2. Release Notes
The following list summarizes the additions, changes, and modifications which were made to Ansible Tower 3.2.8.
3. Ansible Tower Version 3.2.8
- Fixed using `include_vars` with vaulted variables to properly handle `AnsibleVaultEncryptedUnicode` objects in the callback receiver
4. Ansible Tower Version 3.2.7
- Fixed Smart Inventory filters to no longer filter by the content of sensitive fields
5. Ansible Tower Version 3.2.6
- Fixed Tower callback plugin handling of `v2_playbook_on_notify` events
- Fixed potential information leakage via websocket
- Fixed a CSRF vulnerability in Tower (CVE-2018-10884)
- Fixed editing a job template to no longer overwrite API-only settings
- Fixed certain cluster topologies to no longer cause duplicate project updates
- Fixed unauthorized credentials to no longer be associated with projects and inventory sources
- Updated oVirt client libraries to work with Ansible 2.5 or later
6. Ansible Tower Version 3.2.5
- Fixed a RabbitMQ configuration issue that would affect cluster recovery on network interruptions
7. Ansible Tower Version 3.2.4
- Added `UI_LIVE_UPDATES_ENABLED` setting for disabling websocket updates outside of job output
- Fixed organization admins to no longer be able to modify users by adding them to their organization (CVE-2018-1101)
- Fixed Tower to disable usage of Jinja templates in launch-time variables for security reasons (CVE-2018-1104). This release introduces the `ALLOW_JINJA_IN_EXTRA_VARS` configuration parameter for Tower. This parameter has three values: `template` to allow usage of Jinja saved directly on a job template definition (the default), `never` to disable all Jinja usage (recommended), and `always` to always allow Jinja (strongly discouraged, but an option for prior compatibility). Note that the `always` option is deprecated, and will be removed in a future Tower release.
- Fixed sanitization of module arguments with implicit `no_log`
- Fixed Smart Inventories to no longer run on hosts marked as disabled
- Fixed Fact Caching documentation to no longer refer to memcached
- Updated bundled python-saml for CVE-2017-11427
- Updated memcached to now listen on a local Unix socket instead of a TCP socket
8. Ansible Tower Version 3.2.3
- Added deprecation warning when installing on certain older operating systems, such as Ubuntu 14.04, which will be removed in a future release
- Fixed Inventory Updates to properly save `group_vars` inside of Tower group variables when used with Ansible 2.5 or later
- Fixed certain Inventory Updates to no longer fail when running against isolated nodes
- Fixed the ability to customize `ANSIBLE_LIBRARY` when Job Template fact caching is enabled
- Fixed fact cache data to no longer prematurely expire for Job Templates with large amounts of fact data
- Fixed isolated job runs to no longer fail when the playbook contained certain Unicode characters
- Fixed the installer to use the correct package version when running isolated Tower nodes
- Fixed Slack notification issues
- Fixed workflow artifacts to no longer periodically go missing in subsequent workflow nodes
- Fixed the Tower web interface to support large numbers of custom Credential Types
- Fixed the “Test” button when configuring UDP-based external logging
- Fixed the database restoration process that affected users with embedded PostgreSQL databases
- Fixed a few XSS vulnerabilities in the Tower web interface
- Fixed the ability to provide the admin password in the MOTD file for the Vagrant and AMI images
9. Ansible Tower Version 3.2.2
- Added support for Ansible Tower and Red Hat Virtualization credentials
- Added dynamic inventory scripts for Ansible Tower and Red Hat Virtualization
- Added `awx_*` extra variables to job runs in addition to `tower_*`
- Added a setting for maximum user interface job events to show to Tower configuration
- Added support for setting the Azure Cloud Environment in Azure credentials
- Added retry for cleaning up job artifacts from isolated nodes
- Added python-crypto requirement to RPM packaging for GCE inventory script
- Added rsync requirement to RPM packaging for isolated nodes
- Added error handling in installation for PostgreSQL 9.4 to 9.6 migration failures
- Removed unused CALLBACK_CONNECTION, CALLBACK_QUEUE, and JOB_CALLBACK_DEBUG environment variables from the job environment
- Fixed multiple issues where survey passwords were not properly encrypted in the database
- Fixed an issue where cleanup jobs could run slowly and exhaust system memory when large job output was present
- Fixed an issue where cleanup jobs could fail due to a race condition
- Fixed an issue where use of remove: True and remove_users: True in LDAP configuration would cause an excessive number of activity stream entries
- Fixed an issue where the GCE inventory script would erroneously cache information
- Fixed an issue when using Ipsilon as a SAML IdP
- Fixed an issue when using SAML authentication behind a load-balancer
- Fixed an issue where ‘+’ in a search string was not handled properly
- Fixed an issue where non-alphanumeric characters were stripped from SAML usernames
- Fixed an issue where credential_type information appeared in `api/v1` output
- Fixed a styling issue for Host Config Key in the Job Template display
- Fixed an issue where it was impossible to remove an organization from a credential
- Fixed an issue where `overwrite_vars` on an inventory source would overwrite inventory top-level variables
- Fixed an issue where some credential kinds were not properly shown in the user interface
- Fixed calculation of isolated instance capacity
- Fixed an issue where the ‘Workflow Editor’ and ‘Survey Editor’ buttons were incorrectly shown in some states
- Fixed navigation to additional pages of hosts in the Smart Inventory view
- Fixed an issue where CloudForms inventory would not work with process isolation
- Fixed an issue where job output would not properly word wrap
- Fixed a migration issue with Unicode inventory source names
- Fixed an issue when launching an ad-hoc command with forbidden extra variables
- Fixed an issue with symlinked manual projects when used with process isolation
- Fixed an issue where some host_filter queries could not be removed
- Fixed an issue where non-ASCII characters could not be used in an LDAP bind DN
- Fixed sizing of the ad-hoc command launch dialog
- Fixed an issue where https://github.com/ansible/ansible/issues/30064 would prevent project sync
- Fixed an issue where a Smart Inventory host_filter query would be improperly encoded when saved
- Fixed month name on dashboard chart
- Fixed scheduling error when browser is in UTC timezone
- Fixed autocompletion of SCM inventory file dropdown
- Fixed modal state handling when a modal dialog was closed by clicking outside of it
- Fixed assorted migration errors on upgrade
- Fixed a user interface error when rapidly deleting inventory groups
- Fixed an issue where the system auditor would get a 404 error when viewing job results
- Fixed assorted issues when cascading job cancellation to dependent jobs
- Fixed opacity of disabled ‘Run Commands’ and ‘Smart Inventory’ buttons
- Fixed ‘total_hosts’ field of Smart Inventories
- Fixed virtualenv paths in sosreport plugins
- Fixed installation with Ansible 2.2
- Fixed ownership on ha.py on installation
- Fixed django superuser check in installation
- Fixed setting of custom RabbitMQ AMQP ports during installation
- Fixed an issue where LDAP authentication could time out or cause a Tower error
- Improved callback worker’s ability to deal with idle or disconnected database connections
- Improved activity stream output for Tower configuration changes
- Improved deletion of inventory sources to properly delete imported hosts and groups
- Improved various error messages
- Improved initial zoom setting of workflow view
- Improved inline help popovers for credential types
- Improved configuration for SSH key handling for isolated nodes. This is now configurable during setup
- Improved preflight checks for cluster installation
- Improved backup/restore playbooks to be cluster-aware
- Improved error handling in backup/restore playbooks
- Updated translations for Dutch, French, Japanese, and Spanish
10. Ansible Tower Version 3.2.1
- Added support to enforce Tower software version consistency across clustered environments
- Fixed an issue where, when using Tower 3.2.0 + Ansible 2.4.0, creating a Job Template that used an inventory with fact caching enabled could cause the job to run against a host which should have been removed
- Fixed a problem where ad-hoc permissions could be used to run commands against the Tower server
- Fixed an issue where the migration of scan jobs failed due to an organization having a Unicode character in the name
- Fixed an issue where database migrations failed for upgrades
11. Ansible Tower Version 3.2.0
- Removed system tracking data (historical facts) feature starting with Ansible Tower 3.2. However, you can collect facts by using the fact caching feature. Refer to Fact Caching for more detail.
- Removed system tracking views in favor of directly viewing facts on hosts. Comparisons are best done with external data analytics systems.
- Removed Rackspace as a supported inventory source type and credential type.
- Removed the storing of `ansible_env` in job event data.
- Removed Job launching capability from `/api/v2/jobs`. Job template launching and job relaunching are the only supported launch options.
- Deprecated the `group` field for InventorySource, which has been renamed to `deprecated_group` and will be removed from InventorySource completely in Tower 3.3. As a result, the related field on Group, `inventory_source`, has been renamed `deprecated_inventory_source` and will also be removed in Ansible Tower 3.3.
- Deprecated requirement that inventory sources be associated with a group.
- Deprecated the `/api/v1` hierarchy with the introduction of `/api/v2`. `/api/v1` will be removed in a future Ansible Tower release to be determined.
- Deprecated the `/api/v2/authtoken` endpoint, which will be removed in Ansible Tower 3.3.
- Updated the job environment variables for AWS credentials. Refer to Amazon Web Services section of the Ansible Tower User Guide for new variable names.
- Added support for connecting to external log aggregators via direct TCP and UDP connections.
- Added the ability to test logging configurations through the Configure Tower UI.
- Updated the Ansible Tower REST API to version 2, which includes added endpoints: `instances`, `instance_groups`, `credential_types`, and `inventory_sources`.
- Added ability to create inventory sources and create Smart Inventories.
- Added the ability to access Tower resources via resource-specific human-readable identifiers.
- Added the ability to create and modify credential types.
- Added ability to create and modify instance groups and isolated nodes.
- Added the ability to enable and disable SSL certification verification through the Configure Tower UI. You no longer have to manually set an environment variable in your local `settings.py` file to achieve this.
- Updated upstream Azure libraries; users who use Ansible Tower with Azure are now required to use Ansible 2.4 or later.
- Fixed an outstanding issue regarding variable precedence so that the variable value is derived from the survey (survey variables take precedence over Job Template variables).
- Added Insights project remediation, which allows you to run the Insights maintenance plan associated with an inventory.
- Added a new API endpoint, `/api/v2/settings/logging/test/`, for testing external log aggregator connectivity.
- Updated passing `-e create_preload_data=False` to skip creating default organization/project/inventory/credential/job_template during Tower installation.
- Added support for sourcing inventory from a file inside of a source control project.
- Added support for custom cloud and network credential types, which give you the ability to modify environment variables, extra vars, and generate file-based credentials (such as file-based certificates or .ini files) at `ansible-playbook` runtime.
- Added support for assigning multiple cloud and network credential types on job templates. Job templates can now prompt for “extra credentials” at launch time in the same manner as promptable machine credentials.
- Updated custom inventory sources to now specify a `Credential`; you can store third-party credentials encrypted within Tower and use their values from within your custom inventory script (for example, by reading an environment variable or a file’s contents).
- Added support for configuring groups of instance nodes to run Tower jobs. Instance groups can be assigned to an organization, inventory, or job template.
- Fixed an issue installing Tower on multiple nodes where cluster internal node references are used.
- Updated Tower to now use a modified version of [Fernet](https://github.com/fernet/spec/blob/master/Spec.md) for encrypting sensitive fields such as credentials. Our Fernet256 class uses AES-256-CBC instead of AES-128-CBC for all encrypted fields.
- Added the ability to set custom environment variables globally for all playbook runs, inventory updates, project updates, and notification sending, via AWX_TASK_ENV configuration setting.
- Added `--diff` mode to Job Templates and Ad-Hoc Commands. The diff can be found in the standard out when diff mode is enabled.
- Added support for accessing some Tower resources via their name-related unique identifiers apart from primary keys.
- Added support for authentication to Tower via TACACS+.
- Updated names of tower-manage commands `register_instance` -> `provision_instance`, `deprovision_node` -> `deprovision_instance`, and `instance_group_remove` -> `remove_from_queue`, with backward compatibility support for 3.1 command names.
- Improved handling of workflow logic errors.
- Updated Azure bindings, and therefore, removed support for the old Azure classic modules.
- Fixed system auditor permissions.
- Updated Tower to explicitly prevent non-JSON bodies from being accepted in the API.
- Improved handling of default values in Tower Configuration.
- Improved handling of sensitive environment variables in job details.
- Added the ability to set the system auditor with `AUTH_LDAP_USER_FLAGS_BY_GROUP`.
- Fixed some minor UTF-8 handling issues.
- Fixed the system to no longer allow using password fields with the `order_by` query parameter in the API.
- Improved censoring of Ansible `no_log` in job output.
- Fixed handling project repository URLs with spaces and special characters.
- Improved explanation when canceling jobs that are dependencies of other jobs.
- Updated the `ansible-playbook` parameters to pass through the `setup.sh` script.
- Added translations for Dutch; updated translations for Japanese, French, and Spanish.
- Improved ability to update org admin/member roles on the user detail page.
- Added force shutdown of cluster nodes that are not at the same version as the rest of the cluster.
- Added configuration options in Tower Configuration UI.
- Updated Postgres to 9.6.
- Updated Tower by separating Vault credentials from machine credentials.
- Added more prompting options to job templates.
- Added the ability to prevent IDP user from assuming a local admin role.
- Improved the display of SCM revision hashes by abbreviating them, and added ability to easily copy revision to clipboard.
- Fixed a potential issue showing encrypted values in the activity stream instead of obfuscation characters.
- Added the ability to set an enabled/disabled flag on all supported cloud inventory sources.
- Added support for VMware `host_filters` and `groupby_patterns`.
- Fixed an issue where Tower wouldn’t redirect the user to the right URL after clicking a link and logging in.
- Fixed Tower to preserve `stderr` from custom inventory scripts.
- Updated Tower to now act as a fact cache source for jobs.
- Improved handling of related resources when inventories are deleted.
- Added the ability to show an indicator during background inventory delete.
- Updated supported cloud regions for some inventories.
- Improved SAML configurations.
- Improved LDAP settings validation.
- Added support for providing SSL cert for log aggregator service.
- Added the ability to set proxy IP whitelists for trusted vs. untrusted load balancers.
- Improved the efficiency in generating entries in the activity stream.
- Added support for upgrading Ansible during setup playbook run (`-e upgrade_ansible_with_tower=1`).
- Fixed downloading ad-hoc command stdout.
- Fixed job launch dependency handling.
- Fixed some XSS vulnerabilities.
- Added runas privilege escalation support.
- Improved handling of instance capacity calculation.
- Fixed SSL certificate handling for LDAP.
- Updated the Job detail event modals to now be resizeable.
- Improved YAML/JSON editor views.
- Improved job list performance.
For older versions of the release notes, as well as other reference materials, refer to the Ansible Tower Release Notes.