Let me tell you a story. It’s 2014 and I had read so many articles about Docker (as the project was called then), how awesome it is and how it makes the lives of developers so much easier. Being one, I decided to try it out. Back in the day, I was working on some Django applications. Those apps were really simple: just a webserver and a database. So I went straight ahead to docker-compose. I read in the docs that I should create a docker-compose.yml file and then just docker-compose up. An error message here and there but I was able to navigate the containers to success with no big issues. And that was it. One command to run my application. I was sold on containers.
I was so excited that I started talking about Docker and docker-compose to everyone, everywhere. In the office breakroom, to my dad, at a meetup, to a crowd of 50 at a local conference. It wasn’t completely easy, since some people argued or did not understand fully. But I definitely made some converts. We even made a workshop series with my friends Peter Schiffer and
As you might know, Red Hat Ansible Tower supports SAML authentication (both N and Z) by default. This document will guide you through the steps for configuring both products to delegate the authentication to RHSSO/Keycloak (Red Hat Single Sign-On).
Requirements:
Unless you have your own certificate already, the first step will be to create one. To do so, execute the following command:
openssl req -new -x509 -days 365 -nodes -out saml.crt -keyout saml.key
Now we need to create the Ansible Tower Realm on the RHSSO platform. Go to the "Select Realm" drop-down and click on "Add new realm":
Once created, go to the "Keys" tab and delete all certificates, keys, etc. that were created by default.
Now that we have a clean realm, let's populate it with the appropriate information. Click on "Add Keystore" in the upper right corner and click on RSA:
Click on Save and create your Ansible Tower client information. It is recommended to start with the Tower configuration so that you can inject the metadata file and customize a few of the fields.
Log in as the admin user
We are excited to share that Red Hat Ansible Tower was awarded a 2018 Software & Information Industry Association (SIIA) CODiE Award in the Best DevOps Tool category. The award recognizes the best tools for supporting collaboration between developers and operations. Additionally, we are proud to share that Ansible Tower was honored with the Best Overall Business Technology Solution award. This award represents the product with the highest scores of both rounds of judging across all 52 business technology categories.
The SIIA CODiE Awards are the industry's only peer-recognized awards program. Business technology leaders including senior executives, analysts, media, consultants and investors evaluate assigned products during the first-round review which determines the finalists. SIIA members then vote on the finalist products and the scores from both rounds are tabulated to select the winners. Finalists represent the best products, technologies, and services in software, information and business technology.
We would like to thank the Ansible community for their continued support, contributions and excitement for the solution. The community is at the heart of all Ansible products and these awards were made possible because of our tireless community that collaborates everyday to help more people experience the power of automation.
Congratulations to the
During a recent client visit, we were asked to help migrate the following script for deploying a centralized sudoers file to RHEL and AIX servers. This is a common scenario which can provide some good examples of leveraging advanced Ansible features. Additionally, we can consider the shift in approach from a script that does a task to describing and enforcing the state of an item idempotently.
Here is the script:
#!/bin/sh
# Desc: Distribute unified copy of /etc/sudoers
#
# $Id: $
#set -x
export ODMDIR=/etc/repos
#
# perform any cleanup actions we need to do, and then exit with the
# passed status/return code
#
clean_exit()
{
    cd /
    test -f "$tmpfile" && rm $tmpfile
    exit $1
}
#Set variables
PROG=`basename $0`
PLAT=`uname -s|awk '{print $1}'`
HOSTNAME=`uname -n | awk -F. '{print $1}'`
HOSTPFX=$(echo $HOSTNAME |cut -c 1-2)
NFSserver="nfs-server"
NFSdir="/NFS/AIXSOFT_NFS"
MOUNTPT="/mnt.$$"
MAILTO="[email protected]"
DSTRING=$(date +%Y%m%d%H%M)
LOGFILE="/tmp/${PROG}.dist_sudoers.${DSTRING}.log"
BKUPFILE=/etc/sudoers.${DSTRING}
SRCFILE=${MOUNTPT}/skel/sudoers-uni
MD5FILE="/.sudoers.md5"
echo "Starting ${PROG} on ${HOSTNAME}" >> ${LOGFILE} 2>&1
# Make sure we run as root
runas=`id | awk -F'(' '{print $1}' | awk -F'=' '{print $2}'`
if [ $runas -ne 0 ] ; then
    echo "$PROG: you must be root to run
Welcome to another entry in the Getting Started series! In this post we’ll talk about how to use Red Hat Satellite 6 as an inventory source within Ansible Tower. A common scenario we see is the use of Satellite 6.3 to manage Red Hat Enterprise Linux infrastructure, which makes adding Red Hat Ansible Tower to the existing environment a snap.
Ansible Tower will need to authenticate to Satellite, so create a user with an integration role that has the permissions needed to manage inventory. The permissions needed are:
Resource   | Permission      | Access Type
Fact value | view_facts      | Read Satellite Server facts.
Host       | view_hosts      | Read Satellite Server hosts.
Host group | view_hostgroups | View Satellite Server host groups.
Once you’ve created your user, log in to the Tower host.
Navigate to Settings >> Credentials in Tower and create a new credential.
The credential type can be found in the credential type list:
Once you select ‘Red Hat Satellite 6’, the field to add the Satellite URL will be available:
With the Satellite server prepared and the credential in place within Tower, all that’s left
Enterprise customers often ask the Ansible Network team about the most common use cases for network automation. For this blog post I want to talk about one of the most used (and most versatile) set of network modules: the command modules. The command modules let you run networking commands with Ansible, the same way a network engineer would type them on the command line. With Ansible, though, the output doesn’t just fly by the terminal window to be lost forever; it can be stored and used in subsequent tasks. It can also be captured in variables, parsed for use by other tasks, and stored in host variables for future reference.
Today we’re going to cover basic use of the network command modules, including retaining command output with the register parameter. We’ll also cover scaling to multiple network devices with hostvars and adding conditional requirements with the wait_for parameter and three related parameters: interval, retries, and match. The takeaway from this blog post is that any repeatable network operations task can be automated. Ansible is more than configuration management, it allows network operators the freedom to decouple themselves from routine tasks and save themselves time.
There are command modules
We often hear from customers that they are using Jenkins in some capacity or another. And since I'm a consultant, I'm lucky to hear first hand what our customers are using and how they need to integrate Ansible Tower. There has always been a way to integrate Ansible Tower and Jenkins using tower-cli, but I thought there could be a neater, closer to native, way of doing it.
So here we go. I've recorded this short screencast to show you just how easy it is:
Below you will find a few links from the video and a link to how to try Ansible Tower.
plugins.jenkins.io/ansible-tower
Welcome to the fourth installment of our Windows-centric Getting Started Series!
One of the duties of most IT departments is keeping systems up to date. In this post we’re taking a quick look at using Ansible to manage updates on your Windows nodes. Starting with a small example of six Windows machines, we’ll show an example of a play against those hosts. We’ll share the full example at the end.
Managing Windows updates is something that can be understood and customized quickly with Ansible. Below is a small-scale example of running updates on hosts with some flexibility in what gets updated in the process. The example here is assuming a domain exists and the hosts are being passed domain credentials. If you’re looking to test this example, be sure to read Bianca’s earlier Getting Started post on connecting to a Windows host.
Because this example is running against exclusively Windows machines, the information needed to connect can be included in the inventory file:
[all:vars]
ansible_connection=winrm
ansible_user=administrator
ansible_password=This-Should-Be-a-Password!
The example hosts include three groups of servers, two in each group. There are terminal servers, application servers, and directory servers. For the purposes of
This year Red Hat Ansible Automation was featured in more talks than ever before at Red Hat Summit, as there was an emphasis on automation and management content throughout the conference. Below you’ll find links to the recorded sessions that included Ansible and our Red Hat Management friends from Red Hat CloudForms, Red Hat Insights and Red Hat Satellite. We hope you enjoy these sessions and share with your colleagues.
Want even more? Mark your calendar for AnsibleFest! We’ll be in Austin, TX this year for two days of conference on Oct 2-3.
Operations risk remediation in highly secure infrastructures
If you have data concerns about using Red Hat’s operations analytics service, Red Hat Insights, this session is for you. Insights speeds up discovery and automates remediation of potential problems in your Red Hat infrastructure quickly and simply. In this session, William Nix and Bill Hirsch of Red Hat show you how to configure Red Hat Insights to obfuscate and remove sensitive data from Red Hat Insights analytics. You'll learn how Red Hat Insights securely transfers, stores, and protects the data it does use while you're taking advantage of the service.
Welcome to another entry in the Getting Started Series! In our previous post, we covered how to get started with Ansible and Windows.
In this post we’re going to discuss how you can launch automatically generated playbooks to correct compliance, security and patching issues found in your inventory by Red Hat Insights. To start off, let’s do a brief overview of the magic sauce that is Insights.
Red Hat Insights is a predictive IT risk analytics tool that helps enable users to proactively identify, prioritize, and resolve vulnerabilities in their environments before business operations are affected. It does this by evaluating select files on a system, getting smarter and better at predicting outcomes with each piece of information it takes in.
Insights conducts an in-depth analysis of customers’ IT infrastructure and compares this information against Red Hat’s constantly expanding knowledge base to identify key risks and vulnerabilities. If a susceptibility or risk is found, Insights has the ability to generate a playbook for most critical problems detected, which can then be used in Ansible Tower to resolve any issues.
So if Insights makes Ansible Playbooks... how do you use them in Ansible Tower?
Welcome to the third installment of our Windows-centric Getting Started Series!
In the previous post we covered how you can use Ansible and Ansible Tower to help manage your Active Directory environment. This post will go into how you can configure some of those machines on your domain. Most of this post is going to be dominated by specific modules. Ansible has a plethora of Windows modules that can be found here. As time is not a flat circle, I can’t discuss all of them today but only a few that are widely used.
So you got your domain up, you have machines added to it, now let’s install some stuff on those machines. I do have a few notes before moving forward in regards to the modules we’ll be discussing. The module win_msi is deprecated and will be removed in Ansible 2.8 (current version as of this post is 2.5). In its place you can use win_package which I will be using throughout this post.
Alright, back to installing stuff. The win_package module is the place to be. It is used specifically for .msi and .exe files that need to be installed
One of my favorite guilty pleasures is the movie "10 Things I Hate About You". If you're not familiar with it, it's a 90's teenybopper flick that's loosely based on Shakespeare's "The Taming of the Shrew". In the movie, our hero Patrick is surreptitiously paid to woo the man-hating Kat so that slimy Joey will be allowed to date her younger sister Bianca. Kat initially can't stand Patrick and his numerous bad habits, but by the end of the story has fallen for him. She reads him a poem that starts off describing ten things she hates about him, but wraps it up declaring her love for him instead.
I love Windows, but I know many Linux admins can't stand it, and avoid working with it at any cost. While working on a talk to espouse the use of Ansible to manage Windows in the same way as Linux, I imagined a Linux admin discovering the power of Ansible's features and common language to see the beauty in an automated Windows setup. It inspired me to write my own version of Kat's poem:
I hate that you're not SSH, and the shell that you call "Power",
I hate
One of the most common questions I hear while talking about Ansible's support for cloud providers is whether it will work in hybrid environments. You may not be able to use the ec2 module to create an instance in your datacenter, but Ansible has modules for RHV, OpenStack, and VMware to talk to virtualization tools in your datacenter. I love working in AWS, Azure, and Google Cloud but most environments I've worked in have had on-prem systems as well.
That's what I've been invited to Red Hat Summit to talk about -- best practices for automating all the infrastructure at your disposal, not just the cloud services. My demos will feature a couple new Ansible Core/Engine 2.5 features, as well as preview new 2.6-only features.
My favorite feature to show off is part of the new ec2_instance module. In the demo we'll have a look at how Tower provisioning callbacks are now built in to the ec2_instance module, making provisioning brand new instances as easy as:
- ec2_instance:
    image:
      id: "{{ latest_centos.image_id }}"
    key_name: my-secret-key
    instance_type: t2.large
    name: call-me-maybe
    security_groups:
      - demo-web-sg
    # COOL MAGIC HERE
    tower_callback:
      host_config_key: "{{ your_secret_here }}"
      job_template_id:
Welcome to the second installment of our Windows-centric Getting Started series!
Last time we walked you through how Ansible connects to a Windows host. We’ve also previously explored logging into Ansible Tower while authenticating against an LDAP directory. In this post, we’ll go over a few ways you can use Ansible to manage Microsoft’s Active Directory. Since AD plays a role in many Windows environments, using Ansible to manage Windows will probably include running commands against the Active Directory domain.
We’ll be using WinRM to connect to Windows hosts, so this means making sure Ansible or Tower knows that. Machine credentials in Ansible Tower can be created and used along with variables, but when using Ansible in a terminal the playbook should make it clear with variables:
---
- name: Your Windows Playbook
  hosts: win
  vars:
    ansible_ssh_user: administrator
    ansible_ssh_pass: ThisIsWhereStrongPassesGo
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore
  tasks:
Along with using the local admin account/pass, the WinRM connection method is named specifically. The variable to ignore the certificate validation is for standalone, non-domain hosts because a domain-joined instance should have certificates validated on the domain.
Speaking of domains, Ansible can spin up a new domain
The countdown is on! It’s just a few short days until Red Hat Summit. I’m Kaete Piccirilli and I do all things Ansible Marketing. While it’s not my first Summit at Red Hat, it’s the first one I’ll be attending, and I cannot be more excited to finally be in the mix of our customers, partners and open source communities.
Red Hat Summit has an action-packed few days planned, and I have picked a few Ansible Automation sessions that you won’t want to miss.
Managing 15,000 network devices with Ansible
Ansible allows network management across virtually any device platform. Any network device can be managed via SSH or an API. We took this cutting-edge network automation to scale with a customer’s global network infrastructure, giving them the ability to manage nearly all of their network devices at one time.
In this session, we'll discuss the architecture and strategies involved in network automation.
Manage Windows like Linux with Ansible
Few questions induce fear into the heart of a Linux admin more than, "Hey, can you manage these Windows servers?"
In this session, we'll show how Ansible does simple, secure, and agentless Windows management with the exact
Roles are an essential part of Ansible, and help in structuring your automation content. The idea is to have clearly defined roles for dedicated tasks. During your automation code, the roles will be called by the Ansible Playbooks.
Since roles usually have a well defined purpose, they make it easy to reuse your code for yourself, but also in your team. And you can even share roles with the global community. In fact, the Ansible community created Ansible Galaxy as a central place to display, search and view Ansible roles from thousands of people.
So what does a role look like? Basically it is a predefined structure of folders and files to hold your automation code. There is a folder for your templates, a folder to keep files with tasks, one for handlers, another one for your default variables, and so on:
tasks/
handlers/
files/
templates/
vars/
defaults/
meta/
In folders which contain Ansible code - like tasks, handlers, vars, defaults - there are main.yml files. Those contain the relevant Ansible bits. In case of the tasks directory, they often include other yaml files within the same directory. Roles even provide ways to test your automation code - in
Welcome to the first installment of our Windows-specific Getting Started series!
Would you like to automate some of your Windows hosts with Red Hat Ansible Tower, but don’t know how to set everything up? Are you worried that Red Hat Ansible Engine won’t be able to communicate with your Windows servers without installing a bunch of extra software? Do you want to easily automate everyone’s best friend, Clippy?
We can’t help with the last thing, but if you said yes to the other two questions, you've come to the right place. In this post, we’ll walk you through all the steps you need to take in order to set up and connect to your Windows hosts with Ansible Engine.
A few of the many things you can do for your Windows hosts with Ansible Engine include:
In addition to connecting to and automating Windows hosts using local or domain users, you’ll also be able to use runas to execute actions as the Administrator (the Windows alternative to Linux’s sudo or su), so
The Ansible Networking Team is excited about the release of Ansible 2.5. Back in February, I wrote about new Networking Features in Ansible 2.5, and one of the biggest areas of feedback was around the network_cli connection plugin. For more background on this connection plugin, please refer to the previous blog post.
In this post, I convert existing networking playbooks that use connection: local to use connection: network_cli. Please note that the passwords are in plain text for demonstration purposes only. Refer to the Ansible Networking documentation's recommendation on using Ansible Vault for secure password storage and usage.
To demonstrate, let’s use an existing GitHub repository with working playbooks using the legacy connection local method. NOTE: The connection local method will continue to be supported for quite some time, and has not been announced as deprecated yet. This repository has several examples using Ansible and NAPALM but we are highlighting the Ansible Playbooks in this post. The GitHub repository can be found here.
Networking platforms use their specific *_config platform module for easy backups within Ansible. For this playbook we are running the Ansible Playbook
Just like with Windows and Linux servers, networking devices can be exploited by vulnerabilities found in their operating systems. Many IT organizations do not have a comprehensive strategy for mitigating security vulnerabilities that span multiple teams (networking, servers, storage, etc.). Since the majority of network operations is still manual, the need to mitigate quickly and reliably across multiple platforms consisting of hundreds of network devices becomes extremely important.
In Cisco’s March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, 22 vulnerabilities were detailed. While Red Hat does not report or keep track of individual networking vendors' CVEs, Red Hat Ansible Engine can be used to quickly automate mitigation of CVEs based on instructions from networking vendors.
In this blog post we are going to walk through CVE-2018-0171 which is titled “Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability.” This CVE is labeled as critical by Cisco, with the following headline summary:
“...a vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a
The size, complexity and high rate of change in today’s IT environments can be overwhelming. Enabling the performance and availability of these modern microservice environments is a constant challenge for IT organizations.
One trend contributing to this rate of change is the adoption of IT automation for provisioning, configuration management and ongoing operations. For this blog, we want to highlight the repeatable and consistent outcomes allowed by IT automation, and explore what is possible when Ansible automation is extended to the application monitoring platform Dynatrace.
Thanks to Jürgen Etzlstorfer for giving us an overview of the Ansible and Dynatrace integration.
---
Considering the size, complexity and high rate of change in today's IT environments, traditional methods of monitoring application performance and availability are often necessary and commonplace in most operations teams. Application performance monitoring (APM) platforms are used to detect bottlenecks and problems that can impact the experience of your customers.
Monitoring alone, however, isn’t always enough to help keep your applications running at peak performance. When issues are detected, APM platforms are designed to alert the operator of the problem and its root-cause. The Ops team can then agree on a corrective action, and implement this