RH Ansible Automation Platform (AAP) RPM Upgrade to AAP 2.5 from 2.4

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/23/2025 at 04:52 PM

 

Category:
RH AAP
Install - VM

Notes:
- These notes are intended for RH AAP upgrades from AAP 2.4.x to AAP 2.5. This is a working document of our current 2.4 to 2.5 upgrades, and likely does not cover all issues that will arise. Make sure you have good cold snapshots and backups.
- - Previous 2.x AAP upgrades have additional requirements before upgrading to version 2.5. Therefore, upgrade to the latest AAP 2.4 before upgrading to AAP 2.5.
- AAP 2.5 includes the addition of a gateway node. The AAP Gateway VM is a new component.
- - Verify you have your LDAP set-up information for use with the new AAP Gateway VM.
- If AAP installation uses an embedded database, AAP 2.5 does not support it. Before the upgrade, the embedded database must be migrated to a separate PostgreSQL server/database.
- Verify you have your new certificates if updating certificates / extending expiration dates. The AAP EDA VM will need to be recreated -- it cannot be upgraded.
- For the FQDNs of the VMs, do not use _ or -, and do not use localhost.
- In the inventory file, the pg_password only supports a subset of special characters: !, #, 0, and @ are allowed.
- In the inventory file, the registry_username and registry_password are required if using the non bundle installer.
- If not using the bundled installer (local file), make sure the system is registered (subscription-manager register --username <useridname> or subscription-manager register --org <orgid> --activationkey <orgactkey>). (Note that subscription-manager attach --auto and --pool are obsolete and no longer used.) Make sure the OS updates are all up-to-date/patched before performing the upgrade, so only one thing is happening - the AAP install/upgrade. Likewise, after conversion to SCA (Simple Content Access) subscriptions, use subscription-manager identity instead of subscription-manager status.

In this scenario, this is our AAP environment:
The RHEL 9.x AAP Gateway is: aapgw.mindwatering.net (10.5.35.150)
The RHEL 9.x AAP Controller is aap.mindwatering.net (10.5.35.153)
The RHEL 9.x AAP Hub is aaphub.mindwatering.net (10.5.35.156)
The RHEL 9.x AAP EDA is aapeda.mindwatering.net (10.5.35.158)
The RHEL 9.x PostgreSQL server is aapdb.mindwatering.net (10.5.35.155)


---


Overview:
Parts A - D are all preparations for the migration to AAP 2.5.
Part E begins the AAP 2.5 upgrade. This part E commits us to performing the rest of the upgrade.

A. Confirm the controller still has the existing AAP 2.4 inventory file and the extracted 2.4.x setup bundle (offline) last used with the current 2.4 environment.

B. Perform setup.sh -b backup, and VM cold snapshots.

C. If applicable, migrate the embedded database to a separate PostgreSQL server/database.

D. Remove the existing AAP 2.4 EDA server.

E. Upgrade the external PostgreSQL 13 to PostgreSQL 15.

F. Create the new AAP 2.5 Gateway VM, and EDA, if applicable.

G. Download AAP 2.5 installation (offline) setup bundle and prepare for upgrade.

H. Run the AAP 2.5 installation to upgrade AAP 2.4 to 2.5.

I. Perform Post Upgrade Tasks and Validation

Other:
- Additional Notes
- Enterprise Cluster Installation Example with Example Inventory
- Additional Cluster Notes
- Red Hat Sample Enterprise Inventory File
- AAP 2.4 to 2.5 Issues


Embedded Database WARNING:
- If running a non clustered AAP installation with an embedded database, the existing AAP 2.4 environment has to have the database "un" embedded.
- Pre-AAP 2.1, RH Enterprise Linux and the AAP Controller upgrades require back-up of the AAP controller data, and then restoration of it.

Automation Controller Upgrade WARNING:
- Credentials or the subscription manifest are required on the license page after performing the upgrade.
- Pre-AAP 2.1, RH Enterprise Linux and the AAP Controller upgrades require back-up of the AAP controller data, and then restoration of it.

Automation Hub Upgrade WARNING:
- If you generate a new token instead of adding an existing token, this will invalidate any existing tokens with the hub.

Event-Driven Ansible WARNING:
- Upgrading from Event-Driven Ansible 2.4 is not supported. If using in production, contact Red Hat support before you upgrade.
- The AAP 2.4 EDA will be removed, its database dropped (if external), and a new AAP 2.5 EDA has to be created.

Gateway WARNING:
- When using the gateway behind a reverse proxy/load balancer, connections will likely fail with error: Error connecting to Controller API.
- - On the controller VM, update the settings.py file and add the CSRF_TRUSTED_ORIGINS setting specifying the proxy/load balancer FQDN, and restart the VM.



Prerequisites:
A. Confirm the controller still has the existing AAP 2.4 inventory file and the extracted 2.4.x setup bundle (offline) last used with the current 2.4 environment.

1. On the primary AAP Controller node, backup the current environment.
In this case, the location is: /users/myadminid/aapinstall/ansible-automation-platform-setup-bundle-2.4-1-x86_64/
a. Navigate to the last install location still containing the extracted installation folder with the inventory file and the apitoken.
$ ssh myadminid@aap.mindwatering.net
$ sudo su -
# cd /users/myadminid/aapinstall/ansible-automation-platform-setup-bundle-2.4-1-x86_64/
# ls
<confirm installation and inventory files still located in install folder. Confirm the apitoken.>


2. Verify Current VMs Still Meeting New 2.5 Version Requirements:
Notes:
- The best time to increase memory or number of CPUs is after the cold snapshots are taken during backups.
- The exception is disk; in general, we cannot extend the size of a VM's disk and expand the OS while snapshots are there. Confirm "last night's backup is good", and perform the disk expansion before the snapshots.
- Note increases for each VM, and perform it during the snapshot section below.

General:
Memory, vCPU, and Disk I/O recommendation:
- RAM: 16 GB
- vCPU: 4
- Disk IOPS: 3000

RedHat recommends that if vCPU or Memory is inadequate, use increments of 2x when increasing either one.
(e.g. 16 GB RAM becomes 32, or 4 vCPU becomes 8.)

Platform Gateway:
- Disk: 60 GB

Controller:
- RedHat recommends 1 GB memory/10 forks, and an additional 2 GB reservation for the AAP controller software. Increase memory using 2x rule above, if needed.
- Disk: 80 GB minimum, with 20 GB minimum in /var/lib/awx/
- Forks:
- - The forks parameters are in the job template or the system ansible.cfg. Red Hat's example is that 400 forks require 42 GB of VM memory for the Controller software and the forks. Add this to the 2-8 GB or so of overhead for RHEL.

Execution Nodes:
- Disk: 60 GB

Hub:
- Disk: 60 GB minimum, with 40 GB minimum in /var/lib/pulp/

Database:
- Disk: 140 GB, with 100 GB minimum in /var/lib/pgsql/

EDA:
- Disk: 60 GB

IMPORTANT:
If you have any new VMs replacing old ones (e.g. the EDA), make sure you have the OS pre-requisites completed.

AAP requires the OS umask be set to 0022. If it is not set, the AAP controller setup.sh will fail.

Note: Although this is the default for most Linux environments for normal users, we will explicitly set it.
- To change for all users, create the following new file with umask 022:
$ sudo vi /etc/profile.d/set-umask-for-all-users.sh
- To adjust just the "current" user
$ vi ~/.bashrc
<a, to append>
umask 022
<esc>:wq, to save and close



Perform Backups:
B. Perform setup.sh -b backup, and VM cold snapshots.
1. Initiate AAP backup:
# mkdir /users/myadminid/aapinstall/aap2.4-1backup/
# ./setup.sh -e 'backup_dest=/users/myadminid/aapinstall/aap2.4-1backup/' -b
# exit

Note:
The files created:
- /users/myadminid/aapinstall/aap2.4-1backup/automation-platform-backup-yyyy-mm-dd-hh:mm:ss.tar.gz and automation-platform-backup-latest.tar.gz
- Copy the file via SCP/SSH for offline storage. Leave on the controller for use with the embedded database restoration.

2. If running VMs, perform COLD snapshots.
- Shutdown the AAP VMs:
Important:
- If running an external database already, shutdown the database VM(s) last. And start the database VM(s) first.
- The most opportune time to increase the number of CPUs, the memory, and extend the disks is while the OS is shut down.
- We use hosts with dual socket CPUs; therefore, we add CPU cores in even increments, and we open the CPU advanced twistie and set the CPUs/socket to 2.

vSphere --> cluster --> select each VM
--> click Actions --> Power --> Shut Down Guest OS

- Take cold snapshots:
--> click Actions --> Snapshots --> click Take Snapshot ... --> In the Description field, enter AAP upgrade, click CREATE

- Repeat on next VMs.

- Start-up VMs:
--> click Actions --> Power --> Power On



Restore/Migrate Embedded database to External Database:
C. If applicable, restore the backup to migrate the embedded database to the new separate PostgreSQL server/database.

Notes:
- If the current environment already has an external database, this step is skipped.
- The database restore occurs from the controller, this requires the AAP environment to be up-and-running.
- The gateway VMs are not yet included for AAP 2.4, so there is no pg_host variable for them yet.

1. We need to backup and restore the database. The backup has already been performed with the ./setup.sh -b command above.
Our environment uses an embedded database. We know we have an embedded database because our inventory file either does not have the [database] entry, or has an empty database host underneath.
[database]
pg_host=''

Deploy a new VM called aapdb.mindwatering.net to be our PostgreSQL server. Our new and updated entries are:
[database]
pg_host='aapdb.mindwatering.net'
...
automationhub_pg_host='aapdb.mindwatering.net'
...
automationedacontroller_pg_host = 'aapdb.mindwatering.net'

Note:
Be sure to update the pg_host variants, as the hub and the future EDA will all use aapdb.mindwatering.net now instead of their individual embedded databases.

2. Create a new PostgreSQL VM:
vSphere --> cluster --> New Virtual Machine
- RHEL 9, Rocky 9, or Ubuntu 24.04 (64-bit)
- Minimal Server
- Add SSH
- Add PostgreSQL 13

Important:
- PostgreSQL 13.x is required for AAP 2.4
- PostgreSQL 15.x is required for AAP 2.5
- To be more conservative, install PostgreSQL 13.x now, and wait to upgrade to PostgreSQL 15.x until the point AAP is upgraded.

If RHEL/Rocky, use the following commands to install the PostgreSQL 13 database server:
$ sudo dnf install postgresql13 postgresql13-server

Initialize db:
$ sudo /usr/pgsql-13/bin/postgresql-13-setup initdb

Enable and verify the service:
$ sudo systemctl enable --now postgresql-13
$ systemctl status postgresql-13

Set the PostgreSQL admin user password:
$ sudo su - postgres
$ psql -c "ALTER USER postgres WITH PASSWORD 'postgresUSERStrongPwd'"

Still as the postgres user, create the awx user and empty awx database:
$ psql -c "CREATE USER awx WITH ENCRYPTED PASSWORD 'awxpassword'"
$ psql -c "CREATE DATABASE awx OWNER awx"

Exit postgres user:
$ exit

Enable remote connections:
Update the listen_addresses line to either the IP address or '*' for all interfaces. Update the IP subnet to your environment.
$ sudo vi /var/lib/pgsql/13/data/postgresql.conf
...
listen_addresses = '10.5.35.155'
...
<esc>:wq (to save, and close)

$ sudo vi /var/lib/pgsql/13/data/pg_hba.conf
...
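# TYPE DATABASE USER ADDRESS METHOD (a METHOD is required; md5 also accepts SCRAM-stored passwords)
host all all 10.5.35.0/24 md5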
...
<esc>:wq (to save, and close)

Restart the db service:
$ sudo systemctl restart postgresql-13


3. Update the inventory updating the database entry.
$ sudo vi inventory

[automationcontroller]
aap.mindwatering.net

[automationhub]
aaphub.mindwatering.net

[automationedacontroller]
aapeda.mindwatering.net

[database]
aapdb.mindwatering.net

[all:vars]
admin_password='guiadminpassword'
pg_host='aapdb.mindwatering.net'
pg_port=5432
pg_database='awx'
pg_username='awx'
pg_password='<awxpassword>'

registry_url='registry.redhat.io'
registry_username='reguserid'
registry_password='regpassword'

automationcontroller_main_url= 'https://aap.mindwatering.net'
automationhub_main_url= 'https://aaphub.mindwatering.net'

automationhub_pg_host='aapdb.mindwatering.net'
automationhub_pg_port=5432
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='HubReallyAmazingPassword'
automationhub_pg_sslmode = 'prefer'

automationhub_authentication_backend = "ldap"
automationhub_ldap_server_uri = "ldaps://ldapserverint.mindwatering.net"
automationhub_ldap_bind_dn = "cn=myldapadmin, dc=mindwatering, dc=net"
automationhub_ldap_bind_password = "MyBetterThanGoodPassword"
automationhub_ldap_user_search_base_dn = "ou=people, dc=mindwatering, dc=net"
automationhub_ldap_group_search_base_dn = "ou=aapgroup, dc=mindwatering, dc=net"

automationedacontroller_admin_password='EDAUIReallyAmazingPassword'

automationedacontroller_pg_host = 'aapdb.mindwatering.net'
automationedacontroller_pg_port=5432
automationedacontroller_pg_database ='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='EDAReallyAmazingPassword'
automationedacontroller_pg_sslmode='prefer'
...

# if the server has a non generic name, it can be left out, if there is only one name and it is specified under the [automationedacontroller] heading, it can be left out
# automationedacontroller_allowed_hostnames = 'aapeda.mindwatering.net'
...
<esc>:wq to save and close

4. After the modifications of the inventory are complete, re-run the setup.sh installer from the extracted 2.4 bundle folder to restore the database.
$ sudo su -
# cd /users/myadminid/aapinstall/ansible-automation-platform-setup-bundle-2.4-1-x86_64/
# ./setup.sh -e 'restore_backup_file=/users/myadminid/aapinstall/aap2.4-1backup/automation-platform-backup-latest.tar.gz' -r
# exit

5. Verify login works for the controllers:
https://aap.mindwatering.net



Delete EDA Server or Remove Existing 2.4 Version and Re-use VM:
D. Remove the existing AAP 2.4 EDA server.

Perform one of the two options:
- Remove the VM (after running setup.sh installer) and create a new EDA VM.
or
- Keep the VM but remove the current AAP EDA software from it. We chose to perform the latter, and it seems to have worked for us.

1. We are going to keep the current VM:
a. Login to the AAP EDA server:
$ ssh myadminid@aapeda.mindwatering.net
<enter password>
$ sudo su -
<enter password>

b. Stop the services and remove the packages:
# systemctl stop automation-eda-controller nginx.service

Verify what was installed for EDA and get repository ID of the EDA repo ID/name:
# dnf list installed | grep automation-eda-controller
<review report and note the repository ID>

Remove the packages using the repo ID:
# rpm -e --noscripts $(repoquery --repoid=<eda_repository_id> --installed)

Remove the config files or move them to another location (e.g. /users/myadminid/):
# rm -rf /var/lib/ansible-automation-platform/
# rm -rf /etc/ansible-automation-platform

Reboot EDA VM:
# reboot

2. On the AAP (primary) controller, edit the inventory and remove or comment out the EDA section.
Notes:
- Save a copy so the EDA entries can be re-used with the 2.5 version upgrade.
- The parts to remove are the [automationedacontroller] group with its host and all of the automationedacontroller_* variables below.

$ sudo cp inventory inventory_backup_yyyy-mm-dd
$ sudo vi inventory

[automationcontroller]
aap.mindwatering.net

[automationhub]
aaphub.mindwatering.net

[automationedacontroller]
aapeda.mindwatering.net

[database]
aapdb.mindwatering.net

[all:vars]
admin_password='guiadminpassword'
pg_host='aapdb.mindwatering.net'
pg_port=5432
pg_database='awx'
pg_username='awx'
pg_password='<awxpassword>'

registry_url='registry.redhat.io'
registry_username='reguserid'
registry_password='regpassword'

automationcontroller_main_url= 'https://aap.mindwatering.net'
automationhub_main_url= 'https://aaphub.mindwatering.net'

automationhub_pg_host='aapdb.mindwatering.net'
automationhub_pg_port=5432
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='HubReallyAmazingPassword'
automationhub_pg_sslmode = 'prefer'

automationhub_authentication_backend = "ldap"
automationhub_ldap_server_uri = "ldaps://ldapserverint.mindwatering.net"
automationhub_ldap_bind_dn = "cn=myldapadmin, dc=mindwatering, dc=net"
automationhub_ldap_bind_password = "MyBetterThanGoodPassword"
automationhub_ldap_user_search_base_dn = "ou=people, dc=mindwatering, dc=net"
automationhub_ldap_group_search_base_dn = "ou=aapgroup, dc=mindwatering, dc=net"

automationedacontroller_admin_password='EDAUIReallyAmazingPassword'

automationedacontroller_pg_host = 'aapeda.mindwatering.net'
automationedacontroller_pg_port=5432
automationedacontroller_pg_database ='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='EDAReallyAmazingPassword'
automationedacontroller_pg_sslmode='prefer'
...

3. Re-run the setup to remove the EDA server from the AAP nodes.
$ sudo su -
# cd /users/myadminid/aapinstall/ansible-automation-platform-setup-bundle-2.4-1-x86_64/
# ./setup.sh
# exit

4. Manually drop the EDA database on the PostgreSQL server.
$ ssh myadminid@aapdb.mindwatering.net
<enter pwd>
$ sudo su - postgres

Enter either of the following to drop the EDA db:
$ psql -c "DROP DATABASE automationedacontroller"
- or -
$ psql
> DROP DATABASE automationedacontroller;
> \q



Upgrade an External PostgreSQL Database:
E. Upgrade the external PostgreSQL 13 to PostgreSQL 15.

Notes:
- Assuming you are using an external database, the PostgreSQL database must be upgraded to PostgreSQL 15.x. On RHEL 9, this upgrade became available May 5, 2024, with RHEL 9.2.
- The automation hub database still needs the hstore extension.
- AAP 2.5 requires the ICU support which PostgreSQL-15 delivers. The AAP 2.5 setup.sh installation should attempt to add the locale entries using it.

1. If not already completed above, remove/drop the EDA database:
a. SSH into the DB VM and switch to the postgres user:
$ ssh myadminid@aapdb.mindwatering.net
$ sudo su -
<enter pwd>
# su - postgres

b. Drop the EDA database:
$ dropdb "automationedacontroller"
<verify output>
or
$ psql -c "DROP DATABASE automationedacontroller"

Note:
If the database is still in use, restart the PostgreSQL service and perform the drop again.

2. Perform full data dump (export) and stop the db server:
$ cd ~/
$ pg_dumpall > aap2.4backupall_yyyymmdd.sql
or
$ pg_dumpall -h aapdb.mindwatering.net -p 5432 -U postgres > aap2.4backupall_yyyymmdd.sql
<wait>
$ pg_ctl stop
<wait>
$ exit

3. Disable and uninstall the current version:
# systemctl disable --now postgresql-13
or
# systemctl disable --now postgresql-14

# dnf remove postgresql-server postgresql-contrib postgresql-devel
or
# dnf remove postgresql13-server postgresql13-contrib postgresql13-devel
<wait>

# dnf autoremove
<wait>

Note:
- This will not remove the /var/lib/pgsql/data folder. In our case, we like keeping it, just-in-case.
- If you have restricted DNF update/upgrade commands to exclude PostgreSQL in your dnf config, update the conf restriction line for version 15 instead of 13.

Ensure all updates applied:
# dnf upgrade
<wait>
<continue updates until dnf reports Nothing to do.>

4a. If self-managing (creating the Postgres DB w/o using the setup.sh installer), install the new version, otherwise skip this step:
# dnf install postgresql15-server postgresql15-devel postgresql15-contrib
<wait until complete>

Enable, confirm service enabled:
# systemctl enable postgresql-15

To be safe, we are enabling hstore:
# su - postgres
$ cd ~/
$ psql
> CREATE EXTENSION hstore;
> \q
$ exit

4b. If not self-managing (creating), disable the subscription-manager if enabled so the 2.5 bundle installer will install it via bundle.
# dnf list postgres*
<should be nothing because we uninstalled above>
# dnf clean all
# dnf makecache

5. If self-managing, restore the databases:
# su - postgres
$ cd ~/
$ psql -X -f aap2.4backupall_yyyymmdd.sql
$ exit

6. Confirm the db service is running:
# systemctl status postgresql-15
or
# systemctl status postgresql.service



Create VMs for the New AAP 2.5 Components:
F. Create the new AAP 2.5 Gateway VM, and EDA, if applicable.

1. Create the new AAP Gateway VM:
a. Deploy a RHEL 9 VM, 16 GB RAM, 4 CPU, 60 GB (/ drive)
- vSphere --> Datacenter --> Cluster --> Deploy from template --> Next
- Name: AAPGW
- Deploy.

2. Create the AAP EDA VM:
Note: SKIP IF EDA SOFTWARE WAS REMOVED AND EXISTING VM TO BE REUSED

a. Deploy a RHEL 9 VM, 16 GB RAM, 4 CPU, 60 GB (/ drive)
- vSphere --> Datacenter --> Cluster --> Deploy from template --> Next
- Name: AAPEDA
- Template: Choose RHEL9 60 GB template
- Deploy.

b. Add an extra disk for the /var/awx path, via Edit Settings --> Add New Device --> Disk (e.g. 60 GB)
- $ ssh myadminid@aapeda.mindwatering.net
<enter pwd>
- - Make awx folder:
- - - $ sudo mkdir /var/awx/
- - Confirm the device id:
- - - $ sudo lsblk
<view output and confirm entry /dev/sdb 40 GB>
- - Partition the new disk:
- - - $ sudo fdisk /dev/sdb
- - - - Command: n -> p 1 -> nnnn - nnnnnnnnnn <enter>
- - - - Command: w
- - Format the new partition:
- - - $ sudo mkfs.xfs -f /dev/sdb1
- - Test the /dev/sdb1 partition:
- - - $ sudo mount /dev/sdb1 /var/awx/
- - - $ sudo lsblk
<verify drive mapped: sdb1 ... part /var/awx >
- - - $ sudo systemctl daemon-reload
- - - $ sudo lsblk
<verify drive mapped: sdb1 ... part /var/awx >
- - Get the UUID of the partition for /etc/fstab for the permanent mapping:
- - - $ sudo blkid /dev/sdb1
<view output - /dev/sdb1: UUID="12345abc-...12a" TYPE="xfs" PARTUUID="a12b12cd-01" >
- - Map the new disk via fstab as /var/awx using either the UUID or the dev mapping (both entries are listed below, just use one of the lines)
- - - $ sudo vi /etc/fstab
. . .
UUID=12345abc-...12a /var/awx xfs defaults 0 0
/dev/sdb1 /var/awx xfs defaults 0 0
. . .
<esc>:wq (to save)

c. We'll perform the UMASK and other checks for the new VMs further below.

3. Update /etc/hosts on all VMs if AAP hostnames are not in DNS or if the traffic defaults to IPv6.
e.g.
# vi /etc/hosts
...
10.5.35.150 aapgw.mindwatering.net
10.5.35.151 aap.mindwatering.net
10.5.35.153 aaphub.mindwatering.net
10.5.35.158 aapeda.mindwatering.net
10.5.35.155 aapdb.mindwatering.net
...
<esc>:wq (to save)



Prepare for AAP 2.5 Upgrade:
G. Download AAP 2.5 installation (offline) setup bundle and prepare for upgrade.

1. Download the newest AAP 2.5 RPM bundle file. The bundle file is used for cases w/o internet access, but we've had issues using the normal installer that installs the dependencies from online repos.
a. Go to the Red Hat Ansible Automation Platform download page.
(e.g. access.redhat.com/downloads/content/480/ver=2.5/rhel---9/2.5/x86_64/product-software )
Product software (tab) --> click Download Now next to the Ansible Automation Platform <latest-version-number> Setup Bundle

Note:
At the time of this writing, the latest installation is:
ansible-automation-platform-setup-bundle-2.5-12-x86_64.tar.gz

b. Copy to the AAP Controller node the installation ansible-automation-platform-setup-bundle-<latest-version-number>.tar.gz file:
- Using Filezilla or SCP, copy the install program to the /users/myadminid/aapinstall/ folder

2. Back in the primary AAP Controller, extract the tar file:
# tar xvzf ansible-automation-platform-setup-bundle-<latest-version-number>.tar.gz
<wait for extract>

Note:
This will create a folder with the version number: e.g. ansible-automation-platform-setup-bundle-2.5-12-x86_64 in the /users/myadminid/aapinstall/ folder. We'll change to this folder to copy the inventory file, then update the inventory file, and finally run the upgrade.

3. Enable the RHEL 9 x86-64 repo. For us, this seems to be necessary even with using the bundle download:
# dnf install --enablerepo=ansible-automation-platform-2.5-for-rhel-9-x86_64-rpms ansible-automation-platform-installer

4. Backup the inventory file extracted from the tar file, and then copy the previous inventory file and api-token for reuse:
# cd /users/myadminid/aapinstall/ansible-automation-platform-setup-bundle-2.5-12-x86_64/
# mv inventory inventory_backup
# cp ../ansible-automation-platform-setup-bundle-2.4-1-x86_64/inventory ./

5. Copy the previous Hub token file for re-use:
# cp ../ansible-automation-platform-setup-bundle-2.4-1-x86_64/apitoken ./

6. Update the inventory file.
Miscellaneous Notes:
- The use of localhost for any [automationhub] or [automationcontroller] sections of the file is not allowed.
- Add node_state=deprovision to the end of the node line to deprovision only isolated nodes, not execution nodes.
e.g. hostname.domain ansible_host=192.168.111.115 node_type=hybrid node_state=deprovision
- pg_password can only contain the special characters: !, #, 0, and @. The admin username cannot be changed.
- If you didn't reuse the existing/previous inventory file, reuse the existing token like: automationhub_api_token=<api_token>
- The following example inventory file uses an embedded (non-external) database. With an embedded database, the host under the [database] heading is left out, the pg_host is an empty string (e.g. pg_host='') and the port 5432 is still populated (e.g. pg_port=5432).
- The following example shows the registry_url, and the registry_username, and its registry_password completed for a machine on a RedHat subscription. If this upgrade is being performed outside of using subscription manager (e.g. with a local repo), then the URL, username, and password fields can be left empty strings. The repo will have to have the AAP available, and the setup.sh script will auto disable the AAP repo afterwards.
- The following is the 2.4 inventory file with the [automationgateway] additions.

a. We start with the following updated inventory file:
# vi inventory

[automationgateway]
aapgw.mindwatering.net

[automationcontroller]
aap.mindwatering.net

[automationhub]
aaphub.mindwatering.net

[automationedacontroller]
aapeda.mindwatering.net

[database]
aapdb.mindwatering.net

[all:vars]
admin_password='guiadminpassword'
ansible_become = true
ansible_user= ansibleuser
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_private_key_file=/users/ansibleuser/.ssh/id_rsa
pg_host='aapdb.mindwatering.net'
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password='<awxpassword>'

registry_url='registry.redhat.io'
registry_username='reguserid'
registry_password='regpassword'

automationcontroller_main_url= 'https://aap.mindwatering.net'
automationhub_main_url= 'https://aaphub.mindwatering.net'

automationhub_pg_host='aapdb.mindwatering.net'
automationhub_pg_port=5432
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='HubReallyAmazingPassword'
automationhub_pg_sslmode = 'prefer'

automationhub_authentication_backend = "ldap"
automationhub_ldap_server_uri = "ldaps://ldapserverint.mindwatering.net"
automationhub_ldap_bind_dn = "cn=myldapadmin, dc=mindwatering, dc=net"
automationhub_ldap_bind_password = "MyBetterThanGoodPassword"
automationhub_ldap_user_search_base_dn = "ou=people, dc=mindwatering, dc=net"
automationhub_ldap_group_search_base_dn = "ou=aapgroup, dc=mindwatering, dc=net"
automationhub_api_token=<api_token>

automationgateway_admin_password='GWUIReallyAmazingPassword'
automationgateway_pg_host='aapdb.mindwatering.net'
automationgateway_pg_port=5432
automationgateway_pg_database='automationgateway'
automationgateway_pg_username='automationgateway'
automationgateway_pg_password='GWReallyAmazingPassword'
automationgateway_pg_sslmode='prefer'
automationgateway_main_url = 'https://aapgw.mindwatering.net'

automationedacontroller_admin_password='EDAUIReallyAmazingPassword'
automationedacontroller_pg_host = 'aapdb.mindwatering.net'
automationedacontroller_pg_port=5432
automationedacontroller_pg_database ='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='EDAReallyAmazingPassword'
automationedacontroller_pg_sslmode='prefer'
...

# if there is only one name and it is specified under the [automationedacontroller] heading above, entering the same name again is not necessary
# automationedacontroller_allowed_hostnames = 'aapeda.mindwatering.net'
...
<esc>:wq to save and close

b. Next, we can edit the inventory again to add any external certificates so self-signed ones are not created and used.
- In our case the existing certificates are still valid, but since the EDA is replaced, and the Gateway is new, we have set-up those certs.
- - We create the certificates and transfer them to the primary controller into the folder /users/myadminid/tlscerts/. We update the inventory and add the cert lines under their respective sections.
# vi inventory
...
automationgateway_main_url = 'https://aapgw.mindwatering.net'
automationgateway_ssl_cert=/users/myadminid/tlscerts/automationgateway.cert
automationgateway_ssl_key=/users/myadminid/tlscerts/automationgateway.key
...
automationedacontroller_pg_sslmode='prefer'
automationedacontroller_ssl_cert=/users/myadminid/tlscerts/automationeda.crt
automationedacontroller_ssl_key=/users/myadminid/tlscerts/automationeda.key
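
An added example (not part of the original notes or of the Red Hat installer): a small lint for the inventory rules listed in step 6 and in the Notes at the top, run here over a constructed inventory. The function names, finding labels and sample hosts are assumptions, and letters and digits are assumed to be always allowed in pg_password.

```shell
#!/bin/sh
# Added example: lint an AAP installer inventory against the rules in these notes.
# Function names, finding labels and the sample inventory are made up for illustration.

lint_inventory() {
    # $1 = path to an INI-style installer inventory. Prints one finding per line.
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { sq = sprintf("%c", 39); dq = sprintf("%c", 34) }
    /^[ \t]*$/    { next }                       # blank line
    /^[ \t]*[#;]/ { next }                       # comment
    /^[ \t]*\[/ {                                # group header such as [automationhub]
        section = trim($0); sub(/^\[/, "", section); sub(/\].*$/, "", section)
        next
    }
    section !~ /:vars$/ {                        # host line inside a host group
        host = $1
        if (host == "localhost")
            print "HOST " section ": " host " (localhost is not allowed)"
        else if (host ~ /[_-]/)
            print "HOST " section ": " host " (FQDN contains _ or -)"
        next
    }
    {                                            # key=value line inside [group:vars]
        eq = index($0, "=")
        if (eq == 0) next
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        first = substr(val, 1, 1)
        last = substr(val, length(val), 1)
        opens = (first == sq || first == dq)
        closes = (last == sq || last == dq)
        if ((opens || closes) && (first != last || length(val) < 2)) {
            print "QUOTE " key ": opening and closing quote differ: " val
            next
        }
        if (opens) val = substr(val, 2, length(val) - 2)
        # Assumption: letters and digits are always fine; of the special
        # characters only ! # and @ are accepted (0 is a digit anyway).
        if (key == "pg_password" && val ~ /[^A-Za-z0-9!#@]/)
            print "PGPASS " key ": contains a special character other than ! # @"
    }' "$1"
}

sample_inventory() {
    # Constructed input with one violation of each rule.
    cat <<'EOF'
[automationgateway]
aapgw.example.net

[automationcontroller]
localhost

[automationhub]
aap_hub.example.net

[database]
aapdb.example.net

[all:vars]
pg_host='aapdb.example.net'
pg_port=5432
pg_password='Str0ng$ecret'
automationhub_pg_database="automationhub'
automationhub_pg_sslmode = 'prefer'
EOF
}

inv=$(mktemp)
sample_inventory > "$inv"
lint_inventory "$inv"
rm -f "$inv"
```

Point lint_inventory at the real inventory file before running setup.sh; an empty result means none of these rules were tripped.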

7. Re-verify the RAM on the controllers
RedHat recommends 1GB memory/10 forks, and a 2GB reservation for the AAP controller.
Note: You cannot increase disk resource settings if you performed a cold snapshot as your backup before starting.
- - Ensure you have a real back-up.
- - Remove the cold snapshot.
- - Increase the settings as needed.
- - Create another cold snapshot.

8. Ensure the VMs have the UMASK properly set and the sudo/visudo enabled.
a. AAP Controller VM(s) requires umask be set to 0022. If not set, the setup.sh run will fail.
This is the default for most Linux environments for normal users. In addition, this should already be done for the controllers since this is an upgrade. However, below are the steps if needed.
$ ssh myadminid@aap.mindwatering.net
- To change for all users:
$ sudo vi /etc/profile.d/set-umask-for-all-users.sh
- To adjust just the current user
$ vi ~/.bashrc
<a to append>
umask 022
<esc>:wq to save and close

$ sudo visudo
...
%wheel ALL=(ALL) NOPASSWD:ALL
...
<esc>:wq to save and close

b. The new Gateway VM requires umask be set to 0022. If not set, the setup.sh run will fail. Repeat the above instructions.
( ssh myadminid@aapgw.mindwatering.net )

c. The new EDA VM requires umask be set to 0022. If not set, the setup.sh run will fail. Repeat the above instructions.
( ssh myadminid@aapeda.mindwatering.net )

9. Verify access to the AAP Controller updated PostgreSQL 15 db:
$ sudo awx-manage check_db

10. As applicable, ensure your ansibleuser account set-up in the inventory file is not expired and that the ansible_private_key_file private key is still working.
e.g. if expired:
$ sudo chage -M <max_days> ansibleuser

11. Set-up the ansibleuser account on the new EDA and Gateway VMs:
- Add the public key to the VM so that this user from the AAP Controller appliance/VM can remotely log-in/ssh. Test a SSH session from the main AAP Controller.
a. Create the ansible_user on the AAP EDA controller:
Note: SKIP IF EDA WAS REMOVED AND EXISTING VM TO BE REUSED, BUT PERFORM STEPS for AAP Gateway VM

$ ssh myadminid@aapeda.mindwatering.net
<enter pwd>
$ sudo useradd -d /users/ansibleuser -m ansibleuser
$ sudo usermod -a -G wheel ansibleuser
$ sudo passwd ansibleuser
<enter new pwd>
<enter new pwd confirmation>
$ exit

b. Copy the key to the AAP EDA controller:
$ ssh ansibleuser@aap.mindwatering.net
<enter pwd>
$ ssh-copy-id ansibleuser@aapeda.mindwatering.net
<enter pwd>

c. Test the ssh using the key copied:
$ ssh aapeda.mindwatering.net
<verify auto login worked>
$ exit
(to exit aapeda)
$ exit
(to exit aap controller)

d. Repeat steps a through c above for the gateway VM
( ssh myadminid@aapgw.mindwatering.net )

12. Ensure that /tmp and /var/tmp are mounted as exec
a. Update the AAP Controller VM:
$ ssh myadminid@aap.mindwatering.net
$ sudo vi /etc/fstab
...
<if the /tmp or /var/tmp entries list noexec in their mount options, remove it>
...
<esc>:wq to save and close
$ sudo mount -o remount,exec /tmp
$ sudo mount -o remount,exec /var/tmp

b. Repeat above on the aaphub.mindwatering.net VM

c. Repeat above on the aapeda.mindwatering.net VM

d. Repeat above on the aapgw.mindwatering.net VM

13. Ensure that /var/tmp is 755
a. Ensure on the controller VM:
$ ssh myadminid@aap.mindwatering.net
$ sudo chmod 755 /var/log

b. Repeat above on the aaphub.mindwatering.net VM

c. Repeat above on the aapeda.mindwatering.net VM

d. Repeat above on the aapgw.mindwatering.net VM

14. If yum updates are disabled on your system, you need to enable yum to update RH packages. Before the upgrade, remove the following line from yum.conf (if you have it), and then re-add it afterwards.
a. Update yum.conf on the AAP Controller VM:
$ ssh myadminid@aap.mindwatering.net
$ sudo vi /etc/yum.conf
Remove the line: exclude=kernel* redhat-release*
...
<esc>:wq to save and close

b. Update dnf.conf:
$ sudo vi /etc/dnf/dnf.conf
Remove the line: exclude=kernel* redhat-release*
...
<esc>:wq to save and close

c. Repeat above on the aaphub.mindwatering.net

d. Repeat above on the aapeda.mindwatering.net

e. Repeat above on the aapgw.mindwatering.net

15. The upgrade will likely overwrite custom cert/keys. If applicable, perform backups of those files:

a. Backup the main AAP controller tower.key and tower.cert files:
$ ssh myadminid@aap.mindwatering.net
<enter pwd>
$ sudo vi /etc/nginx/conf.d/automation-controller.nginx.conf
<read location e.g. /etc/tower/tower.cert and /etc/tower/tower.key>
$ sudo cp /etc/tower/tower.cert /etc/tower/tower_backup_yyyymmdd.cert
$ sudo cp /etc/tower/tower.key /etc/tower/tower_backup_yyyymmdd.key
$ exit

b. Backup the AAP Hub key and cert files:
Repeat above on the aaphub.mindwatering.net but also backup the custom cert in the pulp config folder
$ ssh myadminid@aaphub.mindwatering.net
<enter pwd>
$ sudo cp /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver.crt_backup_yyyymmdd.crt
$ sudo cp /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver.key_backup_yyyymmdd.key
$ exit

Notes:
- aapeda.mindwatering.net cert and key do not need to be backed up since the EDA was deleted and recreated with this upgrade.
- aapgw.mindwatering.net cert and key do not need to be backed up since the Gateway is new.

TANGENT: These are the steps to update the certificate in following years:
- The current (old) server.cert and server.key are in /etc/ansible-automation-platform/eda/
- Backup the old cert and key files:

$ cd /etc/ansible-automation-platform/eda/
$ sudo cp server.cert server.cert_yyyymmdd
$ sudo cp server.key server.key_yyyymmdd

- Transfer the new files onto the EDA appliance and replace the old cert/key files:
$ sudo cp /users/myloginid/newserver.cert /etc/ansible-automation-platform/eda/server.cert
$ sudo cp /users/myloginid/newserver.key /etc/ansible-automation-platform/eda/server.key
- If using SELinux, update the context for the files:
$ sudo restorecon -v /etc/ansible-automation-platform/eda/server.cert /etc/ansible-automation-platform/eda/server.key

- Set the ownership and rights:
$ sudo chown root:eda /etc/ansible-automation-platform/eda/server.cert /etc/ansible-automation-platform/eda/server.key
$ sudo chmod 0600 /etc/ansible-automation-platform/eda/server.cert /etc/ansible-automation-platform/eda/server.key
- Test and restart the nginx.service afterwards:
$ sudo nginx -t
<verify both syntax and test are successful>

$ sudo systemctl reload nginx.service
$ sudo systemctl status nginx.service
<verify service running and no errors>

16. On the AAP controllers, verify the file /etc/tower/uwsgi.ini is readable by others/all:
(so the user account on the gateway has access to read the file)
e.g. -rw-r--r--

a. If not readable, like above, update with:
# chmod 0644 /etc/tower/uwsgi.ini

b. Repeat on any other controllers, as applicable.

c. Re-verify that the umask default value for users is 0022 / 022.
(Step A, number 2 above)
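
An added example (not part of the original notes or of Red Hat's tooling): a read-only script that checks the umask requirement and the prerequisites from steps 12, 14 and 16 on one VM. The function names and the --run switch are this example's own; it assumes findmnt and GNU stat, as found on RHEL.

```shell
#!/bin/sh
# Read-only pre-upgrade checks: umask, exec mounts (step 12),
# package excludes (step 14) and uwsgi.ini readability (step 16).
# Run on each AAP VM:  sh aap_preflight.sh --run

# setup.sh needs the umask to be 0022 (022).
umask_ok() {                 # $1 = umask to test (default: this shell's)
    case "${1:-$(umask)}" in 022|0022) return 0 ;; *) return 1 ;; esac
}

# Step 12: a mount allows execution when "noexec" is not among its options.
opts_allow_exec() {          # $1 = comma-separated mount options
    case ",$1," in *,noexec,*) return 1 ;; *) return 0 ;; esac
}
mount_allows_exec() {        # $1 = directory; checks the mount that holds it
    pf_opts=$(findmnt -n -o OPTIONS --target "$1") || return 2
    opts_allow_exec "$pf_opts"
}

# Step 14: detect the exclude= line that blocks kernel*/redhat-release* updates.
has_pkg_exclude() {          # $1 = path to yum.conf or dnf.conf
    grep -Eq '^[[:space:]]*exclude[[:space:]]*=.*(kernel|redhat-release)' "$1" 2>/dev/null
}

# Step 16: the gateway's account must be able to read /etc/tower/uwsgi.ini.
world_readable() {           # $1 = file path
    pf_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    # The last octal digit holds the permissions for "others"; 4 and up includes read.
    case "${pf_mode#"${pf_mode%?}"}" in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

preflight_report() {         # prints one line per failed check; returns 1 on any failure
    pf_rc=0
    umask_ok || { echo "FAIL umask is $(umask), need 0022"; pf_rc=1; }
    for pf_d in /tmp /var/tmp; do
        mount_allows_exec "$pf_d" || { echo "FAIL $pf_d: noexec mount or lookup failed"; pf_rc=1; }
    done
    for pf_f in /etc/yum.conf /etc/dnf/dnf.conf; do
        if has_pkg_exclude "$pf_f"; then
            echo "FAIL $pf_f still excludes kernel*/redhat-release*"; pf_rc=1
        fi
    done
    # uwsgi.ini exists only on controllers; the check is skipped elsewhere.
    if [ -e /etc/tower/uwsgi.ini ] && ! world_readable /etc/tower/uwsgi.ini; then
        echo "FAIL /etc/tower/uwsgi.ini is not readable by others"; pf_rc=1
    fi
    [ "$pf_rc" -eq 0 ] && echo "OK all checks passed"
    return "$pf_rc"
}

if [ "${1:-}" = "--run" ]; then preflight_report; fi
```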



Perform AAP 2.5 Upgrade:
H. Run the AAP 2.5 installation to upgrade AAP 2.4 to 2.5.

1. Review the inventory file:
$ ssh myadminid@aap.mindwatering.net
<enter pwd>
$ sudo su -
<enter pwd>
# cd /users/myadmin/aapinstall/ansible-automation-platform-setup-bundle-2.5-12-x86_64/
# vi inventory
<review file>
<esc>:wq to save and close
or
<esc>:q to close w/no changes

2. After the modifications of the inventory are complete, run the installer:
# ./setup.sh

Note:
If there are errors, the reason will be listed. View the log, and then re-run after making the update/fix/changes required.



Post Upgrade.
I. Perform Post Upgrade Tasks and Validation

1. Verify the AAP Gateway UI and the AAP UI work:
Open a web browser and navigate to: aapgw.mindwatering.net
Open a web browser and navigate to: aap.mindwatering.net

2. Verify the AAP Hub UI works:
Open a web browser and navigate to: aaphub.mindwatering.net

3. Verify the AAP EDA UI works:
Open a web browser and navigate to: aapeda.mindwatering.net

4. If you had custom certificates that you neglected to add to the inventory, and they were overwritten, you can restore the custom certs if you backed them up.
SSH back into the main AAP Controller, and the AAP Hub, and restore the certificates back on the main AAP controller and hub, as needed. Generic example steps are below.
a. Restore the certificate on the main AAP controller:
$ ssh myadminid@aap.mindwatering.net
<enter pwd>
$ sudo mv /etc/tower/tower.cert /etc/tower/tower_backup_post2-4upgrade.cert
$ sudo mv /etc/tower/tower.key /etc/tower/tower_backup_post2-4upgrade.key
$ sudo mv /etc/tower/tower_backup_yyyymmdd.cert /etc/tower/tower.cert
$ sudo cp /etc/tower/tower_backup_yyyymmdd.key /etc/tower/tower.key
$ sudo systemctl restart nginx.service

Verify the GUI works in the web browser.
$ exit

b. Restore the certificate on the main AAP Hub:
$ ssh myadminid@aaphub.mindwatering.net
<enter pwd>
$ sudo mv /etc/pulp/certs/pulp_webserver.crt /etc/pulp/certs/pulp_webserver_backup_post2-4upgrade.crt
$ sudo mv /etc/pulp/certs/pulp_webserver.key /etc/pulp/certs/pulp_webserver_backup_post2-4upgrade.key
$ sudo mv /etc/pulp/certs/pulp_webserver.crt_backup_yyyymmdd.crt /etc/pulp/certs/pulp_webserver.crt
$ sudo mv /etc/pulp/certs/pulp_webserver.key_backup_yyyymmdd.key /etc/pulp/certs/pulp_webserver.key
$ sudo systemctl restart nginx.service

Verify the GUI works in the web browser.
$ exit

5. Re-enable any scheduled jobs disabled before upgrade.

6. Removal of snapshots.
After jobs are confirmed running okay remove the snapshots by deleting them. (Ensure you delete the snapshot and not revert.)


______________

Additional Notes:

/etc/tower/conf.d/postgres.py contains the Ansible PostgreSQL pwd.







______________

Enterprise "cluster" Installation:

The enterprise cluster config from Red Hat is 2 Controllers, 2 Hubs, 2 EDAs, and 2 Gateways.
The latter 6 nodes are running REDIS.

In this scenario, this is our AAP environment:
The RHEL 9.x AAP Gateways are:
- aapgw1.mindwatering.net
- aapgw2.mindwatering.net
- with virtual DNS/IP aapgw.mindwatering.net

The RHEL 9.x AAP Controllers are:
- aap1.mindwatering.net
- aap2.mindwatering.net
- with virtual DNS/IP aap.mindwatering.net

The RHEL 9.x AAP Hubs are:
- aaphub1.mindwatering.net
- aaphub2.mindwatering.net
- with virtual DNS/IP aaphub.mindwatering.net

The RHEL 9.x AAP EDAs are:
- aapeda1.mindwatering.net
- aapeda2.mindwatering.net
- with virtual DNS/IP aapeda.mindwatering.net

The RHEL 9.x PostgreSQL server is:
- aapdb.mindwatering.net


The following are the installation parameter additions for the inventory file:

# vi inventory

[automationgateway]
aapgw1.mindwatering.net
aapgw2.mindwatering.net

[automationcontroller]
aap1.mindwatering.net
aap2.mindwatering.net

[automationhub]
aaphub1.mindwatering.net ansible_user=ansibleuser
aaphub2.mindwatering.net ansible_user=ansibleuser

[automationedacontroller]
aapeda1.mindwatering.net
aapeda2.mindwatering.net

[database]
aapdb.mindwatering.net

[redis]
aapgw1.mindwatering.net
aapgw2.mindwatering.net
aaphub1.mindwatering.net
aaphub2.mindwatering.net
aapeda1.mindwatering.net
aapeda2.mindwatering.net

[all:vars]
admin_password='guiadminpassword'
ansible_become = true
ansible_user= ansibleuser
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
ansible_private_key_file=/users/ansibleuser/.ssh/id_rsa
pg_host='aapdb.mindwatering.net'
pg_port=5432

pg_database='awx'
pg_username='awx'
pg_password='<awxpassword>'

registry_url='registry.redhat.io'
registry_username='reguserid'
registry_password='regpassword'

redis_mode='cluster'

automationcontroller_main_url= 'https://aap.mindwatering.net'
automationhub_main_url= 'https://aaphub.mindwatering.net'

automationhub_pg_host='aapdb.mindwatering.net'
automationhub_pg_port=5432
automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='HubReallyAmazingPassword'
automationhub_pg_sslmode = 'prefer'

automationhub_authentication_backend = "ldap"
automationhub_ldap_server_uri = "ldaps://ldapserverint.mindwatering.net"
automationhub_ldap_bind_dn = "cn=myldapadmin, dc=mindwatering, dc=net"
automationhub_ldap_bind_password = "MyBetterThanGoodPassword"
automationhub_ldap_user_search_base_dn = "ou=people, dc=mindwatering, dc=net"
automationhub_ldap_group_search_base_dn = "ou=aapgroup, dc=mindwatering, dc=net"
automationhub_api_token=<api_token>

automationgateway_admin_password='GWUIReallyAmazingPassword'
automationgateway_pg_host='aapdb.mindwatering.net'
automationgateway_pg_port=5432
automationgateway_pg_database='automationgateway'
automationgateway_pg_username='automationgateway'
automationgateway_pg_password='GWReallyAmazingPassword'
automationgateway_pg_sslmode='prefer'
automationgateway_main_url = 'https://aapgw.mindwatering.net'
automationgateway_ssl_cert=/users/myadminid/tlscerts/automationgateway.cert
automationgateway_ssl_key=/users/myadminid/tlscerts/automationgateway.key

automationedacontroller_admin_password='EDAUIReallyAmazingPassword'
automationedacontroller_pg_host = 'aapdb.mindwatering.net'
automationedacontroller_pg_port=5432
automationedacontroller_pg_database ='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='EDAReallyAmazingPassword'
automationedacontroller_pg_sslmode='prefer'
automationedacontroller_ssl_cert=/users/myadminid/tlscerts/automationeda.crt
automationedacontroller_ssl_key=/users/myadminid/tlscerts/automationeda.key
# if there is only one name and it is specified under the [automationedacontroller] heading above, entering the same name again is not necessary
# automationedacontroller_allowed_hostnames = 'aapeda.mindwatering.net aapeda1.mindwatering.net aapeda2.mindwatering.net'
...
<esc>:wq to save and close




On each of the AAP Hub servers, edit the /etc/pulp/settings.py file and allow forwarding:
# vi /etc/pulp/settings.py
...
USE_X_FORWARDED_PORT = True
USE_X_FORWARDED_HOST = True
...
<esc>:wq to save and close











______________

Additional Cluster Notes:


- AAP Content Signing Config:
a. Update inventory file again, and add the signing inventory variables:
[all:vars]
...
automationhub_create_default_collection_signing_service = True
automationhub_auto_sign_collections = True
automationhub_require_content_approval = True
automationhub_collection_signing_service_key = /absolute/path/to/galaxy_signing_service.gpg
automationhub_collection_signing_service_script = /absolute/path/to/collection_signing.sh
...
<esc>:wq to save and close

b. On the AAP Hubs, create a signing script:
Red Hat sample:
#!/usr/bin/env bash

FILE_PATH=$1
SIGNATURE_PATH="$1.asc"

ADMIN_ID="$PULP_SIGNING_KEY_FINGERPRINT"
PASSWORD="password"

# Create a detached signature
gpg --quiet --batch --pinentry-mode loopback --yes --passphrase \
    "$PASSWORD" --homedir ~/.gnupg/ --detach-sign --default-key "$ADMIN_ID" \
    --armor --output "$SIGNATURE_PATH" "$FILE_PATH"

# Check the exit status
STATUS=$?
if [ $STATUS -eq 0 ]; then
    echo {\"file\": \"$FILE_PATH\", \"signature\": \"$SIGNATURE_PATH\"}
else
    exit $STATUS
fi



- Enterprise set-up w/REDIS standalone or distributed:
- - If you specify redis servers on your 6 nodes (2 GW, 2 Hub, and 2 EDA), then you cannot set redis_mode='standalone'.
- - If the redis servers are the 6 non Controller VMs, then we should not need separate certs as we re-use the main DNS certs of the VMs.
a. Edit the inventory file, and do either b (standalone) or c (cluster) option:
# vi ./inventory

b. The 6 VMs/nodes running REDIS standalone:
...
[redis]
#gw1.example.local
#gw2.example.local
#hub1.example.local
#hub2.example.local
#eda1.example.local
#eda2.example.local
...
[all:vars]
...
redis_mode='standalone'
...

c. The 6 VMs/Nodes running REDIS cluster:
...
[redis]
gw1.example.local
gw2.example.local
hub1.example.local
hub2.example.local
eda1.example.local
eda2.example.local
...
[all:vars]
...
redis_mode='cluster'
...
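
An added example (not from the original notes or from Red Hat): a read-only lint that applies the [redis] / redis_mode rule stated above to an inventory file before setup.sh is run. It goes beyond that rule in three ways: it reports values whose opening and closing quotes do not match, flags StrictHostKeyChecking=no in ansible_ssh_common_args, and checks that the inventory, which stores passwords in clear text, is not accessible to group or others. All function names are this example's own, and it assumes GNU stat.

```shell
#!/bin/sh
# Read-only lint for an AAP installer inventory.
# Usage: sh lint_inventory.sh ./inventory

# Print the uncommented hosts listed under [group].
group_hosts() {              # $1 = inventory file, $2 = group name
    awk -v g="[$2]" '
        /^[ \t]*\[/ { in_g = ($1 == g); next }
        in_g && NF && $1 !~ /^[#;]/ { print $1 }' "$1"
}

# Print the value of a key=value line with surrounding spaces and quotes removed.
inv_var() {                  # $1 = inventory file, $2 = variable name
    awk -v k="$2" '
        { key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key) }
        key == k && index($0, "=") {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/^["\047]|["\047]$/, "", v)
            print v; exit }' "$1"
}

# Rule from the notes above: hosts under [redis] conflict with redis_mode=standalone.
redis_conflict() {           # $1 = inventory file; returns 0 when the conflict is present
    [ "$(inv_var "$1" redis_mode)" = "standalone" ] && [ -n "$(group_hosts "$1" redis)" ]
}

# Print "line: text" for values that open with a quote and do not close with the same one.
bad_quotes() {               # $1 = inventory file
    awk '
        /^[ \t]*(#|;|\[)/ || !/=/ { next }
        { v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
          f = substr(v, 1, 1); l = substr(v, length(v), 1)
          if ((f == "\"" || f == "\047") && (length(v) < 2 || l != f)) print NR ": " $0 }' "$1"
}

# StrictHostKeyChecking=no makes the installer accept any SSH host key.
hostkey_check_disabled() {   # $1 = inventory file
    inv_var "$1" ansible_ssh_common_args | grep -qi 'StrictHostKeyChecking=no'
}

# The inventory stores passwords in clear text: no access for group or others.
secrets_file_private() {     # $1 = inventory file
    li_mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    case "$li_mode" in *00) return 0 ;; *) return 1 ;; esac
}

lint_inventory() {           # prints findings; exit status = number of findings
    li_n=0
    if redis_conflict "$1"; then echo "redis: hosts listed with redis_mode=standalone"; li_n=$((li_n + 1)); fi
    li_q=$(bad_quotes "$1")
    if [ -n "$li_q" ]; then echo "quotes: $li_q"; li_n=$((li_n + 1)); fi
    if hostkey_check_disabled "$1"; then echo "ssh: host key checking is disabled"; li_n=$((li_n + 1)); fi
    if ! secrets_file_private "$1"; then echo "perms: inventory is accessible beyond its owner"; li_n=$((li_n + 1)); fi
    return "$li_n"
}

if [ -f "${1:-}" ]; then lint_inventory "$1"; fi
```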









---


Red Hat Sample Enterprise Inventory File:
# This is the Ansible Automation Platform installer inventory file intended for the RPM growth deployment topology.
# Consult the Ansible Automation Platform product documentation about this topology's tested hardware configuration.
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/tested_deployment_models/rpm-topologies
#
# Consult the docs if you are unsure what to add
# For all optional variables consult the Ansible Automation Platform documentation:
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation
# This section is for your platform gateway hosts
# -----------------------------------------------------
[automationgateway]
gateway1.example.org
gateway2.example.org

# This section is for your automation controller hosts
# -----------------------------------------------------
[automationcontroller]
controller1.example.org
controller2.example.org

[automationcontroller:vars]
peers=execution_nodes

# This section is for your Ansible Automation Platform execution hosts
# -----------------------------------------------------
[execution_nodes]
hop1.example.org node_type='hop'
exec1.example.org
exec2.example.org

# This section is for your automation hub hosts
# -----------------------------------------------------
[automationhub]
hub1.example.org
hub2.example.org

# This section is for your Event-Driven Ansible controller hosts
# -----------------------------------------------------
[automationedacontroller]
eda1.example.org
eda2.example.org

# This section is for the Ansible Automation Platform database
# -----------------------------------------------------
[database]
db.example.org

[redis]
gateway1.example.org
gateway2.example.org
hub1.example.org
hub2.example.org
eda1.example.org
eda2.example.org


[all:vars]
# Common variables
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation/appendix-inventory-files-vars#general-variables
# -----------------------------------------------------
registry_username=<your RHN username>
registry_password=<your RHN password>
redis_mode=standalone

# Platform gateway
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation/appendix-inventory-files-vars#platform-gateway-variables
# -----------------------------------------------------
automationgateway_admin_password=<set your own>
automationgateway_pg_host=<set your own>
automationgateway_pg_database=<set your own>
automationgateway_pg_username=<set your own>
automationgateway_pg_password=<set your own>

# Automation controller
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation/appendix-inventory-files-vars#controller-variables
# -----------------------------------------------------
admin_password=<set your own>
pg_host=<set your own>
pg_database=<set your own>
pg_username=<set your own>
pg_password=<set your own>

# Automation hub
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation/appendix-inventory-files-vars#hub-variables
# -----------------------------------------------------
automationhub_admin_password=<set your own>
automationhub_pg_host=<set your own>
automationhub_pg_database=<set your own>
automationhub_pg_username=<set your own>
automationhub_pg_password=<set your own>

# Event-Driven Ansible controller
# https://docs.redhat.com/en/documentation/red_hat_ansible_automation_platform/2.5/html/rpm_installation/appendix-inventory-files-vars#event-driven-ansible-variables
# -----------------------------------------------------
automationedacontroller_admin_password=<set your own>
automationedacontroller_pg_host=<set your own>
automationedacontroller_pg_database=<set your own>
automationedacontroller_pg_username=<set your own>
automationedacontroller_pg_password=<set your own>


---


AAP 2.4 to AAP 2.5 Upgrade Issues:

1. Job run issue with sudo.
... fatal: ... Missing sudo password ...

Credential passwords added back but the Privilege Escalation and Privilege Escalation Method were also cleared.
(e.g. sudo, pbrun)


2. List Schedules jobs issue
... "unhandled exception occurred while running the lookup plugin 'ansible.controller.controller.api' ... Failed to get token: HTTP Error 403: Forbidden ...

Fixed in later RH AAP 2.5 version. See RHBA-2025:14709.
Issue is with controller_oauthtoken, so switching to a local AAP user seems to be a working workaround.


3. API Access Point/Path Issue:
/api/v2/tokens/ not returning tokens from controllers

Solution:
This is an architecture change. Redirect/update controller API calls through the Gateway with AAP 2.5. So for the above issue, use aapgwdev.mindwatering.net/api/controller/v2/tokens/ instead.
See RH tech note: 7131069







