Joining thousands of hosts to IPA/IdM is super easy with the ansible roles. I assign the role to a few top-level hostgroups and configure variables. They are now inherited by all sub-groups and all hosts. Nice.
The problem is, a few hosts in a few different hostgroups are IPA/IdM servers. Running the client role on them can be fatal and take down the IPA/IdM services.
This issue is obviously not exclusive to the IPA ansible roles. I have this issue with many other roles that need to be the same everywhere, excluding 1-2, maybe 3 hosts.
Simplified view of the hostgroups:
top_group << ipaclient role assigned
top_group/RHEL-7/
top_group/RHEL-7/env1
top_group/RHEL-7/env1/subnet1
top_group/RHEL-7/env1/subnet2 << IPA servers here
top_group/RHEL-7/env1/subnet3
top_group/RHEL-7/env1/subnet4
top_group/RHEL-7/env2
top_group/RHEL-7/env2/subnet1
top_group/RHEL-7/env2/subnet2
top_group/RHEL-7/env2/subnet3 << IPA servers here
top_group/RHEL-7/env2/subnet4
top_group/RHEL-7/env3
top_group/RHEL-7/env3/subnet1 << IPA servers here
top_group/RHEL-7/env3/subnet2
top_group/RHEL-7/env3/subnet3
top_group/RHEL-7/env3/subnet4
etc...
There are 3-10 subnets in each environment and each set of environments repeats for RHEL6, RHEL7, RHEL8, and RHEL9. A total of ~100 hostgroups.
Maybe a feature to exclude roles from hosts that inherit them?
I’m not sure how to handle this other than wrapping all roles in custom roles that include/import the main role where I can set a “dont_run” parameter that I can assign to the hosts I don’t want them to run on.
Foreman and Proxy versions:
Foreman and Proxy plugin versions:
Distribution and version:
Red Hat Enterprise Linux release 8.7 (Ootpa)
Other relevant data:
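One way to implement the wrapper-role idea described in the post, as an added example that is not code from the post, from Foreman or from ansible-freeipa: a wrapper role's tasks/main.yml that imports the upstream ipaclient role only when the host is not an IPA server and has not been flagged to skip. The role name `ipaclient`, the per-host variable `ipaclient_skip` and the RHEL package name `ipa-server` as the server marker are assumptions.

```yaml
# Added example (not from the post, Foreman or ansible-freeipa):
# tasks/main.yml of a wrapper role, e.g. "ipaclient_guarded", that is
# assigned to the top-level hostgroup instead of the upstream role.
# Assumptions: upstream role is named "ipaclient", the per-host override
# variable is "ipaclient_skip" (default false, set in Foreman on the few
# hosts to exclude), and IPA/IdM servers carry the "ipa-server" package.
---
- name: Collect installed package facts
  ansible.builtin.package_facts:
    manager: auto

- name: Decide whether this host may be enrolled as an IPA client
  ansible.builtin.set_fact:
    # Skip when the operator flagged the host, or when it is a server:
    # running the client role on a server can take the IPA service down.
    ipaclient_guard_skip: >-
      {{ (ipaclient_skip | default(false) | bool)
         or ('ipa-server' in ansible_facts.packages) }}

- name: Report hosts that are being skipped
  ansible.builtin.debug:
    msg: >-
      Skipping ipaclient on {{ inventory_hostname }}:
      ipa-server installed or ipaclient_skip=true
  when: ipaclient_guard_skip | bool

- name: Run the upstream ipaclient role only on eligible hosts
  ansible.builtin.import_role:
    name: ipaclient
  # The condition is applied to every task of the imported role.
  when: not (ipaclient_guard_skip | bool)
```

The package check gives a safety net even if someone forgets to set `ipaclient_skip` on a new IPA server, since the inherited role then still refuses to re-enroll it.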