Merged
22 changes: 6 additions & 16 deletions netsim/ansible/tasks/fortios/initial.yml
Expand Up @@ -7,30 +7,28 @@
fortinet.fortios.fortios_system_global:
vdom: "{{ vdom }}"
system_global:
management_vdom: "{{ vdom }}"
vdom_mode: multi-vdom
hostname: '{{ inventory_hostname.replace("_","-") }}'
vdom_mode: "{{ netlab_vdom_is_enabled|ternary('multi-vdom', 'no-vdom') }}"
register: vdom_mode_result
when: netlab_vdom_is_enabled

- name: Ensure FortiGate is ready after VDOM mode change
block:
- name: Wait 60 seconds after VDOM mode change
- name: Wait after VDOM mode change
ansible.builtin.wait_for:
host: "{{ ansible_host }}"
port: 443
timeout: 180
sleep: 10 # time in seconds between checks
delay: 60 # Initial delay in seconds before first check
sleep: 10 # time in seconds between checks
delay: "{{ netlab_vdom_timer }}" # Initial delay in seconds before first check
Owner
This should be replaced with until/delay/retries parameters (see my response to @sdargoeuves' comment)

Collaborator Author
To my understanding, the key part was to sit there quietly for `delay` seconds first. With `until` it will hit with an HTTP query immediately. But I might be missing something.

state: started
when: netlab_vdom_timer|default(0) > 0
- name: Test FortiGate API readiness after VDOM mode change
fortinet.fortios.fortios_system_global:
vdom: "{{ vdom }}"
system_global:
hostname: '{{ inventory_hostname.replace("_","-") }}'
register: hostname_result
retries: 5
Owner
We could use the same netlab_check_... variables here for consistency.

delay: 10 # Initial delay and waiting time between retries
delay: 10 # waiting time between retries
until: hostname_result is not failed and hostname_result.meta.http_status == 200
Owner
Would simple hostname_result|success work here?

when: >-
vdom_mode_result.meta is defined and
Owner
If I understand it correctly, this applies the hostname only when we switched into multi-VDOM mode before, but isn't the hostname applied in the configuration template? I'm probably missing some nuance here.

Also, if the purpose of this task is to check the API readiness (and setting the hostname is just a convoluted way of doing that), then maybe we could use a simpler R/O call and have it executed all the time (without the "when" condition)?

Owner
One more thought: if the "when" condition is identifying whether we changed the VDOM, maybe we can just put the two waiting tasks in a block and apply the when condition to the block? That would skip them completely for @a-v-popov setup while still allowing @sdargoeuves setup to work.

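Review bot: the `when: netlab_vdom_is_enabled` on the `fortios_system_global` task makes the `'no-vdom'` branch of the `ternary` filter unreachable, so this task can never switch a unit back out of multi-VDOM mode; either drop the guard and keep the ternary, or keep the guard and write `vdom_mode: multi-vdom` plainly, but not both. Two smaller points in the same hunk: `when: netlab_vdom_timer|default(0) > 0` should read `netlab_vdom_timer|default(0)|int > 0`, because a timer supplied from inventory or the command line may arrive as a string and a string-to-integer comparison fails in Jinja2; and `wait_for` on port 443 only proves the TCP listener is back, which is exactly why the following `until` loop against the API is still needed, so a one-line comment saying so would stop someone from removing one of the two later.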
Expand All @@ -43,13 +41,5 @@
vdom_type: admin
when: netlab_vdom_is_enabled

- name: Configure `{{ netlab_vdom }}` virtual domain
fortinet.fortios.fortios_system_vdom:
vdom: "{{ vdom }}"
state: present
system_vdom:
name: "{{ netlab_vdom }}"
when: netlab_vdom_is_enabled

- name: Deploy initial configuration from template
include_tasks: tasks/deploy-config/fortios.yml
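Review bot: with the `fortios_system_vdom` task removed, nothing in this file creates the traffic VDOM any more; it is created only by the `edit {{ vdom_traffic }}` line the template hunk adds under `config vdom` (FortiOS creates a VDOM on first `edit`). That works, but the guard there is `multi_vdom` while the guard here is `netlab_vdom_is_enabled`, so the two flags must be derived from the same source or a mismatch leaves the VDOM uncreated before `set vdom "{{ vdom_traffic }}"` is issued. The removed task also named the VDOM `netlab_vdom` rather than `vdom_traffic`; if these are the same value, a short note in the template saying so would help.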
30 changes: 16 additions & 14 deletions netsim/ansible/templates/initial/fortios.j2
Expand Up @@ -5,6 +5,7 @@
config global
{% endif %}
config system global
set management-vdom {{vdom}}
set hostname {{ inventory_hostname.replace("_","-") }}
end

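Review bot: `set management-vdom {{vdom}}` carries over the setting that `initial.yml` no longer passes as `management_vdom`, which is fine, but note that `config system global` is emitted unconditionally here (the `{% endif %}` just above it closes only the `config global` wrapper), so the line now also runs on a unit that is not in multi-VDOM mode; if FortiOS rejects it there, guard it with the same `{% if multi_vdom %}`. Style: the rest of this template spaces its expressions (`{{ vdom_traffic }}`, `{{ inventory_hostname.replace("_","-") }}`), so `{{ vdom }}` for consistency.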
Expand All @@ -15,6 +16,20 @@ config system interface
set lldp-reception disable
set allowaccess ping https ssh http fgfm
next

{% if multi_vdom %}
end

end

{# End of `config global` #}

config vdom
edit {{ vdom_traffic }}

config system interface
{% endif %}

{% if loopback is defined %}
edit "{{ loopback.ifname }}"
set vdom "{{ vdom_traffic }}"
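Review bot: the two consecutive bare `end` lines inside `{% if multi_vdom %}` close different things (the first `config system interface`, the second `config global`) and only the second carries a comment; put one on each so the nesting survives future edits. Also worth a template comment: the interface edits that follow (starting with the loopback) are now issued inside `config vdom` / `edit {{ vdom_traffic }}` rather than under `config global`, yet still carry `set vdom "{{ vdom_traffic }}"`; state whether that line is still required in the VDOM context or merely harmless, and which FortiOS version this was verified on.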
Expand Down Expand Up @@ -66,19 +81,7 @@ config system interface
{% endfor %}
end

{% if multi_vdom %}
end
{% endif %}

{# End of `config global` #}

{% if netlab_default_policy|default(false) %}

{% if multi_vdom %}
config vdom
edit {{ vdom_traffic }}
{% endif %}

config firewall policy
edit 1000
{% if not netlab_default_policy.enable|default(true) %}
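Review bot: with `config vdom` / `edit {{ vdom_traffic }}` now opened in the interface section, the `end` after `{% endfor %}` is the only statement between the interface list and `config firewall policy`, so it must close exactly `config system interface` and not the VDOM context; that holds for the lines shown, but a `{# still inside config vdom #}` comment at this point would make it obvious, since the matching `end` for the VDOM only appears after the policy block.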
Expand All @@ -97,9 +100,8 @@ config firewall policy
set logtraffic disable
next
end
{% endif %}

{% if multi_vdom %}
end
{% endif %}

{% endif %}
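Review bot: moving the `{% endif %}` for `netlab_default_policy` above the `{% if multi_vdom %} end {% endif %}` gives the right pairing: the `end` now closes the `config vdom` context that the interface section opens, regardless of whether a default policy is rendered, whereas before both the open and the close lived inside the policy block. A `{# End of config vdom #}` comment mirroring the existing `{# End of `config global` #}` would record that pairing.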