diff --git a/roles/enable_lmod/tasks/main.yml b/roles/enable_lmod/tasks/main.yml
deleted file mode 100644
index 4676f706030c27b4b86e35a342e26fb3ae9ad74b..0000000000000000000000000000000000000000
--- a/roles/enable_lmod/tasks/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- include_vars: "{{ ansible_os_family }}.yml"
-
-- name: install lua
-  yum: name={{ item }} state=installed
-  with_items:
-    - lua
-    - lua-filesystem
-    - lua-posix
-  sudo: true
-  when: ansible_os_family == 'RedHat'
-
-- name: install lua
-  apt: name={{ item }} state=installed
-  with_items:
-    - lua5.2
-    - lua5.2
-    - lua-filesystem
-    - lua-bitop
-    - lua-posix
-    - liblua5.2-0
-    - liblua5.2-dev
-    - tcl
-  sudo: true
-  when: ansible_os_family == 'Debian'
-
-- name: link bash
-  file: src={{ soft_dir }}/lmod/lmod/init/bash dest=/etc/profile.d/lmod.sh state=link
-  sudo: true
-
-- name: link csh
-  file: src={{ soft_dir }}/lmod/lmod/init/cshrc dest=/etc/profile.d/lmod.csh state=link
-  sudo: true
diff --git a/roles/enable_lmod/vars/Debian.yml b/roles/enable_lmod/vars/Debian.yml
deleted file mode 100644
index f1a8d1448746c5492a52b1e29983120d6faf9831..0000000000000000000000000000000000000000
--- a/roles/enable_lmod/vars/Debian.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-lua_include: /usr/include/lua5.2
diff --git a/roles/enable_lmod/vars/RedHat.yml b/roles/enable_lmod/vars/RedHat.yml
deleted file mode 100644
index 533e08b0df15750498e38a23db460db834944a9b..0000000000000000000000000000000000000000
--- a/roles/enable_lmod/vars/RedHat.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-lua_include: /usr/local
diff --git a/roles/enable_lmod/vars/main.yml b/roles/enable_lmod/vars/main.yml
deleted file mode 100644
index b6b95b3ccc9b22614562a7e1024d76d10802f4a4..0000000000000000000000000000000000000000
--- a/roles/enable_lmod/vars/main.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-source_dir: /tmp
-soft_dir: /opt/lmod/
-lmod_version: 5.8.6
diff --git a/roles/enable_modules/tasks/main.yml b/roles/enable_modules/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f6e4b9c1b66d2f60a6bd07a037c86719f716d5e1
--- /dev/null
+++ b/roles/enable_modules/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: template lmod bash
+  template: src=lmod.sh.j2 dest=/etc/profile.d/lmod.sh 
+  become: true
+  become_user: root
+  when: default_modules == "lmod"
+
+- name: template lmod csh
+  template: src=lmod.csh.j2 dest=/etc/profile.d/lmod.csh
+  become: true
+  become_user: root
+  when: default_modules == "lmod"
+
+- name: remove modulecmd bash
+  file: path=/etc/profile.d/modulecmd.sh state=absent
+  become: true
+  become_user: root
+  when: default_modules == "lmod"
+
+- name: remove modulcmd csh
+  file: path=/etc/profile.d/modulecmd.csh state=absent
+  become: true
+  become_user: root
+  when: default_modules == "lmod"
+
+- name: template modulecmd bash
+  template: src=modulecmd.sh.j2 dest=/etc/profile.d/modulecmd.sh
+  become: true
+  become_user: root
+  when: default_modules == "modulecmd"
+
+- name: template modulecmd csh
+  template: src=modulecmd.csh.j2 dest=/etc/profile.d/modulecmd.csh
+  become: true
+  become_user: root
+  when: default_modules == "modulecmd"
+
+- name: remove lmod bash
+  file: path=/etc/profile.d/lmod.sh state=absent
+  become: true
+  become_user: root
+  when: default_modules == "modulecmd"
+
+- name: remove modulcmd csh
+  file: path=/etc/profile.d/lmod.csh state=absent
+  become: true
+  become_user: root
+  when: default_modules == "modulecmd"
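Review bot: The four `template` tasks write into /etc/profile.d, which every login shell sources, without stating `owner`, `group` or `mode`, so the resulting permissions depend on the umask in effect; I would add `owner=root group=root mode=0644` to each. The last task is named `remove modulcmd csh` but removes `/etc/profile.d/lmod.csh`, and the same misspelled name is already used by the fourth task, so run output cannot tell the two apart. `remove modulecmd csh` for the fourth task and `remove lmod csh` for the last would match what each one does.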
diff --git a/roles/enable_modules/templates/lmod.csh.j2 b/roles/enable_modules/templates/lmod.csh.j2
new file mode 100755
index 0000000000000000000000000000000000000000..c4fa65640197c3125218bfeec8ff92a1eafe8dd3
--- /dev/null
+++ b/roles/enable_modules/templates/lmod.csh.j2
@@ -0,0 +1,50 @@
+#!/bin/csh
+# -*- shell-script -*-
+########################################################################
+#  This is the system wide source file for setting up
+#  modules:
+#
+########################################################################
+
+set MY_NAME="{{ lmoddir }}/lmod/lmod/init/cshrc"
+
+
+
+if ( ! $?MODULEPATH_ROOT ) then
+    if ( $?USER) then
+        setenv USER $LOGNAME
+    endif
+
+    set UNAME = `uname`
+    setenv LMOD_sys    $UNAME
+
+    setenv LMOD_arch   `uname -m`
+    if ( "x$UNAME" == xAIX ) then
+        setenv LMOD_arch   rs6k
+    endif
+
+    setenv TARG_TITLE_BAR_PAREN " "
+    setenv LMOD_FULL_SETTARG_SUPPORT no
+    setenv LMOD_SETTARG_CMD     :
+    setenv LMOD_COLORIZE        yes
+    setenv LMOD_PREPEND_BLOCK   normal
+    setenv MODULEPATH_ROOT      "{{ lmoddir }}/modulefiles"
+    setenv MODULEPATH           `{{ lmoddir }}/lmod/lmod/libexec/addto --append MODULEPATH $MODULEPATH_ROOT/$LMOD_sys $MODULEPATH_ROOT/Core`
+    setenv MODULEPATH           `{{ lmoddir }}/lmod/lmod/libexec/addto --append MODULEPATH {{ lmoddir }}/lmod/lmod/modulefiles/Core`
+    setenv MODULEPATH           "/usr/local/Modules/modulefiles"
+    setenv MODULESHOME          "{{ lmoddir }}/lmod/lmod"
+    setenv BASH_ENV             "$MODULESHOME/init/bash"
+
+    #
+    # If MANPATH is empty, Lmod is adding a trailing ":" so that
+    # the system MANPATH will be found
+    if ( ! $?MANPATH ) then
+      setenv MANPATH :
+    endif
+    setenv MANPATH `{{ lmoddir }}/lmod/lmod/libexec/addto MANPATH {{ lmoddir }}/lmod/lmod/share/man`
+
+endif
+
+if ( -f  {{ lmoddir }}/lmod/lmod/init/csh  ) then
+  source {{ lmoddir }}/lmod/lmod/init/csh
+endif
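Review bot: `setenv MODULEPATH "/usr/local/Modules/modulefiles"` discards the value that the two `addto --append MODULEPATH` lines directly above it have just built, so `$MODULEPATH_ROOT/$LMOD_sys`, `$MODULEPATH_ROOT/Core` and the Lmod `modulefiles/Core` directory never reach the search path. If the site directory is meant to be added, append it through `addto` the same way; if it is meant to be the only entry, drop the two lines above it. The test `if ( $?USER) then` also looks inverted, since it sets USER from LOGNAME only when USER already exists; `if ( ! $?USER ) then` is presumably what was intended.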
diff --git a/roles/enable_modules/templates/lmod.sh.j2 b/roles/enable_modules/templates/lmod.sh.j2
new file mode 100755
index 0000000000000000000000000000000000000000..fbfd5d22d90d91795acb582d18629b6f9b883448
--- /dev/null
+++ b/roles/enable_modules/templates/lmod.sh.j2
@@ -0,0 +1,131 @@
+#!/bin/bash
+# -*- shell-script -*-
+
+
+LMOD_PKG={{ lmoddir}}/lmod/lmod
+LMOD_DIR={{ lmoddir }}/lmod/lmod/libexec
+LMOD_CMD={{ lmoddir }}/lmod/lmod/libexec/lmod
+MODULESHOME={{ lmoddir }}/lmod/lmod
+MODULEPATH=/usr/local/Modules/modulefiles
+export LMOD_PKG
+export LMOD_CMD
+export LMOD_DIR
+export MODULESHOME
+
+########################################################################
+#  Define the module command:  The first line runs the "lmod" command
+#  to generate text:
+#      export PATH="..."
+#  then the "eval" converts the text into changes in the current shell.
+#
+#  The second command is the settarg command.  Normally LMOD_SETTARG_CMD
+#  is undefined or is ":".  Either way the eval does nothing.  When the
+#  settarg module is loaded, it defines LMOD_SETTARG_CMD.  The settarg
+#  command knows how to read the ModuleTable that Lmod maintains and
+#  generates a series of env. vars that describe the current state of
+#  loaded modules.  So if one is on a x86_64 linux computer with gcc/4.7.2
+#  and openmpi/1.6.3 loaded, then settarg will assign:
+#
+#     TARG=_x86_64_gcc-4.7.2_openmpi-1.6.3
+#     TARG_COMPILER=gcc-4.7.2
+#     TARG_COMPILER_FAMILY=gcc
+#     TARG_MACH=x86_64
+#     TARG_MPI=openmpi-1.6.3
+#     TARG_MPI_FAMILY=openmpi
+#     TARG_SUMMARY=x86_64_gcc-4.7.2_openmpi-1.6.3
+#     TARG_TITLE_BAR=gcc-4.7.2 O-1.6.3
+#     TARG_TITLE_BAR_PAREN=(gcc-4.7.2 O-1.6.3)
+#
+#  unloading openmpi/1.6.3 automatically changes these vars to be:
+#
+#     TARG=_x86_64_gcc-4.6.3
+#     TARG_COMPILER=gcc-4.6.3
+#     TARG_COMPILER_FAMILY=gcc
+#     TARG_MACH=x86_64
+#     TARG_SUMMARY=x86_64_gcc-4.6.3
+#     TARG_TITLE_BAR=gcc-4.6.3
+#     TARG_TITLE_BAR_PAREN=(gcc-4.6.3)
+#
+# See Lmod web site for more details.
+
+module()
+{
+  eval $($LMOD_CMD bash "$@") 
+  [ $? = 0 ] && eval $(${LMOD_SETTARG_CMD:-:} -s sh)
+}
+
+
+if [ "${LMOD_SETTARG_CMD:-:}" != ":" ]; then
+  settarg () {
+    eval $(${LMOD_SETTARG_CMD:-:} -s sh "$@" )
+  }
+fi
+
+
+########################################################################
+#  ml is a shorthand tool for people who can't type moduel, err, module
+#  It is also a combination command:
+#     ml            -> module list
+#     ml gcc        -> module load gcc
+#     ml -gcc intel -> module unload gcc; module load intel
+#  It does much more do: "ml --help" for more information.
+
+
+unalias ml > /dev/null 2>&1
+ml()
+{
+  eval $($LMOD_DIR/ml_cmd "$@")
+}
+
+export_module=$(echo "YES" | tr '[:upper:]' '[:lower:]')
+if [ -n "$BASH_VERSION" -a "$export_module" != no ]; then
+  export -f module
+  export -f ml
+fi
+unset export_module
+
+########################################################################
+#  clearMT removes the ModuleTable from your environment.  It is rarely
+#  needed but it useful sometimes.
+
+clearMT()
+{
+  eval $($LMOD_DIR/clearMT_cmd bash)
+}
+
+########################################################################
+#  The following make the action of the settarg available to the titlebar
+#  for both xterm's and screen but only for interactive shells.
+if [ "$PS1" ]; then
+  if [ -n "$LMOD_FULL_SETTARG_SUPPORT" -a "$LMOD_FULL_SETTARG_SUPPORT" != no ]; then
+    xSetTitleLmod()
+    {
+      builtin echo -n -e "\033]2;$1\007";
+    }
+    SET_TITLE_BAR=:
+
+    case $TERM in
+      xterm*)
+        SET_TITLE_BAR=xSetTitleLmod
+        ;;
+    esac
+
+    SHOST=${SHOST-${HOSTNAME%%.*}}
+    precmd()
+    {
+      eval $(${LMOD_SETTARG_CMD:-:} -s bash)
+      ${SET_TITLE_BAR:-:} "${TARG_TITLE_BAR_PAREN}${USER}@${SHOST}:${PWD/#$HOME/~}"
+      ${USER_PROMPT_CMD:-:}
+    }
+
+    # define the PROMPT_COMMAND to be precmd iff it isn't defined already.
+    : ${PROMPT_COMMAND:=precmd}
+  fi
+fi
+
+########################################################################
+#  Make tab completions available to bash users.
+
+if [ ${BASH_VERSINFO:-0} -ge 3 ] && [ -r  {{ lmoddir }}/lmod/lmod/init/lmod_bash_completions ] && [ -n "$PS1" ]; then
+ . {{ lmoddir }}/lmod/lmod/init/lmod_bash_completions
+fi
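Review bot: `MODULEPATH=/usr/local/Modules/modulefiles` near the top is assigned but is missing from the `export` lines that follow, so in a shell that did not inherit MODULEPATH the `lmod` command started by `module()` will not see it; add `export MODULEPATH`. The assignment is also unconditional, unlike the csh template which guards its setup with `MODULEPATH_ROOT`, so a path a user added with `module use` is lost in every nested login shell. The `{{ lmoddir }}` expansions are unquoted; writing them as `LMOD_PKG="{{ lmoddir }}/lmod/lmod"` keeps a path containing spaces from splitting the assignment.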
diff --git a/roles/enable_modules/templates/modulecmd.csh.j2 b/roles/enable_modules/templates/modulecmd.csh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..3bc4c38935e9b59e738c24a5cb3f3197a40b5131
--- /dev/null
+++ b/roles/enable_modules/templates/modulecmd.csh.j2
@@ -0,0 +1,45 @@
+if ($?tcsh) then
+	set modules_shell="tcsh"
+else
+	set modules_shell="csh"
+endif
+set exec_prefix='/usr/bin'
+
+set prefix=""
+set postfix=""
+
+if ( $?histchars ) then
+  set histchar = `echo $histchars | cut -c1`
+  set _histchars = $histchars
+
+  set prefix  = 'unset histchars;'
+  set postfix = 'set histchars = $_histchars;'
+else
+  set histchar = \!
+endif
+
+if ($?prompt) then
+  set prefix  = "$prefix"'set _prompt="$prompt";set prompt="";'
+  set postfix = "$postfix"'set prompt="$_prompt";unset _prompt;'
+endif
+
+if ($?noglob) then
+  set prefix  = "$prefix""set noglob;"
+  set postfix = "$postfix""unset noglob;"
+endif
+set postfix = "set _exit="'$status'"; $postfix; /usr/bin/test 0 = "'$_exit;'
+
+alias module $prefix'eval `'$exec_prefix'/modulecmd '$modules_shell' '$histchar'*`; '$postfix
+unset exec_prefix
+unset prefix
+unset postfix
+
+setenv MODULESHOME /usr/share/Modules
+
+if (! $?MODULEPATH ) then
+  setenv MODULEPATH `sed -n 's/[ 	#].*$//; /./H; $ { x; s/^\n//; s/\n/:/g; p; }' ${MODULESHOME}/init/.modulespath`:/usr/local/Modules/modulefiles
+endif
+
+if (! $?LOADEDMODULES ) then
+  setenv LOADEDMODULES ""
+endif
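Review bot: This template contains no template variable: `/usr/bin`, `/usr/share/Modules` and `/usr/local/Modules/modulefiles` are fixed, while the role's vars file defines `modulecmddir: /usr/share`, which nothing shown in this commit uses. Either reference it (`setenv MODULESHOME {{ modulecmddir }}/Modules`) or drop the variable. The bash counterpart calls `modulelog` after each module command and this alias does not, so if that logging is meant as an audit trail it covers bash users only. A short header comment naming the Environment Modules init file this was derived from would help later maintenance.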
diff --git a/roles/enable_modules/templates/modulecmd.sh.j2 b/roles/enable_modules/templates/modulecmd.sh.j2
new file mode 100644
index 0000000000000000000000000000000000000000..30adea3527df89867728e18ee83b628866175d83
--- /dev/null
+++ b/roles/enable_modules/templates/modulecmd.sh.j2
@@ -0,0 +1,20 @@
+
+module() { eval `/usr/bin/modulecmd bash $*`;  /usr/local/hpcusr/latest/bin/modulelog $*;}
+export -f module
+
+MODULESHOME=/usr/share/Modules
+export MODULESHOME
+
+if [ "${LOADEDMODULES:-}" = "" ]; then
+  LOADEDMODULES=
+  export LOADEDMODULES
+fi
+
+if [ "${MODULEPATH:-}" = "" ]; then
+  MODULEPATH=`sed -n 's/[ 	#].*$//; /./H; $ { x; s/^\n//; s/\n/:/g; p; }' ${MODULESHOME}/init/.modulespath`:/usr/local/Modules/modulefiles
+  export MODULEPATH
+fi
+
+if [ ${BASH_VERSINFO:-0} -ge 3 ] && [ -r ${MODULESHOME}/init/bash_completion ]; then
+ . ${MODULESHOME}/init/bash_completion
+fi
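Review bot: In `module()` the arguments are passed as unquoted `$*`, so an argument containing spaces or glob characters is re-split and expanded before `modulecmd` and `modulelog` see it; use `"$@"` in both places. Because `modulelog` is the last command, its exit status becomes the status of `module`, and a host without `/usr/local/hpcusr/latest/bin/modulelog` gets an error on every module call; guard the call with `[ -x /usr/local/hpcusr/latest/bin/modulelog ]` and return the saved `modulecmd` status. This function runs in every user's shell, root's included, so that directory should be owned by root and writable by nobody else; the diff does not show how it is provisioned.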
diff --git a/roles/enable_modules/vars/main.yml b/roles/enable_modules/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de6283efbd0f6268d50c3856e1cd7869560412d9
--- /dev/null
+++ b/roles/enable_modules/vars/main.yml
@@ -0,0 +1,5 @@
+---
+source_dir: /tmp
+lmoddir: /opt/lmod
+modulecmddir: /usr/share
+lmod_version: 5.8.6
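Review bot: `default_modules` is not defined here although every task in this role's tasks/main.yml is conditioned on it; unless inventory sets it (not visible in this diff) the `when` expressions fail on an undefined variable. A `defaults/main.yml` with `default_modules: lmod` would give a fallback that inventory can still override, which values placed in `vars/main.yml` make harder. `source_dir`, `modulecmddir` and `lmod_version` are not referenced by any of the role files shown in this commit.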
diff --git a/roles/ldapclient/tasks/configLdapClient.yml b/roles/ldapclient/tasks/configLdapClient.yml
index 5b667f2e4f348690bf4993b29539557f3d8907c4..3a85550ea67a81696eb526e575665524c29da6f3 100644
--- a/roles/ldapclient/tasks/configLdapClient.yml
+++ b/roles/ldapclient/tasks/configLdapClient.yml
@@ -2,7 +2,6 @@
 - name: "Copy configuration files to ldap client"
   template: src={{ item }}.j2 dest=/etc/{{ item }}
   with_items:
-    - pam_ldap.conf
     - nsswitch.conf
   become: true
   become_user: root
diff --git a/roles/ldapserver/tasks/main.yml b/roles/ldapserver/tasks/main.yml
index c007a12a85efccafa53b2520c6928f5f73e94953..be3d545b546e8bcbb2a16344b10ea8a5f499d528 100644
--- a/roles/ldapserver/tasks/main.yml
+++ b/roles/ldapserver/tasks/main.yml
@@ -51,6 +51,21 @@
 - name: template ssl.ldif
   template: src=ssl_ldif.j2 dest=/tmp/ssl.ldif mode=600
 
+- name: template acl_groups.ldif
+  template: src=acl_groups_ldif.j2 dest=/tmp/acl_groups.ldif mode=600
+
+- name: template load_memberof.ldif
+  template: src=load_memberof_ldif.j2 dest=/tmp/load_memberof.ldif mode=600
+
+- name: template load_refint.ldif
+  template: src=load_refint_ldif.j2 dest=/tmp/load_refint.ldif mode=600
+
+- name: template memberOfConfig.ldif
+  template: src=memberOfConfig_ldif.j2 dest=/tmp/memberOfConfig.ldif mode=600
+
+- name: template refint_config.ldif
+  template: src=refint_config_ldif.j2 dest=/tmp/refint_config.ldif mode=600
+
 - name: template manager.ldif
   template: src=manager_ldif.j2 dest=/tmp/manager.ldif mode=600
   sudo: true
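Review bot: The five new LDIF files are staged under fixed names in `/tmp` and, unlike the `manager.ldif` task below them, carry no `sudo: true`, yet `load_refint.ldif` and `load_memberof.ldif` are later applied to `cn=config` by a root `ldapadd -Y EXTERNAL`. On a host with other local users, a world-writable directory with predictable file names is a weak staging area for input to a privileged configuration change. I would create a directory with mode 0700 first, template into it, and remove the files once they have been applied. Writing `mode=0600` with the leading zero also removes any doubt about how `600` is interpreted.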
@@ -147,6 +162,46 @@
   sudo: true
   when: ppolicyOverlayConfigured|failed
 
+- name: check refint module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}refint"
+  sudo: true
+  ignore_errors: true
+  register: refintModuleLoaded
+
+- name: load refint module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_refint.ldif -D cn=config 
+  sudo: true
+  when: refintModuleLoaded|failed
+
+- name: check memberof module loaded
+  shell: slapcat -b cn=config | grep "olcModuleLoad. {.*}memberof"
+  sudo: true
+  ignore_errors: true
+  register: memberofModuleLoaded
+
+- name: load memberof module
+  shell: ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/load_memberof.ldif -D cn=config 
+  sudo: true
+  when: memberofModuleLoaded|failed
+
+- name: check member of config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcMemberOf"
+  ignore_errors: true
+  register: memberOfConfigured
+
+- name: add member of config 
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/memberOfConfig.ldif
+  when: memberOfConfigured|failed
+
+- name: check refinit config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapGroupBase }} -x -H ldap://localhost objectClass=olcRefintConfig"
+  ignore_errors: true
+  register: refintConfigured
+
+- name: add refint config 
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/refint_config.ldif
+  when: refintConfigured|failed
+
 - name: check Manager config
   shell: "slapcat -b cn=config | grep 'olcRootDN: {{ ldapManager }}'"
   ignore_errors: true
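Review bot: The new `ldapsearch` and `ldapadd` tasks pass `-w {{ ldapManagerPassword }}` on the command line, which exposes the directory manager password in the host's process list and in Ansible's task output and logs; `check aclroups config` and `add aclgroups OU` in the next hunk do the same. Add `no_log: true` to these tasks and read the password from a root-only file with `-y`, or at minimum quote the expansion so shell metacharacters in the password are not interpreted. The checks also pair `ignore_errors: true` with `|failed`, so a wrong password or a stopped slapd is treated like "not configured" and the add is attempted anyway. As far as I know `ldapsearch` exits 0 when the base exists but nothing matches, so `check member of config` and `check refinit config` may never trigger their add tasks; worth confirming on a fresh server.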
@@ -210,6 +265,16 @@
   shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/groups.ldif
   when: groupsConfigured|failed
 
+- name: check aclroups config
+  shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapAclGroupBase }} -x -H ldap://localhost objectClass=*"
+  ignore_errors: true
+  register: aclgroupsConfigured
+
+- name: add aclgroups OU
+  shell: ldapadd -x -D {{ ldapManager }} -w {{ ldapManagerPassword }} -x -H ldap://localhost -f /tmp/acl_groups.ldif
+  when: aclgroupsConfigured|failed
+
+
 - name: check Accounts config
   shell: "ldapsearch -D {{ ldapManager }} -w {{ ldapManagerPassword }} -b {{ ldapUserBase }} -x -H ldap://localhost objectClass=*"
   ignore_errors: true
diff --git a/roles/ldapserver/templates/acl_groups_ldif.j2 b/roles/ldapserver/templates/acl_groups_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..980f11d890556c8d64b0ef65c5c2b844846e9aae
--- /dev/null
+++ b/roles/ldapserver/templates/acl_groups_ldif.j2
@@ -0,0 +1,2 @@
+dn: {{ ldapAclGroupBase }}
+objectClass: organizationalUnit
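Review bot: The entry declares `objectClass: organizationalUnit` but carries no `ou` attribute, which that object class requires and which has to match the RDN. Assuming `ldapAclGroupBase` has the form `ou=NAME,SUFFIX` (its value is not in this diff), the `ldapadd` in tasks/main.yml would be rejected. Adding an `ou:` line whose value comes from a variable, plus `objectClass: top`, would make the entry complete.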
diff --git a/roles/ldapserver/templates/load_memberof_ldif.j2 b/roles/ldapserver/templates/load_memberof_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..c47d42097a1b477454c370d40da90508ab00f911
--- /dev/null
+++ b/roles/ldapserver/templates/load_memberof_ldif.j2
@@ -0,0 +1,4 @@
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad
+olcModuleLoad: memberof.la
diff --git a/roles/ldapserver/templates/load_refint_ldif.j2 b/roles/ldapserver/templates/load_refint_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..746194ac1bfde224e18b13360ddfc82190d695fe
--- /dev/null
+++ b/roles/ldapserver/templates/load_refint_ldif.j2
@@ -0,0 +1,4 @@
+dn: cn=module{0},cn=config
+changetype: modify
+add: olcModuleLoad 
+olcModuleLoad: refint.la
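Review bot: `add: olcModuleLoad ` has a trailing space that the otherwise identical load_memberof template does not have; depending on how the LDIF parser treats it, the attribute named on the `add:` line may not match the `olcModuleLoad:` line that follows. Removing the space costs nothing. Both templates also assume the module list lives at `cn=module{0}`, which deserves a one-line `#` comment.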
diff --git a/roles/ldapserver/templates/memberOfConfig_ldif.j2 b/roles/ldapserver/templates/memberOfConfig_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..61f8685e69dcbc48ad623cf49f0ffa8be87f46ef
--- /dev/null
+++ b/roles/ldapserver/templates/memberOfConfig_ldif.j2
@@ -0,0 +1,11 @@
+dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
+objectClass: olcConfig
+objectClass: olcMemberOf
+objectClass: olcOverlayConfig
+objectClass: top
+olcOverlay: memberof
+olcMemberOfDangling: ignore
+olcMemberOfRefInt: TRUE
+olcMemberOfGroupOC: groupOfNames
+olcMemberOfMemberAD: member
+olcMemberOfMemberOfAD: memberOf
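Review bot: The DN hard-codes `olcDatabase={2}bdb`, so the overlay is attached correctly only where the user database is the third database and uses the bdb backend; refint_config_ldif.j2 uses the same DN. Taking the database entry from a variable would keep both templates in step with the server. The entry sits under `cn=config`, but the task that loads it binds as `{{ ldapManager }}` with simple authentication rather than `-Y EXTERNAL` as the module-load tasks do; whether the manager may write to `cn=config` is not visible here. `olcMemberOfGroupOC: groupOfNames` also means `memberOf` is maintained for groupOfNames entries only.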
diff --git a/roles/ldapserver/templates/refint_config_ldif.j2 b/roles/ldapserver/templates/refint_config_ldif.j2
new file mode 100644
index 0000000000000000000000000000000000000000..343e4006320c959ce84d54fefcb54ff6c3181cc3
--- /dev/null
+++ b/roles/ldapserver/templates/refint_config_ldif.j2
@@ -0,0 +1,7 @@
+dn: olcOverlay=refint,olcDatabase={2}bdb,cn=config
+objectClass: olcConfig
+objectClass: olcOverlayConfig
+objectClass: olcRefintConfig
+objectClass: top
+olcOverlay: refint
+olcRefintAttribute: memberof member manager owner
diff --git a/roles/pam_slurm/tasks/main.yml b/roles/pam_slurm/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8a13ab12a174e0fbb953a12ffcdaae7eccf8a060
--- /dev/null
+++ b/roles/pam_slurm/tasks/main.yml
@@ -0,0 +1,11 @@
+---
+- name: "Copy access.conf"
+  template: src=access.conf.j2 dest=/etc/security/access.conf
+  become: true
+  become_user: root
+
+- name: "Copy password sshd pam config"
+  template: src=sshd.j2 dest=/etc/pam.d/sshd
+  become: true
+  become_user: root
+
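Review bot: Both tasks replace files that decide who can log in over SSH, `/etc/security/access.conf` and `/etc/pam.d/sshd`, without `owner`, `group`, `mode` or `backup`, so a bad render leaves no copy to restore and permissions depend on the umask. I would add `owner=root group=root mode=0644 backup=yes` to each. The sshd template uses RHEL-specific pieces (`password-auth`, `postlogin`, `pam_sepermit.so`), so the second task should probably carry `when: ansible_os_family == 'RedHat'`. The name `Copy password sshd pam config` would read better as `template sshd pam config`.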
diff --git a/roles/pam_slurm/templates/access.conf.j2 b/roles/pam_slurm/templates/access.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..684f5e79748e52b82d8a7e2dfa77708bbc2befa4
--- /dev/null
+++ b/roles/pam_slurm/templates/access.conf.j2
@@ -0,0 +1 @@
+-:ALL EXCEPT root systems ec2-user debian ubuntu admin :ALL
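Review bot: The exception list is fixed in the template and mixes what look like group names (`systems`, `admin`) with default cloud-image accounts (`ec2-user`, `debian`, `ubuntu`); pam_access matches a bare token as a user and then as a group, so an unrelated account or group with one of these names is exempted as well. Writing groups in the `(group)` form and taking the list from a variable makes the exemption explicit per site. A comment line above the rule, stating that it denies every login except the listed names and that pam_slurm in the sshd stack is what admits job owners, would save the next reader a trip to the PAM file.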
diff --git a/roles/pam_slurm/templates/sshd.j2 b/roles/pam_slurm/templates/sshd.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a1218458728bb47fea1d4f73194191a516cb6214
--- /dev/null
+++ b/roles/pam_slurm/templates/sshd.j2
@@ -0,0 +1,22 @@
+#%PAM-1.0
+auth	   required	pam_sepermit.so
+auth       substack     password-auth
+auth       include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-auth      optional     pam_reauthorize.so prepare
+account    required     pam_nologin.so
+account    include      password-auth
+account    sufficient   pam_slurm.so
+account    required     pam_access.so
+password   include      password-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open env_params
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      password-auth
+session    include      postlogin
+# Used with polkit to reauthorize users in remote sessions
+-session   optional     pam_reauthorize.so prepare
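Review bot: In the account stack, `account include password-auth` sits above `pam_slurm.so` and `pam_access.so`; with `include`, a `sufficient` entry that succeeds inside password-auth ends account processing for the whole stack, so the two new checks may never run for those users. password-auth is not part of this diff, so this needs checking on a target host; `account    substack     password-auth` confines such an early exit to the included file. `account sufficient pam_slurm.so` ahead of `account required pam_access.so` means a user with a job on the node is admitted without access.conf being consulted, which looks intended but deserves a comment in the file.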
diff --git a/roles/provision_homedir/templates/provision_homedir.py.j2 b/roles/provision_homedir/templates/provision_homedir.py.j2
index 07563cab82a647a84d9a39df47df86cc583419ee..1d711face7bc0a926cc0d027f318c1e875eb0a0d 100644
--- a/roles/provision_homedir/templates/provision_homedir.py.j2
+++ b/roles/provision_homedir/templates/provision_homedir.py.j2
@@ -3,7 +3,7 @@ import ldap
 import traceback
 import os
 import stat
-#import shutil
+import shutil
 import subprocess
 
 class ldapSearchConfig:
@@ -44,17 +44,16 @@ def get_users(server):
     return allusers
 
 def mk_homedir(path,uidNumber,gidNumber):
+	skelroot = path.rsplit("/", 1)[0]
+	# fix this later if your common/skel is located elsewhere
+	skelpath = os.path.join(skelroot, 'common', 'skel')
 	try:
 		statinfo = os.stat(path)
 	except OSError as e:
 		if 'No such file or directory' in e:
-			os.mkdir(path,0700)
+		    shutil.copytree(skelpath, path)
 	statinfo = os.stat(path)
-	if stat.S_ISDIR(statinfo.st_mode):
-		if statinfo.st_gid != gidNumber or statinfo.st_uid!=uidNumber:
-			os.chown(path,uidNumber,gidNumber)
-	else:
-		raise Exception("users homedirectory is not a directory %s"%path)
+	recursive_chown(path, uidNumber, gidNumber)
 
 # adapted from http://stackoverflow.com/questions/5994840/how-to-change-the-user-and-group-permissions-for-a-directory-by-name
 def recursive_chown(path,uidNumber,gidNumber):
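Review bot: `recursive_chown` is now called in `mk_homedir` on every run for every user, not only when the home directory has just been created, and the `stat.S_ISDIR` check was removed. The script changes ownership of everything under a directory the user controls, and `os.chown` follows symbolic links, so a link left in a home directory gets its target handed to that user on the next run. Restrict the recursive chown to a tree this run created and use `os.lchown` inside `recursive_chown`, whose body continues outside this hunk. `copytree` also takes the directory mode from the skel, where the old code created the home with 0700.

```python
def mk_homedir(path,uidNumber,gidNumber):
	# … unchanged: skelroot / skelpath …
	created = False
	try:
		os.stat(path)
	except OSError as e:
		if 'No such file or directory' in e:
			shutil.copytree(skelpath, path)
			# keep the mode the previous os.mkdir(path,0700) gave new homes
			os.chmod(path, 0700)
			created = True
	# only a tree created by this run is known to hold skel content alone
	if created:
		recursive_chown(path, uidNumber, gidNumber)
```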
@@ -68,24 +67,6 @@ def recursive_chown(path,uidNumber,gidNumber):
 		for fname in files:
 			os.chown(os.path.join(root, fname), uidNumber, gidNumber)
 
-def cp_skel(skelroot, path, uidNumber, gidNumber):
-	if skelroot is None:
-		# assumes NO trailing / on the home path or dead meat
-		skelroot = path.rsplit("/", 1)[0]
-	# fix this later if your common/skel is located elsewhere
-	skelpath = os.path.join(skelroot, 'common', 'skel')
-	if os.path.isdir(skelpath):
-		# copy the skel into the user $HOME
-		# os.system("/bin/cp -r %s/* %s" % (skelpath, path))
-		subprocess.call(['/bin/cp', '-r', "%s/*" % skelpath, path])
-		# os.system("/bin/cp %s/\.* %s" % (skelpath, path))
-		subprocess.call(['/bin/cp', "%s/.*" % skelpath, path])
-		# ideally use this, but it assumes 'path' does not exist
-		# shutil.copytree(skelpath, path)
-		# chown to user ownership
-		recursive_chown(path, uidNumber, gidNumber)
-	else:
-		raise Exception("skel path is missing %s" % skelpath)
 
 s=ldapSearchConfig()
 s.ldapserver="{{ ldapURI }}"
@@ -103,8 +84,7 @@ for user in users:
 			path=mnthome+"/"+users[user].entry[homeDirEntry][0].rsplit("/",1)[1]
 		else:
 			path=users[user].entry[homeDirEntry][0]
-		mk_homedir(None, path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
-		cp_skel(None, path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
+		mk_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
 	except:
 		print traceback.format_exc()
 		pass
diff --git a/roles/slurm-common/scripts/nvidia-probe.py b/roles/slurm-common/scripts/nvidia-probe.py
new file mode 100755
index 0000000000000000000000000000000000000000..1a47f11fba85278e9a430a5ab79e37f0af175245
--- /dev/null
+++ b/roles/slurm-common/scripts/nvidia-probe.py
@@ -0,0 +1,59 @@
+#!/bin/env python
+# prints  a list of NIDIA devices and their type in json format for 
+# parsing by ansible program; 
+# fields are 'name':'gpu' (fixed)
+#            'file': devicePath, (i.e. /dev/nvidia0)
+#            'type':typeOfDevice (i.e. 80 parsed from nvidia-smi outout)
+# program returns nothing upon error (i.e. no error messages)
+# Also checks for existance of /dev/nvidia? where ? is number from nvidia-smi GPU count
+# nvidia-smi -L produces output like
+#GPU 0: Tesla K80 (UUID: GPU-8bdb2956-4c10-7bd0-80d4-46da054663b4)
+#GPU 1: Tesla K80 (UUID: GPU-19ed5f7c-435a-036e-54f0-f64209c3cede)
+#GPU 2: Tesla K80 (UUID: GPU-a2f8cfe2-5bbc-de2a-8adc-4038f3379b5e)
+#GPU 3: Tesla K80 (UUID: GPU-1c9c0d02-4590-c915-18d2-d709efb56d8d)
+#GPU 4: Tesla K80 (UUID: GPU-b0f290c8-3b69-a518-ac77-22718f43e946)
+#GPU 5: Tesla K80 (UUID: GPU-565ebca2-6b37-3bc0-a355-72330049a349)
+#GPU 6: Tesla K80 (UUID: GPU-d8096845-d8a1-e3ef-ad00-c1d069c1b685)
+#GPU 7: Tesla K80 (UUID: GPU-20ee0841-22b5-9974-66c0-b49e5be3e469)
+
+import subprocess
+import sys
+import re
+import os
+import json
+
+try:
+	#run nvidia-smi -L to parse output
+        p = subprocess.Popen(['nvidia-smi', '-L'], stdout=subprocess.PIPE,
+                                   stderr=subprocess.PIPE)
+        out, err = p.communicate()
+        lines=out.strip().split('\n')
+        numberOfDevices=len(lines)
+        typeofDevice=""
+        deviceList=[] #return list
+        for line in lines:
+                if not line :
+                        break
+                #print "Line is ",line
+                pe=re.compile('GPU\s*(\d*).*Tesla\s*(\S*)')
+                m=pe.search(line)
+                if not m:
+                        #print "No match found"
+                        break
+                numberOfDevice=m.group(1)
+                typeOfDevice=m.group(2)
+                #print "Number of Devics is "+numberOfDevice+" Type of device is "+typeOfDevice
+                #check device file existance
+                devicePath="/dev/nvidia"+numberOfDevice
+                if os.path.exists(devicePath):
+                        #print "OK"
+                        deviceList.append( { 'name':'gpu' , 'file': devicePath, 'type':typeOfDevice } )
+ 		else:
+                        #print "Error file not found ",devicePath
+			sys.exit(0)
+        #now convert list to json 
+        output=json.dumps(deviceList)
+        print output
+except OSError:
+#if nvidia-smi is not installed on computer then this error is thrown by subprocess.Popen
+        sys.exit(0)
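Review bot: The pattern `GPU\s*(\d*).*Tesla\s*(\S*)` only recognises cards whose name contains `Tesla`, and the loop uses `break` on the first line that does not match, so a node with any other NVIDIA model reports a short or empty list with exit status 0 and no message. Matching the model generically and using `continue`, or exiting non-zero with a message on stderr, would let the playbook tell "no GPUs" from "could not parse". A missing `/dev/nvidiaN` likewise discards the devices already found through `sys.exit(0)`. The file mixes tabs and spaces for indentation and uses `#!/bin/env`, which does not exist on every distribution; `#!/usr/bin/env python` and spaces throughout are safer. The header comment has typos (`NIDIA`, `outout`, `existance`).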
diff --git a/roles/slurm-common/tasks/installSlurmFromSource.yml b/roles/slurm-common/tasks/installSlurmFromSource.yml
index be136da92000e764e613bb1c040c52f3f497e73e..167994b2dc000568ee739480d28a07679f86685c 100644
--- a/roles/slurm-common/tasks/installSlurmFromSource.yml
+++ b/roles/slurm-common/tasks/installSlurmFromSource.yml
@@ -15,14 +15,27 @@
     src: "http://consistency0/src/slurm-{{ slurm_version }}.tar.bz2"
     copy: no
     dest: /tmp
-    creates: /tmp/slurm-{{ slurm_version }}
+    creates: "{{ slurm_dir }}/bin/srun"
+
+- name: stat srun
+  stat: path="{{ slurm_dir }}/bin/srun"
+  register: stat_srun
+
+
 
+- name: configure slurm
+  command: /tmp/slurm-{{ slurm_version }}/configure --prefix={{ slurm_dir }} --with-munge={{ munge_dir }} --enable-pam 
+  args:
+    creates: "{{ slurm_dir }}/bin/srun"
+    chdir: /tmp/slurm-{{ slurm_version }}
+  when: force_slurm_recompile is defined or not stat_srun.stat.exists
 
 - name: build slurm
-  shell: ./configure --prefix={{ slurm_dir }} --with-munge={{ munge_dir }} && make
+  command: make
   args:
+    creates: "{{ slurm_dir }}/bin/srun"
     chdir: /tmp/slurm-{{ slurm_version }}
-    creates: /tmp/slurm-{{ slurm_version }}/src/srun/srun
+  when: force_slurm_recompile is defined or not stat_srun.stat.exists
 
 - name: install slurm
   shell: make install
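Review bot: `force_slurm_recompile` cannot force anything on `configure slurm` and `build slurm`, because both also carry `creates: "{{ slurm_dir }}/bin/srun"` and the command is skipped whenever that path exists, whatever `when` says; `install slurm` in the next hunk has the same combination. Drop `creates` from these tasks and rely on the `when`. Testing `is defined` also means that `force_slurm_recompile: false` triggers a rebuild; `when: force_slurm_recompile | default(false) | bool or not stat_srun.stat.exists` reads the value instead.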
@@ -30,6 +43,20 @@
   args:
     chdir: /tmp/slurm-{{ slurm_version }}
     creates: "{{ slurm_dir }}/bin/srun"
+  when: force_slurm_recompile is defined or not stat_srun.stat.exists
+
+- name: build pam_slurm
+  command: make
+  args:
+    chdir: /tmp/slurm-{{ slurm_version }}/contribs/pam
+  when: force_slurm_recompile is defined or not stat_srun.stat.exists
+
+- name: install pam_slurm
+  shell: make install
+  sudo: true
+  args:
+    chdir: /tmp/slurm-{{ slurm_version }}/contribs/pam
+  when: force_slurm_recompile is defined or not stat_srun.stat.exists
 
 - name: add slurm log rotate config
   template: src=slurmlog.j2 dest=/etc/logrotate.d/slurm mode=644
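Review bot: `install pam_slurm` runs `make install` as root on a tree unpacked under `/tmp` from a tarball that, in the context lines of the previous hunk, is fetched over plain `http://` with no checksum shown (that task starts above the hunk, so it may have more to it). With `--enable-pam` the result is a module loaded into the SSH login path, so I would verify the download against a pinned checksum and build in a directory only the build user can write to, rather than at a fixed path in a world-writable directory. The two new tasks use `sudo: true` where the other roles added in this commit use `become: true`.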
diff --git a/roles/slurm-common/tasks/main.yml b/roles/slurm-common/tasks/main.yml
index 3df46241dd2d971c0c7c05cb760130a52b780081..9f15c287e301eacc2e30b488ad9dac690f0336cb 100644
--- a/roles/slurm-common/tasks/main.yml
+++ b/roles/slurm-common/tasks/main.yml
@@ -143,15 +143,19 @@
   ignore_errors: true
   when: slurm_gres_check is defined
 
-- name: install gres config file 
-  template: src=gres.conf.j2 dest={{ slurm_dir }}/etc/gres.conf mode=644
-  sudo: true
-  when: slurm_generic_resource is defined and slurm_generic_resource.stdout 
+- name: Gres - Test for Nvidia devices
+  script: ./nvidia-probe.py
+  register: probeOutput
+
+- set_fact: slurm_gres_list= "[ ]"
+
+- name: "set nvidiaprobe slurm_gres_list"
+  set_fact: slurm_gres_list={{  probeOutput.stdout | from_json }}
+  when: probeOutput.stdout is defined and ( probeOutput.stdout|length !=0 )
 
-- name: install gres sub config file 
-  template: src=gres_sub.conf.j2 dest={{ slurm_dir }}/etc/gres/gres.conf mode=644
+- name: template gres.conf file
+  template: src="gres.conf.j2" dest={{ slurm_dir }}/etc/gres/gres.conf mode=644
   sudo: true
-  when: slurm_gres_list is defined
 
 - name: install slurm prolog
   template: src=slurm.prolog.j2 dest={{ slurm_dir }}/bin/slurm.prolog mode=755
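Review bot: `- set_fact: slurm_gres_list= "[ ]"` has a space after `=`, so in key=value parsing `slurm_gres_list` most likely receives an empty string and the quoted `[ ]` becomes a separate token; write it in YAML form, `set_fact:` with `slurm_gres_list: []` on the next line, and give the task a name. Because `set_fact` outranks inventory variables, a `slurm_gres_list` defined in group_vars is now always replaced by the probe result, and `gres.conf` is templated on every node since the `when` was removed. `Gres - Test for Nvidia devices` has no `changed_when: false`, so each run reports a change.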
diff --git a/roles/slurm-common/templates/gres.conf.j2 b/roles/slurm-common/templates/gres.conf.j2
index a3bbf7199baffd6c7e154e898d36cf2857afdc57..f0e374cedb88a2c67a16b7a3a12042cafb964618 100644
--- a/roles/slurm-common/templates/gres.conf.j2
+++ b/roles/slurm-common/templates/gres.conf.j2
@@ -1,3 +1,5 @@
+#slurm gres file for {{ ansible_hostname }} 
+#No Of Devices={{ slurm_gres_list | length }}
 {% for gr in slurm_gres_list %}
-Name={{ gr.name }} File={{ gr.file }}
+Name={{ gr.name }} Type={{ gr.type }} File={{ gr.file }}
 {% endfor %}