3 Preparing the Database and Hosts
The following chapter provides information about setting up the network firewalls, database, and hosts for your Oracle Linux Automation Manager installation. This chapter also discusses how to enable the repositories to install the Oracle Linux Automation Manager packages.
Setting Up the Network
This section describes the generic networking requirements for the Oracle Linux Automation Manager hosts and the database host, and shows an example of how to set up the network to enable communication between the Oracle Linux Automation Manager host and the inventory hosts in an environment.
Setting Up the Firewall Rules
Oracle Linux 8 installs and enables firewalld, by default. Example commands to open the ports and to set up the firewall rules are provided below.
On the Oracle Linux Automation Manager hosts, run the following firewalld commands:
sudo firewall-cmd --add-port=27199/tcp --permanent
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Note:
Port 27199 provides a TCP listener port for the Oracle Linux Automation Manager service mesh and must be open on each node in the mesh. The HTTP and HTTPS ports are for the Nginx server.
If you choose to install a remote database, open the following port on the host running the database:
sudo firewall-cmd --add-port=5432/tcp --permanent
sudo firewall-cmd --reload
Enabling Access to the Oracle Linux Automation Manager Packages
This section contains information on setting up the locations for the operating system on which you want to install the Oracle Linux Automation Manager software packages.
Enabling Channels with ULN
If you are registered to use ULN, use the ULN web interface to subscribe the system to the appropriate channels.
To subscribe to the ULN channels:
- Log in to https://linux.oracle.com with your ULN user name and password.
- On the Systems tab, click the link named for the system in the list of registered machines.
- On the System Details page, click Manage Subscriptions.
- On the System Summary page, select each required channel from the list of available channels and click the right arrow to move the channel to the list of subscribed channels. Subscribe the system to the following channels:
  - ol8_x86_64_automation2
  - ol8_x86_64_addons
  - ol8_x86_64_baseos_latest
  - ol8_x86_64_UEKR6 or ol8_x86_64_UEKR7
  - ol8_x86_64_appstream
- Click Save Subscriptions.
Enabling Repositories with the Oracle Linux Yum Server
If you are using the Oracle Linux yum server for system updates, enable the required yum repositories.
To enable the yum repositories:
- Use the dnf config-manager tool to enable the ol8_baseos_latest repository.
  sudo dnf config-manager --enable ol8_baseos_latest
  Note:
  This repository is typically enabled by default.
- Install oraclelinux-automation-manager-release-el8:
  sudo dnf install oraclelinux-automation-manager-release-el8-2.1
- Enable the following yum repositories, including the Oracle Linux Automation Manager release 2 repository:
  - ol8_addons
  - ol8_UEKR6 or ol8_UEKR7
  - ol8_appstream
  Use the dnf config-manager tool to enable the yum repositories and do one of the following:
  - If you are using ol8_UEKR6, use the following command:
    sudo dnf config-manager --enable ol8_addons ol8_UEKR6 ol8_appstream
  - If you are using ol8_UEKR7, use the following command:
    sudo dnf config-manager --enable ol8_addons ol8_UEKR7 ol8_appstream
Setting Up a Local or Remote Database
To set up a local or remote PostgreSQL database instance on Oracle Linux 8 for Oracle Linux Automation Manager single host or multi-host configurations, do the following:
- Install and configure Oracle Linux 8 on a host.
- If the database is remote, open the database port in the firewall as described in Setting Up the Firewall Rules.
- Enable the postgresql 12 or postgresql 13 module stream.
  sudo dnf module reset postgresql
  sudo dnf module enable postgresql:12
  or
  sudo dnf module reset postgresql
  sudo dnf module enable postgresql:13
  Note:
  For more information about the PostgreSQL 12 and 13 life cycle, see the appendix discussing the application life cycle for stream modules in Oracle Linux: Managing Software on Oracle Linux.
- Install the database.
  sudo dnf install postgresql-server
- Initialize the database:
  sudo postgresql-setup --initdb
- In the /var/lib/pgsql/data/postgresql.conf file, switch the password storage mechanism from md5 to scram-sha-256. For example, the following command makes the switch for you:
  sudo sed -i "s/#password_encryption.*/password_encryption = scram-sha-256/" /var/lib/pgsql/data/postgresql.conf
- Start the database using the following command, which also ensures that the database restarts if the host restarts:
  sudo systemctl enable --now postgresql
- Ensure the database is running:
  sudo systemctl status postgresql
- Create the database user accounts. For example:
  sudo su - postgres -c "createuser -S -P awx"
- Enter and confirm the password for the awx user.
  Enter password for new role:
  Enter it again:
- Create the database.
  sudo su - postgres -c "createdb -O awx awx"
- As the root user, in the /var/lib/pgsql/data/pg_hba.conf file add the following line:
  host all all 0.0.0.0/0 scram-sha-256
- As the root user, in the /var/lib/pgsql/data/postgresql.conf file in the # CONNECTIONS AND AUTHENTICATION section, add a line with the text listen_addresses = followed by the IP address or host name of your database in single quotes. For example:
  listen_addresses = '<IP address or host name>'
  #listen_addresses = 'localhost'   # what IP address(es) to listen on;
                                    # comma-separated list of addresses;
                                    # defaults to 'localhost'; use '*' for all
                                    # (change requires restart)
  #port = 5432                      # (change requires restart)
  In the previous example, <IP address or host name> is the IP address or host name of the database.
- Restart the database.
  sudo systemctl restart postgresql
You are now ready to set up your hosts as described in Setting up Hosts.
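A check for the two authentication settings made in the steps above, as an added example that is not part of the original chapter. It reports the effective password_encryption value (the last active line wins, and the sed command only rewrites a commented-out line) and lists pg_hba.conf network rules that allow md5, password or trust, or that accept any source address, such as the 0.0.0.0/0 line. The function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.
# Pass file paths as arguments so the checks can run on copies of the files.

# Print the effective password_encryption value, or "unset".
# PostgreSQL uses the last active line; commented-out lines are ignored.
effective_password_encryption() {
    awk '
        /^[ \t]*password_encryption[ \t=]/ {
            v = $0
            sub(/^[ \t]*password_encryption[ \t]*=?[ \t]*/, "", v)
            sub(/[ \t]*#.*/, "", v)     # drop trailing comment
            gsub(/'\''/, "", v)         # drop optional quotes
            sub(/[ \t]+$/, "", v)
            val = v
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Print "<line>:weak-method:<method>" for network rules that allow md5,
# password or trust, and "<line>:any-source:<address>" for rules open to all.
audit_pg_hba() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 !~ /^host/ { next }          # local (Unix socket) rules have no address
        {
            # address is either CIDR ($4) or address plus netmask ($4 $5)
            method = ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? $6 : $5
            if (method == "md5" || method == "password" || method == "trust")
                print NR ":weak-method:" method
            if ($4 == "0.0.0.0/0" || $4 == "::/0" || $4 == "all")
                print NR ":any-source:" $4
        }
    ' "$1"
}

# Constructed sample files (not from a real host).
sample=$(mktemp -d)
printf '%s\n' '#password_encryption = md5' 'password_encryption = md5  # active' \
    > "$sample/postgresql.conf"
printf '%s\n' '# TYPE DATABASE USER ADDRESS METHOD' 'local all all peer' \
    'host all all 127.0.0.1/32 md5' 'host all all 0.0.0.0/0 scram-sha-256' \
    > "$sample/pg_hba.conf"
effective_password_encryption "$sample/postgresql.conf"
audit_pg_hba "$sample/pg_hba.conf"
```

An any-source finding is expected for the line this chapter adds; it marks the rule whose address range can be narrowed to the Oracle Linux Automation Manager hosts.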
Setting up Hosts
This section provides information for setting up one or more hosts intended to run Oracle Linux Automation Manager in any of the configurations listed in Installation Options.
To set up one or more hosts:
- Install Oracle Linux Automation Manager.
  sudo dnf install ol-automation-manager
- If you are creating a cluster, choose the /etc/tower/SECRET_KEY from one node and replace the value of the /etc/tower/SECRET_KEY on all other nodes with the value from your chosen node. Ensure the file user and group ownership is awx:awx on all nodes. The end result should be that all nodes have the same value in their /etc/tower/SECRET_KEY file.
- Edit the /etc/redis.conf file to include the following lines:
  unixsocket /var/run/redis/redis.sock
  unixsocketperm 775
- Edit the /etc/tower/settings.py file to configure the CLUSTER_HOST_ID field:
  CLUSTER_HOST_ID = "hostname or ip address"
  In the previous example, hostname or ip address is the hostname or IP address of the system running Oracle Linux Automation Manager. If hostname is used, the host must be resolvable.
- Replace the existing DATABASES fields with the following fields:
  DATABASES = {
      'default': {
          'ATOMIC_REQUESTS': True,
          'ENGINE': 'awx.main.db.profiled_pg',
          'NAME': 'awx',
          'USER': 'awx',
          'PASSWORD': 'password',
          'HOST': 'database hostname or ip address',
          'PORT': '5432',
      }
  }
  In the previous example, database hostname or ip address is the hostname or IP address of the local or remote database. If hostname is used, the host must be resolvable. password is the password for your database, if you have configured one.
- If you have playbooks designed to run longer than the default reaper timeout of 60 seconds, change the REAPER_TIMEOUT_SEC parameter to increase the timeout. For example,
  REAPER_TIMEOUT_SEC=<longest_playbook_time>
  In the previous example, <longest_playbook_time> is a number of seconds that exceeds the duration of the longest playbook runtime.
- Run the following commands on all hosts:
  sudo su -l awx -s /bin/bash
  podman system migrate
  podman pull container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:latest
  exit
  Note:
  After you finish installing Oracle Linux Automation Manager, you can configure whether you want your Execution Environments to always pull the latest olam-ee container image when running playbooks, or use some other option or custom image. For more information about these options, see Oracle Linux Automation Manager 2.1: User's Guide. For more information about Private Automation Hub, see Oracle Linux Automation Manager 2.1: Private Automation Hub User's Guide.
  Note:
  The previous command assumes that you are pulling the olam-ee image directly from the Oracle Container Registry. If you are using Private Automation Hub or have set up a custom container registry, you can pull the image from there instead. In addition, you can configure Oracle Linux Automation Manager to always pull from that container registry by replacing the Oracle Container Registry path with your custom container registry path in the following fields in the /etc/tower/settings.py file:
  GLOBAL_JOB_EXECUTION_ENVIRONMENTS = [{'name': 'OLAM EE (latest)', 'image': 'container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:latest'}]
  CONTROL_PLANE_EXECUTION_ENVIRONMENT = 'container-registry.oracle.com/oracle_linux_automation_manager/olam-ee:latest'
- Run the following commands on one control host (in a clustered deployment) or on the single host (in single host deployment):
  sudo su -l awx -s /bin/bash
  awx-manage migrate
  awx-manage createsuperuser --username admin --email email
  In the previous example, email is the email address of the admin user.
- Enter and repeat the password for the admin user.
  Password:
  Password (again):
- Exit the awx user.
  exit
- On all hosts, generate SSL certificates for NGINX:
  Note:
  The following instruction explains how to create a self-signed certificate for use by NGINX as part of Oracle Linux Automation Manager. It is recommended that on production systems you use CA signed certificates for this purpose. For more information on working with SSL certificates, see Oracle Linux: Managing Certificates and Public Key Infrastructure.
  sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/tower/tower.key -out /etc/tower/tower.crt
- Remove any default configuration for NGINX. Edit /etc/nginx/nginx.conf to contain the following configuration:
  user nginx;
  worker_processes auto;
  error_log /var/log/nginx/error.log;
  pid /run/nginx.pid;
  # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
  include /usr/share/nginx/modules/*.conf;
  events {
      worker_connections 1024;
  }
  http {
      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
      access_log  /var/log/nginx/access.log  main;
      sendfile            on;
      tcp_nopush          on;
      tcp_nodelay         on;
      keepalive_timeout   65;
      types_hash_max_size 2048;
      include             /etc/nginx/mime.types;
      default_type        application/octet-stream;
      # Load modular configuration files from the /etc/nginx/conf.d directory.
      # See http://nginx.org/en/docs/ngx_core_module.html#include
      # for more information.
      include /etc/nginx/conf.d/*.conf;
  }
  Note:
  For advanced NGINX users, the Oracle Linux Automation Manager NGINX configuration file is located in /etc/nginx/conf.d/ol-automation-manager-nginx.conf. For example, you may use a different version of TLS or have different ciphers configured. If you have an existing customized NGINX setup, ensure that you also apply the ol-automation-manager-nginx.conf settings.
You are now ready to install Oracle Linux Automation Manager in a cluster or on a single host. For more information, see Installing Oracle Linux Automation Manager on a Single-Host Deployment and Installing Oracle Linux Automation Manager in a Clustered Deployment.
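One way to confirm the cluster step above, that every node holds the same /etc/tower/SECRET_KEY with awx:awx ownership, by comparing SHA-256 digests rather than the key itself. This is an added example, not part of the original chapter; the function names, node names and key files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Function names are hypothetical.

# Print the SHA-256 digest of a key file, so nodes can be compared
# without copying or displaying the key itself.
secret_key_digest() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Succeed if the file is owned by the expected user:group (default awx:awx).
secret_key_owner_ok() {
    [ "$(stat -c '%U:%G' "$1")" = "${2:-awx:awx}" ]
}

# Read "node digest" lines on stdin, treating the first line as the chosen
# node. Print every node whose digest differs; return 1 if any does.
mismatched_nodes() {
    awk 'NR == 1 { ref = $2; next }
         $2 != ref { print $1; bad = 1 }
         END { exit (bad ? 1 : 0) }'
}

# Constructed stand-ins for three nodes' /etc/tower/SECRET_KEY files.
keys=$(mktemp -d)
printf 'constructed-key-A' > "$keys/node1"
cp "$keys/node1" "$keys/node2"
printf 'constructed-key-B' > "$keys/node3"

# On real nodes, run secret_key_digest on each host and collect the output.
digest_report() {
    for n in node1 node2 node3; do
        printf '%s %s\n' "$n" "$(secret_key_digest "$keys/$n")"
    done
}
digest_report | mismatched_nodes || echo "SECRET_KEY differs on the nodes listed above"
secret_key_owner_ok "$keys/node1" || echo "node1: owner is not awx:awx"
```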