Blacklist specific hosts or groups in a role or playbook?

[Andrew Martin]

Hello,

Is it possible to prevent a playbook, role, or even specific task from being run on a certain list of hostnames (or group)? I have a generic playbook for configuring postfix for sending emails, however I don't want this playbook to ever be run against a mail server (which has a different postfix configuration). The idea behind blacklisting it in the playbook itself is so that if someone accidentally runs "ansible-playbook all postfix.yml" it won't override the configuration on the mail servers. Can this be done?

Thanks,

Andrew

[Serge van Ginderachter]

Is it possible to prevent a playbook, role, or even specific task from being run on a certain list of hostnames (or group)? I have a generic playbook for configuring postfix for sending emails, however I don't want this playbook to ever be run against a mail server (which has a different postfix configuration). The idea behind blacklisting it in the playbook itself is so that if someone accidentally runs "ansible-playbook all postfix.yml" it won't override the configuration on the mail servers. Can this be done?

Yes, see http://www.ansibleworks.com/docs/intro_patterns.html :

You can exclude groups as well, for instance, all machines must be in the group webservers but not in the group phoenix:

webservers:!phoenix

[Andrew Martin]

Serge,

Thanks for the information. In order to exclude a hostname called "mailserver", would I simply add a hosts line like this to the top of the postfix role's tasks/main.yml?

  - hosts:!mailserver

  - name: task1

  ...

  - name: task2

  ...

Will this override the list of hosts that I provide to the playbooks that include this role?

Thanks,

Andrew

[Serge van Ginderachter]

On 6 December 2013 20:40, Andrew Martin <andrew....@gmail.com> wrote:

Thanks for the information. In order to exclude a hostname called "mailserver", would I simply add a hosts line like this to the top of the postfix role's tasks/main.yml?

  - hosts:!mailserver

  - name: task1

  ...

  - name: task2

  ...

Will this override the list of hosts that I provide to the playbooks that include this role?

​No. the hosts: keyword is ​to be set at play level, not at task level:

​- name: mailserver play​
​  hosts:

​ postfixservers:​

!mailserver
  tasks:
  - ...
  roles:
  - ...

[Andrew Martin]

Okay, so the only way to exclude a host is at the play level, not the role level? 

It would be more ideal for my setup to exclude at the role level, that way I can ensure that any new play that is written that includes a particular role won't run it against blacklisted hosts. Moreover, having hosts excluded at the play level means that entire play will be skipped on blacklisted hosts, but perhaps only 1 of the roles in the play is blacklisted, and so if the blacklist/exclusion happened at the role level then the play would run on the blacklisted host and just complete all of the roles that were allowed.

For example, say I have a play called common.yml which sets up several common features on hosts. It is defined as follows:

  roles:

    - ntp

    - postfix

    - smartmontools

It would be nice to be able to just run the common.yml play against all hosts, and have it configure ntp and smartmontools on all hosts but only postfix on the hosts which aren't mailservers. Is this possible? If I add "- hosts: !mailserver" to common.yml, then the complete play will be skipped on "mailserver".

[Serge van Ginderachter]

On 6 December 2013 20:56, Andrew Martin <andrew....@gmail.com> wrote:

Okay, so the only way to exclude a host is at the play level, not the role level? 

Yes. Roles are basically just some automation around a set of tasks​​.

It would be more ideal for my setup to exclude at the role level, that way I can ensure that any new play that is written that includes a particular role won't run it against blacklisted hosts.

If you really want to be sure, add a conditional to the role tasks:

   when: inventory_hostname != mailserver

Moreover, having hosts excluded at the play level means that entire play will be skipped on blacklisted hosts, but perhaps only 1 of the roles in the play is blacklisted,

Yes, that is by design. You need to model playbooks to include roles and target a particular set of hosts.

​​

and so if the blacklist/exclusion happened at the role level then the play would run on the blacklisted host and just complete all of the roles that were allowed.

For example, say I have a play called common.yml which sets up several common features on hosts. It is defined as follows:

  roles:

    - ntp

    - postfix

    - smartmontools

It would be nice to be able to just run the common.yml play against all hosts, and have it configure ntp and smartmontools on all hosts but only postfix on the hosts which aren't mailservers.

Then you need to split this up in multiple plays. Take the postfix role out of 'common', as it is not common to all your hosts.

​​

Is this possible? If I add "- hosts: !mailserver" to common.yml, then the complete play will be skipped on "mailserver".

should be   hosts: all:!mailserver​​   but yes

Serge

[Kahlil Hodgson]

Serge's suggestion is more elegant, but if you are paranoid, you can
also add an early check to a task list:

---
- fail: msg="Don't accidentally run this on my mailserver"
when: inventory_hostname == 'mailserver'

- ... other tasks

just in case you inadvertently include the task list without checking
at a higher level.

K

Kahlil (Kal) Hodgson GPG: C9A02289
Head of Technology (m) +61 (0) 4 2573 0382
DealMax Pty Ltd (w) +61 (0) 3 9008 5281

Suite 1415
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing. You must remember that
the parts you are reassembling were disassembled by you. Therefore,
if you can't get them together again, there must be a reason. By all
means, do not use a hammer." -- IBM maintenance manual, 1925



On 7 December 2013 07:12, Serge van Ginderachter

> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to ansible-proje...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

[Andrew Martin]

Thanks, both of these responses are very helpful. I've restructured my playbooks a bit as per Serge's suggestions and also added this extra fail check for extra protection. Note that you can do some limited wildcard matching using the Jinja2 "in" expression:

- fail: msg="Don't accidentally run this on any of my mailservers" 
  when: "'mail' in inventory_hostname" 

This should match hostnames "mail", "emailserver", "mail0", etc.