From 1cc6a254718c95d966887390d6c1c9e5bc2e2bb8 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 1 Aug 2025 11:55:02 +0000 Subject: [PATCH 01/10] fixup additional inventory group --- environments/common/inventory/groups | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups index 0f9e204d5..2396fa66a 100644 --- a/environments/common/inventory/groups +++ b/environments/common/inventory/groups @@ -17,9 +17,14 @@ compute # Login group to use for running mpi-based testing. login +[additional] +# Additional nodes to include in "cluster" group +# Automatically populated from OpenTofu variable additional_nodegroups + [cluster:children] # All nodes in the appliance - add e.g. service nodes not running Slurm here. openhpc +additional [builder] # Do not add hosts here manually - used as part of Packer image build pipeline. See packer/README.md. From 671713ecb18ff462004f77f7a6b88f0a2ad024b7 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Tue, 5 Aug 2025 20:32:23 +0000 Subject: [PATCH 02/10] WIP: add cvmfs_server role --- ansible/.gitignore | 2 + ansible/extras.yml | 11 ++ ansible/roles/cvmfs_server/README.md | 105 ++++++++++++++++++ ansible/roles/cvmfs_server/defaults/main.yml | 4 + ansible/roles/cvmfs_server/tasks/main.yml | 7 ++ .../inventory/group_vars/all/cvmfs_server.yml | 85 ++++++++++++++ environments/common/inventory/groups | 5 + environments/common/layouts/everything | 4 + requirements.yml | 3 + 9 files changed, 226 insertions(+) create mode 100644 ansible/roles/cvmfs_server/README.md create mode 100644 ansible/roles/cvmfs_server/defaults/main.yml create mode 100644 ansible/roles/cvmfs_server/tasks/main.yml create mode 100644 environments/common/inventory/group_vars/all/cvmfs_server.yml diff --git a/ansible/.gitignore b/ansible/.gitignore index 62c9a543c..bdf71fcb8 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore 
@@ -98,3 +98,5 @@ roles/* !roles/eessi/** !roles/topology/ !roles/topology/** +!roles/cvmfs_server/ +!roles/cvmfs_server/** diff --git a/ansible/extras.yml b/ansible/extras.yml index 08892e4ec..e00f4aee0 100644 --- a/ansible/extras.yml +++ b/ansible/extras.yml @@ -28,6 +28,17 @@ - import_role: name: basic_users +- name: Setup CernVM-FS server + hosts: cvmfs_server + tags: cvmfs_server + become: true + gather_facts: true + tasks: + - name: Install/configure CernVM-FS server + ansible.builtin.include_role: + name: cvmfs_server + tasks_from: main.yml + - name: Setup EESSI hosts: eessi tags: eessi diff --git a/ansible/roles/cvmfs_server/README.md b/ansible/roles/cvmfs_server/README.md new file mode 100644 index 000000000..744964dbc --- /dev/null +++ b/ansible/roles/cvmfs_server/README.md 
@@ -0,0 +1,105 @@ +# cvmfs_server + +Install a CernVM-FS Stratum 1 server replicating the EESSI repository. + +By default, the appliance `eessi` role configures EESSI clients to use EESSI's +Stratum 1 servers. If EESSI is in production use, the `squid` role should normally +be configured to provide an http proxy for those clients to reduce the load +on the upstream stratum 1 servers. However both of those approaches assume that +there is outbound http access. If this is not the case, this role can be used +to provide a private, in-cluster server replicating the EESSI repository from +an upstream server over https. + +This feature is enabled by adding a node to the `cvmfs_server` group. The +defaults provided are sufficent to implement the above configuration. + +Guidance on configuring a *public* Stratum 1 server for EESSI is provided [here](https://multixscale.github.io/cvmfs-tutorial-hpc-best-practices/access/stratum1/). +Compared to those links, the defaults provided for this role: +- Use https URLs for both dnf repositories and for the EESSI repository replication. +- Use the `aws-eu-west-s1-sync` EESSI server (which is the only one providing + https replication). +- Does not configure a squid proxy in front of the Stratum 1 server, because this + is considered unnecessary for a private Stratum 1. +- Does not configure a firewall, as OpenStack security groups are expected to be + sufficent. +- Does not configure the Geo API service, which is not needed for a private server. + +# Requirements + +See also the example configuration below. + +1. The node used requires ["a few cores and a couple gigabytes of memory"](https://cvmfs-contrib.github.io/cvmfs-tutorial-2021/02_stratum0_client/#21-setting-up-the-stratum-0) + and typically 50 GB of space in `/srv`. +2. The node used must have outbound connectivity for dnf package installs + and to replicate the EESSI repository. +3. 
If this role is used to provide EESSI for an [isolated cluster](../../../docs/experimental/isolated-clusters.md) + where cluster users have no outbound internet connectivity, ensure those users + cannot access this node, i.e. it is not in groups `basic_user`, `ldap` or + `freeipa`. +4. The node is automatically added to the `dnf_repos` group to enable yum + repositories so this role can install dependencies. It therefore requires + either configuring Ark credentials or a local Pulp server - see links in + [adding additional packages](../../../docs/operations.md#adding-additional-packages). + Note the former will also require setting `dnf_repos_allow_insecure_creds: true` + to allow Ark credentials to be templated into repofiles - this also requires 3. + to avoid exposing these to cluster users. + +## Role variables + +This role wraps the [EESSI ansible-cvmfs role](https://github.com/EESSI/ansible-cvmfs) +role and any variables described there may be used. The defaults in +`environments/common/inventory/group_vars/all/cvmfs_server.yml` +should be generally be satisfactory, except that `cvmfs_srv_device` will be +required if CVMFS data should not be stored on the root filesystem. + +## Example configuration + +The below OpenTofu configuration creates a new node in the `cvmfs_server` group +with a new 50 GB volume attached: + +```terraform +# environments/production/tofu/main.tf: +module "cluster" { + + ... + + additional_nodegroups = { + cvmfs_server = { + nodes = ["eessi"] + flavor = "m2.medium" + extra_volumes = { + srv = { + size = 50 # GB + } + } + } + } + + ... +} +``` + +Configure the role to use the volume for CVMFS data: + +``` +# environments/site/inventory/group_vars/all/cvmfs_server.yml: +cvmfs_srv_device: /dev/vdb +``` + +**NB:** This is only safe if a single volume is attached, else the ordering of +devices is not guaranteed. + +Note Ark credentials or a local Pulp server must also be configured as referenced +above. 
+ +## Client configuration + +Configuration for EESSI clients is provided by the [eessi](../eessi/README.md) +role. To use the Stratum 1 server provided by this role requires overriding +the default configuration (NB: not adding additional configuration): + +``` +# environments/site/inventory/group_vars/all/eessi.yml: +cvmfs_config: + CVMFS_SERVER_URL: "http://{{ hostvars[groups['cvmfs_server'] | first].ansible_host }}/cvmfs/@fqrn@" +``` diff --git a/ansible/roles/cvmfs_server/defaults/main.yml b/ansible/roles/cvmfs_server/defaults/main.yml new file mode 100644 index 000000000..8598974ac --- /dev/null +++ b/ansible/roles/cvmfs_server/defaults/main.yml @@ -0,0 +1,4 @@ +# NB: Most defaults are set in +# environments/common/inventory/group_vars/all/cvmfs_server.yml +# as the wrapped role does not pick up defaults from here +cvmfs_role: stratum1 diff --git a/ansible/roles/cvmfs_server/tasks/main.yml b/ansible/roles/cvmfs_server/tasks/main.yml new file mode 100644 index 000000000..56ee85aaa --- /dev/null +++ b/ansible/roles/cvmfs_server/tasks/main.yml @@ -0,0 +1,7 @@ +- ansible.builtin.import_role: + name: eessi.cvmfs + tasks_from: "{{ cvmfs_role }}.yml" + vars: + # from ansible-cvmfs/vars/redhat.yml + cvmfs_apache_service_name: httpd + cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf diff --git a/environments/common/inventory/group_vars/all/cvmfs_server.yml b/environments/common/inventory/group_vars/all/cvmfs_server.yml new file mode 100644 index 000000000..972eb86c8 --- /dev/null +++ b/environments/common/inventory/group_vars/all/cvmfs_server.yml 
@@ -0,0 +1,85 @@ +# See ansible/roles/cvmfs_server/README.md + +# cvmfs_srv_device: # block device to use for CVMFS data. /srv/cvmfs is used if not set. + +cvmfs_dnf_repo_protocol: https + +cvmfs_dnf_repos: + - name: cernvm + file: cernvm + baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs/EL/$releasever/$basearch/" + description: CernVM packages + - name: cernvm-config + file: cernvm + baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs-config/EL/$releasever/$basearch/" + description: CernVM-FS extra config packages + +cvmfs_keys: + - path: /etc/cvmfs/keys/eessi.io/eessi.io.pub + # from /cvmfs/cvmfs-config.cern.ch/etc/cvmfs/keys/eessi.io/eessi.io.pub on client + key: | + -----BEGIN PUBLIC KEY----- + MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyau1UFUcoiqpE5U9StON + W0Trc3PM02AA5kYgknrqZJdusj5PcNg7rhOnrd+SX8BIiVtVMr6mqORXsJ2FNydJ + lfm512GcmurM154m6Hz4I+UttcpVLe1CvlyxjjCrN0siSiPnLDONy3Ih1PWyRlA/ + sobSaIhx3Vyn1IzC0nbjstKObAYJs2kjokS+cipX2oIXJSoxkhvXcxmiMCi2GQIs + KTQDT+bATs9eK+ZqY4n5x8VX87AlMBQuSCP5mA8VQPx4aCf8AjHWAn3qmPrhk3od + Z/Cl9vrYzoWJT1HOyumv7aEv7UlY81++3w/AwYKXLJI6ioop2AotjrUm3w2U3+k7 + WQIDAQAB + -----END PUBLIC KEY----- + +cvmfs_stratum1_http_ports: + - 80 + - 8000 + +cvmfs_repositories: + - stratum0: aws-eu-west-s1-sync.eessi.science + stratum0_url_scheme: https + repository: software.eessi.io + key_dir: /etc/cvmfs/keys/eessi.io + owner: root + + +# Below taken from ansible-cvmfs/vars/redhat.yml and are needed because the +# cvmfs_server role does not run ansible-cvmfs/tasks/main.yml: +cvmfs_dnf_repo_key: + content: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v2.0.14 (GNU/Linux) + + mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4 + wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC + 4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/ + aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87 + 
HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc + mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd + 6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK + IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU + JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk + bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy + bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/ + ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4 + 2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE + ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC + zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1 + u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP + LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX + VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG + aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD + nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G + YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM + eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh + dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG + CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2 + AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg= + =S7Dt + -----END PGP PUBLIC KEY BLOCK----- + dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM + +cvmfs_packages: + stratum1-disk: + - httpd + - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}" + - "{{ 'squid' if cvmfs_stratum1_squid else omit }}" + - cvmfs-server + - cvmfs-config-default diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups index 2396fa66a..8f0745bc1 100644 --- a/environments/common/inventory/groups +++ b/environments/common/inventory/groups 
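Review bot: The two keys embedded in this hunk, the EESSI repository public key under `cvmfs_keys` and the CernVM RPM signing key under `cvmfs_dnf_repo_key`, are the trust anchors for everything this Stratum 1 replicates and installs, yet the only provenance recorded is that `eessi.io.pub` was copied from `/cvmfs/cvmfs-config.cern.ch/...` on a client, i.e. out of another CVMFS repository rather than from an out-of-band source. I would record how each key was checked so a later maintainer can re-verify it, e.g. above `cvmfs_keys`: `# Verified out-of-band against the key published by EESSI; fingerprint: <FINGERPRINT-PLACEHOLDER>`, and the same above `cvmfs_dnf_repo_key` for the CERN key. The identical key material is moved verbatim into ansible/roles/cvmfs_server/defaults/main.yml in PATCH 08/10, so the provenance comment should travel with it. Separately, `cvmfs_stratum1_http_ports` opens 80 and 8000 and the role README says no firewall is configured, which is worth stating here as a comment (`# exposure relies on security groups, see README`) since this file is where an operator will look.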
@@ -187,6 +187,7 @@ k3s_agent # Warning: when using Ark directly rather than a local Pulp server, adding hosts other than `builder` will leak Ark creds to users builder extra_packages +cvmfs_server [pulp] # Add builder to this group to enable automatically syncing of pulp during image build @@ -202,3 +203,7 @@ extra_packages [nhc] # Hosts to configure for node health checks - either entire 'compute' group or empty + +[cvmfs_server] +# Hosts to configure as a CernVM-FS Stratum 1 replica server for EESSI. +# See ansible/roles/cvmfs_server/README.md diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything index 0f4253758..859f5e762 100644 --- a/environments/common/layouts/everything +++ b/environments/common/layouts/everything @@ -146,3 +146,7 @@ compute # Note that this feature currently assumes all compute nodes are VMs, enabling # when the cluster contains baremetal compute nodes may lead to unexpected scheduling behaviour compute + +[cvmfs_server] +# Hosts to configure as a CernVM-FS Stratum 1 replica server for EESSI. +# See ansible/roles/cvmfs_server/README.md diff --git a/requirements.yml b/requirements.yml index 5e2493bad..61d9fb546 100644 --- a/requirements.yml +++ b/requirements.yml @@ -25,6 +25,9 @@ roles: version: v25.3.1 - src: mrlesmithjr.chrony version: v0.1.4 + - src: https://github.com/stackhpc/ansible-cvmfs.git + name: eessi.cvmfs + version: stackhpc # TODO: bump to release collections: - name: containers.podman From c182b97162622034eb1cae50c3f901c06b3ea8ee Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 6 Aug 2025 10:29:42 +0000 Subject: [PATCH 03/10] reload eessi client on config changes --- ansible/roles/eessi/tasks/configure.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ansible/roles/eessi/tasks/configure.yml b/ansible/roles/eessi/tasks/configure.yml index b3083761c..c496e997b 100644 --- a/ansible/roles/eessi/tasks/configure.yml 
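Review bot: The new `cvmfs_server` line in `dnf_repos:children` sits directly beneath the warning that any host other than `builder` in this group leaks Ark credentials to users, and nothing in the inventory records the mitigation; the role README elsewhere in this series says the node must be kept out of `basic_user`, `ldap` and `freeipa`, but that constraint is invisible to someone editing this file. I would carry it next to the new line, e.g. `# cvmfs_server: Ark creds are templated into its repofiles - keep it out of user-accessible groups, see ansible/roles/cvmfs_server/README.md`. The second hunk of this file (`@@ -202`) only declares the empty group and needs nothing.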
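Review bot: The new `eessi.cvmfs` entry pins `version: stackhpc`, a branch name, while the neighbouring roles pin immutable tags (`v25.3.1`, `v0.1.4`); a branch can advance or be force-pushed, so the role content the appliance installs is not reproducible and any change to that fork flows straight into the node that holds the cluster's software trust anchor. The `# TODO: bump to release` acknowledges this, but I would pin now, e.g. `version: <COMMIT-SHA-PLACEHOLDER> # stackhpc branch, TODO: bump to release`, and re-pin when a tagged release exists.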
+++ b/ansible/roles/eessi/tasks/configure.yml @@ -8,9 +8,16 @@ value: "{{ item.value }}" no_extra_spaces: true loop: "{{ cvmfs_config | dict2items }}" + register: _cvmfs_config_ini # NOTE: Not clear how to make this idempotent -- name: Ensure CVMFS config is setup +- name: Ensure CVMFS is setup command: cmd: "cvmfs_config setup" + when: _cvmfs_config_ini.changed | default(false) + +- name: Reload CVMFS config + command: + cmd: "cvmfs_config reload" + when: _cvmfs_config_ini.changed | default(false) From 5265a137cae4ad7c50bb92d3c5dd418b1f69510d Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 6 Aug 2025 10:42:03 +0000 Subject: [PATCH 04/10] update stratum 1 docs now found better link --- ansible/roles/cvmfs_server/README.md | 72 ++++++++++++++-------------- 1 file changed, 37 insertions(+), 35 deletions(-) diff --git a/ansible/roles/cvmfs_server/README.md b/ansible/roles/cvmfs_server/README.md index 744964dbc..658c6d7b5 100644 --- a/ansible/roles/cvmfs_server/README.md +++ b/ansible/roles/cvmfs_server/README.md 
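Review bot: The `NOTE: Not clear how to make this idempotent` comment above `Ensure CVMFS is setup` is now stale, because the added `when: _cvmfs_config_ini.changed | default(false)` is exactly the idempotency mechanism; I would replace it with `# Only run setup/reload when the ini file changed, as both commands always report 'changed'`. The `| default(false)` looks redundant, since `register` should define the variable even when the loop is empty, but it is harmless. The registering task starts above this hunk so its module is not visible; if it is an ini_file task, the aggregated top-level `changed` on a looped register is the right thing to test here.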
@@ -8,54 +8,56 @@ be configured to provide an http proxy for those clients to reduce the load on the upstream stratum 1 servers. However both of those approaches assume that there is outbound http access. If this is not the case, this role can be used to provide a private, in-cluster server replicating the EESSI repository from -an upstream server over https. +an EESSI synchronisation server. This feature is enabled by adding a node to the `cvmfs_server` group. The defaults provided are sufficent to implement the above configuration. -Guidance on configuring a *public* Stratum 1 server for EESSI is provided [here](https://multixscale.github.io/cvmfs-tutorial-hpc-best-practices/access/stratum1/). -Compared to those links, the defaults provided for this role: -- Use https URLs for both dnf repositories and for the EESSI repository replication. -- Use the `aws-eu-west-s1-sync` EESSI server (which is the only one providing +This role wraps the [EESSI ansible-cvmfs](https://github.com/EESSI/ansible-cvmfs) +role which provides additional functionality. Because of the intended use of +this role by default it: +- Uses https URLs for both dnf repositories and for the EESSI repository replication. +- Uses the `aws-eu-west-s1-sync` EESSI server (which is the only one providing https replication). -- Does not configure a squid proxy in front of the Stratum 1 server, because this - is considered unnecessary for a private Stratum 1. -- Does not configure a firewall, as OpenStack security groups are expected to be - sufficent. -- Does not configure the Geo API service, which is not needed for a private server. +- Does not configure a squid proxy in front of the Stratum 1 server. +- Does not configure a firewall (OpenStack security groups are expected to be + sufficent). +- Does not configure the Geo API service. + +Guidance on configuring a private Stratum 1 server for EESSI is provided [here](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1). 
# Requirements See also the example configuration below. -1. The node used requires ["a few cores and a couple gigabytes of memory"](https://cvmfs-contrib.github.io/cvmfs-tutorial-2021/02_stratum0_client/#21-setting-up-the-stratum-0) - and typically 50 GB of space in `/srv`. -2. The node used must have outbound connectivity for dnf package installs - and to replicate the EESSI repository. -3. If this role is used to provide EESSI for an [isolated cluster](../../../docs/experimental/isolated-clusters.md) - where cluster users have no outbound internet connectivity, ensure those users - cannot access this node, i.e. it is not in groups `basic_user`, `ldap` or - `freeipa`. -4. The node is automatically added to the `dnf_repos` group to enable yum - repositories so this role can install dependencies. It therefore requires - either configuring Ark credentials or a local Pulp server - see links in - [adding additional packages](../../../docs/operations.md#adding-additional-packages). - Note the former will also require setting `dnf_repos_allow_insecure_creds: true` - to allow Ark credentials to be templated into repofiles - this also requires 3. - to avoid exposing these to cluster users. +1. See the [EESSI Stratum 1 requirements](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1) + for the server specification. +3. The node used must have outbound connectivity for dnf package installs + and to replicate the EESSI repository. +4. If this role is used to provide EESSI for an [isolated cluster](../../../docs/experimental/isolated-clusters.md) + where cluster users have no outbound internet connectivity, ensure those users + cannot access this node, i.e. it is not in groups `basic_user`, `ldap` or + `freeipa`. +5. The node is automatically added to the `dnf_repos` group to enable yum + repositories so this role can install dependencies. 
It therefore requires + either configuring Ark credentials or a local Pulp server - see links in + [adding additional packages](../../../docs/operations.md#adding-additional-packages). + Note the former will also require setting `dnf_repos_allow_insecure_creds: true` + to allow Ark credentials to be templated into repofiles - this also requires 3. + to avoid exposing these to cluster users. ## Role variables -This role wraps the [EESSI ansible-cvmfs role](https://github.com/EESSI/ansible-cvmfs) -role and any variables described there may be used. The defaults in -`environments/common/inventory/group_vars/all/cvmfs_server.yml` -should be generally be satisfactory, except that `cvmfs_srv_device` will be -required if CVMFS data should not be stored on the root filesystem. +Any variables from the [EESSI ansible-cvmfs role](https://github.com/EESSI/ansible-cvmfs) +may be used. Due to wrapping that role, this role's defaults are mostly in +`environments/common/inventory/group_vars/all/cvmfs_server.yml`. The only +override likely to be be needed is to set `cvmfs_srv_device` if CVMFS data +should be be stored on a specific block device (e.g. a mounted volume). ## Example configuration The below OpenTofu configuration creates a new node in the `cvmfs_server` group -with a new 50 GB volume attached: +with a new 1TB volume attached: ```terraform # environments/production/tofu/main.tf: @@ -69,7 +71,7 @@ module "cluster" { flavor = "m2.medium" extra_volumes = { srv = { - size = 50 # GB + size = 1000 # GB } } } @@ -86,8 +88,8 @@ Configure the role to use the volume for CVMFS data: cvmfs_srv_device: /dev/vdb ``` -**NB:** This is only safe if a single volume is attached, else the ordering of -devices is not guaranteed. +**NB:** Hardcoding the path is only safe if a single volume is attached, else +the ordering of devices is not guaranteed after reboots etc. Note Ark credentials or a local Pulp server must also be configured as referenced above. 
@@ -96,7 +98,7 @@ above. Configuration for EESSI clients is provided by the [eessi](../eessi/README.md) role. To use the Stratum 1 server provided by this role requires overriding -the default configuration (NB: not adding additional configuration): +the default configuration (NB: not adding additional configuration) using: ``` # environments/site/inventory/group_vars/all/eessi.yml: From 3fd33657a37390e3ba0e8a627090c400a2ae2e2d Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 6 Aug 2025 12:43:35 +0000 Subject: [PATCH 05/10] add explanation of dnf repo snaphots format --- .../inventory/group_vars/all/timestamps.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/environments/common/inventory/group_vars/all/timestamps.yml b/environments/common/inventory/group_vars/all/timestamps.yml index 971515d2f..95d2edbe0 100644 --- a/environments/common/inventory/group_vars/all/timestamps.yml +++ b/environments/common/inventory/group_vars/all/timestamps.yml @@ -1,3 +1,18 @@ +# In the below: +# - Top-level key (e.g. appstream) is arbitrary +# - 2nd level key (e.g. '8.10') is `distribution_version` or `distribution_major_version` +# as required from ansible_facts +# - path is the base_path parameter from stackhpc-release-train/ansible/inventory/group_vars/all/package-repos +# WITHOUT the trailing slash +# - timestamp is the the Ark timestamp to use + +# See also ansible/roles/pulp_site/defaults/main.yml + +# Note that with Ark creds in the active environment all timestamps can be +# updated to the latest avaialble using +# ansible-playbook ansible/ci/update_timestamps.yml +# but it doesn't check they are functional! + appliances_pulp_repos: appstream: '8.10': From 76fc24d4fee6604bdd66d2e14485dea29c61529c Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 6 Aug 2025 12:52:45 +0000 Subject: [PATCH 06/10] add recovery notes for eessi sync failing --- ansible/roles/cvmfs_server/README.md | 6 ++++++ 1 file changed, 6 insertions(+) 
diff --git a/ansible/roles/cvmfs_server/README.md b/ansible/roles/cvmfs_server/README.md index 658c6d7b5..c8c4d28c6 100644 --- a/ansible/roles/cvmfs_server/README.md +++ b/ansible/roles/cvmfs_server/README.md @@ -26,6 +26,12 @@ this role by default it: Guidance on configuring a private Stratum 1 server for EESSI is provided [here](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1). +**NB**: The initial replication will take a considerable amount of time. If +this fails due to e.g. a network glitch you can recover it by sshing to the +server node and running: + + sudo cvmfs_server snapshot software.eessi.io + # Requirements See also the example configuration below. From ed065bc004f209097629a751fe91fbbb406fe8c4 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 6 Aug 2025 15:30:58 +0000 Subject: [PATCH 07/10] fix incorrect templating for grafana pulp sync --- ansible/roles/pulp_site/defaults/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/pulp_site/defaults/main.yml b/ansible/roles/pulp_site/defaults/main.yml index d30d1bdff..a25e06c2b 100644 --- a/ansible/roles/pulp_site/defaults/main.yml +++ b/ansible/roles/pulp_site/defaults/main.yml 
@@ -28,7 +28,7 @@ pulp_site_rpm_info: subpath: "{{ appliances_pulp_repos.openhpc_updates[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" - name: "ceph-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.ceph[pulp_site_target_distribution_version_major].timestamp }}" subpath: "{{ appliances_pulp_repos.ceph[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" -- name: "grafana-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.grafana.timestamp[pulp_site_target_distribution_version_major].timestamp }} +- name: "grafana-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major].timestamp }}" subpath: "{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" pulp_site_rpm_repo_defaults: From fe98b91a24622571ce78941118409e4cbe0b79c8 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 7 Aug 2025 09:48:32 +0000 Subject: [PATCH 08/10] use ark repos for cernvm-fs and fixup defaults approach --- ansible/roles/cvmfs_server/README.md | 33 +++++------ ansible/roles/cvmfs_server/defaults/main.yml | 57 +++++++++++++++++- ansible/roles/cvmfs_server/tasks/main.yml | 4 -- ansible/roles/dnf_repos/defaults/main.yml | 7 +++ ansible/roles/pulp_site/defaults/main.yml | 5 ++ .../inventory/group_vars/all/cvmfs_server.yml | 59 +------------------ .../inventory/group_vars/all/timestamps.yml | 20 ++++++- 7 files changed, 100 insertions(+), 85 deletions(-) diff --git a/ansible/roles/cvmfs_server/README.md b/ansible/roles/cvmfs_server/README.md index c8c4d28c6..b289c849e 100644 --- a/ansible/roles/cvmfs_server/README.md +++ b/ansible/roles/cvmfs_server/README.md 
@@ -14,27 +14,24 @@ This feature is enabled by adding a node to the `cvmfs_server` group. The defaults provided are sufficent to implement the above configuration. This role wraps the [EESSI ansible-cvmfs](https://github.com/EESSI/ansible-cvmfs) -role which provides additional functionality. Because of the intended use of -this role by default it: -- Uses https URLs for both dnf repositories and for the EESSI repository replication. -- Uses the `aws-eu-west-s1-sync` EESSI server (which is the only one providing +role, which provides additional functionality. The defaults here: +- Use https URLs for both dnf repositories and for the EESSI repository replication. +- Use the `aws-eu-west-s1-sync` EESSI server (which is the only one providing https replication). -- Does not configure a squid proxy in front of the Stratum 1 server. -- Does not configure a firewall (OpenStack security groups are expected to be +- Do not configure a squid proxy in front of the Stratum 1 server. +- Do not configure a firewall (OpenStack security groups are expected to be sufficent). -- Does not configure the Geo API service. +- Do not configure the Geo API service. Guidance on configuring a private Stratum 1 server for EESSI is provided [here](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1). **NB**: The initial replication will take a considerable amount of time. If this fails due to e.g. a network glitch you can recover it by sshing to the -server node and running: +`cvmfs_server` node and running: sudo cvmfs_server snapshot software.eessi.io -# Requirements - -See also the example configuration below. +## Requirements 1. See the [EESSI Stratum 1 requirements](https://www.eessi.io/docs/filesystem_layer/stratum1/#requirements-for-a-stratum-1) for the server specification. 
@@ -51,14 +48,14 @@ See also the example configuration below. Note the former will also require setting `dnf_repos_allow_insecure_creds: true` to allow Ark credentials to be templated into repofiles - this also requires 3. to avoid exposing these to cluster users. - + +See also the example configuration below. + ## Role variables Any variables from the [EESSI ansible-cvmfs role](https://github.com/EESSI/ansible-cvmfs) -may be used. Due to wrapping that role, this role's defaults are mostly in -`environments/common/inventory/group_vars/all/cvmfs_server.yml`. The only -override likely to be be needed is to set `cvmfs_srv_device` if CVMFS data -should be be stored on a specific block device (e.g. a mounted volume). +may set. Generally only `cvmfs_srv_device` is likely to be required, if CVMFS +data should be be stored on a specific block device (e.g. a mounted volume). ## Example configuration @@ -94,8 +91,8 @@ Configure the role to use the volume for CVMFS data: cvmfs_srv_device: /dev/vdb ``` -**NB:** Hardcoding the path is only safe if a single volume is attached, else -the ordering of devices is not guaranteed after reboots etc. +**NB:** Hardcoding the device path is only safe if a single volume is attached, +else the ordering of devices is not guaranteed after reboots etc. Note Ark credentials or a local Pulp server must also be configured as referenced above. diff --git a/ansible/roles/cvmfs_server/defaults/main.yml b/ansible/roles/cvmfs_server/defaults/main.yml index 8598974ac..18cd5c71c 100644 --- a/ansible/roles/cvmfs_server/defaults/main.yml +++ b/ansible/roles/cvmfs_server/defaults/main.yml 
@@ -1,4 +1,55 @@ -# NB: Most defaults are set in -# environments/common/inventory/group_vars/all/cvmfs_server.yml -# as the wrapped role does not pick up defaults from here +# NB: Most eessi.cvmfs variables cannot be set here, because they are not +# applied when this role calls it via import_role. +# Instead they are set in environments/common/inventory/group_vars/all/cvmfs_server.yml + cvmfs_role: stratum1 + +# Vars from eessi.cvmfs:vars/redhat.yml - required because *this* role does +# not run eessi.cvmfs:tasks/main.yml which loads those vars. These therefore +# *can* be set here, as they are not otherwise set at all. + +cvmfs_apache_service_name: httpd +cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf +cvmfs_dnf_repos: [] # provided by dnf_repos instead + +cvmfs_dnf_repo_key: + content: | + -----BEGIN PGP PUBLIC KEY BLOCK----- + Version: GnuPG v2.0.14 (GNU/Linux) + + mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4 + wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC + 4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/ + aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87 + HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc + mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd + 6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK + IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU + JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk + bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy + bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/ + ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4 + 2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE + ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC + zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1 + u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP + 
LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX + VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG + aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD + nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G + YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM + eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh + dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG + CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2 + AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg= + =S7Dt + -----END PGP PUBLIC KEY BLOCK----- + dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM + +cvmfs_packages: + stratum1-disk: + - httpd + - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}" + - "{{ 'squid' if cvmfs_stratum1_squid else omit }}" + - cvmfs-server + - cvmfs-config-default diff --git a/ansible/roles/cvmfs_server/tasks/main.yml b/ansible/roles/cvmfs_server/tasks/main.yml index 56ee85aaa..15fe90a37 100644 --- a/ansible/roles/cvmfs_server/tasks/main.yml +++ b/ansible/roles/cvmfs_server/tasks/main.yml @@ -1,7 +1,3 @@ - ansible.builtin.import_role: name: eessi.cvmfs tasks_from: "{{ cvmfs_role }}.yml" - vars: - # from ansible-cvmfs/vars/redhat.yml - cvmfs_apache_service_name: httpd - cvmfs_apache_conf_file: /etc/httpd/conf/httpd.conf diff --git a/ansible/roles/dnf_repos/defaults/main.yml b/ansible/roles/dnf_repos/defaults/main.yml index 9302eff84..8977c15c8 100644 --- a/ansible/roles/dnf_repos/defaults/main.yml +++ b/ansible/roles/dnf_repos/defaults/main.yml @@ -19,6 +19,7 @@ dnf_repos_filenames: dnf_repos_version_filenames: "{{ dnf_repos_filenames[ansible_distribution_major_version] }}" # epel installed separately +# NB: 'name' cannot have spaces dnf_repos_default_repolist: - file: "{{ dnf_repos_version_filenames.baseos }}" name: baseos 
@@ -38,6 +39,12 @@ dnf_repos_default_repolist: - file: "{{ dnf_repos_version_filenames.grafana }}" name: grafana base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.grafana[ansible_distribution_major_version] | appliances_repo_to_subpath }}" +- file: cernvm + name: cernvmfs_pkgs + base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.cernvmfs_pkgs[ansible_distribution_major_version] | appliances_repo_to_subpath }}" +- file: cernvm + name: cernvmfs_cfg + base_url: "{{ dnf_repos_pulp_content_url }}/{{ appliances_pulp_repos.cernvmfs_cfg[ansible_distribution_major_version] | appliances_repo_to_subpath }}" dnf_repos_openhpc_repolist: - name: OpenHPC diff --git a/ansible/roles/pulp_site/defaults/main.yml b/ansible/roles/pulp_site/defaults/main.yml index a25e06c2b..8365deb8a 100644 --- a/ansible/roles/pulp_site/defaults/main.yml +++ b/ansible/roles/pulp_site/defaults/main.yml 
@@ -30,6 +30,11 @@ pulp_site_rpm_info: subpath: "{{ appliances_pulp_repos.ceph[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" - name: "grafana-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major].timestamp }}" subpath: "{{ appliances_pulp_repos.grafana[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" +- name: "cernvmfs_pkgs-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_pkgs.timestamp[pulp_site_target_distribution_version_major].timestamp }} + subpath: "{{ appliances_pulp_repos.cernvmfs_pkgs[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" +- name: "cernvmfs_cfg-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_pkgs.timestamp[pulp_site_target_distribution_version_major].timestamp }} + subpath: "{{ appliances_pulp_repos.cernvmfs_cfg[pulp_site_target_distribution_version_major] | appliances_repo_to_subpath }}" + pulp_site_rpm_repo_defaults: remote_username: "{{ pulp_site_upstream_username }}" diff --git a/environments/common/inventory/group_vars/all/cvmfs_server.yml b/environments/common/inventory/group_vars/all/cvmfs_server.yml index 972eb86c8..977fa8f30 100644 --- a/environments/common/inventory/group_vars/all/cvmfs_server.yml +++ b/environments/common/inventory/group_vars/all/cvmfs_server.yml 
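Review bot: Both new `name:` entries index `appliances_pulp_repos.cernvmfs_pkgs.timestamp[...]`, but timestamps.yml defines the timestamp under the version key (`cernvmfs_pkgs['8'].timestamp`), so this will fail to template; the cfg entry also reads `cernvmfs_pkgs` where it should read `cernvmfs_cfg`, and both `name:` values appear to lack the closing `"` that the grafana line above has. Following the grafana entry they should read `- name: "cernvmfs_pkgs-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_pkgs[pulp_site_target_distribution_version_major].timestamp }}"` and `- name: "cernvmfs_cfg-{{ pulp_site_target_distribution_version_major }}-{{ appliances_pulp_repos.cernvmfs_cfg[pulp_site_target_distribution_version_major].timestamp }}"`. Even once the lookup path is fixed, the cfg mirror as written would be labelled with the pkgs timestamp, so the synced content and its name would disagree.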
@@ -2,21 +2,9 @@ # cvmfs_srv_device: # block device to use for CVMFS data. /srv/cvmfs is used if not set. -cvmfs_dnf_repo_protocol: https - -cvmfs_dnf_repos: - - name: cernvm - file: cernvm - baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs/EL/$releasever/$basearch/" - description: CernVM packages - - name: cernvm-config - file: cernvm - baseurl: "{{ cvmfs_dnf_repo_protocol }}://cvmrepo.web.cern.ch/cvmrepo/yum/cvmfs-config/EL/$releasever/$basearch/" - description: CernVM-FS extra config packages - cvmfs_keys: - - path: /etc/cvmfs/keys/eessi.io/eessi.io.pub # from /cvmfs/cvmfs-config.cern.ch/etc/cvmfs/keys/eessi.io/eessi.io.pub on client + - path: /etc/cvmfs/keys/eessi.io/eessi.io.pub key: | -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyau1UFUcoiqpE5U9StON 
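Review bot: The rewritten `- path: /etc/cvmfs/keys/eessi.io/eessi.io.pub` line drops the comment recording where the key came from (`/cvmfs/cvmfs-config.cern.ch/etc/cvmfs/keys/eessi.io/eessi.io.pub on client`). This public key is the trust anchor the Stratum 1 replica is given via `key_dir` in `cvmfs_repositories` to authenticate software.eessi.io, so its provenance should stay documented so a reviewer can check it against the upstream key before any edit, e.g. `# Trust anchor for software.eessi.io; copied from /cvmfs/cvmfs-config.cern.ch/etc/cvmfs/keys/eessi.io/eessi.io.pub on a client - verify against upstream before changing`. The rest of the key material and the `cvmfs_repositories` stanza fall outside this hunk.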
@@ -38,48 +26,3 @@ cvmfs_repositories: repository: software.eessi.io key_dir: /etc/cvmfs/keys/eessi.io owner: root - - -# Below taken from ansible-cvmfs/vars/redhat.yml and are needed because the -# cvmfs_server role does not run ansible-cvmfs/tasks/main.yml: -cvmfs_dnf_repo_key: - content: | - -----BEGIN PGP PUBLIC KEY BLOCK----- - Version: GnuPG v2.0.14 (GNU/Linux) - - mQGiBEuGP6YRBADV89cbF4uoEX89Q8uxOklIDVJhOJAFKZ33LSdzHv3iObnjo5w4 - wbb8FiSir4oWgarAco4u0kR1yKjHJ33oVB2xmPOzW3NWoHI7aPF7tCgo7FY9hNoC - 4NEkNycvbfSoCScsv2yY5qz2q2sY1LWGZGbUXjBvKbmASe9sJFKJV7NsmwCg76W/ - aMazleHyDtooD8tk3ZWvpKcD/Rg51Oad+ZLc7h45wDMHpaDvOBeGoyp+k7JgQd87 - HfXiJtg/Q6zyTwrV3vCQvMpw3GRjRkZBcPgRWb6rUk68dL8fa2cTxhISX5/DIQzc - mmuDa0EgCGGAKUZ4bHqaexFFnp/B+VKBPvJuxLa0cBDd6eewxNwtHJ90EaMeBzGd - 6zU2BADO9YbXiEMqRkfVLnuvD5G31/WJZvffXCxspnSfg923DbILWa4vNW9MLMsK - IVHvyVr0mZF8xdyQNVPUX3/4uahKM4hwuFqdbyjuLGEIF3U73aIJ0+YDep/+I6yU - JGHnxy8Ex+a1XIhJ1hSI7+oalSdt+w/pE3+2MQyUfSDPSXVA3LQ+Q2VyblZNIEFk - bWluaXN0cmF0b3IgKGN2bWFkbWluKSA8Y2VybnZtLmFkbWluaXN0cmF0b3JAY2Vy - bi5jaD6IZAQTEQIAJAIbAwYLCQgHAwIDFQIDAxYCAQIeAQIXgAUCT18LigUJBbn/ - ZAAKCRAjDTidiuRc5/BFAKCb13G8yxG75r3s63mHo5l9PNUKGwCfZpSlZrhBsVZ4 - 2DsKfLG1VQ+X8HW5Ag0ES4Y/qBAIAL3sWKXQKpbIOpwX+mNX2IV2XxNBM3KYjYOE - ii66i9apPo3BA39a9Wm9vh1kYIHTkh9Qqb8w53hc4ANkVT+cYzxXythGBjWoLtwC - zKCPrIb7RQJRc956Ot0q4qmlcUEGi5zefSIoJZR5jyR7rZS+1PNJYI05xY2+Eah1 - u9UxrlzBH5DCsvUqTNK12WrPIibmLo8u+yIDJjwgh9O5YITC+et/g47NLfZdiAGP - LEjvJFRi7Ju+8ywO32dSVBPJQDktr5BC950DKZHA9n+sJ63iF3lP/aCTECpxxUqX - VVqioobwg5ytl60hw9I9sfwBP6z9PR90RcyT1l4giiBz9LV+KpcAAwUIAKeAxArG - aJxzWziKs7D8TTuE50Nw+S3RGhVzwSKy7183Z11iOEMqbm2/zwp65wFkntCKmLKD - nGsTgFNpstIyFwJmj34Axp7N3KGqXnTI+SIQd6VmzQ1phxfCOw8IGueOR6YI7S1G - YWt7DoseZKz4EWdvXCOkQAhbxq/HT2c3ihxsuxrErxz7QtNaYOFXiuLj3mYH9XaM - eEe8Pkl+yyRTvyUNlMIu/i79qf+QUlsi10nCUm88cSXQiKWOJ4GiUoT+jD7pN4oh - dALRVl0tl/EyPTw+asG3lQhPZ+solvJXp+i7KF7nwnyXDB63WNH15S1pQLMnqCuG - CFyegf6jnOJU0AqITwQYEQIADwIbDAUCT18MOQUJBboAEQAKCRAjDTidiuRc53P2 - 
AJ9e1y70yIKwx6YmpDnwqWSE07Q6lACdEnem0DbLg9t+gkX/98driCP9Ifg= - =S7Dt - -----END PGP PUBLIC KEY BLOCK----- - dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-CernVM - -cvmfs_packages: - stratum1-disk: - - httpd - - "{{ 'mod_wsgi' if ansible_distribution_major_version is version('8', '<') else 'python3-mod_wsgi' }}" - - "{{ 'squid' if cvmfs_stratum1_squid else omit }}" - - cvmfs-server - - cvmfs-config-default diff --git a/environments/common/inventory/group_vars/all/timestamps.yml b/environments/common/inventory/group_vars/all/timestamps.yml index 95d2edbe0..26a574810 100644 --- a/environments/common/inventory/group_vars/all/timestamps.yml +++ b/environments/common/inventory/group_vars/all/timestamps.yml @@ -6,10 +6,12 @@ # WITHOUT the trailing slash # - timestamp is the the Ark timestamp to use -# See also ansible/roles/pulp_site/defaults/main.yml +# See also: +# - ansible/roles/dnf_repos/defaults/main.yml +# - ansible/roles/pulp_site/defaults/main.yml # Note that with Ark creds in the active environment all timestamps can be -# updated to the latest avaialble using +# updated to the latest available using # ansible-playbook ansible/ci/update_timestamps.yml # but it doesn't check they are functional! @@ -89,3 +91,17 @@ appliances_pulp_repos: '9': path: OpenHPC/3/updates/EL_9 timestamp: 20250510T003301 + cernvmfs_pkgs: + '8': + path: cvmfs/EL/8/x86_64 + timestamp: 20250806T121654 + '9': + path: cvmfs/EL/9/x86_64 + timestamp: 20250806T121654 + cernvmfs_cfg: + '8': + path: cvmfs-config/EL/8/x86_64 + timestamp: 20250805T130249 + '9': + path: cvmfs-config/EL/9/x86_64 + timestamp: 20250805T130249 From c4d925469bde417c66f72a995b215c94ce89c0cf Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 7 Aug 2025 09:49:29 +0000 Subject: [PATCH 09/10] bump cernvmfs role to release --- requirements.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.yml b/requirements.yml index 61d9fb546..7579d7ebd 100644 --- a/requirements.yml +++ b/requirements.yml 
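Review bot: The new `path:` values under `cernvmfs_pkgs` and `cernvmfs_cfg` hard-code `x86_64` (`cvmfs/EL/8/x86_64`, `cvmfs-config/EL/9/x86_64`), whereas the `cvmfs_dnf_repos` baseurls this series removes from group_vars used `$basearch`; if the appliance is ever built for another architecture these mirrors would serve the wrong packages. If x86_64-only is intentional, a comment such as `# x86_64 only - the upstream cvmfs repo publishes per-arch trees` next to these entries would make the assumption explicit. The `cernvmfs_pkgs` and `cernvmfs_cfg` timestamps also differ (20250806T121654 vs 20250805T130249); that is fine for independent snapshots but worth a note if they are expected to be bumped together.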
@@ -27,7 +27,7 @@ roles: version: v0.1.4 - src: https://github.com/stackhpc/ansible-cvmfs.git name: eessi.cvmfs - version: stackhpc # TODO: bump to release + version: 2025.08.1 collections: - name: containers.podman From 19f37b284f49cf84959fb98f522e442dd2f955bc Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 7 Aug 2025 10:30:21 +0000 Subject: [PATCH 10/10] document support for cvmfs_server role --- ansible/roles/compute_init/README.md | 1 + docs/experimental/isolated-clusters.md | 11 +++++++---- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/ansible/roles/compute_init/README.md b/ansible/roles/compute_init/README.md index 7a95d2b74..6e20a2746 100644 --- a/ansible/roles/compute_init/README.md +++ b/ansible/roles/compute_init/README.md @@ -73,6 +73,7 @@ it also requires an image build with the role name added to the | filesystems.yml | manila | All functionality | No [5] | | filesystems.yml | lustre | All functionality | Yes | | extras.yml | basic_users | All functionality [6] | No | +| extras.yml | cvmfs_server | Not relevant for compute nodes | n/a | | extras.yml | eessi | All functionality [7] | No | | extras.yml | cuda | None required - use image build | Yes [8] | | extras.yml | vgpu | All functionality | Yes | diff --git a/docs/experimental/isolated-clusters.md b/docs/experimental/isolated-clusters.md index 304b625d2..6da463854 100644 --- a/docs/experimental/isolated-clusters.md +++ b/docs/experimental/isolated-clusters.md 
@@ -20,10 +20,13 @@ network is shown in the table below. Note that: ``` 2. Using [EESSI](https://www.eessi.io/docs/) necessarily requires outbound - network access for the CernVM File System. However this can be provided - via an authenticated proxy. While the proxy configuration on the cluster node - is readable by all users, this proxy could be limited via acls to only provide - access to EESSI's CVMFS Stratum 1 servers. + network access for the CernVM File System. If security groups are not + sufficent to restrict this: + a. If outbound http is available, an authenticated proxy could be used, + limited via acls to only provide access to EESSI's CVMFS Stratum 1 servers, + The proxy configuration should be via the `eessi` role variables. + b. If only outbound https is available, the [cvmfs_server](../../ansible/roles/cvmfs_server/README.md) + role can be used to provide a Stratum 1 server on the cluster network. ## Support by feature for isolated networks