3. Installation Notes

  • If you need to go through an HTTP proxy to install software from your OS vendor, ensure that the environment variable “HTTP_PROXY” is set accordingly before running setup.sh.

  • The Tower installer creates a self-signed SSL certificate and keyfile at /etc/tower/tower.cert and /etc/tower/tower.key for HTTPS communication. These can be replaced after install with your own custom SSL certificates if you desire, but the filenames are required to be the same.

  • If using Ansible version 1.8 or later, ensure that fact caching using Redis is not enabled in ansible.cfg on the Tower machine.

  • Note that the Tower installation must be run from an internet connected machine that can install software from trusted 3rd-party places such as Ansible’s software repository, and your OS vendor’s software repositories. In some cases, access to the Python Package Index (PyPI) is necessary as well. If you need to be able to install in a disconnected environment and the bundled installation program is not a solution for you (refer to Using the Bundled Tower Installation Program), please contact Ansible via the Red Hat Customer portal at https://access.redhat.com/.

  • If installing Tower on OpenShift, refer to OpenShift Deployment and Configuration.

3.1. Installing Tower on Systems with FIPS Mode Enabled

Tower can run on systems where FIPS mode is enabled, though there are a few limitations to keep in mind:

  • Only Enterprise Linux 7+ is supported. The standard python that ships with RHEL must be used for Ansible Tower to work in FIPS mode. Using any non-standard, non-system python for Tower is therefore unsupported.

  • By default, Tower configures PostgreSQL using password-based authentication, and this process relies on the usage of md5 when CREATE USER is run at install time. If you intend to run the Tower installer from a FIPS-enabled system, you’ll need to pre-compute an md5 hash yourself at install time and add its value to the inventory file described in Setting up the Inventory File.

    Specifically, you must pre-compute the hashed value on a system without FIPS enabled:

    $ python -c 'from hashlib import md5; print("md5" + md5(("choose-a-password" + "awx").encode()).hexdigest())'
    md57d08dde7e95e862eaadfff09565e92e6


    …and specify both pg_password and pg_hashed_password in your inventory file:

    pg_password='choose-a-password'
    pg_hashed_password='md57d08dde7e95e862eaadfff09565e92e6'
    

    The “awx” appended to the password is the Postgres username. If you use a different username, append that username instead of “awx”.
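    The same pre-computation as a small script, added here as an example (not part of the Tower installer or the original notes): it builds the PostgreSQL md5 password hash for any username, emits the two inventory lines, and fails with a clear message when md5 is disabled because the host itself is in FIPS mode. It assumes Python 3; the sample password is a constructed value.

```python
import hashlib


def pg_md5_password(password, username):
    """Return the PostgreSQL md5 password hash used by CREATE USER.

    PostgreSQL's scheme is: "md5" + hex(md5(password + username)).
    """
    try:
        digest = hashlib.md5((password + username).encode("utf-8"))
    except ValueError as exc:
        # On a FIPS-enforcing host hashlib.md5() raises ValueError, so the
        # hash has to be computed on a non-FIPS machine instead.
        raise RuntimeError(
            "md5 is unavailable on this host (FIPS mode?); "
            "run this on a system without FIPS enabled"
        ) from exc
    return "md5" + digest.hexdigest()


def inventory_lines(password, username="awx"):
    """Return the pg_password / pg_hashed_password lines for the inventory file.

    The password is written verbatim between single quotes, exactly as the
    installation notes show it.
    """
    return [
        "pg_password='%s'" % password,
        "pg_hashed_password='%s'" % pg_md5_password(password, username),
    ]


if __name__ == "__main__":
    # Constructed sample values; replace with your own password and the
    # Postgres username you actually use.
    for line in inventory_lines("choose-a-password", "awx"):
        print(line)
```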

  • The ssh-keygen command generates keys in a format (RFC4716) which uses the md5 digest algorithm at some point in the process (as part of a transformation performed on the input passphrase). On a FIPS-enforcing system, md5 is completely disabled, so these types of encrypted SSH keys (RFC4716 private keys protected by a passphrase) will not be usable. When FIPS mode is enabled, any encrypted SSH key you import into Ansible Tower must be a PKCS8-formatted key. Existing AES128 keys can be converted to PKCS8 by running the following openssl command:

    $ openssl pkcs8 -topk8 -v2 aes128 -in <INPUT_KEY> -out <NEW_OUTPUT_KEY>
    
  • Use of Ansible features that use the paramiko library will not be FIPS compliant. This includes setting ansible_connection=paramiko as a transport and using network modules that utilize the ncclient NETCONF library.

  • The TACACS+ protocol uses md5 to obfuscate the content of authorization packets; TACACS+ Authentication is not supported for systems where FIPS mode is enabled.

  • The RADIUS protocol uses md5 to encrypt passwords in Access-Request queries; RADIUS Authentication is not supported for systems where FIPS mode is enabled.

3.2. Notes for Red Hat Enterprise Linux and CentOS setups

  • PackageKit can frequently interfere with the installation/update mechanism. Consider disabling or removing PackageKit if installed prior to running the setup process.

  • Only the “targeted” SELinux policy is supported. The targeted policy can be set to disabled, permissive, or enforcing.

  • When performing a bundled install (refer to Using the Bundled Tower Installation Program for more information), Red Hat Enterprise Linux customers must enable the following repositories which are disabled by default:

    • Red Hat Enterprise Linux 7 users must enable the extras repositories.

3.3. Configuration and Installation of Ansible with Red Hat Enterprise Linux and CentOS

The following steps help you configure access to the repository as well as install Ansible on older versions of Tower.

3.3.1. Configure Repository Access

Configure the EPEL repository and any others needed.

As the root user, for Red Hat Enterprise Linux 7 and CentOS 7:

root@localhost:~$ yum install http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

Note

  • You may also need to enable the extras repository specific to your environment:

    • extras on CentOS 7

    • rhel-7-server-extras-rpms on Red Hat Enterprise Linux 7

    • rhui-REGION-rhel-server-extras when running in EC2.

  • When using the official Red Hat Enterprise Linux 7 marketplace AMI, ensure that the latest rh-amazon-rhui-client package that allows enabling the optional repository (named rhui-REGION-rhel-server-optional in EC2) is installed.

3.3.2. Install Ansible

Note

Tower is installed using Ansible playbooks; therefore, Ansible is required to complete the installation of Tower.

Beginning with Ansible Tower version 2.3.0, Ansible is installed automatically during the setup process.

If you are using an older version of Tower, prior to version 2.3.0, Ansible can be installed as detailed in the Ansible documentation at: http://docs.ansible.com/intro_installation.html

For convenience, those installation instructions are summarized below.

root@localhost:~$ yum install ansible

3.4. Configuration and Installation of Ansible with Ubuntu

The following steps help you configure access to the repository as well as install Ansible on older versions of Tower.

3.4.1. Configure Repository Access

As the root user, configure Ansible PPA:

root@localhost:~$ apt-get install software-properties-common
root@localhost:~$ apt-add-repository ppa:ansible/ansible

3.4.2. Install Ansible

Note

Tower is installed using Ansible playbooks; therefore, Ansible is required to complete the installation of Tower.

Beginning with Ansible Tower version 2.3.0, Ansible is installed automatically during the setup process.

If you are using an older version of Tower, prior to version 2.3.0, Ansible can be installed as detailed in the Ansible documentation at: http://docs.ansible.com/intro_installation.html

For convenience, those installation instructions are summarized below.

root@localhost:~$ apt-get update
root@localhost:~$ apt-get install ansible

3.5. Configuration and Installation on OpenShift

For OpenShift-based deployments, refer to OpenShift Deployment and Configuration.