Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support a new custom remediation specifically to allow for dynamic rememdation overrides heir_config exposes #755

Open
jeffkala opened this issue Apr 3, 2024 · 1 comment · May be fixed by #770
Open

Support a new custom remediation specifically to allow for dynamic rememdation overrides heir_config exposes #755

jeffkala opened this issue Apr 3, 2024 · 1 comment · May be fixed by #770

Comments

@jeffkala
Copy link
Contributor

jeffkala commented Apr 3, 2024

Environment

  • Nautobot version: 2.1+
  • nautobot-golden-config version: 2.0.5

Proposed Functionality

Heir config allows for dynamic remediation functions (custom remediation but within heir-config realm), ability to register these python functions but have compliance-type (heir_config) register them instead of requiring full custom remedation which is essentially just using heir_config with just a dynamic function.

Use Case

This is one of those scenarios where hier_config doesn't work out of the box. At a previous employer, we wrote what we called dynamic remediations for these types of use cases. A dynamic remediation is a python function that you write to perform a remediation in a specific way that overrides the default remediation method.

Here is an example:

#!/usr/bin/env python

from hier_config import Host

## Dynamic Remediation Function
def acl_rem(lineage):

    # Iterate over ACL items
    for line in lineage.all_children():

        # Find remediations that start with 'no'
        if line.text.startswith('no'):
            line_items = line.text.split()

            # Determine if sequence number is in remediation
            try:
                if isinstance(int(line_items[1]), int):

                    # Remove sequence number from remediation
                    line_items.remove(line_items[1])
            except ValueError:
                pass

        # Remove stale remediaiton line
        lineage.del_child_by_text(line.text)

        # Add updated remediation line
        lineage.add_child(' '.join(line_items))

    # Return lineage
    return lineage



host = Host('acl-rtr', os='ios')
host.load_running_config_from_file('./running_acl.conf')
host.load_generated_config_from_file('./generated_acl.conf')
rem = host.remediation_config()

print("## Unfiltered Remediation")
print(host.remediation_config_filtered_text([],[]))

acl = rem.get_child('equals', 'ip access-list TEST')
dynamic_rem = acl_rem(acl)

print("## Filtered Remediation")
print(host.remediation_config_filtered_text([],[]))

Here is the script output:

% python3 acl.py
## Unfiltered Remediation
ip access-list TEST
  no 20 permit ip host 192.2.0.2
## Filtered Remediation
ip access-list TEST
  no permit ip host 192.2.0.2

https://networktocode.slack.com/archives/C01NWPK6WHL/p1712169405284649?thread_ts=1712083136.419609&cid=C01NWPK6WHL
@jtdub
Copy link

jtdub commented Apr 3, 2024

Here were the contents of the configurations:

% cat running_acl.conf
ip access-list TEST
  10 permit ip host 192.2.0.1
  20 permit ip host 192.2.0.2
% cat generated_acl.conf
ip access-list TEST
  10 permit ip host 192.2.0.1

When I imagine hier_config dynamic remediation's in GC, I imagine a repo folder structure with dynamic remediation conf scripts.

Something like:

hier_config_dynamic_remediations/
|
+-- acl.py

When the repo is loaded into Nautobot, Nautobot registers the dynamic remediation's into the ORM. At that point, you can create a dynamic remediation mapping of:

  1. expression_choice: ["startswith", "endswith", "equals", "contains"]
  2. config_str: "ip access-list TEST"
  3. dynamic_remediation_choice: [list of registered dynamic remediations]
  4. platform(s): platforms to execute dynamic remediation against
  5. enabled: Boolean

At that point, when hier_config is invoked, hier_config can invoke the dynamic remediation as part of the remediation process.

@sdoiron0330 sdoiron0330 linked a pull request Jun 10, 2024 that will close this issue
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@jtdub @jeffkala