Appendix B. Getting Started with Ansible Tower

In this book you’ve learned how to work with Ansible from the command line, or Ansible Engine as Red Hat refers to it. Although working with Ansible from the command line offers you all that you may ever need, there is an alternative that enables you to manage Ansible from a web-based environment. This solution is known as Ansible Tower. You won’t find a single question about Ansible Tower on the exam, but the solution is too important to ignore completely, which is why in this appendix I introduce you to working with Ansible Tower. This appendix covers the following topics:

• Understanding Ansible Tower

• Installing Ansible Tower

• Installing AWX

• Managing Nodes with Ansible Tower

• Understanding Ansible Tower Core Components

• Running a Project in Ansible Tower

Understanding Ansible Tower

Ansible Tower offers a web-based environment to manage Ansible in large environments. From this dashboard you can easily get an overview of the current status of Ansible, the job activity, and the success and failure of recent jobs. It offers other benefits as well:

Workflow design: Using Ansible Tower workflows enables you to model complex processes in Ansible Tower. Different playbooks can be connected together and use different inventories as well as different credentials to run the playbooks.

Activity logging: Ansible Tower provides activity logging. You can easily find out which user ran which job at what specific time.

Scalability: You can build clusters with Ansible Tower. In a cluster, up to 20 cluster nodes can work together to provide Ansible control node functionality in a scalable way and service up to 200,000 nodes.

Notifications: Ansible Tower can be configured to send notifications to specific users.

Scheduling: In Ansible Tower you are able to schedule jobs to run at a specific time.

Integrated inventory: In Ansible Tower, multiple sources of inventory can be used and presented as one big inventory, no matter where the inventory hosts come from.

Self-service: Using Ansible Tower makes it easy to delegate jobs to specific users. Ansible Tower enables you to create user accounts and grant specific Tower users permissions to specific jobs.

Remote execution: The Ansible Tower run command interface provides an easy-to-use interface for remote command execution, which in fact runs ad hoc commands on selected nodes.

REST API and Tower CLI tool: Apart from the web interface, Ansible Tower provides a REST API and the tower-cli command-line tool, which allows users to address the API directly without using the web interface.

Ansible Tower is a Red Hat product that comes with an enterprise license for updates and support. You can request a limited evaluation version of Tower at ansible.com, or you can use the open-source upstream project AWX instead.

Once they are configured, there is no difference between Tower and AWX. The setup procedures for the two solutions, however, are quite different, which is why the following sections contain instructions for setting up both environments. To install either solution, you need a dedicated node that meets the following requirements:

• 4 GB RAM (8 GB recommended)

• 2 vCPUs

• 20 GB disk space, much more when used to manage many nodes

• RHEL 7 or 8

The managed machines have no specific requirements. Even when used with Ansible Tower, Ansible is still agentless, which means that normal access mechanisms are used for the managed machines.

Installing Ansible Tower

To install the Ansible Tower software, you need to obtain a free evaluation version from www.ansible.com. This installation version gives access to a tarball, as well as a license. You can use the Ansible Tower license with your current Red Hat account or use a license file. The following procedure explains how to install Ansible Tower on a virtual machine that has CentOS 8.x installed.

1. Go to https://ansible.com/products/tower and request access to the free evaluation of Ansible Tower.

2. Store the tarball containing the Ansible software in your home directory. The name of the tarball should be ansible-tower-setup-latest.tar.

3. Use tar xvf ansible-tower-setup-latest.tar to extract the tar archive to the current directory.

4. Use cd ansible[Tab] to change into the directory that was created by extracting the tarball.

5. Type vim inventory to open the inventory file that is provided. Make sure to set your passwords as follows:

admin_password='password'
pg_password='password'
rabbitmq_password='password'

6. Run the setup.sh file by using sudo ./setup.sh. Completion will take about 15 minutes.

7. When setup is complete, access the Ansible Tower main web page, using https://localhost. Log in with the provided credentials.

8. You now see a screen where you are prompted for a license (see Figure B-1). There are three options to access the license:

• If you don’t have a license, click the Request License link to request one.

• If you have a license file, use the Browse button to browse to the location of that file.

• If your current Red Hat ID is entitled to use a license, log in using your Red Hat username and password.

Figure B-1 Entering License Details

9. After entering the license details, click the check box to agree with the license conditions and click Submit. This gives you access to the Ansible Tower web page.

Installing AWX

The installation of AWX is very different. AWX is provided as a container in OpenShift, Kubernetes, or Docker-Compose. Of these methods, the Docker-Compose method is the most accessible method because it doesn’t require a complete container orchestration platform like OpenShift or Kubernetes to be set up. For that reason, in this procedure you learn how to set up AWX on top of Docker-Compose. Make sure you use a dedicated system for installing AWX (so don’t try to run it on the machine where you just installed Ansible Tower).

1. Use sudo systemctl disable --now firewalld to disable the firewall—not because you have to, but just because it makes it easier to get started with AWX.

2. Disable SELinux by using sudo setenforce 0. Make this persistent as well by including the line SELINUX=disabled in the /etc/sysconfig/selinux configuration file.

3. Install the EPEL repository using sudo yum install epel-release.

4. Install Ansible using sudo yum install ansible.

5. After installing Ansible, clone the AWX GitHub repository by using git clone https://github.com/ansible/awx.

6. Now you need to install some supporting packages. To do so, use sudo yum install yum-utils device-mapper-persistent-data lvm2.

7. Add the Docker repository by using sudo yum config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo.

8. Remove the default CentOS/RHEL 8 container management tool podman by using sudo yum remove podman -y.

9. Install the Docker Community Edition Software by using sudo yum install docker-ce docker-ce-cli containerd.io --nobest -y.

10. Enable the Docker daemon. To do so, use sudo systemctl enable --now docker.

11. Make your current user account a member of the group docker. Use sudo usermod -aG docker $(whoami).

12. Make your new group membership effective by using newgrp docker.

13. Create a symbolic link to start Python. Use sudo ln -s /usr/bin/python3 /usr/bin/python.

14. Install the Docker compose software. Use sudo pip3 install docker-compose.

15. Edit ~/awx/installer/inventory and ensure it contains the line pg_admin_password=password. Look up the existing pg_admin_password line and remove the comment sign to ensure it is at the right location in the file.

16. Start the installer. First, use cd ~/awx/installer to get into the right directory, and from there, type ansible-playbook -i inventory install.yml to start the installation.

17. After completing the installation, type docker ps to verify that the Docker containers have been started.

18. Use docker logs -f awx_task and make sure it shows completed. This process can take about five minutes.

19. After the task is complete, access the AWX web page at http://localhost. Log in using the username admin and the password password.

At this point you should have access to the main web page in either AWX or Ansible Tower. In the following sections you learn how to start performing your management tasks from there.
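
The password lines set in step 5 of the Tower procedure and step 15 of the AWX procedure are lab placeholders stored in clear text in the installer inventory. As an added example (not part of the book or of the Tower/AWX installers), the following shell functions audit such an inventory for empty, placeholder, short, or reused secrets and for loose file permissions; the function names, the deny-list, and the 12-character minimum are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: audit an AWX/Tower installer inventory for weak secrets.
# Key names are the ones this appendix edits; the deny-list and the
# 12-character minimum are assumptions of this example.
SECRET_KEYS='admin_password pg_password rabbitmq_password pg_admin_password'
WEAK_VALUES='password changeme admin secret'
MIN_LEN=12

# Print one finding per line; return 1 if anything was found, else 0.
audit_inventory() {
    local file="$1" key line value seen='' rc=0
    # The inventory stores secrets in clear text: flag group/other read access.
    case $(ls -ld "$file" | cut -c5,8) in
        *r*) echo "file: readable by group or others (chmod 600)"; rc=1 ;;
    esac
    for key in $SECRET_KEYS; do
        # Commented-out lines are ignored; the last active assignment is used.
        line=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" | tail -n 1)
        [ -n "$line" ] || continue      # key not set in this inventory
        value=$(printf '%s\n' "${line#*=}" |
            sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                -e "s/^['\"]//" -e "s/['\"]\$//")
        if [ -z "$value" ]; then
            echo "$key: empty"; rc=1; continue
        fi
        if printf '%s\n' $WEAK_VALUES | grep -qixF -- "$value"; then
            echo "$key: placeholder value"; rc=1
        elif [ "${#value}" -lt "$MIN_LEN" ]; then
            echo "$key: shorter than $MIN_LEN characters"; rc=1
        fi
        if printf '%s' "$seen" | grep -qxF -- "$value"; then
            echo "$key: value reused from another key"; rc=1
        fi
        seen="${seen}${value}
"
    done
    return "$rc"
}

# Generate a replacement secret (32 hex characters) from the kernel CSPRNG.
new_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: ./audit-inventory.sh ~/awx/installer/inventory
[ "$#" -eq 0 ] || audit_inventory "$1"
```

Run it against the inventory before starting setup.sh or install.yml; a non-zero exit status means at least one finding was printed.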

Managing Nodes with Ansible Tower

To manage machines with Ansible Tower, you must do something to reach out to these machines. Because Ansible Tower is still Ansible, there is no fundamental difference in how you reach out to the managed machines from Ansible Tower:

• You need to set up name resolution for managed machines.

• You must ensure that the managed machines are running an SSH process that is accessible through the firewall.

• You need a user account with sudo privileges.

• You need to set up a password and SSH keys.

If you’re reading this appendix after working through the other chapters in this book, setting up Tower is easy. It consists of the following tasks, which are all executed on the Tower node:

• Create an ansible user.

• Use ssh-keygen to generate an SSH key pair.

• Use ssh-copy-id to copy the public key to the managed machines.

Because the managed hosts were set up previously, no additional configuration is required. If you still need to set up the managed hosts, read Chapter 2, “Installing Ansible,” for more information about that procedure. You don’t need to configure an inventory or an ansible.cfg file; this functionality is taken over by Ansible Tower.

Understanding Ansible Tower Core Components

To work with Ansible Tower, you use a few key resources. Working with Ansible Tower means you need to be able to configure these key resources the appropriate way. Let’s start with an overview:

Organization: In Ansible Tower, an organization is a collection of managed devices. Notice that in the evaluation version of Ansible Tower, only one organization is available.

Users: Different users can be created, and RBAC can be configured for these users.

Inventories: Inventories are the managed servers. They can be created statically or dynamically.

Credentials: Credentials are what you need to log in to a managed machine. They typically consist of the Ansible control node user account, including SSH public key and sudo privileges.

Project: A project is a collection of playbooks that is obtained from a certain location, such as GitHub.

Template: A template is a job definition with all of its parameters. Jobs must be launched and scheduled from the template.

Running a Project in Ansible Tower

Now that you know which elements are required for working with Ansible Tower, let’s set up a project in Tower. To get started with this project, you need to make sure that some Ansible managed machines are available. The machines you used throughout this book will do fine, or you can install new machines. Just make sure that on the managed machines you have set up a dedicated Ansible user account, and this user account is configured for sudo privilege escalation and SSH remote access.

1. Log in to the Tower web interface. From the pane on the left, select Inventories and click the + sign to add a new inventory. Select the Inventory option.

2. Enter webservers as the name for this inventory. Click Save in the lower-right corner to save the new inventory (see Figure B-2).

Figure B-2 Adding a New Inventory

3. After saving the new inventory, click Hosts. From the interface that shows up, click the + sign to add a new host. From there, add the name of the host you want to add and an optional description; then click Save to save the new host (see Figure B-3). Repeat this procedure for any other host you want to add.

Figure B-3 Adding Hosts to the Inventory

4. From the Hosts interface, scroll down to verify that the hosts were added successfully (see Figure B-4).

Figure B-4 Verifying That Hosts Were Added Successfully

5. After adding the hosts, you must add credentials. The credentials contain your user account and everything else that is needed to successfully connect to the managed hosts. To add credentials, select Credentials from the Resources section in the pane on the left (see Figure B-5).

Figure B-5 Credentials Overview

6. From the Credentials interface, click + to add new credentials. Different items need to be provided. To start with, specify a name for the credential. Next, ensure that Machine is selected as the Credential Type (see Figure B-6).

Figure B-6 Creating the Credentials

7. After entering the credentials name and type, you must specify the username. This is the name of the remote user you set up on the managed hosts. Next, you must specify how to connect as this user. Different connection options are available. To authenticate with an SSH public/private key pair, you need to ensure the SSH private key is in the SSH PRIVATE KEY field. The easiest way to do so is to use the Files tool from the GNOME graphical interface and drag the id_rsa file to this field. (Set the View Hidden Files option in the Files tool.) See Figure B-7.

Figure B-7 Specifying How to Connect

8. After specifying the name of the remote user and the SSH key, you need to configure privilege escalation. Set this to sudo and enter the username root as the privilege escalation user. Assuming that no password is required to run sudo commands on the managed hosts, you do not need to enter anything else. So at this point you can click Save to save the credentials to your system (see Figure B-8).

Figure B-8 Configuring Privilege Escalation

9. Now that the credentials have been created, you can create a project. In the Ansible Tower project, you connect to the YAML files you want to use in your Ansible project. The standard is to provide these source files through some version control system, such as GitHub. To configure the project, from the Resources section in the pane on the left, click Projects to open the screen you see in Figure B-9.

Figure B-9 Projects Main Screen

10. From the Projects interface shown in Figure B-9, click + to add a new project. Enter the name webservers and ensure that the Organization name is set to Default. Next, from the SCM TYPE field, select Git. This adds a few new items to connect to the Git repository you want to use. If you have your own Git repository, feel free to use it; otherwise, use https://github.com/sandervanvugt/ansible-demoproject as the sample project to connect to. Notice that your SCM might require additional credentials to connect; these are not included in Figure B-10. In Figure B-10 you see an overview of all settings entered so far. Click Save to save the project to Tower.

Figure B-10 Creating a Project

11. Now you are going to create a template. The template is the place where everything is connected and the actual job is going to be configured. From the Resources section in the pane on the left, click Templates, and from there click + to add a template. Select Job Template to open the interface that you see in Figure B-11.

Figure B-11 New Job Template Start Screen

12. To define the template, you start with its name. Next, set the Job type to Run. Notice that you can also select Check, which will perform a dry run and syntax check based on the selected project. Next, use the drop-down list for the Inventory option to select the inventory you created earlier. Then use the drop-down list for the Project option to select the project that you previously created. After selecting the project, you get access to the playbooks it provides. Next, select the credentials you created earlier, and then select the option Enable Privilege Escalation to complete required settings for this template. See Figure B-12 for an overview of selected options. Scroll down to select the Save button to write the job settings to your system.

Figure B-12 Defining a Job Template

13. After you specify all template options, they are stored to the system. Scroll the template all the way to the bottom of the current screen (see Figure B-13). From there, click the rocket icon to launch a job based on this template.

Figure B-13 Accessing Saved Templates

14. After you launch a job, the Job status screen opens. From this screen you can see whether the job was able to run successfully. Notice the output in the right pane, which really is similar to the output you’ll see when running Ansible commands directly from the command line. In case the process does go wrong (which is the case in the Figure B-14 output), read the command output; then try to understand and fix it.

Figure B-14 Analyzing Job Output

15. After you fix the problems, click the rocket icon again to restart your job template. If all goes well, at this point it should show a Successful status. (In case you missed it, the problem shown in Figure B-14 is that host name resolution for the short hostname ansible1 is not set up in the /etc/hosts file on the Ansible Tower server.)

Summary

In this appendix you learned how to work with Ansible Tower. You read why using Tower may be convenient and how to set up an environment that is managed with Ansible Tower. You also learned how to run a project in Ansible Tower. Ansible Tower has many more features to offer, but the introduction in this appendix should be helpful to get you started.
