Documentation

7. Installing Ansible Automation Platform

Ansible Automation Platform can be installed in various ways by choosing the best mode for your environment and making any necessary modifications to the inventory file. For OpenShift-based deployments, you can only deploy Tower on OpenShift. Deployment of Automation Hub on OpenShift is not supported. However, you can deploy Automation Hub in a virtual environment that points to OpenShift. For more detail, refer to OpenShift Deployment and Configuration.

7.1. Ansible Automation Platform Installation Scenarios

Ansible Automation Platform can be installed using one of the following scenarios:

Single Machine:

  • Standalone Tower with database on the same node as Tower or non-installer managed database. This is a single machine install of Tower - the web frontend, REST API backend, and database are all on a single machine. This is the standard installation of Tower. It also installs PostgreSQL from your OS vendor repository, and configures the Tower service to use that as its database.

    [tower]
    host
    
  • Standalone Tower with an external managed database. This installs the Tower server on a single machine and configures it to talk to a remote instance of PostgreSQL 10 as its database. This remote PostgreSQL can be a server you manage, or can be provided by a cloud service such as Amazon RDS:

    [tower]
    host
    
    [database]
    host2
    
  • Standalone Automation Hub with a database on the same node as Automation Hub or non-installer managed database:

    [automationhub]
    host
    
  • Standalone Automation Hub with an external managed database. This installs the Automation Hub server on a single machine and installs a remote PostgreSQL database via the playbook installer (managed by Automation Platform Installer).

    [automationhub]
    host
    
    [database]
    host2
    

Platform Installation:

Platform installation involves Tower and Automation Hub. The Platform installer allows you to deploy 1 and only 1 Automation Hub per inventory. Given the installer can be used as an Automation Hub standalone installer, you can run the installer any number of times with any number of different inventories if you want to deploy multiple Automation Hub nodes. The 2 options supported for the Platform installation are:

  • Platform (Tower + Automation Hub) with a database on the same node as Tower or non-installer managed database:

    [tower]
    host1
    
    [automationhub]
    host2
    
  • Platform (Tower + Automation Hub) with an external managed database:

    [tower]
    host1
    
    [automationhub]
    host2
    
    [database]
    host3
    

Multi-Machine Cluster

This scenario involves Platform (Clustered Tower + Automation Hub) installation with an external managed database. In this mode, multiple Tower nodes are installed and active. Any node can receive HTTP requests and all nodes can execute jobs. This installs the Platform server on a single machine and configures it to talk to a remote instance of PostgreSQL as its database. This remote PostgreSQL can be a server you manage, or can be provided by a cloud service such as Amazon RDS:

[tower]
host1
host11
host12

[automationhub]
host2

[database]
host3

注解

Running in a cluster setup requires any database that Tower uses to be external--PostgreSQL must be installed on a machine that is not one of the primary or secondary tower nodes. When in a redundant setup, the remote PostgreSQL version requirements is PostgreSQL 10.

For more information on configuring a clustered setup, refer to 集群.

注解

1). Tower will not configure replication or failover for the database that it uses, although Tower should work with any replication that you have. 2). The database server should be on the same network or in the same datacenter as the Tower server for performance reasons. 3). Tower and Automation Hub can not run on the same node, this is a scenario that is not supported. It means that any deployment of the Platform becomes at least a 2-node deployment topology.

Settings available for an Automation Platform install:

  • automationhub_importer_settings: Dictionary of settings/configuration to pass to galaxy-importer. It will end up in /etc/galaxy-importer/galaxy-importer.cfg

  • automationhub_require_content_approval: Whether or not Automation Hub enforces the approval mechanism before collections are made available

  • automationhub_disable_https: Whether or not Automation Hub should be deployed with TLS enabled

  • automationhub_disable_hsts: Whether or not Automation Hub should be deployed with the HTTP Strict Transport Security (HSTS) web-security policy mechanism enabled

  • automationhub_ssl_validate_certs: Whether or not Automation Hub should validate certificate when requesting itself (default = False) because by default, Platform deploys with self-signed certificates

  • automationhub_ssl_cert: Same as web_server_ssl_cert but for Automation Hub UI and API

  • automationhub_ssl_key: Same as web_server_ssl_key but for Automation Hub UI and API

  • automationhub_backup_collections: Automation Hub provides artifacts in /var/lib/pulp. By default, this is set to true so Tower automatically backs up the artifacts by default. If a partition (e.g., LVM, NFS, CephFS, etc.) was mounted there, an enterprise organization would ensure it is always backed up. If this is the case, you can set automationhub_backup_collections = false and the backup/restore process will not have to backup/restore /var/lib/pulp.

For OpenShift-based deployments, refer to OpenShift Deployment and Configuration.

7.2. 设置清单(Inventory)文件

在编辑清单(inventory)文件时,您必须记住以下几点:

  • 清单文件的内容应该在 ./inventory 中定义,并由 ./setup.sh 安装程序 playbook 引用。

  • 安装和升级:如果需要使用外部数据库,您必须确保清单文件中的数据库部分被正确设置。在运行设置脚本前,编辑此文件以添加外部数据库信息。

  • For Ansible Automation Platform or Automation Hub: Be sure to add an automation hub host in the [automationhub] group (Tower and Automation Hub cannot be installed on the same node).

  • Tower will not configure replication or failover for the database that it uses, although Tower should work with any replication that you have.

  • The database server should be on the same network or in the same data center as the Tower server for performance reasons.

  • 升级现有集群:当升级集群时,您可能需要重新配置集群以忽略现有的实例或实例组。从清单文件中删除这些实例或实例组不足以从集群中删除它们。除了在清单文件中删除它们以外,在开始升级前,请参阅 deprovision instances or instance groups 的内容进行需要的操作。否则,忽略的实例或实例组将继续与集群通信,这可能会导致 tower 服务在升级过程中出现问题。

  • 集群安装:如果您要创建集群设置,则必须使用所有实例的主机名或 IP 地址替换 localhost。所有节点/实例都必须能够使用这个主机名或 IP 地址访问其他节点。换句话说,您不能在其中一个节点上使用``localhost ansible_connection=local`` *并且*所有节点都应该使用相同的主机名格式。

    因此,这将*不能*工作:

    [tower]
    localhost ansible_connection=local
    hostA
    hostB.example.com
    172.27.0.4
    

    需要使用以下格式:

    [tower]
    hostA
    hostB
    hostC
    

    或者

    hostA.example.com
    hostB.example.com
    hostC.example.com
    

    或者

    [tower]
    172.27.0.2
    172.27.0.3
    172.27.0.4
    
  • 所有标准安装:当执行安装时,您必须在清单文件中提供所需的密码。

注解

对安装过程所做的更改现在需要填写清单文件中的所有密码字段。它们应该和以下类似:。它们应该和以下类似:

admin_password='' <-- Tower 本地 admin 密码

pg_password='' <---- 在 /etc/tower/conf.d/postgres.py 中

警告

不要在 pg_password 中使用特殊字符, 因为它可能导致设置失败。

7.2.1. 清单文件示例

  • 置备新节点:当置备新节点时,将节点添加到清单文件,确保所有密码都包含在清单文件中。

  • 升级一个节点:当升级时,将清单文件与当前版本进行比较。推荐即使在升级时,也在清单文件中保存密码。

7.2.1.1. 独立 Automation Hub 清单文件示例

[automationhub]
automationhub.acme.org
[all:vars]
automationhub_admin_password='<password>'
automationhub_pg_host=''
automationhub_pg_port=''
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'
# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

7.2.1.2. 平台清单文件示例

[tower]
tower.acme.org
[automationhub]
automationhub.acme.org
[database]
database-01.acme.org
[all:vars]
admin_password='<password>'
pg_host='database-01.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
# Automation Hub Configuration
#
automationhub_admin_password='<password>'
automationhub_pg_host='database-01.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'
# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# Isolated Tower nodes automatically generate an RSA key for authentication;
# To disable this behavior, set this value to false
# isolated_key_generation=true
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

7.2.1.3. 单一节点清单文件示例

[tower]
localhost ansible_connection=local

[database]

[all:vars]
admin_password='password'

pg_host=''
pg_port=''

pg_database='awx'
pg_username='awx'
pg_password='password'

警告

不要在 pg_password 中使用特殊字符, 因为它可能导致设置失败。

7.2.1.4. 多节点集群清单文件示例

[tower]
clusternode1.example.com
clusternode2.example.com
clusternode3.example.com

[database]
dbnode.example.com

[all:vars]
ansible_become=true

admin_password='password'

pg_host='dbnode.example.com'
pg_port='5432'

pg_database='tower'
pg_username='tower'
pg_password='password'

警告

不要在 pg_password 中使用特殊字符, 因为它可能导致设置失败。

7.2.1.5. 外部数据库的清单文件示例

[tower]
node.example.com ansible_connection=local

[database]

[all:vars]
admin_password='password'
pg_password='password'


pg_host='database.example.com'
pg_port='5432'

pg_database='awx'
pg_username='awx'

警告

不要在 pg_password 中使用特殊字符, 因为它可能导致设置失败。

7.2.1.6. 需要安装外部数据库的清单文件示例

[tower]
node.example.com ansible_connection=local


[database]
database.example.com

[all:vars]
admin_password='password'
pg_password='password'

pg_host='database.example.com'
pg_port='5432'

pg_database='awx'
pg_username='awx'

警告

不要在 pg_password 中使用特殊字符, 因为它可能导致设置失败。

一旦进行了必要的修改,就可以运行 ./setup.sh

注解

需要对远程机器的 root 访问权限。在 Ansible 中,可以通过以下不同方式实现:

  • ansible_user=root ansible_ssh_pass="your_password_here" inventory host or group variables

  • ansible_user=root ansible_ssh_private_key_file="path_to_your_keyfile.pem" inventory host or group variables

  • ANSIBLE_BECOME_METHOD='sudo' ANSIBLE_BECOME=True ./setup.sh

  • ANSIBLE_SUDO=True ./setup.sh(只适用于 Ansible 2.7)

DEFAULT_SUDO Ansible 配置参数在 Ansible 2.8 中被删除,这会导致使用 ANSIBLE_SUDO=True ./setup.sh 进行权限升级的方法无法正常工作。如需了解关于 become 插件的更多信息,请参考 Understanding Privilege Escalationlist of become plugins

7.3. Playbook setup

The Tower setup playbook script uses the inventory file and is invoked as ./setup.sh from the path where you unpacked the Tower installer tarball.

[email protected]:~$ ./setup.sh

The setup script takes the following arguments:

  • -h -- Show this help message and exit

  • -i INVENTORY_FILE -- Path to Ansible inventory file (default: inventory)

  • -e EXTRA_VARS -- Set additional Ansible variables as key=value or YAML/JSON (i.e. -e bundle_install=false forces an online installation)

  • -b -- Perform a database backup in lieu of installing

  • -r -- Perform a database restore in lieu of installing (a default restore path is used unless EXTRA_VARS are provided with a non-default path, as shown in the code example below)

./setup.sh -e 'restore_backup_file=/path/to/nondefault/location' -r

After calling ./setup.sh with the appropriate parameters, Tower is installed on the appropriate machines as has been configured. Setup installs Tower from RPM packages using repositories hosted on ansible.com.

Once setup is complete, use your web browser to access the Tower server and view the Tower login screen. Your Tower server is accessible from port 80 (https://<TOWER_SERVER_NAME>/) but will redirect to port 443 so 443 needs to be available also.

Login form

If the installation of Tower fails and you are a customer who has purchased a valid license for Ansible Tower, please contact Ansible via the Red Hat Customer portal at https://access.redhat.com/.

7.4. Changing the Password

Once installed, if you log into the Tower instance via SSH, the default admin password is provided in the prompt. You can then change it with the following command (as root or as AWX user):

awx-manage changepassword admin

After that, the password you have entered will work as the admin password in the web UI.