Support sssd and sshd in compute-init

ansible/roles/compute_init/files/compute-init.yml

@@ -9,6 +9,7 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+    enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}"
     enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
@@ -18,6 +19,11 @@
     # TODO: "= role defaults" - could be moved to a vars_file: on play with similar precedence effects
     resolv_conf_nameservers: []
 
+    sssd_enable_mkhomedir: false
+    sssd_conf_dest: /etc/sssd/sssd.conf
+    sssd_started: true
+    sssd_enabled: true
+
     tuned_profile_baremetal: hpc-compute
     tuned_profile_vm: virtual-guest
     tuned_profile: "{{ tuned_profile_baremetal if ansible_virtualization_role != 'guest' else tuned_profile_vm }}"
@@ -132,6 +138,47 @@
         mode: 0644
       when: enable_etc_hosts
 
+    - name: Configure sssd
+      block:
+        - name: Manage sssd.conf configuration
+          ansible.builtin.template:
+            src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf.j2"
+            dest: "{{ sssd_conf_dest }}"
+            owner: root
+            group: root
+            mode: "0600"
+
+        - name: Restart sssd
+          systemd:
+            name: sssd
+            state: restarted
+          when: sssd_started | bool
+
+        - name: Ensure sssd service state
+          systemd:
+            name: sssd
+            state: "{{ 'started' if sssd_started | bool else 'stopped' }}"
+            enabled: "{{ sssd_enabled | bool }}"
+
+        - name: Get current authselect configuration
+          command: authselect current --raw
+          changed_when: false
+          failed_when:
+            - _authselect_current.rc != 0
+            - "'No existing configuration detected' not in _authselect_current.stdout"
+          register: _authselect_current # stdout: sssd with-mkhomedir
+
+        - name: Configure nsswitch and PAM for SSSD
+          command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}"
+          when: "'sssd' not in _authselect_current.stdout"
+
+        - name: "Ensure oddjob is started"
+          service:
+            name: oddjobd
+            state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}"
+            enabled: "{{ sssd_enable_mkhomedir }}"
+      when: enable_sssd
+
     - name: Configure tuned
       include_tasks: tasks/tuned.yml
       when: enable_tuned

ansible/roles/compute_init/tasks/export.yml

@@ -71,3 +71,28 @@
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
+
+- name: Create hostconfig directory
+  file:
+    path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
+    state: directory
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"
+
+- name: Inject host specific config template files
+  copy:
+    src: "{{ item.src }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/{{ item.dest }}"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  loop:
+    - src: "{{ sssd_conf_src | default('') }}"
+      dest: sssd.conf.j2
+    - src: "{{ sshd_conf_src | default('') }}"
+      dest: sshd.conf.j2
+  when:
+    - item.src != ''
+  delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/configure.yml

@@ -30,5 +30,5 @@
 - name: "Ensure oddjob is started"
   service:
     name: oddjobd
-    state: "{{ sssd_enable_mkhomedir }}"
+    state: "{{ 'started' if sssd_enable_mkhomedir else 'stopped' }}"
     enabled: "{{ sssd_enable_mkhomedir }}"