In case you missed it: Automation in the Public Sector Q&A at AnsibleFest

AnsibleFest 2020 was a virtual event this year. When taking a two-day immersive event with thousands of attendees to a completely virtual experience, it’s hard to emulate the thought-provoking interactions you’d get when browsing the expo floor or walking from one session to the next with other sys admins, developers, and project managers in attendance. Similar to this year’s Red Hat Summit Virtual Experience, we set up dedicated spaces in AnsibleFest for attendees to bounce ideas with some of our technical experts and get answers to questions not explicitly covered in general or breakout sessions.

Q&A sessions were live during AnsibleFest, but will also be available on demand until next October along with the other event content. During the event, users asked questions and received responses from Red Hat’s solutions architects, community managers, and other technical specialists. These Q&A sessions served as a stage for a discussion on technical challenges both Red Hatters and users have faced and overcome.

We had Q&A topics ranging from Diversity & Inclusion, to the future of automation, to industry-specific discussions. Bill Hirsch, Principal Solutions Architect, and Gerald Dykeman, Senior Specialist Solution Architect, addressed attendee questions regarding the public sector, specifically. More recently, the public sector has started using automation to address security scanning, remediation, and documentation. In case you missed it, we’re recapping some questions covered in the Automation in the Public Sector Q&A session, moderated by Solutions Architect Abraham Snell.

How do Red Hat Ansible Automation Platform (Ansible) subscriptions work?

Subscriptions are node-based (with a node being anything Ansible is going to automate, such as VMs or network devices). There’s one Ansible Automation subscription that comes with Engine, Tower, Collections, Analytics, and Automation Hub. We’ve had customers get 5,000 nodes of Ansible and want to split among multiple Towers, which we can do as well. 

Does this include all platforms? For example, do you need a different subscription for Windows servers and Red Hat servers? 

No, a single subscription can be used across your platforms.

Has expiration changed the behavior of Ansible (Tower) subscription? Government procurement cycles can vary up to a month shifted left or right. Suspending operations due to an expired license for two or three weeks while POs get approved can be very undesirable, especially in mission critical environments.

Tower will continue to work with an expired license. Some functionality will not, such as upgrading Tower. Please reach out to your Red Hat account team for additional details.

What strategies have you been using to push Ansible adoption at departments with longstanding culture?

One of the services we have is Ansible Adoption Journey, which is all about working with a customer over time (not all at once) to show different ways of adopting the technology across the organization to get your money’s worth. With Ansible Adoption Journey, we walk through a whole set of different processes. It’s a DevOps process we’re teaching as much as the technology itself.

Why didn’t Ansible meet the criteria for the latest Gartner Magic Quadrant on Security orchestration, automation and response (SOAR) products?

Ansible is not a SOAR product, nor do we want to play in that space. We want to enable security teams to utilize SOAR and other security solutions in place, with Ansible acting as the glue to bridge the tools together and enable IT orchestration. In summary, we integrate with other security products so that we can bring orchestration and automation to your environment. 

Are there any future plans for specific remediation playbook offerings by standards? For example, roles or collections for remediation of an application for standards (PCI, DISA stig, etc) as a paid offering?

If you followed AnsibleFest, we talked a lot about collections and an Automation Hub. This is where that certified content comes into play. We’ll have a series of pre-written content according to what we consider best practices—co-engineered with our partners—which will come as part of your subscription.

When a job is triggered, an SSH communication is established to the target nodes. Certain networks do not allow SSH communication. What is the workaround?

Ansible relies on SSH. If it’s not a supported connection type, we have to explore other connection mechanisms in order to communicate. For example, we automate Windows, Cloud, etc. not all using SSH. 

To note: If it’s a certain network that doesn’t allow SSH connection, that’s probably not allowing that subnet or enclave from the outside; it doesn’t necessarily mean that SSH is not allowed if you’re inside. What we see with our customers is an instance group or isolated node—think of it as a proxy Tower or proxy Ansible—whereby you still have your central Ansible but also have proxy Ansible Towers spread across different geographical or networking boundaries. With this setup, you don't have to open up full communication to the “outside world.” Tower talks to the proxy, then the proxy uses local networking and security policies to execute the automation. 

We are using Ansible Engine with a valid subscription. We want to experience GUI but Ansible Tower is not budget-friendly for us. Is AWX recommended or supported by Red Hat if we go that route?

The AWX Project—AWX for short—is the upstream open source community project from which the Red Hat Ansible Tower offering is ultimately derived. AWX is not supported by Red Hat. Budgets are often a challenge. When you start talking about cost, you usually talk about acquisition cost—what you see on the PO. We’ve found that cost is just the tip of the iceberg. We would not recommend pure open source in a production environment. The risk that you’re facing is that there is no support and you’re dealing with updates as they come out. 

Could you advise if we could achieve the same functionality using Ansible command line as with the Ansible Tower?

Can you take components and build your own software? Yes, but not without a ton of work. We created Tower to pull together a lot of the great things that Engine does and make it easier to use for the masses. 

What can I gain from adding Tower if I’ve been using Ansible command line? I'm just curious if I could actually gain anything from adding Tower. 

Scalability. We want to promote automation across your enterprise, which can include people who may never write a playbook and people who should only have permissions and templates to certain functions. Tower provides role-based access control. Tower can also help with authentication, whether with active directory or LDAP—it can help control who can get in and what they can see. 

With auditing, Tower provides full logging capability, which means better visibility on who’s doing when, what, how. Tower also provides exposed Application programming interfaces (APIs), connecting northbound tools and collaborating with other teams. 

Want to hear more?

Although this session was aimed at addressing the challenges faced by users in the public sector, some of these questions may be applicable in your environment too. While we can’t exactly replicate those conversations you’d have at an in-person event, one of the perks of a virtual event is that you can go at your own pace and dig into sessions you might have missed! There’s a lot to explore from AnsibleFest. Sign into your AnsibleFest landing page and click on the “Watch & Learn” tab to see Q&A sessions like this and other event sessions. You can still register to watch any of the recorded materials.