A Project is a logical collection of Ansible playbooks, represented in Tower.
You can manage playbooks and playbook directories by either placing them manually under the Project Base Path on your Tower server, or by placing your playbooks into a source code management (SCM) system supported by Tower, including Git, Subversion, Mercurial, and Red Hat Insights. To create a Red Hat Insights project, refer to Setting up an Insights Project.
Note
By default, the Project Base Path is /var/lib/awx/projects
, but this may have been modified by the Tower administrator. It is configured in /etc/tower/conf.d/custom.py
. Use caution when editing this file, as incorrect settings can disable your installation.
This menu displays the list of the projects that are currently available. The default view is collapsed (Compact) with project name and its status, but you can expand to see more information. You can sort this list by various criteria, and perform a search to filter the projects of interest.
For each project listed, you can get the latest SCM revision (), copy the project attributes (), or delete () the project, using the respective icons next to each project. Starting with Ansible Tower 3.7, projects are allowed to be updated while a related job is running. In cases where you have a big project (around 10 GB), disk space on /tmp
may be an issue.
Status indicates the state of the project and may be one of the following (note that you can also filter your view by specific status types):
Pending - The source control update has been created, but not queued or started yet. Any job (not just source control updates) will stay in pending until it’s actually ready to be run by the system. Reasons for it not being ready because it has dependencies that are currently running so it has to wait until they are done, or there is not enough capacity to run in the locations it is configured to.
Waiting - The source control update is in the queue waiting to be executed.
Running - The source control update is currently in progress.
Successful - The last source control update for this project succeeded.
Failed - The last source control update for this project failed.
Error - The last source control update job failed to run at all. (To be deprecated.)
Canceled - The last source control update for the project was canceled.
Never updated - The project is configured for source control, but has never been updated.
OK - The project is not configured for source control, and is correctly in place. (To be deprecated.)
Missing - Projects are absent from the project base path of /var/lib/awx/projects
(applicable for manual or source control managed projects).
Note
Projects of credential type Manual cannot update or schedule source control-based actions without being reconfigured as an SCM type credential.
Note
If deleting items that are used by other work items, a message opens listing the items are affected by the deletion and prompts you to confirm the deletion. Some screens will contain items that are invalid or previously deleted, so they will fail to run. Below is an example of such a message:
To create a new project:
Click the button, which launches the Create Project window.
Enter the appropriate details into the following required fields:
Name
Description (optional)
Organization - A project must have at least one organization. Pick one organization now to create the project, and then after the project is created you can add additional organizations.
Ansible Environment (optional) - Select from the drop-down menu list a custom virtual environment on which to run this project. This field is only present if custom environments were previously created. See Using virtualenv with Ansible Tower in the Ansible Tower Upgrade and Migration Guide.
SCM Type - Select from the drop-down menu list an SCM type associated with this project. The options in the subsequent section become available depend on the type you choose. Refer to Manage playbooks manually and Manage playbooks using Source Control in the subsequent sections for more detail.
Note
If adding a manual project, each project path inside of the project root folder can only be assigned to one project. If you receive the following message, ensure that you have not already assigned the project path to an existing project:
All of the project paths have been assigned to existing projects, or there are no directories found in the base path.
You will need to add a project path before creating a new project.
Click Save when done.
Create one or more directories to store playbooks under the Project Base Path (for example, /var/lib/awx/projects/)
Create or copy playbook files into the playbook directory.
Ensure that the playbook directory and files are owned by the same UNIX user and group that the Tower service runs as.
Ensure that the permissions are appropriate for the playbook directories and files.
If you have trouble adding a project path, check the permissions and SELinux context settings for the project directory and files.
Warning
If you have not added any Ansible playbook directories to the base project path, you will receive the following message from Tower:
Correct this issue by creating the appropriate playbook directories and checking out playbooks from your SCM or otherwise copying playbooks into the appropriate playbook directories.
To configure playbooks to use source control, in the Project Details tab:
Select the appropriate option from the SCM Type drop-down menu list.
Enter the appropriate details into the following fields:
SCM URL - See an example in the help text.
SCM Branch/Tag/Commit - Optionally enter the SCM branch, tags, commit hashes, arbitrary refs, or revision number (if applicable) from the source control (Git, Subversion, or Mercurial) to checkout. Some commit hashes and refs may not be available unless you also provide a custom refspec in the next field.
SCM Refspec - This field is an option specific to git source control and only advanced users familiar and comfortable with git should specify which references to download from the remote repository. For more detail, see job branch overriding.
SCM Credential - If authentication is required, select the appropriate SCM credential
SCM Update Options:
Clean - Removes any local modifications prior to performing an update.
Delete on Update - Deletes the local repository in its entirety prior to performing an update. Depending on the size of the repository this may significantly increase the amount of time required to complete an update.
Update Revision on Launch - Updates the revision of the project to the current revision in the remote source control, as well as cache the roles directory from Galaxy or Collections. Tower ensures that the local revision matches and that the roles and collections are up-to-date with the last update. Also, to avoid job overflows if jobs are spawned faster than the project can sync, selecting this allows you to configure a Cache Timeout to cache prior project syncs for a certain number of seconds.
Allow Branch Override - Allows a job template that uses this project to launch with a specified SCM branch or revision other than that of the project’s. For more detail, see job branch overriding.
Click Save to save your project.
Tip
Using a GitHub link offers an easy way to use a playbook. To help get you started, use the
helloworld.yml
file available at: https://github.com/ansible/tower-example.gitThis link offers a very similar playbook to the one created manually in the instructions found in the Ansible Tower Quick Start Guide. Using it will not alter or harm your system in anyway.
Update an existing SCM-based project by selecting the project and clicking the button.
Note
Please note that immediately after adding a project setup to use source control, a “Sync” starts that fetches the project details from the configured source control.
Click on the dot under Status (far left, beside the name of the Project) to get further details about the update process.
The set of Permissions assigned to this project (role-based access controls) that provide the ability to read, modify, and administer projects, inventories, job templates, and other Tower elements are Privileges.
You can access the project permissions via the Permissions tab next to the Details tab. This screen displays a list of users that currently have permissions to this project. The list may be sorted and searched by User, Role, or Team Role.
The Permissions tab allows you to review, grant, edit, and remove associated permissions for users as well as team members. To assign permissions to a particular user for this resource:
Click the Permissions tab.
Click the button to open the Add Users/Teams window.
Specify the users or teams that will have access then assign them specific roles:
Click to select one or multiple check boxes beside the name(s) of the user(s) or team(s) to select them.
Note
You can select multiple users and teams at the same time by navigating between the Users and Teams tabs without saving.
After selections are made, the window expands to allow you to select a role from the drop-down menu list for each user or team you chose.
The example above shows options associated with inventories. Different resources have different options available:
Admin allows read, run, and edit privileges (applies to all resources)
Use allows use of a resource in a job template (applies all resources except job templates)
Update allows updating of project via the SCM Update (applies to projects and inventories)
Ad Hoc allows use of Ad Hoc commands (applies to inventories)
Execute allows launching of a job template (applies to job templates)
Read allows view-only access (applies to all resources)
Tip
Use the Key button in the roles selection pane to display a description of each of the roles. For more information, refer to the Roles section of this guide.
Select the role to apply to the selected user or team.
Note
You can assign roles to multiple users and teams by navigating between the Users and Teams tabs without saving.
Review your role assignments for each user and team.
Click Save when done, and the Add Users/Teams window closes to display the updated roles assigned for each user and team.
To remove Permissions for a particular user, click the Disassociate (x) button next to its resource.
This launches a confirmation dialog, asking you to confirm the disassociation.
Clicking the Notifications tab allows you to review any notification integrations you have setup.
Use the toggles to enable or disable the notifications to use with your particular project. For more detail, see Enable and Disable Notifications.
If no notifications have been set up, click the NOTIFICATIONS link from inside the gray box to create a new notification.
Refer to Notification Types for additional details on configuring various notification types.
Clicking on Job Templates allows you to add and review any job templates or workflow templates associated with this project. Click Expanded to view details about each template, including the statuses of the jobs that ran using that template, and other useful information. You can sort this list by various criteria, and perform a search to filter the templates of interest.
From this view, you can also launch (), copy (), or delete () the template configuration. Note, the example above shows the expanded view.
Clicking on Schedules allows you to review any schedules set up for this project.
At the end of a Project update, Tower searches for a file called requirements.yml
in the roles
directory, located at <project-top-level-directory>/roles/requirements.yml
. If this file is found, the following command automatically runs:
ansible-galaxy install -r roles/requirements.yml -p <project-specific cache location>/requirements_roles -vvv
This file allows you to reference Galaxy roles or roles within other repositories which can be checked out in conjunction with your own project. The addition of this Ansible Galaxy support eliminates the need to create git submodules for achieving this result. Given that SCM projects (along with roles/collections) are pulled into and executed from a private job environment, a <private job directory> specific to the project within /tmp
is created by default. However, you can specify another Job Execution Path based on your environment in the Jobs Settings tab of the Configure Tower window:
In Ansible Tower 3.7.2 and after, the cache directory is a subdirectory inside the global projects folder. The content may be copied from the cache location to <job private directory>/requirements_roles
location.
By default, Ansible Tower has a system-wide setting that allows roles to be dynamically downloaded from the roles/requirements.yml
file for SCM projects. You may turn off this setting in the Jobs tab of the Settings () menu by switching the Enable Role Download toggle button to OFF.
Whenever a project sync runs, Tower determines if the project source and any roles from Galaxy and/or Collections are out of date with the project. Before Ansible Tower 3.6 and after 3.7.2, project updates will download the roles inside the update.
If jobs need to pick up a change made to an upstream role, updating the project will ensure this happens. A change to the role means that a new commit was pushed to the provision-role source control. To make this change take effect in a job, you do not need to push a new commit to the playbooks repo, but you do need to update the project, which downloads roles to a local cache. For instance, say you have two git repositories in source control. The first one is playbooks and the project in Tower points to this URL. The second one is provision-role and it is referenced by the roles/requirements.yml
file inside of the playbooks git repo.
In short, in Ansible Tower 3.6, jobs would download the most recent roles before every job run. Starting in 3.7.2, roles and collections are locally cached for performance reasons, and you will need to select Update Revision on Launch in the project SCM Update Options to ensure that the upstream role is re-downloaded before each job run:
The update happens much earlier in the process than the sync, so this surfaces errors and details faster and in a more logic place.
For more information and examples on the syntax of the requirements.yml
file, refer to the role requirements section in the Ansible documentation.
If there are any directories that should specifically be exposed, you can specify those in the Configure Tower screen in the Paths to Expose to Isolated Jobs or by updating the following entry in the settings file:
AWX_PROOT_SHOW_PATHS = ['/list/of/', '/paths']
Note
The primary file you may want to add to
AWX_PROOT_SHOW_PATHS
is/var/lib/awx/.ssh
, if your playbooks need to use keys or settings defined there.
If you made changes in the settings file, be sure to restart services with the ansible-tower-service restart
command after your changes have been saved.
In the Tower User Interface, you can configure these settings in the Jobs settings window. Click the () icon in each of the fields for further detail.
Note
The Primary Galaxy Server Username and Primary Galaxy Server Password fields are being deprecated in Ansible Tower 3.7.2. We recommend using tokens to access Galaxy or Automation Hub instead.
Tower supports project-specific Ansible collections in job runs. If you specify a collections requirements file in the SCM at collections/requirements.yml
, Tower will install collections in that file in the implicit project sync before a job run. To specify a collections requirement:
ansible-galaxy collection install -r requirements.yml -p <job tmp location>
By default, Ansible Tower has a system-wide setting that allows collections to be dynamically downloaded from the collections/requirements.yml
file for SCM projects. You may turn off this setting in the Jobs tab of the Settings () menu by switching the Enable Collections Download toggle button to OFF.
In Ansible Tower 3.6, jobs would download the most recent roles before every job run. Starting in 3.7.2, roles and collections are locally cached for performance reasons, and you will need to select Update Revision on Launch in the project SCM Update Options to ensure this:
For more information, refer to Using Collections.
Note
If updates are needed from Galaxy or Collections, a sync is performed that downloads the required roles, consuming that much more space in your /tmp file. In cases where you have a big project (around 10 GB), disk space on /tmp
may be an issue.