Chapter 1. Ansible Automation Platform containerized installation
Ansible Automation Platform is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments.
This guide helps you to understand the installation requirements and processes behind the containerized version of Ansible Automation Platform.
Upgrades from 2.4 Containerized Ansible Automation Platform Tech Preview to 2.5 Containerized Ansible Automation Platform are unsupported at this time.
Prerequisites
- A Red Hat Enterprise Linux (RHEL) 9.2 based host. Use a minimal operating system base install.
- A non-root user for the Red Hat Enterprise Linux host, with sudo or other Ansible supported privilege escalation (sudo recommended). This user is responsible for the installation of containerized Ansible Automation Platform.
SSH public key authentication for the non-root user. For guidelines on setting up SSH public key authentication for the non-root user, see How to configure SSH public key authentication for passwordless login.
-
SSH keys are only required when installing on remote hosts. If doing a self contained local VM based installation, you can use
ansible_connection=local
.
-
SSH keys are only required when installing on remote hosts. If doing a self contained local VM based installation, you can use
- Internet access from the Red Hat Enterprise Linux host if you are using the default online installation method.
- The appropriate network ports are open if a firewall is in place. For more information about the ports to open, see Container topologies in Tested deployment models.
1.1. Tested deployment topologies
Red Hat tests Ansible Automation Platform 2.5 with a defined set of topologies to give you opinionated deployment options. The supported topologies include infrastructure topology diagrams, tested system configurations, example inventory files, and network ports information.
For containerized Ansible Automation Platform, there are two infrastructure topology shapes:
- Growth - (All-in-one) Intended for organizations that are getting started with Ansible Automation Platform. This topology allows for smaller footprint deployments.
- Enterprise - Intended for organizations that require Ansible Automation Platform deployments to have redundancy or higher compute for large volumes of automation. This is a more future-proofed scaled out architecture.
For more information about the tested deployment topologies for containerized Ansible Automation Platform, see Container topologies in Tested deployment models.
1.2. System requirements
Each virtual machine (VM) has the following system requirements:
Requirement | Minimum requirement |
---|---|
RAM | 16 GB |
CPUs | 4 |
Local disk | 60 GB |
Disk IOPS | 3000 |
1.3. Preparing the Red Hat Enterprise Linux host for containerized installation
Containerized Ansible Automation Platform runs the component services as Podman based containers on top of a Red Hat Enterprise Linux host. Prepare the Red Hat Enterprise Linux host to ensure a successful installation.
Procedure
- Log in to the Red Hat Enterprise Linux host as your non-root user.
Set a hostname that is a fully qualified domain name (FQDN):
sudo hostnamectl set-hostname <your_hostname>
Register your Red Hat Enterprise Linux host with
subscription-manager
:sudo subscription-manager register
Run
sudo dnf repolist
to validate that only the BaseOS and AppStream repositories are setup and enabled on the host:$ sudo dnf repolist Updating Subscription Management repositories. repo id repo name rhel-9-for-x86_64-appstream-rpms Red Hat Enterprise Linux 9 for x86_64 - AppStream (RPMs) rhel-9-for-x86_64-baseos-rpms Red Hat Enterprise Linux 9 for x86_64 - BaseOS (RPMs)
- Ensure that only these repositories are available to the Red Hat Enterprise Linux host. For more information about managing custom repositories, see: Managing custom software repositories.
- Ensure that the host has DNS configured and can resolve host names and IP addresses by using a fully qualified domain name (FQDN). This is essential to ensure services can talk to one another.
Install
ansible-core
:sudo dnf install -y ansible-core
Optional: You can install additional utilities that can be useful for troubleshooting purposes, for example
wget
,git-core
,rsync
, andvim
:sudo dnf install -y wget git-core rsync vim
- Optional: To have the installer automatically pick up and apply your Ansible Automation Platform subscription manifest license, follow the steps in Obtaining a manifest file.
Additional resources
- For more information about registering your RHEL system, see Getting Started with RHEL System Registration.
- For information about configuring unbound DNS, see Setting up an unbound DNS server.
- For information about configuring DNS using BIND, see Setting up and configuring a BIND DNS server.
1.4. Downloading Ansible Automation Platform
Choose the installer you need based on your Red Hat Enterprise Linux environment internet connectivity and download the installer to your Red Hat Enterprise Linux host.
Procedure
Download the latest installer .tar file from the Ansible Automation Platform download page.
- For online installations: Ansible Automation Platform 2.5 Containerized Setup
- For offline or bundled installations: Ansible Automation Platform 2.5 Containerized Setup Bundle
- Copy the installer .tar file and the optional manifest .zip file onto your Red Hat Enterprise Linux host.
- Decide where you want the installer to reside on the file system. Installation related files are created under this location and require at least 10 GB for the initial installation.
Unpack the installer .tar file into your installation directory, and go to the unpacked directory.
To unpack the online installer:
$ tar xfvz ansible-automation-platform-containerized-setup-<version>.tar.gz
To unpack the offline or bundled installer:
$ tar xfvz ansible-automation-platform-containerized-setup-bundle-<version>-<arch_name>.tar.gz
1.5. Installing containerized Ansible Automation Platform
You can control the installation of Ansible Automation Platform with inventory files. Inventory files define the hosts and containers used and created, variables for components, and other information needed to customize the installation.
Example inventory files are provided in this document that you can copy and change to quickly get started.
Inventory files for the growth and enterprise topology are also found in the downloaded installer package:
-
The default one named
inventory
is for the enterprise topology pattern. -
If you want to deploy the growth or all-in-one pattern you need to copy over or use the
inventory-growth
file instead.
Additionally, you can find example inventory files in Container topologies in Tested deployment models.
To use the example inventory files, replace the < >
placeholders with your specific variables, and update the host names. Refer to the README.md
file in the installation directory for more information about optional and required variables.
1.5.1. Inventory file for online installation for containerized growth topology (all-in-one)
Use the following example inventory file to perform an online installation for the containerized growth topology (all-in-one):
# This is the Ansible Automation Platform growth installer inventory file # Please consult the docs if you are unsure what to add # For all optional variables please consult the included README.md # or the Red Hat documentation: # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation # This section is for your platform gateway hosts # ----------------------------------------------------- [automationgateway] aap.example.org # This section is for your automation controller hosts # ----------------------------------------------------- [automationcontroller] aap.example.org # This section is for your automation hub hosts # ----------------------------------------------------- [automationhub] aap.example.org # This section is for your Event-Driven Ansible controller hosts # ----------------------------------------------------- [automationeda] aap.example.org # This section is for the Ansible Automation Platform database # ----------------------------------------------------- [database] aap.example.org [all:vars] # Common variables # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-general-inventory-variables # ----------------------------------------------------- postgresql_admin_username=postgres postgresql_admin_password=<set your own> registry_username=<your RHN username> registry_password=<your RHN password> redis_mode=standalone # Platform gateway # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-gateway-variables # ----------------------------------------------------- gateway_admin_password=<set your own> gateway_pg_host=aap.example.org gateway_pg_password=<set your own> # Automation controller # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-controller-variables # ----------------------------------------------------- controller_admin_password=<set your own> controller_pg_host=aap.example.org controller_pg_password=<set your own> # Automation hub # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-hub-variables # ----------------------------------------------------- hub_admin_password=<set your own> hub_pg_host=aap.example.org hub_pg_password=<set your own> # Event-Driven Ansible controller # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#event-driven-ansible-controller # ----------------------------------------------------- eda_admin_password=<set your own> eda_pg_host=aap.example.org eda_pg_password=<set your own>
1.5.2. Inventory file for online installation for containerized enterprise topology
Use the following example inventory file to perform an online installation for the containerized enterprise topology:
# This is the Ansible Automation Platform enterprise installer inventory file # Please consult the docs if you are unsure what to add # For all optional variables please consult the included README.md # or the Red Hat documentation: # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation # This section is for your platform gateway hosts # ----------------------------------------------------- [automationgateway] gateway1.example.org gateway2.example.org # This section is for your automation controller hosts # ----------------------------------------------------- [automationcontroller] controller1.example.org controller2.example.org # This section is for your Ansible Automation Platform execution hosts # ----------------------------------------------------- [execution_nodes] hop1.example.org receptor_type='hop' exec1.example.org exec2.example.org # This section is for your automation hub hosts # ----------------------------------------------------- [automationhub] hub1.example.org hub2.example.org # This section is for your Event-Driven Ansible controller hosts # ----------------------------------------------------- [automationeda] eda1.example.org eda2.example.org [redis] gateway1.example.org gateway2.example.org hub1.example.org hub2.example.org eda1.example.org eda2.example.org [all:vars] # Common variables # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-general-inventory-variables # ----------------------------------------------------- registry_username=<your RHN username> registry_password=<your RHN password> # Platform gateway # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-gateway-variables # ----------------------------------------------------- gateway_admin_password=<set your own> gateway_pg_host=externaldb.example.org gateway_pg_database=<set your own> gateway_pg_username=<set your own> gateway_pg_password=<set your own> # Automation controller # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-controller-variables # ----------------------------------------------------- controller_admin_password=<set your own> controller_pg_host=externaldb.example.org controller_pg_database=<set your own> controller_pg_username=<set your own> controller_pg_password=<set your own> # Automation hub # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#ref-hub-variables # ----------------------------------------------------- hub_admin_password=<set your own> hub_pg_host=externaldb.example.org hub_pg_database=<set your own> hub_pg_username=<set your own> hub_pg_password=<set your own> # Event-Driven Ansible controller # https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/containerized_installation/appendix-inventory-files-vars#event-driven-ansible-controller # ----------------------------------------------------- eda_admin_password=<set your own> eda_pg_host=externaldb.example.org eda_pg_database=<set your own> eda_pg_username=<set your own> eda_pg_password=<set your own>
Redis configuration for an enterprise topology
- Redis can be colocated with any other node in a clustered installation.
By default the
redis_mode
is set tocluster
.-
redis_mode=cluster
-
- For more information about Redis, see Caching and queueing system in Planning your installation.
1.5.3. Additional information for configuring your inventory file
Offline or bundled installation
-
To perform an offline installation, add the following under the
[all:vars]
group:
bundle_install=true # The bundle directory must include /bundle in the path bundle_dir=<full path to the bundle directory>
Configuring a HAProxy load balancer
-
To configure a HAProxy load balancer in front of platform gateway with a custom CA cert, set the following inventory file variables under the
[all:vars]
group:
custom_ca_cert=<path_to_cert_crt> gateway_main_url=<https://load_balancer_url>
HAProxy SSL passthrough mode is not supported with platform gateway.
Loading an automation controller license file
- To define the location of your automation controller license file, set the following variable in the inventory file:
controller_license_file=<full_path_to_your_manifest_zip_file>
1.5.4. Running the installation command
Use the following command to install containerized Ansible Automation Platform:
ansible-playbook -i inventory ansible.containerized_installer.install
-
If your privilege escalation requires you to enter a password, append
-K
to the command line. You are then prompted for theBECOME
password. -
You can use increasing verbosity, up to 4 v’s (
-vvvv
) to see the details of the installation process. However, it is important to note that this can significantly increase installation time, so it is recommended that you use it only as needed or requested by Red Hat support.
1.6. Accessing Ansible Automation Platform
After the installation completes, the default protocol and ports used for Ansible Automation Platform are 80 (HTTP) and 443 (HTTPS).
You can customize the ports with the following variables:
envoy_http_port=80 envoy_https_port=443
If you want to disable HTTPS, set envoy_disable_https
to true
:
envoy_disable_https=true
Accessing the platform UI
The platform UI is available by default at:
https://<gateway-node>:443
Log in as the admin user with the password you created for gateway_admin_password
.
1.7. Using custom TLS certificates
By default, the installer generates TLS certificates and keys for all services that are signed by a custom Certificate Authority (CA). You can provide a custom TLS certificate and key for each service. If that certificate is signed by a custom CA, you must provide the CA TLS certificate and key.
- Certificate Authority
ca_tls_cert=/full/path/to/tls/certificate ca_tls_key=/full/path/to/tls/key
- Platform gateway
gateway_tls_cert=/full/path/to/tls/certificate gateway_tls_key=/full/path/to/tls/key
- Automation controller
controller_tls_cert=/full/path/to/tls/certificate controller_tls_key=/full/path/to/tls/key
- Automation hub
hub_tls_cert=/full/path/to/tls/certificate hub_tls_key=/full/path/to/tls/key
- Event-Driven Ansible
eda_tls_cert=/full/path/to/tls/certificate eda_tls_key=/full/path/to/tls/key
- PostgreSQL
postgresql_tls_cert=/full/path/to/tls/certificate postgresql_tls_key=/full/path/to/tls/key
- Receptor
receptor_tls_cert=/full/path/to/tls/certificate receptor_tls_key=/full/path/to/tls/key
1.8. Using custom Receptor signing keys
Receptor signing is enabled by default unless receptor_disable_signing=true
is set, and an RSA key pair (public and private) is generated by the installer. However, you can give custom RSA public and private keys by setting the path variables:
receptor_signing_private_key=<full_path_to_private_key> receptor_signing_public_key=<full_path_to_public_key>
1.9. Enabling Automation hub collection and container signing
With automation hub you can sign Ansible collections and container images. This feature is not enabled by default, and you must provide the GPG key.
hub_collection_signing=true hub_collection_signing_key=<full_path_to_collections_gpg_key> hub_container_signing=true hub_container_signing_key=<full_path_to_containers_gpg_key>
When the GPG key is protected by a passphrase, you must provide the passphrase.
hub_collection_signing_pass=<collections_gpg_key_passphrase> hub_container_signing_pass=<containers_gpg_key_passphrase>
1.10. Adding execution nodes
The containerized installer can deploy remote execution nodes. The execution_nodes
group in the inventory file handles this.
[execution_nodes] <fqdn_of_your_execution_host>
An execution node is by default configured as an execution type running on port 27199 (TCP). This can be changed by the following variables:
receptor_port=27199 receptor_protocol=tcp receptor_type=hop
The receptor_type
value can be either execution
or hop
, while the receptor_protocol
is either tcp
or udp
. By default, the nodes in the execution_nodes
group are added as peers for the controller node. However, you can change the peers configuration by using the receptor_peers
variable.
[execution_nodes] fqdn_of_your_execution_host fqdn_of_your_hop_host receptor_type=hop receptor_peers='["<fqdn_of_your_execution_host>"]'
1.11. Adding a safe plugin variable to Event-Driven Ansible controller
When using redhat.insights_eda or similar plugins to run rulebook activations in Event-Driven Ansible controller, you must add a safe plugin variable to a directory in Ansible Automation Platform. This ensures connection between Event-Driven Ansible controller and the source plugin, and displays port mappings correctly.
Procedure
-
Create a directory for the safe plugin variable:
mkdir -p ./group_vars/automationedacontroller
-
Create a file within that directory for your new setting (for example,
touch ./group_vars/automationedacontroller/custom.yml
) Add the variable
automationedacontroller_additional_settings
to extend the defaultsettings.yaml
template for Event-Driven Ansible controller and add the SAFE_PLUGINS field with a list of plugins to enable. For example:automationedacontroller_additional_settings: SAFE_PLUGINS: - ansible.eda.webhook - ansible.eda.alertmanager
NoteYou can also extend the
automationedacontroller_additional_settings
variable beyond SAFE_PLUGINS in the Django configuration file, /etc/ansible-automation-platform/eda/settings.yaml
1.12. Uninstalling containerized Ansible Automation Platform
To uninstall a containerized deployment, run the uninstall.yml
playbook:
$ ansible-playbook -i inventory ansible.containerized_installer.uninstall
This stops all systemd units and containers and then deletes all resources used by the containerized installer such as:
- config and data directories and files
- systemd unit files
- Podman containers and images
- RPM packages
To keep container images, you can set the container_keep_images
variable to true
.
$ ansible-playbook -i inventory ansible.containerized_installer.uninstall -e container_keep_images=true
To keep PostgreSQL databases, you can set the postgresql_keep_databases
variable to true
.
$ ansible-playbook -i inventory ansible.containerized_installer.uninstall -e postgresql_keep_databases=true
Use the Ansible Automation Platform secret key values rather than the autogenerated ones.