fix nxos_acl issues #38283
if not dcore: | ||
# check the diff in the other way just in case | ||
dcore = dict( | ||
set(existing_core.items()).difference( |
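Review bot: The comment on the fallback under `if not dcore:` ("just in case") does not say which case it handles, and the reverse difference is stored back into `dcore`, so later code cannot tell entries taken from `existing_core` apart from proposed values. Suggest stating in the comment that this branch catches parameters present in the existing ACL but absent from the proposed one, and keeping the result in a separately named variable or flag.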
Wondering why check the other way around? Is this for idempotence?
It is not just for idempotence. There are 2 ways the existing acl can be changed.
- we can add 1 or more parameters to the existing acl
- we can remove 1 or more parameters from the existing acl
The current code is only taking care of the first change. The 2nd one is being ignored, so if the user wants to remove some parameters, there is no way: the playbook run does not even throw an error, it does not change anything and silently exits. The problem exists for both core and options.
Here is an example:
>>> proposed_options = {'c' : 'd'}
>>> existing_options = {'a' : 'b', 'c' : 'd'}
>>> dict(set(proposed_options.items()).difference(existing_options.items()))
{}
>>> dict(set(existing_options.items()).difference(proposed_options.items()))
{'a': 'b'}
So as you can see, the 2nd statement detects if the difference is in the removing part.
Since this is intended behavior, this is a bug.
You can check the documentation:
ansible/lib/ansible/modules/network/nxos/nxos_acl.py
Lines 44 to 45 in cdd21e2
If there is any difference, what is in Ansible will be pushed (configured
options will be overridden). This is to improve security, but at the
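The comparison described in the comment above, generalized into a three-way classification (added, changed, removed), as an added example that is not the nxos_acl module's code. The function names and the sample ACE options are constructed for illustration.

```python
# Added illustration; not code from the nxos_acl module.
# Function names and the sample ACE options below are constructed.

def one_way_delta(proposed, existing):
    """Items in proposed that are missing or different in existing."""
    return dict(set(proposed.items()).difference(existing.items()))


def ace_drift(proposed, existing):
    """Classify every difference between a proposed and an existing entry."""
    added = {k: v for k, v in proposed.items() if k not in existing}
    removed = {k: v for k, v in existing.items() if k not in proposed}
    changed = {k: (existing[k], v) for k, v in proposed.items()
               if k in existing and existing[k] != v}
    return {"added": added, "changed": changed, "removed": removed}


def needs_push(proposed, existing):
    """True when the device entry differs from the declared one in any way."""
    return any(ace_drift(proposed, existing).values())


# Constructed sample: the playbook no longer declares 'fragments'.
EXISTING = {"log": "enable", "dscp": "af11", "fragments": "enable"}
REMOVAL_ONLY = {"log": "enable", "dscp": "af11"}
MIXED = {"log": "enable", "dscp": "af21"}

if __name__ == "__main__":
    for name, proposed in (("removal only", REMOVAL_ONLY), ("mixed", MIXED)):
        print(name)
        print("  one-way delta:", one_way_delta(proposed, EXISTING))
        print("  full drift:   ", ace_drift(proposed, EXISTING))
        print("  needs push:   ", needs_push(proposed, EXISTING))
```

In the removal-only case the one-way delta is empty, so a check built on it alone reports no change while the stale option stays configured on the device.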
Thanks. Makes sense.
cherry-picked to 2.5
* fix nxos_acl issues
* typo fix
* typo fix in sanity.yaml
* another typo fix in sanity.yaml

(cherry picked from commit 1bf2965)

* nxos_vlan purge (#38202)
  Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
  (cherry picked from commit 119352b)
* fix nxos_aaa_server issues (#38117)
  (cherry picked from commit 697c301)
* fix nxos_aaa_server_host issues (#38188)
  (cherry picked from commit 24cc6b8)
* fix nxos_static_route issues (#37614)
  * fix nxos_static_route issues
  * remove nxos_static_route from ignore
  (cherry picked from commit 0df5cfd)
* fix nxos_acl issues (#38283)
  * fix nxos_acl issues
  * typo fix
  * typo fix in sanity.yaml
  * another typo fix in sanity.yaml
  (cherry picked from commit 1bf2965)
* nxos_acl_interface tests addition (#38230)
  (cherry picked from commit b8cb382)
* update changelog with nxos bugfixes for 2.5
  Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>
* revert ignore.txt
  Signed-off-by: Trishna Guha <trishnaguha17@gmail.com>

* fix nxos_acl issues
* typo fix
* typo fix in sanity.yaml
* another typo fix in sanity.yaml
SUMMARY
fixes #38282
ISSUE TYPE
COMPONENT NAME
nxos_acl
ANSIBLE VERSION
ADDITIONAL INFORMATION
**Note: Due to the severity of the issue, please consider this PR for cherry picking to 2.5**