
Compliance Checks with Ansible #8

Open
jabelk opened this issue Jul 19, 2021 · 2 comments

jabelk commented Jul 19, 2021

Feedback from a user:

The user is working on a compliance check where they use an Ansible module to interact with NSO's compliance templates. The challenge is that we could only figure out how to save the results to the state directory as HTML results. This has been difficult because we want to GET the results from the API to pass to Ansible.

I have a task to run the compliance report, but there doesn't seem to be a great way to get the report itself from the API?
Right now, the script just looks to see if there were any violation errors and, if there are, it re-applies the template.
It would be best if a preview of what the compliance report violations are could be added to the script. Trying to use the URI module to download that report like a web page could be awkward.
I had to write a small module to attach a device template in NSO as the nso_action Ansible module didn't seem to be able to handle it correctly. This could be a bug in the Ansible module.

@andubiel

These are the ansible files mentioned.
nso_self-healing.zip


jabelk commented Jul 20, 2021

dev_nso

Testing the capabilities of NSO templates for runbook automation.

environment

The inventory here uses the NSO DevNet lab.

Set up Local NSO

Notes on LAB setup:
  • SSH/NETCONF must be configured on core-rtr01/02
  • dist-rtr02 is used as the NTP server (ntp master)

overview

nso_self-healing.yaml:
  • nso_sync_devices - Pull the current running config of the device into NSO.
  • nso_compliance_report - Run the compliance report. To Do: need to get the details from the compliance report into Ansible.
  • nso_remediate - If the compliance report returns a compliance-status of violations, re-apply the template.
  • nso_post_change_test - Check that the NTP servers are in sync after the change; if not, fail the task.
To Do: need a 2nd compliance report after the change to verify there are no more violations.

upload to github

Set up Local NSO

```shell
# Create the local NSO instance with the NEDs used by the DevNet lab.
# This is a single ncs-setup command; the continuation backslashes were
# lost in the original paste.
ncs-setup --package nso/packages/neds/cisco-ios-cli-6.67 \
          --package nso/packages/neds/cisco-nx-cli-5.20 \
          --package nso/packages/neds/cisco-iosxr-cli-7.32 \
          --package nso/packages/neds/cisco-asa-cli-6.12 \
          --dest nso-instance

cd ~/nso-instance
ncs

ncs_cli -C -u admin
```

```
conf
! Shared lab credentials used by all sandbox devices
devices authgroups group labadmin
default-map remote-name cisco
default-map remote-password cisco
default-map remote-secondary-password cisco
commit
top

! "ssh host-key-verification none" turns off SSH host key checking.
! Acceptable for this throw-away lab, not for a production NSO.
! edge-sw01 appears twice below; NSO merges the two entries.
devices device edge-sw01
address 10.10.20.172
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
ssh host-key-verification none
commit
devices device core-rtr01
address 10.10.20.173
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-iosxr-cli-7.32
device-type cli protocol telnet
state admin-state unlocked
!
devices device core-rtr02
address 10.10.20.174
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-iosxr-cli-7.32
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-rtr01
address 10.10.20.175
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-rtr02
address 10.10.20.176
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device dist-sw01
address 10.10.20.177
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-nx-cli-5.20
device-type cli protocol telnet
ned-settings cisco-nx behaviours show-interface-all enable
state admin-state unlocked
!
devices device dist-sw02
address 10.10.20.178
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-nx-cli-5.20
device-type cli protocol telnet
ned-settings cisco-nx behaviours show-interface-all enable
state admin-state unlocked
!
devices device edge-firewall01
address 10.10.20.171
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-asa-cli-6.12
device-type cli protocol telnet
state admin-state unlocked
!
devices device edge-sw01
address 10.10.20.172
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
devices device internet-rtr01
address 10.10.20.181
ssh host-key-verification none
authgroup labadmin
device-type cli ned-id cisco-ios-cli-6.67
device-type cli protocol telnet
state admin-state unlocked
!
commit
end
! Connect to every device and pull the running config into NSO
devices connect
show devices list
devices sync-from
```

Set up NETCONF

```
! core-rtr01: enable NETCONF over SSH (lab login cisco/cisco over telnet)
telnet 10.10.20.173
cisco/cisco

conf
ssh server v2
ssh server netconf port 830
ssh server netconf vrf Mgmt-intf
netconf agent tty
!
netconf-yang agent ssh
commit
exit
!
crypto key generate dsa
```

```
! core-rtr02: same steps
telnet 10.10.20.174
cisco/cisco

conf
ssh server v2
ssh server netconf port 830
ssh server netconf vrf Mgmt-intf
netconf agent tty
!
netconf-yang agent ssh
commit
exit
!
crypto key generate dsa
```

re-sync NSO

```
ncs_cli -C -u admin
devices sync-from
```

Try running the main playbook

copy files

```shell
cd /home/developer/nso_self-healing

ansible-playbook -i inventory/devnet.ini nso_self-healing.yaml -vv
```

  • comment out all except the first task; fails with the NSO user/pass undefined:
    username: '{{ nso_username }}'
    password: '{{ nso_password }}'

```shell
ansible-playbook -i inventory/devnet.ini nso_self-healing.yaml -vv --extra-vars "nso_username=admin nso_password=admin"
```

got the following error

```
line 1214, in do_open\n    raise URLError(err)\nurllib2.URLError: <urlopen error [Errno 111] Connection refused>\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error
```

makes me think there is something wrong with the URL or ports

the role include is

```yaml
---
- name: Playbook to add hosts to NSO.
  hosts: lab_all
  gather_facts: false

  tasks:
  - name: sync devices to nso
    include_role:
      name: nso_sync_devices
```

which then runs

```yaml
---
- name: sync all devices
  nso_action:
    # NSO's JSON-RPC API listens on port 8080 in the default ncs.conf; the
    # original URL had no port, so the request went to port 80 and was
    # refused (the "Connection refused" above). Adjust if your ncs.conf differs.
    url: http://127.0.0.1:8080/jsonrpc
    username: '{{ nso_username }}'
    password: '{{ nso_password }}'
    path: /ncs:devices/device{'{{inventory_hostname}}'}/sync-from
    input: {}
  environment:
    # quoted so the comma-separated list stays a single string
    no_proxy: '127.0.0.1, localhost, 10.10.*.*'
  register: sync_var

- debug: var=sync_var.output

- name: conditional fail if sync fails
  fail:
    msg: 'Device sync-from not successful'
  when: 'sync_var.output != {"result": "true"}'
```
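The runbook logic described in the overview (sync-from, compliance report, remediate on violations, re-check) as a standalone Python module, written here as an added example; it is not code from this issue or from the nso_self-healing files. It takes the dicts that `nso_action` registers under `output`, decides which step runs next, resolves where the HTML report lands under the NSO run directory, and turns the HTML into a plain-text preview that a debug task can print, which is the "preview of the violations" the first comment asks for. Assumptions, also marked in the code: the sync-from output is `{"result": "true"}` (string or bool); the compliance report run output carries `compliance-status` (`violations` / `no-violations`), `info`, `location` and `time`, key names taken from NSO's compliance report action that should be checked against the installed version; the run directory `/home/developer/nso-instance` and all sample outputs are constructed.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse


def sync_succeeded(output) -> bool:
    """True when a devices/device/sync-from action reported result true.
    Tolerates both a JSON bool and the string "true" seen in the issue."""
    if not isinstance(output, dict):
        return False
    value = output.get("result")
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


@dataclass(frozen=True)
class ComplianceResult:
    violations: bool
    info: str
    report_url: str
    report_path: str  # where the HTML report lands under the NSO run directory


def parse_compliance_output(output, ncs_run_dir="/home/developer/nso-instance"):
    """Interpret the output of a compliance report 'run' action.
    Key names are assumed (see lead-in). An unknown status is an error rather
    than 'compliant', so a schema change cannot silently skip remediation."""
    status = str(output.get("compliance-status", "")).strip().lower()
    if status not in ("violations", "no-violations"):
        raise ValueError(f"unexpected compliance-status: {status!r}")
    url = str(output.get("location", ""))
    name = PurePosixPath(urlparse(url).path).name
    path = f"{ncs_run_dir}/state/compliance-reports/{name}" if name else ""
    return ComplianceResult(status == "violations", str(output.get("info", "")), url, path)


class _TextExtractor(HTMLParser):
    """Collect the visible text of the HTML report, skipping script/style."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())


def html_preview(html_text: str, max_chars: int = 400) -> str:
    """Plain-text preview of the HTML report, short enough for a debug task."""
    parser = _TextExtractor()
    parser.feed(html_text)
    parser.close()
    text = " | ".join(parser.parts)
    return text if len(text) <= max_chars else text[:max_chars - 3] + "..."


def plan_remediation(sync_output, report_output, post_report_output=None):
    """Ordered runbook steps given the registered action outputs; the optional
    third argument is the second report run after remediation (the To Do)."""
    if not sync_succeeded(sync_output):
        return ["fail: device sync-from not successful"]
    before = parse_compliance_output(report_output)
    if not before.violations:
        return ["skip: no violations"]
    steps = ["remediate: re-apply template",
             "post-change-test: verify NTP servers in sync",
             "compliance-report: run again"]
    if post_report_output is not None:
        after = parse_compliance_output(post_report_output)
        steps.append("ok: no violations after remediation" if not after.violations
                     else "fail: violations remain after remediation")
    return steps


# Constructed sample outputs and report; not captured from a real NSO instance.
SAMPLE_SYNC = {"result": "true"}
SAMPLE_REPORT = {
    "compliance-status": "violations",
    "info": "Checking 2 devices and 0 services",
    "location": "http://127.0.0.1:8080/compliance-reports/report_1_admin_1.html",
    "time": "2021-07-20T10:00:00",
}
SAMPLE_REPORT_AFTER = {**SAMPLE_REPORT, "compliance-status": "no-violations"}
SAMPLE_HTML = ("<html><head><style>td{}</style></head><body><h1>Compliance report</h1>"
               "<table><tr><td>dist-rtr02</td><td>ntp server missing</td></tr></table>"
               "</body></html>")

if __name__ == "__main__":
    print(plan_remediation(SAMPLE_SYNC, SAMPLE_REPORT, SAMPLE_REPORT_AFTER))
    print(parse_compliance_output(SAMPLE_REPORT).report_path)
    print(html_preview(SAMPLE_HTML))
```

Because `report_path` points at the file NSO already wrote, a `slurp` or `fetch` task on the NSO host can read the report without the URI-module download the first comment found awkward, and `html_preview` gives the violation text a place in the play output. The strict status check is deliberate: remediation should fail loudly on an unexpected value instead of treating it as compliant.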
