freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Updated network ipaclient network settings do not propagate #1128

Open jabl opened 1 year ago

jabl commented 1 year ago

When updating the ipaclient settings, e.g. adding another DNS server, and rerunning the playbook, the updated settings aren't applied. The reason seems to be that ansible-freeipa only checks that the file /etc/NetworkManager/conf.d/zzz-ipa.conf exists and not that the contents reflect the variables defined in ansible. E.g. for the DNS setting, https://github.com/freeipa/ansible-freeipa/blob/cf779e43bb8aa6c244d4daefa3d58e81577c10bc/roles/ipaclient/library/ipaclient_configure_dns_resolver.py#L198

(IIRC we saw the same issue with some other setting (DNS domain maybe), so it's not only the list of DNS servers, but I no longer remember exactly what it was)
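The difference between the existence check reported above and a content comparison, as an added example that is not part of the original thread or of ansible-freeipa's code. The file layout produced by `render_conf`, the function names, and the sample addresses are constructed for illustration.

```python
import configparser
import os
import tempfile


def render_conf(servers, searchdomain=None):
    # Constructed layout for illustration; the file the role writes may differ.
    lines = ["[main]", "dns=default", "", "[global-dns]"]
    if searchdomain:
        lines.append("searches=" + searchdomain)
    lines += ["", "[global-dns-domain-*]", "servers=" + ",".join(servers), ""]
    return "\n".join(lines)


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def exists_only_needs_update(path):
    # The check described in the issue: presence alone counts as configured.
    return not os.path.exists(path)


def content_needs_update(path, servers, searchdomain=None):
    # Missing, unparsable or differing content all mean "rewrite".
    try:
        with open(path) as fh:
            current = _parse(fh.read())
    except (FileNotFoundError, configparser.Error):
        return True
    return current != _parse(render_conf(servers, searchdomain))


def ensure_conf(path, servers, searchdomain=None):
    # Returns True when the file was (re)written, i.e. Ansible's "changed".
    if not content_needs_update(path, servers, searchdomain):
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(render_conf(servers, searchdomain))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)  # atomic swap, no half-written file
    return True
```

With the existence-only check, a second run after adding a DNS server reports nothing to do; the content comparison reports a change and rewrites the file.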

rjeffman commented 1 year ago

The deployment roles are not idempotent, you should not re-run the playbook to update settings.

Did the deployment fail and you had to try it again? If that's the case, you should "undeploy" and then deploy it again.

If it is to change the settings on a fully deployed IPA client, I'd suggest using some plugin that deals with Network Manager, such as the network Linux System Role.

t-woerner commented 1 year ago

For the ipaclient role, you can enable ipaclient_allow_repair. This will try to repair and apply configuration changes.

jabl commented 1 year ago

Yes, we do have ipaclient_allow_repair enabled. Unfortunately it didn't help with this particular issue.

t-woerner commented 1 year ago

It seems you found a bug.

t-woerner commented 3 months ago

That was the wrong issue :-)