Passing enable secret

Some devices require you to go into “enable” mode before you can execute most commands; going into “enable” mode may also require entering a second password after login. How can I tell nornir which is the enable password?

1 Like

Specifying the enable password is going to depend on whether you are using napalm actions or netmiko actions.

napalm

You can specify the enable password in your inventory by using the following structure:

device_name:
  connection_options:
    napalm:
      extras:
        optional_args:
          secret: something

You can also specify it in a group or even as a default.

netmiko

You can specify the enable password in your inventory by using the following structure:

device_name:
  connection_options:
    netmiko:
      extras:
        secret: something

You can also specify it in a group or even as a default.

And this can also be set live in the .py file too right? I have to grab all of the secret information live from a password manager source that I can access via API.

Yes, you can set this dynamically, but you will have to maintain the required inventory structure. Here is an example of doing that:

https://nornir.readthedocs.io/en/stable/howto/transforming_inventory_data.html#Using-ConnectionOptions

2 Likes
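An added example (not from the thread's participants or the Nornir project) of setting the enable secret dynamically while keeping the inventory structure from the first answer, with one secret fetched per host at run time. `set_enable_secrets`, `fetch_secret` and the stand-in `Host`/`Options` classes are hypothetical names; the stand-ins only mimic the `connection_options` dict and the `extras` attribute so the code runs without Nornir or a password manager.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

def extras_for(plugin: str, secret: str) -> dict:
    """Build `extras` in the shape each connection plugin reads the secret from."""
    if plugin == "netmiko":
        return {"secret": secret}
    if plugin == "napalm":
        return {"optional_args": {"secret": secret}}
    raise ValueError(f"unsupported connection plugin: {plugin}")

def _merge(dst: dict, src: dict) -> None:
    """Deep-merge src into dst so extras already in the inventory survive."""
    for key, value in src.items():
        if isinstance(value, dict) and isinstance(dst.get(key), dict):
            _merge(dst[key], value)
        else:
            dst[key] = value

def set_enable_secrets(hosts, fetch_secret: Callable[[str], Optional[str]],
                       make_options, plugins=("netmiko", "napalm")) -> List[str]:
    """Set a per-host enable secret at run time; return hosts left without one."""
    missing = []
    for name, host in hosts.items():
        secret = fetch_secret(name)
        if not secret:  # no silent fallback to an empty or shared secret
            missing.append(name)
            continue
        for plugin in plugins:
            opts = host.connection_options.get(plugin)
            if opts is None:
                opts = host.connection_options[plugin] = make_options(extras={})
            if opts.extras is None:
                opts.extras = {}
            _merge(opts.extras, extras_for(plugin, secret))
    return missing

# Constructed stand-ins (assumptions) for Nornir's ConnectionOptions and Host.
@dataclass
class Options:
    extras: Optional[dict] = None

@dataclass
class Host:
    connection_options: Dict[str, Options] = field(default_factory=dict)

def demo():
    vault = {"CSR_02": "constructed-enable-secret"}  # constructed secret store
    hosts = {"CSR_02": Host({"netmiko": Options({"global_delay_factor": 2})}), "host1": Host()}
    return hosts, set_enable_secrets(hosts, vault.get, Options)
```

With Nornir, the same call would take `nr.inventory.hosts` and `ConnectionOptions` before `nr.run`; a non-empty return value is a reason to stop rather than connect without a secret.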

You can also set it to the defaults if you have a single set of creds you want to use for the majority of your inventory. If nr represents your Nornir object, you just set it like this:

nr.inventory.defaults.password = password
nr.inventory.defaults.username = username

This can be overridden for individual hosts or groups where the creds may differ by setting those values at that level of the hierarchy as @ktbyers demonstrated above. Nornir will always take values using inheritance, so if it is set at the Host object level, that will override the Group object’s attribute. Group's attributes will override the Defaults object’s attribute.

One other point, you might also need to call in some way the enable() method of Netmiko. For example, netmiko_send_command supports an enable argument:

results = nr.run(task=netmiko_send_command, command_string="show run", enable=True)

Or you might need to create a custom task and explicitly call Netmiko’s enable() method.

1 Like

Is there no way that we could make it host.enable_secret or host.secret type thing so you don’t have to go and add a function. So far I’ve only been lab testing of this and have not really had success yet.

if you want to set it on a per host basis you are going to require either a for loop or the transform_function regardless.

Just if someone else needs that.
That’s the way to set the default enable secret for netmiko:
nr.inventory.defaults.connection_options['netmiko'] = ConnectionOptions(extras={"secret": "secretpass"})

Hi Guys,
I’m still trying to figure it out, could you guys be more specific?
Above is how I structured my hosts.yaml file. Thanks in advance.

CSR_02:
hostname: 192.168.133.101
platform: ‘ios’
username: cisco
password: cisco
connection_options:
napalm:
extras:
optional_args:
secret: cisco
groups:
- automation

Can’t get more specific than the first post :smiley: In any case, if you don’t format your code properly it is impossible to spot the error.

1 Like

Hi, I am currently still trying to setup mine. My secret password works if I add it on the hosts.yaml file. However I cannot use it like this.

hosts.yaml
---
host1:
  hostname: 192.168.1.5
  platform: ios
  username:
  password:
  groups:
    - cisco_group
  data:
    site: home
  connection_options:
    netmiko:
      extras:
       secret:

test_command.py
nr = InitNornir(config_file="config.yaml", dry_run=True)

login = input("Enter your login: ")
pwd = getpass()

nr.inventory.defaults.password = pwd
nr.inventory.defaults.username = login
nr.inventory.defaults.connection_options['netmiko'] = ConnectionOptions(extras={"secret":pwd})

def checks(b0ki):
    b0ki.run(task=netmiko_send_command, command_string = "show version", enable=True)

results = nr.run (task = checks)

print_title("Deploying test status")
print_result(results)

I am not sure if I am doing this correctly. I am trying to get where my team can just use their own credentials instead of having those credentials set on hosts.yaml.

Check the solution below, which works fine.

hosts.yaml

host1:
  hostname: 192.168.1.5
  platform: ios
  username:
  password:
  groups:
    - cisco_group
  data:
    site: home
  connection_options:
    netmiko:
      extras:
        secret:

test_command.py
nr = InitNornir(config_file="config.yaml", dry_run=True)

login = input("Enter your login: ")
pwd = getpass()
en_pwd = getpass()

nr.inventory.defaults.password = pwd
nr.inventory.defaults.username = login
nr.inventory.defaults.connection_options['netmiko'].extras["secret"] = en_pwd

def checks(b0ki):
    b0ki.run(task=netmiko_send_command, command_string = "show version", enable=True)

results = nr.run (task = checks)

print_title("Deploying test status")
print_result(results)

Hi All. I am at the beginning of my network automation journey. Started to look at Nornir/Napalm/Netmiko in lab environment using nxos, ios and arista eos devices.
Using Netmiko I am able to establish connections to all devices and get information, write configs…
Using Napalm I have few issues, hence my first post here :slight_smile:

  1. Using following script without any device filter napalm runs over all devices in hosts.yml:
    from nornir import InitNornir
    from nornir_utils.plugins.functions import print_result
    from nornir_napalm.plugins.tasks import napalm_get, napalm_cli

    nr = InitNornir(config_file="config.yml",)

    results = nr.run(
        task=napalm_get, getters=["facts", "interfaces"]
    )
    print_result(results)

I only see response from ios devices. eos and nxos fail. Here the error messages for nxos and eos.
napalm.base.exceptions.ConnectionException: Cannot connect to nxos-c2
pyeapi.eapilib.CommandError: Error [1005]: CLI command 1 of 2 ‘enable’ failed: permission to run command denied

Using following connection_options in defaults.yml which work fine when using netmiko:
connection_options:
  netmiko:
    extras:
      secret: cisco
  napalm:
    extras:
      optional_args:
        secret: cisco

Do I need to specify something special for nxos and eos using napalm?

  2. When trying to do device filtering I always get empty response without any errors for all devices using napalm. Again. Netmiko works fine with filtering also.
    ^^^^ END napalm_get ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    (nornir) ~/nornir/napalm_get.py
    napalm_get**********************************************************************
    (nornir) ~/nornir$

After some digging found the answer to most my little issues. Had to give platform: nxos_ssh instead of nxos in groups.yml. Filters are now also working with napalm.
Only thing missing is napalm connecting to eos devices. Seems some ssl_cert_verification issue.

$ napalm --vendor eos --user admin --password admin --optional_args 'port=22, config_lock=False' arista-r1 call get_facts
[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1124)

Is there a way to disable ssl verification?

This should work if you leave port out or change it to 443, which is the default for eos driver.

Hi Progala. Thanks for your reply. This worked out for me. Have a nice day.

The link ktbyers posted no longer exists.

https://nornir.readthedocs.io/en/stable/howto/transforming_inventory_data.html#Using-ConnectionOptions

Can that be restored? or put somewhere else?

Thanks!