Merge branch 'main' into fix/dashboard-angular

sjpb · sjpb · commit 104f0b20c206 · 2025-10-30T13:20:28.000Z
diff --git a/.github/workflows/fatimage.yml b/.github/workflows/fatimage.yml
@@ -118,6 +118,11 @@ jobs:
           . venv/bin/activate
           openstack image unset --property signature_verified "${{ steps.manifest.outputs.image-id }}" || true
 
+      - name: Set image properties
+        run: |
+          . venv/bin/activate
+          . dev/image-set-properties.sh "${{ steps.manifest.outputs.image-id }}"
+
       - name: Upload manifest artifact
         uses: actions/upload-artifact@v4
         with:
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -143,7 +143,6 @@ jobs:
     name: Trivy scan image for vulnerabilities
     needs: files_changed
     if: |
-      github.event_name == 'pull_request' &&
       needs.files_changed.outputs.trivyscan == 'true'
     uses: ./.github/workflows/trivyscan.yml
     secrets: inherit
diff --git a/.github/workflows/s3-image-sync.yml b/.github/workflows/s3-image-sync.yml
@@ -168,6 +168,11 @@ jobs:
           . venv/bin/activate
           bash .github/bin/get-s3-image.sh ${{ env.TARGET_IMAGE }} ${{ env.S3_BUCKET }}
 
+      - name: Set Glance image properties correctly for Slurm images
+        run: |
+          . venv/bin/activate
+          . dev/image-set-properties.sh "${{ env.TARGET_IMAGE }}"
+
       - name: Cleanup OpenStack Image (on error or cancellation)
         if: cancelled() || failure()
         run: |
diff --git a/.github/workflows/trivyscan.yml b/.github/workflows/trivyscan.yml
@@ -102,7 +102,7 @@ jobs:
         run: sudo guestmount -a /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@v0.33.1
         with:
           scan-type: fs
           scan-ref: "${{ steps.manifest.outputs.image-name }}"
@@ -116,13 +116,13 @@ jobs:
           TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
           category: "${{ matrix.build }}"
 
       - name: Fail if scan has CRITICAL vulnerabilities
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@v0.33.1
         with:
           scan-type: fs
           scan-ref: "${{ steps.manifest.outputs.image-name }}"
@@ -132,6 +132,8 @@ jobs:
           severity: 'CRITICAL'
           ignore-unfixed: true
           timeout: 15m
+          # On a subsequent call to the action we know trivy is already installed so can skip this
+          skip-setup-trivy: true
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
diff --git a/ansible/roles/cuda/defaults/main.yml b/ansible/roles/cuda/defaults/main.yml
@@ -2,17 +2,22 @@
 # yamllint disable-line rule:line-length
 cuda_repo_url: "https://developer.download.nvidia.com/compute/cuda/repos/rhel{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/cuda-rhel{{ ansible_distribution_major_version }}.repo"
 cuda_nvidia_driver_stream: '580-open'
-cuda_nvidia_driver_pkg: "nvidia-open-3:580.82.07-1.el{{ ansible_distribution_major_version }}"
+cuda_nvidia_driver_version: '580.82.07-1'
+cuda_nvidia_driver_pkg: "nvidia-open-3:{{ cuda_nvidia_driver_version }}.el{{ ansible_distribution_major_version }}"
 cuda_package_version: '13.0.1-1'
 cuda_version_short: "{{ (cuda_package_version | split('.'))[0:2] | join('.') }}" # major.minor
-cuda_packages:
+cuda_packages_default:
   - "cuda-toolkit-{{ cuda_package_version }}"
   - nvidia-gds
   - cmake
+cuda_packages_fabricmanager:
+  - "nvidia-fabricmanager-{{ cuda_nvidia_driver_version }}"
+cuda_packages: "{{ cuda_packages_default + ( cuda_packages_fabricmanager if cuda_install_nvidiafabricmanger | bool else [] ) }}"
 cuda_samples_release_url: "https://github.com/NVIDIA/cuda-samples/archive/refs/tags/v{{ cuda_version_short }}.tar.gz"
 cuda_samples_path: "/var/lib/{{ ansible_user }}/cuda_samples"
 cuda_samples_programs:
   - deviceQuery
   - bandwidthTest
 # cuda_devices: # discovered from deviceQuery run
 cuda_persistenced_state: started
+cuda_install_nvidiafabricmanger: false
diff --git a/ansible/roles/dnf_repos/tasks/disable_repos.yml b/ansible/roles/dnf_repos/tasks/disable_repos.yml
@@ -10,9 +10,10 @@
   loop: "{{ dnf_repos_repos | dict2items }}"
   loop_control:
     label: "{{ repo_name }}[{{ repo_os }}]: {{ repo_values }}"
+  when: repo_values | length > 0
   vars:
     repo_os: "{{ ansible_distribution_version if ansible_distribution_version in item.value else ansible_distribution_major_version }}"
-    repo_values: "{{ item.value[repo_os] }}"
+    repo_values: "{{ item.value.get(repo_os, {}) }}"
     repo_name: "{{ repo_values.repo_name | default(item.key) }}"
     repo_content_url: "{{ repo_values.pulp_content_url | default(dnf_repos_pulp_content_url) }}"
 
diff --git a/ansible/roles/dnf_repos/tasks/set_repos.yml b/ansible/roles/dnf_repos/tasks/set_repos.yml
@@ -12,10 +12,12 @@
   loop: "{{ dnf_repos_repos | dict2items }}"
   loop_control:
     label: "{{ repo_name }}[{{ repo_os }}]: {{ repo_values }}"
-  when: repo_name != 'epel'
+  when:
+    - repo_name != 'epel'
+    - repo_values | length > 0
   vars:
     repo_os: "{{ ansible_distribution_version if ansible_distribution_version in item.value else ansible_distribution_major_version }}"
-    repo_values: "{{ item.value[repo_os] }}"
+    repo_values: "{{ item.value.get(repo_os, {}) }}"
     repo_name: "{{ repo_values.repo_name | default(item.key) }}"
     repo_content_url: "{{ repo_values.pulp_content_url | default(dnf_repos_pulp_content_url) }}"
 
@@ -36,9 +38,11 @@
   loop: "{{ dnf_repos_repos | dict2items }}"
   loop_control:
     label: "{{ repo_name }}[{{ repo_os }}]: {{ repo_values }}"
-  when: repo_name == 'epel'
+  when:
+    - repo_name == 'epel'
+    - repo_values | length > 0
   vars:
     repo_os: "{{ ansible_distribution_version if ansible_distribution_version in item.value else ansible_distribution_major_version }}"
-    repo_values: "{{ item.value[repo_os] }}"
+    repo_values: "{{ item.value.get(repo_os, {}) }}"
     repo_name: "{{ repo_values.repo_name | default(item.key) }}"
     repo_content_url: "{{ repo_values.pulp_content_url | default(dnf_repos_pulp_content_url) }}"
diff --git a/ansible/roles/eessi/tasks/install.yml b/ansible/roles/eessi/tasks/install.yml
@@ -11,9 +11,7 @@
 - name: Import downloaded GPG key # noqa: no-changed-when
   ansible.builtin.command: rpm --import cvmfs-key.gpg # noqa: command-instead-of-module
 
-- name: Add CVMFS repo
-  ansible.builtin.dnf:
-    name: "https://ecsft.cern.ch/dist/cvmfs/cvmfs-release/cvmfs-release-{{ cvmfs_release_version }}.noarch.rpm"
+# cvmfs repo provided by dnf_repos role
 
 - name: Install CVMFS
   ansible.builtin.dnf:
diff --git a/ansible/roles/openondemand/README.md b/ansible/roles/openondemand/README.md
@@ -73,6 +73,10 @@ This role enables SSL on the Open Ondemand server, using the following self-sign
 - `openondemand_desktop_screensaver`: Optional. Whether to enable screen locking/screensaver. **NB:** Users must have passwords if this is enabled. Bool, default `false`.
 - `openondemand_filesapp_paths`: List of paths (in addition to $HOME, which is always added) to include shortcuts to within the Files dashboard app.
 - `openondemand_jupyter_partition`: Required. Name of Slurm partition to use for Jupyter Notebook servers. Requires a corresponding group named "openondemand_jupyter" and entry in openhpc_partitions.
+- `openondemand_gres_options`: Optional. A list of `[label, value]` items used
+  to provide a drop-down for resource/GRES selection in application forms. The
+  default constructs a list from all GRES definitions in the cluster. See the
+  `option` attribute of the Select Field [form widget](https://osc.github.io/ood-documentation/latest/how-tos/app-development/interactive/form-widgets.html#form-widgets).
 
 ### Monitoring
 
diff --git a/ansible/roles/openondemand/defaults/main.yml b/ansible/roles/openondemand/defaults/main.yml
@@ -102,6 +102,12 @@ openondemand_osc_ood_defaults:
   ood_auth_openidc: "{{ openondemand_auth_defaults.oidc.ood_auth_openidc if (openondemand_auth | lower) == 'oidc' else none }}"
   httpd_auth: "{{ openondemand_auth_defaults[openondemand_auth | lower].httpd_auth }}"
 
+  # Use repo file provided by dnf_repos by default
+  ood_use_existing_repo_file: true
+
+# Apps:
 openondemand_code_server_version: 4.102.2
 openondemand_rstudio_version: 2025.05.1-513
 openondemand_matlab_version: ''
+# Below is automatically calculated during role run:
+openondemand_gres_options: "{{ _openondemand_sinfo_gres.stdout | to_gres_options }}"
diff --git a/ansible/roles/openondemand/filter_plugins/filters.py b/ansible/roles/openondemand/filter_plugins/filters.py
@@ -0,0 +1,87 @@
+#!/usr/bin/python
+# pylint: disable=missing-module-docstring
+
+# Copyright: (c) 2025, StackHPC
+# Apache 2 License
+
+
+def to_gres_options(stdout):
+    """Convert sinfo output into a list of GRES options for an Ondemand `select`
+    widget.
+
+    Parameters:
+      stdout: Text from `sinfo --noheader --format "%R %G"`
+
+    Returns a list of [label, value] items. This is the format required for
+    the `options` attribute of a `select` widget [1] where:
+      - value (str) is a valid entry for the srun/sbatch --gres option [2].
+      - label (str) is a user-friendly label with gres name, gres type and
+        maximum gres count where relevant.
+    The returned list will always include an entry for no GRES request.
+
+    For example with a single GRES defined of `gpu:H200:8' the following
+    entries are returned:
+      - ['None', 'none']
+      - ['Any gpu (max count=8, partitions=standard,long)', 'gpu']
+      - ['H200 gpu (max count=8, partitions=standard,long)', 'gpu:H200']
+
+    [1] https://osc.github.io/ood-documentation/latest/how-tos/app-development/interactive/form-widgets.html#form-widgets
+    [2] https://slurm.schedmd.com/srun.html#OPT_gres
+    """  # noqa: E501 pylint: disable=line-too-long
+
+    gres_data = {}
+    # key=gres_opt - 'name' or 'name:type', i.e. what would be passed to --gres
+    # value={label:str, max_count: int, partitions=[]}
+    gres_data["none"] = {"label": "None", "max_count": 0, "partitions": ["all"]}
+
+    for line in stdout.splitlines():
+        # line examples:
+        # 'part1 gpu:H200:8(S:0-1),test:foo:1'
+        # 'part2 (null)'
+        # - First example shows multiple GRES per partition
+        # - Core suffix e.g. '(S:0-1)' only exists for auto-detected gres
+        # - stackhpc.openhpc role guarantees that name:type:count all exist
+        partition, gres_definitions = line.split()
+        for gres in gres_definitions.split(","):
+            if "(null)" in gres:
+                continue
+            gres_name, gres_type, gres_count_cores = gres.split(":", maxsplit=2)
+            gres_count = gres_count_cores.split("(")[0]
+            for gres_opt in [gres_name, f"{gres_name}:{gres_type}"]:
+                if gres_opt not in gres_data:
+                    label = (
+                        f"{gres_type} {gres_name}"
+                        if ":" in gres_opt
+                        else f"Any {gres_opt}"
+                    )
+                    gres_data[gres_opt] = {
+                        "label": label,
+                        "max_count": gres_count,
+                        "partitions": [partition],
+                    }
+                else:
+                    gres_data[gres_opt]["partitions"].append(partition)
+                    if gres_count > gres_data[gres_name]["max_count"]:
+                        gres_data[gres_opt]["max_count"] = gres_count
+
+    gres_options = []
+    for gres_opt in gres_data:  # pylint: disable=consider-using-dict-items
+        max_count = gres_data[gres_opt]["max_count"]
+        partitions = gres_data[gres_opt]["partitions"]
+        label = gres_data[gres_opt]["label"]
+        if gres_opt != "none":
+            label += f" (max count={max_count}, partitions={','.join(partitions)})"
+        gres_options.append((label, gres_opt))
+    return gres_options
+
+
+# pylint: disable=useless-object-inheritance
+# pylint: disable=too-few-public-methods
+class FilterModule(object):
+    """Ansible core jinja2 filters"""
+
+    # pylint: disable=missing-function-docstring
+    def filters(self):
+        return {
+            "to_gres_options": to_gres_options,
+        }
diff --git a/ansible/roles/openondemand/tasks/main.yml b/ansible/roles/openondemand/tasks/main.yml
@@ -39,6 +39,12 @@
     vars_from: main.yml
     public: true
 
+- name: Get GRES information
+  ansible.builtin.command:
+    cmd: sinfo --noheader --format "%R %G" # can't use , or : as separator
+  changed_when: true
+  register: _openondemand_sinfo_gres
+
 - ansible.builtin.include_role:
     name: osc.ood
     tasks_from: install-apps.yml
diff --git a/ansible/roles/openondemand/tasks/vnc_compute.yml b/ansible/roles/openondemand/tasks/vnc_compute.yml
@@ -1,16 +1,7 @@
 ---
 # Should be run on compute nodes you want to run the graphical desktop on
-- name: Enable TurboVNC repo
-  tags: install
-  ansible.builtin.get_url:
-    url: https://raw.githubusercontent.com/TurboVNC/repo/main/TurboVNC.repo
-    dest: /etc/yum.repos.d/TurboVNC.repo
-    mode: "0644"
 
-- name: Install EPEL
-  tags: install
-  ansible.builtin.dnf:
-    name: epel-release
+# EPEL and TurboVNC repos are provided by dnf_repos role
 
 - name: Check /etc/init.d
   ansible.builtin.stat:
diff --git a/docs/mig.md b/docs/mig.md
@@ -214,10 +214,6 @@ openhpc_nodegroups:
       - conf: "gpu:nvidia_h100_80gb_hbm3:2"
       - conf: "gpu:nvidia_h100_80gb_hbm3_4g.40gb:2"
       - conf: "gpu:nvidia_h100_80gb_hbm3_1g.10gb:6"
-
-openhpc_config:
-  GresTypes:
-    - gpu
 ```
 
 Making sure the types (the identifier after `gpu:`) match those collected with `slurmd -G`. Substrings
diff --git a/environments/.caas/inventory/group_vars/all/openhpc.yml b/environments/.caas/inventory/group_vars/all/openhpc.yml
@@ -4,3 +4,6 @@ openhpc_cluster_name: "{{ cluster_name }}"
 # Provision a single "standard" compute nodegroup using the supplied
 # node count and flavor
 openhpc_nodegroups: "{{ hostvars[groups['openstack'][0]]['openhpc_nodegroups'] }}"
+
+# Enable autoconfiguration of NVIDIA GPUs, if using a suitable (`cuda`) image:
+openhpc_gres_autodetect: nvml
diff --git a/environments/common/inventory/group_vars/all/dnf_repo_timestamps.yml b/environments/common/inventory/group_vars/all/dnf_repo_timestamps.yml
@@ -124,6 +124,11 @@ dnf_repos_default:
       pulp_path: epel/9/Everything/source
       pulp_timestamp: 20250923T001717
       repo_file: epel
+  epel-cisco-openh264:
+    '9':
+      pulp_path: openh264/epel/9/x86_64/os
+      pulp_timestamp: 20250925T130153
+      repo_file: epel-cisco-openh264
   extras:
     '8.10':
       pulp_path: rocky/8.10/extras/x86_64/os
@@ -160,3 +165,48 @@ dnf_repos_default:
       pulp_path: grafana/oss/rpm
       pulp_timestamp: 20250917T024714
       repo_file: grafana
+  ondemand-web:
+    '8':
+      pulp_path: ondemand/4.0/web/el8/x86_64
+      pulp_timestamp: 20250925T130153
+      repo_file: ondemand-web
+    '9':
+      pulp_path: ondemand/4.0/web/el9/x86_64
+      pulp_timestamp: 20250925T130153
+      repo_file: ondemand-web
+  TurboVNC:
+    '8':
+      pulp_path: turbovnc/x86_64
+      pulp_timestamp: 20251009T091906
+      repo_file: TurboVNC
+    '9':
+      pulp_path: turbovnc/x86_64
+      pulp_timestamp: 20251009T091906
+      repo_file: TurboVNC
+  TurboVNC-source:
+    '8':
+      pulp_path: turbovnc/srpms
+      pulp_timestamp: 20251009T091906
+      repo_file: TurboVNC
+    '9':
+      pulp_path: turbovnc/srpms
+      pulp_timestamp: 20251009T091906
+      repo_file: TurboVNC
+  cernvmfs_pkgs:
+    '8':
+      pulp_path: cvmfs/EL/8/x86_64
+      pulp_timestamp: 20250816T005446
+      repo_file: cvmfs
+    '9':
+      pulp_path: cvmfs/EL/9/x86_64
+      pulp_timestamp: 20250816T005446
+      repo_file: cvmfs
+  cernvmfs_cfg:
+    '8':
+      pulp_path: cvmfs-config/EL/8/x86_64
+      pulp_timestamp: 20250805T130249
+      repo_file: cvmfs
+    '9':
+      pulp_path: cvmfs-config/EL/9/x86_64
+      pulp_timestamp: 20250805T130249
+      repo_file: cvmfs
diff --git a/environments/common/inventory/group_vars/all/openondemand.yml b/environments/common/inventory/group_vars/all/openondemand.yml
diff --git a/requirements.yml b/requirements.yml
