🗼 How to set up AWX (a.k.a. Ansible Tower)

3/11/2020

If we want to execute Ansible playbooks centrally and on a schedule, a tool like AWX is recommended.

This article describes how to install AWX on CentOS 8 as a containerized application and how to do the initial configuration of an LDAP connection to an LDAP/AD server.

Install AWX

All steps here are executed over SSH on the selected server, which runs CentOS 8. The user must have root privileges.

Install needed tools

Install the EPEL repo and then install jq
yum install -y epel-release && yum install -y jq

Install docker-ce related packages
yum install -y yum-utils device-mapper-persistent-data lvm2

Install docker-ce; for this we need to remove podman :(((
dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo
# prints: Adding repo from: https://download.docker.com/linux/centos/docker-ce.repo
dnf list docker-ce
dnf install docker-ce --nobest -y
dnf remove podman
dnf install docker-ce --nobest -y
systemctl start docker
systemctl enable docker
docker --version
# prints: Docker version 19.03.8, build afacb8b
dnf install curl -y
dnf install make -y

Install docker-compose
LATEST_VERSION=$(curl -s https://api.github.com/repos/docker/compose/releases/latest | jq -r '.tag_name')
curl -L "https://github.com/docker/compose/releases/download/$LATEST_VERSION/docker-compose-$(uname -s)-$(uname -m)" > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
docker-compose --version
# prints: docker-compose version 1.25.4, build 8d51620a

dnf install python3
dnf install ansible
dnf install python3-pip
python3 -m pip install docker-compose
cp /bin/user
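
The docker-compose step above pipes a download straight into /usr/local/bin. The following is an added example, not part of the original article, that installs a downloaded file only when its SHA-256 matches a digest you pinned beforehand from the release page. The helper name install_verified and the sample file are made up for illustration.

```sh
#!/bin/sh
# Added example: install a downloaded binary only if it matches a pinned SHA-256.
# install_verified is a hypothetical helper, not a docker or AWX tool.

install_verified() {
    # $1 = downloaded file, $2 = expected SHA-256 (hex), $3 = destination path
    actual=$(sha256sum "$1" 2>/dev/null | awk '{print $1}')
    # Accept digests pasted in upper case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $1 (got: ${actual:-none}), not installing" >&2
        return 1
    fi
    # The destination is only written after the digest has matched.
    install -m 0755 "$1" "$3"
}

# Constructed stand-in for the downloaded binary so the example runs offline.
demo=$(mktemp -d)
printf 'abc' > "$demo/docker-compose.download"
# SHA-256 of the three bytes "abc" (standard test vector).
PINNED=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad

install_verified "$demo/docker-compose.download" "$PINNED" "$demo/docker-compose" \
    && echo "matching file installed"

# A file that differs by one byte is refused and nothing is written.
printf 'abd' > "$demo/tampered.download"
install_verified "$demo/tampered.download" "$PINNED" "$demo/tampered" 2>/dev/null \
    || echo "tampered file refused"
```

On the real host, download to a temporary path first, then call install_verified with /usr/local/bin/docker-compose as the destination.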

Configure stuff

Configure Firewall
firewall-cmd --get-zone-of-interface=docker0
sudo firewall-cmd --zone=work --change-interface=docker0

firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --reload
systemctl status firewalld.service
systemctl restart docker

Change dir to the home directory.
cd ~

Get the latest release of the Ansible AWX tarball and extract it.
LATEST_AWX=$(curl -s https://api.github.com/repos/ansible/awx/tags |egrep name |head -1 |awk '{print $2}' |tr -d '"|,')
curl -L -o ansible-awx-$LATEST_AWX.tar.gz https://github.com/ansible/awx/archive/$LATEST_AWX.tar.gz &&
tar xvfz ansible-awx-$LATEST_AWX.tar.gz &&
rm -f ansible-awx-$LATEST_AWX.tar.gz

Enter the awx folder.
cd awx-$LATEST_AWX

Create a folder in /opt/ to hold the AWX psql data.
mkdir -p /opt/awx-psql-data

Disable the dockerhub reference in order to build local images.
sed -i "s|^dockerhub_base=ansible|#dockerhub_base=ansible|g" installer/inventory

Provide the psql data path to the installer.
sed -i "s|^postgres_data_dir.*|postgres_data_dir=/opt/awx-psql-data|g" installer/inventory

Create the awx-ssl folder in /etc.
mkdir -p /etc/awx-ssl/

Make a self-signed SSL certificate
openssl req -subj '/CN=/O=/L=/ST=/C=' \
-new -newkey rsa:2048 \
-sha256 -days 1365 \
-nodes -x509 \
-keyout /etc/awx-ssl/awx.key \
-out /etc/awx-ssl/awx.crt

Merge the awx.key and awx.crt files into one bundle (the bundle contains the private key)
cat /etc/awx-ssl/awx.key /etc/awx-ssl/awx.crt > /etc/awx-ssl/awx-bundled-key.crt

Pass the full path of the awx-bundled-key.crt file to the ssl_certificate variable in the inventory.
sed -i -E "s|^#([[:space:]]?)ssl_certificate=|ssl_certificate=/etc/awx-ssl/awx-bundled-key.crt|g" installer/inventory

Change dir to where the awx main folder is placed:
cd ~

Download and extract the awx-logos repository. (We could use git to clone the repo, but that requires git to be installed on the host.)
curl -L -o awx-logos.tar.gz https://github.com/ansible/awx-logos/archive/master.tar.gz
tar xvfz awx-logos.tar.gz

UPDATE 21.01.2021: The logos have been replaced with... blanks? If you want the old version, download https://github.com/ansible/awx-logos/archive/7064a4635a3f857c67a5f5a8608ca52c27cdf26c.zip

Rename the awx-logos-master folder to awx-logos
mv awx-logos-master awx-logos

Remove the archive
rm -f awx-logos.tar.gz

Set AWX parameters

Change dir to awx and replace the awx_official parameter
cd awx-$LATEST_AWX
sed -i -E "s|^#([[:space:]]?)awx_official=false|awx_official=true|g" installer/inventory

Define the default admin username
sed -i "s|^admin_user=.*|admin_user=|g" installer/inventory

Set a password for the admin
sed -i "s|^admin_password=.*|admin_password=|g" installer/inventory

Set the AWX secret_key
sed -i "s|^secret_key=.*|secret_key=|g" installer/inventory

Set the password for rabbitmq
sed -i "s|^rabbitmq_password=.*|rabbitmq_password=|g" installer/inventory

Set the postgresql username
sed -i "s|^pg_username=.*|pg_username=|g" installer/inventory

Set the postgresql password
sed -i "s|^pg_password=.*|pg_password=|g" installer/inventory
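
The password and secret_key fields set above end up in clear text in installer/inventory. The following is an added example, not part of the original article, that fills them with random values and restricts the file to its owner. The helper names and the sample inventory are constructed for illustration.

```sh
#!/bin/sh
# Added example: fill the secret fields of an AWX installer inventory with
# random values. gen_secret, set_inventory_value and harden_inventory are
# hypothetical helper names, not part of the AWX installer.

# 32 bytes from the kernel CSPRNG, hex encoded (64 characters).
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Replace "key=..." in place. Hex values contain no sed metacharacters.
set_inventory_value() {
    # $1 = inventory file, $2 = key, $3 = value
    grep -q "^$2=" "$1" || { echo "key $2 not found in $1" >&2; return 1; }
    sed -i "s|^$2=.*|$2=$3|" "$1"
}

harden_inventory() {
    # $1 = inventory file
    inv=$1
    # Restrict the file before any secret is written; GNU sed -i keeps the mode.
    chmod 600 "$inv" || return 1
    for key in admin_password secret_key pg_password rabbitmq_password; do
        set_inventory_value "$inv" "$key" "$(gen_secret)" || return 1
    done
}

# Constructed sample inventory so the example runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/inventory" <<'EOF'
admin_user=admin
admin_password=password
secret_key=awxsecret
pg_username=awx
pg_password=awxpass
rabbitmq_password=awxpass
EOF

harden_inventory "$demo_dir/inventory"
# Show which keys are set without printing the generated values.
sed 's|=.*|=<set>|' "$demo_dir/inventory"
```

On the real host, run harden_inventory installer/inventory from the awx folder and read the generated admin password back as root with grep '^admin_password=' installer/inventory.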

Start AWX Installation

Stop the firewall for the installation (otherwise the docker containers can't access the internet)
systemctl stop firewalld
systemctl restart docker

Enter the installer directory.
cd ~/awx-$LATEST_AWX/installer

Initiate install.yml
ansible-playbook -i inventory install.yml

Great! The playbook will now start to build the docker-containers and launch them.

After this you can log in with the admin user credentials at https://servername/#/login

Start the firewall again after the installation is finished!!
systemctl start firewalld

Optional: Configure LDAP connect to AD-Server

Log in to the UI via https:/// with the admin user credentials from above

Go to Settings → Auth → LDAP

LDAP SERVER URI: ldap://: or better ldaps://:

LDAP BIND DN: CN=,OU=,OU=,DC=,DC=

LDAP Bind Password

LDAP REQUIRE GROUP: CN=,OU=,OU=,DC=,DC=

LDAP USER SEARCH: [ "DC=,DC=", "SCOPE_SUBTREE", "(sAMAccountName=%(user)s)" ]

LDAP GROUP SEARCH: [ "DC=,DC=", "SCOPE_SUBTREE", "(objectClass=group)" ]

LDAP USER ATTRIBUTE MAP: { "first_name": "givenName", "last_name": "sn", "email": "mail" }

Awesome! Now you can grant the users in your LDAP group access to AWX!