-
-
Notifications
You must be signed in to change notification settings - Fork 102
Ansible AWX
Old pre-Kubernetes process
apt-get update
apt install git docker.io python3-pip libffi-dev
useradd -G docker -m awx
As the new awx
user:
-
git clone https://github.com/ansible/awx -b 15.0.1
(latest branch at time of writing) - (If you have your own SSL certificate for the web server you can bypass this self-signed certificate generation step - since the adopt one is fronted by CloudFlare it isn't a problem for us to use this one):
openssl req -x509 -nodes -days 1000 -newkey rsa:4096 -keyout server.key -out server.crt -subj "/C=GB/ST=UK/L=London/O=AdoptOpenJDK/CN=awx.adoptopenjdk.net"
- Edit
awx/installer/inventory
and updatessl_certificate
andssl_certificate_key
to the full path to the two files created from the openssl command above (or ones from your own certificate). Also changeadmin_password
to something other thanpassword
and also changepg_password
export PATH=$HOME/.local/bin:$PATH
-
pip3 install docker-compose ansible
(This will take a few minutes) cd awx/installer
If you are going to be running via a cloudflare proxy, modify awx/installer/roles/local_docker/templates/nginx.conf.j2
to comment out the Content-Security-Policy
header, otherwise you will fall foul of HSTS violations.
ansible-playbook -i inventory install.yml
You may receive a deprecation error concerning the docker_service
module used in roles/local_docker/tasks/upgrade_postgres.yml
causing the playbook to come to a halt. In this file, simply replace docker_service:
with docker_compose:
and re run the playbook.
- Needed due to AWX bug: Wait 2½ minutes then run the playbook again
-
docker logs -f awx_task
(Don't skip this - it should have a message with127.0.0.1 | SUCCESS
fairly quickly then after five minutes or so) - If anything goes wrong - clear it out
docker stop awx_task awx_web awx_postgres awx_redis
thendocker rm awx_task awx_web awx_postgres awx_redis
Wipe out~awx/.awx
(will likely need root) and re-run the playbook after fixing anything obvious :-) - If we still need to connect to any macos 10.10 boxes you will need to enable the
aes128-ctr
Cipher in the/etc/ssh/ssh_config
of theawx_task
container
Once ansible is running, connect to it on the standard SSL port (443)
TBC since some of this has been moved: Some of the playbooks we use reference the /Vendor_Files
directory. This needs to be present in the ansible/awx_task
docker container: Put the Vendor_Files
directory on the host and run docker cp Vendor_Files awx_task:/Vendor_Files
Installation steps:
- Run the installation script from https://get.k3s.io/ as root with --write-kubeconfig-mode 644 as a parameter
apt install git make
- useradd -m awx
- chgrp awx /etc/rancher/k3s/k3s.yaml
- Edit /etc/systemd/system/k3s.service to add --write-kubeconfig-mode=640 to the startup command (Note it may be possible to https://github.com/k3s-io/k3s/issues/389#issuecomment-503616742)
- Add export KUBECONFIG=/etc/rancher/k3s/k3s.yaml to awx's .bashrc
As the awx user:
- git checkout https://github.com/ansible/awx-operator -b 2.19.1 (Latest version at the time of writing)
- cd awx-operator
- make deploy 2>&1 | tee awx-deploy.log
- Create kustomization.yaml as per the docs then run
kubectl apply -k .
- Create awx-adoptium.yaml (e.g. copy from awx-demo.yml), reference it from kustomization.yml in the resources section after the github line and run kubectl apply -k . again.
- Run kubectl logs -f deployments/awx-operator-controller-manager -c awx-manager -n awx to check deployment status or kubectl -n awx get pods to see what has been created. For any problems, kubectl describe pod ... may be useful. It should complete in about 15 minutes.
- Run kubectl get secret awx-adoptium-admin-password -n awx -o jsonpath='{.data.password}' | base64 --decode to get the password for the admin user, and kubectl -n awx get service to determine the port number fo the awx-adoptium-service or kubectl -n awx get all to get more information about the deployment. 8.Get /Vendor_Files into the container - Login, go to Settings -> Jobs Settings -> EDIT and add "/Vendor_Files:/Vendor_Files:O" to the Paths to expose to isolated jobs section. Then ensure that Expose host paths for Container Group is checked. doc link 1 doc link 2
Further notes:
-
collections/requirements.ymlin the repository ensures that the
community.general
andcommunity.windows
galaxy collections are available - bastillion needs to be configured to put the (now passphrase-enabled) key on all of the target machines
- SSL is configured via the
ingress_type: ingress
options on k3s.Various references for setting this up are in this comment
I will run through each of the concepts that AWX provides and explain how each of these are configured:
Create a new organisation called AdoptOpenJDK
Either
- Create users manually in the "Users" section
- Go to Settings -> Authentication -> Github and set up a GitHub team (Instructions here) with team ID 2342525 and organization map:
{"AdoptOpenJDK":{"admins":true}}
and team map{"AdoptOpenJDK":{"organization":"AdoptOpenJDK","users":true,"remove":false}}
- The team ID in the previous paragraph can be retrieved via [the API]( but it is simpler to go to the web page for the team, look at the URL of the team icon which will have something like
/t/2342525?s=280&v=4
in it where the ID is visible. That one is from infrastructure-secret
The project connects AWX with a github repository. Multiple ones can be created if you want to run things from your own fork/branch of the openjdk-infrastructure repository, but most of the time we want to run from the default one. Set up the project as follows:
- NAME: adoptopenjdk/openjdk-infrastructure
- ORGANIZATION: AdoptOpenJDK
- SCM TYPE: Git
- SCM URL: https://github.com/adoptopenjdk/openjdk-infrastructure
- SCM UPDATE OPTIONS:
CLEAN
andUPDATE REVISION ON LAUNCH
Inventories define the set of machines that we run against. For the openjdk-infrastructure repository the master list of machines is stored in the ansible/inventory.yml
file. This is not in the format which AWX expects, so we another script to parse it. Create an inventory as follows:
- NAME: Dynamic inventory from github
- ORGANISATION: Adoptium (Was AdoptOpenJDK)
The save, and under the SOURCES
tab you will need to create a new entry, which I have called Dynamic inventory source
which specifies how to populate the inventory. Use the following settings:
- NAME: Dynamic inventory source
- SOURCE: Sourced from a Project
- PROJECT: adoptium/infrastructure (Was adoptopenjdk/openjdk-infrastructure)
- INVENTORY FILE:
ansible/plugins/inventory/adoptopenjdk_yaml.py
- UPDATE OPTIONS:
OVERWRITE
andOVERWRITE_VARIABLES
You can also use the SCHEDULES
tab within the source definition to tell AWX to resync periodically with github, or you can re-run when you update the entries.
Once the inventory source is saved and refreshed (click the recycle
icon in the actions for the source) you should see the GROUPS
an HOSTS
tabs of the inventory populated with all of the machines. GROUPS
will have sections for build
, docker
, infrastructure
and test
(at the time of writing) and HOSTS
will show each system as well as the group they are in. Each host can be enabled or disabled using the switches to the left of the hostname.
We now need to give the AdoptOpenJDK team access to the projects listed above. To do this, go to Teams -> AdoptOpenJDK -> Permissions and click the green + icon. Select all of our newly created templates and give "Admin" privileges to the team. Then do the same for the inventories.
Credentials allow AWX to connect to other systems. We will need at least one ssh credential to allow it to connect to the UNIX-based machines which it is going to deploy onto (this will be put on the machines via Bastillion). Create the credential with the following parameters:
- NAME:
ssh admin key
- DESCRIPTION: log into machines over ssh
- ORGANISATION: AdoptOpenJDK
- CREDENTIAL TYPE: Machine
- USERNAME: root
- SSH PRIVATE KEY: <Obviously this is private!>
- PRIVATE KEY PASSPHRASE: <This is private too!>
For Windows machiens we need to authenticate with a password. Since our passwords are different across each machine we create a credential which will prompt on each template deployment as follows:
- NAME:
Windows credential
- DESCRIPTION: Select password on launch
- ORGANISATION: AdoptOpenJDK
- CREDENTIAL TYPE: Machine
- USERNAME: Administrator
- PASSWORD: Blank with
Prompt on launch
checked.
Templates are the entities that do the work of deploying playbooks. We create one as follows:
- NAME: Deploy UNIX playbook
- JOB TYPE: Run
- INVENTORY: Dynamic Inventory from Github
- PROJECT: adoptopenjdk/openjdk-infrastructure
- PLAYBOOK: ansible/playbooks/AdoptOpenJDK_Unix_Playbook/main.yml
- CREDENTIALS:
ssh admin key
- SKIP TAGS:
nagios_master_config
nagios_tunnel
(for now) - EXTRA_VARIABLES:
ansible_ssh_user: root
The template can also have a schedule associated with it if you want to run it periodically, or you can run it manually by clicking the rocket ship icon next to it in the list.
An equivalent template Deploy AIX template
has the same values other then PLAYBOOK
is set to ansible/playbooks/AdopyOpenJDK_AIX_Playbook/main.yml
For Windows deployments, we have the following template defined:
- NAME: Deploy Windows playbook
- JOB TYPE: Run
- INVENTORY: Dynamic Inventory from Github
- PROJECT: AdoptOpenJDK/openjdk-infrastructure
- PLAYBOOK: ansible/playbooks/AdoptOpenJDK_Windows_Playbook/main.yml
- CREDENTIALS:
Windows credential
- SKIP TAGS:
basic_config
(for now)
Schedules are used within AWX to run particular jobs or tasks on a recurring basis. The existing scheduled jobs are used to automate clean-up tasks, and perform a daily automated synchronisation of the ansible inventory (Link).
Each of our platform playbooks, Unix, Windows and AIX, are scheduled to run on our machines on a weekly basis within AWX. This way the machines are patched regularly and our playbooks are tested for error.
Some of our roles expect to be able to access the /Vendor_Files
directory for some private information (alternatively it can be sourced from the secrets
repo for those who have access. For the purposes of AWX, the /Vendor_Files
directory should be located within the awx_task
container - use docker cp
if you need to update something within the container
Three options:
- Back up the docker containers
- Using
./tower-cli receive --all -h localhost -u admin -p ASK --insecure
(pip3 install ansible_tower_cli
if you don't have it) - Or
./awx --conf.insecure export
(after pip3 install awxkit`)
Enter the awx_task
docker container
docker exec -it awx_task /bin/bash
The version of Ansible used by the AWX server is the version of Ansible installed in this container. Updating Ansible is as easy on the AWX server as it is anywhere else.
pip3 install --upgrade ansible
You can specify a version of Ansible to upgrade to by using
pip3 install --upgrade "ansible=x.x.x"
If this doesn't work, you can try uninstalling and reinstalling Ansible in the docker container
pip3 uninstall ansible
pip3 install ansible
This will reinstall Ansible to the latest version
Note:
The update to a later Ansible version may cause an unexpected failure when you try to sync your inventory (this may not affect later versions of AWX)
While syncing your inventory, you may hit this error
File "/var/lib/awx/venv/awx/lib/python3.6/site-packages/awx/main/management/commands/inventory_import.py", line 142, in get_base_args
if this_version >= Version('2.5'):
File "/usr/lib64/python3.6/distutils/version.py", line 70, in __ge__
c = self._cmp(other)
File "/usr/lib64/python3.6/distutils/version.py", line 337, in _cmp
if self.version < other.version:
TypeError: '<' not supported between instances of 'str' and 'int'
If so, go back into the awx_task
container. Open up /var/lib/awx/venv/awx/lib/python3.6/site-packages/awx/main/management/commands/inventory_import.py
Look for the get_base_args()
method. Locate this line within that method
ansible_version = _get_ansible_version(ansible_inventory_path[:-len('-inventory')])
Comment it out and replace it with
ansible_version = "2.11.1"