
Ansible Role is not idempotent when SSH key is rsa with 4096bits
Not Applicable | Public | BUG

Description

Tested on:

  • VyOS 1.4.2 & 1.3.8
  • Ansible: 10.7.0
  • vyos.vyos collection: 4.1.0 and 6.0.0

When using Ansible to create a user with an SSH key login, it will claim there is a change if the user's SSH key is an RSA key of length 4096.

Example:

Create SSH keys:
ssh-keygen -t rsa -b 2048 -f rsa2048.key
ssh-keygen -t rsa -b 4096 -f rsa4096.key

Playbook:

---
- name: Test vyos idempotency
  hosts: dev-firewall
  tasks:
    - name: Create Users for the first time
      vyos.vyos.vyos_config:
        lines:
          - set system login user rsatest authentication public-keys rsatest key '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'
          - set system login user rsatest authentication public-keys rsatest type 'ssh-rsa'
          - set system login user rsatest2 authentication public-keys rsatest2 key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDIT7cbfSkhqgyy0nzacYjLKq5+yFNTiC3NPvqWgwNgjplTRYCNCnTLeIXZhPi0C4IGOTX+hMGyxERU3CTzwoSieZpC7QsmXrTRtVlenGpcF7CfNyHzfCMiozMihgEQiMQyJaJQfkLyb3luR/AyobwI4nDzLNA34EU0Q/tnuJoo17tbB/w0QVeKq5MVziyYrAy+0A/uu9+UpIVZa6sfhQfCg0dU6rYtV4fLuQq968sWTDw0UOvCN0e+SvYM816wKzPX8lLBlqgMOnioHGIMgZ/hyotexP/wkPse79PivuKBrRhN/cM/0Uo+dBit9mKSULPuo6JZa/DsQGKkMRvetlIt'
          - set system login user rsatest2 authentication public-keys rsatest2 type 'ssh-rsa'

    - name: Create Users for the second time (should not result in a change)
      vyos.vyos.vyos_config:
        lines:
          - set system login user rsatest authentication public-keys rsatest key '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'
          - set system login user rsatest authentication public-keys rsatest type 'ssh-rsa'
          - set system login user rsatest2 authentication public-keys rsatest2 key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDIT7cbfSkhqgyy0nzacYjLKq5+yFNTiC3NPvqWgwNgjplTRYCNCnTLeIXZhPi0C4IGOTX+hMGyxERU3CTzwoSieZpC7QsmXrTRtVlenGpcF7CfNyHzfCMiozMihgEQiMQyJaJQfkLyb3luR/AyobwI4nDzLNA34EU0Q/tnuJoo17tbB/w0QVeKq5MVziyYrAy+0A/uu9+UpIVZa6sfhQfCg0dU6rYtV4fLuQq968sWTDw0UOvCN0e+SvYM816wKzPX8lLBlqgMOnioHGIMgZ/hyotexP/wkPse79PivuKBrRhN/cM/0Uo+dBit9mKSULPuo6JZa/DsQGKkMRvetlIt'

In this example you would expect the second task not to return changed, since it does the same as the first step.

Running Ansible in verbose (-vvv) mode shows that the 4096-bit key will always return as changed:

TASK [Create Users for the second time (should not result in a change)] ***************************************************************************************************************************************************************************************************************************************************
task path: /home/nicolas.berens/repos/gs-networking/test.yml:13
[WARNING]: Failure using method (v2_on_file_diff) in callback plugin (<ansible_collections.ansible.posix.plugins.callback.debug.CallbackModule object at 0x7f134ac27980>): sequence item 0: expected str instance, NoneType found
Callback Exception: 
  File "/home/nicolas.berens/.local/lib/python3.12/site-packages/ansible/executor/task_queue_manager.py", line 461, in send_callback
    method(*new_args, **kwargs)
   File "/home/nicolas.berens/.local/lib/python3.12/site-packages/ansible/plugins/callback/default.py", line 231, in v2_on_file_diff
    diff = self._get_diff(result._result['diff'])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/home/nicolas.berens/.local/lib/python3.12/site-packages/ansible/plugins/callback/__init__.py", line 402, in _get_diff
    return u''.join(ret)
           ^^^^^^^^^^^^^
changed: [fw-dev] => {
    "changed": true,
    "commands": [
        "set system login user rsatest authentication public-keys rsatest key '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'"
    ],
    "diff": {
        "prepared": null
    },
    "filtered": [],
    "invocation": {
        "module_args": {
            "backup": false,
            "backup_options": null,
            "comment": "configured by vyos_config",
            "config": null,
            "lines": [
                "set system login user rsatest authentication public-keys rsatest key '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'",
                "set system login user rsatest authentication public-keys rsatest type 'ssh-rsa'",
                "set system login user rsatest2 authentication public-keys rsatest2 key 'AAAAB3NzaC1yc2EAAAADAQABAAABAQDIT7cbfSkhqgyy0nzacYjLKq5+yFNTiC3NPvqWgwNgjplTRYCNCnTLeIXZhPi0C4IGOTX+hMGyxERU3CTzwoSieZpC7QsmXrTRtVlenGpcF7CfNyHzfCMiozMihgEQiMQyJaJQfkLyb3luR/AyobwI4nDzLNA34EU0Q/tnuJoo17tbB/w0QVeKq5MVziyYrAy+0A/uu9+UpIVZa6sfhQfCg0dU6rYtV4fLuQq968sWTDw0UOvCN0e+SvYM816wKzPX8lLBlqgMOnioHGIMgZ/hyotexP/wkPse79PivuKBrRhN/cM/0Uo+dBit9mKSULPuo6JZa/DsQGKkMRvetlIt'"
            ],
            "match": "line",
            "save": false,
            "src": null
        }
    }
}

Details

Version: 1.4
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

I think this may be related to the other T7621, since they would both involve the diff engine for the cliconf plugin.

@nicolasberens You may want to give the vyos_user command a try as it should deal with this appropriately.

Using this playbook I can reproduce the same bug with the vyos_user command (2048 does not change on the second run, 4096 does):

---
- name: Test vyos idempotency
  hosts: fw-dev
  tasks:

    - name: Create Users for the first time
      vyos.vyos.vyos_user:
        name: rsatest
        state: present
        update_password: on_create
        public_keys:
          - name: rsatest
            key: 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
            type: ssh-rsa

    - name: Create Users for the second time (should not result in a change)
      vyos.vyos.vyos_user:
        name: rsatest
        state: present
        update_password: on_create
        public_keys:
          - name: rsatest
            key: AAAAB3NzaC1yc2EAAAADAQABAAACAQDlO81lWC343i3Y++Wpj6ojKcR2fIMfWyy3a2HvIzD2U/l2z0HxDGdJpvNWR3PW3C4EacMHAdsJNSqiVrXbMfdXWVxCPK5sIk5YjPRgM1pXoJ/TtvZWuD+1fembM4WP9rZASe7bWgdCC5mQvO2/79UKfW0Yi3WK1pjxaW29IeN0+rVCCJmZUFQ1xsbfIZiE5IJFRHXyfRV/K3P7Rw0Z/m3vW804s1l8xKo745eKups4ORwntoIZL2x95C/kAs5QrizVM2PILhPGXx/b1F5axHCaJYZbWdn9Fbn4CE++XkeyxSScEdQrIt4FGc7biNPW67OtmfRrxjwH5TMZoCj0LBOAxYrBNZExHsOZbns6DyhqA9s8ndoGazBUI3/s2lmgnvZ9W0DGmj8Iw7/nCTSDmvb+5YssNq9SvTLaSdfPFeo6JlDUJCNi7TaslobBDauKBs8LqYUYig48CK8ie6QQPAyXDp3D7yxBzLpO2Qz/ZermsD5q8+wkCz5TOuxUXId6TJo8/VdCkmC0nVt5AmxtCVbSC8dooqXrp1ROEu2hvEZEbGf6aM0NtAaxYd4QGDShjgbLWysfmUjL89BA4E3Psn/OE7HzlQMQrRNHnYJavloy9RaI/jMiN08xft6e5U9ERVaS0ttLB/rugISbnkc+DsJJugLQ4TAy+a+gIK+XxmAUGQ==
            type: ssh-rsa

Hi,
I am testing against 1.4.2, via pylibssh. I see the 4096-long one does break idempotency, but I see no Exception.
I will retest with vyos_user.

Nonetheless, this is a bug

I can see the community module we use (netcommon/network_cli) actually returns the running config with broken long strings: it inserts an extra space.

set system login user rsatest authentication public-keys rsatest key AAAAB3NzaC1yc2EAAAADAQABAAACAQDlO81lWC343i3Y++Wpj6ojKcR2fIMfWyy3a2HvIzD2U/l2z0HxDGdJpvNWR3PW3C4EacMHAdsJNSqiVrXbMfdXWVxCPK5sIk5YjPRgM1pXoJ/TtvZWuD+1fembM4WP9rZASe7bWgdCC5mQvO2/79UKfW0Yi3WK1pjxaW29IeN0+rVCCJmZUFQ1xsbfIZiE5IJFRHXyfRV/K3P7Rw0Z/m3vW804s1l8xKo745eKups4ORwntoIZL2x95C/kAs5QrizVM2PILhPGXx/b1F5axHCaJYZbWdn9Fbn4CE++XkeyxSScEdQrIt4FGc7biNPW67OtmfRrxjwH5TMZoCj0LBOAxYrBNZExHsOZbns6DyhqA9s8ndoGazBUI3/s2lmgnvZ9W0DGmj8Iw7/nCTSDmvb+5YssNq SvTLaSdfPFeo6JlDUJCNi7TaslobBDauKBs8LqYUYig48CK8ie6QQPAyXDp3D7yxBzLpO2Qz/ZermsD5q8+wkCz5TOuxUXId6TJo8/VdCkmC0nVt5AmxtCVbSC8dooqXrp1ROEu2hvEZEbGf6aM0NtAaxYd4QGDShjgbLWysfmUjL89BA4E3Psn/OE7HzlQMQrRNHnYJavloy9RaI/jMiN08xft6e5U9ERVaS0ttLB/rugISbnkc+DsJJugLQ4TAy+a+gIK+XxmAUGQ==

It seems that the community plugin netcommon network_cli breaks long lines, resulting in a diff. I tried ansible_terminal_width but no luck.
I will be looking for some workarounds, unless there is already an open issue with Netcommon.

syncer triaged this task as Normal priority. Jul 11 2025, 10:50 PM

Hello @nicolasberens
Apologies for taking too long to respond.
I investigated further and found that the community module function netcommon.CliConf inserts an extra space, thus breaking the long lines and causing a diff to be generated, which, in turn, impacts the idempotency of the VyOS modules.


I raised an issue with the community https://github.com/ansible-collections/ansible.netcommon/issues/713

Given there is no actual reprovision or service disruption due to this issue, we consider this a known problem for long lines.
It’s an edge case and the effect right now seems to be inappropriately indicating a change.
A temporary workaround can be a move to elliptic curve as a better long-term solution, given the general RSA retirement process.

evgmol closed this task as Not Applicable. Aug 5 2025, 11:30 PM
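
The effect described in this thread, as an added example that is not part of the ticket or of the VyOS or netcommon code: a simplified model of line-based config matching in which one inserted space makes a long key line look pending, next to a comparison that normalizes the key value first. The keys are constructed blobs, and the helper names and the 512-character column are assumptions made for the demo.

```python
import base64
import re
import struct

KEY_LINE = re.compile(r"^(set system login user \S+ authentication public-keys \S+ key) (.+)$")

def _mpint(n):
    # SSH mpint: big-endian with a leading zero byte when the top bit is set
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw

def make_rsa_blob(bits):
    """Constructed ssh-rsa blob for the demo (well-formed, not a usable key)."""
    n = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return base64.b64encode(blob).decode()

def rsa_bits(b64):
    """Decode a key value, ignoring embedded whitespace; return the modulus size."""
    blob = base64.b64decode("".join(b64.split()), validate=True)
    fields, off = [], 0
    while off < len(blob):
        (size,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + size])
        off += 4 + size
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key blob")
    return int.from_bytes(fields[2], "big").bit_length()

def inject_space(line, col=512):
    # Assumption: the transport adds one space at a fixed column of long lines
    return line[:col] + " " + line[col:] if len(line) > col else line

def normalize(line):
    """Strip quotes and whitespace from the key value; other lines pass through."""
    m = KEY_LINE.match(line)
    if not m:
        return line
    return m.group(1) + " " + "".join(m.group(2).strip("'").split())

def pending(desired, running, norm=lambda s: s):
    """Desired lines absent from the running config (simplified line matching)."""
    have = {norm(r) for r in running}
    return [d for d in desired if norm(d) not in have]

def demo():
    desired = [f"set system login user u{b} authentication public-keys u{b} key {make_rsa_blob(b)}"
               for b in (2048, 4096)]
    running = [inject_space(d) for d in desired]
    return desired, running, pending(desired, running), pending(desired, running, normalize)
```

With normalization the spurious change disappears, while a key that really differs on the device is still reported as pending.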