path: root/docs/docsite/rst/network/user_guide/platform_netconf_enabled.rst
blob: e481ed62735d132136c0b618878eff2c6f9495b5 (plain)
.. _netconf_enabled_platform_options:

***************************************
Netconf enabled Platform Options
***************************************

This page offers details on how the netconf connection works in Ansible and how to use it.

.. contents::
  :local:

Connections available
================================================================================
.. table::
    :class: documentation-table

    ====================  ==========================================
    ..                    NETCONF

                          all modules except ``junos_netconf``,
                          which enables NETCONF
    ====================  ==========================================
    Protocol              XML over SSH

    Credentials           uses SSH keys / SSH-agent if present

                          accepts ``-u myuser -k`` if using password

    Indirect Access       through a bastion (jump host)

    Connection Settings   ``ansible_connection: ansible.netcommon.netconf``
    ====================  ==========================================


The ``ansible_connection: local`` has been deprecated. Please use ``ansible_connection: ansible.netcommon.netconf`` instead.

Using NETCONF in Ansible
========================

Enabling NETCONF
----------------

Before you can use NETCONF to connect to a switch, you must:

- install the ``ncclient`` Python package on your control node(s) with ``pip install ncclient``
- enable NETCONF on the Junos OS device(s)

To enable NETCONF on a new switch through Ansible, use the platform-specific module through the CLI connection or set it manually.
For example, set up your platform-level variables for a CLI connection (``ansible.netcommon.network_cli``), then run a playbook task like this:

.. code-block:: yaml

   - name: Enable NETCONF
     connection: ansible.netcommon.network_cli
     junipernetworks.junos.junos_netconf:
     when: ansible_network_os == 'junipernetworks.junos.junos'

Once NETCONF is enabled, change your variables to use the NETCONF connection.

Example NETCONF inventory ``[junos:vars]``
------------------------------------------

.. code-block:: ini

   [junos:vars]
   ansible_connection=ansible.netcommon.netconf
   ansible_network_os=junipernetworks.junos.junos
   ansible_user=myuser
   ansible_password=!vault |


Example NETCONF task
--------------------

.. code-block:: yaml

   - name: Backup current switch config
     ansible.netcommon.netconf_config:
       backup: yes
     register: backup_junos_location

Example NETCONF task with configurable variables
------------------------------------------------

.. code-block:: yaml

   - name: configure interface while providing different private key file path
     ansible.netcommon.netconf_config:
       backup: yes
     register: backup_junos_location
     vars:
       ansible_private_key_file: /home/admin/.ssh/newprivatekeyfile

Note: For netconf connection plugin configurable variables see :ref:`ansible.netcommon.netconf <ansible_collections.ansible.netcommon.netconf_connection>`.

Bastion/Jumphost configuration
------------------------------
To use a jump host to connect to a NETCONF enabled device you must set the ``ANSIBLE_NETCONF_SSH_CONFIG`` environment variable.

``ANSIBLE_NETCONF_SSH_CONFIG`` can be set to either:

- ``1`` or ``TRUE`` (to trigger the use of the default SSH config file ``~/.ssh/config``)
- The absolute path to a custom SSH config file.

The SSH config file should look something like:

.. code-block:: ini

  Host *
    proxycommand ssh -o StrictHostKeyChecking=no -W %h:%p jumphost-username@jumphost.fqdn.com
    StrictHostKeyChecking no

Authentication for the jump host must use key based authentication.

You can either specify the private key used in the SSH config file:

.. code-block:: ini

  IdentityFile "/absolute/path/to/private-key.pem"

Or you can use an ssh-agent.
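
The sample SSH config above turns off host key verification on both hops: once inside the ``proxycommand`` that reaches the jump host, and once for the device itself. The following check is an added example, not part of Ansible or of the original page. It scans an SSH config file for those settings so that a file handed to ``ANSIBLE_NETCONF_SSH_CONFIG`` can be reviewed before use. The names ``audit``, ``inner_options`` and ``is_weak``, the ``HARDENED`` variant and its known_hosts path are assumptions made for illustration.

```python
import re
import shlex

DIRECTIVE = re.compile(r"^\s*(\w+)\s*(?:=\s*|\s+)(.*)$")
# Settings that switch off SSH host key verification.
WEAK = {"stricthostkeychecking": {"no", "off"}, "userknownhostsfile": {"/dev/null"}}
# The SSH config shown on this page.
PAGE_CONFIG = """\
Host *
  proxycommand ssh -o StrictHostKeyChecking=no -W %h:%p jumphost-username@jumphost.fqdn.com
  StrictHostKeyChecking no
"""
# Constructed variant that keeps verification on; assumes a pre-populated
# known_hosts file at a placeholder path.
HARDENED = """\
Host *
  ProxyCommand ssh -W %h:%p jumphost-username@jumphost.fqdn.com
  StrictHostKeyChecking yes
  UserKnownHostsFile /absolute/path/to/known_hosts
"""

def is_weak(key, value):
    """True if this keyword/value pair disables host key verification."""
    return value.strip('"').lower() in WEAK.get(key.lower(), ())

def inner_options(command):
    """Yield (key, value) for each -o option on a ProxyCommand's ssh command line."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        if arg.startswith("-o"):
            # Accept both "-o Key=value" and "-oKey=value".
            opt = arg[2:] or (args[i + 1] if i + 1 < len(args) else "")
            key, _, val = opt.replace("=", " ", 1).partition(" ")
            yield key, val.strip()

def audit(text):
    """Return (line number, Host pattern, directive, weak setting) for each finding."""
    findings, host = [], "(global)"
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(raw)
        if not m:
            continue  # blank line or comment
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            host = value
        elif key == "proxycommand":
            findings += [(lineno, host, key, f"{k}={v}")
                         for k, v in inner_options(value) if is_weak(k, v)]
        elif is_weak(key, value):
            findings.append((lineno, host, key, value))
    return findings
```

``audit(PAGE_CONFIG)`` reports lines 2 and 3 of the sample, while ``audit(HARDENED)`` returns an empty list.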

ansible_network_os auto-detection
---------------------------------

If ``ansible_network_os`` is not specified for a host, then Ansible will attempt to automatically detect what ``network_os`` plugin to use.

``ansible_network_os`` auto-detection can also be triggered by using ``auto`` as the ``ansible_network_os``. (Note: Previously ``default`` was used instead of ``auto``).

.. include:: shared_snippets/SSH_warning.txt

.. seealso::

       :ref:`timeout_options`