Fixes in Ansible Tower:
Analytics collection no longer causes lost job events when Tower is under load
Analytics collection now handles null characters in job event output
Pending jobs in /api/v2/metrics show correct counts
Project updates are no longer delayed when projects contain large files
Status for hosts is properly counted in notification payloads
SAML organization creation now properly assigns a default Galaxy credential
SAML configuration now properly denotes required SAML contact fields
Fixed a race condition in settings updates that previously led to incorrect behavior
Log messages are updated to be more clear when rsyslog is unresponsive
Fixes in the platform installer:
Updated to include Ansible 2.9.20
Updated to use a PostgreSQL secret when deploying in OpenShift
Updated to remove RabbitMQ on upgrade only on Tower nodes
Fixes in the ansible.tower collection:
The tower_user module now updates the system auditor and superuser flags
The workflow_launch and job_launch modules now properly send survey-only variables
Corrected a number of defaults to no longer be set to an empty string
Updated the project module to support spawning project updates
Fixed job_template and workflow_job_template to properly error on incorrect survey formats
Enhanced job_template and workflow_job_template to use identical survey_spec arguments
Updated inventory plugin to properly add child groups
Upgraded to the latest oVirt inventory plugin to resolve a number of inventory syncing issues that can occur on RHEL7
Upgraded to the latest theforeman.foreman inventory plugin to resolve a few bugs and performance regressions
Upgraded to a more recent version of Django to address CVE-2021-3281
Upgraded to a more recent version of autobahn to address CVE-2020-35678
Fixed a security issue that allowed a malicious playbook author to elevate to the awx user from outside the isolated environment (CVE-2021-20253)
Fixed several issues related to how Tower rotates its log files
Fixed the installer to no longer prevent Tower from installing on RHEL8 with certain non-en_US.UTF-8 locales
Fixed unanticipated delays in certain playbook output
Fixed job runs to no longer fail for playbooks that print certain types of raw binary data
Fixed the generation of unnecessary records in the Activity Stream when Ansible Automation data is collected
Fixed PostgreSQL backups to no longer fail when a non-default PostgreSQL username is specified
Fixed access to encrypted Tower settings to prevent intermittent failures that caused failed job launches
Fixed unexpected failures on certain long-running jobs running on isolated nodes
Deprecated the global /api/v2/job_events/ endpoint, which will be removed in a future release
Improved analytics collection to collect the playbook status for all hosts in a playbook run
Updated nginx on RHEL 7 to address CVE-2019-20372
Updated autobahn to address CVE-2020-35678
Updated the installer to ensure Automation Hub repositories are only enabled while running the installer
Updated the installer to allow it to pin a specific version of Automation Hub that needs to be installed
Added aggregation support for applying multiple subscriptions to a single Tower installation
Fixed the installer to only install the DB where it belongs and not on all nodes
Fixed the installer to only check the RHSM Automation Hub repository when not using a bundled installer
Fixed Tower to properly handle certain uploaded subscription manifests
Fixed Tower to properly respect the configured destination port when interacting with Red Hat Satellite 6 to obtain licensing/entitlement data
Fixed an error in the module documentation for the tower_license module
Fixed inventory updates from Satellite 6 and Tower to no longer fail unexpectedly
Fixed AWS inventory hosts to now properly track across inventory updates
Updated the Tower installer to include Automation Hub, which collectively serves as the Ansible Automation Platform installer
Updated the minimum system required Ansible version to 2.9
Updated Tower licenses to a subscriptions-based model that requires customer credentials or a subscriptions manifest. Even if you already have valid licenses from previous versions, you must still provide your credentials or a subscriptions manifest again upon upgrading to Tower 3.8.
Updated inventory sources to allow configuration via full YAML inventory plugin configuration
Updated Tower to utilize a version of certifi that auto-discovers certificates in the system certificate store
Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
Added fields: /api/v2/inventory_source/ host_filter, enabled_var, enabled_value
Added new Remote Archive SCM type for use in projects
Added an optional setting to disable the auto-creation of organizations and teams on successful SAML login
Added the ability to use an OAuth2 token in an Ansible Tower credential
Added the ability to use !include and !import constructors when constructing YAML for use with the AWX CLI
Added the ability to associate Kubernetes/OpenShift credentials to Job Template for playbook interaction with Kubernetes/OpenShift modules
Added the ability to include HTML in the Custom Login Info presented on the login page
Introduced Automation Hub as the content provider for Ansible Tower
Introduced the ability to configure content sources, including Automation Hub, on a per-organization basis
Introduced the import/export feature for ansible.tower collections
Introduced the import/export feature for awx-cli
Deprecated Red Hat Enterprise Linux 7 as a supported operating system for a Tower node, which will be removed in a future release
Deprecated CentOS as a supported operating system for a Tower node, which will be removed in a future release
Deprecated Mercurial project updates, which will be removed in a future release
Deprecated Insights integration for applying remediation playbooks, which will be changed and/or removed in a future release
Removed memcached as a caching service for Tower
Removed support for Red Hat CloudForms as an inventory source and credential type
Removed fields: /api/v2/inventory_source/ source_regions, instance_filters, group_by
Removed support for the PRIMARY_GALAXY_USERNAME and PRIMARY_GALAXY_PASSWORD settings. We recommend using API tokens to access Galaxy or Automation Hub
Removed support for HipChat notifications; as a result, all previously created HipChat notification templates will be deleted
Fixed PagerDuty notifications to properly send workflow job template approvals
Fixed notification messages that contain certain unicode characters
Fixed errors rendering stdout that contained UTF-16 surrogate pairs
Fixed workflows so Workflow Approval records can now be deleted
Fixed workflows so that certain users can now edit approval nodes
Fixed social auth logins across distinct browser tabs to no longer exhibit a confusing behavior
Fixed an HTTP 500 error when certain LDAP group parameters are not properly set
Fixed Tower’s handling of the auth_path argument for the HashiVault KeyValue credential plugin
Fixed custom Credential Types so they allow creation and editing of boolean fields
Fixed password prompting for credentials in certain cases
Fixed PostgreSQL to no longer deadlock when running many parallel playbooks against large shared inventories
Fixed a race condition that can lead to missing hosts when running parallel inventory syncs
Fixed performance associated with playbooks that store large amounts of data using the set_stats module
Improved analytics collection to collect the playbook status for all hosts in a playbook run
Upgraded to a more recent version of Django to address CVE-2021-3281
Upgraded to a more recent version of autobahn to address CVE-2020-35678
Upgraded to a more recent version of nginx to address CVE-2019-20372
Fixed a security issue that allowed a malicious playbook author to elevate to the awx user from outside the isolated environment (CVE-2021-20253)
Fixed access to encrypted Tower settings to prevent intermittent failures that caused failed job launches
Improved Ansible Tower’s web service configuration to allow for processing more simultaneous HTTP(s) requests by default
Updated several dependencies of Ansible Tower’s User Interface to address:
CVE-2020-7720
CVE-2020-7743
CVE-2020-7676
Updated to the latest version of python-psutil to address CVE-2019-18874
Updated translations
Added several optimizations to improve performance for a variety of high-load simultaneous job launch use cases
Fixed workflows to no longer prevent certain users from being able to edit approval nodes
Fixed confusing behavior for social auth logins across distinct browser tabs
Fixed launching of Job Templates that use prompt-at-launch Ansible Vault credentials
Updated to the latest version of the git-python library to no longer cause certain jobs to fail
Updated to the latest version of the ovirt.ovirt collection to no longer cause connections to hang when syncing inventory from oVirt/RHV
Added a number of optimizations to Ansible Tower’s callback receiver to improve the speed of stdout processing for simultaneous playbook runs
Added an optional setting to disable the auto-creation of organizations and teams on successful SAML login
Fixed an XSS vulnerability (CVE-2020-25626)
Fixed a slow memory leak in the Daphne process
Fixed Automation Analytics data gathering to no longer fail for customers with large datasets
Fixed scheduled jobs that run every X minute(s) or hour(s) to no longer fail to run at the proper time
Fixed delays in Ansible Tower’s task manager when large numbers of simultaneous jobs are scheduled
Fixed the performance for playbooks that store large amounts of data using the set_stats module
Fixed the awx-manage remove_from_queue tool when used with isolated nodes
Fixed an issue that prevented jobs from being properly marked as canceled when Tower is backed up and then restored to another environment
Added local caching for downloaded roles and collections so they are not re-downloaded on nodes where they are up to date with the project
Deprecated PRIMARY_GALAXY_USERNAME and PRIMARY_GALAXY_PASSWORD. We recommend using tokens to access Galaxy or Automation Hub.
Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
Fixed Tower Server Side Request Forgery on Webhooks (CVE-2020-14328)
Fixed Tower sensitive data exposure on labels (CVE-2020-14329)
Fixed Named URLs to allow for testing the presence or absence of objects (CVE-2020-14337)
Fixed Tower’s task scheduler to no longer deadlock for clustered installations with large numbers of nodes
Fixed the Credential Type definitions to no longer allow superusers to run unsafe Python code
Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
Fixed backup/restore for PostgreSQL usernames that include capital letters
Fixed manually added host variables to no longer be removed on VMWare vCenter inventory syncs
Fixed Red Hat Satellite inventory syncs to allow Tower to properly respect the verify_ssl flag
Updated rsyslog integration to not write world-readable configuration files (CVE-2020-10782)
Updated the included foreman/satellite inventory plugin to add the host_filters and want_ansible_ssh_host options
Updated Foreman/Satellite inventory to properly use group_prefix for all groups
Updated the Satellite inventory script to disable the reports option
Updated bundled installer to properly include all dependencies
Updated translations
Fixed the all_parents_must_converge property of workflow nodes to be set properly
Fixed labels so organization administrators could remove them from a workflow
Fixed Mattermost workflow approval notifications
Fixed the notifications for management jobs so administrators could enable it
Fixed event processing for inventories with very large numbers of hosts to prevent Tower from slowing down
Fixed the VMware inventory to properly detect the Instance UUID to no longer cause hosts to be removed and re-added
Fixed (reverted) a change to follow symlinks when discovering playbooks, as it could lead to an infinite loop
Fixed analytics gathering to not attempt to gather data if there is not a valid configuration for sending it
Fixed Tower to no longer break when virtual environments are created with incorrect permissions
Fixed the Sumologic logging integration associated with parsing the URL path
Fixed incorrectly configured logging so that it would no longer block Tower operation
Fixed multiple websocket broadcast issues in OpenShift
Fixed instance registration in OpenShift
Fixed an issue where the redis socket in OpenShift deployments was world-writable
Improved the performance (time to execute, and memory consumption) of the periodic job cleanup system job
Improved performance in the User Interface for various job views when many simultaneous users are logged into Tower
Improved job run performance and the write speed of stdout for running playbooks and parallel jobs through optimization of the job dependency/scheduling algorithm
Improved running jobs to no longer block associated inventory updates
Updated the schema for main_jobevent so that primary keys now use the bigint datatype versus integer. Depending on the amount of job events stored, the migration task may take some time to complete. Job history may show up as incomplete until the migration finishes.
Updated Tower’s external log aggregator feature with a more robust implementation based on rsyslogd
amazon.aws.aws_ec2
community.vmware.vmware_vm_inventory
azure.azcollection.azure_rm
google.cloud.gcp_compute
theforeman.foreman.foreman
openstack.cloud.openstack
ovirt.ovirt.ovirt
awx.awx.tower
Updated the Red Hat Virtualization (ovirt) inventory source so that requests check certificates by default
Updated OpenShift-based deployments to use a Deployment rather than a StatefulSet
Updated Activity Stream logs to include Summary fields for related objects
Updated Tower CLI to no longer support Python 2 (it requires at least Python 3.6)
Updated the Tower CLI environment variable used to specify an OAuth2 token from TOWER_TOKEN to TOWER_OAUTH_TOKEN in order to align with the Tower collection. The old environment variable is still accepted, but it is recommended to use TOWER_OAUTH_TOKEN.
Updated Tower to no longer rely on RabbitMQ; Redis is added as a new dependency
Updated the redis/websocket implementation, which is now served under port 443/80 respectively for live events across a cluster
Updated the job templates API to show a read-only organization field, which is inferred from the associated project
Updated to ansible-runner 1.4.6 to address various bugs
Updated Django to address CVE-2020-9402
Updated pyyaml version to address CVE-2017-18342
Updated the bundled version of OpenStack SDK to address a known issue
Added a new Project (Domain Name) field to OpenStack Credentials to properly support the OpenStack Keystone v3 API
Added the ability to monitor stdout in the CLI for running jobs and workflow jobs
Added the ability to specify an OAuth2 token description in the Tower CLI
Added the ability to launch jobs (and workflows) using the --monitor flag in the Tower CLI to return a non-zero exit code on job failures
Added the ability to discover playbooks in project clones from symlinked directories
Added the ability to configure the convergence behavior of workflow nodes with the implementation of the ALL node, which requires that every single parent meets the “run on” conditions before continuing (refer to the Ansible Tower User Guide for detail)
Added a default maximum limit of 200 forks to job templates (this default is configurable)
Added the ability to specify AZURE_PUBLIC_CLOUD (e.g., for Azure Government KeyVault support) for the Azure credential plugin
Added a new field to jobs for tracking the date/time a job is canceled
Added the ability for Tower to use any environment variables in AWX_TASK_ENV when connecting to Red Hat Insights, Red Hat Subscription Manager, and when sending data to Automation Analytics
Introduced the ansible.tower Ansible collection to be distributed on Automation Hub with a corresponding version number
Removed project update lock, allowing projects to update while a related job is running
Removed the limitation on the maximum number of events Tower can store as a result of playbook runs by expanding event tables to allow more than ~2 billion total events
Removed a number of pre-computed fields from the Host and Group models to improve Tower performance. As part of this change, inventory group UIs throughout the interface no longer display status icons.
Fixed the Tower CLI to properly install with newer versions of pip
Fixed the Tower CLI to save the JSON-type settings properly
Fixed a race condition that caused task container crashes when pods are quickly brought down and back up
Fixed a bug that prevented the use of ANSIBLE_SSH_ARGS for ad-hoc-commands
Fixed an unexpected deadlock during playbook execution in container groups
Fixed schedules containing RRULES with very old DTSTART dates to no longer break
Fixed OpenShift-based installs on older versions of Ansible packaged with RHEL 7
Fixed the Activity Stream to report the correct actor when associating user membership on SAML login
Fixed searching for Source Control credentials in the Tower user interface
Fixed disassociating orphaned users from credentials
Fixed the new scm_branch field to be used in custom notification templates
Fixed a race condition that sometimes causes success/failure notifications to include an incomplete list of hosts
Fixed playbook launches to no longer lose unsaved form edits on certain setting pages
Fixed the “Use TLS/SSL” field to properly save when editing email notification templates
Fixed a race condition that sometimes broke event/stdout processing for jobs launched in container groups
Fixed delays in project update stdout for certain large SCM clones (as of Ansible 2.9+)
Fixed certain smart inventory filters to not mistakenly return duplicate hosts
Fixed broken Grafana notification support in a newer version of Grafana
Fixed the Tower User Interface to allow users with read access to an organization to edit credentials for that organization
Fixed 404 errors when attempting to view the second page of the workflow approvals view
Fixed workflow approval records to properly record a started and elapsed date
Fixed workflow nodes to no longer have a confusing option for verbosity
Fixed RBAC so that projects and inventory schedules can be created by certain users in certain contexts
Fixed the role_path in a project’s config to be respected despite an error processing /etc/ansible/ansible.cfg
Fixed inventory updates for installs with custom home directories for the Tower user
Fixed fact data collection when Tower encounters invalid/unexpected fact data
Upgraded to a more recent version of nginx to address CVE-2019-20372
Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023
Fixed a security issue that allowed a malicious playbook author to elevate to the awx user from outside the isolated environment (CVE-2021-20253)
Fixed an XSS vulnerability (CVE-2020-25626)
Fixed the Red Hat sosreport tool to no longer include the Ansible Tower SECRET_KEY value
Fixed the Ansible Tower installer so that it is now compatible with the latest supported Red Hat OpenShift Container Platforms 3.x and 4.x
Removed reports option for Satellite inventory script
Fixed Tower Server Side Request Forgery on Credentials (CVE-2020-14327)
Fixed the Job Type field to render properly when editing a Job Template
Fixed a notable delay running large project update clones
Fixed Tower to properly sync host facts for Red Hat Satellite 6.7 inventories
Fixed installations on Red Hat OpenShift 4.3 to no longer fail
Fixed the usage of certain SSH keys on RHEL8 when FIPS is enabled to work properly
Fixed upgrades from 3.5 to 3.6 on RHEL8 in order for PostgreSQL client libraries to be upgraded on Tower nodes, which fixes the backup/restore function
Fixed credential lookups from CyberArk AIM to no longer fail unexpectedly
Fixed the ability to add a user to an organization when they already had roles in the organization
Fixed manually added host variables to no longer be removed on VMWare vCenter inventory syncs
Fixed a number of issues related to Tower’s reporting of metrics to Red Hat Automation Analytics
Added additional metrics to the Prometheus /api/v2/metrics/ endpoint for reporting remaining instance capacity
Fixed Tower to allow users to subscribe to playbook output in organizations they do not have RBAC access to via Tower’s websocket interface (CVE-2020-10698)
Fixed OAuth2 refresh tokens to properly respect custom expiration settings (CVE-2020-10709)
Fixed event hostnames to be recorded for playbooks run on isolated nodes
Fixed a PostgreSQL issue that caused upgrade failures in certain situations
Fixed the search for Source Control credentials in the Tower user interface
Fixed a performance issue to no longer delay the output of project updates for certain users
Fixed the installations to no longer fail with admin passwords that contain certain special characters
Fixed the start time to be set correctly for approval notifications
Fixed an inconsistency in gathered inventory analytics
Improved memcached in OpenShift deployments to listen on a more secure domain socket (CVE-2020-10697)
Updated Tower’s single sign-on integration to address several upcoming GitHub API deprecations
Updated the Twisted library to address CVE-2020-10108 and CVE-2020-10109
Updated translations
Added a number of notable performance improvements to event processing to drastically speed up stdout ingestion speed
Added support for certain Job Template and Workflow launch-time arguments to the official Tower CLI
Deprecated the CloudForms inventory source, which will be removed in a future release
Support for running Ansible Tower on all versions older than Red Hat Enterprise Linux 7.7 is deprecated. Future versions of Ansible Tower will require a minimum of RHEL 7.7.
Fixed an issue which can cause certain git authentication failures to expose HTTP Basic auth credentials to configured loggers (such as Splunk or Logstash)
Fixed the SSL certificate formatting issue that can cause the Tower UI to fail to load in certain versions of Mac OSX Chrome
Fixed Tower installs hosted at domains that end with numbers
Fixed certain nested workflows to no longer be stuck in Running forever
Fixed copied credentials that omitted lookup sources
Fixed isolated nodes that reported incorrect capacity in certain failure scenarios
Fixed a number of issues related to the frequency of cloud.redhat.com analytics collection
Fixed Tower licenses to apply correctly when /etc/tower/conf.d/custom.py contains a custom TOWER_URL_BASE value
Fixed awx.api logs to properly send to external log aggregator in OpenShift installs
Fixed Slack notifications to correctly show the Slack Bot username
Fixed official AMIs to not leave behind a randomized public SSH key from the build process
Fixed a number of issues related to the Red Hat Satellite 6 inventory script
Fixed Tower to not report an error when an OAuth2 token is used to delete itself
Fixed saml_admin_attr to work properly
Fixed the memcached service that resulted in degraded performance of some Tower systems, to correctly start at install time
Updated the pytz package to the latest version to reflect the latest available timezone data
Updated Tower’s translations to include more translated strings
Added a command to generate a new SECRET_KEY and rekey the database
Removed the guest user from the optionally-configured RabbitMQ admin interface (CVE-2019-19340)
Fixed slow queries for /api/v2/instances and /api/v2/instance_groups when smart inventories are used
Fixed assorted issues with preserving permissions in the Ansible Tower backup playbook (CVE-2019-19341)
Fixed a partial password disclosure when special characters existed in the RabbitMQ password (CVE-2019-19342)
Fixed hang in error handling for source control checkouts
Fixed an error on subsequent job runs that override the branch of a project on an instance that did not have a prior project checkout
Fixed an issue where supervisord would not shut down correctly
Fixed an issue where jobs launched in isolated or container groups would incorrectly timeout
Fixed link to instance groups documentation in the user interface
Fixed retrieval of Red Hat subscription data when running in OpenShift
Fixed editing of inventory on Workflow templates
Fixed multiple issues with OAuth2 token cleanup system jobs
Fixed custom email notifications for workflow approve and deny
Updated SAML implementation to automatically log if authorization exists
Updated AngularJS to 1.7.9 for CVE-2019-10768
Updated installer to not install PostgreSQL server on all nodes
Updated bundled installer to contain both Red Hat Enterprise Linux 7 and 8 builds
Fixed accidental disclosure of Red Hat username and password in /api/v2/config (CVE-2019-14890)
Fixed upgrade failure with bundled installer
Fixed license check error when reinstalling over a partially-installed Tower
Fixed database restore when using a PostgreSQL pod
Fixed error when CA data was missing for a container group credential
Fixed error when a container group job was launched when Tower was out of capacity
Fixed a few minor issues in the AWX modules collection
Fixed an error which prevented the usage of certain special characters in PostgreSQL passwords
Updated bundled Ansible to version 2.9
Added the ability to activate Tower Licenses and subscriptions by entering a Red Hat username and password
Added the ability to run Tower jobs in a remote OpenShift or Kubernetes cluster with ephemeral containers
Added a new CLI tool
Added the ability to listen for webhooks sent by events in GitHub or GitLab, using them to launch job templates or workflow templates
Added the ability to disable SSL verification for webhook notifications
Added the ability to enable SSL for PostgreSQL and RabbitMQ (not on by default)
Added the ability to emit verbose file-based logs using a setting in the UI
Added the ability to disable hosts from dynamic inventory sources in the UI
Added the ability to allow specifying project branch in job template, or prompting for project branch
Added the ability to copy the project source (shallow clone in case of git) for every job run
Added the ability to allow using a custom refspec with git projects
Added the ability to install Collections specified in collections/requirements.yml file
Added support for custom notification content
Added the ability to create approval nodes in workflow job templates
Added the ability to collect performance data in the SOS report
Added the ability to map org auditors in the same way org admins can
Deprecated the Administrator Alert functionality in the Tower settings, which will be removed in a later release
Deprecated Inventory Scripts. Users who use custom inventory scripts should migrate to sourcing these scripts from a project.
Removed the deprecated ask_ fields in the Job Details view to reduce confusion. This does not affect the functionality of prompting.
Removed the ability to use Ubuntu as a Tower platform
Removed the OAuth2 Implicit grant type. Existing “implicit” Applications will persist, but new ones cannot be created.
Removed v1 of the api (/api/v1). All queries must be made in /api/v2.
Removed the following API endpoints:
Job template credential field (in either v1 or v2)
Corresponding credential field on workflow job template nodes
Removed restriction of automation when license expires or host count is over the license count
Fixed the OpenStack credential type so that it applies to SCM inventory updates as well
Updated PostgreSQL to version 10
Updated Django to version 2.2.4 and Django REST Framework to 3.9.4
Updated OAuth2 implicit grant type applications as it is no longer recommended to use them
Updated the Automation Analytics data collection feature
Updated job template runs to use a private copy of the project for each run. Attempting to store state between playbook runs by writing to the project repository will no longer work.
Deprecated the CloudForms inventory source, which will be removed in a future release
Fixed job stdout to stop auto-scrolling (requires a page reload to see new output)
Fixed official AMIs to not leave behind a randomized SSH key from the build process
Fixed the memcached service that resulted in degraded performance of some Tower systems, to correctly start at install time
Fixed a number of issues related to the frequency of cloud.redhat.com analytics collection
Added a command to generate a new SECRET_KEY and rekey the database
Removed the guest user from the optionally-configured RabbitMQ admin interface (CVE-2019-19340)
Fixed assorted issues with preserving permissions in the Ansible Tower backup playbook (CVE-2019-19341)
Fixed a partial password disclosure when special characters existed in the RabbitMQ password (CVE-2019-19342)
Fixed a file descriptor leak in the Tower service during project updates
Fixed an issue where AUTHORIZATION_CODE_EXPIRE_SECONDS and ACCESS_TOKEN_EXPIRE_SECONDS were not properly honored
Fixed an issue where some timezones in schedules could not be parsed
Fixed isolated execution of playbooks with blanks in the filename
Fixed saving of workflow extra_vars
Updated Ansible Tower to disallow Jinja in inventory hostnames
Updated analytics data collection to match Ansible Tower 3.6
Updated bundled oVirt SDK to version 4.3.0
Fixed slow transactions in requests made with OAuth2 tokens
Fixed broken image icon in error message for failed test notifications
Fixed a potential XSS when canceling a project update
Fixed the Extra Variables field to display in UI
Fixed keyboard navigation on the Job Launch Survey so that the Preview tab no longer displays an empty survey
Updated Tower to allow relaunching of other user jobs with public vars
Updated Tower to collect and send data directly to cloud.redhat.com, rather than using the insights-client. This also fixes errors in the logs when INSIGHTS_TRACKING_STATE is enabled.
Updated Tower to include various automation analytics-related enhancements:
Insights credentials and upload URL
improved analytics data collection for jobs in organizations
added version tracking and metadata to the data bundle generated
de-duplication of data
Fixed license application on Ubuntu
Fixed schedules to properly appear when toggled off
Fixed setting of system auditor for LDAP users
Fixed settings menu so it could be properly viewed by system auditors
Fixed SSH signed certificate support
Fixed assorted issues with Azure inventory import
Fixed passing of Google Cloud credentials for module usage
Fixed Hashicorp Vault credential plugin to handle keys in subfolders
Fixed previous and next page buttons in the Job Output screen
Fixed the base_packages.txt in the bundled installer
Fixed cleanup of runner temporary directories
Fixed credential plugins when used with ad-hoc commands
Fixed duplication of instance groups when users are members of multiple organizations
Fixed system auditors to no longer be able to create credentials for organizations
Updated Django for CVE-2019-14234
Updated requests-credssp to version 1.0.2
Updated translations
Added rsync requirement to the ansible-tower-isolated package
Fixed the recent notifications list to display properly
Fixed handling of quotes in the task name in job output display
Fixed slow event processing when using smart inventories
Fixed slow startup time of the dispatcher in the presence of many schedules
Fixed GCE inventory to not import hosts as disabled due to GCE API change
Fixed dashboard error when user is in multiple organizations but no teams
Fixed license error when attempting to apply a basic license
Fixed LDAP upgrade failure from 3.3.x
Fixed handling of the OPT_X_TLS_CACERTFILE LDAP option
Fixed analytics gathering to not throw spurious errors
Fixed analytics gathering to properly remove processed analytics
Updated urllib3 for CVE-2019-9740
Updated ansible for CVE-2019-10156
Added Automation Insights, which makes use of the Insights client
Added the use of inventory plugins for inventory updates running in Ansible version 2.8 and higher, for Azure RM, GCE, OpenStack, and Tower sources
Added support for pulling credentials from external credential vaults:
CyberArk Application Identity Manager (AIM)
CyberArk Conjur
HashiCorp Vault Key-Value Store (KV)
HashiCorp Vault SSH Secrets Engine
Microsoft Azure Key Management System (KMS)
Added index for job event created fields (adds a few minutes to the upgrade)
Added Grafana notification type
Added the ability for users to specify a custom virtual environment where an inventory update will run
Added the ability for users to use a custom path for custom virtual environments
Added source_project field to SCM inventory updates detail endpoint in the API
Added support for CORS via django-cors-header middleware
Added the last login time to the user details view
Added a metrics endpoint (/api/v2/metrics) which can be used with tools like Prometheus to monitor Tower
Added activity stream entries for changes in user system auditor status
Added support for new playbook host summary fields (ignore and rescued) available in Ansible 2.5 and later
Added tech-preview support for installing into an ipv6 environment
Added the ansible-runner library to run tasks
Added the new Red Hat Insights API for retrieving plans and alerts
Added a warning when closing the workflow editor if there are unsaved changes
Added the ability to set the job template timeout on the job template edit screen
Added the job details to show execution node, virtual environment, and job artifacts
Added a Launch button on the job template view/edit screen
Deprecated a number of inventory computed fields:
groups_with_active_failures
has_active_failures
has_inventory_sources
hosts_with_active_failures
total_groups
total_hosts
Deprecated support for installing Tower on Ubuntu, which will be removed in a future release
Deprecated the HipChat notification plugin, which will be removed when support for HipChat from Atlassian ends
Deprecated the dashboard endpoint (/api/v2/dashboard) in favor of new metrics endpoint (/api/v2/metrics)
Fixed JobTemplates and AdHocCommands to no longer have an arbitrary 1024 character restriction on the --limit argument
Fixed WorkflowJobTemplates that launch automatically on a schedule to now respect settings.SCHEDULE_MAX_JOBS
Fixed the created_by extra_var field from jobs spawned by a workflow to the user who launched the workflow
Fixed the isolated nodes heartbeat task to now respect the AWX_ISOLATED_PERIODIC_CHECK setting when set in /etc/tower/conf.d
Fixed numerical survey answers to allow empty default values
Improved the job counts in the Dashboard to represent more accurately user-created jobs instead of implicit jobs
Updated Tower to run under Python 3.6
Updated Tower to allow using custom virtual environments with a Python 3 interpreter
Updated /api/v2/hosts/<id>/ to no longer have the fact_version or the fact_view endpoints
Updated Tower to no longer support system tracking
Updated Tower to no longer recognize the following awx-manage commands:
cleanup_facts
user_info
Updated Tower to no longer allow inventory updates to use Ansible versions 2.2 and 2.3
Updated Tower to now record the virtualenv used when running jobs and inventory updates
Updated Tower Project admins so they can now create a manual project
Updated Tower to allow Org admins to assign non-membership roles (e.g. workflow_admin_role) to users and teams while MANAGE_ORGANIZATION_AUTH is turned off and at the same time, forbid assigning membership
Updated Tower to allow system administrators to set the maximum license usage for an organization
Updated Tower to no longer discover playbook files from SCM with filenames that cannot be represented using UTF-8
Updated Schedules to be created with the same name if they reference a different Job Template, Inventory Update, or Project Update
Updated Views that have Project lists, Template lists, and Jobs lists to show Compact, Expanded, and sorting by various attributes
Updated Tower to return empty groups from SCM and custom inventory updates by default
Updated Django for CVE-2019-14234
Updated bubblewrap for CVE-2019-12439
Fixed the heartbeat check to not re-enable disabled isolated nodes
Fixed the dispatcher to avoid deadlock when external logging is present
Updated urllib3 for CVE-2019-9740
Updated ansible for CVE-2019-10156
Fixed an issue to no longer expose Tower service credentials to playbook runs via environment variables when running in OpenShift (CVE-2019-3869)
Added a number of notable improvements to translations
Fixed the Notifications tab to properly appear when viewing a Job Template
Fixed the total host count to be correct when viewing job output
Fixed the awx_workflow_job_name extra variable to be correct for jobs launched via nested workflows
Fixed scheduled jobs to no longer run twice in clustered Tower installations
Fixed the display of playbooks that utilize Ansible’s serial keyword
Fixed instance group assignments to restore correctly after Tower is backed up and restored
Fixed a number of workflow builder user interface issues
Fixed the Job Template credential selection to display all available options when large numbers of Credential Types are in use
Fixed the stdout display to no longer delay when Smart Inventories are in use
Fixed a bug that prevented Ansible from upgrading when Tower is updated with -e upgrade_ansible_with_tower=1
Fixed the installer to properly upgrade Tower dependencies on upgrade
Fixed a performance issue in Ansible Tower 3.4.0 which caused a notable delay in job start time for large inventories (>1000 hosts).
Fixed Tower logs to now properly record failed logins
Updated settings.SCHEDULE_MAX_JOBS so that it also limits workflow Job Templates
Fixed an issue which could cause a running job to not be marked as “failed” during a database outage
Fixed an issue where X-Frame-Options was not set for OpenShift installations
Fixed a potential deadlock when LDAP authentication backends are in use
Fixed an issue where Insights configuration would be broken on upgrade
Fixed an issue where the callback receiver would crash with an InterfaceError
Fixed an issue where the proper hashed PostgreSQL password would not be used when installing on a FIPS-enabled system
Fixed an issue with OS version detection when used with Ansible 2.8pre
Updated social-auth-core dependency to fix Google OAuth when Google+ is deactivated
Added the ability for workflow templates to have workflows as nodes
Added to workflow templates the ability for edges/links to have a mix of always, success, or failure, thereby removing edge conflicts to improve workflow behavior
Added job slicing feature to job templates, where a job template will launch a workflow of a certain number of jobs, distributing inventory evenly amongst those jobs, and allowing work to execute in parallel among Tower instances
Added optional and promptable inventory field to Workflow job templates (WFJTs). The selected inventory will override the inventory of any Job Template node that prompts for an inventory, which includes inventory prompt-on-launch for standalone WFJTs, nested WFJT nodes, and WFJT schedules
Added the ability to run Ansible Tower when Red Hat Enterprise Linux is configured in FIPS mode
Added job event entries for runner_on_start, since it was introduced in Ansible core
Deprecated several read-only API fields, pending removal in future release:
ask_xxx_on_launch fields in jobs API, duplicated with job template values
Inventory and groups groups_with_active_failures, not used by the Tower user interface
Removed previously-deprecated read-only project field scm_delete_on_next_update
Removed the restriction that workflows cannot be used in workflows
Removed backwards-compatible support for deprecated legacy Auth Tokens. Starting in Ansible Tower 3.4, users who wish to authenticate with tokens must use the new OAuth 2.0 authentication mechanism introduced in Tower 3.3.
Removed deprecated cluster management commands: deprovision_node → deprovision_instance and register_instance → provision_instance
Removed deprecated --name option from deprovision_instance
Fixed a deadlock scenario where new websocket connections would get 502’s until daphne and runworker services were restarted
Fixed the Workflow job templates to return a 400 response if a client attempts to launch without providing required survey variables using the API
Improved the task runner by replacing celery with a custom Kombu-based dispatcher
Improved validation survey specs on save, returning a 400 response in many new cases
Improved the Workflow job nodes with missing unified_job_template to no longer unconditionally fail a workflow. Instead, the workflow job node is treated as a job that ran with status result of failure.
Improved the Workflow job failure semantics. Before, if any leaf node failed then the workflow job was considered failed, else success. Now, if any node in the workflow fails without a failure handle path, then the workflow job is considered failed; else success.
Improved workflows to now allow convergence nodes (nodes with multiple parents)
Updated the environment variables used in job runs, which include the removal of INVENTORY_HOSTVARS and the ability for the inventory plugin and inventory unparsed behavior to be configurable
Updated how project “sync” jobs (as opposed to project updates) work
Updated the behavior of the Activity Stream associated with deleted inventory and displayed list of credentials used in job creation entry
Updated the creation of schedules from the API to allow global schedules lists
Updated GCE instances by moving from GCE_PEM_FILE_PATH to GCE_CREDENTIALS_FILE_PATH
Updated Tower to allow use of organization roles with teams in the user interface
Updated Configure Tower from the Settings menu to contain sub-menus and access to sub-tasks
Fixed an issue where X-Frame-Options was not set for OpenShift installations
Fixed a potential deadlock when LDAP authentication backends are in use
Fixed an issue where the callback receiver would crash with an InterfaceError
Updated social-auth-core dependency to fix Google OAuth when Google+ is deactivated
Updated asgi_amqp dependency to fix an issue with websockets
Fixed a RabbitMQ misconfiguration that decreased cluster stability and could allow for unauthorized access (CVE-2018-16879)
Fixed RabbitMQ HA policy when deployed in OpenShift
Fixed external loggers to send activity stream changes as raw JSON, instead of a JSON-ified string
Fixed MANAGE_ORGANIZATION_AUTH settings to allow superusers to make changes
Fixed an XSS issue when viewing application tokens
Fixed permissions to allow project admins to create projects
Fixed permissions to allow job template admins to delegate permissions to certain users/teams
Fixed Tower to allow selecting credential types when running in a non-English language
Fixed the Activity Stream to properly note credentials and custom credentials
Fixed an error resulting from a credential lookup where there are multiple custom credential types defined
Fixed certain certificate validation issues
Fixed templates to allow filtering by template type
Fixed events with no output to no longer render excess blank lines in the job display
Fixed detailed events to show hosts that were added during a playbook run
Fixed the inability to properly mark Tower nodes as disabled when rabbitmq was offline
Fixed the job output to correctly display certain job events
Fixed the job events to properly line-wrap in the job output
Fixed the pagination to no longer redirect to the dashboard when selecting multiple credentials
Fixed a potential deadlock on inventory deletion
Fixed the job relaunch operation to use the correct credentials when the defined credentials were changed
Improved the Schedules view to more clearly denote which resource was being scheduled
Updated Google Cloud credentials to be passed as GCE_PEM_FILE_PATH to GCE_CREDENTIALS_FILE_PATH in accordance with recent Ansible versions
Fixed event callback error when in-line vaulted variables are used with include_vars
Fixed HSTS and X-Frame-Options to properly be set in nginx configuration
Fixed isolated node setup to no longer fail when ansible_host is used
Fixed selection of custom virtual environments in job template creation
Fixed display of extra_vars for scheduled jobs
Fixed websockets for job details to properly work
Fixed the /api/v2/authtoken compatibility shim.
Fixed page size selection on the jobs screen
Fixed instances in an instance group to properly be disabled in the user interface
Fixed the job template selection in workflow creation to properly render
Fixed member_attr to properly set on some LDAP configurations during upgrade, preventing login
Fixed PosixUIDGroupType LDAP configurations
Improved the RAM requirement in the installer preflight check
Updated Tower to properly report an error when relaunch was used on a set of failed hosts that is too large
Updated sosreport configuration to gather more python environment, nginx, and supervisor configuration
Added support for container-based clusters using OpenShift or Kubernetes
Added support for multiple or no credential assignment in Job Templates
Added support for multiple Vault credential assignment in Job Templates
Added support for multiple LDAP server configurations
Added support for fact caching for isolated instances
Added the ability to schedule configurations of a job template using job template prompts
Added deprecation note to the Tower REST API for Version 1 (/api/v1/), which will be removed in a future release of Ansible Tower
Added the ability to make a copy of existing Tower objects (inventory, project, etc.) as a template for creating a new one
Added the ability to relaunch jobs on a subset of hosts by status
Added validation to prevent string "$encrypted$" from becoming a literal survey question default
Added support for more job template prompts at workflow node creation time
Added ask_variables_on_launch to workflow job templates (WFJT)
Added diff_mode and verbosity fields to WFJT nodes
Added Saved Launch-time configurations feature - added WFJT node promptable fields to schedules, added extra_data to WFJT nodes, and added “schedule this job” endpoint.
Added block creation of schedules when variables not allowed are given. Block similar cases for WFJT nodes.
Added the ability to create instance groups and associate instances at runtime via the user interface and API
Added the ability to group instances based on policy, such as “50% of instances” and “at least three instances”
Added additional organizational roles for administration of projects, job templates, inventories, workflows and more
Added support for custom virtual environments for customizing Ansible execution
Added OAuth2 support for token based authentication
Added support for OAuth2 applications and access token generation
Added the ability to forcibly expire sessions through awx-manage expire_sessions
Added support for making inventory parsing errors fatal, and only enable the script inventory plugin for job runs and vendored inventory updates
Added inventory field to inventory updates
Added related credentials endpoint for inventory updates to be more internally consistent with job templates, model changes
Added the ability to show all teams to organization admins if the ORG_ADMINS_CAN_SEE_ALL_USERS setting is enabled
Added the ability to create schedules and workflow nodes from job templates that use credentials which prompt for passwords if ask_credential_on_launch is set.
Deprecated the fact_versions and fact_view endpoints from the API, including OPTIONS
Deprecated fact tables
Deprecated the awx-manage cleanup_facts command for fact cleanup
Deprecated the /api/v2/authtoken/ endpoint in the API and replaced it with /api/v2/tokens/
Fixed a conflict with Tower credential type by removing TOWER_HOST as a default environment variable in job running environments. Playbook authors should replace their use with AWX_HOST.
Fixed a behavior in Tower to prevent it from deleting jobs when event processing is still ongoing
Fixed a behavior in Tower to disallow relaunching jobs with execute_role if another user provided prompts
Improved project updates so that previously synced git projects do not attempt to contact the server if they are already at the proper revision
Improved WFJT node credential to many-to-many credentials
Improved stricter criteria to admin users where organization admin role now necessary for all organizations of which the target user is a member. Additionally, removed unused admin_role associated with users
Improved logs to consistently catch task exceptions
Improved external loggers to passively create handler from settings on every log emission, replacing server restart, allowing use in OpenShift deployments
Improved Tower to automatically run a project update if sensitive fields change like scm_url
Improved queuing logic through setting execution_node in task manager and submitting waiting jobs to only the queue for the specific instance job is targeted to run on
Updated the auth-token-timeout header name to Session-Timeout
Updated the AUTH_TOKEN_EXPIRATION setting name to change to SESSION_COOKIE_AGE and AUTH_TOKEN_PER_USER changed to SESSIONS_PER_USER
Updated source-control based inventory to allow for vaulted variable values
Updated the minimum required version of Red Hat Enterprise Linux to 7.4
Updated the minimum required RAM for standalone Tower to 4GB
Updated Ansible Tower to set ANSIBLE_DISPLAY_ARGS_TO_STDOUT to False by default for all playbook runs to match Ansible’s default behavior. See Jobs for more information.
Updated all job and tasks to generate consistent output events and make job output available on all cluster nodes
Updated external logging to default to HTTPS unless http:// is explicitly specified in the log aggregator hostname
Updated the behavior of a job template to prohibit configuring callbacks on job templates without an inventory
Updated the boolean fields for custom credential types to always default extra_vars and environment variables to False when a value is not provided
Updated to disallow using HTTP PUT/PATCH methods to modify existing jobs in Job Details API endpoint
Fixed using include_vars with vaulted variables to properly handle AnsibleVaultEncryptedUnicode objects in the callback receiver
Fixed Smart Inventory filters to no longer filter by the content of sensitive fields
Fixed Tower callback plugin handling of v2_playbook_on_notify events
Fixed potential information leakage via websocket
Fixed a CSRF vulnerability in Tower (CVE-2018-10884)
Fixed editing a job template to no longer overwrite API-only settings
Fixed certain cluster topologies to no longer cause duplicate project updates
Fixed unauthorized credentials to no longer be associated with projects and inventory sources
Updated oVirt client libraries to work with Ansible 2.5 or later
Fixed a RabbitMQ configuration issue that would affect cluster recovery on network interruptions
Added UI_LIVE_UPDATES_ENABLED setting for disabling websocket updates outside of job output
Fixed organization admins to no longer be able to modify users by adding them to their organization (CVE-2018-1101)
Fixed Tower to disable usage of Jinja templates in launch-time variables for security reasons (CVE-2018-1104). This release introduces the ALLOW_JINJA_IN_EXTRA_VARS configuration parameter for Tower. This parameter has three values: template to allow usage of Jinja saved directly on a job template definition (the default), never to disable all Jinja usage (recommended), and always to always allow Jinja (strongly discouraged, but an option for prior compatibility).
Fixed sanitization of module arguments with implicit no_log
Fixed Smart Inventories to no longer run on hosts marked as disabled
Fixed Fact Caching documentation to no longer refer to memcached
Updated bundled python-saml for CVE-2017-11427
Updated memcached to now listen on a local Unix socket instead of a TCP socket
Added deprecation warning when installing on certain older operating systems, such as Ubuntu 14.04, which will be removed in a future release
Fixed Inventory Updates to properly save group_vars inside of Tower group variables when used with Ansible 2.5 or later
Fixed certain Inventory Updates to no longer fail when running against isolated nodes
Fixed the ability to customize ANSIBLE_LIBRARY when Job Template fact caching is enabled
Fixed fact cache data to no longer prematurely expire for Job Templates with large amounts of fact data
Fixed isolated job runs to no longer fail when the playbook contained certain Unicode characters
Fixed the installer to use the correct package version when running isolated Tower nodes
Fixed Slack notification issues
Fixed workflow artifacts to no longer periodically go missing in subsequent workflow nodes
Fixed the Tower web interface to support large numbers of custom Credential Types
Fixed the “Test” button when configuring UDP-based external logging
Fixed the database restoration process that affected users with embedded PostgreSQL databases
Fixed a few XSS vulnerabilities in the Tower web interface
Fixed the ability to provide the admin password in the MOTD file for the Vagrant and AMI images
Added support for Ansible Tower and Red Hat Virtualization credentials.
Added dynamic inventory scripts for Ansible Tower and Red Hat Virtualization
Added awx_* extra variables to job runs in addition to tower_*
Added a setting for maximum user interface job events to show to Tower configuration
Added support for setting the Azure Cloud Environment in Azure credentials
Added retry for cleaning up job artifacts from isolated nodes
Added python-crypto requirement to RPM packaging for GCE inventory script
Added rsync requirement to RPM packaging for isolated nodes
Added error handling in installation for PostgreSQL 9.4 to 9.6 migration failures
Removed unused CALLBACK_CONNECTION, CALLBACK_QUEUE, and JOB_CALLBACK_DEBUG environment variables from the job environment
Fixed multiple issues where survey passwords were not properly encrypted in the database
Fixed an issue where cleanup jobs could run slowly and exhaust system memory when large job output was present
Fixed an issue where cleanup jobs could fail due to a race condition
Fixed an issue where use of remove: True and remove_users: True in LDAP configuration would cause an excessive number of activity stream entries
Fixed an issue where the GCE inventory script would erroneously cache information
Fixed an issue when using Ipsilon as a SAML IdP
Fixed an issue when using SAML authentication behind a load-balancer
Fixed an issue where ‘+’ in a search string was not handled properly
Fixed an issue where non-alphanumeric characters were stripped from SAML usernames
Fixed an issue where credential_type information appeared in api/v1 output
Fixed a styling issue for Host Config Key in the Job Template display
Fixed an issue where it was impossible to remove an organization from a credential
Fixed an issue where overwrite_vars on an inventory source would overwrite inventory toplevel variables
Fixed an issue where some credential kinds were not properly shown in the user interface
Fixed calculation of isolated instance capacity
Fixed an issue where the ‘Workflow Editor’ and ‘Survey Editor’ buttons were incorrectly shown in some states
Fixed navigation to additional pages of hosts in the Smart Inventory view
Fixed an issue where CloudForms inventory would not work with process isolation
Fixed an issue where job output would not properly word wrap
Fixed a migration issue with unicode inventory source names
Fixed an issue when launching an ad-hoc command with forbidden extra variables
Fixed an issue with symlinked manual projects when used with process isolation
Fixed an issue where some host_filter queries could not be removed
Fixed an issue where non-ascii characters could not be used in a LDAP bind DN
Fixed sizing of the ad-hoc command launch dialog
Fixed an issue where https://github.com/ansible/ansible/issues/30064 would prevent project sync
Fixed an issue where a Smart Inventory host_filter query would be improperly encoded when saved
Fixed month name on dashboard chart
Fixed scheduling error when browser is in UTC timezone
Fixed autocompletion of SCM inventory file dropdown
Fixed modal state handling when a modal dialog was closed by clicking outside of it
Fixed assorted migration errors on upgrade
Fixed a user interface error when rapidly deleting inventory groups
Fixed an issue where the system auditor would get a 404 error when viewing job results
Fixed assorted issues when cascading job cancellation to dependent jobs
Fixed opacity of disabled ‘Run Commands’ and ‘Smart Inventory’ buttons
Fixed ‘total_hosts’ field of Smart Inventories
Fixed virtualenv paths in sosreport plugins
Fixed installation with Ansible 2.2
Fixed ownership on ha.py on installation
Fixed django superuser check in installation
Fixed setting of custom RabbitMQ AMQP ports during installation
Fixed an issue where LDAP authentication could timeout or cause a Tower error
Improved callback worker’s ability to deal with idle or disconnected database connections
Improved activity stream output for Tower configuration changes
Improved deletion of inventory sources to properly delete imported hosts and groups
Improved various error messages
Improved initial zoom setting of workflow view
Improved inline help popovers for credential types
Improved configuration for SSH key handling for isolated nodes. This is now configurable during setup
Improved preflight checks for cluster installation
Improved backup/restore playbooks to be cluster-aware
Improved error handling in backup/restore playbooks
Updated translations for Dutch, French, Japanese, and Spanish
Added support to enforce Tower software version consistency across clustered environments
Fixed an issue where, when using Tower 3.2.0 + Ansible 2.4.0, creating a Job Template that used an inventory with fact caching enabled could cause the job to run against a host which should have been removed
Fixed a problem where ad-hoc permissions could be used to run commands against the Tower server
Fixed an issue where the migration of scan jobs failed due to an organization having a unicode character in the name
Fixed an issue where database migrations failed for upgrades
Removed system tracking data (historical facts) feature starting with Ansible Tower 3.2. However, you can collect facts by using the fact caching feature. Refer to Fact Caching for more detail.
Removed system tracking views in favor of directly viewing facts on hosts. Comparisons are best done with external data analytics systems.
Removed Rackspace as a supported inventory source type and credential type.
Removed the storing of ansible_env in job event data.
Removed Job launching capability from /api/v2/jobs. Job template launching and job relaunching are the only supported launch options.
Deprecated the group field for InventorySource, which has been renamed to deprecated_group and will be removed from InventorySource completely in Tower 3.3. As a result, the related field on Group, inventory_source, has been renamed deprecated_inventory_source and will also be removed in Ansible Tower 3.3.
Deprecated requirement that inventory sources be associated with a group.
Deprecated the /api/v1 hierarchy with the introduction of /api/v2. /api/v1 will be removed in a future Ansible Tower release to be determined.
Deprecated the /api/v2/authtoken endpoint, which will be removed in Ansible Tower 3.3.
Updated the job environment variables for AWS credentials. Refer to Amazon Web Services section of the Ansible Tower User Guide for new variable names.
Added support for connecting to external log aggregators via direct TCP and UDP connections.
Added the ability to test logging configurations through the Configure Tower UI.
Updated the Ansible Tower Rest API to version 2, which includes added endpoints: instances, instance_groups, credential_types, and inventory_sources.
Added ability to create inventory sources and create Smart Inventories.
Added the ability to access Tower resources via resource-specific human-readable identifiers.
Added the ability to create and modify credential types.
Added ability to create and modify instance groups and isolated nodes.
Added the ability to enable and disable SSL certification verification through the Configure Tower UI. You no longer have to manually set an environment variable in your local settings.py file to achieve this.
Updated upstream Azure libraries, which require users who use Ansible Tower with Azure to use Ansible 2.4 or later.
Fixed an outstanding issue regarding variable precedence so that the variable value is derived from the survey (survey variables take precedence over Job Template variables).
Added Insights project remediation, which allows you to run the Insights maintenance plan associated with an inventory.
Added a new API endpoint - /api/v2/settings/logging/test/ - for testing external log aggregator connectivity.
Updated passing -e create_preload_data=False to skip creating default organization/project/inventory/credential/job_template during Tower installation.
Added support for sourcing inventory from a file inside of a source control project.
Added support for custom cloud and network credential types, which give you the ability to modify environment variables, extra vars, and generate file-based credentials (such as file-based certificates or .ini files) at ansible-playbook runtime.
Added support for assigning multiple cloud and network credential types on job templates. Job templates can now prompt for “extra credentials” at launch time in the same manner as promptable machine credentials.
Updated custom inventory sources to now specify a Credential; you can store third-party credentials encrypted within Tower and use their values from within your custom inventory script (for example - by reading an environment variable or a file’s contents).
Added support for configuring groups of instance nodes to run tower jobs. Instance groups can be assigned to an organization, inventory, or job template.
Fixed an issue installing Tower on multiple nodes where cluster internal node references are used.
Updated Tower to now use a modified version of [Fernet](https://github.com/fernet/spec/blob/master/Spec.md) for encrypting sensitive fields such as credentials. Our Fernet256 class uses AES-256-CBC instead of AES-128-CBC for all encrypted fields.
Added the ability to set custom environment variables globally for all playbook runs, inventory updates, project updates, and notification sending, via AWX_TASK_ENV configuration setting.
Added --diff mode to Job Templates and Ad-Hoc Commands. The diff can be found in the standard out when diff mode is enabled.
Added support for accessing some Tower resources via their name-related unique identifiers apart from primary keys.
Added support for authentication to Tower via TACACS+.
Updated names of tower-manage commands register_instance -> provision_instance, deprovision_node -> deprovision_instance, and instance_group_remove -> remove_from_queue, with backward compatibility support for 3.1 command names.
Improved handling of workflow logic errors.
Updated Azure bindings, and therefore, removed support for the old Azure classic modules.
Fixed system auditor permissions.
Updated Tower to explicitly prevent non-json bodies from being accepted in the API.
Improved handling of default values in Tower Configuration.
Improved handling of sensitive environment variables in job details.
Added the ability to set the system auditor with AUTH_LDAP_USER_FLAGS_BY_GROUP.
Fixed some minor UTF-8 handling issues.
Fixed the system to no longer allow using password fields with the order_by query parameter in the API.
Improved censoring of Ansible no_log in job output.
Fixed handling project repository URLs with spaces and special characters.
Improved explanation when canceling jobs that are dependencies of other jobs.
Updated the ansible-playbook parameters to pass through the setup.sh script.
Added translations for Dutch; updated translations for Japanese, French, and Spanish.
Improved ability to update org admin/member roles on the user detail page.
Added force shutdown of cluster nodes that are not at the same version as the rest of the cluster.
Added configuration options in Tower Configuration UI.
Updated PostgreSQL to 9.6.
Updated Tower by separating Vault credentials from machine credentials.
Added more prompting options to job templates.
Added the ability to prevent IDP user from assuming a local admin role.
Improved the display of SCM revision hashes by abbreviating them, and added ability to easily copy revision to clipboard.
Fixed a potential issue showing encrypted values in the activity stream instead of obfuscation characters.
Added the ability to set an enabled/disabled flag on all supported cloud inventory sources.
Added support for vmware host_filters and groupby_patterns.
Fixed an issue where Tower wouldn’t redirect the user to the right URL after clicking a link and logging in.
Fixed Tower to preserve stderr from custom inventory scripts.
Updated Tower to now act as a fact cache source for jobs.
Improved handling of related resources when inventories are deleted.
Added the ability to show an indicator during background inventory delete.
Updated supported cloud regions for some inventories.
Improved SAML configurations.
Improved LDAP settings validation.
Added support for providing SSL cert for log aggregator service.
Added the ability to set proxy IP whitelists for trusted vs. untrusted load balancers.
Improved the efficiency in generating entries in the activity stream.
Added support for upgrading Ansible during setup playbook run (-e upgrade_ansible_with_tower=1).
Fixed downloading ad-hoc command stdout.
Fixed job launch dependency handling.
Fixed some XSS vulnerabilities.
Added runas privilege escalation support.
Improved handling of instance capacity calculation.
Fixed SSL certificate handling for LDAP.
Updated the Job detail event modals to now be resizeable.
Improved yaml/json editor views.
Improved job list performance.
Fixed a minor XSS vulnerability in the scheduling page
Fixed potential information leakage via websocket
Fixed a CSRF vulnerability in Tower (CVE-2018-10884)
Fixed a RabbitMQ configuration issue that would affect cluster recovery on network interruptions
Fixed organization admins to no longer be able to modify users by adding them to their organization (CVE-2018-1101)
Fixed Tower to disable usage of Jinja templates in launch-time variables for security reasons (CVE-2018-1104). This release introduces the ALLOW_JINJA_IN_EXTRA_VARS configuration parameter for Tower. This parameter has three values: template to allow usage of Jinja saved directly on a job template definition (the default), never to disable all Jinja usage (recommended), and always to always allow Jinja (strongly discouraged, but an option for prior compatibility).
Updated memcached to now listen on a local Unix socket instead of a TCP socket
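A simplified model of the three ALLOW_JINJA_IN_EXTRA_VARS values from the CVE-2018-1104 entry above, as an added example and not Tower's own code. The function names, the "rendered"/"literal" labels, and the rule that a launch-time value identical to the saved one counts as template-defined are assumptions; the sample variables are constructed.

```python
"""Model of the ALLOW_JINJA_IN_EXTRA_VARS modes (illustrative, not Tower's code)."""
import re

MODES = ("template", "never", "always")

# Default Jinja2 delimiters: {{ expression }}, {% statement %}, {# comment #}
JINJA_MARKER = re.compile(r"\{\{|\{%|\{#")


def contains_jinja(value):
    """True if any string nested inside value (dict keys included) has Jinja syntax."""
    if isinstance(value, str):
        return bool(JINJA_MARKER.search(value))
    if isinstance(value, dict):
        return any(contains_jinja(k) or contains_jinja(v) for k, v in value.items())
    if isinstance(value, (list, tuple)):
        return any(contains_jinja(item) for item in value)
    return False


def classify_extra_vars(mode, template_vars, launch_vars):
    """Map each variable name to (source, decision) under the given mode.

    source:   "template" (saved on the job template) or "launch" (supplied at launch)
    decision: "plain"    - the value has no Jinja syntax
              "rendered" - Jinja present and the mode lets this source be templated
              "literal"  - Jinja present but it must stay inert text
    """
    if mode not in MODES:
        raise ValueError("mode must be one of %s" % (MODES,))

    sources = {name: "template" for name in template_vars}
    effective = dict(template_vars)
    for name, value in launch_vars.items():
        # Modelling assumption: a launch-time value only counts as
        # template-defined when it is identical to the saved value.
        if name not in template_vars or template_vars[name] != value:
            sources[name] = "launch"
        effective[name] = value  # launch-time values take precedence

    decisions = {}
    for name, value in effective.items():
        if not contains_jinja(value):
            decision = "plain"
        elif mode == "always" or (mode == "template" and sources[name] == "template"):
            decision = "rendered"
        else:
            decision = "literal"
        decisions[name] = (sources[name], decision)
    return decisions


def neutralized(mode, template_vars, launch_vars):
    """Sorted names whose Jinja syntax is kept inert under the given mode."""
    result = classify_extra_vars(mode, template_vars, launch_vars)
    return sorted(name for name, (_, decision) in result.items() if decision == "literal")


# Constructed sample data: variables saved on a job template and variables
# supplied by the user at launch time.
TEMPLATE_VARS = {"app_name": "web", "app_dir": "/opt/{{ app_name }}"}
LAUNCH_VARS = {
    "app_name": "web",
    "motd": "deployed to {{ inventory_hostname }}",
    "ports": [80, "{% if tls %}443{% endif %}"],
}

if __name__ == "__main__":
    for mode in MODES:
        print(mode, neutralized(mode, TEMPLATE_VARS, LAUNCH_VARS))
```

Running the same launch request through all three modes shows why never is the recommended value: it is the only mode in which no extra variable, whatever its source, reaches the template engine.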
Fixed an issue where certain API endpoints were unreasonably slow when jobs contained large amounts of output
Enhanced Tower to properly show stdout for ad-hoc commands run on other cluster nodes
Fixed an issue where a user, who could modify playbooks, could potentially compromise Tower via an injection of git hooks in SCM repositories (CVE-2017-12148)
Fixed an issue where a specially crafted ad-hoc command could compromise Tower (CVE-2017-12148)
Upgraded the available and bundled versions of RabbitMQ to 3.6.9, which addresses various RabbitMQ CVEs (CVE-2017-4965, CVE-2017-4966, CVE-2017-4967)
Added the ability to customize the log format; the job_events payload will mirror the API structure with minor differences when upgrading from version 3.1.3 to 3.1.4.
Added the ability to configure known proxies in order to allow certain load balancers and hosts when setting up proxy server support.
Added Spanish translations for Ansible Tower
Fixed a problem where survey password defaults of a certain length could prevent a job from launching
Fixed truncation of long job run results causing an excessive number of blank lines
Fixed a problem where running two different jobs in parallel from the same project could cause an error
Fixed a problem where Splunk HTTP event collectors did not send job_event data
Fixed a problem where email notifications could send survey password values in plain text in extra_vars
Fixed handling of job output from certain modules
Fixed a problem where setting “Required” for a Multiple Choice (Single Select) survey question could prevent changing the default
Fixed a problem where provisioning callbacks configured to prompt for extra variables could return an error
Fixed a problem where modifying team permissions when using a basic license would return an error
Fixed a problem in LDAP configuration where adding values to the database caused users to lose permanent access to Tower
Fixed an issue where a database restore could fail
Fixed an issue where setup could fail if there was no firewall installed
Fixed an issue where Insights projects could cause project syncs to fail
Fixed an issue applying Tower configuration across cluster nodes
Added the ability to disable SSL certificate verification for hosted Splunk logging
Improved Ansible Tower to allow for passing extra_vars on ad_hoc commands
Updated Ansible Tower so that it can process facts output from Ansible 2.3
Added subpackaging for server, UI, and setup packages
Added support for Red Hat Insights project type
Added support for explicitly specifying the host descriptor used for RabbitMQ config via rabbitmq_host
Adjusted search on the Job Details screen to match the behavior across Tower
Adjusted Tower logging to log asynchronously
Fixed various and minor UI bugs
Fixed a callback bug which was causing a task_args leak between job events
Fixed an issue where jobs were not able to be sorted by descending ID
Fixed an issue where, when working with Splunk, the log aggregator type shows as Logstash instead of Splunk
Fixed an issue where, when a user has two groups in an inventory (one using a VMware script and one using a custom script), clicking sync on the custom script group caused the sync icon to link to the wrong inventory sync
Fixed a problem where users were not able to put multi-line text in a Text Area-type field in a survey
Fixed a problem where users who had admin access on Workflows, but were not Org level admins, could not add or remove job templates from Workflows
Fixed a problem with job templates that include a multiple choice survey response, where, even when multiple selections are required, the job template ran with an empty array
Fixed a problem where surveys were passing a variable as empty instead of null when they included text or a text area field that had a minimum length >0 and was not filled in
Fixed a problem where Tower jobs hang and do not run when the Splunk server is unresponsive or unavailable
Fixed a problem where users with admin level permissions on projects could not modify project details
Fixed a problem in multiple choice survey inputs where, when selecting a string that had similar characters or words at the beginning or end of the string, a similar but smaller version of that string was rendered as the user’s selection (even though the correct value was still passed to extra-vars on launch)
Fixed an issue around Git project updates failing when the username was specified
Fixed a problem where job templates from mercurial project updates failed to run
Fixed a problem with provisioning callbacks where they failed with ‘400’ responses when extra_vars were passed to the API through curl in the callback
Fixed a problem where running the installer again anytime after successfully creating the rabbitmq user caused the installation program to fail
Fixed an issue where Windows package scan jobs fail when targeting a Windows 2012R2 host
Fixed an issue where users with admin access to Workflow Templates could not modify the workflow
Fixed an issue where a warning was incorrectly displayed for the output of a canceled job
Fixed an issue where Mercurial project revisions were not read correctly for Projects
Fixed an issue where Tower upgrades would fail when applying rabbitmq_user in a cluster
Fixed an issue where certain characters in a Project SCM URL would cause updates to fail
Improved custom inventory scripts support by ensuring that newlines added to the script are not trimmed
Relaxed the SELinux policy dependency to allow Tower to be installed on older Enterprise Linux 7 releases
Updated Ansible Tower so that the host config key is marked as required when provisioning callbacks are selected
Updated Ansible Tower so that PostgreSQL Server is no longer installed on Tower nodes not hosting the database
Updated Ansible Tower so that Tower shows extra_vars for ad-hoc commands in the UI
Added a preflight check for password and pre-3.1.0 active/passive (HA) inventory setups prior to installation
Fixed a problem where, while running a clustered Tower deployment configuration, there were some instances where realtime job event data did not flow through the channel layer
Fixed a problem with searching where an invalid search term was entered and the error dialog continued to persist
Fixed a problem with Slack notifications where they were not emitted if only ‘Failure’ was selected
Fixed a problem where logging out via Tower logout button caused subsequent login attempts to fail
Fixed an issue where, when logging was enabled, a missing logging UUID setting would cause a startup error, making the system unresponsive
Added support for configuring most aspects of Ansible Tower directly from the Tower user interface (and Tower API), rather than editing Tower configuration files
Added support for “Scale-Out” Clusters, which replaces the HA/Redundancy method from prior Tower releases
Added support for Workflows, a chain of job templates executed in order
Added support for sending event and log messages to various logging services (Elastic, Splunk, Sumologic, Loggly, generic REST endpoint)
Added support for a new Tower Search feature which supports GitHub-style “key:value” searching
Added support for Ubuntu 16.04
Added support for a New Project Sync Architecture, where projects are now checked out at job runtime
Added support for setting timeouts on job runs
Added support for internationalization and localization (French and Japanese)
Added support for multi-playbook Workflows
Added /api/v1/settings for Tower managed settings. This corresponds to the in-Tower configuration UI
Added support for Windows scan jobs
Added support so that the SCM Revision used is now stored on Job
Added support for API endpoints to now show __search filter fields for broader searching of objects
Added support so that system jobs are now shown in /api/v1/unified_jobs
Added support for the new Ansible vmware_inventory script
Added support for Job stdout downloads, which may generate and cache on the fly
Added support for /api/v1/inventory_updates and /api/v1/project_updates to view those specific job types
Added support for user_capabilities API elements in various places to allow API consumers to know if their user can perform the referenced actions on the object
Added support for set_stats for Workflow jobs to persist data between Workflow job runs, support added in Ansible core also
Added support for Tower callbacks so that they can now resolve ansible_host as well as ansible_ssh_host
Added support for Tower callbacks so that they now filter out ansible_ variables on POST
Added support for notifications so that they are emitted on jobs marked as failed by the dead job detector
Added eu-west-2 and ca-central-1 to the list of supported EC2 regions
Added support for format=ansi_download when downloading stdout
Deprecated support for Rackspace inventories
Fixed an issue where manual projects could be launched/updated
Fixed various unicode issues
Fixed various issues dealing with self-signed certificates
Fixed Jobs so that they now show $encrypted for these variables, where they previously did not
Improved performance for viewing job and job template lists
Improved Tower virtualenv so that it is purged on upgrade
Improved setup playbook so that it is more tolerant of various iptables/firewalld configurations
Improved the optimization of PostgreSQL installation to improve overall performance
Improved database migrations through consolidation to make upgrades/installs faster
Improved hardening for web server configuration (SSL, HSTS)
Removed zeromq as a communications channel between dependent services in favor of rabbitmq
Removed /api/v1/jobs/n/job_plays and /api/v1/jobs/n/job_tasks
Removed proot in favor of bubblewrap for process isolation
Removed the ability to make POST requests on the /api/v1/jobs/ endpoint
Removed has_schedules from various endpoints, as it was never populated
Removed support for Red Hat Enterprise Linux 6/CentOS 6 and Ubuntu 12.04
Updated surveys so that a blank value for a survey question default value now passes an empty string as a value
Updated surveys so that previously existing surveys with blank default question values now pass empty strings as an extra variable
Updated Websockets, moving them from socket.io to django channels; they are now served under port 443/80 along with the regular web service. Port 8080 is no longer needed.
Updated Job results so that they are now driven by job events and thus provide clickable context
Updated Tower so that it now uses the system time zone by default
Updated Tower requirements for Ansible: Tower now requires Ansible 2.1 or later
Updated Ansible inventory plugins to the latest versions
Updated Web server to NGINX from Apache
Updated survey passwords so that they are now encrypted when stored in the database
Updated request_tower_configuration.sh
Added support for new AWS regions, including an update to the boto version included with Tower
Fixed various minor UI and API related bugs
Fixed a regression with authentication restrictions
Fixed an issue where restoring the database failed when using the RHEL6 bundled installation method
Fixed an issue where, when viewing a host, “extra vars” were not initially formatted properly
Fixed an issue where users were able to relaunch jobs they did not have permission to initially launch
Fixed an issue where, after editing a Job Template, retrieving Job Templates failed when filtered
Fixed an issue where Satellite 6 inventory marked all hosts as disabled
Fixed an issue where Inventory variables were displayed incorrectly when editing hosts
Fixed a rendering issue with the Host Event details window
Fixed an issue where, when launching an inventory update, users were navigated away from the inventory manage view
Fixed an issue where organization auditors could see the user permissions of other users in their organization
Fixed an issue where canceling a Windows job in Tower left an orphaned process running on the control machine
Fixed an issue where empty Host Variable Data produces a 500 error in the API browser after upgrading from 2.4.5
Fixed an issue when using an Azure Service Principal in conjunction with Microsoft Azure inventory
Fixed an issue where Inventory syncs fail against a resource group if it contains a non-standard virtual machine size when using Azure
Fixed an issue where navigating to the admin or users from the organizations view in Tower caused 404 errors
Fixed an issue where, when updating a Rackspace inventory, TypeError messages appeared
Improved the run time performance for playbooks in Tower
Improved support around how YAML is handled with Tower’s variable parser
Improved the population of manual projects in Tower
Improved Event Summary status badge counts
Improved PostgreSQL configuration with regard to authentication (CVE-2016-7070)
Updated PostgreSQL repository location for installation methods
Added support for IAM Roles when configuring an EC2 Inventory Sync
Added support for backing up and restoring Databases created when installing 3.0.x
Added the display of a “working” indicator when toggling Tower components on/off
Added the ability to toggle the view of job labels (view less/view more)
Added the ability to add skip tags to job templates (which may also be prompted for at launch time)
Added documentation around resetting the Tower URL provided in Notification links
Fixed an issue where users could not remove inventory or credentials from job template
Fixed an issue where admins were not properly allowed to copy or edit Job Templates via the API
Fixed an issue where Home/Host column views were not sortable
Fixed the display of schedules to only show those with future activity
Fixed an error where clicking to a different page number while editing a resource and making a new selection indicated an item other than the one currently selected/being edited
Fixed an issue where relaunching a job ignored search filters
Fixed an issue where searching for a user on an inventory permission page queried a project access list URL instead of the inventory access list URL
Fixed an issue where pressing the Enter key (instead of clicking ‘Ok’ with your mouse) closes a pop up error message and, unexpectedly, navigates the user back to the Tower home page
Fixed an issue where system job templates were not being included when viewing unified job template results
Fixed an issue related to relaunching ad hoc commands
Fixed an issue preventing projects from being deleted during an SCM update
Fixed an issue where, when viewing the “Event Summary” field, filtering by task status summary dots returned incorrect tasks information
Fixed an issue where selecting a host on one page, then going to the next page and selecting another host, did not save the prior selection as expected
Fixed an issue where processing extra_vars in a survey caused errors
Fixed an issue regarding how passwords are stored with surveys
Fixed an issue where, when running a playbook with an ignored task, the ignored task was incorrectly marked as failing
Fixed an issue so that Webhook notifications properly display the host summary information
Fixed an issue where provisioning callbacks were running multiple times in a row
Fixed various minor issues related to RBAC permissions and credentials
Fixed various minor API bugs
Fixed various minor UI and tooltips bugs
Fixed an issue related to SAML logins hanging after multiple authorization attempts
Fixed an issue where the “start date” header and schedule preview do not match what is set by the browser locale
Fixed an issue where users could not properly edit their profile
Fixed an issue related to backup/restoring with the setup.sh script
Improved Tower installer compatibility with RHUI repos on RHEL non-AWS instances
Improved upon what the auditor role can view (organization auditors can view inventory script contents in their own organizations, view notification templates in the activity stream, team credentials views)
Improved the consistency of how scheduling is displayed within the Tower UI
Improved how credentials are handled in that they should only be shareable when the organization field is not “null”
Improved how teams are displayed for different organizations when viewing permissions
Improved support for CloudForms and Red Hat Satellite 6 with Tower 3.0.x
Reorganized activity stream views/access for organization admins and auditors
Removed the requirement of needing a password for the network credential when using an SSH key
Removed the requirement of needing AUTH with Email notifications using SMTP
Added a stock schedule job for the ‘Cleanup Fact Details’ management job
Fixed an issue with inventory syncs using Red Hat Satellite 6 credentials
Fixed an issue which incorrectly allowed users assigned to a system auditor role to be able to escalate privileges to teams
Fixed an issue with Webhook notifications where the content-type was being set incorrectly
Fixed an issue where canceling a new job failed to change state from “new” to “canceled”
Fixed an upgrade and credential migration issue which involved null inventory fields in job templates
Fixed an upgrade and migration issue where hosts which had previously been deleted were not skipped during the upgrade process
Fixed an upgrade and migration issue where job templates linked to deleted inventories caused migrations to fail
Fixed an upgrade and migration issue where job templates without inventories caused migrations to fail
Fixed an error related to the logging of RBAC migration data which caused installations to fail
Fixed an issue related to license checks
Fixed other various issues related to upgrading and migration
Fixed the need for elevated permissions to make changes to job templates under some scenarios
Fixed an issue where Organization-level admins could not edit scan jobs that were created prior to upgrading to Tower 3.0
Fixed an issue regarding Software Collections (SCL) installation on EL6
Fixed a problem with subsequent logins after upgrading to Tower 3.0 when using Google OAuth or SAML authentication
Discovered an issue with MS Azure inventory imports using new-style credentials being unsupported on distributions that ship python-2.7 (e.g. not EL6)
Updated the UI to display new jobs in the Jobs overview screen and added a cancellation method for these new jobs
Added a notifications system for Tower which supports services like Slack, HipChat, IRC, etc.
Added support for the new Azure inventory system and the latest Ansible Azure modules (legacy Azure inventory and credentials are still supported)
Azure inventory imports using new-style credentials are only supported on distributions that ship python-2.7 (e.g. not EL6)
Added support for keystone v3 which supports the latest Openstack versions
Added counts and more detail to Organization endpoints (API)
Added prompting for Job Templates
Added labels for Job Templates
Added support for user customization as Ansible tasks now run in their own environment
Added support for new Ansible Network Credentials
Added inventory support for Red Hat Cloudforms and Red Hat Satellite 6
Added SUSE, OpenSuse, and Debian support for scan jobs
Added a link to the schedule in the job detail view if the job was started as a result of a schedule
Added survey spec management without requiring that surveys be enabled on job templates
Added additional strict extra_vars validation. extra_vars passed to the job launch API are only honored if one of the following is true:
they correspond to variables in an enabled survey
ask_variables_on_launch is set to True
Added a deprecation notice for Ubuntu 12 and RHEL 6
Changed how Projects are linked so that they now tie singularly to an Organization
Changed how system tracking and scan data are stored: they are now in postgres. MongoDB dependency removed.
Discovered an issue with ECDSA credentials: if your Tower server has a version of OpenSSH that predates 5.7, jobs launched with ECDSA credentials will fail
Fixed issues with scan jobs on RHEL5
Fixed an issue with the websocket service when Tower is run on CentOS or RHEL 7.2
Fixed issues with Ansible’s no_log causing errors or not hiding data when running jobs
Fixed the way setting a license is done so that it propagates to standby Tower nodes in an HA configuration
Fixed GCE credential handling and inventory filtering
Improved (through a complete rewrite to expand and simplify) the Role-Based Access Control system in Tower
Improved job templates so that multiple invocations of the same job template will only block if the job templates used the same inventory
Improved the setup playbook so that it now hides potentially sensitive information from stdout and the setup log
Improved the setup process so that it now supports installing and configuring PostgreSQL on a remote system
Removed MongoDB and changed view queries to use a PostgreSQL implementation
Removed soft-deletes: Tower now permanently deletes removed objects and the utilities to manage the cleanup of those soft-deleted objects have been removed
Removed Munin monitoring
Updated the look and feel of the entire Tower UI for a more approachable and intuitive user experience
Updated and simplified the Tower setup process so that new Tower installs are now preloaded with Organization, Inventory, Project, and Job Template demo data
Updated the setup process to support installing and configuring PostgreSQL on a remote system
Updated dependencies
Updated Red Hat Enterprise Linux 6/CentOS 6 to use python 2.7 (for Tower only)
Updated the minimum open file descriptor check and configuration by raising it from 1024 to 4096
Corrected an issue where inventory syncs using Rackspace credentials failed
Corrected an issue where the Host Events display provided different results depending on the version of Ansible used
Corrected an issue which caused an error when calling the Ansible yum module on ansible-1.9.4 (or newer)
Improved display for Ansible loops on the job detail page by recognizing new Ansible callback events (v2_runner_item_on_*)
Improved the efficiency of the stdout dump database migration for better memory handling
Updated the Boto release included with Tower to version 2.39.0
Corrected an issue related to Ansible 2.0.0.x job callback events
Corrected an issue where YAML extra_vars were ignored when launching a job template
Corrected an issue where running scan jobs against Red Hat Enterprise Linux 5 inventory failed
Corrected an issue where the Services tab was not populating in scan jobs on SLES 11 or RHEL 5
Corrected an issue with log output filtering
Corrected an issue where the Rackspace module had caching on by default
Corrected an issue where Tower was not working properly on CentOS 7.2 with Python 2.7.5
Corrected an issue where OpenStack modules were not running correctly on systems with Python 2.7 (bumping shade and pyrax versions to allow Ansible 2.0 OpenStack modules to run correctly)
Corrected an issue where the setup/upgrade playbook failed if being run from Ansible 2.X
Note: Ansible 2.0 OpenStack modules will not work on Red Hat Enterprise Linux 6 or CentOS 6.
Added sample configurations for LDAP connection options and disable referrals by default, which corrects a problem with queries hanging with AD
Corrected an issue where the UI does not enable provisioning callbacks properly
Improved performance of user and group queries through better caching
Corrected a problem with EC2 inventories which were not working correctly when instance filters were in use
Corrected an issue when accessing Tower using IE11 web browsers
Corrected an issue where clicking on a job in the activities stream did not show the correct job detail page
Corrected an issue where custom login information was not properly displayed at login
Corrected an issue with scan jobs against Amazon Linux machines throwing error messages instead of warnings
Corrected an API-related problem dealing with sparkline data which corrects the ordering of recent jobs as associated with job templates
Corrected an issue in the UI where cloud credentials associated with an inventory source were not being properly displayed
Corrected an issue where org admins did not have the proper permissions to delete project updates
Corrected several small UI issues
Resolved a failure that, when not connected to the Internet (such as being behind a restrictive firewall), prevented Tower from functioning
Added custom rebranding support
Added the ability to enable and disable basic authentication
Added support for authentication via SAML 2.0 servers, Google Apps, GitHub, and RADIUS
Added support for session limits
Added support for EC2 STS tokens
Added default schedules for system jobs on new installs
Added support to allow multiple scheduled system jobs
Added an example “request_tower_configuration.ps1” PowerShell for use with Tower’s provisioning callbacks
Added analytics and data collection for improving the UI experience of Ansible Tower
Changed the behavior of config.js handling and introduced support for the local_settings.json file for specific variable changes
Changed the way Job Templates work so that they launch using an extra variables hierarchy
Changed session timeout to be set in session.py and no longer in the UI local_config.js file
Changed the local_config.js file to local_settings.json and made it more flexible to override configuration settings
Corrected some Tower features when using Ansible 2.0
Corrected an issue where ‘Overwrite’ in an inventory update would imply ‘Overwrite Variables’
Corrected an issue where Tower-cli ignored default answers when trying to launch a job with a survey
Corrected an issue that prevented LDAP logging from working correctly
Corrected an issue where Null errors were returned after deleting an Organization associated with a Custom Inventory Script with an Inventory
Incorporated a feature which adds an Auth-Token-Timeout to every response that includes a valid user-supplied token
Noted a known issue where using the strategies feature of Ansible 2.0 in Ansible Tower causes jobs to not display properly (support for the strategies feature will be added in a future release of Tower)
Removed the ability to delete the default set Organization for Basic-level license users
Corrected an issue where PRoot being enabled caused jobs to fail on systems using SSH ControlPersist.
Caution: If Ansible’s Customer Support recommended that you disable PRoot to solve the failing jobs problem (setting AWX_PROOT_ENABLED=False), consult with Support to determine if re-enabling PRoot is appropriate for your particular use case.
Added support for bundled installations
Added improvements for preflight free disk space check
Added Ansible installation support where the Ansible Tower installer now attempts to install Ansible as part of the installation process
Corrected an issue where launching a JT with a Survey attached failed if you had survey data types other than “text” or “text area”
Corrected an issue where scan jobs fail on large file scans
Corrected an issue where projects were not included in system backups
Corrected an issue where downloading stdout in text format would return JSON instead
Corrected an issue where downloading stdout in text format would incorrectly escape characters
Corrected a performance issue when accessing jobs and job_templates
Corrected an issue where unicode credential passwords caused migrations to fail
Corrected a performance issue when Tower redacts sensitive data from job output
Fixed performance issues when job stdout was very large
Corrected an issue where stdout display in Tower would fail on some unicode output
Corrected an issue where EC2 inventory sync would fail if instances had blank tags
Corrected an issue where jobs would not cancel properly on user cancellation (applies to EL6 platforms where PRoot was enabled by default)
Corrected an issue when restoring a Tower database backup to a remote PostgreSQL database
Added support for newer OpenSSH private key format
Fixed display of Tower version in ‘About Tower’
Fixed links to Ansible GitHub repository in dynamic inventory online help
Added System Tracking job scan (available for Enterprise and Premium licenses only)
Simplified Dashboard and Interface with new Setup Menu
Added inventory support for OpenStack
Added data cleanup and snapshot retention scheduling
Added Ansible Galaxy integration
Added support for Remote Command Execution
Added Status widget for easily viewing the 10 most recent jobs run on a job template
Added integration for easier backups and restorations into the Tower setup playbook
Adjusted dates to display in the user’s locale format
Simplified password/passphrase entry
Added more configurable verbosity levels for job templates
Assorted other bugfixes and enhancements
API change: Formatting of extra_vars attached to Job Template records is preserved. Previously, YAML would be converted to JSON and returned as JSON. In 2.2.0 and newer, YAML is returned as YAML with formatting and comments preserved, and JSON is returned as JSON.
Corrected Tower’s Live Events feature, again. Really.
Corrected an issue where Tower Live Events would attempt to endlessly reconnect
Corrected issues when running with Ansible 1.9.0.1
Corrected multiple issues with Tower’s Live Events feature
Corrected an issue where Tower would become stuck if a job was killed due to memory exhaustion
Improved the response time of Project queries
Corrected an error that caused users to be unable to relaunch jobs
Multi-tenancy security enabled by default for new installs
Added support for setting VPC id for RDS instances to EC2 dynamic inventory
Added the ability for organization admins to create surveys
Added support for scheduling of custom inventory scripts
Corrected an error when parsing extra_vars as YAML
Corrected an error when configuring a remote database
Added EULA agreement when updating license
Corrected the sending of live events in some cases
Corrected a potential XSS issue
New simplified Portal Mode view for users, access at https://<Tower server name>/portal/
New surveys on job templates allow easy prompting of users for job parameters
Tower can now use an external PostgreSQL instance as the Tower database, including Amazon’s RDS
Added support for active/passive High Availability Tower deployments
Custom dynamic inventory scripts can be pasted in using the admin user menu
Limit Amazon EC2 inventory imports into Tower based on tags, keys, and more
Tower data cleanup jobs can now be scheduled and run directly from the Tower interface instead of logging into the Tower instance
The /etc/awx Tower configuration directory has moved to /etc/tower
Non-admin API users must now use the /launch endpoint for a job template and can no longer call a job’s /start endpoint directly.
Many assorted improvements and fixes
Ensured websocket connection uses user’s RBAC credentials
Corrected a potential CSRF issue when using the REST API graphical browser
Corrected a privilege escalation related to user account levels
Further corrections for job execution with certain 0mq library versions
Changes to AMI license logic to allow bring-your-own-license usage
Corrected a job execution issue due to 0mq library versions on certain platforms
Reduced logfile verbosity and retention for some Tower subcomponents
Adjusted setup playbook for the release of EPEL 7
New dashboard that provides at-a-glance status of your Ansible deployment
Completely redesigned job status page featuring real-time playbook output and progress updates
Added support for multiple new cloud providers - Azure, Google Compute Engine, and VMware vSphere
New user interface look and feel
Integrated monitoring support for checking the health of your Tower install
Tower now requires a license to run. Free 10-machine licenses, as well as free large trial licenses, are available at http://ansible.com/license
Support added for Red Hat Enterprise Linux 7 and CentOS 7
Upgrades will reuse password information, not requiring reentry in group_vars/all of setup playbook
Many assorted improvements and fixes
Corrected an issue handling Unicode output from ansible-playbook
Corrected an issue displaying job details for some jobs
Performance improvements to inventory import and deletion
Groups UI under inventory tab is now paginated
Updated UI options for moving and copying groups (and host contents)
Added the ability to optionally prompt for job variables when launching jobs to the job template detail pages
Correctly handle schedule creation when browser timezone cannot be detected.
Corrected pagination on job_events page.
Corrected a provisioning callback issue on Enterprise Linux.
Added a sample provisioning callback script.
Various backend and UI improvements.
Scheduling for Jobs, SCM updates, and Inventory synchronization has been added. The UI for each of these objects has changed to accommodate this new scheduling feature.
The jobs page has been overhauled to show completed, active, queued, and scheduled jobs.
Inventory and project synchronization jobs are now also shown on the jobs page.
Added support for Ansible Vault to Credentials. For more information on how to use Ansible Vault, please visit: http://docs.ansible.com/playbooks_vault.html.