junos_config "[WARNING]: mgd: statement has no contents; ignored" for protocols changes

[ryeleo]

SUMMARY

We have a couple of qfx5120-48y-8c devices that for some reason are reporting "mgd: statement has no contents; ignored" when making changes to protocols.

ISSUE TYPE

• Bug Report

COMPONENT NAME

• junipernetworks.junos.junos_config

ANSIBLE VERSION

$ ansible --version
ansible [core 2.17.3]
  config file = None
  configured module search path = ['/home/rleonar7/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/rleonar7/.local/pipx/venvs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/rleonar7/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/rleonar7/.local/bin/ansible
  python version = 3.10.12 (main, Jul 29 2024, 16:56:48) [GCC 11.4.0] (/home/rleonar7/.local/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True

COLLECTION VERSION

$ ansible-galaxy collection list junipernetworks.junos

# /home/rleonar7/.ansible/collections/ansible_collections
Collection            Version
--------------------- -------
junipernetworks.junos 9.1.0

CONFIGURATION

$ ansible-config dump --only-changed
CONFIG_FILE() = None

OS / ENVIRONMENT

Target System Information

> show system information 
Model: qfx5120-48y-8c
Family: junos-qfx
Junos: 22.2R3-S2.8
Hostname: test-router1

Target System Software

> show system software
localre:
--------------------------------------------------------------------------
chef-11.10.4_3.0_x86-32  --  chef
dsa-x86-64-22.2R3-S2.8  --  dsa
jail-runtime-x86-32-20230531.cf35cdf_builder_stable_12_222  --  jail runtime
jdocs-x86-32-20230902.110149_builder_junos_222_r3_s2  --  jdocs
jfirmware-x86-32-22.2R3-S1.7  --  jfirmware
jinsight-x86-32-22.2R3-S2.8  --  jinsight
jmrt-base-x86-64-20230902.110149_builder_junos_222_r3_s2  --  jmrt base
jpfe-common-x86-32-20230902.110149_builder_junos_222_r3_s2  --  jpfe common
jpfe-qfx-x86-32-x86-32-20230902.110149_builder_junos_222_r3_s2  --  jpfe qfx x86 32
jphone-home-x86-32-20230902.110149_builder_junos_222_r3_s2  --  jphone home
jsd-x86-32-22.2R3-S2.8-jet-1  --  jsd jet 1
jsdn-x86-32-22.2R3-S2.8  --  jsdn
junos-daemons-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos daemons
junos-daemons-qfx-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos daemons qfx
junos-dp-crypto-support-qfx-x86-32-20230902.110149_builder_junos_222_r3_s2  --  junos dp crypto support qfx
junos-l2-rsi-20230902.110149_builder_junos_222_r3_s2  --  junos l2 rsi
junos-libs-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos libs
junos-libs-compat32-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos libs compat32
junos-modules-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos modules
junos-net-dcp-prd-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos net dcp prd
junos-openconfig-x86-32-22.2R3-S2.8  --  junos openconfig
junos-platform-x86-32-20230902.110149_builder_junos_222_r3_s2  --  junos platform
junos-platform-qfx-x86-32-20230902.110149_builder_junos_222_r3_s2  --  junos platform qfx
junos-probe-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos probe
junos-routing-aggregated-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing aggregated
junos-routing-compat32-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing compat32
junos-routing-controller-external-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing controller external
junos-routing-controller-internal-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing controller internal
junos-routing-lsys-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing lsys
junos-routing-mpls-oam-advanced-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing mpls oam advanced
junos-routing-mpls-oam-basic-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos routing mpls oam basic
junos-routing-protocol-services-x86-64-22.2R3-S2.8  --  junos routing protocol services
junos-runtime-x86-32-20230902.110149_builder_junos_222_r3_s2  --  junos runtime
junos-runtime-qfx-x86-32-20230902.110149_builder_junos_222_r3_s2  --  junos runtime qfx
junos-modules-qfx-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos modules qfx
jweb-ex-x86-32-20230902.110149_builder_junos_222_r3_s2  --  jweb ex
na-telemetry-x86-32-22.2R3-S2.8  --  na telemetry
junos-net-prd-x86-64-20230902.110149_builder_junos_222_r3_s2  --  junos net prd
os-boot-junos-ve-x86-32-20230531.cf35cdf_builder_stable_12_222  --  os boot junos ve
os-compat32-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os compat32
os-crypto-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os crypto
os-kernel-flex-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os kernel flex
os-libs-12-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os libs
os-libs-compat32-12-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os libs compat32
os-runtime-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os runtime
os-vmguest-x86-64-20230531.cf35cdf_builder_stable_12_222  --  os vmguest
py-base-x86-32-20230902.110149_builder_junos_222_r3_s2  --  py base
py-extensions-x86-32-20230902.110149_builder_junos_222_r3_s2  --  py extensions
os-zoneinfo-20230531.cf35cdf_builder_stable_12_222  --  os zoneinfo

STEPS TO REPRODUCE

The simplest way to reproduce the bug I am seeing is with the following "test.yml" playbook:

-
  hosts: test-router
  gather_facts: false
  tasks:
  -
    name: Deploy configuration
    connection: netconf
    diff: true
    junipernetworks.junos.junos_config:
      src: ./test-protocols.config
      update: replace
      src_format: text

This "test.yml" playbook references a "test-protocols.config" file, which is quite lengthy and contains private info.

I am working on producing a 'simplified' version of the "test-protocols.config" file now that I can share.

Until then, I am happy to submit the file directly to JTAC.

EXPECTED RESULTS

Should see a 'diff' and no WARNING.

ACTUAL RESULTS

The diff shows well enough, but there is a concerning warning printed after the diff: "[WARNING]: mgd: statement has no contents; ignored"

$ ansible-playbook --check --diff --private-key env/ssh_key --vault-password-file env/vault_password project/test.yml --inventory inventory/ -vvvv
ansible-playbook [core 2.17.3]
  config file = None
  configured module search path = ['/home/rleonar7/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/rleonar7/.local/pipx/venvs/ansible/lib/python3.10/site-packages/ansible
  ansible collection location = /home/rleonar7/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/rleonar7/.local/bin/ansible-playbook
  python version = 3.10.12 (main, Jul 29 2024, 16:56:48) [GCC 11.4.0] (/home/rleonar7/.local/pipx/venvs/ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True
No config file found; using defaults
setting up inventory plugins
Loading collection ansible.builtin from 
host_list declined parsing /home/rleonar7/git-repos/junos_ansible/ansible/inventory/hosts as it did not pass its verify_file() method
script declined parsing /home/rleonar7/git-repos/junos_ansible/ansible/inventory/hosts as it did not pass its verify_file() method
auto declined parsing /home/rleonar7/git-repos/junos_ansible/ansible/inventory/hosts as it did not pass its verify_file() method
Parsed /home/rleonar7/git-repos/junos_ansible/ansible/inventory/hosts inventory source with ini plugin
Loading collection junipernetworks.junos from /home/rleonar7/.ansible/collections/ansible_collections/junipernetworks/junos
Loading callback plugin default of type stdout, v2.0 from /home/rleonar7/.local/pipx/venvs/ansible/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: test.yml *********************************************************************************************************
Positional arguments: project/test.yml
verbosity: 4
private_key_file: /home/rleonar7/git-repos/junos_ansible/ansible/env/ssh_key
connection: ssh
become_method: sudo
tags: ('all',)
check: True
diff: True
inventory: ('/home/rleonar7/git-repos/junos_ansible/ansible/inventory',)
vault_password_files: ('/home/rleonar7/git-repos/junos_ansible/ansible/env/vault_password',)
forks: 5
1 plays in project/test.yml

PLAY [test-router] ************************************************************************************
Trying secret FileVaultSecret(filename='/home/rleonar7/git-repos/junos_ansible/ansible/env/vault_password') for vault_id=default

TASK [Deploy configuration] ************************************************************************************************
task path: /home/rleonar7/git-repos/junos_ansible/ansible/project/test.yml:10
redirecting (type: connection) ansible.builtin.netconf to ansible.netcommon.netconf
Loading collection ansible.netcommon from /home/rleonar7/.ansible/collections/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/rleonar7/.ansible/collections/ansible_collections/ansible/utils
redirecting (type: netconf) ansible.builtin.junos to junipernetworks.junos.junos
<test-router> Using network group action junipernetworks.junos.junos for junipernetworks.junos.junos_config
<test-router> attempting to start connection
<test-router> using connection plugin ansible.netcommon.netconf
Found ansible-connection at path /home/rleonar7/.local/bin/ansible-connection
<test-router> local domain socket does not exist, starting it
<test-router> control socket path is /home/rleonar7/.ansible/pc/3e13af4f2f
<test-router> Loading collection ansible.builtin from 
<test-router> redirecting (type: connection) ansible.builtin.netconf to ansible.netcommon.netconf
<test-router> Loading collection ansible.netcommon from /home/rleonar7/.ansible/collections/ansible_collections/ansible/netcommon
<test-router> Loading collection ansible.utils from /home/rleonar7/.ansible/collections/ansible_collections/ansible/utils
<test-router> redirecting (type: netconf) ansible.builtin.junos to junipernetworks.junos.junos
<test-router> Loading collection junipernetworks.junos from /home/rleonar7/.ansible/collections/ansible_collections/junipernetworks/junos
<test-router> local domain socket listeners started successfully
<test-router> loaded netconf plugin ansible_collections.junipernetworks.junos.plugins.netconf.junos from path /home/rleonar7/.ansible/collections/ansible_collections/junipernetworks/junos/plugins/netconf/junos.py for network_os junos
<test-router> Loading collection ansible.builtin from 
<test-router> local domain socket path is /home/rleonar7/.ansible/pc/3e13af4f2f
<test-router> ANSIBLE_NETWORK_IMPORT_MODULES: enabled
<test-router> ANSIBLE_NETWORK_IMPORT_MODULES: found junipernetworks.junos.junos_config  at /home/rleonar7/.ansible/collections/ansible_collections/junipernetworks/junos/plugins/modules/junos_config.py
<test-router> ANSIBLE_NETWORK_IMPORT_MODULES: running junipernetworks.junos.junos_config
<test-router> ANSIBLE_NETWORK_IMPORT_MODULES: complete
[edit protocols bgp group OVERLAY]
-    local-address 10.252.247.249;
+    local-address 10.252.247.22;
[edit protocols bgp group OVERLAY]
+     neighbor 10.1.1.245;
      neighbor 10.252.247.250 { ... }
[edit protocols bgp group OVERLAY]
      neighbor 10.252.247.251 { ... }
+     neighbor 1.2.3.4;
-     neighbor 10.252.247.248;
[WARNING]: mgd: statement has no contents; ignored
changed: [test-router] => {
    "changed": true,
    "diff": {
        "prepared": "[edit protocols bgp group OVERLAY]\n-    local-address 10.252.247.249;\n+    local-address 10.252.247.22;\n[edit protocols bgp group OVERLAY]\n+     neighbor 10.1.1.245;\n      neighbor 10.252.247.250 { ... }\n[edit protocols bgp group OVERLAY]\n      neighbor 10.252.247.251 { ... }\n+     neighbor 1.2.3.4;\n-     neighbor 10.252.247.248;"
    },
    "invocation": {
        "module_args": {
            "backup": false,
            "backup_options": null,
            "check_commit": false,
            "comment": "configured by junos_config",
            "confirm": 0,
            "confirm_commit": false,
            "lines": null,
            "replace": null,
            "rollback": null,
            "src": "\nreplace:\nprotocols {\n    lldp {\n    port-description-type interface-description;\n    port-id-subtype interface-name;\n    interface all;\n    }\n\n    ldp {\ntrack-igp-metric;\ninterface lo0.0;\ninterface et-0/0/49.0;\ninterface et-0/0/55.3503;\ninterface et-0/0/55.3504;\n\n    }\n\n    mpls {\nno-propagate-ttl;\ninterface et-0/0/49.0;\ninterface et-0/0/55.3503;\ninterface et-0/0/55.3504;\n\n    }\n\n    ospf {\n    area 0.0.0.0 {\n        interface lo0.0 {\n    passive;\n    }\n    interface et-0/0/48.0 {\n    ldp-synchronization;\n        interface-type p2p;\n        metric 10;\n        bfd-liveness-detection minimum-interval 300;\n        bfd-liveness-detection multiplier 4;\n        bfd-liveness-detection full-neighbors-only;\n    }\n    interface et-0/0/49.0 {\n    ldp-synchronization;\n        interface-type p2p;\n        metric 10;\n        bfd-liveness-detection minimum-interval 300;\n        bfd-liveness-detection multiplier 4;\n        bfd-liveness-detection full-neighbors-only;\n    }\n    interface et-0/0/50.0 {\n    ldp-synchronization;\n        interface-type p2p;\n        metric 10;\n        bfd-liveness-detection minimum-interval 300;\n        bfd-liveness-detection multiplier 4;\n        bfd-liveness-detection full-neighbors-only;\n    }\n    interface et-0/0/55.3503 {\nldp-synchronization;\n    metric 125;\n    bfd-liveness-detection minimum-interval 300;\n    bfd-liveness-detection multiplier 4;\n    bfd-liveness-detection full-neighbors-only;\n}\n    interface et-0/0/55.3504 {\nldp-synchronization;\n    metric 125;\n    bfd-liveness-detection minimum-interval 300;\n    bfd-liveness-detection multiplier 4;\n    bfd-liveness-detection full-neighbors-only;\n}\n}\n}\n\n    bgp {\n    log-updown;\n    family inet-vpn {\n                unicast;\n            }\n    family inet6-vpn {\n                unicast;\n            }\n    family inet-mvpn {\n                signaling;\n            }\n    family inet6-mvpn {\n                signaling;\n            }\n    family inet {\n                unicast;\n            }\n    group OVERLAY {\n                type internal;\n    local-address 10.252.247.22\n    family evpn {\n                    signaling;\n                }\n    local-as 4250003582;\n    bfd-liveness-detection minimum-interval 500;\n    bfd-liveness-detection multiplier 3;\n    bfd-liveness-detection session-mode automatic;\n    neighbor 10.1.1.245;\n    neighbor 10.252.247.250;\n    neighbor 10.252.247.251;\n    neighbor 1.2.3.4;\n    }\ngroup RRs {\n            type internal;\nlocal-address 10.252.247.249\nfamily inet-vpn {\n                unicast;\n            }\nfamily inet6-vpn {\n                unicast;\n            }\nfamily inet-mvpn {\n                signaling;\n            }\nfamily inet6-mvpn {\n                signaling;\n            }\npeer-as 65000;\nmultipath;\nneighbor 10.252.253.22;\nneighbor 10.252.253.23;\n}\n}\n\n    evpn {\nencapsulation vxlan;\ndefault-gateway no-gateway-community;\nextended-vni-list all;\nduplicate-mac-detection {\nauto-recovery-time 20;\n}\n}\n\n    pim {\njoin-load-balance automatic;\ndefault-vpn-source;\ninterface all {\nmode sparse;\n    version 2;\n}\ninterface em0.0 {\n            disable;\n        }\n}\n\n    igmp {\ninterface all {\nversion 3;\n}\ninterface em0.0 {\n            disable;\n        }\nquery-interval 60;\nquery-response-interval 10;\nquery-last-member-interval 1;\n}\n\n    mld {\ninterface all {\nversion 2;\n}\ninterface em0.0 {\n            disable;\n        }\nquery-interval 60;\nquery-response-interval 10;\nquery-last-member-interval 1;\n}\n\n    mld-snooping {\n        \n    }\n\n    igmp-snooping {\n        \n    }\n\nrouter-advertisement {\n    \n    }\n\n}\n",
            "src_format": "text",
            "update": "replace",
            "zeroize": false
        }
    }
}

PLAY RECAP *****************************************************************************************************************
test-router : ok=1    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Additional Info

As some additional info, I spent a long time bisecting the config to pinpoint this issue along with junos_config not showing diff for chassis changes #534.

So, here is the full "test.yml" playbook I was using, with code comments to annotate the results in each case:

-
  hosts: test-router
  gather_facts: false
  tasks:
  -
    name: Deploy configuration
    connection: netconf
    diff: yes
    junipernetworks.junos.junos_config:
      update: replace
      src_format: text
      #
      # One config piece at a time Testing
      #
      # src: ./test-chassis.config  # NO diff: https://github.com/ansible-collections/junipernetworks.junos/issues/534
      # src: ./test-firewall.config  # Works
      # src: ./test-interfaces.config  # Works
      # src: ./test-forwarding-options.config  # Works
      # src: ./test-policy-options.config  # Works
      # src: ./test-protocols.config  # WARNING, but also DOES SHOW DIFF
      # src: ./test-routing-options.config  # Works
      # src: ./test-snmp.config  # Works
      # src: ./test-system.config  # Works
      # src: ./test-vlans.config  # Works
      
      #
      # Groups of config Testing
      #
      # src: ./test-only-chassis-and-protocols.config  # WARNING, and also NO diff
      # src: ./test-all-except-chassis-and-protocols.config  # Works
      # src: ./test-all.config  # WARNING, and also NO diff
      # src: ./test-all-except-chassis.config  # WARNING, but also DOES SHOW DIFF

      #
      # Testing that resulted in ONLY WARNING (but still DOES SHOW DIFF)
      #
      src: ./test-protocols.config  # WARNING, but also DOES SHOW DIFF

      #
      # Testing that resulted in NO diff (but also *DOES NOT PRODUCE WARNING*)
      #
      # src: ./test-chassis.config  # NO diff: https://github.com/ansible-collections/junipernetworks.junos/issues/534

      #
      # Testing that resulted in WARNING and also NO diff
      #
      # src: ./test-only-chassis-and-protocols.config  # WARNING, and also NO diff
      # src: ./test-all.config  # WARNING, and also NO diff

[ryeleo]

Thanks for taking a look at this @Ruchip16!

From a triage perspective, issue #534 is a major concern for my team -- if you are in a space of triaging issues, we would like #534 to be a top priority and #535 to be a lower priority!

Thanks again!!!

[ryeleo]

I found a workaround!

• Use the juniper.device.config Ansible module (instead of the junipernetworks.junos.junos_config Ansible Module.)

That juniper.device.config Ansible Module does require using the "ignore_warnings" option to workaround this issue. Our Ansible Task now looks something like the following:

-
  name: Deploy configuration
  connection: local
  juniper.device.config:
    src: "{{ config_path }}"
    load: replace
    ignore_warnings:
      - 'mgd: statement has no contents'
    format: text