Merge branch 'main' into ci/cleanup-previous

Author: sjpb

ansible/roles/cacerts/tasks/export.yml

@@ -3,9 +3,9 @@
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: /exports/cluster/cacerts/
-    owner: slurm
-    group: root
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   with_fileglob:
     - "{{ cacerts_cert_dir }}/*"
   delegate_to: "{{ groups['control'] | first }}"

ansible/roles/compute_init/files/compute-init.yml

@@ -83,7 +83,7 @@
         - ansible.builtin.meta: end_play
     - name: Check if hostvars exist
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.builtin.stat:
         path: "/mnt/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml"
       register: hostvars_stat
@@ -98,7 +98,7 @@
         - ansible.builtin.meta: end_play
     - name: Sync /mnt/cluster to /var/tmp
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.posix.synchronize:
         src: "/mnt/cluster/"
         dest: "/var/tmp/cluster/"

ansible/roles/compute_init/tasks/export.yml

@@ -1,41 +1,47 @@
 ---
-- name: Ensure the /exports/cluster directory exists
+- name: Ensure /exports/cluster directory structure exists
   ansible.builtin.file:
-    path: /exports/cluster
+    path: "{{ item }}"
     state: directory
-    owner: slurm
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rX,g=rwX,o=
   run_once: true
+  loop:
+    - /exports/cluster
+    - /exports/cluster/hostvars
+    - /exports/cluster/cacerts
+    - /exports/cluster/cvmfs
+    - /exports/cluster/hostconfig
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Copy /etc/hosts to /exports/cluster
   ansible.builtin.copy:
     src: /etc/hosts
     dest: /exports/cluster/hosts
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=r
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
 
-- name: Create hostvars directory
+- name: Create per-host hostvars directory
   ansible.builtin.file:
     path: /exports/cluster/hostvars/{{ inventory_hostname }}/
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template out hostvars
   ansible.builtin.template:
     src: hostvars.yml.j2
     dest: /exports/cluster/hostvars/{{ inventory_hostname }}/hostvars.yml
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Copy manila share info to /exports/cluster
@@ -52,29 +58,19 @@
     os_manila_mount_share_info_var:
       os_manila_mount_share_info: "{{ os_manila_mount_share_info }}"
 
-- name: Ensure /exports/cluster/cvmfs directory exists
-  ansible.builtin.file:
-    path: /exports/cluster/cvmfs
-    state: directory
-    owner: slurm
-    group: root
-    mode: "0755"
-  run_once: true
-  delegate_to: "{{ groups['control'] | first }}"
-
 - name: Export cacerts
   ansible.builtin.include_role:
     name: cacerts
     tasks_from: export.yml
   when: "'cacerts' in group_names"
 
-- name: Create hostconfig directory
+- name: Create per-host hostconfig directory
   ansible.builtin.file:
     path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template sssd config

ansible/roles/cuda/defaults/main.yml

@@ -4,7 +4,7 @@ cuda_repo_url: "https://developer.download.nvidia.com/compute/cuda/repos/rhel{{
 cuda_nvidia_driver_stream: '580-open'
 cuda_nvidia_driver_version: '580.105.08-1'
 cuda_nvidia_driver_pkg: "nvidia-open-3:{{ cuda_nvidia_driver_version }}.el{{ ansible_distribution_major_version }}"
-cuda_package_version: '13.0.2-1'
+cuda_package_version: '13.1.0-1'
 cuda_version_short: "{{ (cuda_package_version | split('.'))[0:2] | join('.') }}" # major.minor
 cuda_packages_default:
   - "cuda-toolkit-{{ cuda_package_version }}"

ansible/roles/nhc/tasks/export.yml

@@ -3,5 +3,7 @@
   ansible.builtin.template:
     src: "{{ nhc_config_template }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/nhc.conf"
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/export.yml

@@ -4,7 +4,7 @@
   ansible.builtin.template:
     src: "{{ sssd_conf_src }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
-    owner: root
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"

dev/ansible-ssh

@@ -1,65 +1,64 @@
 #!/usr/bin/env python3
+"""
+SSH to a cluster host using connection properties from Ansible inventory.
 
-# This tool allows you to ssh into a host using the ansible inventory.
-# Example: ansible-ssh compute[0] -o GlobalKnownHostsFile=/dev/null -o
-# UserKnownHostsFile=/dev/null
+Usage:
+   ansible-ssh [-n] PATTERN
+
+where PATTERN can be any of:
+    - host e.g. mycluster-login-0
+    - group e.g. login
+    - group[index] e.g. compute[0]
+options:
+    -n      Disable strict host key checking and do not store accepted keys
+"""
 
 import json
 import os
 import shlex
 import subprocess
 import sys
-from collections import defaultdict
-
-
-def _optional_arg(prototype, *values):
-    # returns empty string if any of the values are falsey
-    filtered = [value for value in values if value]
-    return prototype.format(*values) if len(values) == len(filtered) else ""
 
+NO_HOSTKEY_CHECK_OPTS = [
+    '-o', 'StrictHostKeyChecking=no',
+    '-o', 'GlobalKnownHostsFile=/dev/null',
+    '-o', 'UserKnownHostsFile=/dev/null'
+]
 
 if __name__ == "__main__":
-    if len(sys.argv) < 2:
-        msg = (
-            f"Usage: {sys.argv[0]} <inventory_hostname> [args to pass to ssh]")
-        print(msg, file=sys.stderr)
+    no_known_hosts = '-n' in sys.argv
+    if sys.argv[-1] in (sys.argv[0], '-n'):
+        print(__doc__, file=sys.stderr)
         sys.exit(-1)
 
-    # Quote to prevent shell injection
-    host = shlex.quote(sys.argv[1])
+    pattern = sys.argv[-1]
 
+    template_str = ("ssh "
+                   "{% if ansible_ssh_port | default(false) %}-p {{ ansible_ssh_port }} {% endif %}"
+                   "{% if ansible_ssh_private_key_file | default(false) %} -i {{ ansible_ssh_private_key_file }} {% endif %}"
+                   "{{ ansible_ssh_common_args | default('') }} "
+                   "{{ ansible_user }}@{{ ansible_host }}")
+    module_args = json.dumps({'msg':template_str})
+    ansible_cmd = ['ansible', pattern, '-o', '-m', 'debug', '-a', module_args]
     try:
-        output = subprocess.check_output(
-            f'ansible-inventory --host {host}', shell=True)
-    except (subprocess.CalledProcessError) as e:
-        msg = (f"[ERROR]: Is {host} missing from the inventory?")
+        output = subprocess.check_output(ansible_cmd, text=True)
+    except (subprocess.CalledProcessError):
+        msg = ("[ERROR]: ansible exited in error")
         print(msg, file=sys.stderr)
         sys.exit(-1)
+    # output looks like e.g.
+    # stg-login-0 | SUCCESS => {    "changed": false,    ...
+    # one line per host
+    if not output:
+        sys.exit(1)
+    result = output.splitlines()[0].split('>', 1)[-1]
+    expanded = json.loads(result)['msg']
+    # can assume ansible_host exists b/c defined by terraform
+    # can assume ansible_user exists b/c defined in common inventory
 
-    meta = defaultdict(str, json.loads(output))
-
-    ansible_ssh_host = meta['ansible_ssh_host'] or meta['ansible_host']
-    ansible_ssh_user = meta['ansible_ssh_user'] or meta['ansible_user']
-    ansible_ssh_port = meta['ansible_ssh_port']
-    ansible_ssh_private_key_file = meta['ansible_ssh_private_key_file']
-
-    port = _optional_arg("-p {}", ansible_ssh_port)
-    identity = _optional_arg("-i {}", ansible_ssh_private_key_file)
-    host = _optional_arg("{}@{}", ansible_ssh_user, ansible_ssh_host)
-    opts = meta['ansible_ssh_common_args']
-
-    # Handle case where user is not set
-    if not host:
-        host = ansible_ssh_host
-
-    if not host:
-        # if we get here, "ansible_ssh_host" is not set.
-        msg = f"Could not determine the host"
-        print(msg, file=sys.stderr)
-        sys.exit(-1)
+    cmd = shlex.split(expanded)
+    if no_known_hosts:
+        cmd = cmd[0:1] + NO_HOSTKEY_CHECK_OPTS + cmd[1:]
 
-    base = shlex.split(f'ssh {port} {identity} {opts}')
-    extras = sys.argv[2:]
-    cmd = base + extras + [host]
     print(f"[INFO]: Running: {subprocess.list2cmdline(cmd)}")
     os.execvp(cmd[0], cmd)

dev/image-set-properties.sh

@@ -17,7 +17,6 @@ openstack image set \
 --property hw_architecture=x86_64 \
 --property hw_vif_multiqueue_enabled=true \
 --property hw_firmware_type=uefi \
---property os_distro=rocky \
 --property os_type=linux \
 --property os_admin_user=rocky \
 "$image"

environments/.caas/README.md

@@ -12,7 +12,9 @@ Non-standard things for this environment:
         azimuth_caas_stackhpc_slurm_appliance_template:
         ...
         envVars:
-            ANSIBLE_INVENTORY: environments/common/inventory,environments/.caas/inventory
+            ANSIBLE_INVENTORY: environments/common/inventory,environments/site/inventory,environments/.caas/inventory
+
+  ([Source](https://github.com/azimuth-cloud/ansible-collection-azimuth-ops/blob/main/roles/azimuth_caas_operator/defaults/main.yml#L199))
 
   Ansible then defines `ansible_inventory_sources` which contains absolute paths, and
   that is used to derive the `appliances_environment_root` and

environments/.stackhpc/tofu/cluster_image.auto.tfvars.json

@@ -1,6 +1,6 @@
 {
   "cluster_image": {
-    "RL8": "openhpc-RL8-251211-0951-51b93e3f",
-    "RL9": "openhpc-RL9-251211-0951-51b93e3f"
+    "RL8": "openhpc-RL8-251213-1133-31273766",
+    "RL9": "openhpc-RL9-251213-1133-31273766"
   }
 }