DO467 - ch01s03

Bookmark this page

Installing Automation Controller and Private Automation Hub

Objectives

Install automation controller and private automation hub on individual servers.

Planning the Installation

The components of Red Hat Ansible Automation Platform can be deployed in different ways depending on the resources that you have available and the number of hosts that you want to support.

Standalone Automation Controller with a Database on the Same Node

The simplest deployment installs a single instance of automation controller with its supporting PostgreSQL database on the same node. This includes a web UI and REST API to operate automation controller. The same instance also executes your Ansible jobs.

Figure 1.5: Standalone automation controller with database on the same node

This installation mode does have scaling limitations, but it is useful for a small environment that does not have a large number of managed systems or high availability requirements.

Standalone Private Automation Hub with a Database on the Same Node

You can deploy private automation hub with its database on the same node in a similar way. This is a simple deployment mode, with the same advantages and limitations as the similar automation controller deployment.

Important

You cannot install automation controller and private automation hub on the same node.

Automation Controller and Private Automation Hub with External Database Servers

To improve performance, you can install the PostgreSQL databases used by automation controller and private automation hub on an external database server. By separating the functions to separate servers, you can spread the load and tune the servers for their particular functions.

Figure 1.6: Automation controller and private automation hub with external databases

Advanced Deployment Scenarios

More advanced deployment scenarios are available to enable further scaling and availability, but those are not covered in this section. For more information, see the Red Hat Ansible Automation Platform Installation Guide or other sections of this course.

Installation Requirements

You can install automation controller and private automation hub on systems that run the 64-bit x86_64 version of Red Hat Enterprise Linux, or by using the platform operator in an OpenShift environment. Ensure you satisfy the following requirements before installing automation controller and private automation hub on Red Hat Enterprise Linux systems.

Requirement	Description
Operating System	For Red Hat Enterprise Linux installations, the automation controller and the private automation hub are supported on systems running Red Hat Enterprise Linux 8.4 or later on the 64-bit x86_64 processor architecture.
Web Browser	To connect to the web UI for the automation controller or the private automation hub, use the current supported version of Mozilla Firefox or Google Chrome web browsers.
Memory	The automation controller requires systems with a minimum of 16 GB of RAM. The private automation hub requires systems with a minimum of 8 GB of RAM. The actual memory requirement for the automation controller depends on the maximum number of hosts that it is expected to configure in parallel. This is managed by the `forks` configuration parameter in the job template or system configuration. You have to increase memory to grow the capacity for running more forks. Red Hat recommends 1 GB of memory per 10 forks, and 2 GB for the automation controller services. If you set the `forks` parameter to 400, then the automation controller requires 42 GB of RAM.
CPU	The automation controller requires a minimum of 4 CPUs. The private automation hub requires 2 CPUs. You have to increase the number of CPUs to grow the capacity based on forks.
Disk Storage	Servers that run either the automation controller or the private automation hub need at least 40 GB of dedicated hard disk space. In the case of the automation controller, 20 GB of this space must be available to the `/var` directory. If you are installing automation controller or private automation hub with the database on the same server, then consider an additional 20 GB of hard disk space.

Database Storage

You might need more database storage based on the following factors:

The number of hosts managed by the automation controller.
The number of Ansible Content Collections and automation execution environments stored by the private automation hub.

Red Hat recommends at least 150 GB for database storage.

The storage volume must have a high baseline input/output operations per second (IOPS) rating (1500 or more).

If you are installing in an Amazon EC2 instance, then use at least the m5.large instance type. Use m4.xlarge if you are managing more than 100 hosts.

Subscription and Support

You need a Red Hat Ansible Automation Platform subscription and you must enable the Red Hat Ansible Automation Platform 2 repository.

Use the following procedure to register your systems and enable the repositories:

As the root user, use Red Hat Subscription Manager to register each of your systems.

[root@host ~]# subscription-manager register

Enable the Red Hat Ansible Automation Platform 2 repository on all systems that need to use packages from that channel. This includes all automation controller and private automation hub nodes. The following example is for a Red Hat Enterprise Linux 8 system.

[root@host ~]# subscription-manager repos \
> --enable ansible-automation-platform-2.2-for-rhel-8-x86_64-rpms

Installing Red Hat Ansible Automation Platform

The current installation process executes a shell script that runs an Ansible Playbook. This process automatically attempts to install the latest ansible-core release package.

One way is to download an archive file from Red Hat Customer Portal (https://access.redhat.com/) and unpack it into a directory on your workstation.

The other way is to enable access to the Ansible Automation Platform repository (such as ansible-automation-platform-2.2-for-rhel-8-x86_64-rpms for RHEL 8) on one of your systems, and then install the ansible-automation-platform-installer RPM package on that system. That will unpack the installer into the /opt/ansible-automation-platform/installer directory on that system.

If you download the archive file instead, two different installation files are available:

Red Hat Ansible Automation Platform installer
Red Hat Ansible Automation Platform Bundle installer

The Red Hat Ansible Automation Platform installer file is smaller, but requires internet connectivity to download the required repositories, packages, and dependencies.

The Red Hat Ansible Automation Platform Bundle installer file includes an initial set of RPM packages, so that you can install it on systems disconnected from the internet. This file also includes .tar files for the supported, minimal, and compatibility automation execution environments. These automation execution environments can be uploaded to the private automation hub or added to the automation controller rather than pulling them down from the Red Hat Ecosystem Catalog available at https://catalog.redhat.com.

Use the following procedure to install automation controller and/or automation hub:

Download and extract the installation .tar file, or install the ansible-automation-platform-installer RPM package.
Change to the directory containing the installer files.
Edit the inventory file to configure the installation process.
Run the setup.sh script, which uses Ansible to install and configure the servers.
Log in to the web UI of the new servers and complete their configuration.

Installing Automation Controller

The following procedure describes how to install a single automation controller and supporting PostgreSQL database server. That database server can be on the same host as the automation controller, but for better scaling and performance might be on a system other than the automation controller.

Download the installer from https://access.redhat.com/downloads/content/480.

Extract the files from the installer and change to the directory containing the extracted contents.

For the Red Hat Ansible Automation Platform installer:

[user@host ~]$ tar xzf ansible-automation-platform-setup-2.2.0-6.1.tar.gz
[user@host ~]$ cd ansible-automation-platform-setup-2.2.0-6.1/

For the Red Hat Ansible Automation Platform Bundle installer:

[user@host ~]$ tar xzf ansible-automation-platform-setup-bundle-2.2.0-6.1.tar.gz
[user@host ~]$ cd ansible-automation-platform-setup-bundle-2.2.0-6.1/

Edit the inventory file. At a minimum, specify the fully qualified domain name of the automation controller (automationcontroller).
```
[automationcontroller]
fqdn-for-the-controller-server
```
If you install the PostgreSQL database in an external server, then specify the fully qualified domain name of the database server.
```
[database]
fqdn-for-the-database-server
```
You can set additional required variables by either modifying the inventory file or by creating a separate variables file that you can pass to the setup.sh installation script.
Note
Creating a separate variables file makes sense if you plan to override additional installation variables that are not found in the inventory file, such as the control_plane_execution_environment variable or the global_job_execution_environments variable.
Set the passwords for the automation controller admin account (admin_password) and for the PostgreSQL database user account (pg_password).
For installing the automation controller with the PostgreSQL database on the same server, leave the values for the pg_host and pg_port variables empty.
```
admin_password='password'

pg_host=''
pg_port=''

pg_database='awx'
pg_username='awx'
pg_password='password'
```
For installing the automation controller’s PostgreSQL database on a separate server, specify the fully qualified domain name of the database server (pg_host) and the port to communicate with the database server (pg_port). Unless you configure it differently, the PostgreSQL database server uses port 5432.
```
admin_password='password'

pg_host='fqdn-for-the-database-server'
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password='password'
```
Important
You should set the passwords to something secure. To prevent the installation from failing, do not use special characters for the database password.
Set the registry_url, registry_username, and registry_password variables. The installation script uses these variables to create the Default Execution Environment Registry Credential resource in the automation controller.
If you use the default registry_url variable value of registry.redhat.io, then specify the registry credentials (registry_username and registry_password) that you use to pull container images from that URL.
```
registry_url='registry.redhat.io'
registry_username='username'
registry_password='password'
```
Note
If you plan to host automation execution environment images on the private automation hub, then set the registry_url variable to the fully qualified domain name of the private automation hub, such as hub.lab.example.com, and set the registry credentials (registry_username and registry_password) to a user who can pull container images from the registry server.
If desired, then specify values for additional variables defined in the inventory file, such as variables related to certificates.
Run the setup.sh installation script.
```
[user@host ansible-automation-platform-setup-2.2.0-6.1]$ ./setup.sh
...output omitted...
The setup process completed successfully.
[warn] /var/log/tower does not exist. Setup log saved to setup.log.
```
Important
You need root access to the automation controller to run the install playbook. You can achieve this in different ways:
- Creating an ansible.cfg configuration file in the same directory as the setup.sh installation script with the configuration directives for privilege escalation.
- Defining inventory host variables, inventory group variables, or environment variables prior to running the setup.sh installation script.
In the references at the end of this section you can find more information about privilege escalation.
After the installer finishes successfully, connect to the web UI for the automation controller with a web browser. If you did not specify variables for certificates, then the web browser generates a warning message regarding a self-signed security certificate presented by the automation controller website. Accept the risk and continue.
Log in to the automation controller web UI with the admin account and the password you set in the inventory file.
After you log in for the first time, the web UI prompts you to activate your subscription. Activating your subscription is a three step process and the web UI displays your progress through the steps.
In the first step, you can either request a subscription or select your subscription. You have two choices for selecting your subscription:
- Upload a subscription manifest. You can download a subscription manifest from your Subscription Allocations page on the customer portal. More details can be found in the references section.
- Enter your Red Hat customer credentials or Red Hat Satellite username and password.
  Figure 1.7: Activating your Red Hat subscription
  In the second step, you can enable or disable integration with user analytics and automation analytics.
  Figure 1.8: Options for user analytics and automation analytics
  In the third step, you must review and accept the end user license agreement. After accepting, the web UI displays the automation controller dashboard.
  Figure 1.9: End user license agreement

Upcoming sections provide a more detailed orientation to the automation controller interface.

Installing Private Automation Hub

The following procedure describes how to install a single private automation hub and supporting PostgreSQL database server. That database server can be on the same host as the private automation hub, but for better scaling and performance might be on a system other than the private automation hub.

The installer for the private automation hub is the same that you downloaded for the automation controller. The first two steps are the same as installing the automation controller. Download the installer and extract the contents.
Edit the inventory file. At a minimum, specify the fully qualified domain name of the private automation hub (automationhub).
```
[automationhub]
fqdn-for-the-hub-server
```
As with the automation controller, if you install the PostgreSQL database on an external server, then specify the fully qualified domain name of the database server.
```
[database]
fqdn-for-the-database-server
```
You can set additional required variables by either modifying the inventory file or by creating a separate variables file that you can pass to the setup.sh installation script.
Set the passwords for the private automation hub admin account (automationhub_admin_password) and for the PostgreSQL database user account (automationhub_pg_password).
For installing the private automation hub with the PostgreSQL database on the same node, leave the values for the automationhub_pg_host and automationhub_pg_port variables empty.
```
automationhub_admin_password='password'

automationhub_pg_host=''
automationhub_pg_port=''

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='password'
```
For an installation with the PostgreSQL database on a separate server, specify the fully qualified domain name of the database server (automationhub_pg_host) and the port used to communicate with the database server (automationhub_pg_port). Unless you configure it differently, the PostgreSQL database server uses port 5432.
```
automationhub_admin_password='password'

automationhub_pg_host='fqdn-for-the-database-server'
automationhub_pg_port=5432

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='password'
```
Set the registry_username and registry_password variables to pull container images from registry.redhat.io. If you use a different registry resource, set the registry_url variable and the registry credentials accordingly.
```
registry_url='registry.redhat.io'
registry_username='username'
registry_password='password'
```
If desired, then specify values for additional variables defined in the inventory file, such as variables related to certificates.
Run the setup.sh installation script.
```
[user@host ansible-automation-platform-setup-2.2.0-6.1]$ ./setup.sh
...output omitted...
The setup process completed successfully.
[warn] /var/log/tower does not exist. Setup log saved to setup.log.
```
Important
You need root access to the server to run the playbook to install the private automation hub. Choose the privilege escalation setting you prefer to achieve this access.
After the installer finishes successfully, connect to the web UI for the private automation hub with a web browser. If you did not specify variables for certificates, then the web browser generates a warning message regarding a self-signed security certificate presented by the private automation hub website. Accept the risk and continue.
Log in to the private automation hub web UI with the admin account and the password you set in the inventory file.

Important

You can install the automation controller and the private automation hub at the same time by editing the inventory file with the data for both of them.

Installing this way helps create assets in automation controller and private automation hub automatically as part of the installation. For example:

Credentials and links between automation controller and private automation hub.
Download of three execution environments to private automation hub.

You cannot install the automation controller and the private automation hub components on the same server.

If you set the private automation hub as a registry for the automation controller and you install using the Red Hat Ansible Automation Platform Bundle installer, then the three automation execution environments in the bundle upload to the private automation hub during the installation process.

Replacing the CA Certificate

You can configure automation controller, private automation hub, and the database server to use valid certificates. These certificates could be signed by a publicly recognizable certificate authority or by a corporate or enterprise certificate authority that is trusted by your company.

Gathering Certificates and Private Keys

Before replacing certificates, ensure that you have the following files:

The certificate authority (CA) certificate if using a corporate or enterprise CA. This is not needed for a public certificate authority that is already configured as trusted by Red Hat Enterprise Linux.
The signed certificate for the automation controller, private automation hub, or database server.
The associated private key for each signed certificate.

Preparing the Systems

To configure the certificates during the installation process, edit the inventory file prior to running the setup.sh installation script. If the certificate was signed by a corporate or enterprise certificate authority, then specify the location of the CA certificate (custom_ca_cert) in the inventory file.

custom_ca_cert=/etc/pki/tls/certs/third-party-ca.pem

Depending on the server, uncomment the variables related to certificates and specify the correct values for them:

For the automation controller, specify the signed certificate (web_server_ssl_cert) and the private key (web_server_ssl_key).

web_server_ssl_cert=/etc/pki/tls/certs/controller.lab.example.com.crt
web_server_ssl_key=/etc/pki/tls/private/controller.lab.example.com.key

For the private automation hub, set the value for the automationhub_ssl_validate_certs variable to True, and then specify the signed certificate (automationhub_ssl_cert) and the private key (automationhub_ssl_key).

automationhub_ssl_validate_certs = True

automationhub_ssl_cert=/etc/pki/tls/certs/hub.lab.example.com.crt
automationhub_ssl_key=/etc/pki/tls/private/hub.lab.example.com.key

For the PostgreSQL database server, set the value for the postgres_use_ssl variable to True, and then specify the signed certificate (postgres_ssl_cert) and the private key (postgres_ssl_key).

postgres_use_ssl=True

postgres_ssl_cer=/etc/pki/tls/certs/hub.lab.example.com.crt
postgres_ssl_key=/etc/pki/tls/private/hub.lab.example.com.key

Trusting Custom CA Certificates

If you specify the custom_ca_cert variable, then the installation script configures the servers targeted by the playbook to trust any certificate signed by that certificate authority.

You can configure additional servers in your environment to trust certificates signed by that certificate authority. As the root user, copy the CA certificate to the /etc/pki/ca-trust/source/anchors/ directory and then run the update-ca-trust command to add the trusted CA certificate.

[root@host ~]$ update-ca-trust

Note

You can configure Ansible Automation Platform to use custom certificates either before or after the installation.

Updating RPM Packages on Ansible Automation Platform Servers

Do not use dnf to update RPM packages on servers installed with Ansible Automation Platform by using the setup.sh installation script.

Instead, to upgrade packages on automation controller or private automation hub systems, you must run the setup.sh installation script again. Both services must be updated with the installation script in order to perform database migrations and other operations correctly, and the installation script will take care of other RPM package updates as well.

Warning

Using dnf to update RPM packages on automation controller or private automation hub can cause issues with your installation. For more information, see the Knowledgebase article at https://access.redhat.com/solutions/4566711.

References

What is included in Red Hat Ansible Automation Platform subscription?

Red Hat Ansible Automation Platform Installation Guide

Deploying Ansible Automation Platform 2.1

Ansible Documentation: Understanding Privilege Escalation

Ansible Documentation: Obtaining a subscriptions manifest

How Do I Perform Security Patching / OS Package Upgrades On Ansible Tower/Automation Controller Nodes Without Breaking Any Ansible Tower/Automation Controller Functionality?

Discuss Managing Enterprise Automation with Red Hat Ansible Automation Platform

Go to community

Welcome to the Managing Enterprise Automation with Red Hat Ansible Automation Platform group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Managing Enterprise Automation with Red Hat Ansible Automation Platform! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO467.Read more about Managing Enterprise Automation with Red Hat Ansible Automation Platform here.

312

Revision: do467-2.2-08877c1