From de1dfbf941f2d24aff244f2cb3bacdadc8ce199b Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Mon, 11 Nov 2024 15:00:57 +0000 Subject: [PATCH 01/15] cookiecutter environment now has working defaults --- .../common/inventory/group_vars/all/basic_users.yml | 7 ++++++- .../common/inventory/group_vars/all/openondemand.yml | 7 ++++++- environments/common/layouts/everything | 6 ++++-- .../{{cookiecutter.environment}}/terraform/variables.tf | 2 +- 4 files changed, 17 insertions(+), 5 deletions(-) diff --git a/environments/common/inventory/group_vars/all/basic_users.yml b/environments/common/inventory/group_vars/all/basic_users.yml index 0cecf4b78..5ebf5da72 100644 --- a/environments/common/inventory/group_vars/all/basic_users.yml +++ b/environments/common/inventory/group_vars/all/basic_users.yml @@ -3,5 +3,10 @@ # See: ansible/roles/basic_users/README.md # for variable definitions. +ondemand_user_password: "{{ vault_openondemand_default_user_password }}" + basic_users_homedir: /home -basic_users_users: [] +basic_users_users: + - name: ood_user + password: "{{ ondemand_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}" # idempotent + uid: 1006 diff --git a/environments/common/inventory/group_vars/all/openondemand.yml b/environments/common/inventory/group_vars/all/openondemand.yml index 5e85392ca..cce923fcc 100644 --- a/environments/common/inventory/group_vars/all/openondemand.yml +++ b/environments/common/inventory/group_vars/all/openondemand.yml 
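Review bot: The salt passed to `password_hash` on the new `ood_user` entry is `65534 | random(seed=inventory_hostname) | string`, which is fully determined by the host name and has fewer than 65534 possible values, so every account hashed this way on a host shares one guessable salt. That keeps the task idempotent but gives up most of what a salt is for (distinct hashes per account, no precomputation), which matters once sites copy this entry for real users. Consider mixing the user name into the seed, e.g. `65534 | random(seed=inventory_hostname ~ 'ood_user') | string`, and replacing the bare `# idempotent` with a comment saying the salt is predictable by design. The same expression is carried into the skeleton and `.stackhpc` `basic_users.yml` files in patches 03, 05 and 08.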
@@ -5,7 +5,12 @@ # NB: Variables prefixed ood_ are all from https://github.com/OSC/ood-ansible -# openondemand_servername: '' # Must be defined when using openondemand +openondemand_servername: "{{ hostvars[groups['openondemand'].0].ansible_host if groups['openondemand'] else '' }}" + +openondemand_auth: basic_pam + +openondemand_jupyter_partition: "{{ openhpc_slurm_partitions[0]['name'] }}" +openondemand_desktop_partition: "{{ openhpc_slurm_partitions[0]['name'] }}" # Regex defining hosts which openondemand can proxy; the default regex is compute nodes (for apps) and grafana host, # e.g. if the group `compute` has hosts `compute-{0,1,2,..}` this will be '(compute-\d+)|(control)'. diff --git a/environments/common/layouts/everything b/environments/common/layouts/everything index 878bebbf3..ad9fa536a 100644 --- a/environments/common/layouts/everything +++ b/environments/common/layouts/everything @@ -36,8 +36,9 @@ login [block_devices:children] # Environment-specific so not defined here -[basic_users] +[basic_users:children] # Add `openhpc` group to add Slurm users via creation of users on each node. +openhpc [openondemand:children] # Host to run Open Ondemand server on - subset of login @@ -51,8 +52,9 @@ compute # Subset of compute to run a Jupyter Notebook servers on via Open Ondemand compute -[etc_hosts] +[etc_hosts:children] # Hosts to manage /etc/hosts e.g. if no internal DNS. See ansible/roles/etc_hosts/README.md +cluster [cuda] # Hosts to install NVIDIA CUDA on - see ansible/roles/cuda/README.md diff --git a/environments/skeleton/{{cookiecutter.environment}}/terraform/variables.tf b/environments/skeleton/{{cookiecutter.environment}}/terraform/variables.tf index 0f5eefa18..0a5dde56b 100644 --- a/environments/skeleton/{{cookiecutter.environment}}/terraform/variables.tf +++ b/environments/skeleton/{{cookiecutter.environment}}/terraform/variables.tf 
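Review bot: The new `openondemand_servername` default indexes `groups['openondemand']` before testing it, so an inventory that does not declare the group at all would likely fail with an undefined-variable error instead of falling back to `''`; `groups.get('openondemand', [])` covers both the missing and the empty case. `openondemand_jupyter_partition` and `openondemand_desktop_partition` likewise assume `openhpc_slurm_partitions` has at least one entry. Since the server name now defaults to an IP address and `openondemand_auth` to `basic_pam`, a comment above these lines should say they are demo defaults and that production is expected to set a real hostname with a certificate that matches it.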
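Review bot: The comment under `[basic_users:children]` still reads as an instruction ("Add `openhpc` group to add Slurm users ...") although `openhpc` is now listed, so it no longer tells the reader that local users are created on every cluster node by default. Together with the default user added in this series, that means an account with a password set on each node of any environment using this layout. Suggest rewording it to `# Creates the users in basic_users_users on all openhpc nodes; remove openhpc to disable.` The second hunk has the same gap: the `[etc_hosts:children]` comment does not say that /etc/hosts is now managed on all `cluster` hosts.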
@@ -6,7 +6,7 @@ variable "cluster_name" { variable "cluster_domain_suffix" { type = string description = "Domain suffix for cluster" - default = "invalid" + default = "internal" } variable "cluster_net" { From 373cd60c8b4446814b0ee898553275dfebfa083f Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Mon, 11 Nov 2024 15:41:10 +0000 Subject: [PATCH 02/15] updated docs --- docs/openondemand.README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/openondemand.README.md b/docs/openondemand.README.md index 5daba3408..ef4016872 100644 --- a/docs/openondemand.README.md +++ b/docs/openondemand.README.md 
@@ -30,11 +30,10 @@ The above functionality is configured by running the `ansible/portal.yml` playbo See the [ansible/roles/openondemand/README.md](../ansible/roles/openondemand/README.md) for more details on the variables described below. -At minimum the following must be defined: -- `openondemand_servername` - this must be defined for both `openondemand` and `grafana` hosts (when Grafana is enabled). It is suggested to place it groupvars for `all`. -- `openondemand_auth` and any corresponding options. -- `openondemand_desktop_partition` and `openondemand_jupyter_partition` if the corresponding inventory groups are defined. -- `openondemand_host_regex` if `openondemand_desktop` or `openondemand_jupyter` inventory groups are defined and/or proxying Grafana via Open Ondemand is required. +The following variables have been given default values to allow OOD to run in a newly created environment without additional configuration, but are likely to be overriden with site-specific values: +- `openondemand_servername` - this must be defined for both `openondemand` and `grafana` hosts (when Grafana is enabled). It is suggested to place it groupvars for `all`. Defaults to the IP address of the first host in the `openondemand` group. +- `openondemand_auth` and any corresponding options. Defaults to `basic_pam`. +- `openondemand_desktop_partition` and `openondemand_jupyter_partition` if the corresponding inventory groups are defined. Defaults to the first compute group defined in the `compute` Terraform variable in `environments/{ENV}/terraform`. It is also recommended to set: - `openondemand_dashboard_support_url` 
@@ -45,3 +44,6 @@ If shared filesystems other than `$HOME` are available, add paths to `openondema The appliance automatically configures Open Ondemand to proxy Grafana and adds a link to it on the Open Ondemand dashboard. This means no external IP (or SSH proxying etc) is required to access Grafana (which by default is deployed on the control node). To allow users to authenticate to Grafana, the simplest option is to enable anonymous (View-only) login by setting `grafana_auth_anonymous` (see [environments/common/inventory/group_vars/all/grafana.yml](../environments/common/inventory/group_vars/all/grafana.yml)[^1]). [^1]: Note that if `openondemand_auth` is `basic_pam` and anonymous Grafana login is enabled, the appliance will (by default) configure Open Ondemand's Apache server to remove the Authorisation header from proxying of all `node/` addresses. This is done as otherwise Grafana tries to use this header to authenticate, which fails with the default configuration where only the admin Grafana user `grafana` is created. Note that the removal of this header in this configuration means it cannot be used to authenticate proxied interactive applications - however the appliance-deployed remote desktop and Jupyter Notebook server applications use other authentication methods. An alternative if using `basic_pam` is not to enable anonymous Grafana login and to create Grafana users matching the local users (e.g. in `environments//hooks/post.yml`). + +# Access +By default the appliance authenticates against OOD with basic auth through PAM. If the `basic_users` group is enabled, by default it will create a user with username `ood_user` and its password is found under `vault_openondemand_default_user` in the appliance secrets store in `environments/{ENV}/inventory/group_vars/all/secrets.yml`. Other users can be defined by overriding the variables in `environments/common/inventory/group_vars/all/basic_users.yml`. 
From 92cb18abab5ccecfdac869d71f8a8a108af517d5 Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Thu, 2 Jan 2025 14:29:15 +0000 Subject: [PATCH 03/15] refactored ood demo user into cookiecutter --- docs/openondemand.README.md | 2 +- .../common/inventory/group_vars/all/basic_users.yml | 8 ++------ .../inventory/group_vars/all/basic_users.yml | 4 ++++ 3 files changed, 7 insertions(+), 7 deletions(-) create mode 100644 environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml diff --git a/docs/openondemand.README.md b/docs/openondemand.README.md index ef4016872..aedf729c9 100644 --- a/docs/openondemand.README.md +++ b/docs/openondemand.README.md 
@@ -46,4 +46,4 @@ The appliance automatically configures Open Ondemand to proxy Grafana and adds a [^1]: Note that if `openondemand_auth` is `basic_pam` and anonymous Grafana login is enabled, the appliance will (by default) configure Open Ondemand's Apache server to remove the Authorisation header from proxying of all `node/` addresses. This is done as otherwise Grafana tries to use this header to authenticate, which fails with the default configuration where only the admin Grafana user `grafana` is created. Note that the removal of this header in this configuration means it cannot be used to authenticate proxied interactive applications - however the appliance-deployed remote desktop and Jupyter Notebook server applications use other authentication methods. An alternative if using `basic_pam` is not to enable anonymous Grafana login and to create Grafana users matching the local users (e.g. in `environments//hooks/post.yml`). # Access -By default the appliance authenticates against OOD with basic auth through PAM. If the `basic_users` group is enabled, by default it will create a user with username `ood_user` and its password is found under `vault_openondemand_default_user` in the appliance secrets store in `environments/{ENV}/inventory/group_vars/all/secrets.yml`. Other users can be defined by overriding the variables in `environments/common/inventory/group_vars/all/basic_users.yml`. +By default the appliance authenticates against OOD with basic auth through PAM. When creating a new environment, a new user with username `demo_user` will be created. Its password is found under `vault_openondemand_default_user` in the appliance secrets store in `environments/{ENV}/inventory/group_vars/all/secrets.yml`. Other users can be defined by overriding the `basic_users_users` variable in your environment (templated into `environments/{ENV}/inventory/group_vars/all/basic_users.yml` by default). 
diff --git a/environments/common/inventory/group_vars/all/basic_users.yml b/environments/common/inventory/group_vars/all/basic_users.yml index 5ebf5da72..bcc61eb4b 100644 --- a/environments/common/inventory/group_vars/all/basic_users.yml +++ b/environments/common/inventory/group_vars/all/basic_users.yml @@ -3,10 +3,6 @@ # See: ansible/roles/basic_users/README.md # for variable definitions. -ondemand_user_password: "{{ vault_openondemand_default_user_password }}" - basic_users_homedir: /home -basic_users_users: - - name: ood_user - password: "{{ ondemand_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}" # idempotent - uid: 1006 +basic_users_users: [] + diff --git a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml new file mode 100644 index 000000000..490d1305b --- /dev/null +++ b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml @@ -0,0 +1,4 @@ +basic_users_users: + - name: demo_user + password: "{% raw %}{{ vault_openondemand_default_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}{% endraw %}" # idempotent + uid: 1006 From 4518e56ddc31e921bd1044dc01f8566fd2a402de Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Thu, 2 Jan 2025 15:00:58 +0000 Subject: [PATCH 04/15] updated docs --- docs/production.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/production.md b/docs/production.md index 7219ee7fc..60dc860c8 100644 --- a/docs/production.md +++ b/docs/production.md 
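Review bot: The new skeleton `basic_users.yml` has no header comment, so a site that templates an environment gets `demo_user` with a password set and nothing in the file marking it as a demo account. Add a comment at the top such as `# Demo account for trying out Open Ondemand; remove before production (see docs/production.md).` It would also help to note that `uid: 1006` is fixed and must not clash with site users, and that the `{% raw %}` wrapper is there so cookiecutter leaves the Ansible expression untouched.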
@@ -7,3 +7,4 @@ This page contains some brief notes about differences between the default/demo c - Ensure created instances have accurate/synchronised time. For VM instances this is usually provided by the hypervisor, but if not (or for bare metal instances) it may be necessary to configure or proxy `chronyd` via an environment hook. - Remove production volumes from OpenTofu control. In the default OpenTofu configuration, deleting the resources also deletes the volumes used for persistent state and home directories. This is usually undesirable for production, so these resources should be removed from the OpenTofu configurations and manually deployed once. However note that for development environments leaving them under OpenTofu control is usually best. - Configure Open OpenOndemand - see [specific documentation](openondemand.README.md). +- You may wish to remove the `demo_user` user from `environments/{ENV}/inventory/group_vars/all/basic_users.yml` From 1d7dfa326895c7d39fd15b3e6c24bd0f3a8b83e7 Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Thu, 2 Jan 2025 15:13:59 +0000 Subject: [PATCH 05/15] changed secret name --- ansible/roles/passwords/defaults/main.yml | 1 + .../inventory/group_vars/all/basic_users.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/roles/passwords/defaults/main.yml b/ansible/roles/passwords/defaults/main.yml index 2587e8499..929aac465 100644 --- a/ansible/roles/passwords/defaults/main.yml +++ b/ansible/roles/passwords/defaults/main.yml 
@@ -10,6 +10,7 @@ slurm_appliance_secrets: vault_freeipa_admin_password: "{{ vault_freeipa_admin_password | default(lookup('password', '/dev/null')) }}" vault_k3s_token: "{{ vault_k3s_token | default(lookup('ansible.builtin.password', '/dev/null', length=64)) }}" vault_pulp_admin_password: "{{ vault_pulp_admin_password | default(lookup('password', '/dev/null', chars=['ascii_letters', 'digits'])) }}" + vault_demo_user_password: "{{ vault_demo_user_password | default(lookup('password', '/dev/null')) }}" secrets_openhpc_mungekey_default: content: "{{ lookup('pipe', 'dd if=/dev/urandom bs=1 count=1024 2>/dev/null | base64') }}" diff --git a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml index 490d1305b..f366d92b6 100644 --- a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml +++ b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml @@ -1,4 +1,4 @@ basic_users_users: - name: demo_user - password: "{% raw %}{{ vault_openondemand_default_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}{% endraw %}" # idempotent + password: "{% raw %}{{ vault_demo_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}{% endraw %}" # idempotent uid: 1006 From db646f1dda20ad74d530b6214c4608e23ecce3be Mon Sep 17 00:00:00 2001 From: wtripp180901 <78219569+wtripp180901@users.noreply.github.com> Date: Mon, 6 Jan 2025 09:18:33 +0000 Subject: [PATCH 06/15] Doc changes Co-authored-by: Steve Brasier <33413598+sjpb@users.noreply.github.com> --- docs/openondemand.README.md | 6 +++--- docs/production.md | 2 +- .../common/inventory/group_vars/all/basic_users.yml | 1 - 3 files changed, 4 insertions(+), 5 deletions(-) 
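Review bot: This commit renames the secret to `vault_demo_user_password` in the passwords role and the skeleton, but the Access section of `docs/openondemand.README.md` (patches 02 and 03) still tells users to look under `vault_openondemand_default_user`, and no later hunk on this page updates it. Someone following the docs will not find the demo password in `secrets.yml` under that name. Update the docs to name `vault_demo_user_password`. A short comment next to the new `slurm_appliance_secrets` entry saying which account it belongs to would also help, since the secret is now generated for every environment whether or not `demo_user` is kept.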
diff --git a/docs/openondemand.README.md b/docs/openondemand.README.md index aedf729c9..3bd6c9e9f 100644 --- a/docs/openondemand.README.md +++ b/docs/openondemand.README.md @@ -30,10 +30,10 @@ The above functionality is configured by running the `ansible/portal.yml` playbo See the [ansible/roles/openondemand/README.md](../ansible/roles/openondemand/README.md) for more details on the variables described below. -The following variables have been given default values to allow OOD to run in a newly created environment without additional configuration, but are likely to be overriden with site-specific values: -- `openondemand_servername` - this must be defined for both `openondemand` and `grafana` hosts (when Grafana is enabled). It is suggested to place it groupvars for `all`. Defaults to the IP address of the first host in the `openondemand` group. +The following variables have been given default values to allow Open Ondemand to work in a newly created environment without additional configuration, but generally should be overridden in `environment/site/inventory/group_vars/all/` with site-specific values: +- `openondemand_servername` - this must be defined for both `openondemand` and `grafana` hosts (when Grafana is enabled). Default is `ansible_host` (i.e. the IP address) of the first host in the `openondemand` group. - `openondemand_auth` and any corresponding options. Defaults to `basic_pam`. -- `openondemand_desktop_partition` and `openondemand_jupyter_partition` if the corresponding inventory groups are defined. Defaults to the first compute group defined in the `compute` Terraform variable in `environments/{ENV}/terraform`. +- `openondemand_desktop_partition` and `openondemand_jupyter_partition` if the corresponding inventory groups are defined. Defaults to the first compute group defined in the `compute` Terraform variable in `environments/$ENV/terraform`. It is also recommended to set: - `openondemand_dashboard_support_url` 
diff --git a/docs/production.md b/docs/production.md index 60dc860c8..e636e8321 100644 --- a/docs/production.md +++ b/docs/production.md @@ -7,4 +7,4 @@ This page contains some brief notes about differences between the default/demo c - Ensure created instances have accurate/synchronised time. For VM instances this is usually provided by the hypervisor, but if not (or for bare metal instances) it may be necessary to configure or proxy `chronyd` via an environment hook. - Remove production volumes from OpenTofu control. In the default OpenTofu configuration, deleting the resources also deletes the volumes used for persistent state and home directories. This is usually undesirable for production, so these resources should be removed from the OpenTofu configurations and manually deployed once. However note that for development environments leaving them under OpenTofu control is usually best. - Configure Open OpenOndemand - see [specific documentation](openondemand.README.md). -- You may wish to remove the `demo_user` user from `environments/{ENV}/inventory/group_vars/all/basic_users.yml` +- Remove the `demo_user` user from `environments/$ENV/inventory/group_vars/all/basic_users.yml` diff --git a/environments/common/inventory/group_vars/all/basic_users.yml b/environments/common/inventory/group_vars/all/basic_users.yml index bcc61eb4b..0cecf4b78 100644 --- a/environments/common/inventory/group_vars/all/basic_users.yml +++ b/environments/common/inventory/group_vars/all/basic_users.yml @@ -5,4 +5,3 @@ basic_users_homedir: /home basic_users_users: [] - From 1601fd87b02c5f8e4495acc6cdd263c1c920f91a Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Mon, 6 Jan 2025 09:21:13 +0000 Subject: [PATCH 07/15] rename --- docs/{openondemand.README.md => openondemand.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/{openondemand.README.md => openondemand.md} (100%) 
diff --git a/docs/openondemand.README.md b/docs/openondemand.md similarity index 100% rename from docs/openondemand.README.md rename to docs/openondemand.md From 13664a680eaa8ad9c5435a11938281bd9af55730 Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Mon, 6 Jan 2025 09:40:08 +0000 Subject: [PATCH 08/15] replaced testuser with demo_user --- .github/workflows/stackhpc.yml | 10 +++++----- ansible/roles/passwords/tasks/validate.yml | 2 +- .../.stackhpc/inventory/group_vars/all/basic_users.yml | 6 +++--- .../.stackhpc/inventory/group_vars/all/freeipa.yml | 4 ++-- .../inventory/group_vars/all/basic_users.yml | 2 +- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/stackhpc.yml b/.github/workflows/stackhpc.yml index b08854adb..eaca3a3ae 100644 --- a/.github/workflows/stackhpc.yml +++ b/.github/workflows/stackhpc.yml @@ -99,9 +99,9 @@ jobs: . venv/bin/activate . environments/.stackhpc/activate ansible-playbook ansible/adhoc/generate-passwords.yml - echo vault_testuser_password: "$TESTUSER_PASSWORD" > $APPLIANCES_ENVIRONMENT_ROOT/inventory/group_vars/all/test_user.yml + echo vault_demo_user_password: "$DEMO_USER_PASSWORD" > $APPLIANCES_ENVIRONMENT_ROOT/inventory/group_vars/all/test_user.yml env: - TESTUSER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }} + DEMO_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }} - name: Provision nodes using fat image id: provision_servers @@ -163,12 +163,12 @@ jobs: --spider \ --server-response \ --no-check-certificate \ - --http-user=testuser \ - --http-password=${TESTUSER_PASSWORD} https://${openondemand_servername} \ + --http-user=demo_user \ + --http-password=${DEMO_USER_PASSWORD} https://${openondemand_servername} \ 2>&1) (echo $statuscode | grep "200 OK") || (echo $statuscode && exit 1) env: - TESTUSER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }} + DEMO_USER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }} # - name: Build environment-specific compute image # id: packer_build 
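Review bot: After the rename, the `echo vault_demo_user_password: "$DEMO_USER_PASSWORD" > .../test_user.yml` line writes the same key that `generate-passwords.yml` appears to generate on the line before it (patch 05 adds it to `slurm_appliance_secrets`), so the value used in CI depends on which file in `group_vars/all` Ansible loads last. The shell also strips the double quotes, so the secret lands in the YAML file unquoted and a value containing `: ` or ` #` would be parsed differently. Writing it as `echo "vault_demo_user_password: '$DEMO_USER_PASSWORD'"` (assuming the value holds no single quote) and adding a comment that this file deliberately overrides the generated secret would make the intent explicit. The step body starts outside the hunk.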
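Review bot: In the wget check, `--http-password=${DEMO_USER_PASSWORD}` is expanded unquoted, so a secret containing whitespace or glob characters would be split or expanded by the shell before wget sees it; quote it as `--http-password="${DEMO_USER_PASSWORD}"`. The step also keeps `--no-check-certificate`, presumably because the CI portal is reached by IP with a certificate that cannot be verified. A one-line comment saying so would stop the flag being copied into checks against real deployments. The step starts outside the hunk.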
diff --git a/ansible/roles/passwords/tasks/validate.yml b/ansible/roles/passwords/tasks/validate.yml index 9279ffdbf..b30b0696e 100644 --- a/ansible/roles/passwords/tasks/validate.yml +++ b/ansible/roles/passwords/tasks/validate.yml @@ -1,4 +1,4 @@ - name: Assert secrets created assert: - that: (hostvars[inventory_hostname].keys() | select('contains', 'vault_') | length) > 1 # 1 as may have vault_testuser_password defined in dev + that: (hostvars[inventory_hostname].keys() | select('contains', 'vault_') | length) > 1 # 1 as may have vault_demo_user_password defined in dev fail_msg: "No inventory variables 'vault_*' found: Has ansible/adhoc/generate-passwords.yml been run?" diff --git a/environments/.stackhpc/inventory/group_vars/all/basic_users.yml b/environments/.stackhpc/inventory/group_vars/all/basic_users.yml index ae416cf72..e2088ffd9 100644 --- a/environments/.stackhpc/inventory/group_vars/all/basic_users.yml +++ b/environments/.stackhpc/inventory/group_vars/all/basic_users.yml @@ -1,6 +1,6 @@ -test_user_password: "{{ lookup('env', 'TESTUSER_PASSWORD') | default(vault_testuser_password, true) }}" # CI uses env, debug can set vault_testuser_password +test_demo_user_password: "{{ lookup('env', 'DEMO_USER_PASSWORD') | default(vault_demo_user_password, true) }}" # CI uses env, debug can set vault_demo_user_password basic_users_users: - - name: testuser # can't use rocky as $HOME isn't shared! - password: "{{ test_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}" # idempotent + - name: demo_user # can't use rocky as $HOME isn't shared! + password: "{{ test_demo_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}" # idempotent uid: 1005 diff --git a/environments/.stackhpc/inventory/group_vars/all/freeipa.yml b/environments/.stackhpc/inventory/group_vars/all/freeipa.yml index 4b3750650..9a979ab16 100644 --- a/environments/.stackhpc/inventory/group_vars/all/freeipa.yml 
+++ b/environments/.stackhpc/inventory/group_vars/all/freeipa.yml @@ -2,8 +2,8 @@ # NB: Users defined this way have expired passwords freeipa_users: - - name: testuser # can't use rocky as $HOME isn't shared! - password: "{{ test_user_password }}" + - name: demo_user # can't use rocky as $HOME isn't shared! + password: "{{ test_demo_user_password }}" givenname: test sn: test diff --git a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml index f366d92b6..dc993c3b8 100644 --- a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml +++ b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/basic_users.yml @@ -1,4 +1,4 @@ basic_users_users: - name: demo_user password: "{% raw %}{{ vault_demo_user_password | password_hash('sha512', 65534 | random(seed=inventory_hostname) | string) }}{% endraw %}" # idempotent - uid: 1006 + uid: 1005 From 1f3298d9264549670fd79164215a664ec844d46c Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Mon, 6 Jan 2025 10:05:10 +0000 Subject: [PATCH 09/15] selinux now defaults to disabled --- environments/.caas/inventory/group_vars/all/selinux.yml | 1 - .../.stackhpc/inventory/group_vars/selinux/overrides.yml | 1 - environments/common/inventory/group_vars/all/selinux.yml | 2 +- 3 files changed, 1 insertion(+), 3 deletions(-) delete mode 100644 environments/.caas/inventory/group_vars/all/selinux.yml delete mode 100644 environments/.stackhpc/inventory/group_vars/selinux/overrides.yml diff --git a/environments/.caas/inventory/group_vars/all/selinux.yml b/environments/.caas/inventory/group_vars/all/selinux.yml deleted file mode 100644 index 1f1098126..000000000 --- a/environments/.caas/inventory/group_vars/all/selinux.yml +++ /dev/null @@ -1 +0,0 @@ -selinux_state: disabled \ No newline at end of file 
diff --git a/environments/.stackhpc/inventory/group_vars/selinux/overrides.yml b/environments/.stackhpc/inventory/group_vars/selinux/overrides.yml deleted file mode 100644 index c3b28b913..000000000 --- a/environments/.stackhpc/inventory/group_vars/selinux/overrides.yml +++ /dev/null @@ -1 +0,0 @@ -selinux_state: disabled diff --git a/environments/common/inventory/group_vars/all/selinux.yml b/environments/common/inventory/group_vars/all/selinux.yml index 25fbbd68f..fef5c3f58 100644 --- a/environments/common/inventory/group_vars/all/selinux.yml +++ b/environments/common/inventory/group_vars/all/selinux.yml @@ -1,4 +1,4 @@ --- -selinux_state: permissive +selinux_state: disabled selinux_policy: targeted From cd02270abe7b5f85e9e7349f81373f14dc94d453 Mon Sep 17 00:00:00 2001 From: wtripp180901 <78219569+wtripp180901@users.noreply.github.com> Date: Mon, 6 Jan 2025 12:13:33 +0000 Subject: [PATCH 10/15] bump images --- .../.stackhpc/terraform/cluster_image.auto.tfvars.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json index f9e568c3f..e73475616 100644 --- a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json +++ b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json @@ -1,6 +1,6 @@ { "cluster_image": { - "RL8": "openhpc-RL8-250102-1138-77cfc703", - "RL9": "openhpc-RL9-250102-1139-77cfc703" + "RL8": "openhpc-RL8-250106-1030-1f3298d9", + "RL9": "openhpc-RL9-250106-1112-1f3298d9" } } From 072a37d242a24e27afe9078afd5091965d876829 Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Wed, 8 Jan 2025 15:34:43 +0000 Subject: [PATCH 11/15] updated readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f66441915..593837ccd 100644 --- a/README.md +++ b/README.md 
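Review bot: `selinux_state: disabled` in `environments/common` changes the default for every environment, not only `.caas` and `.stackhpc` whose overrides this commit deletes, so sites that relied on the previous `permissive` default would lose SELinux labelling and denial logging on their next run. Moving back from `disabled` to `permissive` or `enforcing` later requires a full filesystem relabel, so the change is not symmetric. Add a comment on the line, e.g. `# Demo default; set to permissive/enforcing in site environments`, and a matching bullet in `docs/production.md`. Alternatively, keep `permissive` in common and leave `disabled` in the two environment overrides.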
@@ -104,6 +104,7 @@ To deploy this infrastructure, ensure the venv and the environment are [activate export OS_CLOUD=openstack cd environments/$ENV/terraform/ + tofu init tofu apply and follow the prompts. Note the OS_CLOUD environment variable assumes that OpenStack credentials are defined using a [clouds.yaml](https://docs.openstack.org/python-openstackclient/latest/configuration/index.html#clouds-yaml) file in a default location with the default cloud name of `openstack`. From 1fc2407a9e30cd3e146f0b9cd230b97cdf40896a Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Wed, 8 Jan 2025 16:06:18 +0000 Subject: [PATCH 12/15] moved files and removed redundant ood config --- .../{grafana/overrides.yml => all/grafana.yml} | 0 .../{openhpc/overrides.yml => all/openhpc.yml} | 0 .../.stackhpc/inventory/group_vars/all/openondemand.yml | 9 ++++++++- .../inventory/group_vars/openondemand/overrides.yml | 8 -------- 4 files changed, 8 insertions(+), 9 deletions(-) rename environments/.stackhpc/inventory/group_vars/{grafana/overrides.yml => all/grafana.yml} (100%) rename environments/.stackhpc/inventory/group_vars/{openhpc/overrides.yml => all/openhpc.yml} (100%) delete mode 100644 environments/.stackhpc/inventory/group_vars/openondemand/overrides.yml diff --git a/environments/.stackhpc/inventory/group_vars/grafana/overrides.yml b/environments/.stackhpc/inventory/group_vars/all/grafana.yml similarity index 100% rename from environments/.stackhpc/inventory/group_vars/grafana/overrides.yml rename to environments/.stackhpc/inventory/group_vars/all/grafana.yml diff --git a/environments/.stackhpc/inventory/group_vars/openhpc/overrides.yml b/environments/.stackhpc/inventory/group_vars/all/openhpc.yml similarity index 100% rename from environments/.stackhpc/inventory/group_vars/openhpc/overrides.yml rename to environments/.stackhpc/inventory/group_vars/all/openhpc.yml 
diff --git a/environments/.stackhpc/inventory/group_vars/all/openondemand.yml b/environments/.stackhpc/inventory/group_vars/all/openondemand.yml index 11d475664..72b6cf476 100644 --- a/environments/.stackhpc/inventory/group_vars/all/openondemand.yml +++ b/environments/.stackhpc/inventory/group_vars/all/openondemand.yml @@ -1 +1,8 @@ -openondemand_servername: "{{ hostvars[ groups['openondemand'] | first].ansible_host }}" # Use a SOCKS proxy to acccess +openondemand_auth: basic_pam +openondemand_jupyter_partition: standard +openondemand_desktop_partition: standard +#openondemand_dashboard_support_url: +#openondemand_dashboard_docs_url: +#openondemand_filesapp_paths: +ondemand_package: ondemand-"{{ ondemand_package_version }}" +ondemand_package_version: '3.1.10' diff --git a/environments/.stackhpc/inventory/group_vars/openondemand/overrides.yml b/environments/.stackhpc/inventory/group_vars/openondemand/overrides.yml deleted file mode 100644 index 72b6cf476..000000000 --- a/environments/.stackhpc/inventory/group_vars/openondemand/overrides.yml +++ /dev/null @@ -1,8 +0,0 @@ -openondemand_auth: basic_pam -openondemand_jupyter_partition: standard -openondemand_desktop_partition: standard -#openondemand_dashboard_support_url: -#openondemand_dashboard_docs_url: -#openondemand_filesapp_paths: -ondemand_package: ondemand-"{{ ondemand_package_version }}" -ondemand_package_version: '3.1.10' From 1baf8bdacf9d51890219bb8343e00fe4f3852b9e Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Wed, 8 Jan 2025 16:09:20 +0000 Subject: [PATCH 13/15] environments now have grafana anonymous auth by default --- docs/production.md | 2 ++ .../inventory/group_vars/all/grafana.yml | 1 + 2 files changed, 3 insertions(+) create mode 100644 environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/grafana.yml diff --git a/docs/production.md b/docs/production.md index aeb0eefbb..6b6ef321a 100644 --- a/docs/production.md +++ b/docs/production.md 
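Review bot: `ondemand_package: ondemand-"{{ ondemand_package_version }}"` is a plain YAML scalar, so the double quotes are part of the value and it would render as `ondemand-"3.1.10"`; if the consuming role passes this to the package manager as-is, the quotes are probably unintended. `ondemand_package: "ondemand-{{ ondemand_package_version }}"` gives the usual name-version form. The line is carried over unchanged from the deleted `openondemand/overrides.yml`, but moving it to `group_vars/all` widens its scope from the `openondemand` group to every host, which deserves a comment at the top of the file.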
@@ -100,6 +100,8 @@ and referenced from the `site` and `production` environments, e.g.: - Remove the `demo_user` user from `environments/$ENV/inventory/group_vars/all/basic_users.yml` +- Disable `grafana_auth_anonymous` in `environments/$ENV/inventory/group_vars/all/grafana.yml` + - Modify `environments/site/terraform/nodes.tf` to provide fixed IPs for at least the control node, and (if not using FIPs) the login node(s): diff --git a/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/grafana.yml b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/grafana.yml new file mode 100644 index 000000000..521616a1b --- /dev/null +++ b/environments/skeleton/{{cookiecutter.environment}}/inventory/group_vars/all/grafana.yml @@ -0,0 +1 @@ +grafana_auth_anonymous: true \ No newline at end of file From 0c8efbc38438038ca992f819f28be71cba2c5979 Mon Sep 17 00:00:00 2001 From: wtripp180901 Date: Wed, 8 Jan 2025 15:58:52 +0000 Subject: [PATCH 14/15] fixed ohpc not using ark repos --- .../.stackhpc/inventory/group_vars/all/openhpc.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/environments/.stackhpc/inventory/group_vars/all/openhpc.yml b/environments/.stackhpc/inventory/group_vars/all/openhpc.yml index 858dfd9d3..5aac5f8ad 100644 --- a/environments/.stackhpc/inventory/group_vars/all/openhpc.yml +++ b/environments/.stackhpc/inventory/group_vars/all/openhpc.yml @@ -1,13 +1,3 @@ openhpc_config_extra: SlurmctldDebug: debug SlurmdDebug: debug - -ohpc_default_extra_repos: - "9": [] #overriding to ensure doesn't overwrite ark epel repo - "8": - - name: epel - file: epel - description: "Extra Packages for Enterprise Linux 8 - $basearch" - metalink: "https://mirrors.fedoraproject.org/metalink?repo=epel-8&arch=$basearch&infra=$infra&content=$contentdir" - gpgcheck: true - gpgkey: "https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8" From e63c133e5364404a4aba644cca2fd41dc8e8b432 Mon Sep 17 00:00:00 2001 
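Review bot: The new skeleton `grafana.yml` turns on `grafana_auth_anonymous` for every templated environment without a comment, so anyone who can reach Grafana gets view access to cluster dashboards unless the operator has read `docs/production.md`. Per the footnote in the Open Ondemand docs, with `basic_pam` this setting also makes the appliance strip the Authorisation header from proxied `node/` addresses, so the side effect reaches beyond Grafana. Add a comment above the line, e.g. `# Demo default: anonymous view-only Grafana; disable for production (see docs/production.md)`, and end the file with a newline.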
From: wtripp180901 <78219569+wtripp180901@users.noreply.github.com> Date: Thu, 9 Jan 2025 09:22:06 +0000 Subject: [PATCH 15/15] bump images --- .../.stackhpc/terraform/cluster_image.auto.tfvars.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json index 9c72b07ce..47681ea8a 100644 --- a/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json +++ b/environments/.stackhpc/terraform/cluster_image.auto.tfvars.json @@ -1,6 +1,6 @@ { "cluster_image": { - "RL8": "openhpc-RL8-250107-1534-b03caaf3", - "RL9": "openhpc-RL9-250107-1535-b03caaf3" + "RL8": "openhpc-RL8-250108-1703-e515b902", + "RL9": "openhpc-RL9-250108-1703-e515b902" } }