Merge branch 'master' of gitlab.erc.monash.edu.au:hpc-team/ansible_cluster_in_a_box into numa-check

8baeda50 · Simon Michnowicz (Monash University) · d21ed3f0 · f4429bd8 · 8baeda50 · 8baeda50
Commit 8baeda50 authored 8 years ago by Simon Michnowicz (Monash University)
--- a/roles/enable_modules/tasks/main.yml
+++ b/roles/enable_modules/tasks/main.yml
@@ -13,25 +13,25 @@
  when: default_modules == "lmod"

 - name: remove modulecmd bash
-  file: path=/etc/profile.d/modulecmd.sh state=absent
+  file: path=/etc/profile.d/zz_modulecmd.sh state=absent
  become: true
  become_user: root
  when: default_modules == "lmod"

 - name: remove modulcmd csh
-  file: path=/etc/profile.d/modulecmd.csh state=absent
+  file: path=/etc/profile.d/zz_modulecmd.csh state=absent
  become: true
  become_user: root
  when: default_modules == "lmod"

 - name: template modulecmd bash
-  template: src=modulecmd.sh.j2 dest=/etc/profile.d/modulecmd.sh
+  template: src=modulecmd.sh.j2 dest=/etc/profile.d/zz_modulecmd.sh
  become: true
  become_user: root
  when: default_modules == "modulecmd"

 - name: template modulecmd csh
-  template: src=modulecmd.csh.j2 dest=/etc/profile.d/modulecmd.csh
+  template: src=modulecmd.csh.j2 dest=/etc/profile.d/zz_modulecmd.csh
  become: true
  become_user: root
  when: default_modules == "modulecmd"

--- a/roles/enable_modules/templates/modulecmd.sh.j2
+++ b/roles/enable_modules/templates/modulecmd.sh.j2

-module() { eval `/usr/bin/modulecmd bash $*`;  /usr/local/hpcusr/latest/bin/modulelog $*;}
+module() { eval `/usr/bin/modulecmd bash $*`;  /usr/local/bin/modulelog $*;}
 export -f module

 MODULESHOME=/usr/share/Modules

--- a/roles/etcHosts/tasks/main.yml
+++ b/roles/etcHosts/tasks/main.yml
@@ -21,7 +21,10 @@
  when: ansible_distribution == "Debian" and ansible_distribution_major_version == "8"

 - name: set preserve hostname on CentOS
-  lineinfile: dest=/etc/cloud/cloud.cfg line='preserve_hostname=True'
+  lineinfile: 
+  args:
+    dest: /etc/cloud/cloud.cfg 
+    line: "preserve_hostname: True"
  sudo: true
  when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"


--- a/roles/extra_packages/tasks/main.yml
+++ b/roles/extra_packages/tasks/main.yml
@@ -8,11 +8,6 @@
  sudo: true
  when: ansible_os_family == 'RedHat'
 
- name: "Make yum cache"
-  command: yum makecache
-  sudo: true
-  when: ansible_os_family == 'RedHat'
-
 - name: "Install extra packages"
  yum: "name={{ item }} exclude={{ excludes|join(',') }} update_cache=yes state=present"
  with_items: "{{ extra_packages }}"

--- a/roles/mellanox_drivers/tasks/main.yml
+++ b/roles/mellanox_drivers/tasks/main.yml
@@ -73,6 +73,6 @@
  when: reboot_now

 - name: waiting for server to come back
-  local_action: wait_for host={{ ansible_host }} state=started port=22 delay=10 search_regex=OpenSSH
+  local_action: wait_for host={{ ansible_host }} state=started port=22 delay=60 timeout=600 search_regex=OpenSSH
  sudo: false
  when: reboot_now
--- a/roles/nagios_server/templates/nagios3.conf.j2
+++ b/roles/nagios_server/templates/nagios3.conf.j2
+# apache configuration for nagios 3.x
+# note to users of nagios 1.x and 2.x:
+#	throughout this file are commented out sections which preserve
+#	backwards compatibility with bookmarks/config for older nagios versios.
+#	simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+
+ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
+# nagios 1.x:
+#ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
+#ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
+# nagios 2.x: 
+#ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
+#ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+# nagios 1.x:
+#Alias /nagios/stylesheets /etc/nagios3/stylesheets
+# nagios 2.x:
+#Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+
+# Where the HTML pages live
+Alias /nagios3 /usr/share/nagios3/htdocs
+# nagios 2.x: 
+#Alias /nagios2 /usr/share/nagios3/htdocs
+# nagios 1.x:
+#Alias /nagios /usr/share/nagios3/htdocs
+
+
+LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/cacert.crt
+
+<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+	Options FollowSymLinks
+
+	DirectoryIndex index.php index.html
+
+	AllowOverride AuthConfig
+
+
+    <IfVersion < 2.3>
+        Order Allow,Deny
+        Allow From All
+    </IfVersion>
+
+    <IfVersion >= 2.3>
+        Require all denied
+    </IfVersion>
+
+    AuthType Basic
+    AuthName "Authentication"
+    AuthBasicProvider ldap
+    AuthLDAPURL {{ ldapURI }}/{{ ldapBase }}?uid?sub?{{ ldap_access_filter }}
+    AuthLDAPBindDN {{ ldapBindDN }}
+    AuthLDAPBindPassword {{ ldapBindDNPassword }}
+    AuthLDAPBindAuthoritative off
+    AuthLDAPGroupAttributeIsDN off
+    AuthLDAPGroupAttribute memberUid
+    <RequireAll>
+    Require valid-user
+    Require ldap-group cn={{ sudo_group }},{{ ldapGroupBase }}
+    </RequireAll>
+
+</DirectoryMatch>
+
+<Directory /usr/share/nagios3/htdocs>
+	Options	+ExecCGI	
+</Directory>
+
+# Enable this ScriptAlias if you want to enable the grouplist patch.
+# See http://apan.sourceforge.net/download.html for more info
+# It allows you to see a clickable list of all hostgroups in the
+# left pane of the Nagios web interface
+# XXX This is not tested for nagios 2.x use at your own peril
+#ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+# nagios 1.x:
+#ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+
--- a/roles/nat_server/tasks/main.yml
+++ b/roles/nat_server/tasks/main.yml
+---
+# make sure firewalld is not installed
+- name: make sure firewalld is not installed
+  yum: name={{ item }} state=absent
+  become: true
+  become_user: root
+  with_items:
+  - firewalld
+  - firewall-config
+
+# make sure iptables is installed
+- name: make sure iptables-services is installed
+  yum: name=iptables-services state=present
+  become: true
+  become_user: root
+
+- name: make sure iptables service is running
+  service: name=iptables state=started enabled=yes
+  become: true
+  become_user: root
+
+    
+# template ip tables rules or add rules on startup?
+- name: template rules
+  template: dest=/etc/sysconfig/iptables src=iptables.j2
+  become: true
+  become_user: root
+  register: rule_changed
+
+- name: restore rules
+  shell: iptables-restore
+  become: true
+  become_user: root
+  when: rule_changed | changed
+
+# make sure ip forwarding is enabled
--- a/roles/nat_server/templates/iptables.j2
+++ b/roles/nat_server/templates/iptables.j2
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o eth2 -j MASQUERADE
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov  7 16:34:03 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i mlx0 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+COMMIT
+# Completed on Mon Nov  7 16:34:03 2016
--- a/roles/provision_homedir/templates/provision_homedir.py.j2
+++ b/roles/provision_homedir/templates/provision_homedir.py.j2
@@ -53,6 +53,7 @@ def mk_homedir(path,uidNumber,gidNumber):
 		if 'No such file or directory' in e:
 		    shutil.copytree(skelpath, path)
 	statinfo = os.stat(path)
+	os.chown(path,uidNumber,gidNumber)
 	recursive_chown(path, uidNumber, gidNumber)

 # adapted from http://stackoverflow.com/questions/5994840/how-to-change-the-user-and-group-permissions-for-a-directory-by-name
@@ -67,13 +68,23 @@ def recursive_chown(path,uidNumber,gidNumber):
 		for fname in files:
 			os.chown(os.path.join(root, fname), uidNumber, gidNumber)

+def check_homedir(path,uidNumber,gidNumber):
+	try:
+		si = os.stat(path)
+		if si.st_uid != uidNumber or si.st_gid != gidNumber:
+			raise Exception("user home %s uid %d != %d, gid %d != %d mismatch" % (path,si.st_uid,uidNumber,si.st_gid,gidNumber))
+		return True
+	except:
+		return False
+
+

 s=ldapSearchConfig()
 s.ldapserver="{{ ldapURI }}"
 s.binddn="{{ ldapBindDN }}"
 s.bindpw="{{ ldapBindDNPassword }}"
 s.baseDN="{{ ldapBase }}"
-s.searchFilter = "{{ search_filter }}"
+s.searchFilter = "{{ ldap_access_filter }}"
 homeDirEntry= "{{ homeDirEntry }}"
 mnthome = "{{ mnthome }}"

@@ -84,7 +95,8 @@ for user in users:
 			path=mnthome+"/"+users[user].entry[homeDirEntry][0].rsplit("/",1)[1]
 		else:
 			path=users[user].entry[homeDirEntry][0]
-		mk_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
+		if not check_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0])):
+			mk_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
 	except:
 		print traceback.format_exc()
 		pass
--- a/roles/provision_slurm/templates/provision_slurm.py.j2
+++ b/roles/provision_slurm/templates/provision_slurm.py.j2
@@ -67,7 +67,7 @@ s.ldapserver="{{ ldapURI }}"
 s.binddn="{{ ldapBindDN }}"
 s.bindpw="{{ ldapBindDNPassword }}"
 s.baseDN="{{ ldapBase }}"
-s.searchFilter = "{{ search_filter }}"
+s.searchFilter = "{{ ldap_access_filter }}"

 users=get_users(s)
 mk_slurmaccount("default")

--- a/roles/slurm_config/tasks/main.yml
+++ b/roles/slurm_config/tasks/main.yml
+---
+- name: install slurm.conf
+  copy: src=files/slurm.conf dest={{ slurm_dir }}/etc/slurm.conf
+  sudo: true