MANAGE_ORGANIZATION_AUTH
settings to allow superusers to make changesGCE_PEM_FILE_PATH
to GCE_CREDENTIALS_FILE_PATH
in accordance with recent Ansible versionsinclude_vars
ansible_host
is usedextra_vars
for scheduled jobs/api/v2/authtoken
compatibility shim. See the compatibility shim for detail.member_attr
to properly set on some LDAP configurations during upgrade, preventing loginPosixUIDGroupType
LDAP configurations/api/v1/
), which will be removed in a future release of Ansible Tower"$encrypted$"
from becoming a literal survey question defaultask_variables_on_launch
to workflow job templates (WFJT)diff_mode
and verbosity
fields to WFJT nodesextra_data
to WFJT nodes, and added “schedule this job” endpoint.awx-manage expire_sessions
script
inventory plugin for job runs and vendored inventory updatesinventory
field to inventory updatesORG_ADMINS_CAN_SEE_ALL_USERS
setting is enabledask_credential_on_launch
is set.fact_versions
and fact_view
endpoints from the API, including OPTIONSawx-manage cleanup_facts
command for fact cleanup/api/v2/authtoken/
endpoint in the API and replaced it with /api/v2/tokens/
. See the compatibility shim for detail.TOWER_HOST
as a default environment variable in job running environments. Playbook authors should replace their use with AWX_HOST
.execute_role
if another user provided promptscredential
to many-to-many credentials
admin_role
associated with usersscm_url
execution_node
in task manager and submitting waiting jobs to only the queue for the specific instance job is targeted to run onauth-token-timeout
header name to Session-Timeout
AUTH_TOKEN_EXPIRATION
setting name to change to SESSION_COOKIE_AGE
and AUTH_TOKEN_PER_USER
changed to SESSIONS_PER_USER
ANSIBLE_DISPLAY_ARGS_TO_STDOUT
to False
by default for all playbook runs to match Ansible’s default behavior. See Jobs for more information.extra_vars
and environment variables to False
when a value is not providedinclude_vars
with vaulted variables to properly handle AnsibleVaultEncryptedUnicode
objects in the callback receiverv2_playbook_on_notify
eventsUI_LIVE_UPDATES_ENABLED
setting for disabling websocket updates outside of job outputALLOW_JINJA_IN_EXTRA_VARS
configuration parameter for Tower. This parameter has three values: template
to allow usage of Jinja saved directly on a job template definition (the default), never
to disable all Jinja usage (recommended), and always
to always allow Jinja (strongly discouraged, but an option for prior compatibility). Note that the always
option is deprecated, and will be removed in a future Tower release.no_log
group_vars
inside of Tower group variables when used with Ansible 2.5 or laterANSIBLE_LIBRARY
when Job Template fact caching is enabledawx_*
extra variables to job runs in addition to tower_*
api/v1
outputoverwrite_vars
on an inventory source would overwrite inventory toplevel variablesansible_env
in job event data./api/v2/jobs
. Job template launching and job relaunching are the only support launch options.group
field for InventorySource, which has been renamed to deprecated_group
and will be removed from InventorySource completely in Tower 3.3. As a result, the related field on Group, inventory_source
has been renamed deprecated_inventory_source
and will also be removed in Ansible Tower 3.3./api/v1
heirarchy with the introduction of /api/v2
. /api/v1
will be removed in a future Ansible Tower release to be determined./api/v2/authtoken
endpoint, which will be removed in Ansible Tower 3.3.instances
, instance_groups
, credential_types
, and inventory_sources
.settings.py
file to achieve this./api/v2/settings/logging/test/
- for testing external log aggregrator connectivity.-e create_preload_data=False
to skip creating default organization/project/inventory/credential/job_template during Tower installation.ansible-playbook
runtime.Credential
; you can store third-party credentials encrypted within Tower and use their values from within your custom inventory script (for example - by reading an environment variable or a file’s contents).register_instance
-> provision_instance
, deprovision_node
-> deprovision_instance
, and instance_group_remove
-> remove_from_queue
, with backward compatibility support for 3.1 command names.AUTH_LDAP_USER_FLAGS_BY_GROUP
.order_by
query parameter in the API.no_log
in job output.ansible-playbook
parameters to pass through the setup.sh
script.host_filters
and groupby_patterns
.stderr
from custom inventory scripts.-e upgrade_ansible_with_tower=1
).
- Fixed a minor XSS vulnerability in the scheduling page
- Fixed potential information leakage via websocket
- Fixed a CSRF vulnerability in Tower (CVE-2018-10884)
- Fixed a RabbitMQ configuration issue that would affect cluster recovery on network interruptions
- Fixed organization admins to no longer be able to modify users by adding them to their organization (CVE-2018-1101)
- Fixed Tower to disable usage of Jinja templates in launch-time variables for security reasons (CVE-2018-1104). This release introduces the
ALLOW_JINJA_IN_EXTRA_VARS
configuration parameter for Tower. This parameter has three values:template
to allow usage of Jinja saved directly on a job template definition (the default),never
to disable all Jinja usage (recommended), andalways
to always allow Jinja (strongly discouraged, but an option for prior compatibility). Note that thealways
option is deprecated, and will be removed in a future Tower release.- Updated memcached to now listen on a local Unix socket instead of a TCP socket
- Fixed an issue where certain API endpoints were unreasonably slow when jobs contained large amounts of output
- Enhanced Tower to properly show stdout for ad-hoc commands run on other cluster nodes
- Fixed an issue where a user, who could modify playbooks, could potentially compromise Tower via an injection of git hooks in SCM repositories (CVE-2017-12148)
- Fixed an issue where a specially crafted ad-hoc command could compromise Tower (CVE-2017-12148)
- Upgraded the available and bundled versions of RabbitMQ to 3.6.9, which addresses various RabbitMQ CVEs (CVE-2017-4965, CVE-2017-4966, CVE-2017-4967)
- Added the ability to customize the log format and the
job_events
payload will mirror the API structure with minor differences when upgrading from version 3.1.3 to 3.1.4.- Added the ability to configure known proxies in order to allow certain load balancers and hosts when setting up proxy server support.
- Added Spanish translations for Ansible Tower
- Fixed a problem where survey password defaults of a certain length could prevent a job from launching
- Fixed truncation of long job run results causing an excessive number of blank lines
- Fixed a problem where running two different jobs in parallel from the same project could cause an error
- Fixed a problem where Splunk HTTP event collectors did not send job_event data
- Fixed a problem where email notifications could send survey password values in plain text in extra_vars
- Fixed handling of job output from certain modules
- Fixed a problem where setting “Required” for a Multiple Choice (Single Select) survey question could prevent changing the default
- Fixed a problem where provisioning callbacks configured to prompt for extra variables could return an error
- Fixed a problem where modifying team permissions when using a basic license would return an error
- Fixed a problem in LDAP configuration where adding values to the database caused users to lose permanent access to Tower
- Fixed an issue where a database restore could fail
- Fixed an issue where setup could fail if there was no firewall installed
- Fixed an issue where Insights projects could cause project syncs to fail
- Fixed an issue applying Tower configuration across cluster nodes
- Added the ability to disable SSL certificate verification for hosted Splunk logging
- Improved Ansible Tower to allow for passing extra_vars on ad_hoc commands
- Updated Ansible Tower so that it can process facts output from Ansible 2.3
- Added subpackaging for sever, UI, and setup packages
- Added support for Red Hat Insights project type
- Added support for explicitly specifying the host descriptor used for RabbitMQ config via rabbitmq_host
- Adjusted search on the Job Details screen to match the behavior across Tower
- Adjusted Tower logging to log asynchronously
- Fixed various and minor UI bugs
- Fixed a callback bug which was causing a task_args leak between job events
- Fixed an issue where jobs were not able to be sorted by descending ID
- Fixed an issue where, when working with Splunk, the log aggregator type shows as Logstash instead of Splunk
- Fixed an issue where, when a user has two groups in an inventory (one using a VMware script and one using a custom script), clicking sync on the custom script group caused the sync icon to link to the wrong inventory sync
- Fixed a problem where users were not able to put multi-line text in a Text Area-type field in a survey
- Fixed a problem where users who had admin access on Workflows, but were not Org level admins, could not add or remove job templates from Workflows
- Fixed a problem with job templates that include a multiple choice survey response, where, even when multiple selections are required, the job template ran with an empty array
- Fixed a problem where surveys were passing a variable as empty instead of null when they included text or a text area field that had a minimum length >0 and was not filled in
- Fixed a problem where Tower jobs hang and do not run when the Splunk server is unresponsive or unavailable
- Fixed a problem where users with admin level permissions on projects could not modify project details
- Fixed a problem in multiple choice survey inputs where, when selecing a string that had similar characters or words at the beginning or end of the string, a similar but smaller version of that string was rendered as the user’s selection (even though the correct value was still passed to extra-vars on launch)
- Fixed an issue around Git project updates failing when the username was specified
- Fixed a problem where job templates from mercurial project updates failed to run
- Fixed a problem with provisoning callbacks where they failed with ‘400’ responses when extra_vars were passed to the API through curl in the callback
- Fixed a problem where running the installer again anytime after successfully creating the rabbitmq user caused the installation program to fail
- Fixed an issue where Windows package scan jobs fail when targetting a Windows 2012R2 host
- Fixed an issue where users with admin access to Workflow Templates could not modify the workflow
- Fixed an issue where a warning was incorrectly displayed for the output of a cancelled job
- Fixed an issue where Mercurial project revisions were not read correctly for Projects
- Fixed an issue where Tower upgrades would fail when applying rabbitmq_user in a cluster
- Fixed an issue where certain characters in a Project SCM URL would cause updates to fail
- Improved custom inventory scripts support by ensuring that newlines added to the script are not trimmed
- Relaxed the SELinux policy dependency to allow Tower to be installed on older Enterprise Linux 7 releases
- Updated Ansible Tower so that the host config key is marked as required when provisioning callbacks are selected
- Updated Ansible Tower so that PostgreSQL Server is no longer installed on Tower nodes not hosting the database
- Updated Ansible Tower so that Tower shows extra_vars for ad-hoc commands in the UI
- Added a preflight check for password and pre-3.1.0 active/passive (HA) inventory setups prior to installation
- Fixed a problem where, while running a clustered Tower deployment configuration, there were some instances where realtime job event data did not flow through the channel layer
- Fixed a problem with searching where an invalid search term was entered and the error dialog continued to persist
- Fixed a problem with Slack notifications where they were not emitted if only ‘Failure’ was selected
- Fixed a problem where logging out via Tower logout button caused subsequent login attempts to fail
- Fixed an issue where, when logging was enabled, a missing logging UUID setting would cause a startup error, making the system unresponsive
- Added support for configuring most aspects of Ansible Tower directly from the Tower user interface (and Tower API), rather than editing Tower configuration files
- Added support for “Scale-Out” Clusters, which replaces the HA/Redundancy method from prior Tower releases
- Added support for Workflows, a chain of job templates executed in order
- Added support for sending event and log messages to various logging services (Elastic, Splunk, Sumologic, Loggly, generic REST endpoint)
- Added support for a new Tower Search feature which supports GitHub-style “key:value” searching
- Added support for Ubuntu 16.04
- Added support for a New Project Sync Architecture, where projects are now checked out at job runtime
- Added support for setting timeouts on job runs
- Added support for internationalization and localization (French and Japanese)
- Added support for multi-playbook Workflows
- Added
/api/v1/settings
for Tower managed settings. This corresponds to the in-Tower configuration UI- Added support for windows scan jobs
- Added support so that the SCM Revision used is now stored on Job
- Added support for API endpoints to now show
__search
filter fields for broader searching of objects- Added support so that system jobs are now shown in
/api/v1/unified_jobs
- Added support for the new Ansible vmware_inventory script
- Added support for Job stdout downloads, which may generate and cache on the fly
- Added support for
/api/v1/inventory_updates
and/api/v1/project_updates
to view those specific job types- Added support for user_capabilities API elements in various places to allow API consumers to know if their user can perform the referenced actions on the object
- Added support for
set_stats
for Workflow jobs to persist data between Workflow job runs, support added in ansible core also- Added support for Tower callbacks so that they can now resolve
ansible_host
as well asansible_ssh_host
- Added support for Tower callbacks so that they now filter out
ansible_
variables on POST- Added support for notifications so that they are emitted on jobs marked as failed by the dead job detector
- Added eu-west-2 and ca-central-1 to the list of supported EC2 regions
- Added support for
format=ansi_download
when downloading stdout- Deprecated support for Rackspace inventories
- Fixed an issue where manual projects could be launched/updated
- Fixed various unicode issues
- Fixed various issues dealing with self signed certificatesvalue.
- Fixed Jobs so that they now show
$encrypted
for these variables, where they previously did not- Improved performance for viewing job and job template lists
- Improved Tower virtualenv so that it is purged on upgrade
- Improved setup playbook so that it is more tolerant of various iptables/firewalld configurations
- Improved the optimization of PostgreSQL installation to improve overall performance
- Improved database migrations through consolidation to make upgrades/installs faster
- Improved hardening for web server configuration (SSL, HSTS)
- Removed zeromq as a communications channel between dependent services in favor of rabbitmq
- Removed
/api/v1/jobs/n/job_plays
and/api/v1/jobs/n/job_tasks
- Removed proot in favor of bubblewrap for process isolation
- Removed the ability to make POST requests on the
/api/v1/jobs/
endpoint- Removed has_schedules from various endpoints, as it was never populated
- Removed support for Red Hat Enterprise Linux 6/CentOS 6 and Ubuntu 12.04
- Updated surveys so that a blank value for a survey question default value now passes an empty string as a value
- Updated surveys so that previously existing surveys with blank default question values now pass empty strings as an extra variable
- Updated Websockets, moving them from socket.io to django channels and are now served under port 443/80 along with the regular web service. Port 8080 is no longer needed.
- Updated Job results so that they are now driven by job events and thus provides clickable context
- Updated Tower so that it now uses the system time zone by default
- Updated Tower requirements for Ansible–Tower now requires Ansible 2.1 or later
- Updated Ansible inventory plugins to the latest versions
- Updated Web server to NGINX from Apache
- Updated survey passwords so that they are now encrypted when stored in the database
- Updated
request_tower_configuration.sh
- Added support for new AWS regions, including an update to the boto version included with Tower
- Fixed various minor UI and API related bugs
- Fixed a regression with authentication restrictions
- Fixed an issue where restoring the database failed when using the RHEL6 bundled installation method
- Fixed an issue where, when viewing a host, “extra vars” were not initially formatted properly
- Fixed an issue where users were able to relaunch jobs they did not have permission to initially launch
- Fixed an issue where, after editing a Job Template, retrieving Job Templates failed when filtered
- Fixed an issue where Satellite 6 inventory marked all hosts as disabled
- Fixed an issue where Inventory variables were displayed incorrectly when editing hosts
- Fixed a rendering issue with the Host Event details window
- Fixed an issue where, when launching an inventory update, users were navigated away from the inventory manage view
- Fixed an issue where organization auditors could see the user permissions of other users in their organization
- Fixed an issue where canceling a Windows job in Tower left an orphaned process running on the control machine
- Fixed an issue where empty Host Variable Data produces a 500 error in the API browser after upgrading from 2.4.5
- Fixed an issue when using an Azure Service Principal in conjunction with Microsoft Azure inventory
- Fixed an issue where Inventory syncs fail against a resource group if it contains a non-standard virtual machine size when using Azure
- Fixed an issue where navigating to the admin or users from the organizations view in Tower caused 404 errors
- Fixed an issue where, when updating a Rackspace inventory, TypeError messages appeared
- Improved the run time performance for playbooks in Tower
- Improved support around how YAML is handled with Tower’s variable parser
- Improved the population of manual projects in Tower
- Improved Event Summary status badge counts
- Improved PostgreSQL configuration with regard to authentication (CVE-2016-7070)
- Updated PostgreSQL repository location for installation methods
- Added support for IAM Roles when configuring an EC2 Inventory Sync
- Added support for backing up and restoring Databases created when installing 3.0.x
- Added the display of a “working” indicator when toggling Tower components on/off
- Added the ability to toggle the view of job labels (view less/view more)
- Added the ability to add skip tags to job templates (which may also be prompted for at launch time)
- Added documentation around resetting the Tower URL provided in Notification links
- Fixed an issue where users could not remove inventory or credentials from job template
- Fixed an issue where admins were not properly allowed to copy or edit to Job Templates via the API
- Fixed an issue where Home/Host column views were not sortable
- Fixed the display of schedules to only show those with future activity
- Fixed an error where clicking to a different page number while editing a resource and making a new selections indicated an item other than the one currently selected/being edited
- Fixed an issue where relaunching a job ignored search filters
- Fixed an issue where searching for a user on an inventory permission page queried a project access list URL instead of the inventory access list URL
- Fixed an issue where pressing the Enter key (instead of clicking ‘Ok’ with your mouse) closes a pop up error message and, unexpectedly, navigates the user back to the Tower home page
- Fixed an issue where system job templates were not being included when viewing unified job template results
- Fixed an issue related to relaunching ad hoc commands
- Fixed an issue preventing projects from being deleted during an SCM update
- Fixed an issue where, when viewing the “Event Summary” field, filtering by task status summary dots returned incorrect tasks information
- Fixed an issue where selecting a host on one page, then going to the next page and selecting another host, did not save the prior selection as expected
- Fixed an issue where processing extra_vars in a survey caused errors
- Fixed an issue regarding how passwords are stored with surveys
- Fixed an issue where, when running a playbook with an ignored task, the ignored task was incorrectly marked as failing
- Fixed an issue so that Webhook notifications properly display the host summary information
- Fixed an issue where provisioning callbacks were running multiple times in a row
- Fixed various minor issues related to RBAC permissions and credentials
- Fixed various minor API bugs
- Fixed various minor UI and tooltips bugs
- Fixed an issue related to SAML logins hanging after multiple authorization attempts
- Fixed an issue where the “start date” header and schedule preview do not match what is set by the browser locale
- Fixed an issue where users could not properly edit their profile
- Fixed an issue related to backup/restoring with the setup.sh script
- Improved Tower installer compatibility with RHUI repos on RHEL non-AWS instances
- Improved upon what the auditor role can view (organization auditors can view inventory script contents in their own organizations, view notification templates in the activity stream, team credentials views)
- Improved the consistency of how scheduling is displayed within the Tower UI
- Improved how credentials are handled in that they should only be shareable when the organization field is not “null”
- Improved how teams are displayed for different organizations when viewing permissions
- Improved support for CloudForms and Red Hat Satellite 6 with Tower 3.0.x
- Reorganized activity stream views/access for organization admins and auditors
- Removed the requirement of needing a password for the network credential when using an SSH key
- Removed the requirement of needing AUTH with Email notifications using SMTP
- Added a stock schedule job for the ‘Cleanup Fact Details’ management job
- Fixed an issue with inventory syncs using Red Hat Satellite 6 credentials
- Fixed an issue which incorrectly allowed users assigned to a system auditor role to be able to escalate privileges to teams
- Fixed an issue with Webhook notifications where the content-type was being set incorrectly
- Fixed an issue where canceling a new job failed to change state from “new” to “canceled”
- Fixed an upgrade and credential migration issue which involved null inventory fields in job templates
- Fixed an upgrade and migration issue where hosts which had previously been deleted were not skipped during the upgrade process
- Fixed an upgrade and migration issue where job templates linked to deleted inventories caused migrations to fail
- Fixed an upgrade and migration issue where job templates without inventories caused migrations to fail
- Fixed an error related to the logging of RBAC migration data which caused installations to fail
- Fixed an issue related to license checks
- Fixed other various issues related to upgrading and migration
- Fixed the need for elevated permissions to make changes to job templates under some scenarios
- Fixed an issue where Organization-level admins could not edit scan jobs that were created prior to upgrading to Tower 3.0
- Fixed an issue regarding Software Collections (SCL) installation on EL6
- Fixed a problem with subsequent logins after upgrading to Tower 3.0 when using Google OAuth or SAML authentication
- Discovered an issue with MS Azure inventory imports using new-style credentials being unsupported on distributions that ship python-2.7 (e.g. not EL6)
- Updated the UI to display new jobs in the Jobs overview screen and added a cancellation method for these new jobs
Added a notifications system for Tower which supports services like Slack, HipChat, IRC, etc.
Added support for the new Azure inventory system and the latest Ansible Azure modules (legacy Azure inventory and credentials are still supported)
- Azure inventory imports using new-style credentials are only supported on distributions that ship python-2.7 (e.g. not EL6)
Added support for keystone v3 which supports the latest Openstack versions
Added counts and more detail to Organization endpoints (API)
Added prompting for Job Templates
Added labels for Job Templates
Added support for user customization as Ansible tasks now run in their own environment
Added support for new Ansible Network Credentials
Added inventory support for Red Hat Cloudforms and Red Hat Satellite 6
Added SUSE, OpenSuse, and Debian support for scan jobs
Added a link to the schedule in the job detail view if the job was started as a result of a schedule
Added survey spec management without requiring that surveys be enabled on job templates
Added additional strict extra_vars validation. extra_vars passed to the job launch API are only honored if one of the following is true:
- they correspond to variables in an enabled survey
- ask_variables_on_launch is set to True
Added a deprecation notice for Ubuntu 12 and RHEL 6
Changed how Projects are linked so that they now tie singularly to an Organization
Changed how system tracking and scan data are stored–now in postgres. MongoDB dependency removed.
Discovered an issue with ECDSA credentials–if your Tower server has a version of OpenSSH that predates 5.7, jobs will fail when launched jobs with ECDSA credentials
Fixed issues with scan jobs on RHEL5
Fixed an issue with the websocket service when Tower is run on CentOS or RHEL 7.2
Fixed issues with Ansible’s no_log causing errors or not hiding data when running jobs
Fixed the way setting a license is done so that it propagates to standby Tower nodes in an HA configuration
Fixed GCE credential handling and inventory filtering
Improved (through a complete rewrite to expand and simplify) the Role-Based Access Control system in Tower
Improved job templates so that multiple invocations of the same job template will only block if the job templates used the same inventory
Improved the setup playbook so that it now hides potentially sensitive information from stdout and the setup log
Improved the Setup process now supports installing and configuring postgres on a remote system
Removed MongoDB and changed view queries to use a Postgres implementation
Removed soft-deletes: Tower now permanently deletes removed objects and the utilities to manage the cleanup of those soft-deleted objects have been removed
Removed Munin monitoring
Updated the look and feel of the entire Tower UI for a more approachable and intuitive user experience
Updated and simplifed the Tower setup process so that new Tower installs are now preloaded with Organization, Inventory, Project, and Job Template demo data
Updated the setup process to support installing and configuring Postgres on a remote system
Updated dependencies
Updated Red Hat Enterprise Linux 6/CentOS 6 to use python 2.7 (for Tower only)
Updated the minimum open file descriptor check and configuration by raising it from 1024 to 4096
yum
module on ansible-1.9.4 (or newer)v2_runner_item_on_*
)Note
Ansible 2.0 OpenStack modules will not work on Red Hat Enterprise Linux 6 or CentOS 6.
Caution
If Ansible’s Customer Support recommended that you disable PRoot to solve the failing jobs problem (setting AWX_PROOT_ENABLED=False
), consult with Support to determine if re-enabling PRoot is appropriate for your particular use case.
extra_vars
attached to Job Template records is preserved. Previously, YAML would be converted to JSON and returned as JSON. In 2.2.0 and newer, YAML is returned as YAML with formatting and comments preserved, and JSON is returned as JSON.https://<Tower server name>/portal/
group\_vars/all
of setup playbook
- Groups UI under inventory tab is now paginated
- Updated UI options for moving and copying groups (and host contents)
- The jobs page has been overhauled to show completed, active, queued, and scheduled jobs.
- Inventory and project synchronization jobs are now also shown on the jobs page.