From 1c7e08ede4708086a95ec5c97b3e1405dd0ebbab Mon Sep 17 00:00:00 2001 From: Steven Basart <130421631+steven-basart@users.noreply.github.com> Date: Sun, 21 Apr 2024 20:12:08 -0400 Subject: [PATCH 1/3] Add libaio to cais-compute Needed for huggingface accelerate it seems. --- playbooks/roles/cais-compute/tasks/ol-7.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/playbooks/roles/cais-compute/tasks/ol-7.yml b/playbooks/roles/cais-compute/tasks/ol-7.yml index 24659871..ca31bb46 100644 --- a/playbooks/roles/cais-compute/tasks/ol-7.yml +++ b/playbooks/roles/cais-compute/tasks/ol-7.yml @@ -110,13 +110,13 @@ include_role: name: safe_yum ignore_errors: true +- name: Install libaio for asynchronous I/O + vars: + package_name: + - libaio-devel + package_state: latest + package_repo: "epel,ol7_developer_EPEL" + include_role: + name: safe_yum + ignore_errors: true -# Used for local storage -- name: Create local storage location for all compute nodes - become: true - file: - path: /mnt/localdisk/slurm_tmp - state: directory - owner: root - group: slurm - mode: '0770' From e8f769288a66505dd14db03cd6317d44a724048d Mon Sep 17 00:00:00 2001 From: Steven Basart <130421631+steven-basart@users.noreply.github.com> Date: Thu, 23 May 2024 16:02:00 -0400 Subject: [PATCH 2/3] Add MaxArraySize=10000 --- playbooks/roles/slurm/templates/slurm.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/playbooks/roles/slurm/templates/slurm.conf.j2 b/playbooks/roles/slurm/templates/slurm.conf.j2 index 8491a1f9..76fd289a 100755 --- a/playbooks/roles/slurm/templates/slurm.conf.j2 +++ b/playbooks/roles/slurm/templates/slurm.conf.j2 @@ -25,6 +25,7 @@ TaskPlugin=task/affinity,task/cgroup InactiveLimit=0 KillWait=120 MaxJobCount=100000 +MaxArraySize=10000 MinJobAge=21600 SlurmctldTimeout=300 SlurmdTimeout=600 From cd342838ef7e0c93af6566ddefe78f5600a74368 Mon Sep 17 00:00:00 2001 
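Review bot: The new libaio task combines `package_state: latest` with `ignore_errors: true`, so (assuming safe_yum passes these through to yum) the role installs whatever libaio-devel build the EPEL repositories serve at run time and still reports success when the install fails. Using `package_state: present` or a pinned version and dropping `ignore_errors: true` would make the result reproducible and surface a broken or unexpected repository. The same hunk also deletes the task that created /mnt/localdisk/slurm_tmp as root:slurm with mode '0770', which the commit message does not mention. If that directory is not managed elsewhere, its ownership and mode are no longer enforced on compute nodes.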
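Review bot: `MaxArraySize=10000` is added with no comment and no visible per-user submission limit, and with `MaxJobCount=100000` on the line above, roughly ten full-size arrays from one account could fill the controller's job table. If no association or QOS limit such as MaxSubmitJobs is set elsewhere (not visible in this hunk), consider adding one. The reason for the value could be recorded in the template, e.g. `# Largest job array index + 1; keep well below MaxJobCount`.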
From: Andriy Novykov Date: Mon, 10 Jun 2024 19:29:55 -0700 Subject: [PATCH 3/3] Added playbooks to enable and disable passwordless ssh for root user. --- playbooks/README.md | 16 +++++- .../passwordless_ssh_for_root_disable.yml | 57 +++++++++++++++++++ .../passwordless_ssh_for_root_enable.yml | 51 +++++++++++++++++ 3 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 playbooks/passwordless_ssh_for_root_disable.yml create mode 100644 playbooks/passwordless_ssh_for_root_enable.yml diff --git a/playbooks/README.md b/playbooks/README.md index 5abcb56f..26fb820f 100644 --- a/playbooks/README.md +++ b/playbooks/README.md 
@@ -16,4 +16,18 @@ To install notifications run the notifications_install.yml and enter the slack_b For the webhooks go to [slack bot app](https://app.slack.com/app-settings/T04PVJTPVCJ/A05AGQ7HNBX) then Incoming Webhooks. Press Add new Webhook to Workspace at the bottom and select the channel you want notified for admin notifications. Copy the webhook and enter it when prompted during the above install -To uninstall notifications run notifications_uninstall.yml. Note that this does not remove the MailProg entry from the slurm.conf. This won't cause problems but will be silently erroring in the slurmctld.log. So if you want to be clean you can remove that from the config. \ No newline at end of file +To uninstall notifications run notifications_uninstall.yml. Note that this does not remove the MailProg entry from the slurm.conf. This won't cause problems but will be silently erroring in the slurmctld.log. So if you want to be clean you can remove that from the config. + +## Passwordless SSH for Root User + +We provide playbooks to enable and disable passwordless SSH for the root user. This feature is typically required for automated administrative tasks such as software upgrades, for example with Weka. Caution: Enabling passwordless SSH for the root user poses significant security risks. Be sure to disable it as soon as it is no longer necessary. + +Prerequisites: +- Ensure that SSH key pairs (root and root.pub) are created. If you haven’t already, you can generate them using the following command: `ssh-keygen -f /home/opc/.ssh/root -N ''` +- Place the keys in the /home/opc/.ssh/ directory. + +Enabling Passwordless SSH: `ansible-playbook passwordless_ssh_for_root_enable.yml` + +Disabling Passwordless SSH: `ansible-playbook passwordless_ssh_for_root_disable.yml` + +Note: Always ensure that passwordless SSH is disabled when not actively needed to maintain the security integrity of your system. 
diff --git a/playbooks/passwordless_ssh_for_root_disable.yml b/playbooks/passwordless_ssh_for_root_disable.yml
new file mode 100644
index 00000000..c9b6f6f1
--- /dev/null
+++ b/playbooks/passwordless_ssh_for_root_disable.yml
@@ -0,0 +1,57 @@
+---
+- name: Disable passwordless SSH for root user
+ hosts: all
+ become: true
+ tasks:
+ - name: Ensure the SSH directory exists
+ file:
+ path: /root/.ssh
+ state: directory
+ owner: root
+ group: root
+ mode: '0700'
+ ignore_errors: true
+
+ - name: Ensure the authorized_keys file exists
+ file:
+ path: /root/.ssh/authorized_keys
+ state: touch
+ owner: root
+ group: root
+ mode: '0600'
+ ignore_errors: true
+
+ - name: Remove the root's public key from the authorized_keys file
+ lineinfile:
+ path: /root/.ssh/authorized_keys
+ state: absent
+ line: "{{ lookup('file', '/home/{{ ansible_user }}/.ssh/root.pub') }}"
+ ignore_errors: true
+
+ - name: Remove the private key file
+ file:
+ path: "/root/.ssh/root"
+ state: absent
+ ignore_errors: true
+
+ - name: Ensure there is at least one newline at the end of the file
+ lineinfile:
+ path: "/root/.ssh/authorized_keys"
+ line: ''
+ create: no
+ insertafter: EOF
+
+ - name: Remove extra newlines from the end of the file
+ command: sed -i -e :a -e '/^\n*$/{$d;N;};/\n$/ba' /root/.ssh/authorized_keys
+ args:
+ warn: false
+
+- name: Remove specific warning from /etc/issue.net file
+ hosts: bastion
+ become: true # Ensure you have administrative privileges
+ tasks:
+ - name: Remove warning message from /etc/issue.net
+ lineinfile:
+ path: /etc/issue.net
+ line: 'Warning: Passwordless SSH is enabled for root user.'
+ state: absent
\ No newline at end of file
diff --git a/playbooks/passwordless_ssh_for_root_enable.yml b/playbooks/passwordless_ssh_for_root_enable.yml
new file mode 100644
index 00000000..91672f3b
--- /dev/null
+++ b/playbooks/passwordless_ssh_for_root_enable.yml
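Review bot: The disable playbook does not undo what the enable playbook installs: "Remove the private key file" deletes `/root/.ssh/root`, while the enable play copies the private key to `/root/.ssh/id_rsa`, so the root private key stays on every host after this playbook has run. That task should use `path: "/root/.ssh/id_rsa"`. The authorized_keys removal is also fragile, because the inner `{{ ansible_user }}` sits inside a quoted string within the outer expression and, depending on the Ansible version, is not expanded; the lookup then fails and `ignore_errors: true` turns that into a green run with the key still authorized. Build the path by concatenation, `lookup('file', '/home/' ~ ansible_user ~ '/.ssh/root.pub')`, and drop `ignore_errors: true` from the two removal tasks so that a failed revocation stops the play.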
@@ -0,0 +1,51 @@
+---
+- name: Update /etc/issue.net file
+ hosts: bastion
+ become: true # Ensure you have administrative privileges
+ tasks:
+ - name: Add warning message to /etc/issue.net
+ lineinfile:
+ path: /etc/issue.net
+ line: 'Warning: Passwordless SSH is enabled for root user.'
+ create: yes # Create the file if it does not exist
+ state: present
+
+- name: Setup passwordless SSH for root user
+ hosts: all
+ become: true
+ tasks:
+ - name: Ensure the SSH directory exists
+ file:
+ path: "/root/.ssh"
+ state: directory
+ owner: root
+ group: root
+ mode: '0700'
+
+ - name: Read the public key from the file
+ slurp:
+ src: "/home/{{ ansible_user }}/.ssh/root.pub"
+ register: public_key
+
+ - name: Convert the public key to a string
+ set_fact:
+ pubkey_content: "{{ public_key['content'] | b64decode }}"
+
+ - name: Append the public key to the authorized_keys file
+ lineinfile:
+ path: "/root/.ssh/authorized_keys"
+ line: "{{ pubkey_content }}"
+ create: yes
+ owner: root
+ group: root
+ mode: '0600'
+ state: present
+
+ - name: Copy the private key to the SSH directory
+ copy:
+ src: "/home/{{ ansible_user }}/.ssh/root"
+ dest: "/root/.ssh/id_rsa"
+ owner: root
+ group: root
+ mode: '0600'
+
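Review bot: The last task copies the root private key to `/root/.ssh/id_rsa` on `hosts: all`, so every node ends up holding a credential that is accepted as root on every other node, and any existing `/root/.ssh/id_rsa` is overwritten without a backup. Limit that task to the hosts that have to initiate the connections, and either keep the previous file with `backup: true` or use a dedicated file name instead of the default identity. The public key is also appended with no restrictions; the `authorized_key` module with `key_options: 'from="<ADMIN_HOST_PLACEHOLDER>"'` would scope the key to the initiating host and give the disable playbook a matching `state: absent`. Note that `slurp` reads root.pub on each remote host while `copy` reads the private key from the control node, so the two paths may not refer to the same key pair.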