What you can expect: AnsibleFest 2021 for IT Leaders
This year, we are adapting our signature automation event, AnsibleFest, into a free virtual experience. Seasoned pros and new Ansible enthusiasts alike can find answers and learn more about Red Hat Ansible Automation Platform, the platform for building and operating automation at scale and creating an enterprise automation strategy. We are excited to offer a track designed specifically for IT leaders.
Let’s take a closer look at this track for AnsibleFest 2021.
IT Leaders at AnsibleFest
The role of automation for IT leaders has certainly evolved in recent years. Automation that used to be contained to domain-specific, task-bound practices has evolved to encompass full enterprises -- connecting teams and areas that were not connected before. The prospect of beginning an automation practice, or even unifying separate automation efforts, can often seem daunting. No matter where you are on your automation journey, we have a session for you.
Attendees will hear from like-minded companies about their targeted use cases and experiences with automation, sharing how they navigated their digital transformation journeys and lessons learned. We are also excited to be joined by several analysts who will share their insights and perspectives.
If you are experienced with the Ansible Automation Continue reading
What you can expect: AnsibleFest 2021 for Telco Customers
This year, we are adapting our signature automation event, AnsibleFest, into a free virtual experience. Seasoned pros and new Ansible enthusiasts alike can find answers and learn more about Red Hat Ansible Automation Platform, the platform for building and operating automation at scale and creating an enterprise automation strategy. This year, we have a content topic designed specifically for attendees from telecommunications and media companies with our Telco topic within the Network track.
Let’s take a closer look at this content topic for AnsibleFest 2021.
Telco Automation at AnsibleFest
Telecommunication service providers have extremely critical and complex workflows that require specialized attention for automation. Attendees can expect to learn about targeted use cases, especially for Telecommunications customers, partners and vendors. You will hear from like-minded companies about their experiences with automation, understand advanced automation use cases like AIOps, pair programming, provisioning for Red Hat OpenShift, NetOps with continuous innovation/continuous delivery (CI/CD) and more.
In addition, you can take advantage of the Telco content topic where Telco customers can learn how to get started with network automation, how to expand their network automation use cases, what’s new for those developing the automation for network projects, and how they Continue reading
What’s new: Automating ServiceNow with Ansible Automation Platform
It has been almost half a year since the XLAB Steampunk and Red Hat Ansible Automation Platform teams developed the first version of the Red Hat Ansible Certified Content Collection for ServiceNow IT Service Management (ITSM). You may also want to read our ServiceNow introduction if you are not familiar with this already. So, let’s take a look at what is new since the last release.
We will skip most of the technical details in this post because, let us face it, talking about interactions between API pagination and filtering is not something many people enjoy. Instead, we will focus on the new things users can do using the current 1.2.0 version of this collection.
Attachment management
ServiceNow records (incidents, problems, change requests, etc.) may contain attachments, but the first version of the ServiceNow Collection did not expose this capability to Ansible Automation Platform users. We changed this in version 1.2.0 when we added the attachments parameter to all non-info modules.
Ansible users can now upload error logs and other artifacts when creating new incidents and other ServiceNow records. They can also add them later to existing ServiceNow records. For example, users might Continue reading
AnsibleFest 2021: Network Automation Track
This year, we are adapting our signature automation event, AnsibleFest, into a free virtual experience to connect our communities with a wider audience and to collaborate to solve problems. Seasoned pros and new Ansible enthusiasts alike can find answers and learn more about Red Hat Ansible Automation Platform, the platform for building and operating automation at scale and creating an enterprise automation strategy. Have you already automated some type of server or infrastructure management? Use the network automation track to understand the benefits that come with automating network management the Ansible way.
Let’s take a closer look at this track for AnsibleFest 2021.
Network Automation at AnsibleFest
Gone are the days of hand-typing commands into network devices one by one, because you simply can’t keep up. Manage your network infrastructure using Ansible Automation Platform throughout the entire development and production life cycle, and free time as a result to focus on your top priority network engineering challenges. This AnsibleFest track focuses on network automation topics for automation content developers as well as network and cloud engineers or operators.
Attendees will learn how network automation can no longer be a point tool, but instead part of a holistic Continue reading
Technology Short Take 144
Welcome to Technology Short Take #144! I have a fairly diverse set of links for readers this time around, covering topics from microchips to improving your writing, with stops along the way in topics like Kubernetes, virtualization, Linux, and the popular JSON-parsing tool jq along the way. I hope you find something useful!
Networking
- A short while ago I was helping someone (an acquaintance of a friend) with some odd DNS issues. I never found the root cause, but we did find a workaround; however, along the way, someone shared this article with me. I thought it was useful, so now I’m sharing it with you.
- Michael Kashin shares the journey of containerizing NVIDIA Cumulus Linux.
Servers/Hardware
- Plastic microchips? That’s kind of cool.
- Kevin Houston explores multi-node servers as an alternative to blade servers due to increasing thermal requirements from CPUs. (And since Kevin didn’t define TDP—shame, shame!—see this post for an explanation.)
- This is an interesting deep dive into Intel’s “Ice Lake” Xeon SP architecture.
Security
- A severity score of 9.9 out of 10 for a Hyper-V vulnerability? Ouch.
- Dan Lorenc’s article on policy and attestations does a great job of covering key concepts like signatures, Continue reading
Establishing VPC Peering with Pulumi and Go
I use Pulumi to manage my lab infrastructure on AWS (I shared some of the details in this April 2020 blog post published on the Pulumi site). Originally I started with TypeScript, but later switched to Go. Recently I had a need to add some VPC peering relationships to my lab configuration. I was concerned that this may pose some problems—due entirely to the way I structure my Pulumi projects and stacks—but as it turned out it was more straightforward than I expected. In this post, I’ll share some example code and explain what I learned in the process of writing it.
Some Background
First, let me share some background on how I structure my Pulumi projects and stacks.
It all starts with a Pulumi project that manages my base AWS infrastructure—VPC, subnets, route tables and routes, Internet gateways, NAT gateways, etc. I use a separate stack in this project for each region where I need base infrastructure.
All other projects build on “top” of this base project, referencing the resources created by the base project in order to create their own resources. Referencing the resources created by the base project is accomplished via a Pulumi StackReference.
In my Continue reading
Using the AWS CLI to Tag Groups of AWS Resources
To conduct some testing, I recently needed to spin up a group of Kubernetes clusters on AWS. Generally speaking, my “weapon of choice” for something like this is Cluster API (CAPI) with the AWS provider. Normally this would be enormously simple. In this particular case—for reasons that I won’t bother going into here—I needed to spin up all these clusters in a single VPC. This presents a problem for the Cluster API Provider for AWS (CAPA), as it currently doesn’t add some required tags to existing AWS infrastructure (see this issue). The fix is to add the tags manually, so in this post I’ll share how I used the AWS CLI to add the necessary tags.
Without the necessary tags, the AWS cloud provider—which is responsible for the integration that creates Elastic Load Balancers (ELBs) in response to the creation of a Service of type LoadBalancer, for example— won’t work properly. Specifically, the following tags are needed:
kubernetes.io/cluster/<cluster-name>
kubernetes.io/role/elb
kubernetes.io/role/internal-elb
The latter two tags are mutually exclusive: the former should be assigned to public subnets to tell the AWS cloud provider where to place public-facing ELBs, while the latter is assigned to private subnets Continue reading
Technology Short Take 143
Welcome to Technology Short Take #143! I have what I think is an interesting list of links to share with you this time around. Since taking my new job at Kong, I’ve been spending more time with Envoy, so you’ll see some Envoy-related content showing up in this Technology Short Take. I hope this collection of links has something useful for you!
Networking
- Here’s a quick look at using Envoy as a load balancer in Kubernetes.
- Back in April of this year, Patrick Ogenstad announced Netrasp, a Go package for writing network automation tooling in Go.
- Eric Sloof shows readers how to use the “Applied To” feature in NSX-T to potentially improve resource utilization.
- Michael Kashin explains how he built a DIY (Do It Yourself) SD-WAN using Envoy and Wireguard.
Servers/Hardware
- Travis Downs explores a recent Intel microcode update that may have negatively impacted performance.
Security
- I saw this blog post about Curiefense, an open source Envoy extension to add WAF (web application firewall) functionality to Envoy.
- This post on using SPIFFE/SPIRE, Kubernetes, and Envoy together shows how to implement mutual TLS (mTLS) for a simple application. As a learning resource, I thought this post was helpful. However, Continue reading
Starting WireGuard Interfaces Automatically with Launchd on macOS
In late June of this year, I wrote a piece on using WireGuard on macOS via the CLI, where I walked readers using macOS through how to configure and use the WireGuard VPN from the terminal (as opposed to using the GUI client, which I discussed here). In that post, I briefly mentioned that I was planning to explore how to have macOS' launchd automatically start WireGuard interfaces. In this post, I’ll show you how to do exactly that.
These instructions borrow heavily from this post showing how to use macOS as a WireGuard VPN server. These instructions also assume that you’ve already walked through installing the necessary WireGuard components, and that you’ve already created the configuration file(s) for your WireGuard interface(s). Finally, I wrote this using my M1-based MacBook Pro, so my example files and instructions will be referencing the default Homebrew prefix of /opt/homebrew. If you’re on an Intel-based Mac, change this to /usr/local instead.
The first step is to create a launchd job definition. This file should be named <label>.plist, and it will need to be placed in a specific location. The <label> value is taken from the name given to the job Continue reading
An Alternate Approach to etcd Certificate Generation with Kubeadm
I’ve written a fair amount about kubeadm, which was my preferred way of bootstrapping Kubernetes clusters until Cluster API arrived. Along the way, I’ve also discussed using kubeadm to assist with setting up etcd, the distributed key-value store leveraged by the Kubernetes control plane (see here, here, and here). In this post, I’d like to revisit the topic of using kubeadm to set up an etcd cluster once again, this time taking a look at an alternate approach to generating the necessary TLS certificates than what the official documentation describes.
There is absolutely nothing wrong with the process the official documentation describes (I’m referring to this page, by the way); this process just creates slightly “cleaner” certificates. What do I mean by “cleaner” certificates? The official documentation uses a series of kubeadm configuration files, one for each etcd cluster member, to control how the utility creates the necessary certificates and configuration files. The user is instructed to use these configuration files on a single system to generate the certificates for all the cluster members. This works fine, with one caveat: each of the certificates will have an extra hostname—the hostname of the system being used Continue reading
Audit your VMware vCenter Server using Ansible
vCenter has a graphical user interface if you want to interact with it, but what if you manage multiple vCenter servers and want to automate audits or the maintenance of those servers? In this blog, we will see how we can retrieve details about the VMware vCenter Server directly using Ansible. The practices laid out in the blog will help system administrators responsible for managing multiple vCenter servers. In addition, Ansible automation becomes imperative in development environments for testing against multiple instances in your CI/CD pipeline.
The new vmware.vmware_rest Collection has recently been released and published, and it comes with a new set of modules dedicated to vCenter Server (VCSA) management.
VMware vSphere (Product bundle that includes vCenter Server and other features) 7.0.2 (a.k.a 7.0U2) comes with some new REST end-points. This REST API does not cover all the features exposed over the SOAP interface. Modules in the vmware.vmware_rest Collection are built on top of this API and face the same limitations.
The vmware.vmware_rest Collection contains these modules, which is supported by Red Hat and available on Ansible automation hub.
Validate the state of a vCenter Server instance from Ansible
Getting Started With BGP Address Family Resource Modules
Modern enterprise networks have grown a lot in size and complexity, making them more difficult to manage than ever before. Working on these complex networks manually can be tedious, time-consuming, costly, and more prone to error.
Red Hat Ansible Network Automation resource modules provide a path for users to ease the network management, especially across multiple different product vendors. This enables users to manipulate configuration as structured data without worrying about network platform specific details.
In this blog post, we’ll explore the newly added BGP address family resource module using junipernetwork.junos.junos_bgp_address_family as an example. Similar blogs are also available, which cover resource modules for OSPFv2, ACLs, BGP Global and route maps.
Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information between autonomous systems (AS) on the internet. The protocol is often classified as a path vector protocol, but is sometimes also classed as a distance-vector routing protocol. It is used in larger network setups, as Network World so aptly observes:
BGP has been called the glue of the Internet and the postal service of the internet. One comparison likens BGP to GPS applications on mobile phones.
Managing Continue reading
Fun with private Automation Hub – Part 2
In the previous blog post, I provided a brief history on Ansible Content Collections and demonstrated how to upload a Collection to a private Automation Hub. We ended the blog by synchronizing content from Ansible Galaxy and Automation Hub. Today, we will configure Ansible Tower to communicate with private Automation Hub.
"Great things are done by a series of small things brought together." - Vincent Van Gogh on Ansible Collections
A particular type of credential: "Ansible Galaxy/Automation Hub API Token" is what allows Red Hat Ansible Tower to authenticate and connect to private Automation Hub. Logging into Ansible Tower's GUI, in the left frame under ‘Resources’, let's click on 'Credentials,' then 'Create a new credential' 
Creating credentials to connect Ansible Tower directly to 'Automation Hub' or 'Ansible Galaxy' will not be described here, as the scope of this blog is limited to Continue reading
Technology Short Take 142
Welcome to Technology Short Take #142! This time around, the Networking section is a bit light, but I’ve got plenty of cloud computing links and articles for you to enjoy, along with some stuff on OSes and applications, programming, and soft skills. Hopefully there’s something useful here for you!
Networking
- Bill Doerrfeld discusses the use of WebAssembly to extend the Envoy proxy here after a discussion with Idit Levine, CEO and founder of Solo.io. Envoy is increasingly becoming an important component in many cloud-native networking solutions, so the ability to extend or customize Envoy’s behavior is quite important in my opinion.
Servers/Hardware
- Kevin Houston speculates on the future of the blade server, wondering if higher-wattage CPUs mean the end of the blade server form factor.
- Is the introduction of Google Cloud’s new Tau VMs an indication that AMD’s influence continues to grow over Intel’s?
Security
- Andy Robbins discusses the concept of attack paths (specifically, identity-based attack paths) in this post.
- Matt Fuller has authored a pretty comprehensive look at the ways data can be shared across AWS accounts.
- Microsoft has released clarified guidance for dealing with the recent Windows Print Spooler vulnerability.
Cloud Computing/Cloud Management
- Etcd—the key-value store Continue reading
Automation Savings Planner
Pre-plan your automation savings with Red Hat Insights for Red Hat Ansible Automation Platform
Enterprise organizations understand that to be leaders in their industries, they must change the way they deliver applications, improve their relationships with customers and gain competitive advantages.
Positioning those advantages to have a positive return on investment often starts with proper planning and automation.
But what does proper planning of your automation even look like?
For some enterprises, proper planning includes reducing automation costs. For others, it’s reducing time spent to open new opportunities.
With this in mind, Red Hat is excited to introduce Automation Savings Planner, a new enhancement that puts automation planning in the forefront within the hosted services on console.redhat.com.
The Automation Savings Planner is designed to provide a one stop shop to plan, track and analyze potential efficiency improvements and cost savings of your automation initiatives.
How does it work?
Users can create an automation savings plan within Red Hat Insights for Red Hat Ansible Automation Platform by defining how long and often the work is done manually, as well as a list of tasks needed to successfully automate this job.
Once defined, you can integrate your newly Continue reading
Mapping SAML attributes to Red Hat Ansible Automation Platform organizations and teams
Two-Factor Authentication (2FA) is an additional layer of security that can be used to help protect enterprise applications from unauthorized access. While OAuth, and even some LDAP configs are viable options to enable 2FA in Ansible Automation Platform, users prefer to leverage Security Assertion Markup Language (SAML) for this purpose, as described in Using two-factor SAML with Red Hat Ansible Tower. On the other hand, 2FA to managed machines is discouraged.
https://pixabay.com/illustrations/eye-iris-biometrics-2771174/
SAML is an open standard that allows Identity Providers (IdP) exchange authorization credentials with a Service Provider (SP). The IdP supplies an XML document—known as assertion—to the SP to deliver a series of attributes that identify the login user.
These attributes can be used in Ansible Automation Platform to determine the team and organization of a user. Let’s explore an example, with Microsoft Azure’s Active Directory as the IdP (and, of course, Ansible Automation Platform as the SP).
Attribute mapping
The goal of this example is to map users from four different groups (Alpha, Beta, Gamma and Delta) to either the Cloud or Network Organization in Ansible Tower, and make them part of a specific team (Engineering or Operations). Continue reading
Adding Multiple Items Using Kustomize JSON 6902 Patches
Recently, I needed to deploy a Kubernetes cluster via Cluster API (CAPI) into a pre-existing AWS VPC. As I outlined in this post from September 2019, this entails modifying the CAPI manifest to include the VPC ID and any associated subnet IDs, as well as referencing existing security groups where needed. I knew that I could use the kustomize tool to make these changes in a declarative way, as I’d explored using kustomize with Cluster API manifests some time ago. This time, though, I needed to add a list of items, not just modify an existing value. In this post, I’ll show you how I used a JSON 6902 patch with kustomize to add a list of items to a CAPI manifest.
By the way, if you’re not familiar with kustomize, you may find my introduction to kustomize post to be helpful. Also, for those readers who are unfamiliar with JSON 6902 patches, the associated RFC is useful, as is this site.
In this particular case, the addition of the VPC ID and the subnet IDs were easily handled with a strategic merge patch that referenced the AWSCluster object. More challenging, though, was the reference to the existing security Continue reading
AIX Patch Management with Ansible
Leading enterprises today use Red Hat Ansible Automation Platform to provision, configure, manage, secure and orchestrate hybrid IT environments. A common misconception is that Ansible is just used to manage the Linux operating system. This is a false belief. Ansible supports Linux, Windows, AIX, IBM i and IBM z/OS environments. This blog will help AIX system administrators get started with Ansible on AIX, and introduce a patching use case.
Ansible Content Collections
When Ansible Automation Platform was released, Ansible Content Collections became the de facto standard for distributing, maintaining and consuming automation content. The shift to Collections increased community participation and has exponentially increased the number of stable and supported Ansible modules. Modules delivered via Collections rather than packaged with Ansible Core have resulted in a faster release cadence for new modules.
Let us explore the IBM provided Ansible Collection for AIX. It is important to note that many of the Ansible modules for the Linux operating system will also work on AIX (in addition to the IBM provided AIX modules), making the use cases for Ansible on AIX very broad.
Ansible and AIX, why?
The AIX operating system has been around for 35 years and is used to Continue reading
Using WireGuard on macOS via the CLI
I’ve written a few different posts on WireGuard, the “simple yet fast and modern VPN” (as described by the WireGuard web site) that aims to supplant tools like IPSec and OpenVPN. My first post on WireGuard showed how to configure WireGuard on Linux, both on the client side as well as on the server side. After that, I followed it up with posts on using the GUI WireGuard app to configure WireGuard on macOS and—most recently—making WireGuard from Homebrew work on an M1-based Mac. In this post, I’m going to take a look at using WireGuard on macOS again, but this time via the CLI.
Some of this information is also found in this WireGuard quick start. Here I’ll focus only on using macOS as a WireGuard client, not as a server; refer to the WireGuard docs (or to my earlier post) for information on setting up a WireGuard server. I’ll also assume that you’ve installed WireGuard via Homebrew.
Generating Keys
The first step is to generate the public/private keys you’ll need. If the /usr/local/etc/wireguard (or the /opt/homebrew/etc/wireguard for users on an M1-based Mac) directory doesn’t exist, you’ll need to first create that directory. (It didn’t exist Continue reading
Installing Older Versions of Kumactl on an M1 Mac
The Kuma community recently released version 1.2.0 of the open source Kuma service mesh, and along with it a corresponding version of kumactl, the command-line utility for interacting with Kuma. To make it easy for macOS users to get kumactl, the Kuma community maintains a Homebrew formula for the CLI utility. That includes providing M1-native (ARM64) macOS binaries for kumactl. Unfortunately, installing an earlier version of kumactl on an M1-based Mac using Homebrew is somewhat less than ideal. Here’s one way—probably not the only way—to work around some of the challenges.
Note that this post really only applies to users of M1-based Macs; users of Intel-based Macs can extract the kumactl binary from the release archive available linked from the Kuma install docs. (The same goes for users of Linux distributions running on Intel-based hardware.) On the Kuma website, simply select the desired version of Kuma from the drop-down in the upper left, check the page for the direct download link, and off you go. This doesn’t work for M1-based Macs because at the time this post was written, the Kuma community was not providing ARM64 binaries. This leaves Homebrew as the only way (aside Continue reading