From 7413c08fe8c7267bdc6b467d2368d52a828bf65b Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 11 Sep 2024 20:53:48 +0000 Subject: [PATCH 01/23] support sssd configuration --- ansible/.gitignore | 3 ++- ansible/iam.yml | 9 +++++++++ ansible/roles/sssd/README.md | 2 ++ ansible/roles/sssd/defaults/main.yml | 7 +++++++ ansible/roles/sssd/handlers/main.yml | 5 +++++ ansible/roles/sssd/tasks/configure.yml | 16 ++++++++++++++++ ansible/roles/sssd/tasks/install.yml | 3 +++ ansible/roles/sssd/tasks/main.yml | 2 ++ .../inventory/group_vars/builder/defaults.yml | 2 ++ environments/common/inventory/groups | 5 ++++- environments/common/layouts/everything | 5 ++++- 11 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 ansible/roles/sssd/README.md create mode 100644 ansible/roles/sssd/defaults/main.yml create mode 100644 ansible/roles/sssd/handlers/main.yml create mode 100644 ansible/roles/sssd/tasks/configure.yml create mode 100644 ansible/roles/sssd/tasks/install.yml create mode 100644 ansible/roles/sssd/tasks/main.yml diff --git a/ansible/.gitignore b/ansible/.gitignore index 2ceeb596b..837c314a9 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -58,4 +58,5 @@ roles/* !roles/squid/** !roles/tuned/ !roles/tuned/** - +!roles/sssd/ +!roles/sssd/** diff --git a/ansible/iam.yml b/ansible/iam.yml index 0286b9df3..857b8f840 100644 --- a/ansible/iam.yml +++ b/ansible/iam.yml @@ -40,3 +40,12 @@ import_role: name: freeipa tasks_from: users.yml + +- hosts: sssd + become: yes + gather_facts: no + tags: sssd + tasks: + - name: Configure sssd + import_role: + name: sssd diff --git a/ansible/roles/sssd/README.md b/ansible/roles/sssd/README.md new file mode 100644 index 000000000..390dcae9e --- /dev/null +++ b/ansible/roles/sssd/README.md @@ -0,0 +1,2 @@ +# sssd + diff --git a/ansible/roles/sssd/defaults/main.yml b/ansible/roles/sssd/defaults/main.yml new file mode 100644 index 000000000..43a16ee50 --- /dev/null +++ b/ansible/roles/sssd/defaults/main.yml 
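Review bot: The new `sssd` play in the iam.yml hunk writes `become: yes` and `gather_facts: no`, while the role it imports uses proper booleans (`sssd_started: true`); YAML 1.1 truthy words are accepted by Ansible but are flagged by ansible-lint/yamllint and read differently by other parsers, so `become: true` and `gather_facts: false` would be the consistent form. The same applies to the sshd play added to bootstrap.yml in patch 13 of this series.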
@@ -0,0 +1,7 @@
+sssd_packages:
+ - sssd-common
+ - sssd-ldap # TODO: maybe should be in ldap role ??
+sssd_conf_src: "{{ appliances_environment_root }}/files/sssd.conf.j2"
+sssd_conf_dest: /etc/sssd/sssd.conf
+sssd_started: true
+sssd_enabled: true
diff --git a/ansible/roles/sssd/handlers/main.yml b/ansible/roles/sssd/handlers/main.yml
new file mode 100644
index 000000000..a3e1c0699
--- /dev/null
+++ b/ansible/roles/sssd/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: Restart sssd
+ service:
+ name: sssd
+ state: restarted
+ when: sssd_started | bool
diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml
new file mode 100644
index 000000000..400ef599e
--- /dev/null
+++ b/ansible/roles/sssd/tasks/configure.yml
@@ -0,0 +1,16 @@
+- name: Write sssd.conf
+ template:
+ src: "{{ sssd_conf_src }}"
+ dest: "{{ sssd_conf_dest }}"
+ owner: root
+ group: root
+ mode: u=rw,go=
+ notify: "Restart sssd"
+
+- meta: flush_handlers
+
+- name: Ensure sssd service state
+ systemd:
+ name: sssd
+ state: "{{ 'started' if sssd_started | bool else 'stopped' }}"
+ enabled: "{{ true if sssd_enabled else false }}"
diff --git a/ansible/roles/sssd/tasks/install.yml b/ansible/roles/sssd/tasks/install.yml
new file mode 100644
index 000000000..8e55ff1c8
--- /dev/null
+++ b/ansible/roles/sssd/tasks/install.yml
@@ -0,0 +1,3 @@
+- name: Install packages
+ dnf:
+ name: "{{ sssd_packages }}"
diff --git a/ansible/roles/sssd/tasks/main.yml b/ansible/roles/sssd/tasks/main.yml
new file mode 100644
index 000000000..2b65e84b4
--- /dev/null
+++ b/ansible/roles/sssd/tasks/main.yml
@@ -0,0 +1,2 @@
+- import_tasks: install.yml
+- import_tasks: configure.yml
diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml
index 22042c1bf..7b6a6d00e 100644
--- a/environments/common/inventory/group_vars/builder/defaults.yml
+++ b/environments/common/inventory/group_vars/builder/defaults.yml
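Review bot: The `Write sssd.conf` task in the configure.yml hunk sets `owner: root`, `group: root`, `mode: u=rw,go=`, which is the right permission for a file that commonly holds directory bind credentials, but the task itself has no `diff: false`, so a site template containing `ldap_default_authtok` would have the rendered secret printed to the console and any log collector whenever the play runs with `--diff`. Consider adding `diff: false  # sssd.conf may contain bind credentials` to the task, or stating in the role README that the template should reference an obfuscated or file-backed credential rather than embed it.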
@@ -22,3 +22,5 @@ squid_cache_disk: 0 # just needs to be defined squid_cache_mem: 0 tuned_started: false tuned_enabled: false +sssd_started: false +sssd_enabled: false diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups index ea0bebebc..663aa331d 100644 --- a/environments/common/inventory/groups +++ b/environments/common/inventory/groups @@ -134,4 +134,7 @@ freeipa_client # Hosts to run TuneD configuration [ansible_init] -# Hosts to run linux-anisble-init \ No newline at end of file +# Hosts to run linux-anisble-init + +[sssd] +# Hosts to configure sssd on diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything index 85af46c06..988a8fe42 100644 --- a/environments/common/layouts/everything +++ b/environments/common/layouts/everything @@ -81,4 +81,7 @@ openhpc [ansible_init:children] # Hosts to run ansible-init -cluster \ No newline at end of file +cluster + +[sssd] +# Hosts to configure sssd on From 7d1bd692857ff850fc754de0585b58f09f93e273 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 12 Sep 2024 11:15:49 +0000 Subject: [PATCH 02/23] make sssd-ldap optional --- ansible/roles/sssd/README.md | 14 ++++++++++++++ ansible/roles/sssd/defaults/main.yml | 4 +++- ansible/roles/sssd/tasks/install.yml | 4 ++-- 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/ansible/roles/sssd/README.md b/ansible/roles/sssd/README.md index 390dcae9e..e2af20cd1 100644 --- a/ansible/roles/sssd/README.md +++ b/ansible/roles/sssd/README.md 
@@ -1,2 +1,16 @@ # sssd +Install and configure [sssd](https://sssd.io/docs/introduction.html). + + +## Role variables + +The only required configuration is to create a [sssd.conf](https://www.mankier.com/5/sssd.conf) template at the location specified by `sssd_conf_src`. + +- `sssd_packages`: Optional list. Packages to install. +- `sssd_ldap_install`: Optional bool. Whether to install packages enabling SSSD to authenticate against LDAP. Default `false`. +- `sssd_ldap_packages`: Optional list. Packages to install when using `sssd_ldap_install`. +- `sssd_conf_src`: Optional string. Path to `sssd.conf` template. Default (which must be created) is `{{ appliances_environment_root }}/files/sssd.conf.j2`. +- `sssd_conf_dest`: Optional string. Path to destination for `sssd.conf`. Default `/etc/sssd/sssd.conf`. +- `sssd_started`: Optional bool. Whether `sssd` service should be started. +- `sssd_enabled`: Optional bool. Whether `sssd` service should be enabled. diff --git a/ansible/roles/sssd/defaults/main.yml b/ansible/roles/sssd/defaults/main.yml index 43a16ee50..6952b9e45 100644 --- a/ansible/roles/sssd/defaults/main.yml +++ b/ansible/roles/sssd/defaults/main.yml @@ -1,6 +1,8 @@ sssd_packages: - sssd-common - - sssd-ldap # TODO: maybe should be in ldap role ?? +sssd_install_ldap: false +sssd_ldap_packages: + - sssd-ldap sssd_conf_src: "{{ appliances_environment_root }}/files/sssd.conf.j2" sssd_conf_dest: /etc/sssd/sssd.conf sssd_started: true diff --git a/ansible/roles/sssd/tasks/install.yml b/ansible/roles/sssd/tasks/install.yml index 8e55ff1c8..f93dc59b7 100644 --- a/ansible/roles/sssd/tasks/install.yml +++ b/ansible/roles/sssd/tasks/install.yml @@ -1,3 +1,3 @@ -- name: Install packages +- name: Install sssd packages dnf: - name: "{{ sssd_packages }}" + name: "{{ sssd_packages + sssd_ldap_packages if (sssd_install_ldap | bool) else [] }}" From be0278022b14eebc34218170ad00946963f16f0a Mon Sep 17 00:00:00 2001 
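Review bot: The new `name:` line in the install.yml hunk, `sssd_packages + sssd_ldap_packages if (sssd_install_ldap | bool) else []`, is parsed by Jinja as `(sssd_packages + sssd_ldap_packages) if … else []` because the conditional binds loosest, so with the role default `sssd_install_ldap: false` the list handed to `dnf` is empty and `sssd-common` is never installed. Parenthesise the conditional: `name: "{{ sssd_packages + (sssd_ldap_packages if (sssd_install_ldap | bool) else []) }}"`. The same line is carried unchanged into the install.yml hunks of patches 06 and 10, and it probably went unnoticed because the CI builder group sets `sssd_install_ldap: true` later in this series. The README hunk in this commit also documents the flag as `sssd_ldap_install` while defaults/main.yml defines `sssd_install_ldap`, so a reader following the README would set a variable the role never reads; the two names should be aligned.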
From: Steve Brasier Date: Thu, 12 Sep 2024 14:44:54 +0000 Subject: [PATCH 03/23] SSSD PR review tweaks --- ansible/roles/sssd/tasks/configure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml index 400ef599e..64f6fb461 100644 --- a/ansible/roles/sssd/tasks/configure.yml +++ b/ansible/roles/sssd/tasks/configure.yml @@ -13,4 +13,4 @@ systemd: name: sssd state: "{{ 'started' if sssd_started | bool else 'stopped' }}" - enabled: "{{ true if sssd_enabled else false }}" + enabled: "{{ sssd_enabled | bool }}" From 70e630dd2b2db79861b616c8790f8e358e88494b Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 13 Sep 2024 19:49:04 +0000 Subject: [PATCH 04/23] enable installing sssd in fatimage --- ansible/fatimage.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ansible/fatimage.yml b/ansible/fatimage.yml index 58e1d72c7..922062902 100644 --- a/ansible/fatimage.yml +++ b/ansible/fatimage.yml @@ -33,6 +33,11 @@ name: freeipa tasks_from: client-install.yml when: "'freeipa_client' in group_names" + - name: Install sssd + import_role: + name: sssd + tasks_from: install.yml + when: "'sssd' in group_names" # - import_playbook: filesystems.yml: - name: Install nfs packages From ae16669da0e4dd6306dbaf9abc122bd1b6b592f3 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 13 Sep 2024 19:51:03 +0000 Subject: [PATCH 05/23] install sssd and sssd-ldap packages in stackhpc fatimage --- environments/.stackhpc/inventory/extra_groups | 4 ++++ environments/.stackhpc/inventory/group_vars/builder.yml | 1 + 2 files changed, 5 insertions(+) diff --git a/environments/.stackhpc/inventory/extra_groups b/environments/.stackhpc/inventory/extra_groups index 7c9a7c774..2531b803e 100644 --- a/environments/.stackhpc/inventory/extra_groups +++ b/environments/.stackhpc/inventory/extra_groups 
@@ -31,3 +31,7 @@ compute [squid:children] # Install squid into fat image builder + +[sssd:children] +# Install sssd into fat image +builder diff --git a/environments/.stackhpc/inventory/group_vars/builder.yml b/environments/.stackhpc/inventory/group_vars/builder.yml index 8d7ee98d2..23b1ecf01 100644 --- a/environments/.stackhpc/inventory/group_vars/builder.yml +++ b/environments/.stackhpc/inventory/group_vars/builder.yml @@ -1 +1,2 @@ #update_enable: false # Can uncomment for speed debugging non-update related build issues +sssd_install_ldap: true # include sssd-ldap package in fatimage From 7ea7709c3b03f596f24ff4e6a219fe226cfbc63e Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Tue, 17 Sep 2024 09:01:59 +0000 Subject: [PATCH 06/23] fix sssd being enabled in fatimage --- ansible/roles/sssd/handlers/main.yml | 2 +- ansible/roles/sssd/tasks/install.yml | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ansible/roles/sssd/handlers/main.yml b/ansible/roles/sssd/handlers/main.yml index a3e1c0699..72c36e736 100644 --- a/ansible/roles/sssd/handlers/main.yml +++ b/ansible/roles/sssd/handlers/main.yml @@ -1,5 +1,5 @@ - name: Restart sssd - service: + systemd: name: sssd state: restarted when: sssd_started | bool diff --git a/ansible/roles/sssd/tasks/install.yml b/ansible/roles/sssd/tasks/install.yml index f93dc59b7..a292065a8 100644 --- a/ansible/roles/sssd/tasks/install.yml +++ b/ansible/roles/sssd/tasks/install.yml @@ -1,3 +1,9 @@ - name: Install sssd packages dnf: name: "{{ sssd_packages + sssd_ldap_packages if (sssd_install_ldap | bool) else [] }}" + +- name: Control if sssd should start on boot + # Needs to be done here to prevent starting after image build, is enabled by default + systemd: + name: sssd + enabled: "{{ sssd_enabled | bool }}" From c45146085a8462dc0f6fc12bba3cd5a753fd7705 Mon Sep 17 00:00:00 2001 
From: Steve Brasier Date: Tue, 17 Sep 2024 10:57:41 +0000 Subject: [PATCH 07/23] bump CI image --- environments/.stackhpc/terraform/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/environments/.stackhpc/terraform/main.tf b/environments/.stackhpc/terraform/main.tf index 0b34a4947..d2b7d2e7d 100644 --- a/environments/.stackhpc/terraform/main.tf +++ b/environments/.stackhpc/terraform/main.tf @@ -29,9 +29,9 @@ variable "cluster_image" { description = "single image for all cluster nodes, keyed by os_version - a convenience for CI" type = map(string) default = { - # https://github.com/stackhpc/ansible-slurm-appliance/pull/427 - RL8: "openhpc-ofed-RL8-240906-1042-32568dbb" - RL9: "openhpc-ofed-RL9-240906-1041-32568dbb" + # https://github.com/stackhpc/ansible-slurm-appliance/pull/438 + RL8: "openhpc-ofed-RL8-240917-0908-7ea7709c" + RL9: "openhpc-ofed-RL9-240917-0908-7ea7709c" } } From ab45c2a8a8cd05ab0fa4db265411e682a6151930 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 18 Sep 2024 07:27:41 +0000 Subject: [PATCH 08/23] simplify sssd-ldap package installation in fatimage --- environments/.stackhpc/inventory/group_vars/builder.yml | 1 - environments/common/inventory/group_vars/builder/defaults.yml | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/environments/.stackhpc/inventory/group_vars/builder.yml b/environments/.stackhpc/inventory/group_vars/builder.yml index 23b1ecf01..8d7ee98d2 100644 --- a/environments/.stackhpc/inventory/group_vars/builder.yml +++ b/environments/.stackhpc/inventory/group_vars/builder.yml @@ -1,2 +1 @@ #update_enable: false # Can uncomment for speed debugging non-update related build issues -sssd_install_ldap: true # include sssd-ldap package in fatimage diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml index 7b6a6d00e..a84cdcc9d 100644 --- a/environments/common/inventory/group_vars/builder/defaults.yml 
+++ b/environments/common/inventory/group_vars/builder/defaults.yml @@ -24,3 +24,4 @@ tuned_started: false tuned_enabled: false sssd_started: false sssd_enabled: false +sssd_install_ldap: true # include sssd-ldap package in fatimage From 243be0f1e2fdf8cde6d3226aeb2c8630c1e51f14 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 18 Sep 2024 09:10:10 +0000 Subject: [PATCH 09/23] bump CI image --- environments/.stackhpc/terraform/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/.stackhpc/terraform/main.tf b/environments/.stackhpc/terraform/main.tf index d2b7d2e7d..1f599fb53 100644 --- a/environments/.stackhpc/terraform/main.tf +++ b/environments/.stackhpc/terraform/main.tf @@ -30,8 +30,8 @@ variable "cluster_image" { type = map(string) default = { # https://github.com/stackhpc/ansible-slurm-appliance/pull/438 - RL8: "openhpc-ofed-RL8-240917-0908-7ea7709c" - RL9: "openhpc-ofed-RL9-240917-0908-7ea7709c" + RL8: "openhpc-ofed-RL8-240918-0730-15373e10" + RL9: "openhpc-ofed-RL9-240918-0730-15373e10" } } From 701da11ffb6897465e7cdf169cfd6c95c590fc76 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 18 Sep 2024 15:07:19 +0000 Subject: [PATCH 10/23] enable mkhomedir --- ansible/roles/sssd/README.md | 2 ++ ansible/roles/sssd/defaults/main.yml | 3 +++ ansible/roles/sssd/tasks/configure.yml | 14 +++++++++++++- ansible/roles/sssd/tasks/install.yml | 6 +++++- 4 files changed, 23 insertions(+), 2 deletions(-) diff --git a/ansible/roles/sssd/README.md b/ansible/roles/sssd/README.md index e2af20cd1..da4e63f31 100644 --- a/ansible/roles/sssd/README.md +++ b/ansible/roles/sssd/README.md 
@@ -10,6 +10,8 @@ The only required configuration is to create a [sssd.conf](https://www.mankier.c - `sssd_packages`: Optional list. Packages to install. - `sssd_ldap_install`: Optional bool. Whether to install packages enabling SSSD to authenticate against LDAP. Default `false`. - `sssd_ldap_packages`: Optional list. Packages to install when using `sssd_ldap_install`. +- `sssd_enable_mkhomedir`: Optional bool. Whether to enable creation of home directories on login. Default `false`. +- `sssd_mkhomedir_packages`: Optional list. Packages to install when using `sssd_enable_mkhomedir`. - `sssd_conf_src`: Optional string. Path to `sssd.conf` template. Default (which must be created) is `{{ appliances_environment_root }}/files/sssd.conf.j2`. - `sssd_conf_dest`: Optional string. Path to destination for `sssd.conf`. Default `/etc/sssd/sssd.conf`. - `sssd_started`: Optional bool. Whether `sssd` service should be started. diff --git a/ansible/roles/sssd/defaults/main.yml b/ansible/roles/sssd/defaults/main.yml index 6952b9e45..5bc58c990 100644 --- a/ansible/roles/sssd/defaults/main.yml +++ b/ansible/roles/sssd/defaults/main.yml @@ -3,6 +3,9 @@ sssd_packages: sssd_install_ldap: false sssd_ldap_packages: - sssd-ldap +sssd_enable_mkhomedir: false +sssd_mkhomedir_packages: + - oddjob-mkhomedir sssd_conf_src: "{{ appliances_environment_root }}/files/sssd.conf.j2" sssd_conf_dest: /etc/sssd/sssd.conf sssd_started: true diff --git a/ansible/roles/sssd/tasks/configure.yml b/ansible/roles/sssd/tasks/configure.yml index 64f6fb461..ae636e9dd 100644 --- a/ansible/roles/sssd/tasks/configure.yml +++ b/ansible/roles/sssd/tasks/configure.yml @@ -1,4 +1,4 @@ -- name: Write sssd.conf +- name: Manage sssd.conf configuration template: src: "{{ sssd_conf_src }}" dest: "{{ sssd_conf_dest }}" 
@@ -14,3 +14,15 @@ name: sssd state: "{{ 'started' if sssd_started | bool else 'stopped' }}" enabled: "{{ sssd_enabled | bool }}" + +- name: Get current authselect configuration + command: authselect current --raw + changed_when: false + failed_when: + - _authselect_current.rc != 0 + - "'No existing configuration detected' not in _authselect_current.stdout" + register: _authselect_current # stdout: sssd with-mkhomedir + +- name: Configure nsswitch and PAM for SSSD + command: "authselect select sssd --force{% if sssd_enable_mkhomedir | bool %} with-mkhomedir{% endif %}" + when: "'sssd' not in _authselect_current.stdout" diff --git a/ansible/roles/sssd/tasks/install.yml b/ansible/roles/sssd/tasks/install.yml index a292065a8..97aa82a2f 100644 --- a/ansible/roles/sssd/tasks/install.yml +++ b/ansible/roles/sssd/tasks/install.yml @@ -1,4 +1,4 @@ -- name: Install sssd packages +- name: Ensure sssd packages are installed dnf: name: "{{ sssd_packages + sssd_ldap_packages if (sssd_install_ldap | bool) else [] }}" @@ -7,3 +7,7 @@ systemd: name: sssd enabled: "{{ sssd_enabled | bool }}" + +- name: Ensure mkhomedir packages are installed if required + dnf: + name: "{{ sssd_mkhomedir_packages }}" From e6db5fa21ede496f2d53a980ec6dfdb67cff7366 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 18 Sep 2024 15:38:06 +0000 Subject: [PATCH 11/23] add sshd role --- ansible/roles/sshd/README.md | 7 +++++++ ansible/roles/sshd/defaults/main.yml | 1 + ansible/roles/sshd/handlers/main.yml | 4 ++++ ansible/roles/sshd/tasks/configure.yml | 16 ++++++++++++++++ ansible/roles/sshd/tasks/main.yml | 1 + environments/common/layouts/everything | 3 +++ 6 files changed, 32 insertions(+) create mode 100644 ansible/roles/sshd/README.md create mode 100644 ansible/roles/sshd/defaults/main.yml create mode 100644 ansible/roles/sshd/handlers/main.yml create mode 100644 ansible/roles/sshd/tasks/configure.yml create mode 100644 ansible/roles/sshd/tasks/main.yml 
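Review bot: The guard `when: "'sssd' not in _authselect_current.stdout"` on the new `Configure nsswitch and PAM for SSSD` task only checks that the profile name appears somewhere in the current selection, so a host already on `sssd` never gains `with-mkhomedir` when `sssd_enable_mkhomedir` is later enabled (or loses it when disabled), and `--force` means the one time the task does run it replaces whatever nsswitch/PAM configuration the host had. Comparing the whole raw output of `authselect current --raw` against the intended profile string keeps the task idempotent and records the intended end state in one place; the rewrite below builds that string once in task `vars`. The enclosing task list starts before this hunk.
```yaml
- name: Configure nsswitch and PAM for SSSD
  # authselect --force replaces any existing non-authselect nsswitch/PAM config;
  # compare the full profile so feature changes (e.g. with-mkhomedir) are applied too
  command: "authselect select {{ _sssd_authselect_profile }} --force"
  vars:
    _sssd_authselect_profile: "sssd{{ ' with-mkhomedir' if sssd_enable_mkhomedir | bool else '' }}"
  when: _authselect_current.stdout | trim != _sssd_authselect_profile
```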
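Review bot: The new `Ensure mkhomedir packages are installed if required` task in the install.yml hunk has no condition, so `oddjob-mkhomedir` is always installed, contradicting both the task name and the README text that `sssd_mkhomedir_packages` is used only with `sssd_enable_mkhomedir`; add `when: sssd_enable_mkhomedir | bool`. Nothing in this commit manages the `oddjobd` service, which the mkhomedir PAM module appears to rely on to actually create the directory at login — verify on a target host and, if so, enable it alongside sssd in configure.yml rather than leaving it to the package default.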
diff --git a/ansible/roles/sshd/README.md b/ansible/roles/sshd/README.md new file mode 100644 index 000000000..8fa59db74 --- /dev/null +++ b/ansible/roles/sshd/README.md @@ -0,0 +1,7 @@ +# sshd + +Configure sshd. + +## Role variables + +- `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`. diff --git a/ansible/roles/sshd/defaults/main.yml b/ansible/roles/sshd/defaults/main.yml new file mode 100644 index 000000000..19c3b4375 --- /dev/null +++ b/ansible/roles/sshd/defaults/main.yml @@ -0,0 +1 @@ +sshd_password_authentication: false # Whether to enable password login diff --git a/ansible/roles/sshd/handlers/main.yml b/ansible/roles/sshd/handlers/main.yml new file mode 100644 index 000000000..e11aa7801 --- /dev/null +++ b/ansible/roles/sshd/handlers/main.yml @@ -0,0 +1,4 @@ +- name: Restart sshd + systemd: + name: sshd + state: restarted diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml new file mode 100644 index 000000000..70ea8dfd0 --- /dev/null +++ b/ansible/roles/sshd/tasks/configure.yml @@ -0,0 +1,16 @@ +- name: Configure SSH password authentication + # NB: If parameters are defined multiple times the first value wins; + # The default /etc/ssh/sshd_config has + # Include /etc/ssh/sshd_config.d/*.conf + # early on, which is generally held to be the correct approach, so adding + # values to the end of that file won't work + lineinfile: + dest: /etc/ssh/sshd_config.d/10-ansible.conf # will beat 50-cloud-init and 50-redhat + regexp: "^PasswordAuthentication" + line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}" + state: present + create: true + validate: sshd -t -f %s + notify: + - Restart sshd + \ No newline at end of file diff --git a/ansible/roles/sshd/tasks/main.yml b/ansible/roles/sshd/tasks/main.yml new file mode 100644 index 000000000..84f493457 --- /dev/null +++ b/ansible/roles/sshd/tasks/main.yml 
@@ -0,0 +1 @@ +- import_tasks: configure.yml diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything index 988a8fe42..252818fb7 100644 --- a/environments/common/layouts/everything +++ b/environments/common/layouts/everything @@ -85,3 +85,6 @@ cluster [sssd] # Hosts to configure sssd on + +[sshd] +# Hosts where the OpenSSH server daemon should be configured From 2ab2adaff65719cfe3d296873680c059456e4a7b Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 20 Sep 2024 13:32:40 +0000 Subject: [PATCH 12/23] auto enable ssh passwords if using ldap --- environments/common/inventory/group_vars/all/sshd.yaml | 1 + 1 file changed, 1 insertion(+) create mode 100644 environments/common/inventory/group_vars/all/sshd.yaml diff --git a/environments/common/inventory/group_vars/all/sshd.yaml b/environments/common/inventory/group_vars/all/sshd.yaml new file mode 100644 index 000000000..5d4ed228f --- /dev/null +++ b/environments/common/inventory/group_vars/all/sshd.yaml @@ -0,0 +1 @@ +sshd_password_authentication: "{{ sssd_install_ldap | default(false) | bool }}" From 793fa69efacba7ec5d2db2e0d2ecb26db05b9f87 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 18 Sep 2024 15:45:27 +0000 Subject: [PATCH 13/23] actually run sshd role --- ansible/.gitignore | 2 ++ ansible/bootstrap.yml | 9 +++++++++ 2 files changed, 11 insertions(+) diff --git a/ansible/.gitignore b/ansible/.gitignore index 837c314a9..97248f914 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -60,3 +60,5 @@ roles/* !roles/tuned/** !roles/sssd/ !roles/sssd/** +!roles/sshd/ +!roles/sshd/** diff --git a/ansible/bootstrap.yml b/ansible/bootstrap.yml index c43d614db..c4a1b1d5b 100644 --- a/ansible/bootstrap.yml +++ b/ansible/bootstrap.yml 
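Review bot: `sshd_password_authentication: "{{ sssd_install_ldap | default(false) | bool }}"` switches SSH password logins on for every host in the `sshd` group as a side effect of a package-selection flag, which widens the cluster's exposure (online password guessing against any directory account on every node running sshd) without an explicit decision being recorded anywhere. Because `sssd_install_ldap` is a role default and this file is inventory group_vars, the expression is only true when an inventory explicitly defines `sssd_install_ldap`, so the behaviour is also hard to predict from the role documentation alone. At minimum add a comment above the line stating the coupling and the override, e.g. `# Password logins default to on when LDAP is used via sssd; set sshd_password_authentication: false per group to keep key-only access`, and mention the same in the sshd README.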
@@ -110,6 +110,15 @@ policy: "{{ selinux_policy }}" register: sestatus +- hosts: sshd + tags: sshd + gather_facts: no + become: yes + tasks: + - name: Configure sshd + import_role: + name: sshd + # --- tasks after here require access to package repos --- - hosts: squid tags: squid From 2ee20c7728672d2358a46b776b4f6891a170b1a4 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Thu, 19 Sep 2024 10:29:21 +0000 Subject: [PATCH 14/23] make sshd config more flexible --- ansible/roles/sshd/README.md | 2 ++ ansible/roles/sshd/defaults/main.yml | 4 +++- ansible/roles/sshd/tasks/configure.yml | 15 +++++++-------- ansible/roles/sshd/templates/sshd.conf.j2 | 2 ++ 4 files changed, 14 insertions(+), 9 deletions(-) create mode 100644 ansible/roles/sshd/templates/sshd.conf.j2 diff --git a/ansible/roles/sshd/README.md b/ansible/roles/sshd/README.md index 8fa59db74..0fac1d189 100644 --- a/ansible/roles/sshd/README.md +++ b/ansible/roles/sshd/README.md @@ -5,3 +5,5 @@ Configure sshd. ## Role variables - `sshd_password_authentication`: Optional bool. Whether to enable password login. Default `false`. +- `sshd_conf_src`: Optional string. Path to sshd configuration template. Default is in-role template. +- `sshd_conf_dest`: Optional string. Path to destination for sshd configuration file. Default is `/etc/ssh/sshd_config.d/10-ansible.conf` which overides `50-{cloud-init,redhat}` files, if present. diff --git a/ansible/roles/sshd/defaults/main.yml b/ansible/roles/sshd/defaults/main.yml index 19c3b4375..672305799 100644 --- a/ansible/roles/sshd/defaults/main.yml +++ b/ansible/roles/sshd/defaults/main.yml @@ -1 +1,3 @@ -sshd_password_authentication: false # Whether to enable password login +sshd_password_authentication: false +sshd_conf_src: sshd.conf.j2 +sshd_conf_dest: /etc/ssh/sshd_config.d/10-ansible.conf diff --git a/ansible/roles/sshd/tasks/configure.yml b/ansible/roles/sshd/tasks/configure.yml index 70ea8dfd0..8aafb5c19 100644 --- a/ansible/roles/sshd/tasks/configure.yml 
+++ b/ansible/roles/sshd/tasks/configure.yml @@ -1,16 +1,15 @@ -- name: Configure SSH password authentication +- name: Template sshd configuration # NB: If parameters are defined multiple times the first value wins; # The default /etc/ssh/sshd_config has # Include /etc/ssh/sshd_config.d/*.conf # early on, which is generally held to be the correct approach, so adding # values to the end of that file won't work - lineinfile: - dest: /etc/ssh/sshd_config.d/10-ansible.conf # will beat 50-cloud-init and 50-redhat - regexp: "^PasswordAuthentication" - line: "PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }}" - state: present - create: true + template: + src: "{{ sshd_conf_src }}" + dest: "{{ sshd_conf_dest }}" + owner: root + group: root + mode: u=rw,go= validate: sshd -t -f %s notify: - Restart sshd - \ No newline at end of file diff --git a/ansible/roles/sshd/templates/sshd.conf.j2 b/ansible/roles/sshd/templates/sshd.conf.j2 new file mode 100644 index 000000000..2746f0642 --- /dev/null +++ b/ansible/roles/sshd/templates/sshd.conf.j2 @@ -0,0 +1,2 @@ +# {{ ansible_managed }} +PasswordAuthentication {{ 'yes' if sshd_password_authentication | bool else 'no' }} From 7362b7be8d895234a6348467a1c1011b52283e66 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 4 Oct 2024 15:16:08 +0000 Subject: [PATCH 15/23] add basic_users_override_sssd flag --- ansible/roles/basic_users/README.md | 1 + ansible/roles/basic_users/defaults/main.yml | 1 + ansible/roles/basic_users/tasks/main.yml | 17 ++++++++++++++++- 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/ansible/roles/basic_users/README.md b/ansible/roles/basic_users/README.md index 4b75100ca..fac129984 100644 --- a/ansible/roles/basic_users/README.md +++ b/ansible/roles/basic_users/README.md 
@@ -24,6 +24,7 @@ Role Variables - An additional key `sudo` may optionally be specified giving a string (possibly multiline) defining sudo rules to be templated. - Any other keys may present for other purposes (i.e. not used by this role). - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there. +- `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted on every run. Dependencies ------------ diff --git a/ansible/roles/basic_users/defaults/main.yml b/ansible/roles/basic_users/defaults/main.yml index 9f34bdf4c..e6c6eafaa 100644 --- a/ansible/roles/basic_users/defaults/main.yml +++ b/ansible/roles/basic_users/defaults/main.yml @@ -7,3 +7,4 @@ basic_users_userdefaults: shell: "{{'/sbin/nologin' if 'control' in group_names else omit }}" basic_users_users: [] basic_users_groups: [] +basic_users_override_sssd: false diff --git a/ansible/roles/basic_users/tasks/main.yml b/ansible/roles/basic_users/tasks/main.yml index c27d024b4..6692eeffc 100644 --- a/ansible/roles/basic_users/tasks/main.yml +++ b/ansible/roles/basic_users/tasks/main.yml @@ -7,7 +7,16 @@ label: "{{ item.name }}" when: - "item.state | default('present') == 'absent'" - + +- name: Stop sssd if required + systemd: + name: sssd + state: stopped + register: _stop_sssd + when: + - "'sssd' in group_names" + - basic_users_override_sssd | bool + - name: Create groups ansible.builtin.group: "{{ item }}" loop: "{{ basic_users_groups }}" 
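Review bot: Between `Stop sssd if required` in this hunk and `Restart sssd if required` in the hunk on the following line there is no `block`/`always`, so a failure in the group or user creation tasks leaves sssd stopped on that host, with every directory-backed login and NSS lookup failing until someone notices. The start task should be the `always:` branch of a block wrapping the tasks that need sssd stopped, as sketched below; the `Create users` task between the two hunks is outside what is shown and its `register: basic_users_info` must stay reachable by the later tasks. The start task's name also misdescribes `state: started`; `Start sssd again if it was stopped` is accurate. The README should additionally warn that while sssd is stopped, processes on that host cannot resolve directory users.
```yaml
- name: Stop sssd if required
  # … unchanged: systemd stop of sssd, register _stop_sssd, when clauses …

- block:
    # … unchanged: "Create groups" and "Create users" tasks, moved under the block …
  always:
    - name: Start sssd again if it was stopped
      systemd:
        name: sssd
        state: started
      when: _stop_sssd.changed | default(false)
```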
@@ -19,6 +28,12 @@ label: "{{ item.name }} [{{ item.state | default('present') }}]" register: basic_users_info +- name: Restart sssd if required + systemd: + name: sssd + state: started + when: _stop_sssd.changed | default(false) + - name: Write supplied public key as authorized for SSH access authorized_key: user: "{{ item.name }}" From cfe8defa6fa83194404e4873d24421d1a4de5e89 Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Fri, 11 Oct 2024 10:41:27 +0000 Subject: [PATCH 16/23] port PR comment re. basic_users docs --- ansible/roles/basic_users/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/basic_users/README.md b/ansible/roles/basic_users/README.md index fac129984..65fdd2c4c 100644 --- a/ansible/roles/basic_users/README.md +++ b/ansible/roles/basic_users/README.md 
@@ -24,7 +24,7 @@ Role Variables - An additional key `sudo` may optionally be specified giving a string (possibly multiline) defining sudo rules to be templated. - Any other keys may present for other purposes (i.e. not used by this role). - `basic_users_groups`: Optional, default empty list. A list of mappings defining information for each group. Mapping keys/values are passed through as parameters to [ansible.builtin.group](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/group_module.html) and default values are as given there. -- `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted on every run. +- `basic_users_override_sssd`: Optional bool, default false. Whether to disable `sssd` when ensuring users/groups exist with this role. Permits creating local users/groups even if they clash with users provided via sssd (e.g. from LDAP). Ignored if host is not in group `sssd` as well. Note with this option active `sssd` will be stopped and restarted each time this role is run. Dependencies ------------ From bcf593c44eeedfb3b488ce62d6cc68244b8757be Mon Sep 17 00:00:00 2001 From: Steve Brasier Date: Wed, 30 Oct 2024 09:49:00 +0000 Subject: [PATCH 17/23] add sssd-ldap package during stackhpc build only --- environments/.stackhpc/inventory/group_vars/builder.yml | 1 + environments/common/inventory/group_vars/builder/defaults.yml | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/environments/.stackhpc/inventory/group_vars/builder.yml b/environments/.stackhpc/inventory/group_vars/builder.yml index 8d7ee98d2..23b1ecf01 100644 --- a/environments/.stackhpc/inventory/group_vars/builder.yml +++ b/environments/.stackhpc/inventory/group_vars/builder.yml 
@@ -1 +1,2 @@
#update_enable: false # Can uncomment for speed debugging non-update related build issues
+sssd_install_ldap: true # include sssd-ldap package in fatimage
diff --git a/environments/common/inventory/group_vars/builder/defaults.yml b/environments/common/inventory/group_vars/builder/defaults.yml
index a84cdcc9d..7b6a6d00e 100644
--- a/environments/common/inventory/group_vars/builder/defaults.yml
+++ b/environments/common/inventory/group_vars/builder/defaults.yml
@@ -24,4 +24,3 @@ tuned_started: false
tuned_enabled: false
sssd_started: false
sssd_enabled: false
-sssd_install_ldap: true # include sssd-ldap package in fatimage
From 09e7bda1ef22f36c7a4f0d3efadf99315c11a489 Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Wed, 30 Oct 2024 11:28:16 +0000
Subject: [PATCH 18/23] bump CI image
---
.../.stackhpc/terraform/cluster_image.auto.tfvars.json | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
index 9f396e964..dcf35f6b5 100644
--- a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
+++ b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
@@ -1,7 +1,7 @@
{
"cluster_image": {
-    "RL8": "openhpc-RL8-241024-1439-177083b1",
-    "RL9": "openhpc-RL9-241024-1438-177083b1",
-    "RL9-cuda": "openhpc-cuda-RL9-241024-1628-177083b1"
+    "RL8": "openhpc-RL8-241030-0950-bcf593c4",
+    "RL9": "openhpc-RL9-241030-0950-bcf593c4",
+    "RL9-cuda": "openhpc-cuda-RL9-241030-1033-bcf593c4"
}
}
\ No newline at end of file
From a1c8a7751f31c7c88128c4836e70f63733b083a9 Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Fri, 1 Nov 2024 10:27:15 +0000
Subject: [PATCH 19/23] add missing empty sssd group
---
environments/common/inventory/groups | 3 +++
1 file changed, 3 insertions(+)
diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups
index 47bfd591e..b5e698758 100644
--- a/environments/common/inventory/groups
+++ b/environments/common/inventory/groups
@@ -139,5 +139,8 @@ freeipa_client
[sssd]
# Hosts to configure sssd on
+[sshd]
+# Hosts where the OpenSSH server daemon should be configured
+
[lustre]
# Hosts to run lustre client
From 73329ff2bf942715c726af5c8566478b0ec2fba3 Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Fri, 1 Nov 2024 10:35:04 +0000
Subject: [PATCH 20/23] remove deprecated & empty block_devices group
---
environments/common/inventory/groups | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups
index b5e698758..5a4c3cbd3 100644
--- a/environments/common/inventory/groups
+++ b/environments/common/inventory/groups
@@ -13,7 +13,7 @@ login
control
compute
-[eessi:children]
+[eessi]
# Hosts on which EESSI stack should be configured
[hpctests:children]
@@ -79,9 +79,6 @@ cluster
# Hosts to install firewalld on - see ansible/roles/filewalld
fail2ban
-[block_devices]
-# Superset of hosts to configure filesystems on - see ansible/roles/block_devices/README.md
-
[basic_users]
# Add `openhpc` group to add slurm users via creation of users on each node.
From ff40ff248b933bda99cfa50a7c66c09aa50f305b Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Fri, 1 Nov 2024 10:37:50 +0000
Subject: [PATCH 21/23] regularise common groups & everything groups template a bit
---
environments/common/inventory/groups | 9 ++++++---
environments/common/layouts/everything | 3 ++-
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/environments/common/inventory/groups b/environments/common/inventory/groups
index 5a4c3cbd3..ac3d0f77f 100644
--- a/environments/common/inventory/groups
+++ b/environments/common/inventory/groups
@@ -13,9 +13,6 @@ login
control
compute
-[eessi]
-# Hosts on which EESSI stack should be configured
-
[hpctests:children]
# Login group to use for running mpi-based testing.
login
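Review bot: The new group in this hunk is `[sshd]`, but the commit subject says it adds a missing `sssd` group, and `[sssd]` is already present in the context lines just above, so one of the two is wrong and the subject reads as if the sssd group were the change. If `[sshd]` is the intended addition, the subject should say so, and the group comment would be more useful if it pointed at whatever consumes it, in the same form as the neighbouring groups, for example `# Hosts where the OpenSSH server daemon should be configured - see ansible/roles/sshd/README.md`, assuming that is the role that reads this group; I cannot see it from this hunk. If there is no play or role that targets `sshd` yet, an empty group with no consumer is easy to mistake for a typo of `sssd`.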
@@ -115,12 +112,18 @@ freeipa_client
[cuda]
# Hosts to install NVIDIA CUDA on - see ansible/roles/cuda/README.md
+[eessi]
+# Hosts on which EESSI stack should be configured
+
[resolv_conf]
# Allows defining nameservers in /etc/resolv.conf - see ansible/roles/resolv_conf/README.md
[proxy]
# Hosts to configure http/s proxies - see ansible/roles/proxy/README.md
+[manila]
+# Hosts to configure for manila fileshares
+
[persist_hostkeys]
# Hosts to persist hostkeys for across reimaging. NB: Requires appliances_state_dir on hosts.
diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything
index 110c74d2c..a826888a7 100644
--- a/environments/common/layouts/everything
+++ b/environments/common/layouts/everything
@@ -58,6 +58,7 @@ compute
# Hosts to install NVIDIA CUDA on - see ansible/roles/cuda/README.md
[eessi:children]
+# Hosts on which EESSI stack should be configured
openhpc
[resolv_conf]
@@ -79,7 +80,7 @@ openhpc
# Hosts to run TuneD configuration
[ansible_init:children]
-# Hosts to run ansible-init
+# Hosts to run linux-anisble-init
cluster
[sssd]
From fa1297ea24928221ae9e9e21a04c8a19c92be788 Mon Sep 17 00:00:00 2001
From: Steve Brasier
Date: Thu, 9 Jan 2025 15:23:55 +0000
Subject: [PATCH 22/23] bumb CI image
---
.../.stackhpc/terraform/cluster_image.auto.tfvars.json | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
index 47681ea8a..3c1e19058 100644
--- a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
+++ b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
@@ -1,6 +1,6 @@
{
"cluster_image": {
-    "RL8": "openhpc-RL8-250108-1703-e515b902",
-    "RL9": "openhpc-RL9-250108-1703-e515b902"
+    "RL8": "openhpc-RL8-250109-1444-ecea8219",
+    "RL9": "openhpc-RL9-250109-1444-ecea8219"
}
}
From a3b73032543042ee67942775afe45c56167ce8c8 Mon Sep 17 00:00:00 2001
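Review bot: The rewritten comment on the `[ansible_init:children]` group in the `everything` layout introduces a typo on the new side: `+# Hosts to run linux-anisble-init` should read `# Hosts to run linux-ansible-init`. Since this comment is the only hint in the layout of which component the group feeds, and the other groups here point at a role README, it would be worth also naming where that component lives (for example `- see ansible/roles/...`), if such a README exists; I cannot confirm that from this hunk.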
From: Steve Brasier <33413598+sjpb@users.noreply.github.com>
Date: Thu, 9 Jan 2025 20:25:48 +0000
Subject: [PATCH 23/23] sssd review comments
Co-authored-by: Will Szumski
---
ansible/roles/basic_users/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/roles/basic_users/tasks/main.yml b/ansible/roles/basic_users/tasks/main.yml
index 6692eeffc..c6733fb89 100644
--- a/ansible/roles/basic_users/tasks/main.yml
+++ b/ansible/roles/basic_users/tasks/main.yml
@@ -32,7 +32,7 @@
systemd:
name: sssd
state: started
-    when: _stop_sssd.changed | default(false)
+    when: _stop_sssd is changed
- name: Write supplied public key as authorized for SSH access
authorized_key:
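Review bot: `when: _stop_sssd is changed` is the idiomatic form, but note it is stricter than the `default(false)` expression it replaces: Ansible's `changed` test raises "The 'changed' test expects a dictionary" if `_stop_sssd` is not a registered result, rather than evaluating to false. That is fine as long as the stop task (outside this hunk) is always reached on every host this task runs on, including when it is skipped by its own `when`, since a skipped task still registers a result; it becomes a hard failure if the stop task is ever made conditional in a way that leaves the variable undefined. If you want to keep the old tolerance explicitly, `when: _stop_sssd is defined and _stop_sssd is changed` does so without giving up the `is changed` idiom; otherwise a one-line comment on the task noting that it relies on `_stop_sssd` always being registered would stop someone reintroducing the `default()` form later. The enclosing task starts before this hunk.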