
New native Ansible module in 2.10 devel branch - and how to get it working

Hello,

For a few days now there have been several new modules in the development branch of Ansible, extending the very basic modules available since Ansible version 2.8. (See: https://docs.ansible.com/ansible/devel/modules/list_of_network_modules.html#checkpoint)

Has anyone implemented a working playbook with these modules? I'm not sure if I use them correctly with the httpapi plugin. But if I do so, I get the following error:

 

ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'

The full traceback is:
Traceback (most recent call last):
File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 102, in <module>
_ansiballz_main()
File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 94, in _ansiballz_main
invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
File "/home/pi/.ansible/tmp/ansible-local-21374ItToPW/ansible-tmp-1567247472.1-86947877065269/AnsiballZ_cp_mgmt_host.py", line 40, in invoke_module
runpy.run_module(mod_name='ansible.modules.network.checkpoint.cp_mgmt_host', init_globals=None, run_name='__main__', alter_sys=False)
File "/usr/lib/python2.7/runpy.py", line 192, in run_module
fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/modules/network/checkpoint/cp_mgmt_host.py", line 333, in <module>
File "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/modules/network/checkpoint/cp_mgmt_host.py", line 328, in main
File "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/module_utils/network/checkpoint/checkpoint.py", line 189, in api_call
File "/tmp/ansible_cp_mgmt_host_payload_N_OLDa/ansible_cp_mgmt_host_payload.zip/ansible/module_utils/connection.py", line 185, in __rpc__
ansible.module_utils.connection.ConnectionError: 'Connection' object has no attribute '_session_uid'

 

using this basic playbook:

- name: My First Playbook
  hosts: checkpoint
  connection: httpapi
  gather_facts: no

  tasks:

  - name: add-host
    cp_mgmt_host:
      ip_address: 192.0.2.1
      name: New Host 1
      state: present

In my inventory file I defined the host and the plugin to use:

[checkpoint]
192.168.100.5

[checkpoint:vars]
ansible_network_os=checkpoint
ansible_user=admin
ansible_password=adminpw

 

Is this a bug in the new series of modules or do I use them in the wrong way? Can anyone post an example including the necessary variable definitions to make the plugin work?

 

Thanks in advance and have a nice weekend,

Markus

0 Kudos
6 Replies
Admin

Re: New native Ansible module in 2.10 devel branch - and how to get it working

Let's start with the most obvious question: have you enabled the API and does your user have API access?
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641
0 Kudos

Re: New native Ansible module in 2.10 devel branch - and how to get it working

Hello PhoneBoy,

 

Yes, the API is accessible from ALL IP addresses and I am using my admin account.

 

Markus

0 Kudos
Admin

Re: New native Ansible module in 2.10 devel branch - and how to get it working

The lack of a session ID suggests authentication failed somehow or your user is not enabled for API access.
Can you confirm through some other mechanism that this is the case?
Maybe via something like: curl -vvvv -H "Content-Type: application/json" -X POST -d '{"user":"XXXXXX","password":"YYYYYYYYY"}' https://x.x.x.x/web_api/login --insecure
You should see a sid returned in the result, something like:

* upload completely sent off: 32 out of 32 bytes
< HTTP/1.1 200 OK
< Date: Sun, 01 Sep 2019 21:25:36 GMT
< Server: CPWS
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Frame-Options: SAMEORIGIN
< Content-Type: application/json
< X-UA-Compatible: IE=EmulateIE8
< X-Forwarded-Host-Port: 443
< Transfer-Encoding: chunked
<
{
  "sid" : "S-uXV4DW7A_A84jmWT5zjZokmwMeEQvCS6qkt7_MpNg",
  "url" : "https://x.y.z.w:443/web_api",
  "session-timeout" : 600,
  "last-login-was-at" : {
    "posix" : 1557530249061,
    "iso-8601" : "2019-05-10T16:17-0700"
  },
  "read-only" : true,
  "api-server-version" : "1.3"
* Connection #0 to host x.y.z.w left intact


Otherwise, I'm assuming there's a reason these modules are in dev still and not as part of a release.
Perhaps @Amiad_Stern can comment.

0 Kudos

Re: New native Ansible module in 2.10 devel branch - and how to get it working

I further checked it - and it is not a problem of API communication. The curl request you mentioned is working fine. But using tcpdump I can see that there is no API call at all. Maybe there is still a problem in the devel state of the new modules. It seems that the httpapi plugin of ansible does not call the login API call and so misses the session data for the following requests.

0 Kudos

Re: New native Ansible module in 2.10 devel branch - and how to get it working

Now I have made a step forward. My problem was that I did not gather facts.
If I add a task

- name: Get Facts
  cp_mgmt_host_facts:
    details_level: standard

to my Playbook the connection works. It seems that getting the host_facts will call the API logon method so that a session_uid will be created for the next tasks... but:

Trying to add a host will bring up the following error message from my R80.30 build 484 Management server:

FAILED! => {"changed": false, "msg": "Relevant hotfix is not installed on Check Point server. See sk114661 on Check Point Support Center."}

But the given sk114661 is only the hint to the old cpAnsible module. Do I need a special hotfix for automating with the new ansible modules?

0 Kudos
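The workaround reported in the post above, written out as one playbook. This is an added example, not code from the thread participants or from Check Point. It assumes the 2.10-devel behaviour described in the thread, and `vault_cp_password` is a hypothetical variable stored in an ansible-vault encrypted vars file in place of the plaintext `ansible_password=adminpw` inventory line. `ansible_httpapi_use_ssl` and `ansible_httpapi_validate_certs` are standard httpapi connection variables.

```yaml
# Added example (not from the thread). Same modules and parameters as the
# playbook and inventory posted above, with the facts call placed first.
- name: Add a host object over the Check Point httpapi connection
  hosts: checkpoint
  connection: httpapi
  gather_facts: no
  vars:
    ansible_network_os: checkpoint
    ansible_httpapi_use_ssl: true
    # Verify the management server certificate; the controller must trust
    # the issuing CA. This is the opposite of curl's --insecure flag.
    ansible_httpapi_validate_certs: true
    ansible_user: admin
    # Hypothetical vaulted variable; keeps the password out of the inventory.
    ansible_password: "{{ vault_cp_password }}"

  tasks:
    # Workaround reported in this thread: a facts task first, so that the
    # session exists before cp_mgmt_host runs.
    - name: Get Facts
      cp_mgmt_host_facts:
        details_level: standard

    - name: add-host
      cp_mgmt_host:
        ip_address: 192.0.2.1
        name: New Host 1
        state: present
```

Run it with `ansible-playbook --ask-vault-pass` so the vaulted variable can be decrypted at run time.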

Re: New native Ansible module in 2.10 devel branch - and how to get it working

Hi @Markus_Hauke, I see you have overcome the session_id issue; we saw it today as well and we are handling it on the devel branch.

As for the SK / HF you're referred to, yes, there will be a need for a special HF which will be part of the JHF. Since we are still in development stages, we haven't yet completed all the information that needs to be written in that SK. I will update it so it will be clear. We still have some development to do until Sep 19th; afterwards, we will handle the SK.

 

This module is planned to be officially released as part of v2.9 by end of October.

 

Regards,

Amiad.

0 Kudos