
Ansible locking configuration

  • 1.  Ansible locking configuration

    Posted 04-15-2020 06:31



    I have some Ansible playbooks running on a schedule and collecting information from JunOS devices (switches, SRX), and I ran into an annoying problem with that. It seems I cannot find a solution; could anyone give me a hint?


    The problem is that Ansible locks the configuration of an SRX cluster in exclusive mode when it retrieves it. It doesn't make any changes or need to commit anything, so I would like it to do the job in operational mode and not lock the cluster configuration. Trying to enter the firewall configuration mode at the same time as Ansible happens to be running the playbook produces this:


    user@fw_node0> configure
    warning: Clustering enabled; using private edit
    warning: changes cannot be committed while 'configure exclusive' is active
    warning: uncommitted changes will be discarded on exit
    Entering configuration mode
    Users currently editing the configuration:
    ansible-username (pid 42598) on since 2020-04-15 13:30:15 EEST


    The playbooks are very simple configuration retrievals like these:

    - name: Get VRFs
      hosts: routers
      roles:
        - Juniper.junos
      connection: local
      gather_facts: no
      tasks:
        - name: Get list of VRFs
          juniper_junos_config:
            retrieve: "committed"
            filter: "<configuration><security><zones></zones></security><routing-instances></routing-instances></configuration>"
            format: "xml"
            dest: "/somewhere/{{ inventory_hostname }}-vrf.txt"
          register: response
        - name: Get static NAT rules
          juniper_junos_config:
            retrieve: "committed"
            filter: "<configuration><security><nat><static></static></nat></security></configuration>"
            format: "xml"
            dest: "/somewhere/{{ inventory_hostname }}-nat.txt"
          register: response



  • 2.  RE: Ansible locking configuration
    Best Answer

    Posted 04-15-2020 07:01

    Think I actually found at least a partial solution when looking into this again. Just adding config_mode: "private" to the playbook makes Ansible use private mode and not lock the entire configuration. It's still not perfect as it fails if there are uncommitted changes, but for our use scenario it's good enough.


    Having a way to fetch the configuration without actually entering the configuration mode would be much better. If anyone has a suggestion for how to do it, I would be happy to hear it.
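
The fix from the answer applied to one of the retrieval tasks, as an added example that is not part of the original posts: `config_mode: "private"` goes inside the module's arguments, and a retry loop covers the case the answer mentions where the task fails because of uncommitted changes. It assumes the tasks use the Juniper.junos role's `juniper_junos_config` module; the retry count, delay and play name are illustrative values.

```yaml
# Added example. Assumptions: module name juniper_junos_config,
# retries/delay values, and the play name are not from the original posts.
- name: Get static NAT rules without an exclusive lock
  hosts: routers
  roles:
    - Juniper.junos
  connection: local
  gather_facts: no
  tasks:
    - name: Get static NAT rules
      juniper_junos_config:
        # Use a private copy of the configuration database instead of the
        # module's default exclusive lock, so operators can still commit.
        config_mode: "private"
        retrieve: "committed"
        filter: "<configuration><security><nat><static></static></nat></security></configuration>"
        format: "xml"
        dest: "/somewhere/{{ inventory_hostname }}-nat.txt"
      register: response
      # The answer notes that private mode fails while uncommitted changes
      # exist; retry a few times before reporting the host as failed.
      until: response is succeeded
      retries: 5
      delay: 60
```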