Chapter 3. Ansible Automation Platform Controller Configuration Details
This reference architecture focuses on the deployment of Ansible Automation Platform 2.1 using automation mesh on Red Hat Enterprise Linux 8.4 x86_64. The configuration is intended to provide a comprehensive Ansible Automation Platform solution. The key solution components covered within this reference architecture consist of:
- Red Hat Enterprise Linux 8.4
- Ansible Automation Platform 2.1
- automation mesh
- private automation hub
3.1. Network Configuration
3.1.1. Chrony Configuration
Each Ansible Automation Platform node in the cluster must have access to an NTP server. The chronyd daemon synchronizes the system clock and can do so against NTP servers. This ensures that when cluster nodes use SSL certificates that require validation, the validation does not fail because the date and time differ between the nodes.
On all the nodes:
- If not installed, install chrony as follows:
# dnf install chrony --assumeyes
- Edit the /etc/chrony.conf file with a text editor such as vi.
# vi /etc/chrony.conf
- Locate the following public server pool section and modify it to include the appropriate servers. Only one server is required, but three are recommended. The iburst option is added to speed up the time it takes to properly sync with the servers.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server <ntp-server-address> iburst
- Save all the changes within the /etc/chrony.conf file. Start the chronyd daemon and enable it so that it is started when the host is booted.
# systemctl --now enable chronyd.service
- Verify the chronyd daemon status.
# systemctl status chronyd.service
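A check worth running before enabling chronyd, added here as an example and not part of the reference architecture: it counts the active `server`/`pool` entries in a chrony.conf that carry the iburst option, fails when there are none, and warns when there are fewer than the recommended three. The sample configuration is constructed for the demonstration; on a real node point it at /etc/chrony.conf.

```sh
#!/bin/sh
# Added example: validate the server entries of a chrony.conf before the
# node is put into the cluster, so it never boots with no usable time
# source and then fails certificate validation against its peers.

# Print the number of uncommented "server"/"pool" directives that use iburst.
count_iburst_servers() {
    grep -E '^[[:space:]]*(server|pool)[[:space:]]+[^[:space:]]+.*[[:space:]]iburst([[:space:]]|$)' "$1" \
        | wc -l | tr -d ' '
}

# Return 0 when the file has at least one usable server entry. The reference
# architecture recommends three, so anything below that gets a warning.
chrony_conf_ok() {
    n=$(count_iburst_servers "$1")
    if [ "$n" -eq 0 ]; then
        echo "$1: no 'server <address> iburst' entry found" >&2
        return 1
    fi
    if [ "$n" -lt 3 ]; then
        echo "$1: only $n server entries with iburst (3 recommended)" >&2
    fi
    return 0
}

# Constructed sample configuration (not a real /etc/chrony.conf).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# Use public servers from the pool.ntp.org project.
# server 0.pool.ntp.org iburst   <- commented out, must not be counted
server ntp1.example.com iburst
server ntp2.example.com iburst
server ntp3.example.com iburst
driftfile /var/lib/chrony/drift
EOF

if chrony_conf_ok "$SAMPLE_CONF"; then
    echo "$SAMPLE_CONF: $(count_iburst_servers "$SAMPLE_CONF") usable server entries"
fi
```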
3.2. OS Configuration
3.2.1. Red Hat Subscription Manager
The subscription-manager command registers a system to the Red Hat Network (RHN) and manages the subscription entitlements for a system. The --help option queries the command for the available options. If the --help option is issued along with a command directive, then the options available for that specific command directive are listed.
To use Red Hat Subscription Management for providing packages to a system, the system must first register with the service. To register a system, use the subscription-manager command and pass the register command directive. If the --username and --password options are specified, then the command does not prompt for the RHN authentication credentials.
An example of registering a system using subscription-manager is shown below.
# subscription-manager register --username [User] --password '[Password]'
The system has been registered with id: abcd1234-ab12-ab12-ab12-481ba8187f60
After a system is registered, it must be attached to an entitlement pool. For the purposes of this reference environment, the Red Hat Ansible Automation Platform is the pool chosen. To identify and subscribe to the Red Hat Ansible Automation Platform entitlement pool, the following command directives are required.
# subscription-manager list --available | grep -A8 "Red Hat Ansible Automation Platform"
---
Subscription Name:   Red Hat Ansible Automation Platform, Premium (5000 Managed Nodes)
Provides:            Red Hat Ansible Engine
                     Red Hat Single Sign-On
                     Red Hat Ansible Automation Platform
SKU:                 MCT3695
Contract:            <contract>
Pool ID:             <pool_id>
Provides Management: No
Available:           9990
Suggested:           1
Service Type:        L1-L3
Roles:
# subscription-manager attach --pool <pool_id>
Successfully attached a subscription for: Red Hat Ansible Automation Platform, Premium (5000 Managed Nodes)
# subscription-manager repos --enable=ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms
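Reading the Pool ID off a grep -A8 dump by hand is error-prone when several pools are listed. The function below, an added example rather than part of the reference architecture, selects the Pool ID by exact Subscription Name from the output of `subscription-manager list --available`. The listing it runs against is constructed, and its pool IDs, contracts and the first product are placeholders.

```sh
#!/bin/sh
# Added example: extract the Pool ID for a subscription by its exact name.
# Usage on a node:
#   POOL=$(subscription-manager list --available | pool_id_for "<Subscription Name>")
#   subscription-manager attach --pool "$POOL"
# Prints the Pool ID of the first entry whose Subscription Name matches
# exactly, or nothing when there is no such entry.
pool_id_for() {
    awk -v want="$1" '
        # Each entry starts with its name; remember whether it is the wanted one.
        /^Subscription Name:/ {
            sub(/^Subscription Name:[ \t]*/, ""); sub(/[ \t]+$/, "")
            hit = ($0 == want)
        }
        # Only report the Pool ID that belongs to the matching entry.
        hit && /^Pool ID:/ {
            sub(/^Pool ID:[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }'
}

# Constructed sample of "subscription-manager list --available" output: two
# pools, only the second of which is the Ansible Automation Platform one.
SAMPLE_LIST=$(cat <<'EOF'
Subscription Name:   Example Product, Standard (Constructed Entry)
Provides:            Example Product
SKU:                 CONSTRUCTED_SKU_1
Contract:            CONSTRUCTED_CONTRACT_1
Pool ID:             CONSTRUCTED_POOL_ID_OTHER
Available:           10

Subscription Name:   Red Hat Ansible Automation Platform, Premium (5000 Managed Nodes)
Provides:            Red Hat Ansible Engine
                     Red Hat Single Sign-On
                     Red Hat Ansible Automation Platform
SKU:                 MCT3695
Contract:            CONSTRUCTED_CONTRACT_2
Pool ID:             CONSTRUCTED_POOL_ID_AAP
Available:           9990
EOF
)

AAP_NAME='Red Hat Ansible Automation Platform, Premium (5000 Managed Nodes)'
POOL=$(printf '%s\n' "$SAMPLE_LIST" | pool_id_for "$AAP_NAME")
echo "Pool ID for '$AAP_NAME': $POOL"
```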
3.2.2. User Accounts
Prior to the installation of Ansible Automation Platform 2.1, it is recommended to create a non-root user with sudo privileges for the deployment process. This user is used for:
- SSH connectivity
- passwordless authentication during installation
For the purposes of this reference environment, the user ansible was chosen; however, any user name would suffice.
On all nodes, create a user named ansible and generate an ssh key.
- Create a non-root user.
# useradd ansible
- Set a password for your ansible user.
# passwd ansible
- Generate an ssh key as the ansible user.
$ ssh-keygen -t rsa
- Disable the password requirement when using sudo as the ansible user.
# echo "ansible ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/ansible
3.2.3. Copying SSH keys to all nodes
With the ansible user created, copy the ssh key to all the nodes as the ansible user. This ensures that when the Ansible Automation Platform installation runs, it can ssh to all the nodes without a password.
This can be done using the ssh-copy-id command as follows:
$ ssh-copy-id ansible@hostname.example.com
If running within a cloud provider, you may need to instead create an ~/.ssh/authorized_keys file containing the public key for the ansible user on all your nodes, and set the permissions on the authorized_keys file so that only the owner (ansible) has read and write access (permissions 644).
3.2.4. Configuring Firewall Settings
Firewall access and restrictions play a critical role in securing an Ansible Automation Platform 2.1 environment. Red Hat Enterprise Linux 8.4 defaults to using firewalld, a dynamic firewall daemon. firewalld works by assigning network zones, which give a level of trust to a network and its associated connections and interfaces.
It is recommended that firewall settings be configured to permit access to the appropriate services and ports for a successful Ansible Automation Platform 2.1 installation.
On all nodes, ensure that firewalld is installed, started and enabled.
- Install the firewalld package.
# dnf install firewalld --assumeyes
- Start the firewalld service.
# systemctl start firewalld
- Enable the firewalld service.
# systemctl enable firewalld