ipv4>
          <address/>
        </ipv4>
        <port/>
        <oper-status/>
      </physical>
    </interface>
  </vrf>
</state>

The structure of filter.xml may be generated from combining the output of the following CLI commands:

localhost> show state xml absolute nodefault system
<state xmlns="urn:6wind:vrouter">
  <system xmlns="urn:6wind:vrouter/system">
    <hostname>localhost</hostname>
...
localhost> show state xml absolute nodefault vrf main interface physical ens3
<state xmlns="urn:6wind:vrouter">
  <vrf>
    <name>main</name>
    <interface xmlns="urn:6wind:vrouter/interface">
      <physical>
        <name>ens3</name>
        <ipv4>
          <address>
...

Note

The playbook.yml and config.xml files contain templating placeholders that will be replaced by respective host variables when the playbook is executed.

See Ansible official documentation for more details.

Execution

Once all these files are created, you may run ansible-playbook as follows:

$ ansible-playbook -i /tmp/ansible-netconf/hosts.yml /tmp/ansible-netconf/playbook.yml

PLAY [vrouters] *************************************************************

TASK [fetch initial state] **************************************************
ok: [vrouter1]
ok: [vrouter2]

TASK [print initial state] **************************************************
ok: [vrouter2] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "localhost",
                "product": {
                    "license": "valid",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "name": "ens4",
                            "oper-status": "DOWN",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}
ok: [vrouter1] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "localhost",
                "product": {
                    "license": "valid",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "name": "ens4",
                            "oper-status": "DOWN",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}

TASK [configure] ************************************************************
changed: [vrouter2]
changed: [vrouter1]

TASK [fetch state again] ****************************************************
ok: [vrouter1]
ok: [vrouter2]

TASK [print state after configuration has been applied] *********************
ok: [vrouter2] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "vrouter2",
                "product": {
                    "license": "valid",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "172.16.200.2/24"
                                }
                            },
                            "name": "ext0",
                            "oper-status": "UP",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}
ok: [vrouter1] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "vrouter1",
                "product": {
                    "license": "valid",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "172.16.200.1/24"
                                }
                            },
                            "name": "int0",
                            "oper-status": "UP",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}

TASK [check connection both ways] *******************************************
ok: [vrouter1]
ok: [vrouter2]

TASK [print ping outputs] ***************************************************
ok: [vrouter2] => {
    "msg": [
        "PING 172.16.200.1 (172.16.200.1) 56(84) bytes of data.",
        "64 bytes from 172.16.200.1: icmp_seq=1 ttl=64 time=0.652 ms",
        "",
        "--- 172.16.200.1 ping statistics ---",
        "1 packets transmitted, 1 received, 0% packet loss, time 0ms",
        "rtt min/avg/max/mdev = 0.652/0.652/0.652/0.000 ms"
    ]
}
ok: [vrouter1] => {
    "msg": [
        "PING 172.16.200.2 (172.16.200.2) 56(84) bytes of data.",
        "64 bytes from 172.16.200.2: icmp_seq=1 ttl=64 time=0.758 ms",
        "",
        "--- 172.16.200.2 ping statistics ---",
        "1 packets transmitted, 1 received, 0% packet loss, time 0ms",
        "rtt min/avg/max/mdev = 0.758/0.758/0.758/0.000 ms"
    ]
}

TASK [unset hostname] *******************************************************
changed: [vrouter2]
changed: [vrouter1]

TASK [change ipv4 address (not add a new one)] ******************************
changed: [vrouter2]
changed: [vrouter1]

TASK [fetch state again] ****************************************************
ok: [vrouter1]
ok: [vrouter2]

TASK [print state after configuration has been modified] ********************
ok: [vrouter1] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "vrouter1",
                "product": {
                    "license": "unknown",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "172.16.200.100/24"
                                }
                            },
                            "name": "int0",
                            "oper-status": "UP",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}
ok: [vrouter2] => {
    "state.output.data": {
        "state": {
            "system": {
                "hostname": "vrouter2",
                "product": {
                    "license": "unknown",
                    "name": "Turbo IPsec",
                    "version": "2.2"
                }
            },
            "vrf": {
                "interface": {
                    "physical": [
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "10.0.2.15/24"
                                }
                            },
                            "name": "ens3",
                            "oper-status": "UP",
                            "port": "pci-b0s3"
                        },
                        {
                            "ipv4": {
                                "address": {
                                    "ip": "172.16.200.200/24"
                                }
                            },
                            "name": "ext0",
                            "oper-status": "UP",
                            "port": "pci-b0s4"
                        }
                    ]
                },
                "name": "main"
            }
        }
    }
}

TASK [check connection both ways (again)] ***********************************
ok: [vrouter1]
ok: [vrouter2]

TASK [print ping outputs] ***************************************************
ok: [vrouter1] => {
    "msg": [
        "PING 172.16.200.200 (172.16.200.200) 56(84) bytes of data.",
        "64 bytes from 172.16.200.200: icmp_seq=1 ttl=64 time=1.07 ms",
        "",
        "--- 172.16.200.200 ping statistics ---",
        "1 packets transmitted, 1 received, 0% packet loss, time 0ms",
        "rtt min/avg/max/mdev = 1.076/1.076/1.076/0.000 ms"
    ]
}
ok: [vrouter2] => {
    "msg": [
        "PING 172.16.200.100 (172.16.200.100) 56(84) bytes of data.",
        "64 bytes from 172.16.200.100: icmp_seq=1 ttl=64 time=10.1 ms",
        "",
        "--- 172.16.200.100 ping statistics ---",
        "1 packets transmitted, 1 received, 0% packet loss, time 0ms",
        "rtt min/avg/max/mdev = 10.119/10.119/10.119/0.000 ms"
    ]
}

PLAY RECAP ******************************************************************
vrouter1: ok=13  changed=3  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0
vrouter2: ok=13  changed=3  unreachable=0  failed=0  skipped=0  rescued=0  ignored=0