Ansible Collection For SR Linux#
Ansible collection for SR Linux is identified with
nokia.srlinux fully qualified collection name and contains the plugins and modules to interface with SR Linux devices.
|SR Linux version
Modules contained within this collection fully conform to the idempotence principles of Ansible, as well as provide first-class support for diff and check functionality2.
Besides examples provided for each module of this collection, checkout Ansible with SR Linux tutorial to see how to use this collection in practice.
Nokia SR Linux collection provides the following modules that work via HttpApi connection plugin and therefore rely on SR Linux's JSON-RPC server:
nokia.srlinux.get- retrieve configuration and state.
nokia.srlinux.config- configure SR Linux devices via model driven interface.
nokia.srlinux.cli- execute CLI commands.
nokia.srlinux.validate- validate provided configuration.
Architecturally the modules provide a generic way to retrieve data from and configure SR Linux devices in a model-driven way3. Because SR Linux is a fully-modelled NOS, users should leverage the YANG Browser to navigate the datastores and understand the data model.
Quick examples of how to use the modules. For more information on each module options and return values, please refer to the module's documentation page.
Retrieve configuration and state from SR Linux devices.
Configure SR Linux devices.
Execute CLI commands on SR Linux devices.
The recommended way to install galaxy collections is via the
ansible-galaxy CLI command that ships with the ansible installation.
- Available version are listed in collection's home page.
Collection is installed at the collections path. Default location is
To simplify the usage of the collection, we provide a container image that contains the collection and all its dependencies. To accommodate for the different Ansible versions, we provide multiple images based on the underlying
ansible-core and the python version. The full list of available images and their tags can be found in the Github container registry.
The easiest way to use the image is to create an alias for the
How to test this container?
Let's demonstrate how to use this container image given the alias above.
First, we deploy a simple SR Linux node using containerlab:
Once the lab is deployed, let's create a simple
test.yml playbook that retrieves the SR Linux version:
Finally, let's run the playbook specifying the SR Linux container name
srl as a single inventory host, the connection plugin to use, and the credentials:
SR Linux configuration#
The factory configuration that SR Linux ships with doesn't have JSON-RPC interface enabled. In order to use the modules of this collection, users should enable and configure the JSON-RPC server.
Ansible supports a number of connection modes to establish connectivity with devices over multiple connection protocols. SSH, HTTP and Local connections are likely the most popular one.
To instruct Ansible to use
ansible.netcommon.httpapi connection plugin, users should set the
ansible_connection variable to
There are many ways to set this variable, though most common one is to set in the inventory file:
- Other variables are omitted
ansible_network_os variables users select which Network OS the target host runs. For Nokia SR Linux this variable should be set to
Most commonly, this variable is set in the inventory file:
- Other variables are omitted
Basic HTTP authentication is used by the modules of this collection. Credentials are provided by the common
SR Linux JSON-RPC server which the modules of this connection connect to can operate in two modes:
- Insecure HTTP mode
No TLS certificates required, connection is not encrypted
- Secure HTTPS mode
Requires TLS certificate to be generated and configured.
To instruct Ansible to connect to SR Linux device over https protocol users should set the
ansible_httpapi_use_ssl variable to
true. Again, this can be done on different levels, but most often it is part of the inventory file.
ansible_httpapi_use_ssl is set to
true, Ansible will try to establish the connection over https using
By default, when operating over https protocol, Ansible will try to validate the remote host's certificate. If the node's certificate is signed with CA that is not in the trust chain of the ansible controller, then the certificate validation will fail. There are two ways to make TLS-based connectivity work:
ansible_httpapi_ca_pathvariable pointing to the CA certificate that signed the node's certificate.
- Disable certificate verification with setting
TLS 1.3 support and cipher suites#
In the recent Python versions (>=3.10) default security settings for TLS have been hardened. More specifically the cipher suites have been restricted to the ones that are considered secure.
SR Linux started to ramp up TLS 1.3 support starting with release 23.10.1; users of older SR Linux releases would need to explicitly set the
ansible_httpapi_ciphers variable to the cipher suite that is supported, for example
With the above configuration options in mind, the following
hosts file demonstrates their usage to connect to the SR Linux device:
To demonstrate the usage of the modules in this collection, we will use a very simple containerlab topology to deploy a single SR Linux node:
Save the file as
ansible.clab.yml and deploy the lab with
containerlab deploy -t ansible.clab.yml.
hosts file as shown in the previous section and you're ready to tryout the modules of this collection.