- 45
- 135 965
Alex Dworjan
United States
Joined Feb 8, 2022
Ansible Automation specialist with almost 5 years of experience working exclusively with Ansible and the Ansible Automation Platform. Creating short, consumable videos about various Ansible topics.
Ansible Dev Server using VSCode Dev Containers
This video will cover using Ansible Dev Tools from an Ansible Dev Container with the VSCode Dev Containers extension
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Dev Tools Documentation including WSL specifics: docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/developing_automation_content/installing-devtools
Dev Container configuration files: docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/developing_automation_content/installing-devtools#devtools-install-container_installing-devtools
Views: 256
Videos
Event-Driven Ansible Command Line Testing
152 views, 1 month ago
This video will cover testing of Event-Driven Ansible and Ansible-Rulebook via local command-line testing
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Ansible Rulebook Documentation: ansible.readthedocs.io/projects/rulebook/en/stable/introduction.html
Ansible Rulebook Blog: www.redhat.com/en/topics/automation/what-is-an-ansible-rulebook
Podman command Example: podman run -it r...
Event-Driven Ansible Notification Service for ServiceNow
302 views, 2 months ago
This video will cover Ansible Automation Platform and integration with ServiceNow by leveraging the Event-Driven Ansible Notification Service Application
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Event-Driven Ansible Notification Service Walkthrough: github.com/shadowman-lab/Ansible-SNOW/tree/main/SNOWSetup#servicenowaap-integration-instructions-using-event-driven-ansible-n...
Event-Driven Ansible And Datadog
295 views, 3 months ago
This video will cover using Event-Driven Ansible and Datadog together for automated remediation
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Datadog Ansible collection: console.redhat.com/ansible/automation-hub/repo/published/datadog/dd/
Datadog EDA Rulebook: github.com/shadowman-lab/Ansible-Rulebooks/blob/main/rulebooks/datadog.yml
Datadog Agent Documentation: docs.datadoghq....
Ansible Developer Environment Tips
360 views, 4 months ago
This video will cover additional Ansible developer environment tips such as ansible-lint fix, ansible creator via the Ansible Extension UI, Ansible Lightspeed full playbook generation, and Ansible dev environment
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Ansible Dev Tools: ansible.readthedocs.io/projects/dev-tools/
Ansible Creator: ansible.readthedocs.io/projects/creator/
A...
Ansible Developer Environment Updates
483 views, 5 months ago
This video will cover some new capabilities and features to streamline the Ansible development process. Note, for Ansible Lightspeed to work in Dev Spaces or Code Server, you will need Ansible extension at v24.5.0 or newer and Red Hat Authentication v0.2.0 or newer.
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
GitHub readme with Contribute Button: github.com/shadowman-lab/Ansi...
Crunchy Data HA Database for AAP
257 views, 6 months ago
This video will cover using Crunchy Data as an HA Database for the Ansible Automation Platform
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Crunchy Data for Kubernetes: access.crunchydata.com/documentation/postgres-operator/latest/
Crunchy Data for Ansible: www.crunchydata.com/solutions/ansible
NOTE: Replace aap-controller with the name of your controller deployment, aapcluste...
Event-Driven Ansible Networking
260 views, 7 months ago
This video will cover using Event-Driven Ansible to handle Networking issues
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
NetOps blog: www.redhat.com/en/blog/addressing-netops-issues-with-event-driven-ansible
Networking EDA Rulebook: github.com/shadowman-lab/Ansible-Rulebooks/blob/main/rulebooks/kafkanetwork.yml
Telegraf role: github.com/shadowman-lab/Ansible-Labextra/tree/mai...
Developer Repository and Internal Documentation in Private Automation Hub
211 views, 8 months ago
This video will cover creating internal documentation of Execution Environments with the exact collections and versions for developers
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Role Example: github.com/shadowman-lab/Ansible-PAH/blob/main/roles/build_shadowmanee/tasks/create_repo.yml
Ansible Development Environment Options
603 views, 8 months ago
This video will cover different Ansible Development Environments and the pros or cons for each
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Development Repository: github.com/shadowman-lab/Ansible-Development
VS Code Remote SSH Extension Documentation: code.visualstudio.com/docs/remote/ssh
Deeper Dive into Code-Server: ua-cam.com/video/H8Ia...
Execution Environment as Code
770 views, 9 months ago
This video will cover how to utilize Execution Environments as Code to improve your EE maintenance and build processes
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Playbook Example: github.com/shadowman-lab/Ansible-PAH/blob/main/shadowman_ee_utils_simple.yml
Roles used in the playbook: github.com/shadowman-lab/Ansible-PAH/tree/main/roles
infra.ah_configuration collection: cons...
Event Driven Ansible with Hypervisors
371 views, 9 months ago
This video will cover using Event-Driven Ansible directly with a hypervisor to drive automated remediation.
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Powershell Script for EDA from VCenter: github.com/shadowman-lab/Ansible-Rulebooks/blob/main/alert.ps1
VMWare EDA Rulebook: github.com/shadowman-lab/Ansible-Rulebooks/blob/main/rulebooks/vmware.yml
Role for High Memory Usage o...
OpenShift Dev Spaces / Eclipse Che and Ansible Development
769 views, 11 months ago
Note: You can also add a .vscode/extensions.json to the root of your repository to auto-install extensions
Detailed OpenShift Dev Server / Eclipse Che Instructions: github.com/shadowman-lab/Ansible-Development/blob/main/devspaces/README.md
This video will cover using OpenShift Dev Spaces or Eclipse Che as an Ansible development environment
The presenter is Alex Dworjan
Github: github.com/shadow...
Ansible Dev Server Using VS Code Remote SSH
1.3K views, 11 months ago
This video will cover using the VS Code Remote SSH extension to perform Ansible development
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Ansible-Development Repository: github.com/shadowman-lab/Ansible-Development
Remote SSH Extension: code.visualstudio.com/docs/remote/ssh
Ansible Windows & Linux Remediation
1.2K views, 1 year ago
This video will cover the Ansible Automation Platform and how it can be used to perform Windows and Linux Remediation. This leverages Winlogbeat Kafka EDA for Windows and Systemd Automation Controller for RHEL
The presenter is Alex Dworjan
Github: github.com/shadowman-lab
Ansible blog on Systemd: www.ansible.com/blog/event-driven-remediation-with-systemd-and-red-hat-ansible-automation-platform ...
Ansible Automation Platform Containerized Installer
1.8K views, 1 year ago
Migrating Playbooks for Execution Environments
1.9K views, 1 year ago
Using Ansible for Cloud Savings - Overview
338 views, 1 year ago
Using Ansible for Cloud Savings - Technical
540 views, 1 year ago
Using Ansible for Cloud Savings - Executive
511 views, 1 year ago
Ansible Automation Platform 2.3 Walkthrough
15K views, 1 year ago
How would I pass credentials to pull a dynamic inventory and execute plays?
Once you are inside the Dev Container, it's just normal ansible operations. I have an inventory with host and group vars (all ansible-vaulted) so I can run all of my jobs
@alexdworjan ok. I guess I am just trying to make this as close to aap as possible. By passing in creds via credentials that use the environmental variables
@JC-ov9jb You could create the environment variables inside the Dev Container using normal Linux commands so for example using the AWS Dynamic Inventory Plugin: From the terminal run:
export AWS_ACCESS_KEY_ID='AK123'
export AWS_SECRET_ACCESS_KEY='abc123'
Is the image behind a paid account by chance? If not, is there a direct link to pull the image?
The image is located on registry.redhat.io which requires either a Red Hat Account or a Red Hat Developers Account. There is an upstream project: github.com/ansible/community-ansible-dev-tools-image and image: ghcr.io/ansible/community-ansible-dev-tools:latest though I do not know how often those are updated. I would certainly recommend using the images from registry.redhat.io
Where can I find a single node inventory-growth example using PKI along with the instructions for the PKI setup? The installation docs are very vague as it relates to adding PKI certificates from an enterprise CA. My install works without errors except port 8446 shows errors connection to the controller API.
If you installed AAP2.5, you'll no longer see individual access to the component (8446 also gives me the error "Error connecting to Controller API"). That is expected behavior. Everything now runs through the Unified UI which is available via https.
This has your list of variables: docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-general-inventory-variables
The TLS specifics:
ca_tls_cert, ca_tls_key
postgresql_tls_cert, postgresql_tls_key
controller_tls_cert, controller_tls_key
hub_tls_cert, hub_tls_key
eda_tls_cert, eda_tls_key
gateway_tls_cert, gateway_tls_key
eda_redis_tls_cert, eda_redis_tls_key
gateway_redis_tls_cert, gateway_redis_tls_key
receptor_tls_cert, receptor_tls_key
Nice video and transcript! Many Thanks! Could you please also explain how to configure Ansible Automation Backup Operator for handling this setup with external crunchy database?
The backup of all database items is handled by the Crunchy Database Operator (this is independent of the AAP Operator). Ansible considers this an "external database" so the AAP Operator would not be part of this process
@alexdworjan Ok, I didn't find that information in the AAP Backup Operator documentation. However, my understanding is that the AAP Backup Operator not only saves the DB content but also other configuration besides the DB. Do you know if this is true for this external database setup?
@torstenschaefer2475 The Crunchy Data Operator will only handle the database itself. Using the backup Operator would handle the connection secrets and those portions only
Question: when I do a Containerized Install, where can I find the logs of the automation controller?
All of the containers are created with --log-driver journald, so all of your container logs will be going to the host's journald. You may find them in /var/log/messages, or by using something like journalctl CONTAINER_NAME=automation-controller-web
@alexdworjan Thank you for your response. They were right there as you said they were. Can I also ask where the playbook folder is too? I read the documentation but they weren't in the /aap directory.
The playbooks all get pulled during a Project Sync in Automation Controller. Then they are available for any Job Templates you are attempting to create
Thank you for your answers, one final question, How do I run the awx-manage Utility in a containerized installation?
@mariobros237 It's contained inside the container itself, so if you run
podman exec -it automation-controller-task bash
you will have a bash prompt inside your task container, and you can run awx-manage commands
As an absolute beginner I would rather see the build etc done through command line as well through ansible. Still wrestling with some of the terminologies, etc.
I would highly recommend looking at the newer Ansible Builder capability since this one is a bit old: ansible.readthedocs.io/projects/builder/en/latest/. Ansible Builder Version 3 allows for more customization and everything can be written in a single file. In the example, I still manually created all those files, and then I would have run ansible-builder build -t MYIMAGE:TAG. That would have completed my build process. If you want a hands on walkthrough of Ansible-Builder version 3, we have a self-paced lab called "Get started with ansible-builder" that you can do here: www.redhat.com/en/interactive-labs/ansible. It's all command line driven, so it will absolutely give you all of the steps
@alexdworjan Many Thanks. What I'm specifically interested in is creating a custom execution environment, probably through a private (and not public) Automation Hub if I understand the terminologies correctly. Unfortunately Red Hat do not seem to particularise much when describing the step to add an Execution Environment to an Automation Hub.
@happyuk06 Private Automation Hub is the one created in your environment. Public Automation Hub is the one Red Hat provides through console.redhat.com. The ansible.cfg is where you define where collections can be installed from. This is a template that has an example: github.com/shadowman-lab/Ansible-PAH/blob/main/roles/build_shadowmanee/templates/ansible.cfg.j2. You would use the full https URL and then the token that you get from your private automation hub. For example, url=YOURURL.com/api/galaxy/content/rh-certified/
Then in your execution-environment.yml you'd use the additional_build_files section to place your ansible.cfg into the context folder that builder uses
additional_build_files:
  - src: <YOURFULLPATH>/ansible.cfg
    dest: configs
And then you need a prepend_galaxy step to actually place that ansible.cfg into your EE
prepend_galaxy:
  - COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg
This will ensure that collections will only be pulled from your private automation hub when building. Then you just use podman to push to your Hub. Easiest way to do that is to name your EE with your hub URL first. So if your PAH server is test.example.com, you should build the EE to be test.example.com/testee:latest
And then when you do
podman push test.example.com/testee:latest
it will push your EE to your PAH server
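The pieces described in the reply above, assembled into a single Ansible Builder version 3 definition. This is an added example, not taken from the video or from the shadowman-lab repositories; the base image, the collection name, the galaxy server label and the token are placeholders, and the base image is assumed to already provide ansible-core and ansible-runner.

```yaml
# execution-environment.yml (ansible-builder schema version 3)
# Added illustration: every <...> value is a placeholder, not a value from the page.
version: 3

images:
  base_image:
    # Placeholder: a base image your build host is permitted to pull.
    name: <YOUR_BASE_IMAGE>

# Copy the ansible.cfg that points at the private automation hub into the
# build context; it lands under _build/configs/ inside the context folder.
additional_build_files:
  - src: <YOURFULLPATH>/ansible.cfg
    dest: configs

dependencies:
  galaxy:
    collections:
      # Placeholder collection; it is resolved through the ansible.cfg copied below.
      - name: <NAMESPACE.COLLECTION>

additional_build_steps:
  # prepend_galaxy runs before collections are installed, so ansible-galaxy
  # reads this config and uses only the servers it lists.
  prepend_galaxy:
    - COPY _build/configs/ansible.cfg /etc/ansible/ansible.cfg

# ansible.cfg referenced above, shown as comments (placeholders throughout;
# "private_hub" is an arbitrary label chosen for this example):
#   [galaxy]
#   server_list = private_hub
#
#   [galaxy_server.private_hub]
#   url = https://YOURURL.com/api/galaxy/content/rh-certified/
#   token = <TOKEN_FROM_PRIVATE_AUTOMATION_HUB>
```

Listing only the private hub in server_list is what restricts collection installs to that source during the build.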
Hello, does it work with Ansible Automation Platform? Because the ansible spoke from servicenow requires Ansible Tower which is the older version. Appreciate the answer.
Yes, I have this working with AAP 2.4. The api endpoints have not changed so the process is exactly the same for Tower and AAP 2.0-2.4
4:29 Where do you create that user?
The servicenow user is a local user I created within Automation controller: docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.4/html-single/automation_controller_user_guide/index#proc-controller-creating-a-user. I created them as a System Administrator, but you could create a normal user and assign execute permissions to the jobs or workflows you want to run from ServiceNow
nice video Thank you
Nice Video Thank you !
Thanks for the video, I just have some question :D The certificate has to be from ansible tower? how do I get it? is this step important? Also, the servicenow user on 4:29, did you create it on ansible or ServiceNow?
The Certificate needs to be from automation controller or the load balancer you are pointing ServiceNow at (depending on where you have TLS termination set). This is required because otherwise ServiceNow will reject the connection as an invalid cert (unless you are leveraging a public Certificate Authority). The Servicenow user is a local user I've created within Ansible. This is acting as a service account for all automation triggered from ServiceNow
do people really have eda out on the internet? seems like bad practice security wise
You'd only need external internet access for EDA if the application sending notifications is hosted in the cloud. Most people I've seen deploying EDA today are using internally hosted monitoring tools. But if you are using externally hosted monitoring tools (like Dynatrace or Datadog) you'd need that external access (which you've already provided outbound for those agents) or you'd need Datadog to push alerts to a messaging bus (such as Kafka) that you subscribe to from EDA. If using a webhook, you'd want to add in the API key and firewall rules to permit traffic only from the monitoring platform to EDA for security purposes
Awesome Video, I am trying to put together a presentation selling your solution. I am working on getting your environment up and running in my personal AWS account. Do you have a playbook that you use to deploy your web server? How are you sending emails? Are you using an SMTP Server or AWS SES?
The web server creation is part of the shadowman.reports roles. So as long as you are pointing to a registered RHEL8 or RHEL9 VM with the delegate_to portion of this role: github.com/shadowman-lab/shadowman.reports/tree/main/roles/build_report_linux_patch, it will ensure apache is running plus the CSS styling. For e-mail, I have a Roundcube Webmail server running locally.
Please create a video tutorial on how the Ansible extension works with WSL and how to use a YAML file in extension
Unfortunately, I don't have access to a Windows workstation with WSL. If you look at some of my other development videos, I generally use either code-server (which just runs in a web browser on a Linux VM, ua-cam.com/video/C8908KSjn78/v-deo.html, ua-cam.com/video/H8IaR8wMBlQ/v-deo.html) or the VS Code SSH extension (ua-cam.com/video/2QwkRiVHaxU/v-deo.html) to connect to a Linux VM so I never need to install Ansible or WSL on my workstation. I do this so I can not only develop my playbooks using the Ansible plugins, but then I can also test them via CLI in a sandbox environment. While I don't have a Windows workstation, you could set up WSL, install Ansible, and then use the WSL extension for VSCode code.visualstudio.com/docs/remote/wsl. That WSL extension will work similar to the Remote SSH extension in that VSCode runs locally on your operating system, but Ansible, your playbooks, and the Ansible extension would all be installed within WSL itself
is there any video on how to learn ansible from scratch
Red Hat provides a free training video: www.redhat.com/en/services/training/do007-ansible-essentials-simplicity-automation-technical-overview Learn Linux TV also has a thorough Playlist: ua-cam.com/users/playlist?app=desktop&list=PLT98CRl2KxKEUHie1m24-wkyHpEsa4Y70 And I have a playlist around the development tools and setting up a developer environment: ua-cam.com/video/C8908KSjn78/v-deo.html
@alexdworjan thanks 🙏🏿
Hello, it's Batool, junior automation specialist. I am new to ansible and I don't have someone to teach me how to advance or how everything works. I need a community to refer to if I need help. Please could you help me?
Red Hat provides a free video course to get you up to speed on Ansible terms: www.redhat.com/en/blog/new-free-ansible-course There is also an Ansible community website: www.ansible.com/ And newer Ansible Forums: forum.ansible.com/ Those are great places to get started but I would certainly say that hands-on experience is best. So if you can deploy Ansible and start coding, that's certainly going to be the best way to learn (for me it is at least)
@alexdworjan thank you alex🙏
Thank you Alex!
how did you actually build the reports?
All the reports are built using jinja templates. Each report can be found here: github.com/shadowman-lab/shadowman.reports
@alexdworjan are the reports displayed in tower or need to host on web server?
@jg1000c They are all on a separate web server
@alexdworjan got it. Does your web server digest ansible data? How does it work?
@jg1000c It's just an apache web server. Ansible is used to take the data and dynamically build the web page using jinja. No actual digestion is happening on the web server. The repo that I shared has exactly how I deploy the different reports
impressive
hmmm it's not good idea to orchestrate terraform via ansible. What about plan and validations of changes ? ...
Build that into your Pull Request review process. If you need those steps reviewed by teams, don't use the Ansible survey, only use the gitops approach where teams make changes to the main.tf. Then the code review can include plan to verify any changes prior to approval. There are many different approaches, find the one that fits into your process.
@alexdworjan ansible is a good tool for config management... But not for infrastructure. Better and safer is use ansible Provider on terraform code.
It's all about using what's best for your team and organization. Since Ansible is being used for config management of all kinds of infrastructure and networking gear plus orchestration (ServiceNow, etc) some customers prefer to use the workflow capabilities of Ansible. In this case, I'm still using Terraform to provision and maintain the state of the infrastructure.
@alexdworjan hmm, magic tools don't exist... Ansible was written as configuration management, nothing more.. Terraform was created as an infrastructure management... Forcing Ansible to be a tool... It wasn't designed, it's not a good idea. I've been using Terraform and Ansible for many years. Develops roles and modules. Ansible is not a good idea for managing terraforms, there are much better technologies for this.
That's why most just use Ansible to call Terraform, not to manage Terraform. Similar to how you use the Ansible provider to have Terraform call Ansible, you can use the Terraform modules to have Ansible call Terraform. It's really about using the process that's best for you. In your case, it seems best to use Terraform.
It would be great if you would show the actual walk through step by step. It is hard to find documentation or videos on how to enable Constructed Inventory in the drop down in AAP.
On the Inventories page, when you click the blue Add button, Add constructed inventory will be an option. You must be on AAP 2.4 or newer for constructed inventories to exist
@alexdworjan Thank you for the quick reply.
Hi Alex, thanks for the time used to make this clear video. Do you know if it's possible to connect to AWX ansible platform? Because AWX is free to just testing spoke ansible if we don't have ansible Tower or AAP.
Yes, it should work with AWX as well since it's essentially making an API call from ServiceNow. As long as the endpoint matches what you have in AWX, it would work
huh? I guess he assumes you're already an expert. Difficult to understand.
@pallenrupp Peter, I'm sorry this video wasn't clear. I will admit, Constructed Inventories (just like Smart Inventories) are a more advanced topic that many people, including myself, barely use. Mainly, I would only use Constructed Inventories if I need to combine multiple existing inventories or if I need to divide up an inventory based on limiting access to end-users. I like to think of Constructed Inventories in exactly the same way as Dynamic Inventories. They both leverage inventory plugins with source variables (compose, groups, keyed_groups) and they both have a source. While Dynamic Inventories pull directly from a source of truth (Azure, AWS, VMWare, ServiceNow, etc), Constructed Inventories leverage existing inventories within automation controller as that source. If you are able to, I would recommend creating your own Constructed Inventory and testing it out. I found that was the easiest way for me to see how the plugin worked and what inventory would be created. Follow the doc for some good examples which is how I got started with the concept docs.ansible.com/ansible/latest/collections/ansible/builtin/constructed_inventory.html Please let me know if there is something specific that still isn't clear and I'll do my best to help.
Superb content ! By curiosity, are you able to use Molecule with EE for testing without using a delegated/custom driver ?
I haven't used ansible molecule as part of my testing but it does look like you can use podman to run the molecule commands if it's been installed in your EE. forum.ansible.com/t/question-about-molecule-and-creator-ee-image/3053/7 For OpenShift Dev Spaces, you can absolutely use molecule since you are essentially doing your development and testing inside your EE. Again you'd need to make sure your EE or Dev EE has molecule installed. The Ansible creator-ee already has that set up.
How Slicing works for workflow templates
Individual Job Templates can still have Job Slicing within a Workflow Template. It acts similarly to a workflow being called within a workflow
I'd like to know where you store values for variables {{pah_pass}}, {{cert_key_file}}, ... and how do you inject them?
I've created custom credentials within automation controller and assigned them to the Job Template. They are being passed as extra variables via that custom credential
@alexdworjan Okay thank you! But I also wanted to know if the "cert_key_file" is the private key for your Execution Environment or the execution node (so that you can push and pull to git)? Or what else it should be?
@SamuelCaroll It is the private key for my specific user in github that has been added into my account: docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account. The private key is injected into the Execution Environment at runtime to provide the authentication.
@alexdworjan Okay perfect! Thanks for explanation
Looking at your videos for the last 2 years, always very informative. Thanks!
This is just amazing, literally "witchcraft" for me because I'm not there yet. Could you do a detailed version of this video if you have time? I would actually pay for it.
The detailed version of each of the three options is included in the description. It has a video for exactly how I did it and the Dev Spaces version includes a detailed step-by-step Readme
This workflow looks great and extremely helpful. Does this require a paid subscription to any services? Is there a completely free method/version of this workflow? Sorry for the obtuse questions ...
It's a single playbook, not even a full workflow, so it could be done on the command line via ansible-navigator (or ansible-playbook), if desired. You'd only need the ee_builder role if you don't have Private Automation Hub and it does support pulling execution environments and collections from upstream
Excellent. I was under the impression these types of roles were only available to companies paying a redhat subscription of some kind. Awesome I can go find that role and try this then. Huge thanks for your great work!
Great Video Alex! Thank you so much!!
how do u use a base image present in the vm? i dont want to access the internet for it.
With Ansible Builder Version 3, you can use any base image ua-cam.com/video/YTtBW2rDNE4/v-deo.html
Be nice to see how this is setup in Windows considering WSL must be used to install Ansible.
If you look at some of my other development videos, I actually use either code-server (which just runs in a web browser, ua-cam.com/video/C8908KSjn78/v-deo.html, ua-cam.com/video/H8IaR8wMBlQ/v-deo.html) or the VS Code SSH extension (ua-cam.com/video/2QwkRiVHaxU/v-deo.html) so I never need to install Ansible or WSL on my workstation. I do this so I can not only develop my playbooks using the Ansible plugins, but then I can also test them via CLI in a sandbox environment. While I don't have a Windows workstation, you could set up WSL, install Ansible, and then use the WSL extension for VSCode code.visualstudio.com/docs/remote/wsl
@alexdworjan Thank you Alex! I just found out that installing WSL is prohibited by my employer's security dept. However, we have Ansible installed on Linux boxes that I can SSH to. Are you saying the VS Code SSH extension will allow the VS Code Ansible extension to use a remote Ansible installation (including ansible-lint)?
@watchman1982 That's correct. When using the SSH extension, the Ansible extension installs on the Linux box so it uses Ansible + Ansible-lint that are present there (rather than what's on your laptop) which is perfect for when you can't use WSL
@alexdworjan This is awesome! Thank you for sharing and I will check out your other videos regarding the setup of this.
thank you sir for such information , but please where we can get those files? because i could not find that main.yml file in the repo , thank you
There are 3 different examples in the Ansible-PAH repo, build_creationee, build_shadowmandevspaces, build_shadowmanee
thank you @alexdworjan
I'm a beginner to devops and it hard but manageable for now
One aspect I do not see is the process of installing an RPM file into the environment. Do you have any info on that?
That's what I show at 9:58 in the bindep.txt. This is where you define any system dependencies which are RPM for RHEL based systems.
Thanks, I missed it. @alexdworjan
Hi Alex, where can I find all the modules for ansible.eda? Great content. Thanks
I go into the actual python code for the event_sources themselves. github.com/ansible/event-driven-ansible/tree/main/extensions/eda/plugins/event_source At the top of each event_source, you can find the docs
wow, just looking at your video, in the company that I currently work, we use rundeck community to run ansible, I did automate our ServiceNow here, but with a lot of pain, since we didn't have this automation platform, so I did with javascript and rest api in the service now side, and in the rundeck side I have set webhooks for each ticket in service now, so it would trigger and have the job done. Thanks for sharing buddy.
Finally, some good content on the subject matter! Thank you so much!
I will be taking a look at automating Linux patching - what patch repository management solutions are best to integrate with Ansible? Thank you for the overview (seems you might be using Satellite?).
Correct, I am using Red Hat Satellite in my environment. Most of the patching work itself is running on the individual servers, so what repository they have set is less important. As long as the OS itself is set to pull from that repository when running yum/dnf/etc, Ansible can use it. I enjoy using Satellite because I can also manage my content views with Ansible and control when I update packages (I update my content views once a month with Ansible for my monthly patching)
@alexdworjan - thank you so much for the prompt feedback. One more follow up question, so our environment has RHEL, Fedora, Oracle Linux, and Ubuntu (mostly) and we currently use their "Internet" repositories (i.e. we go over Internet connection for each host to download patches) - if we wanted to localize (on our LAN and have a single repo host pull patches for each distro so that each host can pull patches from this single point rather than each going over the Internet) what solution might you recommend? It seems Satellite is a RHEL only solution unless I am mistaken. So instead of hundreds of these multi distro hosts getting patches downloaded directly to each individual host, is there a good solution to centralize patching on our LAN for each of these distros? I hope that question makes sense. We are gaining steam with Ansible but it seems like it would be important to be able to address patching for multiple Linux distros in our use case, not just RHEL. Thanks again - in short, looking for something heterogenous in the OS patch repository management arena and assuming Satellite is a RHEL only solution.
Hi Alex, great Video! I have the question how to develop the playbooks with Ansible Navigator if they have to run in AAP 2.4 afterwards. How can I use the credentials, inventories etc configured on the AAP. I can't find any integration anywhere. It seems to me that the Navigator "only" addresses the problem of running playbooks in defined environments that are reproducible. Is this even the right tool to solve this issue?
Ansible Navigator will only leverage the credentials that you have set on the VM (I have all of mine vaulted as well using ansible-vault). It isn't designed to fully replace all of the credentials that you use in production or automation controller. Personally, I only use Ansible Navigator in a sandbox environment with sandbox VMs/devices to test against, so I am using different credentials than I am using in my production environments anyway. The problem of consistent, defined environments was definitely a big one in the past, especially when you factor in all of the system, python, collection dependencies needed in ansible today. I will say Ansible Navigator is definitely the tool for CLI testing and it's what I use to test every single playbook in my sandbox before it ever reaches my repository (and then you can still run tests in automation controller at that point as well). But it is MUCH faster to do CLI testing than pushing to a repository, sync the project, run the job, find errors, make changes, and repeat. And since I know I'm using the exact same Execution Environment in controller, I'm confident the playbook itself will work exactly as I expect it to.
@alexdworjan Thanks for the answer. Exactly what you describe I would like to avoid, because in the end everything must run on the AAP. I don't want to pack all the credentials, the inventory that was created from several sources back into var files. That makes everything much more complicated in our case. In our case we develop code, push it to a git repository and then run the test directly through the AAP. The biggest problem we have with this is that in case of a problem, debugging can be difficult, as I have no way to manually run a job template with the appropriate inventory and credentials, in a container. We have about 400 credentials, 220 machines, about 150 variables and at least 200-300 more credentials in HashiCorp Vault. That's why I thought it would be great to have access to the artifacts on the AAP and use them. Our solution must work from dev - prod and best without exporting stuff, because everything must be highly secure. And there is no way I can get something like that through an audit. That's why I thought I could solve the problem with the navigator.
@JoeMild-s5h I would think for most playbooks that you are writing and testing, you aren't using many of those credentials, and certainly wouldn't in a sandbox environment. This is really to limit the amount of time needed to go through pushing, syncing, job running. Especially when you are first writing a playbook, you might get a lot of errors, especially as you try to register variables and figure out what the return is in order to use the information in the remainder of the playbook. Ansible Navigator isn't designed to be a replacement for controller, it's just a way to run playbooks via CLI similar to what ansible-playbook itself provides, but just runs it within the EE now. If you need to have credentials / auditability for every job run, then controller is your best bet. This is really focused on using a sandbox environment for the initial playbook authoring. If you can't get a sandbox environment at all for testing, then you will probably be limited to the process as you have it today. You could certainly utilize webhooks to at least automatically launch the job template after your code has been merged if you can't get a separate environment for testing.
I like this 🙂 Great job
Thanks for the video!!
Thanks for the video. I'm trying to build an execution environment where the requirements.txt has the python3 package to install, but I'm having this error (could not find a version that satisfies the requirements.txt no matching distribution found). I'm using Ansible Automation Platform 2.2.
Is that a custom requirements.txt that you've created or is that part of a collection you are trying to install? If it's custom, I would verify that particular python package version exists in the python version in the EE you are using
Yes, it's a custom requirements.txt that I created. I just modified the container file and it builds, but now how can I know if my customised execution environment contains the package? Thanks in advance.
If you use ansible navigator, you can inspect the EE and find all system packages and python libraries that are installed
@alexdworjan Thank you for your help. I succeeded in modifying the containerfile in a way to install my X Python package in the system packages but not in the Python one. My question is: will the EE use it anyway when needed? Thanks.
@aminejawadi6293 having issues with pip installing bindep. Any ideas?
Hi Alex, I enjoyed your video. My aim is to use Ansible to leverage doing system administration for Windows systems. Where I am from, IT budgets are not large and we leverage older machines (12 to 15 years old even) with a supported Windows 10 OS. My question to you is: do you foresee issues where Ansible may not be able to manage these types of machines properly? I've been having a challenge in my production environment (with new Windows machines to older machines) where I use Ansible, where if I use simple playbooks to do a ping, for example, I get successful responses. However, if I rerun that ping playbook (with win_ping module) soon after, I get different results (non ok) even though those machines are still online! When I run more complex playbooks (for example, using PowerShell (win_shell) to gather hardware information for the hosts: CPU info, RAM, HDD info etc), I get a lot of unreachable = 1 errors (ok=1 changed=0 unreachable=1 failed=0 skipped=0 rescued=0 ignored=0). Success looks like this (ok=9 changed=4 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0). This is confusing to me, that sometimes the connection is good, but then it's unreachable. Our backend network is Gigabit Ethernet and certified as well! Looking for ideas. I'm using certificate based auth with WinRM. I do have the issue documented in a forum but I don't think comments allow me to post links. Thanks for any advice!
docs.ansible.com/ansible/latest/os_guide/windows_setup.html#host-requirements I am assuming you are talking about Windows Servers not Windows Desktops (desktops tend to have more connection issues, especially laptops since the network connectivity isn't permanent). If you are talking about Windows Servers, I would verify your connection settings (ensuring WinRM and all of your settings are set properly, and that you aren't receiving any certificate errors). I would also look at the specific error the playbook is giving you. The exact module you are trying to run will give you more details about what's going on (you can also increase the verbosity of your playbook to get better connection debugging information). I would start there to get a better idea of what issues you might be facing.
@alexdworjan Thank you for your reply. They are all Windows 10 and 11 Professional Desktops. I understand where you are coming from. My hope is that Ansible can still be a great tool for managing Desktop devices - and that once there are ways to ensure desktops are on and connected (via Wake-on-LAN etc), Ansible can service them properly! I will explore the resources you have provided and dig deeper!
This channel is just pure gold
Very informative. Thanks!
Hi Alex, currently we have a workflow that deploys VMs, adds the VM to the domain, installs software, etc., but is it possible to trigger a workflow from a SNOW catalog request? Thanks, Shane
That's actually what most of my catalog items are triggering. I had to modify the spoke plugin to make it work github.com/shadowman-lab/Ansible-SNOW/tree/main/SNOWSetup#update-spoke-actions-for-workflow-job-templates
Thanks a lot Alex for this tutorial. It's very helpful. If time permits, can you please do a demo how to setup code-server to be used by multiple users? Thanks in advance.
I would check out my other code-server video: ua-cam.com/video/H8IaR8wMBlQ/v-deo.html This uses an Ansible playbook to set everything up (essentially I assign a different port and start the service as a different user)
Thanks Alex for the video! Can you explain what you had to do for the certificate? This is at about 2:43 into the video, which is what I am referring to. Thank you!
So that's just using the SSL certificate that I had already attached to my controller instances (/etc/tower/tower.cert). So this should come from your certificate authority (I see LetsEncrypt used often, but your business should already have something established). For it to properly work in ServiceNow, you'll need the full SSL certificate chain in controller and then uploaded to ServiceNow as I show at that portion of the video
@alexdworjan We use the containerized solution. I think that would change how we use the certificate, correct?
@kerrymason6371 The certificate itself would still be generated in the same way, but it wouldn't be in the same location since you'd create a TLS secret and then update your automation controller CR with route_tls_secret under spec pointing to the TLS secret you just created: access.redhat.com/solutions/3109871
Hi Alex, could you please tell me where I can find an alertmanager.yml example to route alerts to EDA controller?
github.com/shadowman-lab/Ansible-Labextra/blob/main/roles/prometheus/templates/alertmanager.yml.j2