From 3fbdff4b7353312df832c9da61e932317e79e90a Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Tue, 11 Feb 2025 16:38:22 +0000 Subject: [PATCH 1/8] add sssd configuration to compute init script --- .../roles/compute_init/files/compute-init.yml | 37 +++++++++++++++++++ ansible/roles/compute_init/tasks/export.yml | 23 ++++++++++++ 2 files changed, 60 insertions(+) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index 430e2cf65..a5b0bfe1c 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -17,6 +17,11 @@ # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects resolv_conf_nameservers: [] + sssd_enable_mkhomedir: false + sssd_conf_dest: /etc/sssd/sssd.conf + sssd_started: true + sssd_enabled: true + nfs_client_mnt_point: "/mnt" nfs_client_mnt_options: nfs_client_mnt_state: mounted 
@@ -125,6 +130,38 @@ mode: 0644 when: enable_etc_hosts + - name: Configure sssd + block: + - name: Manage sssd.conf configuration + copy: + src: "/exports/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" + dest: "{{ sssd_conf_dest }}" + + - name: Restart sssd + systemd: + name: sssd + state: restarted + when: sssd_started | bool + + - name: Ensure sssd service state + systemd: + name: sssd + state: "{{ 'started' if sssd_started | bool else 'stopped' }}" + enabled: "{{ sssd_enabled | bool }}" + + - name: Get current authselect configuration + command: authselect current --raw + changed_when: false + failed_when: + - _authselect_current.rc != 0 + - "'No existing configuration detected' not in _authselect_current.stdout" + register: _authselect_current # stdout: sssd with-mkhomedir + + - name: Configure nsswitch and PAM for SSSD + command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" + when: "'sssd' not in _authselect_current.stdout" + when: enable_sssd + # NFS client mount - name: If nfs-clients is present include_tasks: tasks/nfs-clients.yml diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index d1682208f..d9800b7eb 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml 
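Review bot: In `Manage sssd.conf configuration` (compute-init.yml hunk `@@ -125,6 +130,38 @@`) the source directory is keyed on `ansible_hostname`, while tasks/export.yml in this same patch writes the file under `inventory_hostname`. The two paths only line up when the inventory name equals the node's short hostname; otherwise the copy fails at boot and the node comes up without its sssd configuration. Either derive both paths from the same value or record the requirement above the task, e.g. `# hostconfig/<dir> is written by export.yml as inventory_hostname; must equal ansible_hostname`. The same pairing is carried into the compute-init.yml hunks of patches 2, 4 and 7 and into the sshd and sssd export.yml files.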
@@ -71,3 +71,26 @@ remote_src: true run_once: true delegate_to: "{{ groups['control'] | first }}" + +- name: Create hostconfig directory + file: + path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/" + state: directory + owner: root + group: root + mode: u=rw,go= + delegate_to: "{{ groups['control'] | first }}" + +- name: Inject host specific config template files + template: + src: "{{ item.src }}" + dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/{{ item.dest }}" + owner: root + group: root + mode: u=rw,go= + loop: + - src: "{{ sssd_conf_src }}" + dest: sssd.conf + - src: "{{ sshd_conf_src }}" + dest: sshd.conf + delegate_to: "{{ groups['control'] | first }}" \ No newline at end of file From 9c29df99dfc0928276e3c0dac77d3cd24bf8985c Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Wed, 12 Feb 2025 13:50:12 +0000 Subject: [PATCH 2/8] fix export.yml for inactive configs --- ansible/roles/compute_init/files/compute-init.yml | 8 ++++++-- ansible/roles/compute_init/tasks/export.yml | 14 ++++++++------ 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index a9db52527..0f9dd1c30 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -9,6 +9,7 @@ enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}" enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}" enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}" + enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}" enable_tuned: "{{ os_metadata.meta.tuned | default(false) | bool }}" enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}" enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}" 
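Review bot: `Create hostconfig directory` in the tasks/export.yml hunk (`@@ -71,3 +71,26 @@`) sets `mode: u=rw,go=` on a directory, which leaves the owner without the search (x) bit. It only works for a process that bypasses permission checks, as root normally does. Shutting out group and other is the right call for a directory that will hold sssd and sshd configuration, but the owner bits should be `mode: u=rwx,go=`. The file-level `u=rw,go=` on the task below it can stay as it is.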
@@ -140,9 +141,12 @@ - name: Configure sssd block: - name: Manage sssd.conf configuration - copy: - src: "/exports/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" + ansible.builtin.template: + src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf.j2" dest: "{{ sssd_conf_dest }}" + owner: root + group: root + mode: "0600" - name: Restart sssd systemd: diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index d9800b7eb..5883f900f 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml @@ -82,15 +82,17 @@ delegate_to: "{{ groups['control'] | first }}" - name: Inject host specific config template files - template: + copy: src: "{{ item.src }}" dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/{{ item.dest }}" owner: root group: root mode: u=rw,go= loop: - - src: "{{ sssd_conf_src }}" - dest: sssd.conf - - src: "{{ sshd_conf_src }}" - dest: sshd.conf - delegate_to: "{{ groups['control'] | first }}" \ No newline at end of file + - src: "{{ sssd_conf_src | default('') }}" + dest: sssd.conf.j2 + - src: "{{ sshd_conf_src | default('') }}" + dest: sshd.conf.j2 + when: + - item.src != '' + delegate_to: "{{ groups['control'] | first }}" From fbc47d6a1fdc6fd3a788499c5900ec8d69e2c347 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Wed, 12 Feb 2025 16:50:21 +0000 Subject: [PATCH 3/8] add sssd oddjobd service to compute-init script --- ansible/roles/compute_init/files/compute-init.yml | 6 ++++++ ansible/roles/sssd/tasks/configure.yml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index 0f9dd1c30..0386c9b45 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml 
@@ -171,6 +171,12 @@ - name: Configure nsswitch and PAM for SSSD command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" when: "'sssd' not in _authselect_current.stdout" + + - name: "Ensure oddjob is started" + service: + name: oddjobd + state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}" + enabled: "{{ sssd_enable_mkhomedir }}" when: enable_sssd - name: Configure tuned diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml index 94760730a..41848da3a 100644 --- a/ansible/roles/sssd/tasks/configure.yml +++ b/ansible/roles/sssd/tasks/configure.yml @@ -30,5 +30,5 @@ - name: "Ensure oddjob is started" service: name: oddjobd - state: "{{ sssd_enable_mkhomedir }}" + state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}" enabled: "{{ sssd_enable_mkhomedir }}" From 2a6240ab8f5224ece92063809ed0981107717030 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Thu, 13 Feb 2025 13:27:22 +0000 Subject: [PATCH 4/8] refactor config export task, enable sshd --- .../roles/compute_init/files/compute-init.yml | 53 ++++++++++++++++++- ansible/roles/compute_init/tasks/export.yml | 24 ++++----- ansible/roles/sshd/tasks/export.yml | 10 ++++ ansible/roles/sssd/tasks/export.yml | 10 ++++ 4 files changed, 80 insertions(+), 17 deletions(-) create mode 100644 ansible/roles/sshd/tasks/export.yml create mode 100644 ansible/roles/sssd/tasks/export.yml diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index 0386c9b45..cdd716c9e 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml 
@@ -10,6 +10,7 @@ enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}" enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}" enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}" + enable_sshd: "{{ os_metadata.meta.sshd | default(false) | bool }}" enable_tuned: "{{ os_metadata.meta.tuned | default(false) | bool }}" enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}" enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}" @@ -24,6 +25,9 @@ sssd_started: true sssd_enabled: true + sshd_password_authentication: false + sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf + tuned_profile_baremetal: hpc-compute tuned_profile_vm: virtual-guest tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}" @@ -141,8 +145,8 @@ - name: Configure sssd block: - name: Manage sssd.conf configuration - ansible.builtin.template: - src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf.j2" + copy: + src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" dest: "{{ sssd_conf_dest }}" owner: root group: root 
@@ -179,6 +183,51 @@ enabled: "{{ sssd_enable_mkhomedir }}" when: enable_sssd + - name: Configure sshd + block: + - name: Grab facts to determine distribution + setup: + + - name: Ensure drop in directory exists + file: + path: /etc/ssh/sshd_config.d/*.conf + state: directory + owner: root + group: root + mode: "0700" + + - name: Ensure drop in directory is included + blockinfile: + dest: /etc/ssh/sshd_config + content: | + # To modify the system-wide sshd configuration, create a *.conf file under + # /etc/ssh/sshd_config.d/ which will be automatically included below + Include /etc/ssh/sshd_config.d/*.conf + state: present + insertafter: "# default value." + validate: sshd -t -f %s + when: ansible_facts.distribution_major_version == '8' + + - name: Restart sshd + systemd: + name: sshd + state: restarted + + - name: Manage sshd.conf configuration + copy: + src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" + dest: "{{ sshd_conf_dest }}" + owner: root + group: root + mode: "0600" + validate: sshd -t -f %s + + - name: Restart sshd + systemd: + name: sshd + state: restarted + when: enable_sshd + - name: Configure tuned include_tasks: tasks/tuned.yml when: enable_tuned diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index 5883f900f..0d967e48b 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml 
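Review bot: `Ensure drop in directory exists` passes `path: /etc/ssh/sshd_config.d/*.conf` together with `state: directory`; the file module does not expand globs, so this creates a directory literally named `*.conf` under `/etc/ssh/sshd_config.d/`. The `Include /etc/ssh/sshd_config.d/*.conf` line added by the next task would then match that directory. The task should read `path: /etc/ssh/sshd_config.d`. The first `Restart sshd` also runs unconditionally before the managed drop-in has been copied, so it could be dropped in favour of the restart at the end of the block. A later patch in this series replaces the block with the sshd role.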
@@ -81,18 +81,12 @@ mode: u=rw,go= delegate_to: "{{ groups['control'] | first }}" -- name: Inject host specific config template files - copy: - src: "{{ item.src }}" - dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/{{ item.dest }}" - owner: root - group: root - mode: u=rw,go= - loop: - - src: "{{ sssd_conf_src | default('') }}" - dest: sssd.conf.j2 - - src: "{{ sshd_conf_src | default('') }}" - dest: sshd.conf.j2 - when: - - item.src != '' - delegate_to: "{{ groups['control'] | first }}" +- name: Template sssd config + import_role: + name: sssd + tasks_from: export.yml + +- name: Template sshd config + import_role: + name: sshd + tasks_from: export.yml diff --git a/ansible/roles/sshd/tasks/export.yml b/ansible/roles/sshd/tasks/export.yml new file mode 100644 index 000000000..7315451d0 --- /dev/null +++ b/ansible/roles/sshd/tasks/export.yml @@ -0,0 +1,10 @@ +- name: Inject host specific config template + template: + src: "{{ sshd_conf_src | default('') }}" + dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf" + owner: root + group: root + mode: u=rw,go= + when: + - sshd_conf_src != '' + delegate_to: "{{ groups['control'] | first }}" diff --git a/ansible/roles/sssd/tasks/export.yml b/ansible/roles/sssd/tasks/export.yml new file mode 100644 index 000000000..959f03f48 --- /dev/null +++ b/ansible/roles/sssd/tasks/export.yml @@ -0,0 +1,10 @@ +- name: Inject host specific config template + template: + src: "{{ sssd_conf_src | default('') }}" + dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf" + owner: root + group: root + mode: u=rw,go= + when: + - sssd_conf_src != '' + delegate_to: "{{ groups['control'] | first }}" \ No newline at end of file From 39396ef4a373b5598b1b6c20cbb37fba06ce94cd Mon Sep 17 00:00:00 2001 
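Review bot: The new sshd/tasks/export.yml and sssd/tasks/export.yml render per-host configuration into `/exports/cluster/hostconfig/`, which compute-init reads back through `/mnt/cluster`, and neither file says what may be stored there. Because compute-init reads these root-owned `u=rw,go=` files over the mount, root on one compute node can presumably read the directories of the other hosts as well. If the sssd template carries a bind credential (the template is not shown here), that widens who can see it. I would add a header comment to both files, e.g. `# Rendered output is stored on the shared cluster export; keep credentials out of this template or restrict the export`. Setting `diff: false` on the sssd task would also stop `--diff` runs from printing the rendered file.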
From: bertiethorpe Date: Thu, 13 Feb 2025 13:33:57 +0000 Subject: [PATCH 5/8] document --- ansible/roles/compute_init/README.md | 4 ++-- ansible/roles/sshd/tasks/export.yml | 1 + ansible/roles/sssd/tasks/export.yml | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/ansible/roles/compute_init/README.md b/ansible/roles/compute_init/README.md index 70fa82229..e18a3a7ee 100644 --- a/ansible/roles/compute_init/README.md +++ b/ansible/roles/compute_init/README.md @@ -46,7 +46,7 @@ it also requires an image build with the role name added to the | bootstrap.yml | (system users) | None required - use image build | No | | bootstrap.yml | systemd | None required - use image build | No | | bootstrap.yml | selinux | None required - use image build | Maybe [1] | -| bootstrap.yml | sshd | None at present | No | +| bootstrap.yml | sshd | Fully supported | No | | bootstrap.yml | dnf_repos | None at present [2] | - | | bootstrap.yml | squid | Not relevant for compute nodes | n/a | | bootstrap.yml | tuned | Fully supported | No | @@ -63,7 +63,7 @@ it also requires an image build with the role name added to the | hooks/post-bootstrap.yml | ? | None at present | n/a | | iam.yml | freeipa_client | None at present [3] | Yes | | iam.yml | freeipa_server | Not relevant for compute nodes | n/a | -| iam.yml | sssd | None at present | No | +| iam.yml | sssd | Fully supported | No | | filesystems.yml | block_devices | None required - role deprecated | n/a | | filesystems.yml | nfs | All client functionality | No | | filesystems.yml | manila | All functionality | No [4] | diff --git a/ansible/roles/sshd/tasks/export.yml b/ansible/roles/sshd/tasks/export.yml index 7315451d0..e756ab11b 100644 --- a/ansible/roles/sshd/tasks/export.yml +++ b/ansible/roles/sshd/tasks/export.yml @@ -1,3 +1,4 @@ +# Exclusively used for compute-init - name: Inject host specific config template template: src: "{{ sshd_conf_src | default('') }}" 
diff --git a/ansible/roles/sssd/tasks/export.yml b/ansible/roles/sssd/tasks/export.yml index 959f03f48..906fb12fe 100644 --- a/ansible/roles/sssd/tasks/export.yml +++ b/ansible/roles/sssd/tasks/export.yml @@ -1,3 +1,4 @@ +# Exclusively used for compute-init - name: Inject host specific config template template: src: "{{ sssd_conf_src | default('') }}" From c18450d478596e5b634cca2672daebb7ea625402 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Thu, 13 Feb 2025 13:41:11 +0000 Subject: [PATCH 6/8] fix oddjobd condition --- ansible/roles/compute_init/files/compute-init.yml | 5 +++-- ansible/roles/sssd/tasks/configure.yml | 7 +++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index cdd716c9e..2549fdde3 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -179,8 +179,9 @@ - name: "Ensure oddjob is started" service: name: oddjobd - state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}" - enabled: "{{ sssd_enable_mkhomedir }}" + state: 'started' + enabled: true + when: sssd_enable_mkhomedir | bool when: enable_sssd - name: Configure sshd diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml index 41848da3a..0bacf9a01 100644 --- a/ansible/roles/sssd/tasks/configure.yml +++ b/ansible/roles/sssd/tasks/configure.yml @@ -32,3 +32,10 @@ name: oddjobd state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}" enabled: "{{ sssd_enable_mkhomedir }}" + +- name: "Ensure oddjob is started" + service: + name: oddjobd + state: 'started' + enabled: true + when: sssd_enable_mkhomedir | bool \ No newline at end of file From a6d580a2ea214660df078f51141d80903f3e0ab2 Mon Sep 17 00:00:00 2001 
From: bertiethorpe Date: Thu, 13 Feb 2025 17:09:07 +0000 Subject: [PATCH 7/8] fix task guarding, improve compute-init script --- .../roles/compute_init/files/compute-init.yml | 92 ++----------------- ansible/roles/compute_init/tasks/export.yml | 2 + ansible/roles/compute_init/tasks/install.yml | 5 + ansible/roles/sshd/tasks/export.yml | 4 +- ansible/roles/sssd/tasks/configure.yml | 6 -- ansible/roles/sssd/tasks/export.yml | 4 +- 6 files changed, 19 insertions(+), 94 deletions(-) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index 2549fdde3..a6f61947e 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml 
@@ -143,90 +143,18 @@ when: enable_etc_hosts - name: Configure sssd - block: - - name: Manage sssd.conf configuration - copy: - src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" - dest: "{{ sssd_conf_dest }}" - owner: root - group: root - mode: "0600" - - - name: Restart sssd - systemd: - name: sssd - state: restarted - when: sssd_started | bool - - - name: Ensure sssd service state - systemd: - name: sssd - state: "{{ 'started' if sssd_started | bool else 'stopped' }}" - enabled: "{{ sssd_enabled | bool }}" - - - name: Get current authselect configuration - command: authselect current --raw - changed_when: false - failed_when: - - _authselect_current.rc != 0 - - "'No existing configuration detected' not in _authselect_current.stdout" - register: _authselect_current # stdout: sssd with-mkhomedir - - - name: Configure nsswitch and PAM for SSSD - command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" - when: "'sssd' not in _authselect_current.stdout" - - - name: "Ensure oddjob is started" - service: - name: oddjobd - state: 'started' - enabled: true - when: sssd_enable_mkhomedir | bool - when: enable_sssd + ansible.builtin.include_role: + name: sssd + tasks_from: configure.yml + vars: + sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" + when: enable_sshd - name: Configure sshd - block: - - name: Grab facts to determine distribution - setup: - - - name: Ensure drop in directory exists - file: - path: /etc/ssh/sshd_config.d/*.conf - state: directory - owner: root - group: root - mode: "0700" - - - name: Ensure drop in directory is included - blockinfile: - dest: /etc/ssh/sshd_config - content: | - # To modify the system-wide sshd configuration, create a *.conf file under - # /etc/ssh/sshd_config.d/ which will be automatically included below - Include /etc/ssh/sshd_config.d/*.conf - state: present - insertafter: "# default value." 
- validate: sshd -t -f %s - when: ansible_facts.distribution_major_version == '8' - - - name: Restart sshd - systemd: - name: sshd - state: restarted - - - name: Manage sshd.conf configuration - copy: - src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" - dest: "{{ sshd_conf_dest }}" - owner: root - group: root - mode: "0600" - validate: sshd -t -f %s - - - name: Restart sshd - systemd: - name: sshd - state: restarted + ansible.builtin.include_role: + name: sshd + vars: + sshd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" when: enable_sshd - name: Configure tuned diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index 0d967e48b..124a03510 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml @@ -85,8 +85,10 @@ import_role: name: sssd tasks_from: export.yml + when: "'sssd' in group_names" - name: Template sshd config import_role: name: sshd tasks_from: export.yml + when: "'sshd' in group_names" diff --git a/ansible/roles/compute_init/tasks/install.yml b/ansible/roles/compute_init/tasks/install.yml index 77cddf0a8..292b2e57c 100644 --- a/ansible/roles/compute_init/tasks/install.yml +++ b/ansible/roles/compute_init/tasks/install.yml @@ -13,6 +13,7 @@ - library - filter_plugins - tasks + - roles - name: Inject files from roles copy: @@ -32,6 +33,10 @@ dest: files/NetworkManager-dns-none.conf - src: ../../basic_users/filter_plugins/filter_keys.py dest: filter_plugins/filter_keys.py + - src: ../../sssd + dest: roles/ + - src: ../../sshd + dest: roles/ - src: ../../tuned/tasks/configure.yml dest: tasks/tuned.yml - src: ../../stackhpc.nfs/tasks/nfs-clients.yml diff --git a/ansible/roles/sshd/tasks/export.yml b/ansible/roles/sshd/tasks/export.yml index e756ab11b..0c153ca94 100644 --- a/ansible/roles/sshd/tasks/export.yml +++ b/ansible/roles/sshd/tasks/export.yml 
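Review bot: In the compute-init.yml hunk `@@ -143,90 +143,18 @@`, replacing the inline blocks with `include_role` removes the explicit `owner: root`, `group: root`, `mode: "0600"` on both copied files and the `validate: sshd -t -f %s` check. Those guarantees now rest on the roles' own tasks, which are only partly visible on this page. The file passed as `sssd_conf_src` / `sshd_conf_src` has already been rendered by export.yml; if the roles feed that variable to `template`, as export.yml does, it goes through Jinja a second time on the compute node. A comment above each include would record the assumption, e.g. `# src is pre-rendered on the control node; the role must install it root:root 0600`.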
@@ -1,11 +1,9 @@ # Exclusively used for compute-init - name: Inject host specific config template template: - src: "{{ sshd_conf_src | default('') }}" + src: "{{ sshd_conf_src }}" dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf" owner: root group: root mode: u=rw,go= - when: - - sshd_conf_src != '' delegate_to: "{{ groups['control'] | first }}" diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml index 0bacf9a01..c8ebd829e 100644 --- a/ansible/roles/sssd/tasks/configure.yml +++ b/ansible/roles/sssd/tasks/configure.yml @@ -27,12 +27,6 @@ command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" when: "'sssd' not in _authselect_current.stdout" -- name: "Ensure oddjob is started" - service: - name: oddjobd - state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}" - enabled: "{{ sssd_enable_mkhomedir }}" - - name: "Ensure oddjob is started" service: name: oddjobd diff --git a/ansible/roles/sssd/tasks/export.yml b/ansible/roles/sssd/tasks/export.yml index 906fb12fe..0be66749e 100644 --- a/ansible/roles/sssd/tasks/export.yml +++ b/ansible/roles/sssd/tasks/export.yml @@ -1,11 +1,9 @@ # Exclusively used for compute-init - name: Inject host specific config template template: - src: "{{ sssd_conf_src | default('') }}" + src: "{{ sssd_conf_src }}" dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf" owner: root group: root mode: u=rw,go= - when: - - sssd_conf_src != '' delegate_to: "{{ groups['control'] | first }}" \ No newline at end of file From 026fce1a94a013a4551c8892e59eebd5f92a06c5 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Fri, 14 Feb 2025 10:33:39 +0000 Subject: [PATCH 8/8] remove redundant compute-init playbook vars --- ansible/roles/compute_init/files/compute-init.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) 
diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index a6f61947e..4d95aede2 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -20,14 +20,6 @@ # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects resolv_conf_nameservers: [] - sssd_enable_mkhomedir: false - sssd_conf_dest: /etc/sssd/sssd.conf - sssd_started: true - sssd_enabled: true - - sshd_password_authentication: false - sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf - tuned_profile_baremetal: hpc-compute tuned_profile_vm: virtual-guest tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}" @@ -148,7 +140,7 @@ tasks_from: configure.yml vars: sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" - when: enable_sshd + when: enable_sssd - name: Configure sshd ansible.builtin.include_role: