
Inventories and Hosts

Official Tower Docs

An Inventory is a set of hosts your playbook will be run against. Groups are a way of organizing/tagging your inventory so that you can limit which hosts in the inventory a job runs against and override variables for hosts in specific groups.

NOTE FOR ALL: In order for Tower to communicate with your server, the server must be able to receive traffic on port 22 from the subnet listed in the description of the ansible-tower Slack channel.

NOTE FOR OIT JOINTLY MANAGED VM RHEL 7 USERS:

DevEx manages initial setup of the awx_user and SSH keys on your servers. Please email devex@umn.edu with a list of hosts and your cesi unit to have the awx_user added to more jointly managed VMs. RHEL 9 servers have this added automatically according to cesi unit.

Import Inventory from Project

To import an inventory file from your project:

  1. Create a blank inventory. Give it a name and assign it to your organization.
  2. Select the new inventory to see details
  3. Click the 'Sources' Tab
  4. Add
  5. Name the inventory source
  6. Select your source project and enter the path to the inventory file.
    • Note: If your inventory file does not autopopulate in the dropdown, add the path directly and select 'Set source path to "<your path>"' in the dropdown below the field. Do not start with a slash. Ex: environment/prod.yml
  7. Select the 'Override' update option to keep hosts in Tower in sync with your inventory files.
  8. Save

Inventories can also be built manually by adding hosts and groups.

Validate VM is ready

In order for Tower to be able to communicate with and manage a VM, 3 things are required:

  • Python installed
  • SSH working and firewall port 22 (SSH) open to IPs

    -A INPUT -p tcp -m multiport --dports 22 -j f2b-ssh
    -A INPUT -p tcp -m set --match-set ssh_allowed src -m tcp --dport 22 -j ACCEPT
    -A INPUT -s <SUBNET> -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "awx ssh" -j ACCEPT
    -A INPUT -s <SUBNET> -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "awx ssh" -j ACCEPT
    -A INPUT -s <SUBNET> -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "awx ssh" -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "trusted local SSH only" -j tc_trusted_medium
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "InsightVM scan access" -j InsightVM
    -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "awx access" -j awx
    -A awx -s <SUBNET> -p tcp -m tcp --dport 22 -m state --state NEW -m comment --comment "awx ssh" -j ACCEPT
  • User on system with public key that matches the Machine credential
    • Out of the box, if it is a VM provided by OIT/LPT, it should have an awx_user. To check:

    cut -d: -f1 /etc/passwd | sort

  or

    cut -d: -f1 /etc/passwd | sort | grep awx_user
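
The three requirements above can be checked in one pass on the VM. The script below is an added example, not part of the Tower docs or DevEx tooling; its function names are hypothetical, and it assumes awx_user's keys are in the sshd default location (~/.ssh/authorized_keys) and that you have a copy of the Machine credential's public key in a file.

```shell
#!/bin/sh
# Readiness checks for a VM that Tower will manage (added example).
# File paths are parameters so each check can also run against sample files.

# has_user USER [PASSWD_FILE]: account exists (exact match on field 1).
has_user() {
    cut -d: -f1 "${2:-/etc/passwd}" | grep -qxF -- "$1"
}

# allows_ssh_from SUBNET RULES_FILE: an iptables-save style ruleset holds an
# ACCEPT rule for TCP/22 from SUBNET. Text match only: rule order and jumps
# into other chains (f2b-ssh etc.) are not evaluated.
allows_ssh_from() {
    grep -F -- "-s $1 " "$2" | grep -F -- "--dport 22 " | grep -qF -- "-j ACCEPT"
}

# has_key PUBKEY_FILE AUTHORIZED_KEYS: the base64 key blob (field 2) of
# PUBKEY_FILE appears in AUTHORIZED_KEYS; key comment and options are ignored.
has_key() {
    blob=$(awk 'NF >= 2 { print $2; exit }' "$1" 2>/dev/null)
    [ -n "$blob" ] && grep -qF -- "$blob" "$2" 2>/dev/null
}

# has_python: a Python interpreter is on PATH.
has_python() {
    command -v python3 >/dev/null 2>&1 || command -v python >/dev/null 2>&1
}

# report LABEL CMD...: print ok/FAIL for one check and pass its status on.
report() {
    label=$1; shift
    if "$@"; then echo "ok   $label"; else echo "FAIL $label"; return 1; fi
}

# check_vm SUBNET PUBKEY_FILE: run all checks on this host (root is needed
# for iptables-save). Returns non-zero if any check fails.
check_vm() {
    rules=$(mktemp) || return 2
    iptables-save > "$rules" 2>/dev/null
    # Assumption: awx_user's keys are in the sshd default location.
    keys=$(awk -F: '$1 == "awx_user" { print $6 }' /etc/passwd)/.ssh/authorized_keys
    rc=0
    report "python installed" has_python || rc=1
    report "port 22 open to $1" allows_ssh_from "$1" "$rules" || rc=1
    report "awx_user exists" has_user awx_user || rc=1
    report "Machine credential key authorized" has_key "$2" "$keys" || rc=1
    rm -f "$rules"
    return $rc
}

# Runs only when asked: sh check_vm.sh --check <SUBNET> <pubkey file>
if [ "${1:-}" = "--check" ]; then check_vm "$2" "$3"; fi
```

A passing firewall check only shows that a matching ACCEPT rule exists; an earlier rule or chain in INPUT can still drop the connection, so confirm with a test job from Tower.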