Manage Execution Environments in Oracle Linux Automation Manager Private Automation Hub

Introduction

Private Automation Hub is an Oracle Linux Automation Manager repository for managing collections, execution environment images, and other curated content locally within a customer's infrastructure.

This tutorial shows how to install Private Automation Hub and upload a custom execution environment to its container registry. For details on creating customized execution environments, see our tutorial on the Builder utility.

Objectives

In this tutorial, you'll learn how to:

  • Secure password variables with ansible-vault
  • Install Private Automation Hub using variables
  • Upload a custom execution environment to the Private Automation Hub registry

Prerequisites

  • Two systems running Oracle Linux
    • One for installing Private Automation Hub
    • Another for running the Builder utility and acting as a client to Private Automation Hub

Deploy Oracle Linux

Note: If running in your own tenancy, read the linux-virt-labs GitHub project README.md and complete the prerequisites before deploying the lab environment.

  1. Open a terminal on the Luna Desktop.

  2. Clone the linux-virt-labs GitHub project.

    git clone https://github.com/oracle-devrel/linux-virt-labs.git

  3. Change into the working directory.

    cd linux-virt-labs/olam

  4. Install the required collections.

    ansible-galaxy collection install -r requirements.yml

  5. Update the Oracle Linux instance configuration.

    cat << EOF | tee instances.yml > /dev/null
    compute_instances:
      1:
        instance_name: "devops-node"
        type: "server"
      2:
        instance_name: "ol-pah"
        type: "server"
    passwordless_ssh: true
    use_olam_builder: true
    add_pah_ports: true
    EOF

  6. Deploy the lab environment.

    ansible-playbook create_instance.yml -e ansible_python_interpreter="/usr/bin/python3.6" -e "@instances.yml"

    The free lab environment requires the extra variable ansible_python_interpreter because it installs the RPM package for the Oracle Cloud Infrastructure SDK for Python, and that package lands under the python3.6 modules.

    The default deployment shape uses the AMD CPU and Oracle Linux 8. To use an Intel CPU or Oracle Linux 9, add -e instance_shape="VM.Standard3.Flex" or -e os_version="9" to the deployment command.

    Important: Wait for the playbook to run successfully and reach the pause task. The Oracle Linux Automation Manager installation is complete at this stage of the playbook, and the instances are ready. Take note of the previous play, which prints the public and private IP addresses of the nodes it deploys.

Install the Private Automation Hub Packages

  1. Open a terminal and connect via ssh to the ol-pah instance.

    ssh oracle@<ip_address_of_instance>

  2. Install the Oracle Linux Automation Manager repository.

    sudo dnf install -y oraclelinux-automation-manager-release-el8

  3. Install the Private Automation Hub package.

    sudo dnf install -y ol-private-automation-hub-installer

    This command installs the Private Automation Hub installation playbooks and roles, ansible-core, python3.11, and other package dependencies.

Install Private Automation Hub

When installing Private Automation Hub, you must set the passwords for the Private Automation Hub admin superuser account and its backend database. Rather than passing these to the playbook in the open, let's perform that step more securely using ansible-vault.

The ansible-vault utility ships with Oracle Linux Automation Engine and enables the encryption and decryption of structured data files such as text files, variables, and YAML playbooks.

For our purposes, we'll encrypt a variable file containing our two passwords.

  1. Copy the Private Automation Hub playbook to the working directory.

    cp -r /usr/share/ansible/collections/ansible_collections/oraclelinux/private_automation_hub/playbooks/single-node/ ~/single_node

  2. Change to the working directory.

    cd ~/single_node

  3. Create an inventory file.

    The inventory file for this playbook requires the hostname and SSH username where the playbook installs Private Automation Hub. You can define the inventory file in either INI or YAML format. The sample inventory, hosts.singlenode.example, that the installation includes with the playbook uses YAML, so we'll use the INI format here to demonstrate an alternate option.

    tee hosts > /dev/null <<EOF
    [hub]
    ol-pah ansible_host=ol-pah ansible_user=oracle
    EOF

    Unlike the sample, which uses hub as an ansible_host alias, this INI inventory file uses hub as a group name. Groups allow for the creation of parent/child relationships between the hosts and grouping them into one or many categories to run tasks or assign variables.

  4. Create a vault containing the password variables.

    ansible-vault create vault_passwords.yml

    When you run the command, it prompts you to create a vault password. The ansible-vault utility uses this password to decrypt the vault's contents and access these contents from within a playbook. The password can be any combination of characters, but remember it, as you cannot recover it.

    Once you enter and confirm the password, the utility opens the vault_passwords.yml file in your default editor. For the free lab environment, the editor is vi. Type i to enter INSERT mode and paste these sample Private Automation Hub password variables.

    Note: These are the variables the playbook uses when installing Private Automation Hub and setting the superuser and database passwords.

    ---
    olpah_admin_password: password
    olpah_db_password: password

    Close and save the file by typing ESC, :wq! and then ENTER.

  5. Verify the contents of the vault.

    ansible-vault view vault_passwords.yml

    Enter the vault password at the prompt, and ansible-vault displays the vault's contents in the terminal.

  6. Run the Private Automation Hub playbook.

    ansible-playbook single-node-install.yml -i hosts -e "@vault_passwords.yml" --ask-vault-pass

    • -i defines the inventory file
    • -e defines any runtime variables as key=value pairs or in a variable file
    • --ask-vault-pass prompts for the vault password

    There are alternate methods to provide the vault password, which you can review in the upstream documentation.

    Note: The installation of Private Automation Hub takes 10-20 minutes. During the installation, the playbook's progress scrolls in the terminal until all tasks are complete.
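
Before running the playbook in step 6, it is worth confirming that vault_passwords.yml is really encrypted on disk and that no cleartext copy of the two password variables sits beside it. The check below is an added example, not part of the original tutorial; the function names are hypothetical, and it relies on the `$ANSIBLE_VAULT;` header that ansible-vault writes as the first line of an encrypted file.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the vault file built in this tutorial.

# True if FILE starts with the envelope header that ansible-vault writes.
is_vault_encrypted() {
    local first=""
    [ -r "$1" ] || return 1
    IFS= read -r first < "$1" || [ -n "$first" ] || return 1
    case "$first" in
        '$ANSIBLE_VAULT;'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every file under DIR that assigns a hub password variable in
# cleartext. Values tagged !vault (inline-encrypted) are not reported.
find_cleartext_passwords() {   # usage: find_cleartext_passwords DIR
    grep -rIlE '^[[:space:]]*olpah_(admin|db)_password:[[:space:]]*[^![:space:]]' "$1"
}

# Return 0 only if VAULT_FILE is encrypted and DIR holds no cleartext copy.
preflight() {   # usage: preflight VAULT_FILE DIR
    local rc=0 leaks=""
    if ! is_vault_encrypted "$1"; then
        echo "NOT ENCRYPTED: $1" >&2
        rc=1
    fi
    leaks=$(find_cleartext_passwords "$2" || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks" | sed 's/^/cleartext password variable in: /' >&2
        rc=1
    fi
    return "$rc"
}

# Typical use from ~/single_node:
#   preflight vault_passwords.yml . && ansible-playbook single-node-install.yml \
#       -i hosts -e "@vault_passwords.yml" --ask-vault-pass
```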

Connect to Private Automation Hub

  1. Exit from the existing SSH session.

    exit

  2. Configure an SSH tunnel to the newly deployed Private Automation Hub.

    ssh -L 5444:localhost:443 oracle@<ip_address_of_ol-pah>

    In the free lab environment, use the IP address of the ol-pah VM.

  3. Open a web browser and enter the URL.

    https://localhost:5444

    Note: Approve the security warning based on the browser used. For Chrome, click the Advanced button and then the Proceed to localhost (unsafe) link.

  4. Log in to the Private Automation Hub WebUI.

    Use the Username admin and the Password password. This password is the value we set for olpah_admin_password in the runtime variables file.

  5. The WebUI displays after a successful login.

Add Execution Environment Using the WebUI

One of the items that Private Automation Hub manages is execution environments. This feature allows Private Automation Hub to act as a repository for container images that administrators can interact with using Podman and the WebUI.

  1. Click Remote Registries from the WebUI under Execution Environments in the navigation menu.

  2. Click the Add remote registry button.

  3. Enter the following values in the specific fields.

    • Name: Quay Upstream Registry
    • URL: https://quay.io

  4. Click the Save button.

    The newly created remote registry appears in the Remote Registries panel.

  5. Click Execution Environments under Execution Environments in the navigation menu.

  6. Click the Add execution environment button.

    The WebUI displays the Add execution environment dialog. We can pull container images from upstream or other registries through this dialog.

  7. Enter or select the following values in the specific fields.

    • Name: upstream/awx-ee
    • Upstream Name: ansible/awx-ee
    • Registry: Quay Upstream Registry
    • Add tag(s) to include: Type latest and then ENTER

  8. Click the Save button.

    The newly created execution environment appears in the Execution Environments panel.

  9. Sync the upstream/awx-ee execution environment from the remote registry.

    1. Click the vertical three-dot menu to the right of the upstream/awx-ee item.

    2. Select Sync from registry.

      A pop-up dialog appears stating the sync started.

    3. Click the detail page link in the pop-up dialog to see the status of this task.

    4. The task shows a Completed icon.

    5. Click Execution Environments under Execution Environments in the navigation menu.

    6. Click the upstream/awx-ee link in the Execution Environments panel.

      This link displays the instructions for pulling this image from Private Automation Hub under the Details tab.

    7. Click the Images tab.

      This panel displays more details about the image, including its tag, size, and sha256 digest.

Push Execution Environment Using Podman

  1. Open a terminal and connect via ssh to the devops-node instance.

    ssh oracle@<ip_address_of_instance>

    This instance contains an installation of the Builder utility and a pre-built custom execution environment. For details on performing those tasks, see Build Custom Execution Environments with Oracle Linux Automation Manager Builder Utility.

  2. Change to the project's working directory.

    cd ~/my_custom_ee_project

    This directory contains the Builder utility's data files to create the custom execution environment image.

  3. List existing local images.

    podman images

    The output displays our custom image and Oracle Linux Automation Manager's default olam-ee and olam-builder images.

  4. Log in to the Private Automation Hub.

    podman login -u admin https://ol-pah.$(hostname -d) --tls-verify=0

    • -u is a user with privileges to access the container registry
    • ol-pah.$(hostname -d) is the container registry FQDN
    • --tls-verify=0 turns off TLS certificate verification as the free lab environment uses self-signed certificates

    The command prompts for a Password:. Enter the password matching the login credentials for the Private Automation Hub admin user.

  5. Tag the local custom image.

    Before pushing the image to the Private Automation Hub registry, create the required repository structure and tag using the local image.

    podman tag localhost/my_custom_ee ol-pah.$(hostname -d)/my_first_olam_ee_image

  6. Verify the new tagged image exists.

    podman images

    Example Output:

    [oracle@devops-node my_custom_ee_project]$ podman images
    REPOSITORY                                                                  TAG         IMAGE ID      CREATED      SIZE
    localhost/my_custom_ee                                                      latest      fbc43634b168  5 hours ago  2.29 GB
    ol-pah.lv.vcn5ef1c2b6.oraclevcn.com/my_first_olam_ee_image                  latest      fbc43634b168  5 hours ago  2.29 GB
    <none>                                                                      <none>      92aa94db3699  5 hours ago  1.4 GB
    <none>                                                                      <none>      cc087fbfa018  5 hours ago  1.45 GB
    container-registry.oracle.com/oracle_linux_automation_manager/olam-ee       latest      368657c8376d  5 weeks ago  1.25 GB
    container-registry.oracle.com/oracle_linux_automation_manager/olam-builder  latest      5e98580f7956  5 weeks ago  546 MB

  7. Upload the custom image to Private Automation Hub.

    Note: Replace <IMAGE ID> with the actual image ID of the my_first_olam_ee_image from the podman images output.

    podman push --tls-verify=0 <IMAGE ID> ol-pah.$(hostname -d)/my_first_olam_ee_image:latest

  8. Confirm the upload in the WebUI.

    1. Switch to the browser containing the Private Automation Hub WebUI.

    2. Navigate to Execution Environments.

    3. Notice the new my_first_olam_ee_image.
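
The login and push steps above pass --tls-verify=0 because the lab hub uses a self-signed certificate, which leaves the registry connection unauthenticated. As an added example (not part of the original tutorial or Oracle's tooling), the functions below place that certificate in Podman's per-registry certs.d directory after a fingerprint comparison, so verification can stay on. The function names, CERTS_ROOT and EXPECTED_FP are introduced here; the example assumes openssl is installed and that the hub's certificate names the registry FQDN.

```shell
#!/usr/bin/env bash
# Added example: trust the hub's self-signed certificate in Podman so that
# login and push can run without --tls-verify=0. Requires openssl.

# Print the SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Save the certificate a host presents on port 443 (not yet trusted).
fetch_registry_cert() {   # usage: fetch_registry_cert HOST OUTFILE
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Copy PEMFILE into Podman's certs.d for HOST, but only when its fingerprint
# equals EXPECTED_FP. CERTS_ROOT (hypothetical override) defaults to the
# rootless per-user location.
trust_registry_cert() {   # usage: trust_registry_cert HOST PEMFILE EXPECTED_FP
    local host="$1" pem="$2" expected="$3" actual=""
    local root="${CERTS_ROOT:-$HOME/.config/containers/certs.d}"
    actual=$(cert_fingerprint "$pem")
    [ -n "$actual" ] || { echo "cannot read certificate: $pem" >&2; return 2; }
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $host: got $actual" >&2
        return 1
    fi
    mkdir -p "$root/$host" && cp "$pem" "$root/$host/ca.crt"
}

# On ol-pah, read the reference fingerprint over loopback:
#   fetch_registry_cert localhost /tmp/pah.pem && cert_fingerprint /tmp/pah.pem
# On devops-node, fetch, compare against that value, then log in normally:
#   REG="ol-pah.$(hostname -d)"
#   fetch_registry_cert "$REG" /tmp/pah.pem
#   trust_registry_cert "$REG" /tmp/pah.pem "$EXPECTED_FP"
#   podman login -u admin "https://$REG"
```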

Next Steps

The output within the WebUI confirms you have a working Private Automation Hub and the ability to upload and store your custom images. Check out our other tutorials using Oracle Linux Automation Manager to practice your skills.
