From 536a31ceaddfa4c2400373ba76e888fd6433fa25 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Fri, 14 Mar 2025 16:00:56 +0000 Subject: [PATCH 1/8] cope with root-squashed nfs clients --- ansible/roles/cacerts/tasks/export.yml | 2 +- .../roles/compute_init/files/compute-init.yml | 63 ++++++++++++------- ansible/roles/compute_init/tasks/export.yml | 12 ++-- 3 files changed, 49 insertions(+), 28 deletions(-) diff --git a/ansible/roles/cacerts/tasks/export.yml b/ansible/roles/cacerts/tasks/export.yml index 7345b8573..c9c64713b 100644 --- a/ansible/roles/cacerts/tasks/export.yml +++ b/ansible/roles/cacerts/tasks/export.yml @@ -2,7 +2,7 @@ copy: src: "{{ item }}" dest: /exports/cluster/cacerts/ - owner: root + owner: slurm group: root mode: 0644 with_fileglob: diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index bf486f5b2..fbd85e009 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -30,7 +30,7 @@ tuned_started: true nfs_client_mnt_point: "/mnt" - nfs_client_mnt_options: + nfs_client_mnt_options: "defaults,nosuid,nodev" nfs_client_mnt_state: mounted nfs_configurations: nfs_enable: @@ -48,14 +48,12 @@ - _netdev # prevents mount blocking early boot before networking available - rw - basic_users_groups: [] - basic_users_manage_homedir: false # homedir must already exist on shared filesystem basic_users_userdefaults: state: present - create_home: "{{ basic_users_manage_homedir }}" - generate_ssh_key: "{{ basic_users_manage_homedir }}" + generate_ssh_key: true ssh_key_comment: "{{ item.name }}" basic_users_users: [] + basic_users_groups: [] tasks: - block: @@ -96,6 +94,7 @@ when: _mount_mnt_cluster.failed - name: Check if hostvars exist + become_user: slurm stat: path: "/mnt/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml" register: hostvars_stat 
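Review bot: In the cacerts export task, changing `owner: root` to `owner: slurm` makes the CA certificates that compute nodes later install as root writable by the slurm account. The same ownership change is repeated in the compute_init export.yml hunks of this patch (hosts, manila_share_info.yml, cvmfs, hostconfig). Read access for a root-squashed client does not need ownership: `owner: root`, `group: slurm` with a group-read mode such as `mode: "0640"` (`"0750"` for directories) would presumably give the same access without letting that account rewrite trust material. This assumes a slurm group exists on the control node, which the hunk does not show. The owner-read-only modes that patch 7/8 introduces do not close the gap, because a file's owner can always change its mode.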
@@ -109,17 +108,34 @@ - meta: end_play when: not hostvars_stat.stat.exists - - name: Load hostvars from NFS + - name: Sync /mnt/cluster to /tmp + become_user: slurm + synchronize: + src: "/mnt/cluster/" + dest: "/tmp/cluster/" + archive: yes + recursive: yes + + - name: Unmount /mnt/cluster after sync + become_user: slurm + mount: + path: /mnt/cluster + state: unmounted + + - name: Load hostvars # this is higher priority than vars block = normal ansible's hostvars include_vars: - file: "/mnt/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml" # can't use inventory_hostname - - # TODO: should /mnt/cluster now be UNMOUNTED to avoid future hang-ups? + file: "/tmp/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml" - name: Run chrony role ansible.builtin.include_role: name: mrlesmithjr.chrony - when: enable_chrony | bool + tasks_from: config_chrony.yml + vars: + # workaround for set_facts.yml: + chrony_config: /etc/chrony.conf + chrony_service: chronyd + when: enable_chrony - name: Configure resolve.conf block: @@ -149,7 +165,7 @@ - name: Copy cluster /etc/hosts copy: - src: /mnt/cluster/hosts + src: /tmp/cluster/hosts dest: /etc/hosts owner: root group: root @@ -160,14 +176,14 @@ ansible.builtin.include_role: name: cacerts vars: - cacerts_cert_dir: "/mnt/cluster/cacerts" + cacerts_cert_dir: "/tmp/cluster/cacerts" when: enable_cacerts - name: Configure sshd ansible.builtin.include_role: name: sshd vars: - sshd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" + sshd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" when: enable_sshd - name: Configure tuned @@ -179,7 +195,7 @@ name: sssd tasks_from: configure.yml vars: - sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" + sssd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" when: enable_sssd # NFS client mount 
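Review bot: The new "Sync /mnt/cluster to /tmp" task stages the whole export under a predictable name in a world-writable directory. The root-run tasks changed later in this patch (the `/etc/hosts` copy, cacerts, sshd, sssd, `manila_share_info.yml`, cvmfs) then read their input from there. If `/tmp/cluster` can be pre-created by another local account, what gets applied as root is no longer only what the control node exported; whether any such account exists at this point of boot is not visible in the hunk. Creating the staging directory explicitly before the sync, owned by slurm with mode 0700 and outside `/tmp`, removes that dependence. Patch 7/8 moves the path to `/var/tmp`, which has the same property; the path in the sketch below is illustrative only.

```yaml
- name: Create private staging directory  # path is illustrative
  file:
    path: /var/lib/compute-init-cluster
    state: directory
    owner: slurm
    group: root
    mode: "0700"

- name: Sync /mnt/cluster to staging directory
  become_user: slurm
  synchronize:
    src: "/mnt/cluster/"
    dest: "/var/lib/compute-init-cluster/"
    # … unchanged: archive, recursive …
```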
@@ -194,7 +210,7 @@ block: - name: Read manila share info from nfs file include_vars: - file: /mnt/cluster/manila_share_info.yml + file: /tmp/cluster/manila_share_info.yml no_log: true # contains secrets - name: Ensure Ceph configuration directory exists @@ -275,28 +291,33 @@ loop: "{{ basic_users_groups }}" - name: Create users - user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() }}" + user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() | combine(_disable_homedir) }}" loop: "{{ basic_users_users }}" loop_control: - label: "{{ item.name }} [{{ item.state | default('present') }}]" - register: basic_users_info + label: "{{ item.name }}" + vars: + _disable_homedir: # ensure this task doesn't touch $HOME + create_home: false + generate_ssh_key: false - name: Write sudo rules blockinfile: - path: /etc/sudoers.d/80-{{ item.name}}-user + path: /etc/sudoers.d/80-{{ item.name }}-user block: "{{ item.sudo }}" create: true loop: "{{ basic_users_users }}" loop_control: label: "{{ item.name }}" - when: "'sudo' in item" + when: + - item.state | default('present') == 'present' + - "'sudo' in item" when: enable_basic_users - name: EESSI block: - name: Copy cvmfs config copy: - src: /mnt/cluster/cvmfs/default.local + src: /tmp/cluster/cvmfs/default.local dest: /etc/cvmfs/default.local owner: root group: root diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index 68fcf4be3..18da6a7fc 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml @@ -12,7 +12,7 @@ copy: src: /etc/hosts dest: /exports/cluster/hosts - owner: root + owner: slurm group: root mode: u=rw,go= remote_src: true @@ -41,7 +41,7 @@ copy: content: "{{ os_manila_mount_share_info_var | to_nice_yaml }}" dest: /exports/cluster/manila_share_info.yml - owner: root + owner: slurm group: root mode: u=rw,g=r run_once: true 
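Review bot: The "Write sudo rules" task, whose `path` and `when` lines this hunk touches, writes `item.sudo` into `/etc/sudoers.d/` with `create: true` but sets no mode and does not validate the result. A malformed rule there can break sudo for every account on the node, and the file mode is left to the umask. Adding `mode: "0440"` and `validate: /usr/sbin/visudo -cf %s` to the blockinfile arguments covers both. Patch 7/8 later replaces this inline block with the basic_users role, so the same check would belong in that role if its task is written the same way, which is not visible here.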
@@ -55,7 +55,7 @@ file: path: /exports/cluster/cvmfs state: directory - owner: root + owner: slurm group: root mode: 0755 run_once: true @@ -65,7 +65,7 @@ copy: src: /etc/cvmfs/default.local dest: /exports/cluster/cvmfs/default.local - owner: root + owner: slurm group: root mode: 0644 remote_src: true @@ -82,9 +82,9 @@ file: path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/" state: directory - owner: root + owner: slurm group: root - mode: u=rw,go= + mode: u=rX,g=rwX,o= delegate_to: "{{ groups['control'] | first }}" - name: Template sssd config From 2f99bf33f333d5564a839fcf5cb6ce3231f9681c Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Mon, 17 Mar 2025 10:42:36 +0000 Subject: [PATCH 2/8] knock down ansible-init wait to fail to 5 mins --- environments/common/inventory/group_vars/all/ansible_init.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/environments/common/inventory/group_vars/all/ansible_init.yml b/environments/common/inventory/group_vars/all/ansible_init.yml index af30f37d6..df4060f94 100644 --- a/environments/common/inventory/group_vars/all/ansible_init.yml +++ b/environments/common/inventory/group_vars/all/ansible_init.yml @@ -1,4 +1,4 @@ -ansible_init_wait: 1200 # seconds +ansible_init_wait: 300 # seconds ansible_init_pip_packages: # role defaults: From c66ade8ef193198899d24071a391539b12f0a13d Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Mon, 17 Mar 2025 10:57:51 +0000 Subject: [PATCH 3/8] harden manila mount options for compute-init --- ansible/roles/compute_init/files/compute-init.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index fbd85e009..b7c1c6392 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml 
@@ -47,6 +47,8 @@ - noatime - _netdev # prevents mount blocking early boot before networking available - rw + - nodev + - nosuid basic_users_userdefaults: state: present From 41c3fcd8f9336993fb32dbf73e4a3fb2e757ef06 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Mon, 17 Mar 2025 11:30:41 +0000 Subject: [PATCH 4/8] move export cluster nfs group_var to common --- environments/.stackhpc/inventory/group_vars/all/nfs.yml | 7 ------- environments/common/inventory/group_vars/all/nfs.yml | 6 ++++++ 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/environments/.stackhpc/inventory/group_vars/all/nfs.yml b/environments/.stackhpc/inventory/group_vars/all/nfs.yml index af3861ee9..0808890e3 100644 --- a/environments/.stackhpc/inventory/group_vars/all/nfs.yml +++ b/environments/.stackhpc/inventory/group_vars/all/nfs.yml @@ -8,10 +8,3 @@ nfs_configurations: nfs_server: "{{ nfs_server_default }}" nfs_export: "/exports/home" # assumes skeleton TF is being used nfs_client_mnt_point: "/home" - - # EXPERIMENTAL - not generally secure - - comment: Export /exports/cluster from Slurm control node - nfs_enable: - server: "{{ inventory_hostname in groups['control'] }}" - clients: false - nfs_export: "/exports/cluster" diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml index 09a3203a0..d8f53ec30 100644 --- a/environments/common/inventory/group_vars/all/nfs.yml +++ b/environments/common/inventory/group_vars/all/nfs.yml @@ -28,3 +28,9 @@ nfs_configurations: # NB: this is set as default for all shares above but is repeated here # in case nfs_export_clients is overriden nfs_export_clients: "{{ _nfs_node_ips }}" + + - comment: Export /exports/cluster from Slurm control node + nfs_enable: + server: "{{ inventory_hostname in groups['control'] }}" + clients: false + nfs_export: "/exports/cluster" From 4a641ff283142b59976e8c8c8c31e921d08b9c69 Mon Sep 17 00:00:00 2001 
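Review bot: The `/exports/cluster` entry added to the common nfs.yml drops the `# EXPERIMENTAL - not generally secure` warning it carried in the .stackhpc environment, and it sets neither `nfs_export_options` nor `nfs_export_clients`, so it relies on defaults that a site override can change. The other share in this file pins `nfs_export_options: 'rw,secure,root_squash'` (visible as context in patch 5/8) for exactly that reason, and this series depends on root squashing for this export. Pinning the options here too would make the intent explicit, for example `nfs_export_options: 'ro,secure,root_squash'` if compute nodes only ever read from the share, as the sync task in patch 1/8 suggests. A comment saying what the export contains (host configuration and the manila share secrets) would replace the dropped warning. Patch 7/8 adds `nfs_export_clients` to this entry but still leaves the options unpinned.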
From: bertiethorpe Date: Mon, 17 Mar 2025 15:35:00 +0000 Subject: [PATCH 5/8] fix nfs_configurations bug --- ansible/roles/compute_init/files/compute-init.yml | 1 - .../.stackhpc/inventory/group_vars/all/nfs.yml | 10 ---------- environments/common/inventory/group_vars/all/nfs.yml | 4 ---- 3 files changed, 15 deletions(-) delete mode 100644 environments/.stackhpc/inventory/group_vars/all/nfs.yml diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index b7c1c6392..3687692cb 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml @@ -119,7 +119,6 @@ recursive: yes - name: Unmount /mnt/cluster after sync - become_user: slurm mount: path: /mnt/cluster state: unmounted diff --git a/environments/.stackhpc/inventory/group_vars/all/nfs.yml b/environments/.stackhpc/inventory/group_vars/all/nfs.yml deleted file mode 100644 index 0808890e3..000000000 --- a/environments/.stackhpc/inventory/group_vars/all/nfs.yml +++ /dev/null @@ -1,10 +0,0 @@ -nfs_configurations: - - comment: Export /exports/home from Slurm control node as /home - nfs_enable: - server: "{{ inventory_hostname in groups['control'] }}" - # Don't mount share on server where it is exported from... - # Could do something like `nfs_clients: "{{ 'nfs_servers' not in group_names }}"` instead. - clients: "{{ inventory_hostname in groups['cluster'] and inventory_hostname not in groups['control'] }}" - nfs_server: "{{ nfs_server_default }}" - nfs_export: "/exports/home" # assumes skeleton TF is being used - nfs_client_mnt_point: "/home" diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml index d8f53ec30..abde7c76e 100644 --- a/environments/common/inventory/group_vars/all/nfs.yml +++ b/environments/common/inventory/group_vars/all/nfs.yml 
@@ -24,10 +24,6 @@ nfs_configurations: # NB: this is stackhpc.nfs role defaults but are set here to prevent being # accidently overriden via default options nfs_export_options: 'rw,secure,root_squash' - # prevent non-cluster IPs mounting the share: - # NB: this is set as default for all shares above but is repeated here - # in case nfs_export_clients is overriden - nfs_export_clients: "{{ _nfs_node_ips }}" - comment: Export /exports/cluster from Slurm control node nfs_enable: From 3227599b85b4ec684f5f08143ba110f5c506a983 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Mon, 17 Mar 2025 16:26:53 +0000 Subject: [PATCH 6/8] bump images --- environments/.stackhpc/tofu/cluster_image.auto.tfvars.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json index 6e87c5d58..d82be8378 100644 --- a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json +++ b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json @@ -1,6 +1,6 @@ { "cluster_image": { - "RL8": "openhpc-RL8-250312-1522-7e5c051d", - "RL9": "openhpc-RL9-250312-1435-7e5c051d" + "RL8": "openhpc-RL8-250317-1544-4a641ff2", + "RL9": "openhpc-RL9-250317-1545-4a641ff2" } } From 69713f2317f5217fcf6cd9ffac20498ec9d9e355 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Tue, 18 Mar 2025 16:53:20 +0000 Subject: [PATCH 7/8] enable basic_users, nfs roles to be used directly --- ansible/roles/basic_users/tasks/main.yml | 10 +-- .../roles/compute_init/files/compute-init.yml | 65 +++++-------------- ansible/roles/compute_init/tasks/export.yml | 4 +- ansible/roles/compute_init/tasks/install.yml | 8 +-- .../inventory/group_vars/all/basic_users.yml | 4 ++ .../common/inventory/group_vars/all/nfs.yml | 8 +++ 6 files changed, 38 insertions(+), 61 deletions(-) diff --git a/ansible/roles/basic_users/tasks/main.yml b/ansible/roles/basic_users/tasks/main.yml index 23d160850..6abba9cc0 100644 
--- a/ansible/roles/basic_users/tasks/main.yml +++ b/ansible/roles/basic_users/tasks/main.yml @@ -66,7 +66,7 @@ when: - item.state | default('present') == 'present' - item.create_home | default(true) | bool - - inventory_hostname == basic_users_homedir_server + - ansible_hostname == basic_users_homedir_server # The following tasks run on a single *client* node, so that home directory # paths are easily constructed, becoming each user so that root-squash @@ -85,7 +85,7 @@ when: - item.state | default('present') == 'present' - item.generate_ssh_key | default(true) | bool or item.public_key is defined - - inventory_hostname == basic_users_homedir_client + - ansible_hostname == basic_users_homedir_client - name: Generate cluster ssh key community.crypto.openssh_keypair: @@ -101,7 +101,7 @@ when: - item.state | default('present') == 'present' - item.generate_ssh_key | default(true) - - inventory_hostname == basic_users_homedir_client + - ansible_hostname == basic_users_homedir_client register: _cluster_ssh_keypair - name: Write generated cluster ssh key to authorized_keys @@ -118,7 +118,7 @@ when: - item.item.state | default('present') == 'present' - item.item.generate_ssh_key | default(true) - - inventory_hostname == basic_users_homedir_client + - ansible_hostname == basic_users_homedir_client - item.public_key is defined # NB this is the *returned* public key - name: Write supplied public key to authorized_keys @@ -134,5 +134,5 @@ label: "{{ item.name }}" when: - item.state | default('present') == 'present' - - inventory_hostname == basic_users_homedir_client + - ansible_hostname == basic_users_homedir_client - item.public_key is defined # NB this is the *provided* public key diff --git a/ansible/roles/compute_init/files/compute-init.yml b/ansible/roles/compute_init/files/compute-init.yml index 3687692cb..e97b5918d 100644 --- a/ansible/roles/compute_init/files/compute-init.yml +++ b/ansible/roles/compute_init/files/compute-init.yml 
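Review bot: All five conditions changed in this file now compare `ansible_hostname` with `basic_users_homedir_server` or `basic_users_homedir_client`, but this same patch defines those variables from `groups['control'] | first` and `groups['login'] | first`, which are inventory names. `ansible_hostname` is the short hostname fact, so where an inventory name differs from it (an FQDN or an alias), each of these tasks is skipped without error and no home directory or authorized_keys entry is written. The comparison also depends on facts having been gathered. A comment on the first condition such as `# assumes inventory names equal short hostnames; compute-init has no usable inventory_hostname` would document the dependency. The tasks themselves start and end outside the hunks.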
@@ -29,15 +29,9 @@ tuned_enabled: true tuned_started: true - nfs_client_mnt_point: "/mnt" - nfs_client_mnt_options: "defaults,nosuid,nodev" - nfs_client_mnt_state: mounted - nfs_configurations: nfs_enable: clients: false - # openhpc: no defaults required - os_manila_mount_shares: [] os_manila_mount_ceph_conf_path: /etc/ceph os_manila_mount_state: mounted @@ -50,13 +44,6 @@ - nodev - nosuid - basic_users_userdefaults: - state: present - generate_ssh_key: true - ssh_key_comment: "{{ item.name }}" - basic_users_users: [] - basic_users_groups: [] - tasks: - block: - name: Report skipping initialization if not compute node @@ -110,11 +97,11 @@ - meta: end_play when: not hostvars_stat.stat.exists - - name: Sync /mnt/cluster to /tmp + - name: Sync /mnt/cluster to /var/tmp become_user: slurm synchronize: src: "/mnt/cluster/" - dest: "/tmp/cluster/" + dest: "/var/tmp/cluster/" archive: yes recursive: yes @@ -126,7 +113,7 @@ - name: Load hostvars # this is higher priority than vars block = normal ansible's hostvars include_vars: - file: "/tmp/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml" + file: "/var/tmp/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml" - name: Run chrony role ansible.builtin.include_role: @@ -166,7 +153,7 @@ - name: Copy cluster /etc/hosts copy: - src: /tmp/cluster/hosts + src: /var/tmp/cluster/hosts dest: /etc/hosts owner: root group: root @@ -177,14 +164,14 @@ ansible.builtin.include_role: name: cacerts vars: - cacerts_cert_dir: "/tmp/cluster/cacerts" + cacerts_cert_dir: "/var/tmp/cluster/cacerts" when: enable_cacerts - name: Configure sshd ansible.builtin.include_role: name: sshd vars: - sshd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" + sshd_conf_src: "/var/tmp/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf" when: enable_sshd - name: Configure tuned 
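Review bot: The sync into `/var/tmp/cluster/` has no `delete` option and nothing in the visible hunks removes the copy afterwards, so the staged files survive reboots. Entries withdrawn from the export (a host's `sshd.conf`, a CA certificate) stay in the staging tree, and `manila_share_info.yml`, which the play itself marks as containing secrets, remains on local disk owned by slurm. Adding `delete: true` to the synchronize arguments keeps the tree equal to the export. A final `file` task with `state: absent` on the staging directory, run after the roles, would limit how long the secrets stay on the node. Whether anything still needs the copy after the play finishes is not visible here.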
@@ -196,22 +183,24 @@ name: sssd tasks_from: configure.yml vars: - sssd_conf_src: "/tmp/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" + sssd_conf_src: "/var/tmp/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf" when: enable_sssd # NFS client mount - name: If nfs-clients is present - include_tasks: tasks/nfs-clients.yml + ansible.builtin.include_role: + name: stackhpc.nfs + tasks_from: nfs-clients.yml when: - enable_nfs - - nfs_enable.clients | bool or ('nfs_enable' in item and item.nfs_enable.clients | bool) + - nfs_enable.clients | default(item.nfs_enable.clients) | bool loop: "{{ nfs_configurations }}" - name: Manila mounts block: - name: Read manila share info from nfs file include_vars: - file: /tmp/cluster/manila_share_info.yml + file: /var/tmp/cluster/manila_share_info.yml no_log: true # contains secrets - name: Ensure Ceph configuration directory exists @@ -286,39 +275,15 @@ when: enable_lustre - name: Basic users - block: - - name: Create groups - ansible.builtin.group: "{{ item }}" - loop: "{{ basic_users_groups }}" - - - name: Create users - user: "{{ basic_users_userdefaults | combine(item) | filter_user_params() | combine(_disable_homedir) }}" - loop: "{{ basic_users_users }}" - loop_control: - label: "{{ item.name }}" - vars: - _disable_homedir: # ensure this task doesn't touch $HOME - create_home: false - generate_ssh_key: false - - - name: Write sudo rules - blockinfile: - path: /etc/sudoers.d/80-{{ item.name }}-user - block: "{{ item.sudo }}" - create: true - loop: "{{ basic_users_users }}" - loop_control: - label: "{{ item.name }}" - when: - - item.state | default('present') == 'present' - - "'sudo' in item" + ansible.builtin.include_role: + name: basic_users when: enable_basic_users - name: EESSI block: - name: Copy cvmfs config copy: - src: /tmp/cluster/cvmfs/default.local + src: /var/tmp/cluster/cvmfs/default.local dest: /etc/cvmfs/default.local owner: root group: root 
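Review bot: The rewritten condition `nfs_enable.clients | default(item.nfs_enable.clients) | bool` does not match the expression it replaces. `default()` only applies when the left side is undefined, and the vars block of this play still appears to set `nfs_enable.clients: false`, so the per-share `item.nfs_enable.clients` looks unreachable. The old form enabled a share when either the global or the per-share flag was true. If per-share flags should still take effect, `item.nfs_enable.clients | default(nfs_enable.clients) | bool` expresses that; otherwise a comment saying the global flag is authoritative would help. A wrong result here means a share is silently not mounted at boot.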
diff --git a/ansible/roles/compute_init/tasks/export.yml b/ansible/roles/compute_init/tasks/export.yml index 18da6a7fc..3226e13b8 100644 --- a/ansible/roles/compute_init/tasks/export.yml +++ b/ansible/roles/compute_init/tasks/export.yml @@ -14,7 +14,7 @@ dest: /exports/cluster/hosts owner: slurm group: root - mode: u=rw,go= + mode: u=r,g=rw,o= remote_src: true run_once: true delegate_to: "{{ groups['control'] | first }}" @@ -43,7 +43,7 @@ dest: /exports/cluster/manila_share_info.yml owner: slurm group: root - mode: u=rw,g=r + mode: u=r,g=rw,o= run_once: true delegate_to: "{{ groups['control'] | first }}" when: os_manila_mount_share_info is defined diff --git a/ansible/roles/compute_init/tasks/install.yml b/ansible/roles/compute_init/tasks/install.yml index 8288b65fe..0638f7011 100644 --- a/ansible/roles/compute_init/tasks/install.yml +++ b/ansible/roles/compute_init/tasks/install.yml @@ -33,8 +33,8 @@ dest: templates/ceph.keyring.j2 - src: ../../resolv_conf/files/NetworkManager-dns-none.conf dest: files/NetworkManager-dns-none.conf - - src: ../../basic_users/filter_plugins/filter_keys.py - dest: filter_plugins/filter_keys.py + - src: ../../basic_users + dest: roles/ - src: ../../cacerts dest: roles/ - src: ../../sssd @@ -43,8 +43,8 @@ dest: roles/ - src: ../../tuned/tasks/configure.yml dest: tasks/tuned.yml - - src: ../../stackhpc.nfs/tasks/nfs-clients.yml - dest: tasks/nfs-clients.yml + - src: ../../stackhpc.nfs + dest: roles/ - src: ../../mrlesmithjr.chrony dest: roles/ - src: ../../lustre diff --git a/environments/common/inventory/group_vars/all/basic_users.yml b/environments/common/inventory/group_vars/all/basic_users.yml index a7b9359b7..d94d12982 100644 --- a/environments/common/inventory/group_vars/all/basic_users.yml +++ b/environments/common/inventory/group_vars/all/basic_users.yml 
@@ -3,3 +3,7 @@ # See ansible/roles/basic_users/README.md for variable definitions. basic_users_users: [] + +# The following are defined for the purpose of compute-init +basic_users_homedir_server: "{{ groups['control'] | first }}" +basic_users_homedir_client: "{{ groups['login'] | first }}" \ No newline at end of file diff --git a/environments/common/inventory/group_vars/all/nfs.yml b/environments/common/inventory/group_vars/all/nfs.yml index abde7c76e..39c264576 100644 --- a/environments/common/inventory/group_vars/all/nfs.yml +++ b/environments/common/inventory/group_vars/all/nfs.yml @@ -24,9 +24,17 @@ nfs_configurations: # NB: this is stackhpc.nfs role defaults but are set here to prevent being # accidently overriden via default options nfs_export_options: 'rw,secure,root_squash' + # prevent non-cluster IPs mounting the share: + # NB: this is set as default for all shares above but is repeated here + # in case nfs_export_clients is overriden + nfs_export_clients: "{{ _nfs_node_ips }}" - comment: Export /exports/cluster from Slurm control node nfs_enable: server: "{{ inventory_hostname in groups['control'] }}" clients: false nfs_export: "/exports/cluster" + # prevent non-cluster IPs mounting the share: + # NB: this is set as default for all shares above but is repeated here + # in case nfs_export_clients is overriden + nfs_export_clients: "{{ _nfs_node_ips }}" From 74deca818625b893d42e5b0a053db0c4dfd290e3 Mon Sep 17 00:00:00 2001 From: bertiethorpe Date: Wed, 19 Mar 2025 11:35:49 +0000 Subject: [PATCH 8/8] bump images --- environments/.stackhpc/tofu/cluster_image.auto.tfvars.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json index d82be8378..a56dda976 100644 --- a/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json +++ b/environments/.stackhpc/tofu/cluster_image.auto.tfvars.json 
@@ -1,6 +1,6 @@ { "cluster_image": { - "RL8": "openhpc-RL8-250317-1544-4a641ff2", - "RL9": "openhpc-RL9-250317-1545-4a641ff2" + "RL8": "openhpc-RL8-250319-1045-69713f23", + "RL9": "openhpc-RL9-250319-1045-69713f23" } }