The Ansible community constantly produces new content (plug-ins and modules), which creates a lot of new work for those who maintain Ansible, since the new code needs to be integrated into the repositories as quickly as possible. Deadlines cannot always be met, and the launch of some content that is quite ready for release is postponed until the next official version of Ansible Engine. Until recently, the end user had only one way to get new Ansible content: along with a new version of Ansible Engine.

To eliminate the inconvenience, the Ansible community has begun work on more flexible options for creating and receiving content.
Red Hat Ansible Engine 2.8: Towards New Ansible Content Processing Techniques
In response to user requests, Ansible Engine 2.8 changes how content that is not part of the official release is processed. These changes make it possible to implement a new way of delivering content to users, one that does not depend on Ansible maintainers for managing either Ansible content or the platform code itself.
It is planned that in future releases content creators will be able to deliver content in the form of special packages, so-called Collections, which can be installed in the appropriate place for execution on the main Ansible node (control node) or on the managed node. The creator of a collection will specify the execution details directly in the package by means of roles and playbooks. Thanks to the aforementioned changes to Ansible Engine, collections will be one of the tools that allow you to decouple the release of content from the release of official versions of Ansible Engine.
New Become construct
The Become construct appeared a long time ago, but since version 2.8 Ansible Engine uses the word BECOME by default when it prompts for a password during privilege elevation (sudo privileges on *nix systems or enable mode on network devices). In other words, BECOME is now the standard privilege escalation mechanism, and it in turn deals with the target system itself.
Here is an example of its use:
ansible-playbook --become --ask-become-pass site.yml
BECOME password:
In addition, Ansible Engine 2.8 introduced the BECOME plugin, which works as doas on Linux and as runas on Windows and allows you to perform actions on behalf of a given user. To elevate privileges on network devices, use the become-enable plugin.
Python interpreter search
You may have encountered this error:
/usr/bin/python: bad interpreter: No such file or directory
The reason is that previous versions of Ansible Engine assumed by default that the main (default) Python interpreter is located at /usr/bin/python. Starting from version 2.8, Ansible looks for an interpreter on each target system, first consulting a table of paths and executable names of the main Python interpreter in various distributions, and then using ordered fallback lists. For more details, see the Ansible 2.8 Porting Guide.
Retry files are no longer created by default.
Has it been a while since you searched your disk for .retry files? If you have been using Ansible for a long time, there are obviously a lot of them, and they only take up useful space. Starting from version 2.8, Ansible Engine no longer creates these files by default (this can be reverted by editing the default ansible.cfg file).
Updated Play Recap
An excerpt from the Ansible 2.8 Porting Guide:
Play Recap now counts tasks with the status of ignored and rescued, as well as ok, changed, unreachable, failed and skipped, thanks to two new statistics counters in the default callback plugin. Failed tasks for which the ignore_errors: yes flag has been set are counted as ignored. Failed tasks for which the rescue section was then executed are counted as rescued. Note that unlike previous Ansible versions, rescued tasks are no longer counted as failed.
And in the Play Recap table printed after a playbook run, each host now has additional skipped, rescued and ignored columns.
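Because rescued and ignored tasks leave failed=0, a run can look clean while errors were suppressed. The following is an added example, not part of the original article or of Ansible itself: a small parser for the 2.8 recap line format that reports hosts with masked failures, suitable as a CI gate. The function names, host names and counts are assumptions made for illustration.

```python
import re

# Counters printed per host in the Ansible 2.8 default callback's PLAY RECAP.
COUNTERS = ("ok", "changed", "unreachable", "failed", "skipped", "rescued", "ignored")
RECAP_LINE = re.compile(r"^(?P<host>\S+)\s*:\s*(?P<stats>(?:\w+=\d+\s*)+)$")


def parse_recap(output):
    """Return {host: {counter: int}} from the PLAY RECAP section of a run log."""
    hosts, in_recap = {}, False
    for line in output.splitlines():
        if line.startswith("PLAY RECAP"):
            in_recap = True
        # Only lines after the recap banner are candidates for host statistics.
        match = RECAP_LINE.match(line.strip()) if in_recap else None
        if not match:
            continue
        stats = dict(pair.split("=") for pair in match["stats"].split())
        # Pre-2.8 output has no rescued/ignored columns; treat them as 0.
        hosts[match["host"]] = {name: int(stats.get(name, 0)) for name in COUNTERS}
    return hosts


def masked_failures(hosts):
    """Hosts that report failed=0 but hid errors via ignore_errors or rescue."""
    return {
        host: {"rescued": s["rescued"], "ignored": s["ignored"]}
        for host, s in hosts.items()
        if s["failed"] == 0 and s["unreachable"] == 0 and (s["rescued"] or s["ignored"])
    }


# Constructed sample output (host names and counts are made up for illustration).
SAMPLE = """\
TASK [harden sshd] *************************************************************
ok: [web01]

PLAY RECAP *********************************************************************
db01                       : ok=7    changed=2    unreachable=0    failed=0    skipped=1    rescued=1    ignored=0
web01                      : ok=9    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=2
web02                      : ok=9    changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
web03                      : ok=4    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
"""

if __name__ == "__main__":
    for host, counts in sorted(masked_failures(parse_recap(SAMPLE)).items()):
        print(f"{host}: rescued={counts['rescued']} ignored={counts['ignored']}")
```

The parser expects uncoloured output, so capture the log with colour disabled before feeding it in.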
Clouds and Containers
Version 2.8 implements improvements and additions to cloud and container modules for working with Amazon Web Services, Microsoft Azure, Google Cloud, Digital Ocean, podman and kubevirt. It is also worth noting that TOML files can now be used as an inventory source.
Paramiko
Do you use Red Hat Ansible Network Automation? Ansible Engine 2.8 no longer contains paramiko and does not depend on it. By default, Ansible Engine uses ssh. If you need paramiko, you can install it with the command:
pip install paramiko
If you need support for using paramiko as part of a Red Hat subscription, refer to the Knowledge Base article on the paramiko package.
Thus, the new version of Red Hat Ansible Engine comes with an impressive list of improvements and changes, which can be found here.
Red Hat Ansible Tower 3.5: more automation
The new Red Hat Ansible Tower 3.5 has also been available since the end of May, offering several major automation improvements at once, and we'll go over them in case you haven't had time to check for yourself.
First, the key ones:
- Red Hat Enterprise Linux 8 support;
- Support for external credential storage using appropriate plug-ins;
- Support for become-plugins in Ansible Tower.
In addition, the new version fixes more than 160 reported bugs and issues.
Red Hat Enterprise Linux 8 support
We often repeat that Red Hat Enterprise Linux (RHEL) is a reliable and universal foundation for building, for example, a hybrid cloud. Ansible Tower 3.5 (as well as Ansible Engine 2.8) can manage RHEL 8 hosts, and can also run on Red Hat Enterprise Linux 8 as the control node of Red Hat Ansible Automation.
External credential storage
In addition to the built-in credential storage, Ansible Tower 3.5 can now use external credential storage, because sometimes you need to make the credentials more accessible to distributed applications. Therefore, the new version of Ansible Tower can work directly with various solutions for storing passwords and keys, for example:
- HashiCorp Vault;
- CyberArk AIM;
- CyberArk Conjur;
- Microsoft Azure Key Vault.
Details of working with these systems are given in the Secret Management System documentation.
New plugins to work with inventory and privilege escalation
Following the development of Ansible Engine, Ansible Tower 3.5 offers new inventory plug-ins and a plug-in for working with the new privilege escalation mechanism.
Thanks to the new inventory plug-ins, Ansible Tower can now use the Microsoft Azure platform, the Google Cloud Platform and the Red Hat OpenStack Platform as inventory sources, which allows working with hybrid cloud environments out of the box.
The new Privilege Escalation plugin provides comprehensive processing of privilege elevation tasks, offering much more flexibility and control than traditional sudo and su.
Redesigned list UI
Working with lists has become much easier in the new version. Lists can be expanded to show details and collapsed to display more items. They can also be sorted by various fields and filtered by almost any property.
Improved metrics
Metrics now have a dedicated endpoint (/api/v2/metrics), thanks to which Ansible Tower can easily be monitored with Prometheus and other similar systems, and you can use several such systems at once, including cloud ones.
Ansible Tower 3.5 is already available for download; the latest version of Red Hat Ansible Tower can be installed either locally or via Vagrant or Amazon AMI.
Ansible webinars: upgrade your skills
Constantly updated repository of webinars on the topic:
www.ansible.com/resources/webinars-training?hsLang=en-us
On June 4, the What's New in Ansible Automation webinar was held, dedicated to the new and improved Red Hat Ansible Tower and Red Hat Ansible Engine features. Coming soon in the repository.
A webinar on Automating networks with Ansible is available in Russian.