Ansible Automation Platform Notifications for package reporting
I was recently asked to outline the options available to do package reporting after a patch cycle for RHEL. There was preference to try to do this in Ansible Automation Platform, consumed via an emailed report, so I’ll focus the bulk of the effort there. The specifics were to have view into what packages were installed, updated, removed, etc. as part of a patch cycle. From there, the intent is to list this out and respond to anything that may have failed or done something unexpected during the update. After outlining this I realised that this is a really common question that didn’t have much blog coverage on it. So here we go!
There’s a couple of ways to get this info depending on the granularity you’re after and the problem you’re trying to solve for. I’ll order them in what I see folks most commonly do, that’s also the least amount of re-work.
- Red Hat Satellite has errata reporting already built-in that will go to this granularity level of reporting packages applied, their status, on a patch cycle. It’s located in:
- Monitor –> Report Templates –> Host - Applied Errata
Usually folks will clone the default report template provided here, narrow down the fields/columns that they’re after, apply a host filter, etc. Satellite can mail this to you on a schedule.
If you want to auto-generate the report every time a patch cycle is run, the best way to automate that is with the Hammer CLI.
- Ansible Tower / Ansible Controller has email notifications built-in and with its idempotency already tracked in job output, you don’t have to do any extra playbook work necessarily, unless you want some extra metadata in your email body that Ansible Tower/Controller doesn’t provide. Sending all this info can get pretty verbose with a lot of hosts & package updates, I find folks don’t find email as the best way to consume this information, Tower/Controller GUI Job status output is more nicely formatted and already built for you, but to each their own.
Customers typically tend to default to “only show me actionable stuff” in any Ansible notification, so if for example a patch run that didn’t update something is shown instead of all the things that did update successfully.
Here’s a playbook example that I mocked up and used below. The job output:
(You can see that this could get pretty verbose if we wanted to report across multiple hosts)
Next, I created an email Notification that’s associated with that Job, the notification parameters can be customized, but as I mentioned above the data available here is more specific to the job than the content results from tasks & hosts.
Ref: Ansible Notifications Docs
Ref: Ansible Notifications Supported Parameters
In the success message body below, I configure job metadata that summarizes all hosts and their results, then one that just shows job status counts, ie what changed/failed and folks can click on the job ID link to Tower GUI to dig deeper. I’m using my ISP SMTP relay here:
And here’s what it looks like once it shows up:
If you prefer different information here, using the community.general.mail module in a task can get you there.
- Red Hat Insights already does all of the above here for you, auditing all systems, tracking errata, identifying vulnerabilities/CVEs that are present on systems, drift analysis, notifications & webhooks, and high-level executive reporting. There’s also an API to do some of these pieces in a programmatic fashion.
For as granular as an email/report as we’re after here though, it might be quicker to use one of the above options. Insights does not yet have customized reporting like Satellite does, it’s still in RFE status. And it’s a little more dashboard-y/GUI driven answering more high-level questions than what we’re afterhere.