Snapshot of current Waldur Slurm PoC config

Author: sd109

ansible/roles/openondemand/defaults/main.yml

@@ -56,7 +56,7 @@ openondemand_auth_defaults:
       - 'ProxyPreserveHost On' # see under https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes/
     user_map_cmd: /opt/ood/ood_auth_map/bin/ood_auth_map.mapfile
     user_map_match: none
-  
+
   # Defaults for basic/PAM auth - see https://osc.github.io/ood-documentation/latest/authentication/pam.html
   basic_pam:
     httpd_auth: # ood_portal.yml.j2
@@ -91,7 +91,7 @@ openondemand_osc_ood_defaults:
     - SSLHonorCipherOrder On
     - SSLCompression off
     - SSLSessionTickets Off
-  
+
   # User mapping:
   user_map_cmd: "{{ openondemand_auth_defaults[openondemand_auth | lower].user_map_cmd }}"
   user_map_match: "{{ openondemand_auth_defaults[openondemand_auth | lower].user_map_match }}"

environments/.stackhpc/hooks/pre.yml renamed to environments/.stackhpc/hooks/pre.yml.bak

@@ -1,5 +1,5 @@
-[basic_users:children]
-cluster
+# [basic_users:children]
+# cluster
 
 [rebuild:children]
 control

environments/.stackhpc/inventory/extra_groups

@@ -10,3 +10,5 @@ freeipa_users:
 # freeipa_client hosts must use a FreeIPA server for name resolution - requires hosts to be in group `resolv_conf`.
 resolv_conf_nameservers:
   - "{{ hostvars[groups['freeipa_server'].0].ansible_host }}"
+
+node_fqdn: "{{ [inventory_hostname, openhpc_cluster_name, cluster_domain_suffix ] | join('.') }}"

environments/.stackhpc/inventory/group_vars/all/freeipa.yml

@@ -1,6 +1,66 @@
-openondemand_auth: basic_pam
+openondemand_auth: oidc # or basic_pam
 openondemand_jupyter_partition: standard
 openondemand_desktop_partition: standard
-#openondemand_dashboard_support_url: 
+#openondemand_dashboard_support_url:
 #openondemand_dashboard_docs_url:
 #openondemand_filesapp_paths:
+
+openondemand_servername: 128.232.226.209
+openondemand_oidc_provider_url: https://identity.apps.hpc.cam.ac.uk/realms/az-rcp-cloud-portal-demo
+openondemand_oidc_crypto_passphrase: <redacted>
+openondemand_oidc_client_id: ondemand
+openondemand_oidc_client_secret: <redacted>
+openondemand_oidc_scope: "openid profile email"
+openondemand_oidc_remote_user_claim: preferred_username
+# openondemand_oidc_remote_user_claim: email
+
+# add openondemand_apps.shell.env.ood_ssh_wrapper:
+openondemand_apps:
+  files:
+    env:
+      ood_shell: ""
+  shell:
+    env:
+      ood_shell_origin_check: "https://{{ openondemand_servername }}"
+      ood_ssh_wrapper: /usr/bin/ood_shell_wrapper # TODO: changeme?
+      # this is bash --login -c "cd && exec bash"
+      # #!/usr/bin/bash
+  dashboard:
+    env:
+      motd_path: /etc/motd
+      motd_format: markdown
+      ood_dashboard_support_url: "{{ openondemand_dashboard_support_url }}"
+      ood_dashboard_docs_url: "{{ openondemand_dashboard_docs_url }}"
+      ood_brand_bg_color: "#0e6ec8"
+      ood_dashboard_title: "{{ openhpc_cluster_name }}"
+
+user_map_match: '.*' # map remote user to local user, as-is
+user_map_cmd: null # need to set this to override the default "openondemand" role behaviour of using file-based mapping
+
+# user_map_match: 'waldur_user_.*'
+
+# user_map_cmd:
+# user_map_cmd: "echo waldur_user_$1"
+# user_map_cmd: "echo -e waldur_user_$1 | tr -d '[:space:]'"
+
+# Script manually created on login node with contents:
+# ```
+# #!/bin/bash
+# echo waldur_user_$1
+# ```
+# user_map_cmd: /opt/user-mapper-test.sh
+
+# openondemand_mapping_users:
+#   - name: waldur_user_scott-test-user
+#     openondemand_username: scott-test-user
+
+# lua_log_level: debug
+
+# user_map_match: 'waldur_user_.*'
+# openondemand_oidc_remote_user_claim: email
+
+
+# oidc_session_inactivity_timeout: 28800
+# oidc_session_max_duration: 28800
+# oidc_state_max_number_of_cookies: "10 true"
+# oidc_cookie_same_site: On

environments/.stackhpc/inventory/group_vars/openondemand/overrides.yml

@@ -0,0 +1,37 @@
+all:
+    vars:
+        openhpc_cluster_name: scott-slurm-dev
+        cluster_domain_suffix: invalid
+
+control:
+    hosts:
+        scott-slurm-dev-control:
+            ansible_host: 192.168.3.37
+            instance_id: dfe0f2bc-d874-433c-a91d-0fa73b51d581
+    vars:
+        appliances_state_dir: /var/lib/state # NB needs to be set on group not host otherwise it is ignored in packer build!
+
+login:
+    hosts:
+        scott-slurm-dev-login-0:
+            ansible_host: 192.168.3.4
+            instance_id: fd4e85fd-7fd3-4a4e-ae62-29003b8a1468
+
+scott-slurm-dev_standard:
+    hosts:
+        scott-slurm-dev-compute-0:
+            ansible_host: 192.168.3.89
+            instance_id: ec2683b4-4c9b-41d8-b645-e13d082a9286
+        scott-slurm-dev-compute-1:
+            ansible_host: 192.168.3.144
+            instance_id: 608844bd-ba76-4d99-9b12-925f7e682f8f
+
+compute:
+    children:
+        scott-slurm-dev_standard:
+
+# freeipa_server:
+#     hosts:
+#         scott-slurm-dev-freeipa:
+#             ansible_host: 192.168.3.119
+#             instance_id: d53dc420-b0b5-492c-ad92-de4ca5da55b8

environments/.stackhpc/inventory/hosts.yml

@@ -0,0 +1,37 @@
+all:
+    vars:
+        openhpc_cluster_name: scott-slurm-dev
+        cluster_domain_suffix: invalid
+
+control:
+    hosts:
+        scott-slurm-dev-control:
+            ansible_host: 192.168.3.37
+            instance_id: dfe0f2bc-d874-433c-a91d-0fa73b51d581
+    vars:
+        appliances_state_dir: /var/lib/state # NB needs to be set on group not host otherwise it is ignored in packer build!
+
+login:
+    hosts:
+        scott-slurm-dev-login-0:
+            ansible_host: 192.168.3.4
+            instance_id: fd4e85fd-7fd3-4a4e-ae62-29003b8a1468
+
+scott-slurm-dev_standard:
+    hosts:
+        scott-slurm-dev-compute-0:
+            ansible_host: 192.168.3.89
+            instance_id: ec2683b4-4c9b-41d8-b645-e13d082a9286
+        scott-slurm-dev-compute-1:
+            ansible_host: 192.168.3.144
+            instance_id: 608844bd-ba76-4d99-9b12-925f7e682f8f
+
+compute:
+    children:
+        scott-slurm-dev_standard:
+
+freeipa_server:
+    hosts:
+        scott-slurm-dev-freeipa:
+            ansible_host: 192.168.3.199
+            instance_id: d53dc420-b0b5-492c-ad92-de4ca5da55b8

environments/.stackhpc/inventory/hosts.yml.bak

@@ -2,3 +2,5 @@ cluster_net = "portal-internal"
 cluster_subnet = "portal-internal"
 control_node_flavor = "vm.ska.cpu.general.eighth"
 other_node_flavor = "vm.ska.cpu.general.small"
+
+cluster_name = "scott-slurm-dev"

environments/.stackhpc/terraform/ARCUS.tfvars

@@ -89,9 +89,9 @@ module "cluster" {
         #     flavor: var.other_node_flavor
         # }
     }
-    
+
     volume_backed_instances = var.volume_backed_instances
-    
+
     environment_root = var.environment_root
     # Can reduce volume size a lot for short-lived CI clusters:
     state_volume_size = 10
@@ -101,3 +101,24 @@ module "cluster" {
     home_volume_type = var.home_volume_type
 
 }
+
+resource "openstack_compute_instance_v2" "freeipa" {
+    name            = "${var.cluster_name}-freeipa"
+    image_id        = "3d20681e-38a6-4563-a80e-f1762f6cdce8" # == Rocky-8-GenericCloud-Base-8.9-20231119.0.x86_64.qcow2
+    flavor_id       = "c8b72062-5d52-4590-9d7a-68a670b44442"
+    key_pair        = "slurm-app-ci"
+    security_groups = ["default", "SSH"]
+
+    network {
+    name = var.cluster_net
+    }
+
+    metadata = {
+    environment_root = var.environment_root
+    }
+
+    user_data = <<-EOF
+        #cloud-config
+        fqdn: ${var.cluster_name}-freeipa.${var.cluster_name}.invalid
+    EOF
+}

environments/.stackhpc/terraform/main.tf

@@ -39,7 +39,7 @@ appliances_local_users_default:
         home: /var/lib/{{ appliances_local_users_ansible_user_name }}
         move_home: true
         local: true
-    
+
     - user: "{{ appliances_local_users_podman }}"
       enable: "{{ 'podman' in group_names }}"
 
@@ -50,7 +50,7 @@ appliances_local_users_default:
         shell: /sbin/nologin
         uid: 202
         system: true
-    
+
     - group:
         name: prometheus
         gid: 976
@@ -61,7 +61,7 @@ appliances_local_users_default:
         shell: /usr/sbin/nologin
         system: true
       enable: "{{ 'prometheus' in group_names }}"
-    
+
     - group:
         name: grafana
         gid: 979