Ansible Automation Platform 2 – Using Execution Environments

In the second part of this blogpost series about Ansible Automation Platform 2, we show you how to build and use your own Execution Environments (EE).

After setting up your Automation Controller (see the first blogpost), you need to have access to a container registry where you can put your EE for further use. For this purpose we set up a private Automation Hub.

Install Automation Hub

First of all, installing the Automation Hub on the same server as the Automation Controller is not supported. However, we can reuse the same install bundle file that we deployed our Automation Controller with earlier on. Depending on the content of the inventory file, the setup.sh-script installs the Controller or the Hub. The following inventory file was used to install the Automation Hub:

/opt/ansible-automation-platform-setup-bundle-2.1.0-1# cat inventory

[automationhub]
automationhub.puzzle.ch

[all:vars]
automationhub_admin_password='XXXXX'
automationhub_pg_host=''
automationhub_pg_port=''
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='XXXXX'
automationhub_pg_sslmode='prefer'

Install the Automation Hub by running the setup script:

/opt/ansible-automation-platform-setup-bundle-2.1.0-1# ./setup.sh

After the installation, you’ll be able to access the Automation Hub in your favourite browser. Use the user „admin“ and the password specified in the inventory:


Its a good idea the create a user dedicated to upload the EE to your hub later. Navigate to „User Access“, and add a group („hubadmins“) and a user („hubadmin“):

With these changes in place, the Automation Hub is ready for later use.

Install ansible-builder

Ansible-builder is the tool that helps us create the EE. Before installing ansible-builder, we have to enable the „ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms“ repository. This requires a valid subcription for Ansible Automation Platform. Keep in mind, that you can build your EE on any host–it doesn’t have to be your Automation Hub!

# subscription-manager repos --enable ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms
# dnf install ansible-builder

Create your Execution Environment

Now, that’s the tricky part. If you are working in a corporate environment, chances are that you’ll work behind a mandatory proxy. This means, you cannot use ansible-builder in its simplest form. Ansible-builder uses two containers to build your EE (specified by the args „EE_BASE_IMAGE“ and „EE_BUILDER_IMAGE“). For these two containers to work properly behind a proxy, you’ll need to do some changes to the Containerfile manually. But let’s walk through the whole process step by step. First, we prepare the file that describes our EE:

# cat puzzle-default-ee.yml

version: 1
build_arg_defaults:
  EE_BASE_IMAGE: "registry.redhat.io/ansible-automation-platform-21/ee-29-rhel8"
  ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: "-c"
ansible_config: 'ansible.cfg'
dependencies:
    python: requirements.txt
    galaxy: requirements.yml
additional_build_steps:
  prepend: |
    ENV HTTP_PROXY="http://proxy.puzzle.ch:8080"
    ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080"
    COPY *.pem /etc/pki/ca-trust/source/anchors/
    RUN update-ca-trust

This file („puzzle-default-ee.yml“) references two other files describing the python modules („requirements.txt“) and the collections („requirements.yml“) that should be installed in our EE. Furthermore, it uses an ansible.cfg providing information about how to access the official Red Hat Automation Hub and Ansible Galaxy:

# cat requirements.txt
pyfiglet

# cat requirements.yml
collections:
  - ansible.posix
  - community.general
  - awx.awx
  - theforeman.foreman

# cat ansible.cfg
[galaxy]
server_list = automation_hub, ansiblegalaxy

[galaxy_server.automation_hub]
url=https://cloud.redhat.com/api/automation-hub/
auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
token=XXXXX

[galaxy_server.ansiblegalaxy]
url=https://galaxy.ansible.com

Remember to get your token from https://console.redhat.com/ansible/automation-hub/token/ (Red Hat login required).

Unfortunately, the instructions in the „additional_build_steps“ section shown above will only be applied to the container „EE_BASE_IMAGE“ used by ansible-builder. Hence, we only create the podman context, and do not build the EE yet:

# ansible-builder create -f puzzle-default-ee.yml

This creates a Containerfile below ./context. Next, we manually prepend the additional build steps to the build container („EE_BUILDER_IMAGE“) as well. We also put the certificate of our local certification authority into the ./context/ folder, so we’ll be able to pass the proxy from within our containers:

# ls context/*.pem

local_root_ca.pem

The Containerfile will look like this:

# cat context/Containerfile

ARG EE_BASE_IMAGE=registry.redhat.io/ansible-automation-platform-21/ee-29-rhel8
ARG EE_BUILDER_IMAGE=registry.redhat.io/ansible-automation-platform-21/ansible-builder-rhel8:latest

FROM $EE_BASE_IMAGE as galaxy
ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=-c
USER root

ADD _build/ansible.cfg ~/.ansible.cfg

ADD _build /build
WORKDIR /build

RUN ansible-galaxy role install -r requirements.yml --roles-path /usr/share/ansible/roles
RUN ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS -r requirements.yml --collections-path /usr/share/ansible/collections

FROM $EE_BUILDER_IMAGE as builder
ENV HTTP_PROXY="http://proxy.puzzle.ch:8080"
ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080"
COPY *.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
COPY --from=galaxy /usr/share/ansible /usr/share/ansible

ADD _build/requirements.txt requirements.txt
RUN ansible-builder introspect --sanitize --user-pip=requirements.txt --write-bindep=/tmp/src/bindep.txt --write-pip=/tmp/src/requirements.txt
RUN assemble

FROM $EE_BASE_IMAGE
USER root
ENV HTTP_PROXY="http://proxy.puzzle.ch:8080"
ENV HTTPS_PROXY="http://proxy.puzzle.ch:8080"
COPY *.pem /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust

COPY --from=galaxy /usr/share/ansible /usr/share/ansible

COPY --from=builder /output/ /output/
RUN /output/install-from-bindep && rm -rf /output/wheels

Now lets build the actual EE:

# podman build -f context/Containerfile -t puzzle_default_ee

Your newly built EE is available:

# podman images
REPOSITORY                   TAG     IMAGE ID      CREATED        SIZE
localhost/puzzle_default_ee  latest  26ed235566f3  2 hours ago    938 MB
...

Push your EE to Automation Hub

Now that our EE is set up, we tag it and simply push it to our Automation Hub:

# podman login automationhub.puzzle.ch --username hubadmin --password XXXXX
# podman tag localhost/puzzle_default_ee:latest automationhub.puzzle.ch/puzzle_default_ee
# podman push localhost/puzzle_default_ee:latest automationhub.puzzle.ch/puzzle_default_ee

Once pushed, you can find your EE on the Hub:

Use your EE in Ansible Controller

We set up credentials in the Ansible Controller to be able to retrieve the EE from the Automation Hub:


Now we define our Execution Environment on the Controller using the credentials from above. Note that we specify the URL of our Automation Hub when defining the image name:

Use it!

Now simply point your Controller configuration to use the EE as your default:

That’s all. Automation Controller will use your own EE from now on.

What about ansible-navigator?

There’s a new tool called ansible-navigator available when enabling the repo ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms. It offers a whole bunch of functionality. However, we only use it for inspecting our EE’s:

# podman login automationhub.puzzle.ch --username hubadmin --password XXXXX
# ansible-navigator images

NAME                    TAG    EXECUTION ENVIRONMENT CREATE        SIZE
0│ansible-builder-rhel8 latest False                 10 months ago 363 MB
1│puzzle_default_ee     latest True                  2 hours ago   938 MB

Enter „:1“ to inspect our EE:

  PUZZLE DEFAULT EE:LATEST        DESCRIPTION
0│Image information               Information collected from image inspection
1│General information             OS and python version information
2│Ansible version and collections Information about ansible and ansible collections
3│Python packages                 Information about python and python packages
4│Operating system packages       Information about operating system packages
5│Everything                      All image information

From here on, feel free to have a look at all the details and follow down the rabbit hole…

Conclusion

There’s no black magic involved in setting up your Ansible Controller with your own EE. However, gathering all the required information from various different documentation turned out somewhat time consuming. Hopefully, native support for proxy settings and the inclusion of custom CA certificates for all containers in ansible-builder will be available soon. For sure, the possibility to use your own EE is a big win!

Sources:

 

 

 

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.