Example: Using Ansible to Configure Devices

 

Ansible and Juniper Networks provide collections of Ansible modules that you can use to manage the configuration of devices running Junos OS. This example outlines how to use Ansible to make configuration changes on devices running Junos OS through NETCONF over SSH.

Requirements

This example uses the following hardware and software components:

  • Configuration management server running Ansible 2.1 or later with version 2.0.0 or later of the Juniper.junos role installed

  • Device running Junos OS with NETCONF enabled and a user account configured with appropriate permissions

  • SSH public/private key pair configured for the appropriate user on the Ansible server and the device running Junos OS

  • Existing Ansible inventory file with required hosts defined

Overview

The juniper_junos_config module in the Juniper.junos role enables you to manage the configuration on devices running Junos OS. The user account executing the module must have permissions to change the relevant portions of the configuration on each target device. When configuring a device with the juniper_junos_config module, supported formats for the configuration data include CLI configuration statements, Junos XML elements, Junos OS set commands, and JSON.

This example presents an Ansible playbook that uses the juniper_junos_config module to enable a new op script in the configuration of the target devices running Junos OS. The configuration data file, junos-config.conf, contains the relevant configuration data formatted as text.

The playbook includes the Checking NETCONF connectivity task, which utilizes the wait_for Ansible module to try to establish a NETCONF session with the target device using the NETCONF default port (830). If the control machine fails to establish a NETCONF session with a target device during playbook execution, it skips over the other tasks in the play for that device.

The task to configure the device executes the juniper_junos_config module provided that the NETCONF check was successful. The juniper_junos_config module requires a host argument, but because it uses the {{ inventory_hostname }} variable by default, this argument is not explicitly included.

The load: "merge" module argument loads the new configuration data into the candidate configuration using a load merge operation. By default, the juniper_junos_config module commits configuration data on a device for load and rollback operations. The module arguments include the comment argument, which records a commit comment in the device’s system log file and commit history.

Configuration

Creating the Configuration Data File

Step-by-Step Procedure

To create the configuration data file that is used by the juniper_junos_config module:

  1. Create a new file with the appropriate extension based on the format of the configuration data, which in this example is text.
  2. Include the desired configuration changes in the file, for example:

Creating the Ansible Playbook

Step-by-Step Procedure

To create a playbook that uses the juniper_junos_config module to make configuration changes on a device running Junos OS:

  1. Include the playbook boilerplate, which must contain connection: local and the Juniper.junos role.

  2. (Optional) Create a task to verify NETCONF connectivity.

  3. Create the task to load the configuration onto the device and commit it.

  4. (Optional) Create a task to print the response, which includes the configuration changes in diff format.
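
The four steps above assemble into a playbook like the following. This is an added example, not Juniper's published playbook: the inventory group dc1, the build_conf/ path, the commit comment text, the timeout values, and the op script name in the commented configuration file are assumptions.

```yaml
---
# Added example; not Juniper's published playbook.
# Assumed: inventory group "dc1", the build_conf/ path, and the commit comment text.
#
# Constructed junos-config.conf (text format); "example-op.slax" is a placeholder:
#   system {
#       scripts {
#           op {
#               file example-op.slax;
#           }
#       }
#   }
- name: Load and commit a configuration
  hosts: dc1
  roles:
    - Juniper.junos
  connection: local
  gather_facts: no

  tasks:
    # A host that fails this check is dropped from the remaining tasks in the play.
    - name: Checking NETCONF connectivity
      wait_for:
        host: "{{ inventory_hostname }}"
        port: 830
        timeout: 5          # illustrative value, in seconds

    # host defaults to {{ inventory_hostname }}; the module commits by default.
    - name: Merge configuration data from a file and commit
      juniper_junos_config:
        load: "merge"
        src: "build_conf/{{ inventory_hostname }}/junos-config.conf"
        comment: "Configuring op script with Ansible"
        # timeout: 60       # illustrative; raise above the 30-second default for large changes
      register: response

    # The registered response includes the configuration changes in diff format.
    - name: Print the response
      debug:
        var: response
```

Run it as the least-privileged Junos OS user whose login class permits changes to the system scripts hierarchy, authenticated with the SSH key pair listed in the requirements.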

Results

On the Ansible control machine, review the completed playbook. If the playbook does not display the intended code, repeat the instructions in this example to correct the playbook.

Executing the Playbook

Step-by-Step Procedure

To execute the playbook:

  • Issue the ansible-playbook command on the control machine, and provide the playbook path and any desired options.

    user@ansible-cm:~/ansible$ ansible-playbook ansible-pb-junos-config.yaml

Verification

Verifying the Configuration

Purpose

Verify that the configuration was correctly updated on the device running Junos OS.

Action

Review the Ansible playbook output to see whether the configuration task succeeded or failed. You can also log in to the device running Junos OS and view the configuration, commit history, and log files to verify the configuration and commit, for example:

user@dc1a> show configuration system scripts
user@dc1a> show system commit
user@dc1a> show log messages

Troubleshooting Playbook Errors

Troubleshooting Timeout Errors

Problem

The playbook generates a TimeoutExpiredError error message and fails to update the device configuration.

The default time for a NETCONF RPC to time out is 30 seconds. Large configuration changes might exceed this value, causing the operation to time out before the configuration can be uploaded and committed.

Solution

To accommodate configuration changes that might require a commit time that is longer than the default RPC timeout interval, set the juniper_junos_config timeout argument to an appropriate value and re-run the playbook.

Troubleshooting Configuration Lock Errors

Problem

The playbook generates a LockError error message indicating that the configuration cannot be locked. For example:

or

A configuration lock error can occur for the following reasons:

  • Another user has an exclusive lock on the configuration.

  • Another user made changes to the configuration database but has not yet committed the changes.

  • The user executing the Ansible module does not have permissions to configure the device.

Solution

The LockError message string usually indicates the root cause of the issue. If another user has an exclusive lock on the configuration or has modified the configuration, wait until the lock is released or the changes are committed, and execute the playbook again. If the cause of the issue is that the user does not have permissions to configure the device, either execute the playbook with a user who has the necessary permissions, or if appropriate, configure the device running Junos OS to give the current user the necessary permissions to make the changes.

Troubleshooting Configuration Change Errors

Problem

The playbook generates a ConfigLoadError error message indicating that the configuration cannot be modified, because permission is denied.

This error message is generated when the user executing the Ansible module has permission to alter the configuration but does not have permission to alter the requested section of the configuration.

Solution

Either execute the playbook with a user who has the necessary permissions, or if appropriate, configure the device running Junos OS to give the current user the necessary permissions to make the changes.