思科 asa 设备的 ansible 备份:错误:% 在“^”标记处检测到无效输入

思科 asa 设备的 ansible 备份:错误:% 在“^”标记处检测到无效输入

我负责备份我们所有的网络设备,所以自然而然地我选择了 ansible。我不是专家,但我确实需要这方面的帮助!我试过了所有的方法,但就是搞不定,chat-gpt 也没有。ansible ping 模块成功运行,调试输出显示它从“sh run”获取了一些数据,但仍然失败。我可以手动登录并运行这两个命令,没有任何错误。我使用的两个命令是“terminal pager 0”和“sh run”,我使用的是 cisco.asa.asa 模块。我也尝试过使用 wait for 指令,但也许我做错了。这是我的 yaml 文件,其中包含更多详细信息,cfg、调试输出等。Yamllint 和 --sytax-check 没有显示错误。谢谢!非常感谢!!

Errors:

[root@ho-lx-ansible01 networking]# play -vvvv mynewtest.zz.yml  > .out 2>&1

ansible-playbook [core 2.13.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible-playbook
  python version = 3.9.13 (main, Nov 16 2022, 15:11:16) [GCC 8.5.0 20210514 (Red Hat 8.5.0-15.0.1)]
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Loading collection cisco.asa from /root/.ansible/collections/ansible_collections/cisco/asa
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading collection community.general from /usr/share/ansible/collections/ansible_collections/community/general
redirecting (type: callback) ansible.builtin.yaml to community.general.yaml
Loading callback plugin community.general.yaml of type stdout, v2.0 from /usr/share/ansible/collections/ansible_collections/community/general/plugins/callback/yaml.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: mynewtest.zz.yml *****************************************************
Positional arguments: mynewtest.zz.yml
verbosity: 4
connection: smart
timeout: 10
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/hosts',)
forks: 10
1 plays in mynewtest.zz.yml
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'

PLAY [Backup ASA Configuration] ************************************************
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa

TASK [Show running config] *****************************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:21
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> local domain socket does not exist, starting it
<zzasaXXX.ad.XXX.com> control socket path is /root/.ansible/pc/f2e7921f36
<zzasaXXX.ad.XXX.com> redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
<zzasaXXX.ad.XXX.com> Loading collection ansible.netcommon from /root/.ansible/collections/ansible_collections/ansible/netcommon
<zzasaXXX.ad.XXX.com> Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> Loading collection cisco.asa from /root/.ansible/collections/ansible_collections/cisco/asa
<zzasaXXX.ad.XXX.com> local domain socket listeners started successfully
<zzasaXXX.ad.XXX.com> loaded cliconf plugin ansible_collections.cisco.asa.plugins.cliconf.asa from path /root/.ansible/collections/ansible_collections/cisco/asa/plugins/cliconf/asa.py for network_os cisco.asa.asa
<zzasaXXX.ad.XXX.com> ssh type is set to libssh
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
redirecting (type: action) cisco.asa.asa_facts to cisco.asa.asa
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: found cisco.asa.asa_facts  at /root/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_facts.py
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: running cisco.asa.asa_facts
<zzasaXXX.ad.XXX.com> ANSIBLE_NETWORK_IMPORT_MODULES: complete
ok: [zzasaXXX] => changed=false
  ansible_facts:
    ansible_net_api: cliconf
    ansible_net_asatype: null
    ansible_net_config: |2-
                    Total TLS Proxy Sessions          : 2              perpetual
      Botnet Traffic Filter             : Disabled       perpetual
      Cluster                           : Disabled       perpetual

      This platform has a Base license.

      Serial Number: JAD203707VN
      Running Permanent Activation Key: 0xd221e25c 0x985012a5 0xa44219b4 0xb740ccb0 0x013303a6
      Configuration register is 0x1
      FPGA UPGRADE Version      : 3.0
      FPGA GOLDEN Version       : 3.0
      ROMMON Version            : 1.1.18
      Image type                : Release
      Key Version               : A
      Configuration last modified by XXX\alamonda at 11:24:47.301 EDT Wed May 3 2023
      ZZASAP01# running-config
                 ^
      ERROR: % Invalid input detected at '^' marker.
      ZZASAP01#
    ansible_net_device_mgr_version: 7.19(1)90
    ansible_net_gather_network_resources: []
    ansible_net_gather_subset:
    - default
    - config
    ansible_net_hostname: ZZASAP01
    ansible_net_image: disk0:/asa9-16-3-23-lfbff-k8.SPA
    ansible_net_python_version: 3.9.13
    ansible_net_serialnum: null
    ansible_net_system: asa
    ansible_net_version: 9.16(3)23
    ansible_network_resources: {}
  invocation:
    module_args:
      context: null
      gather_network_resources: null
      gather_subset:
      - config
      passwords: null
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'

TASK [show output] *************************************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:27
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> found existing local domain socket, using it!
<zzasaXXX.ad.XXX.com> invoked shell using ssh_type: libssh
<zzasaXXX.ad.XXX.com> ssh connection done, setting terminal
<zzasaXXX.ad.XXX.com> loaded terminal plugin for network_os cisco.asa.asa
<zzasaXXX.ad.XXX.com> firing event: on_open_shell()
[WARNING]: on_open_shell: failed to set terminal parameters
<zzasaXXX.ad.XXX.com> ssh connection has completed successfully
<zzasaXXX.ad.XXX.com> updating play_context for connection
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
ok: [zzasaXXX] =>
  ansible_net_config:
    ansible_facts:
      ansible_net_api: cliconf
      ansible_net_asatype: null
      ansible_net_config: |2-
                      Total TLS Proxy Sessions          : 2              perpetual
        Botnet Traffic Filter             : Disabled       perpetual
        Cluster                           : Disabled       perpetual

        This platform has a Base license.

        Serial Number: JAD203707VN
        Running Permanent Activation Key: 0xd221e25c 0x985012a5 0xa44219b4 0xb740ccb0 0x013303a6
        Configuration register is 0x1
        FPGA UPGRADE Version      : 3.0
        FPGA GOLDEN Version       : 3.0
        ROMMON Version            : 1.1.18
        Image type                : Release
        Key Version               : A
        Configuration last modified by XXX\alamonda at 11:24:47.301 EDT Wed May 3 2023
        ZZASAP01# running-config
                   ^
        ERROR: % Invalid input detected at '^' marker.
        ZZASAP01#
      ansible_net_device_mgr_version: 7.19(1)90
      ansible_net_gather_network_resources: []
      ansible_net_gather_subset:
      - default
      - config
      ansible_net_hostname: ZZASAP01
      ansible_net_image: disk0:/asa9-16-3-23-lfbff-k8.SPA
      ansible_net_python_version: 3.9.13
      ansible_net_serialnum: null
      ansible_net_system: asa
      ansible_net_version: 9.16(3)23
      ansible_network_resources: {}
    changed: false
    failed: false
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'

TASK [Save running config to a file] *******************************************
task path: /etc/ansible/playbooks/networking/mynewtest.zz.yml:31
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
Loading collection ansible.utils from /root/.ansible/collections/ansible_collections/ansible/utils
<zzasaXXX.ad.XXX.com> attempting to start connection
<zzasaXXX.ad.XXX.com> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /usr/bin/ansible-connection
<zzasaXXX.ad.XXX.com> found existing local domain socket, using it!
<zzasaXXX.ad.XXX.com> updating play_context for connection
<zzasaXXX.ad.XXX.com>
<zzasaXXX.ad.XXX.com> local domain socket path is /root/.ansible/pc/f2e7921f36
<zzasaXXX.ad.XXX.com> ESTABLISH LOCAL CONNECTION FOR USER: root
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s `"&& mkdir "` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680 `" && echo ansible-tmp-1683226209.4103367-4714-216689891930680="` echo /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680 `" ) && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/stat.py
<zzasaXXX.ad.XXX.com> PUT /root/.ansible/tmp/ansible-local-4699c2_f7d2s/tmppq9q72rm TO /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '/usr/bin/python3.9 /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_stat.py && sleep 0'
Using module file /usr/lib/python3.9/site-packages/ansible/modules/file.py
<zzasaXXX.ad.XXX.com> PUT /root/.ansible/tmp/ansible-local-4699c2_f7d2s/tmpkjnfx3s1 TO /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c '/usr/bin/python3.9 /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/AnsiballZ_file.py && sleep 0'
<zzasaXXX.ad.XXX.com> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-4699c2_f7d2s/ansible-tmp-1683226209.4103367-4714-216689891930680/ > /dev/null 2>&1 && sleep 0'
ok: [zzasaXXX] => changed=false
  checksum: 5a6e3d377742ec32c0bb911561b81ade44373e96
  dest: /mnt/zzasaXXX.runcfg
  diff:
    after:
      path: /mnt/zzasaXXX.runcfg
    before:
      path: /mnt/zzasaXXX.runcfg
  gid: 0
  group: root
  invocation:
    module_args:
      _diff_peek: null
      _original_basename: tmpv40dwe82
      access_time: null
      access_time_format: '%Y%m%d%H%M.%S'
      attributes: null
      dest: /mnt/zzasaXXX.runcfg
      follow: true
      force: false
      group: null
      mode: null
      modification_time: null
      modification_time_format: '%Y%m%d%H%M.%S'
      owner: null
      path: /mnt/zzasaXXX.runcfg
      recurse: false
      selevel: null
      serole: null
      setype: null
      seuser: null
      src: null
      state: file
      unsafe_writes: false
  mode: '0644'
  owner: root
  path: /mnt/zzasaXXX.runcfg
  secontext: system_u:object_r:nfs_t:s0
  size: 1326
  state: file
  uid: 0
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers
Trying secret FileVaultSecret(filename='/etc/ansible/group_vars/.vltfile.yml') for vault_id=default
Read vars_file '/etc/ansible/group_vars/vault.yml'
META: ran handlers

PLAY RECAP *********************************************************************
zzasaXXX                   : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0


############
YAML and CFG:

---
- name: Backup ASA Configuration
  hosts: zzasaXXX
  gather_facts: false

  collections:
    - cisco.asa
    - cisco.asa.asa_facts
    - ansible.netcommon.net_get

  vars:
    # Encrypted variables
    ansible_user: "{{ vault_net_user }}"
    ansible_password: "{{ vault_net_pass }}"

  vars_files:
    - '/etc/ansible/group_vars/vault.yml'

  tasks:

    - name: Show running config
      cisco.asa.asa_facts:
        gather_subset:
          - config
      register: ansible_net_config

    - name: show output
      debug:
        var: ansible_net_config

    - name: Save running config to a file
      copy:
        content: "{{ ansible_net_config }}"
        dest: "/mnt/{{ inventory_hostname }}.runcfg"
...

[root@ho-lx-ansible01 networking]# ls -al /mnt
total 76
drwxrwxrwx.  1 root root    72 May  4 14:49 .
dr-xr-xr-x. 18 root root   235 May  2 13:10 ..
-rwxrwxrwx.  1 root root 67434 May  4 14:19 foo
-rw-r--r--.  1 root root  1326 May  4 14:49 zzasap01.runcfg


### 
SHOW VERSIONS on ASA
###

ZZASAP01# show version

Cisco Adaptive Security Appliance Software Version 9.16(3)23
SSP Operating System Version 2.10(1.214)
Device Manager Version 7.19(1)90

Compiled on Fri 09-Sep-22 18:14 GMT by builders
System image file is "disk0:/asa9-16-3-23-lfbff-k8.SPA"
Config file at boot was "startup-config"

ZZASAP01 up 82 days 23 hours

Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
Internal ATA Compact Flash, 8000MB
BIOS Flash M25P64 @ 0xfed01000, 16384KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Number of accelerators: 1

 1: Ext: GigabitEthernet1/1  : address is 00a2.eef9.d683, irq 255
 2: Ext: GigabitEthernet1/2  : address is 00a2.eef9.d684, irq 255
 3: Ext: GigabitEthernet1/3  : address is 00a2.eef9.d685, irq 255
 4: Ext: GigabitEthernet1/4  : address is 00a2.eef9.d686, irq 255
 5: Ext: GigabitEthernet1/5  : address is 00a2.eef9.d687, irq 255
 6: Ext: GigabitEthernet1/6  : address is 00a2.eef9.d688, irq 255
 7: Ext: GigabitEthernet1/7  : address is 00a2.eef9.d689, irq 255
 8: Ext: GigabitEthernet1/8  : address is 00a2.eef9.d68a, irq 255
 9: Int: Internal-Data1/1    : address is 00a2.eef9.d682, irq 255
10: Int: Internal-Data1/2    : address is 0000.0001.0002, irq 0
11: Int: Internal-Control1/1 : address is 0000.0001.0001, irq 0
12: Int: Internal-Data1/3    : address is 0000.0001.0003, irq 0
13: Ext: Management1/1       : address is 00a2.eef9.d682, irq 0
14: Int: Internal-Data1/4    : address is 0000.0100.0001, irq 0
The Running Activation Key feature: 2 security contexts exceed the limit on the platform, reduced to 0 security contexts.

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 5              perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Disabled       perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 12             perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Cluster                           : Disabled       perpetual

This platform has a Base license.

Serial Number: JAXXXXX
Running Permanent Activation Key XXXXXXXXXXXXXXX
Configuration register is 0x1
FPGA UPGRADE Version      : 3.0
FPGA GOLDEN Version       : 3.0
ROMMON Version            : 1.1.18
Image type                : Release
Key Version               : A
Configuration last modified by mei\alamonda at 11:24:47.301 EDT Wed May 3 2023
ZZASAP01#

答案1

如果您正在使用cisco.asa模块,建议不要重新发明轮子并使用cisco.asa.asa_facts专门为此目的设计的模块。

- name: Gather only the config and default facts
  cisco.asa.asa_facts:
    gather_subset:
    - config

然后您将获得当前配置ansible_net_config

相关内容