https://live.paloaltonetworks.com/t5/automation-api-discussions/building-an-automation-host-in-aws/m-p/313245#M2191 <P>Hi All,</P><P>having just painfully struggled through getting my first ansible automation to work I figured I'd share my findings here for other total beginners. It turns out my fight wasn't about getting Ansible talking to the firewall but about getting Ansible talking. And realizing that just because there's a file listing dependencies and the installer says it is checking dependencies doesn't mean it ACTUALLY deals with them. If it doesn't give details of actions it probably isn't doing anything!</P><P>&nbsp;</P><P>If you've already got a working Ansible control host in CentOS then I'd appreciate any feedback on glaring errors or QoL improvements.</P><P>&nbsp;</P><P>The set of commands below are what I will be using to rebuild the automation host from scratch. It is starting from a CentOS 7 AMI. I've added some comments that help explain what the line is trying to do.</P><P>&nbsp;</P><P>&nbsp;</P><P>#Become root for the session. Saves pre-pending sudo to many lines further down.<BR />sudo su</P><P>&nbsp;</P><P>#Install / update program lists. epel-release needed otherwise many packages are really old versions!</P><P># -y removes the need to hit yes to continue with the install<BR />yum install epel-release -y<BR />yum update -y</P><P>yum install centos-release-scl -y<BR />yum install rh-python36 -y<BR />scl enable rh-python36 bash</P><P># You either run the above scl line for every session!<BR /># or&nbsp;edit your file&nbsp;~/.bash_profile:<BR /># and add: source scl_source enable rh-python36</P><P>&nbsp;</P><P>#Update PIP before installing anything with it</P><P>pip3 install --upgrade pip</P><P>&nbsp;</P><P>#Install some handy basics. unzip and a text editor.<BR />yum install unzip -y<BR />yum install nano -y</P><P>&nbsp;</P><P>#Install ansible</P><P>pip3 install pandevice</P><P>#pip3 install pan-python (appears to not be needed)</P><P>#pip3 install xmltodict (appears to not be needed)</P><P>pip3 install ansible</P><P>&nbsp;</P><P>#Add a nasty hack to avoid certificate error issues for now. =1 is the default behaviour that was causing issues.</P><P>#This "fixes" CERTIFICATE_VERIFY_FAILED errors when you try running playbooks. It's a result of Python 2.7 enhancements.</P><P>#If you are having to add certificate exceptions to your browser to get to devices you probably need to add this.</P><P>#It effectively adds that exception for EVERYTHING so needs a better answer<BR />export PYTHONHTTPSVERIFY=0</P><P>&nbsp;</P><P>#Install terraform<BR />curl -O <A href="https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip" target="_blank">https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip</A><BR /># echo $PATH<BR /># make sure unzip destination is in the path, e.g. /usr/bin<BR />unzip terraform_0.12.21_linux_amd64.zip -d /usr/bin</P><P>&nbsp;</P><P># Install TFTP and set it to start + autostart<BR />yum install tftp tftp-server xinetd -y<BR /># need to edit the config file afterwards, e.g. nano /etc/xinetd.d/tftp<BR /># servers_args needs to have -c added after the = to allow files to be created<BR /># disable needs to be set to no instead of yes so that it can be used<BR />chmod 777 /var/lib/tftpboot<BR />systemctl enable xinetd<BR />systemctl enable tftp<BR />systemctl start xinetd<BR />systemctl start tftp<BR />setsebool -P tftp_anon_write 1<BR />setsebool -P tftp_home_dir 1</P> Thu, 27 Feb 2020 00:52:14 GMT A_Gardner 2020-02-27T00:52:14Z https://live.paloaltonetworks.com/t5/automation-api-discussions/building-an-automation-host-in-aws/m-p/313245#M2191 <P>Hi All,</P><P>having just painfully struggled through getting my first ansible automation to work I figured I'd share my findings here for other total beginners. It turns out my fight wasn't about getting Ansible talking to the firewall but about getting Ansible talking. And realizing that just because there's a file listing dependencies and the installer says it is checking dependencies doesn't mean it ACTUALLY deals with them. If it doesn't give details of actions it probably isn't doing anything!</P><P>&nbsp;</P><P>If you've already got a working Ansible control host in CentOS then I'd appreciate any feedback on glaring errors or QoL improvements.</P><P>&nbsp;</P><P>The set of commands below are what I will be using to rebuild the automation host from scratch. It is starting from a CentOS 7 AMI. I've added some comments that help explain what the line is trying to do.</P><P>&nbsp;</P><P>&nbsp;</P><P>#Become root for the session. Saves pre-pending sudo to many lines further down.<BR />sudo su</P><P>&nbsp;</P><P>#Install / update program lists. epel-release needed otherwise many packages are really old versions!</P><P># -y removes the need to hit yes to continue with the install<BR />yum install epel-release -y<BR />yum update -y</P><P>yum install centos-release-scl -y<BR />yum install rh-python36 -y<BR />scl enable rh-python36 bash</P><P># You either run the above scl line for every session!<BR /># or&nbsp;edit your file&nbsp;~/.bash_profile:<BR /># and add: source scl_source enable rh-python36</P><P>&nbsp;</P><P>#Update PIP before installing anything with it</P><P>pip3 install --upgrade pip</P><P>&nbsp;</P><P>#Install some handy basics. unzip and a text editor.<BR />yum install unzip -y<BR />yum install nano -y</P><P>&nbsp;</P><P>#Install ansible</P><P>pip3 install pandevice</P><P>#pip3 install pan-python (appears to not be needed)</P><P>#pip3 install xmltodict (appears to not be needed)</P><P>pip3 install ansible</P><P>&nbsp;</P><P>#Add a nasty hack to avoid certificate error issues for now. =1 is the default behaviour that was causing issues.</P><P>#This "fixes" CERTIFICATE_VERIFY_FAILED errors when you try running playbooks. It's a result of Python 2.7 enhancements.</P><P>#If you are having to add certificate exceptions to your browser to get to devices you probably need to add this.</P><P>#It effectively adds that exception for EVERYTHING so needs a better answer<BR />export PYTHONHTTPSVERIFY=0</P><P>&nbsp;</P><P>#Install terraform<BR />curl -O <A href="https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip" target="_blank">https://releases.hashicorp.com/terraform/0.12.21/terraform_0.12.21_linux_amd64.zip</A><BR /># echo $PATH<BR /># make sure unzip destination is in the path, e.g. /usr/bin<BR />unzip terraform_0.12.21_linux_amd64.zip -d /usr/bin</P><P>&nbsp;</P><P># Install TFTP and set it to start + autostart<BR />yum install tftp tftp-server xinetd -y<BR /># need to edit the config file afterwards, e.g. nano /etc/xinetd.d/tftp<BR /># servers_args needs to have -c added after the = to allow files to be created<BR /># disable needs to be set to no instead of yes so that it can be used<BR />chmod 777 /var/lib/tftpboot<BR />systemctl enable xinetd<BR />systemctl enable tftp<BR />systemctl start xinetd<BR />systemctl start tftp<BR />setsebool -P tftp_anon_write 1<BR />setsebool -P tftp_home_dir 1</P> Thu, 27 Feb 2020 00:52:14 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/building-an-automation-host-in-aws/m-p/313245#M2191 A_Gardner 2020-02-27T00:52:14Z