This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Cesc
Explorer
‎2021-12-17 06:57 AM

SSH to gateways with ansible

Hello everyone,

I can connect via ssh with the command ansible without playbook:

$ ansible all -i inventory -a "clish -c 'show version all'"
[WARNING]: Platform linux on host ckp-lab is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change
this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information.
ckp-lab | CHANGED | rc=0 >>
Product version Check Point Gaia R80.40
OS build 294
OS kernel version 3.10.0-957.21.3cpx86_64
OS edition 64-bit

 

But when I try with ansible-playbook does not work:

 

$ ansible-playbook -i inventory ssh-test.yml

PLAY [My playbook] **************************************************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************************************
fatal: [ckp-lab]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"setup": {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "exception": "Traceback (most recent call last):\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible.modules.system.setup', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 188, in run_module\r\n fname, loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 82, in _run_module_code\r\n mod_name, mod_fname, mod_loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\r\n exec code in run_globals\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/modules/system/setup.py\", line 136, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/__init__.py\", line 34, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/compat.py\", line 33, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/default_collectors.py\", line 51, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/system/service_mgr.py\", line 35, in <module>\r\nImportError: No module named distutils.version\r\n", "failed": true, "module_stderr": "Shared connection to 192.168.251.220 closed.\r\n", "module_stdout": "Traceback (most recent call last):\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 102, in <module>\r\n _ansiballz_main()\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 94, in _ansiballz_main\r\n invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\r\n File \"/home/test/.ansible/tmp/ansible-tmp-1639752859.0839593-81645-52571446332867/AnsiballZ_setup.py\", line 40, in invoke_module\r\n runpy.run_module(mod_name='ansible.modules.system.setup', init_globals=None, run_name='__main__', alter_sys=True)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 188, in run_module\r\n fname, loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 82, in _run_module_code\r\n mod_name, mod_fname, mod_loader, pkg_name)\r\n File \"/opt/CPsuite-R80.40/fw1/Python/lib/python2.7/runpy.py\", line 72, in _run_code\r\n exec code in run_globals\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/modules/system/setup.py\", line 136, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/__init__.py\", line 34, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/compat.py\", line 33, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/default_collectors.py\", line 51, in <module>\r\n File \"/tmp/ansible_setup_payload_LAX3Ae/ansible_setup_payload.zip/ansible/module_utils/facts/system/service_mgr.py\", line 35, in <module>\r\nImportError: No module named distutils.version\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1, "warnings": ["Platform linux on host ckp-lab is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python interpreter could change this. See https://docs.ansible.com/ansible/2.9/reference_appendices/interpreter_discovery.html for more information."]}}, "msg": "The following modules failed to execute: setup\n"}

PLAY RECAP **********************************************************************************************************************************************************************
ckp-lab : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

 

playbook:

more ssh-test.yml
---
- name: My playbook
hosts: all
tasks:
- name: show version
command: "clish -c 'show version all'"

 

Do someone knows what I am doing wrong?

Thank you in advance! 🙂

 

0 Kudos
2 Replies
StuartGreen
Employee
Employee
‎2021-12-21 02:17 AM

Hi Cesc,

That's a really long and messy error message but basically it means that the host you're connecting to can't run the Ansible Python module that gets transferred and executed automatically. You should be fine with the CP Ansible modules which use the HTTP API, raw and possibly shell commands with Ansible, but the Python setup on Gaia is hardened so doesn't include the necessary modules for Ansible. 

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-12-21 01:06 PM

There are a couple of issues: One, you are running with gather_facts = True, which is default state in Ansible for Playbooks. you ran ad-hoc command, which executes just the command/module you ask for. CHKP GW does not have default gathering stats over SSH, but we do have a module for that which we execute over HTTPAPI Plugin. Solution: Either add gather_facts: false to the playbook, or disable in the ansible.cfg file globally (/etc/ansible/ansible.cfg) or locally to either the project (playbook location) or your home directory (~). Under section [defaults] add gathering = explicit . Look at the Ansible variables precedence on their Docs pageIn general, don't collect facts of systems, unless you need to use those somewhere for whatever (conditional) reason.
Second, our CHKP Gaia does not carry distutils python package. That is why it fails execution. Ansible needs it to package up and execute gathering facts on the host.
When you are working with SSH sessions to manage hosts, use pipelining = True in your ansible config (look at the explanation in the main ansible.cfg file). For SSH connections, always use pipelining = True unless you have issues with compatibility. That helps with a lot quicker execution of tasks over SSH.

Here is my .ansible.cfg in my project directory:

 

 

[defaults]
inventory = inventory.ini
gathering = explicit
interpreter_python = /usr/bin/python3
callback_whitelist = timer

[ssh_connection]
pipelining = True
host_key_checking = False
control_path_dir = ~/.ansible/cp

 

 

Here is my inventory:

 

[chkp]
chkp-gw ansbile_host=10.10.12.1 ansible_user=admin

 

 

Here is my playbook:

 

---
- name: test ssh to chkp group
  hosts: chkp
  vars_prompt:
    - name: ansible_password
      prompt: Enter password
      unsafe: yes
      private: yes
  tasks:
  - name: show version
    command: clish -c 'show version all'
    register: result

  - debug: var=result.stdout_lines
...

 

Run playbook:
$ ansible-playbook test.yml

Now, you can use the prompt in the playbook to force and ask for the password for the ansible_password variable (you don't want to hard-code that in the inventory or the playbook), you can skip that and call the playbook with --ask-pass, or best is to copy your SSH public key to the managed host with $ ssh-copy-id admin@10.10.12.1, and not use any password at all, which is highly recommended. You can of course encrypt with Ansible Vault a variable file, but that is another topic (Google for that). If you go the PKI route, don't forget to add ansible_ssh_private_key_file=<path_to_private_key> in either the playbook or directly into the inventory file for that host or group of hosts.

That should help. Have fun on the automation side!
PS: Look at using the HTTPAPI Plugin for managing CHKP GWs (Gaia or Passthrough over MGMT) and MGMT servers.

 

Kind regards,
Arturas Zalenekas

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top