Problem:
Joining thousands of hosts to IPA/IdM is super easy with the Ansible roles. I assign the role to a few top-level hostgroups and configure variables. They are then inherited by all sub-groups and all hosts. Nice.
The problem is, a few hosts in a few different hostgroups are IPA/IdM servers. Running the client role on them can be fatal and take down the IPA/IdM services.
This issue is obviously not exclusive to the IPA Ansible roles. I have the same issue with many other roles that need to be the same everywhere, excluding 1-2, maybe 3 hosts.
Simplified view of the hostgroups:
top_group << ipaclient role assigned
top_group/RHEL-7/
top_group/RHEL-7/env1
top_group/RHEL-7/env1/subnet1
top_group/RHEL-7/env1/subnet2 << IPA servers here
top_group/RHEL-7/env1/subnet3
top_group/RHEL-7/env1/subnet4
top_group/RHEL-7/env2
top_group/RHEL-7/env2/subnet1
top_group/RHEL-7/env2/subnet2
top_group/RHEL-7/env2/subnet3 << IPA servers here
top_group/RHEL-7/env2/subnet4
top_group/RHEL-7/env3
top_group/RHEL-7/env3/subnet1 << IPA servers here
top_group/RHEL-7/env3/subnet2
top_group/RHEL-7/env3/subnet3
top_group/RHEL-7/env3/subnet4
etc...
There are 3-10 subnets in each environment and each set of environments repeats for RHEL6, RHEL7, RHEL8, and RHEL9. A total of ~100 hostgroups.
Expected outcome:
Maybe a feature to exclude roles from hosts that inherit them?
I’m not sure how to handle this other than wrapping all roles in custom roles that include/import the main role where I can set a “dont_run” parameter that I can assign to the hosts I don’t want them to run on.
Foreman and Proxy versions:
foreman-3.3.0.17
Foreman and Proxy plugin versions:
foreman-proxy-3.3.0
Distribution and version:
Red Hat Enterprise Linux release 8.7 (Ootpa)
Other relevant data:
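One way to implement the "wrapper role with a dont_run parameter" idea from the post, shown here as an added example rather than anything from the original post or from the Foreman or ansible-freeipa projects: a hypothetical wrapper role (named `ipaclient_guarded` here) that checks two things before handing off to the upstream role. First it honours an opt-out variable, called `dont_run` as in the post, which in Foreman would be set as an Ansible variable override on the two or three hosts that must be skipped. Second, as a safety net for hosts that nobody remembered to opt out, it refuses to run the client role on any host where the `ipa-server` package is installed, so a server that inherits the role from `top_group` cannot be reconfigured as a plain client. The role name `freeipa.ansible_freeipa.ipaclient` is the upstream collection's client role; `ipa-server` as the package name assumes the RHEL packaging named in the post.

```yaml
# tasks/main.yml of the hypothetical wrapper role "ipaclient_guarded".
# Assign this wrapper to the hostgroup instead of the upstream ipaclient
# role; the upstream role's own variables (ipaclient_domain, ipaclient_servers,
# ...) are still set at the hostgroup level and pass through unchanged.

- name: Gather installed package facts (needed to detect an IPA server)
  ansible.builtin.package_facts:
    manager: auto

- name: Record whether this host is already an IPA/IdM server
  ansible.builtin.set_fact:
    # RHEL ships the server as the "ipa-server" package; a host that has it
    # installed must never be run through the client role.
    ipaclient_guard_is_server: "{{ 'ipa-server' in ansible_facts.packages }}"
    # Per-host opt-out, e.g. a Foreman Ansible variable override dont_run=true.
    ipaclient_guard_opt_out: "{{ dont_run | default(false) | bool }}"

- name: Report hosts that are being skipped, so the run log shows why
  ansible.builtin.debug:
    msg: >-
      Skipping ipaclient on {{ inventory_hostname }}:
      dont_run={{ ipaclient_guard_opt_out }},
      ipa_server_installed={{ ipaclient_guard_is_server }}
  when: ipaclient_guard_opt_out or ipaclient_guard_is_server

- name: Run the upstream ipaclient role only on eligible hosts
  ansible.builtin.include_role:
    name: freeipa.ansible_freeipa.ipaclient
  # The condition is inherited by every task of the included role, so
  # nothing from the client role executes on an excluded host.
  when: not ipaclient_guard_opt_out and not ipaclient_guard_is_server
```

The same pattern works for any other role that must be "the same everywhere except a few hosts": the wrapper owns the guard, the upstream role stays unmodified, and the exclusion lives in a per-host variable rather than in the hostgroup tree. The package check is the important half for the IPA case, because a variable can be forgotten when a new replica is promoted, while the installed `ipa-server` package cannot.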