If users of Ansible Tower 3.2.0, 3.2.1, or 3.2.2 upgrade to Ansible version 2.5 (including beta releases) or higher, run cloud inventory updates, then subsequently upgrade to Ansible Tower 3.2.3, they may find that changes in group-level and inventory-level variables fail to take effect in playbook runs after an inventory update. Refer to the Upgrade Planning section of the Ansible Tower Upgrade and Migration Guide for further detail, or Remediation Steps for a workaround.
Any custom credential type attached to an inventory source cannot use an
extra_vars injector as it will cause inventory imports to fail.
If you start an isolated job, then kill the instance managing it, Tower will be unable to determine the status of the job, and manual intervention will be necessary. Contact Ansible via the Red Hat Customer portal at https://access.redhat.com/ for instructions specific to your scenario.
If placing Tower nodes behind some sort of proxy, this may pose a security issue. This approach assumes traffic is always flowing exclusively through your load balancer, and that traffic that circumvents the load balancer is suspect to
X-Forwarded-For header spoofing. See Proxy Support.
If you add a license to an unlicensed Tower Instance, websocket events are not available for the duration of that session. To make websockets available again, refresh or re-authenticate your browser.
When Tower is accessed via hostname only (e.g. https://my-little-tower), trying to read the SAML metadata from /sso/metadata/saml/ generates a
sp_acs_url_invalid server error.
A configuration in which uses SAML when accessing Tower via hostname only instead of an FQDN, is not supported. Doing so will generate an error that is captured in the tower.log file and in the browser with full traceback information.
At this time, Tower does not support running when the operating system is configured to operate in FIPS mode.
Live events status dots are either seen as a red or orange dot at the top of the Tower Dashboard when something goes wrong. They are not seen at all when the system is in a healthy state. If you encounter a red or orange live events status indicator, even when your system seems fine, the following suggestions may offer a solution:
Live event status dots are used for troubleshooting problems with your Tower instance and the
socketio logs can point out anything problematic. You can collect troubleshooting help by running a
sosreport. As root, run the command
sosreport from your system to automatically generate a diagnostic tar file, then contact Ansible’s Support team with the collected information for further assistance.
Starting with Ansible Tower 2.2.0, live events status indicators only appear if Tower detects a problem. In earlier releases, a green status dot was shown to indicate a healthy system.
If you have a vmware instance that uses a self-signed certificate, then you will need to add the followig to the Source Vars configuration of the Cloud Group:
"source_vars": "---\nvalidate_certs: False",
If celery is not cleanly shutdown, it leaves a
/var/lib/awx/beat.db file on disk.
If you observe the traceback in the initial comment, you must manually delete the
/var/lib/awx/beat.db file and restart Tower.
The following connection error displays in Tower:
This error is the result of Safari silently refusing to establish a connection to a web socket that is using a self-signed certificate. To resolve this issue, you must set Safari to always trust the website upon first visiting it:
If you click Continue without checking the checkbox, this error will persist.
Ansible Tower 3.2 contains bindings for Microsoft Azure compatible with Ansible 2.4. However, these bindings will not work with Ansible 2.3, Tower 3.1, and earlier. If you are using Azure with Ansible Tower 3.2 or later, you must use Ansible 2.4 or later.
Instances have been reported that
su commands do not work when using an entirely local playbook or a playbook with some local_actions cases. This is likely due to PRoot being enabled. To use
su commands with local playbooks or those with local_actions, PRoot must be disabled. You can disable PRoot through the Jobs tab of the Configure Tower screen by setting the Enable Job Isolation toggle to OFF:
Click Save to save your changes and restart services.
The PRoot functionality in Ansible Tower limits which directories on the Tower file system are available for playbooks to see and use during playbook runs. If you are attempting to customize SSH behavior by using a custom SSH configuration in the Tower user’s home directory, this directory must be added to the list of directories exposed by PRoot.
For example, to add a custom SSH config in
/var/lib/awx/.ssh/config and make it available for Tower jobs, you can specify the path in the Job Execution Isolation Path field accessed from the Jobs tab of the Configure Tower screen:
If you are using the bundled installer for Ansible Tower, note that only Red Hat Enterprise Linux and CentOS are supported at this time. Ubuntu support has not yet been added to the bundled installer. Ubuntu users can continue to use the unbundled installer.
Proactive session limits will kick the user out when the session is idle. It is strongly recommended that you do not set the session limit to anything less than 1 minute, as doing so will break your Ansible Tower instance.
Ansible 2.0 introduces strategies, such as
strategy: free, but Ansible Tower support for these new strategies is not yet available in Tower version 2.4.0. This Ansible feature will not be added to Tower until a later release.
If you attempt to use
strategy: free or the
serial keyword in Ansible Tower, jobs will run, but they will not display properly in the Job Detail page.
Refer to the following link for more information: https://docs.ansible.com/ansible/playbooks_strategies.html
Once a user who logs in using social authentication has been deleted, the user will not be able to login again or be recreated until the system administrator runs a
cleanup_deleted action with
days=0 to allow users to login again. Once
cleanup_deleted has been run, Tower must be restarted using the
ansible-tower-service restart command. Accounts which have been deleted prior to having the
cleanup_deleted action run will receive a “Your account is inactive” message upon trying to login.
When using inventory from a source control project, vaulted variables are not currently supported.
When installing on a Red Hat Enterprise Linux 7.2 or 7.3 EUS system, installation may fail on the step “Install the Tower RPM” with a dependency error.
In this case, you will need to manually apply https://access.redhat.com/errata/RHBA-2017:1929 before installing Ansible Tower.