Appendix A. Inventory file variables

The following tables contain information about the pre-defined variables used in Ansible installation inventory files. Not all of these variables are required.

A.1. General variables

Variable | Description

enable_insights_collection

The default install registers the node to the Red Hat Insights for Red Hat Ansible Automation Platform Service if the node is registered with Subscription Manager. Set to False to disable.

Default = true

nginx_user_http_config

List of nginx configurations for /etc/nginx/nginx.conf under the http section.

Each element in the list is added to the http section of the nginx configuration as a separate line.

Default = empty list

registry_password

registry_password is only required if a non-bundle installer is used.

Password credential for access to registry_url.

Used for both [automationcontroller] and [automationhub] groups.

Enter your Red Hat Registry Service Account credentials in registry_username and registry_password to link to the Red Hat container registry.

When registry_url is registry.redhat.io, username and password are required if not using a bundle installer.

registry_url

Used for both [automationcontroller] and [automationhub] groups.

Default = registry.redhat.io.

registry_username

registry_username is only required if a non-bundle installer is used.

User credential for access to registry_url.

Used for both [automationcontroller] and [automationhub] groups, but only if the value of registry_url is registry.redhat.io.

Enter your Red Hat Registry Service Account credentials in registry_username and registry_password to link to the Red Hat container registry.

routable_hostname

routable_hostname is used if the machine running the installer can only route to the target host through a specific URL, for example, if you use shortnames in your inventory, but the node running the installer can only resolve that host using FQDN.

If routable_hostname is not set, it should default to ansible_host. If you do not set ansible_host, inventory_hostname is used as a last resort.

This variable is used as a host variable for particular hosts and not under the [all:vars] section. For further information, see Assigning a variable to one machine: host variables.

A.2. Ansible automation hub variables

Variable | Description

automationhub_admin_password

Required

Passwords must be enclosed in quotes when they are provided in plain text in the inventory file.

automationhub_api_token

If upgrading from Ansible Automation Platform 2.0 or earlier, you must either:

  • provide an existing Ansible automation hub token as automationhub_api_token, or
  • set generate_automationhub_token to true to generate a new token

Generating a new token invalidates the existing token.

automationhub_authentication_backend

This variable is not set by default. Set it to ldap to use LDAP authentication.

When this is set to ldap, you must also set the following variables:

  • automationhub_ldap_server_uri
  • automationhub_ldap_bind_dn
  • automationhub_ldap_bind_password
  • automationhub_ldap_user_search_base_dn
  • automationhub_ldap_group_search_base_dn

If any of these are absent, the installation will be halted.

automationhub_auto_sign_collections

If a collection signing service is enabled, collections are not signed automatically by default.

Setting this parameter to true signs them by default.

Default = false.

automationhub_backup_collections

Optional

Ansible automation hub provides artifacts in /var/lib/pulp. Automation controller automatically backs up the artifacts by default.

You can also set automationhub_backup_collections to false, in which case the backup/restore process does not back up or restore /var/lib/pulp.

Default = true.

automationhub_collection_download_count

Optional

Determines whether download count is displayed on the UI.

Default = false.

automationhub_collection_seed_repository

When you run the bundle installer, validated content is uploaded to the validated repository, and certified content is uploaded to the rh-certified repository.

By default, both certified and validated content are uploaded.

Possible values of this variable are 'certified' or 'validated'.

If you do not want to install content, set automationhub_seed_collections to false to disable the seeding.

If you only want one type of content, set automationhub_seed_collections to true and automationhub_collection_seed_repository to the type of content you do want to include.

automationhub_collection_signing_service_key

If a collection signing service is enabled, you must provide this variable to ensure that collections can be properly signed.

/absolute/path/to/key/to/sign

automationhub_collection_signing_service_script

If a collection signing service is enabled, you must provide this variable to ensure that collections can be properly signed.

/absolute/path/to/script/that/signs

automationhub_create_default_collection_signing_service

Set this variable to true to create a collection signing service.

Default = false.

automationhub_container_signing_service_key

If a container signing service is enabled, you must provide this variable to ensure that containers can be properly signed.

/absolute/path/to/key/to/sign

automationhub_container_signing_service_script

If a container signing service is enabled, you must provide this variable to ensure that containers can be properly signed.

/absolute/path/to/script/that/signs

automationhub_create_default_container_signing_service

Set this variable to true to create a container signing service.

Default = false.

automationhub_disable_hsts

The default installation deploys a TLS-enabled Ansible automation hub. Use this variable if you deploy automation hub with the HTTP Strict Transport Security (HSTS) web-security policy enabled. This variable disables the HSTS web-security policy mechanism.

Default = false.

automationhub_disable_https

Optional

If Ansible automation hub is deployed with HTTPS enabled.

Default = false.

automationhub_enable_api_access_log

When set to true, this variable creates a log file at /var/log/galaxy_api_access.log that logs all user actions made to the platform, including their username and IP address.

Default = false.

automationhub_enable_analytics

A Boolean indicating whether to enable pulp analytics for the version of pulpcore used in automation hub in Ansible Automation Platform 2.4.

To enable pulp analytics, set automationhub_enable_analytics to true.

Default = false.

automationhub_enable_unauthenticated_collection_access

Set this variable to true to enable unauthenticated users to view collections.

Default = false.

automationhub_enable_unauthenticated_collection_download

Set this variable to true to enable unauthenticated users to download collections.

Default = false.

automationhub_importer_settings

Optional

Dictionary of settings to pass to galaxy-importer.

At import time collections can go through a series of checks.

Behavior is driven by galaxy-importer.cfg configuration.

Examples are ansible-doc, ansible-lint, and flake8.

This parameter enables you to drive this configuration.

automationhub_main_url

The main automation hub URL that clients connect to.

For example, https://<load balancer host>.

Use automationhub_main_url to specify the main automation hub URL that clients connect to if you are implementing Red Hat Single Sign-On on your automation hub environment.

If not specified, the first node in the [automationhub] group is used.

automationhub_pg_database

Required

The database name.

Default = automationhub.

automationhub_pg_host

Required if not using an internal database.

The hostname of the remote PostgreSQL database used by automation hub.

Default = 127.0.0.1.

automationhub_pg_password

The password for the automation hub PostgreSQL database.

Use of special characters for automationhub_pg_password is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

automationhub_pg_port

Required if not using an internal database.

Default = 5432.

automationhub_pg_sslmode

Required.

Default = prefer.

automationhub_pg_username

Required

Default = automationhub.

automationhub_require_content_approval

Optional

Value is true if automation hub enforces the approval mechanism before collections are made available.

By default, when you upload collections to automation hub, an administrator must approve them before they are made available to the users.

If you want to disable the content approval flow, set the variable to false.

Default = true.

automationhub_seed_collections

A Boolean that defines whether or not preloading is enabled.

When you run the bundle installer, validated content is uploaded to the validated repository, and certified content is uploaded to the rh-certified repository.

By default, both certified and validated content are uploaded.

If you do not want to install content, set automationhub_seed_collections to false to disable the seeding.

If you only want one type of content, set automationhub_seed_collections to true and automationhub_collection_seed_repository to the type of content you do want to include.

Default = true.

automationhub_ssl_cert

Optional

/path/to/automationhub.cert

Same as web_server_ssl_cert but for automation hub UI and API.

automationhub_ssl_key

Optional

/path/to/automationhub.key

Same as web_server_ssl_key but for automation hub UI and API.

automationhub_ssl_validate_certs

For Red Hat Ansible Automation Platform 2.2 and later, this value is no longer used.

Set value to true if automation hub must validate certificates when requesting itself because by default, Ansible Automation Platform deploys with self-signed certificates.

Default = false.

automationhub_upgrade

Deprecated

For Ansible Automation Platform 2.2.1 and later, the value of this has been fixed at true.

Automation hub always updates with the latest packages.

automationhub_user_headers

List of nginx headers for Ansible automation hub’s web server.

Each element in the list is provided to the web server’s nginx configuration as a separate line.

Default = empty list

ee_from_hub_only

When deployed with automation hub, the installer pushes execution environment images to automation hub and configures automation controller to pull images from the automation hub registry.

To make automation hub the only registry to pull execution environment images from, set this variable to true.

If set to false, execution environment images are also taken directly from Red Hat.

Default = true when the bundle installer is used.

generate_automationhub_token

If upgrading from Red Hat Ansible Automation Platform 2.0 or earlier, choose one of the following options:

  • provide an existing Ansible automation hub token as automationhub_api_token
  • set generate_automationhub_token to true to generate a new token. Generating a new token will invalidate the existing token.

nginx_hsts_max_age

This variable specifies how long, in seconds, the system should be considered as an HTTP Strict Transport Security (HSTS) host. That is, how long HTTPS is used exclusively for communication.

Default = 63072000 seconds, or two years.

nginx_tls_protocols

Defines support for ssl_protocols in Nginx.

Default = TLSv1.2.

pulp_db_fields_key

Relative or absolute path to the Fernet symmetric encryption key that you want to import. The path is on the Ansible management node. It is used to encrypt certain fields in the database, such as credentials. If not specified, a new key will be generated.

sso_automation_platform_login_theme

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

Path to the directory where theme files are located. If changing this variable, you must provide your own theme files.

Default = ansible-automation-platform.

sso_automation_platform_realm

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

The name of the realm in SSO.

Default = ansible-automation-platform.

sso_automation_platform_realm_displayname

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

Display name for the realm.

Default = Ansible Automation Platform.

sso_console_admin_username

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

SSO administration username.

Default = admin.

sso_console_admin_password

Required

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

SSO administration password.

sso_custom_keystore_file

Optional

Used for Ansible Automation Platform managed Red Hat Single Sign-On only.

Customer-provided keystore for SSO.

sso_host

Required

Used for Ansible Automation Platform externally managed Red Hat Single Sign-On only.

Automation hub requires SSO and SSO administration credentials for authentication.

If SSO is not provided in the inventory for configuration, then you must use this variable to define the SSO host.

sso_keystore_file_remote

Optional

Used for Ansible Automation Platform managed Red Hat Single Sign-On only.

Set to true if the customer-provided keystore is on a remote node.

Default = false.

sso_keystore_name

Optional

Used for Ansible Automation Platform managed Red Hat Single Sign-On only.

Name of keystore for SSO.

Default = ansible-automation-platform.

sso_keystore_password

Password for keystore for HTTPS enabled SSO.

Required when using Ansible Automation Platform managed SSO and when HTTPS is enabled. The default install deploys SSO with sso_use_https=true.

sso_redirect_host

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

If sso_redirect_host is set, it is used by the application to connect to SSO for authentication.

This must be reachable from client machines.

sso_ssl_validate_certs

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On.

Set to true if the certificate must be validated during connection.

Default = true.

sso_use_https

Optional

Used for Ansible Automation Platform managed and externally managed Red Hat Single Sign-On if Single Sign-On uses HTTPS.

Default = true.

For Ansible automation hub to connect to LDAP directly, you must configure the following variables. For a list of additional LDAP-related variables that can be passed using the ldap_extra_settings variable, see the Django reference documentation.

Variable | Description

automationhub_ldap_bind_dn

The name to use when binding to the LDAP server with automationhub_ldap_bind_password.

Must be set when integrating private automation hub with LDAP, or the installation will fail.

automationhub_ldap_bind_password

Required

The password to use with automationhub_ldap_bind_dn.

Must be set when integrating private automation hub with LDAP, or the installation will fail.

automationhub_ldap_group_search_base_dn

An LDAP Search object that finds all LDAP groups that users might belong to.

If your configuration makes any references to LDAP groups, you must set this variable and automationhub_ldap_group_type.

Must be set when integrating private automation hub with LDAP, or the installation will fail.

Default = None

automationhub_ldap_group_search_filter

Optional

Search filter for finding group membership.

Variable identifies what objectClass type to use for mapping groups with automation hub and LDAP. Used for installing automation hub with LDAP.

Default = (objectClass=Group)

automationhub_ldap_group_search_scope

Optional

Scope to search for groups in an LDAP tree using the Django framework for LDAP authentication. Used for installing automation hub with LDAP.

Default = SUBTREE

automationhub_ldap_group_type

Describes the type of group returned by automationhub_ldap_group_search.

This is set dynamically based on the values of automationhub_ldap_group_type_params and automationhub_ldap_group_type_class, otherwise it is the default value coming from django-ldap which is 'None'.

Default = django_auth_ldap.config:GroupOfNamesType

automationhub_ldap_group_type_class

Optional

The importable path for the django-ldap group type class.

Variable identifies the group type used during group searches within the Django framework for LDAP authentication. Used for installing automation hub with LDAP.

Default = django_auth_ldap.config:GroupOfNamesType

automationhub_ldap_server_uri

The URI of the LDAP server.

Use any URI that is supported by your underlying LDAP libraries.

Must be set when integrating private automation hub with LDAP, or the installation will fail.

automationhub_ldap_user_search_base_dn

An LDAP Search object that locates a user in the directory. The filter parameter must contain the placeholder %(user)s for the username. It must return exactly one result for authentication to succeed.

Must be set when integrating private automation hub with LDAP, or the installation will fail.

automationhub_ldap_user_search_filter

Optional

Default = '(uid=%(user)s)'

automationhub_ldap_user_search_scope

Optional

Scope to search for users in an LDAP tree by using the Django framework for LDAP authentication. Used for installing automation hub with LDAP.

Default = SUBTREE
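The LDAP requirements above (the five mandatory variables listed under automationhub_authentication_backend and the %(user)s placeholder rule) can be checked before the installer runs. The following Python is an added example, not part of the original documentation or the installer; the function name ldap_preflight, the sample values, and the vault variable name are assumptions, and the ldap:// warning is a general LDAP fact that this page does not state.

```python
# The five variables this page lists as mandatory for the ldap backend.
REQUIRED_LDAP_VARS = (
    "automationhub_ldap_server_uri",
    "automationhub_ldap_bind_dn",
    "automationhub_ldap_bind_password",
    "automationhub_ldap_user_search_base_dn",
    "automationhub_ldap_group_search_base_dn",
)
DEFAULT_USER_FILTER = "(uid=%(user)s)"  # documented default


def ldap_preflight(inv):
    """Return a list of problems in a dict of inventory variables (empty = OK)."""
    if inv.get("automationhub_authentication_backend") != "ldap":
        return []  # LDAP backend not selected, nothing to validate
    problems = [name + " is required but not set"
                for name in REQUIRED_LDAP_VARS if not inv.get(name, "").strip()]

    user_filter = inv.get("automationhub_ldap_user_search_filter", DEFAULT_USER_FILTER)
    if "%(user)s" not in user_filter:
        # Without the placeholder the search cannot single out the login name.
        problems.append("automationhub_ldap_user_search_filter lacks %(user)s")
    elif user_filter.count("(") != user_filter.count(")"):
        problems.append("automationhub_ldap_user_search_filter has unbalanced parentheses")

    if inv.get("automationhub_ldap_server_uri", "").lower().startswith("ldap://"):
        # Not stated on the page: plain ldap:// carries the bind password
        # unencrypted unless StartTLS is configured separately.
        problems.append("automationhub_ldap_server_uri uses ldap:// (no TLS by default)")
    return problems


# Constructed sample values; DNs and host names are made up.
BROKEN = {
    "automationhub_authentication_backend": "ldap",
    "automationhub_ldap_server_uri": "ldap://ldap.example.com:389",
    "automationhub_ldap_bind_dn": "cn=hub-bind,ou=svc,dc=example,dc=com",
    "automationhub_ldap_user_search_base_dn": "ou=people,dc=example,dc=com",
    "automationhub_ldap_user_search_filter": "(uid=*)",
}
FIXED = dict(
    BROKEN,
    automationhub_ldap_server_uri="ldaps://ldap.example.com:636",
    automationhub_ldap_bind_password="{{ vault_hub_ldap_bind_password }}",  # hypothetical vaulted variable
    automationhub_ldap_group_search_base_dn="ou=groups,dc=example,dc=com",
    automationhub_ldap_user_search_filter="(&(objectClass=person)(uid=%(user)s))",
)

if __name__ == "__main__":
    for label, inv in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(label, ldap_preflight(inv) or "ok")
```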

A.3. Automation controller variables

Variable | Description

admin_password

The password for an administration user to access the UI when the installation is complete.

Passwords must be enclosed in quotes when they are provided in plain text in the inventory file.

automation_controller_main_url

For an alternative front end URL needed for SSO configuration, provide the URL.

automationcontroller_password

Password for your automation controller instance.

Passwords must be enclosed in quotes when they are provided in plain text in the inventory file.

automationcontroller_username

Username for your automation controller instance.

nginx_http_port

The port on which the nginx HTTP server listens for inbound connections.

Default = 80

nginx_https_port

The port on which the nginx HTTPS server listens for secure connections.

Default = 443

nginx_hsts_max_age

This variable specifies how long, in seconds, the system must be considered as an HTTP Strict Transport Security (HSTS) host. That is, how long HTTPS is used exclusively for communication.

Default = 63072000 seconds, or two years.

nginx_tls_protocols

Defines support for ssl_protocols in Nginx.

Default = TLSv1.2.

nginx_user_headers

List of nginx headers for the automation controller web server.

Each element in the list is provided to the web server’s nginx configuration as a separate line.

Default = empty list

node_state

Optional

The status of a node or group of nodes. Valid options are active, deprovision to remove a node from a cluster, or iso_migrate to migrate a legacy isolated node to an execution node.

Default = active.

node_type

For [automationcontroller] group:

Two valid node_types can be assigned for this group.

A node_type=control means that the node only runs project and inventory updates, but not regular jobs.

A node_type=hybrid can run everything.

Default for this group = hybrid

For [execution_nodes] group:

Two valid node_types can be assigned for this group.

A node_type=hop implies that the node forwards jobs to an execution node.

A node_type=execution implies that the node can run jobs.

Default for this group = execution.

peers

Optional

The peers variable is used to indicate which nodes a specific host or group connects to. Wherever this variable is defined, an outbound connection to the specific host or group is established.

This variable is used to add tcp-peer entries in the receptor.conf file used for establishing network connections with other nodes.

The peers variable can be a comma-separated list of hosts and groups from the inventory. This is resolved into a set of hosts that is used to construct the receptor.conf file.

pg_database

The name of the PostgreSQL database.

Default = awx.

pg_host

The PostgreSQL host, which can be an externally managed database.

pg_password

The password for the PostgreSQL database.

Use of special characters for pg_password is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

NOTE

You no longer have to provide a pg_hashed_password in your inventory file at the time of installation because PostgreSQL 13 can now store user passwords more securely.

When you supply pg_password in the inventory file for the installer, PostgreSQL uses the SCRAM-SHA-256 hash to secure that password as part of the installation process.

pg_port

The PostgreSQL port to use.

Default = 5432

pg_ssl_mode

Choose one of the two available modes: prefer and verify-full.

Set to verify-full for client-side enforced SSL.

Default = prefer.

pg_username

Your PostgreSQL database username.

Default = awx.

postgres_ssl_cert

Location of the PostgreSQL SSL certificate.

/path/to/pgsql_ssl.cert

postgres_ssl_key

Location of the PostgreSQL SSL key.

/path/to/pgsql_ssl.key

postgres_use_cert

Location of the PostgreSQL user certificate.

/path/to/pgsql.crt

postgres_use_key

Location of the PostgreSQL user key.

/path/to/pgsql.key

postgres_use_ssl

Use this variable if PostgreSQL uses SSL.

receptor_listener_port

Port to use for receptor connection.

Default = 27199

supervisor_start_retry_count

When specified, it adds startretries = <value specified> to the supervisor config file (/etc/supervisord.d/tower.ini).

See program:x Section Values for more information about startretries.

No default value exists.

web_server_ssl_cert

Optional

/path/to/webserver.cert

Same as automationhub_ssl_cert but for web server UI and API.

web_server_ssl_key

Optional

/path/to/webserver.key

Same as automationhub_ssl_key but for web server UI and API.

A.4. Ansible variables

The following variables control how Ansible Automation Platform interacts with remote hosts.

For more information about variables specific to certain plugins, see the documentation for Ansible.Builtin.

For a list of global configuration options, see Ansible Configuration Settings.

Variable | Description

ansible_connection

The connection plugin used for the task on the target host.

This can be the name of any Ansible connection plugin. SSH protocol types are smart, ssh or paramiko.

Default = smart

ansible_host

The IP address or name of the target host to use instead of inventory_hostname.

ansible_port

The connection port number.

Default: 22 for ssh

ansible_user

The user name to use when connecting to the host.

ansible_password

The password to authenticate to the host.

Never store this variable in plain text.

Always use a vault.

ansible_ssh_private_key_file

Private key file used by SSH. Useful if using multiple keys and you do not want to use an SSH agent.

ansible_ssh_common_args

This setting is always appended to the default command line for sftp, scp, and ssh. Useful to configure a ProxyCommand for a certain host or group.

ansible_sftp_extra_args

This setting is always appended to the default sftp command line.

ansible_scp_extra_args

This setting is always appended to the default scp command line.

ansible_ssh_extra_args

This setting is always appended to the default ssh command line.

ansible_ssh_pipelining

Determines if SSH pipelining is used. This can override the pipelining setting in ansible.cfg. If using SSH key-based authentication, the key must be managed by an SSH agent.

ansible_ssh_executable

Added in version 2.2.

This setting overrides the default behavior to use the system SSH. This can override the ssh_executable setting in ansible.cfg.

ansible_shell_type

The shell type of the target system. Do not use this setting unless you have set the ansible_shell_executable to a non-Bourne (sh) compatible shell. By default commands are formatted using sh-style syntax. Setting this to csh or fish causes commands executed on target systems to follow the syntax of those shells instead.

ansible_shell_executable

This sets the shell that the Ansible controller uses on the target machine, and overrides the executable in ansible.cfg which defaults to /bin/sh.

Do not change this variable unless /bin/sh is not installed on the target machine or cannot be run from sudo.

inventory_hostname

This variable takes the hostname of the machine from the inventory script or the Ansible configuration file.

You cannot set the value of this variable.

Because the value is taken from the configuration file, the actual runtime hostname value can vary from what is returned by this variable.

A.5. Event-Driven Ansible controller variables

Variable | Description

automationedacontroller_admin_password

The admin password used by the Event-Driven Ansible controller instance.

Passwords must be enclosed in quotes when they are provided in plain text in the inventory file.

automationedacontroller_admin_username

Username used by Django to identify and create the admin superuser in Event-Driven Ansible controller.

Default = admin

automationedacontroller_admin_email

Email address used by Django for the admin user for Event-Driven Ansible controller.

Default = admin@example.com

automationedacontroller_allowed_hostnames

List of additional addresses to enable for user access to Event-Driven Ansible controller.

Default = empty list

automationedacontroller_controller_verify_ssl

Boolean flag used to verify automation controller’s web certificates when making calls from Event-Driven Ansible controller. Verified is true; not verified is false.

Default = false

automationedacontroller_disable_https

Boolean flag to disable HTTPS for Event-Driven Ansible controller.

Default = false

automationedacontroller_disable_hsts

Boolean flag to disable HSTS for Event-Driven Ansible controller.

Default = false

automationedacontroller_nginx_tls_files_remote

Boolean flag to specify whether cert sources are on the remote host (true) or local (false).

Default = false

automationedacontroller_user_headers

List of additional nginx headers to add to Event-Driven Ansible controller’s nginx configuration.

Default = empty list

automationedacontroller_gunicorn_workers

Number of workers for the API served through gunicorn.

Default = (# of cores or threads) * 2 + 1

automationedacontroller_pg_database

The Postgres database used by Event-Driven Ansible controller.

Default = automationedacontroller.

automationedacontroller_pg_host

The hostname of the Postgres database used by Event-Driven Ansible controller, which can be an externally managed database.

automationedacontroller_pg_password

The password for the Postgres database used by Event-Driven Ansible controller.

Use of special characters for automationedacontroller_pg_password is limited. The !, #, 0 and @ characters are supported. Use of other special characters can cause the setup to fail.

automationedacontroller_pg_port

The port number of the Postgres database used by Event-Driven Ansible controller.

Default = 5432.

automationedacontroller_pg_username

The username for your Event-Driven Ansible controller Postgres database.

Default = automationedacontroller.

automationedacontroller_rq_workers

Number of Redis Queue (RQ) workers used by Event-Driven Ansible controller. RQ workers are Python processes that run in the background.

Default = 2 * (# of cores or threads) + 1
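Several variables in the tables above decide whether traffic is encrypted, whether certificates are verified, and whether content is reachable without login, and some documented defaults (pg_ssl_mode, automationhub_pg_sslmode, automationedacontroller_controller_verify_ssl) are themselves the permissive choice. The following Python is an added example, not part of the original documentation or the installer: it reads the [all:vars] section of an inventory, fills in the defaults documented on this page, and reports the settings that differ from the values this audit expects. The expected values, the function names, and the sample inventory are assumptions of the example; Boolean values are assumed to be spelled true or false.

```python
import re

# variable: (documented default, value this audit expects, consequence otherwise)
RULES = {
    "automationhub_disable_https": ("false", "false", "hub served without TLS"),
    "automationhub_disable_hsts": ("false", "false", "no HSTS header on hub"),
    "automationhub_enable_unauthenticated_collection_access":
        ("false", "false", "collections visible without login"),
    "automationhub_enable_unauthenticated_collection_download":
        ("false", "false", "collections downloadable without login"),
    "automationhub_require_content_approval":
        ("true", "true", "uploads published without approval"),
    "automationhub_pg_sslmode": ("prefer", "verify-full", "DB certificate not verified"),
    "pg_ssl_mode": ("prefer", "verify-full", "DB certificate not verified"),
    "sso_use_https": ("true", "true", "SSO traffic not encrypted"),
    "sso_ssl_validate_certs": ("true", "true", "SSO certificate not verified"),
    "automationedacontroller_disable_https": ("false", "false", "EDA served without TLS"),
    "automationedacontroller_disable_hsts": ("false", "false", "no HSTS header on EDA"),
    "automationedacontroller_controller_verify_ssl":
        ("false", "true", "controller certificate not verified"),
}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PG_PASSWORD_VARS = ("pg_password", "automationhub_pg_password",
                    "automationedacontroller_pg_password")

# Constructed sample inventory; host names and passwords are made up.
SAMPLE_INVENTORY = """\
[automationcontroller]
controller.example.com

[automationhub]
hub.example.com

[all:vars]
admin_password='Redacted#1'
pg_password='s3cret$value'
pg_ssl_mode=verify-full
automationhub_pg_password='hub!pass@1'
automationhub_disable_hsts=true
automationhub_enable_unauthenticated_collection_download=True
nginx_tls_protocols=TLSv1.1 TLSv1.2
"""


def parse_all_vars(text):
    """Return the key/value pairs of the [all:vars] section, quotes removed."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "all:vars" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip().strip("'\"")
    return found


def audit(text):
    """Return (variable, value, 'set' or 'default', reason) for each finding."""
    given, findings = parse_all_vars(text), []
    for var, (default, expected, why) in RULES.items():
        value = given.get(var, default).lower()
        if value != expected:
            findings.append((var, value, "set" if var in given else "default", why))
    protocols = re.findall(r"(?:TLS|SSL)v\d(?:\.\d)?",
                           given.get("nginx_tls_protocols", "TLSv1.2"))
    for old in sorted(set(protocols) & LEGACY_TLS):
        findings.append(("nginx_tls_protocols", old, "set", "legacy protocol enabled"))
    for var in PG_PASSWORD_VARS:
        # Only !, # and @ are documented as supported special characters.
        bad = sorted({c for c in given.get(var, "") if not c.isalnum() and c not in "!#@"})
        if bad:
            findings.append((var, "".join(bad), "set", "characters may break setup"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("%-58s %-12s %-8s %s" % finding)
```

Findings marked default come from a variable that is absent from the inventory, so they only disappear when the variable is set explicitly.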