ansible-builder
feature request: ability to execute commands BEFORE ansible-galaxy run
In execution_environment.yml, you can provide additional commands to be executed to build the actual ee image. This way, I was able to install extra software packages ("figlet" in my case, for example, which I use to generate lovely looking motds for my servers). A problem I came across is that I wanted to install Ansible roles from a corporate git server (gitlab) within the requirements.yml file. This was not possible because the base EE image used by default of course does not trust my company's CA certificate structure. I have solved this by creating my own base image which I then use to build the ee image, but from my point of view this is not optimal. It would be great to have a possibility right inside the execution_environment.yml to supply "pre-requirements-installation customizations", so that I can copy my CA certificate, eventually needed SSH priv keys for auth, ... or whatever I would need to be able to work through the requirements.yml and requirements.txt.
+1
This would be very helpful for any OS Dependencies!
I'm looking for a way to specify some commands to apply on the $EE_BUILDER_IMAGE image.
At the moment it's possible to specify commands on $EE_BASE_IMAGE before (prepend) or after (append) via additional_build_steps parameter in execution-environment.yml.
Same use-case about SSL certificates.
+1
+1
@lucab85 prepend is actually not running before galaxy install command.. :-/
```yaml
---
version: 0.1
build_arg_defaults:
  EE_BASE_IMAGE: 'registry.redhat.io/ansible-automation-platform-22/ee-29-rhel8'
additional_build_steps:
  prepend: |
    COPY RootCA.crt /etc/pki/ca-trust/source/anchors/
    RUN /usr/bin/update-ca-trust
dependencies:
  galaxy: requirements.yml
```
Ends with:
```
# ansible-builder build -t jskacel/ee-image --prune-images --no-cache -v3
Ansible Builder is building your execution environment image. Tags: jskacel/ee-image
File context/_build/requirements.yml is already up-to-date.
Rewriting Containerfile to capture collection requirements
Running command:
podman build -f context/Containerfile -t jskacel/ee-image context --no-cache
---
[1/3] STEP 1/7: FROM registry.redhat.io/ansible-automation-platform-22/ee-29-rhel8 AS galaxy
[1/3] STEP 2/7: ARG ANSIBLE_GALAXY_CLI_COLLECTION_OPTS=
--> 6020313cdb4
[1/3] STEP 3/7: USER root
--> 91149e87dd5
[1/3] STEP 4/7: ADD _build /build
--> 5901688abe4
[1/3] STEP 5/7: WORKDIR /build
--> 25c8c6e8894
[1/3] STEP 6/7: RUN ansible-galaxy role install -r requirements.yml --roles-path "/usr/share/ansible/roles"
--> 9ea567c7844
[1/3] STEP 7/7: RUN ANSIBLE_GALAXY_DISABLE_GPG_VERIFY=1 ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS -r requirements.yml --collections-path "/usr/share/ansible/collections"
---
Process install dependency map
ERROR! Unknown error when attempting to call Galaxy at 'https://<private_automation_hub>/api/': <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)>
```
The only workaround I found is to create my own EE image to build from, but then I need to keep an eye on keeping it up to date as well:
Dockerfile-ee:
```dockerfile
FROM registry.redhat.io/ansible-automation-platform-22/ee-29-rhel8:latest
COPY RootCA.crt /etc/pki/ca-trust/source/anchors/
RUN /usr/bin/update-ca-trust
```
```
podman build -f Dockerfile-ee -t ee-withca .
```
And changing EE_BASE_IMAGE to EE_BASE_IMAGE: 'localhost/ee-withca'.
Very useful feature if added. A quick workaround I did was to edit ansible_builder/steps.py and prepend my commands before ansible-galaxy install commands on line 75 into the self.steps list like this:
```python
self.steps = [
    f"COPY known_hosts /root/.ssh/known_hosts",
    f"COPY id_rsa_ansible_builder /root/.ssh/id_rsa",
    f"RUN chmod 600 /root/.ssh/id_rsa",
    f"RUN ansible-galaxy role install -r {requirements_naming} --roles-path \"{constants.base_roles_path}\"",
    f"RUN {env}ansible-galaxy collection install $ANSIBLE_GALAXY_CLI_COLLECTION_OPTS {install_opts}",
]
```
Maybe an idea to work around this issue: what I did is build my own ansible-runner and ansible-builder containers with my company certificates and settings. Then just passing those through the execution-environment.yml file is easy enough.
A new execution environment format (version 3) has just been merged to the devel branch that will support this. In addition to being able to specify commands to run before the galaxy phase (or for any phase, for that matter), you can now add any files to the build context to be copied/referenced in any phase.
You can see the docs for the new EE version here. We will be releasing this as a new version of builder in the coming weeks, but you are encouraged to experiment with it and help us find bugs!
Closing this request as completed.
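For the CA-certificate case raised in this thread, a version 3 definition could look like the following. This is an added example, not taken from the thread or from the ansible-builder docs; the `files/RootCA.crt` source path and the `certs` destination directory are assumptions, and the base image is the one used in the comments above.

```yaml
---
# Added example: trust a corporate CA before the galaxy phase.
# Assumed layout: files/RootCA.crt sits next to this definition file.
version: 3

images:
  base_image:
    name: registry.redhat.io/ansible-automation-platform-22/ee-29-rhel8

dependencies:
  galaxy: requirements.yml

# Files listed here are placed in the build context under _build/<dest>/
# so that a build step in any phase can COPY them.
additional_build_files:
  - src: files/RootCA.crt
    dest: certs

additional_build_steps:
  # Runs in the galaxy stage before the ansible-galaxy install commands,
  # which is where the CERTIFICATE_VERIFY_FAILED error above occurred.
  prepend_galaxy:
    - COPY _build/certs/RootCA.crt /etc/pki/ca-trust/source/anchors/
    - RUN /usr/bin/update-ca-trust
  # The galaxy stage is its own build stage ("AS galaxy" in the log above).
  # If the runtime image must also trust the CA, repeat both steps
  # under prepend_base or prepend_final.
```

Only the public CA certificate is copied here; a private key added with `COPY`, as in the `steps.py` workaround above, stays readable in the layers of the stage it was copied into.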