Manage network devices with Ansible

Ansible is one of the best technologies we took from buggers after the war.  I loved "Ender's game" book, not the movie.

Inspired by excellent posts  by Kirk Byers I decided to try Ansible not only to generate configuration for network switches, but to make configuration changes. I have virtual Arista switch running in VirtualBox, so this is where I ran my tests, but it's easy to replicate with Juniper or Cisco Nexus switches. I used user "root", although any user with priviledge level 15 will do.

First, enable root user on Arista switch:

Arista-5#(conf) aaa root secret SecretPassword

Next step is to go to managemnent server and generate ssh key without password. Resulted public key should be added to /root/authorized_keys file on Arista switch.

Now, to Ansible.

My ansible.cfg:

[defaults]

host_key_checking=False

hostfile=/home/user1/ansible/hosts

log_path=~/ansible.log

Let's do very simple task: copy new OS image file and update boot variable. Here is my very simple playbook upgrade.yml:

---
- hosts: arista
  remote_user: root
  tasks:
  - name: Push image
     copy: src=/home/user1/Documents/ansible/vEOS-1.swi dest=/mnt/flash/vEOS-1.swi
  - name: Change boot variable
    command: FastCli -p15 -c "install source vEOS-1.swi now"

Really simple inventory file:

[arista]

arista-5

Let's run it:

It worked, boot variable now points to vEOS-1.swi file.

What happens if you you use RADIUS for authentication and have to enter 

password to log into your switch? In this case Ansible uses sshpass which stores your password in the memory. From sshpass man page:

It is close to impossible to securely store the password, and users of sshpass should consider whether ssh's public key authentication provides the same end-user experience, while involving less hassle and being more secure.

If you are willing to take this risk, insert "ask_pass=True" line into your ansible.cfg to be prompted for password or run ansible_playbook command with -k option.