Ansible is one of the best technologies we took from the buggers after the war. I loved the book "Ender's Game", not the movie.
Inspired by the excellent posts by Kirk Byers, I decided to try Ansible not only to generate configuration for network switches, but also to make configuration changes. I have a virtual Arista switch running in VirtualBox, so this is where I ran my tests, but it's easy to replicate with Juniper or Cisco Nexus switches. I used the user "root", although any user with privilege level 15 will do.
First, enable the root user on the Arista switch:
Arista-5#(conf) aaa root secret SecretPassword
The next step is to go to the management server and generate an SSH key without a password. The resulting public key should be added to the /root/authorized_keys file on the Arista switch.
Now, to Ansible.
Let's do a very simple task: copy a new OS image file and update the boot variable. Here is my very simple playbook, upgrade.yml:

---
- hosts: arista
  tasks:
    - name: Push image
      copy: src=/home/garelav/Documents/ansible/vEOS-1.swi dest=/mnt/flash/vEOS-1.swi
    # FastCli -p15 runs the EOS CLI command at privilege level 15
    - name: Change boot variable
      command: FastCli -p15 -c "install source vEOS-1.swi now"

Really simple inventory file:
Let's run it:
It worked; the boot variable now points to the vEOS-1.swi file.
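The playbook above changes the boot variable without checking what actually landed on flash. As an added example (not part of the original post), here is the same play with a SHA-256 check on the management server and on the switch before the install step. The variable names are my own, expected_sha256 is a placeholder for the hash published for your image, and it assumes the switch can run Ansible's stat module the same way it runs copy.

```yaml
---
# Added example: same upgrade, but the boot variable is only changed
# after the image hash has been verified locally and on the switch.
- hosts: arista
  vars:
    image_name: vEOS-1.swi
    image_src: /home/garelav/Documents/ansible/vEOS-1.swi
    # Placeholder: replace with the SHA-256 published for this image.
    expected_sha256: "REPLACE_WITH_PUBLISHED_SHA256"
  tasks:
    - name: Hash the local image before sending it
      stat:
        path: "{{ image_src }}"
        checksum_algorithm: sha256
      delegate_to: localhost
      register: local_image

    - name: Stop if the local copy is missing or does not match
      assert:
        that:
          - local_image.stat.exists
          - local_image.stat.checksum == expected_sha256

    - name: Push image
      copy:
        src: "{{ image_src }}"
        dest: "/mnt/flash/{{ image_name }}"

    - name: Hash the image as stored on the switch flash
      stat:
        path: "/mnt/flash/{{ image_name }}"
        checksum_algorithm: sha256
      register: remote_image

    - name: Stop if the copy on flash does not match
      assert:
        that:
          - remote_image.stat.checksum == expected_sha256

    # Only reached when both checks passed.
    - name: Change boot variable
      command: FastCli -p15 -c "install source {{ image_name }} now"
```

If either assert fails, the play stops for that switch and the boot variable is left untouched.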
What happens if you use RADIUS for authentication and have to enter a password to log into your switch? In this case Ansible uses sshpass, which stores your password in memory. From the sshpass man page:
It is close to impossible to securely store the password, and users of sshpass should consider whether ssh's public key authentication provides the same end-user experience, while involving less hassle and being more secure.
If you are willing to take this risk, insert the line "ask_pass=True" into your ansible.cfg to be prompted for the password, or run the ansible-playbook command with the -k option.