What’s new: network automation with ansible.netcommon 3.0.0
With the recent release of the ansible.netcommon Collection version 3.0.0, we have promoted two features as standard: libssh transport and import_modules. These features provide increased performance and resiliency for your network automation. These two features, which have been available since July 2020 (libssh) and March 2021 (import_modules), are now turned on by default for playbooks running the latest version of the netcommon Collection, so let's take a look at what makes these changes so exciting!
The road to libssh
Libssh support was formally announced in November 2020 for FIPS mode compatibility and speed. This blog goes into great detail about why we started this change, and it's worth a read if you want to know more about how we use paramiko or libssh in the network_cli connection plugin. I'm going to try not to rehash everything from that post, but I do want to take a little time to revisit security and speed to show what libssh brings to the experience of using ansible with network devices.
FIPS Mode
One of the earliest issues we identified with paramiko, our earlier SSH transport plugin, is that it was not FIPS 140 compliant. This meant that environments Continue reading
Technology Short Take 156
Welcome to Technology Short Take #156! It’s been about a month since the last Technology Short Take, and in that time I’ve been gathering links that I wanted to share with my readers. (I still have quite the backlog of links to read!) Hopefully something I share here will prove useful to someone. Enjoy the links below, and enjoy your weekend!
Networking
- I’d never heard of Pipy before seeing it in this article, but it look like it could be quite useful for a number of use cases.
- William Morgan, one of the creators of Linkerd, has a lengthy treatise on eBPF, sidecars, and the future of the service mesh. As a (relative) layperson—meaning I’m not an eBPF expert—I don’t know if I should believe the eBPF cheerleaders (some of whom I know personally and are familiar with their technical expertise) or folks like William who have clearly “been there, done that” with service mesh. I certainly think there’s a place for eBPF in service meshes, but I’m not yet on board with sidecar-less service meshes (or per-node proxy models).
Security
- BPFDoor, as it is known, is a passive backdoor that allows threat actors to remotely connect Continue reading
Digitally signing Ansible Content Collections using private automation hub
Red Hat Ansible Automation Platform can manage and execute automation made from many different origins, coming from Red Hat product teams, ISV partners, community and private contributors.
Here is a typical makeup of an automation play that is launched from automation controller:
- A job template is executed by automation controller and is a playbook.
- The playbook runs inside of an automation execution environment by the automation controller.
- The automation execution environment is made using the execution environment builder (ansible-builder tool).
- When ansible-builder creates the execution environment, it includes dependencies.
- The dependencies are Ansible Content Collections and their requirements.
- Collections and their dependencies can be private, community-based, or supplied by Red Hat or its ISV partners.
Previously, there was no way to verify that a Collection downloaded from either Ansible automation hub (console.redhat.com) or private automation hub was developed and released by its original Collection maintainer. This is a potential security issue and breaks the supply chain from creator to consumer.
Providing security-focused features in Ansible Automation Platform 2 continues to be a priority, to enable the execution of certified and supported automation anywhere in your hybrid cloud environment. New in Ansible Automation Platform 2.2 is Continue reading
Scaling Automation Controller for API Driven Workloads
When scaling automation controller in an enterprise organization, administrators are faced with more clients automating their interactions with its REST API. As with any web application, automation controller has a finite capacity to serve web requests, and web clients can experience degraded service if that capacity is met or superseded.
In this blog, we will explore methods to:
- Increase the number of web requests an Red Hat Ansible Automation Platform cluster can serve.
- Implement best practices on the client side to reduce the load on the automation controller API to improve performance and uptime.
We will use automation controller 4.2 in our examples, but many of the best practices and solutions described in this blog apply to most versions, including Ansible Tower 3.8.z.
Use cases that cause high-volume API requests
In this section, we will outline some of the use cases that can drive a high volume of API requests. In the recommendations section, we will address options to improve the quality of service at the client, load balancer, and controller levels.
External inventory management
In some use cases, organizations maintain their inventory in an external system. This practice can lead to a pattern Continue reading
Red Hat Ansible Automation Platform on Microsoft Azure – Network Access – blog #2
Thank you to Hicham Mourad and Scott Harwell for co-authoring this blog.
Introduction
In this blog series, we will continue discussing the deployment of Red Hat Ansible Automation Platform on Microsoft Azure.
The first blog covered the deployment process as well as how to access a Red Hat Ansible Automation Platform on Azure deployment that was deployed using the “Public” access option.
This blog we’ll cover how to access the managed application when it’s deployed using the “Private” access option.
Connecting to Red Hat Ansible Automation Platform on Microsoft Azure
There are three ways you can access Red Hat Ansible Automation Platform on Azure if you selected “Private” access.
- An Azure hosted virtual machine (VM)
- Azure VPN or Direct Connect
- SSH Tunnel
Let’s assume that you have already configured network peering between the Red Hat Ansible Automation Platform on Azure deployment, on the Azure network and your existing Azure Virtual Networks. Network peering is an Azure action for connecting two or more networks on Azure that route traffic to resources across those networks. See Microsoft Azure documentation for more information on network peering types.
Access Details
Regardless of whether you selected public or private Continue reading
Red Hat Ansible Automation Platform on Microsoft Azure – Network Access – blog #1
Introduction
In this blog series we will discuss the deployment of Red Hat Ansible Automation Platform on Microsoft Azure, specifically focusing on the deployment access types and what that means for accessing Red Hat Ansible Automation Platform on Azure after deployment completion.
Deployment Access Types
First let’s start by discussing the different deployment access types.
During deployment, Red Hat Ansible Automation Platform on Azure will present an option called “Access” that determines how you will access the user interfaces.
Access Selection at Deploy Time
| Deployment Type |
Details |
| Public |
Public deployments allow ingress to the user interfaces over the public internet. Upon deployment, a domain name is issued to the Red Hat Ansible Automation Platform on Azure instance, and users will be able to navigate to the domain to login. This is the easiest approach to deploy because there is no configuration required to access Red Hat Ansible Automation Platform on Azure. Public Access Architecture Diagram below |
Public Access Architecture Diagram
| Deployment Type |
Details |
| Private |
Private deployments omit access from the public internet. When deployed, Red Hat Ansible Automation Platform on Azure will reside in an isolated Azure VNET with no access from external sources or even other Continue reading |
Pump-Up your ITIL with Automation
In the world of automation and agility, it seems that Information Technology Infrastructure Library (ITIL) doesn’t have a role to play anymore, being marked as an “old school” framework. Can it be the end of the methodology after it served numerous IT organizations for so long as a guideline and blueprint for their processes?
This series of articles shows how automation, and more specifically Red Hat Ansible Automation Platform and the principles of Infrastructure as Code (IaC), can help bring some of the ITIL topics into the agile and automated bliss:
- Configuration management
- Change and release management
- Incident and problem management
So let’s step into the topic of configuration management and what everybody still knows as CMDB (Configuration Management Database) even if ITIL has since long titled it as CMS (Configuration Management System). This name change was meant to highlight the fact that the function can be fulfilled by a combination of multiple databases and tools, but it won’t matter here, so we’ll stick to the infamous CMDB term.
Do you love your CMDB? Probably not, according to my experience with numerous customers. The data is generally outdated and wrong, considered useless, which means that its maintenance is considered a Continue reading
8 private automation hub features about automation execution environments
Red Hat Ansible Automation Platform 2.1 introduced automation execution environments, which is a new way to package automation into a container runtime environment. In addition, private automation hub also joined the party by adding significant support for execution environments.
Let's dive into those features:
Feature 1 - The registry
Private automation hub now ships with the pulp container registry. This means it can store and serve up container images.
We only support the Ansible private automation hub registry serving execution environment images.
Feature 2 - Remote registries
The Ansible private automation hub user interface allows the administrator to define remote registries. This allows for the registry to mirror container images from their source. A good example of remote registries is adding the base execution environment images available at Red Hat.
To access the Red Hat registry, visit registry.redhat.io and use the same username and password that you use for access.redhat.com.
Upon adding the registry, you will see a new remote registry definition.
Feature 3 - Indexing a remote registry
This capability is available after you have added a remote registry as per Feature 2;click the menu on the registry Continue reading
Inside Ansible Automation Platform’s Automation Services Catalog
Red Hat Ansible Automation Platform 2.2 introduces a technical preview of automation services catalog.
Automation services catalog was first developed in the cloud at console.redhat.com, with capabilities for fast, agile development and feature release. Over time, Red Hat continually adapted features to meet customer requirements and incorporate their feedback. As customers became more familiar with the benefits, they’ve since requested the ability to access these catalog components within their firewalled infrastructure with direct access to the Ansible clusters and their corporate identity services. We continue to listen and are providing a private version of automation services catalog, installed by the platform installer alongside automation controller and private automation hub.
Products, Portfolios and Platforms
As far as catalogs go, there is a fairly standard pattern to follow. Here is the first glimpse of the user interface.
This image shows what are known as “products”. Products reside within “portfolios,” which allow the administrator to group products into sharable, access controlled folders. Products are simply references to a job template or workflow.
What I really like about having this new level of abstraction is that I can reference the same job template in a product multiple times. Continue reading
Making Flatpak Firefox use Private Browsing by Default
In April 2021 I wrote a post on making Firefox use Private Browsing by default, in which I showed how to modify the GNOME desktop file so that Firefox would open private windows by default without restricting access to normal browsing windows and functionality. I’ve used that technique on all my Fedora-based systems since that time, until just recently. What happened recently, you ask? I switched to the Flatpak version of Firefox. Fortunately, with some minor tweaks, this technique works with the Flatpak version of Firefox as well. In this post, I’ll share with you the changes needed to make the Flatpak version of Firefox also use private browsing by default.
When working with the non-Flatpak version of Firefox, the GNOME desktop file installed with the Firefox package is found at /usr/share/applications. In my earlier article, I suggested editing that file to add the --private-window parameter to the Exec line. Unfortunately, that change gets overwritten every time the Firefox package is updated. It’s better, actually, to use a locally customized desktop file placed in ~/.local/share/applications instead, which will take precedence over the shared desktop file.
With the Flatpak version of Firefox, there is still a shared Continue reading
Released: Automation content navigator 2.0
Automation content navigator releases with Ansible Automation Platform 2.2
What is it?
Automation content navigator was released alongside Red Hat Ansible Automation Platform 2.0 and changed the way content creators build and test Ansible automation. Navigator 1.0 drew together multiple Ansible command line tools like ansible-playbook, ansible-doc, ansible-config, etc. and continues to accrue seriously useful new features to help deliver greater flexibility to automation creators.
Coinciding with the release of Ansible Automation Platform 2.2, navigator 2.0 introduces improvements to existing functionality alongside additional features to aid in the development of automation content.
Within navigator 2.0, you will find:
- Automation execution environment image build support
- Ability to interact in real-time with automation execution environments
- Settings subcommand to view active configuration of local environment
- Generate a sample configuration file that can be used for new projects
- Automatic mode selection (stdout vs. interactive)
- Technology preview lint support, UI improvements, Collections view support for Ansible built-ins, time zone support, color enhancements, and more!
Looking closer
Image builder support
Before the release of navigator 2.0, a separate command line application (ansible-builder) was needed to build execution environment images from human readable YAML files. With this release, ansible-navigator Continue reading
Automating multi-vendor network prefix-lists
To keep the networks healthy, cause connectivity matters
I love being a network engineer, even though I struggled to explain to non-networking people about the utmost relevance of network administration. However, during the last two years of the COVID-19 pandemic, the world could see the relevance of having connectivity. Networks are the highways of information. Data, applications, entertainment, and factories need the network connectivity roads to make the world run. It’s interesting that even network models to estimate traffic behavior use algorithms that are similar to the ones to estimate transportation.
To enable this communication, networks have to interconnect through routing protocols. There are many ways to configure routing; you can permit or restrict traffic to certain networks to leave some sectors isolated, and propagate routes to allow connectivity only to specific segments of your network.
When you configure routing settings to allow this interconnection, you not only want to reach the ultimate purpose of configuring connectivity, but you want to do this in an efficient manner.
The use of prefix-lists is one mechanism to permit a better use of resources in your routers. In this blog we are going to briefly cover why prefix-lists configuration is relevant, and Continue reading
Git Difftool and Meld as a Flatpak
I’ve recently started migrating many of the applications on my Fedora 36 laptop to their Flatpak versions. For the most part, this has been pretty straightforward, although there isn’t really any method for migrating configuration and data. Today I ran into a problem with Meld, a graphical diff utility, and using it with the git difftool command. Below I’ll share how I worked around this problem.
Normally, the integration between Git and Meld—which is what enables you to run git difftool and have the results show up in Meld—would look something like this (this is from ~/.gitconfig):
[merge]
tool = meld
[diff]
tool = meld
[difftool]
prompt = no
[difftool "meld"]
cmd = /usr/bin/meld "$LOCAL" "$REMOTE"
[mergetool "meld"]
cmd = /usr/bin/meld "$LOCAL" "$REMOTE"
However, when Meld is installed as a Flatpak, /usr/bin/meld doesn’t exist. In order to continue using Meld with the git difftool command, you must change the Git configuration to look like this instead:
[merge]
tool = meld
[diff]
tool = meld
[difftool]
prompt = no
[difftool "meld" Continue readingTechnology Short Take 155
Welcome to Technology Short Take #155, just in time for the 2022 Memorial Day holiday weekend! (Here in the US, at least.) I mean, don’t you want to spend this weekend catching up on some technology-related articles instead of cooking on the grill and gathering with friends and family? I certainly hope not! Still, for those who need a little technology fix over the weekend, hopefully I’ve included something useful in the list of articles below. Enjoy!
Networking
- Isovalent—the company behind the Cilium project—has been talking a lot about how the use of eBPF will transform things, including the architecture of a service mesh. Along those lines, one of their latest articles discusses how to achieve identity-based mutual authentication leveraging eBPF. If I’m understanding the article correctly (and feel free to correct me if I am mistaken) it looks as if Cilium Service Mesh will leverage/does leverage a combination of certificate-based mTLS for identity at the workload level and node-based transport encryption (via WireGuard) for data confidentiality. Even though I know that the underlying mechanisms are different, subjectively this feels a lot like using tunnels to connect workloads on different compute nodes (i.e., network virtualization). Is the Continue reading
What’s new in Ansible Automation Platform 2.2
The Ansible product team at Red Hat is thrilled to announce the general availability of Red Hat Ansible Automation Platform 2.2, which includes numerous features and bug fixes that further solidify Ansible Automation Platform as the de facto enterprise IT automation solution for developers to operations teams in data centers, clouds, and at the edge. A few of the most noteworthy features in this release include:
- New automation topology viewer in automation controller
- Red Hat Ansible Certified Content Collections to be digitally signed in Ansible automation hub
- Updated Ansible developer and creator tooling: ansible-navigator, ansible-lint, and VSCode language server support
- Enhanced network automation Collections
- Automation services catalog now available on-premise
- Reporting and analytics of automation data are now further integrated and streamlined
- Red Hat Enterprise Linux 9 support
Don’t forget to check out the product documentation including the release notes!
Automation topology viewer
Let’s face it, automating at enterprise scale is really hard. Although many features were added for the content creator and developer in Ansible Automation Platform 2, the automation operations teams are typically responsible for making sure automation is up and running as it should across all inventories, worldwide, with 24/7 availability and uptime. As enterprise Continue reading
Exploring New Possibilities with the AWS Cloud Control Collection
We recently made available an experimental alpha Collection of generated modules using the AWS Cloud Control API for interacting with AWS Services. This content is not intended for production in its current state. We are making this work available because we thought it was important to share our research and get your feedback.
In this post, we’ll highlight how to try out this alpha release of the new amazon.cloud content Collection.
The AWS Cloud Control API
Launched in September 2021 and featured at AWS re:Invent, AWS Cloud Control API is a set of common application programming interfaces (APIs) that provides five operations for developers to create, read, update, delete, and list (CRUDL) resources and make it easy for developers and partners to manage the lifecycle of AWS and third-party services in a standard way.
The Cloud Control API provides support for hundreds of AWS resources today with support for more existing AWS resources across services such as Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Simple Storage Service (Amazon S3) in the coming months.
AWS delivers a broad and deep portfolio of cloud services. It started with Amazon Simple Storage Service (Amazon S3) and grew over Continue reading
Uplevel your automation skills with Red Hat training for Ansible Automation Platform
Red Hat Ansible Automation Platform 2 includes major features that allow customers to onboard more easily with even more flexible automation architectures and use cases. Ansible Automation Platform enables IT professionals to automate at enterprise scale more easily and flexibly. This means that everything you know and love about writing Ansible Playbooks is largely unchanged, but what is evolving is the underlying implementation of how automation is developed, managed, and operated in large complex environments.
Ansible Automation Platform now includes new automation creator tools such as ansible-lint, ansible-navigator and ansible-builder, a new architecture using container-based automation execution environments and automation mesh, and new tools such as private automation hub and automation services catalog to help operationalize teams to work together. For a complete list of everything included in your subscription, check out the knowledge base article: What is included in Red Hat Ansible Automation Platform subscription? If you prefer to consume our content via videos, check out my blog and YouTube video: Ansible Automation Platform - A video tour.
That is a lot of cool new stuff that is included in your Red Hat subscription! You might be thinking that your Ansible knowledge is really good, but you are unsure Continue reading
Automation at the Edge – Summit 2022
As some of you may know, Red Hat Summit was back in person in Boston last week. For those who are not familiar, Red Hat Summit is the premier enterprise open source event for IT professionals to learn, collaborate, and innovate on technologies from the datacenter and public cloud to the edge and beyond. Red Hat made a lot of exciting announcements, with several that included Red Hat Ansible Automation Platform. If you could not make the event or would like to revisit some of the content, you can access any session on demand.
One of the big announcements at Summit was the unveiling of new levels of security from the software supply chain to the edge. In Ansible Automation Platform 2.2, Red Hat is introducing a technical preview of Ansible content signing technology. The new capability helps with software supply chain security by enabling automation teams to validate that the automation content being executed in their enterprise is verified and trusted.
With the announcement of this new edge capability, we showcased a session for Ansible and edge that is available on demand. The session “GitOps your distributed edge computing model with Red Hat Ansible Automation Platform” Continue reading
Ask me Anything Recap – April
I recently had the opportunity to emcee an Ask me Anything webinar in April 12, These sessions are a good opportunity for the community, customers, partners and more to talk directly to Red Hat employees about what is happening on Red Hat Ansible Automation Platform and beyond. For this webinar, we had an awesome group of individuals with a diverse talent range across multiple skill sets from Product Management, Technical Marketing and Engineering:
- Richard Henshall - based in England, Richard is head of Product Management for Ansible Automation Platform
- Hicham Mourad - based in Canada, Hicham is a Technical Marketing manager for Ansible Automation Platform on Microsoft Azure
- Anshul Behl - also in Canada, Anshul is a Technical Marketing manager for Ansible Automation Platform
- Mike Graves - joining us from North Carolina, Mike is a senior software engineer working on Ansible for public clouds and Ansible for cloud native
- Shane McDonald - senior principal software engineer working on automation controller, automation execution environments and Podman as well as Kubernetes and Red Hat OpenShift Integration
To watch the webinar on-demand check it out here.
As it turns out, we can’t get to every question that comes in, so we had Continue reading
Fine-Tuning Control Plane Access with Cluster API
When Cluster API creates a workload cluster, it also creates a load balancing solution to handle traffic to the workload cluster’s control plane. This is necessary so that the control plane endpoint is decoupled from the underlying control plane nodes (which facilitates scaling the control plane, among other things). On AWS, this mean creating an ELB and a set of security groups. For flexibility, Cluster API provides a limited ability to customize this control plane load balancer. In this post, I’ll show you how to use this functionality to fine-tune access to a workload cluster’s control plane when using Cluster API with AWS.
If you’re not familiar with Cluster API (hereafter just referred to as “CAPI”), then my introduction to CAPI article may be useful. Keep in mind that article was written in 2019, while the project was still in its early stages. The high-level concepts are correct, but some of the details may have shifted slightly over the last three years as the project progressed from v1alpha1 APIs to the now-current v1beta1 APIs.
The key here is the controlPlaneLoadBalancer object, which is part of the AWSCluster object (see details here in the code or here via pkg.go.dev Continue reading