I have a relatively simple Foreman infrastructure. For the purposes of this question:
- One product per OS and major version (for the purposes of this question a single Alma8 Product is applicable). The Alma 8 Product initially contains the essential Alma 8 repos and EPEL. I subsequently added the official NGINX repo as we need access to newer versions than are carried in the Alma repos for security fix purposes.
- Two lifecycles – pre-prod and prod.
- One content view with access to all repos.
The best practice advice I have been given specified that I should try to keep things as simple as possible at a Product and Content View Level, and primarily use Activation Keys to fine tune access to content based on server roles.
I’ve created a pair of basic, initial Activation Keys – let’s call them “ak_prod” and “ak_preprod”, which I’ve assigned to a test pre-prod and prod host, and been able to successfully promote content through the lifecycles. So far, so good.
Next I want to create a small test group of nginx webservers; I want these to also have access to the NGINX repo. I have therefore created this “ak_preprod_nginx” activation key, which also has access to the NGINX repo enabled. However, sticking with my basic “ak_preprod” host, I have:
- Disabled access to the NGINX repo on the two initial default keys.
- Created a new content view.
- Promoted it to pre-prod.
- Performed a subscription-manager refresh/dnf clean all/unregister and register the pre-prod host.
However the NGINX repo is still showing up on a dnf repolist on the pre-prod box, so it seems to be ignoring my exclusion of the repo.
–
Additionally, and hopefully still on a related note, as a requirement I also need to add content filters, some universal, some more specific. For example, through my environments to avoid conflicts I want to have a default exclude all on the EPEL repo, then include filters for a small number of required packages, mostly tools such as atop.
So my question is, am I going about this the right way? I’m starting to lean towards thinking the advice I’ve been given about sticking to configuring hosts/roles at an Activation Key level is incorrect, and I should instead be creating a content view for every server role (or at least, every server role that requires its own specific repo config)? Possibly the fact I want to use filters would push me in that direction regardless, although I think it would result in some duplication of effort to set up the default filters.
Otherwise, does anybody know why my client host seems to be ignoring the repo exclusions in the activation key?
Many thanks.
Foreman/Katello versions 3.6/4.8