How network engineers can get more sleep using Red Hat Ansible Automation Platform: Your guide to AnsibleFest 2022

Since connectivity is critical to all types of business applications including cloud apps, managing and maintaining the network often falls into the overnight hours. This is great for the business, but it puts a large wrinkle in your work-life balance. Luckily, AnsibleFest is here to help you get more sleep! 

Continued use of an overnight network management work model can leave you wondering what other technology career options are available… which may mean that your team is smaller than it used to be due to turnover. Search LinkedIn jobs for “Ansible engineer” and you will find as many as 166,000 roles that ask for some form of Ansible skills. Udemy published the 2020 Workplace Learning Trends Report: The Skills of the Future that describes increased enthusiasm for learning technologies such as automation (page 20) and Cisco cites market research showing nearly 23% growth in network automation from 2022 to 2028. If you are in networking, automation can be very important to boost your career. 

Across networking domains, automation plays a key role in helping to balance working hours, so Ansible skills can be good to develop. Red Hat Ansible Automation Platform makes management and other tasks faster and Continue reading

Ansible vs. Terraform Demystified

Ansible and Terraform are two very powerful but unique open source IT tools that are often compared in competitive discussions.  We often see comparisons of the two tools - but many times, these comparisons are done purely from a “spec sheet” comparison. This type of comparison, while an interesting read, doesn’t take into account using the products at scale or if the comparison is realistic as a binary all-or-nothing approach. We at Red Hat have been helping enterprises for over 20 years and have a good idea how most IT administrators are using these two tools in production. Although both tools can generally do most things, we typically see that they are each leveraged by means of their biggest strengths as opposed to having to choose one or the other.

Spoiler:  The two tools are better together and can work in harmony to create a better experience for developers and operations teams.

Both Ansible and Terraform are open source tools with huge user bases, which often leads to cult followings because of the classical “hammer” approach.  That is, if my only tool is a hammer, every problem will start resembling a nail. This ends up trying to solve new Continue reading

The anatomy of automation execution environments

Red Hat Ansible Automation Platform 2 introduced  major architectural changes, like automation mesh and automation execution environments, that help extend Ansible automation across your organization in a flexible manner, providing a single solution to all your organizational and hybrid cloud automation needs.

Automation execution environments are container images that act as Ansible runtimes for automation controller jobs. Ansible Automation Platform also includes a command-line tool called ansible-builder(execution environment builder)that lets you create automation execution environments by specifying Ansible Content Collections and Python dependencies.

In general, an automation execution environment includes:

• A version of Python.
• A version of ansible-core.
• Python modules/dependencies.
• Ansible Content Collections (optional).

In this blog, I will take you through the inner workings of ansible-builder and how all the above requirements are packaged inside automation execution environments and delivered as part of Ansible Automation Platform.

A tale of two ansible-builder packages

As all projects in Red Hat, ansible-builder follows an open development model and an upstream-first approach. The upstream project for ansible-builder is distributed as a Python package, and then packaged into an RPM for Ansible Automation Platform downstream.This also means that there are different ways to install the upstream package and the downstream ansible-builder.

NOTE: Continue reading

The Automation Experience: AnsibleFest 2022

It is almost time for our favorite event of the year! AnsibleFest is back as an in-person event, and it’s the only place to feel the full power of automation. Join us October 18 and 19 in Chicago, and immerse yourself in the movement that’s made Ansible an industry-leading automation technology.

The AnsibleFest 2022 session catalog and agenda builder are now available. That means you can see all this year’s session content and build your own custom experience. Let’s take a closer look at all that AnsibleFest 2022 has to offer.

Breakout Sessions

This year we will be featuring six content tracks. These tracks include: Getting Started with Automation, the Ansible Community, Automation Applied, Ansible Automation Platform, Advanced Ansible, and Automation Adoption. Sessions across these tracks will cover a range of focus areas, including network automation, security automation, automation at the edge, IT leaders, developers, and several more. We also have a wide range of customer, partner, and Ansible contributor talks to join. You can see a list of all the sessions being offered in our session catalog.

Workshops and Labs

Get hands-on experience at AnsibleFest in our workshops and labs. We will have a mixture of self-paced Continue reading

Managing AWS Key Pairs with Pulumi and Go

As I was winding down things at Kong and getting ready to transition to Pulumi (more information on why I moved to Pulumi here), I casually made the comment on Twitter that I needed to start managing my AWS key pairs using Pulumi. When the opportunity arose last week, I started doing exactly that! In this post, I’ll show you a quick example of how to use Pulumi and Go to declaratively manage AWS key pairs.

This is a pretty simple example, so let’s just jump straight to the code:

_, err := ec2.NewKeyPair(ctx, "aws-rsa-keypair", &ec2.KeyPairArgs{
	KeyName:   pulumi.String("key-pair-name"),
	PublicKey: pulumi.String("<ssh-key-material-here>"),
	Tags: pulumi.StringMap{
		"Owner":   pulumi.String("User Name"),
		"Team":    pulumi.String("Team Name"),
		"Purpose": pulumi.String("Public key for authenticating to AWS EC2 instances"),
		},
	})
	if err != nil {
		return err
	}

This code is, by and large, pretty self-explanatory. For PublicKey, you just need to supply the contents of the public key file (use cat or similar to get the contents of the file) where Continue reading

Technology Short Take 159

Welcome to Technology Short Take #159! If you’re interested in finding some links to articles around the web on topics like WASM, Git, Sigstore, or EKS—among other things—then you’ve come to the right place. I’ve spent the last few weeks collecting articles I think you’ll find useful, gleaning them from the depths of Twitter, RSS feeds, Reddit, and Slack. Enjoy, and never stop learning!

Networking

• I’m not a Tailscale user (although I do use WireGuard), but this KB article describing how to use Tailscale on AWS App Runner is pretty cool.
• Speaking of WireGuard: here’s a tutorial on setting up WireGuard on Ubuntu (both 20.04 and 22.04 are covered).
• Ivan Pepelnjak laments the sad state of terminology surrounding router interfaces and switch ports.

Servers/Hardware

• Steven J. Vaughan-Nichols discusses a leak discovered in Intel SGX. It’s a shame, too…I had high hopes for SGX.
• I found Andrew Meier’s post on his personal infrastructure interesting to read. I stopped doing the homelab thing back in 2016, but it’s still interesting to read about how others do things. Thanks for sharing, Andrew!

Security

• Hayden Blauzvern talks through how organizations with existing infrastructure for signing (here we are referring to signing packages Continue reading

Monitoring Red Hat Ansible Automation Platform on Red Hat OpenShift – The Easy Way

As Red Hat Ansible Automation Platform enables teams and organizations to drive their automation from across the cloud and on-premise, keeping Ansible Automation Platform healthy with the ability to monitor key metrics becomes paramount.

This blog post demonstrates how to monitor the API metrics provided by an Ansible Automation Platform environment when deployed within Red Hat OpenShift.

What will we use to monitor the API metrics?

Prometheus and Grafana. 

Prometheus is an open source monitoring solution for collecting and aggregating metrics. Partner Prometheus’ monitoring capabilities with Grafana, an open source solution for running data analytics and pulling up metrics in customizable dashboards, and you get a real-time visualization of metrics to track the status and health of your Ansible Automation Platform.

What can we expect?

Expect to be fast-tracked to a deployment of Ansible Automation Platform that is monitored by Prometheus paired with a Grafana Ansible Automation Platform dashboard showing those metrics in real time.

This blog will guide you through:

• The deployment of Prometheus using an operator.
• Configuring your Prometheus deployment to capture Ansible Automation Platform metrics.
• The deployment of Grafana using an operator.
• Configuring Grafana with a pre-built dashboard that displays the Ansible Automation Platform Continue reading

DevOps and CI/CD with automation controller

DevOps strives to improve service delivery by bringing teams together, streamlining processes, automating tasks and making these available in a self-service manner.

Many organisations don’t realise the full benefits of DevOps for multiple reasons, including unintegrated tools, manual handovers, and lack of a unified automation solution, leading to islands of automation.

“If we develop automation and pipelines that aren’t cohesive and don’t interoperate, there’s a lot of risk of chaos.”

Jayne Groll, CEO, DevOps Institute.

Red Hat Ansible Automation Platform offers an easy-to-understand automation language, a vast array of IT ecosystem integrations, and enterprise features, such as an API and Role-Based Access Control (RBAC). This blog demonstrates how these capabilities can help accelerate your DevOps practices using simple, practical examples. 

This blog covers:

• Using Ansible Automation Platform to automate DevOps tooling configurations.
• Integration of Ansible Automation Platform into existing DevOps environments.
• Orchestrating DevOps workflows using automation controller.
• Use controller approvals to allow for final sign-off of services before production deployment.

Note

The examples shared in this blog are based on the “DevOps and CI/CD with automation controller” self-paced lab. Feel free to get hands-on and try it out!

Environment overview

Let’s explore the tools Continue reading

Managing a VMware Template Lifecycle with Ansible

When we manage a large number of virtual machines (VMs), we want to reduce the differences between them and create a standard template. By using a standard template, it becomes easier to manage and propagate the same operation on the different nodes. When using VMware vSphere, it is a common practice to share a standardized VM template and use it to create new VMs. This template is often called a golden image. Its creation involves a series of steps that can be automated with Ansible. In this blog, we will see how one can create and use a new golden image.

Prepare the golden image

We use image builder to prepare a new image. The tool provides a user interface that allows users to define custom images. In this example, we include the SSH server and tmux. The result image is a file in the VMDK4 format that is not totally supported by VMware vSphere 7, so this is the reason why we use a .vmdk-4 suffix.

We upload the image using the uri module. Uploading large files using this method is rather slow. If you can,  you may want to drop the file on the datastore directly (e. Continue reading

Creating automation execution environments using ansible-builder and Shipwright

Reproducibility and consistency are two key traits that are the driving forces behind the popularity of containers. Consistency is also a principle found within Red Hat Ansible Automation Platform. With only a few lines of YAML-formatted manifests, thousands of instances can be set up and configured uniformly. While the management of target instances is simple, it is the control node, or where the Ansible execution is initiated, that can  be the most challenging aspect. As Ansible is written in Python, does the machine have the correct version of Python installed?  Are the necessary Python modules installed? Are there any operating system dependencies needed? The list goes on and on.

These concerns, along with many others, led to a desire to leverage the benefits of containers to perform the control node’s role and eventually ushered in the concept of automation execution environments in Ansible Automation Platform 2. Running Ansible within containers is not a new concept and has been used quite successfully for some time now. However, there was no consistent process for building the container or executing Ansible from within the container. It seemed like everyone and anyone had their own version of running Ansible in a container. Ansible Continue reading

Jumping Off Cliffs

For quite a few years, I’ve had this desktop wallpaper that I really love. I don’t even remember where I got it or where it came from, so I can’t properly attribute it to anyone. I use this wallpaper from time to time when I want to be reminded to challenge myself, to learn new things, and to step outside of what is comfortable in order to explore the as-yet-unknown. Looking at this wallpaper on my desktop a little while ago, I realized that I may have started taking the inspirational phrase on this wallpaper for granted, instead of truly applying it to my life.

Here’s the wallpaper I’m talking about:

To me, this phrase—illustrated so well by the wallpaper—means taking a leap into the unknown. It means putting yourself into a position where you are forced to grow and adapt in order to survive. It’s going to be scary, and possibly even a bit painful at times. In the end, though, you will emerge different than when you started.

It’s been a while since I did that, at least from a career perspective. Yes, I did change jobs a little over a year ago when I left VMware to Continue reading

Technology Short Take 158

Welcome to Technology Short Take #158! What do I have in store for you this time around? Well, you’ll have to read the whole article to find out for sure, but I have links to articles on…well, lots of different topics! DNS, BGP, hardware-based security, Kubernetes, Linux—they’re all in here. Hopefully I’ve managed to find something useful for someone.

Networking

• Shank Mohan explains some details on NSX-T Tier-1 Service Router (SR) placement.
• See this page for instructions on how to enable BBR on Debian 10.
• Christopher Vierheller supplies a concise guide on how to add custom symbols to EVE-NG.
• Alex Neihaus provides readers with a walkthrough for adding BGP routes to AWS security groups.
• Via Russ White, RFC 9199 was drawn to my attention (“Considerations for Large Authoritative DNS Server Operators”).

Servers/Hardware

• Gabriel Sieben ruminates on the potential dangers of Microsoft Pluton, a new security chip co-developed by Microsoft and AMD.

Security

• Jason Avery walks readers through using Atomic Red Team to test Falco rules in Kubernetes environments. This is pretty neat.
• Also on the Sysdig blog, Miguel Hernández recaps his KubeCon EU 2022 talk on how attackers used an exposed Prometheus server to exploit Kubernetes clusters.
• Kat Continue reading

Creating Kubernetes Dynamic Inventories with kubernetes.core Modules

When managing infrastructure, there are times when a dynamic inventory is essential. Kubernetes is a perfect example of this where you may create multiple applications within a namespace but you will not be able to create a static inventory due to Kubernetes appending a systems-generated string to uniquely identify objects. 

Recently, I decided to play with using a Kubernetes dynamic inventory to manage pods, but finding the details on how to use and apply it was a bit scarce. As such, I wanted to write a quick start guide on how you can create an Ansible Playbook to retrieve your pods within a namespace and generate a Kubernetes dynamic inventory. 

This is much easier to do when you take advantage of the kubernetes.core.k8s_info module.

In my example, I’m going to take advantage of using my existing ansible-automation-platform namespace that has a list of pods to create my dynamic inventory. In your scenario, you’d apply this to any namespace you wish to capture a pod inventory from. 

When creating your inventory, the first step is to register the pods found within a particular namespace. Here’s an example of a task creating an inventory within the ansible-automation-platform Continue reading

Revisiting X.509 Certificates in Kubeconfig Files

In 2018, I wrote an article on examining X.509 certificates embedded in Kubeconfig files. In that article, I showed one way of extracting client certificate data from a Kubeconfig file and looking at the properties of the client certificate data. While there’s nothing technically wrong with that article, since then I’ve found another tool that makes the process a tad easier. In this post, I’ll revisit the topic of examining embedded X.509v3 certificates in Kubeconfig files.

The tool that I’ve found is yq, which is an incredibly useful tool when it comes to parsing YAML (much in the same way that jq is an incredibly useful tool when it comes to parsing JSON). I should probably write some sort of introductory post on yq.

In any case, you can use yq to replace the grep plus awk combo outlined in my earlier article on examining certificate data in Kubeconfig files. Instead, to pull out only the client certificate data, just use this yq command (you did know that Kubeconfig files are YAML, right?):

yq '.users[0].user.client-certificate-data' < ~./kube/config

(Of course, this command assumes your Kubeconfig file is named config in the ~/.kube Continue reading

Posts from the Past, August 2022

I thought I might start highlighting some older posts here on the site through a semi-regular “Posts from the Past” series. I’ll start with posts published in the month of August through the years. Here’s hoping you find something that is useful (or perhaps entertaining, at least)!

August 2021

Last year, I had a couple of posts that I think are still relevant today. First, I talked about using Pulumi with Go to create a VPC Peering relationship on AWS. Second, I showed readers how to have Wireguard interfaces start automatically (using launchd) on macOS.

August 2020

I didn’t write too much in August 2020; my wife and I took a big road trip around the US to visit family and such. However, I did publish a post on some behavior changes in version 0.5.5 of the Cluster API tool clusterawsadm.

August 2019

This was a busy month for the blog! In addition to two Technology Short Takes, I also published posts on converting Kubernetes to an HA control plane, reconstructing the kubeadm join command (in the event you didn’t write down the output of kubeadm init), and one introducing Cluster API.

August 2018

In Continue reading

Site Category Changes

This weekend I made a couple of small changes to the categories on the site, in an effort to make navigation a bit more intuitive. In the past, readers had expressed some confusion over the “Education” and “Explanation” categories, and—to be frank—their confusion was warranted. I also wasn’t clear on the distinction between those categories, so this post explains the changes I’ve made.

The following category changes are now in effect on the site:

• First, the “Education” category has been completely removed. I try to make almost everything on this site educational in nature, so why have an “Education” category? This really only affects you if you’d subscribed to that category’s RSS feed. (Did you know that every category and every tag has its own RSS feed?)
• A lot of the content from the “Education” category has been moved into the “Explanation” category. This is the category that will contain posts where I provide some level of explanation around a concept, technology, product, or project.
• The “Tutorial” category also picked up some new articles from the now-eliminated “Education” category. The “Tutorial” category contains walkthroughs or step-by-step instructions for doing something. There’s most likely going to be explanation along the Continue reading

Peeling back the layers and understanding automation mesh

Red Hat Ansible Automation Platform 2 features an awesome new way to scale out your automation workloads: automation mesh.  If you are unfamiliar with automation mesh, I highly recommend reading Craig Brandt’s blog post What's new: an introduction to automation mesh which outlines how automation mesh can simplify your operations and scale your automation globally.  For this blog post, I want to focus on the technical implementation of automation mesh, what network ports it is using and how you can secure it. 

To quickly summarize both Craig’s blog post and our documentation, we separated the control plane (which includes the webUI and API) from the execution plane (where an Ansible Playbook is executed) in Ansible Automation Platform 2.  This allows you to choose where jobs run across execution nodes, so you can deliver and run automation closer to the devices that need it. In our implementation, there is four different types of nodes:

• Control plane nodes: These are  accessed either via the WebUI and API. Execution capabilities are disabled on these nodes. 
• Execution nodes: This is where Ansible Playbooks are actually executed.  This node will run an automation execution environment which in Continue reading

Using Default AWS Resources with Pulumi

Per the AWS documentation (although I’m sure there are exceptions), when you start using AWS you are given some automatically-created resources: a default VPC that contains public subnets in each availability zone in the region along with an Internet gateway and settings to enable DNS resolution. Most of the infrastructure-as-code tutorials that I’ve seen start with creating a VPC and subnets and gateway, but what if you wanted to use these default resources instead? I wasn’t really able to find a good walkthrough on how to do this, so this post provides some sample Go code you can use with Pulumi to identify these default AWS resources and use them.

I’ll approach this from the perspective of wanting to launch an EC2 instance in the default infrastructure that AWS provides for you in a region. To launch an EC2 instance using Pulumi (and most other infrastructure-as-code tools), there are several pieces of information you need:

1. An AMI ID
2. The instance type
3. The name of an SSH keypair that’s been uploaded to/created in AWS
4. A subnet ID
5. A security group ID

The first three are probably things you’ll want to parameterize (i.e., make it possible for you to pass Continue reading

Using Red Hat Ansible Automation Platform to Enable a Policy as Code Solution

Nelson, the director of operations of a large manufacturing company, told me that he has a highly leveraged staff. That is, most of the work on the company's critical cloud project is being done by consultants and vendors, and not by their team members. Unfortunately, much of the staff’s time is spent making sure that the infrastructure as code (IaC) implementation is in compliance with the standards and policies that his company has for cloud resources. Nelson said, “Oftentimes the code works, but doesn’t conform to naming conventions, or is missing labels, or has security issues, which impacts downstream workflows and applications. We need the environment to conform to our policies, and I don’t want my staff burning cycles to ensure that this is the case.” This was the reason why he brought me in to run a proof of concept (POC). The POC would validate what would become a Policy as Code solution based on one of the common IaC products.  

When the technical team and I reviewed the proof points for the POC, and it was a standard demonstration of Policy as Code capabilities, it was determined that Red Hat Ansible Automation Platform would satisfy all Continue reading

Technology Short Take 157

Welcome to Technology Short Take 157! I hope that this collection of links I’ve gathered is useful to someone out there. In particular, the “Career/Soft Skills” section is a bit bigger than usual this time around, as is the “Security” section.

Networking

• Interested in understanding how NAT Traversal works? David Anderson’s post on how NAT Traversal works should help.
• This happened a couple of months ago, but I don’t think I’ve linked to it in a Technology Short Take: the Envoy Proxy open source project announced Envoy Gateway, a “new member of the Envoy Proxy family aimed at significantly decreasing the barrier to entry when using Envoy for API Gateway (sometimes known as ’north-south’) use cases”.
• This is a slightly older article from Ivan Pepelnjak on using netsim-tools to build Vagrant boxes, but let’s be real—his stuff is kind of timeless anyway, right?

Security

• Tal Maor, along with Nirit Tyomkin, describe moving laterally between Azure AD-joined machines.
• Phil Stokes of SentinelOne describes some of the early security changes found in macOS “Ventura” (i.e., macOS 13).
• Falco recently (at the start of June) released version 0.32.0, which included a number of fairly significant changes. Read more Continue reading