This was made for the OpenOndemand machine which needs the peregrine users and filesystems. For other machines, it may be necessary to make this playbook more versatile. pull/8/head
12 changed files with 424 additions and 0 deletions
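--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,5 @@
+---
+- hosts: all
+become: true
+roles:
+- ldap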
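Review bot: `hosts: all` with `become: true` applies the `ldap` role to every host in whatever inventory is passed, while the commit message says this is meant for the OpenOndemand machine; a dedicated inventory group in place of `all` would stop an accidental run against a wider inventory from rewriting `/etc/nsswitch.conf`, the PAM stack and `sshd_config` fleet-wide. The same applies to the `lustre_client` playbook in this commit, which overmounts `/home` on every target it reaches.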
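--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,5 @@
+---
+- hosts: all
+become: true
+roles:
+- lustre_client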
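--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,10 @@
+---
+firewall_allowed_tcp_ports:
+- "22"
+ldap_port: 389
+ldaps_port: 636
+uri_ldap: ''
+uri_ldaps: ''
+ldap_base: ''
+ldap_binddn: ''
+...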
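Review bot: `uri_ldap`, `uri_ldaps`, `ldap_base` and `ldap_binddn` are declared here but the nslcd.conf template in this commit hardcodes `uri ldap://172.23.47.249`, `base ou=Peregrine,o=asds` and `binddn cn=clusteradminperegrine,o=asds`, so these defaults never take effect. Either reference them from the template (`uri {{ uri_ldap }}`, `base {{ ldap_base }}`, `binddn {{ ldap_binddn }}`) or drop them; an empty-string default that is silently ignored hides a misconfiguration instead of surfacing it. `firewall_allowed_tcp_ports`, `ldap_port` and `ldaps_port` are likewise not consumed by any task or template visible in this commit. `bindpw`, which the template does consume, is not declared here; if it lives in a vault-encrypted file that is the right place, and a one-line comment saying so would make that explicit.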
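--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,100 @@
+#!/bin/bash
+
+set -u
+
+#
+##
+### Variables.
+##
+#
+SLURM_ACCOUNT='users'
+# Set a tag for the log entries.
+LOGGER='logger --tag login_checks'
+
+#
+##
+### Functions.
+##
+#
+
+#
+# Usage: run_with_timeout N cmd args...
+# or: run_with_timeout cmd args...
+# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
+#
+run_with_timeout () {
+local time=10
+if [[ $1 =~ ^[0-9]+$ ]]; then time=$1; shift; fi
+#
+# Run in a subshell to avoid job control messages.
+#
+( "$@" &
+child=$!
+#
+# Avoid default notification in non-interactive shell for SIGTERM.
+#
+trap -- "" SIGTERM
+( sleep $time
+kill $child 2> /dev/null
+) &
+wait $child
+)
+}
+
+login_actions () {
+#
+# Check if login user exists as SLURM user in the SLURM accounting DB.
+#
+if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
+if [ "${PAM_USER}" != 'root' ]; then
+# Only log for users other than root to prevend flooding the logs...
+$LOGGER "User ${PAM_USER} already exists in SLURM DB."
+fi
+else
+#
+# Create account in SLURM accounting DB.
+#
+local _log_message="Creating user ${PAM_USER} in SLURM accounting DB..."
+local _status="$(sacctmgr -iv create user name=${PAM_USER} account=${SLURM_ACCOUNT} fairshare=1 2>&1)"
+#
+# Checking for exit status does not work when executed by pam-script :(
+# Therefore we explicitly re-check if the user now exists in the SLURM DB...
+#
+#if [ $? -eq 0 ]; then
+if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
+_log_message="${_log_message}"' done!'
+else
+_log_message="${_log_message}"' FAILED. You cannot submit jobs. Contact an admin!'
+$LOGGER "${_status}"
+fi
+$LOGGER -s "${_log_message}"
+fi
+}
+
+#
+##
+### Main.
+##
+#
+
+#
+# Make sure we execute this file only for interactive sessions with a real shell.
+# Hence not for SFTP connections,
+# which will terminate instantly when anything that is not a valid FTP command is printed on STDOUT or STDERR.
+# For SFTP connections as well as SLURM jobs the TERM type is dumb,
+# but in the first case there are no SLURM related environment variables defined.
+#
+
+# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
+#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
+if [ ${TERM} == 'dumb' ]; then
+$LOGGER "debug: exiting because of dumb terminal"
+exit 0
+fi
+
+#
+# Run the desired login actions with a timeout of 10 seconds.
+#
+run_with_timeout 10 login_actions
+
+exit 0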
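Review bot: The SLURM existence check in `login_actions` (both `if` lines) pipes the full `sacctmgr -p list user` output, header row included, through `grep -o "${PAM_USER}"`, which treats the user name as a regular expression and also scans the literal `User` header, so a name that is a substring of that word or contains `.` can be reported as existing when it is not. Compare the exact record instead, e.g. `if [ "$(sacctmgr -n -P list user "${PAM_USER}" format=User)" == "${PAM_USER}" ]; then` (no header, no trailing separator), at both call sites. `${PAM_USER}` is unquoted in the `sacctmgr -iv create user name=${PAM_USER} ...` call and `${TERM}` is unquoted in the top-level test, which under `set -u` aborts the script (and silently skips account creation) if TERM is ever unset and mis-parses if it is empty; write `name="${PAM_USER}"` and `if [ "${TERM:-}" == 'dumb' ]; then`. The commented-out `#if [ $? -eq 0 ]; then` line is dead code that the comment above it already explains and can be removed.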
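--- /dev/null
+++ b/PATH_NOT_SHOWN_5
@@ -0,0 +1,19 @@
+#
+# /etc/nsswitch.conf
+#
+passwd: ldap files
+shadow: ldap files
+group: ldap files
+hosts: files dns
+bootparams: nisplus [NOTFOUND=return] files
+ethers: files
+netmasks: files
+networks: files
+protocols: files
+rpc: files
+services: files
+netgroup: nisplus
+publickey: nisplus
+automount: files nisplus
+aliases: files nisplus
+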
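Review bot: `passwd`, `shadow` and `group` list `ldap` before `files`, so every lookup, including `root` and the system accounts the PAM file exempts with `uid < 500`, goes to nslcd first and waits for its timeout whenever the directory is unreachable. The usual order is `files ldap`, which resolves local accounts immediately and keeps console and recovery logins working when LDAP is down. The `nisplus` entries on `bootparams`, `netgroup`, `publickey`, `automount` and `aliases` look inherited from a stock template; nothing in this commit configures NIS+, so `files` alone would be the honest value there.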
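--- /dev/null
+++ b/PATH_NOT_SHOWN_6
@@ -0,0 +1,27 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth required pam_env.so
+auth sufficient pam_ldap.so nullok try_first_pass
+auth requisite pam_succeed_if.so uid >= 500 quiet
+auth sufficient pam_unix.so use_first_pass
+auth required pam_deny.so
+
+account required pam_unix.so broken_shadow
+account sufficient pam_localuser.so
+account sufficient pam_succeed_if.so uid < 500 quiet
+account [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account required pam_permit.so
+
+password requisite pam_cracklib.so try_first_pass retry=3 type=
+password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password sufficient pam_ldap.so use_authtok
+password required pam_deny.so
+
+session optional pam_keyinit.so revoke
+session required pam_limits.so
+session optional pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel
+session optional pam_script.so onsessionopen=/usr/local/libexec/login_checks.sh
+session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session required pam_unix.so
+session optional pam_ldap.so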
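Review bot: `auth sufficient pam_ldap.so nullok try_first_pass` sits before the `uid >= 500` gate and before `pam_unix.so`, so every account that authenticates through this stack is bound against the directory first, local accounts below uid 500 can never fall back to their local password, and `nullok` (where this pam_ldap build honours it) lets an empty password reach the bind, whose rejection then depends on nslcd and server configuration; the standard authconfig order is `pam_unix.so`, then the `pam_succeed_if.so` gate, then `auth sufficient pam_ldap.so use_first_pass` without `nullok`. The header says this file is regenerated by authconfig, and the tasks file in this commit runs `authconfig --enablemkhomedir --update` after copying it, so the hand-written stack, including the `pam_script.so` line, is likely overwritten on each run; the authconfig task belongs before the copy, or can go entirely since `pam_oddjob_mkhomedir.so` is already listed here. `onsessionopen=/usr/local/libexec/login_checks.sh` names a path that no task visible in this commit installs; if another role provides it, a comment naming that role would help the next reader.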
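--- /dev/null
+++ b/PATH_NOT_SHOWN_7
@@ -0,0 +1,88 @@
+# Register a machine to our ldap
+---
+- name: Install yum dependencies
+yum:
+state: latest
+update_cache: yes
+disable_gpg_check: yes
+name:
+- openldap-clients
+- nss-pam-ldapd
+- openssh-ldap
+- pam_script
+- oddjob-mkhomedir
+
+- name: Deploy nslcd.conf
+template:
+src: nslcd.conf
+dest: /etc/nslcd.conf
+owner: root
+group: root
+mode: '0600'
+tags: [ conf ]
+
+- name: Deploy nsswitch.conf
+copy:
+src: nsswitch.conf
+dest: /etc/nsswitch.conf
+owner: root
+group: root
+mode: '0644'
+tags: [ conf ]
+
+- name: Create /etc/pam-script.d/ dir.
+file:
+name: /etc/pam-script.d
+state: directory
+
+- name: Enable pam_script.
+file:
+src: pam_script
+dest: "/etc/{{ item }}"
+owner: root
+group: root
+state: link
+with_items:
+- pam_script_acct
+- pam_script_auth
+- pam_script_passwd
+- pam_script_ses_close
+- pam_script_ses_open
+
+- name: Deploy password-auth-ac for PAM.
+copy:
+src: password-auth-ac
+dest: /etc/pam.d/password-auth-ac
+owner: root
+group: root
+mode: '0600'
+
+- name: Deploy sshd config.
+template:
+src: templates/sshd_config
+dest: /etc/ssh/sshd_config
+tags: [ conf ]
+
+- name: Enable services.
+systemd:
+name: "{{ item }}"
+enabled: yes
+with_items:
+- nslcd
+- dbus.service
+- oddjobd.service
+
+- name: Run authconfig update.
+shell: "authconfig --enablemkhomedir --update"
+
+- name: Restart services.
+service:
+name: "{{item}}"
+state: restarted
+with_items:
+- nslcd
+- dbus
+- oddjobd
+- sshd
+tags: [restart]
+...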
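Review bot: `Deploy sshd config.` writes `/etc/ssh/sshd_config` with no `owner`/`group`/`mode` and no `validate: '/usr/sbin/sshd -t -f %s'`, so a template mistake is only discovered when `Restart services.` takes sshd down and every remote login with it. `disable_gpg_check: yes` on `Install yum dependencies` (and on the lustre-client install in the other tasks file) turns off signature verification for all listed packages; if one repository is unsigned, set `gpgcheck=0` on that repository alone and leave verification on for the rest. `Enable pam_script.` uses a relative `src: pam_script`, so `/etc/pam_script_ses_open` and its siblings resolve to `/etc/pam_script`, which no task here creates, while `/etc/pam-script.d` is created and never used; with `onsessionopen=` set in the PAM file these links may not be needed at all. `Run authconfig update.` uses `shell:` for a command with no shell features and always reports changed; `command:` with `changed_when: false` is the idiomatic form. Restarting `dbus` in `Restart services.` is generally unsupported on systemd hosts and can detach running sessions; `nslcd`, `oddjobd` and `sshd` are the only ones that need it.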
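--- /dev/null
+++ b/PATH_NOT_SHOWN_8
@@ -0,0 +1,10 @@
+uid nslcd
+gid ldap
+uri ldap://172.23.47.249
+base ou=Peregrine,o=asds
+ssl no
+tls_cacertdir /etc/openldap/cacerts
+binddn cn=clusteradminperegrine,o=asds
+bindpw {{ bindpw }}
+map passwd loginShell "/bin/bash"
+map passwd gecos mail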
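Review bot: `ssl no` together with `uri ldap://172.23.47.249` sends the `binddn`/`bindpw` credentials and, because pam_ldap authenticates by binding as the user, each login password in clear text over the network; `tls_cacertdir` is set but has no effect without TLS. Use `ssl start_tls` (or an `ldaps://` URI, which the defaults file already anticipates with `ldaps_port: 636`) and add `tls_reqcert demand` so the server certificate is actually verified. `map passwd loginShell "/bin/bash"` gives every directory user an interactive shell regardless of the loginShell stored in LDAP, so a `/sbin/nologin` entry no longer blocks access on this host; if only some users should log in, add a `filter passwd` or `pam_authz_search` restriction. `bindpw {{ bindpw }}` is rendered with mode 0600, which is right; the variable itself should come from a vault-encrypted file rather than plain group vars.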
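--- /dev/null
+++ b/PATH_NOT_SHOWN_9
@@ -0,0 +1,93 @@
+Port 22
+UseDNS no
+
+#
+# Disable protocol version 1
+#
+Protocol 2
+
+#
+# Supported HostKey algorithms by order of preference.
+# Do not use (EC)DSA keys!
+#
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostKey /etc/ssh/ssh_host_rsa_key
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+
+#
+# Supported KEX (Key Exchange) algorithms.
+#
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
+# See also man moduli. Moduli are stored in file: /etc/ssh/moduli
+# The 5th column od this file contains the length of the moduli.
+# To remove short moduli:
+# if [[ ! -e /etc/ssh/moduli.original ]]; then
+# cp /etc/ssh/moduli > /etc/ssh/moduli.original
+# fi
+# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
+#
+
+#
+# Supported ciphers.
+#
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#RekeyLimit default none
+
+#
+# Supported MAC (message authentication code) algorithms.
+# Ciphers and MACs can be combined in multiple ways,
+# but only Encrypt-then-MAC (EtM) should be used.
+#
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+#
+# Logging
+#
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Required to have a clear audit trail of which key was used to log in.
+#
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+# Authentication:
+#
+# Never allow this. We have admin users who can sudo
+# (see users.yml in the gearshift repo)
+PermitRootLogin no
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2,
+# but we disable this by default as public keys for regular users come from LDAP.
+AuthorizedKeysFile /dev/null
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+UsePAM yes
+
+X11Forwarding yes
+ClientAliveInterval 300
+
+#
+# Override default of no subsystems
+# and log sftp level file access that would not be easily logged otherwise.
+#
+Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
+
+PubkeyAuthentication yes
+
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+AuthorizedKeysCommandUser root
+#
+# 129.125.249.0/24 # RUG BeheersWerkPlek
+# 172.23.40.1/24 # Management VLAN 983
+#
+Match Group admin
+AuthorizedKeysFile .ssh/authorized_keys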
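Review bot: `AuthorizedKeysCommandUser root` runs `ssh-ldap-wrapper` as root for every user name a remote client presents, before any authentication has succeeded; sshd's documentation recommends a dedicated unprivileged account for this command, and the wrapper only needs read access to its own ldap.conf, so create such an account and point `AuthorizedKeysCommandUser` at it. The commented address ranges above `Match Group admin` (`129.125.249.0/24`, `172.23.40.1/24`) are not applied by any `Match Address` or `AllowUsers` directive, so either turn them into a `Match Address` block or delete the comment before someone assumes the restriction is in force. `Protocol 2` is ignored by OpenSSH 7.4 and later, which only speak protocol 2, and the `cp /etc/ssh/moduli > /etc/ssh/moduli.original` line in the ToDo comment is not a valid `cp` invocation (`cp /etc/ssh/moduli /etc/ssh/moduli.original`).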
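--- /dev/null
+++ b/PATH_NOT_SHOWN_10
@@ -0,0 +1,65 @@
+---
+
+# This role is as of now highly opinated.
+# It mounts the peregrine lustre filesystems over tcp on eth1.
+
+- name: install lustre client
+yum:
+name: lustre-client-2.10.5-1.el7.x86_64
+state: present
+update_cache: yes
+disable_gpg_check: yes
+become: true
+
+- name: make endpoints to mount datahandling storage on.
+file:
+path: "{{ item }}"
+mode: 0777
+state: directory
+with_items:
+- /home
+- /data
+- /scratch
+
+- name: load the lustre kernel module.
+modprobe:
+name: lustre
+state: present
+
+- name: set lustre.conf
+template:
+src: templates/lustre.conf
+dest: /etc/modprobe.d/lustre.conf
+mode: 0644
+owner: root
+group: root
+backup: no
+
+- name: Mount /home
+mount:
+path: /home
+src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/home
+fstype: lustre
+opts: ro,seclabel,lazystatfs
+state: present
+
+- name: Mount /data
+mount:
+path: /data
+src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/data
+fstype: lustre
+opts: rw,seclabel,lazystatfs
+state: present
+
+- name: Mount /scratch
+mount:
+path: /scratch
+src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/scratch
+fstype: lustre
+opts: rw,seclabel,lazystatfs
+state: present
+
+- name: mount all mountpoints in fstab
+command: mount -a
+args:
+warn: false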
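Review bot: The three `mount:` tasks use `state: present`, which only writes the fstab entry, and the final `command: mount -a` then performs the mounting outside the module, so the play reports a change on every run and a failing mount is not attributed to the task that declared it; `state: mounted` does both idempotently and the `mount -a` task can be dropped. `mode: 0777` on `/home`, `/data` and `/scratch` only matters when the Lustre mount is absent, and then any user can fill the root filesystem through a world-writable directory; `mode: '0755'` is enough because the mounted filesystem brings its own permissions. Quote the modes (`'0755'`, `'0644'`) as the ldap role does; Ansible copes with a leading-zero integer, but a mode typed without the zero silently becomes decimal. The `lustre-client-2.10.5-1.el7.x86_64` pin with `disable_gpg_check: yes` installs a kernel-module package without signature verification; if that repository is unsigned, say so in a comment and confine `gpgcheck=0` to that repository rather than the whole transaction.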