ANSIBLE FROM CLI TO TOWER
Flávio Andrade
Platform Technical Account Manager
fandrade@[Link]
Aug/2018
Ansible Super Powers
2 RED HAT TAM WEBINAR
Why are companies adopting Ansible?
Ansible is the smoothest way to automate your IT!
SIMPLE POWERFUL AGENTLESS
Ansible Playbooks
---
- hosts: webservers
  vars:
    http_port: 80
    max_clients: 200
  remote_user: root
  tasks:
    - name: ensure apache is at the latest version
      yum: name=httpd state=latest
    - name: write the apache config file
      template: src=/srv/httpd.j2 dest=/etc/[Link]
      notify:
        - restart apache
    - name: ensure apache is running (and enable it at boot)
      service: name=httpd state=started enabled=yes
  handlers:
    - name: restart apache
      service: name=httpd state=restarted
Simple and powerful automation tool!
TOWER EXPANDS AUTOMATION TO YOUR ENTERPRISE.
CONTROL: Scheduled and centralized jobs
KNOWLEDGE: Visibility and compliance
DELEGATION: Role-based access and self-service
SIMPLE: Everyone speaks the same language
POWERFUL: Designed for multi-tier deployments
AGENTLESS: Predictable, reliable, and secure
AT ANSIBLE’S CORE IS AN OPEN-SOURCE AUTOMATION ENGINE.
WHAT IS ANSIBLE TOWER?
Ansible Tower is an enterprise framework for controlling, securing and managing your Ansible automation, with a UI and RESTful API.
• Role-based access control keeps environments secure, and teams efficient.
• Non-privileged users can safely deploy entire applications with push-button deployment access.
• All Ansible automations are centrally logged, ensuring complete auditability and compliance.
WHAT PROBLEMS DOES IT SOLVE?
Ansible solves the problem of automating and orchestrating
• Does not address bigger picture security/compliance
Tower spotlights security considerations and provides predictability
• Role-based access control and secure credential storage
• API integrations, accountability and execution history
Ansible on the CLI:
• Only respects security in place at host user level
• No abstraction of remote host or cloud credentials from user
• No guarantee of execution parameters or integrity of Playbook as designed by the team
Tower:
• Abstracts security from the user
ANSIBLE TOWER FEATURES
DELEGATE ANSIBLE TO ANYONE
EMPOWER YOUR TEAMS INSIDE AND OUTSIDE OF OPERATIONS
● Connect to your LDAP, AD, SAML and other directories
● Full role-based access control engine
● Store credentials for use without exposure
● Enable users to automate without previous Ansible knowledge
● Find relevant information more quickly
● Simple surveys configure automation at run-time
● Workflows chain together automations to orchestrate more of your infrastructure
● REST API allows integration into your existing processes and tools
● Add capacity by adding more Tower front-end instances to the cluster
KNOWLEDGE IS KEY
ENSURE ENVIRONMENT CONSISTENCY
● All automation securely logged in Tower
● Use Tower’s activity stream for auditing
● Notifications automatically alert the channel of your choice
● Enterprise Logging Support automatically pushes results to external aggregators
CLI and the Tower Equivalent - RBAC
● UI login accounts do not mean you execute in your own shell account (no matter the auth integrations used)
○ The execution environment is built from everything configured, but the run is ultimately done as the awx user at the command-line level.
● Repeatability and consistency are the goal of security abstraction
● The ability to use, but not expose, credentials, inventory, playbooks and secure vars is key to allocating a user’s role within the organization.
CLI and the Tower Equivalent - Credentials
From CLI to Tower - Credentials from both:
● ~/.ssh/id_rsa (SSH keys, or username/password etc.)
● Windows usernames/passwords
● Cloud credentials/API credentials (like ~/.boto )
● Networking devices username/password
● SCM (Usually also an SSH key, but possibly username/password)
CLI and the Tower Equivalent - Inventory
$ ls ~/inventory/cloud/
[Link] [Link] group_vars hosts
● CLI and Tower can both mix dynamic and static sources
● Group_vars and host_vars can also be static or dynamic
● Like CLI:
○ Variables and namespaces are collapsed at run time; similar scripts overwrite each other
INVENTORY CONSIDERATIONS
Groups are not hierarchies; they are Venn diagrams
• “Type” groups can overlap with “location” groups
• Bare groups (not groups of groups) should be as specific as possible
• Groups of groups should not have variables that overlap with those of bare groups
Group variables can overstep each other in unpredictable ways
Variable precedence is key to knowing where to put your variables
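The overlap described on this slide, as an added example that is not part of the original deck: a simplified Python model, not Ansible's own code, of a "type" group and a "location" group setting the same variable for one host. It assumes groups merge in order of depth, then ansible_group_priority, then name, with the last group winning; the inventory, group names, host name and values are constructed for illustration.

```python
# Simplified model (not Ansible's code) of how group variables collapse for a host.
# Assumption: groups merge in (depth, ansible_group_priority, name) order and the
# last group merged wins any clash.

# Constructed sample inventory; every name and value here is hypothetical.
GROUPS = {
    "all":        {"parents": [],       "vars": {"ntp_server": "ntp.example.test"}},
    "prod":       {"parents": ["all"],  "vars": {"http_port": 80, "log_level": "warn"}},
    "webservers": {"parents": ["prod"], "vars": {"http_port": 8080}},  # "type" group
    "dc_east":    {"parents": ["prod"],                                # "location" group
                   "vars": {"http_port": 8443, "ntp_server": "ntp.east.example.test"}},
}
HOST_GROUPS = {"web01": ["webservers", "dc_east"]}
PRIORITY_KEY = "ansible_group_priority"  # set in the inventory source; default 1

def depth(name, groups):
    """Distance from the root; with several parents the deepest path counts."""
    parents = groups[name]["parents"]
    return 0 if not parents else 1 + max(depth(p, groups) for p in parents)

def ancestors(name, groups):
    """The group itself plus every group above it."""
    found = {name}
    for parent in groups[name]["parents"]:
        found |= ancestors(parent, groups)
    return found

def merge_order(host, groups=GROUPS, host_groups=HOST_GROUPS):
    """Groups the host belongs to, lowest precedence first."""
    member_of = set()
    for group in host_groups[host]:
        member_of |= ancestors(group, groups)
    return sorted(member_of, key=lambda g: (
        depth(g, groups), groups[g]["vars"].get(PRIORITY_KEY, 1), g))

def effective_vars(host, groups=GROUPS, host_groups=HOST_GROUPS):
    """Return {variable: (value, winning_group)} so each override is traceable."""
    result = {}
    for group in merge_order(host, groups, host_groups):
        for key, value in groups[group]["vars"].items():
            if key != PRIORITY_KEY:
                result[key] = (value, group)
    return result

if __name__ == "__main__":
    for key, (value, source) in sorted(effective_vars("web01").items()):
        print(f"{key} = {value!r}  (from group {source})")
```

In this model web01 ends up with the port from webservers only because that name sorts after dc_east; giving one group an explicit ansible_group_priority makes the winner a deliberate choice.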
ORGANIZATION AND RBAC CONSIDERATIONS
Multiple inventories may be needed
• Network automation may not need to have app/cache/db hosts in its inventory
• Multiple cloud dynamic sources will overwrite each other
Things that “just work” for CLI may need consideration in Tower
• Execution isolation means config files at ~/.* need to be placed for the AWX user in Tower
• Bubblewrap isolates Tower runs to the project/Playbook directory (can’t write to /tmp locally, etc.)
SCM is to your advantage:
• Playbook projects for different teams/orgs can utilize forks, branch tags
• Roles don’t need one monolithic repository
CLI and the Tower Equivalent - Projects
$ ls lamp-playbooks/
[Link]
[Link]
roles/
[Link]
Projects are:
● A directory containing your playbooks and roles
● Local disk or remote SCM
● Able to be assigned via RBAC
CLI and the Tower Equivalent - Job Templates
Job Templates are the UI representation of each option of the
ansible-playbook command, including:
● Connection information
● Playbook to run
● Inventory specifications (inventory and target groups)
● Privilege escalation
● General options under “man ansible-playbook”
$ ansible-playbook [Link] \
    -e "var=extra" --ask-vault-pass -i inventory -b \
    --private-key=~/.ssh/id_rsa -u user1 \
    -t tag1 --skip-tags=SKIP_TAGS
Red Hat Ansible Tower Integration
INTEGRATED INTO TOOLS YOU ALREADY USE
Ansible Tower can be integrated with:
● Red Hat Satellite
● Red Hat CloudForms
● Red Hat OpenStack
● Red Hat OpenShift
RED HAT Ansible Tower benefits
IMPROVE SECURITY, AUDITING, AND WORKFLOW CI/CD
Red Hat Ansible addresses key business concerns to help IT quickly and effectively address provisioning and orchestration with CI/CD and auditing
Avoid downtime: Correct issues, such as security vulnerabilities and configuration errors, faster than manual intervention, which could impact business operations
Boost security: Maintain control of configuration files and of the versions of tools installed on a system, with auditing of actions and comparative dashboards
Workflow Automation & CI/CD: Take advantage of the idempotence of playbooks with workflow automation, enabling continuous integration and continuous delivery
RED HAT ANSIBLE TOWER
BENEFITS SUMMARY
With Red Hat Ansible Tower you can configure, orchestrate and automate all infrastructure in a single dashboard, and by integrating with other Red Hat tools Ansible Tower can be even more powerful
● Faster provisioning avoiding human intervention
● Grant automation in a single dashboard
● Increased efficiency
RED HAT ANSIBLE TOWER
OFFERING CHOICE BASED ON CUSTOMER NEEDS
● Single Dashboard
● Real time jobs status update
● Multi-playbook workflow
● Who ran what job, and when
● Scale capacity with a Tower cluster
● Integrated notifications
● Schedule Ansible jobs
● Manage and Track your entire inventory
● Simplified self service
● Remote command execution
● Comprehensive REST API
● Tower CLI tool
RED HAT ANSIBLE TOWER
DEMO SESSION
RED HAT ANSIBLE TOWER
ADDITIONAL REFERENCES
Learn more:
[Link]
Get Started:
[Link]
Red Hat Ansible Tower product:
[Link]
Red Hat Ansible Tower & Red Hat Products integration:
[Link]
Ansible Tower Product documentation:
[Link]
Red Hat Ansible Tower API reference guide:
[Link]
THANK YOU