Merge branch 'main' into feat/lustre-compute-init

Author: bertiethorpe

.github/workflows/stackhpc.yml

@@ -182,9 +182,8 @@ jobs:
         run: |
           . venv/bin/activate
           . environments/.stackhpc/activate
-          ansible-playbook -v --limit compute ansible/adhoc/rebuild.yml
-          ansible-playbook -v ansible/ci/check_slurm.yml
           ansible-playbook -v ansible/adhoc/reboot_via_slurm.yml
+          ansible-playbook -v ansible/ci/check_slurm.yml
 
       - name: Check sacct state survived reimage
         run: |

ansible/bootstrap.yml

@@ -52,6 +52,13 @@
     - import_role:
         name: proxy
 
+- hosts: chrony
+  tags: chrony
+  become: yes
+  tasks:
+    - import_role:
+        name: mrlesmithjr.chrony
+
 - hosts: cluster
   gather_facts: false
   become: yes

ansible/roles/basic_users/README.md

@@ -2,16 +2,19 @@
 basic_users
 ===========
 
-Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e. without requiring LDAP etc. Features:
+Setup users on cluster nodes using `/etc/passwd` and manipulating `$HOME`, i.e.
+without requiring LDAP etc. Features:
 - UID/GID is consistent across cluster (and explicitly defined).
 - SSH key generated and propagated to all nodes to allow login between cluster nodes.
 - An "external" SSH key can be added to allow login from elsewhere.
-- Login to the control node is prevented.
+- Login to the control node is prevented (by default)
 - When deleting users, systemd user sessions are terminated first.
 
 Requirements
 ------------
-- $HOME (for normal users, i.e. not `centos`) is assumed to be on a shared filesystem.
+- `$HOME` (for normal users, i.e. not `rocky`) is assumed to be on a shared
+  filesystem. Actions affecting that shared filesystem are run on a single host,
+  see `basic_users_manage_homedir` below.
 
 Role Variables
 --------------
@@ -22,9 +25,15 @@ Role Variables
   - `shell` if *not* set will be `/sbin/nologin` on the `control` node and the default shell on other users. Explicitly setting this defines the shell for all nodes.
   - An additional key `public_key` may optionally be specified to define a key to log into the cluster.
   - An additional key `sudo` may optionally be specified giving a string (possibly multiline) defining sudo rules to be templated.
+  - `ssh_key_type` defaults to `ed25519` instead of the `ansible.builtin.user` default of `rsa`.
   - Any other keys may present for other purposes (i.e. not used by this role).
 - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there.
 - `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run.
+- `basic_users_manage_homedir`: Optional bool, must be true on a single host to
+  determine which host runs tasks affecting the shared filesystem. The default
+  is to use the first play host which is not the control node, because the
+  default NFS configuration does not have the shared `/home` directory mounted
+  on the control node.
 
 Dependencies
 ------------

ansible/roles/basic_users/defaults/main.yml

@@ -1,9 +1,10 @@
-basic_users_manage_homedir: "{{ (ansible_hostname == (ansible_play_hosts | first)) }}"
+basic_users_manage_homedir: "{{ ansible_hostname == (ansible_play_hosts | difference(groups['control']) | first) }}"
 basic_users_userdefaults:
   state: present
   create_home: "{{ basic_users_manage_homedir }}"
   generate_ssh_key:  "{{ basic_users_manage_homedir }}"
   ssh_key_comment: "{{ item.name }}"
+  ssh_key_type: ed25519
   shell: "{{'/sbin/nologin' if 'control' in group_names else omit }}"
 basic_users_users: []
 basic_users_groups: []

ansible/roles/basic_users/tasks/main.yml

@@ -46,21 +46,21 @@
     - item.state | default('present') == 'present'
     - item.public_key is defined
     - basic_users_manage_homedir
-  run_once: true
 
 - name: Write generated public key as authorized for SSH access
+  # this only runs on the basic_users_manage_homedir so has registered var
+  # from that host too
   authorized_key:
     user: "{{ item.name }}"
     state: present
     manage_dir: no
     key: "{{ item.ssh_public_key }}"
-  loop: "{{ hostvars[ansible_play_hosts | first].basic_users_info.results }}"
+  loop: "{{ basic_users_info.results }}"
   loop_control:
     label: "{{ item.name }}"
   when:
   - item.ssh_public_key is defined
   - basic_users_manage_homedir
-  run_once: true
 
 - name: Write sudo rules
   blockinfile:

ansible/roles/compute_init/README.md

@@ -3,10 +3,13 @@
 Experimental functionality to allow compute nodes to rejoin the cluster after
 a reboot without running the `ansible/site.yml` playbook.
 
+**CAUTION:** The approach used here of exporting cluster secrets over NFS
+is considered to be a security risk due to the potential for cluster users to
+mount the share on a user-controlled machine by tunnelling through a login
+node. This feature should not be enabled on production clusters at this time.
+
 To enable this:
-1. Add the `compute` group (or a subset) into the `compute_init` group. This is
-   the default when using cookiecutter to create an environment, via the
-   "everything" template.
+1. Add the `compute` group (or a subset) into the `compute_init` group.
 2. Build an image which includes the `compute_init` group. This is the case
    for StackHPC-built release images.
 3. Enable the required functionalities during boot, by setting the
@@ -40,6 +43,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | (wait for ansible-init) | Not relevant during boot        | n/a                 |
 | bootstrap.yml            | resolv_conf             | Fully supported                 | No                  |
 | bootstrap.yml            | etc_hosts               | Fully supported                 | No                  |
+| bootstrap.yml            | chrony                  | Fully supported                 | No                  |
 | bootstrap.yml            | proxy                   | None at present                 | No                  |
 | bootstrap.yml            | (/etc permissions)      | None required - use image build | No                  |
 | bootstrap.yml            | (ssh /home fix)         | None required - use image build | No                  |

ansible/roles/compute_init/files/compute-init.yml

@@ -18,6 +18,7 @@
     enable_lustre: "{{ os_metadata.meta.lustre | default(false) | bool }}"
     enable_basic_users: "{{ os_metadata.meta.basic_users | default(false) | bool }}"
     enable_eessi: "{{ os_metadata.meta.eessi | default(false) | bool }}"
+    enable_chrony: "{{ os_metadata.meta.chrony | default(false) | bool }}"
 
     # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects
     resolv_conf_nameservers: []
@@ -101,6 +102,11 @@
 
       # TODO: should /mnt/cluster now be UNMOUNTED to avoid future hang-ups?
 
+    - name: Run chrony role
+      ansible.builtin.include_role:
+        name: mrlesmithjr.chrony
+      when: enable_chrony | bool
+
     - name: Configure resolve.conf
       block:
         - name: Set nameservers in /etc/resolv.conf

ansible/roles/compute_init/tasks/install.yml

@@ -45,6 +45,8 @@
       dest: tasks/nfs-clients.yml
     - src: ../../lustre
       dest: roles/
+    - src: ../../mrlesmithjr.chrony
+      dest: roles/
 
 - name: Add filter_plugins to ansible.cfg
   lineinfile:

ansible/roles/hpctests/README.md

@@ -29,9 +29,22 @@ Role Variables
 - `hpctests_ucx_net_devices`: Optional. Control which network device/interface to use, e.g. `mlx5_1:0`. The default of `all` (as per UCX) may not be appropriate for multi-rail nodes with different bandwidths on each device. See [here](https://openucx.readthedocs.io/en/master/faq.html#what-is-the-default-behavior-in-a-multi-rail-environment) and [here](https://github.com/openucx/ucx/wiki/UCX-environment-parameters#setting-the-devices-to-use). Alternatively a mapping of partition name (as `hpctests_partition`) to device/interface can be used. For partitions not defined in the mapping the default of `all` is used.
 - `hpctests_outdir`: Optional. Directory to use for test output on local host. Defaults to `$HOME/hpctests` (for local user).
 - `hpctests_hpl_NB`: Optional, default 192. The HPL block size "NB" - for Intel CPUs see [here](https://software.intel.com/content/www/us/en/develop/documentation/onemkl-linux-developer-guide/top/intel-oneapi-math-kernel-library-benchmarks/intel-distribution-for-linpack-benchmark/configuring-parameters.html).
-- `hpctests_hpl_mem_frac`: Optional, default 0.8. The HPL problem size "N" will be selected to target using this fraction of each node's memory.
+- `hpctests_hpl_mem_frac`: Optional, default 0.3. The HPL problem size "N" will
+   be selected to target using this fraction of each node's memory -
+   **CAUTION: see note below**.
 - `hpctests_hpl_arch`: Optional, default 'linux64'. Arbitrary architecture name for HPL build. HPL is compiled on the first compute node of those selected (see `hpctests_nodes`), so this can be used to create different builds for different types of compute node.
 
+
+---
+**CAUTION**
+
+> The default of `hpctests_hpl_mem_frac=0.3` will not significantly load nodes.
+Values up to ~0.8 may be appropriate for a stress test but ensure cloud
+operators are aware in case this overloads e.g. power supplies or cooling.
+Values > 0.8 require longer runtimes and increase the risk of out-of-memory
+errors without normally significantly increasing the stress on the node.
+---
+
 The following variables should not generally be changed:
 - `hpctests_pre_cmd`: Optional. Command(s) to include in sbatch templates before module load commands.
 - `hpctests_pingmatrix_modules`: Optional. List of modules to load for pingmatrix test. Defaults are suitable for OpenHPC 2.x cluster using the required packages.

ansible/roles/hpctests/defaults/main.yml

@@ -9,7 +9,7 @@ hpctests_outdir: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}/hpctests"
 hpctests_ucx_net_devices: all
 hpctests_hpl_version: "2.3"
 hpctests_hpl_NB: 192
-hpctests_hpl_mem_frac: 0.8
+hpctests_hpl_mem_frac: 0.3
 hpctests_hpl_arch: linux64
 #hpctests_nodes:
 #hpctests_partition: