Upgrading/Migrating AWX Ansible on CentOS 7

Posted: December 12, 2019 in ansible

Upgrade awx-cli:

pip install ansible-tower-cli --upgrade

awx-cli config verify_ssl False

Backup AWX

Make sure AWX containers are running and you can login to Web GUI

docker ps

Export Credentials, Inventories, Job templates and Workflows

awx-cli receive -u admin -p 'password' -h http://awx-old --credential all > credential.json
awx-cli receive -u admin -p 'password' -h http://awx-old --project all > project.json
awx-cli receive -u admin -p 'password' -h http://awx-old --inventory all > inventory.json
awx-cli receive -u admin -p 'password' -h http://awx-old --job_template all > job_template.json
awx-cli receive -u admin -p 'password' -h http://awx-old --workflow all > workflow.json

Installing new AWX (on new machine)

Install epel-release, the AWX prerequisites, Docker, docker-compose and Ansible

yum install -y epel-release 
yum -y install git gcc gcc-c++ nodejs gettext device-mapper-persistent-data lvm2 bzip2 python-pip
yum-config-manager --addrepo=https://download.docker.com/linux/centos/docker-ce.repo
yum install -y docker-ce
# Enable and start Docker service
systemctl enable --now docker.service
# install docker-compose
pip install docker-compose
# install Ansible (it is a command-line tool, not a daemon: there is no
# ansible service to enable or start)
yum install -y ansible

Installing Ansible AWX 

git clone --depth 50 https://github.com/ansible/awx.git
#  set a custom admin_password for AWX and PostgreSQL in inventory file.
cd awx/installer
sed -i 's|admin_password=.*|admin_password=pass|g' inventory
# Add secret_key in inventory file.
openssl rand -base64 30
lE7TAtB/EGDfZp2vYJWY1jVwn3nDh3H+a0pqhXHZ
sed -i 's|secret_key=.*|secret_key=lE7TAtB/EGDfZp2vYJWY1jVwn3nDh3H+a0pqhXHZ|g' inventory

Customize other directives in the inventory file if needed, for example host_port=9000 and the PostgreSQL data folder, postgres_data_dir = "/data".

Install AWX Ansible

ansible-playbook -i inventory install.yml

# Check that all 5 AWX containers are up and running
docker ps

Allow HTTP/HTTPS service in Linux firewall

firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

In this example, AWX will be available on port 9000

Try Logging in: http://awx-new:9000

Redirecting HTTP traffic to HTTPS

We’ll use nginx as reverse proxy to redirect HTTP traffic on port 9000 to HTTPS.

yum install nginx
systemctl enable nginx

Create self-signed certificate:

cd /etc/awx
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/awx/awx.key -out /etc/awx/awx.crt

Generating a 2048 bit RSA private key
.....................................+++
.........................................................+++
writing new private key to '/etc/awx/awx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SR
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:Zemoon
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:awx-new.test.com
Email Address []:

Edit /etc/nginx/nginx.conf

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # Plain HTTP: redirect every request to HTTPS
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  awx-new.test.com;
        rewrite ^ https://$server_name$request_uri? permanent;
        root         /example;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    # HTTPS: terminate TLS here and proxy to the AWX web container
    server {
        listen 443 ssl http2;
        server_name awx-new.test.com;

        # Browsers only honour HSTS over HTTPS, so the header belongs in this
        # server block, not in the port-80 redirect block
        add_header Strict-Transport-Security max-age=2592000;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Upgrade/Connection headers are needed for the AWX websocket
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass http://192.168.1.2:9000/;
        }

        # "ssl on;" is deprecated; "listen 443 ssl" above already enables TLS
        ssl_certificate /etc/awx/awx.crt;
        ssl_certificate_key /etc/awx/awx.key;
        ssl_session_timeout 5m;
        # TLSv1, TLSv1.1 and the 3DES suites are kept here only for legacy
        # clients; where nothing old needs to connect, allow TLSv1.2 only and
        # drop the *+3DES entries from the cipher list
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5:HIGH:!aNULL;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/awx.access.log;
        error_log /var/log/nginx/awx.error.log;
    }
}

Start nginx (systemctl start nginx) and try accessing AWX https://awx-new.test.com

Restoring AWX

Install awx-cli

pip install ansible-tower-cli --upgrade

awx-cli config verify_ssl False

Manually create the organization: in the Web GUI go to Organizations and click the plus sign.

Create Teams (if you had any on old AWX)

# Restore credentials

awx-cli send -u admin -p 'pass' -h http://awx-new.test.com:9000 credential.json

# Please note that passwords won't be exported; you'll need to enter them
# manually after the usernames are imported (Credentials section in Web GUI)

# restore project

awx-cli send -u admin -p 'pass' -h http://awx-new.test.com:9000 project.json

# restore inventories

awx-cli send -u admin -p 'pass' -h http://awx-new.test.com:9000 inventory.json

# before restoring job templates, remove the lines that contain the string "credential"

sed -i '/\bcredential\b/d' job_template.json

# restore job templates

awx-cli send -u admin -p 'pass' -h http://awx-new.test.com:9000 job_template.json

# restore workflows

awx-cli send -u admin -p 'pass' -h http://awx-new.test.com:9000 workflow.json
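The sed step above deletes every line that mentions "credential", which also removes description lines containing that word and can leave a trailing comma that makes the file invalid JSON. As an added example (not part of the original post or of awx-cli), this Python script removes the credential keys from the exported job templates at the JSON level instead; "credential" is the key the post targets, while "vault_credential" and "credentials" are assumed extra keys to adjust to your own export.

```python
import json

# Keys that reference credentials in an exported job template.
# "credential" is the key the post's sed command targets; "vault_credential"
# and "credentials" are assumed extra credential-bearing keys (adjust them to
# match what your own job_template.json actually contains).
CREDENTIAL_KEYS = {"credential", "vault_credential", "credentials"}


def strip_credential_fields(templates):
    """Return a copy of the job-template list with credential keys removed."""
    return [{k: v for k, v in tpl.items() if k not in CREDENTIAL_KEYS}
            for tpl in templates]


def cleaned_templates(export_text):
    """Parse an awx-cli style export (a JSON list) and strip credential keys."""
    data = json.loads(export_text)
    templates = data if isinstance(data, list) else [data]
    return strip_credential_fields(templates)


def strip_credentials_json(export_text):
    """Same as cleaned_templates, but returns re-serialised, still valid JSON."""
    return json.dumps(cleaned_templates(export_text), indent=2)


# Constructed sample resembling an awx-cli export (not real AWX data).
# The description deliberately contains the word "credential" and the
# "credential" key is last in the object: a line-oriented sed '/credential/d'
# would also delete the description line and leave a trailing comma behind.
SAMPLE_EXPORT = """[
  {
    "name": "Patch web servers",
    "asset_type": "job_template",
    "project": "ops-playbooks",
    "inventory": "prod",
    "playbook": "patch.yml",
    "description": "Attach the deploy credential by hand after import",
    "credential": "ssh-deploy-key"
  }
]"""

if __name__ == "__main__":
    # Typical use: python strip_creds.py < job_template.json > job_template.clean.json
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPORT
    print(strip_credentials_json(text))
```

Feed the cleaned file to awx-cli send in place of job_template.json, then attach the credentials to each template in the Web GUI.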

Active Directory Authentication

The LDAP configuration is not exported, so it has to be set up manually: in the Web portal go to Settings, then Authentication, then LDAP.

LDAP SERVER: default

LDAP SERVER URI: ldap://1.2.3.4:389

LDAP BIND DN: CN=Ansible,OU=ServiceUsers,OU=test,DC=com

LDAP BIND PASSWORD: password

LDAP GROUP TYPE: ActiveDirectoryGroupType

LDAP USER SEARCH: [
 "OU=Users,OU=test,DC=com",
 "SCOPE_SUBTREE",
 "(sAMAccountName=%(user)s)"
]
 
LDAP GROUP SEARCH: [
 "CN=Users,DC=test,DC=com",
 "SCOPE_SUBTREE",
 "(objectClass=group)"
]

LDAP ORGANIZATION MAP: {
 "My Organization": {
  "remove_admins": false,
  "admins": "CN=Ansible, OU=Security,OU=Groups,OU=test,DC=com"
 }
}

 
