From c2530541f1c63c246148b2aab41a0823681b6f9e Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Fri, 19 Feb 2021 12:13:20 +0100 Subject: [PATCH] ipa/client: Ignore hosts still hooked up with FAS This is necessary because: - The ipa/client role is pulled in if only one host is in the play which uses it. - The prepare-ipa-info tasks operate on all hosts in the play in order to gather together operations on the IPA server which would otherwise be (potentially, unnecessarily) repeated for many hosts in the play and which have to be serialized to avoid race conditions when changing data in IPA. For now, we set `primary_auth_source` to `fas` for `all`, and to `ipa` for the `staging` group. We can set this to `ipa` for individual host groups in prod to enable this piece meal while we roll out the change. Fixes: https://pagure.io/fedora-infrastructure/issue/9674 Signed-off-by: Nils Philippsen
---
 inventory/group_vars/all | 2 ++
 inventory/group_vars/staging | 2 ++
 roles/ipa/client/tasks/prepare-ipa-info.yml | 12 +++++++++++-
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index 15e447a778..7b1a719693 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -355,6 +355,8 @@ additional_host_keytabs: []
 ipa_server: ipa01.iad2.fedoraproject.org
 ipa_realm: FEDORAPROJECT.ORG
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
+# Let this become "ipa" at some point
+primary_auth_source: fas
 # Normal default sshd port is 22
 sshd_port: 22
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index 79e35ac99a..4a414c6e34 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -26,3 +26,5 @@ deployment_type: stg
 ipa_server: ipa01.stg.iad2.fedoraproject.org
 ipa_realm: STG.FEDORAPROJECT.ORG
 ipa_admin_password: "{{ ipa_stg_admin_password }}"
+# RIP, FAS
+primary_auth_source: ipa
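Review bot: The accepted values of `primary_auth_source` are not documented where the variable is defined in `inventory/group_vars/all`; the added comment only says it should become "ipa" later, and the `# RIP, FAS` comment in the `inventory/group_vars/staging` hunk does not say what the setting controls. A comment such as `# Account system this host is enrolled with: "fas" or "ipa"; roles/ipa/client only processes hosts set to "ipa"` above the default would tell whoever switches a production group what the change enables.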
diff --git a/roles/ipa/client/tasks/prepare-ipa-info.yml b/roles/ipa/client/tasks/prepare-ipa-info.yml
index cf8df73849..5686ee9dc9 100644
--- a/roles/ipa/client/tasks/prepare-ipa-info.yml
+++ b/roles/ipa/client/tasks/prepare-ipa-info.yml
@@ -1,5 +1,10 @@
 ---
 # NOTE: configuration is based on host groups, i.e. set the ipa_* vars only in group_vars
+#
+# NOTE^2: This will be "active" if only one host with the role is in the play, so we need to filter
+# on something, this something is the `primary_auth_source` variable which can be either
+# `fas` or `ipa`. Only hosts that have it set to `ipa` should be listed in the following
+# variables.
 # Thanks to having two environments, staging and prod, this has to deal with the "responsible" IPA
 # server for individual hosts.
@@ -82,7 +87,12 @@
 }}
 ipa_servers: "{{ ipa_servers | default([]) | union([hostvars[item]['ipa_server']]) }}"
 loop: "{{ ansible_play_hosts }}"
- when: hostvars[item]['ipa_server'] is defined and hostvars[item]['ipa_host_group'] is defined
+ when: >-
+ (hostvars[item]['primary_auth_source'] | default("fas")) == "ipa"
+ and
+ hostvars[item]['ipa_server'] is defined
+ and
+ hostvars[item]['ipa_host_group'] is defined
 # ipa_server_host_groups ->
 # [
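Review bot: The new `when` in the second hunk matches `primary_auth_source` against the exact string "ipa", so a host with a misspelled or differently cased value is skipped without any error. It is left out of `ipa_servers` and stays on the old authentication path unnoticed. A check ahead of this task that fails the play on unknown values would surface that, for example an `assert` looped over `ansible_play_hosts` with `that: (hostvars[item]['primary_auth_source'] | default('fas')) in ['fas', 'ipa']`. The inline `default("fas")` also repeats the default set in `inventory/group_vars/all`, so both places need changing together when the default moves to `ipa`. The task this `when` belongs to starts above the hunk, and the NOTE^2 comment refers to "the following variables", so any other loop over `ansible_play_hosts` in this file presumably needs the same filter.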