The previous implementation didn't work because of a chicken-and-egg
problem: To add the batcave shell groups to those specifically for
bastion, it needs to look them up, but they aren't set yet (probably
because `batcave` comes after `bastion`).
Now, one can (optionally) set `ipa_client_shell_groups_inherit_from`, a
list of Ansible group names whose `ipa_client_shell_groups` will be
combined with that of the host itself. This is more robust because it's
done late, after variables are set from the inventory.
Signed-off-by: Nils Philippsen <nils@redhat.com>
This requires the canonical names of IPA servers to be mapped to their
IP addresses on the VPN as well as specifying the IPA server explicitly
when enrolling clients.
Signed-off-by: Nils Philippsen <nils@redhat.com>
- changed deploymentconfig to a template, to adapt to stg-sensitive PV name
- tweaked debuginfod command line
  - to match expected PV mount points
  - to reduce verbosity
  - to specify scanning parallelism
- specified a requested cpu (8) & ram (24GB) allocation
We want to add another ipa server host in case the load gets large when
we migrate from fas. We can always nuke this one or add more.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
In IAD2 the prod and stg hosts are on different VLANs, so we thought we
didn't need this. However, we are still seeing some odd mixing of prod
and stg fedmsgs, so likely some fedmsg port has become enabled across
all the VLANs. In any case this should do no harm, it just adds 2
subnets on all prod hosts to block staging, except for a small number of
staging_friendly hosts (in the staging_friendly ansible group).
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
SSSD caches information, some types for hours by default. When changing
anything in IPA pertaining to a host this role is applied to, clean out
the caches on the host so the changes are effective immediately.
Signed-off-by: Nils Philippsen <nils@redhat.com>
nb found that one user was blocking the cronjob from running.
After looking closely, the problem was that the creation date was
similar to 2017-02-01 09:10:20+00:00, i.e. without any dot,
as it was created at the exact microsecond the second started.
The usual format is 2017-02-01 09:10:20.012+00:00, where
split('.') works fine.
Since the traceback stops the whole cronjob, this prevented all
people whose login was after m from having the lifecycle badges.
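As an added example (not the cronjob's own code): the fragile `split('.')` check from the message beside a parser that accepts both timestamp forms, plus a loop that skips one bad record instead of aborting the run for everyone. The function names and sample timestamps are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample values (not from the cronjob itself): the usual form with
# fractional seconds, and the edge case created exactly at the start of a second.
SAMPLE_WITH_FRACTION = "2017-02-01 09:10:20.012+00:00"
SAMPLE_NO_FRACTION = "2017-02-01 09:10:20+00:00"

# Hypothetical names; the real cronjob's functions are not on the page.
_TS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[ T](?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,6}))?"          # fractional seconds are optional
    r"(?P<tz>[+-]\d{2}:\d{2})?$"
)

def naive_split_breaks(value):
    """True when the original split('.') logic would raise on this value."""
    try:
        _date_part, _rest = value.split('.')  # ValueError if there is no '.'
    except ValueError:
        return True
    return False

def parse_creation_date(value):
    """Parse the timestamp whether or not a fractional-seconds part is present."""
    m = _TS_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    dt = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    if m['frac']:
        # "012" means 12 ms: right-pad to six digits to get microseconds.
        dt = dt.replace(microsecond=int(m['frac'].ljust(6, '0')))
    if m['tz']:
        sign = 1 if m['tz'][0] == '+' else -1
        hours, minutes = (int(x) for x in m['tz'][1:].split(':'))
        dt = dt.replace(tzinfo=timezone(sign * timedelta(hours=hours, minutes=minutes)))
    return dt

def award_lifecycle_badges(users):
    """Return (processed, skipped) so one bad record cannot stop the whole run."""
    processed, skipped = [], []
    for login, created in users:
        try:
            processed.append((login, parse_creation_date(created)))
        except ValueError:
            skipped.append(login)  # log and move on instead of crashing for everyone
    return processed, skipped
```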