Red Hat SummitUnderstand metrics service architecture
Learn the architectural components and deployment topology of metrics service to make informed infrastructure decisions and ensure successful integration with Ansible Automation Platform.
Metrics service overview
Metrics service is a Django-based application component of Ansible Automation Platform 2.7. It collects anonymized usage and performance data from your automation controller. The service runs as containerized workloads managed by either systemd (containerized installer) or Kubernetes (operator). It maintains its own PostgreSQL database and read-only access to the controller database.
Default behavior in Ansible Automation Platform 2.7
Metrics service is enabled by default in Ansible Automation Platform 2.7 for both operator-based (OpenShift) and containerized installations that include automation controller. It is deployed automatically as a required component when you install automation controller.
- Containerized installations: [automationmetrics] inventory group is required when installing Ansible Automation Platform if automationcontroller is present in the inventory file
- Operator installations: Enabled when
metrics.disabled: falseis set in the AnsibleAutomationPlatform custom resource
Key characteristics
- Django-based application: Built on Django framework with database migrations managed through /app/scripts/init.sh
- Containerized deployment: Runs as three containers (
automation-metrics-web,automation-metrics-tasks,automation-metrics-scheduler) managed by systemd (containerized installer) or Kubernetes (operator) - Automatic anonymization: Customer-defined object names are replaced with "Custom" before transmission. Only built-in object names and publicly available collection names are sent in their original form
- Auto-configured ingress: Establishes secure connection to Red Hat Data Ingress without manual setup
- Read-only access: Accesses automation controller database in read-only mode to prevent operational impact
- Isolated database: Maintains its own
metrics_servicedatabase for metrics processing and storage - Health monitoring: Provides health check endpoint (returns
"status": "good"when healthy) - HTTP proxy support: Supports HTTP/HTTPS proxy configuration for environments without direct internet access
- Startup validation: Validates required production environment variables at startup. Containers exit immediately with validation errors if required variables are missing or invalid
- Deployment flexibility: Supports both RHEL-based containerized deployments and OpenShift operator-based deployments with different configuration approaches
Relationship to automation dashboard
Metrics service serves as the unified backend for automation dashboard, a Technology Preview feature in Ansible Automation Platform 2.7. When dashboard collection is enabled (FEATURE_DASHBOARD_COLLECTION_ENABLED: true), metrics service collects additional dashboard-specific metrics, including:
- Cost and pricing data for ROI calculations
- Automation savings metrics
- Executive reporting data
Dashboard collection is disabled by default and must be enabled separately. Dashboard collection runs on a 6-hourly schedule to minimize database impact.
Dashboard collection feature flag
Automation dashboard data collection is controlled by the FEATURE_DASHBOARD_COLLECTION_ENABLED feature flag. This is an official Ansible Automation Platform feature flag that customers can configure during installation or post-installation.
Default: false (dashboard collection disabled)
Purpose: When enabled, metrics service collects additional dashboard-specific metrics (cost data, ROI calculations, pricing information) in addition to standard anonymized metrics.
Architecture components
Core components
| Component | Container Name | Purpose |
|---|---|---|
| Metrics service (web) | automation-metrics-web |
Nginx reverse proxy + Gunicorn serving the Django application. Internal Gunicorn port: 8006. External via nginx: 8087 (HTTP) / 8450 (HTTPS). Health endpoint:/health/ (returns HTTP 2** for healthy, 50* for unhealthy) |
| Metrics service (tasks) | automation-metrics-tasks |
Dispatcherd async task worker for background job execution |
| Metrics service (scheduler) | automation-metrics-scheduler |
APScheduler process that triggers periodic data collection tasks |
| Init container | automation-metrics-init |
One-shot container that runs Django database migrations and system initialization via/app/scripts/init.sh. Exits on completion. |
| metrics_service database | PostgreSQL database | Stores processed metrics data and configuration. Created with usermetrics_service (ALL privileges) |
| awx/automation controller database (read-only) | PostgreSQL database | Source of automation controller usage data. Accessed via userms_awx_readonly (SELECT-only privileges on all tables in schema) |
| Red Hat Data Ingress | External endpoint | Receives anonymized data from customer environments via Segment write key. Data flows through Gateway/api/metrics/ endpoint (no direct customer-facing endpoints in 2.7 GA) |
Database architecture
| Database | User | Privileges | Purpose |
|---|---|---|---|
metrics_service |
metrics_service |
ALL | Metrics service own data storage, schema migrations, configuration |
| awx/automation controller | ms_awx_readonly |
SELECT ON ALL TABLES IN SCHEMA public | Read-only access to controller data for metrics collection |
The two-database model ensures metrics service cannot modify controller data. The ms_awx_readonly user has only SELECT privileges on the awx/automation controller database, preventing any writes to automation controller tables.
When FEATURE_DASHBOARD_COLLECTION_ENABLED: true, the metrics_service database includes additional tables from apps/dashboard_reports/migrations/ for dashboard-specific data. These tables are created automatically during database migration if the feature flag is enabled.
Database schema architecture
Collection phase
- Metrics service queries automation controller/
awxdatabase (read-only connection usingms_awx_readonlyuser) - Raw usage data extracted from the following tables: jobs, job host summaries, credentials, execution environments, controller versions, and feature flags
What is NOT collected:
- Event data
- Host inventory data
- Customer-defined template names, playbook names, or workflow names
Host and inventory data collection is handled separately by the metrics-utility CLI for CCSP reports only. Metrics service does not collect this data.
Complete task schedule
Metrics service uses three task groups controlled by feature flags:
METRICS_COLLECTION group
Gated by METRICS_COLLECTION feature flag (default: true). When disabled, all tasks in this group skip execution.
| Task | Schedule | Description |
|---|---|---|
collect_hourly_metrics (job_host_summary) |
Every hour at XX:05 | Collects job host summary metrics from controller database |
collect_hourly_metrics (unified_jobs) |
Every hour at XX:10 | Collects unified jobs metrics from controller database |
collect_hourly_metrics (credentials) |
Every hour at XX:15 | Collects credentials usage metrics from controller database |
collect_snapshot_metrics (execution_environments) |
Daily at 1:00 AM | Snapshot of execution environment configuration |
collect_snapshot_metrics (config) |
Daily at 1:30 AM | Snapshot of system configuration |
collect_snapshot_metrics (controller_version) |
Daily at 1:35 AM | Snapshot of controller version information |
collect_snapshot_metrics (table_metadata) |
Daily at 1:40 AM | Snapshot of database table metadata |
collect_snapshot_metrics (feature_flags) |
Daily at 1:45 AM | Snapshot of feature flag states |
collect_daily_metrics (task_executions) |
Daily at 1:50 AM | Pipeline health metrics (task execution observability) |
daily_metrics_rollup |
Daily at 2:00 AM | Aggregates hourly data into daily summaries |
cleanup_metrics_data |
Daily at 4:00 AM | Purges expired data based on retention policies |
ANONYMIZATION group
Gated by ANONYMIZED_DATA_COLLECTION feature flag (default: true). When disabled, anonymization and transmission skip execution.
| Task | Schedule | Description |
|---|---|---|
daily_anonymize_and_prepare |
Daily at 3:00 AM | Anonymizes collected data and transmits to Segment.com |
SYSTEM group
Always enabled regardless of feature flag state. System maintenance tasks continue even when all collection is disabled.
| Task | Schedule | Description |
|---|---|---|
cleanup_old_tasks |
Daily at 5:00 AM | Purges old task execution records from database |
hello_world |
Every hour | Health check heartbeat for monitoring |
Task dependencies
Tasks are scheduled in dependency order:
- Hourly collection (XX:05, XX:10, XX:15) - provides raw data
- Daily snapshots (1:00 AM - 1:50 AM) - supplements hourly data
- Daily rollup (2:00 AM) - aggregates hourly data (depends on hourly collectors completing)
- Anonymization (3:00 AM) - anonymizes aggregated data (depends on rollup completing)
- Cleanup (4:00 AM, 5:00 AM) - purges old data (runs after rollup/anonymization to avoid race conditions)
If hourly collectors fail, daily rollup will have incomplete data. Always verify hourly collection completed before troubleshooting rollup issues.
To ensure the readonly user can access tables created in the future, we recommend setting the following default privileges: ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO ms_awx_readonly;
Anonymization phase
No personal data leaves the customer environment. Only publicly available collection names (for example from Galaxy) and built-in object names (such as built-in credential types and execution environments) are transmitted.
Anonymization method: Statistics and counts only
Metrics service transmits only aggregated statistics, counts, and built-in/public object names. Customer-defined object names are never transmitted. For example, if you have 3 custom credentials, metrics service sends the count "3" but does not send the credential names.
What data is sent:
- Job statistics: Aggregated job execution data grouped by job type, launch type, and version (success/failure counts, duration statistics, timestamps). Job template names are NOT included.
- Job host summary statistics: Aggregated job execution results per host (success/failure counts, execution performance metrics).
- Credential type statistics: Built-in credential type names (e.g., "Machine", "Source Control", "Vault") and count of customer-defined credentials (e.g., "3 custom credentials"). Customer-defined credential names are NOT sent.
- Execution environment statistics: Built-in EE names (e.g., "ee-minimal-rhel9", "ee-supported-rhel9") and count of customer-defined EEs (e.g., "5 custom EEs"). Customer-defined EE names are NOT sent.
- Collection statistics: Public collection names from Galaxy or Red Hat Certified Collections (e.g., "ansible.builtin", "ansible.posix") and count of customer-defined collections. Customer-defined collection names are NOT sent.
- Project SCM types: Source control management types for projects (e.g., Git, SVN).
- Organization counts: Total number of organizations configured.
- Version information: Controller version, Ansible core version, installed collection versions.
- Warnings and deprecations: Statistics on deprecation warnings encountered.
- Feature flag states: Boolean status of enabled/disabled feature flags.
What data is NOT sent:
- Job template names (not collected at all)
- Customer-defined credential names (only counts transmitted, e.g., "3 custom credentials")
- Customer-defined execution environment names (only counts transmitted, e.g., "5 custom EEs")
- Customer-defined collection names (only counts transmitted)
- Event data (removed from metrics service in February 2026)
- Host inventory data (not queried by metrics service; handled separately by metrics-utility CLI for CCSP reports only)
- Playbook names (customer-defined content)
- Variable names and values (customer-defined content)
- Workflow template names (customer-defined content)
Customer-defined object names are never transmitted. Metrics service sends only counts (e.g., "3 custom credentials") and statistics (e.g., "50 jobs executed"). There is no way to identify which specific custom objects belong to which customer, and no individual object names can be recovered from the transmitted data.
Transmission phase
- Anonymized data packaged for transmission
- Secure HTTPS connection established to Red Hat Data Ingress endpoint using Segment (a third-party data pipeline service)
- Data transmitted through the Gateway /api/metrics/ endpoint (no direct customer-facing endpoints in 2.7 GA)
- Transmission status logged in
metrics_servicedatabase - HTTP/HTTPS proxy supported for environments without direct internet access
Segment is a third-party data pipeline service that securely routes anonymized metrics from your environment to Red Hat analytics infrastructure. The Segment write key is pre-configured during installation.
Message size handling
Metrics service splits anonymized data deterministically into separate messages. If any message exceeds 32 KB, the service splits it further. This ensures reliable transmission of large datasets without message size errors.
Deployment topology options
AIO Growth (All-in-One) topology
A single host runs all Ansible Automation Platform components, including metrics service. The [automationmetrics] inventory group points to the same host as [automationcontroller].
Characteristics:
- All components share the same host
- Simplest deployment for small to medium environments
- Metrics service, controller, and databases on one node
- Suitable for development, testing, or small production environments
Enterprise / Multi-Node topology
Metrics service runs on a dedicated node or alongside Gateway. Key design decision: metrics service is NOT required to be co-located with automation controller. You define which node hosts metrics service by using the [automationmetrics] inventory group.
Characteristics:
- Flexible topology: metrics service can run on any node
- Scaled independently from controller
- Metrics processing isolated from automation execution
- Suitable for large-scale production environments
Deployment method comparison
Metrics service supports two deployment methods with different configuration complexity and automation levels:
| Aspect | Containerized Installer | Operator (OpenShift) |
|---|---|---|
| Deployment method | Ansible role (automationmetrics) in containerized installation program |
Kubernetes operator (automation-metrics-operator) managed by AAP gateway operator |
| Configuration complexity | Manual: requires inventory file edits, database passwords, network variables | Automatic: single CR field (metrics.disabled: false) |
| Database provisioning | Administrator provisions databases and configures credentials in inventory | Operator automatically provisions databases and manages credentials via Kubernetes secrets |
| Container management | Podman with systemd user-scope units | Kubernetes deployments managed by operator |
| Network configuration | Manual firewall rules, port configuration in inventory | Automatic Kubernetes services and Envoy routing through gateway |
| OAuth integration | Manual configuration if needed | Automatic integration with platform gateway OAuth |
| Upgrades | Re-run installer with updated inventory | Operator handles upgrades automatically via CR updates |
| Backup/restore | Manual playbook execution | Operator-managed backup/restore via AutomationMetricsBackup CR (when available) |
For OpenShift deployments, use the operator method for simplified configuration and automatic lifecycle management. For RHEL-based containerized deployments, use the containerized installer method.
Containerized installer deployment details
Metrics service is deployed through the automationmetrics Ansible role included in the Ansible Automation Platform 2.7 containerized installation program:
- Container runtime: Podman with host networking mode (rootless, user namespace)
- Service management: Three systemd user-scope units:
automation-metrics-web.service,automation-metrics-tasks.service,automation-metrics-scheduler.service - Data persistence: Host volumes mounted from
{{ aap_volumes_dir }}/automationmetricsinto container path /var/lib/ansible-automation-platform/metrics - Secrets management: Four Podman secrets:
automationmetrics_pg_password,automationmetrics_controller_read_pg_password,automationmetrics_secret_key,automationmetrics_resource_server - Firewall integration: Ports 8087/tcp (HTTP) and 8450/tcp (HTTPS) opened in configured firewall zone (default: public)
Configuration requirements:
- Hosts must be added to
[automationmetrics]inventory group - Database connection variables must be configured (
automationmetrics_pg_host,automationmetrics_pg_password, etc.) - Read-only controller database user must be provisioned manually or by installer
- Segment write key must be provided for data transmission
Operator-based deployment details
Metrics service is deployed through the automation-metrics-operator running on OpenShift. The AAP gateway operator manages the metrics operator lifecycle:
- Container runtime: Kubernetes pods managed by operator deployments
- Service management: Three Kubernetes deployments:
metrics-api,metrics-tasks,metrics-scheduler - Data persistence: Kubernetes persistent volumes managed by operator
- Secrets management: Kubernetes secrets automatically created and managed by operator (database credentials, OAuth tokens, Segment write key)
- Network integration: Kubernetes services and Envoy routing through platform gateway
- Database provisioning: Operator automatically creates and configures both
metrics_servicedatabase and read-only controller database user
Configuration simplicity:
- Single CR field:
spec.metrics.disabled: falsein AnsibleAutomationPlatform CR - Zero manual database configuration required
- Zero manual network configuration required
- Automatic OAuth integration with platform gateway
- Operator handles all credential rotation and secret management
Operator-managed resources:
- MetricsService CR: Created as
<aap-name>-automationmetricsservicein same namespace as AnsibleAutomationPlatform CR - Database: PostgreSQL database for metrics service, automatically provisioned with credentials stored in Kubernetes secrets
- Read-only user: Automatically created in controller database with SELECT privileges
- Services: Kubernetes Service resources for metrics API, tasks, and scheduler pods
- Routes/Ingress: Traffic routing through platform gateway Envoy proxy (no direct external endpoints)
In AAP 2.7, the operator removes ownerReferences from the MetricsService CR. This means the CR is not automatically deleted when you set metrics.disabled: true. You must manually delete the CR if you want to fully remove metrics service from your cluster.
In standard operator deployments, database provisioning is fully automatic. The operator creates all required databases and users. This includes the metrics service database and the read-only user for the controller database.
Externally managed databases: If you use a fully externally managed database such as RDS or Cloud SQL, you must manually provision databases and configure credentials before deploying metrics service. See the related information for external database configuration procedures.
Network architecture
Required network connectivity
| Source | Destination | Protocol/Port | Purpose |
|---|---|---|---|
automation-metrics-tasks /automation-metrics-scheduler containers |
Automation controller database | PostgreSQL (5432) | Read-only data collection viams_awx_readonly user |
automation-metrics-tasks /automation-metrics-scheduler containers |
metrics_service database |
PostgreSQL (5432) | Read-write metrics storage viametrics_service user |
automation-metrics-tasks container |
Red Hat Data Ingress (via Segment) | HTTPS (443) | Anonymized data transmission authenticated via Segment write key |
| Monitoring systems (optional) | automation-metrics-web container |
HTTP (8087) | Health check endpoint at/health/ via nginx |
Firewall requirements
- Protocol: HTTPS (TLS 1.2 or higher); supported TLS versions: TLSv1.2, TLSv1.3
- Direction: Outbound from metrics service container to Red Hat Data Ingress
- Nginx ports: 8087/tcp (HTTP) and 8450/tcp (HTTPS) opened in firewall (default zone: public)
- Internal Gunicorn port: 8006 (localhost only, not opened in firewall)
- Proxy support: HTTP/HTTPS proxy configuration supported via standard environment variables (
HTTP_PROXY,HTTPS_PROXY,NO_PROXY)
Naming conventions
| Element | Value |
|---|---|
| Role name | automationmetrics |
| Inventory group | [automationmetrics] |
| Web container | automation-metrics-web |
| Tasks container | automation-metrics-tasks |
| Scheduler container | automation-metrics-scheduler |
| Init container | automation-metrics-init |
| Variable prefix | automationmetrics_ |
| Gunicorn port (internal) | 8006 (localhost only) |
| Nginx HTTP port | 8087 |
| Nginx HTTPS port | 8450 |
| Health endpoint | http://localhost:8087/health/ |
| Host volume path | {{ aap_volumes_dir }}/automationmetrics |
| Container data path | /var/lib/ansible-automation-platform/metrics |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}