def download_install(self, version, load_config=None, sync=False):
if isstring(version):
version = PanOSVersion(version)
# Get list of software if needed
if not self.versions:
self.check()
# Get versions as StrictVersion objects
available_versions = map(PanOSVersion, self.versions.keys())
target_version = PanOSVersion(str(version))
current_version = PanOSVersion(self.pandevice.version)
if str(target_version) not in available_versions:
raise err.PanDeviceError("Error upgrading to unknown version: %s" %
target_version)
# Check if already on the target version
if current_version == target_version:
raise err.PanDeviceError(
"Requested upgrade to version %s which is already running on device %s"
% (target_version, self.pandevice.id))
# Download the software upgrade
if not self.versions[str(target_version)]['downloaded']:
self.download(target_version, sync=True)
# Install the software upgrade
result = self.install(target_version,
load_config=load_config,
sync=sync)
return result
def _next_major_version(self, version):
if isstring(version):
version = PanOSVersion(version)
next_version = PanOSVersion(str(version.major + 1) + ".0.0")
# Account for lack of PAN-OS 7.0.0
if next_version == "7.0.0":
next_version = PanOSVersion("7.0.1")
return next_version
def test_gen_eq(panos1, panos2):
x = PanOSVersion(panos1)
y = PanOSVersion(panos2)
assert x == y
assert (x != y) == False
assert x >= y
assert x <= y
assert (x > y) == False
assert (x < y) == False
def test_comp(panos1, panos2):
x = PanOSVersion(panos1)
y = PanOSVersion(panos2)
assert y > x
assert y >= x
assert x < y
assert x <= y
assert x != y
assert (x == y) == False
def main():
helper = get_connection(with_classic_provider_spec=True,
argument_spec=dict(version=dict(type='str',
required=True),
sync_to_peer=dict(
type='bool', default=False),
download=dict(type='bool',
default=True),
install=dict(type='bool',
default=True),
restart=dict(type='bool',
default=False)))
module = AnsibleModule(argument_spec=helper.argument_spec,
required_one_of=helper.required_one_of,
supports_check_mode=True)
# Verify libs are present, get parent object.
device = helper.get_pandevice_parent(module)
# Module params.
version = module.params['version']
sync_to_peer = module.params['sync_to_peer']
download = module.params['download']
install = module.params['install']
restart = module.params['restart']
changed = False
try:
device.software.check()
if PanOSVersion(version) != PanOSVersion(device.version):
if not module.check_mode:
if download:
device.software.download(version,
sync_to_peer=sync_to_peer,
sync=True)
if install:
device.software.install(version, sync=True)
if restart:
device.restart()
changed = True
except PanDeviceError as e:
module.fail_json(msg=e.message)
module.exit_json(changed=changed, version=version)
def _next_minor_version(self, version):
from pandevice.firewall import Firewall
if issubclass(type(version), basestring):
next_version = PanOSVersion(version)
if version.minor == 1:
next_version = PanOSVersion(str(version.major+1)+".0.0")
# There is no PAN-OS 5.1 for firewalls, so next minor release from 5.0.x is 6.0.0.
elif version.major == 5 and version.minor == 0 and issubclass(type(self.pandevice), Firewall):
next_version = PanOSVersion("6.0.0")
else:
next_version = PanOSVersion(str(version.major)+".1.0")
# Account for lack of PAN-OS 7.0.0
if next_version == "7.0.0":
next_version = PanOSVersion("7.0.1")
return next_version
def main():
argument_spec = dict(ip_address=dict(required=True),
username=dict(default='admin'),
password=dict(no_log=True),
api_key=dict(no_log=True),
version=dict(type='str', required=True),
restart=dict(type='bool', default=False))
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False)
if not HAS_LIB:
module.fail_json(
msg='pan-python and pandevice are required for this module.')
ip_address = module.params['ip_address']
username = module.params['username']
password = module.params['password']
api_key = module.params['api_key']
version = module.params['version']
restart = module.params['restart']
changed = False
try:
device = base.PanDevice.create_from_device(ip_address,
username,
password,
api_key=api_key)
device.software.check()
if PanOSVersion(version) != PanOSVersion(device.version):
# Method only performs install if sync is set to true.
device.software.download_install(version, sync=True)
if restart:
device.restart()
changed = True
except PanDeviceError as e:
module.fail_json(msg=e.message)
module.exit_json(changed=changed, version=version)
def main():
argument_spec = dict(ip_address=dict(required=True),
username=dict(default='admin'),
password=dict(no_log=True),
api_key=dict(no_log=True),
version=dict(type='str', required=True),
restart=dict(type='bool', default=False))
module = AnsibleModule(argument_spec=argument_spec,
supports_check_mode=False)
if not HAS_LIB:
module.fail_json(
msg='pan-python and pandevice are required for this module.')
ip_address = module.params['ip_address']
username = module.params['username']
password = module.params['password']
api_key = module.params['api_key']
version = module.params['version']
changed = False
try:
device = base.PanDevice.create_from_device(ip_address,
username,
password,
api_key=api_key)
device.software.check()
preVersion = PanOSVersion(device.version)
if PanOSVersion(version) != PanOSVersion(device.version):
# upgrade_to_version already reboots and waits
device.software.upgrade_to_version(version)
if preVersion != PanOSVersion(device.version):
changed = True
except PanDeviceError as e:
module.fail_json(msg=e.message)
module.exit_json(changed=changed, version=version)
def _direct_upgrade_possible(self, current_version, target_version):
"""Check if current version can directly upgrade to target version
:returns True if a direct upgrade is possible, False if not
"""
if isstring(current_version):
current_version = PanOSVersion(current_version)
if isstring(target_version):
target_version = PanOSVersion(target_version)
# Upgrade the patch version
# eg. 6.0.2 -> 6.0.3
if (current_version.major == target_version.major
and current_version.minor == current_version.minor):
return True
# Upgrade the minor version
# eg. 6.0.2 -> 6.1.0
if (current_version.major == target_version.major
and current_version.minor == 0 and target_version.minor == 1
and target_version.patch == 0):
return True
# Upgrade the major version
# eg. 6.1.2 -> 7.0.0
if (current_version.major + 1 == target_version.major
and current_version.minor == 1 and target_version.minor == 0
and target_version.patch == 0):
return True
# Upgrading a firewall from PAN-OS 5.0.x to 6.0.x
# This is a special case because there is no PAN-OS 5.1.x
from pandevice.firewall import Firewall
if (current_version.major == 5 and current_version.minor == 0
and target_version == "6.0.0"
and issubclass(type(self.pandevice), Firewall)):
return True
return False
def download_install_reboot(self, version, load_config=None, sync=False):
if issubclass(type(version), basestring):
version = PanOSVersion(version)
self.download_install(version, load_config, sync=True)
# Reboot the device
self.pandevice.restart()
if sync:
new_version = self.pandevice.syncreboot()
if version != new_version:
raise err.PanDeviceError("Attempt to upgrade to version %s failed."
"Device %s is on version %s after reboot." %
(version, self.pandevice.id, new_version))
self.pandevice.version = new_version
return new_version
else:
return None
def _next_patch_version(self, version):
if isstring(version):
version = PanOSVersion(version)
next_version = PanOSVersion(
str(version.major) + str(version.minor) + str(version.patch + 1))
return next_version
def upgrade_to_version(self, target_version, dryrun=False):
"""Upgrade to the target version, completely all intermediate upgrades
For example, if firewall is running version 6.0.5 and target version is 7.0.2,
then this method will proceed through the following steps:
- Upgrade to 6.1.0 and reboot
- Upgrade to 7.0.0 and reboot
- Upgrade to 7.0.1 and reboot
This method does not support HA pairs.
"""
# Get list of software if needed
if not self.versions:
self.check()
# For a dry run, need to record the starting version
starting_version = self.pandevice.version
# Get versions as StrictVersion objects
available_versions = map(PanOSVersion, self.versions.keys())
current_version = PanOSVersion(self.pandevice.version)
latest_version = max(available_versions)
next_minor_version = self._next_minor_version(current_version)
# Check that this is an upgrade, not a downgrade
if current_version > target_version:
raise err.PanDeviceError(
"Device %s upgrade failed: Can't upgrade from %s to %s." %
(self.pandevice.id, self.pandevice.version, target_version))
# Determine the next version to upgrade to
if target_version == "latest":
next_version = min(latest_version, next_minor_version)
elif latest_version < target_version:
next_version = next_minor_version
elif not self._direct_upgrade_possible(current_version,
target_version):
next_version = next_minor_version
else:
next_version = PanOSVersion(str(target_version))
if next_version not in available_versions and not dryrun:
self._logger.info(
"Device %s upgrading to %s, currently on %s. Checking for newer versions."
% (self.pandevice.id, target_version, self.pandevice.version))
self.check()
available_versions = map(PanOSVersion, self.versions.keys())
latest_version = max(available_versions)
# Check if done upgrading
if current_version == target_version:
self._logger.info("Device %s is running target version: %s" %
(self.pandevice.id, target_version))
return True
elif target_version == "latest" and current_version == latest_version:
self._logger.info("Device %s is running latest version: %s" %
(self.pandevice.id, latest_version))
if dryrun:
self._logger.info(
"NOTE: dryrun with 'latest' does not show all upgrades,")
self._logger.info(
"as new versions are learned through the upgrade process,")
self._logger.info(
"so results may be different than dryrun output when using 'latest'."
)
return True
# Ensure the content pack is upgraded to the latest
self.pandevice.content.download_and_install_latest(sync=True)
# Upgrade to the next version
self._logger.info("Device %s will be upgraded to version: %s" %
(self.pandevice.id, next_version))
if dryrun:
self.pandevice.version = str(next_version)
else:
self.download_install_reboot(next_version, sync=True)
self.check()
result = self.upgrade_to_version(target_version, dryrun=dryrun)
if result and dryrun:
self.pandevice.version = starting_version
return result
def test_neq(panos1, panos2, expected):
x = PanOSVersion(panos1)
y = PanOSVersion(panos2)
assert (x != y) == expected
def test_gt(panos1, panos2, expected):
x = PanOSVersion(panos1)
y = PanOSVersion(panos2)
assert (x > y) == expected
def _next_patch_version(self, version):
if issubclass(type(version), basestring):
version = PanOSVersion(version)
next_version = PanOSVersion(str(version.major)+str(version.minor)+str(version.patch+1))
return next_version