Use Ansible to Restore a Junos Device to the Factory-Default Configuration Settings
SUMMARY Use the Juniper Networks Ansible modules to restore a Junos device to its factory-default configuration settings.
How to Use Ansible to Restore the Factory-Default Configuration Settings
Juniper Networks supports using Ansible to manage Junos devices and provides modules that enable you to restore a device to its factory-default configuration settings. Table 1 outlines the modules.
Content Set | Module Name
---|---
juniper.device collection | system
Juniper.junos (Release 2.0.0 or later) | juniper_junos_system

To use the system or juniper_junos_system module to restore a device to its factory-default configuration settings, set the module’s action argument to 'zeroize'.

After a device is restored to the factory-default configuration settings, you must log in through the console as root in order to access the device.

Starting in Juniper.junos Release 2.0.0, the juniper_junos_system module replaces the functionality of the junos_shutdown and junos_zeroize modules.
The action: "zeroize" argument causes the module to execute the request system zeroize operational command on the target host. This command removes all configuration information on the specified Routing Engines, resets all key values on the device, and then reboots the device and resets it to the factory-default configuration settings. The zeroize operation removes all data files, including customized configuration and log files, by unlinking the files from their directories, and it also removes all user-created files from the system including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
The following Ansible playbook uses the juniper.device collection’s system module with action: "zeroize" to reset all Routing Engines on each host in the inventory group to the factory-default configuration settings.

```yaml
---
- name: Restore Junos devices to factory-default configuration
  hosts: dc1
  connection: local
  gather_facts: no
  tasks:
    - name: Restore all Routing Engines to factory-default configuration
      juniper.device.system:
        action: "zeroize"
```
By default, the action: "zeroize" operation resets all Routing Engines in a dual Routing Engine or Virtual Chassis setup to the factory-default configuration settings. You can also instruct the module to perform the operation on only the Routing Engine to which the application is connected.

To explicitly indicate that the operation should be performed on all Routing Engines in a dual Routing Engine or Virtual Chassis setup, include the all_re: True argument, which is the default.

```yaml
  tasks:
    - name: Restore all Routing Engines to factory-default configuration
      juniper.device.system:
        action: "zeroize"
        all_re: True
```
To perform the requested action on only the Routing Engine to which the application is connected, include the all_re: False argument.

```yaml
  tasks:
    - name: Restore connected Routing Engine to factory-default configuration
      juniper.device.system:
        action: "zeroize"
        all_re: False
```
To instruct the module to also scrub all memory and media, in addition to removing all configuration and log files, include the media: True argument. Including the media: True argument is equivalent to executing the request system zeroize media operational mode command. The media option scrubs every storage device attached to the system, including disks, flash memory devices, removable USBs, and so on. The duration of the scrubbing process is dependent on the size of the media being erased.

```yaml
  tasks:
    - name: Restore device to the factory-default configuration and scrub media
      juniper.device.system:
        action: "zeroize"
        media: True
```
Example: Use Ansible to Restore the Factory-Default Configuration Settings
This example demonstrates how to use the system module in the juniper.device collection to restore a Junos device to its factory-default configuration settings. You can execute the module using any type of connection; however, once you reset the device, you can only access it again as root through a console server or the CONSOLE port. This example connects to the devices through a console server.
Requirements
This example uses the following hardware and software components:

- Configuration management server running Ansible 2.10 or later with the juniper.device collection installed
- Junos device that has access to the console port through a console server and has a user account configured with appropriate permissions
- Existing Ansible inventory file with required hosts defined
Overview
This example presents an Ansible playbook that uses the system module to reset each host in the inventory group to its factory-default configuration settings. The value of the module’s action argument defines the operation to execute on the host. Setting action to "zeroize" executes the request system zeroize command on each host. This command removes all configuration information on the Routing Engines, resets all key values on the device, and then reboots the device and resets it to the factory-default configuration settings.

The request system zeroize command removes all data files, including customized configuration and log files, by unlinking the files from their directories. The command also removes all user-created files from the system including all plain-text passwords, secrets, and private keys for SSH, local encryption, local authentication, IPsec, RADIUS, TACACS+, and SNMP.
When calling the module from a playbook, we recommend that you use an interactive prompt to confirm that the user does intend to reset the devices. If a user unintentionally runs the playbook and there is no check, it could inadvertently revert devices back to factory-default configurations and disrupt any networks that require those devices. As a precaution, this playbook uses an interactive prompt to verify that the user intends to reset the devices and requires that the user manually type 'yes' on the command line in order to execute the module. If the Confirmation check task fails, the Ansible control node skips the other tasks in the play for that device.

The task that restores the hosts to the factory-default configuration executes the system module provided that the confirmation check was successful. The mode: "telnet" and port: 23 arguments instruct the module to telnet to port 23 of the console server. The password parameter is set to the value of the password variable, which the playbook prompts for during execution. After the reboot, you must log in through the console as root in order to access the device.
Configuration
Creating and Executing the Ansible Playbook
Step-by-Step Procedure
To create a playbook that uses the system module to restore a Junos device to its factory-default configuration settings:

1. Include the boilerplate for the playbook and this play, which executes the modules locally.

```yaml
---
- name: Restore Junos devices to factory-default configuration settings
  hosts: dc1_console
  connection: local
  gather_facts: no
```

2. Create an interactive prompt for the password variable, if the user credentials are not already passed in through some other means.

```yaml
  vars_prompt:
    - name: "device_password"
      prompt: "Device password"
      private: yes
```

3. Create an interactive prompt to prevent the accidental execution of the module.

```yaml
    - name: reset_confirmation
      prompt: >
        This playbook resets hosts to factory-default configurations!
        Enter 'yes' to continue.
      default: "no"
      private: no
```

4. Create the task that confirms the user's intent.

```yaml
  tasks:
    - name: Confirmation check
      fail: msg="Playbook run confirmation failed"
      when: reset_confirmation != "yes"
```

5. Create the task to reset all Routing Engines on the device to the factory-default configuration settings.

```yaml
    - name: Restore all Routing Engines to factory-default configuration
      juniper.device.system:
        password: "{{ device_password }}"
        mode: "telnet"
        port: 23
        action: "zeroize"
        timeout: 120
      register: result
```

6. (Optional) Create a task to print the response.

```yaml
    - name: Print response
      debug:
        var: result
```
Results
On the Ansible control node, review the completed playbook. If the playbook does not display the intended code, repeat the instructions in this example to correct the playbook.

```yaml
---
- name: Restore Junos devices to factory-default configuration settings
  hosts: dc1_console
  connection: local
  gather_facts: no
  vars_prompt:
    - name: "device_password"
      prompt: "Device password"
      private: yes
    - name: reset_confirmation
      prompt: >
        This playbook resets hosts to factory-default configurations!
        Enter 'yes' to continue.
      default: "no"
      private: no
  tasks:
    - name: Confirmation check
      fail: msg="Playbook run confirmation failed"
      when: reset_confirmation != "yes"
    - name: Restore all Routing Engines to factory-default configuration
      juniper.device.system:
        password: "{{ device_password }}"
        mode: "telnet"
        port: 23
        action: "zeroize"
        timeout: 120
      register: result
    - name: Print response
      debug:
        var: result
```
Execute the Playbook

To execute the playbook:

- Issue the ansible-playbook command on the control node, and provide the playbook path and any desired options.

```
root@ansible-cn:~/ansible# ansible-playbook ansible-pb-junos-zeroize.yaml
Device password:
This playbook resets hosts to factory-default configurations! Enter 'yes' to continue. [no]: yes

PLAY [Restore Junos devices to factory-default configuration settings]

TASK [Confirmation check] **********************************************
skipping: [dc1a-console.example.net]

TASK [Restore all Routing Engines to factory-default configuration] ****
changed: [dc1a-console.example.net]

TASK [Print response] **************************************************
ok: [dc1a-console.example.net] => {
    "result": {
        "action": "zeroize",
        "all_re": true,
        "changed": true,
        "failed": false,
        "media": false,
        "msg": "zeroize successfully initiated.",
        "other_re": false,
        "reboot": false,
        "vmhost": false
    }
}

PLAY RECAP ************************************************************
dc1a-console.example.net : ok=2    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
```
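As an added example (not part of the Juniper documentation or the juniper.device collection), the Python helper below parses the PLAY RECAP and the registered result shown above so an operator can record, per host, whether zeroize was actually initiated, never ran (confirmation check fired), or could not be reached. The sample output and the second host dc1b are constructed for the example.

```python
import re
from typing import Dict, Optional

# One host line of an Ansible PLAY RECAP, e.g.
#   dc1a-console.example.net : ok=2    changed=1    unreachable=0 ...
_RECAP_LINE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<counts>.*)$")
_COUNT = re.compile(r"(\w+)=(\d+)")


def parse_recap(output: str) -> Dict[str, Dict[str, int]]:
    """Return {host: {"ok": n, "changed": n, ...}} from ansible-playbook output.
    Task headers and the debug JSON carry no key=value counters and are ignored."""
    hosts: Dict[str, Dict[str, int]] = {}
    for line in output.splitlines():
        m = _RECAP_LINE.match(line.strip())
        if not m:
            continue
        counts = {k: int(v) for k, v in _COUNT.findall(m.group("counts"))}
        if counts:
            hosts[m.group("host")] = counts
    return hosts


def zeroize_outcome(counts: Dict[str, int], result: Optional[dict]) -> str:
    """Classify one host. `result` is the dict registered from the
    juniper.device.system task, or None if that task never ran."""
    if counts.get("unreachable", 0):
        return "unreachable"
    if counts.get("failed", 0):
        # Includes the Confirmation check firing: its fail task counts as a
        # failure and the remaining tasks are skipped for that host.
        return "failed"
    if not result or not result.get("changed"):
        return "not-initiated"
    if str(result.get("msg", "")).startswith("zeroize successfully initiated"):
        return "initiated"
    return "unknown"


def summarize(output: str, results: Dict[str, dict]) -> Dict[str, str]:
    """Map every host in the recap to its zeroize outcome."""
    return {h: zeroize_outcome(c, results.get(h)) for h, c in parse_recap(output).items()}


# Constructed sample: the recap from the run above plus an unreachable host.
SAMPLE_OUTPUT = """\
PLAY RECAP ************************************************************
dc1a-console.example.net : ok=2    changed=1    unreachable=0    failed=0    skipped=1    rescued=0    ignored=0
dc1b-console.example.net : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
"""
SAMPLE_RESULTS = {"dc1a-console.example.net": {
    "action": "zeroize", "all_re": True, "changed": True, "failed": False, "media": False,
    "msg": "zeroize successfully initiated.", "other_re": False, "reboot": False, "vmhost": False}}
```

Feed `summarize` the captured stdout of ansible-playbook and a dict of the registered results to get an audit record of which hosts were reset.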
Verification
Verify Playbook Execution
Purpose
Verify that the Junos devices were successfully reset to the factory-default configuration.
Action
Access the device through the console port as root. The device should now be in Amnesiac state.

```
Amnesiac <ttyd0> login:
```
Meaning
The Amnesiac prompt is indicative of a device that is booting from a factory-default configuration and that does not have a hostname configured.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release | Description
---|---
2.0.0 | Starting in Juniper.junos Release 2.0.0, the juniper_junos_system module replaces the functionality of the junos_shutdown and junos_zeroize modules.