Re: Error Publishing Changes with Ansible

BJ_Brooks · ‎2021-03-26

All,

I'm having trouble tracking down my issue publishing the changes I've made in a playbook. Playbook is below as well as inventory. I've attempted to auto_publish_session when creating the host object, I've attempted removing the vars: from the publish task and various combinations but nothing has worked. My session appears in the MDS as Disconnected after the playbook has run and shows I have 2 changes and locks. I have to manually publish from MDS (right click, publish) for the changes to be applied.

If I run the host creation task and policy install task independently, they work fine. It's only when the publish comes into play. Running in verbose mode provides no additional useful information.

Thoughts?

Error:

FAILED! => {"changed": false, "msg": "Task Publish operation with task id 01234567-7843-cdef-a872-9b93c41e3005 failed. Look at the logs for more details"}

It should be noted, I'm running MDS and 80.40 (JHF 94).

---
- hosts: cma
connection: httpapi
tasks:

- name: Create Host Object
cp_mgmt_host:
name: some-object-name
ipv4_address: 10.10.10.10
state: present
color: firebrick
comments: ChangeRequest#
ignore_warnings: yes
groups:
- Some-Group-Name

vars:
ansible_checkpoint_domain: MDS-Domain

- name: Publish Changes
cp_mgmt_publish:

vars:
ansible_checkpoint_domain: MDS-Domain

- name: Install Policy on MDS-Domain
cp_mgmt_install_policy:
policy_package: FW_Policy
install_on_all_cluster_members_or_fail: yes
targets:
- target1-fw
- target2-fw

vars:
ansible_checkpoint_domain: MDS-Domain

Inventory:

[cma]
10.10.10.10

[cma:vars]
ansible_httpapi_validate_certs=False
ansible_httpapi_use_ssl=True
ansible_network_os=check_point.mgmt.checkpoint
#ansible_network_os=checkpoint
ansible_user=myuser-name

PhoneBoy · ‎2021-03-26

What does $FWDIR/log/api.elg say when you try to publish?

BJ_Brooks · ‎2021-03-26

There is no api.elg to be found... in all of /opt.

BJ_Brooks · ‎2021-03-26

I'll add that the audit log from the CMA only shows a login/logout.

Art_Zalenekas · ‎2021-03-26

Please use the ENV variable $FWDIR to get to that directory. At the end of the day, it will be in /var/log/opt/CPsuite-R80.40/fw1/log/api.elg
If you use the $FWDIR/log/api.elg it will point to the same location.

Vincent_Bacher · ‎2021-03-26

He also can modify api log level using "api log debug" and after replication of issue "api log warn" or whatever.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite

BJ_Brooks · ‎2021-03-29

Thanks... was able to locate. Issue is session description.

"fault-message" : "Publish cannot be performed without entering a session name and description."

BJ_Brooks · ‎2021-03-31

Still haven't cracked this one... api.elg is displaying the below.

"fault-message" : "Publish cannot be performed without entering a session name and description."

I have include a task to set the session... have attempted auto publish on the object creation task to no avail.

- name: set-session
cp_mgmt_set_session:
description: "CR123456789"

Any thoughts? The MDS is set to have a session name generated on publish. If we do it through the CMA, we can set the session name to whatever we want, but through ansible, not so much.

PhoneBoy · ‎2021-03-31

There's a setting on the management side to not require a description.
It's possible this may be required to use the auto-publish feature.
Paging @Or_Soffer

Jonas_Rosenboom · ‎2021-04-09

If your management requires All sessions must have a description you need to explicitly set both description and new_name for the session through Ansible.

If you want to use auto_publish just make sure that `set_session` is performed prior to the task with auto_publish.

The requirement for both name and description is not limited to Ansible, but affects all API usage (including `mgmt_cli`) when All sessions must have a description is enabled.

Are you a member of CheckMates?

Error Publishing Changes with Ansible