Setting up Ansible AWX using a docker environment - Part 2 (the docker-compose approach)
In a previous post I wrote about setting up Ansible AWX using a docker environment.
This used Ansible to read in an inventory file, dynamically generate scripts which stored environment variables as well as an overall docker-compose file.
In this post I shall include further details on the files generated using the Ansible approach of setting up AWX.
Then use docker-compose to create the AWX environment.
Files generated using Ansible
When running Ansible to setup AWX. The following files are generated.
- credentials.py
- docker-compose.yml
- environment.sh
- nginx.conf
- SECRET_KEY
Note
As these hold environment specific details you will need to modify these files first to match your environment setup.
These files were generated using the stock inventory file - https://github.com/ansible/awx/blob/devel/installer/inventory
The inventory file tells Ansible where to store the following files. This is identified by the following line.
A user’s home directory under a hidden directory called .awx
docker_compose_dir="~/.awx/awxcompose"
credentials.py
DATABASES = {
'default': {
'ATOMIC_REQUESTS': True,
'ENGINE': 'django.db.backends.postgresql',
'NAME': "awx",
'USER': "awx",
'PASSWORD': "awxpass",
'HOST': "postgres",
'PORT': "5432",
}
}
BROKER_URL = 'amqp://{}:{}@{}:{}/{}'.format(
"guest",
"awxpass",
"rabbitmq",
"5672",
"awx")
CHANNEL_LAYERS = {
'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer',
'ROUTING': 'awx.main.routing.channel_routing',
'CONFIG': {'url': BROKER_URL}}
}
CACHES = {
'default': {
'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
'LOCATION': '{}:{}'.format("memcached", "11211")
},
'ephemeral': {
'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
},
}
environment.sh
DATABASE_USER=awx
DATABASE_NAME=awx
DATABASE_HOST=postgres
DATABASE_PORT=5432
DATABASE_PASSWORD=awxpass
MEMCACHED_HOST=memcached
MEMCACHED_PORT=11211
RABBITMQ_HOST=rabbitmq
RABBITMQ_PORT=5672
AWX_ADMIN_USER=admin
AWX_ADMIN_PASSWORD=password
SECRET_KEY
awxsecret
Note
It’s very important that this stay the same between upgrades or you will lose the ability to decrypt your credentials
docker-compose.yml
In the example below some of the volumes require changing.
- /volume1/docker-data = should match the path to where you would want to host static AWX projects (rather than remotely via a Git repository) * ~/.awx/awx-compose = should match the location where you have all your files
version: '2'
services:
web:
image: ansible/awx_web:9.2.0
container_name: awx_web
depends_on:
- rabbitmq
- memcached
- postgres
ports:
- "80:8052"
hostname: awxweb
user: root
restart: unless-stopped
volumes:
- "~/.awx/awxcompose/SECRET_KEY:/etc/tower/SECRET_KEY"
- "~/.awx/awxcompose/environment.sh:/etc/tower/conf.d/environment.sh"
- "~/.awx/awxcompose/credentials.py:/etc/tower/conf.d/credentials.py"
- "~/.awx/awxcompose/nginx.conf:/etc/nginx/nginx.conf:ro"
- "/volume1/docker-data/awx/projects:/var/lib/awx/projects:rw"
- "/etc/localtime:/etc/localtime:ro"
environment:
http_proxy:
https_proxy:
no_proxy:
task:
image: ansible/awx_task:9.2.0
container_name: awx_task
depends_on:
- rabbitmq
- memcached
- web
- postgres
hostname: awx
user: root
restart: unless-stopped
volumes:
- "~/.awx/awxcompose/SECRET_KEY:/etc/tower/SECRET_KEY"
- "~/.awx/awxcompose/environment.sh:/etc/tower/conf.d/environment.sh"
- "~/.awx/awxcompose/credentials.py:/etc/tower/conf.d/credentials.py"
- "/volume1/docker-data/awx/projects:/var/lib/awx/projects:rw"
- "/etc/localtime:/etc/localtime:ro"
environment:
http_proxy:
https_proxy:
no_proxy:
rabbitmq:
image: ansible/awx_rabbitmq:3.7.4
container_name: awx_rabbitmq
restart: unless-stopped
environment:
RABBITMQ_DEFAULT_VHOST: "awx"
RABBITMQ_DEFAULT_USER: "guest"
RABBITMQ_DEFAULT_PASS: "awxpass"
RABBITMQ_ERLANG_COOKIE: cookiemonster
http_proxy:
https_proxy:
no_proxy:
memcached:
image: "memcached:alpine"
container_name: awx_memcached
restart: unless-stopped
environment:
http_proxy:
https_proxy:
no_proxy:
postgres:
image: postgres:10
container_name: awx_postgres
restart: unless-stopped
volumes:
- /volume1/docker-data/awx/postgres/10/data/:/var/lib/postgresql/data/pgdata:Z
environment:
POSTGRES_USER: awx
POSTGRES_PASSWORD: awxpass
POSTGRES_DB: awx
PGDATA: /var/lib/postgresql/data/pgdata
http_proxy:
https_proxy:
no_proxy:
nginx.conf
If you were using nginx then the awx_web docker container makes use of this conf file.
#user awx;
worker_processes 1;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
server_tokens off;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /dev/stdout main;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
sendfile on;
#tcp_nopush on;
#gzip on;
upstream uwsgi {
server 127.0.0.1:8050;
}
upstream daphne {
server 127.0.0.1:8051;
}
server {
listen 8052 default_server;
# If you have a domain name, this is where to add it
server_name _;
keepalive_timeout 65;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
# Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
add_header X-Frame-Options "DENY";
location /nginx_status {
stub_status on;
access_log off;
allow 127.0.0.1;
deny all;
}
location /static/ {
alias /var/lib/awx/public/static/;
}
location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
location /websocket {
# Pass request to the upstream alias
proxy_pass http://daphne;
# Require http version 1.1 to allow for upgrade requests
proxy_http_version 1.1;
# We want proxy_buffering off for proxying to websockets.
proxy_buffering off;
# http://en.wikipedia.org/wiki/X-Forwarded-For
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# enable this if you use HTTPS:
proxy_set_header X-Forwarded-Proto https;
# pass the Host: header from the client for the sake of redirects
proxy_set_header Host $http_host;
# We've set the Host header, so we don't need Nginx to muddle
# about with redirects
proxy_redirect off;
# Depending on the request value, set the Upgrade and
# connection headers
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
}
location / {
# Add trailing / if missing
rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
uwsgi_read_timeout 120s;
uwsgi_pass uwsgi;
include /etc/nginx/uwsgi_params; proxy_set_header X-Forwarded-Port 443;
uwsgi_param HTTP_X_FORWARDED_PORT 443;
}
}
}
Using docker-compose
Once you have validated that the files shown above are correct and match your environment.
This assumes you have all the files stored within your home directory
~/.awx/docker-compose
cd ~/.awx/docker-compose
docker-compose up -d
Docker containers
This will setup and run the 5 docker containers.
- awx_web
- awx_task
- awx_postgres
- awx_memcached
- awx_rabbitmq