diff --git a/roles/enable_modules/tasks/main.yml b/roles/enable_modules/tasks/main.yml
index f6e4b9c1b66d2f60a6bd07a037c86719f716d5e1..f7d6e4adae679c1439d76d41c665c99b44e1b1bd 100644
--- a/roles/enable_modules/tasks/main.yml
+++ b/roles/enable_modules/tasks/main.yml
@@ -13,25 +13,25 @@
   when: default_modules == "lmod"
 
 - name: remove modulecmd bash
-  file: path=/etc/profile.d/modulecmd.sh state=absent
+  file: path=/etc/profile.d/zz_modulecmd.sh state=absent
   become: true
   become_user: root
   when: default_modules == "lmod"
 
 - name: remove modulcmd csh
-  file: path=/etc/profile.d/modulecmd.csh state=absent
+  file: path=/etc/profile.d/zz_modulecmd.csh state=absent
   become: true
   become_user: root
   when: default_modules == "lmod"
 
 - name: template modulecmd bash
-  template: src=modulecmd.sh.j2 dest=/etc/profile.d/modulecmd.sh
+  template: src=modulecmd.sh.j2 dest=/etc/profile.d/zz_modulecmd.sh
   become: true
   become_user: root
   when: default_modules == "modulecmd"
 
 - name: template modulecmd csh
-  template: src=modulecmd.csh.j2 dest=/etc/profile.d/modulecmd.csh
+  template: src=modulecmd.csh.j2 dest=/etc/profile.d/zz_modulecmd.csh
   become: true
   become_user: root
   when: default_modules == "modulecmd"
diff --git a/roles/enable_modules/templates/modulecmd.sh.j2 b/roles/enable_modules/templates/modulecmd.sh.j2
index 30adea3527df89867728e18ee83b628866175d83..9112e4117950951fd3f2fb263967d5d2a307f6a2 100644
--- a/roles/enable_modules/templates/modulecmd.sh.j2
+++ b/roles/enable_modules/templates/modulecmd.sh.j2
@@ -1,5 +1,5 @@
-module() { eval `/usr/bin/modulecmd bash $*`; /usr/local/hpcusr/latest/bin/modulelog $*;}
+module() { eval `/usr/bin/modulecmd bash $*`; /usr/local/bin/modulelog $*;}
 export -f module
 
 MODULESHOME=/usr/share/Modules
diff --git a/roles/etcHosts/tasks/main.yml b/roles/etcHosts/tasks/main.yml
index cb1d84a09812405cdb84cebabc03a802522e871b..bc86805d85725fa88bd71bd0136e91b153417553 100644
--- a/roles/etcHosts/tasks/main.yml
+++ b/roles/etcHosts/tasks/main.yml
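Review bot: The `state=absent` tasks now delete only `/etc/profile.d/zz_modulecmd.sh` and `.csh`, so a host provisioned by the previous version of this role keeps its old `/etc/profile.d/modulecmd.sh`/`.csh`, and with `default_modules == "lmod"` that stale file still defines `module` at login next to lmod. Add matching `file: path=/etc/profile.d/modulecmd.sh state=absent` and `.csh` tasks (the same `when`, or unconditional) so the rename does not leave a second copy behind; the hunk's first `when:` line belongs to a task that starts above it. A one-line comment on why the `zz_` prefix is needed (presumably sourcing order within /etc/profile.d) would also help, since nothing in the file records it.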
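Review bot: The new `module()` line still passes `$*` unquoted to both `modulecmd` and `modulelog`, so arguments containing spaces or glob characters are re-split and expanded by bash before either program sees them. Use `"$@"` in both places: ``module() { eval `/usr/bin/modulecmd bash "$@"`; /usr/local/bin/modulelog "$@";}``. Because the command output is passed to `eval`, whatever modulecmd prints runs as shell code in the user's session — inherent to the environment-modules design, but worth a short comment in the template so the next editor keeps the modulefile paths under root control.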
@@ -21,7 +21,10 @@
   when: ansible_distribution == "Debian" and ansible_distribution_major_version == "8"
 
 - name: set preserve hostname on CentOS
-  lineinfile: dest=/etc/cloud/cloud.cfg line='preserve_hostname=True'
+  lineinfile:
+  args:
+    dest: /etc/cloud/cloud.cfg
+    line: "preserve_hostname: True"
   sudo: true
   when: ansible_distribution == "CentOS" and ansible_distribution_major_version == "7"
 
diff --git a/roles/extra_packages/tasks/main.yml b/roles/extra_packages/tasks/main.yml
index d171790309167e86a0f78b73d4920d1a5f635858..66f8ea0fa694e0331345f001583960c1f622b084 100644
--- a/roles/extra_packages/tasks/main.yml
+++ b/roles/extra_packages/tasks/main.yml
@@ -8,11 +8,6 @@
   sudo: true
   when: ansible_os_family == 'RedHat'
 
-- name: "Make yum cache"
-  command: yum makecache
-  sudo: true
-  when: ansible_os_family == 'RedHat'
-
 - name: "Install extra packages"
   yum: "name={{ item }} exclude={{ excludes|join(',') }} update_cache=yes state=present"
   with_items: "{{ extra_packages }}"
diff --git a/roles/mellanox_drivers/tasks/main.yml b/roles/mellanox_drivers/tasks/main.yml
index 4588f6a846a30105dbc2cc4269ef24f1fb181e11..6cfb5d12dadec32316ba71a4879772be8996ead3 100644
--- a/roles/mellanox_drivers/tasks/main.yml
+++ b/roles/mellanox_drivers/tasks/main.yml
@@ -73,6 +73,6 @@
   when: reboot_now
 
 - name: waiting for server to come back
-  local_action: wait_for host={{ ansible_host }} state=started port=22 delay=10 search_regex=OpenSSH
+  local_action: wait_for host={{ ansible_host }} state=started port=22 delay=60 timeout=600 search_regex=OpenSSH
   sudo: false
   when: reboot_now
diff --git a/roles/nagios_server/templates/nagios3.conf.j2 b/roles/nagios_server/templates/nagios3.conf.j2
new file mode 100644
index 0000000000000000000000000000000000000000..76bc11b7d2810b01b75b206da5a65f4badd94698
--- /dev/null
+++ b/roles/nagios_server/templates/nagios3.conf.j2
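Review bot: The new `lineinfile` task has no `regexp:`, so it appends `preserve_hostname: True` even when cloud.cfg already carries a `preserve_hostname:` line, and a later value change leaves two copies of the key (most YAML loaders silently keep the last one). Add `regexp: '^preserve_hostname:'` beside `line:` so an existing key is replaced in place; hosts configured by the previous `preserve_hostname=True` line keep that stray line, which this task will not clean up, so a second `lineinfile` with `state: absent` for it is worth adding. This role still uses `sudo: true` while the other roles in this commit use `become: true`; `sudo:` is the deprecated spelling, so `become: true` keeps the roles consistent.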
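Review bot: `host={{ ansible_host }}` raises an undefined-variable error for inventory entries that do not set `ansible_host` explicitly (this depends on the Ansible version in use — worth confirming); `host={{ ansible_host | default(inventory_hostname) }}` covers both cases. The new `delay=60 timeout=600` values deserve a comment such as `# driver install reboot takes minutes: 60s grace, 10 min ceiling`, since nothing records why they changed from the defaults. The hunk's first `when: reboot_now` belongs to the task above it.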
@@ -0,0 +1,76 @@
+# apache configuration for nagios 3.x
+# note to users of nagios 1.x and 2.x:
+# throughout this file are commented out sections which preserve
+# backwards compatibility with bookmarks/config for older nagios versios.
+# simply look for lines following "nagios 1.x:" and "nagios 2.x" comments.
+
+ScriptAlias /cgi-bin/nagios3 /usr/lib/cgi-bin/nagios3
+ScriptAlias /nagios3/cgi-bin /usr/lib/cgi-bin/nagios3
+# nagios 1.x:
+#ScriptAlias /cgi-bin/nagios /usr/lib/cgi-bin/nagios3
+#ScriptAlias /nagios/cgi-bin /usr/lib/cgi-bin/nagios3
+# nagios 2.x:
+#ScriptAlias /cgi-bin/nagios2 /usr/lib/cgi-bin/nagios3
+#ScriptAlias /nagios2/cgi-bin /usr/lib/cgi-bin/nagios3
+Alias /nagios3/stylesheets /etc/nagios3/stylesheets
+# nagios 1.x:
+#Alias /nagios/stylesheets /etc/nagios3/stylesheets
+# nagios 2.x:
+#Alias /nagios2/stylesheets /etc/nagios3/stylesheets
+
+# Where the HTML pages live
+Alias /nagios3 /usr/share/nagios3/htdocs
+# nagios 2.x:
+#Alias /nagios2 /usr/share/nagios3/htdocs
+# nagios 1.x:
+#Alias /nagios /usr/share/nagios3/htdocs
+
+
+LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/cacert.crt
+
+<DirectoryMatch (/usr/share/nagios3/htdocs|/usr/lib/cgi-bin/nagios3|/etc/nagios3/stylesheets)>
+    Options FollowSymLinks
+
+    DirectoryIndex index.php index.html
+
+    AllowOverride AuthConfig
+
+
+    <IfVersion < 2.3>
+        Order Allow,Deny
+        Allow From All
+    </IfVersion>
+
+    <IfVersion >= 2.3>
+        Require all denied
+    </IfVersion>
+
+    AuthType Basic
+    AuthName "Authentication"
+    AuthBasicProvider ldap
+    AuthLDAPURL {{ ldapURI }}/{{ ldapBase }}?uid?sub?{{ ldap_access_filter }}
+    AuthLDAPBindDN {{ ldapBindDN }}
+    AuthLDAPBindPassword {{ ldapBindDNPassword }}
+    AuthLDAPBindAuthoritative off
+    AuthLDAPGroupAttributeIsDN off
+    AuthLDAPGroupAttribute memberUid
+    <RequireAll>
+        Require valid-user
+        Require ldap-group cn={{ sudo_group }},{{ ldapGroupBase }}
+    </RequireAll>
+
+</DirectoryMatch>
+
+<Directory /usr/share/nagios3/htdocs>
+    Options +ExecCGI
+</Directory>
+
+# Enable this ScriptAlias if you want to enable the grouplist patch.
+# See http://apan.sourceforge.net/download.html for more info
+# It allows you to see a clickable list of all hostgroups in the
+# left pane of the Nagios web interface
+# XXX This is not tested for nagios 2.x use at your own peril
+#ScriptAlias /nagios3/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+# nagios 1.x:
+#ScriptAlias /nagios/side.html /usr/lib/cgi-bin/nagios3/grouplist.cgi
+
diff --git a/roles/nat_server/tasks/main.yml b/roles/nat_server/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3d1ecc49ed17d0231ce62c0e9c2702f89b16d75d
--- /dev/null
+++ b/roles/nat_server/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+# make sure firewalld is not installed
+- name: make sure firewalld is not installed
+  yum: name={{ item }} state=absent
+  become: true
+  become_user: root
+  with_items:
+    - firewalld
+    - firewall-config
+
+# make sure iptables is installed
+- name: make sure iptables-services is installed
+  yum: name=iptables-services state=present
+  become: true
+  become_user: root
+
+- name: make sure iptables service is running
+  service: name=iptables state=started enabled=yes
+  become: true
+  become_user: root
+
+
+# template ip tables rules or add rules on startup?
+- name: template rules
+  template: dest=/etc/sysconfig/iptables src=iptables.j2
+  become: true
+  become_user: root
+  register: rule_changed
+
+- name: restore rules
+  shell: iptables-restore
+  become: true
+  become_user: root
+  when: rule_changed | changed
+
+# make sure ip forwarding is enabled
diff --git a/roles/nat_server/templates/iptables.j2 b/roles/nat_server/templates/iptables.j2
new file mode 100644
index 0000000000000000000000000000000000000000..1decc94e170256b136a56b0dfc609b1fc89bc0fd
--- /dev/null
+++ b/roles/nat_server/templates/iptables.j2
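Review bot: Inside `<IfVersion >= 2.3>`, `Require all denied` is a sibling of the `<RequireAll>` block below it, and Apache 2.4 ORs sibling `Require` directives (an implicit `<RequireAny>`), so the `denied` line never contributes yet reads as though access were blocked; drop it and let `<RequireAll>` stand on its own. `AuthLDAPBindPassword {{ ldapBindDNPassword }}` writes the LDAP bind password in clear into an Apache config, so the task that templates this file (not in this diff) must set a restrictive `owner`/`mode`, and Apache 2.4 also accepts `AuthLDAPBindPassword "exec:/path/to/helper"` to avoid storing it in the file at all. `AuthLDAPURL` and `AuthLDAPBindDN` are unquoted, so a `ldap_access_filter` or bind DN containing a space splits the directive; quote them, e.g. `AuthLDAPURL "{{ ldapURI }}/{{ ldapBase }}?uid?sub?{{ ldap_access_filter }}"`. With `AuthType Basic` the user's password crosses the wire in clear unless the enclosing vhost is TLS-only, which this file cannot show; a comment stating that assumption would help the next reader.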
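Review bot: `shell: iptables-restore` is run with no input, and Ansible hands the command an empty stdin, so the freshly templated /etc/sysconfig/iptables is never loaded until something else restarts the service; feed the file in with `shell: iptables-restore < /etc/sysconfig/iptables` (or restart the `iptables` service). The file ends with `# make sure ip forwarding is enabled` and no task after it, so `net.ipv4.ip_forward` stays at the kernel default and the MASQUERADE and FORWARD rules in iptables.j2 forward nothing — a `sysctl` task closes that gap. `when: rule_changed | changed` is the filter spelling that newer Ansible deprecates in favour of `when: rule_changed is changed`, if the version in use supports it.
```yaml
# … unchanged: firewalld removal, iptables-services install/start, template task …
- name: restore rules
  shell: iptables-restore < /etc/sysconfig/iptables
  become: true
  become_user: root
  when: rule_changed | changed

# make sure ip forwarding is enabled
- name: enable ipv4 forwarding
  sysctl:
    name: net.ipv4.ip_forward
    value: "1"
    sysctl_set: true
    state: present
    reload: true
  become: true
  become_user: root
```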
@@ -0,0 +1,33 @@
+# Generated by iptables-save v1.4.21 on Mon Nov 7 16:34:03 2016
+*mangle
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
+COMMIT
+# Completed on Mon Nov 7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov 7 16:34:03 2016
+*nat
+:PREROUTING ACCEPT [0:0]
+:INPUT ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+:POSTROUTING ACCEPT [0:0]
+-A POSTROUTING -o eth2 -j MASQUERADE
+COMMIT
+# Completed on Mon Nov 7 16:34:03 2016
+# Generated by iptables-save v1.4.21 on Mon Nov 7 16:34:03 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+-A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
+-A INPUT -j REJECT --reject-with icmp-host-prohibited
+-A FORWARD -i mlx0 -j ACCEPT
+-A FORWARD -i eth1 -j ACCEPT
+COMMIT
+# Completed on Mon Nov 7 16:34:03 2016
diff --git a/roles/provision_homedir/templates/provision_homedir.py.j2 b/roles/provision_homedir/templates/provision_homedir.py.j2
index 1d711face7bc0a926cc0d027f318c1e875eb0a0d..ddbf09ba1492d803b929b834fe5fa230aee0f5b4 100644
--- a/roles/provision_homedir/templates/provision_homedir.py.j2
+++ b/roles/provision_homedir/templates/provision_homedir.py.j2
@@ -53,6 +53,7 @@ def mk_homedir(path,uidNumber,gidNumber):
         if 'No such file or directory' in e:
             shutil.copytree(skelpath, path)
     statinfo = os.stat(path)
+    os.chown(path,uidNumber,gidNumber)
     recursive_chown(path, uidNumber, gidNumber)
 
 # adapted from http://stackoverflow.com/questions/5994840/how-to-change-the-user-and-group-permissions-for-a-directory-by-name
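Review bot: The filter table keeps `:FORWARD ACCEPT [0:0]` as its policy, so the two `-A FORWARD -i mlx0 / -i eth1 -j ACCEPT` rules are redundant and, more importantly, packets arriving on the masqueraded side (eth2) are forwarded into the internal networks whenever routing allows it. Change the policy to `:FORWARD DROP [0:0]` and put `-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` ahead of the interface rules, so only connections initiated from mlx0/eth1 and their replies cross the box. The interface names (eth2, mlx0, eth1) and the libvirt `virbr0` checksum rule are hardcoded although the file is a `.j2` template; if other NAT hosts use different NICs, variables such as `{{ nat_external_iface }}` (constructed name) would let the role be reused. The `# Generated by iptables-save ... 2016` headers are stale for a hand-maintained file; a line like `# NAT gateway ruleset, managed by the nat_server role` states the intent better.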
@@ -67,13 +68,23 @@ def recursive_chown(path,uidNumber,gidNumber):
         for fname in files:
             os.chown(os.path.join(root, fname), uidNumber, gidNumber)
 
 
+def check_homedir(path,uidNumber,gidNumber):
+    try:
+        si = os.stat(path)
+        if si.st_uid != uidNumber or si.st_gid != gidNumber:
+            raise Exception("user home %s uid %d != %d, gid %d != %d mismatch" % (path,si.st_uid,uidNumber,si.st_gid,gidNumber))
+        return True
+    except:
+        return False
+
+
 
 s=ldapSearchConfig()
 s.ldapserver="{{ ldapURI }}"
 s.binddn="{{ ldapBindDN }}"
 s.bindpw="{{ ldapBindDNPassword }}"
 s.baseDN="{{ ldapBase }}"
-s.searchFilter = "{{ search_filter }}"
+s.searchFilter = "{{ ldap_access_filter }}"
 homeDirEntry= "{{ homeDirEntry }}"
 mnthome = "{{ mnthome }}"
@@ -84,7 +95,8 @@ for user in users:
             path=mnthome+"/"+users[user].entry[homeDirEntry][0].rsplit("/",1)[1]
         else:
             path=users[user].entry[homeDirEntry][0]
-        mk_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
+        if not check_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0])):
+            mk_homedir(path,int(users[user].entry['uidNumber'][0]),int(users[user].entry['gidNumber'][0]))
     except:
         print traceback.format_exc()
         pass
diff --git a/roles/provision_slurm/templates/provision_slurm.py.j2 b/roles/provision_slurm/templates/provision_slurm.py.j2
index 3639d3430bb1d059c583dbec994467665a32550b..0d30d93db6ca656cd2faa82418ae3b72b39dd640 100644
--- a/roles/provision_slurm/templates/provision_slurm.py.j2
+++ b/roles/provision_slurm/templates/provision_slurm.py.j2
@@ -67,7 +67,7 @@ s.ldapserver="{{ ldapURI }}"
 s.binddn="{{ ldapBindDN }}"
 s.bindpw="{{ ldapBindDNPassword }}"
 s.baseDN="{{ ldapBase }}"
-s.searchFilter = "{{ search_filter }}"
+s.searchFilter = "{{ ldap_access_filter }}"
 
 users=get_users(s)
 mk_slurmaccount("default")
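Review bot: `check_homedir`'s bare `except:` turns every failure — missing directory, ownership mismatch (it raises and immediately swallows its own exception), permission errors, even KeyboardInterrupt — into `False`, and the caller in the following hunk then runs `mk_homedir`, whose new `os.chown` plus `recursive_chown` re-own whatever exists at `path` to the LDAP user. When `mnthome` is not in use, `path` is the raw LDAP homeDirectory value, so if that attribute is writable by anyone other than administrators this quietly hands an arbitrary existing tree to the user; at minimum the mismatch should be logged rather than silently "fixed". Catch `OSError` only, return False just for ENOENT, print the mismatch before re-owning, and re-raise anything else so the per-user `traceback.format_exc()` handler reports it (this needs `import errno` at the top of the script, outside the hunk). The same bare `except:` appears in the per-user loop of the third hunk; that one at least prints the traceback.
```python
def check_homedir(path,uidNumber,gidNumber):
    """True when path exists and is already owned by uidNumber:gidNumber.

    Returns False when the directory is missing or has other ownership
    (the caller then creates / re-owns it); any other stat() failure is
    re-raised so the per-user traceback handler reports it.
    """
    try:
        si = os.stat(path)
    except OSError as e:
        if e.errno == errno.ENOENT:
            return False
        raise
    if si.st_uid != uidNumber or si.st_gid != gidNumber:
        print "user home %s uid %d != %d, gid %d != %d mismatch, re-owning" % (path,si.st_uid,uidNumber,si.st_gid,gidNumber)
        return False
    return True
```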
diff --git a/roles/slurm_config/tasks/main.yml b/roles/slurm_config/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8a6768ab999e1b30bade948452f4e5f5f2f9b6f0
--- /dev/null
+++ b/roles/slurm_config/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- name: install slurm.conf
+  copy: src=files/slurm.conf dest={{ slurm_dir }}/etc/slurm.conf
+  sudo: true
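Review bot: `copy: src=files/slurm.conf` names the role's `files/` directory explicitly, but the `copy` module already resolves a relative `src` against `roles/slurm_config/files/`, so `src=slurm.conf` is the conventional form (Ansible's path search usually tolerates the prefix after first trying `files/files/slurm.conf`, but that is worth confirming on the version in use). The task sets neither `owner`/`group`/`mode` on `{{ slurm_dir }}/etc/slurm.conf` nor a `notify:` to restart the slurm daemons, so a changed file lands with whatever permissions the copy module defaults to and is not picked up until something else restarts them; `copy: src=slurm.conf dest={{ slurm_dir }}/etc/slurm.conf owner=root group=root mode=0644` plus a handler would close both gaps. `sudo: true` is the deprecated spelling; the other new role in this commit (nat_server) uses `become: true`, so use that here for consistency.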