Example repository to build Ansible Execution Environments using a Makefile.
TODO: Update docs to leverage new PIP_INDEX_URL environment variable option https://developers.redhat.com/articles/2025/01/27/how-manage-python-dependencies-ansible-execution-environments#python_dependency_management
- Navigate to build server
- Optionally provision build server using script
- Clone this repository
- Customize
- Edit dependencies
requirements.yml,requirements.txt,bindep.txt - Set token environment variable
ANSIBLE_HUB_TOKEN - Edit
execution-environment.ymlaccordingly - Edit
Makefilevariables
- Edit dependencies
- Cleanup with
make clean - Test token with
make token - Build it
make build - Test it
make test - Inspect it
make inspect - Review it
make info - (Optional) Look inside
make shell - Publish it
make publish - Enjoy your day
Search for images and then checks collections, system packages and python packages manually before we run the ansible-builder command.
# Login to registry
podman login registry.redhat.io
# Search registry to find latest images
podman search registry.redhat.io/ansible-automation-platform-25
# Pull image and start container with volume mounts
podman run -it -v $PWD:/opt/ansible registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest /bin/bash
# Check dependencies for collections
ansible-galaxy collection install -r requirements.yml
cd /home/runner/.ansible/collections/ansible_collections/
grep -R python39 * | grep bindep.txt
grep -R suds *
# Look at potential newer versions of the collections
ansible-galaxy collection install --upgrade -r requirements.yml
# Install windows packages
microdnf install krb5-libs krb5-workstation krb5-devel
# Install Python 3.8 developer tools
microdnf install vi git rsync unzip tar sudo gcc openssl openssl-devel gcc-c++ dnf libpq-devel python38-devel glibc-headers libcurl-devel libssh-devel jq python3-Cython python3-devel openldap-devel
# Install Python 3.9 developer tools
microdnf install vi git rsync unzip tar sudo gcc openssl openssl-devel gcc-c++ dnf libpq-devel python39-devel glibc-headers libcurl-devel libssh-devel jq python3-Cython python3-devel openldap-devel
# Test the installation of required python libraries
pip3 install -r requirements.txtIt's important to scan your image for vulnerabilities. Below are a couple articles showing how to do that. The recommendation is to implement this inside the Makefile in this repository so you can run it easily as part of your pipeline.
- Using Snyk and Podman to scan container images from development to deployment
- DevSecOps: Image scanning in your pipelines using quay.io scanner
We can test that everything is working by running an Ansible Playbook in the image using ansible-navigator. The tool launches the container, runs the playbook and shows an interactive screen where you can watch the playbook run through. To quit the tool, use similar mechanism :q! like within a vi editor.
# Run playbook to test basic operations against new image
ansible-navigator run playbook.yml --container-engine podman --execution-environment-image ansible-ee:5.0
# Check configuration of new image
ansible-navigator config --container-engine podman --execution-environment-image ansible-ee:5.0Building:
Migration of Python Virtual Environments:
Ansible Collection issues:
- Search for Ansible Collections and versions using these links:
- Issue and resolution when using
kebernetes.corethat requiresopenshift-clientspackage:- How to install the 'openshift-clients' package in Openshift Custom Execution Environment?
- Installing the OpenShift CLI by using an RPM
- How to download rpm packages manually from the Customer Portal?
- Another workaround is using the
openshift-clientspackage rpm that exists inside the AAP bundle tarball
Python dependency issues:
- Install johnnydep inside your current venv and leverage the tool to check various dependencies for python modules that might be causing issues. For example
johnnydep requests.
Image building and customization:
Pipelines:
Ansible Navigator:
- Default execution environment that ansible-navigator uses when not specified: quay.io/ansible/creator-ee
- Examine execution environment using ansible-navigator:
ansible-navigator --eei <image-name> - Extract list of collections from existing execution environment:
ansible-navigator --eei <image-name> collections --mode stdout - Use Credentials within
ansible-navigatortool:- How Do I Use Ansible Tower's Credential Parameters (Machine, Network, Cloud) in my Playbook?
- Mount the file(s) using
--eevparameter on ansible-navigator:--eev --execution-environment-volume-mounts Specify volume to be bind mounted within an execution environment (--eev /home/user/test:/home/user/test:Z)
- How to run
--syntax-checkusingansible-navigator:
ansible-navigator run <playbook> --syntax-check --mode stdout`- Start shell session inside container image:
# Generic command
podman run -it registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest /bin/bash
# With volume mounts
podman run -it -v $PWD:/opt/ansible registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest /bin/bash
# With volume mounts from SELinux enabled system
podman run -it -v $PWD:/opt/ansible:z registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest /bin/bash- Run adhoc commands inside image:
podman run --rm <image-name> <command>- Run ansible-builder:
# Build the image and tag the image
ansible-builder build --verbosity 3 --container-runtime=podman --tag ansible-ee:5.0- Change the yum and pip repositories within the base images:
# Create yum repository file locally
cat > ubi.repo <<EOF
[rhel-8-for-x86_64-appstream-rpms]
baseurl = http://x.x.x.x/rpms/rhel-8-for-x86_64-appstream-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel-8-for-x86_64-baseos-rpms]
baseurl = http://x.x.x.x/rpms/rhel-8-for-x86_64-baseos-rpms
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
# Create pip configuration file locally
cat > pip.conf <<EOF
[global]
index-url = https://artifactory.acme.com/artifactory/api/pypi/pypi/simple
trusted-host = artifactory.acme.com
EOF
# Then run the containers
podman run -d -it --name custom-ee-supported registry.redhat.io/ansible-automation-platform-25/ee-supported-rhel9:latest /bin/bash
podman run -d -it --name custom-ee-builder registry.redhat.io/ansible-automation-platform-25/ansible-builder-rhel9:latest /bin/bash
# Then copy the yum repo file into the containers
podman cp ubi.repo custom-ee-supported:/etc/yum.repos.d/
podman cp ubi.repo custom-ee-builder:/etc/yum.repos.d/
# Then copy the pip config file to set the global pip configuration https://pip.pypa.io/en/stable/topics/configuration/
podman cp pip.conf custom-ee-supported:/etc/
podman cp pip.conf custom-ee-builder:/etc/
#Then stop the containers
podman stop -a
#Then commit the containers
podman commit --message "Replaced yum repos" --author "ACME Company" <containerID> <image>
#Then push the containers
podman push <image-name> quay.io/username/myimageansible-builder:
- Introduction to Ansible Builder
- Ansible Builder - Guide
- Ansible Builder - Read The Docs
- Ansible Builder - Source Code
- Ansible Builder - Releases
ansible-navigator:
- Ansible Navigator Documentation
- Ansible Navigator Creator Guide
- Introduction to Ansible Runner
- Ansible Navigator - Source Code
- Ansible Navigator - Settings
ansible-bender:
ansible-bender is a tool which bends containers using Ansible playbooks and turns them into container images. It has a pluggable builder selection — it is up to you to pick the tool which will be used to construct your container image. Right now the only supported builder is buildah. More to come in the future. Ansible-bender (ab) relies on Ansible connection plugins for performing builds.
buildah:
buildah is a tool that facilitates building Open Container Initiative (OCI) container images. The Buildah package provides a command line tool that can be used to:
- create a working container, either from scratch or using an image as a starting point
- create an image, either from a working container or via the instructions in a Dockerfile
- images can be built in either the OCI image format or the traditional upstream docker image format
- mount a working container's root filesystem for manipulation
- unmount a working container's root filesystem
- use the updated contents of a container's root filesystem as a filesystem layer to create a new image
- delete a working container or an image
- rename a local container
podman:
- Installation
- How to set debug logging from podman?
- Debugging:
podman pull --log-level debug <image>
skopeo:
General:
- microdnf showing ibrhsm-WARNING ** and Found 0 entitlement certificates
- Container Quickstarts by Red Hat's Community of Practice. This repository is meant to help bootstrap users of the OpenShift Container Platform to get started in building and using Source-to-Image to build applications to run in OpenShift.
- Best Practices for successful DevSecOps
- What are image layers?
- Best Practices for Writing Dockerfiles
- 5 Podman features to try now
- Working with Red Hat Enterprise Linux Universal Base Images (UBI)
- Running Virtual Machines Under Vagrant on the New Mac M1/M2/M3
Execution Environments:
- What are Red Hat Ansible Automation Platform automation execution environments?
- AWX - Execution Environments and using awx-manage
- Blog - The Anatomy of Automation Execution Environments
- Automation Controller - Execution Environments
- Execution Environment Setup Reference
Makefiles:
- Makefile Tutorial
- Docker and Makefiles: Building and Pushing Images with Make
- Ansible Builder and Execution Environments
- Docker and Makefiles
- Best practices for building images that pass Red Hat Container Certification
GNU General Public License v3.0
John Wadleigh