Ansible Builder Guide

Red Hat Ansible Automation Platform 2.1

Execution environment builder to create consistent and reproducible automation execution environments for your Red Hat Ansible Automation Platform.

Red Hat Customer Content Services


Providing Feedback:
If you have a suggestion to improve this documentation, or find an error, please contact technical support at to create an issue on the Ansible Automation Platform Jira project using the Docs component.


Use Ansible Builder to create consistent and reproducible automation execution environments for your Red Hat Ansible Automation Platform needs.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.

Chapter 1. Introduction to Ansible Builder

1.1. About Ansible Builder

Ansible Builder is a command line tool that automates the process of building automation execution environments by using the metadata defined in various Ansible Collections, as well as by the user.

1.1.1. Why use Ansible Builder?

Before Ansible Builder was developed, Automation Platform users would potentially run against dependency issues and multiple error messages as they attempted to create a custom virtual environment or container that had all of their required dependencies installed.

Through the use of an easily customizable definition file, Ansible Builder installs Ansible, specified Collections and any of its dependencies so that all of the necessary requirements to get jobs running are fulfilled behind the scenes.

Chapter 2. Using Ansible Builder

2.1. Installing Ansible Builder

You can install Ansible Builder using Red Hat Subscription Management (RHSM) to attach your Red Hat Ansible Automation Platform subscription. Attaching your Red Hat Ansible Automation Platform subscription allows you to access subscription-only resources necessary to install ansible-builder. Once you attach your subscription, the necessary repository for ansible-builder is automatically enabled.


You must have valid subscriptions attached on the host before installing ansible-builder.


  1. In your terminal, run the following command to activate your Ansible Automation Platform repo:

    $ dnf config-manager --enable ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms
  2. Then enter the following command to install Ansible Builder:

    $ dnf install ansible-builder

2.2. Building a definition file

Once you have Ansible Builder installed, we will need to create a definition file which Ansible Builder will use to create your automation execution environment image. The high level process to build an automation execution environment image is for Ansible Builder to read and validate your definition file, then create a Containerfile, and finally pass the Containerfile to Podman which then packages and creates your automation execution environment image. The definition file we will create for Ansible Builder is in yaml format and contains different sections which we will discuss in further detail.

The following is an example of a definition file:

Example 2.1. A definition file

version: 1

build_arg_defaults: 1

ansible_config: 'ansible.cfg' 2

dependencies: 3
  galaxy: requirements.yml
  python: requirements.txt
  system: bindep.txt

additional_build_steps: 4
  prepend: |
    RUN whoami
    RUN cat /etc/os-release
    - RUN echo This is a post-install command!
    - RUN ls -la /etc
Lists default values for build arguments
Specifies the ansible.cfg file path
Specifies the location of various requirements files
Commands for additional custom build steps

For more information about these definition file parameters, please see this section.

2.3. Executing the build and creating commands


  • You have created a definition file


To build an automation execution environment image, run:

$ ansible-builder build

By default, Ansible Builder will look for a definition file named execution-environment.yml but a different file path can be specified as an argument via the -f flag:

$ ansible-builder build -f definition-file-name.yml

where definition-file-name specifies the name of your definition file.

2.4. Breakdown of definition file content

A definition file is necessary for building automation execution environments with Ansible Builder, as it specifies the content which will be included in the automation execution environment container image.

The following sections breaks down the different parts of a definition file.

2.4.1. Build args and base image

The build_arg_defaults section of the definition file is a dictionary whose keys can provide default values for arguments to Ansible Builder. See the following table for a list of values that can be used in build_arg_defaults:



  • Allows the user to pass the –pre flag to enable the installation of pre-releases collections
  • -c is the equivalent of setting verify_ssl to false


Specifies the parent image for the automation execution environment, enabling a new image to be built that is based off of an already-existing image


Specifies the image used for compiling-type tasks

The values given inside build_arg_defaults will be hard-coded into the Containerfile, so these values will persist if podman build is called manually.


If the same variable is specified in the CLI --build-arg flag, the CLI value will take higher precedence.

2.4.2. Ansible config file path

When using an ansible.cfg file to pass a token and other settings for a private account to an automation hub server, list the config file path (relative to where the definition file is located) as a string to enable it as a build argument in the initial phase of the build.

The ansible.cfg file should be formatted like the following example:

Example 2.2. An ansible.cfg file

server_list = automation_hub


For more information on how to download a collection from automation hub, please see the related Ansible documentation page.

2.4.3. Dependencies Galaxy

The galaxy entry points to a valid requirements file for the ansible-galaxy collection install -r …​ command.

The entry requirements.yml may be a relative path from the directory of the automation execution environment definition’s folder, or an absolute path.

The content of a requirements.yml file may look like the following:

Example 2.3. A requirements.yml file for Galaxy

  - kubernetes.core Python

The python entry in the definition file points to a valid requirements file for the pip install -r …​ command.

The entry requirements.txt is a file that installs extra Python requirements on top of what the Collections already list as their Python dependencies. It may be listed as a relative path from the directory of the automation execution environment definition’s folder, or an absolute path. The contents of a requirements.txt file should be formatted like the following example, similar to the standard output from a pip freeze command:

Example 2.4. A requirements.txt file for Python

python_version >= '2.7'
collection community.vmware
ovirt-engine-sdk-python>=4.4.10 System

The system entry in the definition points to a bindep requirements file, which will install system-level dependencies that are outside of what the collections already include as their dependencies. It may be listed as a relative path from the directory of the automation execution environment definition’s folder, or an absolute path.

To demonstrate this, the following is an example bindep.txt file that adds the libxml2 and subversion packages to a container:

Example 2.5. A bindep.txt file

libxml2-devel [platform:rpm]
subversion [platform:rpm]

2.4.4. Additional custom build steps

The prepend and append commands may be specified in the additional_build_steps section. These will add commands to the Containerfile which will run either before or after the main build steps are executed.

The syntax for additional_build_steps must be one of the following:

  • a multi-line string

    Example 2.6. A multi-line string entry

    RUN whoami
    RUN cat /etc/os-release
  • a list

    Example 2.7. A list entry

    - RUN echo This is a post-install command!
    - RUN ls -la /etc

2.5. Optional build command arguments

The -t flag will give your automation execution environment image a specific name. For example, the following command will build an image named my_first_ee_image:

$ ansible-builder build -t my_first_ee_image

If you have multiple definition files, you can specify which one to use by utilizing the -f flag:

$ ansible-builder build -f another-definition-file.yml -t another_ee_image

In the example above, Ansible Builder will use the specifications provided in the file another-definition-file.yml instead of the default execution-environment.yml to build an automation execution environment image named another_ee_image.

For other specifications and flags that are possible to use with the build command, enter ansible-builder build --help to see a list of additional options.

2.6. Creating a Containerfile without building an image

To create a shareable Containerfile without building an image from it, run:

$ ansible-builder create

Chapter 3. Publishing an automation execution environment

3.1. Pushing an execution environment container image to automation hub


  • You have execution environment permissions in automation hub allowing you to create new containers or push to an existing container.

A container registry is a repository for storing container images. Once you have built an automation execution environment image, you’ll be ready to push that container image to the registry portion of your instance of automation hub.

With your automation hub URL on hand, run the following command to log in to Podman, substituting your username, password, and automation hub URL:

$ podman login -u=username -p=password automation-hub-url

Once you’re logged in to Podman, run the following command to push your container image to the container registry on automation hub:

$ podman push automation-hub-url/ee-image-name

The automation execution environment image name is specified by the -t argument to the ansible-builder build command. If you did not specify a custom image name using the -t flag, the default image tag is ansible-execution-env:latest.

3.2. Pulling from a protected registry

To pull container images from a password or token-protected registry, create a credential in automation controller:


  1. Navigate to automation controller.
  2. In the side-menu bar, click ResourcesCredentials.
  3. Click Add to create a new credential.
  4. Supply an authorization URL, username, and password. Click Save.

For more information, please reference the Pulling from Protected Registries section of the Execution Environment documentation.

Chapter 4. Building off of existing base EEs provided by Red Hat Ansible Automation Platform

4.1. Gathering system-level dependencies

The bindep format provides a way of specifying cross-platform requirements. A minimum expectation is that the collection(s) specify necessary requirements for [platform:rpm].

Below is an example of content from a valid bindep.txt file:

Example 4.1. A bindep.txt file

python38-devel [platform:rpm compile]
subversion [platform:rpm]
git-lfs [platform:rpm]

Entries from multiple collections will be combined into a single file. This will be processed by bindep and then passed to dnf. Only requirements with no profiles or no runtime requirements will be installed to the image.

4.2. Customizing an existing execution environment image

Ansible Controller ships with three default execution environments:

  • Ansible 2.9 - no collections are installed other than Controller modules
  • Minimal - contains the latest Ansible 2.12 release along with Ansible Runner, but contains no collections or other additional content
  • EE Supported - contains all Red Hat-supported content

While these environments cover many automation use cases, you can add additional items to customize these containers for your specific needs. The following procedure adds the kubernetes.core collection to the ee-minimal default image:


  1. Log in to via Podman:

    $ podman login -u="[username]" -p="[token/hash]"
  2. Pull an Automation Execution Environment image

    podman pull
  3. Configure your Ansible Builder files to specify any additional content to add to the new execution environment image which is based off of ee-minimal.

    1. For example, to add the Kubernetes Core Collection from Galaxy to the image, fill out the requirements.yml file as such:

        - kubernetes.core
    2. For more information on definition files and their content, refer to to definition file breakdown section.
  4. In the execution environment definition file, specify the filepath to the original ee-minimal container in the EE_BASE_IMAGE field. In doing so, your final execution-environment.yml file will look like the following:

    Example 4.2. A customized execution-environment.yml file

    version: 1
      EE_BASE_IMAGE: ''
      galaxy: requirements.yml

    Since this example uses the community version of kubernetes.core and not a certified collection from automation hub, we do not need to create an ansible.cfg nor reference that in our definition file.

  5. Build the new execution environment image using the following command:

    $ ansible-builder build -t[username]/new-ee

    where [username] specifies your username, and new-ee specifies the name of your new container image.

    1. Use the podman images command to confirm that your new container image is in that list:

      Example 4.3. Output of a podman images command with the image new-ee

      REPOSITORY          TAG     IMAGE ID      CREATED        SIZE
      localhost/new-ee    latest  f5509587efbb  3 minutes ago  769 MB
  6. Verify your newly-created execution environment image via Ansible Navigator
  7. Tag the image for use in your automation hub:

    $ podman tag[username]_/_new-ee_ [automation-hub-IP-address]/_[username]_/_new-ee_
  8. Log in to your automation hub using Podman:


    You must have admin or appropriate container repository permissions for automation hub to push a container. See Managing containers in private automation hub in the Red Hat Ansible Automation Platform documentation for more information.

    $ podman login -u="[username]" -p="[token/hash]" [automation-hub-IP-address]
  9. Push your image to the container registry in automation hub:

    $ podman push [automation-hub-IP-address]/_[username]_/_new-ee_
  10. Pull your new image into your automation controller instance:

    1. Navigate to automation controller.
    2. From the side-navigational bar, click AdministrationExecution Environments.
    3. Click Add.
    4. Enter the appropriate information then click Save to pull in the new image.


      if your instance of automation hub is password or token protected, ensure that you have the appropriate container registry credential set up.

Legal Notice

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.