AAP failed to create container EE


Continuing the discussion from Initial instalation AWX 24.0.0:

Did you get this to work? I have AAP 2.4 installed and running and a separate host has Private Hub running.

But a simple ad-hoc job is failing to create the EE.
I have setup the API token in Credentials pointing to the Private Hub but the Control Plain EE just does get created to do a simple ping or uptime ad-hoc job.

I don’t know what I am missing.

AAP supports more deployment options than AWX does, so could you tell us how yours is deployed? For e.g. did you use an operator in OCP after subscribing to the catalog, or did you install the rpm based bundle to a standalone RHEL 8/9 vm?

Also, is the Control Plain EE downloaded to Private Hub already? Unfortunately, I don’t have experience with using the container registry feature of AH/Galaxy.

In my case, we’re subscribed to the operator in OCP 4.12, and pull all of our images from a local Quay Enterprise that proxies the upstream Red Hat registries.

Installed with the bundle as a standalone disconnected to have its own database I deleted the EE’s and setup ansible private hub on a separate box and have the EE’s from the Private Hub to be pulled on jobs. My issue today is when I run an ad-hoc job against a test box from an inventory it spits out "Error container create failed ( no logs from conmon ) common bytes “”: readObjectStart: expect … I have seen some github issues related to this error but referring to podman, my issue is happening using the WebUI.


Okay, so I don’t have any experience with the standalone bundle, but from what I recall, it does use podman. If that’s the case, maybe podman itself is unaware of your private hub or the credentials you provided. I would try configuring podman so that the host’s aap unix user can manually pull EE images from the private hub without needing to manually login first, and then see if AAP works.

So this is what I did:

  1. on the command line as my self on the AAP

  2. sudo podman login --username myusername --password ( myldap-password ) “private.hub.url”
    3.Login Succeeded!

  3. Went to the AAP WebUI

  4. Re-Run my ad-hoc job I used a machine ssh credential with a different password

  5. ERROR Initializing source docker://private.hub.url/ee-supported-rhel8:latest: Requesting bearer token: Invalid status code from registry 403 (forbidden)

Yeah no, AAP is running as UID:1000 or UID:1001 I presume, which is probably named either awx/aap. You need to create an auth.json file for that user to implicitly login to your private hub. Logging into private hub under your user or as root won’t help.


  "auths": {
    "private.hub.url": {
      "auth": "base64encoded<username:password>",
      "email": ""

So before doing the auth.json just to let you know awx id is 997 password is set to never expire. Should I have the awx user have an account on the Ansible Private Hub ?

Interesting. It may make sense to do that as a permanent solution, but at the moment, I’m just curious to know if this resolves the underlying problem. I haven’t had any time to really review the docs: Red Hat Ansible Automation Platform Installation Guide Red Hat Ansible Automation Platform 2.4 - Disconnected Installation to see what you’re expected to do for this scenerio.

So when I create the auth.json content I am not sure what the password would be for awx so should I try awx-manage and generate a password for awx username ?

Under the awx/997 user’s home directory, create the auth.json file with any valid private hub credential, whether it’s yours or a service account specifically for AAP to use. I would not generate a password for the awx username from awx-manage because I have no idea what the consequences would be.

I will let you know what happens I am at home and it’s a work related project so thanks for the advice can’t wait to get this working.

I tried to run a job but got an error regarding the base64 username and password. Not sure if the auth.json username and password format. I see in your example you have username:password separated with a colon is that correct?

Yes, you could copy and paste the following into bash to generate the base64 string, and just that base64 string would be the value for “auth”.

read -p "UserName: " user 
read -p "Password: " -s pass
echo "${user}:${pass}" | base64

I get ./script.sh line 2: read `-p’: not a valid identifier.

I finally just wrote in a bash script:


echo “${user}:${pass}” | base64

I put that base64 string in the auth.json

Error now is Error: initializing source docker://private.automation.hub/ee-supported-rhel8:latest: Requesting bearer token: invalid status code from registry 403 (forbidden)

That’s what I get for going off memory. I have edited the post and tested. You’ll have to copy line-by-line since the prompt interrupts the clipboard.

I’m out of ideas then. Unless someone else here is familiar with this sort of scenario, I suggest you go make a support ticket with RedHat since you are already paying them for it.

I appreciate it all the things you suggested. I know it will get up and authentication just gotta keep reading and it will happen.