Ansible Tower 3.5.1 平台部署和破解

原创

Ansible Tower 3.5.1 平台部署和破解

Ansible Tower (以前叫’AWX’)是能够帮助任何IT团队更容易使用Ansible的解决方案。该方案基于web。

Tower允许对用户进行权限控制，即使某用户不能传送某SSH凭证，你也可以通过Tower来对该用户共享该凭证。我们可以通过图形化界面来管理Inventory，也可以对各种各样的云资源做同步。Tower可以记录所有job的日志，也可以与LDAP集成，并且拥有强大的可浏览的REST API。Tower也提供了命令行工具，可以与Jenkins轻松集成。Provisioning回调对自动伸缩拓扑图提供了强大的支持。

• 官方网站：https://www.ansible.com/products/tower
• 中文指南：http://www.ansible.com.cn/docs/tower.html
• 官方安装文档：http://docs.ansible.com/ansible-tower/latest/html/quickinstall/index.html
• 官方源地址：http://releases.ansible.com/ansible-tower/setup-bundle/

请使用系统原生Python安装，否则很多依赖包会找不到

更新yum源

更新阿里云YUM源
1、备份
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
2、下载新的CentOS-Base.repo 到/etc/yum.repos.d/

## CentOS 6
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-6.repo

##CentOS 7
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo

3、清理并重建缓存

yum clean all
yum makecache

更新阿里云EPEL源
1、备份(如有配置其他epel源)

mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
mv /etc/yum.repos.d/epel-testing.repo /etc/yum.repos.d/epel-testing.repo.backup

2、下载新repo 到/etc/yum.repos.d/

## epel(RHEL 7)
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

## epel(RHEL 6)
wget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-6.repo

安装、配置PostgreSQL

1、添加RPM

yum install https://download.postgresql.org/pub/repos/yum/9.6/redhat/rhel-7-x86_64/pgdg-centos96-9.6-3.noarch.rpm

2、安装PostgreSQL 9.6
yum install postgresql96-server postgresql96-contrib
3、初始化数据库
/usr/pgsql-9.6/bin/postgresql96-setup initdb
4、设置开机自启动
systemctl enable postgresql-9.6.service
5、启动服务
systemctl start postgresql-9.6.service
6、查看版本
psql --version
7、检查服务状态

systemctl status postgresql-9.6.service
netstat -anp|grep 5432

如果遇到启动失败，删除/var/lib/pgsql/9.6/data/pg_log
再重新初始化数据库
#/usr/pgsql-9.6/bin/postgresql96-setup initdb
Initializing database … OK

8、用户配置

su - postgres
psql -U postgres
postgres=# ALTER USER postgres WITH PASSWORD '123456';
postgres=# CREATE ROLE tower CREATEDB PASSWORD 'admin' LOGIN;
postgres=# \q

#修改配置

sed -i 's#peer#md5#g' /var/lib/pgsql/9.6/data/pg_hba.conf
sed -i 's#ident#md5#g' /var/lib/pgsql/9.6/data/pg_hba.conf

9、开启远程访问

vi /var/lib/pgsql/9.6/data/postgresql.conf

#修改listen_addresses = 'localhost' 为 ：
listen_addresses='*' 

#退出postgres用户
exit

10、信任远程连接

# vi /var/lib/pgsql/9.6/data/pg_hba.conf

###修改如下内容，信任指定服务器连接
# IPv4 local connections:
host    all            all      127.0.0.1/32      ident
host    all            all      192.168.137.1/32（需要连接的服务器IP）  trust

11、重启服务

systemctl restart postgresql-9.6.service

12、测试用户连接
输入密码连接，并创建数据库

# psql -U tower -d postgres -h 127.0.0.1
\\ 输入密码
postgres=> create database tower;
CREATE DATABASE
postgres=> \q

安装、配置rabbitmq

1、下载rabbitmq
下载地址：https://www.rabbitmq.com/install-rpm.html#downloads
wget http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.6/rabbitmq-server-3.6.6-1.el7.noarch.rpm
wget https://github.com/rabbitmq/rabbitmq-server/releases/download/v3.7.15/rabbitmq-server-3.7.15-1.el7.noarch.rpm

2、下载erlang
下载地址：http://www.rabbitmq.com/releases/erlang
wget https://www.rabbitmq.com/releases/erlang/erlang-19.0.4-1.el7.centos.x86_64.rpm

3、安装（注意顺序，不要颠倒）
安装erlang

rpm -ivh erlang-19.0.4-1.el7.centos.x86_64.rpm
yum install erlang

测试是否安装成功

安装rabbitmq

rpm -ivh rabbitmq-server-3.6.6-1.el7.noarch.rpm

//在安装rabbitmq时提示依赖
//在安装rabbitmq时提示依赖socat
yum install socat
然后再次安装rabbitmq

4、启动服务

systemctl enable rabbitmq-server
systemctl start rabbitmq-server

如果报错，执行journalctl -xe 检查报错信息，一般是hostname问题

5、添加用户admin，密码admin123，并将admin添加至管理员组

rabbitmqctl add_user admin admin123
rabbitmqctl set_user_tags admin administrator

6、然后，我们启用WEB管理。

rabbitmq-plugins enable rabbitmq_management

至此，就可以用过浏览器访问rabbitmq了。

http://ip:15672

用户就是刚才创建的admin

安装准备

开始安装

cd /opt/
wget https://releases.ansible.com/ansible-tower/setup/ansible-tower-setup-3.5.1-1.tar.gz
tar zxvf ansible-tower-setup-3.5.1-1.tar.gz
cd ansible-tower-setup-3.5.1-1/

复制以下内容覆盖 /opt/ansible-tower-setup-3.5.1-1/inventory 文件 (安装配置的清单文件)

[tower]
localhost ansible_connection=local

[database]

[all:vars]
admin_password='admin'

pg_host='127.0.0.1'
pg_port='5432'

pg_database='tower'
pg_username='tower'
pg_password='admin'

rabbitmq_port=5672
rabbitmq_vhost=localhost
rabbitmq_username=admin
rabbitmq_password='admin123'
rabbitmq_cookie=cookiemonster

# Needs to be true for fqdns and ip addresses
rabbitmq_use_long_name=false

# Isolated Tower nodes automatically generate an RSA key for authentication;
# To disable this behavior, set this value to false
# isolated_key_generation=true

修改yum源

#修改yum源
sed -i 's#dl.fedoraproject.org/pub#mirrors.ustc.edu.cn#g' roles/repos_el/defaults/main.yml

yum -y install centos-release-scl-rh centos-release-scl
sed -i 's#mirror.centos.org#centos.ustc.edu.cn#g' /etc/yum.repos.d/CentOS-SCLo-scl.repo
sed -i 's#mirror.centos.org#centos.ustc.edu.cn#g' /etc/yum.repos.d/CentOS-SCLo-scl-rh.repo
yum -y install supervisor

#根据 /etc/supervisord.conf 修改 supervisor.sock 位置
sed -i 's#/var/run/supervisor/supervisor.sock#/var/run/supervisor.sock#g' roles/supervisor/vars/RedHat.yml

运行安装 ./setup.py

# 手动创建nginx用户和组 ，否则会报错。
groupadd nginx
useradd -r -g nginx -s /sbin/nologin -M nginx

运行安装程序

cd /opt/ansible-tower-setup-3.5.1-1/
./setup.sh

全程大约10分钟左右，如无报错，看到如下信息，说明安装成功了。

默认用户为admin,密码为inventory文件admin_password字段配置的密码,我这里配置的密码也为admin.

报错1

TASK [postgres : create the postgres user and set the password] *************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Failed to import the required Python library (psycopg2) on admin1-ops-prod-bj2's Python /usr/bin/python. Please read module documentation and install in the appropriate location"}

解决方法：

pip install psycopg2

报错2

TASK [repos_el : Install yum repos that arrive via release packages] ********************************************************
[DEPRECATION WARNING]: Invoking "yum" only once while using a loop via squash_actions is deprecated. Instead of using a loop
 to supply multiple items and specifying `name: "{{ item }}"`, please use `name: '{{ yum_repo_packages }}'` and remove the
loop. This feature will be removed in version 2.11. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
failed: [localhost] (item=[u'centos-release-scl']) => {"ansible_loop_var": "item", "changed": false, "item": ["centos-release-scl"], "msg": "The Python 2 bindings for rpm are needed for this module. If you require Python 3 support use the `dnf` Ansible module instead.. The Python 2 yum module is needed for this module. If you require Python 3 support use the `dnf` Ansible module instead."}

解决方法：
#使用python导入模块失败：https://blog.51cto.com/qiangsh/2091266

[ root@tower-server ]# python
Python 3.6.8 (default, Jul 25 2019, 15:22:10)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-36)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import yum
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'yum'
>>>

#在group_vars/all中加入以下配置
ansible_python_interpreter: '/usr/bin/python2.6'

报错3

TASK [packages_el : Install the Tower RPM.] *********************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "No package matching 'ansible-tower == 3.5.1' found available, installed or updated", "rc": 126, "results": ["No package matching 'ansible-tower == 3.5.1' found available, installed or updated"]}

ansible-tower包找不到,根据自动生成的repo，发现http://releases.ansible.com/ansible-tower/setup/ 该仓库是有对应版本的包的。只是enable=0被禁用了。

解决办法:

手动建一个repo,避免修改后被覆盖

cat >/etc/yum.repos.d/Ansible-Tower.repo <<EOF
[Ansible-Tower]
name=Ansible Tower Repository - $releasever $basearch
baseurl=http://releases.ansible.com/ansible-tower/rpm/epel-7-$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-ansible-release
EOF

再次执行setup.sh后成功安装并运行ansible-tower

报错4
#我的安装完成后，页面502错误，检查发现nginx没权限读取/var/run/tower/uwsgi.sock
解决方法：

# ll /var/run/tower/uwsgi.sock
srw-rw---- 1 awx nginx 0 Jul  9 11:30 /var/run/tower/uwsgi.sock

# 修改nginx配置字段
# vim /etc/nginx/nginx.conf
user awx nginx;

破解

HOSTS限制破解

反汇编init.pyc

pip install uncompyle6

cd /var/lib/awx/venv/awx/lib/python3.6/site-packages/tower_license
uncompyle6 __init__.pyc >__init__.py
rm -f __init__.pyc __init__.pyo

更改文件init.py

cd /var/lib/awx/venv/awx/lib/python3.6/site-packages/tower_license/

vim __init__.py

# _check_cloudforms_subscription方法修改如下内容,特别需要注意格式,如下:
 81     def _check_cloudforms_subscription(self):
 # 添加下面一行直接返回 True
 82         return True
 83         if os.path.exists('/var/lib/awx/i18n.db'):
 84             return True
 85         else:
 86             if os.path.isdir('/opt/rh/cfme-appliance'):
 87                 if os.path.isdir('/opt/rh/cfme-gemset'):
 88                     pass
 89             try:
 90                 has_rpms = subprocess.call(['rpm', '--quiet', '-q', 'cfme', 'cfme-appliance', 'cfme-gemset'])
 91                 if has_rpms == 0:
 92                     return True
 93             except OSError:
 94                 pass
 95
 96             return False

修改 license_date=253370764800L 为 license_date=253370764800

 74     def _generate_cloudforms_subscription(self):
 75         self._attrs.update(dict(company_name='Red Hat CloudForms License', instance_count=9999999,
 76           license_date=253370764800,
 77           #license_date=253370764800L,
 78           license_key='xxxx',
 79           license_type='enterprise',
 80           subscription_name='Red Hat CloudForms License'))

修改完重新编译一下:

python -m py_compile __init__.py
python -O -m py_compile __init__.py

重启服务:
ansible-tower-service restart

打开https://your_ip/#/license ,发现"Hosts Available"变成了9999999台,说明破解成功,如下:

查看日志：

/var/log/tower/setup-***********.log           # 安装报错
tail -100f /var/log/tower/tower.log
tail -100f /var/log/supervisor/supervisord.log

©著作权归作者所有：来自51CTO博客作者qianghong000的原创作品，如需转载，请注明出处，否则将追究法律责任