Support sssd and sshd in compute-init (#571)

* add sssd configuration to compute init script

* fix export.yml for inactive configs

* add sssd oddjobd service to compute-init script

* refactor config export task, enable sshd

* document

* fix oddjobd condition

* fix task guarding, improve compute-init script

* remove redundant compute-init playbook vars

Author: bertiethorpe

ansible/roles/compute_init/README.md

@@ -46,7 +46,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | (system users)          | None required - use image build | No                  |
 | bootstrap.yml            | systemd                 | None required - use image build | No                  |
 | bootstrap.yml            | selinux                 | None required - use image build | Maybe [1]           |
-| bootstrap.yml            | sshd                    | None at present                 | No                  |
+| bootstrap.yml            | sshd                    | Fully supported                 | No                  |
 | bootstrap.yml            | dnf_repos               | None at present [2]             | -                   |
 | bootstrap.yml            | squid                   | Not relevant for compute nodes  | n/a                 |
 | bootstrap.yml            | tuned                   | Fully supported                 | No                  |         
@@ -63,7 +63,7 @@ it also requires an image build with the role name added to the
 | hooks/post-bootstrap.yml | ?                       | None at present                 | n/a                 |
 | iam.yml                  | freeipa_client          | None at present [3]             | Yes                 |
 | iam.yml                  | freeipa_server          | Not relevant for compute nodes  | n/a                 |
-| iam.yml                  | sssd                    | None at present                 | No                  |
+| iam.yml                  | sssd                    | Fully supported                 | No                  |
 | filesystems.yml          | block_devices           | None required - role deprecated | n/a                 |
 | filesystems.yml          | nfs                     | All client functionality        | No                  |
 | filesystems.yml          | manila                  | All functionality               | No [4]              |

ansible/roles/compute_init/files/compute-init.yml

@@ -9,6 +9,8 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+    enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}"
+    enable_sshd: "{{ os_metadata.meta.sshd | default(false) | bool }}"
     enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
@@ -132,6 +134,21 @@
         mode: 0644
       when: enable_etc_hosts
 
+    - name: Configure sssd
+      ansible.builtin.include_role:
+        name: sssd
+        tasks_from: configure.yml
+      vars:
+        sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
+      when: enable_sssd
+
+    - name: Configure sshd
+      ansible.builtin.include_role:
+        name: sshd
+      vars:
+        sshd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
+      when: enable_sshd
+
     - name: Configure tuned
       include_tasks: tasks/tuned.yml
       when: enable_tuned

ansible/roles/compute_init/tasks/export.yml

@@ -71,3 +71,24 @@
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
+
+- name: Create hostconfig directory
+  file:
+    path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
+    state: directory
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"
+
+- name: Template sssd config 
+  import_role:
+    name: sssd
+    tasks_from: export.yml
+  when: "'sssd' in group_names"
+
+- name: Template sshd config 
+  import_role:
+    name: sshd
+    tasks_from: export.yml
+  when: "'sshd' in group_names"

ansible/roles/compute_init/tasks/install.yml

@@ -13,6 +13,7 @@
     - library
     - filter_plugins
     - tasks
+    - roles
 
 - name: Inject files from roles
   copy:
@@ -32,6 +33,10 @@
       dest: files/NetworkManager-dns-none.conf
     - src: ../../basic_users/filter_plugins/filter_keys.py
       dest: filter_plugins/filter_keys.py
+    - src: ../../sssd
+      dest: roles/
+    - src: ../../sshd
+      dest: roles/
     - src: ../../tuned/tasks/configure.yml
       dest: tasks/tuned.yml
     - src: ../../stackhpc.nfs/tasks/nfs-clients.yml

ansible/roles/sshd/tasks/export.yml

@@ -0,0 +1,9 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sshd_conf_src }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/configure.yml

@@ -30,5 +30,6 @@
 - name: "Ensure oddjob is started"
   service:
     name: oddjobd
-    state: "{{ sssd_enable_mkhomedir }}"
-    enabled: "{{ sssd_enable_mkhomedir }}"
+    state: 'started'
+    enabled: true
+  when: sssd_enable_mkhomedir | bool

ansible/roles/sssd/tasks/export.yml

@@ -0,0 +1,9 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sssd_conf_src }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"