"arista.eos.eos_acls" idempotency is not working correctly #512
Comments
Stumbled across this issue while troubleshooting something similar. I can confirm the above behavior still exists in ansible core 2.15.13 + arista.eos 10.0.1.

Note: Changing

```
changed: [clab-ceos-ceos1] => {
    "after": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "any": true
                            }
                        }
                    ],
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "before": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "host": "10.10.10.5"
                            }
                        }
                    ],
                    "name": "SNMP-ACCESS"
                },
                {
                    "aces": [
                        {
                            "destination": {
                                "any": true
                            },
                            "grant": "permit",
                            "protocol": "ip",
                            "sequence": 10,
                            "source": {
                                "any": true
                            }
                        }
                    ],
                    "name": "SSH-ACCESS"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "changed": true,
    "commands": [
        "ip access-list SSH-ACCESS",
        "10 permit ip any any"
    ]
}
```

so while the config becomes idempotent, you can't tell, because it's always marked as changed.

As a very interesting sidebar to this, the following playbook:

```yaml
- name: Network Getting Started First Playbook
  gather_facts: false
  hosts: all
  tasks:
    - name: push ACL 1
      arista.eos.eos_acls:
        state: replaced
        config:
          - afi: ipv4
            acls:
              - name: TEST-LIST-1
                aces:
                  - sequence: "10"
                    remark: "test"
                  - sequence: "20"
                    grant: permit
                    log: true
                    destination:
                      any: true
                      port_protocol:
                        eq: "https"
                    protocol: tcp
                    source:
                      subnet_address: 192.0.2.0/24
    - name: push ACL 2
      arista.eos.eos_acls:
        state: replaced
        config:
          - afi: ipv4
            acls:
              - name: TEST-LIST-2
                aces:
                  - sequence: "10"
                    remark: "test"
                  - sequence: "20"
                    grant: permit
                    log: true
                    destination:
                      any: true
                      port_protocol:
                        eq: "https"
                    protocol: tcp
                    source:
                      subnet_address: 192.0.2.0/24
```

produces one changed task, and one unchanged task:

```
ok: [clab-ceos-ceos1] => {
    "before": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-1"
                },
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-2"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "changed": false,
    "commands": []
}
changed: [clab-ceos-ceos1] => {
    "after": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-1"
                },
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-2"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "before": [
        {
            "acls": [
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-1"
                },
                {
                    "aces": [
                        {
                            "remark": "test",
                            "sequence": 10
                        },
                        {
                            "destination": {
                                "any": true,
                                "port_protocol": {
                                    "eq": "https"
                                }
                            },
                            "grant": "permit",
                            "log": true,
                            "protocol": "tcp",
                            "sequence": 20,
                            "source": {
                                "subnet_address": "192.0.2.0/24"
                            }
                        }
                    ],
                    "name": "TEST-LIST-2"
                }
            ],
            "afi": "ipv4"
        }
    ],
    "changed": true,
    "commands": [
        "ip access-list TEST-LIST-2",
        "10 remark test",
        "20 permit tcp 192.0.2.0/24 any eq https log"
    ]
}
```

so definitely a bug somewhere in the parsing related to whether or not an ACL is the first ACL configured on the host.
As a workaround, you can leverage ACL rendering and an idempotent config push to ensure the status of individual ACLs on a device:

```yaml
- name: Set two ACLs idempotently
  gather_facts: false
  hosts: all
  tasks:
    - name: Render ACL 1
      register: acl_1
      arista.eos.eos_acls:
        state: rendered
        config:
          - afi: ipv4
            acls:
              - name: TEST-LIST-1
                aces:
                  - sequence: "10"
                    remark: "test"
                  - sequence: "20"
                    grant: permit
                    log: true
                    destination:
                      any: true
                      port_protocol:
                        eq: "https"
                    protocol: tcp
                    source:
                      subnet_address: 192.0.2.0/24
    - name: Render ACL 2
      register: acl_2
      arista.eos.eos_acls:
        state: rendered
        config:
          - afi: ipv4
            acls:
              - name: TEST-LIST-2
                aces:
                  - sequence: "10"
                    remark: "test"
                  - sequence: "20"
                    grant: permit
                    log: true
                    destination:
                      any: true
                      port_protocol:
                        eq: "https"
                    protocol: tcp
                    source:
                      subnet_address: 192.0.3.0/24
    - name: Push ACL 1
      arista.eos.eos_config:
        lines: "{{ ['no ip access-list TEST-LIST-1'] + acl_1['rendered'] }}"
        match: none
        save_when: changed
    - name: Push ACL 2
      arista.eos.eos_config:
        lines: "{{ ['no ip access-list TEST-LIST-2'] + acl_2['rendered'] }}"
        match: none
        save_when: changed
```
Note that due to how
Only check for missing wanted ACLs after processing all had ACLs, not just the first one. Addresses ansible-collections#512
I didn't add a specific test case in the PR for the original commit, which I think is actually addressed by #563, but did test and confirm a fix for the issue I was experiencing with a
SUMMARY
I'm trying to deploy simple access-lists to an Arista switch:
For which I'm using the following playbook:
The initial run completes successfully, and the ACLs are deployed. Unfortunately, if I rerun the playbook, the access lists get broken.
As you can see on the below output, the "before" and "after" do not match, and a change is made. The entry in "SSH-ACCESS" gets deleted. This is not the expected behavior since no changes are desired and Ansible should identify that.
If I rerun it one more time the issue gets fixed, but in a weird way. Check the commands applied by Ansible: there is one unnecessary "no 10":
Another run repeats the same behavior.
My assumption is that during the check for differences before/after the names of the two ACLs are not compared but only their entries (in my case the two ACLs have seq 10). If I change the sequence number in the second access list from 10 to 20 the issue is not observed. More evidence for this theory is that if I create another playbook and include an access list with a different name but the same entries, Ansible reports that no changes need to be made, and the new ACL is not configured.
ISSUE TYPE
COMPONENT NAME
arista.eos.eos_acls
ANSIBLE VERSION
COLLECTION VERSION
CONFIGURATION
OS / ENVIRONMENT
STEPS TO REPRODUCE
Run the following play book 2-3 times:
EXPECTED RESULTS
On the second run (and every next one), no changes have to be made on the end device.
ACTUAL RESULTS
On the second run, Ansible does not properly identify the differences before/after (there aren't any) and makes changes to the first ACL in the playbook:
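To make the ordering problem concrete, the following Python model of the `replaced` compare step is an added example written for this page; it is not the arista.eos collection's code, and the ACL dictionaries in it are constructed from the before/after output posted in this thread. `diff_acls` matches ACLs by name, and with `check_missing_after_all=False` it runs the "wanted ACL is missing" check after the first existing ACL only, which is the ordering the fix commit above ("Only check for missing wanted ACLs after processing all had ACLs, not just the first one") changes; with the default it runs that check once after all existing ACLs have been compared. The function names, the flag and the simplified ACE renderer are assumptions of this example, not the module's API.

```python
"""Toy model of the eos_acls 'replaced' compare step (added example, not the
arista.eos collection's code). It contrasts checking for absent wanted ACLs
after only the first existing ACL with checking after all of them."""


def _render_addr(addr):
    # EOS address syntax: "any", "host A.B.C.D" or "A.B.C.D/len".
    if addr.get("any"):
        return "any"
    if "host" in addr:
        return "host " + addr["host"]
    return addr["subnet_address"]


def render_ace(ace):
    """Render one ACE the way it appears in the module's 'commands' output
    (covers only the keywords used in this thread)."""
    if "remark" in ace:
        return f'{ace["sequence"]} remark {ace["remark"]}'
    parts = [str(ace["sequence"]), ace["grant"], ace["protocol"],
             _render_addr(ace["source"]), _render_addr(ace["destination"])]
    port = ace["destination"].get("port_protocol")
    if port:
        parts.append("eq " + port["eq"])
    if ace.get("log"):
        parts.append("log")
    return " ".join(parts)


def render_acl(acl):
    """Full push of one ACL: header line followed by every ACE."""
    return [f"ip access-list {acl['name']}"] + [render_ace(a) for a in acl["aces"]]


def _diff_aces(want_acl, have_acl):
    """'replaced' semantics for one ACL keyed by sequence: remove entries that
    are absent or different in want, then (re)add the wanted ones."""
    w = {a["sequence"]: a for a in want_acl["aces"]}
    h = {a["sequence"]: a for a in have_acl["aces"]}
    cmds = [f"no {seq}" for seq in sorted(h) if w.get(seq) != h[seq]]
    cmds += [render_ace(w[seq]) for seq in sorted(w) if h.get(seq) != w[seq]]
    if not cmds:
        return []
    return [f"ip access-list {want_acl['name']}"] + cmds


def diff_acls(want, have, check_missing_after_all=True):
    """Return the EOS commands that move `have` (running config) to `want`.

    ACLs are matched by name, never by their entries alone. With
    check_missing_after_all=False the missing-ACL check runs after the first
    existing ACL only, so every wanted ACL that is not first in the running
    config is pushed again although it is already present: a spurious
    'changed' on every run.
    """
    want_by_name = {a["name"]: a for a in want}
    matched = set()
    cmds = []

    def push_missing():
        out = []
        for name, acl in want_by_name.items():
            if name not in matched:
                out += render_acl(acl)
                matched.add(name)
        return out

    for idx, h in enumerate(have):
        w = want_by_name.get(h["name"])
        if w is not None:
            matched.add(h["name"])
            cmds += _diff_aces(w, h)
        if not check_missing_after_all and idx == 0:
            cmds += push_missing()  # too early: later ACLs have not been seen yet
    if check_missing_after_all or not have:
        cmds += push_missing()  # only ACLs absent from the whole running config
    return cmds


# Constructed from the 'before'/'after' output posted in this thread.
SNMP_ACCESS = {"name": "SNMP-ACCESS", "aces": [{
    "sequence": 10, "grant": "permit", "protocol": "ip",
    "source": {"host": "10.10.10.5"}, "destination": {"any": True}}]}
SSH_ACCESS = {"name": "SSH-ACCESS", "aces": [{
    "sequence": 10, "grant": "permit", "protocol": "ip",
    "source": {"any": True}, "destination": {"any": True}}]}


if __name__ == "__main__":
    have = [SNMP_ACCESS, SSH_ACCESS]  # running config after the first run
    print("first-ACL-only check:", diff_acls(have, have, check_missing_after_all=False))
    print("check after all ACLs:", diff_acls(have, have))
```

With the early check, a second run over an unchanged device yields the same two-line `SSH-ACCESS` push the module reports as `changed` above; with the check moved after the loop it yields an empty command list. The same model reproduces the two-playbook observation: pushing only the ACL that sits first in the running config is reported `ok`, pushing only the one that sits second is re-pushed every time.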