
ldap and lustre-client roles.

This was made for the OpenOndemand machine which needs the peregrine
users and filesystems.
For other machines, it may be necessary to make this playbook more
versatile.
Egon Rijpkema 3 years ago
parent
commit
e2a3d6c6e5
  1. 5
      ldap_client.yml
  2. 5
      lustre_client.yml
  3. 10
      roles/ldap/defaults/main.yml
  4. 100
      roles/ldap/files/login_checks.sh
  5. 19
      roles/ldap/files/nsswitch.conf
  6. 27
      roles/ldap/files/password-auth-ac
  7. 1
      roles/ldap/meta/main.yml
  8. 88
      roles/ldap/tasks/main.yml
  9. 10
      roles/ldap/templates/nslcd.conf
  10. 93
      roles/ldap/templates/sshd_config
  11. 65
      roles/lustre_client/tasks/main.yml
  12. 1
      roles/lustre_client/templates/lustre.conf

5
ldap_client.yml

@ -0,0 +1,5 @@
---
- hosts: all
become: true
roles:
- ldap
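Review bot: `hosts: all` on the second line applies this role, with `become: true`, to every host in the inventory, although the commit message says it was written for the OpenOndemand machine; the PAM, nsswitch and sshd_config changes it makes are host-wide and awkward to undo, so targeting a dedicated inventory group (or a `{{ target_hosts }}`-style variable) would limit the blast radius of an accidental run against the full inventory. lustre_client.yml has the same `hosts: all`.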

5
lustre_client.yml

@ -0,0 +1,5 @@
---
- hosts: all
become: true
roles:
- lustre_client

10
roles/ldap/defaults/main.yml

@ -0,0 +1,10 @@
---
firewall_allowed_tcp_ports:
- "22"
ldap_port: 389
ldaps_port: 636
uri_ldap: ''
uri_ldaps: ''
ldap_base: ''
ldap_binddn: ''
...
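Review bot: `uri_ldap`, `uri_ldaps`, `ldap_base` and `ldap_binddn` are declared here but nothing in the role reads them; roles/ldap/templates/nslcd.conf hard-codes `uri`, `base` and `binddn` instead, and the one variable that template does consume, `bindpw`, has no default and no documentation. Either wire the template to these defaults (`uri {{ uri_ldap }}`, `base {{ ldap_base }}`, `binddn {{ ldap_binddn }}`) or drop them, and add a comment such as `# bindpw: nslcd bind password, supply from an ansible-vault encrypted vars file, never from this defaults file`. `firewall_allowed_tcp_ports` is not referenced anywhere in this commit either, so it is presumably meant for a firewall role outside the diff and deserves a comment saying so.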

100
roles/ldap/files/login_checks.sh

@ -0,0 +1,100 @@
#!/bin/bash
set -u
#
##
### Variables.
##
#
SLURM_ACCOUNT='users'
# Set a tag for the log entries.
LOGGER='logger --tag login_checks'
#
##
### Functions.
##
#
#
# Usage: run_with_timeout N cmd args...
# or: run_with_timeout cmd args...
# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
#
run_with_timeout () {
local time=10
if [[ $1 =~ ^[0-9]+$ ]]; then time=$1; shift; fi
#
# Run in a subshell to avoid job control messages.
#
( "$@" &
child=$!
#
# Avoid default notification in non-interactive shell for SIGTERM.
#
trap -- "" SIGTERM
( sleep $time
kill $child 2> /dev/null
) &
wait $child
)
}
login_actions () {
#
# Check if login user exists as SLURM user in the SLURM accounting DB.
#
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
if [ "${PAM_USER}" != 'root' ]; then
# Only log for users other than root to prevend flooding the logs...
$LOGGER "User ${PAM_USER} already exists in SLURM DB."
fi
else
#
# Create account in SLURM accounting DB.
#
local _log_message="Creating user ${PAM_USER} in SLURM accounting DB..."
local _status="$(sacctmgr -iv create user name=${PAM_USER} account=${SLURM_ACCOUNT} fairshare=1 2>&1)"
#
# Checking for exit status does not work when executed by pam-script :(
# Therefore we explicitly re-check if the user now exists in the SLURM DB...
#
#if [ $? -eq 0 ]; then
if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
_log_message="${_log_message}"' done!'
else
_log_message="${_log_message}"' FAILED. You cannot submit jobs. Contact an admin!'
$LOGGER "${_status}"
fi
$LOGGER -s "${_log_message}"
fi
}
#
##
### Main.
##
#
#
# Make sure we execute this file only for interactive sessions with a real shell.
# Hence not for SFTP connections,
# which will terminate instantly when anything that is not a valid FTP command is printed on STDOUT or STDERR.
# For SFTP connections as well as SLURM jobs the TERM type is dumb,
# but in the first case there are no SLURM related environment variables defined.
#
# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
if [ ${TERM} == 'dumb' ]; then
$LOGGER "debug: exiting because of dumb terminal"
exit 0
fi
#
# Run the desired login actions with a timeout of 10 seconds.
#
run_with_timeout 10 login_actions
exit 0
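Review bot: The terminal check near the end, `if [ ${TERM} == 'dumb' ]; then`, leaves `${TERM}` unquoted under `set -u`, so when the PAM session has no TERM the script aborts with an unbound-variable error before the SLURM check runs, and an empty TERM gives `[` a syntax error; `if [ "${TERM:-}" == 'dumb' ]; then` handles both. In login_actions, `local _status="$(sacctmgr ...)"` masks the command's exit code with `local`'s own status, which is why the commented-out `if [ $? -eq 0 ]` never worked; splitting it into `local _status` and `_status="$(sacctmgr -iv create user name="${PAM_USER}" account="${SLURM_ACCOUNT}" fairshare=1 2>&1)"` restores the status and also quotes the login name. The two `grep -o "${PAM_USER}"` checks treat the login name as a regular expression; `grep -F -o -- "${PAM_USER}"` keeps the comparison unchanged while matching it literally. The `sleep $time` watchdog subshell in run_with_timeout is never killed when the child finishes early, so every login leaves a sleeper behind for the full timeout; recording its pid and killing it after `wait $child` avoids that.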

19
roles/ldap/files/nsswitch.conf

@ -0,0 +1,19 @@
#
# /etc/nsswitch.conf
#
passwd: ldap files
shadow: ldap files
group: ldap files
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: nisplus
publickey: nisplus
automount: files nisplus
aliases: files nisplus
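Review bot: `passwd: ldap files`, `shadow: ldap files` and `group: ldap files` consult nslcd before the local files, so every lookup of a local account, including root during console recovery, waits on the directory and its timeouts whenever nslcd or the LDAP server is unreachable. Listing the local source first (`passwd: files ldap`, and likewise for shadow and group) keeps local logins independent of the directory. `netgroup: nisplus` and `publickey: nisplus` point at a NIS+ source that nothing in this commit configures; `files` would be the honest value unless NIS+ really exists on these hosts.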

27
roles/ldap/files/password-auth-ac

@ -0,0 +1,27 @@
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_unix.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel
session optional pam_script.so onsessionopen=/usr/local/libexec/login_checks.sh
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
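Review bot: `auth sufficient pam_ldap.so nullok try_first_pass` on the first pam_ldap line lets an empty password satisfy LDAP authentication for every PAM service that includes password-auth, not only sshd, whose `PermitEmptyPasswords no` covers SSH alone; dropping the option so the line reads `auth sufficient pam_ldap.so try_first_pass` closes that for su, login and similar services. The `uid >= 500` and `uid < 500` thresholds follow the older authconfig layout, and on EL7 regular users start at 1000, so local service accounts in the 500–999 range would pass these checks as ordinary users; the intended boundary is worth confirming against the directory's uid allocation. The `pam_script.so onsessionopen=/usr/local/libexec/login_checks.sh` line depends on a file that roles/ldap/tasks/main.yml does not deploy in this commit.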

1
roles/ldap/meta/main.yml

@ -0,0 +1 @@
---

88
roles/ldap/tasks/main.yml

@ -0,0 +1,88 @@
# Register a machine to our ldap
---
- name: Install yum dependencies
yum:
state: latest
update_cache: yes
disable_gpg_check: yes
name:
- openldap-clients
- nss-pam-ldapd
- openssh-ldap
- pam_script
- oddjob-mkhomedir
- name: Deploy nslcd.conf
template:
src: nslcd.conf
dest: /etc/nslcd.conf
owner: root
group: root
mode: '0600'
tags: [ conf ]
- name: Deploy nsswitch.conf
copy:
src: nsswitch.conf
dest: /etc/nsswitch.conf
owner: root
group: root
mode: '0644'
tags: [ conf ]
- name: Create /etc/pam-script.d/ dir.
file:
name: /etc/pam-script.d
state: directory
- name: Enable pam_script.
file:
src: pam_script
dest: "/etc/{{ item }}"
owner: root
group: root
state: link
with_items:
- pam_script_acct
- pam_script_auth
- pam_script_passwd
- pam_script_ses_close
- pam_script_ses_open
- name: Deploy password-auth-ac for PAM.
copy:
src: password-auth-ac
dest: /etc/pam.d/password-auth-ac
owner: root
group: root
mode: '0600'
- name: Deploy sshd config.
template:
src: templates/sshd_config
dest: /etc/ssh/sshd_config
tags: [ conf ]
- name: Enable services.
systemd:
name: "{{ item }}"
enabled: yes
with_items:
- nslcd
- dbus.service
- oddjobd.service
- name: Run authconfig update.
shell: "authconfig --enablemkhomedir --update"
- name: Restart services.
service:
name: "{{item}}"
state: restarted
with_items:
- nslcd
- dbus
- oddjobd
- sshd
tags: [restart]
...
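Review bot: `shell: "authconfig --enablemkhomedir --update"` near the end regenerates /etc/pam.d/password-auth-ac and the passwd/shadow/group lines of /etc/nsswitch.conf, so it can overwrite the two files this role copied a few tasks earlier in the same run, and as a bare `shell` task it reports changed on every play; run it before those copies, or rely on the `pam_oddjob_mkhomedir` line the PAM file already carries and drop it, and add `changed_when: false` if it stays. The PAM file references /usr/local/libexec/login_checks.sh, but no task copies roles/ldap/files/login_checks.sh to that path, so the pam_script hook will quietly never run. `disable_gpg_check: yes` combined with `state: latest` in the install task turns off package signature verification and pulls unpinned upgrades of the authentication stack on every run; `state: present` with GPG checking on is the safer default unless a specific repository really ships unsigned packages, which would deserve a comment. The restart task restarts nslcd, dbus, oddjobd and sshd unconditionally; moving them to handlers with `notify` restarts only on change, and restarting dbus on a live host warrants a comment explaining why it is needed.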

10
roles/ldap/templates/nslcd.conf

@ -0,0 +1,10 @@
uid nslcd
gid ldap
uri ldap://172.23.47.249
base ou=Peregrine,o=asds
ssl no
tls_cacertdir /etc/openldap/cacerts
binddn cn=clusteradminperegrine,o=asds
bindpw {{ bindpw }}
map passwd loginShell "/bin/bash"
map passwd gecos mail
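Review bot: `ssl no` together with `uri ldap://172.23.47.249` sends the `bindpw` and, because pam_ldap authenticates by binding, every user's password to the directory in cleartext, and the `tls_cacertdir` line is inert without TLS. Switch to an `ldaps://` URI (the role's defaults already define `ldaps_port: 636`) or keep the ldap URI with `ssl start_tls`, and add `tls_reqcert demand` so the server certificate is actually validated against the CA directory. The rendered file is correctly deployed root-owned with mode 0600 by the task file, which is the right place for the secret, but a comment on the `bindpw` line should state that the variable must come from an encrypted vars file.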

93
roles/ldap/templates/sshd_config

@ -0,0 +1,93 @@
Port 22
UseDNS no
#
# Disable protocol version 1
#
Protocol 2
#
# Supported HostKey algorithms by order of preference.
# Do not use (EC)DSA keys!
#
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
HostKey /etc/ssh/ssh_host_rsa_key
HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
#
# Supported KEX (Key Exchange) algorithms.
#
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
# See also man moduli. Moduli are stored in file: /etc/ssh/moduli
# The 5th column od this file contains the length of the moduli.
# To remove short moduli:
# if [[ ! -e /etc/ssh/moduli.original ]]; then
# cp /etc/ssh/moduli > /etc/ssh/moduli.original
# fi
# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
#
#
# Supported ciphers.
#
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
#RekeyLimit default none
#
# Supported MAC (message authentication code) algorithms.
# Ciphers and MACs can be combined in multiple ways,
# but only Encrypt-then-MAC (EtM) should be used.
#
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
#
# Logging
#
# LogLevel VERBOSE logs user's key fingerprint on login.
# Required to have a clear audit trail of which key was used to log in.
#
SyslogFacility AUTHPRIV
LogLevel VERBOSE
# Authentication:
#
# Never allow this. We have admin users who can sudo
# (see users.yml in the gearshift repo)
PermitRootLogin no
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2,
# but we disable this by default as public keys for regular users come from LDAP.
AuthorizedKeysFile /dev/null
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
ClientAliveInterval 300
#
# Override default of no subsystems
# and log sftp level file access that would not be easily logged otherwise.
#
Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
PubkeyAuthentication yes
AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
AuthorizedKeysCommandUser root
#
# 129.125.249.0/24 # RUG BeheersWerkPlek
# 172.23.40.1/24 # Management VLAN 983
#
Match Group admin
AuthorizedKeysFile .ssh/authorized_keys
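Review bot: `AuthorizedKeysCommandUser root` runs ssh-ldap-wrapper, a helper that talks to the network directory on every login attempt, with full privileges; OpenSSH allows a dedicated unprivileged account here that only needs read access to the wrapper's configuration, which is the least-privilege choice. The openssh-ldap package is installed by the role, but the /etc/ssh/ldap.conf the wrapper reads is not deployed in this commit, so AuthorizedKeysCommand will return no keys until that is configured elsewhere. In the moduli comment block, `cp /etc/ssh/moduli > /etc/ssh/moduli.original` creates an empty moduli.original while `cp` fails for lack of a destination, and the following awk would then write an empty /etc/ssh/moduli; the intended command is `cp /etc/ssh/moduli /etc/ssh/moduli.original`. `X11Forwarding yes` and `GSSAPICleanupCredentials no` are both permissive settings that deserve a one-line comment on why this host needs them.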

65
roles/lustre_client/tasks/main.yml

@ -0,0 +1,65 @@
---
# This role is as of now highly opinated.
# It mounts the peregrine lustre filesystems over tcp on eth1.
- name: install lustre client
yum:
name: lustre-client-2.10.5-1.el7.x86_64
state: present
update_cache: yes
disable_gpg_check: yes
become: true
- name: make endpoints to mount datahandling storage on.
file:
path: "{{ item }}"
mode: 0777
state: directory
with_items:
- /home
- /data
- /scratch
- name: load the lustre kernel module.
modprobe:
name: lustre
state: present
- name: set lustre.conf
template:
src: templates/lustre.conf
dest: /etc/modprobe.d/lustre.conf
mode: 0644
owner: root
group: root
backup: no
- name: Mount /home
mount:
path: /home
src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/home
fstype: lustre
opts: ro,seclabel,lazystatfs
state: present
- name: Mount /data
mount:
path: /data
src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/data
fstype: lustre
opts: rw,seclabel,lazystatfs
state: present
- name: Mount /scratch
mount:
path: /scratch
src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/scratch
fstype: lustre
opts: rw,seclabel,lazystatfs
state: present
- name: mount all mountpoints in fstab
command: mount -a
args:
warn: false
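Review bot: The `modprobe` task loads the lustre module before the next task writes /etc/modprobe.d/lustre.conf, so on a fresh host the `options lnet networks=...` line is not yet present when lnet initialises and the first run can bring the module up on the wrong interface; swapping the two tasks fixes the initial run, and a comment should note that a later change to the conf requires unloading the module or rebooting. `mode: 0777` on /home, /data and /scratch makes the mount points world-writable, so whenever a mount is missing users can write into the root filesystem there and over each other's files; `mode: '0755'` is sufficient because the mounted filesystem's own permissions apply once it is mounted. The three `mount` tasks use `state: present`, which only edits fstab and leaves the mounting to the final `command: mount -a`, which never remounts when options change; `state: mounted` does both idempotently and makes the `mount -a` task unnecessary. Octal modes are safer quoted in YAML (`'0755'`, `'0644'`), as the ldap role already does.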

1
roles/lustre_client/templates/lustre.conf

@ -0,0 +1 @@
options lnet networks=tcp11(eth1),tcp12(eth1),tcp13(eth1),tcp10(eth1)