Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Creating and using execution environments

Red Hat Ansible Automation Platform 2.5

Create and use execution environment containers

Red Hat Customer Content Services

Abstract

This guide shows how to create consistent and reproducible automation execution environments for your Red Hat Ansible Automation Platform.
This document includes content from the upstream docs.ansible.com documentation, which is covered by the Apache 2.0 license.

Preface
Copy link

Use execution environment builder to create consistent and reproducible containers for your Red Hat Ansible Automation Platform needs.

Providing feedback on Red Hat documentation
Copy link

If you have a suggestion to improve this documentation, or find an error, you can contact technical support at https://access.redhat.com to open a request.

Using Ansible content that depends on non-default dependencies can be complicated because the packages must be installed on each node, interact with other software installed on the host system, and be kept in sync.

You must use the same environment during development, testing and in production. Red Hat provides execution environments for this purpose.

Automation execution environments help simplify this process and can easily be created with Ansible Builder.

Chapter 2. Builder
Copy link

Ansible provides an Execution Environment Utilities Collection, infra.ee_utilities. Red Hat provides execution environments for this purpose. This is a collection of roles for creating and managing images, or migrating from the older Tower virtualenvs to execution environment. Using this collection, you can automate the preparation and maintenance of Ansible execution environments.

2.1. About automation execution environments
Copy link

All automation in Red Hat Ansible Automation Platform runs on container images called automation execution environments. Automation execution environments create a common language for communicating automation dependencies, and offer a standard way to build and distribute the automation environment.

Red Hat provides supported execution environments for you to use in the Red Hat ecosystem catalog.

An automation execution environment should contain the following:

  • Ansible Core 2.16 or later
  • Python 3.11 or later
  • Ansible Runner
  • Ansible content collections and their dependencies
  • System dependencies

2.1.1. Why use automation execution environments?
Copy link

With automation execution environments, Red Hat Ansible Automation Platform has transitioned to a distributed architecture by separating the control plane from the execution plane.

Keeping automation execution independent of the control plane results in faster development cycles and improves scalability, reliability, and portability across environments. Red Hat Ansible Automation Platform also includes access to Ansible content tools, making it easy to build and manage automation execution environments.

In addition to speed, portability, and flexibility, automation execution environments provide the following benefits:

  • They ensure that automation runs consistently across multiple platforms and make it possible to incorporate system-level dependencies and collection-based content.
  • They give Red Hat Ansible Automation Platform administrators the ability to provide and manage automation environments to meet the needs of different teams.
  • Automation execution environmentss enable automation teams to define, build, and update their automation environments themselves. System administrators can provide execution environments, but each organization administrator can also provide their own.
  • They allow automation to be easily scaled and shared between teams by providing a standard way of building and distributing the automation environment.

Chapter 3. Using Ansible Builder
Copy link

Ansible Builder is a command line tool that automates the process of building automation execution environments by using metadata defined in various Ansible Collections or created by the user.

Note

You must build an execution environment before you can create it using automation controller. After building it, you must push it to a repository (such as quay) and then, when creating an execution environment in the UI with automation controller, you must point to that repository to use it in Ansible Automation Platform to use it, for example, in a job template.

3.1. Why use Ansible Builder?
Copy link

With Ansible Builder, you can easily create a customizable automation execution environments definition file that specifies the content you want included in your automation execution environments such as Ansible Core, Python, Collections, third-party Python requirements, and system level packages. This enables you to fulfill all of the necessary requirements and dependencies to get jobs running.

3.2. Installing Ansible Builder
Copy link

Install Ansible Builder to create custom execution environments that contain the dependencies and collections required for your automation content. You need a valid Red Hat subscription and Podman installed on your RHEL system

Prerequisites

  • You have valid subscriptions attached on the host. Doing so enables you to access the subscription-only resources needed to install ansible-builder, and ensures that the necessary repository for ansible-builder is automatically enabled. See Attaching your Red Hat Ansible Automation Platform subscription for more information.
  • You have installed the Podman container runtime.

  • You have valid subscriptions attached on the host. Doing so allows you to access the subscription-only resources needed to install ansible-builder, and ensures that the necessary repository for ansible-builder is automatically enabled. See Attaching your Red Hat Ansible Automation Platform subscription for more information.

    Note

    To install the developer tools without consuming a valid Red Hat Ansible Automation Platform managed node entitlement you can use MCT4589–Red Hat Ansible Developer, Standard (10 Managed Nodes), which is free. This subscription is for enabling users of Ansible Automation Platform. This subscription requires the approval of Ansible Business Unit.

Procedure

  • Run the following command to install Ansible Builder and activate your Ansible Automation Platform repo: 

    #  dnf install --enablerepo=ansible-automation-platform-2.5-for-rhel-9-x86_64-rpms ansible-builder
    Copy to Clipboard Toggle word wrap

Creating execution environments for Ansible Automation Platform is a common task which works differently in disconnected environments. When building a custom execution environment, the ansible-builder tool defaults to downloading content from the following locations on the internet:

  • Red Hat Automation hub (console.redhat.com) or Ansible Galaxy (galaxy.ansible.com) for any Ansible content collections added to the execution environment image.
  • PyPI (pypi.org) for any python packages required as collection dependencies.
  • RPM repositories such as the RHEL or UBI repositories (cdn.redhat.com) for adding or updating RPMs to the execution environment image, if needed.
  • registry.redhat.io for access to the base container images.

Building an execution environment image in a disconnected environment requires mirroring content from these locations. For information about importing collections from Ansible Galaxy or automation hub into a private automation hub, see Importing an automation content collection in automation hub .

Mirrored PyPI content once transferred into the disconnected network can be made available by using a web server or an artifact repository such as Nexus. The RHEL and UBI repository content can be exported from an internet-facing Red Hat Satellite Server, copied into the disconnected environment, then imported into a disconnected Satellite so it is available for building custom execution environments. See ISS Export Sync in an Air-Gapped Scenario for details.

The default base container image, ee-minimal-rhel8, is used to create custom execution environment images and is included with the bundled installer. This image is added to the private automation hub at install time.

If a different base container image such as ee-minimal-rhel9 is required, it must be imported to the disconnected network and added to the private automation hub container registry.

Once all of the prerequisites are available on the disconnected network, the ansible-builder command can be used to create custom execution environment images.

3.4. Building a definition file
Copy link

You can use Ansible Builder to create an execution environment. Building a new execution environment involves a definition that specifies which content you want to include in your execution environment, such as collections, Python requirements, and system-level packages.

After you install Ansible Builder, you can create a definition file that Ansible Builder uses to create your automation execution environment image. Ansible Builder makes an automation execution environment image by reading and validating your definition file, then creating a Containerfile, and finally passing the Containerfile to Podman, which then packages and creates your automation execution environment image. The definition file that you create must be in YAML format, with a .yaml or .yml extension, and contain different sections. The default definition filename, if not provided, is execution-environment.yml. For more information on the parts of a definition file, see Breakdown of definition file content.

The following is an example of a version 3 definition file. Each definition file must specify the major version number of the Ansible Builder feature set it uses. If not specified, Ansible Builder defaults to version 1, making most new features and definition keywords unavailable. 

version: 3

build_arg_defaults:
1 

  ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre'

dependencies:
2 

  galaxy: requirements.yml
  python:
    - six
    - psutil
  system: bindep.txt

images:
3 

  base_image:
    name: registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel9:latest

# Custom package manager path for the RHEL based images
options:
4 

  package_manager_path: /usr/bin/microdnf

additional_build_steps:
5 

  prepend_base:
    - RUN echo This is a prepend base command!

  prepend_galaxy:
    # Environment variables used for Galaxy client configurations
    - ENV ANSIBLE_GALAXY_SERVER_LIST=automation_hub
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://console.redhat.com/api/automation-hub/content/xxxxxxx-synclist/
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
    # define a custom build arg env passthru - we still also have to pass
    # `--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN` to get it to pick it up from the env
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN

  prepend_final: |
    RUN whoami
    RUN cat /etc/os-release
  append_final:
    - RUN echo This is a post-install command!
    - RUN ls -la /etc
Copy to Clipboard Toggle word wrap
  1. Lists default values for build arguments.
  2. Specifies the location of various requirements files.
  3. Specifies the base image to be used. Red Hat support is only provided for the redhat.registry.io base image.
  4. Specifies options that can affect builder runtime functionality.
  5. Commands for additional custom build steps.

Additional resources

When you have installed Ansible Builder, use the following steps to create your custom execution environment.

Procedure

  1. Create a directory to store your custom execution environment build artifacts. Any new files created with the following steps are created under this directory. 

    $ mkdir $HOME/custom-ee $HOME/custom-ee/files
$ cd $HOME/custom-ee/
    Copy to Clipboard Toggle word wrap

  2. Create an execution-environment.yml file that defines the requirements for your custom execution environment.

    Note

    Version 3 of the execution environment definition format is required, so ensure the execution-environment.yml file contains version: 3 explicitly before continuing.

    1. Override the base image to point to the minimal execution environment available in your private automation hub.

    2. Define the additional build files needed to point to any disconnected content sources that will be used in the build process. Your custom execution-environment.yml file should look similar to the following example: 

      version: 3

images:
  base_image:
    name: private-hub.example.com/ee-minimal-rhel8:latest

dependencies:
  python: requirements.txt
  galaxy: requirements.yml

additional_build_files:
  - src: files/ansible.cfg
    dest: configs
  - src: files/pip.conf
    dest: configs
  - src: files/hub-ca.crt
    dest: configs
  # uncomment if custom RPM repositories are required
  #- src: files/custom.repo
  #  dest: configs

additional_build_steps:
  prepend_base:
    # copy a custom pip.conf to override the location of the PyPI content
    - ADD _build/configs/pip.conf /etc/pip.conf
    # remove the default UBI repository definition
    - RUN rm -f /etc/yum.repos.d/ubi.repo
    # copy the hub CA certificate and update the trust store
    - ADD _build/configs/hub-ca.crt /etc/pki/ca-trust/source/anchors
    - RUN update-ca-trust
    # if needed, uncomment to add a custom RPM repository configuration
    #- ADD _build/configs/custom.repo /etc/yum.repos.d/custom.repo

  prepend_galaxy:
    - ADD _build/configs/ansible.cfg ~/.ansible.cfg

...
      Copy to Clipboard Toggle word wrap

  3. Create an ansible.cfg file under the files/ subdirectory that points to your private automation hub. 

    $ cat files/ansible.cfg
[galaxy]
server_list = private_hub

[galaxy_server.private_hub]
url = /https://private-hub.example.com/api/galaxy/
    Copy to Clipboard Toggle word wrap

  4. Create a pip.conf file under the files/ subdirectory which points to the internal PyPI mirror (a web server or something like Nexus): 

    $ cat files/pip.conf
[global]
index-url = https://<pypi_mirror_fqdn>/
trusted-host = <pypi_mirror_fqdn>
    Copy to Clipboard Toggle word wrap

  5. Optional: If you use a bindep.txt file to add RPMs the custom execution environment, create a custom.repo file under the files/ subdirectory that points to your disconnected Satellite or other location hosting the RPM repositories. If this step is necessary, uncomment the steps in the example execution-environment.yml file that correspond with the custom.repo file.

    The following example is for the UBI repositories. Other local repositories can be added to this file as well. The URL path might need to change depending on where the mirror content is located on the web server. 

    $ cat files/custom.repo
[ubi-8-baseos]
name = Red Hat Universal Base Image 8 (RPMs) - BaseOS
baseurl = http://<ubi_mirror_fqdn>/repos/ubi-8-baseos
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1

[ubi-8-appstream]
name = Red Hat Universal Base Image 8 (RPMs) - AppStream
baseurl = http://<ubi_mirror_fqdn>/repos/ubi-8-appstream
enabled = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
gpgcheck = 1
    Copy to Clipboard Toggle word wrap

  6. Add the CA certificate used to sign the private automation hub web server certificate. If the private automation hub uses self-signed certificates provided by the installer:

    1. Copy the file /etc/pulp/certs/pulp_webserver.crt from your private automation hub and name it hub-ca.crt.
    2. Add the hub-ca.crt file to the files/ subdirectory.

  7. If the private automation hub uses user-provided certificates signed by a certificate authority:

    1. Make a copy of that CA certificate and name it hub-ca.crt.
    2. Add the hub-ca.crt file to the files/` subdirectory.

  8. When you have completed the preceding steps, create your python requirements.txt and ansible collection requirements.yml files, with the content needed for your custom execution environment image.

    Note

    Any required collections must already be uploaded into your private automation hub.

    The following files should exist under the custom-ee/ directory, with bindep.txt and files/custom.repo being optional: 

    $ cd $HOME/custom-ee
$ tree .
.
├── bindep.txt
├── execution-environment.yml
├── files
│   ├── ansible.cfg
│   ├── custom.repo
│   ├── hub-ca.crt
│   └── pip.conf
├── requirements.txt
└── requirements.yml

1 directory, 8 files
    Copy to Clipboard Toggle word wrap

When you have created a definition file, you can proceed to build an automation execution environment image.

Note

When building an execution environment image, it must support the architecture that Ansible Automation Platform is deployed with.

Prerequisites

  • You have created a definition file.

Procedure

  1. To build an automation execution environment image, run the following from the command line: 

    $ ansible-builder build
    Copy to Clipboard Toggle word wrap

    By default, Ansible Builder looks for a definition file named execution-environment.yml but a different file path can be specified as an argument with the -f flag:

    For example: 

    $ ansible-builder build -f definition-file-name.yml
    Copy to Clipboard Toggle word wrap

    where definition-file-name specifies the name of your definition file.

3.7. Breakdown of definition file content
Copy link

You must provide a definition file to build automation execution environmentss with Ansible Builder, because it specifies the content that is included in the automation execution environment container image.

The following sections breaks down the different parts of a definition file.

3.7.1. Build arguments
Copy link

The build_arg_defaults section of the definition file is a dictionary whose keys can provide default values for arguments to Ansible Builder.

The following table lists values that can be used in build_arg_defaults:

Expand
ValueDescription

ANSIBLE_GALAXY_CLI_COLLECTION_OPTS

Enables the user to pass arbitrary arguments to the ansible-galaxy CLI during the collection installation phase.

For example, the –pre flag to enable the installation of pre-release collections, or -c to disable verification of the server’s SSL certificate.

ANSIBLE_GALAXY_CLI_ROLE_OPTS

Enables the user to pass any flags, such as –no-deps, to the role installation.

Note

It is generally easier (especially in a pipeline context) to customize the base image into a custom base image using podman first, and then call ansible-builder on this custom image.

The values given inside build_arg_defaults will be hard-coded into the Containerfile, so these values will persist if podman build is called manually.

Note

If the same variable is specified in the CLI --build-arg flag, the CLI value takes higher precedence.

3.7.2. Definition dependencies
Copy link

You can include dependencies that must be installed into the final image in the dependencies section of your definition file.

To avoid issues with your automation execution environment image, make sure that the entries for Galaxy, Python, and system point to a valid requirements file, or are valid content for their respective file types.

3.7.2.1. Galaxy
Copy link

The galaxy entry points to a valid requirements file or includes inline content for the ansible-galaxy collection install -r …​ command.

The entry requirements.yml can be a relative path from the directory of the automation execution environment definition’s folder, or an absolute path.

The content might look like the following: 

collections:
  - community.aws
  - kubernetes.core
Copy to Clipboard Toggle word wrap
3.7.2.2. Python
Copy link

The python entry in the definition file points to a valid requirements file or to an inline list of Python requirements in PEP508 format for the pip install -r …​ command.

The entry requirements.txt is a file that installs extra Python requirements on top of what the Collections already list as their Python dependencies. It might be listed as a relative path from the directory of the automation execution environment definition’s folder, or an absolute path. The contents of a requirements.txt file should be formatted as the following example, similar to the standard output from a pip freeze command.

The content might look like the following: 

boto>=2.49.0
botocore>=1.12.249
pytz
python-dateutil>=2.7.0
awxkit
packaging
requests>=2.4.2
xmltodict
azure-cli-core==2.11.1
openshift>=0.6.2
requests-oauthlib
openstacksdk>=0.13
ovirt-engine-sdk-python>=4.4.10
Copy to Clipboard Toggle word wrap
3.7.2.3. System
Copy link

The system entry in the definition points to a bindep requirements file or to an inline list of bindep entries, which install system-level dependencies that are outside of what the collections already include as their dependencies.

The system entry can be listed as a relative path from the directory of the automation execution environment definition’s folder, or as an absolute path. At a minimum, the the collections must specify necessary requirements for [platform:rpm].

To demonstrate this, the following is an example bindep.txt file that adds the libxml2 and subversion packages to a container.

The content might look like the following: 

libxml2-devel [platform:rpm]
subversion [platform:rpm]
Copy to Clipboard Toggle word wrap

Entries from multiple collections are combined into a single file. This is processed by bindep and then passed to dnf. Only requirements with no profiles or no runtime requirements will be installed to the image.

3.7.2.4. Images
Copy link

The images section of the definition file identifies the base image. Verification of signed container images is supported with the podman container runtime.

The following table shows a list of values that you can use in images:

Expand
ValueDescription

base_image

Specifies the parent image for the automation execution environment which enables a new image to be built that is based on an existing image. This is typically a supported execution environment base image such as ee-minimal or ee-supported, but it can also be an execution environment image that you have created and want to customize further.

A name key is required for the container image to use. Specify the signature _original_name key if the image is mirrored within your repository, but is signed with the image’s original signature key. Image names must contain a tag, such as :latest.

The default image is registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest.

3.8. Additional build files
Copy link

You can add any external file to the build context directory by referring or copying them to the additional_build_files section of the definition file. The format is a list of dictionary values, each with a src and dest key and value.

Each list item must be a dictionary containing the following required keys:

src
Specifies the source files to copy into the build context directory. This can be an absolute path (for example, /home/user/.ansible.cfg), or a path that is relative to the execution environment file. Relative paths can be glob expressions matching one or more files (for example, files/*.cfg).
Note

Absolute paths can not include a regular expression. If src is a directory, the entire contents of that directory are copied to dest.

dest
Specifies a subdirectory path underneath the _build subdirectory of the build context directory that contains the source files (for example, files/configs). This can not be an absolute path or contain .. within the path. Ansible Builder creates this directory for you if it does not already exist.

3.9. Additional custom build steps
Copy link

You can specify custom build commands for any build phase in the additional_build_steps section of the definition file. This allows fine-grained control over the build phases.

Use the prepend_ and append_ commands to add directives to the Containerfile that run either before or after the main build steps are executed. The commands must conform to any rules required for the runtime system.

See the following table for a list of values that can be used in additional_build_steps:

Expand
ValueDescription

prepend_base

Allows you to insert commands before building the base image.

append_base

Allows you to insert commands after building the base image.

prepend_galaxy

Allows you to insert before building the galaxy image.

append_galaxy

Allows you to insert after building the galaxy image.

prepend_builder

Allows you to insert commands before building the Python builder image.

append_builder

Allows you to insert commands after building the Python builder image.

prepend_final

Allows you to insert before building the final image.

append_final

Allows you to insert after building the final image.

The syntax for additional_build_steps supports both multi-line strings and lists. See the following examples:

Example 3.1. A multi-line string entry

prepend_final: |
   RUN whoami
   RUN cat /etc/os-release
Copy to Clipboard Toggle word wrap

Example 3.2. A list entry

append_final:
- RUN echo This is a post-install command!
- RUN ls -la /etc
Copy to Clipboard Toggle word wrap

Example 3.3. Copying arbitrary files to execution environments

additional_build_files:
  # copy arbitrary files next to this EE def into the build context - we can refer to them later...
  - src: files/rootCA.crt
    dest: configs

additional_build_steps:
  prepend_base:
    # copy a custom CA cert into the base image and recompute the trust database
    # because this is in "base", all stages will inherit (including the final EE)
    - COPY _build/configs/rootCA.crt /usr/share/pki/ca-trust-source/anchors
    - RUN update-ca-trust
Copy to Clipboard Toggle word wrap

The additional_build_files section enable you to add rootCA.crt to the build context directory. When this file is copied to the build context directory, it can be used in the build process. To use the file, copy it from the build context directory using the COPY directive specified in the prepend_base step of the additional_build_steps section. You can perform any action based upon the copied file, such as in this example updating dynamic configuration of CA certificates by running RUN update-ca-trust.

The following example file specifies environment variables that might be required for the build process.

To achieve this functionality it uses the ENV variable definition in the prepend_base step of the additional_build_steps section. 

—
additional_build_steps:
  prepend_base:
    - ENV FOO=bar
    - RUN echo $FOO > /tmp/file1.txt
Copy to Clipboard Toggle word wrap

The same environment variables can be used in the later stage of the build process.

Ansible Builder schema 3 enables you to perform complex scenarios such as specifying custom Galaxy configurations.

You can use this approach to pass sensitive information, such as authentication tokens, into the execution environment build without leaking them into the final execution environment image.

The following example uses Ansible Galaxy Server environment variables. 

additional_build_steps:
  prepend_galaxy:
    # Environment variables used for Galaxy client configurations
    - ENV ANSIBLE_GALAXY_SERVER_LIST=automation_hub
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://console.redhat.com/api/automation-hub/content/xxxxxxx-synclist/
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
    # define a custom build arg env passthru - we still also have to pass
    # `--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN` to get it to pick it up from the env
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN

options:
  package_manager_path: /usr/bin/microdnf  # downstream images use non-standard package manager
Copy to Clipboard Toggle word wrap

You can provide environment variables such as ANSIBLE_GALAXY_SERVER_LIST, ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL and ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL using the ENV directive. For more information, see the Galaxy User Guide in the Ansible documentation.

For security reasons, you must not store sensitive information in ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN. You can use the ARG directive to receive sensitive information from the user as input.

–build-args can be used to provide this information while invoking the ansible-builder command.

Update your execution environment image locations to use images hosted on your private automation hub. You can use execution environments from your private registry instead of the default registry.

Procedure

  1. Log in to Ansible Automation Platform.

  2. Create a container registry credential for your private automation hub:

    1. From the navigation panel, select Automation ExecutionInfrastructureCredentials.
    2. Click Create credential.

    3. Enter your credential information:

      • Name: Enter a name, such as Private Hub Registry.
      • Credential Type: Select Container Registry.
      • Authentication URL: Enter the URL of your private automation hub, such as https://automationhub.example.org.
      • Username: Enter your private automation hub username.
      • Password or Token: Enter your private automation hub password or authentication token.
      • Verify SSL: Clear this checkbox if your private automation hub uses self-signed certificates.
    4. Click Create credential.

  3. Update the default execution environments to use images from your private automation hub:

    1. From the navigation panel, select Automation ExecutionInfrastructureExecution Environments.
    2. Locate the Default execution environment and click Edit to edit it.
    3. In the Image field, update the image path to point to your private automation hub, such as automationhub.example.org/ee-supported-rhel9:latest.
    4. In the Registry Credential field, select the container registry credential that you created.
    5. Click Save execution environment.
    6. Locate the Minimal execution environment and click Edit to edit it.
    7. In the Image field, update the image path to point to your private automation hub, such as automationhub.example.org/ee-minimal-rhel9:latest.
    8. In the Registry Credential field, select the container registry credential that you created.
    9. Click Save execution environment.
    10. Repeat these steps for any other execution environments that you want to update to use images from your private automation hub.

Verification

  1. From the navigation panel, select Automation ExecutionInfrastructureExecution Environments.
  2. Verify that your private automation hub execution environments appear in the list.
  3. Optional: Create a test job template that uses one of the new execution environments and run it to confirm that automation controller can successfully pull and use the image from your private automation hub.

Additional resources

3.11. Optional build command arguments
Copy link

The -t flag will tag your automation execution environment image with a specific name. For example, the following command builds an image named my_first_ee_image: 

$ ansible-builder build -t my_first_ee_image
Copy to Clipboard Toggle word wrap
Note

If you do not use -t with build, an image called ansible-execution-env is created and loaded into the local container registry.

If you have multiple definition files, you can specify which one to use by including the -f flag: 

$ ansible-builder build -f another-definition-file.yml -t another_ee_image
Copy to Clipboard Toggle word wrap

In this example, Ansible Builder uses the specifications provided in the file named another-definition-file.yml instead of the default execution-environment.yml to build an automation execution environment image named another_ee_image.

For other specifications and flags that you can use with the build command, enter ansible-builder build --help to see a list of additional options.

3.12. Containerfile
Copy link

After you have created your definition file, Ansible Builder reads and validates it, creates a Containerfile and container build context, and optionally passes these to Podman to build your automation execution environment image.

The container build occurs in several distinct stages: base , galaxy, builder, and final. The image build steps (along with any corresponding custom prepend_ and append_ steps defined in additional_build_steps) are:

  1. During the base build stage, the specified base image is (optionally) customized with components required by other build stages, including Python, pip, ansible-core, and ansible-runner. The resulting image is then validated to ensure that the required components are available (as they may have already been present in the base image). Ephemeral copies of the resulting customized base image are used as the base for all other build stages.
  2. During the galaxy build stage, collections specified by the definition file are downloaded and stored for later installation during the final build stage. Python and system dependencies declared by the collections, if any, are also collected for later analysis.
  3. During the builder build stage, Python dependencies declared by collections are merged with those listed in the definition file. This final set of Python dependencies is downloaded and built as Python wheels and stored for later installation during the final build stage.
  4. During the final build stage, the previously-downloaded collections are installed, along with system packages and any previously-built Python packages that were declared as dependencies by the collections or listed in the definition file.

If you are required to use shared container images built in sandboxed environments for security reasons, you can create a shareable Containerfile. 

$ ansible-builder create
Copy to Clipboard Toggle word wrap

3.14. Example YAML file to build an image
Copy link

The 'ansible-builder' build command takes an execution environment definition as an input. It outputs the build context necessary for building an execution environment image, and then builds that image.

The image can be re-built with the build context elsewhere, and produces the same result. By default, the builder searches for a file named execution-environment.yml in the current directory.

The following example execution-environment.yml file can be used as a starting point: 

version: 3
dependencies:
  galaxy: requirements.yml
The content of requirements.yml:
---
collections:
  - name: awx.awx
To build an execution environment using the preceding files and run the following command:
ansible-builder build
...
STEP 7: COMMIT my-awx-ee
--> 09c930f5f6a
09c930f5f6ac329b7ddb321b144a029dbbfcc83bdfc77103968b7f6cdfc7bea2
Complete! The build context can be found at: context
Copy to Clipboard Toggle word wrap

In addition to producing a ready-to-use container image, the build context is preserved. This can be rebuilt at a different time or location with the tools of your choice, such as docker build or podman build.

Use the following example definition files to address common configuration scenarios.

4.1. Updating the automation hub CA certificate
Copy link

Use this example to customize the default definition file to include a CA certificate to the additional-build-files section, move the file to the appropriate directory and, finally, run the command to update the dynamic configuration of CA certificates to allow the system to trust this CA certificate.

Prerequisites * A custom CA certificate, for example rootCA.crt.

Note

Customizing the CA certificate using prepend_base means that the resulting CA configuration appears in all other build stages and the final image, because all other build stages inherit from the base image. 

additional_build_files:
  # copy the CA public key into the build context, we will copy and use it in the base image later
  - src: files/rootCA.crt
    dest: configs

additional_build_steps:
  prepend_base:
    # copy a custom CA cert into the base image and recompute the trust database
    # because this is in "base", all stages will inherit (including the final EE)
    - COPY _build/configs/rootCA.crt /usr/share/pki/ca-trust-source/anchors
    - RUN update-ca-trust

options:
  package_manager_path: /usr/bin/microdnf  # downstream images use non-standard package manager

[galaxy]
server_list = automation_hub
Copy to Clipboard Toggle word wrap

Use the following example to customize the default definition file to pass automation hub authentication details into the automation execution environment build without exposing them in the final automation execution environment image.

Prerequisites 

export ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN=$(cat <token.txt>)
Copy to Clipboard Toggle word wrap 
additional_build_steps:
  prepend_galaxy:
    # define a custom build arg env passthru- we still also have to pass
    # `--build-arg ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN` to get it to pick it up from the host env
    - ARG ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_TOKEN
    - ENV ANSIBLE_GALAXY_SERVER_LIST=automation_hub
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_URL=https://console.redhat.com/api/automation-hub/content/<yourhuburl>-synclist/
    - ENV ANSIBLE_GALAXY_SERVER_AUTOMATION_HUB_AUTH_URL=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
Copy to Clipboard Toggle word wrap

Publish and customize your execution environment images. This procedure guides users in adding custom content, such as a collection, to an existing execution environment image like ee-minimal.

Ansible Controller includes the following default execution environments:

  • Minimal - ansible-automation-platform-25 Includes the latest Ansible-core 2.16 release along with Ansible Runner, but does not include collections or other content. Ansible-automation-platform-24 Includes the Ansible-core 2.15 release along with Ansible Runner, but does not include collections or other content.

    While supported execution environments cover many automation prerequisites, minimal execution-environments are the recommended basis for your own custom images, to keep full control over dependencies and their versions.

  • EE Supported - Minimal, plus all Red Hat-supported collections and dependencies

While these environments cover many automation use cases, you can add additional items to customize these containers for your specific needs. The following procedure adds the kubernetes.core collection to the ee-minimal default image:

Procedure

  1. Log in to registry.redhat.io using Podman: 

    $ podman login -u="[username]" -p="[token/hash]" registry.redhat.io
    Copy to Clipboard Toggle word wrap

  2. Ensure that you can pull the required automation execution environment base image: 

    podman pull registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest
    Copy to Clipboard Toggle word wrap

  3. Configure your Ansible Builder files to specify the required base image and any additional content to add to the new execution environment image.

    1. For example, to add the Kubernetes Core Collection from Galaxy to the image, use the Galaxy entry: 

      collections:
  - kubernetes.core
      Copy to Clipboard Toggle word wrap
    2. For more information about definition files and their content, see the Breakdown of definition file content section.

  4. In the execution environment definition file, specify the original ee-minimal container’s URL and tag in the EE_BASE_IMAGE field. In doing so, your final execution-environment.yml file appears similar to the following:

    Example 5.1. A customized execution-environment.yml file

    version: 3

images:
  base_image:
    name: 'registry.redhat.io/ansible-automation-platform-25/ee-minimal-rhel9:latest'

dependencies:
  galaxy:
    collections:
      - kubernetes.core
    Copy to Clipboard Toggle word wrap
    Note

    Since this example uses the community version of kubernetes.core and not a certified collection from automation hub, we do not need to create an ansible.cfg file or reference that in our definition file.

  5. Build the new execution environment image by using the following command: 

    $ ansible-builder build -t [username]/new-ee
    Copy to Clipboard Toggle word wrap

    where [username] specifies your username, and new-ee specifies the name of your new container image.

    Note

    If you do not use -t with build, an image called ansible-execution-env is created and loaded into the local container registry.

    • Use the podman images command to confirm that your new container image is in that list:

      The following shows the output of a 'podman images' command with the image new-ee. 

      REPOSITORY          TAG     IMAGE ID      CREATED        SIZE
localhost/new-ee    latest  f5509587efbb  3 minutes ago  769 MB
      Copy to Clipboard Toggle word wrap

  6. Verify that the collection is installed: 

    $ podman run [username]/new-ee ansible-doc -l kubernetes.core
    Copy to Clipboard Toggle word wrap

  7. Tag the image for use in your automation hub: 

    $ podman tag [username]/new-ee [automation-hub-IP-address]/[username]/new-ee
    Copy to Clipboard Toggle word wrap

  8. Log in to your automation hub using Podman:

    Note

    You must have admin or appropriate container repository permissions for automation hub to push a container. For more information, see Manage containers in private automation hub. 

    $ podman login -u="[username]" -p="[token/hash]" [automation-hub-IP-address]
    Copy to Clipboard Toggle word wrap

  9. Push your image to the container registry in automation hub: 

    $ podman push [automation-hub-IP-address]/[username]/new-ee
    Copy to Clipboard Toggle word wrap

  10. Pull your new image into your automation controller instance:

    1. Go to automation controller.
    2. From the navigation panel, select Automation ExecutionInfrastructureExecution Environments.
    3. Click Add.

    4. Enter the appropriate information then click Save to pull in the new image.

      Note

      If your instance of automation hub is password or token protected, ensure that you have the appropriate container registry credential set up.

By default, private automation hub does not include automation execution environments. To populate your container registry, you must push an execution environment to it.

Before the new execution environment image can be used for automation jobs, it must be uploaded to the private automation hub.

Procedure

  1. First, verify that the execution environment image can be seen in the local podman cache: 

    $ podman images --format "table {{.ID}} {{.Repository}} {{.Tag}}"
IMAGE ID	    REPOSITORY					              TAG
b38e3299a65e	private-hub.example.com/custom-ee     	  latest
8e38be53b486	private-hub.example.com/ee-minimal-rhel8  latest
    Copy to Clipboard Toggle word wrap

  2. Then log in to the private automation hub’s container registry and push the image to make it available for use with job templates and workflows: 

    $ podman login private-hub.example.com -u admin
Password:
Login Succeeded!
$ podman push private-hub.example.com/custom-ee:latest
    Copy to Clipboard Toggle word wrap

Use the following workflow to populate your private automation hub remote registry:

  1. Pull execution environments for use in automation hub
  2. Tag execution environment for use in automation hub
  3. Push an execution environment to private automation hub
  4. Set up your container repository
  5. Add a README to your container repository
  6. Provide access to your automation execution environmentss
  7. Tag container images
  8. Create a credential
  9. Pulling images from a container repository
  10. Pull an image
  11. Sync images from a container repository

Project updates always use the control plane automation execution environments by default, however, jobs use the first available automation execution environments as follows:

  1. The execution_environment defined on the template (job template or inventory source) that created the job.
  2. The default_environment defined on the project that the job uses.
  3. The default_environment defined on the organization of the job.
  4. The default_environment defined on the organization of the inventory the job uses.
  5. The current DEFAULT_EXECUTION_ENVIRONMENT setting (configurable at api/v2/settings/system/)
  6. Any image from the GLOBAL_JOB_EXECUTION_ENVIRONMENTS setting.
  7. Any other global execution environment.
Note

If more than one execution environment fits a criteria (applies for 6 and 7), the most recently created one is used.

Chapter 7. Open Source license
Copy link

Apache license

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

  1. You must give any other recipients of the Work or Derivative Works a copy of this License; and
  2. You must cause any modified files to carry prominent notices stating that You changed the files; and
  3. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
  4. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top