Differences
linux_wiki:ansible_awx [2018/07/07 00:06] billdozor [Example Template Fields to Use] |
linux_wiki:ansible_awx [2019/05/25 23:50] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | ====== Ansible AWX ====== | ||
- | |||
- | **General Information** | ||
- | |||
- | Installation and operational notes for Ansible AWX (Tower). | ||
- | |||
- | "AWX is the upstream project from which the Red Hat Ansible Tower offering is ultimately derived." | ||
- | |||
- | Resources | ||
- | * Github Project: https:// | ||
- | * Ansible AWX FAQ: https:// | ||
- | * Copr RPM Repo: https:// | ||
- | * Github for Copr RPM repo: https:// | ||
- | |||
- | ---- | ||
- | |||
- | ====== Install ====== | ||
- | |||
- | Start with a CentOS 7 minimal install. | ||
- | |||
- | \\ | ||
- | Postgresql 9.6 required for AWX. Add the repo | ||
- | <code bash>yum install -y https:// | ||
- | |||
- | \\ | ||
- | Install Postgresql 9.6 Database and other required packages | ||
- | <code bash> | ||
- | yum install postgresql96-server rabbitmq-server wget memcached nginx | ||
- | </ | ||
- | |||
- | \\ | ||
- | Add AWX Dev Repo | ||
- | <code bash> | ||
- | wget -O / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Install AWX | ||
- | <code bash> | ||
- | yum install awx | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Initial Setup ====== | ||
- | |||
- | Initialize the database | ||
- | <code bash> | ||
- | / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Configure memcached to listen locally | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | # Daemon | ||
- | USER=" | ||
- | |||
- | # Reserved Cache in MBs (Default: 64) | ||
- | CACHESIZE=" | ||
- | |||
- | # Memcached Options - Listen on localhost only | ||
- | OPTIONS=" | ||
- | |||
- | # Networking | ||
- | PORT=" | ||
- | MAXCONN=" | ||
- | </ | ||
- | |||
- | \\ | ||
- | Configure rabbitmq-server to listen locally | ||
- | <code bash> | ||
- | vim / | ||
- | |||
- | # Uncomment the following (and delete trailing comma in ipv6 line) | ||
- | {tcp_listeners, | ||
- | {":: | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Services ===== | ||
- | |||
- | Start and Enable some services. | ||
- | |||
- | \\ | ||
- | Start/ | ||
- | <code bash> | ||
- | systemctl start rabbitmq-server | ||
- | systemctl enable rabbitmq-server | ||
- | </ | ||
- | |||
- | \\ | ||
- | Start/ | ||
- | <code bash> | ||
- | systemctl start memcached | ||
- | systemctl enable memcached | ||
- | </ | ||
- | |||
- | \\ | ||
- | Start/ | ||
- | <code bash> | ||
- | systemctl start postgresql-9.6 | ||
- | systemctl enable postgresql-9.6 | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Database Setup ===== | ||
- | |||
- | Create Postgres user (awx) and database | ||
- | <code bash> | ||
- | su - postgres | ||
- | createuser -S awx | ||
- | createdb -O awx awx | ||
- | |||
- | exit | ||
- | </ | ||
- | |||
- | \\ | ||
- | Workaround for 1.0.5.32 and up: Comment out CELERY_QUEUES line< | ||
- | |||
- | # | ||
- | </ | ||
- | * If you don't comment out the above line, migrations next will fail with an error. | ||
- | |||
- | \\ | ||
- | Workaround for 1.6.8 and up: Comment out the CELERY_ROUTES lines< | ||
- | |||
- | # | ||
- | # | ||
- | |||
- | \\ | ||
- | Migrate AWX App data into the database (fyi; this is a Django app) | ||
- | <code bash> | ||
- | sudo -u awx / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize the AWX Django App: Create admin user | ||
- | <code bash> | ||
- | echo "from django.contrib.auth.models import User; User.objects.create_superuser(' | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize the AWX Django App: Add tower instance (AWX Server) | ||
- | <code bash> | ||
- | sudo -u awx / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize the AWX Django App: Create some pre-loaded organization data | ||
- | <code bash> | ||
- | sudo -u awx / | ||
- | </ | ||
- | |||
- | \\ | ||
- | Initialize the AWX Django App: Create a queue group | ||
- | <code bash> | ||
- | sudo -u awx / | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Proxy Setup ===== | ||
- | |||
- | Nginx will act as the proxy to the AWX application. | ||
- | |||
- | \\ | ||
- | Configure Nginx - Main Config (/ | ||
- | <code bash> | ||
- | ## NGINX - Main Configuration ## | ||
- | |||
- | # Context: Main - General Server Configuration | ||
- | |||
- | # User that worker processes run as | ||
- | user nginx; | ||
- | |||
- | # Number of worker processes (auto = set to number of CPUs) | ||
- | worker_processes | ||
- | |||
- | # Error Log and PID of main process | ||
- | error_log | ||
- | pid / | ||
- | |||
- | |||
- | # Context: Events - Connection Processing | ||
- | events { | ||
- | # Max number of connections per worker process | ||
- | worker_connections | ||
- | } | ||
- | |||
- | # Context: HTTP - HTTP Server Directives | ||
- | http { | ||
- | # MIME - Include file and default type | ||
- | include | ||
- | default_type | ||
- | |||
- | # Logging: Format and Main Access Log | ||
- | log_format | ||
- | ' | ||
- | '" | ||
- | access_log | ||
- | |||
- | # server_tokens off - Disable nginx version on error pages and response headers | ||
- | server_tokens off; | ||
- | |||
- | ## Headers - Add additional headers ## | ||
- | # X-Frame-Options SAMEORIGIN -> Page can only be displayed in a frame on same origin | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | |||
- | # X-Content-Type-Options nosniff -> Prevent MIME Type Attacks | ||
- | add_header X-Content-Type-Options nosniff; | ||
- | |||
- | # X-XSS-Protection "1; mode=block" | ||
- | # | ||
- | add_header X-XSS-Protection "1; mode=block" | ||
- | |||
- | # Content-Security-Policy -> Prevent XSS, clickjacking, | ||
- | add_header Content-Security-Policy " | ||
- | |||
- | # Combined directives: sendfile, tcp_nopush, tcp_nodelay all on | ||
- | # sendfile+tcp_nopush = use kernel dma to fill packets up to MSS, then send | ||
- | # tcp_nodelay = once the last packet is reached, tcp_nopush auto turned off, | ||
- | # then tcp_nodelay forces the fast sending of the last data | ||
- | |||
- | # Sendfile - Send files directly in kernel space | ||
- | # on -> keep on for locally stored files | ||
- | # off -> turn off for files served over network mounted storage | ||
- | sendfile | ||
- | |||
- | # tcp_nopush - Do not send data until packet reaches MSS | ||
- | # Dependency: sendfile MUST be on for this to work | ||
- | # | ||
- | |||
- | # tcp_nodelay - Send packets in buffer as soon as they are available | ||
- | # | ||
- | |||
- | # Server side keepalive timeout in seconds (default: 75) | ||
- | keepalive_timeout | ||
- | |||
- | # Gzip - Compress responses using gzip | ||
- | #gzip on; | ||
- | |||
- | # AWX ADDED: Connection upgrade | ||
- | map $http_upgrade $connection_upgrade { | ||
- | default upgrade; | ||
- | '' | ||
- | } | ||
- | |||
- | # Include enabled configurations | ||
- | include / | ||
- | |||
- | # AWX ADDED: Upstream Apps | ||
- | upstream uwsgi { | ||
- | server 127.0.0.1: | ||
- | } | ||
- | |||
- | upstream daphne { | ||
- | server 127.0.0.1: | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
- | \\ | ||
- | Configure Nginx - AWX Drop in Config (/ | ||
- | <code bash> | ||
- | ## Default Config - Catch All Matches ## | ||
- | |||
- | # HTTP (Port 80) | ||
- | server { | ||
- | listen 80 default_server; | ||
- | server_name | ||
- | |||
- | # Redirect everything to HTTPS | ||
- | return 301 https:// | ||
- | } | ||
- | |||
- | # HTTPS (Port 443) | ||
- | server { | ||
- | listen 443 ssl default_server; | ||
- | listen [::]:443 ssl default_server; | ||
- | server_name _; | ||
- | |||
- | # HSTS (HTTPS Strict Transport Security) | ||
- | # 63072000 seconds = 2 years | ||
- | add_header Strict-Transport-Security " | ||
- | |||
- | # SSL - Certificate Config | ||
- | ssl on; | ||
- | ssl_certificate / | ||
- | ssl_certificate_key / | ||
- | ssl_client_certificate / | ||
- | |||
- | # SSL - Session Config | ||
- | ssl_session_timeout 5m; | ||
- | ssl_session_cache shared: | ||
- | |||
- | # SSL - Protocols and Ciphers | ||
- | ssl_protocols TLSv1.2; | ||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_ciphers " | ||
- | |||
- | # Locations for AWX | ||
- | location /static/ { | ||
- | alias / | ||
- | } | ||
- | |||
- | location / | ||
- | |||
- | location /websocket { | ||
- | # Pass request to the upstream alias | ||
- | proxy_pass http:// | ||
- | # Require http version 1.1 to allow for upgrade requests | ||
- | proxy_http_version 1.1; | ||
- | # We want proxy_buffering off for proxying to websockets. | ||
- | proxy_buffering off; | ||
- | # http:// | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | # enable this if you use HTTPS: | ||
- | proxy_set_header X-Forwarded-Proto https; | ||
- | # pass the Host: header from the client for the sake of redirects | ||
- | proxy_set_header Host $http_host; | ||
- | # We've set the Host header, so we don't need Nginx to muddle | ||
- | # about with redirects | ||
- | proxy_redirect off; | ||
- | # Depending on the request value, set the Upgrade and | ||
- | # connection headers | ||
- | proxy_set_header Upgrade $http_upgrade; | ||
- | proxy_set_header Connection $connection_upgrade; | ||
- | } | ||
- | |||
- | # Location: Webserver root | ||
- | location / { | ||
- | # autoindex off - Disable directory listing output | ||
- | autoindex off; | ||
- | uwsgi_read_timeout 120s; | ||
- | uwsgi_pass uwsgi; | ||
- | include / | ||
- | } | ||
- | } | ||
- | </ | ||
- | |||
- | \\ | ||
- | Deploy your SSL certificates as (tip: use symlinks so you never have to update the nginx config file) | ||
- | * / | ||
- | * / | ||
- | * / | ||
- | |||
- | \\ | ||
- | Start/ | ||
- | <code bash> | ||
- | systemctl start nginx | ||
- | systemctl enable nginx | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== AWX Services ===== | ||
- | |||
- | Start/ | ||
- | <code bash> | ||
- | systemctl start awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | systemctl enable awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ====== Upgrade Steps ====== | ||
- | |||
- | **WARNING: | ||
- | |||
- | ===== AWX RPM Method ===== | ||
- | |||
- | To upgrade: | ||
- | |||
- | * Stop all services< | ||
- | * Upgrade AWX<code bash>yum update awx</ | ||
- | * Make Migrations< | ||
- | * Migrate Database changes< | ||
- | * Ensure other users still have read/ | ||
- | * Clear RabbitMQ Queues< | ||
- | rabbitmqctl reset | ||
- | rabbitmqctl start_app</ | ||
- | * Start all services< | ||
- | |||
- | ---- | ||
- | |||
- | ===== AWX Team Suggested Upgrade Steps ===== | ||
- | |||
- | To Upgrade: | ||
- | |||
- | * Install cli tool< | ||
- | * Export all data< | ||
- | * Stop all AWX services< | ||
- | * Upgrade AWX<code bash>yum update awx</ | ||
- | * Drop and then re-create the database< | ||
- | su - postgres -c " | ||
- | * Migrate app data back in<code bash> | ||
- | * Initial app data setup in db<code bash> | ||
- | sudo -u awx / | ||
- | sudo -u awx / | ||
- | * Import saved data< | ||
- | |||
- | ---- | ||
- | |||
- | ====== Configuration ====== | ||
- | |||
- | Other configuration steps. | ||
- | |||
- | ---- | ||
- | |||
- | ===== SSH Client Settings ===== | ||
- | |||
- | Changes to ssh client settings (/ | ||
- | # | ||
- | |||
- | ---- | ||
- | |||
- | ===== Logos ===== | ||
- | |||
- | Get rid of the angry potato pictures. | ||
- | |||
- | \\ | ||
- | Download AWX logos | ||
- | <code bash> | ||
- | |||
- | \\ | ||
- | Install unzip utility (if not installed) | ||
- | <code bash> | ||
- | yum install unzip | ||
- | </ | ||
- | |||
- | \\ | ||
- | Unzip archive | ||
- | <code bash> | ||
- | |||
- | \\ | ||
- | Copy Logos to installed asset directory | ||
- | <code bash> | ||
- | cp -fv awx-logos-master/ | ||
- | cp -fv awx-logos-master/ | ||
- | cp -fv awx-logos-master/ | ||
- | </ | ||
- | * **Note**: The logo-header and favicon.ico will be over written at first login; you will need to login first before replacing that image or re-copy it and refresh the browser to see the changes take effect. If you are having issues getting the replacement images to show up, clear browser cache/ | ||
- | |||
- | ---- | ||
- | |||
- | ===== LDAP Authentication ===== | ||
- | |||
- | Example configuration for LDAP. | ||
- | |||
- | **Tip**: The fields on this page do zero error checking as of this writing. In order to save lots of re-typing, fill out one field at a time and click Save. Leave the page and come back to see if the change stayed there (if there is a problem with it, it will be reset to default). This helps track down the field that AWX doesn' | ||
- | |||
- | \\ | ||
- | Configure LDAP | ||
- | * On the left navigation bar: | ||
- | * SETTINGS | ||
- | * SUB CATEGORY -> LDAP | ||
- | |||
- | FreeIPA Example | ||
- | * LDAP Server URI<code bash> | ||
- | * LDAP BIND DN<code bash> | ||
- | * LDAP BIND PASSWORD< | ||
- | * LDAP USER DN TEMPLATE< | ||
- | * LDAP Group Type< | ||
- | * LDAP Require Group< | ||
- | * LDAP Deny Group< | ||
- | * LDAP Start TLS: **On** | ||
- | |||
- | * LDAP User Search< | ||
- | * LDAP Group Search< | ||
- | [ | ||
- | " | ||
- | " | ||
- | " | ||
- | ]</ | ||
- | * LDAP User Attribute Map<code bash> | ||
- | { | ||
- | " | ||
- | " | ||
- | " | ||
- | }</ | ||
- | * LDAP Group Type Parameters< | ||
- | { | ||
- | " | ||
- | " | ||
- | }</ | ||
- | * LDAP User Flags by group< | ||
- | { | ||
- | " | ||
- | }</ | ||
- | * LDAP Organization Map<code bash> | ||
- | * LDAP Team Map<code bash> | ||
- | |||
- | ---- | ||
- | |||
- | ===== Configure for Inventory ===== | ||
- | |||
- | * **Create an Organization** | ||
- | * " | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Instance Groups (what AWX instances the Organization will use) | ||
- | * Save | ||
- | |||
- | * **Add credentials for source control** | ||
- | * " | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Organization | ||
- | * Credential Type: Source Control | ||
- | * Username | ||
- | * Password (will be stored encrypted) | ||
- | * Save | ||
- | |||
- | * **Add credentials for running jobs/ | ||
- | * " | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Organization | ||
- | * Credential Type: Machine | ||
- | * Username | ||
- | * Password (will be stored encrypted) | ||
- | * SSH Private Key: Copy/Paste from " | ||
- | * Privilege escalation method: sudo | ||
- | * Save | ||
- | |||
- | * **Add a project** | ||
- | * " | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Organization | ||
- | * SCM Type (Git) | ||
- | * SCM URL | ||
- | * SCM Credential: select previously created | ||
- | * SCM Update Options | ||
- | * Clean | ||
- | * Save | ||
- | * Note: Initial sync begins immediate, watch progress on the " | ||
- | |||
- | * **Schedule Regular Project Syncs** | ||
- | * " | ||
- | * To the right of the target Project, under " | ||
- | * Click the green " | ||
- | * Fill in | ||
- | * Name (unique) | ||
- | * Start Date | ||
- | * Start Time | ||
- | * Time zone | ||
- | * Repeat (hourly, etc) | ||
- | * Every X hours | ||
- | * End (never) | ||
- | |||
- | * **Sync Inventory File from Project** (Git source) | ||
- | * Create a new inventory for EACH Ansible inventory file; ie dev, test, prod. | ||
- | * " | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Organization | ||
- | * Instance Groups | ||
- | * Save | ||
- | * Within the same inventory config, click the " | ||
- | * Click the "Add Source" | ||
- | * Fill in: | ||
- | * Name | ||
- | * Description | ||
- | * Source: Sourced from a Project | ||
- | * Project (select previously created Project) | ||
- | * Inventory file (relative directory to project directory) | ||
- | * Example on disk: / | ||
- | * Example configured: inventories/ | ||
- | * Update Options | ||
- | * Overwrite (Keep in sync with inventory source) | ||
- | * Update on Project Change (Update inventory source when Project revision number is updated) | ||
- | |||
- | ---- | ||
- | |||
- | ===== Create a Job Template ===== | ||
- | |||
- | AWX requires you to create a job template in order to run Playbooks cloned from source control. | ||
- | |||
- | The templates define default run settings for the playbooks. | ||
- | |||
- | \\ | ||
- | To Create a Job Template | ||
- | * Click " | ||
- | * Required Fields: | ||
- | * Name | ||
- | * Job Type (Run/Check) | ||
- | * Inventory | ||
- | * Project | ||
- | * Playbook (populated from Project) | ||
- | * Credential | ||
- | * Verbosity | ||
- | * Any field: check " | ||
- | |||
- | \\ | ||
- | ==== Example Template Fields to Use ==== | ||
- | |||
- | * **Name**: < | ||
- | * **Description**: | ||
- | * **Job Type**: Run | ||
- | |||
- | * **Inventory**: | ||
- | * **Project**: | ||
- | * **Playbook**: | ||
- | |||
- | * **Credential**: | ||
- | * **Forks**: 10 | ||
- | * **Limit**: <leave blank>, check " | ||
- | |||
- | * **Verbosity**: | ||
- | * **Job Tags**: <leave blank>, check " | ||
- | * **Skip Tags**: <leave blank>, check " | ||
- | |||
- | * **Labels**: <leave blank> | ||
- | * **Instance Groups**: tower | ||
- | * **Show Changes**: Off | ||
- | |||
- | * **Options** | ||
- | * Enable Privilege Escalation: **checked** | ||
- | * Allow Provisioning Callbacks: not checked | ||
- | * Enable Concurrent Jobs: not checked | ||
- | * Use Fact Cache: **checked** | ||
- | |||
- | ---- | ||
- | |||
- | ====== Operating AWX ====== | ||
- | |||
- | AWX operations notes. | ||
- | |||
- | ---- | ||
- | |||
- | ===== Service ===== | ||
- | |||
- | **Enabled On Boot** | ||
- | |||
- | Check to see if the service is enabled on boot | ||
- | <code bash> | ||
- | # AWX Depedencies: | ||
- | systemctl is-enabled postgresql-9.6 memcached rabbitmq-server nginx | ||
- | |||
- | # AWX Services | ||
- | systemctl is-enabled awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | </ | ||
- | |||
- | \\ | ||
- | **Service Status** | ||
- | |||
- | View the service status | ||
- | <code bash> | ||
- | # AWX Depedencies: | ||
- | systemctl status postgresql-9.6 memcached rabbitmq-server nginx | ||
- | |||
- | # AWX Services | ||
- | systemctl status awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | </ | ||
- | |||
- | \\ | ||
- | **Service Start** | ||
- | |||
- | Start the services | ||
- | <code bash> | ||
- | # AWX Depedencies: | ||
- | systemctl start postgresql-9.6 memcached rabbitmq-server nginx | ||
- | |||
- | # AWX Services | ||
- | systemctl start awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | </ | ||
- | |||
- | \\ | ||
- | **Service Stop** | ||
- | |||
- | Stop the services | ||
- | <code bash> | ||
- | # AWX Depedencies: | ||
- | systemctl stop postgresql-9.6 memcached rabbitmq-server nginx | ||
- | |||
- | # AWX Services | ||
- | systemctl stop awx-cbreceiver awx-celery-beat awx-celery-worker awx-channels-worker awx-daphne awx-web | ||
- | </ | ||
- | |||
- | ---- | ||
- | |||
- | ===== Log Files ===== | ||
- | |||
- | Log files are located: | ||
- | * Database (Postgres): / | ||
- | * Database caching (memcahed): / | ||
- | * Message Broker (rabbitmq): / | ||
- | * Web Proxy (nginx): / | ||
- | * AWX Web: / | ||
- | |||
- | ---- | ||
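Review bot: the security headers set in the nginx main config are silently lost for the HTTPS server block. In the `http {}` context the page sets `add_header X-Frame-Options SAMEORIGIN;`, `add_header X-Content-Type-Options nosniff;`, `add_header X-XSS-Protection "1; mode=block"` and `add_header Content-Security-Policy "...`, but the `listen 443 ssl default_server;` server block then adds its own `add_header Strict-Transport-Security "...`. nginx inherits `add_header` from the enclosing level only when the current level defines none, so that server block will send only the HSTS header; repeat the four http-level headers inside the server block next to the HSTS line (or move all five there) and verify with `curl -I` against the proxy. Two smaller points in the same block: `ssl on;` is redundant with the `ssl` parameter already on the `listen` lines and is deprecated, and `ssl_client_certificate ...` has no effect without `ssl_verify_client`, so either drop it or add `ssl_verify_client on;` if client-certificate authentication is actually intended. Finally, the superuser creation step pipes the admin password through `echo ... | manage.py shell`, which leaves it in the shell history; the step should note that the password is a placeholder to be changed after first login, or be run in a way that does not record it.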