Forum Discussion

Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Sep 29, 2023
Solved

Ansible - Bricking freshly installed vcmp guests with ansible

  Hello fellow F5 admins, currently I try to established a workflow, where new vcmp guests are created and configured with a standard basic config (and even building a HA setup). The creation part...
Ansible
application delivery
bootstrap
devops
password
vcmp
  • Ichnafi's avatar
    Ichnafi
    Oct 02, 2023

    Got it working!

    I ran into several strange issues.

    1. Password handling seems to be not konsisten. For some reason I had da "\n" at the end of my password in the ansible-vault encrypted string. Why? Don't know. It seems, that normal API and GUI login do not care about this trailing "\n", but password changes do.
    2. After fixing the password and (just for good measugre) adding the Jinja2 filter "trim" to alle my password variables, I ran everything again using the REST endpoint "mgmt/shared/authz/users/admin" with a PATCH leaving the system bricked again.

    3. How did I get it to work

    1. When connecting via SSH as user "root" you are forced to set a new root password.
      This password is also set as an admin password, that still has to be changed. Also worth to mention, that javarestd will automaticly restart.
    2. Connect via SSH as user "admin" with root password and set a new admin password. After the password change you get booted out of you ssh session and the return code is 1, so we have to consider this in ansible.

    To automate the password changes I write tasks using module ansible.builtin.expect.
    This completly renders idempotency useless. Changes in the SSH login flow and/or messages will let the taks fail. 

     

    - name: Change root password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': default
	  '(.*)UNIX password:(.*)': default
	  '(.*)New BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)config(.*)#': exit
  register: output
  delegate_to: localhost

- name: Debug
  ansible.builtin.debug:
	var: output

- name: Wait for restjavad to be restarted
  ansible.builtin.wait_for:
	timeout: 20
  delegate_to: localhost

- name: Change admin password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no "{{ f5_api_admin_user }}"@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)UNIX password:(.*)': "{{ f5_root_password | trim }}"
	  '(.*)New BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
  register: output
  failed_when: output.rc not in [0, 1]
  delegate_to: localhost

     

    The hole thing is still really annoying. I don't understand why this has to be resolved like, in times where cloud first, api first, whatever first is key. This should really be done in a different way.

    Cheers

    Ichnafi

Ichnafi's avatar
Ichnafi
Icon for Cirrostratus rankCirrostratus
Oct 02, 2023

Got it working!

I ran into several strange issues.

  1. Password handling seems to be not konsisten. For some reason I had da "\n" at the end of my password in the ansible-vault encrypted string. Why? Don't know. It seems, that normal API and GUI login do not care about this trailing "\n", but password changes do.
  2. After fixing the password and (just for good measugre) adding the Jinja2 filter "trim" to alle my password variables, I ran everything again using the REST endpoint "mgmt/shared/authz/users/admin" with a PATCH leaving the system bricked again.

3. How did I get it to work

  1. When connecting via SSH as user "root" you are forced to set a new root password.
    This password is also set as an admin password, that still has to be changed. Also worth to mention, that javarestd will automaticly restart.
  2. Connect via SSH as user "admin" with root password and set a new admin password. After the password change you get booted out of you ssh session and the return code is 1, so we have to consider this in ansible.

To automate the password changes I write tasks using module ansible.builtin.expect.
This completly renders idempotency useless. Changes in the SSH login flow and/or messages will let the taks fail. 

 

- name: Change root password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no root@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': default
	  '(.*)UNIX password:(.*)': default
	  '(.*)New BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)config(.*)#': exit
  register: output
  delegate_to: localhost

- name: Debug
  ansible.builtin.debug:
	var: output

- name: Wait for restjavad to be restarted
  ansible.builtin.wait_for:
	timeout: 20
  delegate_to: localhost

- name: Change admin password
  no_log: true
  ansible.builtin.expect:
	command: ssh -oStrictHostKeyChecking=no -oCheckHostIP=no "{{ f5_api_admin_user }}"@"{{ ansible_host }}"
	timeout: 10
	responses:
	  '(.*)Password(.*)': "{{ f5_root_password | trim }}"
	  '(.*)UNIX password:(.*)': "{{ f5_root_password | trim }}"
	  '(.*)New BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
	  '(.*)Retype new BIG-IP password(.*)': "{{ f5_api_admin_password | trim }}"
  register: output
  failed_when: output.rc not in [0, 1]
  delegate_to: localhost

 

The hole thing is still really annoying. I don't understand why this has to be resolved like, in times where cloud first, api first, whatever first is key. This should really be done in a different way.

Cheers

Ichnafi