Enterprise Grade Ansible Automates Slide...Any playbook run would run one ansible-playbook process...
October 28, 2019
Enterprise Grade Ansible
Michelle Perz, Manager - Ansible Support
AGENDA
What’s Coming with the Ansible Automation Platform
Notable Past Features
Future Directions
Demo
What we’ll be discussing today
What is coming with the Red Hat Ansible Automation Platform?
RED HAT ANSIBLE AUTOMATION PLATFORM - COLLECTIONS
Red Hat Ansible Automation Platform
Collections
Automation Hub
Content Packages
Automation Analytics
Scalable Execution
Additional Tower Notes
Introducing Collections
RED HAT ANSIBLE AUTOMATION - INTRODUCING COLLECTIONS
A new way to create, package, and distribute Ansible Content
Repository structure and artifact to enable simple delivery of Ansible Content (Roles, Modules, and Plugins)
- A format for consistent project structure while in development
- Enables versioning of external content
- Allows consistent delivery outside of Ansible packages
Allows for immediate use of the content found within the Artifact within a play
Namespacing support built into platform to account for content in a Collection
Example Collection
Layout
.
├── galaxy.yml
├── plugins
│   ├── action
│   │   └── ping.py
│   ├── module_utils
│   │   └── pingutils.py
│   └── modules
│       └── ping.py
└── roles
    ├── ping_bootstrap
    │   ├── defaults
    │   ├── filters
    │   ├── meta
    │   ├── tasks
    │   └── vars
    └── ping_deploy
        ├── defaults
        ├── meta
        └── tasks
In a playbook
- hosts: somehosts
  collections:
    - tima.pinger
    - redhat.open_ping
  tasks:
    - tima.pinger.ping:
    - ansible.builtin.ping:   # use only the ping packaged in core
    - ansible.legacy.ping:    # use core or library(etc)/ping.py
      when: thing | tima.pinger.filter == 42
    - ping:                   # searches collections "path" otherwise…
                              # still works, == ansible.legacy.ping:
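The lookup order that the playbook comments describe, as an added example (not from the slides and not Ansible's own code): a simplified Python model showing which provider each of the four task names would run. The contents assigned to each collection and the local `library/` module are constructed for illustration.

```python
# Simplified model of the lookup order in the slide's comments.
# Not Ansible's implementation; collection contents below are constructed.
BUILTIN = "ansible.builtin"   # only what is packaged in core
LEGACY = "ansible.legacy"     # core, unless library/ ships a module of that name
LOCAL = "library/"            # playbook-adjacent module directory


def search_order(task_name, play_collections):
    """Return (ordered providers to try, bare module name) for a task keyword."""
    parts = task_name.split(".")
    if len(parts) == 1:                      # short name: walk collections, then legacy
        return list(play_collections) + [LOCAL, BUILTIN], task_name
    if len(parts) != 3:
        raise ValueError(f"expected name or namespace.collection.name: {task_name}")
    collection, module = ".".join(parts[:2]), parts[2]
    if collection == BUILTIN:
        return [BUILTIN], module             # never consults library/
    if collection == LEGACY:
        return [LOCAL, BUILTIN], module      # local override wins over core
    return [collection], module              # pinned to one collection, no search


def providers(task_name, play_collections, installed):
    """Every provider that could satisfy the name, first match first."""
    order, module = search_order(task_name, play_collections)
    return [p for p in order if module in installed.get(p, set())]


def resolve(task_name, play_collections, installed):
    """Provider that actually runs, or None when nothing matches."""
    found = providers(task_name, play_collections, installed)
    return found[0] if found else None


# Constructed sample using the names from the slide.
PLAY_COLLECTIONS = ["tima.pinger", "redhat.open_ping"]
INSTALLED = {
    "tima.pinger": {"ping"},
    "redhat.open_ping": {"ping"},
    LOCAL: {"ping"},
    BUILTIN: {"ping", "copy"},
}

if __name__ == "__main__":
    for name in ("tima.pinger.ping", "ansible.builtin.ping", "ansible.legacy.ping", "ping"):
        hits = providers(name, PLAY_COLLECTIONS, INSTALLED)
        note = f"  (also satisfiable by {hits[1:]})" if len(hits) > 1 else ""
        print(f"{name:22} -> {hits[0] if hits else None}{note}")
```

A short name that `providers()` can satisfy from more than one place depends on search order and on what is installed; the fully qualified forms do not.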
RED HAT ANSIBLE AUTOMATION PLATFORM - AUTOMATION HUB
A note about services
Red Hat Ansible Automation Platform services (Automation Hub and Automation Analytics) require an active subscription to the platform.
Introducing the Automation Hub:
Discover, publish, and manage Collections
Introducing the Automation Hub, a new service available to Ansible Automation subscribers.
Quickly discover available Red Hat and certified content through Collections.
Manage and test your organization’s view of available content.*
Manage your locally available automation via on-premise.*
*FY21 roadmap
Example Collection on Automation Hub
RED HAT ANSIBLE AUTOMATION PLATFORM - CONTENT PACKAGES
Resource modules transform structured data into configurations.
Fact modules transform network configuration into structured data.
Ansible Networking
Building resource-based management
RED HAT ANSIBLE AUTOMATION PLATFORM - AUTOMATION CONTENT PACKAGES
snmp:
  communities: <list>
    - community: <string>
      group: <string>
      ipv4acl: <string>
      ipv6acl: <string>
  contact: <string>
  location: <string>
  users: <list>
    - algorithm: <md5|sha>
      group: <string>
      localized_key: <bool>
      password: <string>
      username: <string>
NETWORK NATIVE CONFIGURATION (ON BOX)
Ansible Security Automation
Triage Of Suspicious Activities
Enabling programmatic access to log configurations such as destination, verbosity, etc.
Threat Hunting
Automating alerts, correlation searches and signature manipulation
Incident Response
Creating new security policies to whitelist, blacklist or quarantine a machine
RED HAT ANSIBLE AUTOMATION PLATFORM - AUTOMATION ANALYTICS
Introducing Automation Analytics
Enabling an Automation Center of Excellence
View real-time information about automation health, usage and performance across your enterprise. Powered by the Red Hat Cloud Platform.
Gain information about automation in your organization:
• Which organizations are using the most automation
• Utilization rates
• Enterprise-wide success and failure rates for automation
• If automation is failing in certain cases, why?
Analytics Dashboard
Information across all clusters for an enterprise:
● Job Status graph
● Top Job Templates
● Top Modules
Health Notifications
● Ansible Tower Cluster is down
● Node (within a cluster) is down
● Last time data was updated
● Near license count
● More TBD...
Organizational Statistics
Filter by Organization
Job Status by Organization
Usage by Organization
Job Runs by Organization
RED HAT ANSIBLE AUTOMATION PLATFORM - SCALABLE EXECUTION
Scalable Execution Capacity
Automate across and beyond the enterprise
Where you need it
Unifying task execution across execution nodes
When you need it
Leverage Kubernetes and OpenShift to spin up execution capacity at runtime
How you need it
Expand execution to be able to pull jobs from a central Ansible Tower infrastructure
Automation Webhooks
Enabling GitOps
Automatically provision, update, configure, and apply based on pushes to your source control.
RED HAT ANSIBLE AUTOMATION PLATFORM - ADDITIONAL TOWER NOTES
Introducing the awx CLI
A brand-new CLI for use with Tower (replacing tower-cli).
● Auto-detects API versions, available endpoints, and features across multiple versions of Tower (where possible) without requiring changes
● JSON and human readable output formats
● Tested and shipped with Tower
Note: users of the send/receive functionality of tower-cli should still use tower-cli
[user@server: ~]$ awx organizations create --name "The Round Table"
{
  "id": 2,
  "type": "organization",
  "url": "/api/v2/organizations/2/",
  "summary_fields": {
    "created_by": {
...
[user@server: ~]$ awx -f human organizations list
id name
== ====================
1  Here be Dragons
2  The Round Table
[user@server: ~]$ awx -f human job_template launch "apply configuration"
id  name
=== =======================
103 apply configuration
Assorted minor enhancements
- Created an Ansible collection for the awx/tower Ansible modules
- Updated PostgreSQL to version 10.x
- Configurable TLS connection support for:
  - PostgreSQL (bring your own cert)
  - RabbitMQ (deployed by installer)
- Added the ability to collect detailed Ansible performance information for debugging
- Adjusted LOG_AGGREGATOR_LEVEL to also change local logging level
- Added notifications on job start and more authentication options for webhook notifications
- Added support for mapping org auditors via LDAP (analogous to org admins)
Notes for operators
DEPRECATIONS, REMOVALS, AND BEHAVIOR CHANGES
- REMOVED /api/v1
  - this also removes the single credential field on templates
- REMOVED support for Ubuntu as a Tower platform
- REMOVED OAuth2 ‘implicit grant’ type applications
- REMOVED support for ‘Any’ notification template type
  - Upgrades will migrate ‘any’ notifications into separate ‘success’ and ‘failure’ notifications
- DEPRECATED /api/v2/dashboard
  Use the /api/v2/metrics endpoint for summary data for monitoring
- DEPRECATED support for custom inventory scripts
  Please use SCM for custom inventory sources.
Notable Past Features
Support for External Credential Vaults
RED HAT ANSIBLE TOWER 3.5 OVERVIEW
Use credentials from your corporate standard password and key storage directly from Tower.
● HashiCorp Vault
● CyberArk AIM
● CyberArk Conjur
● Microsoft Azure Key Vault
Enabling Advanced Ansible Features
Note: these features require Ansible 2.8
Inventory Plugins
Azure
GCE
OpenStack
Tower
Privilege Escalation Plugins
Handle complex privilege escalation in your enterprise environment.
Metrics for Monitoring
Ansible Tower Health And Stats at a Glance
New, Prometheus-compatible metrics
Available at /api/v2/metrics
ENHANCED WORKFLOWS
WORKFLOW CONVERGENCE NODES
● Wait for any number of steps to finish before proceeding
● Allows for built-in synchronization points, easy result collection, and simplified error handling
Workflow convergence makes it easier than ever to have your Ansible automation workflows model and match your actual deployment processes.
JOB DISTRIBUTION VIA JOB SLICING
BEFORE ANSIBLE TOWER 3.4
● Any playbook run would run one ansible-playbook process on one cluster node
● Jobs run across thousands of machines could potentially starve that cluster node’s resources, or fail due to memory contention
● Job resizing could be a complicated manual process
WITH TOWER 3.4 AND LATER JOB SLICING
Jobs have a configurable number of slices. Each slice will be run as a separate ansible-playbook run, and slices will be distributed across the Tower cluster.
● Run fact gathering, configuration, and more across thousands of machines with ease
● Increase both job throughput and job reliability
NOTE: Job slicing is only appropriate when each host’s automation is independent of other hosts
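An added example (not from the slides and not Tower's code) of what slicing does to an inventory and why the NOTE above matters: a play whose tasks read other hosts' data sees only the hosts in its own slice. The stride-based host assignment, the host names and the dependency maps are assumptions constructed for illustration.

```python
# Illustrative model of job slicing: one inventory, N independent
# ansible-playbook runs. The stride assignment is an assumption, and the
# inventory below is constructed sample data.

def slice_hosts(hosts, slice_count):
    """Split a host list into up to slice_count disjoint slices."""
    if slice_count < 1:
        raise ValueError("slice_count must be >= 1")
    ordered = sorted(hosts)
    slices = [ordered[i::slice_count] for i in range(slice_count)]
    return [s for s in slices if s]   # fewer hosts than slices: drop empty runs


def unreachable_dependencies(slices, depends_on):
    """Return {host: dependencies that fall outside its slice}.

    depends_on maps host -> set of hosts whose facts or results its tasks read.
    """
    missing = {}
    for members in slices:
        visible = set(members)
        for host in members:
            outside = depends_on.get(host, set()) - visible
            if outside:
                missing[host] = sorted(outside)
    return missing


def safe_to_slice(hosts, slice_count, depends_on):
    """True when no host needs data from a host in another slice."""
    return not unreachable_dependencies(slice_hosts(hosts, slice_count), depends_on)


INVENTORY = [f"web{n:02d}" for n in range(1, 7)] + ["lb01"]   # constructed
# Independent work: patching each host needs nothing from the others.
PATCHING = {}
# Dependent work: lb01 builds its backend pool from every web host's facts.
LB_CONFIG = {"lb01": {h for h in INVENTORY if h.startswith("web")}}

if __name__ == "__main__":
    for number, members in enumerate(slice_hosts(INVENTORY, 3), start=1):
        print(f"slice {number}: {members}")
    print("patching safe to slice:", safe_to_slice(INVENTORY, 3, PATCHING))
    print("lb config gaps:", unreachable_dependencies(slice_hosts(INVENTORY, 3), LB_CONFIG))
```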
Future Directions
RED HAT ANSIBLE AUTOMATION - ROADMAP TIMELINE
Fall 2019
Initial release of the Automation Platform
Automation Analytics
Collections (GA)
Automation Hub launch
- Certified Partner content home
- Delivery of Collections to subscribers
Basic collection support in Tower
Git Webhooks
Scalable execution in OpenShift/Kubernetes
Security Automation (GA)
Network Automation Collections introduced
Spring 2020 and beyond
Collection synchronization and management in Tower
Direct Collection use in Workflows
Ansible content now delivered in Collections
On-premise content management in Automation Hub
On-demand execution scaling outside of OpenShift/Kubernetes
Networking Automation reference architectures
Collections for additional Automation use cases
Developer tools for content testing and publishing
Demo
Thank you