
Ansible open-sources Ansible Tower with AWX - sciurus
https://www.jeffgeerling.com/blog/2017/ansible-open-sources-ansible-tower-awx
======
lima
If you're considering using this (or any similar) tool, please keep in mind
that you're adding a lot of attack surface.

Your Ansible master is one of the most critical (if not _the_ most critical)
machine in your network. It has unrestricted access to everything, including a
very detailed list of what and where everything is. If it's compromised, it's
over.

Something like Ansible Tower adds a LOT of attack surface. Instead of a
locked-down server exposing a public key-only SSH port, you suddenly have a
whole web application stack in there. Your browser and every Chrome extension
with full page access now has root access to your network (and don't get me
started on potential CSRF or XSS vulnerabilities...).

If you don't need any of the enterprise-ey features, you just might be better
off with plain Ansible and Ara[1], with the latter running on a separate machine.
A "sudoers" rule is much more secure than any ACL in a web application
backend.

If you do want to use Tower, you need to think about these risks and how you
mitigate them. Of course, this also applies to any similar tool like Jenkins,
Rundeck, CircleCI or whatever if you give them production credentials.

[1]:
[https://ara.readthedocs.io/en/latest/](https://ara.readthedocs.io/en/latest/)

~~~
pm90
This is a great point. Although...other CI systems already have that kind of
privilege, right? e.g. Chef has a master node if I'm not mistaken.

In my experience, ansible playbooks are great when run from a more general
purpose task runner like jenkins, which then has permissions to access/modify
one's production environment. I don't think I would personally use tower
unless it provides something much much better than running ansible tasks in
Jenkins... it would be just too much of a hassle to get the
security/compliance aspects right.

~~~
eropple
Chef Server has a central server. Chef Zero doesn't, especially when using
tools like cfn-init/cfn-hup and S3-backed minimart to self-bootstrap. This is
the approach I take, and it's the approach I see becoming more and more
common. Letting nodes figure out how to deal with their own problems (better
able to auto-scale, more fault tolerant) is, to me, much better than having
Jenkins or whatever have to SSH into them in the first place.

You can do it with Ansible, if you're going to home-roll it, but I haven't seen
too many people do so.

~~~
oblio
Does anyone actually use Ansible server-less? Can it even be done?

(Edit: my bad, ignore this comment, I misphrased my question; the real
question should have been: can you run Ansible locally on the target server,
just like chef-solo/chef-zero?)

~~~
eropple
You can run Ansible locally with `-c local`.

But, as far as serverless/self-bootstrapping deploys go, it's less common.
Ansible has less of a "culture of dependencies"; the simpler, more
approachable-looking nature of the Ansible playbook format seems to lend
itself to people one-offing whatever they need rather than looking for best-
practices solutions that already exist. Because of this, there's no real
Berkshelf equivalent for Ansible. The tooling doesn't exist, outside of Tower
(sorta), because nobody wants it, and nobody wants it because the tooling
doesn't exist. So the people who _are_ doing with Ansible something similar to
the Chef Zero stuff I mentioned above are mostly home-rolling it. (I just use
a S3 bucket as a Minimart berkshelf endpoint and move on with my day.)

Last-mile configuration is also tricky. In my Chef Zero stuff, I use
CloudFormation metadata to provide Chef attributes. You can do something
similar with Ansible...but it's duct-tapey. There are times when simple is
better; IMO, Ansible's core tooling errs too far on that side and the
ecosystem has not caught up to make more rigorous approaches really viable.

~~~
karlmdavis
Apologies if I'm wrong, but it sounds like you're not that familiar with
Ansible's roles and the public Ansible Galaxy repo for them?

[https://galaxy.ansible.com/intro](https://galaxy.ansible.com/intro)

There are tons of roles available, for just about everything, and the quality
isn't always great, but still higher on average than what I've found for most
Chef recipes and Puppet modules.

And that's not to mention the very high number of high quality modules that
are builtin to Ansible.

~~~
eropple
I am familiar with them, yeah. In practice, across a pretty wide spread of
clients, I have never seen them used or written by anyone who isn't me. This
is why I referred to it as a culture problem; the tooling problem is the lack
of a Berkshelf equivalent.

I would strongly, _strongly_ disagree as to the quality of most Ansible
modules that I have dealt with, but it's probably more based on exactly what
you need than anything else.

------
mattjaynes
Quick links:

\- Github Project: [https://github.com/ansible/awx](https://github.com/ansible/awx)

\- Project FAQ: [https://www.ansible.com/awx-project-faq](https://www.ansible.com/awx-project-faq)

\- Demo Video (10min): [https://www.ansible.com/tower-demo](https://www.ansible.com/tower-demo)

\- Remove angry potato logo: [https://github.com/nanobeep/awx-logos](https://github.com/nanobeep/awx-logos)

I do the curation for the 'Ansible & Friends' newsletter and we've been
following this closely for a few months...

If you're interested in alternatives to Tower/AWX, see our listing in issue
64: [https://hvops.com/news/ansible/64](https://hvops.com/news/ansible/64)

Kudos to Jeff, he's quite prolific in the community. We've highlighted him
recently in the "Community Heroes" section:
[https://hvops.com/news/ansible/64](https://hvops.com/news/ansible/64) And in
our September issue, we had to give Jeff his own section because there were
just too many great articles he had put out:
[https://hvops.com/news/ansible/67](https://hvops.com/news/ansible/67)

 _(Full disclosure: Ansible Inc hired me a few years ago to update and
automate the Tower documentation systems)_

------
richardfontana
"To be clear though, Ansible Tower itself will still be a licensed product
offering from Red Hat, but the code that builds Ansible Tower releases is open
sourced, and is available in the AWX Project."

This is strictly speaking correct but I think the author is implying that AWX
code will get proprietized in Ansible Tower, which is not correct. Normally,
Red Hat does not alter upstream open source licenses in its product offerings.

~~~
crymer11
As of today, there is at least one difference between AWX and Tower. One
supports high availability (Tower) and the other does not (AWX).

------
linsomniac
I was pretty excited about AWX, we had finally deployed a few things to
provide some of the functionality (Rundeck and some custom runners, also tried
but decided against StackStorm since it has no role based task limits in the
non-enterprise version).

I gave Jeff's (author of this piece) Ansible role a try and had an AWX system
up and running quickly. He's making some really nice Ansible roles.

But I had no luck with AWX. I think if you are using entirely platforms that
are supported directly by AWX (OpenStack/AWS/Azure), you might be fine. We run
80% of our stack on Ganeti, and have a custom inventory script that AWX seems
entirely unable to use. Even distilling that dynamic inventory down into a
static inventory isn't working in my testing because it wants our Vault
password to load the inventory, and the inventory task doesn't allow for
associating vault credentials. Nor does it seem to provide the boto
credentials needed by our dynamic inventory script, even though it has a spot
for providing AWS credentials.

I want to try it one more time to see if I can find a combination of static
inventory that doesn't need the Vault.

But at the moment, the Rundeck weirdness with our inventory is less than the
AWX weirdness, so that is our solution. I'm sure I'm just not getting
something about AWX, but I've spent a day with the docs and made no real
progress.

It's awesome to have available as an option. I wanted to get Tower but could
never secure the funding for it, largely because it was a big unknown.

~~~
geerlingguy
I'm still working on getting a Dockerless install up and running, because I
want to be able to tweak the innards that make it all work a little more (I
still don't fully grasp the AWX system architecture, because some of it is
masked by the Docker setup).

There are still a couple small bugs with my Docker image (if you're testing
with that) that I just haven't had the time to work out; you might be running
into one or two of them :(

~~~
linsomniac
Dockerless would be nice, but I don't hold out much hope for it on an Ubuntu
host. ;-) I'm guessing that it really wants to run on a RedHat variant.

------
jlgaddis
Since Jeff's book is mentioned a few times, I'd suggest going for the
(updateable) "e-book" if you're interested in purchasing it. I have the
hardcopy version of it (and another Ansible book or two) and, with the rate of
Ansible development, it got kinda out-of-date pretty quickly.

~~~
corford
Second this. I bought the PDF ebook years ago and still get an email once in a
while with an updated version. Best $20 something I've spent in a long time
(thanks Jeff!).

~~~
geerlingguy
You're welcome! Working on a chapter on Ansible Container right now :)

------
Androider
Maybe someone will finally offer a managed Ansible Tower service. I'm always
surprised that Red Hat hasn't to date. Between managed git and CI with
deployment to AWS, I have no desire to babysit, backup and patch a snowflake
Tower instance.

~~~
ghjm
Out of curiosity, would you be concerned with giving a managed service vendor
all the passwords to everything in your infrastructure?

~~~
rmenr
Yes. I would. Which is why I love the idea of having AWX to run within my own
infra, in the way that I'd want to run it.

Arrogant as it may sound, I'd much prefer to take ownership of that,
personally. I'd be happy to self-host it and take the operational pains that
come with it, and sleep (at least slightly more happily at night) knowing that
I'm managing my secrets myself.

------
jlgaddis
I'm curious to know how usage of AWX affects your ability to maintain
everything (inventory, roles, playbooks, etc.) in version control.

I'm guessing AWX wants to be the central "source of truth" for all of that
stuff instead of just keeping it all in a single git repo.

~~~
atgreen
You hook AWX up to git or similar. It will pull playbooks, etc, from git
before execution. I was a Tower sceptic at first, but it's actually really
great.

(edit: disclaimer .. I am a Red Hat employee!)

~~~
jlgaddis
Oh sweet, that's the best that I could have hoped for. Thanks!

------
rmetzler
I'm sorry, I need a video showing me, what Ansible Tower actually does.

I use Ansible in my day-to-day job (I'm a full stack dev learning how to do
sysadmin stuff in scale). We use Ansible in a custom webapp to orchestrate
bare metal clouds. We build and operate custom High Performance Computation
Clusters and this is our SaaS offering.

But the code relies heavily on cron and legacy perl code.

I wanted to rewrite the code and use a queue for a long time, but never found
enough time to actually do it. It works good enough and we have customers
relying on it.

~~~
jlgaddis
> _I'm sorry, I need a video showing me, what Ansible Tower actually does._

Click on the first link in this article, "Ansible Tower" and you'll be taken
to a page [0] where (above the fold) there are two videos: a two-minute
overview and a 10-minute demo.

[0]: [https://www.ansible.com/tower](https://www.ansible.com/tower)

------
lamby
"Ansible" and "open source" don't go together that well in my head.

I used to send a whole bunch of fixes to Ansible as they were so responsive in
merging my stuff extremely quickly. But after they were bought (or
/incredibly/ close to the same timing..) my PRs stopped being merged in a
timely manner, often requiring many rounds of tedious rebasing as they looked
at it 2 months after submission when the code had moved on. Naturally, I
preferred to spend my time elsewhere...

------
crymer11
The one thing we're really missing from AWX (the open source version of Tower)
is the high availability support.

I've seen some discussion in GitHub issues about that; hoping we see it
supported soon!

------
RRRA
It'd be nice if there was a way to have ansible-pull verify GPG signatures
(like some puppet setup people use). That way, it doesn't matter as much if
AWX gets compromised.
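
The signature-checked pull RRRA asks for can be approximated today with a small wrapper around `git verify-commit` and `ansible-playbook -c local` (the local connection eropple mentions earlier in the thread). The script below is an added example, not code from ansible-pull, AWX or Tower. The repository path, branch name, playbook name and the allow-listed fingerprint are assumptions, and the `[GNUPG:]` lines in `SAMPLE_STATUS` are constructed to mirror gpg's documented `--status-fd` format rather than captured from a real repository.

```python
"""Signed-pull wrapper: fetch a playbook repo, refuse to run unless the target
commit is signed by an allow-listed OpenPGP key, then run ansible locally.
Added example; not part of ansible-pull, AWX or Tower."""
import subprocess
import sys
from typing import Iterable, Optional

# Assumption: full 40-hex fingerprints of the keys allowed to sign the repo.
TRUSTED_FINGERPRINTS = {"ABCDEF0123456789ABCDEF0123456789ABCDEF01"}

# gpg status tags that mean the signature must not be accepted even though a
# key was found.  EXPKEYSIG/REVKEYSIG replace GOODSIG for expired/revoked keys.
REJECT_TAGS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of gpg --status-fd output, as `git verify-commit --raw`
# relays it on stderr.  Not captured from a real repository.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>",
    "[GNUPG:] VALIDSIG ABCDEF0123456789ABCDEF0123456789ABCDEF01 2017-09-07 "
    "1504800000 0 4 0 1 8 00 ABCDEF0123456789ABCDEF0123456789ABCDEF01",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]


def trusted_signer(status_lines: Iterable[str],
                   trusted: Iterable[str]) -> Optional[str]:
    """Return the allow-listed fingerprint that signed the object, else None.

    Checking git's exit status is not enough: it is 0 for a GOODSIG from *any*
    key in the keyring, so one stray `gpg --import` would let an attacker's
    playbooks run.  We therefore require both a GOODSIG tag and a VALIDSIG
    whose signing-key or primary-key fingerprint is in our own allow-list,
    and we ignore gpg's web-of-trust verdict (TRUST_*) entirely.
    """
    allowed = {fpr.upper() for fpr in trusted}
    good = False
    signing_fpr = primary_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        tag = fields[1]
        if tag in REJECT_TAGS:
            return None
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) >= 3:
            signing_fpr = fields[2].upper()
            if len(fields) >= 12:          # optional trailing primary-key fpr
                primary_fpr = fields[11].upper()
    if not good:
        return None
    for fpr in (signing_fpr, primary_fpr):
        if fpr in allowed:
            return fpr
    return None


def verify_ref(repo: str, ref: str) -> Optional[str]:
    """Run `git verify-commit --raw <ref>`; the raw gpg status is on stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-commit", "--raw", ref],
                          capture_output=True, text=True)
    return trusted_signer(proc.stderr.splitlines(), TRUSTED_FINGERPRINTS)


def pull_and_run(repo: str, branch: str = "master",
                 playbook: str = "site.yml") -> int:
    """Fetch, verify the *remote* tip before moving the checkout to it, then
    run the playbook against localhost.  Returns a process-style exit code."""
    subprocess.run(["git", "-C", repo, "fetch", "--quiet", "origin"], check=True)
    target = f"origin/{branch}"
    signer = verify_ref(repo, target)
    if signer is None:
        print(f"refusing to run: {target} is not signed by a trusted key",
              file=sys.stderr)
        return 2
    subprocess.run(["git", "-C", repo, "reset", "--quiet", "--hard", target],
                   check=True)
    print(f"{target} signed by {signer}; running {playbook}")
    return subprocess.call(["ansible-playbook", "-c", "local",
                            "-i", "localhost,", playbook], cwd=repo)


if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: signed_pull.py REPO [BRANCH [PLAYBOOK]]
        sys.exit(pull_and_run(*sys.argv[1:4]))
    print("sample status accepted by:",
          trusted_signer(SAMPLE_STATUS, TRUSTED_FINGERPRINTS))
```

Run it from cron on each node with `GNUPGHOME` pointed at a dedicated keyring that holds only the release-signing public keys, and treat the allow-list in the script as the real policy; the keyring is just where gpg finds the key material. Verifying `origin/<branch>` before the hard reset means an unsigned push never even reaches the working tree. This only protects the playbook content that AWX (or a compromised git server) could feed the node; credentials the node already holds are a separate problem.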

------
bubblethink
Does someone have a quick summary of where this fits into Satellite/Katello
v/s puppet, which is already included in Katello.

~~~
MrOwen
Starting in Foreman 1.10 (Satellite 6.2 is based on Foreman 1.11[1]; Katello
is now officially a Foreman plugin), Foreman introduced the Ansible plugin in
a more/less primitive form. Essentially, the goal was/is to provide an Ansible
alternative for provisioning where Puppet was used previously. Before, you
could only specify Puppet classes to apply to initialized hosts but now
specifying Ansible roles is possible.

So in a very basic use case where you want to configure a new compute instance
in your environment, there's not much difference. However, in cases when you
need to do things like hardening enforcement and remediation, end-user self-
provisioning with surveys, workflows involving disparate tools which Ansible
can coordinate (which may not even involve your hosts), reviewing/analyzing
results of a play across 100s or 1000s of hosts, or auditing/rbac controls,
Tower/AWX will be your tool. These features will most likely not make their
way into Satellite because that's not really the focus of Satellite.

[1]:
[https://access.redhat.com/articles/1343683](https://access.redhat.com/articles/1343683)

Quick correction: after looking at some docs on the RH site, it seems the
Ansible Foreman plugin may not be included in Satellite at this time. I
suspect this will change in the upcoming versions, but not really a way to
tell at this point :(

Edit 3!!: Ansible support is coming but not for a while. See discussion
regarding the roadmap presentation from Summit here:
[https://www.reddit.com/r/redhat/comments/6lb460/satellite_63...](https://www.reddit.com/r/redhat/comments/6lb460/satellite_63_dates_and_confirmed_features/)

------
amq
What is the role of Ansible in the world of Docker, Kubernetes and Swarm?

~~~
zerkten
I was wondering the same thing and found this recent video on Ansible
Containers ([https://www.ansible.com/ansible-roles-as-containers](https://www.ansible.com/ansible-roles-as-containers)).
The project overview is [https://www.ansible.com/ansible-container](https://www.ansible.com/ansible-container).
It'd be interesting to hear from others with experience combining these.

~~~
alexnewman
ansible and containers do not mix well. Don't even bother. They take totally
different approaches. Use ansible for what it is good for. Using it to
automate all the things ... in container world... I mean why have
docker-compose or k8s at all. Just launch containers willy-nilly and, instead of

\- self healing

\- automatic failover

\- Docker centric tools

You can have a python s*it show where you use containers like processes. In
fact they are processes that probably can't handle signals or pipes. Maybe use
tini and that at least works, but it misses the point. Ansible and docker are
fundamentally at odds.

When ansible was created it had the promise of a simple layer of abstraction
over ssh. Now it just does all the things because it jelly. Don't give in to
the h8

~~~
mi100hael
Ansible works quite well for automating docker deployments. Something still
has to execute the docker commands to spin up a
container/swarm/cluster/whatever. Better to have those commands be idempotent
and checked in to version control.

[http://docs.ansible.com/ansible/latest/docker_container_modu...](http://docs.ansible.com/ansible/latest/docker_container_module.html)

~~~
geerlingguy
And if you control networking, Ansible can manage that... and if you control
local workstation management, Ansible can manage that... and if you need
something to manage things like CloudFormation with automation...

Ansible fits all the automation gaps that exist between all the different
infrastructure tools.

------
alexnewman
I am not sure, have they open sourced something i can even use

~~~
sud0er
[https://github.com/ansible/awx](https://github.com/ansible/awx)

~~~
alexnewman
Right but it's not clear how to deploy this

~~~
citruspi
The second sentence on that repository's readme is

> To install AWX, please view the Install guide.

which links to an installation guide[0] with information on setting it up with
OpenShift or Docker.

I'm not sure what part isn't clear.

[0]:
[https://github.com/ansible/awx/blob/devel/INSTALL.md](https://github.com/ansible/awx/blob/devel/INSTALL.md)

------
timwaagh
I worked on setting up ansible for running a setup playbook on our new
virtualised dev environments complete with VirtualBox bugs. Ansible has been a
bit of a pita for me to set up. Try pulling in a git repo with it. It fails
and does not even tell you what is up. Helpful error messages anyone? Maybe
this tower could help debug some issues. Although it is basically more added
complexity. I don't really understand the advantage over running a normal
script either, but it was not really my idea. Somehow my team thinks they
should not listen when I say something sucks and listen to this rude kid who
likes to talk fast, likes to interrupt and call themselves the best ever
instead. I might not look cool and my ways are not the latest in cool tech,
but I sure as f am experienced and know things. It will be the others' problem
soon enough I guess. Maybe the advantage is that you get to run it on all
servers at the same time. Not that this is a big one when you have like two.
Oh well. I guess I'm not quite done with this software until my team realizes
maybe I'm not entirely bullshit when I say we should use simple scripts or go
straight to docker. Maybe this tower thing can help debug the mess.

~~~
corford
Strange,
[http://docs.ansible.com/ansible/latest/git_module.html](http://docs.ansible.com/ansible/latest/git_module.html)
is pretty robust. If you haven't already, try running the playbook with -vvv
to get extra debug info printed. You might be running in to a (possibly
obscure) local or remote SSH permission issue.

You can use ansible.verbose="vvvv" if you're calling the play via vagrant's
ansible provisioner.

~~~
timwaagh
Of course I tried -vvv and -vvvv. That did not tell me anything for this
issue. I also tried the option where you get a bunch of python scripts. That
told me a lot more than I wanted to know. The obvious option of seeing which
commands it has run and their in and output just does not seem to be in there.

~~~
corford
No idea then, sorry. The only time the git module has failed with me is due to
me fucking up my SSH settings in a convoluted environment (SSH Agent on
windows workstation -> ansible controller on vagrant ubuntu box -> remote AWS
bastion -> repo host with a very restrictive sshd config).

In that case, running ansible verbosely gave enough info to point me in the
direction of fixing what was wrong with my ssh setup (can't remember now what
it was).

