From cd1fe70a66b34d52f1cd34578b01b9c41d16d85d Mon Sep 17 00:00:00 2001 From: "Gerbenvandervries@gmail.com" Date: Fri, 11 Jan 2019 13:06:00 +0000 Subject: [PATCH 01/76] small changes to inventory --- hyperchicken_hosts | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/hyperchicken_hosts b/hyperchicken_hosts index 711ddfa28..372cff47e 100644 --- a/hyperchicken_hosts +++ b/hyperchicken_hosts @@ -1,20 +1,21 @@ [slurm] hc-slurm +[jumphost] +hc-headnode + [user-interface] hc-headnode [administration] hc-slurm -hc-headnode [compute-vm] hc-vcompute[01:04] -hc-slurm [cluster:children] compute-vm administration -[hyperchicken:children] +[hyperchicken-cluster:children] cluster From b7a53986b6f6accebadc855101c831704740ba19 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Sun, 27 Jan 2019 19:07:34 +0100 Subject: [PATCH 02/76] Improved SSHD config: ensure only strong keys can be used. --- roles/ldap/files/ssh-ldap-wrapper | 34 +++++++++++++++++++++ roles/ldap/tasks/main.yml | 12 ++++++++ roles/ldap/templates/sshd_config | 49 ++++++++++++++++--------------- 3 files changed, 71 insertions(+), 24 deletions(-) create mode 100755 roles/ldap/files/ssh-ldap-wrapper diff --git a/roles/ldap/files/ssh-ldap-wrapper b/roles/ldap/files/ssh-ldap-wrapper new file mode 100755 index 000000000..26a61f7ed --- /dev/null +++ b/roles/ldap/files/ssh-ldap-wrapper 
@@ -0,0 +1,34 @@ +#!/bin/bash + +# +# Custom ssh-ldap-wrapper script. +# * Fetches public keys from LDAP using default ssh-ldap-helper and +# * Filters the public keys by dropping unsupported key types or short key sizes considered weak. +# We accept fixed size ed25519 keys and >= 4096 bits rsa keys. +# +declare user="${1}" +declare regex='^([0-9][0-9]*) .* \((.*)\)$' +declare ssh_ldap_helper='/usr/libexec/openssh/ssh-ldap-helper' +declare ssh_keygen='/usr/bin/ssh-keygen' +declare rsa_key_size='4096' + +while read -r authorized_keys_line; do + declare fingerprint="$("${ssh_keygen}" -l -f /dev/stdin <<< "${authorized_keys_line}")" + if [[ "${fingerprint}" =~ ${regex} ]]; then + declare key_size="${BASH_REMATCH[1]}" + declare key_type="${BASH_REMATCH[2]}" + if [[ "${key_type}" == 'ED25519' ]]; then + printf '%s\n' "${authorized_keys_line}" + elif [[ "${key_type}" == 'RSA' ]]; then + if [[ "${key_size}" -ge ${rsa_key_size} ]]; then + printf '%s\n' "${authorized_keys_line}" + else + echo "WARN: Skipping key with unsupported key size ${key_size}. "${key_type}" key size must be >= ${rsa_key_size}." 1>&2 + fi + else + echo "WARN: Skipping unsupported key type ${key_type}." 1>&2 + fi + else + echo "ERROR: Failed to parse key fingerprint ${fingerprint}." 1>&2 + fi +done <<< "$("${ssh_ldap_helper}" -s "${user}")" \ No newline at end of file diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index 5b5eefd97..40afee9e6 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml @@ -85,6 +85,18 @@ src: templates/sshd_config dest: /etc/ssh/sshd_config +# +# ToDo: patch /etc/ssh/moduli +# + +- name: Deploy custom ssh-ldap-wrapper. + copy: + src: ssh-ldap-wrapper + dest: /usr/libexec/openssh/ssh-ldap-wrapper + owner: root + group: root + mode: '0755' + - name: Enable services. systemd: name: "{{ item }}" diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config index 4cd5cb55a..d07faffa3 100644 
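Review bot: In the RSA-size warning the inner `"${key_type}"` sits inside a string that is already double-quoted, so the quotes close and reopen and the variable is expanded unquoted (word splitting and globbing apply); write `echo "WARN: Skipping key with unsupported key size ${key_size}. ${key_type} key size must be >= ${rsa_key_size}." 1>&2`. The filter itself fails closed, which is right: any line ssh-keygen cannot fingerprint is dropped with an ERROR, and only ED25519 and RSA >= 4096 reach stdout. Where that stderr ends up depends on how sshd spawns the AuthorizedKeysCommand; confirm on a host that the WARN/ERROR lines are visible in the auth log rather than discarded, since they are the only trace of a rejected key. A header line such as `# Exit status is not checked by sshd for stderr; only stdout lines become authorized keys.` would make that contract explicit for the next editor.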
--- a/roles/ldap/templates/sshd_config +++ b/roles/ldap/templates/sshd_config @@ -7,22 +7,25 @@ UseDNS no Protocol 2 # -# Supported HostKey algorithms by order of preference. +# Supported (Host)Key algorithms by order of preference. # Do not use (EC)DSA keys! # HostKey /etc/ssh/ssh_host_ed25519_key HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub HostKey /etc/ssh/ssh_host_rsa_key HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub +HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com +PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com # # Supported KEX (Key Exchange) algorithms. # KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 +# # ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long # See also man moduli. Moduli are stored in file: /etc/ssh/moduli -# The 5th column od this file contains the length of the moduli. +# The 5th column of this file contains the length of the moduli. # To remove short moduli: # if [[ ! -e /etc/ssh/moduli.original ]]; then # cp /etc/ssh/moduli > /etc/ssh/moduli.original @@ -41,7 +44,7 @@ Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh. # Ciphers and MACs can be combined in multiple ways, # but only Encrypt-then-MAC (EtM) should be used. # -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com +MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com # # Logging 
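Review bot: The new `PubkeyAcceptedKeyTypes` and `HostKeyAlgorithms` lines admit RSA only as `ssh-rsa` (plus its cert variant), which is the SHA-1 signature scheme; the 4096-bit floor enforced by ssh-ldap-wrapper says nothing about the hash used when the key signs at authentication time. Listing `rsa-sha2-512,rsa-sha2-256` ahead of `ssh-rsa` lets capable clients sign with SHA-2 while `ssh-rsa` stays available only for legacy clients, and the cert-v01 counterparts of those names exist in newer releases; confirm with `sshd -T` on a target host which names the installed version accepts. The same algorithm list is repeated verbatim on both directives, so a comment such as `# Keep PubkeyAcceptedKeyTypes in sync with HostKeyAlgorithms above.` would help keep them aligned.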
@@ -52,26 +55,33 @@ MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@op SyslogFacility AUTHPRIV LogLevel VERBOSE -# Authentication: # -# Never allow this. We have admin users who can sudo -# (see users.yml in the gearshift repo) +# Authentication methods. +# +# * Never allow direct root login: We have admin users who can sudo. +# (see users.yml in the league-of-robots repo) +# * Disable password based auth. +# * Enable key pair based auth. +# * Fetch public keys from LDAP +# * Disable local keys stored in ~/.ssh/ folders except for local admin accounts. +# +UsePAM yes PermitRootLogin no - -# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2, -# but we disable this by default as public keys for regular users come from LDAP. -AuthorizedKeysFile /dev/null - PasswordAuthentication no PermitEmptyPasswords no - ChallengeResponseAuthentication no - GSSAPIAuthentication yes GSSAPICleanupCredentials no +PubkeyAuthentication yes +AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper +AuthorizedKeysCommandUser root +AuthorizedKeysFile /dev/null +Match Group admin + AuthorizedKeysFile .ssh/authorized_keys -UsePAM yes - +# +# Connection settings. +# X11Forwarding yes ClientAliveInterval 300 @@ -81,13 +91,4 @@ ClientAliveInterval 300 # Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO -PubkeyAuthentication yes -AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper -AuthorizedKeysCommandUser root -# -# 129.125.249.0/24 # RUG BeheersWerkPlek -# 172.23.40.1/24 # Management VLAN 983 -# -Match Group admin - AuthorizedKeysFile .ssh/authorized_keys From d3543a53660b5213d2289490ed8315d92c1904af Mon Sep 17 00:00:00 2001 
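Review bot: `Match Group admin` is now placed before the `# Connection settings` block, and a Match block in sshd_config runs to the next Match or end of file, so `X11Forwarding`, `ClientAliveInterval` and the `Subsystem sftp` line that follow it are scoped to the admin group rather than global; `Subsystem` is not accepted inside a Match block, so sshd is likely to reject this file. Either move the `Match Group admin` / `AuthorizedKeysFile .ssh/authorized_keys` pair back to the end of the file or terminate it with `Match all` before the global directives. Adding `# Match blocks extend to the next Match; keep them after all global directives.` to the `# Authentication methods.` comment block would prevent a repeat.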
From: pneerincx Date: Mon, 28 Jan 2019 10:38:00 +0100 Subject: [PATCH 03/76] Bugfixes and added handlers for LDAP role including nslcd, dbusd, oddjobd and sshd. --- roles/ldap/defaults/main.yml | 1 + roles/ldap/handlers/main.yml | 35 +++++++++++++++++++++++++ roles/ldap/tasks/main.yml | 44 +++++++++++++++++++++----------- roles/ldap/templates/sshd_config | 5 ++-- 4 files changed, 68 insertions(+), 17 deletions(-) create mode 100644 roles/ldap/handlers/main.yml diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml index 89105e686..7dcfda70c 100644 --- a/roles/ldap/defaults/main.yml +++ b/roles/ldap/defaults/main.yml @@ -7,4 +7,5 @@ uri_ldap: '' uri_ldaps: '' ldap_base: '' ldap_binddn: '' +sshd_moduli_minimum: 3072 ... diff --git a/roles/ldap/handlers/main.yml b/roles/ldap/handlers/main.yml new file mode 100644 index 000000000..437d3e901 --- /dev/null +++ b/roles/ldap/handlers/main.yml @@ -0,0 +1,35 @@ +--- +# +# Important: maintain correct handler order. +# Handlers are executed in the order in which they are defined +# and not in the order in whch they are listed in a "notify: handler_name" statement! +# +- name: Restart nslcd service. + service: + name: nslcd + state: restarted + become: yes + listen: restart_nslcd + +# OddJob has a dependency on DBus. +- name: Run authconfig update. + shell: "authconfig --enablemkhomedir --update" + become: yes + listen: restart_oddjobd +- name: Restart dbusd and oddjobd services. + service: + name: "{{item}}" + state: restarted + with_items: + - dbus + - oddjobd + become: yes + listen: restart_oddjobd + +- name: Restart sshd service. + service: + name: sshd + state: restarted + become: yes + listen: restart_sshd +... \ No newline at end of file diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index 40afee9e6..4227e45b1 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml 
@@ -10,6 +10,10 @@ - openssh-ldap - pam_script - oddjob-mkhomedir + notify: + - restart_nslcd + - restart_oddjobd + - restart_sshd - name: Deploy nslcd.conf template: @@ -18,6 +22,8 @@ owner: root group: root mode: '0600' + notify: + - restart_nslcd - name: Deploy ldap.conf template: @@ -26,6 +32,8 @@ owner: root group: root mode: '0644' + notify: + - restart_nslcd - name: Deploy nsswitch.conf copy: @@ -34,6 +42,8 @@ owner: root group: root mode: '0644' + notify: + - restart_nslcd - name: Create /etc/pam-script.d/ dir. file: @@ -79,15 +89,27 @@ owner: root group: root mode: '0600' + notify: + - restart_oddjobd - name: Deploy sshd config. template: src: templates/sshd_config dest: /etc/ssh/sshd_config + validate: '/usr/sbin/sshd -T -f %s' + notify: restart_sshd -# -# ToDo: patch /etc/ssh/moduli -# +- name: Check if /etc/ssh/moduli contains weak (small) values. + shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli + register: sshd_register_moduli + changed_when: false + check_mode: no + +- name: Remove weak (small) values from /etc/ssh/moduli. + shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ; + [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true + when: sshd_register_moduli.stdout + notify: restart_sshd - name: Deploy custom ssh-ldap-wrapper. copy: @@ -105,17 +127,9 @@ - nslcd - dbus.service - oddjobd.service + notify: + - restart_nslcd + - restart_oddjobd -- name: Run authconfig update. - shell: "authconfig --enablemkhomedir --update" - -- name: Reload services. - service: - name: "{{item}}" - state: reloaded - with_items: - - nslcd - - dbus - - oddjobd - - sshd +- meta: flush_handlers ... \ No newline at end of file diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config index d07faffa3..bb2273344 100644 --- a/roles/ldap/templates/sshd_config +++ b/roles/ldap/templates/sshd_config 
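Review bot: In the `Remove weak (small) values from /etc/ssh/moduli.` task the trailing `|| true` makes the task succeed even when `moduli.new` is empty or the `mv` fails, so a host can keep its weak moduli while the play reports the cleanup as done and still notifies `restart_sshd`. Drop the `|| true` so a failed rewrite fails the task, and keep the `-s` test as the guard that matters: without it an empty `moduli.new` would replace the file and remove every group-exchange modulus. The preceding check task with `changed_when: false` and `check_mode: no` re-detects leftover weak lines on the next run, which is good, but only if the failure is not masked. The `validate: '/usr/sbin/sshd -T -f %s'` addition is the right move; note that `-T` without connection parameters only syntax-checks Match-scoped directives, so the admin-group override is not exercised by it.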
@@ -70,7 +70,7 @@ PermitRootLogin no PasswordAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no -GSSAPIAuthentication yes +GSSAPIAuthentication no GSSAPICleanupCredentials no PubkeyAuthentication yes AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper @@ -78,11 +78,12 @@ AuthorizedKeysCommandUser root AuthorizedKeysFile /dev/null Match Group admin AuthorizedKeysFile .ssh/authorized_keys +Match all # # Connection settings. # -X11Forwarding yes +X11Forwarding no ClientAliveInterval 300 # From a82550e9e81ee1313f1471be9756a281704cc95c Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 28 Jan 2019 17:38:08 +0100 Subject: [PATCH 04/76] Bugfixes and simplified syntax for creating local admin accounts. --- users.yml | 136 ++++++++++++++++++++++++------------------------------ 1 file changed, 60 insertions(+), 76 deletions(-) diff --git a/users.yml b/users.yml index 9d74d9834..09c6d5bf3 100644 --- a/users.yml +++ b/users.yml 
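Review bot: `AuthorizedKeysCommandUser root` (context in this hunk) runs ssh-ldap-wrapper, and through it ssh-ldap-helper and ssh-keygen on LDAP-supplied input, as root on every authentication attempt; the sshd_config manual recommends a dedicated account with no other role for this. A local system user created by the role and named as `AuthorizedKeysCommandUser <dedicated-user>` (placeholder) would confine a flaw in the wrapper or helper to that account. The added `Match all` correctly ends the admin-only `AuthorizedKeysFile` override so the connection settings below are global again; a line such as `# End of Match Group admin; everything below applies to all users.` would make that intent explicit.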
@@ -5,100 +5,84 @@ # Team HPC players. - import_playbook: roles/HPCplaybooks/users.yml -- name: Initial setup +- name: Create local sysadmin accounts on all hosts. hosts: all become: True tasks: - - name: Determine available groups - getent: - database: group +# +# getent group is not usefull as it may fail with: +# The conditional check 'item in ansible_facts.getent_group' failed. +# The error was: error while evaluating conditional (item in ansible_facts.getent_group): 'ansible_facts' is undefined +# and the required groups are not created if they are missing... +# +# - name: Determine available groups. +# getent: +# database: group - - user: - name: remco - comment: "Remco Rohde" - group: admin - groups: "{{ item }}" - append: yes - when: item in ansible_facts.getent_group - with_items: - - admin - - docker - - - authorized_key: - user: remco - key: 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAA+J5Kn81H0o8tr8W+m31E6OOmPpEqH5/48XRKy/qa6x1phGwobFAdLO8VtnsidjVEb1fpbHCArPQM3T2xjRBnCPAF7XNTm6S/nyrBk522yYOz1dTYUc7mTKACvKTqwEPwtA7sUZz61u+joFY4UajcVszJAuaLZCNRaSzLO1vx3ML571w== remco@tnt7' + - name: Check if required groups are present. + group: + name: "{{ item.name }}" state: present + with_items: + - name: admin + - name: docker -- hosts: sugarsnax - become: True - tasks: - - user: - name: pieter - comment: "Pieter Neerincx" - group: admin - groups: "{{ item }}" + - name: Create local sys admin users and append them to relevant groups. + user: + name: "{{ item.name }}" + comment: "{{ item.comment }}" + group: 'admin' + groups: ['admin', 'docker'] append: yes - when: item in ansible_facts.getent_group with_items: - - admin - - docker + - name: 'remco' + comment: 'Remco Rohde' - - authorized_key: - user: pieter - key: 'ssh-rsa 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 pneerincx' + - name: Deploy authorized keys for admins. 
+ authorized_key: + user: "{{ item.user }}" + key: "{{ item.key }}" state: present + exclusive: yes + with_items: + - user: 'remco' + key: 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAA+J5Kn81H0o8tr8W+m31E6OOmPpEqH5/48XRKy/qa6x1phGwobFAdLO8VtnsidjVEb1fpbHCArPQM3T2xjRBnCPAF7XNTm6S/nyrBk522yYOz1dTYUc7mTKACvKTqwEPwtA7sUZz61u+joFY4UajcVszJAuaLZCNRaSzLO1vx3ML571w== remco@tnt7' -- hosts: +- name: Create local deploy admin accounts on subset of hosts. + hosts: - talos-cluster - imperator - - reception + - sugarsnax become: True tasks: - - user: - name: pieter - comment: "Pieter Neerincx" - group: admin - groups: "{{ item }}" - append: yes - when: item in ansible_facts.getent_group - with_items: - - admin - - docker - - - authorized_key: - user: pieter - key: 'ssh-rsa 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 pneerincx' - state: present - - - user: - name: gerben - comment: "Gerben van der Vries" - group: admin - groups: "{{ item }}" + - name: Create local deploy admin users and append them to relevant groups. + user: + name: "{{ item.name }}" + comment: "{{ item.comment }}" + group: 'admin' + groups: ['admin', 'docker'] append: yes - when: item in ansible_facts.getent_group with_items: - - admin - - docker + - name: 'gerben' + comment: 'Gerben van der Vries' + - name: 'marieke' + comment: 'Marieke Bijlsma' + - name: 'pieter' + comment: 'Pieter Neerincx' - - authorized_key: - user: gerben - key: 'ssh-rsa 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 gvdvries@local.macbook' + - name: Deploy authorized keys for admins. 
+ authorized_key: + user: "{{ item.user }}" + key: "{{ item.key }}" state: present - - - user: - name: marieke - comment: "Marieke Bijlsma" - group: admin - groups: "{{ item }}" - append: yes - when: item in ansible_facts.getent_group + exclusive: yes with_items: - - admin - - docker - - - authorized_key: - user: marieke - key: 'ssh-rsa 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 mbijlsma' - state: present + - user: 'gerben' + key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCUfwAhBD4vCDYgsr04Kxn1e+vIcx7EzOEJrwi4Bv1Fc329TAifMTLeXXjPlehNvDvxq1Eb6I0v0CA01OwtD2QH+jnKGK7/RXwOfKHZQDsfZ1qL725So8z2rLfTOiIBn01zwSZTPoMC0NoDEj1H7RUpuSTSWazRmZJAi4S9aWU7DK+aWp0vR4UzvxWNFuzhhSJPOrHBx0O6st67oVRyhhIFo67dIfgI/fDwuT7+hAfAzGtuWAW1SI33ucDtaSSs3CT6ndPIU1jzRwrK/Xoq2vzyso6ptj9N/qJfauVUtwhQs//9hGjIP7H2m4maUDR60qDveUy4QNbRoJQuT28FrZxdYjEWyU7E3/yuBSX5Lggk9GuolpGBTj3EDLth0LUsB/hjjGNSebNL/pF5wQR9Usu9omXf4f3dPfU/X0SaWjeY1ukU4saRefn9FIu1ZV3w6TQUybM/2ZcHzbS2JDieirMTZ2uGUVZyAX4TID40Pc84bcFbfQULkqBGPmp2X3rrfJgg8GmmX92qT/OEEPQ6tsA909dxvXGMYzb/7B5MjiAjdkhhIlRzjFz8zy0dkTAMopxwHPI4Fr1z/LhP8Or7pv31HfG/RIW8pOcanvvRRzqoSohDrfxobzczce42S/qrD0sE2gQdwbnAh0JlPmB7erSrqhxEjw0pHXd8CWx4yH3oJQ== gvdvries' + - user: 'marieke' + key: 'ssh-rsa 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 mbijlsma' + - user: 'pieter' + key: | + ssh-rsa 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 pneerincx + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519 From c32d861971bd84257919e6fcebb0950b83c8c284 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Mon, 28 Jan 2019 17:50:37 +0100 Subject: [PATCH 05/76] ... --- users.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/users.yml b/users.yml index 09c6d5bf3..7ec72b35c 100644 --- a/users.yml +++ b/users.yml @@ -86,3 +86,4 @@ key: | ssh-rsa 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 pneerincx ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519 +... 
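Review bot: The key deployed for `remco` is `ecdsa-sha2-nistp521`, while the sshd_config template in the roles/ldap patch of this same series restricts `PubkeyAcceptedKeyTypes` to ed25519 and RSA; on any host that applies that role the account cannot log in, and because `exclusive: yes` replaces the file, any previously working key is removed at the same time. Either deploy an accepted key type for that user or widen the sshd allow-list deliberately, and record which in a comment next to the key. Adding every admin to `docker` on `hosts: all` grants root-equivalent access through the docker socket wherever docker is installed; if that is intended, `# docker group membership is root-equivalent` beside `groups: ['admin', 'docker']` documents the decision.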
From 2e3c53075453a70470b82552276128cb4967e133 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Tue, 29 Jan 2019 18:38:43 +0100 Subject: [PATCH 06/76] Bugfix: parse public keys correctly for OpenSSH no matter in which order they are supplied from the LDAP. --- roles/ldap/files/ssh-ldap-wrapper | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/roles/ldap/files/ssh-ldap-wrapper b/roles/ldap/files/ssh-ldap-wrapper index 26a61f7ed..84fa93245 100755 --- a/roles/ldap/files/ssh-ldap-wrapper +++ b/roles/ldap/files/ssh-ldap-wrapper @@ -11,17 +11,19 @@ declare regex='^([0-9][0-9]*) .* \((.*)\)$' declare ssh_ldap_helper='/usr/libexec/openssh/ssh-ldap-helper' declare ssh_keygen='/usr/bin/ssh-keygen' declare rsa_key_size='4096' +declare -a authorized_keys=() -while read -r authorized_keys_line; do - declare fingerprint="$("${ssh_keygen}" -l -f /dev/stdin <<< "${authorized_keys_line}")" +while read -r public_keys_line; do + test -z "${public_keys_line:-}" && continue + declare fingerprint="$("${ssh_keygen}" -l -f /dev/stdin <<< "${public_keys_line}")" if [[ "${fingerprint}" =~ ${regex} ]]; then declare key_size="${BASH_REMATCH[1]}" declare key_type="${BASH_REMATCH[2]}" if [[ "${key_type}" == 'ED25519' ]]; then - printf '%s\n' "${authorized_keys_line}" + authorized_keys=("${authorized_keys[@]}" "${public_keys_line}") elif [[ "${key_type}" == 'RSA' ]]; then if [[ "${key_size}" -ge ${rsa_key_size} ]]; then - printf '%s\n' "${authorized_keys_line}" + authorized_keys=("${authorized_keys[@]}" "${public_keys_line}") else echo "WARN: Skipping key with unsupported key size ${key_size}. "${key_type}" key size must be >= ${rsa_key_size}." 1>&2 fi 
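Review bot: Both collection lines rebuild the whole array to add one element, `authorized_keys=("${authorized_keys[@]}" "${public_keys_line}")`; bash's append form `authorized_keys+=("${public_keys_line}")` does the same in one step and is the form that stays valid if `set -u` is ever enabled on an older bash, where expanding an empty array errors. `test -z "${public_keys_line:-}" && continue` is the only input normalisation; a `#` comment line or one with stray whitespace still reaches ssh-keygen and lands in the ERROR branch, which is the safe outcome. The RSA-size warning in the `else` branch (context here) still embeds `"${key_type}"` inside a double-quoted string, leaving that variable unquoted.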
@@ -29,6 +31,10 @@ while read -r authorized_keys_line; do echo "WARN: Skipping unsupported key type ${key_type}." 1>&2 fi else - echo "ERROR: Failed to parse key fingerprint ${fingerprint}." 1>&2 + echo "ERROR: Failed to parse key fingerprint ${fingerprint:-}." 1>&2 fi -done <<< "$("${ssh_ldap_helper}" -s "${user}")" \ No newline at end of file +done < <("${ssh_ldap_helper}" -s "${user}") + +for authorized_key in "${authorized_keys[@]}"; do + printf '%s\n' "${authorized_key}" +done \ No newline at end of file From 68db8239679af29ebb7f15b440a2438c35ad2ec1 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 30 Jan 2019 13:26:38 +0100 Subject: [PATCH 07/76] Fixed perms on /local. --- roles/compute-vm/tasks/main.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/roles/compute-vm/tasks/main.yml b/roles/compute-vm/tasks/main.yml index ae185e9d4..254712e4a 100644 --- a/roles/compute-vm/tasks/main.yml +++ b/roles/compute-vm/tasks/main.yml @@ -1,23 +1,25 @@ --- -- name: Make local mountpoint +- name: Make /local mount point. file: path: "/local" - mode: 0777 + mode: 0755 state: directory + owner: root + group: root -- name: "check mount point /local" +- name: Check /local mount point. command: mountpoint /local register: mount_local failed_when: false -- name: Create an ext4 filesystem on /dev/vdb +- name: Create an ext4 filesystem on /dev/vdb. filesystem: fstype: ext4 dev: /dev/vdb when: mount_local.rc == 1 -- name: Mount /dev/vdb on /local +- name: Mount /dev/vdb on /local. mount: path: /local src: /dev/vdb @@ -25,9 +27,10 @@ opts: rw,relatime state: present -- name: mount all mountpoints in fstab +- name: Mount all mountpoints from fstab. command: mount -a args: warn: false when: mount_local.rc == 1 +... From a3b1c9d41d16018b2e591b5a84a65c110935c58d Mon Sep 17 00:00:00 2001 
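Review bot: With the loop now fed by `< <("${ssh_ldap_helper}" -s "${user}")`, the helper's exit status is never observed and the script exits with the status of the final `for` loop, so an LDAP outage, a bind failure or an unknown `${user}` all look to sshd exactly like "user has no keys" (empty output, status 0). Capture the output first and fail explicitly, e.g. `declare public_keys; public_keys="$("${ssh_ldap_helper}" -s "${user}")" || { echo "ERROR: ssh-ldap-helper failed for ${user}." 1>&2; exit 1; }` and feed the loop with `done <<< "${public_keys}"`; a non-zero AuthorizedKeysCommand status is something sshd reports, which lets backend failure be told apart from a genuine no-key result in the auth log. The `test -z` skip at the top of the loop already absorbs the trailing empty line a here-string produces, so the array-buffered output that this commit introduces is unaffected.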
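Review bot: `mode: 0755` in the `Make /local mount point.` task is an unquoted YAML scalar that the parser reads as an octal integer; it happens to work, but the roles/ldap tasks in this series quote modes as `'0600'`/`'0644'` and linters flag the unquoted form, so write `mode: '0755'` for consistency. Tightening from 0777 to 0755 with `owner: root` / `group: root` removes the world-writable mount point, which is the right direction; a short comment on why `/local` is root-owned (the mounted filesystem, not the mount point, is what jobs write to) would save the next reader from loosening it again.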
From: Egon Rijpkema Date: Wed, 30 Jan 2019 14:04:08 +0100 Subject: [PATCH 08/76] One '-i' was missing,,, --- roles/slurm/files/configure_slurm_accounting_db.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/slurm/files/configure_slurm_accounting_db.bash b/roles/slurm/files/configure_slurm_accounting_db.bash index 97fc90792..9fdc2d60c 100644 --- a/roles/slurm/files/configure_slurm_accounting_db.bash +++ b/roles/slurm/files/configure_slurm_accounting_db.bash @@ -5,7 +5,7 @@ ### Create Slurm DB for the accounting info of this cluster. ## # -sacctmgr add cluster {{ slurm_cluster_name }} +sacctmgr -i add cluster {{ slurm_cluster_name }} # ## From 4be724a5eaccea58a6e774547b5d25cb18fed9eb Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 30 Jan 2019 15:31:16 +0100 Subject: [PATCH 09/76] Re-ordered RPMs in alphabetic order. --- roles/cluster/tasks/main.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml index 70fecadb6..278c7c2af 100644 --- a/roles/cluster/tasks/main.yml +++ b/roles/cluster/tasks/main.yml @@ -24,21 +24,22 @@ state: latest update_cache: yes name: + - bzip2 - curl + - figlet - git - git-core + - lsof - nano - ncdu + - ncurses-static + - readline-static - screen + - tcl-devel - telnet - tmux - tree - vim - - bzip2 - - ncurses-static - - readline-static - - tcl-devel - - figlet tags: - software ... From 89c3529f519a0fb9b6574f40d10d326780159ad0 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 30 Jan 2019 15:54:48 +0100 Subject: [PATCH 10/76] Making spacewalk role idempotent... --- roles/spacewalk_client/handlers/main.yml | 13 +++++++++++ roles/spacewalk_client/tasks/main.yml | 29 ++++++++++++++++++------ 2 files changed, 35 insertions(+), 7 deletions(-) create mode 100644 roles/spacewalk_client/handlers/main.yml 
diff --git a/roles/spacewalk_client/handlers/main.yml b/roles/spacewalk_client/handlers/main.yml new file mode 100644 index 000000000..f0db8780e --- /dev/null +++ b/roles/spacewalk_client/handlers/main.yml @@ -0,0 +1,13 @@ +--- +# +# Important: maintain correct handler order. +# Handlers are executed in the order in which they are defined +# and not in the order in whch they are listed in a "notify: handler_name" statement! +# +- name: Restart spacewalk service. + service: + name: rhnsd + state: restarted + become: yes + listen: restart_rhnsd +... \ No newline at end of file diff --git a/roles/spacewalk_client/tasks/main.yml b/roles/spacewalk_client/tasks/main.yml index b0471e951..d955f751c 100644 --- a/roles/spacewalk_client/tasks/main.yml +++ b/roles/spacewalk_client/tasks/main.yml @@ -13,11 +13,19 @@ - rhnsd - m2crypto - yum-rhn-plugin + notify: + - restart_rhnsd -- name: Restart spacewalk daemon. +- name: Enable spacewalk service. systemd: - name: rhnsd.service - state: restarted + name: "{{ item }}" + enabled: yes + with_items: + - rhnsd.service + notify: + - restart_rhnsd + +- meta: flush_handlers - name: Register client at the spacewalk server. rhn_register: @@ -32,10 +40,16 @@ ignore_errors: yes no_log: True -- name: Disable gpgcheck. - command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf - args: - warn: false +#- name: Disable gpgcheck. +# command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf +# args: +# warn: false + +- name: Disable gpgcheck for spacewalk repo. + lineinfile: + path: '/etc/yum/pluginconf.d/rhnplugin.conf' + regexp: '^gpgcheck = [0-9].*' + line: 'gpgcheck = 0' - name: Remove all current repo config files. shell: "rm -rf /etc/yum.repos.d/*" @@ -52,3 +66,4 @@ yum: name: '*' state: latest +... From a824382ee4d2757ee3b0d960acdb0d0a94bf22e2 Mon Sep 17 00:00:00 2001 
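Review bot: The `Disable gpgcheck for spacewalk repo.` task writes `gpgcheck = 0` into rhnplugin.conf, which turns off package signature verification for everything installed through the Spacewalk channels, including the `yum: name: '*' state: latest` update at the end of this file; the commit only changes how this is done (sed to lineinfile), the weakening itself is inherited and undocumented. A comment stating why signatures cannot be checked, e.g. `# Custom channels are unsigned; gpgcheck must stay off for rhnplugin until they are signed.`, and scoping the setting to a per-channel section if rhnplugin.conf supports that rather than the global one would limit the exposure. The regexp `'^gpgcheck = [0-9].*'` matches any such line and lineinfile then edits only the last match, which matters if the file ever gains channel sections.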
From: pneerincx Date: Wed, 30 Jan 2019 16:44:44 +0100 Subject: [PATCH 11/76] Cleanup. --- roles/spacewalk_client/tasks/main.yml | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/roles/spacewalk_client/tasks/main.yml b/roles/spacewalk_client/tasks/main.yml index d955f751c..77ff5cebc 100644 --- a/roles/spacewalk_client/tasks/main.yml +++ b/roles/spacewalk_client/tasks/main.yml @@ -40,18 +40,13 @@ ignore_errors: yes no_log: True -#- name: Disable gpgcheck. -# command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf -# args: -# warn: false - - name: Disable gpgcheck for spacewalk repo. lineinfile: path: '/etc/yum/pluginconf.d/rhnplugin.conf' regexp: '^gpgcheck = [0-9].*' line: 'gpgcheck = 0' -- name: Remove all current repo config files. +- name: Remove all (non-spacewalk) repo config files from /etc/yum.repos.d/. shell: "rm -rf /etc/yum.repos.d/*" args: warn: false From e6e8222c79d6cd647036dd95d0b8e3141cb7cf6a Mon Sep 17 00:00:00 2001 From: pneerincx Date: Thu, 31 Jan 2019 15:45:26 +0100 Subject: [PATCH 12/76] Cleanup: removed commented code. --- users.yml | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/users.yml b/users.yml index 7ec72b35c..2751ed300 100644 --- a/users.yml +++ b/users.yml @@ -8,18 +8,7 @@ - name: Create local sysadmin accounts on all hosts. hosts: all become: True - tasks: -# -# getent group is not usefull as it may fail with: -# The conditional check 'item in ansible_facts.getent_group' failed. -# The error was: error while evaluating conditional (item in ansible_facts.getent_group): 'ansible_facts' is undefined -# and the required groups are not created if they are missing... -# -# - name: Determine available groups. -# getent: -# database: group - - name: Check if required groups are present. group: name: "{{ item.name }}" 
@@ -27,7 +16,6 @@ with_items: - name: admin - name: docker - - name: Create local sys admin users and append them to relevant groups. user: name: "{{ item.name }}" @@ -38,7 +26,6 @@ with_items: - name: 'remco' comment: 'Remco Rohde' - - name: Deploy authorized keys for admins. authorized_key: user: "{{ item.user }}" @@ -70,7 +57,6 @@ comment: 'Marieke Bijlsma' - name: 'pieter' comment: 'Pieter Neerincx' - - name: Deploy authorized keys for admins. authorized_key: user: "{{ item.user }}" From fc60737ea3bdb5d5e49cd084733fb4651ec35baa Mon Sep 17 00:00:00 2001 From: pneerincx Date: Thu, 31 Jan 2019 15:46:32 +0100 Subject: [PATCH 13/76] Added version number check for Ansible version to main cluster.yml playbook. --- cluster.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cluster.yml b/cluster.yml index 7da05e880..cdaa9df11 100644 --- a/cluster.yml +++ b/cluster.yml @@ -1,6 +1,11 @@ --- - name: Sign host keys of all cluster hosts. hosts: all + pre_tasks: + - name: Verify Ansible version meets requirements. + assert: + that: "ansible_version.full | version_compare('2.4', '>=')" + msg: 'You must update Ansible to at least 2.4.x to use this playbook.' roles: - ssh_host_signer - ssh_known_hosts @@ -82,3 +87,4 @@ - nfs_home_client - import_playbook: users.yml +... From b966b53ed137112bb7f046a11cccdfd97c86fcad Mon Sep 17 00:00:00 2001 From: gerbenvandervries Date: Wed, 6 Feb 2019 11:08:12 +0100 Subject: [PATCH 14/76] fixed user ids, and admin and user group for local users. wget --- hc-users.yml | 147 +++++++++++++++++++++-------------- roles/cluster/tasks/main.yml | 1 + 2 files changed, 88 insertions(+), 60 deletions(-) diff --git a/hc-users.yml b/hc-users.yml index 58739bf6e..2dee7851e 100644 --- a/hc-users.yml +++ b/hc-users.yml @@ -1,4 +1,3 @@ -# SSH keys of HPC colleagues. # for more advanced examples, see: # http://docs.ansible.com/ansible/latest/authorized_key_module.html --- 
@@ -7,76 +6,104 @@ become: True tasks: - - group: - name: admin + - name: Check if required groups are present. + group: + name: "{{ item.name }}" + gid: "{{ item.gid }}" state: present + with_items: + - name: admin + gid: 1001 + - name: user + gid: 1002 - name: Passwordless sudo for admins lineinfile: dest=/etc/sudoers line="%admin ALL=(ALL:ALL) NOPASSWD:ALL" - - user: - name: pieter - comment: "Pieter Neerincx" - group: admin - - - authorized_key: - user: pieter - key: 'ssh-rsa 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 pneerincx' - state: present - -- hosts: +### ADMIN ### +- name: Create local deploy admin accounts on subset of hosts. + hosts: - cluster become: True tasks: - - user: - name: pieter - comment: "Pieter Neerincx" - group: admin - - - authorized_key: - user: pieter - key: 'ssh-rsa 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 pneerincx' - state: present - - - user: - name: gerben - comment: "Gerben van der Vries" - group: admin - - - authorized_key: - user: gerben - key: 'ssh-rsa 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 gvdvries@local.macbook' - state: present - - - user: - name: marieke - comment: "Marieke Bijlsma" - group: admin - - - authorized_key: - user: marieke - key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma' - state: present - - 
- user: - name: morris - comment: "Morris swertz" - group: admin + - name: Create local deploy admin users and append them to relevant groups. + user: + name: "{{ item.name }}" + comment: "{{ item.comment }}" + group: 'admin' + home: "/admin/{{ item.name }}" + uid: "{{ item.uid }}" + groups: ['admin'] + append: yes + with_items: + - name: 'pieter' + comment: 'Pieter Neerincx' + uid: 1001 + - name: 'gerben' + comment: 'Gerben van der Vries' + uid: 1002 + - name: 'marieke' + comment: 'Marieke Bijlsma' + uid: 1003 + - name: egon + comment: "Egon Rijpkema" + uid: 1004 + - name: morris + comment: "Morris swertz" + uid: 1005 + - name: roan + comment: "Roan Kanninga" + uid: 1006 - - authorized_key: - user: morris - key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfKxBNTqlsoTt1DloXbsRDqUyZgYbAGFsSOKhkHfjTD7zotloUwsd7388J/Ip9dOE5xPySWMSqmjcY8FLYIsEnKaC2LKJya6ck0sOrW+kynV+H9VxLsdnErw5bh8Uga3cGeHX+NKRw9dyNkvFB5B690PidBmSXRRTvXVUBvUeYAAdaoVGSQFtgV/lri2ojWR0yVpy2oCqI/eoXO13NJZS8hyoMDTI1QmnuqarNPIIvYmrAr/bO0fNJuzLqzoAcfw6I4rOw/iE8Zuo2Tl9Erjh1J9nJ91Q+78/VY1H7etltNZe4zxtipaB0HfjkHmhTW2xNMNi5D9FkzHbPhlpShzwsajP0xRpQ8JIgsOli/OHnVU0Mzd6WQf43CliNQMj5Qh50TUYdd0IW0ypjz/h2QEmh560R0NHbvRJ6BDHACceszAMPQjj4zlJLxZJejQ2GijWtvL2Yq2XyVlE7rPH3GA1x3Fy29yBNrgkWsH5CKLMudqBiQ6Js9rHJwQx/WjMA6hLiNqxbHW8t5UHNA4C/tppT12qLWvQkAUUOh9ij/aRnT69V4DlZ/nfbtcJWSjiIToCX++GATm1JrlmzGYoqZy5OMGp5SIdd6+CT+D8E01q9nZYkWokT2EeL3r6I1b8CwIVpmDb5cx6d60tOLjh09jeQMc0PcxeRs6Jo6lQj3L4sZw== m.a.swertz@rug.nl' + - name: Deploy authorized keys for admins. 
+ authorized_key: + user: "{{ item.user }}" + key: "{{ item.key }}" state: present + exclusive: yes + with_items: + - user: 'gerben' + key: 'ssh-rsa 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 gvdvries' + - user: 'marieke' + key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma' + - user: 'pieter' + key: | + ssh-rsa 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 pneerincx + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519 + - user: morris + key: 'ssh-rsa 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 m.a.swertz@rug.nl' + - user: egon + key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc' + - user: roan + key: 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0sBFGi/Xjwctvu7otklJzoQDAVVSSMmK4KlJOSB9wivGA0lWnd4+ycxh3dteZ43WYqawGrn937telmoIs6EhiwijqEWYPVXFHUcHjc62sYYPSYrHzgEsCAZ6L0ELZIfl5g8oc5T/Jo6MNdnjDai+EKMnjy8wWzmQu2jBUfzPL95zwYVgM5Sr9j5qQ7Oi+YhIarBUjmuv0ECQXR9mf2YTUhSagSOlyjDK/gGxbJcJTJVHJOhUzkfvG0Rlom5lfHZHan32yNkObbbWtKp0wgTyuG31m2viOKq2qgevgJVK6IsXLw3BXsxoZEYsHbwA5ErFI3v4ivJue+yUBEzRoNGd4w== rkanninga@laptop' - - user: - name: egon - comment: "Egon Rijpkema" - group: admin +#### USER ### UID 2000+ +- name: Create local deploy admin accounts on subset of hosts. 
+ hosts: + - cluster + become: True + tasks: + - name: Create local deploy admin users and append them to relevant groups. + user: + name: "{{ item.name }}" + comment: "{{ item.comment }}" + group: 'user' + home: "/home/{{ item.name }}" + uid: "{{ item.uid }}" + groups: ['user'] + append: yes + with_items: + - name: 'gvdvries' + comment: 'Gerben van der Vries' + uid: 2001 - - authorized_key: - user: egon - key: '{{ item }}' + - name: Deploy authorized keys for users. + authorized_key: + user: "{{ item.user }}" + key: "{{ item.key }}" state: present + exclusive: yes with_items: - - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc' - - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc' + - user: 'gvdvries' + key: 'ssh-rsa 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 gvdvries' + diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml index 70fecadb6..4ab42f11f 100644 --- a/roles/cluster/tasks/main.yml +++ b/roles/cluster/tasks/main.yml @@ -39,6 +39,7 @@ - readline-static - tcl-devel - figlet + - wget tags: - software ... From b4b233d02ff46d5ec55c73f9cd275ae082ab3b7c Mon Sep 17 00:00:00 2001 From: Wim Nap Date: Wed, 6 Feb 2019 14:08:34 +0100 Subject: [PATCH 15/76] changed clusterdesign drawing --- documentation/Gearshift_technical_design.md | 2 +- documentation/media/media/image6a.jpg | Bin 0 -> 30558 bytes 2 files changed, 1 insertion(+), 1 deletion(-) create mode 100644 documentation/media/media/image6a.jpg diff --git a/documentation/Gearshift_technical_design.md b/documentation/Gearshift_technical_design.md index de7334476..5c895e28b 100644 
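Review bot: The `Passwordless sudo for admins` task edits `/etc/sudoers` with `lineinfile` and no `validate`, so one malformed line breaks sudo on every cluster host at once; add `validate: '/usr/sbin/visudo -cf %s'` to that task. Among the admin keys, `roan`'s `ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA...` appears to be a legacy 2048-bit key (exponent 35, 257-byte modulus), while the other RSA keys in this hunk decode to 4096 bits — worth confirming with `ssh-keygen -l` and rotating it to ed25519 like `egon`'s key. Minor: the second play and its first task are still titled "Create local deploy admin accounts" / "... admin users" although they create regular `user`-group accounts with `/home` directories.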
--- a/documentation/Gearshift_technical_design.md +++ b/documentation/Gearshift_technical_design.md @@ -103,7 +103,7 @@ Figure 4. Network design for gs-compute[0-9] node Figure 5. Network design for gs-vcompute[0-9] virtual compute node - ![](./media/media/image6.jpg) + ![](./media/media/image6a.jpg) ### Compute cluster design 
diff --git a/documentation/media/media/image6a.jpg b/documentation/media/media/image6a.jpg new file mode 100644 index 0000000000000000000000000000000000000000..a7820eca1036ecb6826ff569f8d5569afad0c229 GIT binary patch literal 30558 zcmeFZ1yo#LvnP7c#t8}T!Gi`TI7#rJ!QBZE9D;j*;1(c38iKpKyM*8t8u#GcXyeoW znR)l!Pu5#=->g|{zB|*ss@JOO-RD%Dv%6~VUsavQ-;Zm+69pN082||h2{1vtfyYJQ z4S<1;4njx60D(Z5m>5_%gt$1^*f?ZQpWzcyk<(C9kyBFAGH^1}(y`N1QnCoXV1LQY z$Hzy*{7OuSN0gJ7kLRz0AYo!+;$Y*D;^LC>Jg0ol^B;aab^!z!NR23iC`fbwG650_ z0n%e1Km!0sXb5fpQux2WkdRSO(a=E{m{{0|0rgJ+WF!<6WKgH}_8-o?hM|pF_jKzeGePCVfp#N&WUcEhjfG zzo4+FxTL1GuD+qMskx=6x37O-aA^4F)bz~k-2Cqa$oj_S*7nZspS^w9>Dl?k_SFGML`AqWfu~%2ZB%tP|==qqd%2W1DQHMqvHv}Abg$h zqq-ZDo>v`8Wacu7Ma;mr&ItR) zP9WC*fh08kC4j)~B>YChRfVj%qiLw2UTfgc-Ae4Mg*KI4<(=Kk;i6h2^fJK_8yBXp zays37>dY6 zN?NO`NGf^72EmN{0@f?Ph^pLwOR3#UpA-7rI{QUZBPnRPQ{glQ-8fwMA%y=Ch`p2b zV~*g2yq@A2Tag^bZnPy5Z`#7yL=F@$EcpIJU}~TAk~!@ZKNzx8x{(!5-jL~4tVns; ze^h=_`<+fJE^JsdnIQqLO|h|xd&fF`&ha*jXlWJxS^9aTtCO{jHIS?Y$(Lk68@~I4 zvL`HKY24Ojv6*BfwRUf+a!GKR$9+4%Y2gQKefysbIGC`YSmsB){HwP32VW1)c} zPH9N}oB(ay528&8l4JTuAha-7A6|RZ2@U`9#{Tom*IPo&^rh&F;9LK;3u1EFPrb%4`E1}YM!5)RvtF@w| ziL=p9G_{vMidf-Ey;mL_&gkETF|fHscno!L&W+=rh*;cAfb5``_|!f8TyUjh4y$Fl zbQNYR$z6|S!2Y&rT+D9#s6LLu_cc6egNj!k_G04D?K`#5BprUM-B&V7i;Sl(o_nJf zcc|0zeR}vYbv`2z{q0*$GKVo|xEm(FcoUL>#zeGKdIQ4sj2dAiMpfWr82!X?MB|5r zH{!!`6sMhsvEQ=sU1mi6>R z3%{F4dGKbCR^KZYndAqWPduAzvUygIZ_3q z37p}^a0!v5y5W}r(44&j_xi-SWv*!2 zN1*i76Gv8>xzZt|9q^fI5&y)~AiTEI%%M0qm*&`~B-lM}DYCTsno%*-v|4t&n<^mi z!F|w|Z_1xy=|G?*E2N&SiR);x?e+yHDPPHZo0XWWKz2Os=pX}{$PP-IH=D`f;T`in zmxhLV$2Qo-3A)jFp(4(4U)@nJvhfRFXgoWXWo4{Qg5db?f5IQt$9*io%b;GU9UgNBQUhES$T6E_Xx-+Ns@a@^xx~hgW)y=ZQi4~rI!YydZ=bC zyEtK@f_Vql2B~0%Kz%8ZNu6lfwFmr`&dEV(I8iihnldO8`I zO;)ePghOd>1-e1<92N~#zeUYxGu}sR`4r3ab zV9v1&83^4;7S!&8moh(|rz>7a>Aa7NOpzCL%-$*kZ3FXWxY+gIF;@7RMD>!h3p9I=x()Win;Hpybn2L@=Bj0qqPV?Yy8zjA9o71EGQs01Jgt16 z6DWjF=2>x|IFmnhfsbNKz7r=ZnKu{jwLf~NuosPAED`EtgbuZ8c0@#Z@{kYHdviDa 
z(XhQ6JCq%l8Y07X89_9%tuv!*ggVw;N;K~$eKEbzOAD8EMw#*%qKJMeQ4pPOlJx@4 z$r8!dcO;Yi_RM_`e5q>FTeN5Bqz&qecOuZcPL}QIqk8L0E}zlq!%(4@(5ru zUv?yWneNor3|@ZI6T9_YUUYed;Onp0`V=&U(G3b^f^TmPIZyVJD@W!j}lm<-T;k^Qo&d(Qy#8X1{xEHN5a6HB*tG=~1hMOo;;kY-Q?>p*zrd+z=X<u!5n*FSwn8W}iAW6F3y`LdQU z8f|@y@_Y|ZwEbp^AgP6Aj1;POFq=apz_v4vX=}s< z57;n%ItmJ`kCErcPO48?(NHB?3dV>DL22no$_W&uJLvHjgqLsFiDVJmY)V7#zb`d_ zO_r{2m+?F(&6!E5KzjQRFYko22EbJHevHp<6_waczBEj-Ti_1iOM0qfo)40ZdRr1A ztwXf?@xP?`eHAu*1bUZW->QE0V%n0WWB=?#8u-~yPDsp?s2GMk(%*8`%^0UK^{eGP z6_a5ug@6pJ@|zQKg$j0~XxasY1*NABKZ2TXqD`b=kAB_1_GL{&?2>}{caI}g-Z+*` zp^M57lPAnGZu%69rGhn0O^xyv4M`$DtW*^!16?o&Y2Eg;KV&0Eviyq@+pz!3JE>Vd zwsMJ{2XeEPl^l)hASnwi`;tvGT0 z&hAHm@{J?WA9#{)OIndD0Z*IHz2J9o(=5&1spdxjg6o(n4Sl^I9aDtu)jutJ^{&-q zMYiE^0yOzmi?elO8NZkJw^W&Nl#SyS_aaxyv4x4Ggd3&b_STx~`-6w)Q+M3?0)=IU zercm*s>9p0r^+BK%zG9T<;cNim{z#;deNP83;?mo%qYw$Yq@e!r z-gY}t)!>QHFd60$s;g0cp=Xx#tgo=BlueP0TVlnkZ9M5$GzM;wE_zhzI;2Wzr@2m2 zUyxTZ<7d5df7gzF>#(=416El{V54qEbTFBibtQg&Du;7Dh-ffl(unoQ6FGo|Ih(oA z7MRaz9uoCfFRdgB=;3!Pk>xB8_Wi0wPwPPcNni_5<^{9mBIeWXv8dyEtCGW&Z1XI_ zl?>q5Ee+Dul&RenG7c@?*$udkE99>~0ukURFqz!@th@tEjs-HgyqFEHZe|Clpc7_S zHeN&I$b6e@F5Fz@_ET*DZf1v5!JCl`YpmQ9@h#0~j;1gWa!j_A!MTUbXMOgn6&UC!e zyZ$N2!$Z_bzc*jm(PzthX&VX8gTp} zn=(4~t16N-;lDl^OL*>k9!l64;~N-JO7<+;I7kj#f);lwv+X{^lc7`N8$_XTb#U)SwiTwg#ad1VxzBaY3DLm`szTP~bhV_wIvM9~h{Qp4Byp!ssZ^3Hp+ z4~)$G5Wx5dOsrLeZ0_DAE@s`_gg*kW%kd*S@fJ7G!|jR6`&4ZOl*b)TL#jgnGI=su z$`@n!3LEu~hOgi9TL_zmI`)Z)Xu_0ILN>UtI3qS#Jp7W=kQzng zMC5@2nKj{Hkdb6XSO6ZpQw6FLUiS##*)|A3z~3DywXua$g4bBl=tW%6Wu&?!6#6DR zs6Erw;UPAg_++-iJ_b4i^o@CRI=Mnq{V-B{%edT_ z?hJ}=Wpv$r`m3p%A!zu#^bw#*;lS=9*NV%R!cEEIUtdLQGkp?>ZH^Mx=6X>+{so}~ z|B+9>w{@g1SBd_@ev0##YUlWDW)WK2q_)*;ePq> z5T%Liw)xJQ{(XftuW2O)k;oI#nEuFnT#?tX!dQ1)hpB0GC}9e*%W#8!u50U0>Zblr z{*==elWp92d#=L69LZk=j`yx~a?lv88;J@fX@m~Q#bP^eHHHiJRWXkk+&sR3DJ;{P zK#QzABD3RPTByITS4LA~q`s{QSLR)M&7i13P~7)Z{Lf~5AB~z}LYzeSMfI!8ijGf-wC zfz3O6R3rNPoI8me+eqeVv%r^)jxEab@mn6lnxGjRjnz8p(EPmz;;9Qe3N|18KPOXY 
zDHwhBRk;m3VpzdqY{l>h=+sGHOMhI1s6;WYh;cQNdBRzZWM1+ZQa38N?}?MNsi7|q ztTD!2qyz*{5;JTF(?05a@po7_0KwMy& z-B_tbpX0p}14QKMGZ4)S`h+VfRJVTToB5u~FGgGwD-zEA%Xd*J zVg1}>?G7*E1M1XCRJ#=c6-gC6J%A-A@}E#brmE#PmJ4P=piUJ}Mpi*`U#G}KZXan+ z68oRVK#Sj=S#M`9e9D;yH5#&1>y~#HbGJ7ki~97x3pk2TbRI7zJw^k(nZqC0|D^4-r7>LU zffI@pkb*fBkVw)q5QvcHN%Up8q4r>!R>GzsZ%-=&6+}+2r z1YPkv^IO#zY_^zY=2v6*@0{my?(-R=KL}GYy**Q!u2Nd%R&8RY&WIZ;dzfUESU0x8 z4Qjo8&7Bc2{elIh7@F1Zhu;UGt_(mW|7?>3iHfQfmBYp@Q(i7}@s~M>olSR!opfK` ze9H2uRW_maW@DyO!XbB)J;p!=O$|(Z9&43C&te1{=T8r@vsG#k8 zjN4!@i)T;Nl?5h7QCe_Kvk$_u@nv9fvFBVUy0Xq?1}_s0t_7eKdyInyc!55NAThh| zQyqeEJJmUpX)X?aB_^A$Q}6@YTQgz>rm-YUKJCVjm-$fi3Vw!iMh%HG6%rVZ*5pBgr;HD8QQMb)4 zO~-l|hbCps-isv|>vdv~v04WTc|NB%crUi5{o7IfiP=q1W?w*;-MGI{{i5fa^-ber z!LXh;&aGr;qOE=lgH*1DyMtn^J=5#Lz4q2PY70xR8}`2dUtF4~GsuC9FI)0C^5!N( z`(!%Q7-G1d<44cP$8+G`m`qOwnX)zW99se_1ZfKFCjDs={i!_dm?dEBjgP>josrG0 zLcmacPQd);Bk+e1iK`o*!05M;Ef|Lp+M~ss7IhZx9)MD06Id^Xq`+l2z<_J427n z)d+rlre#NuLeU}>RqXEWD=HS0Nnb^n;v493?R|90O;~9O%Q9m{Iw)-t$9iWAUs?E+ zbv{&_?vFobeS6}NLAR?J>C(c|V8e&5acHpXboHfBB^lgHB6; zO>up>y2+e@)PczosTwZngsyUrq!I}JFJl`!nQ(Nh^4e&D2S*J%qR$&+Jr zC5dRp-W?AO0HO(_&cax-j{vUh1|e&!e}C5?&Hj4vBk+Mrz|K!Z3MQTQ2;|vlo5~LY z0%Y=+IDr9OMJP?M#y-DiUFtea6{!yM`3-(){PsVbQ$AL0?oja{mWWYp=J{~0-bY|j zI5m^8RjxWmlCUj$De%V^P@sxY;CvW-9n?=lWP7EBZo|PBfY11gQJ629SQYtVSew4U zrK9J^>_rMZDCdqB+UCMn`HIF~{W{*ue%p~*Vp&&zW&+f*ZzMFyXN;u>kJ3!hXVWj5 z+=#TehjF$Be=1`?X1X9v>$&4U^XtJWDo>a`hMiZmZblOiu5%Vxyj_0QWioVIzLUNAfUFlN%tZp< zm4_OKugz7?ZEQ?!Xhd?=ur{0h)FDVgAys!x8<`eo_jJ^O^}w~dmXzFXdzM)78ET5H zR9(TyVCPu2p*E9w`&(X5$(7?X|CJve=Jz`Kaa@JB6n2mY%Dof;34C8+`|{@zSt`L+ zmQsl)q*fnq5|sci?Vc%;%g?Y{ZUD(wUaWH}v0bs3hJY`CHt6S zp$mYuSR=m``wB?Ap4$=oWK82LOO8SyL{hM>Y6-!wXM%QwQ{E$?BpJ;@!8-$vpV=M( zjQlnNTjy@NpGlO*ZP-_N^qFO!68>Hy^aj&29v3P;0nD`iUlpiL1(;7 zquZGou%uX>EBr z7rByMk+h$9Y8eDa%FppCa7>b(Hsh&WH>$nb4Dddd=GAxsK=i+6{Awc{vaa z-=OE}717-D(R`HTjREphP@*F`)sw4%lkYk*NE6Q0~%_SZm(_`?Hec z-)jVk&19qu=3)mW2>kM_*BG}Rm!?;EC#D!)aiyW8FtN~QiQ6zMz;hQlwz_gCxu#Xv 
zn}zb%-xzN+FGg~e%pq;-r|D^xLdhmY+!e_GVt!JRQZTNA%;rHT5pwOYGwmKFiAqw1 z6OS~6YGDnEmqLA}gIJ!UbMjMJO+5kw;;gMO)KA||?en6{e8NTqq`Jnq5lN#tmTWxG zhDtBX1061lKoP{VipQzSE4}w{=(d;ix0v@_XPhsssPnpwn@Xc!ly5O@`p+}&x?Ktv ziA=Y1RdmPj^U6amJewBT%-#D)h)95-!}6^L&L%V2;JdV4ae7}dl`mT4etBt0I{9Tg zT5R~=3QO-{h`sP zxT5UpM3nlit;y+K9Xsjnjz|QgJzT~6JdFkA*TwkfO0GyI7)fZGwCnoqZ3>4AUEHr& zb??k(DisFG=(8Yw>Zeev+8o<6+qBiF3tZdv^_OMJ9R@6zAQ2v!lhjHoyE?@EXdR%z zV3=<+T49>>m3PmveVVNcW;D|Y#los-Nxqgu^{6P-gMReh?cIUqZ{JNN*-=W^e|3y+ zF^Rwz&HRZ;wwsW)_a_?OX3^QS7a7iPC>z|^sE5eL8xH2 zh%uUH4|1L*^yQ|l(4jxP;AOVi57~GsgJ58)%`acp&VL-O54FC1 zMv^!hoC_++z=<<8(Dx;p<+rMBgvlbd(E3XCB8l@OEb>=oM~n1A8#M~F*EaFZWmE*ilf^d~AQ#N7O8_|l$D@)7#uY10I|{v0MP#ao!>HKaHxP8Y z+n;{>-m&M-*@rS6|7x%t@R1FUN_48r*9~BqpBRYNQ06?i27Q zf}`1#8z*h)WBxALbgjA zS%k9ip;Dp^UT8|v)4i$hBl}f|puG4afxuC|{5gnOY;dl~)4Y%7*#+U`h2k>v>nzzB z(L(q7gsBfXNi=QO-$Lq@<+d)f@j{H?aXE000X^$5F8Wr%w6M`cSyJwTOP1DH*I}xl zijKC@ffeDb*YMW$Of-bT?(d!x0e3td{$3`wfG^Ts6?7vR~n$xWp$a&L#%%CMzQ0m?LM<6K_s(s(| z2<+)kKhUnC!Z&R%z1zeo+iR!0A0}HVa*S6h^?YN-&6>xur3t;-nah|$en8cS#=Qy`Xl^MUbvr@8J^`+ z*yN+@J8#S$h9jf}oFZ+JFa3*VH~&?$vj11_|2;D5VHBl45sb0eU-CWmElOfBWzJ26 zY08!U)5e^Ch^ItvH0H|qJQGeFkom$1-j*22tK`s*aNl6X~leN2btE{bFD`H|h*0*;{rDv3|ow75RZ|;k+_B*@UytpiAuSwI#-n^>d7@~kJ%xoJ3 zv|&>OUsHvAzf!n3JGsWmrmunHD!yLvnxIs6Rg+=S zO?m{lvFqr#N|wf2P5L5`7khAx^F|4MS)cPsqDH|{gq06c;`Anau1ZG26ENP3$P(AW1#N3L{1E>F_ zMwvf7y{yHZD||qSH;T;#t9`eYxeDc6r*Ic~&fj$6#l&($hre{g z%WV&fFDDxco#Q{|TBA-V4u3U$)xWeGSBpkahBxf?wT92oKNji=;1=cKp7T z$-sZ;+|*Svm@d65NCl#2>)csX?^#%k&v|^*N^&pf#K@USlHt0GvNUwD=bV}iy*K_8j`JUPPKj8 z`~0OoE1QmSyPqc1FL}GS9AQ3jEi`@OwD$58w1a2rN*k66C6Q@G~WZ92uhRMW2c}A>m9?z@M4G) zKADL4x-?_H*H~~5Owfgy$#-l~F^xHYp1YydzT;=H}n0?T}Qp*MOJU>OAC{Ej}KZR)2G? 
zZxS+%mD~vA|4`xO`<^YoE3UVt)j(1W{QDZ~K_8usNl&#&L~g(XZ=X$p!|JCJI)_E8 ztR(}s6WL4{mW(Ww>$r*@&?)VTx#=St`%3%WOj}m!5zp5+;`EH{GjU(A)L7SV$_&kA z*}nKaNQq8;^3v*lbglIE;b(>ICso!sE?sfS`uTvpnl41S7QKq|*UP2;OPjke5`ycG z%CjFsMFZd9Wz*P>Mh$4ywC*a;q|h-4OkFGV9E{kPS8GP$$=&X^xlTNjZ?*0E^QWv- z$wj0$U(`u>abIh|Gjj;15UU%5Y^&IO93{( z>a^YTG3a}Yu9K=B%#Xmlk?$&5J+ax`1A3>Y%Ce2almPv*lk@dlK*Y8q;hkoS?De6q z7}guC0L-R%2kV=l&^t8!Tl{)=wI5_Mr`G&>Q_%eUtwn znF%nx%smvJt(-0Purk&uU3ePMvo$C2=MBPHbO#5(`2LpVr}^zygg6h4R{nDM9P8!V zENC--+|85YPN+%Nof6I8aI%*)w&J}QUPQJhFyC=1nLm6Msk|danD|WgZ&|hb za7bL$t=fgH;cq{)N{j!1_A`EZsh?>6$CM|Q3X`Qhr;969Kkhvs@}X0K8>9{1V|W$5-8T6NQJG?er}!c>i@RHK@Izw+ zS8LZWAR5Pp%K|3C-5-Gv)JI_B!`};RB@h<>b(zW)Tk*>@4MipDzcjbxXk0 z{+5dS`B7@*l$3<02BKqW5pI%Y5bs%3Ec2DxNrtTrvDK_*L8s`&zwf!CdQMmLiN&7ov|q zmo(7`%V{gsi)DjL1(uvV)BotQ)_^Ism_Ic_R5I=tZqZ%u#I@QfTWcjB&FM>c$U_h4 z5s;SE)wGxSQ^Zy~VQ!Ja@A;djYKXpF#NH+C(+`d$Q~wXc*YS^liuXQ8g=uS?uTqw# znDmph_-*3wqg;FWNN#O2IYhwD>nF|Wl5L2oXJY9mMi#5HFXmP1eWV@&iWn1 zT~i+Z9H@=E^_hyR9jw$c7Q0kUk@*yjzGNvJiM}*?1m5dR&FYIu)S!-Ju+*(IV{6YKi2(0ZmK1k;tff0M1Y~palr2F1^P27UT*3`B8u&{}L zgY+Q){tAKgBz*YWpHu`#0{;s}*cOy@yqr0YTEsu}!;`4%f}T9ge>+;rv!=1yEq6z> zaikc-dHd%Dy~{4=TEuErz3?gJOP5%}bhdbS(dCG$4qYTIUk#7*Qz3vTKMSmWlCYjJ zGr{zF>}K*el;yOnQ}jGZO(9L44Q#W2e%Mrrsfg50wAtZRi!JxZg>N@nw#elu$ym7Q zZfSq)jCTz#BvqS-lt`^RQhdvfy_xQP&r!1|?eM%U?Im596fGVOM|121&r6Vy-uVrS zp5C%VsVzQ?}pEj@Xhl1G6zHRt;|%~#Z+I8*~0RZK!$J2v*FvS2mYimaKQo!~%e?(h zwGdsnv;9%Sm*MvGBN1f#)94(aL(TD9wj}S#sCPLb%FG!e$!SB)Kgr3tnHY#>kQec@PZ(thLg;za`et6$MbL2ed| ziH2LkdptaNhidq{nwn%jQhVUDhnzy2AS4y|3g?K{pAr0Ue+HGpC4F0Bf0UUtuM}PC z3r+?+Nm@&VP5MCYKtR+r?f1hl%zYpMFSTe7qBL8^-CsX%)Dr1RM|r|ihSYLI>m2Q( z?0Nhr8=tif>KNnp$GWyAPDY<%0N0E1ru^4wGmgqI{hQ>Wo{X?Do|p3c*6*QLarI() zkOxIa9QK4fsjQ<^be-?Y28*4^x0##4FBd4E$`b8;RRv`(eCQBaE{@Tfmja6{CO0GZ zYPZ#R{$?!@%(F-cH4@qt@6wFwrREFKX`fx2Y_2 zkUHyN(^rov6`CU&538Pov&$2UyhRo zOklr3EFgZZ-bERr5h*ns_a(;${GDHlYw+xS2-Kr_z_WS;w)Fn6PsW1s zztfNbQR2kqeR0m#Ho46fd+&``^s<~K8Z2FANc0nHerWDlR&g`hG?vdNA86r&it$7? 
zTv|60GP)X1WhbC^K1UB13(6e*I@`qzdB-+>X%cEu_0iE!U)l*CJ)HY>uGDQMP{Lll zw0!7w#P&M5JUQYzTxUA#JbVNWJa#K@z`O_gE0kZvi#PbJ8O>*2XEO^?zm-KfE9&Sr zM}YG9mpe2^V3nk+4g>2G^V{E>;>qND6S76)KDf(UT%tKP>aVJzyO4$kbAnWhe^uI` zpc}dj`+ndjC|x{Kd;|`2EiXftx6RR&zK`D=!*6rS^i{;aZ*pj>rtQd1Gt6l9xLGlp zGOG;}XcB z(5#R;gGEA5ETb19*)?@!)iQA>$eHUH;8T$Ks;$4l%Ia*`Fux~WZm|hv2sB-;6=|0~ zO5eMq<4`ZF_NlTEGg4tckx*VYs2f6vr@{yyu846fdOmH>&QW=Cbaa$^8W?7uKYyPa z+p∨pT(Pft!~~%w>Za%v_&jLy%#qEQM-;GX5(6ut37*X?}aOwm;VNw!nPLR`Iif zAXYZA37T!WX~cIxgViWYj;+o>EXty;i3L^wSwT1%VT_JfY7lyT`)tSx&2 zP>7VhjZeUb1oYuB*YDU*bsD6G8Ir(lb1~ry=Od&ak4P*Ca99|U_T`xq<%dVr3%P|8 z=qHaaIE?o7^AuUm^P5x9w3c^Y#(WptEoATXpc0ug4z48KYan-id%8Jg){Hx*Na8*? zy-nmWuhLLEL%qMUbIj+ZXa12%TT}z>S13$_j`8T zu{rt%*P-sMGsQ&HaUiKrFyJ?Y3P#+JU<`@aZ2>cTnz|5v7LkMC?OcCbvp;!fukZ*c z&-to(IEy~pyYXvtEyF5L6m2je+(i*06WWE8$>-@cBs&%`ZXasJFGiVDx~$1lbBAqC zH+Ao1+$e*ul2mRdDK9r5K2DE7OEPjYMR=8&5TDCCu{^9Q&y>42MSOFUid!~QMhw-9 zN>Ayt9|4WU!O;w;6d3?zGn;x)wC7=K|JYAq@MKcf2DRp+IufK0B~i=?O)XA2;-drm zc4uc(uqXLa-ZVNS`la)rfyXQUVxp;D9OvgEYOkYjuxy__%fP{`$JJM9fmv><*z-4J zk)-2rP{dtZHp{MTuEr{RYeipqCs#zF^)JsQ*||HjoX#f7BNrPSV&UykQl57W3Kem= zrHkyHY7Z%Y5;|Z$` zbKlC5YF~MXGfeR5A}>^?mr~elrZ8K?=L&&rXpcmAG|r}{vTN&v{lAwOEiKwiOI-GS z%I<$A(}lVD&O+c*APM$#tgHUqjb>|pW`Dcw@iSZ?48nJ}Hk_F{v zy&KJ6j)>Fkz_di(k7#rWU6)w*N2FQx&wT(bd;)Ni6x!u4zkCF|^D!gF&|3efi-~W~ zoK|y_-jE;heVC)dSBY@0=g3uylgw$mRIFxKp`fNx$Qo!3z+NsN59QnY9=PC8J%nhu z#x1`oF0<<|DovYA^r+r(egtyv%%F>dMlL7}^doE&If)?xrDJCigcd)e^? z`Z$y#0*~Y%j3$&QMkOL`&>T{f6B!)*A8mDPn+O={-N3)apt&ca@;3BB%&vs+KAOuX z5;v^E1D#z4g2dCB)5j-;HI41T`lYTBrm|>B`)pRrD}p%Dn&Hky?>AP%Q`K$lH@L8u z_!~+{hhXRs28V4GGoO&|@m-0}{_Oh0JbOm0ZwhVIvN#IdAkp5wy>R@!`9g)C+*2@) zj_AupLs=*6m%Fz;bwtSn8o^?vnGJ4<{D}hEGC=8zA^I7uuc)z7{f=bf1@`1ZxrBZ3 zn_!#Ue%)2)mo=>dhQ0FSehV;8SNhk|-0G+ow=dKZO44r{te z8NFN%qm-f%9l5&qiKYCy2r{LA`_`@!?)V7M85m#O`aJ^quG+MJFVXs~67hX@fy$Cl z&2ZpoPgUJ;FE&{^jlLu0@>2OO~>LK~O;_l)sdHQBim(5#8? 
z2_j^2tlne$KSwNEToE|QzvJd73Dqu2f-ZDu{=c;%^s~+O`#(&nnQG5QBYn0QL6r$# z8M78<_s&Z%q+wEeXBrlfF zxm4vuGe|xHHJIZU10O1OBD-5#Yu(DT)uagn|9P{@KWkw5Z!)$~&|S1R?ITbXgeXB* zo6nz5!@nl=m3jnBQ4p>ux6JMit=C0l)C`yBlGNenAYt{%Ge?jW1;}&1bb4pYdoz06 zdF=$(Gx3rlQ~zD?&W8bW7lq?<94U(M>Wvb3YR?>)ajHD;sXXG@8^kXSyPO#i2oJy5 z;AsW&c)##`&wuh#ES+G!7D2twu%bgJ3 zLO@%-^9_HT_KDMoVmeA)8ihYQl`Or>4R?Aaaqs=9mf6=vO4NL1yLhI_Sezi2%b}K1si?0{*qTU|ip_t9oc>G7{uYcfN;Uc*v1JMa-G9b^h>WeSgp%NnOp4Hl zy?%qYku!5{XJ|Dimlw;GVY-pvO7RGUpWbLhXl)$nNd2CYgOzKqALr*S30|`25H5Ef z3Yz=Ay~%Z_Q5$bJo)Tv|0Fx!NU;N1rbkpoyX0U(Q+Q-I+KS9L01_9~MufdBWd3_#NbneCM;WF(x>VdA&HEY0(&spXNCPM!N7ks|x5K zZUxrA^2AG#p;FgxtuVngvwQRQg)__ZTKr~+r-m4+zm_x*W)N+eY@z}}l}a^^=h%)n zTb)DikiSaw#S9*1FW?Fwr>fC|NtM?y`aMkAPyh@)4(FJ<|-|r3oiWPsCQRmm35L z((bev3o^Jk6x5a(P)khd-Im)8le3ie%u|nz<{?8=$9um|#rmNEWSaoO8u~@c(t~Cq z1^r8_Ct15{j(Kg4=L?U(s>E3Kvg%4cgU+hVO=U~Wi~+mOs+>Mu_Fql`8yB%!(YAO+ zq@Wi;80n&ERm!7jRmOn8JQ27!qLgk+G3ueyvGcsbb_@6KC5xCaUg1{yvYbc+i1`ok zpsY23z(!kH9lPqVF~&@00983VF+5IE*_(PWZ3awuM>#&sTdyq zmd!bUh%JEHyQc$IAKrek)WjKXasalFWq)+v#fS%Du~M`aeY9t4Y4(fn30O-Hl;e%V%{%B&JLZ@ZM`~?gDJ;Y)MsK15^ zyL#O&b|>@-%9S>eh(4D)e3&~mDnt6tU|wk8zgB^HCiAPm z8^qNZ0?wEn)i`4*-4lk{_tm`>3A!~}XKk%E}sfW4Ly&#T@Q z=_kpXnhdPqECFt?)PQR+-b-n%^gf7EL*9RB@4KU#`nGkWfGAZ#ic*EpJ4lD1BB6;$ zuR)MrLKhH(CM6a&*t06W*?~bEW@VtP?elM@%`LW1{b`-76t` zBo1P}h!l9VVdCDSY)**pv)nodE%_0EpvVWnU>Q*@OVqSP;E?Mf z?LaIHh){hbdUOyk2RomG#DMBSTWx>e%|VLVGI!5Gp&b9bxqtAJdkW^b(aK@@FtPA; z9@Pe@4=yRT{QU)O=d=(o#>T(w%1slbmA88zBuAbqR|~#deWY=+CxyT2d6$`#{TTy& zM>hrb@k`H2fhK+;Ur`U(=YDc028WC=F-ZKn&v|s+Axg7~Bk#P?TA{}$`QH2)25`xsv0cfaX>ZMaSKF_x!n^47B`-(BGPU3sMiDi? zI~>I7-iUk~TP%Nrl%xC0;J>~#a%~X!LTG`-qEZz=uCXcvBaYpyV-;dV3vluhF!ymr zBLLhd|3lPX2m{Op*AW0T+X6o_sQ>R*`d)wZ|Eye!@^IuElP|4xxXMT_RFIeS+&Rb@ z>R)=ho7XDj_eq1YB<eJ-LjB?75mOn+xF*X6H>kvIwKPxC1u6nZ1G^66SYoYAfB&BEDW zSx;Bu)p!ZHR7G5Ix2WxF=v9l7m5UHXh_l`vKY*IwiI#1a5s0ir7e;}cf8qT$<^7Rx-Nc`HxFcyZtHE? 
zXz%Gy68AkW8>1G)a2=f+5SLXM`SW>GCOoJ;sz{BlhDogSj@1=?W6u(O=AKjx%9PBK zMtm}#r6b8XO$H9wzf@>dmd?7mqnjVyQW+4E_uuZ_aRmF?gjZbSt61mxO|$6`n^He@O_C1YEdmaU8Ou(S|dLbkKb88ZVm1 zxE=1X@+RjXQfY-VDJgc*|E=Cw`_x7XZ*`%?oGA=&$(Stx=vn0c{EufD-_%%RR+|M$ z$evu*FJuW^|B$hwo-BZETT&jeYiW&G7s`Alt%%^dC7I3r^e#8tK9;%%8}@a}s$NZT z+mqN<*}V76{kc2?v1Io+r^Ce0AfI<={@_RBDqzGk?NgQkf_q{=89g~xt&8TMS?HZ{Fq)QC^4U^sFo zy%^Ab&=pv4T|{J+w)k5Di?Npw~&t50^vb<0hhvqBXrAm$tH2YN1s zxqKb>AWfo!okbX&NGET7QSidc>1^fbXoVj%bkp6fENPuymOlVyUwH0#r}yOpIW!k` zF|o`Ki&{JQdfE~1>OrJ$BL`f0(;omHLpKLe5J|zm<+0sReirigE=p24fK%~T`#ES| zdJ}Oh0hmwGdH+hSB>z7b>uTm%-BtiHQJw7KoeHPyqvi9g`!`?SOH|hjYp*E$$vxHx zzhv;~xUDRZXyrRr=kVH=`iy#k>fx_I$owx8 z=W7AhU@*)xWqYE+PwC8 zi!GfcKZWPdI8W=T@n#BpcjKWj%aTNY&{uqN;6$zDo0mbIq3d(qfE@E(#t*>?C{*Jk z)Rh4#>w~%Io?V8>pkmB4gl^2eraM|he|ZaDpn07EZz$&rc~NBxNeR>ug&Y4K+kj=y zty-vYc+6{0Vfeh^ zTivqwkGK}sd#L*|>;kP*W!Oo^_4!daTB*$Yi~ex?4bmd8SDzAIb&GzXWnwPtr z@|@bC+=C~#cxBs!HGRT2M)Yg%qSMos&diStl5JdzG((<@qb>4NNui-DA3u_TKKCMi z`Lg28*{?Rp7JWRjKsL0V3Jxe|O@2hZOJI4;ay^j-`t16)j@YC4y(w(a=`E4CJd}B6 z(7mvAkbO5kQ6}N7_0!U;voK4{K+!gnOg%MQHAIw564lu->;#sTw=N_dEM5<;FFwtqnN)q0~9sf*QY(!F5KRUdz4#n|Ss9 zOCSubo1uAY8ryp2S&sdsbh1)+vFmj~Zza0f{Hm5BEBCq-hPu}~Oe6MK4wA*bs5yJ` z-W$_g!_F;LxAP2nQ!74PZWb0+II9`6=sTpW8OORq2FdVld-HvBa`O!W+@Pc_jG&H` zi9+rBBR`}v{_YKXD8v+>W#Mc@)}n6kvVFa}+*h&4x_Z1|f-9J}f7Mcz`9+k4tGk-R zeC(y3yF=tH50Uqy7EgS^tuxr6`4Ng@hx~*x6g)XH> zlscoSeu;GNtWjPs<~6#vDy zqbm7)Vj^q2Zn}TUc;#YumGy~>w)lY9y~|36T~6kvnx&i6_P4LzWh>as9$c-qGy5$0 zAhB`2&ygHVKb7`N%;q#wHxI2^MwxF44qcwo6?L)`)Ji6~NRfP*GpxN_<#U2o@91dF z3|Kw>n~eXEaCvh|w_@!3oWRjj{}yuto`(Np`cmvNVyAnnvjMm#yy8HJaIGD&W^832 zwwS1>Mb57ng#pY02sMDGyfJw=gy->q}C2VY+0q7X^)QR`xS3=YW_CE-@32Hw*S^&KP64PxYRIEipspwS?O;71%+?Elg!J>66!>9N(r6WPV3-+`!GhV4D0k$JOpq5?ukx3{SpgA1!j54*H$9!l0S84bi%=DtTEHHORu z`-$tpXhyFYd5F$Xtfr!n%0f{6jl&ePj3?;4Ise`bRoKmBN-o(tMWAL3AA}+8W^0 zZ%%3zC0{BY1gL=X18I@LAoki9*kwm9K9JwQ;+(MUI;=jbC=twyd>~& zry(evVtbM;bYH&#-Xt-#Uy5{@Y7Ez+a6kI8%CVaY@MZUzJ_D|ex96anDoetEZ(>sn 
z81F9yh|=3_yP*Lp#Bdz|%8&t=<_}f*%HlcbH^Xfe0uum+I;Yw!f@6tAP1$My_Hjr! z2i*;#C0xtp+8AN~77``_rJ(!}Sw)uX;FnU|%7E=9%E_=xm6 zbI$isMAKk3xsyVJri%a!_qUT|qK-(t+mgSfTpzI?;Gmk4tjL`5_VjAA;Q;;jvSmYY zEDc7TY4=S>niu6S1{c3UI3zcUI;AQ0woLJn&!*|($_)FyN#UsFU>$boRaqH8+xX8r zaV%+S3$;IDj{L`-A2Q*ilz=rx*iNvt_Uyu(IJ%IW)xE#UU4enTILG%XAox64A!8J8%sSA3rr5{&ld=O!!j{9e{vJ;J90Y%6NAPajF|ZjcH|If) zcnoG};%TcT``m#gh9rex;(S!n5Y<*&EA&vBnhUBo<;sLl!|9U{LDFv6-a(tQO3Uiy z^>37$J%pMngvjt&b>a%34=ep8TR>b06G`N)M;y$yWf{&JUee0Wzd$d^tJ_^ zd)`y^3@NQeO=R38yNj4|KJt_&pKcy~Ey?2|)>@HKiIn~4ouf~0+2wj^ zQ%G1f`p2!gQyT8q=b*YXrmcZM5{o(iP(EZQa%YGeBV5iJ4lKKU9kQc-@jadu-BVNO z?m0zQ4X)73-E{nkf<=cUFJX^54wBxM_{qanzK%k8rwc8nFd|nO>K{K*=sO2p1lDF> z6U&mK=+_^Npch}hAQNF2OV;Y`t2+XAsds;w@AFsrLI0KI(}nd0>AM7llaMLCUWs21 zNd2$><|m1qAgK6%bkEd@w-{6`wID&7s{9xhZToq)gi^Yog-YxMc)o$Zd?V>o%E2r} zQT75^7_3Q{K$_!nxYRdfYk8EYzq4Ot6TfRDd%t(_fm?Q$n&0n-;h#2>Bu!DI{yphJ zbYq%CJiG4x4($5w;5N5_k+yBp_;Z#b42%6_fh(oY@NBN9gU#lUobJcf-{KYH566D` zX6nIhT-ln<`YuCoSWV#FP`bS3qp+k`Ps(B~JUl-}3%>fRcI$tq@(e=@0enzo(nei8 zOku50L?q@UC<@!xFL7kgixlLq{kp`rTmQOT5?)az&3r1{KQ(rNxQi}BkTGNlxum9_ zdPE+`y&&@2TD%AedpU1 zTfHH?rUzn-n+gnv57T|vI`_Ulq+8ec29E=#WP`(#!mt`gxw1C}vo3QEZMjb7*LDx~ z%9{q^;_-^lCcaoxeEpd#XAI?Z=Zswi3Dr*e!c{ElEQ0U-(0aYBF(bv@y^_aWOckqa z7-nd@8xh0S@*Se{Jz@=TC%VqAW(pip^bf)O@Ns1lZ?^Bv_)8LG%bbyZSw*OGkhN~! 
zpsi=|QyY8t>C0vP6gAou@AIfw!>znE$mL<`-QHViCgmcn+s5N+>+j>Jl5~V3W=5-8 zFDqsUQ<30J)Cx8a6>ih1+0$2M5bdh8g$BTJG- z%pUO7^USz;jqF09cjV-6kc>rE9<1_w2>*m>1y4#-zT<+6-ul!>#pDc@bXZossT9tv zf}J1-*+Dc)JeCLT%w$@lY|dgc(q`iF?gJtYf_!^a*$z9ozfS6YZgv0M->d)xz^yQm zdKu`)H8R6e0}V;sX*T^QNu{K3*y>48V|na!qfCYhuWP&{a&~xCYBX0*X3jxotJuAx zqxpLI4f*vPAcd`RdyghkoG64-z2ec7g%r<+q+Q$y#(r6*U>^f-u5_FLHs~h zAyGsQBKZ$J$gL^gE$MBM`!kmFGtPOBB3zxUt9=F*0GveB;z4=ee2%PkyM}O9zQ9W2)D%C z1v$$_J6vDMAv?`T&FrfYvnDN(xe4X2@732RZ6(%b2s!-U_E}eM$b%~~_Rcs?DjVpl z+YZJFIcV>#Md|4OtN!Gjd^e?SVQwj0{_$^O zl7w;e(A=|9emby4(4!FNYM@)wW$O!P<>iHLhojBJ56lFo-liXDHT5HEaUXO@?3a^VU?> zaW*yW_%vHkMy&`M{?{q}h;*2#w z_pL4#t?u`MlXXb`y#jEZB@y0W_|qtr8pw}VJ5MLDMuv1(9);?B(9}!mrn#g>AE2$7 zV*z`jyF*)lOA+=|F~x{9)R6OylfI$7SJ=y>`@U;?Z7T@;6<35}2q5jq?G0Gt|45?m OKkNQ$N-N~&v;PB_7E0y- literal 0 HcmV?d00001 From 48d19109242e345155a5d48f56f2dbfe8d4b78d2 Mon Sep 17 00:00:00 2001 From: pneerincx Date: Wed, 6 Feb 2019 17:54:41 +0100 Subject: [PATCH 16/76] Added new resolver role, which configures dnsmasq to use the nameservers listed in group_vars for a cluster. --- cluster.yml | 1 + group_vars/gearshift-cluster/vars.yml | 5 +++ group_vars/hyperchicken-cluster/vars.yml | 5 +++ group_vars/talos-cluster/vars.yml | 5 +++ resolver.yml | 5 +++ roles/resolver/handlers/main.yml | 13 ++++++++ roles/resolver/tasks/main.yml | 39 ++++++++++++++++++++++++ roles/resolver/templates/dnsmasq.conf.j2 | 3 ++ 8 files changed, 76 insertions(+) create mode 100644 resolver.yml create mode 100644 roles/resolver/handlers/main.yml create mode 100644 roles/resolver/tasks/main.yml create mode 100644 roles/resolver/templates/dnsmasq.conf.j2 diff --git a/cluster.yml b/cluster.yml index cdaa9df11..eabd16e31 100644 --- a/cluster.yml +++ b/cluster.yml @@ -19,6 +19,7 @@ - ldap - node_exporter - cluster + - resolver - name: Install ansible on admin interfaces (DAI & SAI). hosts: diff --git a/group_vars/gearshift-cluster/vars.yml b/group_vars/gearshift-cluster/vars.yml index f9cd8fb2f..0fd9eb6b2 100644 
--- a/group_vars/gearshift-cluster/vars.yml
+++ b/group_vars/gearshift-cluster/vars.yml
@@ -23,4 +23,9 @@ ldap_port: 389
 ldaps_port: 636
 ldap_base: ou=umcg,o=asds
 ldap_binddn: cn=clusteradminumcg,o=asds
+nameservers: [
+ '172.23.40.244', # Order is important: local DNS for Isilon storage first!
+ '8.8.4.4', # Google DNS.
+ '8.8.8.8', # Google DNS.
+]
 ...
diff --git a/group_vars/hyperchicken-cluster/vars.yml b/group_vars/hyperchicken-cluster/vars.yml
index b010e2cdf..364e66e7e 100644
--- a/group_vars/hyperchicken-cluster/vars.yml
+++ b/group_vars/hyperchicken-cluster/vars.yml
@@ -32,4 +32,9 @@ security_group_id: SSH-and-ping-2
 slurm_ldap: false
 availability_zone: AZ_1
 local_volume_size: 1
+nameservers: [
+ '/em-isi-3126.ebi.ac.uk/10.35.126.201', # Local DNS lookups for shared storage.
+ '8.8.4.4', # Google DNS.
+ '8.8.8.8', # Google DNS.
+]
 ...
diff --git a/group_vars/talos-cluster/vars.yml b/group_vars/talos-cluster/vars.yml
index 74d738673..3c61ba520 100644
--- a/group_vars/talos-cluster/vars.yml
+++ b/group_vars/talos-cluster/vars.yml
@@ -23,4 +23,9 @@ ldap_port: 389
 ldaps_port: 636
 ldap_base: ou=umcg,o=asds
 ldap_binddn: cn=clusteradminumcg,o=asds
+nameservers: [
+ '172.23.40.244', # Order is important: local DNS for Isilon storage first!
+ '8.8.4.4', # Google DNS.
+ '8.8.8.8', # Google DNS.
+]
 ...
\ No newline at end of file
diff --git a/resolver.yml b/resolver.yml
new file mode 100644
index 000000000..ab99aeb74
--- /dev/null
+++ b/resolver.yml
@@ -0,0 +1,5 @@
+---
+- hosts: cluster
+ roles:
+ - resolver
+...
\ No newline at end of file
diff --git a/roles/resolver/handlers/main.yml b/roles/resolver/handlers/main.yml
new file mode 100644
index 000000000..c7154496a
--- /dev/null
+++ b/roles/resolver/handlers/main.yml
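Review bot: The comment on `'172.23.40.244'` says order is important, but dnsmasq does not query upstream servers in list order — without `strict-order` it forwards each query to whichever configured server it currently favours, so a lookup for an Isilon-only name can go to 8.8.8.8 and come back NXDOMAIN. Scope the local server to the storage zone the way the hyperchicken entry already does, e.g. `'/<isilon-domain>/172.23.40.244'`, or add `strict-order` to the dnsmasq template; the talos entry in the third hunk has the same problem. Note also that every query outside that zone is sent in cleartext to Google's public resolvers, which is a deliberate decision to make if internal hostnames should not leave the site network.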
@@ -0,0 +1,13 @@
+---
+#
+# Important: maintain correct handler order.
+# Handlers are executed in the order in which they are defined
+# and not in the order in whch they are listed in a "notify: handler_name" statement!
+#
+- name: Restart dnsmasq service.
+ service:
+ name: dnsmasq
+ state: restarted
+ become: true
+ listen: restart_dnsmasq
+...
\ No newline at end of file
diff --git a/roles/resolver/tasks/main.yml b/roles/resolver/tasks/main.yml
new file mode 100644
index 000000000..600578c80
--- /dev/null
+++ b/roles/resolver/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install dnsmasq
+ yum:
+ state: latest
+ update_cache: yes
+ name:
+ - dnsmasq
+ become: true
+ notify: restart_dnsmasq
+
+- name: Configure /etc/dnsmasq.conf to use nameservers as listed in group_vars for this cluster.
+ template:
+ dest: '/etc/dnsmasq.conf'
+ src: 'templates/dnsmasq.conf.j2'
+ owner: root
+ group: root
+ mode: 0644
+ become: true
+ notify: restart_dnsmasq
+
+- name: Configure /etc/resolv.conf to use dnsmasq on localhost.
+ copy:
+ dest: '/etc/resolv.conf'
+ content: nameserver 127.0.0.1
+ owner: root
+ group: root
+ mode: 0644
+ become: true
+ notify: restart_dnsmasq
+
+- name: Enable dnsmasq service.
+ systemd:
+ name: 'dnsmasq.service'
+ enabled: yes
+ become: true
+ notify: restart_dnsmasq
+
+- meta: flush_handlers
+...
\ No newline at end of file
diff --git a/roles/resolver/templates/dnsmasq.conf.j2 b/roles/resolver/templates/dnsmasq.conf.j2
new file mode 100644
index 000000000..5f774b96e
--- /dev/null
+++ b/roles/resolver/templates/dnsmasq.conf.j2
@@ -0,0 +1,3 @@
+{% for nameserver in nameservers %}
+server={{ nameserver }}
+{% endfor %}
From f51ef785ac6858f6eac3db33e68f2735df8b4d19 Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Mon, 18 Feb 2019 13:43:19 +0000 Subject: [PATCH 17/76] Added ssh-host signer password. --- group_vars/gearshift-cluster/secrets.yml | 46 +++++++++++++----------- 1 file changed, 25 insertions(+), 21 deletions(-)
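Review bot: The `copy` of `/etc/resolv.conf` in the third task of `roles/resolver/tasks/main.yml` is a one-shot write; if the nodes' interfaces are managed by NetworkManager or dhclient (the role does not show how addresses are assigned), the file is regenerated on the next lease renewal and the hosts silently fall back to the DHCP-provided resolvers, bypassing dnsmasq entirely. Pin it with `PEERDNS=no` in the interface's ifcfg file or `dns=none` in `/etc/NetworkManager/NetworkManager.conf`, so the playbook's content survives. Separately, `state: latest` on the `yum` task upgrades dnsmasq on every run; `state: present` keeps the install idempotent and leaves upgrades to the patching process.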
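Review bot: The template emits only `server=` lines, so the generated `/etc/dnsmasq.conf` leaves everything else at dnsmasq defaults and the daemon listens on every interface — each cluster node becomes a resolver reachable from the network, and an amplification target on any node with an exposed address. Since `/etc/resolv.conf` only ever points at 127.0.0.1, add `listen-address=127.0.0.1`, `bind-interfaces` and `no-resolv` above the loop so dnsmasq serves localhost only and uses just the upstreams listed in `nameservers` rather than also re-reading `/etc/resolv.conf`.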
diff --git a/group_vars/gearshift-cluster/secrets.yml b/group_vars/gearshift-cluster/secrets.yml index c3d2c0924..5e8f115e1 100644 --- a/group_vars/gearshift-cluster/secrets.yml +++ b/group_vars/gearshift-cluster/secrets.yml @@ -1,22 +1,26 @@ $ANSIBLE_VAULT;1.1;AES256 -66366630663835306636383866396162373361353765323165356330653435616438393535633833 -3938343064333736633335373133313234386362666162660a633835636637326566633038326132 -30633735373366663933383963666634376536666266356238613530386633353037336537326334 -3465626531626132360a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a353165386665643366383262363565 +64313937633133336534313935613333633231303363653832396166663736626338633338386662 +3839323734346138310a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rom 9e46b636d5ee92f6873a270fc2e66abfe3fbbc73 Mon Sep 17 00:00:00 2001 
From: Egon Rijpkema Date: Mon, 18 Feb 2019 15:30:41 +0100 Subject: [PATCH 18/76] Did a cleanup. #59 Removed all openstack related stuff Moved playbooks that install a single role that is also installed via the cluster.yml. This keeps the root of the repository less of a mess in my oppinion. As famous quote goes "There are only two hard things in Computer Science: cache invalidation and naming things" I'm very much open to suggestions for a better name. --- cinder-controller.yml | 9 ---- cinder-storage.yml | 9 ---- cluster.yml | 6 +++ gearshift_hosts.ini | 44 ------------------- glance-controller.yml | 9 ---- heat.yml | 9 ---- horizon.yml | 9 ---- keystone.yml | 9 ---- mariadb.yml | 13 ------ memcached.yml | 5 --- neutron-controller.yml | 9 ---- nova-compute.yml | 9 ---- nova-controller.yml | 9 ---- rabbitmq.yml | 7 --- requirements.yml | 6 --- settings.yml | 12 ----- dai.yml => single_roles/dai.yml | 0 figlet.yml => single_roles/figlet.yml | 0 firewall.yml => single_roles/firewall.yml | 0 monitoring.yml => single_roles/monitoring.yml | 0 resolver.yml => single_roles/resolver.yml | 0 rsyslog.yml => single_roles/rsyslog.yml | 0 .../slurm-client.yml | 0 slurm.yml => single_roles/slurm.yml | 0 .../ssh_host_signer.yml | 0 site.yml | 16 ------- vnode.yml | 11 ----- 27 files changed, 6 insertions(+), 195 deletions(-) delete mode 100644 cinder-controller.yml delete mode 100644 cinder-storage.yml delete mode 100644 glance-controller.yml delete mode 100644 heat.yml delete mode 100644 horizon.yml delete mode 100644 keystone.yml delete mode 100644 mariadb.yml delete mode 100644 memcached.yml delete mode 100644 neutron-controller.yml delete mode 100644 nova-compute.yml delete mode 100644 nova-controller.yml delete mode 100644 rabbitmq.yml delete mode 100644 settings.yml rename dai.yml => single_roles/dai.yml (100%) rename figlet.yml => single_roles/figlet.yml (100%) rename firewall.yml => single_roles/firewall.yml (100%) rename monitoring.yml => single_roles/monitoring.yml 
(100%) rename resolver.yml => single_roles/resolver.yml (100%) rename rsyslog.yml => single_roles/rsyslog.yml (100%) rename slurm-client.yml => single_roles/slurm-client.yml (100%) rename slurm.yml => single_roles/slurm.yml (100%) rename ssh_host_signer.yml => single_roles/ssh_host_signer.yml (100%) delete mode 100644 site.yml delete mode 100644 vnode.yml diff --git a/cinder-controller.yml b/cinder-controller.yml deleted file mode 100644 index 2ac183afc..000000000 --- a/cinder-controller.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: cinder-controller - become: True - roles: - - hpc-cloud/roles/cinder-controller diff --git a/cinder-storage.yml b/cinder-storage.yml deleted file mode 100644 index 577a2fdd5..000000000 --- a/cinder-storage.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: cinder-storage - become: True - roles: - - hpc-cloud/roles/cinder-storage diff --git a/cluster.yml b/cluster.yml index eabd16e31..387997ab6 100644 --- a/cluster.yml +++ b/cluster.yml @@ -55,6 +55,12 @@ - prom_server - cadvisor - slurm + vars: + # These variables are needed by the mariadb role. + # Which is a depencency of the slurm role. + # See roles/slurm/meta/main.yml + hostname_node0: "{{ ansible_hostname }}" + ip_node0: "{{ ansible_default_ipv4['address'] }}" - name: Install virtual compute nodes hosts: compute-vm diff --git a/gearshift_hosts.ini b/gearshift_hosts.ini index 07a7483d1..689b94092 100644 --- a/gearshift_hosts.ini +++ b/gearshift_hosts.ini 
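Review bot: `ip_node0: "{{ ansible_default_ipv4['address'] }}"` in the new `vars:` block drops the `listen_ip | default(...)` override that the deleted `mariadb.yml` passed to the same role, so the database behind slurm is now bound to whichever interface carries the default route; on a node where that is a routable interface, MariaDB is exposed beyond the cluster network. Keep the override, `ip_node0: "{{ listen_ip | default(ansible_default_ipv4['address']) }}"`, and set `listen_ip` in host_vars where the default route is not the private interface. Typo in the comment: "depencency" → "dependency".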
@@ -1,43 +1,3 @@ -[databases] -gs-openstack -gs-compute10 -gs-compute11 - -[keystone] -gs-openstack - -[glance-controller] -gs-openstack - -[heat] -gs-openstack - -[horizon] -gs-openstack - -[rabbitmq] -gs-openstack -gs-compute10 -gs-compute11 - -[memcached] -gs-openstack - -[neutron-controller] -gs-openstack physical_interface_mappings=provider:enp130s0f0 - -[nova-controller] -gs-openstack - -[cinder-controller] -gs-openstack - -[cinder-storage] -gs-compute[01:11] storage_volume=/dev/sdb - -[nova-compute] -gs-compute[01:11] physical_interface_mappings=provider:enp130s0f0 - [jumphost] airlock @@ -68,7 +28,3 @@ administration [gearshift-cluster:children] cluster jumphost - -[metal] -gs-openstack -gs-compute[01:11] diff --git a/glance-controller.yml b/glance-controller.yml deleted file mode 100644 index 4d307f798..000000000 --- a/glance-controller.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: glance-controller - become: True - roles: - - hpc-cloud/roles/glance-controller diff --git a/heat.yml b/heat.yml deleted file mode 100644 index a5e7eecd5..000000000 --- a/heat.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: heat - become: True - roles: - - hpc-cloud/roles/heat diff --git a/horizon.yml b/horizon.yml deleted file mode 100644 index 2ea928605..000000000 --- a/horizon.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: horizon - become: True - roles: - - hpc-cloud/roles/horizon diff --git a/keystone.yml b/keystone.yml deleted file mode 100644 index 1c930b30f..000000000 --- a/keystone.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: databases - name: Dummy to gather facts - tasks: [] - -- hosts: keystone - become: True - roles: - - hpc-cloud/roles/keystone diff --git a/mariadb.yml b/mariadb.yml deleted file mode 100644 index b0143909f..000000000 --- a/mariadb.yml +++ /dev/null 
@@ -1,13 +0,0 @@ ---- -# Run all plays as root. -- hosts: databases - become: True - roles: - - hpc-cloud/roles/mariadb - vars: - hostname_node0: "{{ hostvars[groups['databases'][0]]['ansible_hostname'] }}" - hostname_node1: "{{ hostvars[groups['databases'][1]]['ansible_hostname'] }}" - hostname_node2: "{{ hostvars[groups['databases'][2]]['ansible_hostname'] }}" - ip_node0: "{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}" - ip_node1: "{{ hostvars[groups['databases'][1]]['listen_ip'] | default(hostvars[groups['databases'][1]]['ansible_default_ipv4']['address']) }}" - ip_node2: "{{ hostvars[groups['databases'][2]]['listen_ip'] | default(hostvars[groups['databases'][2]]['ansible_default_ipv4']['address']) }}" diff --git a/memcached.yml b/memcached.yml deleted file mode 100644 index af6c17b11..000000000 --- a/memcached.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: memcached - become: True - roles: - - hpc-cloud/roles/memcached diff --git a/neutron-controller.yml b/neutron-controller.yml deleted file mode 100644 index 3992b6f0e..000000000 --- a/neutron-controller.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: neutron-controller - become: True - roles: - - hpc-cloud/roles/neutron-controller diff --git a/nova-compute.yml b/nova-compute.yml deleted file mode 100644 index 308d32683..000000000 --- a/nova-compute.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: nova-compute - become: True - roles: - - hpc-cloud/roles/nova-compute diff --git a/nova-controller.yml b/nova-controller.yml deleted file mode 100644 index 87a1db7f9..000000000 --- a/nova-controller.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -- hosts: all - name: Dummy to gather facts - tasks: [] - -- hosts: nova-controller - become: True - roles: - - hpc-cloud/roles/nova-controller 
diff --git a/rabbitmq.yml b/rabbitmq.yml deleted file mode 100644 index 0dc8cf16a..000000000 --- a/rabbitmq.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- hosts: rabbitmq - become: True - roles: - - hpc-cloud/roles/rabbitmq - vars: - hostname_node0: "{{ hostvars[groups['rabbitmq'][0]]['ansible_hostname'] }}" diff --git a/requirements.yml b/requirements.yml index bf8562e51..27b5324eb 100644 --- a/requirements.yml +++ b/requirements.yml @@ -1,10 +1,4 @@ --- -# pull down common roles from the HPC cloud repo -- src: ssh://git@git.webhosting.rug.nl:222/HPC/hpc-cloud.git - name: hpc-cloud - version: umcg-0.2 - scm: git - # Mostly user accounts of hpc playbooks. - src: ssh://git@git.webhosting.rug.nl:222/HPC/HPCplaybooks.git name: HPCplaybooks diff --git a/settings.yml b/settings.yml deleted file mode 100644 index 1017c9443..000000000 --- a/settings.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- allocation_pool: - start: 172.23.40.38 - end: 172.23.40.50 - -- dns_nameserver: 129.125.4.6 - -- gateway: 172.23.40.250 - -- subnet_range: 172.23.40.0/24 - -- rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc diff --git a/dai.yml b/single_roles/dai.yml similarity index 100% rename from dai.yml rename to single_roles/dai.yml diff --git a/figlet.yml b/single_roles/figlet.yml similarity index 100% rename from figlet.yml rename to single_roles/figlet.yml diff --git a/firewall.yml b/single_roles/firewall.yml similarity index 100% rename from firewall.yml rename to single_roles/firewall.yml diff --git a/monitoring.yml b/single_roles/monitoring.yml similarity index 100% rename from monitoring.yml rename to single_roles/monitoring.yml 
diff --git a/resolver.yml b/single_roles/resolver.yml similarity index 100% rename from resolver.yml rename to single_roles/resolver.yml diff --git a/rsyslog.yml b/single_roles/rsyslog.yml similarity index 100% rename from rsyslog.yml rename to single_roles/rsyslog.yml diff --git a/slurm-client.yml b/single_roles/slurm-client.yml similarity index 100% rename from slurm-client.yml rename to single_roles/slurm-client.yml diff --git a/slurm.yml b/single_roles/slurm.yml similarity index 100% rename from slurm.yml rename to single_roles/slurm.yml diff --git a/ssh_host_signer.yml b/single_roles/ssh_host_signer.yml similarity index 100% rename from ssh_host_signer.yml rename to single_roles/ssh_host_signer.yml diff --git a/site.yml b/site.yml deleted file mode 100644 index fe79d8726..000000000 --- a/site.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -- import_playbook: hpc-cloud/common.yml -- import_playbook: hpc-cloud/rabbitmq.yml -- import_playbook: hpc-cloud/memcached.yml -- import_playbook: hpc-cloud/mariadb.yml -- import_playbook: hpc-cloud/keystone.yml -- import_playbook: hpc-cloud/glance-controller.yml -- import_playbook: hpc-cloud/nova-controller.yml -- import_playbook: hpc-cloud/neutron-controller.yml -- import_playbook: hpc-cloud/cinder-controller.yml -- import_playbook: hpc-cloud/cinder-storage.yml -- import_playbook: hpc-cloud/nova-compute.yml -- import_playbook: hpc-cloud/horizon.yml -- import_playbook: hpc-cloud/heat.yml -- import_playbook: hpc-cloud/post-install.yml -... diff --git a/vnode.yml b/vnode.yml deleted file mode 100644 index 2caed3adb..000000000 --- a/vnode.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -- name: Install Roles that are needed for the virtual cluster. - hosts: - - cluster - become: True - roles: - #- spacewalk_client - - cluster - #- ldap - -# - import_playbook: users.yml From 6436ea0eec72344bee1ae0fbdefd550355759444 Mon Sep 17 00:00:00 2001 
From: pneerincx Date: Thu, 21 Feb 2019 14:03:52 +0100 Subject: [PATCH 19/76] Minor fixes for single_role_playbooks so they will automagically pickup roles and callback_plugins now that they are in a subdir, improved playbooks to add local users and groups: moved all values from the playbooks to variables in group_vars, added stuff for shared storage (work in progress.) --- callback_plugins/homsaplog.py | 71 +++++++++++ callback_plugins/homsaplog.pyc | Bin 0 -> 2558 bytes group_vars/all/vars.yml | 75 +++++++++++- group_vars/gearshift-cluster/vars.yml | 6 + group_vars/hyperchicken-cluster/vars.yml | 25 +++- group_vars/talos-cluster/vars.yml | 75 +++++++++++- local_admin_users.yml | 31 +++++ local_regular_users.yml | 35 ++++++ roles/shared_storage/tasks/main.yml | 112 ++++++++++++++++++ single_role_playbooks/callback_plugins | 1 + .../dai.yml | 0 .../figlet.yml | 0 .../firewall.yml | 0 .../monitoring.yml | 0 .../resolver.yml | 0 single_role_playbooks/roles | 1 + .../rsyslog.yml | 0 single_role_playbooks/shared_storage.yml | 5 + .../slurm-client.yml | 0 .../slurm.yml | 0 .../ssh_host_signer.yml | 0 users.yml | 75 ------------ 22 files changed, 430 insertions(+), 82 deletions(-) create mode 100644 callback_plugins/homsaplog.py create mode 100644 callback_plugins/homsaplog.pyc create mode 100644 local_admin_users.yml create mode 100644 local_regular_users.yml create mode 100644 roles/shared_storage/tasks/main.yml create mode 120000 single_role_playbooks/callback_plugins rename {single_roles => single_role_playbooks}/dai.yml (100%) rename {single_roles => single_role_playbooks}/figlet.yml (100%) rename {single_roles => single_role_playbooks}/firewall.yml (100%) rename {single_roles => single_role_playbooks}/monitoring.yml (100%) rename {single_roles => single_role_playbooks}/resolver.yml (100%) create mode 120000 single_role_playbooks/roles rename {single_roles => single_role_playbooks}/rsyslog.yml (100%) create mode 100644 single_role_playbooks/shared_storage.yml rename 
{single_roles => single_role_playbooks}/slurm-client.yml (100%) rename {single_roles => single_role_playbooks}/slurm.yml (100%) rename {single_roles => single_role_playbooks}/ssh_host_signer.yml (100%) delete mode 100644 users.yml diff --git a/callback_plugins/homsaplog.py b/callback_plugins/homsaplog.py new file mode 100644 index 000000000..2fa73d79b --- /dev/null +++ b/callback_plugins/homsaplog.py 
@@ -0,0 +1,71 @@
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+ callback: homsaplog
+ type: stdout
+ short_description: Homo sapiens friendly formatted output.
+ description:
+ - Use this callback to sort though extensive debug output
+'''
+
+from ansible.plugins.callback.default import CallbackModule as CallbackModule_default
+from ansible.plugins.callback import CallbackBase
+
+try:
+ # Ansible 2.3
+ from ansible.vars import strip_internal_keys
+except ImportError:
+ try:
+ # Anisble2.4
+ from ansible.vars.manager import strip_internal_keys
+ except ImportError:
+ # Ansible 2.5
+ from ansible.vars.clean import strip_internal_keys
+
+try:
+ import simplejson as json
+except ImportError:
+ import json
+import sys
+reload(sys).setdefaultencoding('utf-8')
+
+class CallbackModule(CallbackModule_default): # pylint: disable=too-few-public-methods,no-init
+ '''
+ Override for the default callback module.
+
+ Render std err/out outside of the rest of the result which it prints with
+ indentation.
+ '''
+ CALLBACK_VERSION = 2.0
+ CALLBACK_TYPE = 'stdout'
+ CALLBACK_NAME = 'homsaplog'
+
+ def _dump_results(self, result, indent=4, sort_keys=True, keep_invocation=False):
+ '''Return the text to output for a result.'''
+
+ if result.get('_ansible_no_log', False):
+ return json.dumps(dict(censored="The output has been hidden due to the fact that 'no_log: true' was specified for this result."))
+
+ # All result keys starting with _ansible_ are for internal use only, so remove them from the result before we output anything.
+ reformatted_result = strip_internal_keys(result)
+
+ # remove invocation unless specifically wanting it
+ if not keep_invocation and self._display.verbosity < 3 and 'invocation' in result:
+ del reformatted_result['invocation']
+
+ # remove diff information from screen output
+ if self._display.verbosity < 3 and 'diff' in result:
+ del reformatted_result['diff']
+
+ # remove exception from screen output
+ if 'exception' in reformatted_result:
+ del reformatted_result['exception']
+
+ output = json.dumps(reformatted_result, indent=indent, ensure_ascii=False, sort_keys=sort_keys)
+ output = output.replace('\\r\\n\",', '",')
+ output = output.replace('\\r\\n', "\n\t")
+ output = output.replace('\\n\",', '",')
+ output = output.replace('\\n', "\n\t")
+ return output
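Review bot: `reload(sys).setdefaultencoding('utf-8')` at module level is Python 2 only: on Python 3 `reload` is not a builtin and `sys.setdefaultencoding` no longer exists, so the module raises at import time and the callback presumably never loads. It also flips the process-wide default encoding for the whole Ansible run, not just this plugin, which is the classic reason that hack is discouraged. If Python 2 still has to be supported, guard it with `if sys.version_info[0] < 3:` followed by `reload(sys); sys.setdefaultencoding('utf-8')` and a comment stating which output broke without it; otherwise drop both lines. The companion `callback_plugins/homsaplog.pyc` added by the same commit is compiled bytecode and is better ignored than tracked.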
diff --git a/callback_plugins/homsaplog.pyc b/callback_plugins/homsaplog.pyc new file mode 100644 index 0000000000000000000000000000000000000000..ae752f722caa3b69b862c67ed90d04b0cdb0a15f GIT binary patch literal 2558 zcmcIl-EJF26h31+PU1MJn}n(tv|1`qeL-xAD-;208iJ^3Q?yC{te|DRJGM93AG0%? z)>3-a-u03vKuEwd@FF}2FTi)suH6(QuE2@MGvAzZ=KOqTrvB%8>zCHiNkG+S3BPx~ zS7fd#q7eUzVxmORKv7boL5-3+4eF$Hg9b|!0&0p}o#JImR%ozFiuD>4wz$o$MQY!^m4a{=r>O%*+zb;N#? z;;S^+q$lZ(h29@?J#23BCd;!OthZ>eMS7d`7QIq*`W}VLJW=5a=~Wsj3Rmeh(JP{7 zgB8{|>b8)ch*Q9+@ah?FJUpJW8!MD$>9LGQR_A zIrs#A91s2AY}c7&iSeg#HWu8@rh3;gHp~hufSJIq7itsa(UfiMI$vi==0GRXsc}X* ze!_U>jIuoOt<|9e)oEdSqJCLX0LR&J9vSV}Nn{pYI2HzR4$!O^PaOTi!gh47olp;p zab>a91uaOz+OOPykcCC8OT3NEIeynS6}kn~SorQC5js!(*gMlRb7+`sg&pmD>T)(0 z9Bg25mpS+eCYqRfs2HdRGJ<-{xdw%xA^6uI-6Xxtym$>{h1{cV6Kdv13=-|bbDif= zs5v_bj^i2mMQqTt4LTzNf{a1vtjY5WWO9i< zPjSTG~&Z%XMhJgRx^!q|%=F#u;jzI+G|w9i6a1(`0ha$Pc(xeCymU4edHMFZ6Ba zIdsfa2hk`(AC{a$n^i7Ea&5>hlAdRQ5ChfY8)GyQ9_SZ=mL?a1l>D*WSMagOwdb24 zibRsTRT{}Kl}_@L^w!6whADp7BqOqJt(NQg{z=+p###1dtS#6=^pzhQEuNej+*=HV zMKU#&bAfdkl5BZlWTvq{6DQDI!^}i>W|^(I#zvsKJQq!)J7+E#{R|@r)EtZ@9G}Rh+Z1AE#j%+{H{X3?BMe zbDOvMIptaVhUR Date: Thu, 21 Feb 2019 15:08:28 +0100 Subject: [PATCH 20/76] Bugfixes for creating local admin and regular users. And added feature to create private primary group for each local user with GID=UID for their home dirs. --- group_vars/all/vars.yml | 30 ++++++++++++++++++++++++++++-- local_admin_users.yml | 27 +++++++++++++++++++++++---- local_regular_users.yml | 12 ++++++------ 3 files changed, 57 insertions(+), 12 deletions(-) diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 5971f3dfc..614db9916 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml 
@@ -12,7 +12,7 @@ spacewalk_server_url: 'http://spacewalk.hpc.rug.nl/XMLRPC' # * In ../[name]-cluster/vars.yml we list which users are created locally on which cluster as regular and/or admin users. # * Never ever change nor recycle a UID value here unless you are in for a surprise... # -users: +auth_users: pieter: comment: 'Pieter Neerincx' uid: 1001 @@ -64,6 +64,32 @@ users: uid: 1010 pub_keys: | # Revoked: key format not compliant with requirements. + gvdvries: + comment: 'Gerben van der Vries' + uid: 1011 + pub_keys: | + ssh-rsa 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 gvdvries + pneerincx: + comment: 'Pieter Neerincx' + uid: 1012 + pub_keys: | + ssh-rsa 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 pneerincx + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519 + mbijlsma: + comment: 'Marieke Bijlsma' + uid: 1013 + pub_keys: | + ssh-rsa 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 mbijlsma + mswertz: + comment: 'Morris Swertz' + uid: 1014 + pub_keys: | + ssh-rsa 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 m.a.swertz@rug.nl + rkanninga: + comment: 'Roan Kanninga' + uid: 1015 + pub_keys: | + # Revoked: key format not compliant with requirements. # # Local group specs. # Note: @@ -71,7 +97,7 @@ users: # * In ../[name]-cluster/vars.yml we list which groups are created locally on which cluster. # * Never ever change nor recycle a GID value here unless you are in for a surprise... # -groups: +auth_groups: admin: gid: 20000 docker: diff --git a/local_admin_users.yml b/local_admin_users.yml index b80f7105d..f3475ab98 100644 --- a/local_admin_users.yml +++ b/local_admin_users.yml 
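Review bot: For `rkanninga` the `pub_keys: |` block scalar holds only the line `# Revoked: key format not compliant with requirements.`, which inside a block scalar is literal string content rather than a YAML comment, so that text is what `authorized_key` receives (with `exclusive: yes`) from local_admin_users.yml and local_regular_users.yml. Whether the module ignores such a line or rejects it as an invalid key is not visible here and should be confirmed before the pattern, already used for uid 1010 above, spreads further; moving the remark to a real YAML comment line above `pub_keys:` and deciding explicitly how a user with no valid key is handled (e.g. not listing them in the `local_*_users` lists) is unambiguous. Two entries, `pieter` (uid 1001) and `pneerincx` (uid 1012), carry the same `comment: 'Pieter Neerincx'`; if both accounts are intentional, a short comment saying why would help the next maintainer who reads the "never recycle a UID" warning above.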
@@ -3,19 +3,38 @@ hosts: all become: True tasks: + - name: "List contents of local_admin_groups var." + debug: + msg: "{{ local_admin_groups }}" + - name: "List contents of groups var." + debug: + msg: "{{ auth_groups }}" - name: Check if required groups are present. group: name: "{{ item }}" - gid: "{{ groups[item].gid }}" + gid: "{{ auth_groups[item].gid }}" state: present with_items: "{{ local_admin_groups }}" - name: 'Allow passwordless sudo for local admin users.' lineinfile: dest=/etc/sudoers line="%admin ALL=(ALL:ALL) NOPASSWD:ALL" + - name: "Check if required private groups for user's home dir are present." + group: + name: "{{ item }}" # Use same name as user's account name for user's private group. + gid: "{{ auth_users[item].uid }}" # Use same GID as user's UID for user's private group. + state: present + with_items: "{{ local_admin_users }}" + - name: 'Create /admin root dir for the home dirs of admin users.' + file: + path: '/admin' + owner: 'root' + group: 'root' + mode: 0755 + state: 'directory' - name: Create local admin users and append them to relevant groups. user: name: "{{ item }}" - uid: "{{ users[item].uid }}" - comment: "{{ users[item].comment }}" + uid: "{{ auth_users[item].uid }}" + comment: "{{ auth_users[item].comment }}" group: 'admin' groups: "{{ local_admin_groups }}" home: "/admin/{{ item }}" @@ -24,7 +43,7 @@ - name: 'Deploy authorized keys for admins.' authorized_key: user: "{{ item }}" - key: "{{ users[item].pub_keys }}" + key: "{{ auth_users[item].pub_keys }}" state: present exclusive: yes with_items: "{{ local_admin_users }}" diff --git a/local_regular_users.yml b/local_regular_users.yml index 78a09e929..fade29d5a 100644 --- a/local_regular_users.yml +++ b/local_regular_users.yml 
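Review bot: The two new `debug` tasks that dump `local_admin_groups` and `auth_groups` look like leftover troubleshooting; they print on every run, so either remove them or gate them with `verbosity: 1`. The new task creates a private group with `gid: "{{ auth_users[item].uid }}"` for each admin, yet the `user:` task below still sets `group: 'admin'`, so for admins that group is created but never becomes their primary group — unlike local_regular_users.yml in this same commit, which uses `group: "{{ item }}"`. If the GID=UID private primary group is meant for admins too, change it to `group: "{{ item }}"` and keep `admin` in `groups:`; if admins are meant to keep `admin` as primary group, the private-group task is dead weight here. The play header is outside the hunk.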
@@ -6,20 +6,20 @@ - name: 'Check if required groups are present.' group: name: "{{ item }}" - gid: "{{ groups[item].gid }}" + gid: "{{ auth_groups[item].gid }}" state: present with_items: "{{ local_regular_groups }}" - name: "Check if required private groups for user's home dir are present." group: - name: "{{ item }}" # Use same name as user's account name for user's private group. - gid: "{{ users[item].uid }}" # Use same GID as user's UID for user's private group. + name: "{{ item }}" # Use same name as user's account name for user's private group. + gid: "{{ auth_users[item].uid }}" # Use same GID as user's UID for user's private group. state: present with_items: "{{ local_regular_users }}" - name: 'Create local regular users and append them to relevant groups.' user: name: "{{ item }}" - uid: "{{ users[item].uid }}" - comment: "{{ users[item].comment }}" + uid: "{{ auth_users[item].uid }}" + comment: "{{ auth_users[item].comment }}" group: "{{ item }}" groups: "{{ item.groups }}" home: "/home/{{ item }}" @@ -28,7 +28,7 @@ - name: 'Deploy authorized keys for local regular users.' authorized_key: user: "{{ item }}" - key: "{{ users[item].pub_keys }}" + key: "{{ auth_users[item].pub_keys }}" state: present exclusive: yes with_items: "{{ local_users }}" From 604348fe7e96b3ca608da753b7019588f9a88ba9 Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Wed, 30 Jan 2019 10:44:57 +0100 Subject: [PATCH 21/76] Separating ldap tasks and other account amanagement tasks. This is needed for hyperchicken which has no ldap. --- roles/ldap/tasks/main.yml | 49 +--------------- .../files/login_checks.sh | 0 roles/user-interface/tasks/main.yml | 57 +++++++++++++++++++ 3 files changed, 58 insertions(+), 48 deletions(-) rename roles/{ldap => user-interface}/files/login_checks.sh (100%) diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index 4227e45b1..0d21e93ad 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml 
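Review bot: The renamed lookups are consistent, but the unchanged line directly below them, `groups: "{{ item.groups }}"`, cannot work as written: `item` is a plain user name from `with_items: "{{ local_regular_users }}"`, so `item.groups` is an attribute lookup on a string, which presumably renders as undefined — `auth_users[item].groups` or `local_regular_groups` looks like what was intended. Likewise the authorized-keys task iterates `local_users` while the account tasks iterate `local_regular_users`; unless both variables are defined and identical, keys are deployed for a different set of users than the accounts just created. Both are context lines this commit leaves untouched, so the rename alone does not make the play runnable.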
@@ -45,53 +45,6 @@ notify: - restart_nslcd -- name: Create /etc/pam-script.d/ dir. - file: - name: /etc/pam-script.d - state: directory - -- name: Install login_checks.sh script. - copy: - src: login_checks.sh - dest: /etc/pam-script.d/login_checks.sh - owner: root - group: root - mode: '0755' - -- name: Enable pam_script. - file: - src: pam_script - dest: "/etc/{{ item }}" - owner: root - group: root - state: link - with_items: - - pam_script_acct - - pam_script_auth - - pam_script_passwd - - pam_script_ses_close - - pam_script_ses_open - -- name: Enable login_checks.sh script for ses_open. - file: - src: login_checks.sh - dest: "/etc/pam-script.d/{{ item }}" - owner: root - group: root - state: link - with_items: - - login_checks.sh_ses_open - -- name: Deploy password-auth-ac for PAM. - copy: - src: password-auth-ac - dest: /etc/pam.d/password-auth-ac - owner: root - group: root - mode: '0600' - notify: - - restart_oddjobd - - name: Deploy sshd config. template: src: templates/sshd_config @@ -132,4 +85,4 @@ - restart_oddjobd - meta: flush_handlers -... \ No newline at end of file +... diff --git a/roles/ldap/files/login_checks.sh b/roles/user-interface/files/login_checks.sh similarity index 100% rename from roles/ldap/files/login_checks.sh rename to roles/user-interface/files/login_checks.sh diff --git a/roles/user-interface/tasks/main.yml b/roles/user-interface/tasks/main.yml index ed97d539c..53aa0a4aa 100644 --- a/roles/user-interface/tasks/main.yml +++ b/roles/user-interface/tasks/main.yml 
@@ -1 +1,58 @@ --- +- name: Install login_checks.sh script. + copy: + src: login_checks.sh + dest: /etc/pam-script.d/login_checks.sh + owner: root + group: root + mode: '0755' + +- name: Deploy password-auth-ac for PAM. + copy: + src: password-auth-ac + dest: /etc/pam.d/password-auth-ac + owner: root + group: root + mode: '0600' + notify: + - restart_oddjobd + +- name: Enable pam_script. + file: + src: pam_script + dest: "/etc/{{ item }}" + owner: root + group: root + state: link + with_items: + - pam_script_acct + - pam_script_auth + - pam_script_passwd + - pam_script_ses_close + - pam_script_ses_open + +- name: Create /etc/pam-script.d/ dir. + file: + name: /etc/pam-script.d + state: directory + +- name: Enable login_checks.sh script for ses_open. + file: + src: login_checks.sh + dest: "/etc/pam-script.d/{{ item }}" + owner: root + group: root + state: link + with_items: + - login_checks.sh_ses_open + +- name: Enable services. + systemd: + name: "{{ item }}" + enabled: yes + with_items: + - dbus.service + - oddjobd.service + notify: + - restart_nslcd + - restart_oddjobd From 7c3924613c0b78d99a4b9460d26e2d36d037f8f4 Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Tue, 19 Feb 2019 15:49:19 +0100 Subject: [PATCH 22/76] Moved the sshd template to the cluster role #28. --- roles/cluster/handlers/main.yml | 9 +++ roles/cluster/tasks/main.yml | 8 +++ roles/cluster/templates/sshd_config | 100 ++++++++++++++++++++++++++++ roles/ldap/tasks/main.yml | 4 ++ roles/ldap/templates/sshd_config | 96 +------------------------- 5 files changed, 122 insertions(+), 95 deletions(-) create mode 100644 roles/cluster/handlers/main.yml create mode 100644 roles/cluster/templates/sshd_config mode change 100644 => 120000 roles/ldap/templates/sshd_config diff --git a/roles/cluster/handlers/main.yml b/roles/cluster/handlers/main.yml new file mode 100644 index 000000000..6a3f8639e --- /dev/null +++ b/roles/cluster/handlers/main.yml 
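Review bot: Task order is wrong in the new file: `Install login_checks.sh script.` copies into `/etc/pam-script.d/` before `Create /etc/pam-script.d/ dir.` runs, and `copy` does not create a missing parent directory, so a fresh host fails on the first task. Move the directory task to the top of the file, which is the order the tasks had in the ldap role they were taken from. The `Enable services.` task still notifies `restart_nslcd`, a handler that belongs to the ldap role this commit is splitting away from, so on a host without LDAP that notification has no handler in this role.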
@@ -0,0 +1,9 @@ +--- + +- name: Restart sshd service. + service: + name: sshd + state: restarted + become: yes + listen: restart_sshd +... diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml index 4183d77a0..46aee2df3 100644 --- a/roles/cluster/tasks/main.yml +++ b/roles/cluster/tasks/main.yml @@ -43,4 +43,12 @@ - wget tags: - software + +- name: Deploy sshd config. + template: + src: templates/sshd_config + dest: /etc/ssh/sshd_config + validate: '/usr/sbin/sshd -T -f %s' + notify: restart_sshd + ... diff --git a/roles/cluster/templates/sshd_config b/roles/cluster/templates/sshd_config new file mode 100644 index 000000000..5541fee71 --- /dev/null +++ b/roles/cluster/templates/sshd_config 
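Review bot: `Deploy sshd config.` carries no `become`, while other tasks in this file escalate per task (`become: true`), so unless the calling play escalates, writing `/etc/ssh/sshd_config` and the `validate: '/usr/sbin/sshd -T -f %s'` step (which presumably needs to read the host keys named in the template) run as the connection user and fail; add `become: true` to the task. Running `sshd -T` on the temp file before `notify: restart_sshd` is the right guard, since a broken config would otherwise leave sshd unable to restart and the host unreachable.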
@@ -0,0 +1,100 @@
+Port 22
+UseDNS no
+
+#
+# Disable protocol version 1
+#
+Protocol 2
+
+#
+# Supported (Host)Key algorithms by order of preference.
+# Do not use (EC)DSA keys!
+#
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostKey /etc/ssh/ssh_host_rsa_key
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+
+#
+# Supported KEX (Key Exchange) algorithms.
+#
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+#
+# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
+# See also man moduli. Moduli are stored in file: /etc/ssh/moduli
+# The 5th column of this file contains the length of the moduli.
+# To remove short moduli:
+# if [[ ! -e /etc/ssh/moduli.original ]]; then
+# cp /etc/ssh/moduli > /etc/ssh/moduli.original
+# fi
+# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
+#
+
+#
+# Supported ciphers.
+#
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#RekeyLimit default none
+
+#
+# Supported MAC (message authentication code) algorithms.
+# Ciphers and MACs can be combined in multiple ways,
+# but only Encrypt-then-MAC (EtM) should be used.
+#
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+#
+# Logging
+#
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Required to have a clear audit trail of which key was used to log in.
+#
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+#
+# Authentication methods.
+#
+# * Never allow direct root login: We have admin users who can sudo.
+# (see users.yml in the league-of-robots repo) +# * Disable password based auth. +# * Enable key pair based auth. +# * Fetch public keys from LDAP +# * Disable local keys stored in ~/.ssh/ folders except for local admin accounts. +# +UsePAM yes +PermitRootLogin no +PasswordAuthentication no +PermitEmptyPasswords no +ChallengeResponseAuthentication no +GSSAPIAuthentication no +GSSAPICleanupCredentials no +PubkeyAuthentication yes +AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper +AuthorizedKeysCommandUser root + +{% if hostvars.ssh_use_ldap %} +AuthorizedKeysFile /dev/null +Match Group admin + AuthorizedKeysFile .ssh/authorized_keys +Match all +{% else %} +AuthorizedKeysFile .ssh/authorized_keys +{% endif %} + +# +# Connection settings. +# +X11Forwarding no +ClientAliveInterval 300 + +# +# Override default of no subsystems +# and log sftp level file access that would not be easily logged otherwise. +# +Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO + + diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml index 0d21e93ad..19c8eb361 100644 --- a/roles/ldap/tasks/main.yml +++ b/roles/ldap/tasks/main.yml @@ -45,6 +45,10 @@ notify: - restart_nslcd +- name: Signal that sshd should use ldap. + set_fact: + ssh_use_ldap: true + - name: Deploy sshd config. template: src: templates/sshd_config diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config deleted file mode 100644 index bb2273344..000000000 --- a/roles/ldap/templates/sshd_config +++ /dev/null 
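Review bot: `{% if hostvars.ssh_use_ldap %}` does not test the fact that the ldap role's new `set_fact: ssh_use_ldap: true` (the roles/ldap/tasks/main.yml hunk of this same commit) sets: `hostvars` is the inventory-host mapping, so this looks up a host named `ssh_use_ldap`, which is undefined on every host, and the LDAP branch can presumably never be selected (or the render fails outright). The condition should read `{% if ssh_use_ldap | default(false) %}`. `AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper` and `AuthorizedKeysCommandUser root` also sit outside the conditional, so the non-LDAP hosts this split is for still point sshd at a helper only the ldap role deploys; moving those two lines into the `if` branch keeps the non-LDAP configuration self-contained. A template comment noting that the fact only exists on hosts where the ldap role has already run in the same play — so the cluster role's own render of this file always takes the non-LDAP branch — would spare the next reader that surprise.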
@@ -1,95 +0,0 @@ -Port 22 -UseDNS no - -# -# Disable protocol version 1 -# -Protocol 2 - -# -# Supported (Host)Key algorithms by order of preference. -# Do not use (EC)DSA keys! -# -HostKey /etc/ssh/ssh_host_ed25519_key -HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub -HostKey /etc/ssh/ssh_host_rsa_key -HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub -HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com - -# -# Supported KEX (Key Exchange) algorithms. -# -KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 - -# -# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long -# See also man moduli. Moduli are stored in file: /etc/ssh/moduli -# The 5th column of this file contains the length of the moduli. -# To remove short moduli: -# if [[ ! -e /etc/ssh/moduli.original ]]; then -# cp /etc/ssh/moduli > /etc/ssh/moduli.original -# fi -# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli -# - -# -# Supported ciphers. -# -Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr -#RekeyLimit default none - -# -# Supported MAC (message authentication code) algorithms. -# Ciphers and MACs can be combined in multiple ways, -# but only Encrypt-then-MAC (EtM) should be used. -# -MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com - -# -# Logging -# -# LogLevel VERBOSE logs user's key fingerprint on login. -# Required to have a clear audit trail of which key was used to log in. -# -SyslogFacility AUTHPRIV -LogLevel VERBOSE - -# -# Authentication methods. -# -# * Never allow direct root login: We have admin users who can sudo. 
-# (see users.yml in the league-of-robots repo) -# * Disable password based auth. -# * Enable key pair based auth. -# * Fetch public keys from LDAP -# * Disable local keys stored in ~/.ssh/ folders except for local admin accounts. -# -UsePAM yes -PermitRootLogin no -PasswordAuthentication no -PermitEmptyPasswords no -ChallengeResponseAuthentication no -GSSAPIAuthentication no -GSSAPICleanupCredentials no -PubkeyAuthentication yes -AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper -AuthorizedKeysCommandUser root -AuthorizedKeysFile /dev/null -Match Group admin - AuthorizedKeysFile .ssh/authorized_keys -Match all - -# -# Connection settings. -# -X11Forwarding no -ClientAliveInterval 300 - -# -# Override default of no subsystems -# and log sftp level file access that would not be easily logged otherwise. -# -Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO - - diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config new file mode 120000 index 000000000..634936566 --- /dev/null +++ b/roles/ldap/templates/sshd_config @@ -0,0 +1 @@ +../../cluster/templates/sshd_config \ No newline at end of file From dbb8a2de674ffca5f4338dd1ee63bf20a35318ba Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Thu, 21 Feb 2019 11:33:54 +0100 Subject: [PATCH 23/76] Work in progress... --- roles/ldap/handlers/main.yml | 2 +- roles/user-interface/tasks/main.yml | 10 +++++++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/roles/ldap/handlers/main.yml b/roles/ldap/handlers/main.yml index 437d3e901..58ae339dd 100644 --- a/roles/ldap/handlers/main.yml +++ b/roles/ldap/handlers/main.yml @@ -32,4 +32,4 @@ state: restarted become: yes listen: restart_sshd -... \ No newline at end of file +... diff --git a/roles/user-interface/tasks/main.yml b/roles/user-interface/tasks/main.yml index 53aa0a4aa..3d731720b 100644 --- a/roles/user-interface/tasks/main.yml +++ b/roles/user-interface/tasks/main.yml 
@@ -1,4 +1,12 @@ --- +- name: Install yum dependencies + yum: + state: latest + update_cache: yes + name: + - pam_script + - oddjob-mkhomedir + - name: Install login_checks.sh script. copy: src: login_checks.sh @@ -15,7 +23,7 @@ group: root mode: '0600' notify: - - restart_oddjobd + # Todo add authconfig --enablemkhomedir --update - name: Enable pam_script. file: From f01258a97ff8dbd3162ef6f231746f02e0442eca Mon Sep 17 00:00:00 2001 From: Egon Rijpkema Date: Thu, 21 Feb 2019 15:29:24 +0100 Subject: [PATCH 24/76] Added handlers --- roles/ldap/handlers/main.yml | 1 + roles/user-interface/handlers/main.yml | 16 ++++++++++++++++ roles/user-interface/tasks/main.yml | 4 ++-- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 roles/user-interface/handlers/main.yml diff --git a/roles/ldap/handlers/main.yml b/roles/ldap/handlers/main.yml index 58ae339dd..eed14beb9 100644 --- a/roles/ldap/handlers/main.yml +++ b/roles/ldap/handlers/main.yml @@ -16,6 +16,7 @@ shell: "authconfig --enablemkhomedir --update" become: yes listen: restart_oddjobd + - name: Restart dbusd and oddjobd services. service: name: "{{item}}" diff --git a/roles/user-interface/handlers/main.yml b/roles/user-interface/handlers/main.yml new file mode 100644 index 000000000..8f374c44d --- /dev/null +++ b/roles/user-interface/handlers/main.yml @@ -0,0 +1,16 @@ +--- +# OddJob has a dependency on DBus. +- name: Run authconfig update. + shell: "authconfig --enablemkhomedir --update" + become: yes + listen: authconfig_update + +- name: Restart dbusd and oddjobd services. + service: + name: "{{item}}" + state: restarted + with_items: + - dbus + - oddjobd + become: yes + listen: restart_oddjobd diff --git a/roles/user-interface/tasks/main.yml b/roles/user-interface/tasks/main.yml index 3d731720b..a9911dd24 100644 --- a/roles/user-interface/tasks/main.yml +++ b/roles/user-interface/tasks/main.yml 
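Review bot: `state: latest` together with `update_cache: yes` in the new `Install yum dependencies` task upgrades `pam_script` and `oddjob-mkhomedir` on every run, which makes the role non-idempotent and can pull unplanned package updates onto login nodes; `state: present` installs them and leaves upgrades to a deliberate patch cycle. If the newest build is genuinely required for PAM to work, say so in a comment above the task. The task name also lacks the trailing period the other task names in this file use.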
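Review bot: `shell: "authconfig --enablemkhomedir --update"` in the new `Run authconfig update.` handler uses no shell features, so `command:` is the more conventional and safer module here (no shell parsing involved, and ansible-lint flags `shell` for such commands). A one-line comment on why the handler exists, e.g. `# Re-run authconfig so PAM picks up mkhomedir after password-auth-ac changes.`, would also help, since `listen: authconfig_update` alone does not explain its link to the PAM copy task that notifies it.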
@@ -23,7 +23,7 @@
 group: root
 mode: '0600'
 notify:
- # Todo add authconfig --enablemkhomedir --update
+ - authconfig_update
 
 - name: Enable pam_script.
 file:
@@ -62,5 +62,5 @@
 - dbus.service
 - oddjobd.service
 notify:
- - restart_nslcd
+ - authconfig_update
 - restart_oddjobd
From f155190e2d12312f7a6d101d545882bf427cd12e Mon Sep 17 00:00:00 2001
From: gerbenvandervries
Date: Fri, 22 Feb 2019 11:35:44 +0100
Subject: [PATCH 25/76] fix for slurm controleMachine name, added .bashrc and .screenrc for new user. missing ackages
---
roles/cluster/tasks/main.yml | 13 +++++++++++++
roles/cluster/templates/.bashrc | 20 ++++++++++++++++++++
roles/cluster/templates/.screenrc | 6 ++++++
roles/slurm/files/slurm.conf | 4 ++--
single_roles/dai.yml | 2 ++
5 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 roles/cluster/templates/.bashrc
create mode 100644 roles/cluster/templates/.screenrc
diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml
index 4183d77a0..5dc939d3b 100644
--- a/roles/cluster/tasks/main.yml
+++ b/roles/cluster/tasks/main.yml
@@ -10,6 +10,19 @@
 become: true
 tags: ['etc_hosts']
 
+- name: Set /etc/skel/.bashrc .screenrc
+ template:
+ src: templates/{{ item }}
+ dest: /etc/skel/
+ mode: 0644
+ owner: root
+ group: root
+ backup: yes
+ become: true
+ with_items:
+ - '.bashrc'
+ - '.screenrc'
+
 - name: Set hostname to inventory_hostname
 hostname:
 name: '{{ inventory_hostname }}'
diff --git a/roles/cluster/templates/.bashrc b/roles/cluster/templates/.bashrc
new file mode 100644
index 000000000..3d4d77dc5
--- /dev/null
+++ b/roles/cluster/templates/.bashrc
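Review bot: The `authconfig_update` handler now notified from the task that installs a root-owned `0600` file runs `authconfig --enablemkhomedir --update`, which regenerates /etc/pam.d/system-auth and password-auth from authconfig's own templates; the task's `name:`/`copy:` lines are outside this hunk, so I cannot see which file it deploys. If that file lives under /etc/pam.d, the handler can overwrite it or drop the pam_script entry again on every run; if it is a pam_script configuration elsewhere this is harmless. Please confirm which case applies and record it next to the `notify:`, e.g. `# authconfig --update rewrites system-auth/password-auth; the file above must not be one of them`.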
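Review bot: `backup: yes` on the `Set /etc/skel/.bashrc .screenrc` task leaves timestamped `.bashrc.<pid>.<date>~` copies inside /etc/skel whenever the template changes, and everything in /etc/skel is copied into each newly created home directory (this series enables mkhomedir), so stale backups and their old contents end up in every new user's home. Drop `backup: yes` here, or follow the task with a cleanup of `/etc/skel/*~`. `mode: 0644` is an unquoted YAML octal that some parsers read as the integer 420; the rest of this repo quotes modes (`mode: '0600'` in the user-interface role), so `mode: '0644'` keeps it consistent and unambiguous.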
@@ -0,0 +1,20 @@
+# .bashrc
+
+#
+# Source global definitions. (DO NOT EDIT!)
+#
+if [ -f /etc/bashrc ]; then
+ . /etc/bashrc
+fi
+
+#
+# Shared HPC environment. (DO NOT EDIT!)
+#
+if [ -f /apps/modules/modules.bashrc ]; then
+ . /apps/modules/modules.bashrc
+fi
+
+#
+# User specific personal settings, aliases and functions below this comment.
+# Do *not* edit the global settings above!
+#
diff --git a/roles/cluster/templates/.screenrc b/roles/cluster/templates/.screenrc
new file mode 100644
index 000000000..17664a06a
--- /dev/null
+++ b/roles/cluster/templates/.screenrc
@@ -0,0 +1,6 @@
+#
+# Enable scrolling using mouse or shift-PgUp and shift-PgDn.
+#
+termcapinfo xterm*|vt* ti@:te@
+
+altscreen on
\ No newline at end of file
diff --git a/roles/slurm/files/slurm.conf b/roles/slurm/files/slurm.conf
index 58758faf5..8343ac2d2 100644
--- a/roles/slurm/files/slurm.conf
+++ b/roles/slurm/files/slurm.conf
@@ -1,6 +1,6 @@
 ClusterName={{ slurm_cluster_name }}
-ControlMachine={{ hostvars[groups['slurm'][0]]['ansible_hostname'] }}
-ControlAddr={{ hostvars[groups['slurm'][0]]['ansible_hostname'] }}
+ControlMachine={{ groups['slurm'][0] }}
+ControlAddr={{ groups['slurm'][0] }}
 #BackupController=
 #BackupAddr=
 #
diff --git a/single_roles/dai.yml b/single_roles/dai.yml
index 7e11107a0..36df42f2f 100644
--- a/single_roles/dai.yml
+++ b/single_roles/dai.yml
@@ -53,6 +53,8 @@
 #
 - rdma-core-devel
 - libxml2-devel
+ - libXext-devel
+ - libX11-devel
 
 - name: Set lustre client source url.
 set_fact:
From a1282fdc5a12a78c76f9e28c4f21800d63475867 Mon Sep 17 00:00:00 2001
From: pneerincx
Date: Fri, 22 Feb 2019 16:11:26 +0100
Subject: [PATCH 26/76] Improved dynamic inventory.py script: 1. allow the use od groups of groups, 2. allow ranges of hostnames that will get expanded automagically and 3. do not prepend jumphost to jumphost itself.
---
inventory.py | 113 ++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 94 insertions(+), 19 deletions(-)
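Review bot: The new /etc/skel/.bashrc sources `/apps/modules/modules.bashrc` in every login shell, including those of admin accounts, so anyone who can write that file or the `/apps` mount it lives on runs code as every user who logs in. That is acceptable only if /apps is root-owned and not user-writable, which nothing in this patch establishes; a comment stating the assumption, `# /apps must be root-owned and read-only for users: this file runs in every login shell`, plus an ownership/permission check in whichever role provides /apps, would close the gap. The `(DO NOT EDIT!)` markers are advice only, since the copy in a user's home is user-writable.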
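Review bot: `ControlMachine={{ groups['slurm'][0] }}` must match the short hostname the controller reports (`hostname -s`), which holds here only because the cluster role's `Set hostname to inventory_hostname` task renames hosts to their inventory names; that dependency deserves a comment, e.g. `# Inventory name == hostname, see roles/cluster (Set hostname to inventory_hostname)`. The dynamic inventory in the next patch prefixes hostnames with a jumphost and a `+` when AI_PROXY is set, and if group members carry that prefix this line would render as `lobby+hc-slurm`; please confirm the inventory strips it for group membership, or render the name through a filter that removes everything up to the last `+`. `ControlAddr` uses the same value and so relies on the bare name resolving via /etc/hosts or DNS.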
diff --git a/inventory.py b/inventory.py index b258678e5..26fd544d0 100755 --- a/inventory.py +++ b/inventory.py @@ -8,9 +8,10 @@ Generates Ansible inventory with hostnames from a static inventory file located in the same dir as this script. By default this script looks for an inventory named inventory.ini - (default) or alternatively from a file defined in - export AI_INVENTORY='some_inventory.ini' -Optionally the hostnames can be prefixed with one of our proxy/jumphost servers. +or alternatively for an inventory file name as defined in + export AI_INVENTORY='some_inventory.ini + +The hostnames parsed from the static inventory file can be prefixed with the hostname of one of our proxy/jumphost servers. Note we only use hostnames and not FQDN nor IP addresses as those are managed together with usernames and other connection settings in our ~/.ssh/config files like this: @@ -30,7 +31,6 @@ ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p ######################################################################################################## - When the environment variable AI_PROXY is set like this: export AI_PROXY='lobby' then the hostname 'calculon' from inventory.ini will be prefixed with 'lobby' and a '+' @@ -41,14 +41,42 @@ ''' import os import argparse -import ConfigParser import re import sys +from test.test_sax import start try: import json except ImportError: import simplejson as json - +try: + # For Python >= 3.x + import configparser +except: + # For Python 2.x + import ConfigParser as configparser + +""" +Modified ConfigParser that allows ':' in keys and only uses '=' as separator. +We need the : to be able to specify groups of Ansible hosts like this: compute_nodes[01:16] +""" +class MyConfigParser(configparser.SafeConfigParser): + OPTCRE = re.compile( + r'(?P
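Review bot: The added docstring line `export AI_INVENTORY='some_inventory.ini` is missing its closing quote; it should read `export AI_INVENTORY='some_inventory.ini'` so a reader copying the example gets a valid shell command. The new sentence about prefixing with a proxy/jumphost hostname is fine, but the example further down still introduces `AI_PROXY` only in passing, so naming both environment variables together in this paragraph would make the docstring self-contained. The third hunk of this file runs past the end of this excerpt and is not reviewed here.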