Ansible for IBM Z - Group home

Red Hat Ansible Automation Platform installation on IBM Z and IBM LinuxONE (s390x architecture)

  

Authors: Seeman Mannan, Anastasia Ntogka

Red Hat® Ansible® Automation Platform is available on IBM® Z® and IBM® LinuxONE since December 7th, 2023. This marked an important step towards more centralized and efficient operations management on IBM Z / IBM® LinuxONE.

It alleviates the need to maintain multiple tools and frameworks and allows for an easy automation of system setup and maintenance.

Giving the ability to build on available Ansible Certified Content Collections (see list of collections below), any team that uses it will have an easy starting point.

The Ansible Automation Platform introduces a range of useful features, including Event-Driven Ansible, enabling events to be received from third-party tools and subsequent responsive actions based on predefined rules.

In this blog, we lead you through the step-by-step installation and configuration of the Ansible Automation Platform as a standalone system on IBM Z and IBM LinuxONE (s390x architecture) to help you get it up and running.

Architecture diagram

Component LPAR Hostname
AAC + Installer LPAR 1 aac.example.com
PAH LPAR 2 pah.example.com
EDA LPAR 3 eda.example.com
DATA LPAR 4 data.example.com
    1. For the ansible automation platform installer to be able to connect to the other LPARs, make sure that LPAR 1 can connect with SSH to LPAR 2, 3 and 4.
    2. Make sure all four hostnames are resolvable from each LPAR.

Ansible Automation Platform consists of the following three components,

    • Ansible Automation controller
    • Private Automation Hub
    • Event-Driven Ansible controller

Prerequisites

    1. Registry Service Account
      The Registry Service Account is used to consume container images from registry.redhat.io. Follow the steps below to retrieve the token and username, which will be used while installing the Ansible Automation Platform .

      Login to the URL https://access.redhat.com/RegistryAuthentication#creating-registry-service-accounts-6 by using your RedHat admin credentials. Then click New Service Account
      Provide the Name and Description as per the requirements and click Create.

      Registry Service Account has been created. Click the Account Name to retrieve the token.


      Note: The above username and token from the Registry Service Account will be used in our upcoming Ansible Automation Platform

       installation.

    2. Ansible Automation Platform installation and registration

      Prepare your Red Hat Enterprise Linux (RHEL) machine by registering with Red Hat and installing the "Ansible Automation Platform" on LPAR 1.

      • Register your RHEL system with your username and password 
        subscription-manager register --username <rhel_username> --password <password> --auto-attach
      • Then execute the below command to find the pool id for Ansible Automation Platform 
        subscription-manager list --available --all | grep "Ansible Automation Platform" -B 3 -A 6 | grep Pool
      • Attach the "Ansible Automation Platform" pool to the subscription manager 
        subscription-manager attach --pool= <Ansible Pool-Id from the previous step>


      • System requirements

    Installing multiple LPARs

    Connect to LPAR 1 and run these steps:

      1. Install the AAP installer:

        dnf install --enablerepo=ansible-automation-platform-2.4-for-rhel-9-s390x-rpms ansible-automation-platform-installer

      2. After you have installed Ansible Automation Platform on the LPAR 1, the installed files are located under:

        cd /opt/ansible-automation-platform/installer
ls

        Output:

      3. Replace the existing inventory file with the content below:

        • admin_password: Provide the AAC login password of your choice.
        • pg_password: Provide the database password for AAC of your choice
        • registry_username: Update the username from the Registry Service Account
        • registry_password: Update the token from theRegistry Service Account
        • automationhub_admin_password: Provide the PAH login password of your choice
        • automationhub_pg_password: Provide the database password for PAH of your choice
        • automationedacontroller_admin_password: Provide the EDA login password of your choice
        • automationedacontroller_pg_password: Provide the database password for EDA of your choice

        [automationcontroller]
aac.example.com

[automationhub]
pah.example.com

[automationedacontroller]
eda.example.com

[database]
data.example.com

[all:vars]
admin_password='<AAC-ADMIN-PASSWORD>'
pg_host='data.example.com'
pg_port='5432'
pg_database='awx'
pg_username='awx'
pg_password='<PG-PASSWORD>'
pg_sslmode='prefer'  # set to 'verify-full' for client-side enforced SSL

registry_url='registry.redhat.io'
registry_username='<Registry-Username>'
registry_password='<Registry-Service-Account-Password>'

# {HubNameStart} configuration

automationhub_admin_password='<HUB-ADMIN-PASSWORD>'

automationhub_pg_host='data.example.com'
automationhub_pg_port=5432

automationhub_pg_database='automationhub'
automationhub_pg_username='automationhub'
automationhub_pg_password='<PG-HUB-PASSWORD>'
automationhub_pg_sslmode='prefer'

# Automation {EDAController} configuration

automationedacontroller_admin_password='<EDA-ADMIN-PASSWORD>'

automationedacontroller_pg_host='data.example.com'
automationedacontroller_pg_port=5432

automationedacontroller_pg_database='automationedacontroller'
automationedacontroller_pg_username='automationedacontroller'
automationedacontroller_pg_password='<PG-EDA-PASSWORD>'

# Keystore file to install in SSO node
# sso_custom_keystore_file='/path/to/sso.jks'

# This install will deploy SSO with sso_use_https=True
# Keystore password is required for https enabled SSO
sso_keystore_password=''

# This install will deploy a TLS enabled Automation Hub.
# If for some reason this is not the behavior wanted one can
# disable TLS enabled deployment.
#
# automationhub_disable_https = False
# The default install will generate self-signed certificates for the Automation
# Hub service. If you are providing valid certificate via automationhub_ssl_cert
# and automationhub_ssl_key, one should toggle that value to True.
#
# automationhub_ssl_validate_certs = False
# SSL-related variables
# If set, this will install a custom CA certificate to the system trust store.
# custom_ca_cert=/path/to/ca.crt
# Certificate and key to install in Automation Hub node
# automationhub_ssl_cert=/path/to/automationhub.cert
# automationhub_ssl_key=/path/to/automationhub.key

# Certificate and key to install in nginx for the web UI and API
# web_server_ssl_cert=/path/to/tower.cert
# web_server_ssl_key=/path/to/tower.key
# Server-side SSL settings for PostgreSQL (when we are installing it).
# postgres_use_ssl=False
# postgres_ssl_cert=/path/to/pgsql.crt
# postgres_ssl_key=/path/to/pgsql.key

# Boolean flag used to verify Automation Controller's
# web certificates when making calls from Automation {EDAcontroller}.
# automationedacontroller_controller_verify_ssl = true
#
# Certificate and key to install in Automation {EDAcontroller} node
# automationedacontroller_ssl_cert=/path/to/automationeda.crt
# automationedacontroller_ssl_key=/path/to/automationeda.key

        You can find more information about the inventory file here: Single automation controller, single automation hub, and single Event-Driven Ansible controller node with external (installer managed ) database.

      4. After you have completed the inventory file, run the setup.sh script. The installation begins. Wait until it is completed.

        ./setup.sh

      5. After the installation is completed, use your web browser to open the automationcontroller login URL defined in your inventory file.

        https://aac.example.com/login

      6. Use admin as username and as password use the one you provided under admin_password in the inventory file.

      7. Activate your AAP subscription, then click Next to go through the dialogs:

      8. Now you can see the Ansible Automation Controller (AAC) dashboard :

      9. Check the other two components and log in with the passwords you defined in the inventory file:

        https://pah.example.com/login
https://eda.example.com/login



        Note: If you use local-port-forwarding to connect to the Event Driven Ansible Controller (EDA) make sure you change /etc/hosts to use the FQDN of the EDA (eda.example.com) you defined in the inventory file to point to 127.0.0.1. Otherwise, EDA might reject your requests.

    Available Ansible collections to build from