Merge branch 'main' into feature/k3s-monitoring

Author: sjpb

ansible/roles/compute_init/README.md

@@ -72,7 +72,7 @@ it also requires an image build with the role name added to the
 | filesystems.yml          | block_devices           | None required - role deprecated | n/a                 |
 | filesystems.yml          | nfs                     | All client functionality        | No                  |
 | filesystems.yml          | manila                  | All functionality               | No [5]              |
-| filesystems.yml          | lustre                  | None at present                 | Yes                 |
+| filesystems.yml          | lustre                  | All functionality               | Yes                 |
 | extras.yml               | basic_users             | All functionality [6]           | No                  |
 | extras.yml               | eessi                   | All functionality [7]           | No                  |
 | extras.yml               | cuda                    | None required - use image build | Yes [8]             |

ansible/roles/compute_init/files/compute-init.yml

@@ -15,6 +15,7 @@
     enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
+    enable_lustre: "{{ os_metadata.meta.lustre | default(false) | bool }}"
     enable_basic_users: "{{ os_metadata.meta.basic_users | default(false) | bool }}"
     enable_eessi: "{{ os_metadata.meta.eessi | default(false) | bool }}"
     enable_chrony: "{{ os_metadata.meta.chrony | default(false) | bool }}"
@@ -247,6 +248,12 @@
         - enable_manila
         - os_manila_mount_shares | length > 0
 
+    - name: Configure lustre
+      ansible.builtin.include_role:
+        name: lustre
+        tasks_from: configure.yml
+      when: enable_lustre
+
     - name: Basic users
       block:
         - name: Create groups

ansible/roles/compute_init/tasks/install.yml

@@ -45,6 +45,8 @@
       dest: tasks/nfs-clients.yml
     - src: ../../mrlesmithjr.chrony
       dest: roles/
+    - src: ../../lustre
+      dest: roles/
 
 - name: Add filter_plugins to ansible.cfg
   lineinfile:

ansible/roles/sshd/README.md

@@ -5,5 +5,6 @@ Configure sshd.
 ## Role variables
 
 - `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`.
+- `sshd_disable_forwarding`: Optional bool. Whether to disable all forwarding features (X11, ssh-agent, TCP and StreamLocal). Default `true`.
 - `sshd_conf_src`: Optional string. Path to sshd configuration template. Default is in-role template.
 - `sshd_conf_dest`: Optional string. Path to destination for sshd configuration file. Default is `/etc/ssh/sshd_config.d/10-ansible.conf` which overides `50-{cloud-init,redhat}` files, if present.

ansible/roles/sshd/defaults/main.yml

@@ -1,3 +1,4 @@
 sshd_password_authentication: false
+sshd_disable_forwarding: true
 sshd_conf_src: sshd.conf.j2
 sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf

ansible/roles/sshd/templates/sshd.conf.j2

@@ -1,2 +1,3 @@
 # {{ ansible_managed }}
 PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}
+DisableForwarding {{ 'yes' if sshd_disable_forwarding | bool else 'no' }}

docs/networks.md

@@ -14,6 +14,15 @@ as an SSH proxy to access the other nodes, this can create problems in recoverin
 the cluster if the login node is unavailable and can make Ansible problems harder
 to debug.
 
+> [!WARNING]
+> If home directories are on a shared filesystem with no authentication (such
+> as the default NFS share) then the network(s) the fileserver is attached to
+> form a security boundary. If an untrusted user can access these networks they
+> could mount the home directories setting any desired uid/gid.
+>
+> Ensure there is no external access to these networks and that no untrusted
+> instances are attached to them.
+
 This page describes supported configurations and how to implement them using
 the OpenTofu variables. These will normally be set in
 `environments/site/tofu/terraform.tfvars` for the site base environment. If they

environments/.stackhpc/inventory/group_vars/all/nfs.yml

@@ -0,0 +1,17 @@
+nfs_configurations:
+  - comment: Export /exports/home from Slurm control node as /home
+    nfs_enable:
+        server:  "{{ inventory_hostname in groups['control'] }}"
+        # Don't mount share on server where it is exported from...
+        # Could do something like `nfs_clients: "{{ 'nfs_servers' not in group_names }}"` instead.
+        clients: "{{ inventory_hostname in groups['cluster'] and inventory_hostname not in groups['control'] }}"
+    nfs_server: "{{ nfs_server_default }}"
+    nfs_export: "/exports/home" # assumes skeleton TF is being used
+    nfs_client_mnt_point: "/home"
+
+  # EXPERIMENTAL - not generally secure
+  - comment: Export /exports/cluster from Slurm control node
+    nfs_enable:
+        server: "{{ inventory_hostname in groups['control'] }}"
+        clients: false
+    nfs_export: "/exports/cluster"

environments/common/inventory/group_vars/all/nfs.yml

@@ -16,8 +16,6 @@ nfs_configurations:
     nfs_export: "/exports/home" # assumes skeleton TF is being used
     nfs_client_mnt_point: "/home"
 
-  - comment: Export /exports/cluster from Slurm control node
-    nfs_enable:
-        server: "{{ inventory_hostname in groups['control'] }}"
-        clients: false
-    nfs_export: "/exports/cluster"
+# Set 'secure' to prevent tunneling nfs mounts
+# Cannot set 'root_squash' due to home directory creation
+nfs_export_options: 'rw,secure,no_root_squash'

environments/skeleton/{{cookiecutter.environment}}/tofu/network.tf

@@ -13,14 +13,22 @@ data "openstack_networking_subnet_v2" "cluster_subnet" {
   name = each.value.subnet
 }
 
+data "openstack_identity_auth_scope_v3" "scope" {
+  # This is an arbitrary name which is only used as a unique identifier so an
+  # actual token isn't used as the ID.
+  name = "scope"
+}
+
 data "openstack_networking_secgroup_v2" "login" {
   for_each = toset(var.login_security_groups)
 
   name = each.key
+  tenant_id = data.openstack_identity_auth_scope_v3.scope.project_id
 }
 
 data "openstack_networking_secgroup_v2" "nonlogin" {
   for_each = toset(var.nonlogin_security_groups)
 
   name = each.key
+  tenant_id = data.openstack_identity_auth_scope_v3.scope.project_id
 }