Yes, you’re right! Finally, documentation on how to deploy an AWX isolated node!
I could not find proper documentation on AWX isolated node deployment because the AWX open source community does not support this particular feature, which I don’t really know why. I decided to spend some time cracking my head on how to get it done, since AWX is the upstream of Ansible Tower.
Background
AWX is the upstream, open source version of Ansible Tower. Ansible engine on its own does not have the capability to store passwords securely, its RBAC relies on the OS level, and there’s no centralized way of managing inventory or any APIs to bring automation to the next level.
AWX and Ansible Tower comprise many different features. Here are some of the main ones:
- Store sensitive information securely
- Role-based access control (RBAC)
- Grab playbooks or scripts from git
- Grab inventory from existing inventory software
AWX runs the playbook on the host server it is installed on. This can be a challenge in an actual production environment, where there can be different domains or zones, and getting firewall ports opened from one server to all managed nodes (network devices or servers) could be difficult.
Ansible Tower has this feature called isolated node where there can be 1 centralized Tower running the playbook but execution is performed on another server. This feature provides multi-tenancy capabilities to any Tower deployment.
Quoted from the original blog post on Red Hat’s website:
“A Tower Isolated Node is a headless Ansible Tower node that can be used for local execution capacity, either in a constrained networking environment such as a DMZ or VPC, or in a remote data center for local execution capacity. The only prerequisite is that there is SSH connectivity from the Tower Cluster to the Isolated Node. The Tower Cluster will send all jobs for the relevant inventory to the Isolated Node, run them there, and then pull the job details back into Ansible Tower for viewing and reporting.”
https://developers.redhat.com/blog/2017/12/20/understanding-ansible-tower-isolated-nodes/
Prerequisites
- An existing AWX deployment
  - You can follow the AWX installation guide below and install on your preferred platform. I’ll be using the docker-compose method.
  - https://github.com/ansible/awx/blob/devel/INSTALL.md
  - Take note to expose your awx_task container’s /root/.ssh folder to a host folder so that you can import the SSH keys into the container
- A RHEL/CentOS 7 server (not tested on other Linux OSes)
- Internet connection (or find your own way to deliver the package dependencies)
- SSH connection from AWX to the isolated node
- Passwordless SSH key login configured from AWX to the isolated node
Overview
The following diagram will illustrate the whole process and data flow to give you an overview on how isolated node works with AWX.
Setup – Isolated Node
Perform initial update
sudo yum update -y
Install other dependency packages (epel-release first, since python-pip comes from the EPEL repository)
(P.S. I’m using Python 2 for this POC; you could change to Python 3 if required.)
sudo yum install epel-release -y
sudo yum install python-pip python-devel -y
Install Ansible
sudo yum install ansible rsync -y
Install ansible-runner
pip install ansible-runner pywinrm --user
Set up file system folders
sudo mkdir /var/lib/awx
sudo chown awx:awx /var/lib/awx
Note: The default login user is “awx”; change it to your own if required.
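Before registering the node, the setup above and the SSH key folder from the prerequisites can be checked with a short script. This is an added example, not part of the original post or of AWX: the function names and the PREFLIGHT and SSH_DIR variables are assumptions of the example, while the paths, the awx user and the tool names come from the steps above.

```shell
#!/bin/sh
# Added example: preflight checks for the isolated node and the AWX SSH key folder.
# Function names and the PREFLIGHT/SSH_DIR switches are this example's own.

# Fail unless DIR exists and is owned by OWNER (the page uses /var/lib/awx and awx).
check_runtime_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || { echo "FAIL: $dir is missing"; return 1; }
    actual=$(stat -c '%U' "$dir")
    [ "$actual" = "$owner" ] || { echo "FAIL: $dir owned by $actual, want $owner"; return 1; }
    echo "OK: $dir owned by $owner"
}

# Fail if any named tool is not on PATH (pip --user installs land in ~/.local/bin).
check_tools() {
    rc=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "FAIL: $tool not on PATH"; rc=1; }
    done
    return $rc
}

# Fail if the folder mapped to awx_task's /root/.ssh, or a private key in it,
# is accessible to group/other: that key logs in to every isolated node.
check_ssh_dir() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir is missing"; return 1; }
    [ "$(stat -c '%a' "$dir")" = "700" ] || { echo "FAIL: $dir is not mode 700"; rc=1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub|*/known_hosts|*/authorized_keys|*/config) continue ;; esac
        mode=$(stat -c '%a' "$f")
        case "$mode" in 600|400) ;; *) echo "FAIL: $f is mode $mode"; rc=1 ;; esac
    done
    return $rc
}

# PREFLIGHT=node on the isolated node; PREFLIGHT=host SSH_DIR=<folder> on the AWX host.
case "${PREFLIGHT:-}" in
    node) check_tools ansible ansible-runner rsync; check_runtime_dir /var/lib/awx awx ;;
    host) check_ssh_dir "${SSH_DIR:?set SSH_DIR to the host folder mapped to /root/.ssh}" ;;
esac
```

Run it as the login user AWX will use, so that the PATH check reflects what the SSH session from AWX will see.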
Configure – AWX
You’ll need to access the container that has Ansible installed in order to use the awx-manage command.
I’m using the docker-compose method to deploy AWX
List the running containers
docker ps
Access the awx_task container (use the container ID that docker ps shows for awx_task)
docker exec -it 07694949d898 /bin/bash
Create an instance in AWX
awx-manage provision_instance --hostname <hostname/ip of isolated node>
Add the newly created instance to an isolated group
awx-manage register_queue --queuename <your queue name> --hostname <hostname/ip of isolated node> --controller <controller tower name e.g. tower>
Congratulations! You’ve successfully created an isolated node with AWX. Go to the AWX web UI -> Instance Groups to view your newly created isolated instance group!