Merge branch 'main' into feat/sssd-sshd-compute-init

Author: bertiethorpe

ansible/bootstrap.yml

@@ -126,7 +126,9 @@
     ansible.builtin.assert:
       that: dnf_repos_password is undefined
       fail_msg: Passwords should not be templated into repofiles during configure, unset 'dnf_repos_password'
-    when: appliances_mode == 'configure'
+    when:
+      - appliances_mode == 'configure'
+      - not (dnf_repos_allow_insecure_creds | default(false)) # useful for development
 
 - hosts: squid
   tags: squid

ansible/roles/compute_init/README.md

@@ -49,7 +49,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | sshd                    | None at present                 | No                  |
 | bootstrap.yml            | dnf_repos               | None at present [2]             | -                   |
 | bootstrap.yml            | squid                   | Not relevant for compute nodes  | n/a                 |
-| bootstrap.yml            | tuned                   | None                            | -                   |         
+| bootstrap.yml            | tuned                   | Fully supported                 | No                  |         
 | bootstrap.yml            | freeipa_server          | Not relevant for compute nodes  | n/a                 |
 | bootstrap.yml            | cockpit                 | None required - use image build | No                  |
 | bootstrap.yml            | firewalld               | Not relevant for compute nodes  | n/a                 |

ansible/roles/compute_init/files/compute-init.yml

@@ -9,6 +9,7 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+    enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
     enable_basic_users: "{{ os_metadata.meta.basic_users | default(false) | bool }}"
@@ -22,6 +23,12 @@
     sssd_started: true
     sssd_enabled: true
 
+    tuned_profile_baremetal: hpc-compute
+    tuned_profile_vm: virtual-guest
+    tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}"
+    tuned_enabled: true
+    tuned_started: true
+
     nfs_client_mnt_point: "/mnt"
     nfs_client_mnt_options:
     nfs_client_mnt_state: mounted
@@ -64,9 +71,9 @@
       file:
         path: /mnt/cluster
         state: directory
-        owner: root
+        owner: slurm
         group: root
-        mode: u=rwX,go= # is sensitive
+        mode: u=rX,g=rwX,o=
 
     - name: Mount /mnt/cluster
       mount:
@@ -162,6 +169,10 @@
           when: "'sssd' not in _authselect_current.stdout"
       when: enable_sssd
 
+    - name: Configure tuned
+      include_tasks: tasks/tuned.yml
+      when: enable_tuned
+
     # NFS client mount
     - name: If nfs-clients is present
       include_tasks: tasks/nfs-clients.yml
@@ -313,6 +324,27 @@
         enabled: true
         state: started
 
+    - name: Set locked memory limits on user-facing nodes
+      lineinfile:
+        path: /etc/security/limits.conf
+        regexp: '\* soft memlock unlimited'
+        line: "* soft memlock unlimited"
+
+    - name: Configure sshd pam module
+      blockinfile:
+        path: /etc/pam.d/sshd
+        insertafter: 'account\s+required\s+pam_nologin.so'
+        block: |
+          account    sufficient   pam_access.so
+          account    required     pam_slurm.so
+
+    - name: Configure login access control
+      blockinfile:
+        path: /etc/security/access.conf
+        block: |
+          +:adm:ALL
+          -:ALL:ALL
+
     - name: Ensure node is resumed
       # TODO: consider if this is always safe for all job states?
       command: scontrol update state=resume nodename={{ ansible_hostname }}

ansible/roles/compute_init/tasks/install.yml

@@ -32,6 +32,8 @@
       dest: files/NetworkManager-dns-none.conf
     - src: ../../basic_users/filter_plugins/filter_keys.py
       dest: filter_plugins/filter_keys.py
+    - src: ../../tuned/tasks/configure.yml
+      dest: tasks/tuned.yml
     - src: ../../stackhpc.nfs/tasks/nfs-clients.yml
       dest: tasks/nfs-clients.yml
 

ansible/roles/lustre/tasks/configure.yml

@@ -1,19 +1,18 @@
 - name: Gather Lustre interface info
   shell:
     cmd: |
-      ip r get {{ _lustre_mgs_ip }}
+      ip --json r get {{ _lustre_mgs_ip }}
   changed_when: false
   register: _lustre_ip_r_mgs
   vars:
     _lustre_mgs_ip: "{{ lustre_mgs_nid | split('@') | first }}"
 
 - name: Set facts for Lustre interface
   set_fact:
-    _lustre_interface: "{{ _lustre_ip_r_mgs_info[4] }}"
-    _lustre_ip: "{{ _lustre_ip_r_mgs_info[6] }}"
+    _lustre_interface: "{{ _lustre_ip_r_mgs_info.dev }}"
+    _lustre_ip: "{{ _lustre_ip_r_mgs_info.prefsrc }}"
   vars:
-    _lustre_ip_r_mgs_info: "{{ _lustre_ip_r_mgs.stdout_lines.0 | split }}"
-    # first line e.g. "10.167.128.1 via 10.179.0.2 dev eth0 src 10.179.3.149 uid 1000"
+    _lustre_ip_r_mgs_info: "{{ _lustre_ip_r_mgs.stdout | from_json | first }}"
 
 - name: Write LNet configuration file
   template:
@@ -44,4 +43,3 @@
     state: "{{ (item.mount_state | default(lustre_mount_state)) }}"
     opts: "{{ item.mount_options | default(lustre_mount_options) }}"
   loop: "{{ lustre_mounts }}"
- 

ansible/roles/sshd/tasks/configure.yml

@@ -1,3 +1,30 @@
+- name: Grab facts to determine distribution
+  setup:
+
+- name: Ensure drop in directory exists
+  file:
+    path: /etc/ssh/sshd_config.d/*.conf
+    state: directory
+    owner: root
+    group: root
+    mode: 700
+  become: true
+
+- name: Ensure drop in directory is included
+  blockinfile:
+    dest: /etc/ssh/sshd_config
+    content: | 
+      # To modify the system-wide sshd configuration, create a  *.conf  file under
+      #  /etc/ssh/sshd_config.d/  which will be automatically included below
+      Include /etc/ssh/sshd_config.d/*.conf
+    state: present
+    insertafter: "# default value."
+    validate: sshd -t -f %s
+  notify:
+    - Restart sshd
+  become: true
+  when: ansible_facts.distribution_major_version == '8'
+
 - name: Template sshd configuration
   # NB: If parameters are defined multiple times the first value wins;
   # The default /etc/ssh/sshd_config has

environments/.stackhpc/inventory/extra_groups

@@ -24,6 +24,10 @@ cluster
 login
 compute
 
+[tuned:children]
+# Install tuned into fat image
+builder
+
 [squid:children]
 # Install squid into fat image
 builder

environments/.stackhpc/tofu/cluster_image.auto.tfvars.json

@@ -1,6 +1,6 @@
 {
     "cluster_image": {
-        "RL8": "openhpc-RL8-250130-1126-8f2a7703",
-        "RL9": "openhpc-RL9-250130-1127-8f2a7703"
+        "RL8": "openhpc-RL8-250211-1540-a0b4a57e",
+        "RL9": "openhpc-RL9-250211-1540-a0b4a57e"
     }
 }

environments/.stackhpc/tofu/main.tf

@@ -80,7 +80,7 @@ module "cluster" {
         standard: { # NB: can't call this default!
             nodes: ["compute-0", "compute-1"]
             flavor: var.other_node_flavor
-            compute_init_enable: ["compute", "etc_hosts", "nfs", "basic_users", "eessi"]
+            compute_init_enable: ["compute", "etc_hosts", "nfs", "basic_users", "eessi", "tuned"]
             ignore_image_changes: true
         }
         # Example of how to add another partition: