How to install AWX Isolated Node

Yes, you’re right! Finally, documentation on how to deploy an AWX isolated node!

I could not find proper documentation on AWX isolated node deployment, because the AWX open source community does not support this particular feature (I don’t really know why). Since AWX is the upstream of Ansible Tower, I decided to spend some time cracking my head on how to get it done.

Background

AWX is the upstream, open source version of Ansible Tower. Ansible engine on its own does not have the capability to store passwords securely, its RBAC relies on the OS level, and there is no centralized way of managing inventory, nor any APIs to bring automation to the next level.

AWX and Ansible Tower comprise many different features; here are some of the main ones:

  • Store sensitive information securely
  • Role-based access control (RBAC)
  • Grab playbooks or scripts from git
  • Grab inventory from existing inventory software

AWX runs the playbook on the host server on which it is installed. This could be a challenge in an actual production environment, where there can be different domains or zones, and where opening firewall ports from one server to all managed nodes (network devices or servers) could be a challenge.

Ansible Tower has a feature called isolated node, where one centralized Tower runs the playbook but execution is performed on another server. This feature provides multi-tenancy capabilities to any Tower deployment.

Quoted from the original blog post on Red Hat’s website:

“A Tower Isolated Node is a headless Ansible Tower node that can be used for local execution capacity, either in a constrained networking environment such as a DMZ or VPC, or in a remote data center for local execution capacity. The only prerequisite is that there is SSH connectivity from the Tower Cluster to the Isolated Node. The Tower Cluster will send all jobs for the relevant inventory to the Isolated Node, run them there, and then pull the job details back into Ansible Tower for viewing and reporting.”

https://developers.redhat.com/blog/2017/12/20/understanding-ansible-tower-isolated-nodes/

Prerequisites

  • An existing AWX deployment
    • You can follow the AWX installation guide and install on your preferred platform. I’ll be using the docker-compose method.
  • A RHEL/CentOS 7 server (not tested on other Linux distributions)
  • Internet connection (or find your own way to deliver the package dependencies)
  • SSH connection from AWX to the isolated node
  • Passwordless SSH key login configured from AWX to the isolated node

Overview

The following diagram illustrates the whole process and data flow, to give you an overview of how an isolated node works with AWX.

Setup – Isolated Node

Perform initial update

sudo yum update -y

Install the other dependency packages. EPEL is enabled first, because python-pip comes from that repository.
(P.S. I’m using Python 2 for this POC; you could change to Python 3 if required.)

sudo yum install epel-release -y
sudo yum install python-pip python-devel -y

Install Ansible

sudo yum install ansible rsync -y

Install ansible-runner

pip install ansible-runner pywinrm --user

Setup file system folders

sudo mkdir /var/lib/awx
sudo chown awx:awx /var/lib/awx

Note: the default login user is “awx”; change it to your own if required.
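
A preflight check for the isolated node prepared above, as an added example that is not part of the original post: it verifies that the paths the AWX SSH key login depends on exist, belong to the service user and are not more permissive than expected. The function names, the mode limits and the script name are assumptions of this example, and it relies on GNU stat as shipped with RHEL/CentOS.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: preflight check for the isolated node.
# Assumes GNU stat (RHEL/CentOS); function names and mode limits are this example's own.

# mode_ok PATH LIMIT: succeeds if PATH sets no permission bit outside octal LIMIT.
mode_ok() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# owned_by PATH USER: succeeds if PATH is owned by USER.
owned_by() {
    [ "$(stat -c '%U' "$1" 2>/dev/null)" = "$2" ]
}

# check_node USER HOME DATA_DIR: prints one line per path, returns 1 on any failure.
# sshd's StrictModes refuses authorized_keys when the home directory, ~/.ssh or the
# key file is group- or world-writable; the limits below are the usual tighter ones.
check_node() {
    local user="$1" home="$2" data="$3" rc=0 spec path limit
    for spec in "$data:755" "$home:755" "$home/.ssh:700" \
                "$home/.ssh/authorized_keys:600"; do
        path=${spec%:*}
        limit=${spec##*:}
        if [ ! -e "$path" ]; then
            echo "FAIL $path: missing"; rc=1
        elif ! owned_by "$path" "$user"; then
            echo "FAIL $path: not owned by $user"; rc=1
        elif ! mode_ok "$path" "$limit"; then
            echo "FAIL $path: mode $(stat -c '%a' "$path") exceeds $limit"; rc=1
        else
            echo "ok   $path"
        fi
    done
    return "$rc"
}

# Run on the isolated node as root, e.g.: sudo bash check_isolated_node.sh awx
if [ $# -ge 1 ]; then
    node_home=$(getent passwd "$1" | cut -d: -f6)
    [ -n "$node_home" ] || { echo "no such user: $1" >&2; exit 1; }
    check_node "$1" "$node_home" /var/lib/awx
fi
```
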

Configure – AWX

You’ll need to access the container that has Ansible installed in order to use the awx-manage command.

I’m using the docker-compose method to deploy AWX

List the running containers

docker ps

Locate the container ID that is running the awx_task image

Enter the awx_task container (use the container ID from your own docker ps output)

docker exec -it 07694949d898 /bin/bash

Create an instance in AWX

awx-manage provision_instance --hostname <hostname/ip of isolated node>

Add the newly created instance to an isolated group

awx-manage register_queue --queuename <your queue name> --hostname <hostname/ip of isolated node> --controller <controller tower name e.g. tower>

Congratulations! You’ve successfully created an isolated node with AWX. Go to the AWX web UI -> Instance Groups to view your newly created isolated instance group!

5 thoughts on “How to install AWX Isolated Node”

  1. Hey Mate,

    Thanks a lot for creating this post.
    Are you sure it is working?
    I think there is a little bit more than this to configure the isolated node.
    I think the post skipped a few steps:
    When you are provisioning the node with awx-manage I think you should add --is-isolated.
    When you specify the queue – the controller has to be the tower (default) instance group.
    You also need to generate the pub for the awx-manage generate_isolated_key and add it to the authorized_keys on the isolated node.
    Tested on CentOS8 – one note – AWX by default will try to call python…


    1. Yup! As there are too many components in this tutorial, for this topic I specifically drafted it to focus on the AWX configurations and skipped the host configurations.


    1. You could first verify if AWX could communicate with the isolated node using the following command: “awx-manage test_isolated_connection”. If everything looks good, then attempt to run a job on the isolated node’s instance group, and if the job is stuck at pending state, you could proceed to navigate to “instance groups” -> -> toggle the isolated node “on” “off” and “on” via the web UI to reinstate connection.


      1. Thanks for your answer.

        The problem was that I had 2 AWX instances and while testing only one was set up with a keyless SSH user.

        After I fixed that everything was OK 🙂

        Thanks again 🙂

