Chapter 3. Installing Red Hat Ansible Automation Platform
Ansible Automation Platform is a modular platform: you can deploy automation controller together with other automation platform components, such as automation hub. For more information about the components that Ansible Automation Platform provides, see Red Hat Ansible Automation Platform components in the Red Hat Ansible Automation Platform Planning Guide.
Red Hat Ansible Automation Platform has many supported installation scenarios. To install Red Hat Ansible Automation Platform, you must edit the inventory file parameters to specify your installation scenario, using one of the following examples:
3.1. Editing the Red Hat Ansible Automation Platform installer inventory file
You can use the Red Hat Ansible Automation Platform installer inventory file to specify your installation scenario.
Procedure
- Navigate to the installer:
[RPM installed package]
$ cd /opt/ansible-automation-platform/installer/
[Bundled installer]
$ cd ansible-automation-platform-setup-bundle-<latest-version>
[Online installer]
$ cd ansible-automation-platform-setup-<latest-version>
- Open the inventory file with a text editor.
- Edit the inventory file parameters to specify your installation scenario. Use one of the supported Installation scenario examples to update your inventory file.
Additional resources
For a complete list of the predefined variables used in Ansible installation inventory files, see Inventory file variables.
3.1.1. Inventory file examples based on installation scenarios
Red Hat supports several Ansible Automation Platform installation scenarios. Review the following examples and choose the one that matches your preferred installation scenario.
- Red Hat Ansible Automation Platform or automation hub: add an automation hub host in the [automationhub] group.
- For internal databases: do not use [database] to point to another host in the Ansible Automation Platform cluster. The database host that the installer installs must be a unique host.
- Do not install automation controller and automation hub on the same node for versions of Ansible Automation Platform in a production or customer environment. This can cause contention issues and heavy resource use.
- Provide a reachable IP address or fully qualified domain name (FQDN) for the [automationhub] and [automationcontroller] hosts to ensure that users can sync and install content from automation hub from a different node. Do not use 'localhost'.
- Do not use special characters for pg_password. They can cause the setup to fail.
- Enter your Red Hat Registry Service Account credentials in registry_username and registry_password to link to the Red Hat container registry.
- The inventory file variables registry_username and registry_password are only required if a non-bundle installer is used.
3.1.1.1. Standalone automation controller with internal database
Use this example to populate the inventory file to install Red Hat Ansible Automation Platform. This installation inventory file includes a single automation controller node with an internal database.
[automationcontroller]
controller.acme.org

[all:vars]
admin_password='<password>'

pg_host=''
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key

# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
3.1.1.2. Single automation controller with external (installer managed) database
Use this example to populate the inventory file to install Red Hat Ansible Automation Platform. This installation inventory file includes a single automation controller node with an external database on a separate node.
[automationcontroller]
controller.acme.org

[database]
data.acme.org

[all:vars]
admin_password='<password>'

pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key

# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
3.1.1.3. Single automation controller with external (customer provided) database
Use this example to populate the inventory file to install Red Hat Ansible Automation Platform. This installation inventory file includes a single automation controller node with an external database on a separate node that is not managed by the platform installer.
This example has no host under the database group. This indicates that the database already exists and is being managed elsewhere.
[automationcontroller]
controller.acme.org

[database]

[all:vars]
admin_password='<password>'

pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key

# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
3.1.1.4. Ansible Automation Platform with an external (installer managed) database
Use this example to populate the inventory file to install Ansible Automation Platform. This installation inventory file includes two automation controller nodes, two execution nodes, and automation hub with an externally managed database.
# Automation Controller Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=control implies that the node will only be able to run
# project and inventory updates, but not regular jobs.
# A node_type=hybrid will have the ability to run everything.
# If you do not define the node_type, it defaults to hybrid.
#
# control.example node_type=control
# hybrid.example  node_type=hybrid
# hybrid2.example <- this will default to hybrid
[automationcontroller]
controller1.acme.org node_type=control
controller2.acme.org node_type=control

# Execution Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=hop implies that the node will forward jobs to an execution node.
# A node_type=execution implies that the node will be able to run jobs.
# If you do not define the node_type, it defaults to execution.
#
# hop.example        node_type=hop
# execution.example  node_type=execution
# execution2.example <- this will default to execution
[execution_nodes]
execution1.acme.org node_type=execution
execution2.acme.org node_type=execution

[automationhub]
automationhub.acme.org

[database]
data.acme.org

[all:vars]
admin_password='<password>'

pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Receptor Configuration
#
receptor_listener_port=27199

# Automation Hub Configuration
#
automationhub_admin_password='<password>'

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False

# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key

# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
3.1.1.5. Ansible Automation Platform with an external (customer provided) database
Use this example to populate the inventory file to install Red Hat Ansible Automation Platform. This installation inventory file includes one of each node type (control, hybrid, hop, and execution) and automation hub with an externally managed database that is not managed by the platform installer.
This example has no host under the database group. This indicates that the database already exists and is being managed elsewhere.
# Automation Controller Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=control implies that the node will only be able to run
# project and inventory updates, but not regular jobs.
# A node_type=hybrid will have the ability to run everything.
# If you do not define the node_type, it defaults to hybrid.
#
# control.example node_type=control
# hybrid.example  node_type=hybrid
# hybrid2.example <- this will default to hybrid
[automationcontroller]
hybrid1.acme.org node_type=hybrid
controller1.acme.org node_type=control

# Execution Nodes
# There are two valid node_types that can be assigned for this group.
# A node_type=hop implies that the node will forward jobs to an execution node.
# A node_type=execution implies that the node will be able to run jobs.
# If you do not define the node_type, it defaults to execution.
#
# hop.example        node_type=hop
# execution.example  node_type=execution
# execution2.example <- this will default to execution
[execution_nodes]
hop1.acme.org node_type=hop
execution1.acme.org node_type=execution

[automationhub]
automationhub.acme.org

[database]

[all:vars]
admin_password='<password>'

pg_host='data.acme.org'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<password>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

# Receptor Configuration
#
receptor_listener_port=27199

# Automation Hub Configuration
#
automationhub_admin_password='<password>'

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<password>'
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False

# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key

# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key
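The rules listed in "Inventory file examples based on installation scenarios" and the node_type comments in the two multi-node inventories above can be checked mechanically before setup.sh is run. The following Python script is an added example and is not Red Hat's installer or documentation code. It parses an INI-style inventory with a small purpose-written parser, applies those rules (no localhost, no shared controller/hub node, a dedicated [database] host, valid node_type values, no special characters in pg_password, registry credentials for the non-bundle installer), and additionally flags two TLS settings a reviewer would question: a pg_sslmode other than verify-full, which leaves the PostgreSQL server certificate unverified, and automationhub_disable_https=True. The sample inventory, its host names, and the definition of a "special character" as anything outside [A-Za-z0-9] are constructed assumptions of this example.

```python
"""Pre-flight checks for an Ansible Automation Platform installer inventory.

Added example, not Red Hat's installer or documentation code. It applies the
rules from "Inventory file examples based on installation scenarios" and the
node_type comments of the multi-node examples to an inventory before
setup.sh runs, and flags TLS settings a reviewer would question.
"""
import re
import shlex

# Allowed node_type values per group, as documented in the inventory comments.
VALID_NODE_TYPES = {
    "automationcontroller": {"control", "hybrid"},
    "execution_nodes": {"hop", "execution"},
}
# The page says "no special characters" without defining them; treating
# anything outside [A-Za-z0-9] as special is this example's assumption.
SAFE_PG_PASSWORD = re.compile(r"^[A-Za-z0-9]+$")
PLACEHOLDERS = {"", "<password>", "<PASSWORD>"}

# Constructed sample that deliberately breaks several of the rules.
SAMPLE_INVENTORY = """\
[automationcontroller]
controller.acme.org node_type=control
localhost

[execution_nodes]
execution1.acme.org node_type=worker

[automationhub]
controller.acme.org

[database]
controller.acme.org

[all:vars]
admin_password='<password>'
pg_host='controller.acme.org'
pg_password='p@ss!word'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL
registry_url='registry.redhat.io'
registry_username=''
registry_password=''
"""


def parse_inventory(text):
    """Parse INI-style inventory text into (groups, hostvars, variables).

    groups: group name -> list of hosts; hostvars: host -> {key: value} taken
    from the host line (for example node_type); variables: the *:vars
    sections with surrounding quotes removed. A '#' starts a comment only at
    line start or after whitespace, so quoted passwords containing '#' survive.
    """
    groups, hostvars, variables = {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if not section.endswith(":vars"):
                groups.setdefault(section, [])
        elif section is None:
            continue  # host line before any [group] header: ignore it
        elif section.endswith(":vars"):
            key, _, value = line.partition("=")
            variables[key.strip()] = value.strip().strip("'\"")
        else:
            host, *pairs = shlex.split(line)
            groups[section].append(host)
            hostvars.setdefault(host, {}).update(
                p.split("=", 1) for p in pairs if "=" in p)
    return groups, hostvars, variables


def check_inventory(text, bundled=False):
    """Return a list of findings; an empty list means the inventory passes."""
    groups, hostvars, v = parse_inventory(text)
    findings = []
    controllers = set(groups.get("automationcontroller", []))
    hubs = set(groups.get("automationhub", []))
    dbs = set(groups.get("database", []))
    for host in sorted(controllers | hubs):
        if host in ("localhost", "127.0.0.1", "::1"):
            findings.append(f"{host}: use a reachable IP address or FQDN, not localhost")
    for host in sorted(controllers & hubs):
        findings.append(f"{host}: automation controller and automation hub share a node")
    for host in sorted(dbs & (controllers | hubs)):
        findings.append(f"{host}: the [database] host must not be another cluster host")
    for group, allowed in VALID_NODE_TYPES.items():
        for host in groups.get(group, []):
            node_type = hostvars.get(host, {}).get("node_type")
            if node_type is not None and node_type not in allowed:
                findings.append(f"{host}: node_type={node_type} is not valid in [{group}]")
    password = v.get("pg_password", "")
    if password not in PLACEHOLDERS and not SAFE_PG_PASSWORD.match(password):
        findings.append("pg_password contains special characters; setup can fail")
    if not bundled and not (v.get("registry_username") and v.get("registry_password")):
        findings.append("registry_username/registry_password are required for the non-bundle installer")
    sslmode = v.get("pg_sslmode")
    if sslmode and sslmode != "verify-full":
        findings.append(f"pg_sslmode={sslmode}: the PostgreSQL server certificate is not verified")
    if v.get("automationhub_disable_https", "False").lower() == "true":
        findings.append("automationhub_disable_https=True: automation hub would serve plaintext HTTP")
    return findings
```

Run check_inventory(SAMPLE_INVENTORY) to see the seven findings for the constructed sample; pass bundled=True when you use the bundled installer so that the registry credentials are not required. The parser is intentionally minimal: it handles one key=value pair per host line token and the [group:vars] form used in this chapter, which is all these examples need.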
3.1.1.6. Standalone automation hub with internal database
Use this example to populate the inventory file to deploy a standalone instance of automation hub with an internal database.
[automationcontroller]

[automationhub]
automationhub.acme.org ansible_connection=local

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password=<PASSWORD>

automationhub_pg_host=''
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False

# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
3.1.1.7. Single automation hub with external (installer managed) database
Use this example to populate the inventory file to deploy a single instance of automation hub with an external (installer managed) database.
[automationcontroller]

[automationhub]
automationhub.acme.org

[database]
data.acme.org

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password=<PASSWORD>

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False

# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
3.1.1.8. Single automation hub with external (customer provided) database
Use this example to populate the inventory file to deploy a single instance of automation hub with a database that is not managed by the platform installer.
This example has no host under the database group. This indicates that the database already exists and is being managed elsewhere.
[automationcontroller]

[automationhub]
automationhub.acme.org

[database]

[all:vars]
registry_url='registry.redhat.io'
registry_username='<registry username>'
registry_password='<registry password>'

automationhub_admin_password=<PASSWORD>

automationhub_pg_host='data.acme.org'
automationhub_pg_port='5432'
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password=<PASSWORD>
automationhub_pg_sslmode='prefer'

# The default install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False

# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False

# SSL-related variables

# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt

# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key
3.1.1.9. LDAP configuration on private automation hub
You must set the following six variables in your Red Hat Ansible Automation Platform installer inventory file to configure your private automation hub for LDAP authentication:
- automationhub_authentication_backend
- automationhub_ldap_server_uri
- automationhub_ldap_bind_dn
- automationhub_ldap_bind_password
- automationhub_ldap_user_search_base_dn
- automationhub_ldap_group_search_base_dn
If any of these variables are missing, the Ansible Automation installer will not complete the installation.
3.1.1.9.1. Setting up your inventory file variables
When you configure your private automation hub with LDAP authentication, you must set the proper variables in your inventory file during the installation process.
Procedure
- Access your inventory file according to the procedure in Editing the Red Hat Ansible Automation Platform installer inventory file.
- Use the following example to set up your Ansible Automation Platform inventory file:
automationhub_authentication_backend = "ldap"
automationhub_ldap_server_uri = "ldap://ldap:389"
# for LDAPS use automationhub_ldap_server_uri = "ldaps://ldap-server-fqdn"
automationhub_ldap_bind_dn = "cn=admin,dc=ansible,dc=com"
automationhub_ldap_bind_password = "GoodNewsEveryone"
automationhub_ldap_user_search_base_dn = "ou=people,dc=ansible,dc=com"
automationhub_ldap_group_search_base_dn = "ou=people,dc=ansible,dc=com"
Note: The following variables are set to their default values unless you set them to other options.
auth_ldap_user_search_scope='SUBTREE'
auth_ldap_user_search_filter='(uid=%(user)s)'
auth_ldap_group_search_scope='SUBTREE'
auth_ldap_group_search_filter='(objectClass=Group)'
auth_ldap_group_type_class='django_auth_ldap.config:GroupOfNamesType'
- If you plan to set up additional parameters in your private automation hub (such as user groups, superuser access, mirroring, or others), proceed to the next section.
3.1.1.9.2. Configuring extra LDAP parameters
If you plan to set up superuser access, user groups, mirroring, or other extra parameters, you can create a YAML file that comprises them in your ldap_extra_settings dictionary.
Procedure
- Create a YAML file that contains ldap_extra_settings, such as the following:
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_ATTR_MAP: '{"first_name": "givenName", "last_name": "sn", "email": "mail"}'
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
- Use this example to set the superuser flag (superuser access) based on membership in an LDAP group:
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_FLAGS_BY_GROUP: {"is_superuser": "cn=pah-admins,ou=groups,dc=example,dc=com",}
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
- Use this example to mirror all LDAP groups you belong to:
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_MIRROR_GROUPS: True
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
- Use this example to map LDAP user attributes (such as first name, last name, and email address):
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_USER_ATTR_MAP: {"first_name": "givenName", "last_name": "sn", "email": "mail",}
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
- Use the following examples to grant or deny access based on LDAP group membership.
To grant private automation hub access (for example, to members of the cn=pah-users,ou=groups,dc=example,dc=com group):
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_REQUIRE_GROUP: 'cn=pah-users,ou=groups,dc=example,dc=com'
...
To deny private automation hub access (for example, to members of the cn=pah-nosoupforyou,ou=groups,dc=example,dc=com group):
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_DENY_GROUP: 'cn=pah-nosoupforyou,ou=groups,dc=example,dc=com'
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
- Use this example to enable LDAP debug logging:
#ldapextras.yml
---
ldap_extra_settings:
  GALAXY_LDAP_LOGGING: True
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
Note: If re-running setup.sh is impractical, or you only need debug logging for a short time, you can instead add a line containing GALAXY_LDAP_LOGGING: True manually to the /etc/pulp/settings.py file on your private automation hub. Restart both pulpcore-api.service and nginx.service for the change to take effect. To avoid failures caused by human error, use this method only when necessary.
- Use this example to configure LDAP caching by setting the variable AUTH_LDAP_CACHE_TIMEOUT:
#ldapextras.yml
---
ldap_extra_settings:
  AUTH_LDAP_CACHE_TIMEOUT: 3600
...
Then run setup.sh -e @ldapextras.yml during private automation hub installation.
You can view all of your settings in the /etc/pulp/settings.py file on your private automation hub.
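The six required inventory variables from "LDAP configuration on private automation hub", the LDAPS alternative shown in the inventory example, and the DN-valued keys in ldap_extra_settings can all be reviewed before setup.sh is run. The following Python script is an added example and is not Red Hat's installer or documentation code. It takes the LDAP entries of [all:vars] and the ldap_extra_settings dictionary as already-parsed Python dicts (constructed sample values, with the group search base deliberately missing and one DN deliberately malformed), reports the problems, and renders the ldapextras.yml file that is passed with setup.sh -e @ldapextras.yml. The DN regular expression is a simplified approximation of RFC 4514 syntax and, like the sample values, is an assumption of this example.

```python
"""Review of the LDAP settings for a private automation hub.

Added example, not Red Hat's installer or documentation code. It checks the
six required inventory variables, flags a cleartext ldap:// URI, validates
every DN-valued setting in ldap_extra_settings, and renders the
ldapextras.yml handed to setup.sh -e @ldapextras.yml.
"""
import json
import re

REQUIRED_LDAP_VARS = (
    "automationhub_authentication_backend",
    "automationhub_ldap_server_uri",
    "automationhub_ldap_bind_dn",
    "automationhub_ldap_bind_password",
    "automationhub_ldap_user_search_base_dn",
    "automationhub_ldap_group_search_base_dn",
)
INVENTORY_DN_VARS = (
    "automationhub_ldap_bind_dn",
    "automationhub_ldap_user_search_base_dn",
    "automationhub_ldap_group_search_base_dn",
)
# Settings from this section whose value, or whose mapping values, are group DNs.
DN_SETTINGS = ("AUTH_LDAP_REQUIRE_GROUP", "AUTH_LDAP_DENY_GROUP")
DN_MAP_SETTINGS = ("AUTH_LDAP_USER_FLAGS_BY_GROUP",)
# Simplified RFC 4514 shape (attr=value pairs separated by commas); this is an
# assumption of the example, not a full DN grammar.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

# Constructed sample of the LDAP entries from [all:vars]: the group search
# base is deliberately missing and the URI is deliberately plain ldap://.
INVENTORY_LDAP_VARS = {
    "automationhub_authentication_backend": "ldap",
    "automationhub_ldap_server_uri": "ldap://ldap.example.com:389",
    "automationhub_ldap_bind_dn": "cn=admin,dc=example,dc=com",
    "automationhub_ldap_bind_password": "GoodNewsEveryone",
    "automationhub_ldap_user_search_base_dn": "ou=people,dc=example,dc=com",
}
# Constructed sample ldap_extra_settings; AUTH_LDAP_DENY_GROUP is not a DN.
LDAP_EXTRA_SETTINGS = {
    "AUTH_LDAP_USER_FLAGS_BY_GROUP": {"is_superuser": "cn=pah-admins,ou=groups,dc=example,dc=com"},
    "AUTH_LDAP_REQUIRE_GROUP": "cn=pah-users,ou=groups,dc=example,dc=com",
    "AUTH_LDAP_DENY_GROUP": "pah-nosoupforyou",
    "AUTH_LDAP_MIRROR_GROUPS": True,
    "AUTH_LDAP_CACHE_TIMEOUT": 3600,
    "GALAXY_LDAP_LOGGING": True,
}


def review_inventory_ldap_vars(variables):
    """Findings for the inventory LDAP variables; an empty list means they pass."""
    findings = [f"{name} is missing; the installer will not complete"
                for name in REQUIRED_LDAP_VARS if not variables.get(name)]
    if variables.get("automationhub_ldap_server_uri", "").startswith("ldap://"):
        findings.append("automationhub_ldap_server_uri uses ldap://: without STARTTLS the "
                        "simple bind sends the bind password in cleartext; prefer ldaps://")
    for name in INVENTORY_DN_VARS:
        value = variables.get(name)
        if value and not DN_RE.match(value):
            findings.append(f"{name}={value!r} is not a valid DN")
    return findings


def review_ldap_extra_settings(settings):
    """Findings for the ldap_extra_settings dictionary."""
    findings = []
    for key in DN_SETTINGS:
        if key in settings and not DN_RE.match(settings[key]):
            findings.append(f"{key}={settings[key]!r} is not a valid DN")
    for key in DN_MAP_SETTINGS:
        for flag, dn in settings.get(key, {}).items():
            if not DN_RE.match(dn):
                findings.append(f"{key}[{flag}]={dn!r} is not a valid DN")
    timeout = settings.get("AUTH_LDAP_CACHE_TIMEOUT")
    if timeout is not None and (isinstance(timeout, bool)
                                or not isinstance(timeout, int) or timeout < 0):
        findings.append("AUTH_LDAP_CACHE_TIMEOUT must be a non-negative number of seconds")
    if settings.get("GALAXY_LDAP_LOGGING"):
        findings.append("GALAXY_LDAP_LOGGING is on: keep debug logging enabled only while troubleshooting")
    return findings


def render_ldapextras(settings):
    """Render the ldapextras.yml text in the layout this section uses.

    Values go through json.dumps because JSON scalars and flow mappings are
    valid YAML; the examples above use the same flow-mapping form.
    """
    lines = ["#ldapextras.yml", "---", "ldap_extra_settings:"]
    lines += [f"  {key}: {json.dumps(value)}" for key, value in settings.items()]
    lines.append("...")
    return "\n".join(lines) + "\n"
```

Call review_inventory_ldap_vars and review_ldap_extra_settings on the two dicts to list the problems, and render_ldapextras to produce the file once the findings are resolved. Booleans render as YAML true/false rather than the Python-style True used in the examples above; both spellings are accepted by YAML parsers.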