AWX
Ansible Tower is centered around the idea of organizing Projects (which run your playbooks via Jobs) and Inventories (which describe the servers on which your playbooks should be run) inside of Organizations. Organizations can then be set up with different levels of access based on Users and Credentials grouped in different Teams.
Configuration
LDAP Authentication
- Go to Settings → Authentication and choose LDAP as sub category
- Set the LDAP Server URI to
  ldaps://ldap.in.tum.de:636
- Set Group type to PosixGroupType
- If you wish to restrict logins to a certain group set LDAP require group to the DN:
cn=il11admin,ou=Gruppen,ou=IN,o=TUM,c=DE
- Tell AWX how to search for users and groups by setting the User search and Group search options respectively:
  [ "ou=Personen, ou=IN, o=TUM, c=de", "SCOPE_SUBTREE", "(uid=%(user)s)" ]
  [ "ou=Gruppen, ou=IN, o=TUM, c=de", "SCOPE_SUBTREE", "(objectClass=posixGroup)" ]
  The first element of each list is the base DN, the second tells AWX to search the whole subtree below it, and the third is the filter applied to the results.
- Tell AWX which groups have superuser access
{ "is_superuser": "cn=il11admin,ou=Gruppen,ou=IN, o=TUM,c=DE" }
- Map groups to Organizations and Teams. The following example adds all users in il11 to the Organization I11, with all users in il11admin additionally becoming admins of the organization and members of the Admin Team within it:
  {
    "I11": {
      "admins": "cn=il11admin,ou=Gruppen,ou=IN, o=TUM,c=DE",
      "remove_users": false,
      "remove_admins": false,
      "users": "cn=il11,ou=Gruppen,ou=IN,o=TUM,c=DE"
    }
  }
  {
    "Admin": {
      "organization": "I11",
      "users": "cn=il11admin,ou=Gruppen,ou=IN,o=TUM,c=DE",
      "remove": true
    }
  }
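To check what a given set of LDAP group memberships would yield under the flag, organization and team maps above, here is a small simulator. It is an added example, not AWX's own code; it re-implements the rule shape used in these maps (a value may be true, false, a DN or a list of DNs) and assumes DNs are compared case-insensitively with whitespace after commas removed, which the page does not state for AWX itself.

```python
"""Simulate AWX's LDAP flag, organization and team mapping for one user.

Added example, not AWX's own code. Assumption: DNs are compared
case-insensitively with whitespace after commas stripped. The remove_*
flags only affect revoking existing access and are not simulated.
"""
from typing import Dict, List, Optional, Union

Spec = Optional[Union[bool, str, List[str]]]

# Constructed to match the mappings shown above.
FLAG_MAP = {"is_superuser": "cn=il11admin,ou=Gruppen,ou=IN, o=TUM,c=DE"}
ORG_MAP = {"I11": {"admins": "cn=il11admin,ou=Gruppen,ou=IN, o=TUM,c=DE",
                   "remove_users": False, "remove_admins": False,
                   "users": "cn=il11,ou=Gruppen,ou=IN,o=TUM,c=DE"}}
TEAM_MAP = {"Admin": {"organization": "I11",
                      "users": "cn=il11admin,ou=Gruppen,ou=IN,o=TUM,c=DE",
                      "remove": True}}


def norm(dn: str) -> str:
    """Normalise a DN for comparison (see the assumption above)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def matches(spec: Spec, groups: List[str]) -> bool:
    """True if the user's group DNs satisfy one map value."""
    if spec is True:
        return True
    if not spec:                      # False, None or an empty list
        return False
    wanted = [spec] if isinstance(spec, str) else spec
    have = {norm(g) for g in groups}
    return any(norm(dn) in have for dn in wanted)


def evaluate(groups: List[str]) -> Dict[str, object]:
    """Superuser flag, organization roles and team memberships for a user."""
    orgs = {org: {"user": matches(rule.get("users"), groups),
                  "admin": matches(rule.get("admins"), groups)}
            for org, rule in ORG_MAP.items()}
    teams = {team: {"organization": rule["organization"],
                    "member": matches(rule.get("users"), groups)}
             for team, rule in TEAM_MAP.items()}
    return {"is_superuser": matches(FLAG_MAP["is_superuser"], groups),
            "organizations": orgs, "teams": teams}


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate(["cn=il11,ou=Gruppen,ou=IN,o=TUM,c=DE"]), indent=2))
```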
SSL and Reverse Proxy
By default AWX listens on port 8080. In order to access AWX on the standard ports, an nginx proxy is used to relay traffic from 80/443 to 8080. SSL certificates can also be configured in nginx to secure the traffic.
For callbacks to work with this proxy setup a configuration option needs to be enabled:
- Go to Settings → System
- Under “Remote Host Headers” the entry should look like this:
  HTTP_X_FORWARDED_FOR, REMOTE_ADDR, REMOTE_HOST
  Since AWX then trusts the forwarded header to identify the calling host, the header should be set by the nginx proxy rather than passed through unchanged from clients; the Proxy IP Allowed List in the same System settings restricts which proxy addresses may supply it.
- Callbacks can now be made with remote_host and remote_addr in the POST headers:
  curl -H "remote-host: <host>" \
       -H "remote-ip: $(ip addr show | grep 'inet ' | head -2 | tail -1 | awk '{print $2}' | cut -f1 -d'/')" \
       --noproxy "*" -k -XPOST \
       --data "host_config_key=d1d1092f-1638-4ac3-aca6-a76dd5156fc9" \
       https://awx.cm.in.tum.de/api/v2/job_templates/16/callback/
Building custom docker images
In order to use some ansible modules it may be necessary to install extra packages in the awx_task container. The best way to do this is to build custom images for the containers, which can be done with the official installer:
- Edit the inventory file in the awx/installer directory (where awx is the root of the cloned awx repository) and remove the following line:
  dockerhub_base=ansible
- Add the packages to be installed to awx/installer/roles/image_build/templates/Dockerfile.j2. Note that as AWX uses CentOS for its base image, package names may differ from those in Ubuntu.
- For additional Python modules follow the instructions in awx/requirements/README and add the modules to awx/requirements/requirements_ansible.in before executing pip-compile.
- In awx/installer execute the following:
  # ansible-playbook -i inventory install.yml
Inventory Scripts
AWX can use scripts to automatically update inventories. They can be written in any scripting language installed in the awx_task container and must produce output in JSON format:
  {
    "_meta": {
      "hostvars": {
        "host1": { "var1": "value1", "var2": "value2" },
        "host2": ...
      }
    },
    "group1": [ "host1", "host2", ... ],
    "group2": ...
  }
To use an inventory script add it as a source to an existing regular inventory.
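As an added example (not from the original page), a minimal inventory script that produces exactly the structure described above from a constructed host table, answering both the --list and --host calls Ansible makes. In a real deployment the HOSTS table would be replaced by a query to your CMDB or cloud API.

```python
#!/usr/bin/env python3
"""Minimal AWX inventory script (added example, not from the original page).

Emits the {"_meta": {"hostvars": ...}, "group": [hosts]} structure from a
constructed host table. Ansible/AWX call it with --list for the whole
inventory and with --host <name> for one host's variables.
"""
import json
import sys
from typing import Dict, List

# Constructed sample data: (hostname, group, ansible_host, extra host vars)
HOSTS = [
    ("web1.example.invalid", "webservers", "10.0.0.11", {"http_port": 80}),
    ("web2.example.invalid", "webservers", "10.0.0.12", {"http_port": 8080}),
    ("db1.example.invalid", "databases", "10.0.0.21", {"mariadb_port": 3306}),
]


def build_inventory(hosts=HOSTS) -> Dict:
    """Return the full --list structure: group lists plus _meta.hostvars."""
    inventory: Dict = {"_meta": {"hostvars": {}}}
    for name, group, addr, extra in hosts:
        inventory.setdefault(group, []).append(name)
        hostvars = {"ansible_host": addr}
        hostvars.update(extra)
        inventory["_meta"]["hostvars"][name] = hostvars
    return inventory


def host_vars(name: str, hosts=HOSTS) -> Dict:
    """Return the variables for one host (--host); empty dict if unknown."""
    return build_inventory(hosts)["_meta"]["hostvars"].get(name, {})


def main(argv: List[str]) -> int:
    if len(argv) == 2 and argv[1] == "--list":
        print(json.dumps(build_inventory(), indent=2))
    elif len(argv) == 3 and argv[1] == "--host":
        print(json.dumps(host_vars(argv[2]), indent=2))
    else:
        print("usage: inventory.py --list | --host <name>", file=sys.stderr)
        return 2
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```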
Custom credential types
AWX does not provide credential types for all services. It is however possible to create new custom types under Credential Types→+
- Specify the input fields. Typically these will be username and password. Fields marked as secret get a password entry field while the others get a regular text entry. Required fields must be listed separately:
  fields:
    - id: username
      type: string
      label: Username
    - id: password
      type: string
      label: Password
      secret: true
  required:
    - username
    - password
- Specify how the credentials are injected. This can be done using either environment variables or AWX extra vars:
  env:
    MARIADB_PASSWORD: '{{ password }}'
    MARIADB_USER: '{{ username }}'
  extra_vars:
    MARIADB_PASSWORD: '{{ password }}'
    MARIADB_USER: '{{ username }}'
Backup & Restore
- Install the ansible-tower-cli tool:
  sudo pip3 install ansible-tower-cli
- Configure tower-cli for use with untrusted hosts (wrong certificate):
  sudo vim /home/i11/.tower_cli.cfg
  with the content:
  [general]
  host = one-awx.cm.in.tum.de
  insecure = True
  verify_ssl = False
- Don't forget to unset the local proxy variables, otherwise the connection times out:
  unset http_proxy HTTP_PROXY https_proxy HTTPS_PROXY
- Log in as a user:
  tower-cli login cmadmin
- Export all AWX objects as JSON (takes some minutes):
  tower-cli receive --all > awx_backup.json
- Change the host in the config file and delete the stored token, then log in on the host to which the backup should be restored.
- Restore to the other AWX host with:
  tower-cli send awx_backup.json
Develop New Playbook
Developing new playbooks and roles involves a lot of testing. AWX uses git to fetch the latest project and file changes. During development it is impractical to commit every small change to git, so a different procedure and pipeline is used.
- Main: awx.cm.in.tum.de
- Development: dev-awx.cm.in.tum.de
The project on dev-awx.cm.in.tum.de is checked out manually on the VM itself. Log in on the VM dev-awx, go to the project directory /var/lib/awx/projects/manual-ansible-scripts and check out the latest changes:
  sudo git fetch origin
  sudo git merge origin/master
Now you can make changes to the project locally on the VM and immediately start playbooks on dev-awx that use and test these changes. Once you are finished, apply the changes to the project checkout on your laptop/PC and commit them to git.