On Thu, Aug 3, 2017 at 4:39 PM, Tomas Krizek via FreeIPA-devel
On 08/02/2017 01:36 PM, Florence Blanc-Renaud via FreeIPA-devel
The first version of a new design document is available at
The feature will allow deploying IPA clients using Ansible. Please feel free
to send your comments, suggestions or concerns.
Hi Flo, finally got to responding. In general the design seems good to me.
Thanks for the design. I'd like to share some thoughts.
1. I find it confusing that ipaclient module will just check the domain and
realm if it is already configured. I can imagine a situation where an admin
modifies the installargs, re-runs the playbook and expects the changes to be
applied. Unfortunately, I can't think of a good solution for this. I
wouldn't expect this behavior as a user of this module. At the very least,
this should be very well documented.
I would treat it as next step.
2a. I think ipaclient role should support at least Fedora, RHEL and Debian.
Do we know about any distribution specifics besides the different package
Commands and API are IMO the same. So we might be ok.
2b. Since the package names are different and we have to have
distro-specific code anyway, is there any advantage to using the `package`
module instead of `dnf`, `yum` and `apt` modules?
3. The ipaclient role state=absent could uninstall the packages by default,
but provide a variable to override this behavior.
What is the best practice in Ansible modules?
4. I'd appreciate seeing comprehensive documentation of all the options for
the modules -- similar to Ansible documentation for modules (e.g. ). Some
options were mentioned in the text and examples, but I'm not sure whether
the list is exhaustive and an overview of all options would be nice.
5. Regarding the minimum version of ipa-client-install: 4.4+ has to be
supported, as that's the version in current Fedora and also in Debian. It
might be worth investigating how difficult it would be to support the
version of ipa-client-install that's in RHEL 6.9. If the complexity is high,
I wouldn't support it.
There should not be noticeable differences in 4.4+. With RHEL 6.x
(FreeIPA <= 3.2) it might be a different story. Mainly because ipalib
behaves a bit differently. We can try it. If it works then great; if
not then we should look at the problem and see if it is worth fixing
As a next step. We can leverage the fact that for uninstallation we
can use an account with higher privileges than host (standard client
uninstaller can work only with host keytab). This advantage allows us
to solve problems like
[RFE] ipa-client-install: need
an option to completely remove client from idm server
e.g. by calling `host-del --update-dns` or other command.