Fix "upgrade in progress" status page not showing up while migration is in progress (#14579)

Web container does not need to wait for migration

if the database is running and responsive, but migrations have not finished, it will start serving, and users will get the upgrading page

wait-for-migration prevent nginix and uwsgi from starting up to serve the "upgrade in progress" status page

.pip-tools.toml

@@ -0,0 +1,5 @@
+[tool.pip-tools]
+resolver = "backtracking"
+allow-unsafe = true
+strip-extras = true
+quiet = true

README.md

@@ -30,7 +30,7 @@ If you're experiencing a problem that you feel is a bug in AWX or have ideas for
 Code of Conduct
 ---------------
 
-We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)   
+We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
 
 Get Involved
 ------------
@@ -39,4 +39,3 @@ We welcome your feedback and ideas. Here's how to reach us with feedback and que
 
 - Join the [Ansible AWX channel on Matrix](https://matrix.to/#/#awx:ansible.com)
 - Join the [Ansible Community Forum](https://forum.ansible.com)
-- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

awx/main/credential_plugins/dsv.py

@@ -2,7 +2,11 @@ from .plugin import CredentialPlugin
 
 from django.conf import settings
 from django.utils.translation import gettext_lazy as _
-from thycotic.secrets.vault import SecretsVault
+
+try:
+    from delinea.secrets.vault import SecretsVault
+except ImportError:
+    from thycotic.secrets.vault import SecretsVault
 
 
 dsv_inputs = {

awx/main/management/commands/cleanup_activitystream.py

@@ -24,6 +24,9 @@ class Command(BaseCommand):
     def add_arguments(self, parser):
         parser.add_argument('--days', dest='days', type=int, default=90, metavar='N', help='Remove activity stream events more than N days old')
         parser.add_argument('--dry-run', dest='dry_run', action='store_true', default=False, help='Dry run mode (show items that would be removed)')
+        parser.add_argument(
+            '--batch-size', dest='batch_size', type=int, default=500, metavar='X', help='Remove activity stream events in batch of X events. Defaults to 500.'
+        )
 
     def init_logging(self):
         log_levels = dict(enumerate([logging.ERROR, logging.INFO, logging.DEBUG, 0]))
@@ -48,7 +51,7 @@ class Command(BaseCommand):
                 else:
                     pks_to_delete.add(asobj.pk)
             # Cleanup objects in batches instead of deleting each one individually.
-            if len(pks_to_delete) >= 500:
+            if len(pks_to_delete) >= self.batch_size:
                 ActivityStream.objects.filter(pk__in=pks_to_delete).delete()
                 n_deleted_items += len(pks_to_delete)
                 pks_to_delete.clear()
@@ -63,4 +66,5 @@ class Command(BaseCommand):
         self.days = int(options.get('days', 30))
         self.cutoff = now() - datetime.timedelta(days=self.days)
         self.dry_run = bool(options.get('dry_run', False))
+        self.batch_size = int(options.get('batch_size', 500))
         self.cleanup_activitystream()

awx/main/management/commands/cleanup_jobs.py

@@ -9,6 +9,7 @@ import re
 
 
 # Django
+from django.apps import apps
 from django.core.management.base import BaseCommand, CommandError
 from django.db import transaction, connection
 from django.db.models import Min, Max
@@ -150,6 +151,9 @@ class Command(BaseCommand):
     def add_arguments(self, parser):
         parser.add_argument('--days', dest='days', type=int, default=90, metavar='N', help='Remove jobs/updates executed more than N days ago. Defaults to 90.')
         parser.add_argument('--dry-run', dest='dry_run', action='store_true', default=False, help='Dry run mode (show items that would be removed)')
+        parser.add_argument(
+            '--batch-size', dest='batch_size', type=int, default=100000, metavar='X', help='Remove jobs in batch of X jobs. Defaults to 100000.'
+        )
         parser.add_argument('--jobs', dest='only_jobs', action='store_true', default=False, help='Remove jobs')
         parser.add_argument('--ad-hoc-commands', dest='only_ad_hoc_commands', action='store_true', default=False, help='Remove ad hoc commands')
         parser.add_argument('--project-updates', dest='only_project_updates', action='store_true', default=False, help='Remove project updates')
@@ -195,39 +199,58 @@ class Command(BaseCommand):
         delete_meta.delete_jobs()
         return (delete_meta.jobs_no_delete_count, delete_meta.jobs_to_delete_count)
 
-    def _handle_unpartitioned_events(self, model, pk_list):
-        """
-        If unpartitioned job events remain, it will cascade those from jobs in pk_list
-        if the unpartitioned table is no longer necessary, it will drop the table
-        """
+    def has_unpartitioned_table(self, model):
         tblname = unified_job_class_to_event_table_name(model)
-        rel_name = model().event_parent_key
         with connection.cursor() as cursor:
             cursor.execute(f"SELECT 1 FROM pg_tables WHERE tablename = '_unpartitioned_{tblname}';")
             row = cursor.fetchone()
             if row is None:
-                self.logger.debug(f'Unpartitioned table for {rel_name} does not exist, you are fully migrated')
-                return
-        if pk_list:
-            with connection.cursor() as cursor:
-                pk_list_csv = ','.join(map(str, pk_list))
-                cursor.execute(f"DELETE FROM _unpartitioned_{tblname} WHERE {rel_name} IN ({pk_list_csv})")
+                return False
+        return True
+
+    def _delete_unpartitioned_table(self, model):
+        "If the unpartitioned table is no longer necessary, it will drop the table"
+        tblname = unified_job_class_to_event_table_name(model)
+        if not self.has_unpartitioned_table(model):
+            self.logger.debug(f'Table _unpartitioned_{tblname} does not exist, you are fully migrated.')
+            return
+
         with connection.cursor() as cursor:
             # same as UnpartitionedJobEvent.objects.aggregate(Max('created'))
-            cursor.execute(f'SELECT MAX("_unpartitioned_{tblname}"."created") FROM "_unpartitioned_{tblname}"')
+            cursor.execute(f'SELECT MAX("_unpartitioned_{tblname}"."created") FROM "_unpartitioned_{tblname}";')
             row = cursor.fetchone()
             last_created = row[0]
-            if last_created:
-                self.logger.info(f'Last event created in _unpartitioned_{tblname} was {last_created.isoformat()}')
-            else:
-                self.logger.info(f'Table _unpartitioned_{tblname} has no events in it')
-            if (last_created is None) or (last_created < self.cutoff):
-                self.logger.warning(f'Dropping table _unpartitioned_{tblname} since no records are newer than {self.cutoff}')
-                cursor.execute(f'DROP TABLE _unpartitioned_{tblname}')
+
+        if last_created:
+            self.logger.info(f'Last event created in _unpartitioned_{tblname} was {last_created.isoformat()}')
+        else:
+            self.logger.info(f'Table _unpartitioned_{tblname} has no events in it')
+
+        if (last_created is None) or (last_created < self.cutoff):
+            self.logger.warning(
+                f'Dropping table _unpartitioned_{tblname} since no records are newer than {self.cutoff}\n'
+                'WARNING - this will happen in a separate transaction so a failure will not roll back prior cleanup'
+            )
+            with connection.cursor() as cursor:
+                cursor.execute(f'DROP TABLE _unpartitioned_{tblname};')
+
+    def _delete_unpartitioned_events(self, model, pk_list):
+        "If unpartitioned job events remain, it will cascade those from jobs in pk_list"
+        tblname = unified_job_class_to_event_table_name(model)
+        rel_name = model().event_parent_key
+
+        # Bail if the unpartitioned table does not exist anymore
+        if not self.has_unpartitioned_table(model):
+            return
+
+        # Table still exists, delete individual unpartitioned events
+        if pk_list:
+            with connection.cursor() as cursor:
+                self.logger.debug(f'Deleting {len(pk_list)} events from _unpartitioned_{tblname}, use a longer cleanup window to delete the table.')
+                pk_list_csv = ','.join(map(str, pk_list))
+                cursor.execute(f"DELETE FROM _unpartitioned_{tblname} WHERE {rel_name} IN ({pk_list_csv});")
 
     def cleanup_jobs(self):
-        batch_size = 100000
-
         # Hack to avoid doing N+1 queries as each item in the Job query set does
         # an individual query to get the underlying UnifiedJob.
         Job.polymorphic_super_sub_accessors_replaced = True
@@ -242,13 +265,14 @@ class Command(BaseCommand):
         deleted = 0
         info = qs.aggregate(min=Min('id'), max=Max('id'))
         if info['min'] is not None:
-            for start in range(info['min'], info['max'] + 1, batch_size):
-                qs_batch = qs.filter(id__gte=start, id__lte=start + batch_size)
+            for start in range(info['min'], info['max'] + 1, self.batch_size):
+                qs_batch = qs.filter(id__gte=start, id__lte=start + self.batch_size)
                 pk_list = qs_batch.values_list('id', flat=True)
 
                 _, results = qs_batch.delete()
                 deleted += results['main.Job']
-                self._handle_unpartitioned_events(Job, pk_list)
+                # Avoid dropping the job event table in case we have interacted with it already
+                self._delete_unpartitioned_events(Job, pk_list)
 
         return skipped, deleted
 
@@ -271,7 +295,7 @@ class Command(BaseCommand):
                 deleted += 1
 
         if not self.dry_run:
-            self._handle_unpartitioned_events(AdHocCommand, pk_list)
+            self._delete_unpartitioned_events(AdHocCommand, pk_list)
 
         skipped += AdHocCommand.objects.filter(created__gte=self.cutoff).count()
         return skipped, deleted
@@ -299,7 +323,7 @@ class Command(BaseCommand):
                 deleted += 1
 
         if not self.dry_run:
-            self._handle_unpartitioned_events(ProjectUpdate, pk_list)
+            self._delete_unpartitioned_events(ProjectUpdate, pk_list)
 
         skipped += ProjectUpdate.objects.filter(created__gte=self.cutoff).count()
         return skipped, deleted
@@ -327,7 +351,7 @@ class Command(BaseCommand):
                 deleted += 1
 
         if not self.dry_run:
-            self._handle_unpartitioned_events(InventoryUpdate, pk_list)
+            self._delete_unpartitioned_events(InventoryUpdate, pk_list)
 
         skipped += InventoryUpdate.objects.filter(created__gte=self.cutoff).count()
         return skipped, deleted
@@ -351,7 +375,7 @@ class Command(BaseCommand):
                 deleted += 1
 
         if not self.dry_run:
-            self._handle_unpartitioned_events(SystemJob, pk_list)
+            self._delete_unpartitioned_events(SystemJob, pk_list)
 
         skipped += SystemJob.objects.filter(created__gte=self.cutoff).count()
         return skipped, deleted
@@ -396,12 +420,12 @@ class Command(BaseCommand):
         skipped += Notification.objects.filter(created__gte=self.cutoff).count()
         return skipped, deleted
 
-    @transaction.atomic
     def handle(self, *args, **options):
         self.verbosity = int(options.get('verbosity', 1))
         self.init_logging()
         self.days = int(options.get('days', 90))
         self.dry_run = bool(options.get('dry_run', False))
+        self.batch_size = int(options.get('batch_size', 100000))
         try:
             self.cutoff = now() - datetime.timedelta(days=self.days)
         except OverflowError:
@@ -423,19 +447,29 @@ class Command(BaseCommand):
                 del s.receivers[:]
                 s.sender_receivers_cache.clear()
 
-        for m in model_names:
-            if m not in models_to_cleanup:
-                continue
+        with transaction.atomic():
+            for m in models_to_cleanup:
+                skipped, deleted = getattr(self, 'cleanup_%s' % m)()
 
-            skipped, deleted = getattr(self, 'cleanup_%s' % m)()
+                func = getattr(self, 'cleanup_%s_partition' % m, None)
+                if func:
+                    skipped_partition, deleted_partition = func()
+                    skipped += skipped_partition
+                    deleted += deleted_partition
 
-            func = getattr(self, 'cleanup_%s_partition' % m, None)
-            if func:
-                skipped_partition, deleted_partition = func()
-                skipped += skipped_partition
-                deleted += deleted_partition
+                if self.dry_run:
+                    self.logger.log(99, '%s: %d would be deleted, %d would be skipped.', m.replace('_', ' '), deleted, skipped)
+                else:
+                    self.logger.log(99, '%s: %d deleted, %d skipped.', m.replace('_', ' '), deleted, skipped)
 
-            if self.dry_run:
-                self.logger.log(99, '%s: %d would be deleted, %d would be skipped.', m.replace('_', ' '), deleted, skipped)
-            else:
-                self.logger.log(99, '%s: %d deleted, %d skipped.', m.replace('_', ' '), deleted, skipped)
+        # Deleting unpartitioned tables cannot be done in same transaction as updates to related tables
+        if not self.dry_run:
+            with transaction.atomic():
+                for m in models_to_cleanup:
+                    unified_job_class_name = m[:-1].title().replace('Management', 'System').replace('_', '')
+                    unified_job_class = apps.get_model('main', unified_job_class_name)
+                    try:
+                        unified_job_class().event_class
+                    except (NotImplementedError, AttributeError):
+                        continue  # no need to run this for models without events
+                    self._delete_unpartitioned_table(unified_job_class)

awx/main/tasks/jobs.py

@@ -1873,6 +1873,8 @@ class RunSystemJob(BaseTask):
             if system_job.job_type in ('cleanup_jobs', 'cleanup_activitystream'):
                 if 'days' in json_vars:
                     args.extend(['--days', str(json_vars.get('days', 60))])
+                if 'batch_size' in json_vars:
+                    args.extend(['--batch-size', str(json_vars['batch_size'])])
                 if 'dry_run' in json_vars and json_vars['dry_run']:
                     args.extend(['--dry-run'])
             if system_job.job_type == 'cleanup_jobs':

awx/main/tests/functional/test_credential_plugins.py

@@ -76,3 +76,24 @@ def test_hashivault_handle_auth_kubernetes():
 def test_hashivault_handle_auth_not_enough_args():
     with pytest.raises(Exception):
         hashivault.handle_auth()
+
+
+class TestDelineaImports:
+    """
+    These module have a try-except for ImportError which will allow using the older library
+    but we do not want the awx_devel image to have the older library,
+    so these tests are designed to fail if these wind up using the fallback import
+    """
+
+    def test_dsv_import(self):
+        from awx.main.credential_plugins.dsv import SecretsVault  # noqa
+
+        # assert this module as opposed to older thycotic.secrets.vault
+        assert SecretsVault.__module__ == 'delinea.secrets.vault'
+
+    def test_tss_import(self):
+        from awx.main.credential_plugins.tss import DomainPasswordGrantAuthorizer, PasswordGrantAuthorizer, SecretServer, ServerSecret  # noqa
+
+        for cls in (DomainPasswordGrantAuthorizer, PasswordGrantAuthorizer, SecretServer, ServerSecret):
+            # assert this module as opposed to older thycotic.secrets.server
+            assert cls.__module__ == 'delinea.secrets.server'

awx/ui/src/screens/Inventory/shared/ConstructedInventoryHint.js

@@ -302,9 +302,9 @@ function HostsByProcessorTypeExample() {
 
   const hostsByProcessorLimit = `intel_hosts`;
   const hostsByProcessorSourceVars = `plugin: constructed
-  strict: true
-  groups:
-    intel_hosts: "GenuineIntel" in ansible_processor`;
+strict: true
+groups:
+  intel_hosts: "'GenuineIntel' in ansible_processor"`;
 
   return (
     <FormFieldGroupExpandable

awx/ui/src/screens/Inventory/shared/ConstructedInventoryHint.test.js

@@ -45,7 +45,7 @@ describe('<ConstructedInventoryHint />', () => {
     );
     expect(navigator.clipboard.writeText).toHaveBeenCalledWith(
       expect.stringContaining(
-        'intel_hosts: "GenuineIntel" in ansible_processor'
+        `intel_hosts: \"'GenuineIntel' in ansible_processor\"`
       )
     );
   });

awx_collection/plugins/modules/execution_environment.py

@@ -33,7 +33,6 @@ options:
     image:
       description:
         - The fully qualified url of the container image.
-      required: True
       type: str
     description:
       description:
@@ -79,7 +78,7 @@ def main():
     argument_spec = dict(
         name=dict(required=True),
         new_name=dict(),
-        image=dict(required=True),
+        image=dict(),
         description=dict(),
         organization=dict(),
         credential=dict(),

docs/docsite/requirements.in

@@ -0,0 +1,7 @@
+# This requirements file is used for AWX latest doc builds.
+
+sphinx # Tooling to build HTML from RST source.
+sphinx-ansible-theme # Ansible community theme for Sphinx doc builds.
+docutils # Tooling for RST processing and the swagger extension.
+Jinja2 # Requires investiation. Possibly inherited from previous repo with a custom theme.
+PyYaml # Requires investigation. Possibly used as tooling for swagger API reference content.

docs/docsite/requirements.txt

@@ -1,5 +1,74 @@
-sphinx==5.1.1
-sphinx-ansible-theme==0.9.1
+#
+# This file is autogenerated by pip-compile with Python 3.11
+# by the following command:
+#
+#    pip-compile --allow-unsafe --output-file=docs/docsite/requirements.txt --strip-extras docs/docsite/requirements.in
+#
+alabaster==0.7.13
+    # via sphinx
+ansible-pygments==0.1.1
+    # via sphinx-ansible-theme
+babel==2.12.1
+    # via sphinx
+certifi==2023.7.22
+    # via requests
+charset-normalizer==3.2.0
+    # via requests
 docutils==0.16
-Jinja2<3.1
-PyYaml
+    # via
+    #   -r docs/docsite/requirements.in
+    #   sphinx
+    #   sphinx-rtd-theme
+idna==3.4
+    # via requests
+imagesize==1.4.1
+    # via sphinx
+jinja2==3.0.3
+    # via
+    #   -r docs/docsite/requirements.in
+    #   sphinx
+markupsafe==2.1.3
+    # via jinja2
+packaging==23.1
+    # via sphinx
+pygments==2.16.1
+    # via
+    #   ansible-pygments
+    #   sphinx
+pyyaml==6.0.1
+    # via -r docs/docsite/requirements.in
+requests==2.31.0
+    # via sphinx
+snowballstemmer==2.2.0
+    # via sphinx
+sphinx==5.1.1
+    # via
+    #   -r docs/docsite/requirements.in
+    #   sphinx-ansible-theme
+    #   sphinx-rtd-theme
+    #   sphinxcontrib-applehelp
+    #   sphinxcontrib-devhelp
+    #   sphinxcontrib-htmlhelp
+    #   sphinxcontrib-jquery
+    #   sphinxcontrib-qthelp
+    #   sphinxcontrib-serializinghtml
+sphinx-ansible-theme==0.9.1
+    # via -r docs/docsite/requirements.in
+sphinx-rtd-theme==1.3.0
+    # via sphinx-ansible-theme
+sphinxcontrib-applehelp==1.0.7
+    # via sphinx
+sphinxcontrib-devhelp==1.0.5
+    # via sphinx
+sphinxcontrib-htmlhelp==2.0.4
+    # via sphinx
+sphinxcontrib-jquery==4.1
+    # via sphinx-rtd-theme
+sphinxcontrib-jsmath==1.0.1
+    # via sphinx
+sphinxcontrib-qthelp==1.0.6
+    # via sphinx
+sphinxcontrib-serializinghtml==1.1.9
+    # via sphinx
+urllib3==2.0.4
+    # via requests

docs/docsite/rst/userguide/credential_types.rst

@@ -37,6 +37,7 @@ Additionally, post-upgrade, these settings are not be visible (or editable) from
 AWX should still continue to fetch roles directly from public Galaxy even if galaxy.ansible.com is not the first credential in the list for the Organization. The global "Galaxy" settings are no longer configured at the jobs level, but at the Organization level in the User Interface. The Organization's Add and Edit windows have an optional **Credential** lookup field for credentials of ``kind=galaxy``. 
 
 .. image:: ../common/images/organizations-galaxy-credentials.png
+    :alt: Create a new Organization with Galaxy Credentials
 
 It is very important to specify the order of these credentials as order sets precedence for the sync and lookup of the content.
 For more information, see :ref:`ug_organizations_create`.
@@ -99,6 +100,7 @@ Access the Credentials from clicking **Credential Types** from the left navigati
 |Credential Types - home empty|
 
 .. |Credential Types - home empty| image:: ../common/images/credential-types-home-empty.png
+    :alt: Credential Types view without any credential types populated
 
 
 If credential types have been created, this page displays a list of all existing and available Credential Types. 
@@ -106,10 +108,12 @@ If credential types have been created, this page displays a list of all existing
 |Credential Types - home with example credential types|
 
 .. |Credential Types - home with example credential types| image:: ../common/images/credential-types-home-with-example-types.png
+    :alt: Credential Types list view with example credential types
 
 To view more information about a credential type, click on its name or the Edit (|edit|) button from the **Actions** column.
 
 .. |edit| image:: ../common/images/edit-button.png
+    :alt: Edit button
 
 Each credential type displays its own unique configurations in the **Input Configuration** field and the **Injector Configuration** field, if applicable. Both YAML and JSON formats are supported in the configuration fields. 
 
@@ -127,6 +131,7 @@ To create a new credential type:
 |Create new credential type|
 
 .. |Create new credential type| image:: ../common/images/credential-types-create-new.png
+    :alt: Create new credential type form
 
 2. Enter the appropriate details in the **Name** and **Description** field.
 
@@ -302,6 +307,7 @@ An example of referencing multiple files in a custom credential template is as f
 |New credential type|
 
 .. |New credential type| image:: ../common/images/credential-types-new-listed.png
+    :alt: Credential Types list view with newly created credential type shown
 
 Click |edit| to modify the credential type options under the Actions column.
 
@@ -310,6 +316,7 @@ Click |edit| to modify the credential type options under the Actions column.
   In the Edit screen, you can modify the details or delete the credential. If the **Delete** button is grayed out, it is indication that the credential type that is being used by a credential, and you must delete the credential type from all the credentials that use it before you can delete it. Below is an example of such a message:
 
   .. image:: ../common/images/credential-types-delete-confirmation.png
+    :alt: Credential type delete confirmation
 
 
 7. Verify that the newly created credential type can be selected from the **Credential Type** selection window when creating a new credential:
@@ -317,5 +324,6 @@ Click |edit| to modify the credential type options under the Actions column.
 |Verify new credential type|
 
 .. |Verify new credential type| image:: ../common/images/credential-types-new-listed-verify.png
+    :alt: Newly created credential type selected from the credentials drop-down menu
 
 For details on how to create a new credential, see :ref:`ug_credentials`.

docs/docsite/rst/userguide/credentials.rst

@@ -41,6 +41,7 @@ Click **Credentials** from the left navigation bar to access the Credentials pag
 |Credentials - home with example credentials|
 
 .. |Credentials - home with example credentials| image:: ../common/images/credentials-demo-edit-details.png
+    :alt: Credentials - home with example credentials
 
 Credentials added to a Team are made available to all members of the Team, whereas credentials added to a User are only available to that specific User by default.
 
@@ -51,6 +52,7 @@ Clicking on the link for the **Demo Credential** takes you to the **Details** vi
 |Credentials - home with demo credential details|
 
 .. |Credentials - home with demo credential details| image:: ../common/images/credentials-home-with-demo-credential-details.png
+    :alt: Credentials - Demo credential details
 
 
 Clicking the **Access** tab shows you users and teams associated with this Credential and their granted roles (owner, admin, auditor, etc.)
@@ -59,6 +61,7 @@ Clicking the **Access** tab shows you users and teams associated with this Crede
 |Credentials - home with permissions credential details|
 
 .. |Credentials - home with permissions credential details| image:: ../common/images/credentials-home-with-permissions-detail.png
+    :alt: Credentials - Access tab for Demo credential containing two users with their roles
 
 .. note::
 
@@ -71,6 +74,7 @@ Clicking the **Job Templates** tab shows you the job templates associated with t
 
 
 .. image:: ../common/images/credentials-home-with-jt-detail.png
+    :alt: Credentials - Job Template tab for Demo credential with example job template
 
 You can click the **Add** button to assign this **Demo Credential** to additional job templates. Refer to the :ref:`ug_JobTemplates` section for further detail on creating a new job template.
 
@@ -89,6 +93,7 @@ To create a new credential:
 |Create credential|
 
 .. |Create credential| image:: ../common/images/credentials-create-credential.png
+    :alt: Create credential form
 
 2. Enter the name for your new credential in the **Name** field.
 
@@ -102,6 +107,7 @@ To create a new credential:
 4. Enter or select the credential type you want to create. 
 
 .. image:: ../common/images/credential-types-drop-down-menu.png
+    :alt: Credential types drop down menu
 
 5. Enter the appropriate details depending on the type of credential selected, as described in the next section, :ref:`ug_credentials_cred_types`.
 
@@ -146,6 +152,7 @@ AWX uses the following environment variables for AWS credentials and are fields
 |Credentials - create AWS credential|
 
 .. |Credentials - create AWS credential| image:: ../common/images/credentials-create-aws-credential.png
+    :alt: Credentials - create AWS credential form
 
 Traditional Amazon Web Services credentials consist of the AWS **Access Key** and **Secret Key**. 
 
@@ -171,10 +178,12 @@ Selecting this credential allows AWX to access Galaxy or use a collection publis
 |Credentials - create galaxy credential|
 
 .. |Credentials - create galaxy credential| image:: ../common/images/credentials-create-galaxy-credential.png
+    :alt: Credentials - create galaxy credential form
 
 To populate the **Galaxy Server URL** and the **Auth Server URL** fields, look for the corresponding fields of the |ah| section of the `Red Hat Hybrid Cloud Console <https://console.redhat.com/ansible/automation-hub/token>`_ labeled **Server URL** and **SSO URL**, respectively.
 
 .. image:: ../common/images/hub-console-tokens-page.png
+    :alt: Hub console tokens page
 
 
 Centrify Vault Credential Provider Lookup
@@ -194,6 +203,7 @@ Aside from specifying a name, the **Authentication URL** is the only required fi
 |Credentials - create container credential|
 
 .. |Credentials - create container credential| image:: ../common/images/credentials-create-container-credential.png
+    :alt: Credentials - create container credential form
 
 
 CyberArk Central Credential Provider Lookup
@@ -218,6 +228,7 @@ Selecting this credential allows you to access GitHub using a Personal Access To
 |Credentials - create GitHub credential|
 
 .. |Credentials - create GitHub credential| image:: ../common/images/credentials-create-webhook-github-credential.png
+    :alt: Credentials - create GitHub credential form
 
 GitHub PAT credentials require a value in the **Token** field, which is provided in your GitHub profile settings. 
 
@@ -236,6 +247,7 @@ Selecting this credential allows you to access GitLab using a Personal Access To
 |Credentials - create GitLab credential|
 
 .. |Credentials - create GitLab credential| image:: ../common/images/credentials-create-webhook-gitlab-credential.png
+    :alt: Credentials - create GitLab credential form
 
 GitLab PAT credentials require a value in the **Token** field, which is provided in your GitLab profile settings. 
 
@@ -261,6 +273,7 @@ AWX uses the following environment variables for GCE credentials and are fields
 |Credentials - create GCE credential|
 
 .. |Credentials - create GCE credential| image:: ../common/images/credentials-create-gce-credential.png
+    :alt: Credentials - create GCE credential form
 
 GCE credentials have the following inputs that are required:
 
@@ -270,6 +283,7 @@ GCE credentials have the following inputs that are required:
 -  **RSA Private Key**: The PEM file associated with the service account email.
 
 .. |file-browser| image:: ../common/images/file-browser-button.png
+    :alt: File browser button
 
 
 GPG Public Key
@@ -283,6 +297,7 @@ Selecting this credential type allows you to create a credential that gives AWX
 |Credentials - create GPG credential|
 
 .. |Credentials - create GPG credential| image:: ../common/images/credentials-create-gpg-credential.png
+    :alt: Credentials - create GPG credential form
 
 See :ref:`ug_content_signing` for detailed information on how to generate a valid keypair, use the CLI tool to sign content, and how to add the public key to AWX.
 
@@ -308,6 +323,7 @@ Selecting this credential type enables synchronization of cloud inventory with R
 |Credentials - create Insights credential|
 
 .. |Credentials - create Insights credential| image:: ../common/images/credentials-create-insights-credential.png
+    :alt: Credentials - create Insights credential form
 
 Insights credentials consist of the Insights **Username** and **Password**, which is the user’s Red Hat Customer Portal Account username and password.
 
@@ -326,6 +342,7 @@ Machine/SSH credentials do not use environment variables. Instead, they pass the
 |Credentials - create machine credential|
 
 .. |Credentials - create machine credential| image:: ../common/images/credentials-create-machine-credential.png
+    :alt: Credentials - create machine credential form
 
 Machine credentials have several attributes that may be configured:
 
@@ -336,6 +353,7 @@ Machine credentials have several attributes that may be configured:
 - **Privilege Escalation Method**: Specifies the type of escalation privilege to assign to specific users. This is equivalent to specifying the ``--become-method=BECOME_METHOD`` parameter, where ``BECOME_METHOD`` could be any of the typical methods described below, or a custom method you've written. Begin entering the name of the method, and the appropriate name auto-populates.
 
 .. image:: ../common/images/credentials-create-machine-credential-priv-escalation.png
+    :alt: Credentials - create machine credential privilege escalation drop-down menu
 
 
 - empty selection: If a task/play has ``become`` set to ``yes`` and is used with an empty selection, then it will default to ``sudo``
@@ -381,6 +399,7 @@ Selecting this credential type enables synchronization of cloud inventory with M
 |Credentials - create Azure credential|
 
 .. |Credentials - create Azure credential| image:: ../common/images/credentials-create-azure-credential.png
+    :alt: Credentials - create Azure credential form
 
 Microsoft Azure Resource Manager credentials have several attributes that may be configured:
 
@@ -449,6 +468,7 @@ AWX uses the following environment variables for Network credentials and are fie
 |Credentials - create network credential|
 
 .. |Credentials - create network credential| image:: ../common/images/credentials-create-network-credential.png
+    :alt: Credentials - create network credential form
 
 
 Network credentials have several attributes that may be configured:
@@ -480,6 +500,7 @@ Selecting this credential type allows you to create instance groups that point t
 |Credentials - create Containers credential|
 
 .. |Credentials - create Containers credential| image:: ../common/images/credentials-create-containers-credential.png
+    :alt: Credentials - create Containers credential form
 
 Container credentials have the following inputs:
 
@@ -503,6 +524,7 @@ Selecting this credential type enables synchronization of cloud inventory with O
 |Credentials - create OpenStack credential|
 
 .. |Credentials - create OpenStack credential| image:: ../common/images/credentials-create-openstack-credential.png
+    :alt: Credentials - create OpenStack credential form
 
 OpenStack credentials have the following inputs that are required:   
 
@@ -525,6 +547,7 @@ Red Hat Ansible Automation Platform
 Selecting this credential allows you to access a Red Hat Ansible Automation Platform instance. 
 
 .. image:: ../common/images/credentials-create-at-credential.png
+    :alt: Credentials - create Red Hat Ansible Automation Platform credential form
 
 The Red Hat Ansible Automation Platform credentials have the following inputs that are required:
 
@@ -551,6 +574,7 @@ AWX writes a Satellite configuration file based on fields prompted in the user i
 |Credentials - create Red Hat Satellite 6 credential|
 
 .. |Credentials - create Red Hat Satellite 6 credential| image:: ../common/images/credentials-create-rh-sat-credential.png
+    :alt: Credentials - create Red Hat Satellite 6 credential form
 
 
 Satellite credentials have the following inputs that are required:   
@@ -581,6 +605,7 @@ AWX uses the following environment variables for Red Hat Virtualization credenti
 |Credentials - create rhv credential|
 
 .. |Credentials - create rhv credential| image:: ../common/images/credentials-create-rhv-credential.png
+    :alt: Credentials - create Red Hat Virtualization credential form
 
 RHV credentials have the following inputs that are required:
 
@@ -601,6 +626,7 @@ SCM (source control) credentials are used with Projects to clone and update loca
 |Credentials - create SCM credential|
 
 .. |Credentials - create SCM credential| image:: ../common/images/credentials-create-scm-credential.png
+    :alt: Credentials - create SCM credential form
 
 
 Source Control credentials have several attributes that may be configured:
@@ -637,6 +663,7 @@ Selecting this credential type enables synchronization of inventory with Ansible
 |Credentials - create Vault credential|
 
 .. |Credentials - create Vault credential| image:: ../common/images/credentials-create-vault-credential.png
+    :alt: Credentials - create Vault credential form
 
 
 Vault credentials require the **Vault Password** and an optional **Vault Identifier** if applying multi-Vault credentialing. For more information on AWX Multi-Vault support, refer to the :ref:`ag_multi_vault` section of the |ata|.
@@ -671,6 +698,7 @@ AWX uses the following environment variables for VMware vCenter credentials and
 |Credentials - create VMware credential|
 
 .. |Credentials - create VMware credential| image:: ../common/images/credentials-create-vmware-credential.png
+    :alt: Credentials - create VMware credential form
 
 VMware credentials have the following inputs that are required:
 

docs/docsite/rst/userguide/ee_reference.rst

@@ -2,304 +2,8 @@
 Execution Environment Setup Reference
 =======================================
 
-This section contains reference information associated with the definition of an |ee|.
-
-You define the content of your execution environment in a YAML file. By default, this file is called ``execution_environment.yml``. This file tells Ansible Builder how to create the build instruction file (Containerfile for Podman, Dockerfile for Docker) and build context for your container image.
-
-.. note::
-
-  This page documents the definition schema for Ansible Builder 3.x. If you are running an older version of Ansible Builder, you need an older schema version. Please consult older versions of the docs for more information. We recommend using version 3, which offers substantially more configurable options and functionality than previous versions.
-
-.. _ref_ee_definition:
-
-Execution environment definition
----------------------------------
-
-A definition file is a ``.yml`` file that is required to build an image for an |ee|. Below is a sample version 3 |ee| definition schema file. To use Ansible Builder 3.x, you must specify the schema version. If your |ee| file does not specify ``version: 3``, Ansible Builder will assume you want version 1. 
-
-::
-
-  ---
-  version: 3
-
-  build_arg_defaults:
-    ANSIBLE_GALAXY_CLI_COLLECTION_OPTS: '--pre'
-
-  dependencies:
-    galaxy: requirements.yml
-    python:
-      - six
-      - psutil
-    system: bindep.txt
-
-  images:
-    base_image:
-      name: registry.redhat.io/ansible-automation-platform-24/ee-minimal-rhel8:latest
-
-  additional_build_files:
-      - src: files/ansible.cfg
-        dest: configs
-
-  additional_build_steps:
-    prepend_galaxy:
-      - ADD _build/configs/ansible.cfg ~/.ansible.cfg
-
-    prepend_final: |
-      RUN whoami
-      RUN cat /etc/os-release
-    append_final:
-      - RUN echo This is a post-install command!
-      - RUN ls -la /etc
-
-
-Configuration options
-----------------------
-
-You may use the configuration YAML keys listed here in your v3 |ee| definition file. The Ansible Builder 3.x execution environment definition file accepts seven top-level sections:
-
-.. contents::
-    :local:
-
-additional_build_files
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Specifies files to be added to the build context directory. These can then be referenced or copied by ``additional_build_steps`` during any build stage. The format is a list of dictionary values, each with a ``src`` and ``dest`` key and value. 
-
-Each list item must be a dictionary containing the following (non-optional) keys:
-
-**src**
-  Specifies the source file(s) to copy into the build context directory. This may either be an absolute path (e.g., ``/home/user/.ansible.cfg``), or a path that is relative to the |ee| file. Relative paths may be a glob expression matching one or more files (e.g. ``files/*.cfg``). Note that an absolute path may **not** include a regular expression. If ``src`` is a directory, the entire contents of that directory are copied to ``dest``.
-
-**dest**
-  Specifies a subdirectory path underneath the ``_build`` subdirectory of the build context directory that should contain the source file(s) (e.g., ``files/configs``). This may not be an absolute path or contain ``..`` within the path. This directory will be created for you if it does not exist.
-
-.. note::
-  When using an ``ansible.cfg`` file to pass a token and other settings for a private account to an |ah| server, listing the config file path here (as a string) will enable it to be included as a build argument in the initial phase of the build.
-
-
-additional_build_steps
-~~~~~~~~~~~~~~~~~~~~~~~
-
-Specifies custom build commands for any build phase. These commands will be inserted directly into the build instruction file for the container runtime (e.g., Containerfile or Dockerfile). The commands must conform to any rules required by the containerization tool.
-
-You can add build steps before or after any stage of the image creation process. For example, if you need ``git`` to be installed before you install your dependencies, you can add a build step at the end of the base build stage.
-
-Below are the valid keys for this section. Each supports either a multi-line string, or a list of strings.
-
-**prepend_base**
-  Commands to insert before building of the base image.
-
-**append_base**
-  Commands to insert after building of the base image.
-
-**prepend_galaxy**
-  Commands to insert before building of the galaxy image.
-
-**append_galaxy**
-  Commands to insert after building of the galaxy image.
-
-**prepend_builder**
-  Commands to insert before building of the builder image.
-
-**append_builder**
-  Commands to insert after building of the builder image.
-
-**prepend_final**
-  Commands to insert before building of the final image.
-
-**append_final**
-  Commands to insert after building of the final image.
-
-
-build_arg_defaults
-~~~~~~~~~~~~~~~~~~~
-Specifies default values for build args as a dictionary. This is an alternative to using the ``--build-arg`` CLI flag.
-
-Build arguments used by ``ansible-builder`` are the following:
-
-**ANSIBLE_GALAXY_CLI_COLLECTION_OPTS** 
-  Allows the user to pass the ``–pre`` flag (or others) to enable the installation of pre-release collections.
-
-**ANSIBLE_GALAXY_CLI_ROLE_OPTS**
-  This allows the user to pass any flags, such as --no-deps, to the role installation.
-
-**PKGMGR_PRESERVE_CACHE**
-  This controls how often the package manager cache is cleared during the image build process. If this value is not set, which is the default, the cache is cleared frequently. If it is set to the string ``always``, the cache is never cleared. Any other value forces the cache to be cleared only after the system dependencies are installed in the final build stage.
-
-Ansible Builder hard-codes values given inside of ``build_arg_defaults`` into the build instruction file, so they will persist if you run your container build manually.
-
-If you specify the same variable in the |ee| definition and at the command line with the CLI ``build-arg`` flag, the CLI value will take higher precedence (the CLI value will override the value in the |ee| definition).
-
-.. _ref_collections_metadata:
-
-dependencies
-~~~~~~~~~~~~~
-
-Specifies dependencies to install into the final image, including ``ansible-core``, ``ansible-runner``, Python packages, system packages, and Ansible Collections. Ansible Builder automatically installs dependencies for any Ansible Collections you install.
-
-In general, you can use standard syntax to constrain package versions. Use the same syntax you would pass to ``dnf``, ``pip``, ``ansible-galaxy``, or any other package management utility. You can also define your packages or collections in separate files and reference those files in the ``dependencies`` section of your |ee| definition file.
-
-The following keys are valid for this section:
-
-**ansible_core**
-  The version of the ``ansible-core`` Python package to be installed. This value is a dictionary with a single key, ``package_pip``. The ``package_pip`` value is passed directly to pip for installation and can be in any format that pip supports. Below are some example values:
-  ::
-
-    ansible_core:
-        package_pip: ansible-core
-    ansible_core:
-        package_pip: ansible-core==2.14.3
-    ansible_core:
-        package_pip: https://github.com/example_user/ansible/archive/refs/heads/ansible.tar.gz
-
-**ansible_runner**
-  The version of the Ansible Runner Python package to be installed. This value is a dictionary with a single key, package_pip. The package_pip value is passed directly to pip for installation and can be in any format that pip supports. Below are some example values:
-  ::
-
-    ansible_runner:
-        package_pip: ansible-runner
-    ansible_runner:
-        package_pip: ansible-runner==2.3.2
-    ansible_runner:
-        package_pip: https://github.com/example_user/ansible-runner/archive/refs/heads/ansible-runner.tar.gz
-
-
-**galaxy**
-  Ansible Collections to be installed from Galaxy. This may be a filename, a dictionary, or a multi-line string representation of an Ansible Galaxy ``requirements.yml`` file (see below for examples). Read more about the requirements file format in the `Galaxy user guide <https://docs.ansible.com/ansible/latest/galaxy/user_guide.html#install-multiple-collections-with-a-requirements-file>`_.
-
-**python**
-  The Python installation requirements. This may either be a filename, or a list of requirements (see below for an example). Ansible Builder combines all the Python requirements files from all collections into a single file using the ``requirements-parser`` library. This library supports complex syntax, including references to other files. If multiple collections require the same *package name*, Ansible Builder combines them into a single entry and combines the constraints. Certain package names are specifically *ignored* by ``ansible-builder``, meaning that Ansible Builder does not include them in the combined file of Python dependencies, even if a collection lists them as dependencies. These include test packages and packages that provide Ansible itself. The full list can be found in ``EXCLUDE_REQUIREMENTS`` in ``src/ansible_builder/_target_scripts/introspect.py``. If you need to include one of these ignored package names, use the ``--user-pip`` option of the ``introspect`` command to list it in the user requirements file. Packages supplied this way are not processed against the list of excluded Python packages.
-
-**python_interpreter**
-  A dictionary that defines the Python system package name to be installed by dnf (``package_system``) and/or a path to the Python interpreter to be used (``python_path)``.
-
-**system**
-  The system packages to be installed, in bindep format. This may either be a filename, or a list of requirements (see below for an example). For more information about bindep, refer to the `OpenDev documentation <https://docs.opendev.org/opendev/bindep/latest/readme.html>`_.
-  For system packages, use the ``bindep`` format to specify cross-platform requirements, so they can be installed by whichever package management system the execution environment uses. Collections should specify necessary requirements for ``[platform:rpm]``. Ansible Builder combines system package entries from multiple collections into a single file. Only requirements with *no* profiles (runtime requirements) are installed to the image. Entries from multiple collections which are outright duplicates of each other may be consolidated in the combined file. 
-
-The following example uses filenames that contain the various dependencies:
-
-  ::
-
-    dependencies:
-      python: requirements.txt
-      system: bindep.txt
-      galaxy: requirements.yml
-      ansible_core:
-          package_pip: ansible-core==2.14.2
-      ansible_runner:
-          package_pip: ansible-runner==2.3.1
-      python_interpreter:
-          package_system: "python310"
-          python_path: "/usr/bin/python3.10"
-
-And this example uses inline values:
-
-  ::
-
-    dependencies:
-      python:
-        - pywinrm
-      system:
-        - iputils [platform:rpm]
-      galaxy:
-        collections:
-          - name: community.windows
-          - name: ansible.utils
-            version: 2.10.1
-      ansible_core:
-          package_pip: ansible-core==2.14.2
-      ansible_runner:
-          package_pip: ansible-runner==2.3.1
-      python_interpreter:
-          package_system: "python310"
-          python_path: "/usr/bin/python3.10"
-
-
-.. note::
-
-  If any of these dependency files (``requirementa.txt,bindep.txt, and requirements.yml``) are in the ``build_ignore`` of the collection, it will not work correctly.
-
-  Collection maintainers can verify that ansible-builder recognizes the requirements they expect by using the ``introspect`` command, for example:
-
-  ::
-
-    ansible-builder introspect --sanitize ~/.ansible/collections/
-
-The ``--sanitize`` option reviews all of the collection requirements and removes duplicates. It also removes any Python requirements that should normally be excluded. Use the ``-v3`` option to ``introspect`` to see logging messages about requirements that are being excluded. 
-
-
-images
-~~~~~~~
-
-Specifies the base image to be used. At a minimum you **MUST** specify a source, image, and tag for the base image. The base image provides the operating system and may also provide some packages. We recommend using the standard ``host/namespace/container:tag`` syntax to specify images. You may use Podman or Docker shortcut syntax instead, but the full definition is more reliable and portable.
-
-Valid keys for this section are:
-
-**base_image**
-  A dictionary defining the parent image for the execution environment. A ``name`` key must be supplied with the container image to use. Use the ``signature_original_name`` key if the image is mirrored within your repository, but signed with the original image's signature key.
-
-image verification
-^^^^^^^^^^^^^^^^^^^
-You can verify signed container images if you are using the ``podman`` container runtime. Set the ``container-policy`` CLI option to control how this data is used in relation to a Podman ``policy.json`` file for container image signature validation.
-
-- ``ignore_all`` policy: Generate a ``policy.json`` file in the build ``context directory <context>`` where no signature validation is performed.
-- ``system`` policy: Signature validation is performed using pre-existing ``policy.json`` files in standard system locations. ``ansible-builder`` assumes no responsibility for the content within these files, and the user has complete control over the content.
-- ``signature_required`` policy: ``ansible-builder`` will use the container image definitions here to generate a ``policy.json`` file in the build ``context directory <context>`` that will be used during the build to validate the images.
-
-
-options
-~~~~~~~~
-
-A dictionary of keywords/options that can affect builder runtime functionality. Valid keys for this section are:
-
-**container_init**
-  A dictionary with keys that allow for customization of the container ``ENTRYPOINT`` and ``CMD`` directives (and related behaviors). Customizing these behaviors is an advanced task, and may result in subtle, difficult-to-debug failures. As the provided defaults for this section control a number of intertwined behaviors, overriding any value will skip all remaining defaults in this dictionary. Valid keys are:
-
-  **cmd**
-    Literal value for the ``CMD`` Containerfile directive. The default value is ``["bash"]``.
-
-  **entrypoint**
-    Literal value for the ``ENTRYPOINT`` Containerfile directive. The default entrypoint behavior handles signal propagation to subprocesses, as well as attempting to ensure at runtime that the container user has a proper environment with a valid writeable home directory, represented in ``/etc/passwd``, with the ``HOME`` environment variable set to match. The default entrypoint script may emit warnings to ``stderr`` in cases where it is unable to suitably adjust the user runtime environment. This behavior can be ignored or elevated to a fatal error; consult the source for the ``entrypoint`` target script for more details. The default value is ``["/opt/builder/bin/entrypoint", "dumb-init"]``.
-
-  **package_pip**
-    Package to install via pip for entrypoint support. This package will be installed in the final build image. The default value is ``dumb-init==1.2.5``.
-
-**package_manager_path**
-  A string with the path to the package manager (dnf or microdnf) to use. The default is ``/usr/bin/dnf``. This value will be used to install a Python interpreter, if specified in ``dependencies``, and during the build phase by the ``assemble`` script.
-
-**skip_ansible_check**
-  This boolean value controls whether or not the check for an installation of Ansible and Ansible Runner is performed on the final image. Set this value to ``True`` to not perform this check. The default is ``False``.
-
-**relax_passwd_permissions**
-  This boolean value controls whether the ``root`` group (GID 0) is explicitly granted write permission to ``/etc/passwd`` in the final container image. The default entrypoint script may attempt to update ``/etc/passwd`` under some container runtimes with dynamically created users to ensure a fully-functional POSIX user environment and home directory. Disabling this capability can cause failures of software features that require users to be listed in ``/etc/passwd`` with a valid and writeable home directory (eg, ``async`` in ansible-core, and the ``~username`` shell expansion). The default is ``True``.
-
-**workdir**
-  Default current working directory for new processes started under the final container image. Some container runtimes also use this value as ``HOME`` for dynamically-created users in the ``root`` (GID 0) group. When this value is specified, the directory will be created (if it doesn't already exist), set to ``root`` group ownership, and ``rwx`` group permissions recursively applied to it. The default value is ``/runner``.
-
-**user**
-  This sets the username or UID to use as the default user for the final container image. The default value is ``1000``.
-
-Example options section:
-::
-
-  options:
-      container_init:
-          package_pip: dumb-init>=1.2.5
-          entrypoint: '["dumb-init"]'
-          cmd: '["csh"]'
-      package_manager_path: /usr/bin/microdnf
-      relax_password_permissions: false
-      skip_ansible_check: true
-      workdir: /myworkdir
-      user: bob
-
-
-version
-~~~~~~~~
-
-An integer value that sets the schema version of the execution environment definition file. Defaults to ``1``. Must be ``3`` if you are using Ansible Builder 3.x.
-
+For detailed information about the |ee| definition,
+refer to the `Ansible Builder documentation <https://ansible.readthedocs.io/projects/builder/en/latest/definition/#execution-environment-definition>`_.
 
 Default execution environment for AWX
 --------------------------------------

docs/docsite/rst/userguide/execution_environments.rst

@@ -16,7 +16,7 @@ Execution Environments
 Building an Execution Environment
 ---------------------------------
 
-The `Getting started with Execution Environments guide` will give you a brief technology overview and show you how to build and test your first |ee| in a few easy steps.
+The `Getting started with Execution Environments guide <https://ansible.readthedocs.io/en/latest/getting_started_ee/index.html>`_ will give you a brief technology overview and show you how to build and test your first |ee| in a few easy steps.
 
 Use an execution environment in jobs
 ------------------------------------
@@ -48,16 +48,19 @@ In order to use an |ee| in a job, a few components are required:
 -  **Registry credential**: If the image has a protected container registry, provide the credential to access it.
 
 .. image:: ../common/images/ee-new-ee-form-filled.png
+   :alt: Create new Execution Environment form
 
 4. Click **Save**. 
 
 Now your newly added |ee| is ready to be used in a job template. To add an |ee| to a job template, specify it in the **Execution Environment** field of the job template, as shown in the example below. For more information on setting up a job template, see :ref:`ug_JobTemplates` in the |atu|.
 
 .. image:: ../common/images/job-template-with-example-ee-selected.png
+   :alt: Job template using newly created Execution Environment
 
 Once you added an |ee| to a job template, you can see those templates listed in the **Templates** tab of the |ee|:
 
 .. image:: ../common/images/ee-details-templates-list.png
+   :alt: Templates tab of the Execution Environment showing one job associated with it 
 
 
 Execution environment mount options
@@ -82,7 +85,8 @@ If you encounter this error, or have upgraded from an older version of AWX, perf
 2. In the **Paths to expose to isolated jobs** field of the Job Settings page, using the current example, expose the path as such:
 
 .. image:: ../common/images/settings-paths2expose-iso-jobs.png
-
+   :alt: Jobs Settings page showing Paths to expose to isolated jobs field with defaults
+   
 .. note::
 
 	The ``:O`` option is only supported for directories. It is highly recommended that you be as specific as possible, especially when specifying system paths. Mounting ``/etc`` or ``/usr`` directly have impact that make it difficult to troubleshoot. 
@@ -99,10 +103,11 @@ This informs podman to run a command similar to the example below, where the con
 To expose isolated paths in OpenShift or Kubernetes containers as HostPath, assume the following configuration:
 
 .. image:: ../common/images/settings-paths2expose-iso-jobs-mount-containers.png
+   :alt: Jobs Settings page showing Paths to expose to isolated jobs field with assumed configuration and Expose host paths for Container Group toggle enabled 
 
 Use the **Expose host paths for Container Groups** toggle to enable it. 
 
 Once the playbook runs, the resulting Pod spec will display similar to the example below. Note the details of the ``volumeMounts`` and ``volumes`` sections.
 
 .. image:: ../common/images/mount-containers-playbook-run-podspec.png
-
+   :alt: Pod spec for the playbook run showing volumeMounts and volumes details

docs/docsite/rst/userguide/instance_groups.rst

@@ -11,6 +11,7 @@ An :term:`Instance Group` provides the ability to group instances in a clustered
 |Instance Group policy example|
 
 .. |Instance Group policy example| image:: ../common/images/instance-groups_list_view.png
+   :alt: Instance groups list view showing example instance groups and one with capacity levels
 
 For more information about the policy or rules associated with instance groups, see the :ref:`ag_instance_groups` section of the |ata|.
 
@@ -34,6 +35,7 @@ To create a new instance group:
 |IG - create new IG|
 
 .. |IG - create new IG| image:: ../common/images/instance-group-create-new-ig.png
+   :alt: Create instance group form
 
 3. Enter the appropriate details into the following fields:
 
@@ -57,11 +59,12 @@ To create a new instance group:
 Once the instance group is successfully created, the **Details** tab of the newly created instance group remains, allowing you to review and edit your instance group information. This is the same screen that opens when the **Edit** (|edit-button|) button is clicked from the **Instance Groups** list view. You can also edit **Instances** and review **Jobs** associated with this instance group.
 
 .. |edit-button| image:: ../common/images/edit-button.png
+   :alt: Edit button
 
 |IG - example IG successfully created|
 
 .. |IG - example IG successfully created| image:: ../common/images/instance-group-example-ig-successfully-created.png
-
+	   :alt: Instance group details showing how to view instances and jobs associated with an instance group
 
 Associate instances to an instance group
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -75,6 +78,7 @@ To associate instances to an instance group:
 |IG - select instances|
 
 .. |IG - select instances| image:: ../common/images/instance-group-assoc-instances.png
+   :alt: Associating an instance with an instance group
 
 3. In the following example, the instances added to the instance group displays along with information about their capacity.
 
@@ -83,6 +87,7 @@ This view also allows you to edit some key attributes associated with the instan
 |IG - instances in IG callouts|
 
 .. |IG - instances in IG callouts| image:: ../common/images/instance-group-instances-example-callouts.png
+   :alt: Edit attributes associated with instances in an instance group
 
 
 View jobs associated with an instance group
@@ -93,6 +98,7 @@ To view the jobs associated with the instance group, click the **Jobs** tab of t
 |IG - instances jobs|
 
 .. |IG - instances jobs| image:: ../common/images/instance-group-jobs-list.png
+   :alt: Viewing jobs associated with an instance group
 
 Each job displays the job status, ID, and name; type of job, time started and completed, who started the job; and applicable resources associated with it, such as template, inventory, project, |ee|, etc.
 

docs/docsite/rst/userguide/job_branching.rst

@@ -3,10 +3,12 @@
 Projects specify the branch, tag, or reference to use from source control in the ``scm_branch`` field. These are represented by the values specified in the Project Details fields as shown.
 
 .. image:: ../common/images/projects-create-scm-project-branching-emphasized.png
+   :alt: Create New Project page with SCM branching options emphasized
 
 Projects have the option to "Allow Branch Override". When checked, project admins can delegate branch selection to the job templates that use that project (requiring only project ``use_role``). 
 
 .. image:: ../common/images/projects-create-scm-project-branch-override-checked.png
+   :alt: Allow Branch Override checkbox option in Project selected
 
 
 
@@ -22,6 +24,7 @@ If **Clean** is checked, AWX discards modified files in its local copy of the re
 .. _`Subversion`: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/subversion_module.html#parameters
 
 .. image:: ../common/images/projects-create-scm-project-clean-checked.png
+   :alt: Clean checkbox option in Project selected
 
 
 Project revision behavior
@@ -32,6 +35,7 @@ is stored when updated, and jobs using that project will employ this revision. P
 This revision is shown in the **Source Control Revision** field of the job and its respective project update.
 
 .. image:: ../common/images/jobs-output-branch-override-example.png
+   :alt: Project's Source Control Revision value
 
 Consequently, offline job runs are impossible for non-default branches. To be sure that a job is running a static version from source control, use tags or commit hashes. Project updates do not save the revision of all branches, only the project default branch.
 

docs/docsite/rst/userguide/job_capacity.rst

@@ -106,4 +106,5 @@ The instance field ``capacity_adjustment`` allows you to select how much of one
 
 To view or edit the capacity in the user interface, select the **Instances** tab of the Instance Group.
 
-.. image:: ../common/images/instance-group-instances-capacity-callouts.png
+.. image:: ../common/images/instance-group-instances-capacity-callouts.png
+    :alt: Instances tab of Instance Group showing sliders for capacity adjustment.

docs/docsite/rst/userguide/job_slices.rst

@@ -28,6 +28,7 @@ Consider the following when setting up job slices:
 - When executed, a sliced job splits each inventory into a number of "slice size" chunks. It then queues jobs of ansible-playbook runs on each chunk of the appropriate inventory. The inventory fed into ansible-playbook is a pared-down version of the original inventory that only contains the hosts in that particular slice. The completed sliced job that displays on the Jobs list are labeled accordingly, with the number of sliced jobs that have run:
 
 .. image:: ../common/images/sliced-job-shown-jobs-list-view.png
+    :alt: Sliced job shown in Jobs list view
 
 
 - These sliced jobs follow normal scheduling behavior (number of forks, queuing due to capacity, assignation to instance groups based on inventory mapping).
@@ -54,6 +55,7 @@ Job slice execution behavior
 When jobs are sliced, they can run on any node and some may not run at the same time (insufficient capacity in the system, for example). When slice jobs are running, job details display the workflow and job slice(s) currently running, as well as a link to view their details individually.
 
 .. image:: ../common/images/sliced-job-shown-jobs-output-view.png
+    :alt: Sliced job shown in Jobs output view
 
 By default, job templates are not normally configured to execute simultaneously (``allow_simultaneous`` must be checked in the API or **Enable Concurrent Jobs** in the UI). Slicing overrides this behavior and implies ``allow_simultaneous`` even if that setting is unchecked. See :ref:`ug_JobTemplates` for information on how to specify this, as well as the number of job slices on your job template configuration.
 

docs/docsite/rst/userguide/job_templates.rst

@@ -17,13 +17,16 @@ The **Templates** menu opens a list of the job templates that are currently avai
 |Job templates - home with example job template|
 
 .. |Job templates - home with example job template| image:: ../common/images/job-templates-home-with-example-job-template.png
+    :alt: Job templates - home with example job template
 
 
 From this screen, you can launch (|launch|), edit (|edit|), and copy (|copy|) a job template. To delete a job template, you must select one or more templates and click the **Delete** button. Before deleting a job template, be sure it is not used in a workflow job template.  
 
 .. |edit| image:: ../common/images/edit-button.png
+    :alt: Edit button
 
-.. |delete| image:: ../common/images/delete-button.png 
+.. |delete| image:: ../common/images/delete-button.png
+    :alt: Delete button
 
 
 .. include:: ../common/work_items_deletion_warning.rst
@@ -33,6 +36,7 @@ From this screen, you can launch (|launch|), edit (|edit|), and copy (|copy|) a
       Job templates can be used to build a workflow template. For templates that show the Workflow Visualizer (|wf-viz-icon|) icon next to them are workflow templates. Clicking it allows you to graphically build a workflow. Many parameters in a job template allow you to enable **Prompt on Launch** that can be modified at the workflow level, and do not affect the values assigned at the job template level. For instructions, see the :ref:`ug_wf_editor` section. 
 
 .. |wf-viz-icon| image:: ../common/images/wf-viz-icon.png
+    :alt: Workflow Visualizer icon
 
 Create a Job Template
 -----------------------
@@ -153,10 +157,13 @@ To create a new job template:
      - Yes
 
 .. |search| image:: ../common/images/search-button.png
+    :alt: Search button
 
 .. |x-circle| image:: ../common/images/x-delete-button.png
+    :alt: Delete button
 
 .. |x| image:: ../common/images/x-button.png
+    :alt: X button
 
 
 3. **Options**: Specify options for launching this template, if necessary.
@@ -170,6 +177,7 @@ To create a new job template:
   If you enable webhooks, other fields display, prompting for additional information:
 
     .. image:: ../common/images/job-templates-options-webhooks.png
+        :alt: Job templates - options - webhooks
 
     - **Webhook Service**: Select which service to listen for webhooks from
     - **Webhook URL**: Automatically populated with the URL for the webhook service to POST requests to.
@@ -184,16 +192,19 @@ To create a new job template:
   - **Prevent Instance Group Fallback**: Check this option to allow only the instance groups listed in the **Instance Groups** field above to execute the job. If unchecked, all available instances in the execution pool will be used based on the hierarchy described in :ref:`ag_instance_groups_control_where_job_runs`.  Click the |help| icon for more information.
 
 .. |help| image:: ../common/images/tooltips-icon.png
+    :alt: Tooltip
 
 |Job templates - create new job template|
 
 .. |Job templates - create new job template| image:: ../common/images/job-templates-create-new-job-template.png
+    :alt: Job templates - create new job template
 
 4. When you have completed configuring the details of the job template, click **Save**. 
 
 Saving the template does not exit the job template page but advances to the Job Template Details tab for viewing. After saving the template, you can click **Launch** to launch the job, or click **Edit** to add or change the attributes of the template, such as permissions, notifications, view completed jobs, and add a survey (if the job type is not a scan). You must first save the template prior to launching, otherwise, the **Launch** button remains grayed-out.
 
 .. image:: ../common/images/job-templates-job-template-details.png
+    :alt: Job templates - job template details
 
 You can verify the template is saved when the newly created template appears on the Templates list view. 
 
@@ -211,6 +222,7 @@ Work with Notifications
 Clicking the **Notifications** tab allows you to review any notification integrations you have setup and their statuses, if they have ran. 
 
 .. image:: ../common/images/job-template-completed-notifications-view.png
+    :alt: Job templates - completed notifications view
 
 Use the toggles to enable or disable the notifications to use with your particular template. For more detail, see :ref:`ug_notifications_on_off`. 
 
@@ -223,11 +235,13 @@ View Completed Jobs
 The **Completed Jobs** tab provides the list of job templates that have ran. Click **Expanded** to view details of each job, including its status, ID, and name; type of job, time started and completed, who started the job; and which template, inventory, project, and credential were used. You can filter the list of completed jobs using any of these criteria.
 
 .. image:: ../common/images/job-template-completed-jobs-view.png
+    :alt: Job templates - completed jobs view
 
 
 Sliced jobs that display on this list are labeled accordingly, with the number of sliced jobs that have run:
 
 .. image:: ../common/images/sliced-job-shown-jobs-list-view.png
+    :alt: Sliced job shown in jobs list view
 
 
 Scheduling
@@ -242,6 +256,7 @@ Access the schedules for a particular job template from the **Schedules** tab.
 |Job Templates - schedule launch|
 
 .. |Job Templates - schedule launch| image:: ../common/images/job-templates-schedules.png
+    :alt: Job Templates - schedule launch
 
 
 Schedule a Job Template
@@ -316,6 +331,7 @@ To create a survey:
 -  **Default answer**: The default answer to the question. This value is pre-filled in the interface and is used if the answer is not provided by the user.
 
 .. image:: ../common/images/job-template-create-survey.png
+    :alt: Job templates - create survey
 
 
 3. Once you have entered the question information, click **Save** to add the question.
@@ -325,11 +341,13 @@ The survey question displays in the Survey list. For any question, you can click
 |job-template-completed-survey|
 
 .. |job-template-completed-survey| image:: ../common/images/job-template-completed-survey.png
+    :alt: Job templates - completed survey
 
 
 If you have more than one survey question, use the **Edit Order** button to rearrange the order of the questions by clicking and dragging on the grid icon. 
 
 .. image:: ../common/images/job-template-rearrange-survey.png
+    :alt: Job templates - rearrange survey
 
 
 4. To add more questions, click the **Add** button to add additional questions.
@@ -369,10 +387,12 @@ Launch a job template by any of the following ways:
 - Access the job template list from the **Templates** menu on the left navigation bar or while in the Job Template Details view, scroll to the bottom to access the |launch| button from the list of templates.
 
 .. image:: ../common/images/job-templates-home-with-example-job-template-launch.png
+    :alt: Job templates - home with example job template - launch
 
 - While in the Job Template Details view of the job template you want to launch, click **Launch**. 
 
 .. |launch| image:: ../common/images/launch-button.png
+    :alt: Launch button
 
 A job may require additional information to run. The following data may be requested at launch:
 
@@ -392,10 +412,12 @@ Below is an example job launch that prompts for Job Tags, and runs the example s
 |job-launch-with-prompt-job-tags|
 
 .. |job-launch-with-prompt-job-tags| image:: ../common/images/job-launch-with-prompt-at-launch-jobtags.png
+    :alt: Job launch with prompt job tags
 
 |job-launch-with-prompt-survey|
 
 .. |job-launch-with-prompt-survey| image:: ../common/images/job-launch-with-prompt-at-launch-survey.png
+    :alt: Job launch with prompt survey
 
 .. note::
 
@@ -445,6 +467,7 @@ Upon launch, AWX automatically redirects the web browser to the Job Status page
 When slice jobs are running, job lists display the workflow and job slices, as well as a link to view their details individually.
 
 .. image:: ../common/images/sliced-job-shown-jobs-list-view.png
+    :alt: Sliced job shown in jobs list view
 
 .. _ug_JobTemplates_bulk_api:
 
@@ -465,6 +488,7 @@ If you choose to copy Job Template, it **does not** copy any associated schedule
 2. Click the |copy| button associated with the template you want to copy.
 
 .. |copy| image:: ../common/images/copy-button.png
+    :alt: Copy button
 
 The new template with the name of the template from which you copied and a timestamp displays in the list of templates.
 
@@ -517,6 +541,7 @@ The ``scan_files`` fact module is the only module that accepts parameters, passe
 Scan job templates should enable ``become`` and use credentials for which ``become`` is a possibility. You can enable become by checking the **Enable Privilege Escalation** from the Options menu:
 
 .. image:: ../common/images/job-templates-create-new-job-template-become.png
+    :alt: Job template with Privilege Escalation checked from the Options field.
 
 
 Supported OSes for ``scan_facts.yml``
@@ -631,6 +656,7 @@ Fact Caching
 AWX can store and retrieve facts on a per-host basis through an Ansible Fact Cache plugin. This behavior is configurable on a per-job template basis. Fact caching is turned off by default but can be enabled to serve fact requests for all hosts in an inventory related to the job running. This allows you to use job templates with ``--limit`` while still having access to the entire inventory of host facts. A global timeout setting that the plugin enforces per-host, can be specified (in seconds) through the Jobs settings menu:
 
 .. image:: ../common/images/configure-awx-jobs-fact-cache-timeout.png
+    :alt: Jobs Settings window showing the location of the Per-Host Ansible Fact Cache Timeout parameter from the Edit Details screen.
 
 Upon launching a job that uses fact cache (``use_fact_cache=True``), AWX will store all ``ansible_facts`` associated with each host in the inventory associated with the job.  The Ansible Fact Cache plugin that ships with AWX will only be enabled on jobs with fact cache enabled (``use_fact_cache=True``).
 
@@ -659,7 +685,8 @@ Fact caching saves a significant amount of time over running fact gathering. If
 
 You can choose to use cached facts in your job by enabling it in the **Options** field of the Job Templates window.
 
-.. image:: ../common/images/job-templates-options-use-factcache.png  
+.. image:: ../common/images/job-templates-options-use-factcache.png
+    :alt: Job templates - options - use factcache
 
 To clear facts, you need to run the Ansible ``clear_facts`` `meta task`_. Below is an example playbook that uses the Ansible ``clear_facts`` meta task.
 
@@ -836,6 +863,7 @@ To enable callbacks, check the *Provisioning Callbacks* checkbox in the Job Temp
     If you intend to use AWX's provisioning callback feature with a dynamic inventory, Update on Launch should be set for the inventory group used in the Job Template.
 
 .. image:: ../common/images/provisioning-callbacks-config.png
+    :alt: Provisioning callbacks config
 
 Callbacks also require a Host Config Key, to ensure that foreign hosts with the URL cannot request configuration. Please provide a custom value for Host Config Key. The host key may be reused across multiple hosts to apply this job template against multiple hosts. Should you wish to control what hosts are able to request configuration, the key may be changed at any time.
 
@@ -978,6 +1006,7 @@ The following table notes the behavior (hierarchy) of variable precedence in AWX
 **AWX Variable Precedence Hierarchy (last listed wins)**
 
 .. image:: ../common/images/Architecture-AWX_Variable_Precedence_Hierarchy.png
+    :alt: AWX Variable Precedence Hierarchy
 
 
 Relaunching Job Templates

docs/docsite/rst/userguide/notifications.rst

@@ -68,6 +68,7 @@ To create a Notification Template:
 2. Click the **Add** button.
 
 .. image:: ../common/images/notifications-template-add-new.png
+   :alt: Create new notification template
 
 3. Enter the name of the notification and a description in their respective fields, and specify the organization (required) it belongs to.
 
@@ -115,6 +116,7 @@ You must provide the following details to setup an email notification:
 - Timeout (in seconds): allows you to specify up to 120 seconds, the length of time AWX may attempt connecting to the email server before giving up.
 
 .. image:: ../common/images/notification-template-email.png
+   :alt: Email notification template
 
 Grafana
 ------------
@@ -136,7 +138,7 @@ The other options of note are:
 - Disable SSL Verification: SSL verification is on by default, but you can choose to turn off verification the authenticity of the target's certificate. Environments that use internal or private CA's should select this option to disable verification.
 
 .. image:: ../common/images/notification-template-grafana.png
-
+   :alt: Grafana notification template
 
 IRC
 -----
@@ -154,6 +156,7 @@ Connectivity information is straightforward:
 
 
 .. image:: ../common/images/notification-template-irc.png
+   :alt: IRC notification template
 
 Mattermost
 ------------
@@ -167,6 +170,7 @@ The Mattermost notification type provides a simple interface to Mattermost's mes
 - Disable SSL Verification: Turns off verification of the authenticity of the target's certificate. Environments that use internal or private CA's should select this option to disable verification.
 
 .. image:: ../common/images/notification-template-mattermost.png
+   :alt: Mattermost notification template
 
 
 PagerDuty
@@ -182,6 +186,8 @@ PagerDuty is a fairly straightforward integration. First, create an API Key in t
 - Client Identifier: This will be sent along with the alert content to the pagerduty service to help identify the service that is using the api key/service. This is helpful if multiple integrations are using the same API key and service.
 
 .. image:: ../common/images/notification-template-pagerduty.png
+   :alt: PagerDuty notification template
+
 
 Rocket.Chat
 -------------
@@ -194,6 +200,7 @@ The Rocket.Chat notification type provides an interface to Rocket.Chat's collabo
 - Disable SSL Verification: Turns off verification of the authenticity of the target's certificate. Environments that use internal or private CA's should select this option to disable verification.
 
 .. image:: ../common/images/notification-template-rocketchat.png
+   :alt: Rocket.Chat notification template
 
 
 Slack
@@ -212,6 +219,7 @@ Once you have a bot/app set up, you must navigate to "Your Apps", click on the n
 You must also invite the notification bot to join the channel(s) in question in Slack. Note that private messages are not supported.
 
 .. image:: ../common/images/notification-template-slack.png
+   :alt: Slack notification template
 
 
 Twilio
@@ -231,6 +239,8 @@ To setup Twilio, provide the following details:
 - Account SID 
 
 .. image:: ../common/images/notification-template-twilio.png
+   :alt: Twilio notification template
+
 
 
 Webhook
@@ -257,6 +267,8 @@ The parameters for configuring webhooks are:
 
 
 .. image:: ../common/images/notification-template-webhook.png
+   :alt: Webhook notification template
+
 
 
 Webhook payloads
@@ -333,6 +345,8 @@ Create custom notifications
 You can :ref:`customize the text content <ir_notifications_reference>` of each of the :ref:`ug_notifications_types` by enabling the **Customize Messages** portion at the bottom of the notifications form using the toggle button. 
 
 .. image:: ../common/images/notification-template-customize.png
+   :alt: Custom notification template
+
 
 You can provide a custom message for various job events: 
 
@@ -347,10 +361,12 @@ You can provide a custom message for various job events:
 The message forms vary depending on the type of notification you are configuring. For example, messages for email and PagerDuty notifications have the appearance of a typical email form with a subject and body, in which case, AWX displays the fields as **Message** and **Message Body**. Other notification types only expect a **Message** for each type of event:
 
 .. image:: ../common/images/notification-template-customize-simple.png
+   :alt: Custom notification template example
 
 The **Message** fields are pre-populated with a template containing a top-level variable, ``job`` coupled with an attribute, such as ``id`` or ``name``, for example. Templates are enclosed in curly braces and may draw from a fixed set of fields provided by AWX, as shown in the pre-populated **Messages** fields. 
 
 .. image:: ../common/images/notification-template-customize-simple-syntax.png
+   :alt: Custom notification template example syntax
 
 This pre-populated field suggests commonly displayed messages to a recipient who is notified of an event. You can, however, customize these messages with different criteria by adding your own attribute(s) for the job as needed. Custom notification messages are rendered using Jinja - the same templating engine used by Ansible playbooks. 
 
@@ -474,8 +490,8 @@ If you create a notification template that uses invalid syntax or references unu
 
    If you save the notifications template without editing the custom message (or edit and revert back to the default values), the **Details** screen assumes the defaults and will not display the custom message tables. If you edit and save any of the values, the entire table displays in the **Details** screen.
 
-   .. image:: ../common/images/notifications-with-without-messages.png
-
+.. image:: ../common/images/notifications-with-without-messages.png
+   :alt: Notification template with and without a custom message
 
 .. _ug_notifications_on_off:
 
@@ -498,11 +514,12 @@ You can enable notifications on job start, job success, and job failure, or any
 - Organizations
 
 .. image:: ../common/images/projects-notifications-example-list.png
-
+   :alt: List of project notifications
 
 For workflow templates that have approval nodes, in addition to *Start*, *Success*, and *Failure*, you can enable or disable certain approval-related events: 
 
 .. image:: ../common/images/wf-template-completed-notifications-view.png
+   :alt: List of project notifications with approval nodes option
 
 Refer to :ref:`ug_wf_approval_nodes` for additional detail on working with these types of nodes.
 
@@ -516,6 +533,7 @@ Configure the ``host`` hostname for notifications
 In the :ref:`System Settings <configure_awx_system>`, you can replace the default value in the **Base URL of the service** field with your preferred hostname to change the notification hostname.     
 
 .. image:: ../common/images/configure-awx-system-misc-baseurl.png
+   :alt: Configuring base URL with preferred hostname
 
 Refreshing your license also changes the notification hostname. New installations of AWX should not have to set the hostname for notifications.
 

docs/docsite/rst/userguide/organizations.rst

@@ -11,6 +11,7 @@ An :term:`Organization` is a logical collection of **Users**, **Teams**, **Proje
 |awx hierarchy|
 
 .. |awx hierarchy| image:: ../common/images/AWXHierarchy.png
+   :alt: AWX Hierarchy
 
 Access the Organizations page by clicking **Organizations** from the left navigation bar. The Organizations page displays all of the existing organizations for your installation. Organizations can be searched by **Name** or **Description**. Modify and remove organizations using the **Edit** and **Delete** buttons.
 
@@ -20,10 +21,12 @@ Access the Organizations page by clicking **Organizations** from the left naviga
 |Organizations - home showing example organization|
 
 .. |Organizations - home showing example organization| image:: ../common/images/organizations-home-showing-example-organization.png
+   :alt: Example of organizations home page
 
 From this list view, you can edit the details of an organization (|edit button|) from the **Actions** menu.
 
 .. |edit button| image:: ../common/images/edit-button.png
+   :alt: Edit button
 
 .. _ug_organizations_create:
 
@@ -35,6 +38,7 @@ Creating a New Organization
 |Organizations - new organization form|
 
 .. |Organizations - new organization form| image:: ../common/images/organizations-new-organization-form.png
+   :alt: Create new organization form
 
 2. An organization has several attributes that may be configured:
 
@@ -51,7 +55,7 @@ Once created, AWX displays the Organization details, and allows for the managing
 |Organizations - show record for example organization|
 
 .. |Organizations - show record for example organization| image:: ../common/images/organizations-show-record-for-example-organization.png
-
+   :alt: Organization details tab with edit, delete options
 
 From the **Details** tab, you can edit or delete the organization. 
 
@@ -73,6 +77,7 @@ Clicking on **Access** (beside **Details** when viewing your organization), disp
 |Organizations - show users for example organization|
 
 .. |Organizations - show users for example organization| image:: ../common/images/organizations-show-users-permissions-organization.png
+   :alt: Organization Access tab with user permissions
 
 As you can manage the user membership for this Organization here, you can manage user membership on a per-user basis from the Users page by clicking **Users** from the left navigation bar. Organizations have a unique set of roles not described here. You can assign specific users certain levels of permissions within your organization, or allow them to act as an admin for a particular resource. Refer to :ref:`rbac-ug` for more information. 
 
@@ -102,12 +107,14 @@ Work with Notifications
 Clicking the **Notifications** tab allows you to review any notification integrations you have setup. 
 
 .. image:: ../common/images/organizations-notifications-samples-list.png
+   :alt: List of sample organization notifications
 
 Use the toggles to enable or disable the notifications to use with your particular organization. For more detail, see :ref:`ug_notifications_on_off`. 
 
 If no notifications have been set up, you must create them from the **Notifications** option on the left navigation bar.
 
 .. image:: ../common/images/organization-notifications-empty.png
+   :alt: Empty organization notifications list
 
 Refer to :ref:`ug_notifications_types` for additional details on configuring various notification types.
 

docs/docsite/rst/userguide/project-sign.rst

@@ -24,6 +24,7 @@ Assuming that the repository has already been configured for signing and verific
 4. When the user syncs the project, AWX (already configured, in this scenario) pulls in the new changes, checks that the public key associated with the project in AWX matches the private key that the checksum manifest was signed with (this prevents tampering with the checksum manifest itself), then re-calculates checksums of each file in the manifest to ensure that the checksum matches (and thus that no file has changed). It also looks to ensure that all files are accounted for: They must have been either included in, or excluded from, the ``MANIFEST.in`` file discussed below; if files have been added or removed unexpectedly, verification will fail.
 
 .. image:: ../common/images/content-sign-diagram.png
+   :alt: Content signing process diagram
 
 
 Prerequisites
@@ -68,16 +69,19 @@ In order to use the GPG key for content singing and validation in AWX, you must
 5. Click **Save** when done.
 
 .. image:: ../common/images/credentials-gpg-details.png
+   :alt: Example GPG credential details
 
 This credential can now be selected in :ref:`projects <ug_projects_add>`, and content verification will automatically take place on future project syncs.
 
 .. image:: ../common/images/project-create-with-gpg-creds.png
+   :alt: Create project with example GPG credentials
 
 .. note::
 
   Use the project cache SCM timeout to control how often you want AWX to re-validate the signed content. When a project is configured to update on launch (of any job template configured to use that project), you can enable the cache timeout setting, which tells it to update after N seconds have passed since the last update. If validation is running too frequently, you can slow down how often project updates occur by specifying the time in the **Cache Timeout** field of the Option Details pane of the project.
 
   .. image:: ../common/images/project-update-launch-cache-timeout.png
+	 :alt: Checked Update Revision on Launch option with Cache Timeout value specified from the Create new project page
 
 
 

docs/docsite/rst/userguide/projects.rst

@@ -19,18 +19,24 @@ The Projects page displays the list of the projects that are currently available
 |Projects - home with example project|
 
 .. |Projects - home with example project| image:: ../common/images/projects-list-all.png
+   :alt: Compact Projects list view with two projects shown.
 
 .. image:: ../common/images/projects-list-all-expanded.png
+   :alt: Projects list view showing arrows used to expand and collapse projects in the view.
 
 For each project listed, you can get the latest SCM revision (|refresh|), edit the project (|edit|), or copy the project attributes (|copy|), using the respective icons next to each project. Projects are allowed to be updated while a related job is running.  In cases where you have a big project (around 10 GB), disk space on ``/tmp`` may be an issue.
 
 .. |edit-icon| image:: ../common/images/edit-button.png
+   :alt: edit button
 
 .. |copy| image:: ../common/images/copy-button.png
+   :alt: copy button
 
 .. |refresh| image:: ../common/images/refresh-gray.png
+   :alt: Refresh button 
 
 .. |edit| image:: ../common/images/edit-button.png
+   :alt: edit button
 
 
 **Status** indicates the state of the project and may be one of the following (note that you can also filter your view by specific status types):
@@ -72,6 +78,7 @@ To create a new project:
 |Projects - create new project|
 
 .. |Projects - create new project| image:: ../common/images/projects-create-new-project.png
+   :alt: Create New Project form
 
 2. Enter the appropriate details into the following required fields:
 
@@ -119,6 +126,7 @@ If you have trouble adding a project path, check the permissions and SELinux con
   Correct this issue by creating the appropriate playbook directories and checking out playbooks from your SCM or otherwise copying playbooks into the appropriate playbook directories.
 
   .. |Projects - create new warning| image:: ../common/images/projects-create-manual-warning.png
+     :alt: Create New Project form showing warning associated with selecting Source Control Credential Type of Manual
 
 
 .. _ug_projects_scm_types:
@@ -147,12 +155,14 @@ To configure playbooks to use source control, in the Project **Details** tab:
   |Projects - create SCM project|
 
   .. |Projects - create SCM project| image:: ../common/images/projects-create-scm-project.png
+     :alt: Create New Project form for Git Source Control Credential Type.
 
 2. Enter the appropriate details into the following fields:
 
   -  **SCM URL** - See an example in the tooltip |tooltip|.
 
   .. |tooltip| image:: ../common/images/tooltips-icon.png
+     :alt: tooltips icon
 
   -  **SCM Branch/Tag/Commit** - Optionally enter the SCM branch, tags, commit hashes, arbitrary refs, or revision number (if applicable) from the source control (Git or Subversion) to checkout. Some commit hashes and refs may not be available unless you also provide a custom refspec in the next field. If left blank, the default is HEAD which is the last checked out Branch/Tag/Commit for this project.
   -  **SCM Refspec** - This field is an option specific to git source control and only advanced users familiar and comfortable with git should specify which references to download from the remote repository. For more detail, see :ref:`job branch overriding <ug_job_branching>`.
@@ -168,6 +178,7 @@ To configure playbooks to use source control, in the Project **Details** tab:
   -  **Allow Branch Override** - Allows a job template or an inventory source that uses this project to launch with a specified SCM branch or revision other than that of the project's. For more detail, see :ref:`job branch overriding <ug_job_branching>`.
 
     .. image:: ../common/images/projects-create-scm-project-branch-override-checked.png
+       :alt: create scm project branch override checked
 
 4. Click **Save** to save your project.
 
@@ -198,6 +209,7 @@ To configure playbooks to use Red Hat Insights, in the Project **Details** tab:
   -  **Update Revision on Launch** - Updates the revision of the project to the current revision in the remote source control, as well as cache the roles directory from :ref:`Galaxy <ug_galaxy>` or :ref:`Collections <ug_collections>`. AWX ensures that the local revision matches and that the roles and collections are up-to-date with the last update. Also, to avoid job overflows if jobs are spawned faster than the project can sync, selecting this allows you to configure a Cache Timeout to cache prior project syncs for a certain number of seconds.
 
   .. image:: ../common/images/projects-create-scm-insights.png
+     :alt: Create New Project form for Red Hat Insights Source Control Credential Type.
 
 
 3. Click **Save** to save your project.
@@ -230,6 +242,7 @@ To configure playbooks to use a remote archive, in the Project **Details** tab:
   -  **Allow Branch Override** - Not recommended, as this option allows a job template that uses this project to launch with a specified SCM branch or revision other than that of the project's.
 
   .. image:: ../common/images/projects-create-scm-rm-archive.png
+     :alt: Create New Project form for Remote Archive Source Control Credential Type.
 
 .. note::
   Since this SCM type is intended to support the concept of unchanging artifacts, it is advisable to disable Galaxy integration (for roles, at minimum).
@@ -253,15 +266,18 @@ Updating projects from source control
 |projects - list all|
 
 .. |projects - list all| image:: ../common/images/projects-list-all.png
+   :alt: Projects list view with the latest revision information of the projects that synched.
 
 2. Click on project's status under the **Status** column to get further details about the update process.
 
 .. image:: ../common/images/projects-list-status-more.png
+   :alt: Projects list view with example project with a successful status.
 
 
 |Project - update status|
 
 .. |Project - update status| image:: ../common/images/projects-update-status.png
+   :alt: Example project with real-time standard output details.
 
 
 Work with Permissions
@@ -276,6 +292,7 @@ You can access the project permissions via the **Access** tab next to the **Deta
 |Projects - permissions list for example project|
 
 .. |Projects - permissions list for example project| image:: ../common/images/projects-permissions-example.png
+   :alt: Access tab of a sample project that shows list of users who have permissions to this project.
 
 
 Add Permissions
@@ -290,12 +307,14 @@ Work with Notifications
 Clicking the **Notifications** tab allows you to review any notification integrations you have setup.
 
 .. image:: ../common/images/projects-notifications-example-list.png
+   :alt: List of notifications configured for this project.
 
 Use the toggles to enable or disable the notifications to use with your particular project. For more detail, see :ref:`ug_notifications_on_off`.
 
 If no notifications have been set up, you can configure them from the  **Notifications** link from the left navigation bar to create a new notification.
 
 .. image:: ../common/images/project-notifications-empty.png
+   :alt: Notifications Templates page with no notification templates found.
 
 Refer to :ref:`ug_notifications_types` for additional details on configuring various notification types.
 
@@ -306,14 +325,17 @@ Work with Job Templates
 Clicking on **Job Templates** allows you to add and review any job templates or workflow templates associated with this project.
 
 .. image:: ../common/images/projects-templates-example-list.png
+   :alt: List of job templates associated with this project.
 
 Click on the recent jobs that ran using that template to see its details and other useful information. You can sort this list by various criteria, and perform a search to filter the templates of interest.
 
 .. image:: ../common/images/projects-templates-search-dropdown.png
+   :alt: Job Templates tab of the project showing an example drop-down menu that can be used to filter your search.
 
 From this view, you can also launch (|launch|),  edit (|edit|), or copy (|copy|) the template configuration.
 
 .. |launch| image:: ../common/images/launch-button.png
+   :alt: launch button
 
 
 Work with Schedules
@@ -326,6 +348,7 @@ Work with Schedules
 Clicking on **Schedules** allows you to review any schedules set up for this project.
 
 .. image:: ../common/images/generic-schedules-list-configured.png
+   :alt: List of configured schedules that may be used with this project.
 
 
 Schedule a Project
@@ -358,12 +381,14 @@ At the end of a Project update, AWX searches for a file called ``requirements.ym
 This file allows you to reference Galaxy roles or roles within other repositories which can be checked out in conjunction with your own project. The addition of this Ansible Galaxy support eliminates the need to create git submodules for achieving this result. Given that SCM projects (along with roles/collections) are pulled into and executed from a private job environment, a <private job directory> specific to the project within ``/tmp`` is created by default. However, you can specify another **Job Execution Path** based on your environment in the Jobs Settings tab of the Settings window:
 
 .. image:: ../common/images/configure-awx-jobs-execution-path.png
+   :alt: Job Settings page showing where to configure the Job execution path.
 
 The cache directory is a subdirectory inside the global projects folder. The content may be copied from the cache location to ``<job private directory>/requirements_roles`` location.
 
 By default, AWX has a system-wide setting that allows roles to be dynamically downloaded from the ``roles/requirements.yml`` file for SCM projects. You may turn off this setting in the **Jobs settings** screen of the Settings menu by switching the **Enable Role Download** toggle button to **OFF**.
 
 .. image:: ../common/images/configure-awx-jobs-download-roles.png
+   :alt: Job Settings page showing the option to Enable Role Download.
 
 
 Whenever a project sync runs, AWX determines if the project source and any roles from Galaxy and/or Collections are out of date with the project. Project updates will download the roles inside the update.
@@ -377,6 +402,7 @@ In short, jobs would download the most recent roles before every job run. Roles
 |update-on-launch|
 
 .. |update-on-launch| image:: ../common/images/projects-scm-update-options-update-on-launch-checked.png
+   :alt: SCM update options Update Revision on Launch checked.
 
 .. end reused section
 
@@ -405,6 +431,7 @@ In the User Interface, you can configure these settings in the Jobs settings win
 
 
 .. image:: ../common/images/configure-awx-jobs-path-to-expose.png
+   :alt: Job Settings page showing example paths to expose to isolated jobs.
 
 
 .. _ug_collections:
@@ -421,6 +448,7 @@ AWX supports project-specific `Ansible collections <https://docs.ansible.com/ans
 By default, AWX has a system-wide setting that allows collections to be dynamically downloaded from the ``collections/requirements.yml`` file for SCM projects. You may turn off this setting in the **Jobs settings** tab of the Settings menu by switching the **Enable Collections Download** toggle button to **OFF**.
 
   .. image:: ../common/images/configure-awx-jobs-download-collections.png
+     :alt: Job Settings page showing where to enable collection(s) download.
 
 Roles and collections are locally cached for performance reasons, and you will need to select **Update Revision on Launch** in the project SCM Update Options to ensure this:
 
@@ -439,6 +467,7 @@ Before AWX can use |ah| as the default source for collections content, you need
 2. Click the copy icon to copy the API token to the clipboard.
 
 .. image:: ../common/images/projects-ah-loaded-token-shown.png
+   :alt: Connect to Hub page showing where to copy the offline token.
 
 3. To use the public |ah|, create an |ah| credential using the copied token and pointing to the URLs shown in the **Server URL** and **SSO URL** fields of the token page:
 
@@ -449,15 +478,19 @@ Before AWX can use |ah| as the default source for collections content, you need
 4. To use a private |ah|, create an |ah| credential using a token retrieved from the Repo Management dashboard of your local |ah| and pointing to the published repo URL as shown:
 
 .. image:: ../common/images/projects-ah-repo-mgmt-get-token.png
+   :alt: The Repo Management dashboard of your local Automation Hub.
 .. image:: ../common/images/projects-ah-repo-mgmt-repos-published.png
+   :alt: The Get token button next to the published repo URL in the Repo Management dashboard of your local Automation Hub.
 
 You can create different repos with different namespaces/collections in them. But for each repo in |ah| you need to create a different |ah| credential. Copy the **Ansible CLI URL** from the |ah| UI in the format of ``https://$<hub_url>/api/galaxy/content/<repo you want to pull from>`` into the **Galaxy Server URL** field of the *Create Credential* form:
 
 .. image:: ../common/images/projects-create-ah-credential.png
+   :alt: Create New Credential form for Ansible Galaxy/Automation Hub API Token Credential Type.
 
 5. Navigate to the organization for which you want to be able to sync content from |ah| and add the new |ah| credential to the organization. This step allows you to associate each organization with the |ah| credential (i.e. repo) that you want to be able to use content from.
 
 .. image:: ../common/images/projects-organizations-add-ah-credential.png
+   :alt: Edit example default organizations form with Ansible Galaxy and Automation Hub credentials.
 
 .. note::
 
@@ -472,14 +505,17 @@ You can create different repos with different namespaces/collections in them. Bu
 6. If the |ah| has self-signed certificates, click the toggle to enable the setting **Ignore Ansible Galaxy SSL Certificate Verification**. For **public Automation Hub**, which uses a signed certificate, click the toggle to disable it instead. Note this is a global setting:
 
 .. image:: ../common/images/settings-jobs-ignore-galaxy-certs.png
+   :alt: Job Settings page showing where to enable the option to ignore Ansible Galaxy SSL Certificate Verification.
 
 7. Create a project, where the source repository specifies the necessary collections in a requirements file located in the ``collections/requirements.yml`` file. Refer to the syntax described in the corresponding `Ansible documentation <https://docs.ansible.com/ansible/latest/user_guide/collections_using.html#install-multiple-collections-with-a-requirements-file>`_.
 
 .. image:: ../common/images/projects-add-ah-source-repo.png
+   :alt: The URL for the Source Control URL in the Type Details section of the Create New Project form.
 
 8. In the Projects list view, click |update| to run an update against this project. AWX fetches the Galaxy collections from the ``collections/requirements.yml`` file and report it as changed; and the collections will now be installed for any job template using this project.
 
 .. |update| image:: ../common/images/refresh-gray.png
+   :alt: Refresh button.
 
 .. note::
 

docs/docsite/rst/userguide/security.rst

@@ -1,3 +1,4 @@
+ 
 .. _ug_security:
 
 Security
@@ -197,7 +198,7 @@ The following table lists the RBAC system roles and a brief description of the h
 +-----------------------------------------------------------------------+------------------------------------------------------------------------------------------+
 | Admin Role - Organizations, Teams, Inventory, Projects, Job Templates | Manages all aspects of a defined Organization, Team, Inventory, Project, or Job Template |
 +-----------------------------------------------------------------------+------------------------------------------------------------------------------------------+
-| Auditor Role - All                                                    | Views all aspects of a defined Organization, Project, Inventory, or Job Template         |
+| Auditor Role - All                                                    | Views all aspects of a defined Organization, Team, Inventory, Project, or Job Template   |
 +-----------------------------------------------------------------------+------------------------------------------------------------------------------------------+
 | Execute Role - Job Templates                                          | Runs assigned Job Template                                                               |
 +-----------------------------------------------------------------------+------------------------------------------------------------------------------------------+

docs/docsite/rst/userguide/teams.rst

@@ -14,10 +14,12 @@ Access the Teams page by clicking **Teams** from the left navigation bar. The te
 
 
 .. image:: ../common/images/organizations-teams-list.png
+   :alt: Teams page containing a list of teams and the organizations they belong to.
 
 Clicking the Edit (|edit-button|) button next to the list of **Teams** allows you to edit details about the team. You can also review **Users** and  **Permissions** associated with this Team.
 
 .. |edit-button| image:: ../common/images/edit-button.png
+   :alt: Edit Button
 
 
 .. _ug_team_create:
@@ -33,6 +35,7 @@ To create a new Team:
 |Teams - create new team|
 
 .. |Teams - create new team| image:: ../common/images/teams-create-new-team.png
+   :alt: Create New Team Form
 
 2. Enter the appropriate details into the following fields:
 
@@ -47,6 +50,7 @@ Once the Team is successfully created, AWX opens the **Details** dialog, which a
 |Teams - example team successfully created|
 
 .. |Teams - example team successfully created| image:: ../common/images/teams-example-team-successfully-created.png
+   :alt: Example Team Successfully Created
 
 
 Team Access
@@ -60,6 +64,7 @@ This tab displays the list of Users that are members of this Team. This list may
 |Teams - users list|
 
 .. |Teams - users list| image:: ../common/images/teams-users-list.png
+   :alt: Teams list showing the Access tab displaying a list of users and their roles.
 
 
 .. _ug_teams_permissions:
@@ -78,10 +83,12 @@ In order to add a user to a team, the user must already be created. Refer to :re
 To remove roles for a particular user, click the disassociate (x) button next to its resource.
 
 .. image:: ../common/images/permissions-disassociate.png
+   :alt: Access tab with list of users and an arrow pointing to the disassociate button next to a user's role.
 
 This launches a confirmation dialog, asking you to confirm the disassociation.
  
 .. image:: ../common/images/permissions-disassociate-confirm.png
+   :alt: Disassociation Confirmation
 
 
 Team Roles
@@ -97,6 +104,7 @@ Selecting the **Roles** view displays a list of the permissions that are current
 |Teams - permissions list|
 
 .. |Teams - permissions list| image:: ../common/images/teams-permissions-sample-roles.png
+   :alt: Permissions list with resource names, type and their associated roles.
 
 The set of privileges assigned to Teams that provide the ability to read, modify, and administer projects, inventories, and other AWX elements are permissions. By default, the Team is given the "read" permission (also called a role).
 
@@ -111,33 +119,28 @@ To add permissions to a Team:
 1. Click the **Add** button, which opens the Add Permissions Wizard.
 
 .. image:: ../common/images/teams-users-add-permissions-form.png 
-   :alt: Add Permissions Form
+   :alt: Add Teams Permissions Wizard step 1, choose the resource type.
 
 2. Click to select the object for which the team will have access and click **Next**.
 
 3. Click to select the resource to assign team roles and click **Next**.
 
 .. image:: ../common/images/teams-permissions-templates-select.png
+   :alt: Add Teams Permissions Wizard step 2, choose the resources from the list, Demo Job template selected.
 
 4. Click the checkbox beside the role to assign that role to your chosen type of resource. Different resources have different options available.
 
 .. image:: ../common/images/teams-permissions-template-roles.png
+   :alt: Add Teams Permissions Wizard step 3, choose the roles to apply to the previously selected resource.
 
 
-5. Click **Save** when done, and the Add Permissions Wizard closes to display the updated profile for the user with the roles assigned for each selected resource.
+5. Click **Save** when done, and the Add Permissions Wizard closes to display the updated profile for the team with the roles assigned for each selected resource.
 
 .. image:: ../common/images/teams-permissions-sample-roles.png
-  
-To remove Permissions for a particular resource, click the disassociate (x) button next to its resource. This launches a confirmation dialog, asking you to confirm the disassociation.
+   :alt: Updated profile for each team's resources and their roles.
 
+To remove Permissions for a particular resource, click the disassociate (x) button next to its resource. This launches a confirmation dialog, asking you to confirm the disassociation.
 
 .. note:: 
 
    You can also add teams, individual, or multiple users and assign them permissions at the object level (projects, inventories, job templates, and workflow templates) as well. This feature reduces the time for an organization to onboard many users at one time. 
-
-
-
-
-
-
-

docs/docsite/rst/userguide/users.rst

@@ -1,11 +1,10 @@
- .. _ug_users:
+.. _ug_users:
 
 Users
 -----
 
 .. index:: 
    single: users
-   
 
 A :term:`User` is someone who has access to AWX with associated permissions and credentials. Access the Users page by clicking **Users** from the left navigation bar. The User list may be sorted and searched by **Username**, **First Name**, or **Last Name** and click the headers to toggle your sorting preference. 
 
@@ -14,7 +13,6 @@ A :term:`User` is someone who has access to AWX with associated permissions and
 
 You can easily view permissions and user type information by looking beside their user name in the User overview screen.
 
-
 .. _ug_users_create:    
     
 Create a User
@@ -50,6 +48,7 @@ Three types of Users can be assigned:
 Once the user is successfully created, the **User** dialog opens for that newly created User. 
 
 .. |edit-button| image:: ../common/images/edit-button.png
+                 :alt: Edit button
 
 .. image:: ../common/images/users-edit-user-form.png
    :alt: Edit User Form
@@ -63,10 +62,12 @@ The same window opens whether you click on the user's name, or the Edit (|edit-b
    If the user is not a newly-created user, the user's details screen displays the last login activity of that user. 
 
    .. image:: ../common/images/users-last-login-info.png
+      :alt: User details with last login information
 
 When you log in as yourself, and view the details of your own user profile, you can manage tokens from your user profile. See :ref:`ug_users_tokens` for more detail.
 
 .. image:: ../common/images/user-with-token-button.png
+   :alt: User details with Tokens tab highlighted
 
 .. _ug_users_delete:
     
@@ -80,10 +81,10 @@ Before you can delete a user, you must have user permissions. When you delete a
 2. Select the check box(es) for the user(s) that you want to remove and click **Delete**.
 
 .. image:: ../common/images/users-home-users-checked-delete.png
+   :alt: Users list view with two users checked
 
 3. Click **Delete** in the confirmation warning message to permanently delete the user.
 
-
 Users - Organizations
 ~~~~~~~~~~~~~~~~~~~~~
 
@@ -96,6 +97,7 @@ Organization membership cannot be modified from this display panel.
 |Users - Organizations list for example user|
 
 .. |Users - Organizations list for example user| image:: ../common/images/users-organizations-list-for-example-user.png
+                                              :alt: Users - Organizations list for example user
 
 Users - Teams
 ~~~~~~~~~~~~~
@@ -110,7 +112,7 @@ Until a Team has been created and the user has been assigned to that team, the a
 |Users - teams list for example user|
 
 .. |Users - teams list for example user| image:: ../common/images/users-teams-list-for-example-user.png
-
+                                      :alt: Users - teams list for example user - empty
 
 .. _ug_users_roles:
 
@@ -121,7 +123,6 @@ Users - Roles
    pair: users; permissions
    pair: users; roles
 
-
 The set of permissions assigned to this user (role-based access controls) that provide the ability to read, modify, and administer projects, inventories, job templates, and other AWX elements are Roles. 
 
 .. note::
@@ -133,6 +134,7 @@ This screen displays a list of the roles that are currently assigned to the sele
 |Users - permissions list for example user|
 
 .. |Users - permissions list for example user| image:: ../common/images/users-permissions-list-for-example-user.png
+                                            :alt: Users - permissions list for example user
 
 .. _ug_users_permissions:
 
@@ -144,31 +146,31 @@ To add permissions to a particular user:
 1. Click the **Add** button, which opens the Add Permissions Wizard.
 
 .. image:: ../common/images/users-add-permissions-form.png
-   :alt: Add Permissions Form
+   :alt: Add User Permissions Form, first step, Add resource type
 
 2. Click to select the object for which the user will have access and click **Next**.
 
 3. Click to select the resource to assign team roles and click **Next**.
 
 .. image:: ../common/images/users-permissions-IG-select.png
+   :alt: Add User Permissions Form, second step, Select items from list - instance group checked
 
 4. Click the checkbox beside the role to assign that role to your chosen type of resource. Different resources have different options available.
 
 .. image:: ../common/images/users-permissions-IG-roles.png
-
+   :alt: Add User Permissions Form, final step, Select roles to apply - "Use" role checked
 
 5. Click **Save** when done, and the Add Permissions Wizard closes to display the updated profile for the user with the roles assigned for each selected resource.
 
 .. image:: ../common/images/users-permissions-sample-roles.png
+   :alt: Users - Permissions Sample Roles
   
 To remove Permissions for a particular resource, click the disassociate (x) button next to its resource. This launches a confirmation dialog, asking you to confirm the disassociation.
 
-
 .. note:: 
 
    You can also add teams, individual, or multiple users and assign them permissions at the object level (templates, credentials, inventories, projects, organizations, or instance groups) as well. This feature reduces the time for an organization to onboard many users at one time. 
 
-
 .. _ug_users_tokens:
 
 Users - Tokens
@@ -179,4 +181,3 @@ The **Tokens** tab will only be present for your user (yourself). Before you add
 1. If not already selected, click on your user from the Users list view to configure your OAuth 2 tokens.
 
 .. include:: ../common/add-token.rst
-

licenses/dataclasses.txt

@@ -1,201 +0,0 @@
- Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.

requirements/README.md

@@ -49,19 +49,6 @@ Make sure to delete the old tarball if it is an upgrade.
 Anything pinned in `*.in` files involves additional manual work in
 order to upgrade. Some information related to that work is outlined here.
 
-### Django
-
-For any upgrade of Django, it must be confirmed that
-we don't regress on FIPS support before merging.
-
-See internal integration test knowledge base article `how_to_test_FIPS`
-for instructions.
-
-If operating in a FIPS environment, `hashlib.md5()` will raise a `ValueError`,
-but will support the `usedforsecurity` keyword on RHEL and Centos systems.
-This used to be a problem with `names_digest` function in Django, but
-was fixed upstream in Django 4.1.
-
 ### django-split-settings
 
 When we attemed to upgrade past 1.0.0 the build process in GitHub failed on the docker build step with the following error:

requirements/requirements.in

@@ -12,7 +12,7 @@ cryptography>=41.0.2  # CVE-2023-38325
 Cython<3 # Since the bump to PyYAML 5.4.1 this is now a mandatory dep
 daphne
 distro
-django==4.2.5  # see UPGRADE BLOCKERs, CVE-2023-41164
+django==4.2.6  # CVE-2023-43665
 django-auth-ldap
 django-cors-headers
 django-crum
@@ -42,11 +42,11 @@ pygerduty
 pyopenssl>=23.2.0  # resolve dep conflict from cryptography pin above
 pyparsing==2.4.6  # Upgrading to v3 of pyparsing introduce errors on smart host filtering: Expected 'or' term, found 'or'  (at char 15), (line:1, col:16)
 python-daemon>3.0.0
-python-dsv-sdk
-python-tss-sdk==1.2.1
+python-dsv-sdk>=1.0.4
+python-tss-sdk>=1.2.1
 python-ldap
 pyyaml>=6.0.1
-receptorctl==1.3.0
+receptorctl
 social-auth-core[openidconnect]==4.3.0  # see UPGRADE BLOCKERs
 social-auth-app-django==5.0.0  # see UPGRADE BLOCKERs
 sqlparse >= 0.4.4   # Required by django https://github.com/ansible/awx/security/dependabot/96

requirements/requirements.txt

@@ -93,8 +93,6 @@ daphne==3.0.2
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   channels
-dataclasses==0.6
-    # via python-dsv-sdk
 defusedxml==0.7.1
     # via
     #   python3-openid
@@ -103,7 +101,7 @@ deprecated==1.2.13
     # via jwcrypto
 distro==1.8.0
     # via -r /awx_devel/requirements/requirements.in
-django==4.2.5
+django==4.2.6
     # via
     #   -r /awx_devel/requirements/requirements.in
     #   channels
@@ -323,7 +321,7 @@ python-dateutil==2.8.2
     #   botocore
     #   kubernetes
     #   receptorctl
-python-dsv-sdk==1.0.1
+python-dsv-sdk==1.0.4
     # via -r /awx_devel/requirements/requirements.in
 python-jose==3.3.0
     # via social-auth-core
@@ -351,7 +349,7 @@ pyyaml==6.0.1
     #   djangorestframework-yaml
     #   kubernetes
     #   receptorctl
-receptorctl==1.3.0
+receptorctl==1.4.2
     # via -r /awx_devel/requirements/requirements.in
 redis==4.3.5
     # via -r /awx_devel/requirements/requirements.in

tools/ansible/roles/dockerfile/files/launch_awx_web.sh

@@ -15,6 +15,4 @@ fi
 
 set -e
 
-wait-for-migrations
-
 exec supervisord -c /etc/supervisord_web.conf

tools/ansible/roles/dockerfile/files/wait-for-migrations

@@ -7,7 +7,6 @@ readonly CMDNAME=$(basename "$0")
 
 readonly MIN_SLEEP=0.5
 readonly MAX_SLEEP=30
-readonly ATTEMPTS=30
 readonly TIMEOUT=60
 
 log_message() { echo "[${CMDNAME}]" "$@" >&2; }
@@ -25,7 +24,7 @@ wait_for() {
     local check=1
 
     while true; do
-        log_message "Attempt ${attempt} of ${ATTEMPTS}"
+        log_message "Attempt ${attempt}"
 
         timeout "${TIMEOUT}" \
                 /bin/bash -c "awx-manage check" &>/dev/null
@@ -37,8 +36,7 @@ wait_for() {
                 && return || rc=$?
         fi
 
-        (( ++attempt > ATTEMPTS )) && break
-
+        attempt=$((attempt + 1))
         log_message "Waiting ${next_sleep} seconds before next attempt"
         sleep "${next_sleep}"
         next_sleep=$(next_sleep ${next_sleep})

tools/docker-compose/ansible/roles/sources/tasks/main.yml

@@ -48,7 +48,7 @@
   vars:
     new_error_page:
       error_code: "{{ item | basename() | regex_replace('custom_(\\d+).html', '\\1') }}"
-      web_path: "{{ item | regex_replace('^.*\/static', '/static') }}"
+      web_path: "{{ item | regex_replace('^.*/static', '/static') }}"
   loop: "{{ lookup('ansible.builtin.fileglob', playbook_dir + '/../../../awx/static/custom_*.html', wantlist=True) }}"
   when: (item | basename()) is regex("custom_\d+\.html")
 

tools/sosreport/controller.py

@@ -74,3 +74,24 @@ class Controller(Plugin, RedHatPlugin):
             self.add_forbidden_path(path)
 
         self.add_cmd_output(SOSREPORT_CONTROLLER_COMMANDS)
+
+    def postproc(self):
+        # remove database password
+        jreg = r"(\s*\'PASSWORD\'\s*:(\s))(?:\"){1,}(.+)(?:\"){1,}"
+        repl = r"\1********"
+        self.do_path_regex_sub("/etc/tower/conf.d/postgres.py", jreg, repl)
+
+        # remove email password
+        jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+        repl = r"\1********"
+        self.do_path_regex_sub("/etc/tower/settings.py", jreg, repl)
+
+        # remove email password (if customized)
+        jreg = r"(EMAIL_HOST_PASSWORD\s*=)\'(.+)\'"
+        repl = r"\1********"
+        self.do_path_regex_sub("/etc/tower/conf.d/custom.py", jreg, repl)
+
+        # remove websocket secret
+        jreg = r"(BROADCAST_WEBSOCKET_SECRET\s*=\s*)\"(.+)\""
+        repl = r"\1********"
+        self.do_path_regex_sub("/etc/tower/conf.d/channels.py", jreg, repl)

tox.ini

@@ -19,8 +19,20 @@ commands =
 select = F401,F402,F821,F823,F841,F811,E265,E266,F541,W605,E722,F822,F523,W291,F405
 exclude = awx/ui/node_modules,awx/ui/node_modules,env,awx_collection_build
 
+[testenv:pip-compile-docs]
+description = Compile docs build lockfiles
+deps =
+  # pip-tools config file support was introduced in v7
+  pip-tools >= 7
+commands =
+  {envpython} -m piptools compile \
+    --output-file=docs/docsite/requirements.txt \
+    docs/docsite/requirements.in
+
 [testenv:docs]
 description = Build documentation
-deps = -r{toxinidir}/docs/docsite/requirements.txt
+deps =
+  -r{toxinidir}/docs/docsite/requirements.in
+  -c{toxinidir}/docs/docsite/requirements.txt
 commands =
   sphinx-build -T -E -W -n --keep-going {tty:--color} -j auto -c docs/docsite -d docs/docsite/build/doctrees -b html docs/docsite/rst docs/docsite/build/html