Documentation

8. The Tower Installation Wizard

The Tower setup process consists of two parts: an installation wizard that determines your Tower configuration, and a setup playbook that uses that information to install Tower.

The Tower Installation Wizard and the Tower setup playbook do not need to be run from the system that will run Tower, although they can. The Tower Installation Wizard asks for credentials needed to access external systems where necessary.

The Tower Installation Wizard is invoked as configure from the path where you unpacked the Tower installation tarball. It writes a file called tower_setup_conf.yml which contains the configuration for Tower.

username@localhost:~$ ./configure

8.1. Installation Arguments

The wizard takes the following arguments:

  • -h, --help Displays a brief usage summary.

  • -l, --local Assumes that you are installing Tower on the local machine where you are running configure. This implies an internal embedded PostgreSQL database as well. This option skips some questions in the wizard.

  • --no-secondary-prompt Assumes you are not installing in a high-availability setup. This option skips some questions in the wizard.

  • -A, --no-autogenerate Do not autogenerate random passwords for PostgreSQL or Redis; prompt the user for them instead.

  • -o FILE, --options-file=FILE Use the file FILE as a source of answers. This can be the tower_setup_conf.yml file from a previous run of the wizard. Depending on the contents of the file, this option skips some questions in the wizard. The contents of the tower_setup_conf.yml file may look similar to the following:

    admin_password: password
    database: internal
    munin_password: password
    pg_password: cmTM4eaCpnDS54ReXGv34szoHQiXccFno3atfBij
    primary_machine: localhost
    redis_password: 8nG2TRpSDnpr69eWbqFwXTbryCUW64r76VjBqsKx
    

Once you invoke the Tower Installation Wizard, you are asked about the configuration of a few different items.

8.2. Primary Tower machine configuration

First, the Tower wizard asks about where you intend to place the primary (or only) Tower instance.

root@localhost:~$ ./configure
-------------------------------------------
Welcome to the Ansible Tower Install Wizard
-------------------------------------------

PRIMARY TOWER MACHINE
Tower can be installed (or upgraded) on this machine, or onto a remote machine
that is reachable by SSH.

Note: If using the High Availability features of Tower, you must use DNS
resolvable hostnames or IP addresses (do not use "localhost").

Enter the hostname or IP to configure Ansible Tower
(default: localhost):

If you are installing on the current machine, enter localhost or 127.0.0.1. If you are installing on a different machine, enter the IP address or hostname of that machine. This machine must be running and accessible via SSH when you run the setup playbook later.

8.2.1. Configuring the Database

Tower can be set up to use either an internal database installed on the primary Tower machine or an external PostgreSQL database.

Enter i for an internal database on the same machine as Tower, or e for an external database. To run Tower in a high-availability configuration, you must use an external database.

DATABASE
Tower can use an internal database installed on the Tower machine, or an
external PostgreSQL database. An external database could be a hosted database,
such as Amazon's RDS.

An internal database is fine for most situations. However, to use the High
Availability features of Tower, an external database is required.

If using an external database, the database (but not the necessary tables) must
already exist.

Will this installation use an (i)nternal or (e)xternal database?

If you choose to use an external database, the wizard prompts you for the following additional database parameters:

  • Database host to connect to
  • Database name
  • PostgreSQL user to use to access the database
  • Password for the above PostgreSQL user
  • Port to connect to the PostgreSQL database on (hit enter for the default PostgreSQL port)

The wizard will attempt to verify these parameters if your system has the PostgreSQL client libraries installed.

8.3. Secondary Installation (if applicable)

At this time, if you chose to set up an external database, you can configure any necessary secondary Tower instances.

SECONDARY MACHINES
You may optionally elect to add any number of secondary machines, on which
Ansible Tower will also be installed (in secondary mode).
Add secondary machines (y/n)?

Enter y to configure additional secondary Tower instances.

Enter the hostnames or IP addresses of machines you want to configure as secondary Tower instances, one at a time. Enter a blank line to end the list. These machines must be running and accessible via SSH when running the setup playbook later.

8.4. Passwords

You are then prompted for the passwords you need for various Tower services.

PASSWORDS
For security reasons, since this is a new install, you must specify the
following application passwords.

The installation wizard prompts you to provide an Admin Password. This ‘admin’ password is used for the first user (and superuser) created upon installation. You must have this password for your initial login to Tower.

If you passed the -A or --no-autogenerate parameters to the Installation Wizard, you are prompted for a PostgreSQL password and a Redis password. These are used internally to Tower and are not needed by the admin at runtime. These additional passwords are normally auto-generated as a random value.

Note

Once Tower setup has been completed, you can log into the instance via SSH and it will provide the default admin password in the prompt. The admin password can be changed with the following command (as root or as AWX user): tower-manage changepassword admin

After that, the password you’ve entered will work as the admin password in the web UI.

8.4.1. Password Strength Configuration

This feature allows you to define minimum strengths for passwords. The password strength configuration for Tower specifies the rules that user passwords must satisfy.

To make use of this feature, set your preferred password strength configuration options in a local_settings.json file.

Next, set the password_* variables to true/false based on the rules you want to enforce.

The password strength configuration feature allows you to create passwords of any combination of upper and lowercase characters, numbers, and special characters that include “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(”, and “)”.

You can also set the password’s minimum (1) and maximum (64) length. The recommended minimum password length is eight (8) characters.

8.5. Connection Information

If you chose to install on machines other than the current machine you are running the installation wizard on, you must also enter details on how to connect to those machines.

CONNECTION INFORMATION
Enter the SSH user to connect with (default: root):

First, you are prompted for the user to SSH to the remote hosts with. If this user is not root, you are prompted for how you will escalate privileges.

Root access is required to install Tower.
Will you use (1) sudo or (2) su?

Choose either 1 or 2 to configure sudo or su access. If you indicate that you need a password for sudo or su access, you are prompted for it during the setup playbook run.

You are then prompted for SSH key information. If you are using an SSH key to access this host, you are prompted for the path to the SSH private key to use.

The same connection and su/sudo information will be used for all machines that are configured by the setup playbook, whether primary or secondary nodes. If you need different connection information for different machines, this can be configured by manually modifying the inventory file generated by the Installation Wizard.

8.6. Review and Confirm

You are then asked to review the settings you entered. An example would be:

REVIEW
You selected the following options:

The primary Tower machine is: tower.example.com
Tower will operate on an EXTERNAL database.
  host: database.example.com
  database: mydb
  user: db_admin
  password: ********
  port: 5432
Additional secondary machines:
  - tower-backup.example.com
  - tower-backup2.example.com
Using SSH user: jdoe

Are these settings correct (y/n)?

Select y, and you will then be given some information on running the setup playbook.

FINISHED!
You have completed the setup wizard. You may execute the installation of
Ansible Tower by issuing the following command:

# Add your SSH key to SSH agent.
# You may be asked to enter your SSH unlock key password to do this.
ssh-agent bash
ssh-add ~/.ssh/id_my-example-key
./setup.sh -s

8.7. Reviewing the Tower Configuration

The Tower configuration is written into two files by the Tower Installation Wizard.

  • tower_setup_conf.yml This Tower configuration file contains needed Tower passwords, database connection information, and machine connection information.
  • inventory This includes the machines that the setup playbook will operate on, grouped into the primary and secondary groups of nodes.
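Because tower_setup_conf.yml holds the Tower passwords in clear text, it is worth checking the file before it is copied around or reused with -o. The following is an added example, not part of the Tower installer: it audits the file's permissions and flags guessable or short password values. It assumes the flat key: value layout and the *_password key naming seen in the sample in section 8.1; the WEAK list and the function names are illustrative.

```python
import os
import stat
import tempfile

WEAK = {"password", "admin", "changeme"}  # assumed list of guessable values
MIN_LEN = 8  # recommended minimum length from section 8.4.1
# Constructed sample input: values as shown in section 8.1 of this page.
SAMPLE = """admin_password: password
database: internal
munin_password: password
pg_password: cmTM4eaCpnDS54ReXGv34szoHQiXccFno3atfBij
redis_password: 8nG2TRpSDnpr69eWbqFwXTbryCUW64r76VjBqsKx
"""


def parse_flat_yaml(text):
    """Parse the flat 'key: value' layout shown in section 8.1 (no nesting)."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip().strip("'\"")
    return conf


def audit_conf(path):
    """Return findings for a tower_setup_conf.yml-style file at path."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o allows group/other access; use 0600" % mode)
    with open(path) as fh:
        conf = parse_flat_yaml(fh.read())
    # Only keys that look like secrets are checked (assumed naming convention).
    for key in sorted(k for k in conf if k.endswith("_password")):
        if conf[key].lower() in WEAK:
            findings.append("%s is a guessable value" % key)
        elif len(conf[key]) < MIN_LEN:
            findings.append("%s is shorter than %d characters" % (key, MIN_LEN))
    return findings


def demo(mode=0o644):
    """Write SAMPLE to a temp file with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "tower_setup_conf.yml")
        with open(path, "w") as fh:
            fh.write(SAMPLE)
        os.chmod(path, mode)
        return audit_conf(path)
```

Run audit_conf against the real file from the directory where configure wrote it; an empty list means no findings under these checks.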

8.8. The Setup Playbook

The Tower setup playbook is invoked as setup.sh from the path where you unpacked the Tower installer tarball. It uses the tower_setup_conf.yml and inventory files written by the Tower Installation Wizard. The setup script takes the following arguments:

  • -h, --help Displays a brief usage summary.
  • -c FILE Use the specified FILE as the Tower configuration file rather than tower_setup_conf.yml in the current directory.
  • -i FILE Use the specified FILE as the inventory for the setup playbook rather than inventory in the current directory.
  • -p Set ansible to prompt for an SSH password when connecting to remote machines.
  • -s Set ansible to prompt for a sudo password on remote machines when installing Tower.
  • -u Set ansible to prompt for a su password on remote machines when installing Tower.
  • -e Set additional ansible variables for the playbook to use either in key=value or YAML/JSON form. This should not be needed in normal operation.
  • -b Perform a database backup in lieu of installing.
  • -r BACKUP_FILE Perform a database restore in lieu of installing.

Depending on the configuration you entered when running the Tower Installation Wizard, it may have prompted you to run the setup playbook with some combination of -p, -s, or -u.

After calling setup.sh with the appropriate parameters, Tower is installed on the appropriate machines as configured.

Once installed, if you log into the Tower instance via SSH, the default admin password is provided in the prompt. You can then change it with the following command (as root or as AWX user):

tower-manage changepassword admin

After that, the password you have entered will work as the admin password in the web UI.