Search code examples
ansibleredhatansible-2.xansible-awx

Question about Ansible execution environment

I read below statement about RedHat Ansible execution environment

"By using an automation execution environment, you can use the same portable environment to develop your Ansible Playbooks on one system and run them on another"

I need some clarification related to above statement. It is mentioned that we can use sample playbook on multiple system without worrying about the dependencies as execution environment will take care of the dependencies. However what if python on my managed node is a different version or what if ansible on control node is different version then when the playbook was created and executed first. Same playbook wont work in this scenario after few years. Then how execution environment will help us here.

Solution

  • The whole point of automation execution environments is to containerize userspace of control node as far as ansible concerned. As per docs, in the image you get

    • the base container image
    • the version of Python
    • the version of ansible-core
    • the version of ansible-runner
    • Ansible collections, with version restrictions
    • system packages, with version restrictions
    • Python packages, with version restrictions
    • other items to download, install, or configure

    So let's illustrate it by example, let's say you want to manage VMware with ansible. Community.vmware collection docs instruct us to install

    • Pyvmomi
    • vSphere Automation SDK for Python
    • vSAN Management SDK for Python

    So you do just that - when building your execution env, you specify concrete base image, ansible version, collection version, python requirements etc, and after building it - you can't change anything in it! All dependencies are frozen in time. Each subsequent run will use the same container image, and in a few years nothing will change. You get bug-to-bug compatible runs.

    They above is only correct if you use immutable tags concept - that is, each built/rebuilt image should have a distinct tag, and that you can't override an existing one on repository level. Don't expect any guarantees if you always build and use latest tag, that's an anti-pattern.

    Re: "what if python on my managed node is a different version" - that's on you!

    If you absolutely need a specific python version on managed node, and a specific set of dependencies - your playbook should reflect that. Ansible requires pretty barebone python installation, and in my 10 years of using it i rarely encountered interpreter issue, though i certainly can't say there were none. Usually, you should expect a certain level of python compatibility and stability on OS level, and I'd consider filing a support case to redhat if this kind of regression happened on RHEL during its supported lifetime.