Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Using Ansible to Restore a Device Running Junos OS to the Factory-Default Configuration Settings

 
Summary

Use the Juniper Networks Ansible modules to restore a device running Junos OS to its factory-default configuration settings.

How to Use Ansible to Restore the Factory-Default Configuration Settings

Juniper Networks supports using Ansible to manage devices running Junos OS and provides modules that enable you to restore a device to its factory-default configuration settings. Table 1 outlines the modules.

Table 1: Modules to Zeroize Devices

Content Set

Module Name

juniper.device collection

system

Juniper.junos role

juniper_junos_system

To use the system or juniper_junos_system module to restore a device to its factory-default configuration settings, set the module’s action argument to 'zeroize'. After a device is restored to the factory-default configuration settings, you must log in through the console as root in order to access the device.

Note

Starting in Juniper.junos Release 2.0.0, the juniper_junos_system module replaces the functionality of the junos_shutdown and junos_zeroize modules.

The action: "zeroize" argument causes the module to execute the request system zeroize operational command on the target host. This command removes all configuration information on the specified Routing Engines, resets all key values on the device, and then reboots the device and resets it to the factory-default configuration settings. The zeroize operation removes all data files, including customized configuration and log files, by unlinking the files from their directories, and it also removes all user-created files from the system including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP. For more information about the request system zeroize command, see request system zeroize.

The following Ansible playbook uses the juniper.device collection’s system module with action: "zeroize" to reset all Routing Engines on each host in the inventory group to the factory-default configuration settings.

By default, the action: "zeroize" operation resets all Routing Engines in a dual Routing Engine or Virtual Chassis setup to the factory-default configuration settings. You can also instruct the module to perform the operation on only the Routing Engine to which the application is connected.

To explicitly indicate that the operation should be performed on all Routing Engines in a dual Routing Engine or Virtual Chassis setup, include the all_re: True argument, which is the default.

To perform the requested action on only the Routing Engine to which the application is connected, include the all_re: False argument.

To instruct the module to also scrub all memory and media, in addition to removing all configuration and log files, include the media: True argument. Including the media: True argument is equivalent to executing the request system zeroize media operational mode command. The media option scrubs every storage device attached to the system, including disks, flash memory devices, removable USBs, and so on. The duration of the scrubbing process is dependent on the size of the media being erased.

Example: Using Ansible to Restore the Factory-Default Configuration Settings

This example demonstrates how to use the system module in the juniper.device collection to restore a device running Junos OS to its factory-default configuration settings. You can execute the module using any type of connection; however, once you reset the device, you can only access it again as root through a console server or the CONSOLE port. This example connects to the devices through a console server.

Requirements

This example uses the following hardware and software components:

  • Configuration management server running Ansible 2.10 or later with the juniper.device collection installed

  • Device running Junos OS that has access to the console port through a console server and has a user account configured with appropriate permissions

  • Existing Ansible inventory file with required hosts defined

Overview

This example presents an Ansible playbook that uses the system module to reset each host in the inventory group to its factory-default configuration settings. The value of the module’s action argument defines the operation to execute on the host. Setting action to "zeroize" executes the request system zeroize command on each host. This command removes all configuration information on the Routing Engines, resets all key values on the device, and then reboots the device and resets it to the factory-default configuration settings.

Note

The request system zeroize command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command also removes all user-created files from the system including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.

When calling the module from a playbook, we recommend that you use an interactive prompt to confirm that the user does intend to reset the devices. If a user unintentionally runs the playbook and there is no check, it could inadvertently revert devices back to factory-default configurations and disrupt any networks that require those devices. As a precaution, this playbook uses an interactive prompt to verify that the user intends to reset the devices and requires that the user manually type 'yes' on the command line in order to execute the module. If the Confirmation check task fails, the Ansible control node skips the other tasks in the play for that device.

The task that restores the hosts to the factory-default configuration executes the system module provided that the confirmation check was successful. The mode: "telnet" and port: 23 arguments instruct the module to telnet to port 23 of the console server. The  password parameter is set to the value of the password variable, which the playbook prompts for during execution. After the reboot, you must log in through the console as root in order to access the device.

Configuration

Creating and Executing the Ansible Playbook

Step-by-Step Procedure

To create a playbook that uses the system module to restore a device running Junos OS to its factory-default configuration settings:

  1. Include the boilerplate for the playbook and this play, which executes the modules locally.
  2. Create an interactive prompt for the password variable, if the user credentials are not already passed in through some other means.
  3. Create an interactive prompt to prevent the accidental execution of the module.
  4. Create the task that confirms the users intent.
  5. Create the task to reset all Routing Engines on the device to the factory-default configuration settings.
  6. (Optional) Create a task to print the response.

Results

On the Ansible control node, review the completed playbook. If the playbook does not display the intended code, repeat the instructions in this example to correct the playbook.

Executing the Playbook

Step-by-Step Procedure

To execute the playbook:

  • Issue the ansible-playbook command on the control node, and provide the playbook path and any desired options.

    root@ansible-cn:~/ansible# ansible-playbook ansible-pb-junos-zeroize.yaml

Verification

Verifying Playbook Execution

Purpose

Verify that the devices running Junos OS were successfully reset to the factory-default configuration.

Action

Access the device through the console port as root. The device should now be in Amnesiac state.

Meaning

The Amnesiac prompt is indicative of a device that is booting from a factory-default configuration and that does not have a hostname configured.

Release History Table
Release
Description
Starting in Juniper.junos Release 2.0.0, the juniper_junos_system module replaces the functionality of the junos_shutdown and junos_zeroize modules.