Can't add collection to execution environment for Ansible Automation Platform about ansible_collection_falcon HOT 6 OPEN

Hi @christophercollins - I lead CrowdStrike's technical relationship with Red Hat. I was able to reproduce this and will reach out to our friends at Red Hat to assist!

from ansible_collection_falcon.

@evanstoner Thanks for the quick look into this and look forward to where this ends up. Appreciate it :)

from ansible_collection_falcon.

@christophercollins I did some more messing around with this and got it to work building the image. We are still going to wait on what the RH folks tell us, but in the meantime, you can try to see if the following workaround is suitable:

(Based off this article)

example execution-environment.yml:

---
version: 1
dependencies:
  galaxy: requirements.yml
  python: requirements.txt
  system: bindep.txt

example requirements.yml:

---

collections:
  - name: crowdstrike.falcon

requirements.txt from our collection:

aiohttp==3.8.5
crowdstrike-falconpy==1.3.0

example bindep.txt that seems to be working:

findutils [platform:centos-8 platform:rhel-8]
systemd-devel [platform:centos-8 platform:rhel-8]
gcc [platform:centos-8 platform:rhel-8]
make [platform:centos-8 platform:rhel-8]
python38-devel [platform:centos-8 platform:rhel-8]
python38-cffi [platform:centos-8 platform:rhel-8]
python38-cryptography [platform:centos-8 platform:rhel-8]
python38-pycparser [platform:centos-8 platform:rhel-8]

from ansible_collection_falcon.

@carlosmmatos Thanks for looking into it. Part of the issue definitely was a few missing packages in the bindep.txt file that I needed. The image does build after that but with an issue/extra context I think I should bring up. I'll try to be as concise as possible but apologies if this is a bit verbose :)

An issue I see here is that typically when building execution environments we usually set the base image that ansible builder layers on top of to RedHat's supported one (which is required for official support I believe) which is provided behind the customer portal and is "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8:latest" that contains a supported installation of ansible in the image as well as a bunch of pre-installed collections (AWS, Azure, ansible.posix, etc). There's also a minimal version that doesn't have any default collections installed but has just a supported version of ansible. In ansible-builder you specify the image you want to use like:

version: 1

build_arg_defaults:
  EE_BASE_IMAGE: "registry.redhat.io/ansible-automation-platform-22/ee-supported-rhel8"
dependencies:
  galaxy: requirements.yml
  python: requirements.txt
  system: bindep.txt

When you build with no image specified it defaults to "quay.io/ansible/ansible-runner:latest" which is quite different than the supported one. One issue is it has ansible-core 2.12.x which is unsupported by the crowd strike collection so I had to also add ansible==6.7.0 to the requirements.txt file so it would upgrade to at least 2.13.0 which you do support. After that I could use it.

I did manage to get it running with the supported base image but with a minor change. If I have everything the same that works using the ansible-builder default image, but change the base image being used to their supported version, it still would fail at the compile process during the pip installs, but after I went into the container I saw the issue is that it is using python3.9.16 in the supported base execution environment image so I had to change the one bindep package to be python39-devel [platform:centos-8 platform:rhel-8] so 39 instead of 38 and it finally built and I can use it using the supported execution environment :)

from ansible_collection_falcon.