This guide helps you get your Ansible Tower installation up and running as quickly as possible.
At the end of the installation, using your web browser, you can access and fully utilize Tower.
While this guide covers the basics, you may find that you need the more detailed information available in the Installation and Reference Guide.
You should also review the General Installation Notes before starting the installation.
For platform information, refer to Installation Notes in the Ansible Tower Installation and Reference Guide.
Tower is a full application and the installation process installs several dependencies such as PostgreSQL, Django, NGINX, and others. It is required that you install Tower on a standalone VM or cloud instance and do not co-locate any other applications on that machine (beyond possible monitoring or logging software). Although Tower and Ansible are written in Python, they are not just simple Python libraries. Therefore, Tower cannot be installed in a Python virtualenv or any similar subsystem; you must install it as described in the installation instructions in this guide. For OpenShift-based deployments, refer to OpenShift Deployment and Configuration.
Ansible Tower has the following requirements:
Supported Operating Systems:
- Red Hat Enterprise Linux 8.0 or later 64-bit (only Ansible Tower 3.5 and greater can be installed)
- Red Hat Enterprise Linux 7.4 or later 64-bit
- CentOS 7.4 or later 64-bit
- Ubuntu 16.04 LTS 64-bit (Ubuntu support is deprecated and will be removed in a future release)
Support for Ubuntu 14.04 as a Tower platform has been removed as of Ansible Tower version 3.4.
A currently supported version of Mozilla Firefox or Google Chrome
- Other HTML5 compliant web browsers may work but are not fully tested or supported.
2 CPUs minimum for Tower installations. Refer to the capacity algorithm section of the Ansible Tower User Guide for determining the CPU capacity required for the number of forks in your particular configuration.
4 GB RAM minimum for Tower installations
- 4 GB RAM (minimum and recommended for Vagrant trial installations)
- 4 GB RAM (minimum for external standalone Postgres databases)
- For specific RAM needs, refer to the capacity algorithm section of the Ansible Tower User Guide for determining capacity required based on the number of forks in your particular configuration
20 GB of dedicated hard disk space for Tower service nodes
- 10 GB of the 20 GB requirement must be dedicated to
/var/, where Tower stores its files and working directories
- The storage volume should be rated for a minimum baseline of 750 IOPS.
20 GB of dedicated hard disk space for nodes containing a database (150 GB+ recommended)
- The storage volume should be rated for a high baseline IOPS (1000 or more.)
- All Tower data is stored in the database. Database storage increases with the number of hosts managed, number of jobs run, number of facts stored in the fact cache, and number of tasks in any individual job. For example, a playbook run every hour (24 times a day) across 250, hosts, with 20 tasks will store over 800000 events in the database every week.
- If not enough space is reserved in the database, old job runs and facts will need cleaned on a regular basis. Refer to Management Jobs in the Ansible Tower Administration Guide for more information
64-bit support required (kernel and runtime)
PostgreSQL version 9.6.X required to run Ansible Tower 3.2 and later
Ansible version 2.2 (at minimum) required to run Ansible Tower versions 3.2 and later
You cannot use versions of PostgreSQL and Ansible older than those stated above and be able to run Ansible Tower 3.2 and later. Both are installed by the install script if they aren’t already present.
For Amazon EC2:
- Instance size of m4.large or larger
- An instance size of m4.xlarge or larger if there are more than 100 hosts
While other operating systems may technically function, currently only the above list is supported to host an Ansible Tower installation. If you have a firm requirement to run Tower on an unsupported operating system, please contact Ansible via the Red Hat Customer portal at https://access.redhat.com/. Management of other operating systems (nodes) is documented by the Ansible project itself and allows for a wider list.
Actual RAM requirements vary based on how many hosts Tower will manage simultaneously (which is controlled by the
forks parameter in the job template or the system
ansible.cfg file). To avoid possible resource conflicts, Ansible recommends 1 GB of memory per 10 forks + 2GB reservation for Tower, see the capacity algorithm for further details. If
forks is set to 400, 40 GB of memory is recommended.
For the hosts on which we install Ansible Tower, Tower checks whether or not
umask is set to 0022. If not, the setup fails. Be sure to set
umask=0022 to avoid encountering this error.
A larger number of hosts can of course be addressed, though if the fork number is less than the total host count, more passes across the hosts are required. These RAM limitations are avoided when using rolling updates or when using the provisioning callback system built into Tower, where each system requesting configuration enters a queue and is processed as quickly as possible; or in cases where Tower is producing or deploying images such as AMIs. All of these are great approaches to managing larger environments. For further questions, please contact Ansible via the Red Hat Customer portal at https://access.redhat.com/.
The requirements for systems managed by Tower are the same as for Ansible at: http://docs.ansible.com/intro_getting_started.html
While Ansible Tower depends on Ansible Playbooks and requires the installation of the latest stable version of Ansible before installing Tower, manual installations of Ansible are no longer required.
Beginning with Ansible Tower version 2.3, the Tower installation program attempts to install Ansible as part of the installation process. Previously, Tower required manual installations of the Ansible software release package before running the Tower installation program. Now, Tower attempts to install the latest stable Ansible release package.
If performing a bundled Tower installation, the installation program attempts to install Ansible (and its dependencies) from the bundle for you (refer to Using the Bundled Tower Installation Program for more information).
If you choose to install Ansible on your own, the Tower installation program will detect that Ansible has been installed and will not attempt to reinstall it. Note that you must install Ansible using a package manager like
yum and that the latest stable version must be installed for Ansible Tower to work properly. At minimum, Ansible version 2.2 is required for Ansible Tower versions 3.2 and later.
For convenience, summaries of those instructions are in the following sections.
Tower can run on systems where FIPS mode is enabled, though there are a few limitations to keep in mind:
Only Enterprise Linux 7+ is supported. The standard python that ships with RHEL must be used for Ansible Tower to work in FIPS mode. Using any non-standard, non-system python for Tower is therefore, unsupported.
By default, Tower configures PostgreSQL using password-based authentication, and this process relies on the usage of
CREATE USER is run at install time. If you intend to run the Tower installer from a FIPS-enabled system, you’ll need to pre-compute an
md5 hash yourself at install time and add its value to the inventory file described in Setting up the Inventory File.
Specifically, you must pre-compute the hashed value on a system without FIPS enabled:
$ python -c 'from hashlib import md5; print("md5" + md5("choose-a-password" + "awx").hexdigest())' md57d08dde7e95e862eaadfff09565e92e6
...and specify both
pg_hashed_password in your inventory file:
ssh-keygen command generates keys in a format (RFC4716) which uses the
md5 digest algorithm at some point in the process (as part of a transformation performed on the input passphrase). On a FIPS-enforcing system,
md5 is completely disabled, so these types of encrypted SSH keys (RFC4716 private keys protected by a passphrase) will not be usable. When FIPS mode is enabled, any encrypted SSH key you import into Ansible Tower must be a
PKCS8-formatted key. Existing
AES128 keys can be converted to
PKCS8 by running the following
$ openssl pkcs8 -topk8 -v2 aes128 -in <INPUT_KEY> -out <NEW_OUTPUT_KEY>
For more details, see: https://access.redhat.com/solutions/1519083
paramikolibrary will not be FIPS compliant. This includes setting
ansible_connection=paramikoas a transport and using network modules that utilize the
md5to obfuscate the content of authorization packets; TACACS+ Authentication is not supported for systems where FIPS mode is enabled.
md5to encrypt passwords in
Access-Requestqueries; RADIUS Authentication is not supported for systems where FIPS mode is enabled.
setup.sh, any repositories needed by Tower are installed automatically.
Ubuntu support is deprecated in Ansible Tower 3.5, and will be removed in a future release. Refer to previous versions of the Ansible Tower Installation and Reference Guide for details on Ubuntu.
Tower can be installed using one of the following scenarios:
1). Tower will not configure replication or failover for the database that it uses, although Tower should work with any replication that you have. 2). The database server should be on the same network or in the same datacenter as the Tower server for performance reasons.
High Availability Multi-Machine Cluster:
Tower can be installed in a high availability cluster mode. In this mode, multiple Tower nodes are installed and active. Any node can receive HTTP requests and all nodes can execute jobs.
Running in a cluster setup requires any database that Tower uses to be external–Postgres must be installed on a machine that is not one of the primary or secondary tower nodes. When in a redundant setup, the remote Postgres version requirements is PostgreSQL 9.6.