From f64ca36cc5e5ebd168e6062819a06b63009c1ff5 Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Fri, 7 Mar 2025 15:11:05 +0000
Subject: [PATCH 1/2] restrict all nfs shares to nfs group IPs

---
 .../common/inventory/group_vars/all/nfs.yml | 13 ++++++++++---
 requirements.yml | 5 +++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml
index 511dd0da3..ad3821937 100644
--- a/environments/common/inventory/group_vars/all/nfs.yml
+++ b/environments/common/inventory/group_vars/all/nfs.yml
@@ -5,12 +5,15 @@
 nfs_server_default: "{{ groups['control'] | first }}" # avoid using hostvars for compute-init
 
 
+# only allow the nfs group IPs to mount nfs exports:
+nfs_export_clients_default: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}"
+nfs_export_clients: "{{ nfs_export_clients_default }}"
+
 nfs_configurations:
   - comment: Export /exports/home from Slurm control node as /home
     nfs_enable:
       server: "{{ inventory_hostname in groups['control'] }}"
-      # Don't mount share on server where it is exported from...
-      # Could do something like `nfs_clients: "{{ 'nfs_servers' not in group_names }}"` instead.
+      # Don't mount share on control node:
       clients: "{{ inventory_hostname in groups['cluster'] and inventory_hostname not in groups['control'] }}"
     nfs_server: "{{ nfs_server_default }}"
     nfs_export: "/exports/home" # assumes skeleton TF is being used
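Review bot: `nfs_export_clients_default` derives its value from `hostvars`, immediately after the context line whose comment says to avoid hostvars for compute-init, and the same expression is carried into `_nfs_node_ips` in the second patch's first hunk. If the compute-init path renders these group vars without full `hostvars` (not visible here), the export client list would be empty or fail to template, and any host in the `nfs` group lacking `ansible_host` makes `extract` yield an undefined value that `join` cannot render. Worth either confirming that compute-init never needs to evaluate this variable or recording the constraint beside it, e.g. `# NB: depends on hostvars for every nfs group host; confirm compute-init does not need to render this`.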
@@ -18,4 +21,8 @@ nfs_configurations:
     # prevent tunnelling and setuid binaries:
     # NB: this is stackhpc.nfs role defaults but are set here to prevent being
     # accidently overriden via default options
-    nfs_export_options: 'rw,secure,root_squash'
+    nfs_export_options: 'rw,secure,root_squash'
+    # prevent other IPs mounting the share:
+    # NB: this is set as default for all shares above but is repeated here
+    # to prevevent being accidently overriden when adding shares
+    nfs_export_clients: "{{ nfs_export_clients_default }}"
diff --git a/requirements.yml b/requirements.yml
index 06da8ca7c..b6ea78dab 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,7 +1,8 @@
 ---
 roles:
-  - src: stackhpc.nfs
-    version: v25.2.1
+  - src: https://github.com/stackhpc/ansible-role-cluster-nfs.git
+    version: fix/export-defaults # TODO: bump on release
+    name: stackhpc.nfs
   - src: https://github.com/stackhpc/ansible-role-openhpc.git
     version: v0.27.0
     name: stackhpc.openhpc

From 8d77cebcc3b500db1266571e450272c75dd786cd Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Tue, 11 Mar 2025 15:00:01 +0000
Subject: [PATCH 2/2] try to clarify nfs export intents

---
 .../common/inventory/group_vars/all/nfs.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml
index ad3821937..09a3203a0 100644
--- a/environments/common/inventory/group_vars/all/nfs.yml
+++ b/environments/common/inventory/group_vars/all/nfs.yml
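Review bot: `version: fix/export-defaults` pins the stackhpc.nfs role to a mutable branch rather than an immutable reference, so `ansible-galaxy` resolves whatever the branch head is at install time and two installs of this same commit can pull different role code. The inline TODO shows this is meant to be temporary, but until a release exists the commit hash is the reproducible choice; `version:` accepts a commit hash for git sources, e.g. `version: <commit-sha of fix/export-defaults> # TODO: bump to release tag`. Since this role is what writes the exports configuration, a moving reference here also moves the export-client policy this series introduces.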
@@ -5,9 +5,11 @@
 nfs_server_default: "{{ groups['control'] | first }}" # avoid using hostvars for compute-init
 
 
-# only allow the nfs group IPs to mount nfs exports:
-nfs_export_clients_default: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}"
-nfs_export_clients: "{{ nfs_export_clients_default }}"
+# create a space-separated list of nfs group IPs:
+_nfs_node_ips: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}"
+
+# default *all* entries in nfs_configurations to only permitting mounts from above IPs:
+nfs_export_clients: "{{ _nfs_node_ips }}"
 
 nfs_configurations:
   - comment: Export /exports/home from Slurm control node as /home
@@ -22,7 +24,7 @@ nfs_configurations:
     # NB: this is stackhpc.nfs role defaults but are set here to prevent being
     # accidently overriden via default options
     nfs_export_options: 'rw,secure,root_squash'
-    # prevent other IPs mounting the share:
+    # prevent non-cluster IPs mounting the share:
     # NB: this is set as default for all shares above but is repeated here
-    # to prevevent being accidently overriden when adding shares
-    nfs_export_clients: "{{ nfs_export_clients_default }}"
+    # in case nfs_export_clients is overriden
+    nfs_export_clients: "{{ _nfs_node_ips }}"
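Review bot: The comment `# create a space-separated list of nfs group IPs:` promises more than the expression guarantees: `ansible_host` may be a hostname rather than an address, and if `groups['nfs']` is empty the rendered value is an empty string whose effect in the role's exports handling is not visible in this patch. Because `nfs_export_clients` now governs every entry in `nfs_configurations`, an empty or fallback value would silently decide who may mount all shares, so the assumption should be stated where the value is built, e.g. `# NB: assumes every nfs group host sets ansible_host to its address and the group is non-empty`.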
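Review bot: The new comment `# prevent non-cluster IPs mounting the share:` describes the restriction as cluster-scoped, but `_nfs_node_ips` is built from `groups['nfs']` while this share's `nfs_enable.clients` (in the first patch's first hunk) enables mounting on every host in `groups['cluster']` outside control. If the inventory does not keep `nfs` a superset of `cluster` (not visible here), those hosts will attempt a mount the server refuses, so the comment should name the group that actually applies and the spelling in the following line should be corrected: `# prevent IPs outside the nfs group mounting the share:` and `# in case nfs_export_clients is overridden`.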