Ansible Tower has a full-featured command line interface. It communicates with Tower via Tower’s REST API. You can install it from any machine with access to your Tower machine, or on Tower itself.
Installation can be done using the pip command:
pip install ansible-tower-cli
Refer to api_towercli and https://github.com/ansible/tower-cli/blob/master/README.md for configuration and usage instructions.
During the installation process, you are prompted to enter an administrator password which is used for the admin superuser/first user created in Tower. If you log into the instance via SSH, it will tell you the default admin password in the prompt. If you need to change this password at any point, run the following command as root on the Tower server:
tower-manage changepassword admin
Next, enter a new password. After that, the password you have entered will work as the admin password in the web UI.
Credentials supplied by Tower will not flow to the jump host via ProxyCommand. They are only used for the end-node once the tunneled connection is set up.
To make this work, configure a fixed user/keyfile in the AWX user’s SSH config in the ProxyCommand definition that sets up the connection through the jump host. For example:
Host tampa
    Hostname 10.100.100.11
    IdentityFile [privatekeyfile]

Host 10.100..
    ProxyCommand ssh -W %h:%p [jumphostuser]@tampa
Note
You must disable PRoot by default if you need to use a jump host. You can disable PRoot by navigating to the /etc/tower/settings.py file, setting AWX_PROOT_ENABLED=False, then restarting services with the ansible-tower-service restart command.
When working with Ansible Tower, you can use the API to obtain the Ansible outputs for commands in JSON format.
To view the Ansible outputs, browse to:
https://<tower server name>/api/v1/jobs/<job_id>/job_events/
While Ansible does not require a configuration file, OS packages often include a default one in /etc/ansible/ansible.cfg for possible customization. You can also install your own copy in ~/.ansible.cfg or keep a copy named ansible.cfg in a directory relative to your playbook.
To learn which values you can use in this file, refer to the configuration file on GitHub.
Using the defaults is acceptable for starting out, but know that you can configure the default module path or connection type here, as well as other things.
Ansible by default gathers “facts” about the machines under its management, accessible in Playbooks and in templates. To view all facts available about a machine, run the setup module as an ad hoc action:
ansible -m setup hostname
This prints out a dictionary of all facts available for that particular host. For more information, refer to: https://docs.ansible.com/ansible/playbooks_variables.html#information-discovered-from-systems-facts
Note
Tower now offers a full-featured command line interface called tower-cli which may be of interest to you if you are considering using curl.
This method works with Tower versions 2.1.x and newer.
Launching jobs with the Tower API is simple. Here are some easy to follow examples using the curl tool. Assuming that your Job Template ID is ‘1’, your Tower IP is 192.168.42.100, and that admin and awxsecret are valid login credentials, you can create a new job this way:
curl -f -k -H 'Content-Type: application/json' -XPOST \
--user admin:awxsecret \
http://192.168.42.100/api/v1/job_templates/1/launch/
This returns a JSON object that you can parse and use to extract the ‘id’ field, which is the ID of the newly created job.
You can also pass extra variables to the Job Template call, as shown in the following example:
curl -f -k -H 'Content-Type: application/json' -XPOST \
-d '{"extra_vars": "{\"foo\": \"bar\"}"}' \
--user admin:awxsecret http://192.168.42.100/api/v1/job_templates/1/launch/
View the live API documentation by logging into http://192.168.42.100/api/ and browsing around to the various objects available.
Note
The extra_vars parameter needs to be a string which contains JSON, not just a JSON dictionary, as you might expect. Use caution when escaping the quotes, etc.
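The same launch call built in Python, as an added example that is not part of the original Tower documentation: it double-encodes extra_vars so the parameter arrives as a string containing JSON, and it keeps certificate verification on instead of using curl -k. The https scheme and the TOWER_PASSWORD environment variable are assumptions of this example.

```python
import base64
import json
import os
import ssl
import urllib.request

# IP taken from the curl example; the https scheme is an assumption.
TOWER_URL = "https://192.168.42.100"


def build_launch_request(template_id, username, password, extra_vars=None):
    """Build the POST for /api/v1/job_templates/<id>/launch/ without sending it."""
    body = {}
    if extra_vars is not None:
        # extra_vars must be a string that contains JSON, so encode it twice.
        body["extra_vars"] = json.dumps(extra_vars)
    token = base64.b64encode(("%s:%s" % (username, password)).encode()).decode()
    return urllib.request.Request(
        "%s/api/v1/job_templates/%d/launch/" % (TOWER_URL, template_id),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST",
    )


def job_id_from_response(raw):
    """Extract the 'id' field of the newly created job from the JSON reply."""
    return json.loads(raw)["id"]


def launch(template_id, extra_vars=None, cafile=None):
    """Send the request with certificate verification on (no curl -k equivalent)."""
    # TOWER_PASSWORD is a hypothetical variable name; keep the secret out of argv.
    request = build_launch_request(
        template_id, "admin", os.environ["TOWER_PASSWORD"], extra_vars)
    context = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=context, timeout=30) as reply:
        return job_id_from_response(reply.read())
```

Pass cafile to launch() when Tower presents a certificate signed by an internal CA.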
By default, Tower only shows instances in a VPC that have an Elastic IP (EIP) associated with them. To view all of your VPC instances, perform the following steps:
vpc_destination_variable: private_ip_address
Save and trigger an update of the group. You should now be able to see all of your VPC instances.
Note
Tower must be running inside the VPC with access to those instances in order to usefully configure them.
By default, the dynamic inventory sources in Tower (AWS, Rackspace, etc) return all instances available to the cloud credentials being used. They are automatically joined into groups based on various attributes. For example, AWS instances are grouped by region, by tag name and value, by security groups, etc. To target specific instances in your environment, write your playbooks so that they target the generated group names. For example:
---
- hosts: tag_Name_webserver
  tasks:
  ...
You can also use the Limit field in the Job Template settings to limit a playbook run to a certain group, groups, hosts, or a combination thereof. The syntax is the same as the --limit parameter on the ansible-playbook command line.
You may also create your own groups by copying the auto-generated groups into your custom groups. Make sure that the Overwrite option is disabled on your dynamic inventory source, otherwise subsequent synchronization operations will delete and replace your custom groups.
If there is a feature that is available in the latest Ansible core branch that you would like to leverage with your Tower system, making use of it in Tower is fairly simple.
First, determine which is the updated module you want to use from the available Ansible Core Modules or Ansible Extra Modules GitHub repositories.
Next, create a new directory next to your Ansible source playbooks, named /library.
Once this is created, copy the module you want to use and drop it into the /library directory. It will be consumed first over your system modules and can be removed once you have updated the stable version via your normal package manager.
Ansible has a flexible method of handling actions during playbook runs, called callback plugins. You can use these plugins with Tower to do things like notify services upon playbook runs or failures, send emails after every playbook run, etc. For official documentation on the callback plugin architecture, refer to: http://docs.ansible.com/developing_plugins.html#callbacks
You may also want to review some example plugins, which should be modified for site-specific purposes, such as those available at: https://github.com/ansible/ansible/tree/devel/plugins/callbacks
To use these plugins, put the callback plugin .py file into a directory called /callback_plugins alongside your playbook in your Tower Project.
To make the callback apply to every playbook, independent of any projects, put the plugin's .py file in one of the following directories (depending on your particular Linux distribution and method of Ansible installation):
/usr/lib/pymodules/python2.7/ansible/callback_plugins
/usr/local/lib/python2.7/dist-packages/ansible/callback_plugins
/usr/lib/python2.6/site-packages/ansible/callback_plugins
By default Tower attempts to ssh to hosts. You must add the winrm connection info to the group variables to which the Windows hosts belong. To get started, edit the Windows group in which the hosts reside and place the variables in the source/edit screen for the group.
To add winrm connection info:
Edit the properties for the selected group by clicking on the button to the right of the group name that contains the Windows servers. In the “variables” section, add your connection information as such: ansible_connection: winrm
Once done, save your edits. If Ansible was previously attempting an SSH connection and failed, you should re-run the job template.
To import an existing static inventory and the accompanying host and group vars into Tower, your inventory should be in a structure that looks similar to the following:
inventory/
|-- group_vars
|   `-- mygroup
|-- host_vars
|   `-- myhost
`-- hosts
To import these hosts and vars, run the tower-manage command:
tower-manage inventory_import --source=inventory/ \
--inventory-name="My Tower Inventory"
If you only have a single flat file of inventory, a file called ansible-hosts, for example, import it like the following:
tower-manage inventory_import --source=./ansible-hosts \
--inventory-name="My Tower Inventory"
In case of conflicts or to overwrite an inventory named “My Tower Inventory”, run:
tower-manage inventory_import --source=inventory/ \
--inventory-name="My Tower Inventory" \
--overwrite --overwrite-vars
If you receive an error, such as:
ValueError: need more than 1 value to unpack
Your inventory file is most likely in the “[groupname:vars]” structure. At this time, the inventory importer tool does not support this format. For each of the groups that has vars attached, move those groups into a group_vars file.
Create a directory to hold the hosts file, as well as the group_vars:
mkdir -p inventory-directory/group_vars
Then, for each of the groups that have :vars listed, create a file called inventory-directory/group_vars/<groupname> and format the variables in YAML format.
Once broken out, the importer will handle the conversion correctly.
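One way to automate that break-out, as an added example that is not part of Tower or the original documentation: it splits a flat inventory into a hosts file and one group_vars/<groupname> file per [groupname:vars] section, and rejects group names that would not be safe as file names. The sample inventory is constructed, and the function names are this example's own.

```python
import json
import re
from pathlib import Path

SECTION = re.compile(r"^\[([^\]]+)\]$")
SAFE_NAME = re.compile(r"^(?!\.+$)[A-Za-z0-9_.-]+$")  # group name becomes a file name
# Constructed sample inventory using the unsupported [groupname:vars] form.
SAMPLE = """\
[web]
web1.example.com
[web:vars]
http_port=8080
proxy_url="http://proxy.example.com:3128"
"""


def coerce(value):
    """Integers stay integers, quotes are stripped, anything else stays a string."""
    if re.fullmatch(r"-?\d+", value):
        return int(value)
    return value[1:-1] if re.fullmatch(r"""(['"]).*\1""", value) else value


def split_group_vars(text):
    """Return (hosts_text, {group: {var: value}}) with :vars sections removed."""
    kept, group_vars, current = [], {}, None
    for line in text.splitlines():
        stripped = line.strip()
        match = SECTION.match(stripped)
        if match:
            group, _, kind = match.group(1).partition(":")
            current = group if kind == "vars" else None
            if current is not None and not SAFE_NAME.match(current):
                raise ValueError("unsafe group name: %r" % current)
        if current is None:
            kept.append(line)
        elif not match and stripped and stripped[0] not in "#;":
            key, _, value = stripped.partition("=")
            group_vars.setdefault(current, {})[key.strip()] = coerce(value.strip())
    return "\n".join(kept).strip() + "\n", group_vars


def write_layout(text, dest):
    """Write dest/hosts and dest/group_vars/<groupname>; JSON scalars are valid YAML."""
    hosts, group_vars = split_group_vars(text)
    root = Path(dest) / "group_vars"
    root.mkdir(parents=True, exist_ok=True)
    (root.parent / "hosts").write_text(hosts)
    for group, variables in group_vars.items():
        body = "".join("%s: %s\n" % (json.dumps(k), json.dumps(v)) for k, v in variables.items())
        (root / group).write_text("---\n" + body)
    return sorted(group_vars)
```

Calling write_layout(open("ansible-hosts").read(), "inventory-directory") produces a directory that can be passed to tower-manage inventory_import with --source=inventory-directory/.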