Видео

The Certificate needs to be from automation controller or the load balancer you are pointing ServiceNow at (depending on where you have TLS termination set). This is required because otherwise ServiceNow will reject the connection as an invalid cert (unless you are leveraging a public Certificate Authority). The Servicenow user is a local user I've created within Ansible. This is acting as a service account for all automation triggered from ServiceNow

You'd only need external internet access for EDA if the application sending notifications is hosted in the cloud. Most people I've seen deploying EDA today are using internally hosted monitoring tools. But if you are using externally hosted monitoring tools (like Dynatrace or Datadog) you'd need that external access (which you've already provided outbound for those agents) or you'd need Datadog to push alerts to a messaging bus (such as Kafka) that you subscribe to from EDA. If using a webhook, you'd want to add in the API key and firewall rules to permit traffic only from the monitoring platform to EDA for security purposes

The web server creation is part of the shadowman.reports roles. So as long as you are pointing to a registered RHEL8 or RHEL9 VM with the delegate_to portion of this role: github.com/shadowman-lab/shadowman.reports/tree/main/roles/build_report_linux_patch, it will ensure apache is running plus the CSS styling. For e-mail, I have a Roundcube Webmail server running locally.

Unfortunately, I don't have access to a Windows workstation with WSL. If you look at some of my other development videos, I generally use either code-server (which just runs in a web browser on a Linux VM, ruclips.net/video/C8908KSjn78/видео.html, ruclips.net/video/H8IaR8wMBlQ/видео.html) or the VS Code SSH extension (ruclips.net/video/2QwkRiVHaxU/видео.html) to connect to a Linux VM so I never need to install Ansible or WSL on my workstation. I do this so I can not only develop my playbooks using the Ansible plugins, but then I can also test them via CLI in a sandbox environment. While I don't have a Windows workstation, you could set up WSL, install Ansible, and then use the WSL extension for VSCode code.visualstudio.com/docs/remote/wsl. That WSL extension will work similar to the Remote SSH extension in that VSCode runs locally on your operating system, but Ansible, your playbooks, and the Ansible extension would all be installed within WSL itself

Red Hat provides a free training video: www.redhat.com/en/services/training/do007-ansible-essentials-simplicity-automation-technical-overview Learn Linux TV also has a thorough Playlist: ruclips.net/user/playlist?app=desktop&list=PLT98CRl2KxKEUHie1m24-wkyHpEsa4Y70 And I have a playlist around the development tools and setting up a developer environment: ruclips.net/video/C8908KSjn78/видео.html

@@alexdworjan thanks 🙏🏿

Red Hat provides a free video course to get you up to speed on Ansible terms: www.redhat.com/en/blog/new-free-ansible-course There is also an Ansible community website: www.ansible.com/ And newer Ansible Forums: forum.ansible.com/ Those are great places to get started but I would certainly say that hands-on experience is best. So if you can deploy Ansible and start coding, that's certainly going to be the best way to learn (for me it is at least)

@@alexdworjan thank you alex🙏

All the reports are built using jinja templates. Each report can be found here: github.com/shadowman-lab/shadowman.reports

@@alexdworjan are the reports displayed in tower or need to host on web server?

@@jg1000c They are all on a separate web server

@@alexdworjan got it. Does your web server digest ansible data? How does it work?

@@jg1000c It's just an apache web server. Ansible is used to take the data and dynamic build the web page using jinja. No actual digestion is happening on the web server. The repo that I shared has exactly how I deploy the different reports

Build that into your Pull Request review process. If you need those steps reviewed by teams, don't use the Ansible survey, only use the gitops approach where teams make changes to the main.tf. Then the code review can include plan to verify any changes prior to approval. There are many different approaches, find the one that fits into your process.

@@alexdworjan ansible is a good tool for config management... But not for infrastructure. Better and safer is use ansible Provider on terraform code.

It's all about using what's best for your team and organization. Since Ansible is being used for config management of all kinds of infrastructure and networking gear plus orchestration (ServiceNow, etc) some customers prefer to use the workflow capabilities of Ansible. In this case, I'm still using Terraform to provision and maintain the state of the infrastructure.

​@@alexdworjan hmm, magic tools don't exist... Ansible was written as configuration management, nothing more.. Terraform was created as an infrastructure management... Forcing Anisble to be a tool... It wasn't designed, it's not a good idea. I've been using Terraform and Ansible for many years. Develops roles and modules. Ansible is not a good idea for managing terraforms, there are much better technologies for this.

That's why most just use Ansible to call Terraform, not to manage Terraform. Similar to how you use the Ansible provider to have Terraform call Ansible, you can use the Terraform modules to have Ansible call Terraform. It's really about using the process that's best for you. In your case, it seems best to use Terraform.

On the Inventories page, when you click the blue Add button, Add constructed inventory will be an option. You must be on AAP 2.4 or newer for constructed inventories to exist

@@alexdworjan Thank you for the quick reply.

Yes, it should work with AWX as well since it's essentially making an API call from ServiceNow. As long as the endpoint matches what you have in AWX, it would work

@pallenrupp Peter, I'm sorry this video wasn't clear. I will admit, Constructed Inventories (just like Smart Inventories) are a more advanced topic that many people, including myself, barely use. Mainly, I would only use Constructed Inventories if I need to combine multiple existing inventories or if I need to divide up an inventory based on limiting access to end-users. I like to think of Constructed Inventories in exactly the same way as Dynamic Inventories. They both leverage inventory plugins with source variables (compose, groups, keyed_groups) and they both have a source. While Dynamic Inventories pull directly from a source of truth (Azure, AWS, VMWare, ServiceNow, etc), Constructed Inventories leverage existing inventories within automation controller as that source. If you are able to, I would recommend creating your own Constructed Inventory and testing it out. I found that was the easiest way for me to see how the plugin worked and what inventory would be created. Follow the doc for some good examples which is how I got started with the concept docs.ansible.com/ansible/latest/collections/ansible/builtin/constructed_inventory.html Please let me know if there is something specific that still isn't clear and I'll do my best to help.

I haven't used ansible molecule as part of my testing but it does look like you can use podman to run the molecule commands if it's been installed in your EE. forum.ansible.com/t/question-about-molecule-and-creator-ee-image/3053/7 For OpenShift Dev Spaces, you can absolutely use molecule since you are essentially doing your development and testing inside your EE. Again you'd need to make sure your EE or Dev EE has molecule installed. The Ansible creator-ee already has that set up.

Individual Job Templates can still have Job Slicing within a Workflow Template. It acts similarly to a workflow being called within a workflow

I've created custom credentials within automation controller and assigned them to the Job Template. They are being passed as extra variables via that custom credential

​@@alexdworjan Okay thank you ! but I also wanted to know if the "cert_key_file" is the private key for your Execution Environment or the execution node ( so that you can push and pull to git ) ? or what else it should be ?

@@SamuelCaroll It is the private key for my specific user in github that has been added into my account: docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account. The private key is injected into the Execution Environment at runtime to provide the authentication.

@@alexdworjan Okay perfect ! thanks for explanation

The detailed version of each of the three options is included in the description. It has a video for exactly how I did it and the Dev Spaces version includes a detailed step-by-step Readme

It's a single playbook, not even a full workflow, so it could be done on the command line via ansible-navigator (or ansible-playbook), if desired. You'd only need the ee_builder role if you don't have Private Automation Hub and it does support pulling execution environments and collections from upstream

Excellent. I was under the impression these types of roles were only available to companies paying a redhat subscription of some kind. Awesome I can go find that role and try this then. Huge thanks for your great work!

With Ansible Builder Version 3, you can use any base image ruclips.net/video/YTtBW2rDNE4/видео.html

If you look at some of my other development videos, I actually use either code-server (which just runs in a web browser, ruclips.net/video/C8908KSjn78/видео.html, ruclips.net/video/H8IaR8wMBlQ/видео.html) or the VS Code SSH extension (ruclips.net/video/2QwkRiVHaxU/видео.html) so I never need to install Ansible or WSL on my workstation. I do this so I can not only develop my playbooks using the Ansible plugins, but then I can also test them via CLI in a sandbox environment. While I don't have a Windows workstation, you could set up WSL, install Ansible, and then use the WSL extension for VSCode code.visualstudio.com/docs/remote/wsl

@@alexdworjan Thank you Alex! I just found out that installing WSL is prohibited by my employer's security dept. However, we have Ansible installed on Linux boxes that I can SSH to. Are you saying the VS Code SSH extension will allow the VS Code Ansible extension to use a remote Ansible installation (including ansible-lint)?

@@watchman1982 That's correct. When using the SSH extension, the Ansible extension installs on the Linux box so it uses Ansible + Ansible-lint that are present there (rather than what's on your laptop) which is perfect for when you can't use WSL

@@alexdworjan This is awesome! Thank you for sharing and I will check out your other videos regarding the setup of this.

There are 3 different examples in the Ansible-PAH repo, build_creationee, build_shadowmandevspaces, build_shadowmanee

thank you@@alexdworjan

That's what I show at 9:58 in the bindep.txt. This is where you define any system dependencies which are RPM for RHEL based systems.

Thanks, I missed it. @@alexdworjan

I go into the actual python code for the event_sources themselves. github.com/ansible/event-driven-ansible/tree/main/extensions/eda/plugins/event_source At the top of each event_source, you can find the docs

Correct, I am using Red Hat Satellite in my environment. Most of the patching work itself is running on the individual servers, so what repository they have set is less important. As long as the OS itself is set to pull from that repository when running yum/dnf/etc, Ansible can use it. I enjoy using Satellite because I can also manage my content views with Ansible and control when I update packages (I update my content views once a month with Ansible for my monthly patching)

@@alexdworjan - thank you so much for the prompt feedback. One more follow up question, so our environment has RHEL, Fedora, Oracle Linux, and Ubuntu (mostly) and we currently use their "Internet" repositories (i.e. we go over Internet connection for each host to download patches) - if we wanted to localize (on our LAN and have a single repo host pull patches for each distro so that each host can pull patches from this single point rather than each going over the Internet) what solution might you recommend? It seems Satellite is a RHEL only solution unless I am mistaken. So instead of hundreds of these multi distro hosts getting patches downloaded directly to each individual host, is there a good solution to centralize patching on our LAN for each of these distros? I hope that question makes sense. We are gaining steam with Ansible but it seems like it would be important to be able to address patching for multiple Linux distros in our use case, not just RHEL. Thanks again - in short, looking for something heterogenous in the OS patch repository management arena and assuming Satellite is a RHEL only solution.

Ansible Navigator will only leverage the credentials that you have set on the VM (I have all of mine vaulted as well using ansible-vault). It isn't designed to fully replace all of the credentials that you use in production or automation controller. Personally, I only use Ansible Navigator in a sandbox environment with sandbox VMs/devices to test against, so I am using different credentials than I am using in my production environments anyway. The problem of consistent, defined environments was definitely a big one in the past, especially when you factor in all of the system, python, collection dependencies needed in ansible today. I will say Ansible Navigator is definitely the tool for CLI testing and it's what I use to test every single playbook in my sandbox before it ever reaches my repository (and then you can still run tests in automation controller at that point as well). But it is MUCH faster to do CLI testing than pushing to a repository, sync the project, run the job, find errors, make changes, and repeat. And since I know I'm using the exact same Execution Environment in controller, I'm confident the playbook itself will work exactly as I expect it to.

@@alexdworjan Thanks for the answer. Exactly what you describe I would like to avoid, because in the end everything must run on the AAP. I don't want to pack all the credentials, the inventory that was created from several sources back into var files. That makes everything much more complicated in our case. In our case we develop code, push it to a git repository and then run the test directly through the AAP. The biggest problem we have with this is that in case of a problem, debugging can be difficult, as I have no way to manually run a job template with the appropriate inventory and credentials, in a container. We have about 400 credentials, 220 machines, about 150 variables and at least 200-300 more credentials in hashicorp vault. That's why I thought it would be great to have access to the artifacts on the AAP and use them. Our solution must work from dev - prod and best without exporting stuff, because everything must be highly secure. And there is no way I can get something like that through an audit. That's why I thought I could solve the problem with the navigator.

@@user-sq1pj9xd8p I would think for most playbooks that you are writing and testing, you aren't using many of those credentials, and certainly wouldn't in a sandbox environment. This is really to limit the amount of time needed to go through pushing, syncing, job running. Especially when you are first writing a playbook, you might get a lot of errors, especially as you try to register variables and figure out what the return is in order to use the information in the remainder of the playbook. Ansible Navigator isn't designed to be a replacement for controller, it's just a way to run playbooks via CLI similar to what ansible-playbook itself provides, but just runs it within the EE now. If you need to have credentials / auditibility for every job run, then controller is your best bet. This is really focused on using a sandbox environment for the initial playbook authoring. If you can't get a sandbox environment at all for testing, then you will probably be limited to the process as you have it today. You could certainly utilize webhooks to at least automatically launch the job template after your code has been merged if you can't get a separate environment for testing.

Is that a custom requirements.txt that you've created or is that part of a collection you are trying to install? If it's custom, I would verify that particular python package version exists in the python version in the EE you are using

yes its a custom requirements.txt that i created i just modified the container file and it builds but now how can i know if my customised execution-environment contains the package thanks in advance

If you use ansible navigator, you can inspect the EE and find all system packages and python libraries that are installed

@@alexdworjan thank you for you help , i succeeded to modify the containerfile in a way to insall my X python package in the system packages but not in the python one my question is will the ee use it anyway when needed thanks

@@aminejawadi6293having issues with pip installing bindep. Any ideas

docs.ansible.com/ansible/latest/os_guide/windows_setup.html#host-requirements I am assuming you are talking about Windows Servers not Windows Desktops (desktops tend to have more connection issues, especially laptops since the network connectivity isn't permanent). If you are talking about Windows Servers, I would verify your connection settings (ensuring WinRM and all of your settings are set properly, and that you aren't receiving any certificate errors). I would also look at the specific error the playbook is giving you. The exact module you are trying to run will give you more details about what's going on (you can also increase the verbosity of your playbook to get better connection debugging information). I would start there to get a better idea of what issues you might be facing.

@@alexdworjan Thank you for your reply. They are all Windows 10 and 11 Professional Desktops. I understand where you are coming from. My hope is that Ansible can still be a great tool for managing Desktop devices -and that once there are ways to ensure desktops are on and connected (via Wake-on-LAN etc), ansible can service them properly! I will explore the resources you have provided and dig deeper!

That's actually what most of my catalog items are triggering. I had to modify the spoke plugin to make it work github.com/shadowman-lab/Ansible-SNOW/tree/main/SNOWSetup#update-spoke-actions-for-workflow-job-templates

I would check out my other code-server video: ruclips.net/video/H8IaR8wMBlQ/видео.html This uses an Ansible playbook to set everything up (essentially I assign a different port and start the service as a different user)

So that's just using the SSL certificate that I had already attached to my controller instances (/etc/tower/tower.cert). So this should come from your certificate authority (I see LetsEncrypt used often, but your business should already have something established). For it to properly work in ServiceNow, you'll need the full SSL certificate chain in controller and then uploaded to ServiceNow as I show at that portion of the video

@@alexdworjan we use the containerized solution I think that would change how we use the certificate correct?

@@kerrymason6371 The certificate itself would still be generated in the same way, but it wouldn't be in the same location since you'd create a TLS secret and then update your automation controller CR with route_tls_secret under spec pointing to the TLS secret you just created: access.redhat.com/solutions/3109871

github.com/shadowman-lab/Ansible-Labextra/blob/main/roles/prometheus/templates/alertmanager.yml.j2

I created an application with the Authorization Code grant type and Confidential Client Type. docs.ansible.com/automation-controller/latest/html/userguide/applications_auth.html#create-a-new-application

@@alexdworjan Thanks Alex. I tried both options, but getting application error. I will try it tonight again. Using version 2.4.1. It there some more verbose logs to find out what happening? Will be looking tonight for logs too.

@@alexal4 An application error in automation controller? Or in EDA controller? And version 2.4.1 of what exactly? I would make sure the user you've created the token for has access to the Job Templates you are trying to run and that the token itself has write access.

@@alexdworjan Error in EDA controller, nothing seen on AAP2 controller. I am using latest AAP2 bundle 2.4.1 Need to check few thing tonight so it is not a template and I am using admin so no access issue. If it was template I would see something in jobs dashboard. I have small lab at home with Grafana and Prometheus and will try to make something similar you did, but sure can use for any services. We are migrating to AAP2 at work, will need it soon there too. This is the error I get: ERROR - Terminating Rule Check if endpoint is responding has an action run_module which needs inventory to be defined

Everything is working now, it was problem with Token.

www.techbeatly.com/how-to-pass-environment-variables-to-ansible-navigator/ This is the easiest way to describe it if you are using ansible-navigator. If you are using automation controller, you can set environment variables as credentials which would then be passed into the EE if you assign it as a credential for the Job Template.

I don't understand your question. The system requirements listed in the reference architecture are for running Ansible on OpenShift. What jobs you run are independent of that including using Ansible to create a VM.

You can set the exact port in the inventory, but it defaults to 27199 TCP. If they want details on what's going on, I would definitely look at this blog: www.ansible.com/blog/peeling-back-the-layers-and-understanding-automation-mesh

@@alexdworjan Great Link! THanks!