Setup Ansible Tower 2.2 via Proxy

The Ansible Tower is a really nice piece of visual “control center” for your Ansible installation. Ansible itself describes it as:

Centralize and control your Ansible infrastructure with a visual dashboard, role-based access control, job scheduling, and graphical inventory management. Tower’s REST API and CLI make it easy to embed Tower into existing tools and processes. Delegate automation jobs to non-Ansible users with portal mode.

Ansible Inc. recently released the new version 2.2 of the Tower, which has really nice features for enterprise environments.

Internet access required

By default the setup procedure of the Ansible Tower 2.2 requires direct internet access. Unfortunately if you’re working in an environment with security guidelines in place, you might have no direct access to the internet.

To work around on this issue we had to use a HTTP proxy server for the Tower setup. If you’re used to Linux, you know you can set the proxy via http_proxy environment variable. Sadly these environment variables won’t be passed to Ansible, so that doesn’t help at all. Setting the proxy option in the YUM config will help yum, but the setup procedure is still using Ansible modules like pip or get_url. So eventually we found another solution, by adding the proxy environment directly to the Ansible setup tasks / roles.

Here’s the patch for that:

--- ansible-tower-setup-2.2.0.orig/group_vars/all       2015-07-14 22:12:14.000000000 +0200
+++ ansible-tower-setup-2.2.0.patched/group_vars/all    2015-08-11 15:18:10.288466492 +0200
@@ -48,3 +48,11 @@
 # Celery Settings
 # This takes the form of: max,min
 # celery_autoscale: 50,4
+
+# Proxy settings
+# ==============
+
+# Specify the proxy environment.
+proxy_environment:
+  http_proxy: http://proxy.example.net
+  https_proxy: http://proxy.example.net
diff -U3 -r ansible-tower-setup-2.2.0.orig/roles/packages_el/tasks/main.yml ansible-tower-setup-2.2.0.patched/roles/packages_el/tasks/main.yml
--- ansible-tower-setup-2.2.0.orig/roles/packages_el/tasks/main.yml     2015-07-14 22:12:13.000000000 +0200
+++ ansible-tower-setup-2.2.0.patched/roles/packages_el/tasks/main.yml  2015-08-11 15:09:33.828084523 +0200
@@ -18,6 +18,7 @@
     name: '{{ item }}'
     state: present
   with_items: yum_repo_rpms
+  environment: proxy_environment

 - name: determine if rhui repository exists
   stat:
@@ -28,6 +29,7 @@
 - name: update rh-amazon-rhui-client (RHEL EC2 only)
   yum: name=rh-amazon-rhui-client state=latest
   when: ansible_distribution == 'RedHat' and rhui_repo.stat.exists
+  environment: proxy_environment

 - name: enable rhui repositories
   ini_file:
@@ -67,6 +69,7 @@
 - name: install playbook dependencies
   yum: name={{ item }} state=installed
   with_items: el_dependencies
+  environment: proxy_environment

 - name: Remove obsolete packages.
   yum:
@@ -80,12 +83,14 @@
     url: '{{ item }}'
   when: yum_repo_urls is defined
   with_items: yum_repo_urls
+  environment: proxy_environment

 - name: Upgrade pip using pip.
   pip:
     name: pip>=1.5,<1.6
     state: latest
     extra_args: "--no-deps {{ pip_extra_args }}"
+  environment: proxy_environment

 - name: Install pip dependencies
   pip:
@@ -93,6 +98,7 @@
     state: latest
     extra_args: "--no-deps {{ pip_extra_args }}"
   with_items: pip_dependencies
+  environment: proxy_environment

 - name: Install the Tower yum repository.
   template:
@@ -106,3 +112,4 @@
     enablerepo: ansible-tower
     disable_gpg_check: '{{not gpgcheck|bool}}'
     state: latest
+  environment: proxy_environment
diff -U3 -r ansible-tower-setup-2.2.0.orig/roles/packages_ubuntu/tasks/main.yml ansible-tower-setup-2.2.0.patched/roles/packages_ubuntu/tasks/main.yml
--- ansible-tower-setup-2.2.0.orig/roles/packages_ubuntu/tasks/main.yml 2015-07-14 22:12:13.000000000 +0200
+++ ansible-tower-setup-2.2.0.patched/roles/packages_ubuntu/tasks/main.yml      2015-08-11 15:11:13.995231422 +0200
@@ -23,6 +23,7 @@
     name: python-pip
     state: present
     update_cache: yes
+  environment: proxy_environment

 - name: Install pip dependencies
   pip:
@@ -30,24 +31,28 @@
     state: latest
     extra_args: "--no-deps {{ pip_extra_args }}"
   with_items: pip_dependencies
+  environment: proxy_environment

 - name: install apt repository keys
   apt_key:
     url: '{{ item }}'
   when: apt_keys is defined
   with_items: apt_keys
+  environment: proxy_environment

 - name: install apt repositories
   apt_repository:
     repo: '{{ item }}'
   when: apt_repos is defined
   with_items: apt_repos
+  environment: proxy_environment

 - name: install playbook dependencies
   apt:
     name: '{{ item }}'
     state: installed
   with_items: ubuntu_dependencies
+  environment: proxy_environment

 - name: Remove obsolete packages.
   apt:
@@ -55,6 +60,7 @@
     state: absent
   with_items:
     - rabbitmq-server
+  environment: proxy_environment

 - name: A secret key may already exist; test if it does.
   stat:
@@ -79,16 +85,19 @@
     force: yes
   when: ansible_version is defined and ansible_version.full|version_compare('1.8', '>=')
   register: apt_install
+  environment: proxy_environment

 - name: update apt cache when using the apt-get command
   apt: update_cache=yes
   when: apt_install|skipped
+  environment: proxy_environment

 - name: Install Tower package with the apt-get command.
   command: "apt-get {{ (not gpgcheck|bool) and '--allow-unauthenticated' or '' }} -y install '{{tower_package_deb}}'"
   changed_when: "'0 upgraded, 0 newly installed' not in result.stdout"
   register: result
   when: apt_install|skipped
+  environment: proxy_environment

 - name: Restore the secret key.
   copy:
@@ -102,3 +111,4 @@

 - name: update apt cache
   apt: update_cache=yes
+  environment: proxy_environment

Just download the patch and store it in /tmp/ansible-tower-setup.patch.

Setup the Tower

Here’s the full guide to setup the Ansible Tower 2.2.

Install Ansible

First of all, you’ve to install Ansible itself. You’ve two options:

  • install Ansible via pip
  • install Ansible via package manager

We recommend using pip, because it’s Pythons own package manager.

For Debian, that’s quite easy:

apt-get install python-pip
pip install ansible

Unfortunately RedHat does no longer provide pip in RHEL 7, so you’ve to install it all by yourself:

wget https://pypi.python.org/packages/source/s/setuptools/setuptools-7.0.tar.gz --no-check-certificate
tar xfz setuptools-7.0.tar.gz
cd setuptools-7.0
python setup.py install

wget https://bootstrap.pypa.io/get-pip.py
python get-pip.py

pip install ansible

Alternatively you can install Ansible from Fedora’s EPEL channels, though this isn’t supported from RedHat as well:

wget https://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
yum install epel-release-7-5.noarch.rpm
yum install ansible

Please note that Fedora supports ansible out of the box!

Install the Tower

Browse to the official Ansible Tower page and get your personal copy of the Tower.

When you got your ansible-tower-setup-latest.gz, you’re ready to configure the Tower setup:

# Unpack the tower setup.
tar xfz ansible-tower-setup-latest.gz
cd ansible-tower-setup-2.2.0/

# Configure the tower setup.
./configure

Now if you’re using a proxy, you should really patch your Tower setup roles / tasks by executing:

patch -p1 </tmp/ansible-tower-setup.patch

After you’ve patched the setup procedure, edit the proxy environment in group_vars/all, and then start the setup:

./setup.sh

 

 

3 Comments

  • luv Reply

    Will this be helpful in hosting ansible behind nginx ?

    • Dominique Barton Reply

      Hosting the Tower WebUI behind nginx? Of coruse you can do that (by using nginx’s proxy features), but why do you want that?

  • 8 ball pool Reply

    Great! Thanks for sharing the information.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.