ldap and lustre-client roles.

This was made for the OpenOndemand machine which needs the peregrine
users and filesystems.
For other machines, it may be nessecary to make this playbook more
versatile.

ldap_client.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  become: true
+  roles:
+    - ldap

lustre_client.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  become: true
+  roles:
+    - lustre_client

roles/ldap/defaults/main.yml

@@ -0,0 +1,10 @@
+---
+firewall_allowed_tcp_ports:
+  - "22"
+ldap_port: 389
+ldaps_port: 636
+uri_ldap: ''
+uri_ldaps: ''
+ldap_base: ''
+ldap_binddn: ''
+...

roles/ldap/files/login_checks.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+set -u
+
+#
+##
+### Variables.
+##
+#
+SLURM_ACCOUNT='users'
+# Set a tag for the log entries.
+LOGGER='logger --tag login_checks'
+
+#
+##
+### Functions.
+##
+#
+
+#
+# Usage: run_with_timeout N cmd args...
+#    or: run_with_timeout cmd args...
+# In the second case, cmd cannot be a number and the timeout will be 10 seconds.
+#
+run_with_timeout () {
+    local time=10
+    if [[ $1 =~ ^[0-9]+$ ]]; then time=$1; shift; fi
+    #
+    # Run in a subshell to avoid job control messages.
+    #
+    ( "$@" &
+        child=$!
+        #
+        # Avoid default notification in non-interactive shell for SIGTERM.
+        #
+        trap -- "" SIGTERM
+        ( sleep $time
+            kill $child 2> /dev/null
+        ) &
+        wait $child
+    )
+}
+
+login_actions () {
+    #
+    # Check if login user exists as SLURM user in the SLURM accounting DB.
+    #
+    if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
+      if [ "${PAM_USER}" != 'root' ]; then
+        # Only log for users other than root to prevend flooding the logs...
+        $LOGGER "User ${PAM_USER} already exists in SLURM DB."
+      fi
+    else
+        #
+        # Create account in SLURM accounting DB.
+        #
+        local _log_message="Creating user ${PAM_USER} in SLURM accounting DB..."
+        local _status="$(sacctmgr -iv create user name=${PAM_USER} account=${SLURM_ACCOUNT} fairshare=1 2>&1)"
+        #
+        # Checking for exit status does not work when executed by pam-script :(
+        # Therefore we explicitly re-check if the user now exists in the SLURM DB...
+        #
+        #if [ $? -eq 0 ]; then
+        if [ "$(sacctmgr -p list user "${PAM_USER}" format=User | grep -o "${PAM_USER}")" == "${PAM_USER}" ]; then
+            _log_message="${_log_message}"' done!'
+        else
+            _log_message="${_log_message}"' FAILED. You cannot submit jobs. Contact an admin!'
+            $LOGGER "${_status}"
+        fi
+        $LOGGER -s "${_log_message}"
+    fi
+}
+
+#
+##
+### Main.
+##
+#
+
+#
+# Make sure we execute this file only for interactive sessions with a real shell.
+# Hence not for SFTP connections,
+# which will terminate instantly when anything that is not a valid FTP command is printed on STDOUT or STDERR.
+# For SFTP connections as well as SLURM jobs the TERM type is dumb,
+# but in the first case there are no SLURM related environment variables defined.
+#
+
+# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
+#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
+if [ ${TERM} == 'dumb' ]; then
+    $LOGGER "debug: exiting because of dumb terminal"
+    exit 0
+fi
+
+#
+# Run the desired login actions with a timeout of 10 seconds.
+#
+run_with_timeout 10 login_actions
+
+exit 0

roles/ldap/files/nsswitch.conf

@@ -0,0 +1,19 @@
+#
+# /etc/nsswitch.conf
+#
+passwd:     ldap files
+shadow:     ldap files
+group:      ldap files
+hosts:      files dns
+bootparams: nisplus [NOTFOUND=return] files
+ethers:     files
+netmasks:   files
+networks:   files
+protocols:  files
+rpc:        files
+services:   files
+netgroup:   nisplus
+publickey:  nisplus
+automount:  files nisplus
+aliases:    files nisplus
+

roles/ldap/files/password-auth-ac

@@ -0,0 +1,27 @@
+#%PAM-1.0
+# This file is auto-generated.
+# User changes will be destroyed the next time authconfig is run.
+auth        required      pam_env.so
+auth        sufficient    pam_ldap.so nullok try_first_pass
+auth        requisite     pam_succeed_if.so uid >= 500 quiet
+auth        sufficient    pam_unix.so use_first_pass
+auth        required      pam_deny.so
+
+account     required      pam_unix.so broken_shadow
+account     sufficient    pam_localuser.so
+account     sufficient    pam_succeed_if.so uid < 500 quiet
+account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account     required      pam_permit.so
+
+password    requisite     pam_cracklib.so try_first_pass retry=3 type=
+password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
+password    sufficient    pam_ldap.so use_authtok
+password    required      pam_deny.so
+
+session     optional      pam_keyinit.so revoke
+session     required      pam_limits.so
+session     optional      pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel
+session     optional      pam_script.so onsessionopen=/usr/local/libexec/login_checks.sh
+session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
+session     required      pam_unix.so
+session     optional      pam_ldap.so

roles/ldap/meta/main.yml

@@ -0,0 +1 @@
+---

roles/ldap/tasks/main.yml

@@ -0,0 +1,88 @@
+# Register a machine to our ldap
+---
+- name: Install yum dependencies
+  yum:
+    state: latest
+    update_cache: yes
+    disable_gpg_check: yes
+    name:
+      - openldap-clients
+      - nss-pam-ldapd
+      - openssh-ldap
+      - pam_script
+      - oddjob-mkhomedir
+
+- name: Deploy nslcd.conf
+  template:
+    src: nslcd.conf
+    dest: /etc/nslcd.conf
+    owner: root
+    group: root
+    mode: '0600'
+  tags: [ conf ]
+
+- name: Deploy nsswitch.conf
+  copy:
+    src: nsswitch.conf
+    dest: /etc/nsswitch.conf
+    owner: root
+    group: root
+    mode: '0644'
+  tags: [ conf ]
+
+- name: Create /etc/pam-script.d/ dir.
+  file:
+    name: /etc/pam-script.d
+    state: directory
+
+- name: Enable pam_script.
+  file:
+    src: pam_script
+    dest: "/etc/{{ item }}"
+    owner: root
+    group: root
+    state: link
+  with_items:
+    - pam_script_acct
+    - pam_script_auth
+    - pam_script_passwd
+    - pam_script_ses_close
+    - pam_script_ses_open
+
+- name: Deploy password-auth-ac for PAM.
+  copy:
+    src: password-auth-ac
+    dest: /etc/pam.d/password-auth-ac
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Deploy sshd config.
+  template:
+    src: templates/sshd_config
+    dest: /etc/ssh/sshd_config
+  tags: [ conf ]
+
+- name: Enable services.
+  systemd:
+    name: "{{ item }}"
+    enabled: yes
+  with_items:
+    - nslcd
+    - dbus.service
+    - oddjobd.service
+
+- name: Run authconfig update.
+  shell: "authconfig --enablemkhomedir --update"
+
+- name: Restart services.
+  service:
+    name: "{{item}}"
+    state: restarted
+  with_items:
+    - nslcd
+    - dbus
+    - oddjobd
+    - sshd
+  tags: [restart]
+...

roles/ldap/templates/nslcd.conf

@@ -0,0 +1,10 @@
+uid nslcd
+gid ldap
+uri ldap://172.23.47.249
+base ou=Peregrine,o=asds
+ssl no
+tls_cacertdir /etc/openldap/cacerts
+binddn cn=clusteradminperegrine,o=asds
+bindpw {{ bindpw }}
+map    passwd loginShell       "/bin/bash"
+map    passwd gecos            mail

roles/ldap/templates/sshd_config

@@ -0,0 +1,93 @@
+Port 22
+UseDNS no
+
+#
+# Disable protocol version 1
+#
+Protocol 2
+
+#
+# Supported HostKey algorithms by order of preference.
+# Do not use (EC)DSA keys!
+#
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostKey /etc/ssh/ssh_host_rsa_key
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+
+#
+# Supported KEX (Key Exchange) algorithms.
+#
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
+#       See also man moduli. Moduli are stored in file: /etc/ssh/moduli
+#       The 5th column od this file contains the length of the moduli.
+#       To remove short moduli:
+# if [[ ! -e /etc/ssh/moduli.original ]]; then
+#     cp /etc/ssh/moduli > /etc/ssh/moduli.original
+# fi
+# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
+#
+
+#
+# Supported ciphers.
+#
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#RekeyLimit default none
+
+#
+# Supported MAC (message authentication code) algorithms.
+# Ciphers and MACs can be combined in multiple ways,
+# but only Encrypt-then-MAC (EtM) should be used.
+#
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
+
+#
+# Logging
+#
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Required to have a clear audit trail of which key was used to log in.
+#
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+# Authentication:
+#
+# Never allow this. We have admin users who can sudo
+# (see users.yml in the gearshift repo)
+PermitRootLogin no
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2,
+# but we disable this by default as public keys for regular users come from LDAP.
+AuthorizedKeysFile /dev/null
+
+PasswordAuthentication no
+PermitEmptyPasswords no
+
+ChallengeResponseAuthentication no
+
+GSSAPIAuthentication yes
+GSSAPICleanupCredentials no
+
+UsePAM yes
+
+X11Forwarding yes
+ClientAliveInterval 300
+
+#
+# Override default of no subsystems
+# and log sftp level file access that would not be easily logged otherwise.
+#
+Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
+
+PubkeyAuthentication yes
+
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+AuthorizedKeysCommandUser root
+#
+# 129.125.249.0/24   # RUG BeheersWerkPlek
+# 172.23.40.1/24     # Management VLAN 983
+#
+Match Group admin
+    AuthorizedKeysFile .ssh/authorized_keys

roles/lustre_client/tasks/main.yml

@@ -0,0 +1,65 @@
+---
+
+# This role is as of now highly opinated.
+# It mounts the peregrine lustre filesystems over tcp on eth1.
+
+- name: install lustre client
+  yum:
+    name: lustre-client-2.10.5-1.el7.x86_64
+    state: present
+    update_cache: yes
+    disable_gpg_check: yes
+  become: true
+
+- name: make endpoints to mount datahandling storage on.
+  file:
+    path: "{{ item }}"
+    mode: 0777
+    state: directory
+  with_items:
+    - /home
+    - /data
+    - /scratch
+
+- name: load the lustre kernel module.
+  modprobe:
+    name: lustre
+    state: present
+
+- name: set lustre.conf
+  template:
+    src: templates/lustre.conf
+    dest: /etc/modprobe.d/lustre.conf
+    mode: 0644
+    owner: root
+    group: root
+    backup: no
+
+- name: Mount /home
+  mount:
+    path: /home
+    src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/home
+    fstype: lustre
+    opts: ro,seclabel,lazystatfs
+    state: present
+
+- name: Mount /data
+  mount:
+    path: /data
+    src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/data
+    fstype: lustre
+    opts: rw,seclabel,lazystatfs
+    state: present
+
+- name: Mount /scratch
+  mount:
+    path: /scratch
+    src: 172.23.59.211@tcp10:172.23.59.212@tcp10:/scratch
+    fstype: lustre
+    opts: rw,seclabel,lazystatfs
+    state: present
+
+- name: mount all mountpoints in fstab
+  command: mount -a
+  args:
+    warn: false

roles/lustre_client/templates/lustre.conf

@@ -0,0 +1 @@
+options lnet networks=tcp11(eth1),tcp12(eth1),tcp13(eth1),tcp10(eth1)