Merge branch 'main' into feat/templatetf

Author: sjpb

.github/workflows/fatimage.yml

@@ -47,7 +47,9 @@ jobs:
           . environments/.stackhpc/activate
           cd packer/
           packer init .
-          PACKER_LOG=1 packer build -only openstack.openhpc -on-error=ask -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+          PACKER_LOG=1 packer build -only openstack.openhpc -on-error=${{ vars.PACKER_ON_ERROR }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+        env:
+          TESTUSER_PASSWORD: ${{ secrets.TEST_USER_PASSWORD }}
 
       - name: Get created image name from manifest
         id: manifest

ansible.cfg

@@ -0,0 +1,19 @@
+# Only used for Azimuth running the caas environment
+[defaults]
+any_errors_fatal = True
+gathering = smart
+forks = 30
+host_key_checking = False
+remote_tmp = /tmp
+collections_path = ansible/collections
+roles_path = ansible/roles
+filter_plugins = ansible/filter_plugins
+callbacks_enabled = ansible.posix.profile_tasks
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=240s -o PreferredAuthentications=publickey -o UserKnownHostsFile=/dev/null
+pipelining = True
+# This is important because we are using one of the hosts in the play as a jump host
+# This ensures that if the proxy connection is interrupted, rendering the other hosts
+# unreachable, the connection is retried instead of failing the entire play
+retries = 10

ansible/.gitignore

@@ -28,8 +28,6 @@ roles/*
 !roles/firewalld/**
 !roles/etc_hosts/
 !roles/etc_hosts/**
-!roles/cloud_init/
-!roles/cloud_init/**
 !roles/mysql/
 !roles/mysql/**
 !roles/systemd/
@@ -42,5 +40,18 @@ roles/*
 !roles/proxy/**
 !roles/resolv_conf/
 !roles/resolv_conf/**
-!roles/terraform/
-!roles/terraform/**
+!roles/cve-2023-41914
+!roles/cve-2023-41914/**
+!roles/cluster_infra/
+!roles/cluster_infra/**
+!roles/image_build_infra/
+!roles/image_build_infra/**
+!roles/persist_openhpc_secrets/
+!roles/persist_openhpc_secrets/**
+!roles/zenith_proxy/
+!roles/zenith_proxy/**
+!roles/image_build/
+!roles/image_build/**
+!roles/persist_hostkeys/
+!roles/persist_hostkeys/**
+!roles/requirements.yml

ansible/adhoc/backup-keytabs.yml

@@ -0,0 +1,11 @@
+# Use ONE of the following tags on this playbook:
+#   - retrieve: copies keytabs out of the state volume to the environment
+#   - deploy: copies keytabs from the environment to the state volume
+
+- hosts: freeipa_client
+  become: yes
+  gather_facts: no
+  tasks:
+    - import_role:
+        name: freeipa
+        tasks_from: backup-keytabs.yml

ansible/adhoc/cve-2023-41914.yml

@@ -0,0 +1,6 @@
+- hosts: openhpc
+  gather_facts: no
+  become: yes
+  tasks:
+    - import_role:
+        name: cve-2023-41914

ansible/adhoc/template-cloud-init.yml

@@ -82,6 +82,21 @@
         policy: "{{ selinux_policy }}"
       register: sestatus
 
+- hosts: freeipa_server
+  # Done here as it might be providing DNS
+  tags:
+    - freeipa
+    - freeipa_server
+  gather_facts: yes
+  become: yes
+  tasks:
+    - name: Install FreeIPA server
+      import_role:
+        name: freeipa
+        tasks_from: server.yml
+
+# --- tasks after here require access to package repos ---
+
 - hosts: firewalld
   gather_facts: false
   become: yes
@@ -99,6 +114,7 @@
         name: fail2ban
 
 - name: Setup podman
+  gather_facts: false
   hosts: podman
   tags: podman
   tasks:
@@ -112,16 +128,6 @@
         tasks_from: config.yml
       tags: config
 
-- name: Setup EESSI
-  hosts: eessi
-  tags: eessi
-  become: true
-  gather_facts: false
-  tasks:
-    - name: Install and configure EESSI
-      import_role:
-        name: eessi
-
 - hosts: update
   gather_facts: false
   become: yes

ansible/bootstrap.yml

@@ -7,7 +7,8 @@
   gather_facts: no
   vars:
     cluster_prefix: "{{ undef(hint='cluster_prefix must be defined') }}" # e.g. ci4005969475
-    cluster_network: WCDC-iLab-60
+    ci_vars_file: "{{ appliances_environment_root + '/terraform/' + lookup('env', 'CI_CLOUD') }}.tfvars"
+    cluster_network: "{{ lookup('ansible.builtin.ini', 'cluster_net', file=ci_vars_file, type='properties') | trim('\"') }}"
   tasks:
     - name: Get control host IP
       set_fact:

ansible/ci/retrieve_inventory.yml

@@ -1,4 +1,25 @@
-- hosts: cuda
+- hosts: basic_users:!builder
+  become: yes
+  tags:
+    - basic_users
+    - users
+  gather_facts: yes
+  tasks:
+    - import_role:
+        name: basic_users
+
+- name: Setup EESSI
+  hosts: eessi
+  tags: eessi
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Install and configure EESSI
+      import_role:
+        name: eessi
+
+- name: Setup CUDA
+  hosts: cuda
   become: yes
   gather_facts: no
   tags: cuda

ansible/extras.yml

@@ -1,5 +1,12 @@
 # Builder version of site.yml just installing binaries
 
+- hosts: builder
+  become: no
+  gather_facts: no
+  tasks:
+    - name: Report hostname (= final image name)
+      command: hostname
+
 - name: Run pre.yml hook
   vars:
     appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}"
@@ -27,6 +34,13 @@
         state: stopped
         enabled: false
 
+    # - import_playbook: iam.yml
+    - name: Install FreeIPA client
+      import_role:
+        name: freeipa
+        tasks_from: client-install.yml
+      when: "'freeipa_client' in group_names"
+
     # - import_playbook: filesystems.yml
     - name: nfs
       dnf:
@@ -142,8 +156,6 @@
         name: cloudalchemy.grafana
         tasks_from: install.yml
 
-    # - import_playbook: iam.yml - nothing to do
-
 - name: Run post.yml hook
   vars:
     appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}"