Groups in Foreman Ansible inventories

domq · March 2, 2021, 4:50pm

Hi everyone, a few weeks ago I set out to use Foreman, Ansible and Kubespray together (and Docker for good measure). The result of my efforts is here: GitHub - epfl-si/idevfsd.foreman: Installation / inventory server for IDEV-FSD VMs

Today I seem to have hit a snag: there doesn’t seem to be a way to put groups into the Foreman-computed inventory. As Kubespray wants to exchange secrets inbetween etcd quorum members etc. it relies heavily on groups and on Ansible’s hostvars feature.

This comment in ansible_runner.rb makes it pretty clear that the idea of running Ansible with nontrivial inventory was bolted to the side at the time ansible-runner was adopted. This means that my use case seems unsupported as of now

Is there any roadmap for more complex use cases for the inventory (and groups) than what ansible_runner.rb currently provides? For instance, being able to use a theforeman.foreman.foreman inventory source in the future (like in https://docs.ansible.com/ansible/2.9/collections/theforeman/foreman/foreman_inventory.html) would be very helpful to me.

Thanks in advance for any feedback!

ezr-ondrej · March 3, 2021, 7:48pm

Hi @domq,

this is very good idea and as promissed offline, we’ve discussed this internally and came up with few issues, that would need to get solved before we can use the global repository, the main issue is, that the Foreman permissions control what host can each user see, but the global inventory would expose all hosts to any user who can run Ansible jobs.

I believe we can get that solved as it still make sense to me to consume our own inventory, but we will need to solve this issue, for starters it could be optional an just for jobs run by admins as PoC.

I’ll keep pushing it forward.

domq · March 4, 2021, 6:51am

Then perhaps a better approach is to make it possible to fashion an Ansible inventory out of a template?

ezr-ondrej · March 4, 2021, 12:48pm

That would probably make sense, then you’d manually enable whatever inventory you like on the smart-proxy and you’d be responsible to take care of the access rights, what wouldn’t be an issue in cases like yours I guess

domq · March 4, 2021, 7:24pm

I’m seeing a light at the end of the tunnel with this trick — I can edit the inventory file out of the Ansible template itself, and then call meta: refresh_inventory. This lets me piggy-back templating the inventory into the “main” job template, and thus (almost¹) obviates the need for any change in Foreman.

Here is an example playbook (that can be used as an Ansible job template):

- name: homemade inventory
  hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - debug:
        var: ansible_inventory_sources
    - copy:
        dest: "{{ ansible_inventory_sources[0] }}/hosts"
        mode: "0644"
        content: |
           all:
               hosts:
                 itsidevfsd0009.xaas.epfl.ch: {}
                 itsidevfsd0010.xaas.epfl.ch: {}
    - meta: refresh_inventory

- name: Test new inventory
  hosts: all
  tasks:
    - debug:
        var: inventory_hostname

¹ I’m hitting a bug whence hosts: localhost causes a crash, because foreman-tasks-core in the smart proxy cannot publish_data_for a hostname that it doesn’t know about (here, localhost). Bug report and PR upcoming, perhaps this weekend.

domq · March 7, 2021, 10:59am

As promised, #32030 and Fixes #32030 - Guard against sending logs for unknown hosts by domq · Pull Request #391 · theforeman/foreman_ansible · GitHub

domq · March 7, 2021, 11:01pm

Happy to report success! \o/