Ansible Tower implements a role based access control system. It may appear that you can edit objects that do not belong to you–like being able to pull up an edit dialog of your teammates, which you have been granted permission to view–but when you try to edit something, you will receive a 403 error and you cannot view any information you should not already have access to as defined in the system.
When performing a host comparison against a single host, if there is only one (1) run for the selected date, Tower may display a message saying it could not find any scan job runs in one of the columns.
When performing a host comparison against two hosts, you can only select from a single page of hosts.
Live events status dots are either seen as a red or orange dot at the top of the Tower Dashboard when something goes wrong, or they are not seen at all to indicate a healthy system state. If you encounter a red or orange live events status indicator, even when your system seems fine, the following suggestions may offer a solution:
https://tower-ip:8080/
which should allow you to accept the certificate for the machine.Live event status dots are used for troubleshooting problems with your Tower instance and the socketio logs can point out anything problematic. You can collect troubleshooting help by running a sosreport. As root, run the command sosreport
from your system to automatically generate a diagnostic tar file, then contact Ansible’s Support team with the collected information for further assistance.
Note
Starting with Ansible Tower 2.2.0, live events status indicators only appear if Tower detects a problem. In earlier releases, a green status dot was shown to indicate a healthy system.
Scan jobs may fail when run against Amazon Linux hosts. To ensure that your scan jobs do not hit Amazon Linux hosts, use inventory groups or set a limit in the job template.
Instances have been reported that sudo
/su
commands do not work when using an entirely local playbook or a playbook with some local_actions cases. This is likely due to PRoot being enabled. To use sudo
/su
commands with local playbooks or those with local_actions, PRoot must be disabled. You can disable PRoot by navigating to the /etc/tower/settings.py
file, setting AWX_PROOT_ENABLED=False
, then restarting services with the ansible-tower-service restart
command.
During the testing of Ansible Tower 2.3.0, it was discovered that the installation program does not handle the option to enable su
command support.
When using the Tower installation program to install Tower to a remote system where su
access is required, the installation program will not work. To workaround this issue, you should manually run the ansible-playbook
command with the --su
parameter.
The PRoot functionality in Ansible Tower limits which directories on the Tower file system are available for playbooks to see and use during playbook runs. If you are attempting to customize SSH behavior by using a custom SSH configuration in the Tower user’s home directory, this directory must be added to the list of directories exposed by PRoot.
For example, to add a custom SSH config in /var/lib/awx/.ssh/config
and make it available for Tower jobs, edit the /etc/tower/settings.py
file and add that path to the AWX_PROOT_SHOW_PATHS
variable:
AWX_PROOT_SHOW_PATHS = [ '/var/lib/awx/.ssh/' ]
Once the paths you need have been added to settings.py
, restart Tower using the admin utility script, ansible-tower-service
:
ansible-tower-service restart
If you are using the bundled installer for Ansible Tower 2.3.0, note that only Red Hat Enterprise Linux and CentOS are supported at this time. Ubuntu support has not yet been added to the bundled installer. Ubuntu users can continue to use the unbundled installer.
Instances of YAML parser traceback errors have been reported when users attempt to install Tower without python-yaml
being installed. In this scenario, the installation program uses the built-in YAML parser, but the built-in YAML parser is unable to parse a YAML variable initialized to an empty dictionary (e.g. {}
).
The traceback may look like the following:
Traceback (most recent call last):
File "./configure", line 787, in <module>
if conf['configure_private_vars'].get(field, None):
AttributeError: 'str' object has no attribute ‘get’
To workaround this issue, remove the offending variable (such as configure_private_vars: {}
) from the Tower settings file, tower_setup_conf.yml
.
Proactive session limits will kick the user out when the session is idle. It is strongly recommended that you do not set the session limit to anything less than 1 minute, as doing so will break your Ansible Tower instance.
Ansible 2.0 introduces strategies, such as strategy: free
, but Ansible Tower support for these new strategies is not yet available in Tower version 2.4.0. This Ansible feature will not be added to Tower until a later release.
If you attempt to use strategy: free
in Ansible Tower, jobs will run, but they will not display properly in the Job Detail page.
Refer to the following link for more information: https://docs.ansible.com/ansible/playbooks_strategies.html
Once a user who logs in using social authentication has been deleted, the user will not be able to login again or be recreated until the system administrator runs a cleanup_deleted
action with days=0
to allow users to login again. Once cleanup_deleted
has been run, Tower must be restarted using the ansible-tower-service restart
command. Accounts which have been deleted prior to having the cleanup_deleted
action run will receive a “Your account is inactive” message upon trying to login.