Blacklist specific hosts or groups in a role or playbook?

Archives Ansible Project
1

Hello,

Is it possible to prevent a playbook, role, or even specific task from being run on a certain list of hostnames (or group)? I have a generic playbook for configuring postfix for sending emails, however I don’t want this playbook to ever be run against a mail server (which has a different postfix configuration). The idea behind blacklisting it in the playbook itself is so that if someone accidentally runs “ansible-playbook all postfix.yml” it won’t override the configuration on the mail servers. Can this be done?

Thanks,

Andrew

2

Is it possible to prevent a playbook, role, or even specific task from

being run on a certain list of hostnames (or group)? I have a generic
playbook for configuring postfix for sending emails, however I don't want
this playbook to ever be run against a mail server (which has a different
postfix configuration). The idea behind blacklisting it in the playbook
itself is so that if someone accidentally runs "ansible-playbook all
postfix.yml" it won't override the configuration on the mail servers. Can
this be done?

Yes, see http://www.ansibleworks.com/docs/intro_patterns.html :

You can exclude groups as well, for instance, all machines must be in the
group webservers but not in the group phoenix:

webservers:!phoenix

3

Serge,

Thanks for the information. In order to exclude a hostname called “mailserver”, would I simply add a hosts line like this to the top of the postfix role’s tasks/main.yml?

  • hosts:!mailserver
  • name: task1
  • name: task2

    Will this override the list of hosts that I provide to the playbooks that include this role?

Thanks,

Andrew

4

Thanks for the information. In order to exclude a hostname called
"mailserver", would I simply add a hosts line like this to the top of the
postfix role's tasks/main.yml?
  - hosts:!mailserver
  - name: task1
  ...
  - name: task2
  ...
Will this override the list of hosts that I provide to the playbooks that
include this role?

​No. the hosts: keyword is ​to be set at play level, not at task level:

​- name: mailserver play​

5

Okay, so the only way to exclude a host is at the play level, not the role level?

It would be more ideal for my setup to exclude at the role level, that way I can ensure that any new play that is written that includes a particular role won’t run it against blacklisted hosts. Moreover, having hosts excluded at the play level means that entire play will be skipped on blacklisted hosts, but perhaps only 1 of the roles in the play is blacklisted, and so if the blacklist/exclusion happened at the role level then the play would run on the blacklisted host and just complete all of the roles that were allowed.

For example, say I have a play called common.yml which sets up several common features on hosts. It is defined as follows:
roles:

  • ntp
  • postfix
  • smartmontools

It would be nice to be able to just run the common.yml play against all hosts, and have it configure ntp and smartmontools on all hosts but only postfix on the hosts which aren’t mailservers. Is this possible? If I add “- hosts: !mailserver” to common.yml, then the complete play will be skipped on “mailserver”.

6

Okay, so the only way to exclude a host is at the play level, not the role
level?

Yes. Roles are basically just some automation around a set of tasks​​.

It would be more ideal for my setup to exclude at the role level, that way

I can ensure that any new play that is written that includes a particular
role won't run it against blacklisted hosts.

If you really want to be sure, add a conditional to the role tasks:

   when: inventory_hostname != mailserver

Moreover, having hosts excluded at the play level means that entire play

will be skipped on blacklisted hosts, but perhaps only 1 of the roles in
the play is blacklisted,

Yes, that is by design. You need to model playbooks to include roles and
target a particular set of hosts.
​​

and so if the blacklist/exclusion happened at the role level then the play
would run on the blacklisted host and just complete all of the roles that
were allowed.

For example, say I have a play called common.yml which sets up several
common features on hosts. It is defined as follows:
  roles:
    - ntp
    - postfix
    - smartmontools

It would be nice to be able to just run the common.yml play against all
hosts, and have it configure ntp and smartmontools on all hosts but only
postfix on the hosts which aren't mailservers.

Then you need to split this up in multiple plays. Take the postfix role out
of 'common', as it is not common to all your hosts.
​​

Is this possible? If I add "- hosts: !mailserver" to common.yml, then the
complete play will be skipped on "mailserver".

should be hosts: all:!mailserver​​ but yes

Serge

7

Serge's suggestion is more elegant, but if you are paranoid, you can
also add an early check to a task list:

8

Thanks, both of these responses are very helpful. I’ve restructured my playbooks a bit as per Serge’s suggestions and also added this extra fail check for extra protection. Note that you can do some limited wildcard matching using the Jinja2 “in” expression:

  • fail: msg=“Don’t accidentally run this on any of my mailservers”
    when: “‘mail’ in inventory_hostname”

This should match hostnames “mail”, “emailserver”, “mail0”, etc.