Zach Biles

AWX Isolated Node

Isolated nodes in AWX/Tower are used to do work in remote or secured networks. The only connection required is SSH between the "controller" node (the main AWX/Tower instance), and your remote node. This device can now do work for you in this remote network.

The problem with setting these up is that I have yet to find a complete step-by-step guide on how to get this set up. I'm hoping this will help others get this working for them. This is a bit different than just adding "worker" nodes to AWX/Tower, as there's limited connectivity: normal "worker" nodes require full connectivity to the "control" node.


On your isolated node, create a user called awx with a strong password. (should be able to use whatever username you want, but I haven't had time to test this)

Log into your "controller" node, and we will use some awx-manage commands to provision this new worker node. Make sure to save the key generated by the first command in a vault or safe for use later.

awx-manage generate_isolated_key

awx-manage provision_instance --hostname <isolated_node_hostname> --is-isolated

awx-manage register_queue --queuename <queue_name> --hostname <isolated_node_hostname> --controller <controller_name>

Log back into your isolated node, and add that key to the awx user's SSH authorized keys (~/.ssh/authorized_keys).

Once this key is added, there is a testing command you can run from the control node to verify connectivity. Remember, permissions are always still in play, so make sure your awx user has rights to whatever it might need to do locally on that box, for things like installing packages or creating files/directories. You can also use a user in your actual jobs that has these rights.

awx-manage test_isolated_connection --hostname <isolated_node_hostname>
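The key-installation step on the isolated node, as an added shell example that is not part of the original post or of AWX itself. It assumes the key printed by generate_isolated_key is a single OpenSSH public-key line; the function name install_isolated_key and the /home/awx path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not AWX tooling): install the controller's public key for the
# awx user on the isolated node. Run it as that user so ownership is correct,
# e.g.:  sudo -u awx sh install_key.sh /home/awx "ssh-rsa AAAA... comment"

# install_isolated_key HOME_DIR PUBKEY_LINE
# Returns 0 if the key is present afterwards, 1 if the input was rejected.
install_isolated_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # Only a single public-key line is accepted. A pasted private key is
    # refused: that material belongs in the vault, not on the remote node.
    case $pubkey in
        *"PRIVATE KEY"*)
            echo "refusing: input looks like a private key" >&2; return 1 ;;
        *"$nl"*)
            echo "refusing: expected exactly one line" >&2; return 1 ;;
    esac
    case $pubkey in
        "ssh-rsa AAAA"*|"ssh-ed25519 AAAA"*|"ecdsa-sha2-"*" AAAA"*) ;;
        *)
            echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # With StrictModes (the sshd default) a group- or world-writable .ssh
    # directory or authorized_keys file causes key authentication to be refused.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Idempotent: append only when this exact line is not already there.
    if ! grep -qxF -- "$pubkey" "$auth_file"; then
        printf '%s\n' "$pubkey" >> "$auth_file"
    fi
    return 0
}

# Stand-alone use: pass the home directory and the public key line.
if [ $# -eq 2 ]; then
    install_isolated_key "$1" "$2"
fi
```

If test_isolated_connection still fails after this, check that the home directory itself is not group- or world-writable, since StrictModes applies to it as well.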

Assuming this test is successful, you should now see a new instance group in AWX:

If you look inside it you can see your worker nodes assigned to this instance.

You can now tweak how many forks you want to use and view capacity as jobs are running to see if you need to add more nodes to keep up with the load.

Now you can assign templates to your instance groups to do work from these nodes.

Whatever templates you assign to this new instance group will be run from any node that is part of this instance group. Keep this in mind when building new instance nodes and assigning templates. Make sure your isolated node can reach the devices you intend to manage when you're assigning templates.
