In the second part of this blogpost series about Ansible Automation Platform 2, we show you how to build and use your own Execution Environments (EE).
After setting up your Automation Controller (see the first blogpost), you need to have access to a container registry where you can put your EE for further use. For this purpose we set up a private Automation Hub.
Install Automation Hub
First of all, installing the Automation Hub on the same server as the Automation Controller is not supported. However, we can reuse the same install bundle file that we deployed our Automation Controller with earlier on. Depending on the content of the inventory file, the setup.sh-script installs the Controller or the Hub. The following inventory file was used to install the Automation Hub:
/opt/ansible-automation-platform-setup-bundle-2.1.0-1# cat inventory [automationhub] automationhub.puzzle.ch [all:vars] automationhub_admin_password='XXXXX' automationhub_pg_host='' automationhub_pg_port='' automationhub_pg_database='automationhub' automationhub_pg_username='automationhub' automationhub_pg_password='XXXXX' automationhub_pg_sslmode='prefer'
Install the Automation Hub by running the setup script:
After the installation, you’ll be able to access the Automation Hub in your favourite browser. Use the user „admin“ and the password specified in the inventory:
Its a good idea the create a user dedicated to upload the EE to your hub later. Navigate to „User Access“, and add a group („hubadmins“) and a user („hubadmin“):
With these changes in place, the Automation Hub is ready for later use.
Ansible-builder is the tool that helps us create the EE. Before installing ansible-builder, we have to enable the „ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms“ repository. This requires a valid subcription for Ansible Automation Platform. Keep in mind, that you can build your EE on any host–it doesn’t have to be your Automation Hub!
# subscription-manager repos --enable ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms # dnf install ansible-builder
Create your Execution Environment
Now, that’s the tricky part. If you are working in a corporate environment, chances are that you’ll work behind a mandatory proxy. This means, you cannot use ansible-builder in its simplest form. Ansible-builder uses two containers to build your EE (specified by the args „EE_BASE_IMAGE“ and „EE_BUILDER_IMAGE“). For these two containers to work properly behind a proxy, you’ll need to do some changes to the Containerfile manually. But let’s walk through the whole process step by step. First, we prepare the file that describes our EE:
# cat puzzle-default-ee.yml version: 1 build_arg_defaults: EE_BASE_IMAGE: "registry.redhat.io/ansible-automation-platform-21/ee-29-rhel8" ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: "-c" ansible_config: 'ansible.cfg' dependencies: python: requirements.txt galaxy: requirements.yml additional_build_steps: prepend: | ENV HTTP_PROXY="http://proxy.puzzle.ch:8080" ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080" COPY *.pem /etc/pki/ca-trust/source/anchors/ RUN update-ca-trust
This file („puzzle-default-ee.yml“) references two other files describing the python modules („requirements.txt“) and the collections („requirements.yml“) that should be installed in our EE. Furthermore, it uses an ansible.cfg providing information about how to access the official Red Hat Automation Hub and Ansible Galaxy:
# cat requirements.txt pyfiglet # cat requirements.yml collections: - ansible.posix - community.general - awx.awx - theforeman.foreman # cat ansible.cfg [galaxy] server_list = automation_hub, ansiblegalaxy [galaxy_server.automation_hub] url=https://cloud.redhat.com/api/automation-hub/ auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token token=XXXXX [galaxy_server.ansiblegalaxy] url=https://galaxy.ansible.com
Remember to get your token from https://console.redhat.com/ansible/automation-hub/token/ (Red Hat login required).
Unfortunately, the instructions in the „additional_build_steps“ section shown above will only be applied to the container „EE_BASE_IMAGE“ used by ansible-builder. Hence, we only create the podman context, and do not build the EE yet:
# ansible-builder create -f puzzle-default-ee.yml
This creates a Containerfile below ./context. Next, we manually prepend the additional build steps to the build container („EE_BUILDER_IMAGE“) as well. We also put the certificate of our local certification authority into the ./context/ folder, so we’ll be able to pass the proxy from within our containers:
# ls context/*.pem local_root_ca.pem
The Containerfile will look like this:
# cat context/Containerfile ARG EE_BASE_IMAGE=registry.redhat.io/ansible-automation-platform-21/ee-29-rhel8 ARG EE_BUILDER_IMAGE=registry.redhat.io/ansible-automation-platform-21/ansible-builder-rhel8:latest FROM $EE_BASE_IMAGE as galaxy ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=-c USER root ADD _build/ansible.cfg ~/.ansible.cfg ADD _build /build WORKDIR /build RUN ansible-galaxy role install -r requirements.yml --roles-path /usr/share/ansible/roles RUN ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS -r requirements.yml --collections-path /usr/share/ansible/collections FROM $EE_BUILDER_IMAGE as builder ENV HTTP_PROXY="http://proxy.puzzle.ch:8080" ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080" COPY *.pem /etc/pki/ca-trust/source/anchors/ RUN update-ca-trust COPY --from=galaxy /usr/share/ansible /usr/share/ansible ADD _build/requirements.txt requirements.txt RUN ansible-builder introspect --sanitize --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt RUN assemble FROM $EE_BASE_IMAGE USER root ENV HTTP_PROXY="http://proxy.puzzle.ch:8080" ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080" COPY *.pem /etc/pki/ca-trust/source/anchors/ RUN update-ca-trust COPY --from=galaxy /usr/share/ansible /usr/share/ansible COPY --from=builder /output/ /output/ RUN /output/install-from-bindep && rm -rf /output/wheels
Now lets build the actual EE:
# podman build -f context/Containerfile -t puzzle_default_ee
Your newly built EE is available:
# podman images REPOSITORY TAG IMAGE ID CREATED SIZE localhost/puzzle_default_ee latest 26ed235566f3 2 hours ago 938 MB ...
Push your EE to Automation Hub
Now that our EE is set up, we tag it and simply push it to our Automation Hub:
# podman login automationhub.puzzle.ch --username hubadmin --password XXXXX # podman tag localhost/puzzle_default_ee:latest automationhub.puzzle.ch/puzzle_default_ee # podman push localhost/puzzle_default_ee:latest automationhub.puzzle.ch/puzzle_default_ee
Once pushed, you can find your EE on the Hub:
Use your EE in Ansible Controller
We set up credentials in the Ansible Controller to be able to retrieve the EE from the Automation Hub:
Now we define our Execution Environment on the Controller using the credentials from above. Note that we specify the URL of our Automation Hub when defining the image name:
Now simply point your Controller configuration to use the EE as your default:
That’s all. Automation Controller will use your own EE from now on.
What about ansible-navigator?
There’s a new tool called ansible-navigator available when enabling the repo ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms. It offers a whole bunch of functionality. However, we only use it for inspecting our EE’s:
# podman login automationhub.puzzle.ch --username hubadmin --password XXXXX # ansible-navigator images NAME TAG EXECUTION ENVIRONMENT CREATE SIZE 0│ansible-builder-rhel8 latest False 10 months ago 363 MB 1│puzzle_default_ee latest True 2 hours ago 938 MB
Enter „:1“ to inspect our EE:
PUZZLE DEFAULT EE:LATEST DESCRIPTION 0│Image information Information collected from image inspection 1│General information OS and python version information 2│Ansible version and collections Information about ansible and ansible collections 3│Python packages Information about python and python packages 4│Operating system packages Information about operating system packages 5│Everything All image information
From here on, feel free to have a look at all the details and follow down the rabbit hole…
There’s no black magic involved in setting up your Ansible Controller with your own EE. However, gathering all the required information from various different documentation turned out somewhat time consuming. Hopefully, native support for proxy settings and the inclusion of custom CA certificates for all containers in ansible-builder will be available soon. For sure, the possibility to use your own EE is a big win!