Merge branch 'main' into ci/test-compute-init

Author: bertiethorpe

.github/workflows/nightlybuild.yml

@@ -10,8 +10,8 @@ on:
             - LEAFCLOUD
             - SMS
             - ARCUS
-  schedule:
-    - cron: '0 0 * * *'  # Run at midnight on default branch
+  # schedule:
+  #   - cron: '0 0 * * *'  # Run at midnight on default branch
 
 jobs:
   openstack:

README.md

@@ -31,8 +31,7 @@ It requires an OpenStack cloud, and an Ansible "deploy host" with access to that
 
 Before starting ensure that:
 - You have root access on the deploy host.
-- You can create instances using a Rocky 9 GenericCloud image (or an image based on that).
-    - **NB**: In general it is recommended to use the [latest released image](https://github.com/stackhpc/ansible-slurm-appliance/releases) which already contains the required packages. This is built and tested in StackHPC's CI.
+- You can create instances from the [latest Slurm appliance image](https://github.com/stackhpc/ansible-slurm-appliance/releases), which already contains the required packages. This is built and tested in StackHPC's CI.
 - You have an SSH keypair defined in OpenStack, with the private key available on the deploy host.
 - Created instances have access to internet (note proxies can be setup through the appliance if necessary).
 - Created instances have accurate/synchronised time (for VM instances this is usually provided by the hypervisor; if not or for bare metal instances it may be necessary to configure a time service via the appliance).
@@ -50,6 +49,7 @@ These instructions assume the deployment host is running Rocky Linux 8:
     sudo yum install -y git python38
     git clone https://github.com/stackhpc/ansible-slurm-appliance
     cd ansible-slurm-appliance
+    git checkout ${latest-release-tag}
     ./dev/setup-env.sh
 
 You will also need to install [OpenTofu](https://opentofu.org/docs/intro/install/rpm/).

ansible/.gitignore

@@ -86,3 +86,5 @@ roles/*
 !roles/rebuild/**
 !roles/slurm_tools/
 !roles/slurm_tools/**
+!roles/gateway/
+!roles/gateway/**

ansible/bootstrap.yml

@@ -52,6 +52,19 @@
     - import_role:
         name: proxy
 
+- hosts: chrony
+  tags: chrony
+  become: yes
+  tasks:
+    - import_role:
+        name: mrlesmithjr.chrony
+        # skip install tasks as might not have network yet
+        tasks_from: config_chrony.yml
+      vars:
+        # workaround for set_facts.yml:
+        chrony_config: /etc/chrony.conf
+        chrony_service: chronyd
+
 - hosts: cluster
   gather_facts: false
   become: yes
@@ -306,10 +319,11 @@
     - include_role:
         name: azimuth_cloud.image_utils.linux_ansible_init
 
-- hosts: k3s
+- hosts: k3s:&builder
   become: yes
   tags: k3s
   tasks:
-    - ansible.builtin.include_role:
+    - name: Install k3s
+      ansible.builtin.include_role:
         name: k3s
         tasks_from: install.yml

ansible/cleanup.yml

@@ -38,7 +38,21 @@
 
 - name: Cleanup /tmp
   command : rm -rf /tmp/*
-    
+
+- name: Delete files triggering vulnerability scans
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop: # NB: items here MUST have a justification!
+    # ondemand install: raised at https://github.com/OSC/ondemand/security/advisories/GHSA-f7j8-ppqm-m5vw
+    # All declared not to be an issue by Open Ondemand as relevant packages not installed
+    - "/opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/{{ ondemand_package_version }}-1/gems/bootstrap_form-2.7.0/test/dummy/Gemfile.lock"
+    - "/opt/ood/ondemand/root/usr/share/gems/3.1/ondemand/{{ ondemand_package_version }}-1/gems/bootstrap_form-4.5.0/demo/yarn.lock"
+    - /var/www/ood/apps/sys/dashboard/node_modules/data-confirm-modal/Gemfile.lock
+    # chrony role: only used for role dev, venv never created on disk
+    - /etc/ansible-init/playbooks/roles/mrlesmithjr.chrony/poetry.lock
+    - /etc/ansible-init/playbooks/roles/mrlesmithjr.chrony/requirements.txt
+
 - name: Get package facts
   package_facts:
 

ansible/extras.yml

@@ -1,3 +1,23 @@
+- hosts: k3s_server:!builder
+  become: yes
+  tags: k3s
+  tasks:
+    - name: Start k3s server
+      ansible.builtin.include_role:
+        name: k3s
+        tasks_from: server-runtime.yml
+
+# technically should be part of bootstrap.yml but hangs waiting on failed mounts
+# if runs before filesystems.yml after the control node has been reimaged
+- hosts: k3s_agent:!builder
+  become: yes
+  tags: k3s
+  tasks:
+    - name: Start k3s agents
+      ansible.builtin.include_role:
+        name: k3s
+        tasks_from: agent-runtime.yml
+
 - hosts: basic_users:!builder
   become: yes
   tags:

ansible/fatimage.yml

@@ -79,7 +79,7 @@
 - import_playbook: extras.yml
 
 # TODO: is this the right place?
-- name: Install compute_init script
+- name: Install compute_init playbook
   hosts: compute_init
   tags: compute_init # tagged to allow running on cluster instances for dev
   become: yes
@@ -88,6 +88,15 @@
         name: compute_init
         tasks_from: install.yml
 
+- name: Install gateway playbook
+  hosts: gateway
+  tags: gateway
+  become: yes
+  gather_facts: no
+  tasks:
+    - include_role:
+        name: gateway
+
 - hosts: builder
   become: yes
   gather_facts: yes

ansible/roles/basic_users/README.md

@@ -2,26 +2,58 @@
 basic_users
 ===========
 
-Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e. without requiring LDAP etc. Features:
+Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e.
+without requiring LDAP etc. Features:
 - UID/GID is consistent across cluster (and explicitly defined).
-- SSH key generated and propagated to all nodes to allow login between cluster nodes.
+- SSH key generated and propagated to all nodes to allow login between cluster
+  nodes.
 - An "external" SSH key can be added to allow login from elsewhere.
-- Login to the control node is prevented.
+- Login to the control node is prevented (by default).
 - When deleting users, systemd user sessions are terminated first.
 
-Requirements
-------------
-- $HOME (for normal users, i.e. not `centos`) is assumed to be on a shared filesystem.
+> [!IMPORTANT] The defaults for this role assumes that `$HOME` for users
+managed by this role (e.g. not `rocky` and other system users) is on a shared
+filesystem. The export of this shared filesystem may be root squashed if its
+server is in the `basic_user` group - see configuration examples below.
 
 Role Variables
 --------------
 
-- `basic_users_users`: Optional, default empty list. A list of mappings defining information for each user. In general, mapping keys/values are passed through as parameters to [ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html) and default values are as given there. However:
-  - `create_home`, `generate_ssh_key` and `ssh_key_comment` are set automatically; this assumes home directories are on a cluster-shared filesystem.
-  - `uid` should be set, so that the UID/GID is consistent across the cluster (which Slurm requires).
-  - `shell` if *not* set will be `/sbin/nologin` on the `control` node and the default shell on other users. Explicitly setting this defines the shell for all nodes.
-  - An additional key `public_key` may optionally be specified to define a key to log into the cluster.
-  - An additional key `sudo` may optionally be specified giving a string (possibly multiline) defining sudo rules to be templated.
+- `basic_users_homedir_server`: Optional inventory hostname in the `basic_users`
+  group defining the host to use to create home directories. If the home
+  directory export is root squashed, this host *must* be the home directory
+  server. Default is the `control` node which is appropriate for the default
+  appliance configuration. Not relevant if `create_home` is false for all users.
+- `basic_users_homedir_server_path`: Optional path prefix for home directories on
+   the `basic_users_homedir_server`, i.e. on the "server side". Default is
+   `/exports/home` which is appropriate for the default appliance configuration.
+- `basic_users_homedir_client`: Optional inventory hostname in the `basic_users`
+  group defining the host to use to create ssh keys etc in home directories.
+  This should be a host mounting the home directories. Default is the first
+  node in the `login` group which is appropriate for the default appliance
+  configuration.
+- `basic_users_users`: Optional, default empty list. A list of mappings defining
+   information for each user. In general, mapping keys/values are passed through
+   as parameters to [ansible.builtin.user](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/user_module.html)
+   and default values are as given there, with the following differences:
+  - `generate_ssh_key`: Default is `true`, and the generated key is added to
+     the user's authorized keys.
+  - `ssh_key_comment`: Default is user name.
+  - `home`: Set automatically based on the user name and
+    `basic_users_homedir_server_path`. Can be overriden for users with
+     non-standard home directory paths.
+  - `uid`: Should be set, so that the UID/GID is consistent across the cluster
+    (which Slurm requires).
+  - `shell`: If *not* set will be `/sbin/nologin` on the `control` node to
+     prevent users logging in to this node, and the default shell on other
+     nodes. Explicitly setting this defines the shell for all nodes and if the
+     shared home directories are mounted on the control node will allow the
+     user to log in to the control node.
+  - `public_key`: Optional, define a key to log into the cluster with.
+  - `sudo`: Optional, a (possibly multiline) string defining sudo rules for the
+     user.
+  - `ssh_key_type` defaults to `ed25519` instead of the `ansible.builtin.user`
+     default of `rsa`.
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
 - `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
@@ -31,29 +63,67 @@ Dependencies
 
 None.
 
-Example Playbook
-----------------
+Example Configurations
+----------------------
 
-```yaml
-- hosts: basic_users
-  become: yes
-  gather_facts: yes
-  tasks:
-    - import_role:
-        name: basic_users
-```
-
-Example variables, to create user `alice` and delete user `bob`:
+With default appliance NFS configuration, create user `alice` with access
+to all nodes except the control node, and delete user `bob`:
 
 ```yaml
 basic_users_users:
   - comment: Alice Aardvark
     name: alice
     uid: 2005
-    public_key: ssh-rsa ...
+    public_key: ssh-ed25519 ...
   - comment: Bob Badger
     name: bob
     uid: 2006
-    public_key: ssh-rsa ...
+    public_key: ssh-ed25519 ...
     state: absent
 ```
+
+Using an external share which:
+  - does not root squash (so this role can create directories on it)
+  - is mounted to all nodes including the control node (so this role can set
+    authorized keys there)
+
+Create user `Carol`:
+
+```yaml
+basic_users_homedir_host: "{{ ansible_play_hosts | first }}" # doesn't matter which host is used
+basic_users_homedir_host_path: /home # homedir_host is client not server
+basic_users_user:
+  - comment: Carol Crane
+    name: carol
+    uid: 2007
+    public_key: ssh-ed25519 ...
+```
+
+Using an external share which *does* root squash, so home directories cannot be
+created by this role and must already exist, create user `Dan`:
+
+```yaml
+basic_users_homedir_host: "{{ ansible_play_hosts | first }}"
+basic_users_homedir_host_path: /home
+basic_users_users:
+  - comment: Dan Deer
+    create_home: false
+    name: dan
+    uuid: 2008
+    public_key: ssh-ed25519 ...
+```
+
+Using NFS exported from the control node, but mounted to all nodes (so that
+authorized keys applies to all nodes), create user `Erin` with passwordless sudo:
+
+```yaml
+basic_users_users:
+  - comment: Erin Eagle
+    name: erin
+    uid: 2009
+    shell: /bin/bash # override default nologin on control
+    groups:
+      - adm # enables ssh to compute nodes even without a job running
+    sudo: erin ALL=(ALL) NOPASSWD:ALL
+    public_key: ssh-ed25519 ...
+```

ansible/roles/basic_users/defaults/main.yml

@@ -1,9 +1,11 @@
-basic_users_manage_homedir: "{{ (ansible_hostname == (ansible_play_hosts | first)) }}"
+basic_users_homedir_server: "{{ groups['control'] | first }}" # no way, generally, to find the nfs_server
+basic_users_homedir_server_path: /exports/home
+basic_users_homedir_client: "{{ groups['login'] | first }}"  
 basic_users_userdefaults:
-  state: present
-  create_home: "{{ basic_users_manage_homedir }}"
-  generate_ssh_key:  "{{ basic_users_manage_homedir }}"
+  state: present # need this here so don't have to add default() everywhere
+  generate_ssh_key:  true
   ssh_key_comment: "{{ item.name }}"
+  ssh_key_type: ed25519
   shell: "{{'/sbin/nologin' if 'control' in group_names else omit }}"
 basic_users_users: []
 basic_users_groups: []