@XRDOCS APP-HOSTING BLOGS TUTORIALS SEARCH  TAGS

Mike Korshunov
Technical Marketing Engineer, Cisco Follow

Save as PDF

Comprehensive guide to Ansible on IOS-XR

 18 minutes read

Home/ Tutorials/Comprehensive guide to Ansible on IOS-XR

 C O M P R E H E N S I V E G U I D E TO A N S I B L E O N I O S - X R

PREREQUISITES

NETWORK MANAGEMENT SPECIFIC MOMENTS

DIRECTORY STRUCTURE

GETTING INTO MODULES

D E A L I N G W I T H PA S S W O R D S

PERFORMANCE TIPS

CONCLUSION

Network Automation for the network is crucial nowadays. It changes how network feels and look. This tutorial is
going to cover Ansible modules for IOS-XR, some tips and tricks and how to increase performance for Ansible
playbooks.

As per Ansible version 2.6.2, we have following 9 modules for IOS-XR. An excerpt from Ansible site below:

iosxr_banner - Manage multiline banners on Cisco IOS XR devices

iosxr_command - Run commands on remote devices running Cisco IOS XR
iosxr_con g - Manage Cisco IOS XR con guration sections
iosxr_facts - Collect facts from remote devices running IOS XR
iosxr_interface - Manage Interface on Cisco IOS XR network devices
iosxr_logging - Con guration management of system logging services on network devices
iosxr_netconf - Con gures NetConf sub-system service on Cisco IOS-XR devices
iosxr_system - Manage the system attributes on Cisco IOS XR devices
iosxr_user - Manage the aggregate of local users on Cisco IOS XR device

Prerequisites

Since Ansible relies on SSH connection to the device, few requirements need to be met.

k9 security package comitted on the device.

PDFCROWD.COM
 

RP/0/RP0/CPU0:flamboyant#show install active

Wed Aug 1 18:00:24.162 UTC
Node 0/RP0/CPU0 [RP]
Boot Partition: xr_lv0
Active Packages: 9
ncs5500-xr-6.3.2 version=6.3.2 [Boot image]
ncs5500-mcast-2.1.0.0-r632
ncs5500-mpls-2.1.0.0-r632
ncs5500-mgbl-4.0.0.0-r632
ncs5500-mpls-te-rsvp-2.2.0.0-r632
ncs5500-ospf-2.0.0.0-r632
ncs5500-isis-1.3.0.0-r632
ncs5500-li-1.0.0.0-r632
ncs5500-k9sec-4.1.0.0-r632

Node 0/0/CPU0 [LC]

Boot Partition: xr_lcp_lv0
Active Packages: 9
ncs5500-xr-6.3.2 version=6.3.2 [Boot image]
ncs5500-mcast-2.1.0.0-r632
ncs5500-mpls-2.1.0.0-r632
ncs5500-mgbl-4.0.0.0-r632
ncs5500-mpls-te-rsvp-2.2.0.0-r632
ncs5500-ospf-2.0.0.0-r632
ncs5500-isis-1.3.0.0-r632
ncs5500-li-1.0.0.0-r632
ncs5500-k9sec-4.1.0.0-r632

RSA key pair is present

RSA key pair needs to be generated. Use the crypto key generate rsa command to generate it. You must
con gure a hostname for the router using the hostname global con guration command.

RP/0/RP0/CPU0:flamboyant# crypto key generate rsa keypair-cisco

Wed Aug 1 18:09:23.836 UTC
The name for the keys will be: keypair-cisco
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing

How many bits in the modulus [2048]:

Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

RP/0/RP0/CPU0:flamboyant#

RP/0/RP0/CPU0:flamboyant#! If you want to remove keys from device:

RP/0/RP0/CPU0:flamboyant#crypto key zeroize rsa
Wed Aug 1 18:08:37.471 UTC
% Keys to be removed are named keypair-cisco
Do you really want to remove these keys ?? [yes/no]: yes

PDFCROWD.COM
 RP/0/RP0/CPU0:flamboyant#

If you want to generate keys without prompt, use following command:


RP/0/RP0/CPU0:flamboyant#crypto key generate rsa general-keys modulus
Wed Aug 1 19:31:01.233 UTC
The name for the keys will be: modulus
Choose the size of the key modulus in the range of 512 to 4096 for your General Purpose Keypair. Choosing

How many bits in the modulus [2048]: Generating RSA keys ...
Done w/ crypto generate keypair
[OK]

RP/0/RP0/CPU0:flamboyant#

Con g for SSH server

Apply the following con g on the target device to enable SSH and NETCONF.

netconf agent tty

!
netconf-yang agent
ssh
!
ssh server session-limit 10
ssh server v2
ssh server netconf vrf default

Network management speci c moments

Ansible work ow for managing network nodes has its nuances.

Usually, Ansible runs on managed nodes, however, it’s not the case for the network modules. Everything stays the
same from the user perspective and for accustomed keywords. All the magic happens in the background.
Typically network devices lack of Python support (IOS-XR support application hosting concepts. Read more about
it. Because of that network module executes locally and CLI/XML instruction sent over to the device.

One more important aspect for Linux/Unix, con guration les for the system exist in les on hard disks, so the
backup for them created in the same directory. It’s not the case for the network modules (con guration not
stored on disk) and we will see an example in the iosxr_con g module, where backup folder created on the
machine, from which we are running playbooks.

Additional introduction to Network module - conditions. They allow you to work with output and make value
comparison. In conjunction with match parameter, a more sophisticated state can be checked.

PDFCROWD.COM
Communication mechanisms

For network modules, there are 2 main connections: network_cli and netconf

Previous way to connect to targets was local, you can still use old style of declaration in the playbook, however,
it’s deprecated and will be removed eventually. In o cial Ansible documentation, you will notice parameter
provider as an indication that parameter local was used.


---
- name: Configure IOS-XR devices
hosts: routers
gather_facts: no
# connection local instead of network_cli
connection: local

tasks:
- name: collect facts from IOS-XR routers
iosxr_facts:
gather_subset:
- config
provider: ""
register: config

vars:
cli:
host: ""
username: ""
password: ""

If you will run the playbook above with verbose key, in the output you will see

$ ansible-playbook head-playbook.yml -i ansible-hosts.ini --forks 10 -vvv

PLAYBOOK: head-playbook.yml ******************************************************************************
***omitted output***

TASK [include task] **************************************************************************************

task path: /home/cisco/Documents/ansible/head-playbook.yml:16
<172.30.13.70> using connection plugin network_cli (was local)
<172.30.13.71> using connection plugin network_cli (was local)

***omitted output***

The choice between network_cli and netconf connection should be made based on documentation for modules
Not all modules support both connection, so rst check before usage.

Directory structure

All playbooks mentioned in tutorial, available on Github. In Github repo Vagrant folder included, feel free to practice against IOS-XRv image Request
it here.

PDFCROWD.COM
Here is the layout for ansible-playbooks.


$ tree ansible
.
ansible
├── ansible-hosts.ini
├── head-playbook.yml
├── README.md
├── roles
│ ├── get_facts
│ │ └── tasks
│ │ └── main.yml
│ ├── xr_commands
│ │ └── tasks
│ │ └── main.yml
│ └── xr_config
│ ├── backup
│ │ ├── canonball_config.2018-08-06@14:22:09
│ │ └── flamboyant_config.2018-08-06@14:22:09
│ ├── common
│ │ └── router.conf
│ └── tasks
│ └── main.yml
└── xr-passes.yml

9 directories, 12 files

Folder content:

ansible-hosts.ini contains information about target devices. More on inventory;

head-playbook.yml - main playbook, from which most we will execute tasks;
roles - Ansible concept to separate list of provisioned apps/con gs on the device. In terms of servers think of
webserver, database, etc. In networking it’s more about services which could be provided via con g changes:
BGP, VPN, ISIS. In current case, we just demo the ability to separate playbooks into roles;
backup directory appears after iosxr_con g module triggered with backup: yes parameter.

xr-passes.yml - our Vault, described in tutorial.

Getting into modules

Hosts le

We need to de ne the hosts rst. There is a separation of variables from host de nition in ini le. In provided
example, passwords stored in plain text. To avoid it, Ansible Vault should be used and will be covered later in this
tutorial. Another mechanism - passwordless authentication, based on keys.

$ cat ansible-hosts.ini
[routers]
flamboyant ansible_host=172.30.13.70 ansible_user=root
canonball ansible_host=172.30.13.71 ansible_user=cisco

[routers:vars]
ansible_ssh_pass=cisco

PDFCROWD.COM
 ansible_network_os=iosxr
ansible_port=22

NETCONF and Banner modules

As a rst example we will run two modules: enable NETCONF on device, set the banner via NETCONF (we just
enabled it, why not to utilize it?).

Playbook itself demonstrated below. We will just utilize 2 tasks for now. Name of modules is self-describing.

For NETCONF module we can provide additionally VRF value, via netconf_vrf parameter. Default VRF, if the
parameter is omitted - default. State parameter is responsible for adding or removing NETCONF related knob on
the device. Present value will enable NETCONF con guration, Absent will withdraw con g.

Banner module uses same concept for State parameter (present/absent). Text parameter could start with “|” or
“>” as identi cator for the multiline string. As per banner itself con guration, you can select would it be login or
motd message. Currently, there is a minor bug with caret return symbol treatment, so please use “>” as a
multiline identi er.

---
- name: Configure IOS-XR devices
hosts: routers
gather_facts: no
connection: network_cli

tasks:

- name: enable netconf service on port 830

iosxr_netconf:
listens_on: 830
state: present

- name: set welcome banner to device!

iosxr_banner:
banner: login
text: >
! Unauthorized access to device:
restricted.
# text: >
# ""
state: present
connection: netconf

Console output after playbook execution. For rst time we run in verbose mode, since -vvv speci ed. As careful
reader may notice, temporary les created directly on the host machine, not on target nodes. This is speci c of
the network module.

$ ansible-playbook head-playbook.yml -i ansible-hosts.ini --forks 10 -vvv

ansible-playbook 2.6.2
config file = /home/cisco/.ansible.cfg
configured module search path = [u'/home/cisco/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules
ansible python module location = /usr/local/lib/python2.7/dist-packages/ansible

PDFCROWD.COM
 executable location = /usr/local/bin/ansible-playbook
python version = 2.7.12 (default, Nov 20 2017, 18:23:56) [GCC 5.4.0 20160609]
Using /home/cisco/.ansible.cfg as config file
Parsed /home/cisco/Documents/ansible/ansible-hosts.ini inventory source with ini plugin

PLAYBOOK: head-playbook.yml ******************************************************************************

1 plays in head-playbook.yml
[WARNING]: Found variable using reserved name: vars_files

PLAY [Configure IOS-XR devices] ****************************************************************************

META: ran handlers

TASK [enable netconf service on port 830] ****************************************************************

task path: /home/cisco/Documents/ansible/head-playbook.yml:9
<172.30.13.70> ESTABLISH LOCAL CONNECTION FOR USER: cisco
<172.30.13.70> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/cisco/.ansible/tmp/ansible-local-238349mD4b
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/network/iosxr/iosxr_netconf.py
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/network/iosxr/iosxr_netconf.py
<172.30.13.70> PUT /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/tmpiboupH TO /home/cisco/.ansible/tmp/ansi
<172.30.13.70> EXEC /bin/sh -c 'chmod u+x /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/ansible-tmp-1533330
<172.30.13.70> EXEC /bin/sh -c 'rm -f -r /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/ansible-tmp-15333309
changed: [flamboyant] => {
"changed": true,
"commands": [
"netconf-yang agent ssh",
"ssh server netconf port 830"
],
"invocation": {
"module_args": {
"host": null,
"listens_on": 830,
"netconf_port": 830,
"netconf_vrf": "default",
"password": null,
"port": null,
"provider": null,
"ssh_keyfile": null,
"state": "present",
"timeout": null,
"username": null
}
}
}

TASK [set welcome banner to device!] *********************************************************************

task path: /home/cisco/Documents/ansible/head-playbook.yml:14
<172.30.13.70> ESTABLISH LOCAL CONNECTION FOR USER: cisco
<172.30.13.70> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/cisco/.ansible/tmp/ansible-local-238349mD4b
Using module file /usr/local/lib/python2.7/dist-packages/ansible/modules/network/iosxr/iosxr_banner.py
<172.30.13.70> PUT /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/tmpECuOQc TO /home/cisco/.ansible/tmp/ansi
<172.30.13.70> EXEC /bin/sh -c 'chmod u+x /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/ansible-tmp-1533330
<172.30.13.70> EXEC /bin/sh -c 'https_proxy='"'"''"'"' http_proxy='"'"''"'"' /usr/bin/python /home/cisco/.ansibl
<172.30.13.70> EXEC /bin/sh -c 'rm -f -r /home/cisco/.ansible/tmp/ansible-local-238349mD4bn/ansible-tmp-15333309
changed: [flamboyant] => {
"changed": true,
"invocation": {
"module_args": {
"banner": "login",
"host": null,

PDFCROWD.COM
 "password": null,
"port": null,
"provider": null,
"ssh_keyfile": null,
"state": "present",
"text": "Unauthorized access to device: flamboyant restricted.\n",
"timeout": null,
"username": null
}
},
"xml": "<config xmlns:xc=\
"urn:ietf:params:xml:ns:netconf:base:1.0\"><banners xmlns=\
"http://cisco.com/ns/yang/Cisco-IOS-XR-infra-infra-cfg\"><banner xc:operation=\"merge\">login
! Unauthorized access to device: flamboyant restricted.\n</banner></banners></config>"
}
META: ran handlers

PLAY RECAP ***********************************************************************************************

flamboyant : ok=2 changed=2 unreachable=0 failed=0

From the output, we can observe that both changes applied on the device. There are two ways how to check if
con g properly applied.

The rst approach is a conservative one. Connect to the device and check latest commit changes. Since each
task is separate commit, a command issued for last two con guration changes.

RP/0/RP0/CPU0:flamboyant#show configuration commit changes last 2

Fri Aug 3 21:04:29.739 UTC
Building configuration...
!! IOS XR Configuration version = 6.3.2
banner login Unauthorized access to device: flamboyant restricted.
netconf-yang agent
ssh
!
end

More interesting approach to stay in same operations paradigm and use Ansible for con g validation:

# 1 new task introduced:

- name: check if two first tasks 'enable netconf service on port 830' and 'set welcome banner to device!' s
iosxr_command:
commands:
- show run | begin netconf
- show run | include banner
wait_for:
- result[0] contains 'netconf-yang agent'
- result[1] contains 'banner login !'
# - result[1] contains 'banner login My Not Expected Message'

PDFCROWD.COM
Such playbook will pass, and we will be sure, that con g presented on the device. If we uncomment last string,
the playbook will fail. We can use match parameter with value any and execution will succeed. The default value
is all. Think about them as logical operators AND & OR. If wait_for argument included in the task, an output will
not be returned until success or number of retries exceeded.

As you may notice, wait_for used in the last task. More documentation on this module

"stdout_lines": [
[
"Building configuration...",
"netconf-yang agent",
" ssh",
"!",
"ssh server session-limit 10",
"ssh server v2",
"ssh server netconf vrf default",
"end"
],
[
"Building configuration...",
"banner login ! Unauthorized access to device: flamboyant restricted."
]
]

PLAY RECAP ***********************************************************************************************

flamboyant : ok=3 changed=0 unreachable=0 failed=0

Con g, Logging and System modules

Next modules to be utilized are iosxr_con g, iosxr_logging and iosxr_system.

iosxr_con g doesn’t support netconf connection. ⚠

To show a more sophisticated ow, we will create a role in our initial playbook.

File main.yml will include tasks, which need to be executed. router.conf - common con guration for devices.


|____xr-passes.yml
|____head-playbook.yml
|____ansible-hosts.ini
|____roles
| |____xr_config
| | |____common
| | | |____router.conf
| | |____tasks
| | | |____main.yml

$ cat roles/xr_config/common/router.conf
router ospf 1

PDFCROWD.COM
 area 0
interface HundredGigE0/0/1/0

Playbook consists of three tasks. On rst task, Ansible will change the device hostname. During second task
Ansible applies con guration le on all devices. Third task checks that OSPF con guration is properly applied and
OSPF process is up and running.


cat roles/xr_config/tasks/main.yml
---
- name: Change hostname
iosxr_config:
lines:
- hostname

- name: Apply config from file

iosxr_config:
lines:
- ""
backup: yes

- name: check if OSPF is configured

iosxr_command:
commands:
- show run | i "router ospf"
- show processes ospf | i "Process state"
wait_for:
- result[0] contains "router ospf 1"
- result[1] contains "Run"

Main parameters for the con g module are the following:

lines & parents. Lines - ordered set of con gs. Parents parameter uniquely identi es, under which block lines
should be con gured.
replace values are line (default), block, con g. De nes the behavior for task. If set to block and di erence exist
in lines, whole block will be pushed.
match values are line (default), strict, exact, none. Similar parameter to the previous one in terms of
comparison. De nes matching algorithm.
backup will create the full running con guration in a backup subfolder, before applying new con g;
before & after - will append commands respectively;
comment - text added to commit description. Default: con gured by iosxr_con g;

Ready to get some logs out of the device? Logging module is purposed for that. If you are interested in streaming
operation data, check our thorough Telemetry tutorials


---
- name: Configure IOS-XR devices
hosts: routers
gather_facts: no
connection: network_cli

PDFCROWD.COM
 tasks:
- name: configure console logging level
iosxr_logging:
dest: console
level: debugging
state: present
- name: configure logging for syslog server host
iosxr_logging:
dest: host
name: 172.30.13.2
level: critical
state: present

For logging in IOS-XR Guest OS, check this tutorial

iosxr_logging doesn’t allow you to specify the port, so you may use con g module as a workaround. ⚠

The third module in the section is system con guration: con gure DNS, domain-search, and lookup. State
present/absent used for enable/disable con guration piece, like we saw earlier in the tutorial.


---
- name: Configure IOS-XR devices
hosts: routers
gather_facts: no
connection: network_cli

tasks:
- name: configure DNS and domain-name (default vrf=default)
iosxr_system:
state: present
domain_name: local.cisco.com
domain-search:
- cisco.com
name_servers:
# new DNS from CloudFlare, easy to remember ;)
- 1.1.1.1
- 8.8.8.8
- 8.8.4.4

Interfaces module

Wonder how to manage interfaces? There is the speci c module for interface management. There are 4 states
for interface: present(default), absent, up & down. Up equal to present + operationally up. Down - present +
operationally down.

The aggregate parameter used to con gure multiple interfaces in one task. New interface - new line. The rst
task will enable just one interface, second will enable two interfaces and will set MTU value.


- name: Unshut interface
iosxr_interface:
description: link to RouterXX TenGigE0/0/0/11

PDFCROWD.COM
 name: TenGigE0/0/0/28
state: present

- name: Configure interfaces using aggregate

iosxr_interface:
aggregate:
- name: TenGigE0/0/0/30
- name: TenGigE0/0/0/31
mtu: 512
state: present

User module

One more module, this time for user management. Password for user provided in the clear text. Public key could
be used, but in this case, Python module base64 required (usually it’s included into Python distributions). If
public_key or public_key_contents used and multiple users created, the same key used for every user.

If you use parameter purge, which is boolean, all other users going to be removed from the device, except admin and newly created within the
task.


- name: set multiple users to group sys-admin
iosxr_user:
name: user1
group: sysadmin
state: present
public_key_contents: ""

- name: Create multiple users to multiple groups

iosxr_user:
aggregate:
- name: user2
- name: user3
configured_password: cisco
groups:
- sysadmin
- root-system
state: present

# Remove users
- name: user deletion
iosxr_user:
aggregate:
- name: user1
- name: user2
state: absent

Get Facts module

PDFCROWD.COM
Facts is one of the most straightforward module, but also very resource intense because it will prompt device for
running con guration. If gather_subset supplied, possible values are all, hardware, con g, and interfaces. Try to
limit usage of show running-con g in playbooks to not sacri ce playbook performance.


- name: get config facts and hardware
iosxr_facts:
gather_subset:
- config
- hardware
register: hardware

- name: get all facts, except information regarding interfaces, we have the special module for them!
iosxr_facts:
gather_subset:
- all
- "!interfaces"

Command module

Few examples for this module already provided above. Important parameters for this module:

interval - default 1 second, sets the timer between retries;

retries - how many attempts Ansible will do before failing on task. Default - 10;
wait_for - example was provided when we enable NETCONF on the system and checked response from the
device. Can be used in conjunction with match parameter.

Dealing with passwords

Ansible Vault

Ansible Vault is a feature to store your secrets and sensitive information in encrypted les, instead of plain text.

First step to create vault le:


$ ansible-vault create xr-passes.yml
New Vault password:
Confirm New Vault password:
$

Populate it with values aka variables, same key-value scheme used:


my_sensitive_pass_vault: cisco_SecUre_P@ss

Save le. We can check the encrypted le content:


$ cat xr-passes.yml
$ANSIBLE_VAULT;1.1;AES256
30303565333538383465393933363636653565636465656438333331303261333866376363373932

PDFCROWD.COM
 6539303964623031383065366135663166356263393937310a316436663938346165376636666631
37623938383264396431326464323632346632636634333966376666353731623530343634373263
6235353763653338370a643737653735396261346264633132383537643137383165346433303937
35386364366566643065306633636361353739363865396166623830643630356535

Don’t like your Vault password? You can change it.


$ ansible-vault rekey xr-passes.yml

Advanced Encryption Standard (AES) is used for default encryption (which is shared-secret based).

---
- name: Configure IOS-XR devices
hosts: routers
gather_facts: no
connection: local

roles:
- get_facts
- banner_setup
- xr_config

vars:
# Include vault
vars_files: xr-passes.yml
cli:
host: "{{ inventory_hostname }}"
username: "{{ ansible_user }}"
# Password used from Vault
password: "{{ my_sensitive_pass_vault }}"

To make it possible, you need to include vars_ les key into the playbook with vault le value.

Key-based authentication to IOS-XR device.

To establish passwordless authentication on IOS-XR we need to go through multiple steps. The public key should
be encoded in base64 format. You can use utility base64, part of Linux and macOS distribution, or try to use
online tool for encoding, such as base64decode.org. After copy key to IOS-XR based device and import it.

Make sure that key-pair generated on the device and create b64 le.


$ ls ~/.ssh/ | grep id_rsa.pub
id_rsa.pub

$ cut -d" " -f2 ~/.ssh/id_rsa.pub | base64 -d > ~/.ssh/id_rsa_pub.b64

$ ls -la ~/.ssh/ | grep b64

-rw-rw-r-- 1 cisco cisco 535 Aug 6 10:43 id_rsa_pub.b64

PDFCROWD.COM
Key transfer and import operation:

RP/0/RP0/CPU0:flamboyant#scp cisco@172.30.13.2:/home/cisco/.ssh/id_rsa_pub.b64 /disk0:/id_rsa_pub.b64

Mon Aug 6 17:40:58.958 UTC
Connecting to 172.30.13.2...
Password:
Transferred 535 Bytes
535 bytes copied in 0 sec (535000)bytes/sec

RP/0/RP0/CPU0:flamboyant#dir disk0: | i rsa

Mon Aug 6 10:50:14.476 PDT
56 -rw-r--r-- 1 535 Aug 6 10:41 id_rsa_pub.b64

RP/0/RP0/CPU0:flamboyant#crypto key import authentication rsa disk0:/id_rsa_pub.b64

Mon Aug 6 10:41:03.651 UTC
RP/0/RP0/CPU0:flamboyant#

Veri cation, that key is imported:


RP/0/RP0/CPU0:flamboyant#show crypto key authentication rsa
Mon Aug 6 10:51:24.635 PDT
Key label: root
Type : RSA public key authentication
Size : 4096
Imported : 10:41:03 PDT Mon Aug 06 2018
Data :
30820222 300D0609 2A864886 F70D0101 01050003 82020F00 3082020A 02820201
00D031B9 C0CD4838 C031D9E8 390C51ED 8B77D3F8 F0637BE3 CB4631C5 5D84A294
BE475637 8F7CC395 3E4AD022 ABBE538A 5304CD3A EC9F0B19 0876132F 7675B36C
46ED953D B870F3FB 2EDB9B50 E6C29278 5A48C0B5 66B09AC3 D03A54FB E7F8DE78
A7733571 660DFED5 FB6D0599 54227601 08924FFD CBB890F7 93DCE02C 13F4FFA2
E15FF061 9C64E0BF B62CF8B0 C6305613 D714F84F 7DBA3B1D ED93609B 8E8384A8
EC259CDA EEBBD07E 5931F467 4D86D59A 24B596C7 4AEDE957 FA8866C1 ED2988F5
7B9945F9 CC308EA3 532A2470 75C8CE23 49C0AA75 A1F03538 BC3DD4DE EACC8150
6640B368 7D5696A7 15C6D1BA D6534F34 3CD4ED92 A313A8D0 0480A169 4BF9575C
6BCE836E D72F4E01 E76C94A1 3B35C430 FB6A471B 453B0DE3 ACD28034 2632E111
192A9CA0 3DBF3410 0E9580C7 E0DE4968 01DB0C43 98254390 FDB43E3E 39429EA2
9CFA40A5 2D8A89EC 1DA9ED1D 494306D2 96936B1D ABDA1F7C 513B9E89 4E45F1FA
50B1DB14 A00D4A83 2B72C5EC 4557A975 A76D49D8 AC184BBE 3C75E292 CFE0F032
2DAE7154 83AE0A21 D4177524 11F33960 56732666 84619C01 BA36E257 93DE4A8B
B8E1E7F7 67A80F9A 265320F4 949F6151 D67B1B2E BF3F6C61 C98C45CF EE3F2D87
EE7031D9 AD27C89A 20087789 F711FD69 0957C424 E216E439 51B95831 DCE9008A
7F02D500 802AEADB 4C7469B9 04E98E1A 4BDC6BC1 C36C191F 31747564 5BC178F6
CD020301 0001

Try to connect, to make sure, no password required:

ssh root@172.30.13.70

PDFCROWD.COM
 Unauthorized access to device: flamboyant restricted.

RP/0/RP0/CPU0:flamboyant#

Voilà, passwordless authentication works.

Performance tips

Change strategy for execution

Playbook performance can be increased. In order to achieve this, we need to use strategy plugin and change
default value linear to free. By default, Ansible task execution wait for completion on the host, then goes to
another host and after execution on all hosts for the current task complete, a new task started. With free strategy,
Ansible will create a fork of the process. It wouldn’t wait for execution of task to be completed on all nodes.
When task is completed on the node, next task is started on it, without delay.

It’s easy to change strategy in playbook:

---
- name: Configure IOS-XR devices
hosts: routers
strategy: free
gather_facts: no
connection: network_cli

roles:
- get_facts

Change forks number

Forks - parallel processes spawned by Ansible for communication with remote hosts and task execution. The
default amount of processes - 5. Add the following string to ansible.cfg to increase number of forks.


# ansible.cfg
forks = 10

Another way to change amount of Forks to specify a value, when you run a playbook:


ansible-playbook head-playbook.yml -i ansible-hosts.ini --forks 10

Conclusion

We cover Ansible modules available today for IOS-XR (particular attention to iosxr_command & iosxr_con g
modules), prerequisites required for that, created role examples and tweak Ansible performance for faster
playbook completion. Start slowly with your automation and increase the complexity as you grow.

PDFCROWD.COM
Good luck with further automation 🔧

 Tags: Ansible Automation iosxr

 Updated: August 06, 2018

SHARE ON

   

Leave a Comment

3 Comments xrdocs.github.io 
1 Login

 Recommend 2 t Tweet f Share Sort by Best

Join the discussion…

LOG IN WITH
OR SIGN UP WITH DISQUS ?

Name

Haroon • 3 months ago

Hi Mike, could you please support in below, getting authentication timeout, i am able to
do ssh in IOSXR from Controller but getting failure via controller running playbook.

TASK [Router Health Monitoring Commands] ***************************************

fatal: [IOSXR]: FAILED! => {"msg": "Authentication timeout."}
to retry, use: --limit @/etc/ansible/venv27/playbooks/IOSXRvtest.retry
Regards,
Haroon
△ ▽ • Reply • Share ›

Haroon > Haroon • 3 months ago

Brief of Issue

I am submitting Case1,Case2a & Case2b getting "msg": "Authentication timeout."

Case:1 Adhoc Command Output and Issue

+++Working with local connection++++
venv27) [root@osboxes9 ansible]# ansible IOSXR -c local -m iosxr_command -a
"username=cisco123 password=cisco123 commands='show int des | i down'"
[DEPRECATION WARNING]: Param 'username' is deprecated. See the module
docs for more information. This feature will be removed in version 2.9.
Deprecation warnings can be
PDFCROWD.COM
 ep ecat o a gs ca be
disabled by setting deprecation_warnings=False in ansible.cfg.
[DEPRECATION WARNING]: Param 'password' is deprecated. See the module
docs for more information. This feature will be removed in version 2.9.
Deprecation warnings can be
disabled by setting deprecation_warnings=False in ansible.cfg.
IOSXR | SUCCESS => {
"changed": false,
" td t" [
see more

1△ ▽ • Reply • Share ›

Mike Korshunov Mod > Haroon • 3 months ago

Hi Haroon, as a first step to troubleshoot, could you setup passwordless

access to the IOS-XRv and rerun the commands with -vvv option?

To do this, please generate b64 file from your public key and import it on
the device: "crypto key import authentication rsa disk0:/id_rsa_pub.b64"
△ ▽ • Reply • Share ›

✉ Subscribe d Add Disqus to your site 🔒 Disqus' Privacy Policy

FOLLOW:  TWITTER  GITHUB  FEED

This site is maintained by Cisco Systems, Inc. employees. Powered by Jekyll & Minimal Mistakes.

PDFCROWD.COM