enable basic_users, nfs roles to be used directly

Author: bertiethorpe

ansible/roles/basic_users/tasks/main.yml

@@ -66,7 +66,7 @@
   when:
     - item.state | default('present') == 'present'
     - item.create_home | default(true) | bool
-    - inventory_hostname == basic_users_homedir_server
+    - ansible_hostname == basic_users_homedir_server
 
 # The following tasks run on a single *client* node, so that home directory
 # paths are easily constructed, becoming each user so that root-squash
@@ -85,7 +85,7 @@
   when:
     - item.state | default('present') == 'present'
     - item.generate_ssh_key | default(true) | bool or item.public_key is defined
-    - inventory_hostname == basic_users_homedir_client
+    - ansible_hostname == basic_users_homedir_client
 
 - name: Generate cluster ssh key
   community.crypto.openssh_keypair:
@@ -101,7 +101,7 @@
   when:
     - item.state | default('present') == 'present'
     - item.generate_ssh_key | default(true)
-    - inventory_hostname == basic_users_homedir_client
+    - ansible_hostname == basic_users_homedir_client
   register: _cluster_ssh_keypair
 
 - name: Write generated cluster ssh key to authorized_keys
@@ -118,7 +118,7 @@
   when:
     - item.item.state | default('present') == 'present'
     - item.item.generate_ssh_key | default(true)
-    - inventory_hostname == basic_users_homedir_client
+    - ansible_hostname == basic_users_homedir_client
     - item.public_key is defined # NB this is the *returned* public key
 
 - name: Write supplied public key to authorized_keys
@@ -134,5 +134,5 @@
     label: "{{ item.name }}"
   when:
     - item.state | default('present') == 'present'
-    - inventory_hostname == basic_users_homedir_client
+    - ansible_hostname == basic_users_homedir_client
     - item.public_key is defined # NB this is the *provided* public key

ansible/roles/compute_init/files/compute-init.yml

@@ -29,15 +29,9 @@
     tuned_enabled: true
     tuned_started: true
 
-    nfs_client_mnt_point: "/mnt"
-    nfs_client_mnt_options: "defaults,nosuid,nodev"
-    nfs_client_mnt_state: mounted
-    nfs_configurations:
     nfs_enable:
       clients: false
 
-    # openhpc: no defaults required
-
     os_manila_mount_shares: []
     os_manila_mount_ceph_conf_path: /etc/ceph
     os_manila_mount_state: mounted
@@ -50,13 +44,6 @@
       - nodev
       - nosuid
 
-    basic_users_userdefaults:
-      state: present
-      generate_ssh_key: true
-      ssh_key_comment: "{{ item.name }}"
-    basic_users_users: []
-    basic_users_groups: []
-
   tasks:
     - block:
         - name: Report skipping initialization if not compute node
@@ -110,11 +97,11 @@
         - meta: end_play
       when: not hostvars_stat.stat.exists
 
-    - name: Sync /mnt/cluster to /tmp
+    - name: Sync /mnt/cluster to /var/tmp
       become_user: slurm
       synchronize:
         src: "/mnt/cluster/"
-        dest: "/tmp/cluster/"
+        dest: "/var/tmp/cluster/"
         archive: yes
         recursive: yes
 
@@ -126,7 +113,7 @@
     - name: Load hostvars
       # this is higher priority than vars block = normal ansible's hostvars
       include_vars:
-        file: "/tmp/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml"
+        file: "/var/tmp/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml"
 
     - name: Run chrony role
       ansible.builtin.include_role:
@@ -166,7 +153,7 @@
 
     - name: Copy cluster /etc/hosts
       copy:
-        src: /tmp/cluster/hosts
+        src: /var/tmp/cluster/hosts
         dest: /etc/hosts
         owner: root
         group: root
@@ -177,14 +164,14 @@
       ansible.builtin.include_role:
         name: cacerts
       vars:
-        cacerts_cert_dir: "/tmp/cluster/cacerts"
+        cacerts_cert_dir: "/var/tmp/cluster/cacerts"
       when: enable_cacerts
 
     - name: Configure sshd
       ansible.builtin.include_role:
         name: sshd
       vars:
-        sshd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
+        sshd_conf_src: "/var/tmp/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
       when: enable_sshd
 
     - name: Configure tuned
@@ -196,22 +183,24 @@
         name: sssd
         tasks_from: configure.yml
       vars:
-        sssd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
+        sssd_conf_src: "/var/tmp/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
       when: enable_sssd
 
     # NFS client mount
     - name: If nfs-clients is present
-      include_tasks: tasks/nfs-clients.yml
+      ansible.builtin.include_role:
+        name: stackhpc.nfs
+        tasks_from: nfs-clients.yml
       when:
         - enable_nfs
-        - nfs_enable.clients | bool or ('nfs_enable' in item and item.nfs_enable.clients | bool)
+        - nfs_enable.clients | default(item.nfs_enable.clients) | bool
       loop: "{{ nfs_configurations }}"
 
     - name: Manila mounts
       block:
         - name: Read manila share info from nfs file
           include_vars:
-            file: /tmp/cluster/manila_share_info.yml
+            file: /var/tmp/cluster/manila_share_info.yml
           no_log: true # contains secrets
 
         - name: Ensure Ceph configuration directory exists
@@ -286,39 +275,15 @@
       when: enable_lustre
 
     - name: Basic users
-      block:
-        - name: Create groups
-          ansible.builtin.group: "{{ item }}"
-          loop:  "{{ basic_users_groups }}"
-
-        - name: Create users
-          user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() | combine(_disable_homedir) }}"
-          loop: "{{ basic_users_users }}"
-          loop_control:
-            label: "{{ item.name }}"
-          vars:
-            _disable_homedir: # ensure this task doesn't touch $HOME
-              create_home: false
-              generate_ssh_key: false
-
-        - name: Write sudo rules
-          blockinfile:
-            path: /etc/sudoers.d/80-{{ item.name }}-user
-            block: "{{ item.sudo }}"
-            create: true
-          loop: "{{ basic_users_users }}"
-          loop_control:
-            label: "{{ item.name }}"
-          when:
-            - item.state | default('present') == 'present'
-            - "'sudo' in item"
+      ansible.builtin.include_role: 
+        name: basic_users
       when: enable_basic_users
 
     - name: EESSI
       block:
         - name: Copy cvmfs config
           copy:
-            src: /tmp/cluster/cvmfs/default.local
+            src: /var/tmp/cluster/cvmfs/default.local
             dest: /etc/cvmfs/default.local
             owner: root
             group: root

ansible/roles/compute_init/tasks/export.yml

@@ -14,7 +14,7 @@
     dest: /exports/cluster/hosts
     owner: slurm
     group: root
-    mode: u=rw,go=
+    mode: u=r,g=rw,o=
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
@@ -43,7 +43,7 @@
     dest: /exports/cluster/manila_share_info.yml
     owner: slurm
     group: root
-    mode: u=rw,g=r
+    mode: u=r,g=rw,o=
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
   when: os_manila_mount_share_info is defined

ansible/roles/compute_init/tasks/install.yml

@@ -33,8 +33,8 @@
       dest: templates/ceph.keyring.j2
     - src: ../../resolv_conf/files/NetworkManager-dns-none.conf
       dest: files/NetworkManager-dns-none.conf
-    - src: ../../basic_users/filter_plugins/filter_keys.py
-      dest: filter_plugins/filter_keys.py
+    - src: ../../basic_users
+      dest: roles/
     - src: ../../cacerts
       dest: roles/
     - src: ../../sssd
@@ -43,8 +43,8 @@
       dest: roles/
     - src: ../../tuned/tasks/configure.yml
       dest: tasks/tuned.yml
-    - src: ../../stackhpc.nfs/tasks/nfs-clients.yml
-      dest: tasks/nfs-clients.yml
+    - src: ../../stackhpc.nfs
+      dest: roles/
     - src: ../../mrlesmithjr.chrony
       dest: roles/
     - src: ../../lustre

environments/common/inventory/group_vars/all/basic_users.yml

@@ -3,3 +3,7 @@
 # See ansible/roles/basic_users/README.md for variable definitions.
 
 basic_users_users: []
+
+# The following are defined for the purpose of compute-init
+basic_users_homedir_server: "{{ groups['control'] | first }}"
+basic_users_homedir_client: "{{ groups['login'] | first }}"

environments/common/inventory/group_vars/all/nfs.yml

@@ -24,9 +24,17 @@ nfs_configurations:
     # NB: this is stackhpc.nfs role defaults but are set here to prevent being
     # accidently overriden via default options
     nfs_export_options: 'rw,secure,root_squash'
+    # prevent non-cluster IPs mounting the share:
+    # NB: this is set as default for all shares above but is repeated here
+    # in case nfs_export_clients is overriden
+    nfs_export_clients: "{{ _nfs_node_ips }}"
 
   - comment: Export /exports/cluster from Slurm control node
     nfs_enable:
         server: "{{ inventory_hostname in groups['control'] }}"
         clients: false
     nfs_export: "/exports/cluster"
+    # prevent non-cluster IPs mounting the share:
+    # NB: this is set as default for all shares above but is repeated here
+    # in case nfs_export_clients is overriden
+    nfs_export_clients: "{{ _nfs_node_ips }}"