Product SiteDocumentation Site

6.9. Managing Host Groups

Host groups are a way of centralizing control over important management tasks, particularly access control.
All groups in FreeIPA are essentially static groups, meaning that the members of the group are manually and explicitly added to the group. Tangentially, FreeIPA allows nested groups, where a group is a member of another group. In that case, all of the group members of the member group automatically belong to the parent group, as well.
Because groups are easy to create, it is possible to be very flexible in what groups to create and how they are organized. Groups can be defined around organizational divisions like departments, physical locations, or FreeIPA or infrastructure usage guidelines for access controls.

6.9.1. Creating Host Groups

6.9.1.1. Creating Host Groups from the Web UI

  1. Open the Identity tab, and select the Host Groups subtab.
  2. Click the Add link at the top of the groups list.
  3. Enter the name and a description for the group.
  4. Click the Add and Edit button to go immediately to the member selection page.

6.9.1.2. Creating Host Groups from the Command Line

New groups are created using the hostgroup-add command. (This adds only the group; members are added separately.)
Two attributes are always required: the group name and the group description. If those attributes are not given as arguments, then the script prompts for them.
$ ipa hostgroup-add groupName --desc="description"

6.9.2. Adding Group Members

6.9.2.1. Adding Group Members from the Web UI

  1. Open the Identity tab, and select the Host Groups subtab.
  2. Click the name of the group to which to add members.
  3. Click the Enroll link at the top of the task area.
  4. Click the checkbox by the names of the hosts to add, and click the right arrows button, >>, to move the hosts to the selection box.
  5. Click the Enroll button.

6.9.2.2. Adding Group Members from the Command Line

Members are added to a host group using the hostgroup-add-member command. This command can add both hosts as group members and other groups as group members.
The syntax of the hostgroup-add-member command requires only the group name and a comma-separated list of hosts to add:
$ ipa hostgroup-add-member groupName [--hosts=list] [--hostgroups=list]
For example, this adds three hosts to the caligroup group:
$ ipa hostgroup-add-member caligroup --hosts=ipaserver.example.com,client1.example.com,client2.example.com
  Group name: caligroup
  Description: for machines in california
  GID: 387115842
  Member hosts: ipaserver.example.com,client1.example.com,client2.example.com
-------------------------
Number of members added 3
-------------------------
Likewise, other groups can be added as members, which creates nested groups:
$ ipa hostgroup-add-member caligroup --groups=mountainview,sandiego
  Group name: caligroup
  Description: for machines in california
  GID: 387115842
  Member groups: mountainview,sandiego
  -------------------------
  Number of members added 2
  -------------------------