Help with callback to tower from AWS auto scaling script

[Adrian Black]

Trying to put the bits together to get an auto scaling group in aws to come on line and create a vm that does a callback to tower for provisionment.

The bit im getting stuck with is the callback part

According to http://docs.ansible.com/ansible-tower/2.2.0/html/userguide/job_templates.html

you use the /usr/share/awx/request_tower_configuration.sh script as a basis

this script looks like it takes arguments so should be called somethig like 

./scripts/request_tower_configuration.sh  ansible.myco.com 84e2d9d26c5977c1b12eb353f1a97aa1 94

I have seen the launch config script snippet like

- name: create launch config

     ec2_lc:

       name: "{{ site_prefix }}-lc"

...

       user_data: "{{ lookup('file', './scripts/request_tower_configuration.sh')}}"

that takes the contents of that file as pastes it as a blob in the user_data field on a created vm but without the arguments you need its useless.

i did try this too but that doesnt work

user_data: "{{ lookup('file', './scripts/site_callback.sh')  ansible.idg.co.uk 84e2d9d26c5977c1b12eb353f1a97aa1 94 }}"

anyone got a working example of how this works?

thanks

[Brian Coca]

for tower related issues please go to http://support.ansible.com or email sup...@ansible.com.

--

Brian Coca

[Adrian Black]

Thanks Brian

I have sent them an email however i think the issue was i was using the private aws ip of the box rather than domain name. I changed that and now its not erroring but also doesnt seem to be executing the callback script as that job no longer shows up, however it does seem to be calling the inventory script. So that's a new issue.

[Adrian Black]

Actually seemed to be not related to the use of ip. In fact changing it to use domain didnt execute the callback as the new calling machine wasnt in the inventory (we set tower to use to use private ips of AWS instances for inventory)

It was proot settings in the ansible tower settings file we had to change to be false 

Here is Ansibles response to my email.

This is a local action on the Tower host, yes? Tower is constricted with proot from executing outside a narrow range of directories. /tmp wouldn't be available. Tower also executes as the awx user locally and out of the box does not have sudo access at all.

So two things are preventing this playbook from running on your Tower host: 1) sudo to root on a local run and proot prevents execution outside the playbook directory locally.

I don't advise giving the awx user the ability to become root locally on Tower: that could lead to users running playbooks against localhost that could essentially do anything. Since you don't need root access to modify things in temp directories, I'd remove the "sudo: true line from your playbook.

As for the inability to execute outside your playbook directories (ie: manipulate files in /tmp) Tower is designed to control other hosts, but sometimes needs to access directories outside that playbook, so you can loosen these security restraints by changing the PROOT setting in /etc/tower/settings.py to "False" and restarting the Tower service:

vi /etc/tower/settings.py

change:

AWX_PROOT_ENABLED = True

to:

AWX_PROOT_ENABLED = False

then issue this command to restart the service (as root):

ansible-tower-service restart

Let us know if you have any questions.