Two-Factor Authentication (2FA) is an additional layer of security that can be used to help protect enterprise applications from unauthorized access. While OAuth, and even some LDAP configs are viable options to enable 2FA in Ansible Automation Platform, users prefer to leverage Security Assertion Markup Language (SAML) for this purpose, as described in Using two-factor SAML with Red Hat Ansible Tower. On the other hand, 2FA to managed machines is discouraged.
SAML is an open standard that allows Identity Providers (IdP) exchange authorization credentials with a Service Provider (SP). The IdP supplies an XML document—known as assertion—to the SP to deliver a series of attributes that identify the login user.
These attributes can be used in Ansible Automation Platform to determine the team and organization of a user. Let’s explore an example, with Microsoft Azure’s Active Directory as the IdP (and, of course, Ansible Automation Platform as the SP).
The goal of this example is to map users from four different groups (Alpha, Beta, Gamma and Delta) to either the Cloud or Network Organization in Ansible Tower, and make them part of a specific team (Engineering or Operations). Continue reading
Leading enterprises today use Red Hat Ansible Automation Platform to provision, configure, manage, secure and orchestrate hybrid IT environments. A common misconception is that Ansible is just used to manage the Linux operating system. This is a false belief. Ansible supports Linux, Windows, AIX, IBM i and IBM z/OS environments. This blog will help AIX system administrators get started with Ansible on AIX, and introduce a patching use case.
When Ansible Automation Platform was released, Ansible Content Collections became the de facto standard for distributing, maintaining and consuming automation content. The shift to Collections increased community participation and has exponentially increased the number of stable and supported Ansible modules. Modules delivered via Collections rather than packaged with Ansible Core have resulted in a faster release cadence for new modules.
Let us explore the IBM provided Ansible Collection for AIX. It is important to note that many of the Ansible modules for the Linux operating system will also work on AIX (in addition to the IBM provided AIX modules), making the use cases for Ansible on AIX very broad.
The AIX operating system has been around for 35 years and is used to Continue reading
VMware vCenter Server tags are labels that can be applied to objects like the system’s environment and usage, therefore it is a very useful method of asset management - also making tags a perfect fit in the Ansible world to organize systems in an Ansible inventory. Red Hat customers have regularly requested the ability to use vCenter Tags in Red Hat Ansible Tower. This is now possible with an Ansible Tower inventory source that supports tags and provides the vmware_vm_inventory plugin.
Ansible Automation Platform 1.2 brings completely native Ansible inventory plugin support to Ansible Tower 3.8. In previous versions, there were specific inventory plugin configurations based on the old inventory scripts where a specific set of parameters surfaced in Ansible Tower's user interface. For example: cloud region and a specific subset of variables you could pass to those inventory scripts surfaced as variables you could pass to the inventory source, which means that new configuration parameters that come with Ansible inventory plugins are not supported in order to maintain compatibility with the old inventory scripts.
The move to support native inventory plugins allows Red Hat Ansible Automation Platform customers to use all the configuration parameters available through Continue reading
Technological advancements are intended to bring more control, agility and velocity to organizations. However, adopting these new technologies and techniques, such as cloud computing and microservices, increases an organization’s security footprint, bringing greater risk of security breaches.
Cyberattacks potentially expose organizations to financial loss, reputational damage, legal liability, and business continuity risk. As a result, security teams are under increased pressure to help proactively protect organizations against cyberattacks and maintain a more consistent, rapid incident response framework to respond to security breaches.
In our previous blogs in this series, we explored how Ansible security automation enables security teams to automate and simplify investigation enrichment and threat hunting practices. We also discussed and provided our answer to the lack of integration across the IT security industry.
In this blog post, we’ll have a closer look at incident response and how Ansible security automation empowers security teams to respond effectively to security breaches.
Incident response is the approach and techniques that security departments implement to neutralize and mitigate cyberattacks, and is a core responsibility of the security team. Recent news headlines are rife with high-profile security breaches and Continue reading
As the adoption of containers and Kubernetes increases to drive application modernization, IT organizations must find ways to easily deploy and manage multiple Kubernetes clusters across regions, both residing in the public cloud and/or on-premises, and all the way to the edge. As such, we continue to expand on the capabilities of our Certified Ansible Content Collection for kubernetes.core.
In this blog post, we’ll highlight some of the exciting new changes in the 2.0 release of this Collection.
Development on the kubernetes.core Collection had historically taken place in the community.kubernetes GitHub repository, which was built off community contributions before Red Hat supported it. That code base served as the source for both Collections. With this release, we have shifted all development to the kubernetes.core GitHub repository. Moving forward, the community.kubernetes namespace will simply redirect to the kubernetes.core Collection. If you are currently using the community.kubernetes namespace in your playbooks, we encourage you to begin switching over to kubernetes.core. This change better reflects that this codebase is a Red Hat supported Collection.
One of the main objectives of our 2.0 release was to Continue reading
AnsibleFest will be a free, virtual two day event again this year on September 29-30. You can expect all the usual highlights, like customer keynotes, breakout sessions, direct access to Ansible experts and more. We will also be bringing back tracks from last year like Network, Security, Developer and more to give you exactly the type of information you need for wherever you are in your Ansible journey.
Do you have a story to share about how you're using Ansible?
The Call for Proposals will be open from June 8-29. We will be choosing a variety of sessions across all subjects and skill areas. Notifications will be sent out in July for session approval status. Share your automation story with us today!
Want to be the first to hear the latest updates about AnsibleFest? Then sign up to stay connected and up-to-date on all things on the AnsibleFest page.
As we all know, Ansible is a well-adapted tool for the end-to-end automation of IT infrastructures. At the same time, due to the addition of new features and developments within the project, the Ansible community is growing at an accelerated rate. To help structure the project and also to facilitate the change in direction, we are launching a Steering Committee for the Ansible Community Project.
The Steering Committee’s role is to provide guidance, suggestions, and ensure delivery of the Ansible Community package. The committee shall be broadly representative of the planning and approval areas.
The initial Steering Committee members, selected based on their wide knowledge of and active contributions to the Ansible project, are:
Members of the committee will work with community users plus Ansible teams within Red Hat to assist in the composition of idea proposals/new collection inclusion requests. Rather than advocating on behalf of particular interests or perspectives, the job of the Steering Committee members is to listen carefully to their fellow community members, discuss, Continue reading
With the introduction of Ansible Automation Platform 1.2 at AnsibleFest 2020, Ansible released private Automation Hub. This enables a means to deliver, manage and curate Ansible Automation Platform Certified Content via a central on-premises, self-hosted solution for use by internal automation communities.
This sparked my interest in digging deeper into what private Automation Hub is and how I could leverage it. My initial perception went from a mysterious black box to viewing it as the perfect Ansible Automation Platform sidecar.
I learned quite a bit on how I could optimize it for my environments and wanted to share my findings. Before we start, a brief history of Ansible content and Ansible Content Collections may be helpful.
"Following the light of the sun, we left the Old World." - Christopher Columbus on Ansible Collections
During 2017, the number of modules, roles and content under Ansible's GitHub repository surged. The backlog of issues started to increase as the inflow of new content for different platforms and network appliances/devices outpaced the growth of the Ansible Core team. Various YouTube videos and blog posts provided commentary and insights from the Ansible community. The rapid growth of Ansible content led to the birth Continue reading
Red Hat Ansible Engine v2.9 introduced the first set of Resource Modules that make network automation easier and more consistent, especially in multi-vendor environments. These network resource specific and opinionated Ansible modules help us avoid creating overly complex Jinja2 templates to render and push network configurations, thereby easing the adoption of network automation both in green and brownfield environments. The resource modules, along with the tools provided in ansible.utils, are highly focused on allowing the end user to manipulate network configuration as “structured data” and not have to worry about network platform specific details.
In the past, we have gone through resource modules that facilitate managing BGP, OSPFv2, ACLs and VLANS configurations on network devices. In this blog post, we’ll cover the newly added route maps resource modules using cisco.nxos.nxos_route_maps as an example.
Route maps are used to define which routes from a source routing protocol are to be distributed to a target routing protocol. It also allows filtering routes that are sent or received between BGP peers. Every route map can have multiple entries, with each entry having a sequence number and an action (the “permit” or “deny” clause) associated with it. Continue reading
Red Hat Ansible Network Automation continues to be a popular domain for Red Hat Ansible Automation Platform. We have continually developed additional resource modules to make automating network appliances easier, and more approachable, for novices and experts alike. These resource modules provide a consistent experience across multiple network vendors. There are seven main state parameters for resource modules: merged, replaced, overridden, deleted, gathered, rendered and parsed. The Ansible network team is adding one more parameter, purged, to this tool chest for resource modules. This blog will cover the purged parameter and show use-cases through a practical example.
For this example, we will be using two BGP resource modules to configure a Cisco network device. We will be using the bgp_global module, which was covered in Rohit’s blog post, and the bgp_address_family module. The BGP configuration is split between these two separate modules to simplify configuration and data models associated with them.
Let’s start with a data model:
bgp_global: as_number: '65000' bgp: log_neighbor_changes: true router_id: address: 192.168.1.1 neighbor: - activate: true address: 10.200.200.2 remote_as: 65001 bgp_address_family: address_family: - afi: ipv4 neighbor: - activate: true address: 10.200.200.2 network: - address: 10.25. Continue reading
A comprehensive infrastructure as code (IaC) initiative should include monitoring and observability. Incorporating the active monitoring of the infrastructure under management results in a symbiotic relationship in which failures are detected automatically, enabling event-driven code changes and new deployments.
In this post, I’ll recap a webinar I hosted with Tadej Borovšak, Ansible Evangelist at XLAB Steampunk (who we collaborated with on our certified Ansible Content Collection for Sensu Go). You’ll learn how monitoring as code can serve as a feedback loop for IaC workflows, improving the overall automation solution and how to automate your monitoring with the certified Ansible Content Collection for Sensu Go (with demos!).
Before we dive in, here’s a brief overview of Sensu.
Sensu is the turn-key observability pipeline that delivers monitoring as code on any cloud — from bare metal to cloud native. Sensu provides a flexible observability platform for DevOps and SRE teams, allowing them to reuse their existing monitoring and observability tools, and integrates with best-of-breed solutions — like Red Hat Ansible Automation Platform.
With Sensu, you can reuse existing tooling, like Nagios plugins, as well as monitor ephemeral, cloud-based infrastructure, like Red Hat OpenShift. Sensu helps you Continue reading
In this blog I would like to showcase the power of Ansible Content Collections to build powerful abstractions. Collections are a distribution format for Ansible content that can include playbooks, roles, modules and plugins. For this blog post, let us address an Infrastructure as Code(IaC) use case for network configuration management of BGP. We will walk through examples for both Cisco IOS and Arista EOS devices.
First, let us define a data-model that encapsulates the vendor-agnostic configuration.
bgp_global: as_number: '65000' bgp: log_neighbor_changes: true router_id: address: 192.168.1.1 neighbor: - activate: true address: 10.200.200.2 remote_as: 65001 bgp_address_family: address_family: - afi: ipv4 neighbor: - activate: true address: 10.200.200.2 network: - address: 10.25.25.0 mask: 255.255.255.0 - address: 10.25.26.0 mask: 255.255.255.0 - address: 10.100.100.0 mask: 255.255.255.0 - address: 10.200.200.0 mask: 255.255.255.0 - address: 172.16.0.0 - address: 192.168.1.1 mask: 255.255.255.255
As you might have observed, this data-model matches exactly the input expected by the <vendor>.bgp_global and bgp_address_family modules within the IOS and EOS Continue reading
What does successful network automation look like? What are the metrics that can measure the effectiveness of this practice and its business value?
Some will say we should look at time and cost savings, but we should not forget about driving consistency and a simpler operation to reduce risk. In this context, what are the use-cases that will get us there?
While there are generic use-cases, the real value of automation is truly uncovered when you are able to translate your existing processes into automated workflows that need no human intervention in order to be executed.
If your current processes are too complex, you can start by breaking them down into smaller chunks of work that will become the building blocks of your workflows. The simpler these units of work are, the more reliable/reusable they become. This blog post will walk through several use-cases for network automation, and show examples of data validation and functional testing to automate Methods of Procedure (MOP). We can then combine these building blocks into an overall workflow to gradually increase our time savings and reap more benefits from our automation as we add more building blocks.
“Do something Continue reading
At AnsibleFest 2020, we announced the extension of our security automation initiative to support endpoint protection use cases. If you have missed it, check out the recording of the talk “Automate your endpoint protection using Ansible” on the AnsibleFest page.
Today, following this announcement we release the supported Ansible Content Collection for Trend Micro Deep Security. We will walk through several examples and describe the use cases and how we envision the Collection being used in real world scenarios.
If you want to refresh your memory about our endpoint protection support with Ansible in general, head over to the the introducing blog post Automating Endpoint Protection with Ansible.
Trend Micro Deep Security is one of the latest additions to the Ansible security automation initiative. As an endpoint protection solution it secures services and applications in virtual, cloud and container environments. It provides automated security policies and consolidates the security aspects across different environments in a single platform.
Enterprise security isn’t a homogeneous entity; it’s a portfolio of multi-vendor solutions run by disparate and often siloed teams. With so many different layers, automation proved to be effective in helping security operations teams to integrate and share accountability.
Automated processes and workflows simplify and accelerate shared processes, like investigation & response and, if enabled with a platform with the right characteristics, encourage a more open culture of collaboration.
Red Hat Ansible Automation Platform caters to this growing importance of security with Ansible security automation: our answer to the lack of integration across the IT security industry. If you are new to the topic, a good place to start is our investigation enrichment blog. A good follow up is our blog post about threat hunting, extending the application of Ansible security automation to multiple teams across the IT department.
The Ansible security automation initiative grew significantly over the last two years, adding more partners and covering additional domains and use cases. If you want to know more about what is available, have a look at the supported Collections that can be accessed via cloud.redhat.com for more details. The most recent addition to our security automation initiative was Continue reading
IT service management (ITSM) is a collection of policies and processes for the management and support of IT services. The main focus of ITSM is increasing the value of the customers’ service chain. But without the proper automation support, providing IT services can quickly become a major time-sink.
This is where the Red Hat Ansible Automation Platform and the Red Hat Ansible Certified Content Collection for ServiceNow come into play. Ansible Automation (with some help from existing Ansible content) can automate just about any task, while the modules from this Certified Collection allow us to keep the ServiceNow information up to date.
This Collection was designed and developed by the XLAB Steampunk team in close collaboration with Red Hat Ansible, specifically keeping end-users in mind. ServiceNow modules have an intuitive user interface backed by a robust implementation, offering support for things Ansible users expect (e.g., check mode and change detection).
In this post, we will look at a few sample Ansible Playbooks that take care of essential tasks such as:
Managing virtual machines in an IT infrastructure is often a common task, specifically VMware virtualization technology has been around for over 20 years. VMware administrators spend a lot of their time in automating the creation, management, and removal of virtual instances that contain various operating systems. One operating system that often resides on VMware infrastructure is Red Hat Enterprise Linux.
With the introduction of VMware REST APIs, we recently announced the initial release of the vmware.vmware_rest Collection, for production use. As opposed to the community.vmware Collection, the vmware.vmware_rest Collection is based on next generation VMware REST APIs. This new Collection no longer requires any third party Python bindings to communicate with VMware infrastructure. A large part of the new Collection that has been introduced is support for automating virtual machine operations.
In this blog post I will show you how VMware users can automate the installation of Red Hat Enterprise Linux 8 (RHEL 8) using the vmware.vmware_rest.vcenter_vm module and a valid Kickstart file.
For this scenario, we will assume following requirements:
With the increasing size and complexity of modern enterprise networks, the demand on simplifying the networks management becomes more intense. The introduction of resources modules with Ansible Engine 2.9 provide a path to users to ease the network management, especially across multiple different product vendors.
In the past, we’ve already covered resource modules for OSPF management and for ACLs. However, simplifying network management is not limited to rather local network setups or intra domain routing only. “Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (AS) on the internet. The protocol is often classified as a path vector protocol but is sometimes also classed as a distance-vector routing protocol.” It is used in larger network setups, as the NetworkWorld so aptly observes:
BGP has been called the glue of the Internet and the postal service of the internet. One comparison likens BGP to GPS applications on mobile phones.
Managing BGP manually for a network device can be a very difficult and tedious task, and more often this needs to be performed carefully, as the manual process is more prone to human error.
This blog post goes Continue reading
The 2020 results of the NetDevOps Survey are out! This was the third time the survey was conducted and was targeted to the network automation community. But first, a huge shout out to the team that led this effort again (Damien Garros and Francois Caen). The survey was 100% community-driven, and I thank them for allowing me to be a part of the team, and to provide feedback to existing and new questions.
This survey is a good representation of how network operators and network engineers are utilizing automation to get their jobs done, but largely without management buy-in or a proactive automation strategy. This blog is largely my hot take on the results, as seen through the lens of my history at Red Hat as an Ansible Product Manager helping to get network automation as an official commercial use case off the ground. I’m going to compare and contrast the survey questions and results between the most recent NetDevOps survey and the Enterprise Management Associates (EMA) Enterprise Network Automation for 2020 and Beyond results that Red Hat sponsored back in 2019.
Here are the main ideas I gleaned:
Today we're thrilled to announce that the RHEL System Roles Collection is now certified with Ansible Automation Platform and is being delivered to organizations through Ansible Automation Hub. Starting with the forthcoming RHEL 8.4, this means that the system roles Collection is immediately available under technology preview support and planned to be fully supported by both RHEL and Ansible Automation Platform product support experts.
Red Hat Enterprise Linux (RHEL) is the world's leading enterprise Linux platform. System administrators expect features and improvements to deliver on the agility demanded by their end users. In order to abstract away tedious, error-prone manual administration and configuration, RHEL system roles offer a path towards a repeatable and predictable operating system configuration. Under the hood, these Ansible roles and modules are now packaged, provided via an Ansible Content Collection.
For customers with both RHEL and Ansible Automation Platform subscriptions, this means that the automation platform gains new certified content to predictably drive the configuration of RHEL, wherever it may be deployed, to ensure the stability that Red Hat customers expect from an enterprise Linux operating system. Finally, continuing the commitment for upstream community development and Continue reading