Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

RPM installation

Red Hat Ansible Automation Platform 2.6

Install the RPM version of Ansible Automation Platform

Red Hat Customer Content Services

Abstract

This guide shows you how to install Red Hat Ansible Automation Platform based on supported installation scenarios.
Note
The Ansible Automation Platform RPM installer was deprecated in 2.5 and will be removed in Ansible Automation Platform 2.7. The RPM installer will be supported for RHEL 9 during the lifecycle of Ansible Automation Platform 2.6 to support migrations to existing supported topologies. For more information on upgrade and migration paths, see the Support matrix for upgrade scenarios.

Preface
Copy link

Thank you for your interest in Red Hat Ansible Automation Platform. Ansible Automation Platform is a commercial offering that helps teams manage complex multi-tier deployments by adding control, knowledge, and delegation to Ansible-powered environments.

This guide helps you to understand the installation requirements and processes behind installing Ansible Automation Platform. This document has been updated to include information for the latest release of Ansible Automation Platform.

Note

The Ansible Automation Platform RPM installer was deprecated in 2.5 and will be removed in Ansible Automation Platform 2.7. The RPM installer will be supported for RHEL 9 during the lifecycle of Ansible Automation Platform 2.6 to support migrations to existing supported topologies. For more information on upgrade and migration paths, see the Support matrix for upgrade scenarios.

Providing feedback on Red Hat documentation
Copy link

If you have a suggestion to improve this documentation, or find an error, you can contact technical support at https://access.redhat.com to open a request.

The Red Hat Ansible Automation Platform installation program offers you flexibility, allowing you to install Ansible Automation Platform by using several supported installation scenarios.

Regardless of the installation scenario you choose, installing Ansible Automation Platform involves the following steps:

Editing the Red Hat Ansible Automation Platform installer inventory file
The Ansible Automation Platform installer inventory file allows you to specify your installation scenario and describe host deployments to Ansible. The examples provided in this document show the parameter specifications needed to install that scenario for your deployment.
Running the Red Hat Ansible Automation Platform installer setup script
The setup script installs Ansible Automation Platform by using the required parameters defined in the inventory file.
Verifying your Ansible Automation Platform installation
After installing Ansible Automation Platform, you can verify that the installation has been successful by logging in to the platform UI and seeing the relevant functionality.

1.1. Prerequisites
Copy link

Warning

To prevent errors, upgrade your RHEL nodes fully before installing Ansible Automation Platform.

Ansible is an open source software project and is licensed under the GNU General Public License version 3, as described in the Ansible Source Code.

You must have valid subscriptions attached before installing Ansible Automation Platform.

1.2.1. Trial and evaluation
Copy link

You need a subscription to run Ansible Automation Platform. You can start by signing up for a free trial subscription.

  • Trial subscriptions for Ansible Automation Platform are available at the Red Hat product trial center.
  • Support is not included in a trial subscription or during an evaluation of the Ansible Automation Platform.

1.2.2. Node counting in subscriptions
Copy link

The Ansible Automation Platform subscription defines the number of Managed Nodes that can be managed as part of your subscription.

For more information about managed node requirements for subscriptions, see How are "managed nodes" defined as part of the Red Hat Ansible Automation Platform offering.

Note

Ansible does not recycle node counts or reset automated hosts.

1.2.3. Subscription Types
Copy link

Red Hat Ansible Automation Platform is provided at various levels of support and number of machines as an annual subscription.

All subscription levels include regular updates and releases of automation controller, Ansible, and any other components of the Ansible Automation Platform.

For more information, contact Ansible through the Red Hat Customer Portal or at the Ansible site.

You must have valid subscriptions on all nodes before installing Red Hat Ansible Automation Platform.

Note

Simple Content Access (SCA) is now the default subscription method for all Red Hat accounts. With SCA, you must register your systems to Red Hat Subscription Management (RHSM) or Satellite to access content. Traditional pool-based subscription attachment commands (such as subscription-manager attach --pool or subscription-manager attach --auto) are no longer required. For more information, see Simple Content Access.

Procedure

  1. Register your system with Red Hat Subscription Management: 

    $ sudo subscription-manager register --username <$INSERT_USERNAME_HERE> --password <$INSERT_PASSWORD_HERE>
    Copy to Clipboard Toggle word wrap

    With Simple Content Access (SCA), registration is the only step required to access Ansible Automation Platform content.

    Note

    For accounts still using legacy subscription pools, you might have to manually attach subscriptions using the commands shown in the troubleshooting section.

Verification

  1. Refresh the subscription information on your system: 

    $ sudo subscription-manager refresh
    Copy to Clipboard Toggle word wrap

  2. Verify your registration: 

    $ sudo subscription-manager identity
    Copy to Clipboard Toggle word wrap

    This command displays your system identity, name, organization name, and organization ID, confirming successful registration.

Troubleshooting

  • For legacy accounts not using SCA, you might have to manually attach subscriptions: 

    $ sudo subscription-manager list --available --all | grep "Ansible Automation Platform" -B 3 -A 6
$ sudo subscription-manager attach --pool=<pool_id>
    Copy to Clipboard Toggle word wrap
    Note

    Do not use MCT4022 as a pool_id as it can cause subscription attachment to fail.

  • For legacy accounts not using SCA, if you are unable to locate certain packages that came bundled with the Ansible Automation Platform installer, or if you are seeing a Repositories disabled by configuration message, use the following steps to identify and enable the required repository:

    1. List available repositories: 

      $ sudo subscription-manager repos --list | grep -i ansible-automation-platform
      Copy to Clipboard Toggle word wrap
    2. Identify the repository name that matches your RHEL version, Ansible Automation Platform version, and architecture (for example, ansible-automation-platform-2.6-for-rhel-9-x86_64-rpms).

    3. Enable the repository: 

      $ sudo subscription-manager repos --enable <repository_name>
      Copy to Clipboard Toggle word wrap

1.2.5. Obtaining a manifest file
Copy link

You can obtain a subscription manifest in the Subscription Allocations section of Red Hat Subscription Management.

After you obtain a subscription allocation, you can download its manifest file and upload it to activate Ansible Automation Platform.

To begin, log in to the Red Hat Customer Portal by using your administrator user account and follow the procedures listed.

1.2.5.1. Create a subscription allocation
Copy link

With a new subscription allocation you can set aside subscriptions and entitlements for a system that is currently offline or air-gapped. This is necessary before you can download its manifest and upload it to Ansible Automation Platform.

Procedure

  1. From the Subscription Allocations page, click New Subscription Allocation.
  2. Enter a name for the allocation so that you can find it later.
  3. Select Type: Satellite 6.16 as the management application.
  4. Click Create.

After you create an allocation, you can add the subscriptions you need for Ansible Automation Platform to run properly. This step is necessary before you can download the manifest and add it to Ansible Automation Platform.

Procedure

  1. From the Subscription Allocations page, click the name of the Subscription Allocation to which you want to add a subscription.
  2. Click the Subscriptions tab.
  3. Click Add Subscriptions.
  4. Enter the number of Ansible Automation Platform Entitlements you plan to add.
  5. Click Submit.
1.2.5.3. Downloading a manifest file
Copy link

After you create an allocation with the appropriate subscriptions on it, you can download the manifest file from Red Hat Subscription Management.

Procedure

  1. From the Subscription Allocations page, click the name of the Subscription Allocation to which you want to generate a manifest.
  2. Click the Subscriptions tab.

  3. Click Export Manifest to download the manifest file.

    This downloads a file manifest_<allocation name>_<date>.zip to your default downloads folder.

Red Hat Ansible Automation Platform uses available subscriptions or a subscription manifest to allow the use of Ansible Automation Platform.

To obtain a subscription, you can do either of the following:

  1. Use your Red Hat username and password, service account credentials, or Satellite credentials when you launch Ansible Automation Platform.
  2. Upload a subscriptions manifest file either using the Red Hat Ansible Automation Platform interface or manually in an Ansible Playbook.
1.2.6.1. Activate with credentials
Copy link

Organization Administrators can activate their Ansible Automation Platform subscription on first launch by using a Red Hat service account’s client ID and client secret to automatically retrieve and import the license.

If you do not have administrative access, you can enter your Red Hat username and password in the Username and password tab to locate and add your subscription to your Ansible Automation Platform instance.

Note

You are opted in for Automation Analytics by default when you activate the platform on first login. This helps Red Hat improve the product by delivering you a much better user experience. You can opt out after activating Ansible Automation Platform by taking the following steps:

  1. From the navigation panel, select SettingsAutomation ExecutionSystem.
  2. Clear the Gather data for Automation Analytics option.
  3. Click Save.

Procedure

  1. Log in to Red Hat Ansible Automation Platform.
  2. Select the Service Account tab in the subscription wizard.
  3. Enter your Client ID and Client secret.

  4. Select your subscription from the Subscription list.

    Note

    You can also enter your Satellite username and password in the Satellite tab if your cluster nodes are registered to Satellite through Subscription Manager.

  5. Review the End User License Agreement and select I agree to the End User License Agreement.
  6. Click Finish.

Verification

After your subscription has been accepted, subscription details are displayed. A status of Compliant indicates your subscription is in compliance with the number of hosts you have automated within your subscription count. Otherwise, your status shows as Out of Compliance, indicating you have exceeded the number of hosts in your subscription. Other important information displayed include the following:

Hosts automated
Host count automated by the job, which consumes the license count
Hosts imported
Host count considering all inventory sources (does not impact hosts remaining)
Hosts remaining
Total host count minus hosts automated
1.2.6.2. Activate with a manifest file
Copy link

If you have a subscriptions manifest, you can upload the manifest file by using the Red Hat Ansible Automation Platform interface.

Note

You are opted in for Automation Analytics by default when you activate the platform on first login. This helps Red Hat improve the product by delivering you a much better user experience. You can opt out after activating Ansible Automation Platform by taking the following steps:

  1. From the navigation panel, select SettingsAutomation ExecutionSystem.
  2. Clear the Gather data for Automation Analytics option.
  3. Click Save.

Prerequisites

You must have a Red Hat subscription manifest file exported from the Red Hat Customer Portal. For more information, see Obtaining a manifest file.

Procedure

  1. Log in to Red Hat Ansible Automation Platform.

    1. If you are not immediately taken to the subscription wizard, go to SettingsSubscription.
  2. Select the Subscription manifest tab.
  3. Click Browse and select your manifest file.
  4. Review the End User License Agreement and select I agree to the End User License Agreement.

  5. Click Finish.

    Note

    If the BROWSE button is disabled on the subscription wizard page, clear the USERNAME and PASSWORD fields.

Verification

After your subscription has been accepted, subscription details are displayed. A status of Compliant indicates your subscription is in compliance with the number of hosts you have automated within your subscription count. Otherwise, your status shows as Out of Compliance, indicating you have exceeded the number of hosts in your subscription. Other important information displayed include the following:

Hosts automated
Host count automated by the job, which uses the subscription count
Hosts imported
Host count considering all inventory sources (does not impact hosts remaining)
Hosts remaining
Total host count minus hosts automated

Chapter 2. System requirements
Copy link

Use this information when planning your Red Hat Ansible Automation Platform installations and designing automation mesh topologies that fit your use case.

2.1. Prerequisites
Copy link

  • Obtain root access either through the sudo command, or through privilege escalation.

    • De-escalate privileges from root to users such as: AWX, PostgreSQL, Event-Driven Ansible, or Pulp.
  • Configured an NTP client on all nodes.

Your system must meet the following minimum system requirements to install and run Red Hat Ansible Automation Platform. A resilient deployment requires 10 virtual machines with a minimum of 16 gigabytes (GB) of RAM and 4 virtual CPUs (vCPU). See Tested deployment models for more information on topology options.

Expand
Table 2.1. Base system
TypeDescriptionNotes

Subscription

Valid Red Hat Ansible Automation Platform subscription

 

Operating system

  • Red Hat Enterprise Linux 9.4 or later minor versions of Red Hat Enterprise Linux 9

Red Hat Ansible Automation Platform are also supported on OpenShift, see Installing on OpenShift Container Platform for more information.

CPU architecture

x86_64, AArch64, s390x (IBM Z), ppc64le (IBM Power)

 

Ansible-core

Ansible-core version 2.16 or later

Ansible Automation Platform uses the system-wide ansible-core package to install the platform, but uses ansible-core 2.16 for both its control plane and built-in execution environments.

Browser

A currently supported version of Mozilla Firefox or Google Chrome.

 

Database

  • For Ansible Automation Platform managed databases: PostgreSQL 15.
  • For customer provided (external) databases: PostgreSQL 15, 16, or 17.
  • External (customer supported) databases require ICU support.
  • External databases using PostgreSQL 16 or 17 must rely on external backup and restore processes. Backup and restore functionality is dependent on utilities provided with PostgreSQL 15.
Expand
Table 2.2. Virtual machine requirements
ComponentRAMvCPUDisk IOPSStorage

Platform gateway

16GB

4

3000

60GB minimum

Control nodes

16GB

4

3000

80GB minimum with at least 20GB available under /var/lib/awx

Execution nodes

16GB

4

3000

60GB minimum

Hop nodes

16GB

4

3000

60GB minimum

Automation hub

16GB

4

3000

60GB minimum with at least 40GB allocated to /var/lib/pulp

Database

16GB

4

3000

100GB minimum allocated to /var/lib/pgsql

Event-Driven Ansible controller

16GB

4

3000

60GB minimum

Note

These are minimum requirements and can be increased for larger workloads in increments of 2x (for example 16GB becomes 32GB and 4 vCPU becomes 8vCPU). See the horizontal scaling guide for more information.

2.2.1. Repository requirements
Copy link

Enable the following repositories only when installing Red Hat Ansible Automation Platform:

  • RHEL BaseOS
  • RHEL AppStream
Note

If you enable repositories besides those mentioned above, the Red Hat Ansible Automation Platform installation could fail unexpectedly.

The following are necessary for you to work with project updates and collections:

  • Ensure that the Network ports and protocols listed in Table 6.3. Automation Hub are available for successful connection and download of collections from automation hub or Ansible Galaxy server.
  • The Ansible Automation Platform database backups are staged on each node at /var/backups/automation-platform through the variable backup_dir. You might need to mount a new volume to /var/backups or change the staging location with the variable backup_dir to prevent issues with disk space before running the ./setup.sh -b script.
  • If performing a bundled Ansible Automation Platform installation, the installation setup.sh script attempts to install ansible-core (and its dependencies) from the bundle for you.
  • If you have installed Ansible-core manually, the Ansible Automation Platform installation setup.sh script detects that Ansible has been installed and does not attempt to reinstall it.
Note

You must use Ansible-core, which is installed by using DNF. Ansible-core version 2.16 is required for versions 2.6 and later.

2.3. Platform gateway system requirements
Copy link

Platform gateway is the service that handles authentication and authorization for Ansible Automation Platform. It provides a single entry into the platform and serves the platform’s user interface.

2.4. Automation controller system requirements
Copy link

Automation controller is a distributed system, where different software components can be co-located or deployed across many compute nodes. The installation program provides four node types as abstractions to help you design the topology appropriate for your use case: control, hybrid, execution, and hop nodes.

Use the following recommendations for node sizing:

Expand
Table 2.3. Recommended Resource Sizing for Automation controller Node Types
Node TypeRAM (Minimum)vCPU (Minimum)Disk IOPS (Minimum)Storage and Notes

Execution Node

16 GB

4 vCPU

3000

Runs automation. Increase RAM/CPU to increase capacity for concurrent job forks. Performance depends heavily on the number of jobs run simultaneously.

Control Node

16 GB

4 vCPU

3000

Processes events and runs cluster jobs (e.g., project updates). * Storage: 80GB minimum, with at least 20GB available under /var/lib/awx. * Storage Requirement: Volume must be rated for a minimum baseline of 3000 IOPS.

Hybrid Node

16 GB

4 vCPU

3000

A combination of Control and Execution node functions. Storage requirements generally match the Control Node.

Hop Node

16 GB

4 vCPU

3000

Routes traffic within the automation mesh (e.g., bastion host). RAM can affect throughput, but CPU activity is typically low. Network latency is a more important factor than RAM or CPU.

  • Actual RAM requirements vary based on how many hosts automation controller manages simultaneously (which is controlled by the forks parameter in the job template or the system ansible.cfg file). To avoid possible resource conflicts, Ansible recommends 1 GB of memory per 10 forks and 2 GB reservation for automation controller. See Automation controller capacity determination and job impact. If forks is set to 400, 42 GB of memory is recommended.

  • A larger number of hosts can be addressed, but if the fork number is less than the total host count, more passes across the hosts are required. You can avoid these RAM limitations by using any of the following approaches:

    • Use rolling updates.
    • Use the provisioning callback system built into automation controller, where each system requesting configuration enters a queue and is processed as quickly as possible.
    • In cases where automation controller is producing or deploying images.

2.5. Automation hub system requirements
Copy link

With Automation hub you can discover and use new certified automation content from Red Hat Ansible and Certified Partners.

On Ansible automation hub, you can discover and manage Ansible Collections, which are supported automation content developed by Red Hat and its partners for use cases such as cloud automation, network automation, and security automation.

Note

Private automation hub

If you install private automation hub from an internal address with a certificate that only encompasses the external address, this can result in an installation that cannot be used as container registry without certificate issues.

To avoid this, use the automationhub_main_url inventory variable with a value such as https://pah.example.com linking to the private automation hub node in the installation inventory file.

This adds the external address to /etc/pulp/settings.py. This implies that you only want to use the external address.

For information about inventory file variables, see Inventory file variables.

Before deploying a high availability (HA) automation hub, ensure that you have a shared storage file system installed in your environment and that you have configured your network storage system, if applicable.

2.5.1.1. Required shared storage
Copy link

Shared storage is required when installing more than one Automation hub with a file storage backend. The supported shared storage type for RPM-based installations is Network File System (NFS).

Before you run the Red Hat Ansible Automation Platform installer, verify that you installed the /var/lib/pulp directory across your cluster as part of the shared storage file system installation. The Red Hat Ansible Automation Platform installer returns an error if /var/lib/pulp is not detected in one of your nodes, causing your high availability automation hub setup to fail.

If you receive an error stating /var/lib/pulp is not detected in one of your nodes, ensure /var/lib/pulp is properly mounted in all servers and re-run the installation program.

If you intend to install a HA automation hub using a network storage on the automation hub nodes itself, you must first install and use firewalld to open the necessary ports as required by your shared storage system before running the Ansible Automation Platform installer.

Install and configure firewalld by executing the following commands:

  1. Install the firewalld daemon: 

    $ dnf install firewalld
    Copy to Clipboard Toggle word wrap

  2. Add your network storage under <service> using the following command: 

    $ firewall-cmd --permanent --add-service=<service>
    Copy to Clipboard Toggle word wrap
    Note

    For a list of supported services, use the $ firewall-cmd --get-services command

  3. Reload to apply the configuration: 

    $ firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

The Event-Driven Ansible controller is a single-node system capable of handling a variable number of long-running processes (such as rulebook activations) on-demand, depending on the number of CPU cores.

Use the following minimum requirements for Event-Driven Ansible controller:

Expand
RequirementRequired

RAM

16 GB

CPUs

4

Local disk

  • Hard drive must be 40 GB minimum with at least 20 GB available under /var.
  • Storage volume must be rated for a minimum baseline of 3000 IOPS.
  • If the cluster has many large projects or decision environment images, consider doubling the GB in /var to avoid disk space errors.
Important

When you activate an Event-Driven Ansible rulebook under standard conditions, it uses about 250 MB of memory. However, the actual memory consumption can vary significantly based on the complexity of your rules and the volume and size of the events processed. In scenarios where a large number of events are anticipated or the rulebook complexity is high, conduct a preliminary assessment of resource usage in a staging environment. This ensures that your maximum number of activations is based on the capacity of your resources.

2.7. PostgreSQL requirements
Copy link

Red Hat Ansible Automation Platform 2.6 requires the external (customer supported) databases to have ICU support. PostgreSQL user passwords are hashed with SCRAM-SHA-256 secure hashing algorithm before storing in the database.

To determine if your automation controller instance has access to the database, you can do so with the command, awx-manage check_db command.

Note
  • Automation controller data is stored in the database. Database storage increases with the number of hosts managed, number of jobs run, number of facts stored in the fact cache, and number of tasks in any individual job. For example, a playbook runs every hour (24 times a day) across 250 hosts, with 20 tasks, stores over 800000 events in the database every week.
  • If not enough space is reserved in the database, the old job runs and facts must be cleaned on a regular basis. For more information, see Management Jobs in the Configuring automation execution guide.

2.7.1. PostgreSQL Configurations
Copy link

Optionally, you can configure the PostgreSQL database as separate nodes that are not managed by the Red Hat Ansible Automation Platform installer. When the Ansible Automation Platform installer manages the database server, it configures the server with defaults that are generally recommended for most workloads. For more information about the settings you can use to improve database performance, see PostgreSQL database configuration and maintenance for automation controller in the Configuring automation execution guide.

Important
  • When using an external database with Ansible Automation Platform, you must create and maintain that database. Ensure that you clear your external database when uninstalling Ansible Automation Platform.
  • Red Hat Ansible Automation Platform 2.6 requires the external (customer supported) databases to have ICU support.
  • During configuration of an external database, you must check the external database coverage. For more information, see Red Hat Ansible Automation Platform Database Scope of Coverage.

Red Hat Ansible Automation Platform 2.6 requires the external (customer supported) databases to have ICU support. Use the following procedure to configure an external PostgreSQL compliant database for use with an Ansible Automation Platform component, for example automation controller, Event-Driven Ansible, automation hub, and platform gateway.

Procedure

  1. Connect to a PostgreSQL compliant database server with superuser privileges. 

    # psql -h <hostname> -U superuser -p 5432 -d postgres <password_for_user_superuser>
    Copy to Clipboard Toggle word wrap

  2. Where the default value for <hostname> is hostname: 

    -h hostname
--host=hostname
    Copy to Clipboard Toggle word wrap

  3. Specify the hostname of the machine on which the server is running. If the value begins with a slash, it is used as the directory for the UNIX-domain socket. 

    -d dbname
--dbname=dbname
    Copy to Clipboard Toggle word wrap

  4. Specify the name of the database to connect to. This is equal to specifying dbname as the first non-option argument on the command line. The dbname can be a connection string. If so, connection string parameters override any conflicting command line options. 

    -U username
--username=username
    Copy to Clipboard Toggle word wrap
  5. Connect to the database as the user username instead of the default (you must have permission to do so).
  6. Create the user, database, and password with the createDB or administrator role assigned to the user. For further information, see Database Roles.
  7. Run the installation program. If you are using a PostgreSQL database, the database is owned by the connecting user and must have a createDB or administrator role assigned to it.
  8. Check that you can connect to the created database with the credentials provided in the inventory file.
  9. Check the permission of the user. The user should have the createDB or administrator role.

  10. After you create the PostgreSQL users and databases for each component, add the database credentials and host details in the inventory file under the [all:vars] group. 

    # Automation controller
pg_host=data.example.com
pg_database=<database name>
pg_port=<port_number>
pg_username=<set your own>
pg_password=<set your own>

# Platform gateway
automationgateway_pg_host=aap.example.org
automationgateway_pg_database=<set your own>
automationgateway_pg_port=<port_number>
automationgateway_pg_username=<set your own>
automationgateway_pg_password=<set your own>

# Automation hub
automationhub_pg_host=data.example.com
automationhub_pg_database=<database_name>
automationhub_pg_port=<port_number>
automationhub_pg_username=<username>
automationhub_pg_password=<password>

# Event-Driven Ansible
automationedacontroller_pg_host=data.example.com
automationedacontroller_pg_database=<database_name>
automationedacontroller_pg_port=<port_number>
automationedacontroller_pg_username=<username>
automationedacontroller_pg_password=<password>
    Copy to Clipboard Toggle word wrap

2.7.3. Enabling mutual TLS (mTLS) authentication
Copy link

Enable mutual TLS authentication to secure PostgreSQL database connections with certificate-based verification. This protects against unauthorized access and man-in-the-middle attacks while meeting enterprise security and compliance requirements.

Procedure

  • To configure each component’s database with mTLS authentication, add the following variables to your inventory file under the [all:vars] group and ensure each component has a different TLS certificate and key: 

    # Automation controller
pgclient_sslcert=/path/to/awx.cert
pgclient_sslkey=/path/to/awx.key
pg_sslmode=verify-full or verify-ca

# Platform gateway
automationgateway_pgclient_sslcert=/path/to/gateway.cert
automationgateway_pgclient_sslkey=/path/to/gateway.key
automationgateway_pg_sslmode=verify-full or verify-ca

# Automation hub
automationhub_pgclient_sslcert=/path/to/pulp.cert
automationhub_pgclient_sslkey=/path/to/pulp.key
automationhub_pg_sslmode=verify-full or verify-ca

# Event-Driven Ansible
automationedacontroller_pgclient_sslcert=/path/to/eda.cert
automationedacontroller_pgclient_sslkey=/path/to/eda.key
automationedacontroller_pg_sslmode=verify-full or verify-ca
    Copy to Clipboard Toggle word wrap

2.7.4. Using custom TLS certificates
Copy link

By default, the installation program generates self-signed TLS certificates and keys for all Ansible Automation Platform services. However, you can optionally use custom TLS certificates.

Procedure

  • To replace these with your own custom certificate and key, set the following inventory file variables: 

    aap_ca_cert_file=<path_to_ca_tls_certificate>
aap_ca_key_file=<path_to_ca_tls_key>
    Copy to Clipboard Toggle word wrap

  • If any of your certificates are signed by a custom Certificate Authority (CA), then you must specify the Certificate Authority’s certificate by using the custom_ca_cert inventory file variable: 

    custom_ca_cert=<path_to_custom_ca_certificate>
    Copy to Clipboard Toggle word wrap
    Note

    If you have more than one custom CA certificate, combine them into a single file, then reference the combined certificate with the custom_ca_cert inventory file variable.

2.7.5. Receptor certificate considerations
Copy link

When using a custom certificate for Receptor nodes, the certificate requires the otherName field specified in the Subject Alternative Name (SAN) of the certificate with the value 1.3.6.1.4.1.2312.19.1. For more information, see Above the mesh TLS.

Receptor does not support the usage of wildcard certificates. Additionally, each Receptor certificate must have the host FQDN specified in its SAN for TLS hostname validation to be correctly performed.

The database migration script uses hstore fields to store information, therefore the hstore extension must be enabled in the automation hub PostgreSQL database.

This process is automatic when using the Ansible Automation Platform installer and a managed PostgreSQL server.

If the PostgreSQL database is external, you must enable the hstore extension in the automation hub PostgreSQL database manually before installation.

If the hstore extension is not enabled before installation, a failure raises during database migration.

Procedure

  1. Check if the extension is available on the PostgreSQL server (automation hub database). 

    $ psql -d <automation hub database> -c "SELECT * FROM pg_available_extensions WHERE name='hstore'"
    Copy to Clipboard Toggle word wrap

  2. Where the default value for <automation hub database> is automationhub.

    Example output with hstore available: 

    name  | default_version | installed_version |comment
------+-----------------+-------------------+---------------------------------------------------
 hstore | 1.7           |                   | data type for storing sets of (key, value) pairs
(1 row)
    Copy to Clipboard Toggle word wrap

    Example output with hstore not available: 

     name | default_version | installed_version | comment
------+-----------------+-------------------+---------
(0 rows)
    Copy to Clipboard Toggle word wrap

  3. On a RHEL based server, the hstore extension is included in the postgresql-contrib RPM package, which is not installed automatically when installing the PostgreSQL server RPM package.

    To install the RPM package, use the following command: 

    dnf install postgresql-contrib
    Copy to Clipboard Toggle word wrap

  4. Load the hstore PostgreSQL extension into the automation hub database with the following command: 

    $ psql -d <automation hub database> -c "CREATE EXTENSION hstore;"
    Copy to Clipboard Toggle word wrap

    In the following output, the installed_version field lists the hstore extension used, indicating that hstore is enabled. 

    name | default_version | installed_version | comment
-----+-----------------+-------------------+------------------------------------------------------
hstore  |     1.7      |       1.7         | data type for storing sets of (key, value) pairs
(1 row)
    Copy to Clipboard Toggle word wrap

Use the Flexible I/O Tester (FIO) tool to verify that your storage system meets minimum Ansible Automation Platform PostgreSQL database requirements. FIO benchmarks read and write IOPS performance to help you evaluate storage capabilities.

Prerequisites

  • You have installed the Flexible I/O Tester (fio) storage performance benchmarking tool.

    To install fio, run the following command as the root user: 

    # yum -y install fio
    Copy to Clipboard Toggle word wrap

  • You have adequate disk space to store the fio test data log files.

    The examples shown in the procedure require at least 60GB disk space in the /tmp directory:

    • numjobs sets the number of jobs run by the command.
    • size=10G sets the file size generated by each job.
  • You have adjusted the value of the size parameter. Adjusting this value reduces the amount of test data.

Procedure

  1. Run a random write test: 

    $ fio --name=write_iops --directory=/tmp --numjobs=3 --size=10G \
--time_based --runtime=60s --ramp_time=2s --ioengine=libaio --direct=1 \
--verify=0 --bs=4K --iodepth=64 --rw=randwrite \
--group_reporting=1 > /tmp/fio_benchmark_write_iops.log \
2>> /tmp/fio_write_iops_error.log
    Copy to Clipboard Toggle word wrap

  2. Run a random read test: 

    $ fio --name=read_iops --directory=/tmp \
--numjobs=3 --size=10G --time_based --runtime=60s --ramp_time=2s \
--ioengine=libaio --direct=1 --verify=0 --bs=4K --iodepth=64 --rw=randread \
--group_reporting=1 > /tmp/fio_benchmark_read_iops.log \
2>> /tmp/fio_read_iops_error.log
    Copy to Clipboard Toggle word wrap

  3. Review the results:

    In the log files written by the benchmark commands, search for the line beginning with iops. This line shows the minimum, maximum, and average values for the test.

    The following example shows the line in the log file for the random read test: 

    $ cat /tmp/fio_benchmark_read_iops.log
read_iops: (g=0): rw=randread, bs=(R) 4096B-4096B, (W) 4096B-4096B, (T) 4096B-4096B, ioengine=libaio, iodepth=64
[…]
   iops        : min=50879, max=61603, avg=56221.33, stdev=679.97, samples=360
[…]
    Copy to Clipboard Toggle word wrap
    Note

    The above is a baseline to help evaluate the best case performance on your systems. Systems can and will change and performance may vary depending on what else is happening on your systems, storage or network at the time of testing. You must review, monitor, and revisit the log files according to your own business requirements, application workloads, and new demands.

Ansible Automation Platform is a modular platform. The platform gateway deploys automation platform components, such as automation controller, automation hub, and Event-Driven Ansible controller.

For more information about the components provided with Ansible Automation Platform, see Red Hat Ansible Automation Platform components in Planning your installation.

There are several supported installation scenarios for Red Hat Ansible Automation Platform. To install Red Hat Ansible Automation Platform, you must edit the inventory file parameters to specify your installation scenario. You can use the enterprise installer as a basis for your own inventory file.

You can use the Red Hat Ansible Automation Platform installer inventory file to specify your installation scenario.

3.2.1. For an RPM installation
Copy link

Procedure

RPM installed package 

$ cd /opt/ansible-automation-platform/installer/
Copy to Clipboard Toggle word wrap

Bundled installer 

$ cd ansible-automation-platform-setup-bundle-<latest-version>
Copy to Clipboard Toggle word wrap

Online installer 

$ cd ansible-automation-platform-setup-<latest-version>
Copy to Clipboard Toggle word wrap
  1. Open the inventory file with a text editor.

  2. Edit the inventory file parameters to specify your installation scenario.

    For containerized installation, see Configuring the inventory file You can use one of the supported Installation scenario examples as the basis for your inventory file.

Red Hat supports several installation scenarios for Ansible Automation Platform. You can develop your own inventory files using the example files as a basis, or you can use the example closest to your preferred installation scenario.

Before selecting your installation method for Ansible Automation Platform, review the following recommendations. Familiarity with these recommendations will streamline the installation process.

  • Provide a reachable IP address or fully qualified domain name (FQDN) for hosts to ensure users can sync and install content from automation hub from a different node.

    The FQDN must not contain either the - or the _ symbols, as it will not be processed correctly.

    Do not use localhost.

  • admin is the default user ID for the initial log in to Ansible Automation Platform and cannot be changed in the inventory file.
  • Use of special characters for pg_password is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.
  • Enter your Red Hat Registry Service Account credentials in registry_username and registry_password to link to the Red Hat container registry.
  • The inventory file variables registry_username and registry_password are only required if a non-bundle installer is used.

Use this example to see what is minimally needed within the inventory file to deploy single instances of platform gateway and automation controller with an external (installer managed) database. 

[automationcontroller]
controller.example.com

[automationgateway]
gateway.example.com

[database]
data.example.com

[all:vars]
admin_password='<password>'
redis_mode=standalone
pg_host='data.example.com'
pg_port=5432
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer' # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Automation Gateway configuration
automationgateway_admin_password=''

automationgateway_pg_host='data.example.com'
automationgateway_pg_port=5432

automationgateway_pg_database='automationgateway'
automationgateway_pg_username='automationgateway'
automationgateway_pg_password=''
automationgateway_pg_sslmode='prefer'

# The main automation gateway URL that clients will connect to (e.g. https://<load balancer host>).
# If not specified, the first node in the [automationgateway] group will be used when needed.
# automationgateway_main_url = ''

# Certificate and key to install in Automation Gateway
# automationgateway_ssl_cert=/path/to/automationgateway.cert
# automationgateway_ssl_key=/path/to/automationgateway.key

# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
Copy to Clipboard Toggle word wrap

Use this example to populate the inventory file to deploy single instances of platform gateway, automation controller, and automation hub with an external (installer managed) database. 

[automationcontroller]
controller.example.com

[automationhub]
automationhub.example.com

[automationgateway]
gateway.example.com

[database]
data.example.com

[all:vars]
admin_password='<password>'
redis_mode=standalone
pg_host='data.example.com'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password= <PASSWORD>

automationhub_pg_host='data.example.com'
automationhub_pg_port=5432

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

# Automation Gateway configuration
automationgateway_admin_password=''

automationgateway_pg_host=''
automationgateway_pg_port=5432

automationgateway_pg_database='automationgateway'
automationgateway_pg_username='automationgateway'
automationgateway_pg_password=''
automationgateway_pg_sslmode='prefer'

# The main automation gateway URL that clients will connect to (e.g. https://<load balancer host>).
# If not specified, the first node in the [automationgateway] group will be used when needed.
# automationgateway_main_url = ''

# Certificate and key to install in Automation Gateway
# automationgateway_ssl_cert=/path/to/automationgateway.cert
# automationgateway_ssl_key=/path/to/automationgateway.key

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
Copy to Clipboard Toggle word wrap

Use this example to populate the inventory file to deploy single instances of platform gateway, automation controller, automation hub, and Event-Driven Ansible controller with an external (installer managed) database.

Important
  • This scenario requires a minimum of automation controller 2.4 for successful deployment of Event-Driven Ansible controller.
  • Event-Driven Ansible controller must be installed on a separate server and cannot be installed on the same host as automation hub and automation controller.
  • When an Event-Driven Ansible rulebook is activated under standard conditions, it uses approximately 250 MB of memory. However, the actual memory consumption can vary significantly based on the complexity of the rules and the volume and size of the events processed. In scenarios where a large number of events are anticipated or the rulebook complexity is high, conduct a preliminary assessment of resource usage in a staging environment. This ensures that the maximum number of activations is based on the resource capacity. 
[automationcontroller]
controller.example.com

[automationhub]
automationhub.example.com

[automationedacontroller]
automationedacontroller.example.com

[automationgateway]
gateway.example.com

[database]
data.example.com

[all:vars]
admin_password='<password>'
redis_mode=standalone
pg_host='data.example.com'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Automation hub configuration

automationhub_admin_password= <PASSWORD>

automationhub_pg_host='data.example.com'
automationhub_pg_port=5432

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# Automation Event-Driven Ansible controller configuration

automationedacontroller_admin_password='<eda-password>'

automationedacontroller_pg_host='data.example.com'
automationedacontroller_pg_port=5432

automationedacontroller_pg_database='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='<password>'

# Keystore file to install in SSO node
# sso_custom_keystore_file='/path/to/sso.jks'

# This install will deploy SSO with sso_use_https=True
# Keystore password is required for https enabled SSO
sso_keystore_password=''

# This install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

# Automation Gateway configuration
automationgateway_admin_password=''

automationgateway_pg_host=''
automationgateway_pg_port=5432

automationgateway_pg_database='automationgateway'
automationgateway_pg_username='automationgateway'
automationgateway_pg_password=''
automationgateway_pg_sslmode='prefer'

# The main automation gateway URL that clients will connect to (e.g. https://<load balancer host>).
# If not specified, the first node in the [automationgateway] group will be used when needed.
# automationgateway_main_url = ''

# Certificate and key to install in Automation Gateway
# automationgateway_ssl_cert=/path/to/automationgateway.cert
# automationgateway_ssl_key=/path/to/automationgateway.key

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

# Boolean flag used to verify Automation Controller's
# web certificates when making calls from Automation Event-Driven Ansible controller.
# automationedacontroller_controller_verify_ssl = true
#
# Certificate and key to install in Automation Event-Driven Ansible controller node
# automationedacontroller_ssl_cert=/path/to/automationeda.crt
# automationedacontroller_ssl_key=/path/to/automationeda.key
Copy to Clipboard Toggle word wrap

Additional resources

For more information about these inventory variables, see Ansible automation hub variables in the Red Hat Ansible Automation Platform Installation Guide.

3.3.1.4. High availability automation hub
Copy link

Configure inventory files to deploy high availability automation hub with clustered nodes, database hosts, and load balancing for enterprise-scale automation.

Use the following examples to populate the inventory file to install a highly available automation hub. This inventory file includes a highly available automation hub with a clustered setup.

You can configure your HA deployment further to enable a high availability deployment of automation hub on SELinux.

Specify database host IP

  • Specify the IP address for your database host, using the automation_pg_host and automation_pg_port inventory variables. For example: 
automationhub_pg_host='192.0.2.10'
automationhub_pg_port=5432
Copy to Clipboard Toggle word wrap
  • Also specify the IP address for your database host in the [database] section, using the value in the automationhub_pg_host inventory variable: 
[database]
192.0.2.10
Copy to Clipboard Toggle word wrap

List all instances in a clustered setup

  • If installing a clustered setup, replace localhost ansible_connection=local in the [automationhub] section with the hostname or IP of all instances. For example: 
[automationhub]
automationhub1.testing.ansible.com ansible_user=cloud-user
automationhub2.testing.ansible.com ansible_user=cloud-user
automationhub3.testing.ansible.com ansible_user=cloud-user
Copy to Clipboard Toggle word wrap

Next steps

Check that the following directives are present in /etc/pulp/settings.py in each of the private automation hub servers: 

USE_X_FORWARDED_PORT = True
USE_X_FORWARDED_HOST = True
Copy to Clipboard Toggle word wrap
Note

If you are using a load balancer, configure automationgateway_main_url to point to your load balancer. If automationgateway_main_url is not specified, the first node in the [automationgateway] group will be used as default.

You can configure the inventory file to enable high availability deployment of automation hub on SELinux. You must create two mount points for /var/lib/pulp and /var/lib/pulp/pulpcore_static, and then assign the appropriate SELinux contexts to each mount point.

Note

You must add the context for /var/lib/pulp pulpcore_static and run the Ansible Automation Platform installer before adding the context for /var/lib/pulp.

Prerequisites

  • You have already configured a NFS export on your server.

    Note

    The NFS share is hosted on an external server and is not a part of high availability automation hub deployment.

Procedure

  1. Create a mount point at /var/lib/pulp: 

    $ mkdir /var/lib/pulp/
    Copy to Clipboard Toggle word wrap

  2. Open /etc/fstab using a text editor, then add the following values: 

    srv_rhel8:/data /var/lib/pulp nfs defaults,_netdev,nosharecache,context="system_u:object_r:var_lib_t:s0" 0 0
srv_rhel8:/data/pulpcore_static /var/lib/pulp/pulpcore_static nfs defaults,_netdev,nosharecache,context="system_u:object_r:httpd_sys_content_rw_t:s0" 0 0
    Copy to Clipboard Toggle word wrap

  3. Run the reload systemd manager configuration command: 

    $ systemctl daemon-reload
    Copy to Clipboard Toggle word wrap

  4. Run the mount command for /var/lib/pulp: 

    $ mount /var/lib/pulp
    Copy to Clipboard Toggle word wrap

  5. Create a mount point at /var/lib/pulp/pulpcore_static: 

    $ mkdir /var/lib/pulp/pulpcore_static
    Copy to Clipboard Toggle word wrap

  6. Run the mount command: 

    $ mount -a
    Copy to Clipboard Toggle word wrap

  7. With the mount points set up, run the Ansible Automation Platform installer: 

    $ setup.sh -- -b --become-user root
    Copy to Clipboard Toggle word wrap
  8. After the installation is complete, unmount the /var/lib/pulp/ mount point.

Next steps

  1. Apply the appropriate SELinux context.
  2. Configure the pulpcore.serivce.
3.3.1.5.1. Configuring pulpcore.service
Copy link

After you have configured the inventory file and applied the SELinux context, configure the pulp service. This ensures that automation hub services start only after starting the network and mounting the remote mount points.

Procedure

  1. With the two mount points set up, shut down the Pulp service to configure pulpcore.service: 

    $ systemctl stop pulpcore.service
    Copy to Clipboard Toggle word wrap

  2. Edit pulpcore.service using systemctl: 

    $ systemctl edit pulpcore.service
    Copy to Clipboard Toggle word wrap

  3. Add the following entry to pulpcore.service to ensure that automation hub services starts only after starting the network and mounting the remote mount points: 

    [Unit]
After=network.target var-lib-pulp.mount
    Copy to Clipboard Toggle word wrap

  4. Enable remote-fs.target: 

    $ systemctl enable remote-fs.target
    Copy to Clipboard Toggle word wrap

  5. Reboot the system: 

    $ systemctl reboot
    Copy to Clipboard Toggle word wrap

Troubleshooting

A bug in the pulpcore SELinux policies can cause the token authentication public/private keys in etc/pulp/certs/ to not have the proper SELinux labels, causing the pulp process to fail. When this occurs, run the following command to temporarily attach the proper labels: 

$ chcon system_u:object_r:pulpcore_etc_t:s0 /etc/pulp/certs/token_{private,public}_key.pem
Copy to Clipboard Toggle word wrap

Repeat this command to reattach the proper SELinux labels whenever you relabel your system.

3.3.1.5.2. Applying the SELinux context
Copy link

Apply the correct SELinux context to the Pulp directories to ensure proper file access permissions and security policy compliance.

After you have configured the inventory file, you must now apply the context to enable the high availability (HA) deployment of automation hub on SELinux.

Procedure

  1. Shut down the Pulp service: 

    $ systemctl stop pulpcore.service
    Copy to Clipboard Toggle word wrap

  2. Unmount /var/lib/pulp/pulpcore_static: 

    $ umount /var/lib/pulp/pulpcore_static
    Copy to Clipboard Toggle word wrap

  3. Unmount /var/lib/pulp/: 

    $ umount /var/lib/pulp/
    Copy to Clipboard Toggle word wrap

  4. Open /etc/fstab using a text editor, then replace the existing value for /var/lib/pulp with the following: 

    srv_rhel8:/data /var/lib/pulp nfs defaults,_netdev,nosharecache,context="system_u:object_r:pulpcore_var_lib_t:s0" 0 0
    Copy to Clipboard Toggle word wrap

  5. Run the mount command: 

    $ mount -a
    Copy to Clipboard Toggle word wrap

To successfully sign and publish Ansible Certified Content Collections, you must configure private automation hub for signing.

Prerequisites

  • Your GnuPG key pairs have been securely set up and managed by your organization.
  • Your public-private key pair has proper access for configuring content signing on private automation hub.

Procedure

  1. Create a signing script that accepts only a filename.

    Note

    This script acts as the signing service and must generate an ascii-armored detached gpg signature for that file using the key specified through the PULP_SIGNING_KEY_FINGERPRINT environment variable.

    The script prints out a JSON structure with the following format. 

    {"file": "filename", "signature": "filename.asc"}
    Copy to Clipboard Toggle word wrap

    All the file names are relative paths inside the current working directory. The file name must remain the same for the detached signature.

    Example: The following script produces signatures for content: 

    #!/usr/bin/env bash

FILE_PATH=$1
SIGNATURE_PATH="$1.asc"

ADMIN_ID="$PULP_SIGNING_KEY_FINGERPRINT"
PASSWORD="password"

# Create a detached signature
gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
   $PASSWORD --homedir ~/.gnupg/ --detach-sign --default-key $ADMIN_ID \
   --armor --output $SIGNATURE_PATH $FILE_PATH

# Check the exit status
STATUS=$?
if [ $STATUS -eq 0 ]; then
   echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
else
   exit $STATUS
fi
    Copy to Clipboard Toggle word wrap

    After you deploy a private automation hub with signing enabled to your Ansible Automation Platform cluster, new UI additions are displayed in collections.

  2. Review the Ansible Automation Platform installer inventory file for options that begin with automationhub_*. 

    [all:vars]
.
.
.
automationhub_create_default_collection_signing_service = True
automationhub_auto_sign_collections = True
automationhub_require_content_approval = True
automationhub_collection_signing_service_key = /abs/path/to/galaxy_signing_service.gpg
automationhub_collection_signing_service_script = /abs/path/to/collection_signing.sh
    Copy to Clipboard Toggle word wrap

    The two new keys (automationhub_auto_sign_collections and automationhub_require_content_approval) indicate that the collections must be signed and approved after they are uploaded to private automation hub.

When using redhat.insights_eda or similar plugins to run rulebook activations in Event-Driven Ansible controller, you must add a safe plugin variable to a directory in Ansible Automation Platform. This ensures connection between Event-Driven Ansible controller and the source plugin, and displays port mappings correctly.

Procedure

  1. Create a directory for the safe plugin variable: mkdir -p ./group_vars/automationedacontroller
  2. Create a file within that directory for your new setting (for example, touch ./group_vars/automationedacontroller/custom.yml)

  3. Add the variable automationedacontroller_additional_settings to extend the default settings.yaml template for Event-Driven Ansible controller and add the SAFE_PLUGINS field with a list of plugins to enable. For example: 

    automationedacontroller_additional_settings:
   SAFE_PLUGINS:
     - ansible.eda.webhook
     - ansible.eda.alertmanager
    Copy to Clipboard Toggle word wrap
    Note

    You can also extend the automationedacontroller_additional_settings variable beyond SAFE_PLUGINS in the Django configuration file /etc/ansible-automation-platform/eda/settings.yaml.

When using the registry_username and registry_password variables for an online non-bundled installation, you need to create a new registry service account.

Registry service accounts are named tokens that you can use in environments where you share credentials, such as deployment systems.

Procedure

  1. Go to https://access.redhat.com/terms-based-registry/accounts.
  2. On the Registry Service Accounts page click New Service Account.
  3. Enter a name for the account using only the allowed characters.
  4. Optionally enter a description for the account.
  5. Click Create.
  6. Find the created account in the list by searching for your name in the search field.
  7. Click the name of the account that you created.

  8. Alternatively, if you know the name of your token, you can go directly to the page by entering the URL: 

    https://access.redhat.com/terms-based-registry/token/<name-of-your-token>
    Copy to Clipboard Toggle word wrap

  9. A token page opens, displaying a generated username (different from the account name) and a token.

    1. If no token is displayed, click Regenerate Token. You can also click this to generate a new username and token.
  10. Copy the username (for example "1234567|testuser") and use it to set the variable registry_username.
  11. Copy the token and use it to set the variable registry_password.
3.3.2.1. Configuring Redis
Copy link

Ansible Automation Platform offers a centralized Redis instance in both standalone and clustered topologies.

In RPM deployments, the Redis mode is set to cluster by default. You can change this setting in the inventory file [all:vars] section as in the following example: 

[all:vars]
admin_password='<password>'
pg_host='data.example.com'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

redis_mode=cluster
Copy to Clipboard Toggle word wrap

For more information about Redis, see Caching and queueing system in Planning your installation.

After you update the inventory file with required parameters, run the installation program setup script.

RPM installer

Procedure

  • Run the setup.sh script 

    $ sudo ./setup.sh
    Copy to Clipboard Toggle word wrap
    Note

    If you are running the setup as a non-root user with sudo privileges, you can use the following command: 

    $ ANSIBLE_BECOME_METHOD='sudo'
ANSIBLE_BECOME=True ./setup.sh
    Copy to Clipboard Toggle word wrap

    Installation of Red Hat Ansible Automation Platform will begin.

Additional resources

Upon a successful login, your installation of Red Hat Ansible Automation Platform is complete.

Important

If the installation fails and you are a customer who has purchased a valid license for Red Hat Ansible Automation Platform, contact Ansible through the Red Hat Customer portal.

Back up an existing Ansible Automation Platform instance by running the .setup.sh script with the backup_dest flag. This saves the content and configuration of your current environment.

Use the compression flags use_archive_compression and use_db_compression to compress the backup artifacts before they are sent to the host running the backup operation.

Procedure

  1. Navigate to your Ansible Automation Platform installation directory.

  2. Run the ./setup.sh script following the example below: 

    $ ./setup.sh -e 'backup_dest=/ansible/mybackup' -e
'use_archive_compression=true' 'use_db_compression=true @credentials.yml -b
    Copy to Clipboard Toggle word wrap

    Where:

    • backup_dest: Specifies a directory to save your backup to.

    • use_archive_compression=true and use_db_compression=true: Compresses the backup artifacts before they are sent to the host running the backup operation.

      You can use the following variables to customize the compression:

      • For global control of compression for filesystem related backup files: use_archive_compression=true

      • For component-level control of compression for filesystem related backup files: <componentName>_use_archive_compression

        For example:

        • automationgateway_use_archive_compression=true
        • automationcontroller_use_archive_compression=true
        • automationhub_use_archive_compression=true
        • automationedacontroller_use_archive_compression=true
      • For global control of compression for database related backup files: use_db_compression=true

      • For component-level control of compression for database related backup files: <componentName>_use_db_compression=true

        For example:

        • automationgateway_use_db_compression=true
        • automationcontroller_use_db_compression=true
        • automationhub_use_db_compression=true
        • automationedacontroller_use_db_compression=true

Result

After a successful backup, a backup file is created at /ansible/mybackup/automation-platform-backup-<date/time>.tar.gz.

Before you first log in, you must add your subscription information to the platform. To add a subscription to Ansible Automation Platform, see Obtaining a manifest file in the Access management and authentication guide.

You can set up multi-node deployments for components across Ansible Automation Platform. Whether you require horizontal scaling for Automation Execution, Automation Decisions, or automation mesh, you can scale your deployments based on your organization’s needs.

With Event-Driven Ansible controller, you can set up horizontal scaling for your events automation. This multi-node deployment enables you to define as many nodes as you prefer during the installation process. You can also increase or decrease the number of nodes at any time according to your organizational needs.

The following node types are used in this deployment:

API node type
Responds to the HTTP REST API of Event-Driven Ansible controller.
Worker node type
Runs an Event-Driven Ansible worker, which is the component of Event-Driven Ansible that not only manages projects and activations, but also executes the activations themselves.
Hybrid node type
Is a combination of the API node and the worker node.

The following example shows how you can set up an inventory file for horizontal scaling of Event-Driven Ansible controller on Red Hat Enterprise Linux VMs using the host group name [automationedacontroller] and the node type variable eda_node_type: 

[automationedacontroller]

3.88.116.111 routable_hostname=automationedacontroller-api.example.com eda_node_type=api

# worker node
3.88.116.112 routable_hostname=automationedacontroller-api.example.com eda_node_type=worker
Copy to Clipboard Toggle word wrap

4.1.1. Sizing and scaling guidelines
Copy link

API nodes process user requests (interactions with the UI or API) while worker nodes process the activations and other background tasks required for Event-Driven Ansible to function properly. The number of API nodes you require correlates to the required number of users of the application and the number of worker nodes correlates to the required number of activations you want to run.

Since activations are variable and controlled by worker nodes, the supported approach for scaling is to use separate API and worker nodes instead of hybrid nodes due to the efficient allocation of hardware resources by worker nodes. By separating the nodes, you can scale each type independently based on specific needs, leading to better resource utilization and cost efficiency.

An example of an instance in which you might consider scaling up your node deployment is when you want to deploy Event-Driven Ansible for a small group of users who will run a large number of activations. In this case, one API node is adequate, but if you require more, you can scale up to three additional worker nodes.

To scale up (add more nodes) or scale down (remove nodes), you must update the content of the inventory file to add or remove nodes and rerun the installation program.

Procedure

  1. Update the inventory to add two more worker nodes: 

    [automationedacontroller]

3.88.116.111 routable_hostname=automationedacontroller-api.example.com eda_node_type=api

3.88.116.112 routable_hostname=automationedacontroller-api.example.com eda_node_type=worker

# two more worker nodes
3.88.116.113 routable_hostname=automationedacontroller-api.example.com eda_node_type=worker

3.88.116.114 routable_hostname=automationedacontroller-api.example.com eda_node_type=worker
    Copy to Clipboard Toggle word wrap
  2. Re-run the installer.

Chapter 5. Disconnected installation
Copy link

If you are not connected to the internet or do not have access to online repositories, you can install Red Hat Ansible Automation Platform without an active internet connection.

5.1. Prerequisites
Copy link

Before installing Ansible Automation Platform on a disconnected network, you must meet the following prerequisites:

  • A subscription manifest that you can upload to the platform.

For more information, see Obtaining a manifest file.

  • The Ansible Automation Platform setup bundle at Customer Portal is downloaded.
  • The DNS records for the automation controller and private automation hub servers are created.

You can install Ansible Automation Platform without an internet connection by using the installer-managed database located on the automation controller. The setup bundle is recommended for disconnected installation because it includes additional components that make installing Ansible Automation Platform easier in a disconnected environment. These include the Ansible Automation Platform Red Hat package managers (RPMs) and the default execution environment (EE) images.

Ensure that your system has all the hardware requirements before performing a disconnected installation of Ansible Automation Platform. You can find these in system requirements.

5.2.2. RPM Source
Copy link

RPM dependencies for Ansible Automation Platform that come from the BaseOS and AppStream repositories are not included in the setup bundle. To add these dependencies, you must first obtain access to BaseOS and AppStream repositories. Use Satellite to sync repositories and add dependencies. If you prefer an alternative tool, you can choose between the following options:

  • Reposync
  • The RHEL Binary DVD
Note

The RHEL Binary DVD method requires the DVD for supported versions of RHEL. See Red Hat Enterprise Linux Life Cycle for information on which versions of RHEL are currently supported.

5.3. Synchronizing RPM repositories using reposync
Copy link

To perform a reposync you need a Red Hat Enterprise Linux host that has access to the internet. After the repositories are synced, you can move the repositories to the disconnected network hosted from a web server.

When downloading RPM, ensure you use the applicable distro.

Procedure

  1. Attach the BaseOS and AppStream required repositories: 

    # subscription-manager repos \
    --enable rhel-9-for-x86_64-baseos-rpms \
    --enable rhel-9-for-x86_64-appstream-rpms
    Copy to Clipboard Toggle word wrap

  2. Perform the reposync: 

    # dnf install yum-utils
# reposync -m --download-metadata --gpgcheck \
    -p /path/to/download
    Copy to Clipboard Toggle word wrap

    1. Use reposync with --download-metadata and without --newest-only. See RHEL 8 Reposync.

      • If you are not using --newest-only, the repos downloaded may take an extended amount of time to sync due to the large number of GB.
      • If you are using --newest-only, the repos downloaded may take an extended amount of time to sync due to the large number of GB.

    After the reposync is completed, your repositories are ready to use with a web server.

  3. Move the repositories to your disconnected network.

If you do not have an existing web server to host your repositories, you can create one with your synced repositories. This web server will host the repositories for your disconnected environment.

Procedure

  1. Install prerequisites: 

    $ sudo dnf install httpd
    Copy to Clipboard Toggle word wrap

  2. Configure httpd to serve the repo directory: 

    /etc/httpd/conf.d/repository.conf

DocumentRoot '/path/to/repos'

<LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /.noindex.html
</LocationMatch>

<Directory '/path/to/repos'>
    Options All Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
    Copy to Clipboard Toggle word wrap

  3. Ensure that the directory is readable by an apache user: 

    $ sudo chown -R apache /path/to/repos
    Copy to Clipboard Toggle word wrap

  4. Configure SELinux: 

    $ sudo semanage fcontext -a -t httpd_sys_content_t "/path/to/repos(/.*)?"
$ sudo restorecon -ir /path/to/repos
    Copy to Clipboard Toggle word wrap

  5. Enable httpd: 

    $ sudo systemctl enable --now httpd.service
    Copy to Clipboard Toggle word wrap

  6. Open firewall: 

    $ sudo firewall-cmd --zone=public --add-service=http –add-service=https --permanent
$ sudo firewall-cmd --reload
    Copy to Clipboard Toggle word wrap

  7. On automation services, add a repo file at /etc/yum.repos.d/local.repo, and add the optional repos if needed: 

    [Local-BaseOS]
name=Local BaseOS
baseurl=http://<webserver_fqdn>/rhel-8-for-x86_64-baseos-rpms
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[Local-AppStream]
name=Local AppStream
baseurl=http://<webserver_fqdn>/rhel-8-for-x86_64-appstream-rpms
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    Copy to Clipboard Toggle word wrap

In disconnected or air-gapped environments, you can install Ansible Automation Platform by using packages from a locally mounted RHEL DVD or ISO image. Learn how to mount the media and configure yum repositories to access BaseOS and AppStream packages for offline installation.

If you plan to access the repositories from the RHEL binary DVD, you must first set up a local repository.

Procedure

  1. Mount DVD or ISO:

    1. DVD 

      # mkdir /media/rheldvd && mount /dev/sr0 /media/rheldvd
      Copy to Clipboard Toggle word wrap

    2. ISO 

      # mkdir /media/rheldvd && mount -o loop rhrhel-8.6-x86_64-dvd.iso /media/rheldvd
      Copy to Clipboard Toggle word wrap

  2. Create yum repo file at /etc/yum.repos.d/dvd.repo 

    [dvd-BaseOS]
name=DVD for RHEL - BaseOS
baseurl=file:///media/rheldvd/BaseOS
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

[dvd-AppStream]
name=DVD for RHEL - AppStream
baseurl=file:///media/rheldvd/AppStream
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
    Copy to Clipboard Toggle word wrap

  3. Import the gpg key: 

    # rpm --import /media/rheldvd/RPM-GPG-KEY-redhat-release
    Copy to Clipboard Toggle word wrap
    Note

    If the key is not imported you will see an error similar to 

    # Curl error (6): Couldn't resolve host name for
https://www.redhat.com/security/data/fd431d51.txt [Could not resolve host:
www.redhat.com]
    Copy to Clipboard Toggle word wrap

Choose the setup bundle to download Ansible Automation Platform for disconnected installations. This bundle includes the RPM content for Ansible Automation Platform and the default execution environment images that will be uploaded to your private automation hub during the installation process.

Procedure

  1. Download the Ansible Automation Platform setup bundle package by navigating to the Red Hat Ansible Automation Platform download page and clicking Download Now for the Ansible Automation Platform 2.6 Setup Bundle.

  2. On control node, untar the bundle: 

    $ tar xvf \
   ansible-automation-platform-setup-bundle-2.6-1.tar.gz
$ cd ansible-automation-platform-setup-bundle-2.6-1
    Copy to Clipboard Toggle word wrap
  3. Edit the inventory file to include variables based on your host names and desired password values.

5.7. Completing post installation tasks
Copy link

After you have completed the installation of Ansible Automation Platform, ensure that automation hub and automation controller deploy properly.

Before your first login, you must add your subscription information to the platform. To obtain your subscription information in uploadable form, see Obtaining a manifest file.

Once you have obtained your subscription manifest, see Getting started with Ansible Automation Platform for instructions on how to upload your subscription information.

Now that you have successfully installed Ansible Automation Platform, to begin using its features, see the following guides for your next steps:

Getting started with Ansible Automation Platform.

Managing automation content.

Creating and using execution environments.

Resolve common installation issues and errors that can occur when installing RPM-based Ansible Automation Platform. Learn how to generate diagnostic logs to identify problems.

6.1. Gathering Ansible Automation Platform logs
Copy link

With the sos utility, you can collect configuration, diagnostic, and troubleshooting data, and give those files to Red Hat Technical Support.

An sos report is a common starting point for Red Hat technical support engineers when performing analysis of a service request for the Ansible Automation Platform.

As part of the troubleshooting with Red Hat Support, you can collect the sos report for each node in your RPM-based installation of Ansible Automation Platform using the installation inventory and the installation program.

Procedure

  1. Access the installation program folder with the inventory file and run the installation program setup script the following command:

    $ ./setup.sh -s

    With this command, you can connect to each node present in the inventory, install the sos tool, and generate new logs.

    Note

    If you are running the setup as a non-root user with sudo privileges, you can use the following command: 

    $ ANSIBLE_BECOME_METHOD='sudo'
ANSIBLE_BECOME=True ./setup.sh -s
    Copy to Clipboard Toggle word wrap

  2. Optional: If required, change the location of the sos report files.

    The sos report files are copied to the /tmp folder for the current server. To change the location, specify the new location by using the following command: 

    $ ./setup.sh -e 'target_sos_directory=/path/to/files' -s
    Copy to Clipboard Toggle word wrap

    Where target_sos_directory=/path/to/files is used to specify the destination directory where the sos report will be saved. In this case, the sos report is stored in the directory /path/to/files.

  3. Gather the files described on the playbook output and share with the support engineer or directly upload the sos report to Red Hat.

    To create an sos report with additional information or directly upload the data to Red Hat, use the following command: 

    $ ./setup.sh -e 'case_number=0000000' -e 'clean=true' -e 'upload=true' -s
    Copy to Clipboard Toggle word wrap
    Expand
    Table 6.1. Parameter Reference Table
    ParameterDescriptionDefault value

    case_number

    Specifies the support case number that you want.

    -

    clean

    Obfuscates sensitive data that might be present on the sos report.

    false

    upload

    Automatically uploads the sos report data to Red Hat.

    false

    To learn more about the sos report tool, see: What is an SOS report and how to create one in Red Hat Enterprise Linux?

Appendix A. Inventory file variables
Copy link

The following tables contain information about the variables used in Ansible Automation Platform’s installation inventory files. The tables include the variables that you can use for RPM-based installation and container-based installation.

A.1. Ansible variables
Copy link

The following variables control how Ansible Automation Platform interacts with remote hosts.

Expand
Table A.1. Ansible variables
VariableDescription

ansible_connection

The connection plugin used for the task on the target host. This can be the name of any Ansible connection plugin.

SSH protocol types are smart, ssh, or paramiko. You can also use local to run tasks on the control node itself.

Default = smart

ansible_host

The IP address or name of the target host to use instead of inventory_hostname.

ansible_password

The password to authenticate to the host.

Do not store this variable in plain text. Always use a vault.

ansible_port

The connection port number.

The default for SSH is 22.

ansible_scp_extra_args

This setting is always appended to the default scp command line.

ansible_sftp_extra_args

This setting is always appended to the default sftp command line.

ansible_shell_executable

This sets the shell that the Ansible controller uses on the target machine and overrides the executable in ansible.cfg which defaults to /bin/sh.

ansible_shell_type

The shell type of the target system.

Do not use this setting unless you have set the ansible_shell_executable to a non-Bourne (sh) compatible shell. By default commands are formatted using sh-style syntax. Setting this to csh or fish causes commands executed on target systems to follow the syntax of those shells instead.

ansible_ssh_common_args

This setting is always appended to the default command line for sftp, scp, and ssh. Useful to configure a ProxyCommand for a certain host or group.

ansible_ssh_executable

This setting overrides the default behavior to use the system ssh. This can override the ssh_executable setting in ansible.cfg.

ansible_ssh_extra_args

This setting is always appended to the default ssh command line.

ansible_ssh_pipelining

Determines if SSH pipelining is used.

This can override the pipelining setting in ansible.cfg. If using SSH key-based authentication, the key must be managed by an SSH agent.

ansible_ssh_private_key_file

Private key file used by SSH.

Useful if using multiple keys and you do not want to use an SSH agent.

ansible_user

The user name to use when connecting to the host.

Do not change this variable unless /bin/sh is not installed on the target machine or cannot be run from sudo.

inventory_hostname

This variable takes the hostname of the machine from the inventory script or the Ansible configuration file. You cannot set the value of this variable. Because the value is taken from the configuration file, the actual runtime hostname value can vary from what is returned by this variable.

A.2. Automation hub variables
Copy link

Inventory file variables for automation hub.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

automationhub_admin_password

hub_admin_password

Automation hub administrator password. Use of special characters for this variable is limited. The password can include any printable ASCII character except /, , or @.

Required

 

automationhub_api_token

 

Set the existing token for the installation program. For example, a regenerated token in the automation hub UI will invalidate an existing token. Use this variable to set that token in the installation program the next time you run the installation program.

Optional

 

automationhub_auto_sign_collections

hub_collection_auto_sign

If a collection signing service is enabled, collections are not signed automatically by default. Set this variable to true to sign collections by default.

Optional

false

automationhub_backup_collections

 

Ansible automation hub provides artifacts in /var/lib/pulp. These artifacts are automatically backed up by default. Set this variable to false to prevent backup or restore of /var/lib/pulp.

Optional

true

automationhub_client_max_body_size

hub_nginx_client_max_body_size

Maximum allowed size for data sent to automation hub through NGINX.

Optional

20m

automationhub_collection_download_count

 

Denote whether or not the collection download count should be displayed in the UI.

Optional

false

automationhub_collection_seed_repository

 

Controls the type of content to upload when hub_seed_collections is set to true. Valid options include: certified, validated

Optional

Both certified and validated are enabled by default.

automationhub_collection_signing_service_key

hub_collection_signing_key

Path to the collection signing key file.

Required if a collection signing service is enabled.

 

automationhub_container_repair_media_type

 

Denote whether or not to run the command pulpcore-manager container-repair-media-type. Valid options include: true, false, auto

Optional

auto

automationhub_container_signing_service_key

hub_container_signing_key

Path to the container signing key file.

Required if a container signing service is enabled.

 

automationhub_create_default_collection_signing_service

hub_collection_signing

Set this variable to true to enable a collection signing service.

Optional

false

automationhub_create_default_container_signing_service

hub_container_signing

Set this variable to true to enable a container signing service.

Optional

false

 

hub_data_path_exclude

automation hub backup path to exclude.

Optional

[]

automationhub_disable_hsts

hub_nginx_disable_hsts

Controls whether HTTP Strict Transport Security (HSTS) is enabled or disabled for automation hub. Set this variable to true to disable HSTS.

Optional

false

automationhub_disable_https

hub_nginx_disable_https

Controls whether HTTPS is enabled or disabled for automation hub. Set this variable to true to disable HTTPS.

Optional

false

automationhub_enable_api_access_log

 

Controls whether logging is enabled or disabled at /var/log/galaxy_api_access.log. The file logs all user actions made to the platform, including username and IP address. Set this variable to true to enable this logging.

Optional

false

automationhub_enable_unauthenticated_collection_access

 

Controls whether read-only access is enabled or disabled for unauthorized users viewing collections or namespaces for automation hub. Set this variable to true to enable read-only access.

Optional

false

automationhub_enable_unauthenticated_collection_download

 

Controls whether or not unauthorized users can download read-only collections from automation hub. Set this variable to true to enable download of read-only collections.

Optional

false

automationhub_firewalld_zone

hub_firewall_zone

The firewall zone where automation hub related firewall rules are applied. This controls which networks can access automation hub based on the zone’s trust level.

Optional

RPM = no default set. Container = public.

automationhub_force_change_admin_password

 

Denote whether or not to require the change of the default administrator password for automation hub during installation. Set to true to require the user to change the default administrator password during installation.

Optional

false

automationhub_importer_settings

hub_galaxy_importer

Dictionary of settings to pass to the galaxy-importer.cfg configuration file. These settings control how the galaxy-importer service processes and validates Ansible content. Example values include: ansible-doc, ansible-lint, and flake8.

Optional

 

automationhub_nginx_tls_files_remote

 

Denote whether the web certificate sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in automationhub_tls_files_remote.

automationhub_pg_cert_auth

hub_pg_cert_auth

Controls whether client certificate authentication is enabled or disabled on the automation hub PostgreSQL database. Set this variable to true to enable client certificate authentication.

Optional

false

automationhub_pg_database

hub_pg_database

Name of the PostgreSQL database used by automation hub.

Optional

RPM = automationhub. Container = pulp

automationhub_pg_host

hub_pg_host

Hostname of the PostgreSQL database used by automation hub.

Required

RPM = 127.0.0.1. Container = no default.

automationhub_pg_password

hub_pg_password

Password for the automation hub PostgreSQL database user. Use of special characters for this variable is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

Optional

 

automationhub_pg_port

hub_pg_port

Port number for the PostgreSQL database used by automation hub.

Optional

5432

automationhub_pg_sslmode

hub_pg_sslmode

Controls the SSL/TLS mode to use when automation hub connects to the PostgreSQL database. Valid options include verify-full, verify-ca, require, prefer, allow, disable.

Optional

prefer

automationhub_pg_username

hub_pg_username

Username for the automation hub PostgreSQL database user.

Optional

RPM = automationhub. Container = pulp.

automationhub_pgclient_sslcert

hub_pg_tls_cert

Path to the PostgreSQL SSL/TLS certificate file for automation hub.

Required if using client certificate authentication.

 

automationhub_pgclient_sslkey

hub_pg_tls_key

Path to the PostgreSQL SSL/TLS key file for automation hub.

Required if using client certificate authentication.

 

automationhub_pgclient_tls_files_remote

 

Denote whether the PostgreSQL client certificate sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in automationhub_tls_files_remote.

automationhub_require_content_approval

 

Controls whether content signing is enabled or disabled for automation hub. By default when you upload collections to automation hub, an administrator must approve it before they are made available to users. To disable the content approval flow, set the variable to false.

Optional

true

automationhub_restore_signing_keys

 

Controls whether or not existing signing keys should be restored from a backup. Set to false to disable restoration of existing signing keys.

Optional

true

automationhub_seed_collections

hub_seed_collections

Controls whether or not pre-loading of collections is enabled. When you run the bundle installer, validated content is uploaded to the validated repository, and certified content is uploaded to the rh-certified repository. By default, certified content and validated content are both uploaded. If you do not want to pre-load content, set this variable to false. For the RPM-based installer, if you only want one type of content, set this variable to true and set the automationhub_collection_seed_repository variable to the type of content you want to include.

Optional

true

automationhub_ssl_cert

hub_tls_cert

Path to the SSL/TLS certificate file for automation hub.

Optional

 

automationhub_ssl_key

hub_tls_key

Path to the SSL/TLS key file for automation hub.

Optional

 

automationhub_tls_files_remote

hub_tls_remote

Denote whether the automation hub provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

automationhub_use_archive_compression

hub_use_archive_compression

Controls whether archive compression is enabled or disabled for automation hub. You can control this functionality globally by using use_archive_compression.

Optional

true

automationhub_use_db_compression

hub_use_db_compression

Controls whether database compression is enabled or disabled for automation hub. You can control this functionality globally by using use_db_compression.

Optional

true

automationhub_user_headers

hub_nginx_user_headers

List of additional NGINX headers to add to automation hub’s NGINX configuration.

Optional

[]

ee_from_hub_only

 

Controls whether automation hub is the only registry for execution environment images. If set to true, automation hub is the exclusive registry. If set to false, images are also pulled directly from Red Hat.

Optional

true when using the bundle installer, otherwise false.

generate_automationhub_token

 

Controls whether or not a token is generated for automation hub during installation. By default, a token is automatically generated during a fresh installation. If set to true, a token is regenerated during installation.

Optional

false

 

hub_extra_settings

Defines additional settings for use by automation hub during installation.

For example: 

hub_extra_settings:
  - setting: REDIRECT_IS_HTTPS
    value: True
Copy to Clipboard Toggle word wrap

Optional

[]

nginx_hsts_max_age

hub_nginx_hsts_max_age

Maximum duration (in seconds) that HTTP Strict Transport Security (HSTS) is enforced for automation hub.

Optional

63072000

pulp_secret

hub_secret_key

Secret key value used by automation hub to sign and encrypt data.

Optional

 
 

hub_azure_account_key

Azure blob storage account key.

Required if using an Azure blob storage backend.

 
 

hub_azure_account_name

Account name associated with the Azure blob storage.

Required when using an Azure blob storage backend.

 
 

hub_azure_container

Name of the Azure blob storage container.

Optional

pulp

 

hub_azure_extra_settings

Defines extra parameters for the Azure blob storage backend. For more information about the list of parameters, see django-storages documentation - Azure Storage.

Optional

{}

 

hub_collection_signing_pass

Password for the automation content collection signing service.

Required if the collection signing service is protected by a passphrase.

 
 

hub_collection_signing_service

Service for signing collections.

Optional

ansible-default

 

hub_container_signing_pass

Password for the automation content container signing service.

Required if the container signing service is protected by a passphrase.

 
 

hub_container_signing_service

Service for signing containers.

Optional

container-default

 

hub_nginx_http_port

Port number that automation hub listens on for HTTP requests.

Optional

8081

 

hub_nginx_https_port

Port number that automation hub listens on for HTTPS requests.

Optional

8444

nginx_tls_protocols

hub_nginx_https_protocols

Protocols that automation hub will support when handling HTTPS traffic.

Optional

[TLSv1.2, TLSv1.3]

 

hub_pg_socket

UNIX socket used by automation hub to connect to the PostgreSQL database.

Optional

 
 

hub_s3_access_key

AWS S3 access key.

Required if using an AWS S3 storage backend.

 
 

hub_s3_bucket_name

Name of the AWS S3 storage bucket.

Optional

pulp

 

hub_s3_extra_settings

Used to define extra parameters for the AWS S3 storage backend. For more information about the list of parameters, see django-storages documentation - Amazon S3.

Optional

{}

 

hub_s3_secret_key

AWS S3 secret key.

Required if using an AWS S3 storage backend.

 
 

hub_shared_data_mount_opts

Mount options for the Network File System (NFS) share.

Optional

rw,sync,hard

 

hub_shared_data_path

Path to the Network File System (NFS) share with read, write, and execute (RWX) access. The value must match the format host:dir, for example nfs-server.example.com:/exports/hub.

Required if installing more than one instance of automation hub with a file storage backend. When installing a single instance of automation hub, it is optional.

 
 

hub_storage_backend

Automation hub storage backend type. Possible values include: azure, file, s3.

Optional

file

 

hub_workers

Number of automation hub workers.

Optional

2

A.3. Automation controller variables
Copy link

Inventory file variables for automation controller.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

admin_email

controller_admin_email

Email address used by Django for the admin user for automation controller.

Optional

admin@example.com

admin_password

controller_admin_password

Automation controller administrator password. Use of special characters for this variable is limited. The password can include any printable ASCII character except /, , or @.

Required

 

admin_username

controller_admin_user

Username used to identify and create the administrator user in automation controller.

Optional

admin

automationcontroller_client_max_body_size

controller_nginx_client_max_body_size

Maximum allowed size for data sent to automation controller through NGINX.

Optional

5m

automationcontroller_use_archive_compression

controller_use_archive_compression

Controls whether archive compression is enabled or disabled for automation controller. You can control this functionality globally by using use_archive_compression.

Optional

true

automationcontroller_use_db_compression

controller_use_db_compression

Controls whether database compression is enabled or disabled for automation controller. You can control this functionality globally by using use_db_compression.

Optional

true

awx_pg_cert_auth

controller_pg_cert_auth

Controls whether client certificate authentication is enabled or disabled on the automation controller PostgreSQL database. Set this variable to true to enable client certificate authentication.

Optional

false

controller_firewalld_zone

controller_firewall_zone

The firewall zone where automation controller related firewall rules are applied. This controls which networks can access automation controller based on the zone’s trust level.

Optional

public

controller_nginx_tls_files_remote

 

Denote whether the web certificate sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in controller_tls_files_remote.

controller_pgclient_tls_files_remote

 

Denote whether the PostgreSQL client certificate sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in controller_tls_files_remote.

controller_tls_files_remote

controller_tls_remote

Denote whether the automation controller provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

nginx_disable_hsts

controller_nginx_disable_hsts

Controls whether HTTP Strict Transport Security (HSTS) is enabled or disabled for automation controller. Set this variable to true to disable HSTS.

Optional

false

nginx_disable_https

controller_nginx_disable_https

Controls whether HTTPS is enabled or disabled for automation controller. Set this variable to true to disable HTTPS.

Optional

false

nginx_hsts_max_age

controller_nginx_hsts_max_age

Maximum duration (in seconds) that HTTP Strict Transport Security (HSTS) is enforced for automation controller.

Optional

63072000

nginx_http_port

controller_nginx_http_port

Port number that automation controller listens on for HTTP requests.

Optional

RPM = 80. Container = 8080

nginx_https_port

controller_nginx_https_port

Port number that automation controller listens on for HTTPS requests.

Optional

RPM = 443. Container = 8443

nginx_tls_protocols

controller_nginx_https_protocols

Protocols that automation controller supports when handling HTTPS traffic.

Optional

[TLSv1.2, TLSv1.3]

nginx_user_headers

controller_nginx_user_headers

List of additional NGINX headers to add to automation controller’s NGINX configuration.

Optional

[]

 

controller_create_preload_data

Controls whether or not to create preloaded content during installation.

Optional

true

node_state

 

The status of a node or group of nodes. Valid options include active, deprovision to remove a node from a cluster, or iso_migrate to migrate a legacy isolated node to an execution node.

Optional

active

node_type

See receptor_type for the container equivalent variable.

For the [automationcontroller] group the two options are:

  • node_type=control - The node only runs project and inventory updates, but not regular jobs.
  • node_type=hybrid - The node runs everything.

For the [execution_nodes] group the two options are:

  • node_type=hop - The node forwards jobs to an execution node.
  • node_type=execution - The node can run jobs.

Optional

For [automationcontroller] = hybrid, for [execution_nodes] = execution

peers

See receptor_peers for the container equivalent variable.

Used to indicate which nodes a specific host or group connects to. Wherever this variable is defined, an outbound connection to the specific host or group is established. This variable can be a comma-separated list of hosts and groups from the inventory. This is resolved into a set of hosts that is used to construct the receptor.conf file.

Optional

 

pg_database

controller_pg_database

Name of the PostgreSQL database used by automation controller.

Optional

awx

pg_host

controller_pg_host

Hostname of the PostgreSQL database used by automation controller.

Required

 

pg_password

controller_pg_password

Password for the automation controller PostgreSQL database user. Use of special characters for this variable is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

Required if not using client certificate authentication.

 

pg_port

controller_pg_port

Port number for the PostgreSQL database used by automation controller.

Optional

5432

pg_sslmode

controller_pg_sslmode

Controls the SSL/TLS mode to use when automation controller connects to the PostgreSQL database. Valid options include verify-full, verify-ca, require, prefer, allow, disable.

Optional

prefer

pg_username

controller_pg_username

Username for the automation controller PostgreSQL database user.

Optional

awx

pgclient_sslcert

controller_pg_tls_cert

Path to the PostgreSQL SSL/TLS certificate file for automation controller.

Required if using client certificate authentication.

 

pgclient_sslkey

controller_pg_tls_key

Path to the PostgreSQL SSL/TLS key file for automation controller.

Required if using client certificate authentication.

 

precreate_partition_hours

 

Number of hours worth of events table partitions to pre-create before starting a backup to avoid pg_dump locks.

Optional

3

uwsgi_listen_queue_size

controller_uwsgi_listen_queue_size

Number of requests uwsgi allows in the queue on automation controller until uwsgi_processes can serve them.

Optional

2048

web_server_ssl_cert

controller_tls_cert

Path to the SSL/TLS certificate file for automation controller.

Optional

 

web_server_ssl_key

controller_tls_key

Path to the SSL/TLS key file for automation controller.

Optional

 
 

controller_event_workers

Number of event workers that handle job-related events inside automation controller.

Optional

4

 

controller_extra_settings

Defines additional settings for use by automation controller during installation.

For example: 

controller_extra_settings:
  - setting: USE_X_FORWARDED_HOST
    value: true
Copy to Clipboard Toggle word wrap

Optional

[]

 

controller_license_file

Path to the automation controller license file.

  
 

controller_percent_memory_capacity

Memory allocation for automation controller.

Optional

1.0 (allocates 100% of the total system memory to automation controller)

 

controller_pg_socket

UNIX socket used by automation controller to connect to the PostgreSQL database.

Optional

 
 

controller_secret_key

Secret key value used by automation controller to sign and encrypt data.

Optional

 

A.4. Database variables
Copy link

Inventory file variables for the database used with Ansible Automation Platform.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

install_pg_port

postgresql_port

Port number for the PostgreSQL database.

Optional

5432

postgres_extra_settings

postgresql_extra_settings

Defines additional settings for use by PostgreSQL.

Example usage for RPM: 

postgresql_extra_settings:
   ssl_ciphers: 'HIGH:!aNULL:!MD5'
Copy to Clipboard Toggle word wrap

Example usage for containerized: 

postgresql_extra_settings:
  - setting: ssl_ciphers
    value: 'HIGH:!aNULL:!MD5'
Copy to Clipboard Toggle word wrap

Optional

 

postgres_firewalld_zone

postgresql_firewall_zone

The firewall zone where PostgreSQL related firewall rules are applied. This controls which networks can access PostgreSQL based on the zone’s trust level.

Optional

RPM = no default set. Container = public.

postgres_max_connections

postgresql_max_connections

Maximum number of concurrent connections to the database if you are using an installer-managed database. For more information see PostgreSQL database configuration and maintenance for automation controller.

Optional

1024

postgres_ssl_cert

postgresql_tls_cert

Path to the PostgreSQL SSL/TLS certificate file.

Optional

 

postgres_ssl_key

postgresql_tls_key

Path to the PostgreSQL SSL/TLS key file.

Optional

 

postgres_use_ssl

postgresql_disable_tls

Controls whether SSL/TLS is enabled or disabled for the PostgreSQL database.

Optional

false

 

postgresql_admin_database

Database name used for connections to the PostgreSQL database server.

Optional

postgres

 

postgresql_admin_password

Password for the PostgreSQL admin user. When used, the installation program creates each component’s database and credentials.

Required if using postgresql_admin_username.

 
 

postgresql_admin_username

Username for the PostgreSQL admin user. When used, the installation program creates each component’s database and credentials.

Optional

postgres

 

postgresql_effective_cache_size

Memory allocation available (in MB) for caching data.

Optional

 
 

postgresql_keep_databases

Controls whether or not to keep databases during uninstall. This variable applies to databases managed by the installation program only, and not external (customer-managed) databases. Set to true to keep databases during uninstall.

Optional

false

 

postgresql_log_destination

Destination for server log output.

Optional

/dev/stderr

 

postgresql_password_encryption

The algorithm for encrypting passwords.

Optional

scram-sha-256

 

postgresql_shared_buffers

Memory allocation (in MB) for shared memory buffers.

Optional

 
 

postgresql_tls_remote

Denote whether the PostgreSQL provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

 

postgresql_use_archive_compression

Controls whether archive compression is enabled or disabled for PostgreSQL. You can control this functionality globally by using use_archive_compression.

Optional

true

A.5. Event-Driven Ansible controller variables
Copy link

Inventory file variables for Event-Driven Ansible controller.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

automationedacontroller_activation_workers

eda_activation_workers

Number of workers used for ansible-rulebook activation pods in Event-Driven Ansible.

Optional

RPM = (# of cores or threads) * 2 + 1. Container = 2

automationedacontroller_admin_email

eda_admin_email

Email address used by Django for the admin user for Event-Driven Ansible.

Optional

admin@example.com

automationedacontroller_admin_password

eda_admin_password

Event-Driven Ansible administrator password. Use of special characters for this variable is limited. The password can include any printable ASCII character except /, , or @.

Required

 

automationedacontroller_admin_username

eda_admin_user

Username used to identify and create the administrator user in Event-Driven Ansible.

Optional

admin

automationedacontroller_backend_gunicorn_workers

 

Number of workers for handling the API served through Gunicorn on worker nodes.

Optional

2

automationedacontroller_cache_tls_files_remote

 

Denote whether the cache cert sources are local to the installation program (false) or on the remote component server (true).

Optional

false

automationedacontroller_client_regen_cert

 

Controls whether or not to regenerate Event-Driven Ansible client certificates for the platform cache. Set to true to regenerate Event-Driven Ansible client certificates.

Optional

false

automationedacontroller_default_workers

eda_workers

Number of workers used in Event-Driven Ansible for application work.

Optional

Number of cores or threads

automationedacontroller_disable_hsts

eda_nginx_disable_hsts

Controls whether HTTP Strict Transport Security (HSTS) is enabled or disabled for Event-Driven Ansible. Set this variable to true to disable HSTS.

Optional

false

automationedacontroller_disable_https

eda_nginx_disable_https

Controls whether HTTPS is enabled or disabled for Event-Driven Ansible. Set this variable to true to disable HTTPS.

Optional

false

automationedacontroller_event_stream_mtls

eda_event_stream_mtls

Controls whether event stream mutual TLS (mTLS) authentication is enabled or disabled for Event-Driven Ansible. Set this variable to false to disable mTLS authentication.

Optional

true

automationedacontroller_event_stream_mtls_path

eda_event_stream_mtls_prefix_path

The prefix path for the event stream mTLS URLs.

Optional

/mtls/eda-event-streams

automationedacontroller_event_stream_path

eda_event_stream_prefix_path

API prefix path used for Event-Driven Ansible event-stream through platform gateway.

Optional

/eda-event-streams

automationedacontroller_firewalld_zone

eda_firewall_zone

The firewall zone where Event-Driven Ansible related firewall rules are applied. This controls which networks can access Event-Driven Ansible based on the zone’s trust level.

Optional

RPM = no default set. Container = public.

automationedacontroller_gunicorn_event_stream_workers

 

Number of workers for handling event streaming for Event-Driven Ansible.

Optional

2

automationedacontroller_gunicorn_workers

eda_gunicorn_workers

Number of workers for handling the API served through Gunicorn.

Optional

(Number of cores or threads) * 2 + 1

automationedacontroller_http_port

eda_nginx_http_port

Port number that Event-Driven Ansible listens on for HTTP requests.

Optional

RPM = 80. Container = 8082.

automationedacontroller_https_port

eda_nginx_https_port

Port number that Event-Driven Ansible listens on for HTTPS requests.

Optional

RPM = 443. Container = 8445.

automationedacontroller_nginx_tls_files_remote

 

Denote whether the web cert sources are local to the installation program (false) or on the remote component server (true).

Optional

false

automationedacontroller_pg_cert_auth

eda_pg_cert_auth

Controls whether client certificate authentication is enabled or disabled on the Event-Driven Ansible PostgreSQL database. Set this variable to true to enable client certificate authentication.

Optional

false

automationedacontroller_pg_database

eda_pg_database

Name of the PostgreSQL database used by Event-Driven Ansible.

Optional

RPM = automationedacontroller. Container = eda.

automationedacontroller_pg_host

eda_pg_host

Hostname of the PostgreSQL database used by Event-Driven Ansible.

Required

 

automationedacontroller_pg_password

eda_pg_password

Password for the Event-Driven Ansible PostgreSQL database user. Use of special characters for this variable is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

Required if not using client certificate authentication.

 

automationedacontroller_pg_port

eda_pg_port

Port number for the PostgreSQL database used by Event-Driven Ansible.

Optional

5432

automationedacontroller_pg_sslmode

eda_pg_sslmode

Determines the level of encryption and authentication for client server connections. Valid options include verify-full, verify-ca, require, prefer, allow, disable.

Optional

prefer

automationedacontroller_pg_username

eda_pg_username

Username for the Event-Driven Ansible PostgreSQL database user.

Optional

RPM = automationedacontroller. Container = eda.

automationedacontroller_pgclient_sslcert

eda_pg_tls_cert

Path to the PostgreSQL SSL/TLS certificate file for Event-Driven Ansible.

Required if using client certificate authentication.

 

automationedacontroller_pgclient_sslkey

eda_pg_tls_key

Path to the PostgreSQL SSL/TLS key file for Event-Driven Ansible.

Required if using client certificate authentication.

 

automationedacontroller_pgclient_tls_files_remote

 

Denote whether the PostgreSQL client cert sources are local to the installation program (false) or on the remote component server (true).

Optional

false

automationedacontroller_public_event_stream_url

eda_event_stream_url

URL for connecting to the event stream. The URL must start with the http:// or https:// prefix

Optional

 

automationedacontroller_redis_host

eda_redis_host

Hostname of the Redis host used by Event-Driven Ansible.

Optional

First node in the [automationgateway] inventory group

automationedacontroller_redis_password

eda_redis_password

Password for Event-Driven Ansible Redis.

Optional

Randomly generated string

automationedacontroller_redis_port

eda_redis_port

Port number for the Redis host for Event-Driven Ansible.

Optional

RPM = The value defined in platform gateway’s implementation (automationgateway_redis_port). Container = 6379

automationedacontroller_redis_username

eda_redis_username

Username for Event-Driven Ansible Redis.

Optional

eda

automationedacontroller_secret_key

eda_secret_key

Secret key value used by Event-Driven Ansible to sign and encrypt data.

Optional

 

automationedacontroller_ssl_cert

eda_tls_cert

Path to the SSL/TLS certificate file for Event-Driven Ansible.

Optional

 

automationedacontroller_ssl_key

eda_tls_key

Path to the SSL/TLS key file for Event-Driven Ansible.

Optional

 

automationedacontroller_tls_files_remote

eda_tls_remote

Denote whether the Event-Driven Ansible provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

automationedacontroller_trusted_origins

 

List of host addresses in the form: <scheme>//:<address>:<port> for trusted Cross-Site Request Forgery (CSRF) origins.

Optional

[]

automationedacontroller_use_archive_compression

eda_use_archive_compression

Controls whether archive compression is enabled or disabled for Event-Driven Ansible. You can control this functionality globally by using use_archive_compression.

Optional

true

automationedacontroller_use_db_compression

eda_use_db_compression

Controls whether database compression is enabled or disabled for Event-Driven Ansible. You can control this functionality globally by using use_db_compression.

Optional

true

automationedacontroller_user_headers

eda_nginx_user_headers

List of additional NGINX headers to add to Event-Driven Ansible’s NGINX configuration.

Optional

[]

automationedacontroller_websocket_ssl_verify

 

Controls whether or not to perform SSL verification for the Daphne WebSocket used by Podman to communicate from the pod to the host. Set to false to disable SSL verification.

Optional

true

eda_node_type

eda_type

Event-Driven Ansible node type. Valid options include api, event-stream, hybrid, worker.

Optional

hybrid

 

eda_debug

Controls whether debug mode is enabled or disabled for Event-Driven Ansible. Set to true to enable debug mode for Event-Driven Ansible.

Optional

false

 

eda_extra_settings

Defines additional settings for use by Event-Driven Ansible during installation.

For example: 

eda_extra_settings:
  - setting: RULEBOOK_READINESS_TIMEOUT_SECONDS
    value: 120
Copy to Clipboard Toggle word wrap

Optional

[]

 

eda_nginx_client_max_body_size

Maximum allowed size for data sent to Event-Driven Ansible through NGINX.

Optional

1m

 

eda_nginx_hsts_max_age

Maximum duration (in seconds) that HTTP Strict Transport Security (HSTS) is enforced for Event-Driven Ansible.

Optional

63072000

nginx_tls_protocols

eda_nginx_https_protocols

Protocols that Event-Driven Ansible supports when handling HTTPS traffic.

Optional

[TLSv1.2, TLSv1.3]

 

eda_pg_socket

UNIX socket used by Event-Driven Ansible to connect to the PostgreSQL database.

Optional

 

redis_disable_tls

eda_redis_disable_tls

Controls whether TLS is enabled or disabled for Event-Driven Ansible Redis. Set this variable to true to disable TLS.

Optional

false

 

eda_redis_tls_cert

Path to the Event-Driven Ansible Redis certificate file.

Optional

 
 

eda_redis_tls_key

Path to the Event-Driven Ansible Redis key file.

Optional

 
 

eda_safe_plugins

List of plugins that are allowed to run within Event-Driven Ansible.

For more information, see Adding a safe plugin variable to Event-Driven Ansible controller.

Optional

[]

A.6. General variables
Copy link

General inventory file variables for Ansible Automation Platform.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

aap_ca_cert_file

ca_tls_cert

Path to the user provided CA certificate file used to generate SSL/TLS certificates for all Ansible Automation Platform services. For more information, see Optional: Using custom TLS certificates.

Optional

 

aap_ca_cert_files_remote

ca_tls_remote

Denote whether the CA certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

aap_ca_cert_size

 

Bit size of the internally managed CA certificate private key.

Optional

4096

aap_ca_key_file

ca_tls_key

Path to the key file for the CA certificate provided in aap_ca_cert_file (RPM) and ca_tls_cert (Container). For more information, see Optional: Using custom TLS certificates.

Optional

 

aap_ca_passphrase_cipher

 

Cipher used for signing the internally managed CA certificate private key.

Optional

aes256

aap_ca_regenerate

 

Denotes whether or not to regenerate the internally managed CA certificate key pair.

Optional

false

aap_service_cert_size

 

Bit size of the component key pair managed by the internal CA.

Optional

4096

aap_service_regen_cert

 

Denotes whether or not to regenerate the component key pair managed by the internal CA.

Optional

false

aap_service_san_records

 

A list of additional SAN records for signing a service. Assign these to components in the inventory file as host variables rather than group or all variables. All strings must also contain their corresponding SAN option prefix such as DNS: or IP:.

Optional

[]

backup_dest

 

Directory local to setup.sh for the final backup file.

Optional

The value defined in setup_dir.

backup_dir

backup_dir

Directory used to store backup files.

Optional

RPM = /var/backups/automation-platform/. Container = ~/backups

backup_file_prefix

 

Prefix used for the file backup name for the final backup file.

Optional

automation-platform-backup

bundle_install

bundle_install

Controls whether or not to perform an offline or bundled installation. Set this variable to true to enable an offline or bundled installation.

Optional

false if using the setup installation program. true if using the setup bundle installation program.

bundle_install_folder

bundle_dir

Path to the bundle directory used when performing a bundle install.

Required if bundle_install=true

RPM = /var/lib/ansible-automation-platform-bundle. Container = <current_dir>/bundle.

custom_ca_cert

custom_ca_cert

Path to the custom CA certificate file. This is required if any of the TLS certificates you manually provided are signed by a custom CA. For more information, see Optional: Using custom TLS certificates.

Optional

 

enable_insights_collection

 

The default install registers the node to the Red Hat Insights for Red Hat Ansible Automation Platform for the Red Hat Ansible Automation Platform Service if the node is registered with Subscription Manager. Set to false to disable this functionality.

Optional

true

registry_password

registry_password

Password credential for access to the registry source defined in registry_url. For more information, see Setting registry_username and registry_password.

RPM = Required if you need a password to access registry_url. Container = Required for online installations if registry_auth=true. Not required for disconnected installations.

 

registry_url

registry_url

URL of the registry source from which to pull execution environment images.

Optional

registry.redhat.io

registry_username

registry_username

Username credential for access to the registry source defined in registry_url. For more information, see Setting registry_username and registry_password.

RPM = Required if you need a password to access registry_url. Container = Required for online installations if registry_auth=true. Not required for disconnected installations.

 

registry_verify_ssl

registry_tls_verify

Controls whether SSL/TLS certificate verification is enabled or disabled when making HTTPS requests.

Optional

true

restore_backup_file

 

Path to the tar file used for the platform restore.

Optional

{{ setup_dir }}/automation-platform-backup-latest.tar.gz

restore_file_prefix

 

Path prefix for the staged restore components.

Optional

automation-platform-restore

routable_hostname

routable_hostname

Used if the machine running the installation program can only route to the target host through a specific URL. For example, if you use short names in your inventory, but the node running the installation program can only resolve that host by using a FQDN. If routable_hostname is not set, it defaults to ansible_host. If you do not set ansible_host, inventory_hostname is used as a last resort. This variable is used as a host variable for particular hosts and not under the [all:vars] section.

Optional

 

use_archive_compression

use_archive_compression

Controls at a global level whether the filesystem-related backup files are compressed before being sent to the host to run the backup operation. If set to true, a tar.gz file is generated on each Ansible Automation Platform host and then gzip compression is used. If set to false, a simple tar file is generated.

You can control this functionality at a component level by using the <component_name>_use_archive_compression variables.

Optional

true

use_db_compression

use_db_compression

Controls at a global level whether the database-related backup files are compressed before being sent to the host to run the backup operation.

You can control this functionality at a component level by using the <component_name>_use_db_compression variables.

Optional

true

 

ca_tls_key_passphrase

Passphrase used to decrypt the key provided in ca_tls_key.

Optional

 
 

client_request_timeout

Sets the HTTP timeout for end-user requests. The minimum value is 10 seconds.

Optional

30

 

container_compress

Compression software to use for compressing container images.

Optional

gzip

 

container_keep_images

Controls whether or not to keep container images when uninstalling Ansible Automation Platform. Set to true to keep container images when uninstalling Ansible Automation Platform.

Optional

false

 

container_pull_images

Controls whether or not to pull newer container images during installation. Set to false to prevent pulling newer container images during installation.

Optional

true

 

images_tmp_dir

The directory where the installation program temporarily stores container images during installation.

Optional

The system’s temporary directory.

 

pcp_firewall_zone

The firewall zone where Performance Co-Pilot related firewall rules are applied. This controls which networks can access Performance Co-Pilot based on the zone’s trust level.

Optional

public

 

pcp_use_archive_compression

Controls whether archive compression is enabled or disabled for Performance Co-Pilot. You can control this functionality globally by using use_archive_compression.

Optional

true

 

registry_auth

Controls whether to use registry authentication. When set to true, registry_username and registry_password are required. Not applicable for disconnected (bundled) installations.

Optional

true

 

registry_ns_aap

Ansible Automation Platform registry namespace.

Optional

ansible-automation-platform-26

 

registry_ns_rhel

RHEL registry namespace.

Optional

rhel8

A.7. Image variables
Copy link

Inventory file variables for images.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

extra_images

 

Additional container images to pull from the configured container registry during deployment.

Optional

ansible-builder-rhel8

 

controller_image

Container image for automation controller.

Optional

controller-rhel9:latest

 

de_extra_images

Additional decision environment container images to pull from the configured container registry during deployment.

Optional

[]

 

de_supported_image

Supported decision environment container image.

Optional

de-supported-rhel9:latest

 

eda_image

Backend container image for Event-Driven Ansible.

Optional

eda-controller-rhel9:latest

 

eda_web_image

Front-end container image for Event-Driven Ansible.

Optional

eda-controller-ui-rhel9:latest

 

ee_extra_images

Additional execution environment container images to pull from the configured container registry during deployment.

Optional

[]

 

ee_minimal_image

Minimal execution environment container image.

Optional

ee-minimal-rhel9:latest

 

ee_supported_image

Supported execution environment container image.

Optional

ee-supported-rhel9:latest

 

gateway_image

Container image for platform gateway.

Optional

gateway-rhel9:latest

 

gateway_proxy_image

Container image for platform gateway proxy.

Optional

gateway-proxy-rhel9:latest

 

hub_image

Backend container image for automation hub.

Optional

hub-rhel9:latest

 

hub_web_image

Front-end container image for automation hub.

Optional

hub-web-rhel9:latest

 

pcp_image

Container image for Performance Co-Pilot.

Optional

pcp:latest

 

postgresql_image

Container image for PostgreSQL.

Optional

postgresql-15:latest

 

receptor_image

Container image for receptor.

Optional

receptor-rhel9:latest

 

redis_image

Container image for Redis.

Optional

redis-6:latest

A.8. Platform gateway variables
Copy link

Inventory file variables for platform gateway.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

automationgateway_admin_email

gateway_admin_email

Email address used by Django for the admin user for platform gateway.

Optional

admin@example.com

automationgateway_admin_password

gateway_admin_password

Platform gateway administrator password. Use of special characters for this variable is limited. The password can include any printable ASCII character except /, , or @.

Required

 

automationgateway_admin_username

gateway_admin_user

Username used to identify and create the administrator user in platform gateway.

Optional

admin

automationgateway_cache_cert

gateway_redis_tls_cert

Path to the platform gateway Redis certificate file.

Optional

 

automationgateway_cache_key

gateway_redis_tls_key

Path to the platform gateway Redis key file.

Optional

 

automationgateway_cache_tls_files_remote

 

Denote whether the cache client certificate files are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in automationgateway_tls_files_remote which defaults to false.

automationgateway_client_regen_cert

 

Controls whether or not to regenerate platform gateway client certificates for the platform cache. Set to true to regenerate platform gateway client certificates.

Optional

false

automationgateway_control_plane_port

gateway_control_plane_port

Port number for the platform gateway control plane.

Optional

50051

automationgateway_disable_hsts

gateway_nginx_disable_hsts

Controls whether HTTP Strict Transport Security (HSTS) is enabled or disabled for platform gateway. Set this variable to true to disable HSTS.

Optional

false

automationgateway_disable_https

gateway_nginx_disable_https

Controls whether HTTPS is enabled or disabled for platform gateway. Set this variable to true to disable HTTPS.

Optional

RPM = The value defined in disable_https which defaults to false. Container = false.

automationgateway_firewalld_zone

gateway_proxy_firewall_zone

The firewall zone where platform gateway related firewall rules are applied. This controls which networks can access platform gateway based on the zone’s trust level.

Optional

RPM = no default set. Container = 'public'.

automationgateway_grpc_auth_service_timeout

gateway_grpc_auth_service_timeout

Timeout duration (in seconds) for requests made to the gRPC service on platform gateway.

Optional

30s

automationgateway_grpc_server_max_threads_per_process

gateway_grpc_server_max_threads_per_process

Maximum number of threads that each gRPC server process can create to handle requests on platform gateway.

Optional

10

automationgateway_grpc_server_processes

gateway_grpc_server_processes

Number of processes for handling gRPC requests on platform gateway.

Optional

5

automationgateway_http_port

gateway_nginx_http_port

Port number that platform gateway listens on for HTTP requests.

Optional

RPM = 8080. Container = 8083.

automationgateway_https_port

gateway_nginx_https_port

Port number that platform gateway listens on for HTTPS requests.

Optional

RPM = 8443. Container = 8446.

automationgateway_main_url

gateway_main_url

URL of the main instance of platform gateway that clients connect to. Use if you are performing a clustered deployment and you need to use the URL of the load balancer instead of the component’s server. The URL must start with http:// or https:// prefix.

Optional

 

automationgateway_nginx_tls_files_remote

 

Denote whether the web cert sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in automationgateway_tls_files_remote which defaults to false.

automationgateway_pg_cert_auth

gateway_pg_cert_auth

Controls whether client certificate authentication is enabled or disabled on the platform gateway PostgreSQL database. Set this variable to true to enable client certificate authentication.

Optional

false

automationgateway_pg_database

gateway_pg_database

Name of the PostgreSQL database used by platform gateway.

Optional

RPM = automationgateway. Container = gateway.

automationgateway_pg_host

gateway_pg_host

Hostname of the PostgreSQL database used by platform gateway.

Required

 

automationgateway_pg_password

gateway_pg_password

Password for the platform gateway PostgreSQL database user. Use of special characters for this variable is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

Optional

 

automationgateway_pg_port

gateway_pg_port

Port number for the PostgreSQL database used by platform gateway.

Optional

5432

automationgateway_pg_sslmode

gateway_pg_sslmode

Controls the SSL mode to use when platform gateway connects to the PostgreSQL database. Valid options include verify-full, verify-ca, require, prefer, allow, disable.

Optional

prefer

automationgateway_pg_username

gateway_pg_username

Username for the platform gateway PostgreSQL database user.

Optional

RPM = automationgateway. Container = gateway

automationgateway_pgclient_sslcert

gateway_pg_tls_cert

Path to the PostgreSQL SSL/TLS certificate file for platform gateway.

Required if using client certificate authentication.

 

automationgateway_pgclient_sslkey

gateway_pg_tls_key

Path to the PostgreSQL SSL/TLS key file for platform gateway.

Required if using client certificate authentication.

 

automationgateway_pgclient_tls_files_remote

 

Denote whether the PostgreSQL client cert sources are local to the installation program (false) or on the remote component server (true).

Optional

The value defined in automationgateway_tls_files_remote which defaults to false.

automationgateway_redis_host

gateway_redis_host

Hostname of the Redis host used by platform gateway.

Optional

First node in the [automationgateway] inventory group.

automationgateway_redis_password

gateway_redis_password

Password for platform gateway Redis.

Optional

Randomly generated string.

automationgateway_redis_username

gateway_redis_username

Username for platform gateway Redis.

Optional

gateway

automationgateway_secret_key

gateway_secret_key

Secret key value used by platform gateway to sign and encrypt data.

Optional

 

automationgateway_ssl_cert

gateway_tls_cert

Path to the SSL/TLS certificate file for platform gateway.

Optional

 

automationgateway_ssl_key

gateway_tls_key

Path to the SSL/TLS key file for platform gateway.

Optional

 

automationgateway_tls_files_remote

gateway_tls_remote

Denote whether the platform gateway provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

automationgateway_uwsgi_processes

gateway_uwsgi_processes

The number of uwsgi processes for the platform gateway container. The value is calculated based on the number of available vCPUs (virtual CPUs).

Optional

The number of vCPUs multiplied by two, plus one.

automationgateway_use_archive_compression

gateway_use_archive_compression

Controls whether archive compression is enabled or disabled for platform gateway. You can control this functionality globally by using use_archive_compression.

Optional

true

automationgateway_use_db_compression

gateway_use_db_compression

Controls whether database compression is enabled or disabled for platform gateway. You can control this functionality globally by using use_db_compression.

Optional

true

automationgateway_user_headers

gateway_nginx_user_headers

List of additional NGINX headers to add to platform gateway’s NGINX configuration.

Optional

[]

automationgateway_verify_ssl

 

Denotes whether or not to verify platform gateway’s web certificates when making calls from platform gateway to itself during installation. Set to false to disable web certificate verification.

Optional

true

automationgatewayproxy_disable_https

envoy_disable_https

Controls whether or not HTTPS is disabled when accessing the platform UI. Set to true to disable HTTPS (HTTP is used instead).

Optional

RPM = The value defined in disable_https which defaults to false. Container = false.

automationgatewayproxy_http_port

envoy_http_port

Port number on which the Envoy proxy listens for incoming HTTP connections.

Optional

80

automationgatewayproxy_https_port

envoy_https_port

Port number on which the Envoy proxy listens for incoming HTTPS connections.

Optional

443

nginx_tls_protocols

gateway_nginx_https_protocols

Protocols that platform gateway will support when handling HTTPS traffic.

Optional

[TLSv1.2, TLSv1.3]

redis_disable_tls

gateway_redis_disable_tls

Controls whether TLS is enabled or disabled for platform gateway Redis. Set this variable to true to disable TLS.

Optional

false

redis_port

gateway_redis_port

Port number for the Redis host for platform gateway.

Optional

6379

 

gateway_extra_settings

Defines additional settings for use by platform gateway during installation.

For example: 

gateway_extra_settings:
  - setting: OAUTH2_PROVIDER['ACCESS_TOKEN_EXPIRE_SECONDS']
    value: 600
Copy to Clipboard Toggle word wrap

Optional

[]

 

gateway_nginx_client_max_body_size

Maximum allowed size for data sent to platform gateway through NGINX.

Optional

5m

 

gateway_nginx_hsts_max_age

Maximum duration (in seconds) that HTTP Strict Transport Security (HSTS) is enforced for platform gateway.

Optional

63072000

 

gateway_uwsgi_listen_queue_size

Number of requests uwsgi will allow in the queue on platform gateway until uwsgi_processes can serve them.

Optional

4096

A.9. Receptor variables
Copy link

Inventory file variables for Receptor.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

receptor_datadir

 

The directory where receptor stores its runtime data and local artifacts. The target directory must be accessible to awx users. If the target directory is a temporary file system tmpfs, ensure it is remounted correctly after a reboot. Failure to do so results in the receptor no longer having a working directory.

Optional

/tmp/receptor

receptor_listener_port

receptor_port

Port number that receptor listens on for incoming connections from other receptor nodes.

Optional

27199

receptor_listener_protocol

receptor_protocol

Protocol that receptor will support when handling traffic.

Optional

tcp

receptor_log_level

receptor_log_level

Controls the verbosity of logging for receptor. Valid options include: error, warning, info, or debug.

Optional

info

receptor_tls

 

Controls whether TLS is enabled or disabled for receptor. Set this variable to false to disable TLS.

Optional

true

See node_type for the RPM equivalent variable.

receptor_type

For the [automationcontroller] group the two options are:

  • receptor_type=control - The node only runs project and inventory updates, but not regular jobs.
  • receptor_type=hybrid - The node runs everything.

For the [execution_nodes] group the two options are:

  • receptor_type=hop - The node forwards jobs to an execution node.
  • receptor_type=execution - The node can run jobs.

Optional

For the [automationcontroller] group: hybrid. For the [execution_nodes] group: execution.

See peers for the RPM equivalent variable

receptor_peers

Used to indicate which nodes a specific host connects to. Wherever this variable is defined, an outbound connection to the specific host is established. The value must be a comma-separated list of hostnames. Do not use inventory group names.

This is resolved into a set of hosts that is used to construct the receptor.conf file.

Optional

[]

 

receptor_disable_signing

Controls whether signing of communications between receptor nodes is enabled or disabled. Set this variable to true to disable communication signing.

Optional

false

 

receptor_disable_tls

Controls whether TLS is enabled or disabled for receptor. Set this variable to true to disable TLS.

Optional

false

 

receptor_firewall_zone

The firewall zone where receptor related firewall rules are applied. This controls which networks can access receptor based on the zone’s trust level.

Optional

public

 

receptor_mintls13

Controls whether or not receptor only accepts connections that use TLS 1.3 or higher. Set to true to only accept connections that use TLS 1.3 or higher.

Optional

false

 

receptor_signing_private_key

Path to the private key used by receptor to sign communications with other receptor nodes in the network.

Optional

 
 

receptor_signing_public_key

Path to the public key used by receptor to sign communications with other receptor nodes in the network.

Optional

 
 

receptor_signing_remote

Denote whether the receptor signing files are local to the installation program (false) or on the remote component server (true).

Optional

false

 

receptor_tls_cert

Path to the TLS certificate file for receptor.

Optional

 
 

receptor_tls_key

Path to the TLS key file for receptor.

Optional

 
 

receptor_tls_remote

Denote whether the receptor provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

 

receptor_use_archive_compression

Controls whether archive compression is enabled or disabled for receptor. You can control this functionality globally by using use_archive_compression.

Optional

true

A.10. Redis variables
Copy link

Inventory file variables for Redis.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

redis_cluster_ip

redis_cluster_ip

The IPv4 address used by the Redis cluster to identify each host in the cluster. When defining hosts in the [redis] group, use this variable to identify the IPv4 address if the default is not what you want. Specific to container: Redis clusters cannot use hostnames or IPv6 addresses.

Optional

RPM = Discovered IPv4 address from Ansible facts. If IPv4 address is not available, IPv6 address is used. Container = Discovered IPv4 address from Ansible facts.

redis_disable_mtls

 

Controls whether mTLS is enabled or disabled for Redis. Set this variable to true to disable mTLS.

Optional

false

redis_firewalld_zone

redis_firewall_zone

The firewall zone where Redis related firewall rules are applied. This controls which networks can access Redis based on the zone’s trust level.

Optional

RPM = no default set. Container = public.

redis_hostname

 

Hostname used by the Redis cluster when identifying and routing the host. By default routable_hostname is used.

Optional

The value defined in routable_hostname

redis_mode

redis_mode

The Redis mode to use for your Ansible Automation Platform installation. Valid options include: standalone and cluster. For more information about Redis, see Caching and queueing system in Planning your installation.

Optional

cluster

redis_server_regen_cert

 

Denotes whether or not to regenerate the Ansible Automation Platform managed TLS key pair for Redis.

Optional

false

redis_tls_cert

redis_tls_cert

Path to the Redis server TLS certificate.

Optional

 

redis_tls_files_remote

redis_tls_remote

Denote whether the Redis provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

redis_tls_key

redis_tls_key

Path to the Redis server TLS certificate key.

Optional

 
 

redis_use_archive_compression

Controls whether archive compression is enabled or disabled for Redis. You can control this functionality globally by using use_archive_compression.

Optional

true

A.11. Red Hat Ansible Lightspeed variables
Copy link

Configure Red Hat Ansible Lightspeed by setting inventory file variables during installation. Use this reference to determine which variables to set for your deployment requirements.

A.11.1. Red Hat Ansible Lightspeed variables
Copy link

Inventory file variables for Red Hat Ansible Lightspeed.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

N/A

lightspeed_admin_password

Red Hat Ansible Lightspeed administrator password. Use of special characters for this variable is limited. The password can include any printable ASCII character except /, ", or @.

Required

 

N/A

lightspeed_admin_user

Username used to identify and create the Red Hat Ansible Lightspeed admin user.

Optional

admin

N/A

lightspeed_chat_rate_throttle

Chat rate throttle.

Optional

10/minute

N/A

lightspeed_nginx_client_max_body_size

Maximum allowed size for data sent to Red Hat Ansible Lightspeed through NGINX.

Optional

5m

N/A

lightspeed_nginx_disable_hsts

Controls whether HTTP Strict Transport Security (HSTS) is enabled or disabled for Red Hat Ansible Lightspeed. Set this variable to true to disable HSTS.

Optional

false

N/A

lightspeed_nginx_disable_https

Controls whether HTTPS is enabled or disabled for Red Hat Ansible Lightspeed. Set this variable to true to disable HTTPS.

Optional

false

N/A

lightspeed_nginx_hsts_max_age

Maximum duration (in seconds) that HTTP Strict Transport Security (HSTS) is enforced for Red Hat Ansible Lightspeed.

Optional

63072000

N/A

lightspeed_nginx_http_port

Port number that Red Hat Ansible Lightspeed listens on for HTTP requests.

Optional

8084

N/A

lightspeed_nginx_https_port

Port number that Red Hat Ansible Lightspeed listens on for HTTPS requests.

Optional

8447

N/A

lightspeed_nginx_https_protocols

Protocols that Red Hat Ansible Lightspeed will support when handling HTTPS traffic.

Optional

[TLSv1.2, TLSv1.3]

N/A

lightspeed_nginx_user_headers

Custom Nginx headers. List of additional NGINX headers to add to Red Hat Ansible Lightspeed’s NGINX configuration.

Optional

[]

N/A

lightspeed_nginx_read_timeout

Sets the HTTP timeout for end-user requests. The minimum value is 10 seconds.

Optional

3600

N/A

lightspeed_pg_cert_auth

Controls whether client certificate authentication is enabled or disabled on the Red Hat Ansible Lightspeed PostgreSQL database. Set this variable to true to enable client certificate authentication.

Optional

false

N/A

lightspeed_pg_database

Name of the PostgreSQL database used by Red Hat Ansible Lightspeed.

Optional

lightspeed

N/A

lightspeed_pg_host

Hostname of the PostgreSQL database used by Red Hat Ansible Lightspeed.

Required

 

N/A

lightspeed_pg_password

Password for the Red Hat Ansible Lightspeed PostgreSQL database user. Use of special characters for this variable is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

Optional

 

N/A

lightspeed_pg_port

Port number for the PostgreSQL database used by Red Hat Ansible Lightspeed.

Optional

5432

N/A

lightspeed_pg_sslmode

Controls the SSL mode to use when platform gateway connects to the PostgreSQL database. Valid options include verify-full, verify-ca, require, prefer, allow, disable.

Optional

prefer

N/A

lightspeed_pg_tls_cert

Path to the PostgreSQL SSL/TLS certificate file for Red Hat Ansible Lightspeed.

Optional

 

N/A

lightspeed_pg_tls_key

Path to the PostgreSQL SSL/TLS key file for Red Hat Ansible Lightspeed.

Optional

 

N/A

lightspeed_pg_username

Username for the Red Hat Ansible Lightspeed PostgreSQL database user.

Optional

lightspeed

N/A

lightspeed_secret_key

Secret key value used by Red Hat Ansible Lightspeed to sign and encrypt data.

Optional

 

N/A

lightspeed_tls_cert

Path to the SSL/TLS certificate file for Red Hat Ansible Lightspeed.

Optional

 

N/A

lightspeed_tls_key

Path to the SSL/TLS key file for Red Hat Ansible Lightspeed.

Optional

 

N/A

lightspeed_tls_remote

Denote whether the Red Hat Ansible Lightspeed provided certificate files are local to the installation program (false) or on the remote component server (true).

Optional

false

N/A

lightspeed_use_archive_compression

Controls whether archive compression is enabled or disabled for Red Hat Ansible Lightspeed. You can control this functionality globally by using use_archive_compression.

Optional

true

N/A

lightspeed_use_db_compression

Controls whether database compression is enabled or disabled for Red Hat Ansible Lightspeed. You can control this functionality globally by using use_db_compression.

Optional

false

Inventory file variables for Ansible Lightspeed coding assistant.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

N/A

lightspeed_wca_model_type

IBM watsonx Code Assistant model deployment mode, cloud (wca) or on-premise (wca-onprem).

Optional

wca

N/A

lightspeed_wca_model_url

URL of the IBM watsonx Code Assistant model. For cloud deployment, the URL could be https://api.dataplatform.test.cloud.ibm.com.

Optional

 

N/A

lightspeed_wca_model_api_key

API key of the IBM watsonx Code Assistant model that was generated during the model installation.

Required

 

N/A

lightspeed_wca_model_id

ID of the IBM watsonx Code Assistant model.

Optional

 

N/A

lightspeed_wca_model_verify_ssl

Denotes whether or not to verify IBM watsonx Code Assistant’s web certificates when making calls from Red Hat Ansible Lightspeed to itself during installation. Set to false to disable web certificate verification.

Optional

true

N/A

lightspeed_wca_model_enable_anonymization

Controls whether the anonymization of Personally Identifiable Information (PII) is enabled. PII information includes passwords, IP addresses, email addresses, and other sensitive data.

When PII anonymization is enabled, users' personal information is modified to some generic values to protect their data and reduce the risk of data leaks.

You can turn off the anonymization by specifying the value as false if you want to retain all original information as entered by users and improve the quality of the answers.

If you set the value to false and the Ansible administrator is using Red Hat Ansible Lightspeed in hybrid mode (where the model is in IBM watsonx Code Assistant in IBM Cloud) then their users' PII is sent to IBM Cloud.

Optional

true

N/A

lightspeed_wca_model_username

For on-premise deployment only. The username you use to connect to an IBM Cloud Pak for Data deployment.

Optional

 

N/A

lightspeed_wca_health_check

Enables or disables IBM watsonx Code Assistant health check.

Optional

true

N/A

lightspeed_wca_idp_url

For cloud deployment only. The IBM watsonx Code Assistant Identity Provider (IdP) URL.

Optional

 

N/A

lightspeed_wca_idp_login

For cloud deployment only. The IBM watsonx Code Assistant Identity Provider (IdP) username.

Optional

 

N/A

lightspeed_wca_idp_password

For cloud deployment only. The IBM watsonx Code Assistant Identity Provider (IdP) password.

Optional

 

Inventory file variables for Ansible Lightspeed intelligent assistant.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

N/A

lightspeed_chatbot_model_url

The inference API base URL on your LLM setup. For example, https://your_inference_api/v1.

Optional

 

N/A

lightspeed_chatbot_model_verify_ssl

Controls whether SSL/TLS certificate verification is enabled or disabled when making HTTPS requests.

Optional

true

N/A

lightspeed_chatbot_default_provider

The provider type of your LLM setup by using one of the following values:

  • Red Hat Enterprise Linux AI: rhelai
  • Red Hat OpenShift AI: rhoai
  • OpenAI: openai
  • Microsoft Azure OpenAI: azure

Optional

rhoai

N/A

lightspeed_chatbot_model_extra_settings

Use this parameter to pass a JSON dictionary of extra parameters to pass directly to the model provider, for settings not covered by other standard fields.

If you want to use Microsoft Azure OpenAI as the LLM provider, specify the value as '{"api_type": ""}'.

Optional

{}

N/A

lightspeed_chatbot_chatbot_max_tokens

Maximum number of tokens to generate a chat response.

Optional

4096

N/A

lightspeed_chatbot_http_port

Port number that Ansible Lightspeed intelligent assistant listens on for HTTP requests.

Optional

8085

N/A

lightspeed_chatbot_model_id

The ID of the LLM model that is configured on your LLM setup.

Optional

 

N/A

lightspeed_chatbot_model_api_key

The API token or the API key of your LLM setup. This token is sent along with the authorization header when an inference API is called.

Optional

 

Inventory file variables for Ansible Lightspeed intelligent assistant integration with Model Context Protocol (MCP) server.

Expand
RPM variable nameContainer variable nameDescriptionRequired or optionalDefault

N/A

lightspeed_mcp_controller_enabled

Controls whether the Ansible Lightspeed MCP controller is enabled or disabled.

Optional

false

N/A

lightspeed_mcp_controller_port

Ansible Lightspeed MCP controller port.

Optional

8004

N/A

lightspeed_mcp_lightspeed_enabled

Ansible Lightspeed MCP lightspeed enabled.

Optional

false

N/A

lightspeed_mcp_lightspeed_port

Ansible Lightspeed MCP lightspeed port.

Optional

8005

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat