Archive

Category Archives for "Ansible Blog"

Red Hat Single Sign-on Integration with Ansible Tower

As you might know, Red Hat Ansible Tower supports SAML for both authentication and authorization (AuthN and AuthZ) by default. This document will guide you through the steps for configuring both products to delegate the authentication to RHSSO/Keycloak (Red Hat Single Sign-On).

Requirements:

  • A running RHSSO/Keycloak instance
  • Ansible Tower
  • Admin rights for both
  • DNS resolution

 

Hands-On Lab

Unless you have your own certificate already, the first step will be to create one. To do so, execute the following command:

openssl req -new -x509 -days 365 -nodes -out saml.crt -keyout saml.key

Now we need to create the Ansible Tower Realm on the RHSSO platform. Go to the "Select Realm" drop-down and click on "Add new realm":

Ansible-Tower-SSO-Screen-16

Once created, go to the "Keys" tab and delete all certificates, keys, etc. that were created by default.

Now that we have a clean realm, let's populate it with the appropriate information. Click on "Add Keystore" in the upper right corner and click on RSA:

Ansible-Tower-SSO-Screen-15

Click on Save and create your Ansible Tower client information. It is recommended to start with the Tower configuration so that you can inject the metadata file and customize a few of the fields.

Log in as the admin user Continue reading

Red Hat Ansible Tower wins SIIA CODiE Award

We are excited to share that Red Hat Ansible Tower was awarded a 2018 Software & Information Industry Association (SIIA) CODiE Award in the Best DevOps Tool category. The award recognizes the best tools for supporting collaboration between developers and operations. Additionally, we are proud to share that Ansible Tower was honored with the Best Overall Business Technology Solution award. This award represents the product with the highest scores of both rounds of judging across all 52 business technology categories.

The SIIA CODiE Awards are the industry's only peer-recognized awards program. Business technology leaders including senior executives, analysts, media, consultants and investors evaluate assigned products during the first-round review which determines the finalists. SIIA members then vote on the finalist products and the scores from both rounds are tabulated to select the winners. Finalists represent the best products, technologies, and services in software, information and business technology.

We would like to thank the Ansible community for their continued support, contributions and excitement for the solution. The community is at the heart of all Ansible products and these awards were made possible because of our tireless community that collaborates every day to help more people experience the power of automation.

Congratulations to the Continue reading

Shell Scripts to Ansible

During a recent client visit, we were asked to help migrate the following script for deploying a centralized sudoers file to RHEL and AIX servers. This is a common scenario which can provide some good examples of leveraging advanced Ansible features. Additionally, we can consider the shift in approach from a script that does a task to describing and enforcing the state of an item idempotently.

Here is the script:

#!/bin/sh
# Desc: Distribute unified copy of /etc/sudoers
#
# $Id: $
#set -x

export ODMDIR=/etc/repos

#
# perform any cleanup actions we need to do, and then exit with the
# passed status/return code
#
clean_exit()
{
cd /
test -f "$tmpfile" && rm $tmpfile
exit $1
}

#Set variables
PROG=`basename $0`
PLAT=`uname -s|awk '{print $1}'`
HOSTNAME=`uname -n | awk -F. '{print $1}'`
HOSTPFX=$(echo $HOSTNAME |cut -c 1-2)
NFSserver="nfs-server"
NFSdir="/NFS/AIXSOFT_NFS"
MOUNTPT="/mnt.$$"
MAILTO="[email protected]"
DSTRING=$(date +%Y%m%d%H%M)
LOGFILE="/tmp/${PROG}.dist_sudoers.${DSTRING}.log"
BKUPFILE=/etc/sudoers.${DSTRING}
SRCFILE=${MOUNTPT}/skel/sudoers-uni
MD5FILE="/.sudoers.md5"

echo "Starting ${PROG} on ${HOSTNAME}" >> ${LOGFILE} 2>&1

# Make sure we run as root
runas=`id | awk -F'(' '{print $1}' | awk -F'=' '{print $2}'`
if [ $runas -ne 0 ] ; then
echo "$PROG: you must be root to run  Continue reading

Use Satellite 6 as an Inventory Source in Ansible Tower

 Welcome to another entry in the Getting Started series! In this post we’ll talk about how to use Red Hat Satellite 6 as an inventory source within Ansible Tower. A common scenario we see is the use of Satellite 6.3 to manage Red Hat Enterprise Linux infrastructure, which makes adding Red Hat Ansible Tower to the existing environment a snap.

First, Create a User in Satellite

Ansible Tower will need to authenticate to Satellite, so create a user with an integration role that has the permissions needed to manage inventory. The permissions needed are:

Resource      Permission         Access Type
Fact value    view_facts         Read Satellite Server facts.
Host          view_hosts         Read Satellite Server hosts.
Host group    view_hostgroups    View Satellite Server host groups.

Once you’ve created your user, log in to the Tower host.

Create Credential in Tower With the Satellite User

Navigate to Settings >> Credentials in Tower and create a new credential.

Ansible-Tower-Sat-6-Screen-1

The credential type can be found in the credential type list:

Ansible-Tower-Sat-6-Screen-4
 

Once you select ‘Red Hat Satellite 6’, the field to add the Satellite URL will be available:

Ansible-Tower-Sat-6-Screen-6

Add New Inventory

With the Satellite server prepared and the credential in place within Tower, all that’s left Continue reading

Command Module Deep Dive for Networks

Enterprise customers often ask the Ansible Network team about the most common use cases for network automation. For this blog post I want to talk about one of the most used (and most versatile) sets of network modules: the command modules. The command modules let you run networking commands with Ansible, the same way a network engineer would type them on the command line. With Ansible, though, the output doesn’t just fly by the terminal window to be lost forever; it can be stored and used in subsequent tasks. It can also be captured in variables, parsed for use by other tasks, and stored in host variables for future reference.
Today we’re going to cover basic use of the network command modules, including retaining command output with the register parameter. We’ll also cover scaling to multiple network devices with hostvars and adding conditional requirements with the wait_for parameter and three related parameters: interval, retries, and match. The takeaway from this blog post is that any repeatable network operations task can be automated. Ansible is more than configuration management; it allows network operators the freedom to decouple themselves from routine tasks and save themselves time.

There are command modules Continue reading

Connect Ansible Tower and Jenkins in under 5 minutes

We often hear from customers that they are using Jenkins in some capacity or another. And since I'm a consultant, I'm lucky to hear first hand what our customers are using and how they need to integrate Ansible Tower. There has always been a way to integrate Ansible Tower and Jenkins using tower-cli, but I thought there could be a neater, closer to native, way of doing it.

So here we go. I've recorded this short screencast to show you just how easy it is:

 

Below you will find a few links from the video and a link to how to try Ansible Tower.

plugins.jenkins.io/ansible-tower

wiki.jenkins.io/display/JENKINS/Ansible+Tower+Plugin

Try Ansible Tower

Windows Updates and Ansible

Welcome to the fourth installment of our Windows-centric Getting Started Series!

One of the duties of most IT departments is keeping systems up to date. In this post we’re taking a quick look at using Ansible to manage updates on your Windows nodes. Starting with a small example of six Windows machines, we’ll show an example of a play against those hosts. We’ll share the full example at the end.

Updates, Updates, Updates...

Managing Windows updates is something that can be understood and customized quickly with Ansible. Below is a small-scale example of running updates on hosts with some flexibility in what gets updated in the process. The example here is assuming a domain exists and the hosts are being passed domain credentials. If you’re looking to test this example, be sure to read Bianca’s earlier Getting Started post on connecting to a Windows host.

Because this example is running against exclusively Windows machines, the information needed to connect can be included in the inventory file:

[all:vars]
ansible_connection=winrm
ansible_user=administrator
ansible_password=This-Should-Be-a-Password!

For Example

The example hosts include three groups of servers, two in each group. There are terminal servers, application servers, and directory servers. For the purposes of Continue reading

Red Hat Summit 2018 Automation Recap

This year Red Hat Ansible Automation was featured in more talks than ever before at Red Hat Summit, as there was an emphasis on automation and management content throughout the conference. Below you’ll find links to the recorded sessions that included Ansible and our Red Hat Management friends from Red Hat CloudForms, Red Hat Insights and Red Hat Satellite. We hope you enjoy these sessions and share with your colleagues.

Want even more? Mark your calendar for AnsibleFest! We’ll be in Austin, TX this year for two days of conference on Oct 2-3.

SESSION RECAP:

Operations risk remediation in highly secure infrastructures

If you have data concerns about using Red Hat’s operations analytics service, Red Hat Insights, this session is for you. Insights speeds up discovery and automates remediation of potential problems in your Red Hat infrastructure quickly and simply. In this session, William Nix and Bill Hirsch of Red Hat show you how to configure Red Hat Insights to obfuscate and remove sensitive data from Red Hat Insights analytics. You'll learn how Red Hat Insights securely transfers, stores, and protects the data it does use while you're taking advantage of the service. 

 

Push-button deployments with Red Hat Continue reading

Easy Integration Using Ansible Tower and Red Hat Insights

Welcome to another entry in the Getting Started Series! In our previous post, we covered how to get started with Ansible and Windows.

In this post we’re going to discuss how you can launch automatically generated playbooks to correct compliance, security and patching issues found in your inventory by Red Hat Insights. To start off, let’s do a brief overview of the magic sauce that is Insights. 

What is Insights?

Red Hat Insights is a predictive IT risk analytics tool that helps enable users to proactively identify, prioritize, and resolve vulnerabilities in their environments before business operations are affected. It does this by evaluating select files on a system, getting smarter and better at predicting outcomes with each piece of information it takes in.

Insights conducts an in-depth analysis of customers’ IT infrastructure and compares this information against Red Hat’s constantly expanding knowledge base to identify key risks and vulnerabilities. If a susceptibility or risk is found, Insights has the ability to generate a playbook for most critical problems detected, which can then be used in Ansible Tower to resolve any issues.

Ansible and Insights?

So if Insights makes Ansible Playbooks...how do you use them in Ansible Tower? Continue reading

Windows Package Management

Welcome to the third installment of our Windows-centric Getting Started Series!

In the previous post we covered how you can use Ansible and Ansible Tower to help manage your Active Directory environment. This post will go into how you can configure some of those machines on your domain. Most of this post is going to be dominated by specific modules. Ansible has a plethora of Windows modules that can be found here. As time is not a flat circle, I can’t discuss all of them today but only a few that are widely used.

MSIs and the win_package Module

So you got your domain up, you have machines added to it, now let’s install some stuff on those machines. I do have a few notes before moving forward in regards to the modules we’ll be discussing. The module win_msi is deprecated and will be removed in Ansible 2.8 (current version as of this post is 2.5). In its place you can use win_package which I will be using throughout this post.

Alright, back to installing stuff. The win_package module is the place to be. It is used specifically for .msi and .exe files that need to be installed Continue reading

TEN THINGS I HATE ABOUT YOU: Manage Windows like Linux with Ansible

One of my favorite guilty pleasures is the movie "10 Things I Hate About You". If you're not familiar with it, it's a 90's teenybopper flick that's loosely based on Shakespeare's "The Taming of the Shrew". In the movie, our hero Patrick is surreptitiously paid to woo the man-hating Kat so that slimy Joey will be allowed to date her younger sister Bianca. Kat initially can't stand Patrick and his numerous bad habits, but by the end of the story has fallen for him. She reads him a poem that starts off describing ten things she hates about him, but wraps it up declaring her love for him instead.

I love Windows, but I know many Linux admins can't stand it, and avoid working with it at any cost. While working on a talk to espouse the use of Ansible to manage Windows in the same way as Linux, I imagined a Linux admin discovering the power of Ansible's features and common language to see the beauty in an automated Windows setup. It inspired me to write my own version of Kat's poem:

I hate that you're not SSH, and the shell that you call "Power",
I hate Continue reading

Hybrid Operations with Ansible

One of the most common questions I hear while talking about Ansible's support for cloud providers is whether it will work in hybrid environments. You may not be able to use the ec2 module to create an instance in your datacenter, but Ansible has modules for RHV, OpenStack, and VMWare to talk to virtualization tools in your datacenter. I love working in AWS, Azure, and Google Cloud but most environments I've worked in have had on-prem systems as well.

That's what I've been invited to Red Hat Summit to talk about -- best practices for automating all the infrastructure at your disposal, not just the cloud services. My demos will feature a couple new Ansible Core/Engine 2.5 features, as well as preview new 2.6-only features.

My favorite feature to show off is part of the new ec2_instance module. In the demo we'll have a look at how Tower provisioning callbacks are now built in to the ec2_instance module, making provisioning brand new instances as easy as:

- ec2_instance:
  image:
    id: "{{ latest_centos.image_id }}"
  key_name: my-secret-key
  instance_type: t2.large
  name: call-me-maybe
  security_groups:
    - demo-web-sg
  # COOL MAGIC HERE
  tower_callback:
    host_config_key: "{{ your_secret_here }}"
    job_template_id:  Continue reading

Active Directory & Ansible Tower

 Welcome to the second installment of our Windows-centric Getting Started series!

Last time we walked you through how Ansible connects to a Windows host. We’ve also previously explored logging into Ansible Tower while authenticating against an LDAP directory. In this post, we’ll go over a few ways you can use Ansible to manage Microsoft’s Active Directory. Since AD plays a role in many Windows environments, using Ansible to manage Windows will probably include running commands against the Active Directory domain.


First, Set Your Protocol

We’ll be using WinRM to connect to Windows hosts, so this means making sure Ansible or Tower knows that. Machine credentials in Ansible Tower can be created and used along with variables, but when using Ansible in a terminal the playbook should make it clear with variables:

---
- name: Your Windows Playbook
  hosts: win
  vars:
    ansible_ssh_user: administrator
    ansible_ssh_pass: ThisIsWhereStrongPassesGo
    ansible_connection: winrm
    # Skips certificate validation; intended only for standalone, non-domain hosts
    ansible_winrm_server_cert_validation: ignore

  tasks:

Along with using the local admin account/pass, the WinRM connection method is named specifically. The variable to ignore the certificate validation is for standalone, non-domain hosts because a domain-joined instance should have certificates validated on the domain.


Where’s the Domain?

Speaking of domains, Ansible can spin up a new domain Continue reading

Don’t miss these Ansible Automation sessions at Red Hat Summit

The countdown is on! It’s just a few short days until Red Hat Summit. I’m Kaete Piccirilli and I do all things Ansible Marketing. While it’s not my first Summit at Red Hat, it’s the first one I’ll be attending, and I cannot be more excited to finally be in the mix of our customers, partners and open source communities.

Ansible Automation Breakout Sessions

Red Hat Summit has an action-packed few days planned, and I have picked a few Ansible Automation sessions that you won’t want to miss.

Managing 15,000 network devices with Ansible

Ansible allows network management across virtually any device platform. Any network device can be managed via SSH or an API. We took this cutting-edge network automation to scale with a customer’s global network infrastructure, giving them the ability to manage nearly all of their network devices at one time.

In this session, we'll discuss the architecture and strategies involved in network automation.

Manage Windows like Linux with Ansible

Few questions induce fear into the heart of a Linux admin more than, "Hey, can you manage these Windows servers?"

In this session, we'll show how Ansible does simple, secure, and agentless Windows management with the exact Continue reading

Using Ansible and Ansible Tower with shared roles

Roles are an essential part of Ansible, and help in structuring your automation content. The idea is to have clearly defined roles for dedicated tasks. In your automation code, the roles are called by the Ansible Playbooks.

Since roles usually have a well defined purpose, they make it easy to reuse your code for yourself, but also in your team. And you can even share roles with the global community. In fact, the Ansible community created Ansible Galaxy as a central place to display, search and view Ansible roles from thousands of people.

So what does a role look like? Basically it is a predefined structure of folders and files to hold your automation code. There is a folder for your templates, a folder to keep files with tasks, one for handlers, another one for your default variables, and so on:

tasks/ 
handlers/ 
files/ 
templates/ 
vars/ 
defaults/ 
meta/

In folders which contain Ansible code - like tasks, handlers, vars, defaults - there are main.yml files. Those contain the relevant Ansible bits. In case of the tasks directory, they often include other yaml files within the same directory. Roles even provide ways to test your automation code - in Continue reading

Connecting to a Windows Host

Welcome to the first installment of our Windows-specific Getting Started series!

Would you like to automate some of your Windows hosts with Red Hat Ansible Tower, but don’t know how to set everything up? Are you worried that Red Hat Ansible Engine won’t be able to communicate with your Windows servers without installing a bunch of extra software? Do you want to easily automate everyone’s best friend, Clippy?

Ansible-Windows-Clippy

Image source: aguyiknow.com.au

We can’t help with the last thing, but if you said yes to the other two questions, you've come to the right place. In this post, we’ll walk you through all the steps you need to take in order to set up and connect to your Windows hosts with Ansible Engine.

Why Automate Windows Hosts?

A few of the many things you can do for your Windows hosts with Ansible Engine include:

  • Starting, stopping and managing services
  • Pushing and executing custom PowerShell scripts
  • Managing packages with the Chocolatey package manager

In addition to connecting to and automating Windows hosts using local or domain users, you’ll also be able to use runas to execute actions as the Administrator (the Windows alternative to Linux’s sudo or su), so Continue reading

Porting Ansible Network Playbooks with New Connection Plugins

The Ansible Networking Team is excited about the release of Ansible 2.5. Back in February, I wrote about new Networking Features in Ansible 2.5, and one of the biggest areas of feedback was around the network_cli connection plugin. For more background on this connection plugin, please refer to the previous blog post. 

In this post, I convert existing networking playbooks that use connection: local to use connection: network_cli. Please note that the passwords are in plain text for demonstration purposes only. Refer to the Ansible Networking documentation page for the recommendation on using Ansible Vault for secure password storage and usage.

To demonstrate, let’s use an existing GitHub repository with working playbooks using the legacy connection local method. NOTE: The connection local method will continue to be supported for quite some time, and has not been announced as deprecated yet. This repository has several examples using Ansible and NAPALM but we are highlighting the Ansible Playbooks in this post. The GitHub repository can be found here.

Example 1 - Backing Up a Configuration

Networking platforms use their specific *_config platform module for easy backups within Ansible. For this playbook we are running the Ansible Playbook Continue reading

Using Ansible to Mitigate Network Vulnerabilities

Even Networks Aren’t Immune

Just like Windows and Linux servers, networking devices can be exploited through vulnerabilities found in their operating systems. Many IT organizations do not have a comprehensive strategy for mitigating security vulnerabilities that span multiple teams (networking, servers, storage, etc.). Since the majority of network operations is still manual, the need to mitigate quickly and reliably across multiple platforms consisting of hundreds of network devices becomes extremely important.

In Cisco’s March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, 22 vulnerabilities were detailed. While Red Hat does not report or keep track of individual networking vendors’ CVEs, Red Hat Ansible Engine can be used to quickly automate mitigation of CVEs based on instructions from networking vendors.

In this blog post we are going to walk through CVE-2018-0171 which is titled “Cisco IOS and IOS XE Software Smart Install Remote Code Execution Vulnerability.” This CVE is labeled as critical by Cisco, with the following headline summary:

“...a vulnerability in the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a Continue reading

Enable self-healing applications with Ansible and Dynatrace

The size, complexity and high rate of change in today’s IT environments can be overwhelming. Enabling the performance and availability of these modern microservice environments is a constant challenge for IT organizations. 

One trend contributing to this rate of change is the adoption of IT automation for provisioning, configuration management and ongoing operations. For this blog, we want to highlight the repeatable and consistent outcomes allowed by IT automation, and explore what is possible when Ansible automation is extended to the application monitoring platform Dynatrace.

Thanks to Jürgen Etzlstorfer for giving us an overview of the Ansible and Dynatrace integration.

---

Monitoring Today

Considering the size, complexity and high rate of change in today's IT environments, traditional methods of monitoring application performance and availability are often necessary and commonplace in most operations teams. Application performance monitoring (APM) platforms are used to detect bottlenecks and problems that can impact the experience of your customers.

Monitoring alone, however, isn’t always enough to help keep your applications running at peak performance. When issues are detected, APM platforms are designed to alert the operator of the problem and its root-cause. The Ops team can then agree on a corrective action, and implement this Continue reading

Ansible 2.5: LAUNCH AN Azure CONTAINER INSTANCE

The Ansible 2.5 release includes an additional 13 Azure modules for automators to use in their hybrid cloud journey. We have a goal of making automation as accessible as possible. As part of this goal, we are working with technology partners to bring additional automation know-how to the Ansible blog.

Special thanks to Kylie Liang from the Microsoft Azure DevEx team for giving us a closer look at one of the new Azure module features.

---

Launch an Azure Container Instance 

For this blog entry, we wanted to share a step by step guide to using the Azure Container Instance module that has been included in Ansible 2.5.

The Container Instance service is a PaaS offering on Azure that is designed to let users run containers without managing any of the underlying infrastructure. The Ansible Azure Container Instance module allows users to create, update and delete an Azure Container Instance.

Getting Started

For the purposes of this blog, we’ll assume that you are new to Azure and Ansible and want to automate the Container Instance service. This tutorial will guide you through automating the following steps:

  • Install Ansible and Docker
  • Set up credentials for your Azure modules
  • Create an Continue reading