Unable to Perform Simple Disable Service Group Operation

[MrBones757]

The citrix_adc_servicegroup module does not appear to allow you to disable the sg without providing a heap of other parameters.

I am trying to convert Powershell scripts (Enable-NSServiceGroup cmdlet) to these ansible modules for plays.
It appears that every time the module runs, it resets the netscaler to the configuration of the module call rather than simply toggling the enable / disable & graceful functionality.

I have tried to use the citrix_adc_nitro_request module to achieve this though functionality seems to be the same result.

Examples of module invocations:
name: Do a Thing
netscaler_nitro_request:
nitro_protocol: https
nitro_user: "{{ im_ad_username }}"
nitro_pass: "{{ im_ad_password }}"
nsip: "{{ im_netscaler_dict[im_netscaler_sg_name]['im_netscaler_ip'] }}"
validate_certs: no
operation: "action"
action: "disable"
attributes:
servicegroupname: "{{ im_netscaler_sg_name }}"
graceful: "yes"
resource: servicegroup
register: result_sg

• name: Do another thing
  citrix_adc_servicegroup :
  nitro_protocol: https
  nitro_user: "{{ im_ad_username }}"
  nitro_pass: "{{ im_ad_password }}"
  nsip: "{{ im_netscaler_dict[im_netscaler_sg_name]['im_netscaler_ip'] }}"
  validate_certs: no
  servicegroupname: "{{ im_netscaler_sg_name }}"
  disabled: yes
  graceful: "yes"
  state: present

Any information on how to achieve this functionality would be appreciated. It can be done though the UI and Powershell so i assume its doable using Ansible too.

[sumanth-lingappa]

Hello @MrBones757 , thank you for raising this issue. We will get back once analyzing this.
Thank you.

[MrBones757]

I might add that i have tried using the netscaler_* modules included with ansible and citrix_* modules from this repo with the same issue occuring in both scenarios.

[sumanth-lingappa]

Noted.

[MrBones757]

Just wondering if there was any update on this & if you were able to reproduce issues.

[sumanth-lingappa]

@MrBones757 The scenario is perfectly working: Please find below two ways to achieve this. Revert for any.

- hosts: citrix_adc

  vars:
	max_clients: 5

  remote_user: root
  gather_facts: False

  tasks:
	- name: Disable service group
	  delegate_to: localhost
	  citrix_adc_servicegroup:
		nsip: "{{ nsip }}"
		nitro_user: "{{ nitro_user }}"
		nitro_pass: "{{ nitro_pass }}"

		state: present

		servicegroupname: test_svcgrp
		disabled: yes

OR

- hosts: citrix_adc
  gather_facts: no

  tasks:
	- name: Get resource
	  delegate_to: localhost
	  register: result
	  citrix_adc_nitro_request:
		nsip: "{{ nsip }}"
		nitro_user: "{{ nitro_user }}"
		nitro_pass: "{{ nitro_pass }}"

		operation: action
		action: disable

		resource: servicegroup
		attributes:
		  servicegroupname: test_svcgrp

[MrBones757]

Hello,
Sorry for my slow reply.
I have re-verified this configuration and i am still not seeing this functioning. I have made sure i am using the most up to date version of the modules from this repo. Ansible verison is 2.7.5
The configuration used was:

• name: set_state | Toggle new connections to {{ im_netscaler_sg_name }}
  citrix_adc_servicegroup:
  nsip: "{{ ns_ip }}"
  nitro_user: "{{ im_ad_username }}"
  nitro_pass: "{{ im_ad_password }}"
  state: present
  servicegroupname: "{{ im_netscaler_sg_name }}"
  disabled: yes
  validate_certs: no
  nitro_protocol: "https"
  register: result_sg
  delegate_to: localhost

Before:

After:

Job Output:
{
"_ansible_parsed": true,
"_ansible_no_log": false,
"_ansible_delegated_vars": {
"ansible_delegated_host": "localhost",
"ansible_host": "localhost"
},
"changed": true,
"invocation": {
"module_args": {
"comment": null,
"tcpb": null,
"cachetype": null,
"save_config": true,
"disabled": true,
"nitro_protocol": "https",
"maxreq": null,
"maxbandwidth": null,
"graceful": null,
"svrtimeout": null,
"clttimeout": null,
"servicetype": null,
"monthreshold": null,
"autoscale": null,
"maxclient": null,
"monitorbindings": null,
"servicegroupname": "",
"state": "present",
"usip": null,
"nitro_user": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"netprofile": null,
"rtspsessionidremap": null,
"nitro_timeout": 310,
"pathmonitorindv": null,
"pathmonitor": null,
"appflowlog": null,
"servicemembers": null,
"cacheable": null,
"mas_proxy_call": false,
"memberport": null,
"instance_ip": null,
"cka": null,
"tcpprofilename": null,
"sp": null,
"downstateflush": null,
"cipheader": null,
"httpprofilename": null,
"nsip": "192.168.220.219",
"cip": null,
"healthmonitor": null,
"useproxyport": null,
"nitro_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"nitro_auth_token": null,
"validate_certs": false,
"cmp": null
}
},
"loglines": [
"Applying actions for state present",
"Checking if service group exists",
"Servicegroup exists",
"Checking if service group is identical",
"Entering monitor_bindings_identical",
"Entering get_configured_monitor_bindings",
"Entering get_actual_monitor_bindings",
"Gettign actual monitor with name ",
"Entering sync_monitor_bindings",
"Entering get_actual_monitor_bindings",
"Gettign actual monitor with name ",
"Entering get_configured_monitor_bindings",
"servicemembers_identical",
"servicemembers [<nssrc.com.citrix.netscaler.nitro.resource.config.basic.servicegroup_servicegroupmember_binding.servicegroup_servicegroupmember_binding object at 0x7f5e1bfaed10>]",
"get_configured_service_members",
"Number of service group members 1",
"sync_service_members",
"get_configured_service_members",
"Disabling service",
"Sanity checks for state present",
"Checking if service group exists",
"Servicegroup exists",
"Checking if service group is identical",
"servicemembers_identical",
"servicemembers []",
"get_configured_service_members",
"Number of service group members 0",
"Entering monitor_bindings_identical",
"Entering get_configured_monitor_bindings",
"Entering get_actual_monitor_bindings"
]
}

Note all server and monitor configuration has disappeared.
Netscaler vpx version: NS11.1 58.13.nc

[sumanth-lingappa]

@MrBones757 , It is working well in my setup with NS11.1 build. Please allow me couple of days to revert back on this.

[giorgos-nikolopoulos]

@MrBones757
We recently added the ssh_citrix_adc connection plugin which allows you to use standard Ansbile modules with Citrix ADC.

With the use of the shell Ansible module you can issue nscli commands.
Disabling or enabling a servicegroup could be accomplished with the following playbooks

Disabling:

- hosts: citrix_adc
  remote_user: nsroot
  connection: ssh_citrix_adc
  gather_facts: False
  vars:
    ansible_python_interpreter: /var/python/bin/python

  tasks:
    - name: Disable servicegroup test_service_group
      shell: nscli -s -U :nsroot:nsroot "disable servicegroup test_service_group"
      register: nscli_output

    - name: Show nscli output
      debug:
        msg: "{{ nscli_output }}"

Enabling.

  remote_user: nsroot
  connection: ssh_citrix_adc
  gather_facts: False
  vars:
    ansible_python_interpreter: /var/python/bin/python

  tasks:
    - name: Enable servicegroup test_service_group
      shell: nscli -s -U :nsroot:nsroot "enable servicegroup test_service_group"
      register: nscli_output

    - name: Show nscli output
      debug:
        msg: "{{ nscli_output }}"

Make sure you have setup the connection plugin correctly as is detailed in this section of the README file.

Let us know if this works out for you.

[MrBones757]

Apologies for the slow reply.
Unfortunately this solution does not work in the setup implemented as we are using AD/LDAP logins to control access and permissions via the API/UI rather than directly accessing the command-line of the VPX instance.
I have done some research and found an alternative to the standard modules which use API calls to trigger actions on the netscaler. Using these i was able to create my own temporary solution to this issue until the underlying issue (?) with the provided modules can be determined.

[giorgos-nikolopoulos]

Since you cannot access the nscli I see the proposed solution cannot work.

Another alternative that skipped my mind is to use the citrix_adc_nitro_request module to enable/disable the target servicegroup.

Here is a sample playbook that disables the test_service_group

- hosts: citrix_adc
  gather_facts: False
  vars:
  tasks:
    - name: Add Service
      delegate_to: localhost
      register: result
      citrix_adc_nitro_request:
        nsip: "{{ nsip }}"
        nitro_user: "{{ nitro_user }}"
        nitro_pass: "{{ nitro_pass }}"
        operation: action
        action: disable
        resource: servicegroup
        attributes:
          servicegroupname: "test_service_group"

To enable the servicegroup use the same playbook with action: enable

We will be tracking this issue in our internal Jira to make sure we address this when we rewrite the servicegroup module.