Red Hat Summit 红帽全球峰会支持控制台(Console)开发人员开始试用联系人

第 3 章 安装 Red Hat Ansible Automation Platform

Ansible Automation Platform 是一个模块化平台,您可以使用其他自动化平台组件(如自动化中心)部署自动化控制器。如需有关 Ansible Automation Platform 提供的组件的更多信息,请参阅 Red Hat Ansible Automation Platform 计划指南中的 Red Hat Ansible Automation Platform 平台组件。

Red Hat Ansible Automation Platform 有很多支持的安装场景。要安装 Red Hat Ansible Automation Platform,您必须编辑 inventory 文件参数,以使用以下示例之一指定您的安装场景:

3.1. 编辑 Red Hat Ansible Automation Platform 安装程序清单文件

您可以使用 Red Hat Ansible Automation Platform 安装程序清单文件指定您的安装场景。

流程

  1. 进入安装程序:

    1. [RPM 安装的软件包]

      Copy to Clipboard Toggle word wrap 
      $ cd /opt/ansible-automation-platform/installer/

    2. [Bundled installer]

      Copy to Clipboard Toggle word wrap 
      $ cd ansible-automation-platform-setup-bundle-<latest-version>

    3. [Online installer]

      Copy to Clipboard Toggle word wrap 
      $ cd ansible-automation-platform-setup-<latest-version>
  2. 使用文本编辑器打开清单文件。
  3. 编辑清单文件参数,以指定您的安装场景。使用其中一个支持的 安装场景示例来更新清单文件。

其他资源

如需 Ansible 安装清单文件中使用的预定义变量的完整列表,请参阅清单文件变量

3.1.1. 基于安装场景的清单文件示例

红帽支持多种 Ansible Automation Platform 安装场景。查看以下示例并选择适合您首选安装场景的用户。

重要
  • Red Hat Ansible Automation Platform 或 Automation hub:在 [automationhub] 组中添加一个 Automation hub 主机。
  • 对于内部数据库: [database] 不能被用来指向 Ansible Automation Platform 集群中的另一主机。要安装的数据库主机需要是唯一的主机。
  • 对于生产环境或客户环境中的 Ansible Automation Platform 版本,不要在同一节点上安装自动化控制器和自动化中心。这可能导致争用问题和大量资源的使用。

  • [automationhub][automationcontroller] 主机提供可访问 IP 地址或完全限定域名(FQDN),以确保用户可以从不同节点从自动化中心同步和安装内容。

    FQDN 不得包含 -_ 符号,因为它无法正确处理。

    不要使用 localhost

  • 对于 forpg_password,不要使用特殊字符。可能会导致设置失败。
  • registry_usernameregistry_password 中输入 Red Hat Registry Service account 凭证以链接到 Red Hat 容器 registry。
  • 只有在使用非捆绑包安装程序时,才需要清单文件变量 registry_usernameregistry_password

3.1.1.1. 带有内部数据库的独立自动化控制器

使用本示例填充清单文件来安装 Red Hat Ansible Automation Platform。此安装清单文件包含一个带有内部数据库的自动化控制器节点。

Copy to Clipboard Toggle word wrap 
[automationcontroller]
controller.acme.org

[all:vars]
admin_password='<password>'
pg_host=''
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'


# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

3.1.1.2. 带有外部(安装程序管理的)数据库的单一自动化控制器

使用本示例填充清单文件来安装 Red Hat Ansible Automation Platform。此安装清单文件包含单一自动化控制器节点,单独节点上具有外部数据库。

Copy to Clipboard Toggle word wrap 
[automationcontroller]
controller.acme.org

[database]
data.acme.org

[all:vars]
admin_password='<password>'
pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

3.1.1.3. 单个带有外部的自动化控制器(客户提供)数据库

使用本示例填充清单文件来安装 Red Hat Ansible Automation Platform。此安装清单文件包含一个单独的自动化控制器节点,它带有一个在不是由平台安装程序管理的单独节点上的外部数据库。

重要

本例没有数据库组下的主机。这表示数据库已存在,并在其他位置被管理。

Copy to Clipboard Toggle word wrap 
[automationcontroller]
controller.acme.org

[database]

[all:vars]
admin_password='<password>'

pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'


# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

3.1.1.4. 带有外部(安装程序管理的)数据库的 Ansible Automation Platform

使用本示例填充清单文件来安装 Ansible Automation Platform。此安装清单文件包含两个自动化控制器节点、两个执行节点,以及带有外部管理数据库的自动化中心。

Copy to Clipboard Toggle word wrap 
# Automation Controller Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=control implies that the node will only be able to run
# project and inventory updates, but not regular jobs.
# A node_type=hybrid will have the ability to run everything.
# If you do not define the node_type, it defaults to hybrid.
#
# control.example node_type=control
# hybrid.example  node_type=hybrid
# hybrid2.example <- this will default to hybrid

[automationcontroller]
controller1.acme.org node_type=control
controller2.acme.org node_type=control

# Execution Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=hop implies that the node will forward jobs to an execution node.
# A node_type=execution implies that the node will be able to run jobs.
# If you do not define the node_type, it defaults to execution.
#
# hop.example node_type=hop
# execution.example  node_type=execution
# execution2.example <- this will default to execution

[execution_nodes]
execution1.acme.org node_type=execution
execution2.acme.org node_type=execution

[automationhub]
automationhub.acme.org

[database]
data.acme.org

[all:vars]
admin_password='<password>'
pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Receptor Configuration
#
receptor_listener_port=27199

# Automation Hub Configuration
#
automationhub_admin_password='<password>'
automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

3.1.1.5. 带有外部(客户提供的)数据库的 Ansible Automation Platform

使用本示例填充清单文件来安装 Red Hat Ansible Automation Platform。此安装清单文件包括每个节点类型之一:control、hybrid、hop 和 execution,以及带有不由平台安装程序管理的外部管理数据库的自动化中心。

重要

本例没有数据库组下的主机。这表示数据库已存在,并在其他位置被管理。

Copy to Clipboard Toggle word wrap 
# Automation Controller Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=control implies that the node will only be able to run
# project and inventory updates, but not regular jobs.
# A node_type=hybrid will have the ability to run everything.
# If you do not define the node_type, it defaults to hybrid.
#
# control.example node_type=control
# hybrid.example  node_type=hybrid
# hybrid2.example <- this will default to hybrid

[automationcontroller]
hybrid1.acme.org node_type=hybrid
controller1.acme.org node_type=control

# Execution Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=hop implies that the node will forward jobs to an execution node.
# A node_type=execution implies that the node will be able to run jobs.
# If you do not define the node_type, it defaults to execution.
#
# hop.example node_type=hop
# execution.example  node_type=execution
# execution2.example <- this will default to execution

[execution_nodes]
hop1.acme.org node_type=hop
execution1.acme.org node_type=execution

[automationhub]
automationhub.acme.org

[database]

[all:vars]
admin_password='<password>'
pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Receptor Configuration
#
receptor_listener_port=27199

# Automation Hub Configuration
#
automationhub_admin_password='<password>'
automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

3.1.1.6. 带有内部数据库的独立自动化中心

使用本例填充清单文件,以使用内部数据库部署独立自动化中心实例。

Copy to Clipboard Toggle word wrap 
[automationcontroller]


[automationhub]
automationhub.acme.org ansible_connection=local

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password= <PASSWORD>

automationhub_pg_host=''
automationhub_pg_port='5432'

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

3.1.1.7. 带有外部(安装程序管理的)数据库的单一自动化中心

使用本示例填充清单文件,以使用外部(安装程序管理)数据库部署单一自动化中心实例。

Copy to Clipboard Toggle word wrap 
[automationcontroller]

[automationhub]
automationhub.acme.org

[database]
data.acme.org

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password= <PASSWORD>

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

3.1.1.8. 带有外部(客户提供的)数据库的单一自动化中心

使用本示例填充清单文件,部署一个单独的自动化中心实例,它带有一个不是由平台安装程序管理的数据中心。

重要

本例没有数据库组下的主机。这表示数据库已存在,并在其他位置被管理。

Copy to Clipboard Toggle word wrap 
[automationcontroller]

[automationhub]
automationhub.acme.org

[database]

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password= <PASSWORD>

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

3.1.1.9. 私有自动化中心上的 LDAP 配置

您必须在 Red Hat Ansible Automation Platform 安装程序清单文件中设置以下六个变量,以配置用于 LDAP 身份验证的私有自动化中心:

  • automationhub_authentication_backend
  • automationhub_ldap_server_uri
  • automationhub_ldap_bind_dn
  • automationhub_ldap_bind_password
  • automationhub_ldap_user_search_base_dn
  • automationhub_ldap_group_search_base_dn

如果缺少其中的任何变量,Ansible Automation 安装程序将无法完成安装。

3.1.1.9.1. 设置清单文件变量

当使用 LDAP 身份验证配置私有自动化中心时,您必须在安装过程中在清单文件中设置正确的变量。

流程

  1. 根据编辑 Red Hat Ansible Automation Platform 安装程序清单文件中的步骤访问您的清单文件。

  2. 使用以下示例来设置 Ansible Automation Platform 清单文件:

    Copy to Clipboard Toggle word wrap 
    automationhub_authentication_backend = "ldap"

automationhub_ldap_server_uri = "ldap://ldap:389"   (for LDAPs use  automationhub_ldap_server_uri = "ldaps://ldap-server-fqdn")
automationhub_ldap_bind_dn = "cn=admin,dc=ansible,dc=com"
automationhub_ldap_bind_password = "GoodNewsEveryone"
automationhub_ldap_user_search_base_dn = "ou=people,dc=ansible,dc=com"
automationhub_ldap_group_search_base_dn = "ou=people,dc=ansible,dc=com"
    注意

    以下变量将使用默认值设置,除非您使用其他选项进行了设置。

    Copy to Clipboard Toggle word wrap 
    auth_ldap_user_search_scope= 'SUBTREE'
auth_ldap_user_search_filter= '(uid=%(user)s)'
auth_ldap_group_search_scope= 'SUBTREE'
auth_ldap_group_search_filter= '(objectClass=Group)'
auth_ldap_group_type_class= 'django_auth_ldap.config:GroupOfNamesType'
  3. 可选:在私有自动化中心中设置额外的参数,如用户组、超级用户访问或镜像。前往 配置额外的 LDAP 参数 以完成此可选步骤。
3.1.1.9.2. 配置额外的 LDAP 参数

如果您计划设置超级用户访问权限、用户组、镜像或其他额外参数,您可以创建一个在 ldap_extra_settings 字典中组成它们的 YAML 文件。

流程

  1. 创建一个包含 ldap_extra_settings 的 YAML 文件。

    • Example:

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
 <LDAP_parameter>: <Values>

...

  2. 添加设置所需的任何参数。以下示例描述了您可以在 ldap_extra_settings 中设置的 LDAP 参数:

    • 使用本示例根据 LDAP 组中的成员资格设置超级用户标志。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_FLAGS_BY_GROUP: {"is_superuser": "cn=pah-admins,ou=groups,dc=example,dc=com",}
...

    • 使用本示例设置超级用户访问权限。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_FLAGS_BY_GROUP: {"is_superuser": "cn=pah-admins,ou=groups,dc=example,dc=com",}
...

    • 使用本示例来镜像(mirror)您属于的所有 LDAP 组。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_MIRROR_GROUPS: True
...

    • 使用本示例映射 LDAP 用户属性(如用户名、姓氏和电子邮件地址)。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_ATTR_MAP: {"first_name": "givenName", "last_name": "sn", "email": "mail",}
...

    • 使用以下示例根据 LDAP 组成员资格授予或拒绝访问权限:

      • 要授予私有自动化中心访问权限(例如,cn=pah-nosoupforyou,ou=groups,dc=example,dc=com 组的成员):

        Copy to Clipboard Toggle word wrap 
        #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_REQUIRE_GROUP: 'cn=pah-nosoupforyou,ou=groups,dc=example,dc=com'
...

      • 拒绝私有自动化中心访问(例如,cn=pah-nosoupforyou,ou=groups,dc=example,dc=com 组的成员):

        Copy to Clipboard Toggle word wrap 
        #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_REQUIRE_GROUP: 'cn=pah-nosoupforyou,ou=groups,dc=example,dc=com'
...

    • 使用本示例启用 LDAP 调试日志记录。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  GALAXY_LDAP_LOGGING: True
...
      注意

      如果重新运行 setup.sh 或在短时间内启用了调试日志,则可以将包含 GALAXY_LDAP_LOGGING: True 的行手动添加到私有自动化中心上的 /etc/pulp/settings.py 文件。重启 pulpcore-api.servicenginx.service 以使更改生效。为了避免因为人为错误而失败,请仅在需要时使用此方法。

    • 通过设置变量 AUTH_LDAP_CACHE_TIMEOUT,使用本示例配置 LDAP 缓存。

      Copy to Clipboard Toggle word wrap 
      #ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_CACHE_TIMEOUT: 3600
...
  3. 在私有自动化中心安装过程中运行 setup.sh -e @ldapextras.yml。验证您已正确设置,请确认您可以在私有自动化中心上的 /etc/pulp/settings.py 文件中查看所有设置。
返回顶部
Red Hat logoGithubredditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。 了解我们当前的更新.

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

Theme

© 2025 Red Hat, Inc.