
Issues with Ansible

micke
Techie
Posts: 4

Hey!


I have some issues with the nios_network Ansible module and need to check if it is working as intended. We have started automation in our network and since people can't be bothered documenting networks in our IPAM I had to add that to Ansible.


When I was testing the nios_network module I found something that made me worried: it is possible to change already configured networks. This is a problem since people don't look before they run.


The playbook looks like this in my lab:

    - name: Add IPv4-Prefix to Infoblox IPAM
      nios_network:
        provider: "{{ api_infoblox }}"
        network_view: "default"
        network: "{{ item.ipv4_prefix | ipaddr('net') | ipaddr('192.168.100.0/22') }}"
        comment: "{{ item.vrf_namn }}_{{ item.vlan_id }}"
        state: "{{ item.state | default('present') }}"
        extattrs: {
          Site: XXX-XXX,
          VLAN-ID: "{{ item.vlan_id }}",
          VRF-Namn: "{{ item.vrf_namn }}",
          VLAN-Namn: "{{ item.vrf_namn }}_{{ item.vlan_id }}",
          Router: "YYYY"
          }
      with_items: "{{ vlan }}"
      when: (inventory_hostname in groups["infoblox"])
      any_errors_fatal: true
      tags: never,VLAN

Current variable file:

vlan:
  - { vrf_namn: sn-ansible1-vpn, vlan_id: 1710, ipv4_prefix: 192.168.100.0/24, }
  - { vrf_namn: sn-ansible2-vpn, vlan_id: 1711, ipv4_prefix: 192.168.101.0/24, }

Creating or removing the above networks is not a problem, but when I have both networks in IPAM and then change the netmask in the variable file to a /25, the current /24 gets changed to a container that contains the new /25.


1. Both networks in IPAM


2. After running the playbook with a /25 in the variable file


If I instead try to create a /23 that contains both /24 networks I get an error:

failed: [gridmaster] (item={u'ipv4_prefix': u'192.168.100.0/23', u'vlan_id': 1710, u'vrf_namn': u'sn-ansible1-vpn'}) => {
"changed": false, 
"code": "Client.Ibap.Data.Conflict", 
"item": {
"ipv4_prefix": "192.168.100.0/23", 
"vlan_id": 1710, 
"vrf_namn": "sn-ansible1-vpn"
}, 
"operation": "create_object", 
"type": "AdmConDataError"
}

MSG:

The network 192.168.100.0/23 will overlap an existing network

I would like the same error as soon as someone tries to create a network affecting an already configured one; it should not matter if it is with a bigger or smaller mask.

Mistakes will happen if it is allowed, and we can't have people breaking subnets by doing typos.


Has anyone else noticed this or does anyone know if this is working as intended?

Re: Issues with Ansible

Adviser
Posts: 132

The behavior you're seeing is a consequence of how the underlying "create network" API call works. (The GUI works the same way.) If you create a new network like 192.168.100.0/25 using the API:


curl -k1 -u admin:infoblox -X POST https://gm.example.com/wapi/2.9/network -d network=192.168.100.0/25


and there is an existing higher-level network like 192.168.100.0/24, then the higher-level network gets converted into a network container and the new network is created. On the other hand, it is an error in the API (and in the GUI) to try to create a network 192.168.100.0/23 if 192.168.100.0/24 exists; the new /23 network would have to be explicitly created as a network container.


I'm guessing what's happening here is that the Infoblox module for Ansible is rather straightforwardly translating the playbook instructions into a "create network" API call like that shown above. If this behavior is undesired, and you want to prevent conversion of the existing network into a network container, then the Ansible Infoblox module would have to have more complex code for this case. For example, it could first check for the existence of a network like 192.168.100.0/24 and then disallow creation of subnetworks below it. But then again, there are times when you want to do exactly that.
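A pre-flight check that enforces the stricter rule the original poster asked for, added here as an example and not code from the thread or from the Infoblox Ansible module: it compares the playbook's vlan items against a listing of networks already in the network view and refuses both directions of overlap described above, the smaller mask that would silently turn a production /24 into a container and the bigger mask that WAPI rejects anyway. The WAPI reply layout and all sample data are constructed assumptions; the script does not talk to a grid.

```python
import ipaddress
import json

# Constructed sample of a WAPI "GET .../network?network_view=default" reply
# (field layout is an assumption made for this example).
EXISTING_NETWORKS_JSON = """[
 {"network": "192.168.100.0/24", "network_view": "default"},
 {"network": "192.168.101.0/24", "network_view": "default"}
]"""

# Same layout as the thread's vlan variable file; the /25 is the risky change.
VLAN_ITEMS = [
    {"vrf_namn": "sn-ansible1-vpn", "vlan_id": 1710, "ipv4_prefix": "192.168.100.0/25"},
    {"vrf_namn": "sn-ansible2-vpn", "vlan_id": 1711, "ipv4_prefix": "192.168.101.0/24"},
]

def load_existing(wapi_json, view="default"):
    """Parse the WAPI listing into ip_network objects for one network view."""
    return [ipaddress.ip_network(o["network"]) for o in json.loads(wapi_json)
            if o.get("network_view") == view]

def classify(prefix, existing):
    """Return (kind, hits): what creating `prefix` would do to existing networks.
    A smaller mask silently turns the parent into a container; a bigger mask is
    what WAPI rejects with Client.Ibap.Data.Conflict. Both are refused here."""
    req = ipaddress.ip_network(prefix, strict=False)  # mirrors ipaddr('net')
    same = [n for n in existing if n.version == req.version]
    if req in same:
        return "exists", [req]
    parents = [n for n in same if req.subnet_of(n)]
    if parents:
        return "would_convert_parent_to_container", parents
    children = [n for n in same if n.subnet_of(req)]
    if children:
        return "would_overlap_children", children
    return "ok", []

def preflight(items, wapi_json, view="default"):
    """Map each offending prefix (state present) to (kind, [networks hit])."""
    existing = load_existing(wapi_json, view)
    problems = {}
    for item in items:
        if item.get("state", "present") != "present":
            continue  # removals are handled by nios_network itself
        kind, hits = classify(item["ipv4_prefix"], existing)
        if kind not in ("ok", "exists"):
            problems[item["ipv4_prefix"]] = (kind, [str(h) for h in hits])
    return problems  # non-empty means: stop before the nios_network play runs
```

Run it against a real WAPI listing as a gate before the play, or fold the same logic into a custom Ansible filter or `assert` task, so that a typo'd mask fails the job instead of reshaping a production network.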

Re: Issues with Ansible

micke
Techie
Posts: 4

Hey and thanks for the answer, I guess we have to look into how to implement "check" functions before playbooks are executed to make sure production networks are not changed by mistake.


Thanks again for a detailed and great answer.

Re: Issues with Ansible

nanisyako
Techie
Posts: 2

I believe if Infoblox has a module to create network containers we can add more specific networks without any issues. That would be very nice feature to have.

Re: Issues with Ansible

RichB
Techie
Posts: 3

A module to create containers would be good !


I only learnt about the container by having to manually create a "container network" in the GUI and then have Ansible create a /28 within a /24 for example.


Then the penny dropped that containers are implied by the creation of the smaller net rather than explicit configuration.
