Ansible Execution Environment

Example repository to build Ansible Execution Environments using a Makefile.

Quick Start

• Navigate to build server
• Optionally provision build server using script
• Clone down this repository
• Customize
  • Edit dependencies requirements.yml, requirements.txt, bindep.txt
  • Set token environment variable ANSIBLE_HUB_TOKEN
  • Edit execution-environment.yml accordingly
  • Edit Makefile variables
• Cleanup with make clean
• Test token with make token
• Build it make build
• Test it make test
• Inspect it make inspect
• Review it make info
• (Optional) Look inside make shell
• Publish it make publish
• Enjoy your day

Find Base Image

You can find official Ansible container images using https://catalog.redhat.com/software/containers/search. Examples of typical base images:

# Pull base images for Ansible from registry.redhat.io
podman pull registry.redhat.io/ansible-automation-platform-25/ee-29-rhel8:latest
podman pull registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel8:latest
podman pull registry.redhat.io/ansible-automation-platform-25/ee-supported-rhel8:latest

Login to Image Registry

For both the source and target registries, ensure you login to your registry of choice using podman login <registry_url>.

• Automation Hub Registry (hub.example.com):
  • Ensure podman is authorized to access registry since Automation Hub uses self-signed certificates
  • Run the CLI login command podman login hub.example.com:443
• Quay Registry (quay.io):
  • Ensure you authorize docker/podman with this registry
  • Go to https://quay.io/ and login or create an account
  • Navigate to top-right for Account Settings
  • Select the tool icon on the left
  • Set the Docker/Podman CLI Password to enable encrypted passwords
  • Generate the encryped password (re-enter the password)
  • Select the option "Docker Login" or "Podman Login" to get the CLI command
  • Run the CLI login command to have docker/podman authorized to pull/push images
• Red Hat Registry (registry.redhat.io):
  • Ensure you perform docker login command to authorize with this registry.
  • Go to https://access.redhat.com/terms-based-registry/ and create a registry service account (if not already created)
  • Drill down on existing service account
  • Select the tab "Docker Login" to get the CLI command for both docker/podman
  • Run the CLI login command to have docker/podman authorized to pull/push images
  • Troubleshooting Authentication Issues with registry.redhat.io
• Docker Hub (hub.docker.com):
  • Create a free account on the website
  • Login to the website
  • Run the CLI login command docker login with your credentials

Scan the Image

It's important to scan your image for vulnerabilities. Below are a couple articles showing how to do that. The recommendation is to implement this inside the Makefile in this repository so you can run it easily as part of your pipeline.

• Using Snyk and Podman to scan container images from development to deployment
• DevSecOps: Image scanning in your pipelines using quay.io scanner

Test the Image

We can test that everything is working by running an Ansible Playbook in the image using ansible-navigator. The tool launches the container, runs the playbook and shows an interactive screen where you can watch the playbook run through. To quit the tool, use similar mechanism :q! like within a vi editor.

# Run playbook to test basic operations against new image
ansible-navigator run playbook.yml --container-engine podman --execution-environment-image ansible-ee:5.0

# Check configuration of new image
ansible-navigator config --container-engine podman --execution-environment-image ansible-ee:5.0

Tips and Tricks

Building:

• How to build multi-architecture container images

Migration of Python Virtual Environments:

• Redhat Communities of Practice Execution Environment Utilities Collection

Ansible Collection issues:

• Search for Ansible Collections and versions using these links:
  • Ansible Automation Platform Certified and Validated Content
  • Red Hat Automation Hub - Ansible Collections
  • Ansible Galaxy - Search
• Issue and resolution when using kebernetes.core that requires openshift-clients package:
  • How to install the 'openshift-clients' package in Openshift Custom Execution Environment?
  • Installing the OpenShift CLI by using an RPM
  • How to download rpm packages manually from the Customer Portal?
  • Another workaround is using the openshift-clients package rpm that exists inside the AAP bundle tarball

Python dependency issues:

• Install johnnydep inside your current venv and leverage the tool to check various dependencies for python modules that might be causing issues. For example johnnydep requests.

Image building and customization:

• Best practices for building images that pass Red Hat Container Certification

Pipelines:

• How to Build Ansible Execution Environments with OpenShift Pipelines

Ansible Navigator:

• Default execution environment that ansible-navigator uses when not specified: quay.io/ansible/creator-ee
• Examine execution environment using ansible-navigator: ansible-navigator --eei <image-name>
• Extract list of collections from existing execution environment: ansible-navigator --eei <image-name> collections --mode stdout
• Use Credentials within ansible-navigator tool:
  • How Do I Use Ansible Tower's Credential Parameters (Machine, Network, Cloud) in my Playbook?
  • Mount the file(s) using --eev parameter on ansible-navigator: --eev --execution-environment-volume-mounts Specify volume to be bind mounted within an execution environment (--eev /home/user/test:/home/user/test:Z)
• How to run --syntax-check using ansible-navigator:

ansible-navigator run <playbook> --syntax-check --mode stdout`

• Start shell session inside container image:

podman run -it registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest /bin/bash

• Run adhoc commands inside image:

podman run --rm <image-name> <command>

• Run ansible-builder:

# Build the image and tag the image
ansible-builder build --verbosity 3 --container-runtime=podman --tag ansible-ee:5.0

• Change the yum and pip repositories within the base images:

# Create yum repository file locally
cat > ubi.repo <<EOF
[rhel-8-for-x86_64-appstream-rpms]
baseurl = http://x.x.x.x/rpms/rhel-8-for-x86_64-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel-8-for-x86_64-baseos-rpms]
baseurl = http://x.x.x.x/rpms/rhel-8-for-x86_64-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF

# Create pip configuration file locally
cat > pip.conf <<EOF
[global]
index-url = https://artifactory.acme.com/artifactory/api/pypi/pypi/simple
trusted-host = artifactory.acme.com
EOF

# Then run the containers
podman run -d -it --name custom-ee-supported registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel8:latest /bin/bash
podman run -d -it --name custom-ee-builder registry.redhat.io/ansible-automation-platform-24/ansible-builder-rhel8:latest /bin/bash

# Then copy the yum repo file into the containers
podman cp ubi.repo custom-ee-supported:/etc/yum.repos.d/
podman cp ubi.repo custom-ee-builder:/etc/yum.repos.d/

# Then copy the pip config file to set the global pip configuration https://pip.pypa.io/en/stable/topics/configuration/
podman cp pip.conf custom-ee-supported:/etc/
podman cp pip.conf custom-ee-builder:/etc/

#Then stop the containers
podman stop -a

#Then commit the containers
podman commit --message "Replaced yum repos" --author "ACME Company" <containerID> <image>

#Then push the containers
podman push <image-name> quay.io/username/myimage

• Search for images

The following example searches for images and then checks collections, system packages and python packages manually before we run the ansible-builder command.

# Login to registry
podman login registry.redhat.io
# Search registry to find latest images
# https://docs.podman.io/en/stable/markdown/podman-search.1.html
podman search ansible-automation-platform-24

# Pull image and start container
podman run -it --rm registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest /bin/bash

# Check dependencies for collections
ansible-galaxy collection install -r requirements.yml
cd /home/runner/.ansible/collections/ansible_collections/
grep -R python39 * | grep bindep.txt
grep -R suds *
# Look at potential newer versions of the collections
ansible-galaxy collection install --upgrade -r requirements.yml

# Install windows packages
microdnf install krb5-libs krb5-workstation krb5-devel
# Install Python 3.8 developer tools
microdnf install vi git rsync unzip tar sudo gcc openssl openssl-devel gcc-c++ dnf libpq-devel python38-devel glibc-headers libcurl-devel libssh-devel jq python3-Cython python3-devel openldap-devel
# Install Python 3.9 developer tools
microdnf install vi git rsync unzip tar sudo gcc openssl openssl-devel gcc-c++ dnf libpq-devel python39-devel glibc-headers libcurl-devel libssh-devel jq python3-Cython python3-devel openldap-devel
# Test the installation of required python libraries
pip3 install -r requirements.txt

Tools

ansible-builder:

• Introduction to Ansible Builder
• Ansible Builder - Guide
• Ansible Builder - Read The Docs
• Ansible Builder - Source Code
• Ansible Builder - Releases

ansible-navigator:

• Ansible Navigator Documentation
• Ansible Navigator Creator Guide
• Introduction to Ansible Runner
• Ansible Navigator - Source Code
• Ansible Navigator - Settings

ansible-bender:

ansible-bender is a tool which bends containers using Ansible playbooks and turns them into container images. It has a pluggable builder selection — it is up to you to pick the tool which will be used to construct your container image. Right now the only supported builder is buildah. More to come in the future. Ansible-bender (ab) relies on Ansible connection plugins for performing builds.

buildah:

buildah is a tool that facilitates building Open Container Initiative (OCI) container images. The Buildah package provides a command line tool that can be used to:

• create a working container, either from scratch or using an image as a starting point
• create an image, either from a working container or via the instructions in a Dockerfile
• images can be built in either the OCI image format or the traditional upstream docker image format
• mount a working container's root filesystem for manipulation
• unmount a working container's root filesystem
• use the updated contents of a container's root filesystem as a filesystem layer to create a new image
• delete a working container or an image
• rename a local container

podman:

• Installation
• How to set debug logging from podman?
• Debugging: podman pull --log-level debug <image>

skopeo:

• skopeo

References

General:

• microdnf showing ibrhsm-WARNING ** and Found 0 entitlement certificates
• Container Quickstarts by Red Hat's Community of Practice. This repository is meant to help bootstrap users of the OpenShift Container Platform to get started in building and using Source-to-Image to build applications to run in OpenShift.
• Best Practices for successful DevSecOps
• What are image layers?
• Best Practices for Writing Dockerfiles
• 5 Podman features to try now
• Working with Red Hat Enterprise Linux Universal Base Images (UBI)
• Running Virtual Machines Under Vagrant on the New Mac M1/M2/M3

Execution Environments:

• What are Red Hat Ansible Automation Platform automation execution environments?
• AWX - Execution Environments and using awx-manage
• Blog - The Anatomy of Automation Execution Environments
• Automation Controller - Execution Environments
• Execution Environment Setup Reference

Makefiles:

• Makefile Tutorial
• Docker and Makefiles: Building and Pushing Images with Make
• Ansible Builder and Execution Environments
• Docker and Makefiles
• Best practices for building images that pass Red Hat Container Certification

License

GNU General Public License v3.0

Author

John Wadleigh