To troubleshoot communication between the controller nodes and execution nodes in Ansible Automation Platform, you can follow these steps: <\/p>\n\n\n\n
Receptor is a networking layer that provides a mechanism for the Ansible Platform to communicate with execution nodes (formerly known as managed nodes). When working with the newer versions of Ansible Automation Platform, Receptor serves as the underlying communication backbone. <\/p>\n\n\n\n
Here are some steps and commands you can use to troubleshoot Receptor communication between an Ansible Controller and execution nodes: <\/p>\n\n\n\n
receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock status <\/code><\/pre>\n\n\n\nExample output:<\/p>\n\n\n\n
Node ID: aap01.example.net \n
\nVersion: 1.4.1 \n
\nSystem CPU Count: 2 \n
\nSystem Memory MiB: 7761 \n
\n
\n
\nConnection Cost \n
\naap02.example.net 1 \n
\naap03.example.net 1 \n
\naap01gcp.example.net 1 \n
\n
\n
\nKnown Node Known Connections \n
\naap01.example.net aap02.example.net: 1 aap03.example.net: 1 aap01gcp.example.net: 1 \n
\naap02.example.net aap01.example.net: 1 aap03.example.net: 1 aap01gcp.example.net: 1 \n
\naap03.example.net aap01.example.net: 1 aap02.example.net: 1 aap01gcp.example.net: 1 \n
\naap01gcp.example.net aap01.example.net: 1 aap02.example.net: 1 aap03.example.net: 1 \n
\n
\n
\nRoute Via \n
\naap02.example.net aap02.example.net \n
\naap03.example.net aap03.example.net \n
\naap01gcp.example.net aap01gcp.example.net \n
\n
\n
\nNode Service Type Last Seen Tags \n
\naap01.example.net control StreamTLS 2023-09-13 14:26:18 {'type': 'Control Service'} \n
\naap01gcp.example.net control StreamTLS 2023-09-13 14:25:54 {'type': 'Control Service'} \n
\naap03.example.net control StreamTLS 2023-09-13 14:25:24 {'type': 'Control Service'} \n
\naap02.example.net control StreamTLS 2023-09-13 14:25:54 {'type': 'Control Service'} \n
\n
\n
\nNode Secure Work Types \n
\naap01.example.net local, kubernetes-runtime-auth, kubernetes-incluster-auth \n
\naap01gcp.example.net ansible-runner \n
\naap03.example.net local, kubernetes-runtime-auth, kubernetes-incluster-auth \n
\naap02.example.net local, kubernetes-runtime-auth, kubernetes-incluster-auth <\/code><\/pre>\n\n\n\nReview Receptor Logs. Logs can be found in the system’s journal. You can view them using: <\/p>\n\n\n\n
journalctl -u receptor <\/code><\/pre>\n\n\n\nVerify mesh level communication. From the Ansible Controller, you can try pinging the execution node using the receptor command to see if it’s reachable: <\/p>\n\n\n\n
[root@aap01 receptor]# receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock ping aap02.example.net \n
\nReply from aap02.example.net in 811.135\u00b5s \n
\nReply from aap02.example.net in 814.871\u00b5s \n
\nReply from aap02.example.net in 852.096\u00b5s \n
\nReply from aap02.example.net in 848.816\u00b5s \n
\n[root@aap01 receptor]# receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock ping aap01gcp.example.net \n
\nReply from aap01gcp.example.net in 4.143774ms \n
\nReply from aap01gcp.example.net in 4.049415ms \n
\nReply from aap01gcp.example.net in 7.643543ms \n
\nReply from aap01gcp.example.net in 4.131193ms <\/code><\/pre>\n\n\n\nRepeat the test from the execution node to the controller nodes: <\/p>\n\n\n\n
[root@aap01gcp ~]# receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock ping aap01.example.net \n
\nReply from aap01.example.net in 3.998636ms \n
\nReply from aap01.example.net in 4.07025ms \n
\nReply from aap01.example.net in 4.053869ms \n
\nReply from aap01.example.net in 4.43546ms \n
\n
\n
\n[root@aap01gcp ~]# receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock ping aap02.example.net \n
\nReply from aap02.example.net in 3.131143ms \n
\nReply from aap02.example.net in 3.118211ms \n
\nReply from aap02.example.net in 3.35466ms \n
\nReply from aap02.example.net in 3.120776ms <\/code><\/pre>\n\n\n\n\n- The receptor\u2019s configuration should not change. If you suspect that the configuration has changed, review the receptor configuration. Ensure that the receptor configuration files on both the Controllers and the execution node(s) are correctly configured. The configuration is in \/etc\/receptor\/receptor.conf. Review this file for any misconfigurations. The following configuration file has been configured during the installation:<\/li>\n<\/ul>\n\n\n\n
[root@aap01 receptor]# cat receptor.conf \n
\n--- \n
\n- node: \n
\n id: aap01.example.net \n
\n firewallrules: \n
\n - action: \"reject\" \n
\n tonode: \"aap01.example.net\" \n
\n toservice: \"control\" \n
\n
\n
\n- work-signing: \n
\n privatekey: \/etc\/receptor\/work_private_key.pem \n
\n tokenexpiration: 1m \n
\n
\n
\n- work-verification: \n
\n publickey: \/etc\/receptor\/work_public_key.pem \n
\n
\n
\n
\n
\n# Log Level \n
\n- log-level: info \n
\n
\n
\n# Control Service \n
\n- control-service: \n
\n service: control \n
\n filename: \/var\/run\/awx-receptor\/receptor.sock \n
\n permissions: 0660 \n
\n tls: tls_server \n
\n
\n
\n# TLS \n
\n- tls-server: \n
\n name: tls_server \n
\n cert: \/etc\/receptor\/tls\/aap01.example.net.crt \n
\n key: \/etc\/receptor\/tls\/aap01.example.net.key \n
\n clientcas: \/etc\/receptor\/tls\/ca\/mesh-CA.crt \n
\n requireclientcert: true \n
\n
\n
\n- tls-client: \n
\n name: tls_client \n
\n cert: \/etc\/receptor\/tls\/aap01.example.net.crt \n
\n key: \/etc\/receptor\/tls\/aap01.example.net.key \n
\n rootcas: \/etc\/receptor\/tls\/ca\/mesh-CA.crt \n
\n insecureskipverify: false \n
\n
\n
\n
\n
\n# Peers \n
\n- tcp-peer: \n
\n address: aap02.example.net:27199 \n
\n redial: true \n
\n tls: tls_client \n
\n- tcp-peer: \n
\n address: aap03.example.net:27199 \n
\n redial: true \n
\n tls: tls_client \n
\n- tcp-peer: \n
\n address: aap01gcp.example.net:27199 \n
\n redial: true \n
\n tls: tls_client \n
\n
\n
\n# Work-commands \n
\n- work-command: \n
\n worktype: local \n
\n command: \/var\/lib\/awx\/venv\/awx\/bin\/ansible-runner \n
\n params: worker \n
\n allowruntimeparams: true \n
\n verifysignature: true \n
\n
\n
\n- work-kubernetes: \n
\n worktype: kubernetes-runtime-auth \n
\n authmethod: runtime \n
\n allowruntimeauth: true \n
\n allowruntimepod: true \n
\n allowruntimeparams: true \n
\n verifysignature: true \n
\n
\n
\n- work-kubernetes: \n
\n worktype: kubernetes-incluster-auth \n
\n authmethod: incluster \n
\n allowruntimeauth: true \n
\n allowruntimepod: true \n
\n allowruntimeparams: true \n
\n verifysignature: true <\/code><\/pre>\n\n\n\n\n- Restart Receptor. Sometimes simply restarting the Receptor can help resolve minor issues:<\/li>\n<\/ul>\n\n\n\n
systemctl restart receptor <\/code><\/pre>\n\n\n\n\n- Ensure there aren\u2019t any firewall rules or networking issues preventing communication. Check firewall settings on both the Controller and execution nodes to ensure the required ports for Receptor are open. The receptor is using port 27199. You can use the receptor status or ping commands to verify the communication. If the receptor ping does not work, that might indicate routing or firewall issues. Things to check: \n
\n- firewall-cmd –list-all (if the firewalld is used on the host)<\/li>\n\n\n\n
- firewall configuration at the network level<\/li>\n\n\n\n
- routing – use system level trouceroute command or receptor level traceroute.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
[root@aap01 receptor]# receptorctl --socket \/var\/run\/awx-receptor\/receptor.sock traceroute aap01gcp.example.net \n
\n0: aap01.example.net in 249.524\u00b5s \n
\n1: aap01gcp.example.net in 4.00961ms <\/code><\/pre>\n\n\n\nReceptor TLS\/SSL Issues<\/h3>\n\n\n\n
When verifying TLS\/SSL configurations, especially in the context of Receptor communications in Ansible Automation Platform, you can follow the steps below to ensure everything is in order: <\/p>\n\n\n\n
\n- Check Certificate Expiry. You can use the openssl tool to inspect a certificate’s details, including its expiration date. Check if \u2018Not Before\u2019 and \u2018Not After\u2019 are correct and the certificate is still valid:<\/li>\n<\/ul>\n\n\n\n
[root@aap01 receptor]# openssl x509 -in \/etc\/receptor\/tls\/aap01.example.net.crt -noout -text \n
\nCertificate: \n
\n Data: \n
\n Version: 3 (0x2) \n
\n Serial Number: 1676526891 (0x63edc52b) \n
\n Signature Algorithm: sha256WithRSAEncryption \n
\n Issuer: CN = Ansible Automation Controller Nodes Mesh ROOT CA \n
\n Validity \n
\n Not Before: Feb 16 05:54:51 2023 GMT \n
\n Not After : Feb 6 05:54:32 2033 GMT \n
\n Subject: CN = aap01.example.net \n
\n Subject Public Key Info: \n
\n Public Key Algorithm: rsaEncryption \n
\n RSA Public-Key: (4096 bit) \n
\n Modulus: \n
\n 87:82:34:3d:3d:3b:7a:c7:bd:7f:0d:4f:b6:cf:ea: \n
\n 26:36:01:94:b5:87:02:b4:4c:00:98:ba:6b:4c:6f: \n
\n 7f:2a:4b:f7:6f:b9:50:af:43:80:ea:f7:4b:b5:68: \n
\n e2:75:de:93:e0:df:dd:90:72:5e:45:8d:5a:4e:35: \n
\n b7:12:3c:2f:f2:c4:22:1f:87:d8:ca:6f:ae:84:1e: \n
\n 2e:f8:01:4c:a2:22:fd:fd:4c:2b:ea:31:b8:a7:5b: \n
\n d0:8d:08:4f:a7:58:25:b3:6d:15:11:67:b7:b1:51: \n
\n da:39:ed:61:3a:77:15:9a:cd:e2:4e:4c:ee:97:17: \n
\n 31:cf:13:df:e8:5a:ee:8e:35:3e:3c:60:dc:7e:10: \n
\n c2:23:2f:37:c8:72:75:aa:79:26:c1:c0:83:76:33: \n
\n a2:a8:63:de:e8:cd:07:46:3d:66:3b:3e:63:71:ed: \n
\n a9:d9:7e:ba:79:db:ab:dd:66:a0:6f:27:88:79:7a: \n
\n 51:cc:fe:76:1e:94:d4:ac:dc:8c:d6:70:56:67:cc: \n
\n 47:4c:ba:58:e3:e9:50:c3:69:73:b6:a0:5e:e0:1a: \n
\n ef:6e:91:15:08:41:b5:9c:d4:e5:2b:97:cf:db:22: \n
\n 53:48:fa:50:28:a8:6e:17:3f:dd:0b:4e:b1:0e:6a: \n
\n dc:28:6d:ec:eb:5f:16:f0:eb:33:ac:d2:f9:60:2a: \n
\n ba:02:44:89:b5:80:3e:d9:0f:21:08:cd:3e:e2:f4: \n
\n 4d:04:11:8f:f6:d2:af:23:ed:9f:5c:a2:87:2a:52: \n
\n 81:c0:f0:81:64:7f:47:13:2c:18:40:9b:88:25:47: \n
\n 3a:d4:a8:5c:43:26:27:7f:7f:1f:40:4f:7f:1d:38: \n
\n 00:fa:de:47:c6:16:58:a5:54:a7:86:cc:e3:df:43: \n
\n 72:40:d2:09:4b:47:77:05:4b:9f:23:d9:62:ce:70: \n
\n 35:0c:05:09:1a:79:d2:9b:0d:6f:d4:6e:db:97:89: \n
\n 1a:0b:fb:ed:ae:c8:2d:fb:7c:8d:b3:47:38:78:36: \n
\n 5a:0b:b5:37:9d:f8:de:d0:81:6f:76:bf:75:30:40: \n
\n b1:6c:71 \n
\n Exponent: 65537 (0x10001) \n
\n X509v3 extensions: \n
\n X509v3 Key Usage: critical \n
\n Digital Signature \n
\n X509v3 Extended Key Usage: \n
\n TLS Web Client Authentication, TLS Web Server Authentication \n
\n X509v3 Authority Key Identifier: \n
\n
keyid:B3:59:0F:79:B2:41:78:5C:7D:31:9F:95:DD:98:0F:6E:B6:7B:C8:FC \n
\n
\n
\n X509v3 Subject Alternative Name: \n
\n DNS:aap01.example.net, IP Address:10.29.32.222, othername:<unsupported> \n
\n Signature Algorithm: sha256WithRSAEncryption <\/code><\/pre>\n\n\n\n\n- Ensure private key matches the certificate. You can check that the private key corresponds to the certificate: <\/li>\n<\/ul>\n\n\n\n
openssl x509 -noout -modulus -in \/path\/to\/certificate.crt | openssl md5 \n
\nopenssl rsa -noout -modulus -in \/path\/to\/private.key | openssl md5 <\/code><\/pre>\n\n\n\nThe MD5 hashes from both commands should match. <\/p>\n\n\n\n
[root@aap01 receptor]# openssl x509 -noout -modulus -in \/etc\/receptor\/tls\/aap01.example.net.crt | openssl md5 \n
\n(stdin)= 8baa6271452a553a492cb79f70586100 \n
\n[root@aap01 receptor]# openssl rsa -noout -modulus -in \/etc\/receptor\/tls\/aap01.example.net.key | openssl md5 \n
\n(stdin)= 8baa6271452a553a492cb79f70586100 <\/code><\/pre>\n\n\n\n\n- Test TLS Connection. You can use openssl to manually establish a connection to the Receptor service to check the TLS handshake <\/li>\n<\/ul>\n\n\n\n
openssl s_client -connect receptor-node-ip:port -CAfile \/path\/to\/ca.crt \n
\n[root@aap01 receptor]# openssl s_client -connect aap02.example.net:27199 -CAfile \/etc\/receptor\/tls\/ca\/mesh-CA.crt \n
\nCONNECTED(00000003) \n
\ndepth=1 CN = Ansible Automation Controller Nodes Mesh ROOT CA \n
\nverify return:1 \n
\ndepth=0 CN = aap02.example.net \n
\nverify return:1 \n
\n--- \n
\nCertificate chain \n
\n 0 s:CN = aap02.example.net \n
\n i:CN = Ansible Automation Controller Nodes Mesh ROOT CA \n
\n--- \n
\nServer certificate \n
\n <\/code><\/pre>\n\n\n\nTroubleshooting Execution Environments<\/h3>\n\n\n\n
Troubleshooting execution environments (EE) on Ansible Controller involves several steps, as execution environments play a vital role in encapsulating resources needed to run playbooks. Here’s a structured approach: <\/p>\n\n\n\n
\n- Verify EE Image<\/strong>: \n
\n- Ensure that the EE image exists and is correctly specified. Use podman to list images:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
podman images <\/code><\/pre>\n\n\n\n\n- Run EE Image Manually<\/strong>: \n
\n- Try to run the image manually to see if there are any issues:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
podman run -it --rm <image_name_or_id> \/bin\/bash <\/code><\/pre>\n\n\n\nThis will allow you to enter the EE container. You can inspect its content and check if all required tools, libraries, and Ansible collections or roles are present. <\/p>\n\n\n\n
\n- Verify Resources<\/strong>:\n
\n- Ensure that the host running the Ansible Controller has sufficient resources (CPU, memory, disk space). Running out of resources can cause unexpected issues with execution environments. For example, verify if there is free space on \/var\/lib\/awx file system. Note that the controller keeps its container images under \/var\/lib\/awx\/.local<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
df -h <\/code><\/pre>\n\n\n\n\n- Ansible Configuration<\/strong>: \n
\n- Check the Ansible configuration inside the EE. The ansible.cfg file should have the right parameters. If you’re inside the EE container, you can display it using:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
cat \/etc\/ansible\/ansible.cfg <\/code><\/pre>\n\n\n\n\n- EE Specific Errors<\/strong>: \n
\n- If your playbooks refer to custom modules, roles, or collections, ensure they are available within the EE. Remember, EEs should encapsulate all the required dependencies to run the playbook. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Network Access<\/strong>: \n
\n- Ensure the EE has appropriate network access to reach target nodes, any required repositories, or other resources. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Security Contexts and Privileges<\/strong>: \n
\n- If the Controller runs on a system with SELinux, ensure that your EE is granted the necessary contexts or privileges to operate. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Dependencies and Pipelines<\/strong>: \n
\n- If your EE has dependencies on external systems or services, ensure they are operational. This could include SCM repositories, credential stores, or third-party services.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Validate Playbooks<\/strong>: \n
\n- It might be an issue with the playbook rather than the EE. Try running the playbook with verbosity:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
ansible-playbook -vvv your_playbook.yml <\/code><\/pre>\n\n\n\n\n- This might give more insights into where and why the playbook is failing <\/li>\n<\/ul>\n\n\n\n
\n- Custom EE Builds<\/strong>: \n
\n- If you’re building your own EE images, ensure that the build process completes without errors. Check the Containerfile for any issues. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Controller Configuration<\/strong>: \n
\n- Ensure that Ansible Controller itself is correctly configured to use EEs. This includes verifying paths, image names, or any other settings specific to EEs.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
By following these steps, you can systematically identify and resolve issues with execution environments on the Ansible Controller. If you’re still encountering problems, consult the official Ansible documentation or reach out to Red Hat support.<\/p>\n\n\n\n
Troubleshooting Communication between AAP Controller and Hub<\/h2>\n\n\n\n\n- Basic Connectivity<\/strong>: \n
\n- Check if the Controller node can reach Automation Hub:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
ping <automation_hub_host> <\/code><\/pre>\n\n\n\n\n- Check Ports<\/strong>: \n
\n- Automation Hub typically listens on port 443 for SSL traffic. Ensure this port is open and reachable:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
ssh -vp 443 <automation_hub_host> <\/code><\/pre>\n\n\n\n\n- View Logs on Controller Node<\/strong>: \n
\n- For the Controller services:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
journalctl -u automation-controller <\/code><\/pre>\n\n\n\n\n- Also, refer to the logs located in \/var\/log\/tower\/. <\/li>\n<\/ul>\n\n\n\n
\n- View Logs on Automation Hub<\/strong>: \n
\n- For the Pulp services, which back Automation Hub: <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
journalctl -u pulpcore-worker@*.service <\/code><\/pre>\n\n\n\n\n- Check the Pulp logs typically located in \/var\/log\/pulp\/. <\/li>\n<\/ul>\n\n\n\n
\n- Verify SSL\/TLS<\/strong>: \n
\n- Ensure certificates are correctly configured, valid, and trusted on both ends. <\/li>\n\n\n\n
- If self-signed certificates are in use, ensure they’re added to the trust store on the Controller nodes. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- API Authentication<\/strong>: \n
\n- The controller communicates with Automation Hub using token-based authentication. Ensure tokens are valid and not expired. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Proxy Issues<\/strong>: \n
\n- If a proxy is in use, ensure its correctly configured. Check proxy logs for denied requests. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- Firewall Rules<\/strong>: \n
\n- Check if there are firewall rules blocking communication between the Controller and Automation Hub. <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
\n- DNS Issues<\/strong>: \n
\n- Ensure DNS resolution works correctly from Controller to Automation Hub:<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
nslookup <automation_hub_host> <\/code><\/pre>\n\n\n\n\n- Network Configuration<\/strong>: \n
\n- Check for changes in network configurations that might have affected communication.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Automation Hub Health<\/strong>: \n
\n- Check that Automation Hub’s services and processes are running and healthy.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Database Connectivity for Automation Hub<\/strong>: \n
\n- Ensure the database backend for Automation Hub (Pulp) can connect without issues. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Controller Version Compatibility<\/strong>: \n
\n- Ensure Controller and Automation Hub versions are compatible.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Updates\/Patches<\/strong>: \n
\n- Check for any updates or patches that might address communication issues.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
SAML authentication issues between Ansible Controller and Microsoft Azure AD <\/h3>\n\n\n\n\n- Configuration Check<\/strong>:\n
\n- Ensure that the configuration on both Ansible Controller and Azure AD side matches. This includes Entity IDs, Assertion Consumer Service URLs, and other key SAML attributes.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Certificate Validation<\/strong>: \n
\n- Ensure the certificate used for signing the SAML assertion in Azure AD is still valid and has not expired. Note that the on AAP side you are using the certificate used for tower.cert; tower.key <\/li>\n\n\n\n
- The same certificate should be configured in Ansible Controller’s SAML settings. <\/li>\n\n\n\n
- If you’re using encrypted assertions, make sure you’ve provided the correct<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Assertion Content<\/strong>: \n
\n- Using tools like SAML Tracer for Firefox or the SAML Chrome Panel for Chrome can help you capture the SAML assertion sent from Azure AD to Ansible Controller. <\/li>\n\n\n\n
- Check if the attributes in the assertion match what’s expected by Ansible Controller.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Azure AD Configuration<\/strong>: \n
\n- Ensure that the user trying to authenticate is part of the Azure AD user group that’s allowed to log into Ansible Controller. <\/li>\n\n\n\n
- Confirm that the SAML configuration on Azure AD side, especially the claim rules, are correctly set up to provide the necessary claims to Ansible Controller.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Endpoint URLs<\/strong>: \n
\n- Ensure that the SSO URL and Entity ID on both Azure AD and Ansible Controller match. Any discrepancies here will cause authentication to fail.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Clock Skew<\/strong>: \n
\n- SAML assertions are time sensitive. Ensure that the system clocks on both Ansible Controller and Azure AD (Azure’s end will typically be accurate) are synchronised. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Role and Attribute Mapping<\/strong>: \n
\n- In Ansible Controller’s SAML settings, ensure that you’ve correctly mapped Azure AD attributes to Controller’s user attributes and roles. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Network Issues<\/strong>: \n
\n- Confirm there are no network issues preventing Ansible Controller from reaching Azure AD or vice versa. <\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Session and Cookie Issues<\/strong>: \n
\n- Clear cookies and session data in your browser or try a different browser to rule out any session-specific issues.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
AWX-MANAGE Tool<\/h3>\n\n\n\n\n- Configuration<\/strong>: \n
\n- View current AAP configuration: <\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
awx-manage print_settings <\/code><\/pre>\n\n\n\n\n- Check for pending migrations. This command can be used after the upgrade, to verify the progress of the DB migrations<\/li>\n<\/ul>\n\n\n\n
awx-manage showmigrations <\/code><\/pre>\n\n\n\n\n- Database<\/strong>: \n
\n- Check DB (if the database responds, version etc)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
awx-manage check_db <\/code><\/pre>\n\n\n\n\n- Clean up old job history (this will remove old jobs and preserve space): <\/li>\n<\/ul>\n\n\n\n
awx-manage cleanup_jobs <\/code><\/pre>\n\n\n\n\n- Verify the instances (controller nodes and execution nodes) <\/li>\n<\/ul>\n\n\n\n
awx-manage list_instances <\/code><\/pre>\n\n\n\nAWX Tool<\/h3>\n\n\n\n
Remember to add the following after each command: <\/p>\n\n\n\n
--conf.host https:\/\/aap_fqdn --conf.username admin --conf.password \u2018password\u2019 --conf.insecure <\/code><\/pre>\n\n\n\n\n- Get Configuration<\/strong>:<\/li>\n<\/ol>\n\n\n\n
awx config <\/code><\/pre>\n\n\n\n\n- List All Jobs<\/strong>: <\/li>\n<\/ol>\n\n\n\n
awx jobs list <\/code><\/pre>\n\n\n\n\n