diff --git a/roles/openssh/handlers/main.yml b/roles/openssh/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..484369b0bda79ad51a5cd93a13319259d25a6949
--- /dev/null
+++ b/roles/openssh/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+ - name: restart openssh
+ service: name={{ sshd_name }} enabled=yes state=restarted
+ sudo: true
diff --git a/roles/openssh/tasks/installSsh.yml b/roles/openssh/tasks/installSsh.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b7b9a696b6a1beb3de648c60edb300e27e635676
--- /dev/null
+++ b/roles/openssh/tasks/installSsh.yml
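Review bot: The handler item is indented one space under `---` (`+ - name: restart openssh`) while every task file in this role starts its list items flush-left, so the sequence indentation is inconsistent across the role and yamllint's indentation rule will flag one style or the other. Both forms parse, but please pick one role-wide, e.g. `- name: restart openssh` at column 0 with `service:` and `sudo:` indented two spaces beneath it. Since the role ships its own `/etc/init.d/{{ sshd_name }}` script rather than relying on the distro package, a one-line comment on the handler saying that `service: name={{ sshd_name }}` is expected to resolve to that templated script would help the next reader.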
@@ -0,0 +1,58 @@
+- name: install deps
+ apt: name={{ item }} state=installed update_cache=yes
+ sudo: true
+ with_items:
+ - gcc
+ - make
+ - libssl-dev
+ - zlib1g-dev
+ - libpam0g-dev
+ when: ansible_os_family == "Debian"
+
+- name: get ssh source
+ shell: wget http://mirror.aarnet.edu.au/pub/OpenBSD/OpenSSH/portable/openssh-{{ ssh_version }}.tar.gz
+ args:
+ chdir: /tmp
+ creates: /tmp/openssh-{{ ssh_version }}.tar.gz
+
+- name: untar ssh
+ shell: tar zxf /tmp/openssh-{{ ssh_version }}.tar.gz
+ args:
+ chdir: /tmp
+
+- name: build ssh
+ shell: ./configure --prefix={{ ssh_dir }} --with-ipv4-default --with-md5-passwords --with-pam && make
+ args:
+ chdir: /tmp/openssh-{{ ssh_version }}
+ creates: /tmp/openssh-{{ ssh_version }}/ssh
+
+- name: install ssh
+ shell: make install
+ sudo: true
+ args:
+ chdir: /tmp/openssh-{{ ssh_version }}
+ creates: "{{ ssh_dir }}/bin/ssh"
+
+- name: copy init script
+ template: dest=/etc/init.d/{{ sshd_name }} src=ssh.initd.centos.j2 mode=755
+ sudo: true
+ when: ansible_os_family == "RedHat"
+
+- name: copy config script
+ template: dest={{ ssh_dir }}/etc/sshd_config src=sshd_config_centos.j2 mode=644
+ notify: restart openssh
+ sudo: true
+ when: ansible_os_family == "RedHat"
+
+- name: copy init script
+ template: dest=/etc/init.d/{{ sshd_name }} src=ssh.initd.debian.j2 mode=755
+ sudo: true
+ when: ansible_os_family == "Debian"
+
+- name: copy config script
+ template: dest={{ ssh_dir }}/etc/sshd_config src=sshd_config_debian.j2 mode=644
+ notify: restart openssh
+ sudo: true
+ when: ansible_os_family == "Debian"
+
+
diff --git a/roles/openssh/tasks/main.yml b/roles/openssh/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7d83008a498acb3670b406a1843e0daf985d66b
--- /dev/null
+++ b/roles/openssh/tasks/main.yml
@@ -0,0 +1,4 @@
+---
+- include_vars: "{{ ansible_os_family }}_{{ ansible_architecture }}.yml"
+- include: installSsh.yml
+
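Review bot: The `get ssh source` task fetches the OpenSSH tarball with `wget` over plain HTTP and nothing in the hunk checks what arrived before `build ssh` compiles it and `install ssh` installs it as root, so a tampered mirror or an on-path modification of the download becomes the host's sshd. Replace the shell wget with the `get_url` module and a pinned digest kept next to `ssh_version` in the role's vars, e.g. `get_url: url=https://<MIRROR>/openssh-{{ ssh_version }}.tar.gz dest=/tmp/openssh-{{ ssh_version }}.tar.gz sha256sum=<EXPECTED_SHA256>` (placeholders to fill from the upstream release). Two smaller points: `untar ssh` has no `creates:` and so re-extracts over the built tree on every run, and both `copy config script` tasks notify `restart openssh` without checking the rendered file, so an invalid `sshd_config` takes sshd down on the restart; `validate: "{{ ssh_dir }}/sbin/sshd -t -f %s"` on those template tasks would refuse the change instead. The build also happens in the shared `/tmp` as an unprivileged user and is then installed as root from the same directory, which is worth a comment or a dedicated build directory.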
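Review bot: `include_vars: "{{ ansible_os_family }}_{{ ansible_architecture }}.yml"` will not find the Red Hat vars file this commit adds: `ansible_os_family` is reported as `RedHat`, but the file is named `Redhat_x86_64.yml` (lower-case `h`), so on a case-sensitive filesystem the include fails and `sshd_name` is undefined for the tasks that follow. Renaming the file to `RedHat_x86_64.yml` fixes it. The other variables the role relies on (`ssh_version`, `ssh_dir`, `ssh_port`, `ssh_pid_dir`) appear only in `vars/readme.txt`, which nothing loads; unless they are set in the playbook or group vars, they belong in `defaults/main.yml` so the tasks and templates have values.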
diff --git a/roles/openssh/templates/ssh.initd.centos.j2 b/roles/openssh/templates/ssh.initd.centos.j2 new file mode 100755 index 0000000000000000000000000000000000000000..efc7e38dd40e223a45129db4cf6434357eace7d0 --- /dev/null +++ b/roles/openssh/templates/ssh.initd.centos.j2 
@@ -0,0 +1,245 @@ +#!/bin/bash +# +# sshd Start up the OpenSSH server daemon +# +# chkconfig: 2345 55 25 +# description: SSH is a protocol for secure remote shell access. \ +# This service starts up the OpenSSH server daemon. +# +# processname: sshd +# config: /etc/ssh/ssh_host_key +# config: /etc/ssh/ssh_host_key.pub +# config: /etc/ssh/ssh_random_seed +# config: /etc/ssh/sshd_config +# pidfile: /var/run/sshd.pid + +### BEGIN INIT INFO +# Provides: sshd +# Required-Start: $local_fs $network $syslog +# Required-Stop: $local_fs $syslog +# Should-Start: $syslog +# Should-Stop: $network $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start up the OpenSSH server daemon +# Description: SSH is a protocol for secure remote shell access. +# This service starts up the OpenSSH server daemon. +### END INIT INFO + +# source function library +. /etc/rc.d/init.d/functions + +# pull in sysconfig settings +[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd +[ -f /etc/profile.d/modules.sh ] && . /etc/profile.d/modules.sh +module load openssh +RETVAL=0 +prog="ssh" +lockfile=${SSH_HOME}/var/lock/subsys/${prog} + +# Some functions to make the below more readable +KEYGEN=${SSH_HOME}/bin/ssh-keygen +SSHD=${SSH_HOME}/sbin/sshd +SSHD_CONFIG=${SSH_HOME}/etc/sshd_config +RSA1_KEY=${SSH_HOME}/etc/ssh_host_key +RSA_KEY=${SSH_HOME}/etc/ssh_host_rsa_key +DSA_KEY=${SSH_HOME}/etc/ssh_host_dsa_key +PID_FILE=/var/run/sshd.pid +##PID_FILE=${SSH_HOME}/var/run/sshd.pid +SSHD_LOG="${SSH_HOME}/var/log/sshd.log" +OPTIONS="-E ${SSHD_LOG} -f ${SSHD_CONFIG}" +runlevel=$(set -- $(runlevel); eval "echo \$$#" ) + +[ -f ${SSHD_LOG} ] || touch ${SSHD_LOG} + +fips_enabled() { + if [ -r /proc/sys/crypto/fips_enabled ]; then + cat /proc/sys/crypto/fips_enabled + else + echo 0 + fi +} + +do_rsa1_keygen() { + if [ ! -s $RSA1_KEY -a `fips_enabled` -eq 0 ]; then + echo -n $"Generating SSH1 RSA host key: " + rm -f $RSA1_KEY + if test ! 
-f $RSA1_KEY && $KEYGEN -q -t rsa1 -f $RSA1_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA1_KEY + chmod 644 $RSA1_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA1_KEY.pub + fi + success $"RSA1 key generation" + echo + else + failure $"RSA1 key generation" + echo + exit 1 + fi + fi +} + +do_rsa_keygen() { + if [ ! -s $RSA_KEY ]; then + echo -n $"Generating SSH2 RSA host key: " + rm -f $RSA_KEY + if test ! -f $RSA_KEY && $KEYGEN -q -t rsa -f $RSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $RSA_KEY + chmod 644 $RSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $RSA_KEY.pub + fi + success $"RSA key generation" + echo + else + failure $"RSA key generation" + echo + exit 1 + fi + fi +} + +do_dsa_keygen() { + if [ ! -s $DSA_KEY -a `fips_enabled` -eq 0 ]; then + echo -n $"Generating SSH2 DSA host key: " + rm -f $DSA_KEY + if test ! -f $DSA_KEY && $KEYGEN -q -t dsa -f $DSA_KEY -C '' -N '' >&/dev/null; then + chmod 600 $DSA_KEY + chmod 644 $DSA_KEY.pub + if [ -x /sbin/restorecon ]; then + /sbin/restorecon $DSA_KEY.pub + fi + success $"DSA key generation" + echo + else + failure $"DSA key generation" + echo + exit 1 + fi + fi +} + +do_restart_sanity_check() +{ + $SSHD -t + RETVAL=$? + if [ $RETVAL -ne 0 ]; then + failure $"Configuration file or keys are invalid" + echo + fi +} + +start() +{ + [ -x $SSHD ] || exit 5 + [ -f ${SSHD_CONFIG} ] || exit 6 + # Create keys if necessary + if [ "x${AUTOCREATE_SERVER_KEYS}" != xNO ]; then + do_rsa_keygen + if [ "x${AUTOCREATE_SERVER_KEYS}" != xRSAONLY ]; then + do_rsa1_keygen + do_dsa_keygen + fi + fi + + echo -n $"Starting $prog: " + $SSHD $OPTIONS && success || failure + RETVAL=$? + echo "return $RETVAL" + [ $RETVAL -eq 0 ] && touch $lockfile + echo "Start OK" + sleep 2 + cp -f /var/run/sshd.pid ${PID_FILE}; cp -f /var/run/sshd.pid.ori /var/run/sshd.pid + return $RETVAL +} + +stop() +{ + echo -n $"Stopping $prog: " + killproc -p $PID_FILE $SSHD + RETVAL=$? 
+ # if we are in halt or reboot runlevel kill all running sessions + # so the TCP connections are closed cleanly + if [ "x$runlevel" = x0 -o "x$runlevel" = x6 ] ; then + trap '' TERM + killall $prog 2>/dev/null + trap TERM + fi + [ $RETVAL -eq 0 ] && rm -f $lockfile + echo +} + +reload() +{ + echo -n $"Reloading $prog: " + killproc -p $PID_FILE $SSHD -HUP + RETVAL=$? + echo +} + +restart() { + stop + start +} + +force_reload() { + restart +} + +rh_status() { + status -p $PID_FILE openssh-daemon +} + +rh_status_q() { + rh_status >/dev/null 2>&1 +} + +case "$1" in + start) + rh_status_q && exit 0 + start + ;; + stop) + if ! rh_status_q; then + rm -f $lockfile + exit 0 + fi + stop + ;; + restart) + restart + ;; + reload) + rh_status_q || exit 7 + reload + ;; + force-reload) + force_reload + ;; + condrestart|try-restart) + rh_status_q || exit 0 + if [ -f $lockfile ] ; then + do_restart_sanity_check + if [ $RETVAL -eq 0 ] ; then + stop + # avoid race + sleep 3 + start + else + RETVAL=6 + fi + fi + ;; + status) + rh_status + RETVAL=$? + if [ $RETVAL -eq 3 -a -f $lockfile ] ; then + RETVAL=2 + fi + ;; + *) + echo $"Usage: $0 {start|stop|restart|reload|force-reload|condrestart|try-restart|status}" + RETVAL=2 +esac +exit $RETVAL diff --git a/roles/openssh/templates/ssh.initd.debian.j2 b/roles/openssh/templates/ssh.initd.debian.j2 new file mode 100755 index 0000000000000000000000000000000000000000..ed562faf160ae3a25e9907f05e2a580069427910 --- /dev/null +++ b/roles/openssh/templates/ssh.initd.debian.j2 
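Review bot: In `start()` the line `cp -f /var/run/sshd.pid ${PID_FILE}; cp -f /var/run/sshd.pid.ori /var/run/sshd.pid` copies the pid file onto itself — `PID_FILE` is set to `/var/run/sshd.pid` a few lines up — and then copies a `/var/run/sshd.pid.ori` that nothing in the script creates, so every start ends with cp errors and possibly a clobbered pid file that `stop`, `reload` and `status` depend on. Together with the leftover `echo "return $RETVAL"` / `echo "Start OK"` output and the `sleep 2`, these lines read as debugging scaffolding and should be removed. Unlike the Debian template, this file never uses `{{ ssh_dir }}`: every path derives from `${SSH_HOME}`, which only `/etc/sysconfig/sshd` or `module load openssh` can set, so if neither does, the paths collapse to `/sbin/sshd`, `/etc/sshd_config`, `/bin/ssh-keygen`; setting `SSH_HOME="{{ ssh_dir }}"` as the Debian template does would make the two consistent. `do_rsa1_keygen` also generates an SSH1 host key although the shipped config sets `Protocol 2`, so that call can be dropped from `start()`.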
@@ -0,0 +1,196 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: sshd +# Required-Start: $remote_fs $syslog +# Required-Stop: $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: OpenBSD Secure Shell server +### END INIT INFO + +set -e + +# /etc/init.d/ssh: start and stop the OpenBSD "secure shell(tm)" daemon + +test -x /usr/sbin/sshd || exit 0 +( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 + +umask 022 + +if test -f /etc/default/ssh; then + . /etc/default/ssh +fi + +. /lib/lsb/init-functions + +SSH_HOME="{{ ssh_dir }}" +SSHD_LOG_DIR="${SSH_HOME}/var/log" +SSHD_LOG="${SSHD_LOG_DIR}/sshd.log" +PID_DIR="{{ ssh_pid_dir }}" +###PID_DIR="${SSH_HOME}/var/run" +PID_FILE=${PID_DIR}/sshd.pid +SSHD_CONFIG=${SSH_HOME}/etc/sshd_config +SSHD="${SSH_HOME}/sbin/sshd" +SSHD_OPTS="-f ${SSHD_CONFIG}" + +if [ ! -d ${PID_DIR} ]; then + mkdir -p ${PID_DIR} +fi + +if [ ! -d ${SSH_LOG_DIR} ]; then + mkdir -p ${SSH_LOG_DIR} +fi + +if [ ! -f ${SSH_LOG} ]; then + touch ${SSH_LOG} +fi + +if [ -n "$2" ]; then + SSHD_OPTS="$SSHD_OPTS $2" +fi + +# Are we running from init? +run_by_init() { + ([ "$previous" ] && [ "$runlevel" ]) || [ "$runlevel" = S ] +} + +check_for_upstart() { + if init_is_upstart; then + exit $1 + fi +} + +check_for_no_start() { + # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists + if [ -e /etc/ssh/sshd_not_to_be_run ]; then + if [ "$1" = log_end_msg ]; then + log_end_msg 0 || true + fi + if ! run_by_init; then + log_action_msg "OpenBSD Secure Shell server not in use (/etc/ssh/sshd_not_to_be_run)" || true + fi + exit 0 + fi +} + +check_dev_null() { + if [ ! -c /dev/null ]; then + if [ "$1" = log_end_msg ]; then + log_end_msg 1 || true + fi + if ! run_by_init; then + log_action_msg "/dev/null is not a character device!" || true + fi + exit 1 + fi +} + +check_privsep_dir() { + # Create the PrivSep empty dir if necessary + if [ ! 
-d /var/run/sshd ]; then + mkdir /var/run/sshd + chmod 0755 /var/run/sshd + fi +} + +check_config() { + if [ ! -e /etc/ssh/sshd_not_to_be_run ]; then + /usr/sbin/sshd $SSHD_OPTS -t || exit 1 + fi +} + +export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" + +case "$1" in + start) + check_for_upstart 1 + check_privsep_dir + check_for_no_start + check_dev_null + log_daemon_msg "Starting OpenBSD Secure Shell server" "sshd" || true + if start-stop-daemon --start --quiet --oknodo --pidfile ${PID_FILE} --exec ${SSHD} -- $SSHD_OPTS; then + log_end_msg 0 || true + else + log_end_msg 1 || true + fi + ;; + stop) + check_for_upstart 0 + log_daemon_msg "Stopping OpenBSD Secure Shell server" "sshd" || true + if start-stop-daemon --stop --quiet --oknodo --pidfile ${PID_FILE}; then + log_end_msg 0 || true + else + log_end_msg 1 || true + fi + ;; + + reload|force-reload) + check_for_upstart 1 + check_for_no_start + check_config + log_daemon_msg "Reloading OpenBSD Secure Shell server's configuration" "sshd" || true + if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile ${PID_FILE} --exec ${SSHD}; then + log_end_msg 0 || true + else + log_end_msg 1 || true + fi + ;; + + restart) + check_for_upstart 1 + check_privsep_dir + check_config + log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true + start-stop-daemon --stop --quiet --oknodo --retry 30 --pidfile ${PID_FILE} + check_for_no_start log_end_msg + check_dev_null log_end_msg + if start-stop-daemon --start --quiet --oknodo --pidfile ${PID_FILE} --exec ${SSHD} -- $SSHD_OPTS; then + log_end_msg 0 || true + else + log_end_msg 1 || true + fi + ;; + + try-restart) + check_for_upstart 1 + check_privsep_dir + check_config + log_daemon_msg "Restarting OpenBSD Secure Shell server" "sshd" || true + RET=0 + start-stop-daemon --stop --quiet --retry 30 --pidfile ${PID_FILE} || RET="$?" 
+ case $RET in + 0) + # old daemon stopped + check_for_no_start log_end_msg + check_dev_null log_end_msg + if start-stop-daemon --start --quiet --oknodo --pidfile ${PID_FILE} --exec ${SSHD} -- $SSHD_OPTS; then + log_end_msg 0 || true + else + log_end_msg 1 || true + fi + ;; + 1) + # daemon not running + log_progress_msg "(not running)" || true + log_end_msg 0 || true + ;; + *) + # failed to stop + log_progress_msg "(failed to stop)" || true + log_end_msg 1 || true + ;; + esac + ;; + + status) + check_for_upstart 1 + status_of_proc -p ${PID_FILE} ${SSHD} sshd && exit 0 || exit $? + ;; + + *) + log_action_msg "Usage: $0 {start|stop|reload|force-reload|restart|try-restart|status}" || true + exit 1 +esac + +exit 0 diff --git a/roles/openssh/templates/sshd_config_centos.j2 b/roles/openssh/templates/sshd_config_centos.j2 new file mode 100644 index 0000000000000000000000000000000000000000..0e6611a0a48ffbfad18282d6552a111eb5c4d736 --- /dev/null +++ b/roles/openssh/templates/sshd_config_centos.j2 
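Review bot: The top-of-file guards `test -x /usr/sbin/sshd || exit 0` and the `/usr/sbin/sshd -\? ... | grep -q OpenSSH` probe, and `check_config`'s `/usr/sbin/sshd $SSHD_OPTS -t`, all run the distro's `/usr/sbin/sshd` instead of `${SSHD}` (`{{ ssh_dir }}/sbin/sshd`), so the script silently exits 0 when the packaged sshd is absent and otherwise validates the custom build's config with a different binary. Replace those three occurrences with `${SSHD}`, moving the two guards below the variable definitions. The log-directory setup tests `${SSH_LOG_DIR}` and `${SSH_LOG}`, which are never assigned — the variables defined above are `SSHD_LOG_DIR` and `SSHD_LOG` — so neither the directory nor the file is created; `SSHD_OPTS` does not pass `-E`, so nothing uses them yet, but the names should agree. `check_privsep_dir` hard-codes `/var/run/sshd`, while the configure line in `installSsh.yml` passes no `--with-privsep-path` (the OpenSSH default is `/var/empty`); please confirm which directory the built binary expects and create that one.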
@@ -0,0 +1,138 @@ +# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $ + +# This is the sshd server system-wide configuration file. See +# sshd_config(5) for more information. + +# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin + +# The strategy used for options in the default sshd_config shipped with +# OpenSSH is to specify options with their default value where +# possible, but leave them commented. Uncommented options change a +# default value. + +Port {{ ssh_port }} +#AddressFamily any +#ListenAddress 0.0.0.0 +#ListenAddress :: + +# Disable legacy (protocol version 1) support in the server for new +# installations. In future the default will change to require explicit +# activation of protocol 1 +Protocol 2 + +# HostKey for protocol version 1 +#HostKey /etc/ssh/ssh_host_key +# HostKeys for protocol version 2 +#HostKey /etc/ssh/ssh_host_rsa_key +#HostKey /etc/ssh/ssh_host_dsa_key + +# Lifetime and size of ephemeral version 1 server key +#KeyRegenerationInterval 1h +#ServerKeyBits 1024 + +# Logging +# obsoletes QuietMode and FascistLogging +#SyslogFacility AUTH +SyslogFacility AUTHPRIV +#LogLevel INFO + +# Authentication: + +#LoginGraceTime 2m +#PermitRootLogin yes +#StrictModes yes +#MaxAuthTries 6 +#MaxSessions 10 + +#RSAAuthentication yes +#PubkeyAuthentication yes +#AuthorizedKeysFile .ssh/authorized_keys +#AuthorizedKeysCommand none +#AuthorizedKeysCommandRunAs nobody + +# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts +#RhostsRSAAuthentication no +# similar for protocol version 2 +#HostbasedAuthentication no +# Change to yes if you don't trust ~/.ssh/known_hosts for +# RhostsRSAAuthentication and HostbasedAuthentication +#IgnoreUserKnownHosts no +# Don't read the user's ~/.rhosts and ~/.shosts files +#IgnoreRhosts yes + +# To disable tunneled clear text passwords, change to no here! 
+#PasswordAuthentication yes +#PermitEmptyPasswords no +PasswordAuthentication no + +# Change to no to disable s/key passwords +#ChallengeResponseAuthentication yes +ChallengeResponseAuthentication yes + +# Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes +#KerberosGetAFSToken no +#KerberosUseKuserok yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPIAuthentication yes +#GSSAPICleanupCredentials yes +#GSSAPICleanupCredentials yes +#GSSAPIStrictAcceptorCheck yes +#GSSAPIKeyExchange no + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. 
+#UsePAM no +UsePAM yes + +# Accept locale-related environment variables +AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES +AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT +AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE +AcceptEnv XMODIFIERS + +#AllowAgentForwarding yes +#AllowTcpForwarding yes +#GatewayPorts no +#X11Forwarding no +X11Forwarding yes +#X11DisplayOffset 10 +#X11UseLocalhost yes +#PrintMotd yes +#PrintLastLog yes +#TCPKeepAlive yes +#UseLogin no +#UsePrivilegeSeparation yes +#PermitUserEnvironment no +#Compression delayed +#ClientAliveInterval 0 +#ClientAliveCountMax 3 +#ShowPatchLevel no +#UseDNS yes +#PidFile /var/run/sshd.pid +#MaxStartups 10:30:100 +#PermitTunnel no +#ChrootDirectory none + +# no default banner path +#Banner none + +# override default of no subsystems +Subsystem sftp /usr/libexec/openssh/sftp-server + +# Example of overriding settings on a per-user basis +#Match User anoncvs +# X11Forwarding no +# AllowTcpForwarding no +# ForceCommand cvs server diff --git a/roles/openssh/templates/sshd_config_debian.j2 b/roles/openssh/templates/sshd_config_debian.j2 new file mode 100644 index 0000000000000000000000000000000000000000..32684fa6ad0219fc16dcee7b541b6fce66518651 --- /dev/null +++ b/roles/openssh/templates/sshd_config_debian.j2 
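Review bot: `PasswordAuthentication no` is undone by the combination `ChallengeResponseAuthentication yes` and `UsePAM yes` that follows — with PAM enabled, keyboard-interactive authentication still prompts for and accepts the account password, exactly as the comment block above `UsePAM` in this file warns. The Debian template in this commit sets `ChallengeResponseAuthentication no`; this file should match it so password logins are actually disabled on both families. The two templates also diverge on `PermitRootLogin` (Debian sets `without-password`, this file leaves the commented default, which is `yes` for this release) and on `X11Forwarding yes`, which is enabled here without a stated reason. `Subsystem sftp /usr/libexec/openssh/sftp-server` points at the distro package's binary rather than the one the prefix build installs under `{{ ssh_dir }}/libexec/sftp-server`; the Debian template has the same problem with `/usr/lib/openssh/sftp-server`.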
@@ -0,0 +1,88 @@ +# Package generated configuration file +# See the sshd_config(5) manpage for details + +# What ports, IPs and protocols we listen for +Port {{ ssh_port }} +# Use these options to restrict which interfaces/protocols sshd will bind to +#ListenAddress :: +#ListenAddress 0.0.0.0 +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +HostKey /etc/ssh/ssh_host_ecdsa_key +HostKey /etc/ssh/ssh_host_ed25519_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 1024 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 120 +PermitRootLogin without-password +StrictModes yes + +RSAAuthentication yes +PubkeyAuthentication yes +#AuthorizedKeysFile %h/.ssh/authorized_keys + +# Don't read the user's ~/.rhosts and ~/.shosts files +IgnoreRhosts yes +# For this to work you will also need host keys in /etc/ssh_known_hosts +RhostsRSAAuthentication no +# similar for protocol version 2 +HostbasedAuthentication no +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +PermitEmptyPasswords no + +# Change to yes to enable challenge-response passwords (beware issues with +# some PAM modules and threads) +ChallengeResponseAuthentication no + +# Change to no to disable tunnelled clear text passwords +PasswordAuthentication no + +# Kerberos options +#KerberosAuthentication no +#KerberosGetAFSToken no +#KerberosOrLocalPasswd yes +#KerberosTicketCleanup yes + +# GSSAPI options +#GSSAPIAuthentication no +#GSSAPICleanupCredentials yes + +X11Forwarding yes +X11DisplayOffset 10 +PrintMotd no +PrintLastLog yes +TCPKeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +Banner /etc/ssh/sshd_banner + +# Allow client to pass locale environment variables 
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/roles/openssh/vars/Debian_x86_64.yml b/roles/openssh/vars/Debian_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..dab5767eff4ff8af6dbf92d8ff95241e2b085c1e
--- /dev/null
+++ b/roles/openssh/vars/Debian_x86_64.yml
@@ -0,0 +1,2 @@
+sshd_name: "ssh"
+
diff --git a/roles/openssh/vars/Redhat_x86_64.yml b/roles/openssh/vars/Redhat_x86_64.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c1671efa53e4a0f1d231d98ac0799f99e336470
--- /dev/null
+++ b/roles/openssh/vars/Redhat_x86_64.yml
@@ -0,0 +1,2 @@
+sshd_name: "sshd"
+
diff --git a/roles/openssh/vars/readme.txt b/roles/openssh/vars/readme.txt
new file mode 100644
index 0000000000000000000000000000000000000000..96847e78d42babf68e2b85fdaa4db5cdbfc68e0f
--- /dev/null
+++ b/roles/openssh/vars/readme.txt
@@ -0,0 +1,6 @@
+ssh_version: "6.8p1"
+ssh_dir: "/opt/openssh-{{ ssh_version }}"
+ssh_port: "22"
+ssh_pid_dir: "/var/run"
+sshd_name: "ssh"
+
diff --git a/roles/slurm-from-source/tasks/main.yml b/roles/slurm-from-source/tasks/main.yml
index 28d6fcad8ce901a6f0a467d6a469d52410d5198a..1fa874cbab3f8a106551190f33ce070447435880 100644
--- a/roles/slurm-from-source/tasks/main.yml
+++ b/roles/slurm-from-source/tasks/main.yml
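Review bot: The four `HostKey /etc/ssh/ssh_host_*_key` lines point the prefix-built sshd at the distro package's host keys, whereas the source build's `make install` in `installSsh.yml` creates its own keys under `{{ ssh_dir }}/etc/`; where a packaged key is missing (commonly `ssh_host_ecdsa_key` or `ssh_host_ed25519_key` on an older host) sshd logs a load error for each and starts with whichever remain. Either use `{{ ssh_dir }}/etc/ssh_host_rsa_key` and friends, or drop the `HostKey` lines and rely on the compiled-in defaults as the CentOS template does, and say which in a comment. `Banner /etc/ssh/sshd_banner` likewise names a file nothing in this role creates. `Subsystem sftp /usr/lib/openssh/sftp-server` has the same distro-path problem as the CentOS template's `Subsystem` line.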
@@ -35,6 +35,7 @@ - name: create state directory file: path={{ slurmstatedir }} state=directory owner=slurm group=slurm mode=750 + sudo: true when: slurmstatedir is defined @@ -65,6 +66,8 @@ - bzip2-devel - hwloc - hwloc-devel + - lua + - lua-devel sudo: true when: ansible_os_family == "RedHat" @@ -131,7 +134,7 @@ template: src=slurm.conf.j2 dest={{ slurm_dir }}/etc/slurm.conf sudo: true notify: restart slurm - when: slurm_use_vpn==False and slurm_gres_list is defined + when: slurm_use_vpn==False - name: install slurm.conf template: src=slurm-vpn.conf.j2 dest={{ slurm_dir }}/etc/slurm.conf @@ -143,6 +146,13 @@ sudo: true when: ansible_os_family == 'RedHat' +- name: setup plugin + template: src=job_submit.lua.j2 dest={{ slurm_dir }}/etc/job_submit.lua + delegate_to: "{{ slurmctrl }}" + run_once: true + sudo: true + when: slurm_lua + - include: installCgroup.yml - include: installNhc.yml diff --git a/roles/slurm-from-source/templates/gres.conf.j2 b/roles/slurm-from-source/templates/gres.conf.j2 index 6ff44e6bbfe6a88eecaf49a271f25aa0b6e036cc..a3bbf7199baffd6c7e154e898d36cf2857afdc57 100644 --- a/roles/slurm-from-source/templates/gres.conf.j2 +++ b/roles/slurm-from-source/templates/gres.conf.j2 @@ -1,3 +1,3 @@ {% for gr in slurm_gres_list %} -Name={{ gr.name }} Type={{ slurm_generic_resource.stdout }} File={{ gr.file }} +Name={{ gr.name }} File={{ gr.file }} {% endfor %} diff --git a/roles/slurm-from-source/templates/job_submit.lua.j2 b/roles/slurm-from-source/templates/job_submit.lua.j2 new file mode 100644 index 0000000000000000000000000000000000000000..3914cb4ab28d75795d029e7351365c9999ebeab8 --- /dev/null +++ b/roles/slurm-from-source/templates/job_submit.lua.j2 
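Review bot: The new `setup plugin` task is gated on `when: slurm_lua`, and the `slurm.conf.j2` hunk in this commit tests `{% if slurm_lua %}` the same way, but the diff adds no default for `slurm_lua`; unless it is defined in the role's defaults outside this diff, hosts that do not set it fail with an undefined-variable error instead of skipping the plugin. Add `slurm_lua: false` to `defaults/main.yml`, or write both conditions as `slurm_lua is defined and slurm_lua`. The task also renders `job_submit.lua` via `delegate_to: "{{ slurmctrl }}"` with `run_once: true` and no `notify:`, which is fine only if slurmctld picks up changes to the script on its own; a one-line comment stating that would explain why `install slurm.conf` notifies `restart slurm` and this task does not. In the `-131,7 +134,7` hunk, dropping `slurm_gres_list is defined` from the `when:` means `slurm.conf.j2` must now tolerate that variable being undefined wherever it references it.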
@@ -0,0 +1,35 @@ +--[[ + + Example lua script demonstrating the SLURM job_submit/lua interface. + This is only an example, not meant for use in its current form. + + Leave the function names, arguments, local varialbes and setmetatable + set up logic in each function unchanged. Change only the logic after + the lSUCCESSine containing "*** YOUR LOGIC GOES BELOW ***". + + For use, this script should be copied into a file name "job_submit.lua" + in the same directory as the SLURM configuration file, slurm.conf. + +--]] + +function slurm_job_submit(job_desc, part_list, submit_uid) + + if (job_desc.gres and string.find(job_desc.gres,"gpu")) then + slurm.log_info("generic resource GPU") + job_desc.partition = "vis" + return slurm.SUCCESS + end +end + +function slurm_job_modify(job_desc, job_rec, part_list, modify_uid) + return slurm.SUCCESS +end + + +log_msg = slurm.log_info +log_verbose = slurm.log_verbose +log_debug = slurm.log_debug +log_err = slurm.error +log_user = slurm.log_user + +return slurm.SUCCESS diff --git a/roles/slurm-from-source/templates/slurm.conf.j2 b/roles/slurm-from-source/templates/slurm.conf.j2 index e43478b84967c0d5657a21fad8801032da02a80a..949730f6e30bc6c0edfc56c40c7544c51347c690 100644 --- a/roles/slurm-from-source/templates/slurm.conf.j2 +++ b/roles/slurm-from-source/templates/slurm.conf.j2 @@ -46,7 +46,9 @@ ReturnToService=1 TaskPlugin=task/cgroup #TaskPlugin=task/affinity #TaskPlugin=task/affinity,task/cgroup -#JobSubmitPlugins=lua +{% if slurm_lua %} +JobSubmitPlugins=lua +{% endif %} OverTimeLimit=1 CompleteWait=10 @@ -69,6 +71,9 @@ SchedulerType={{ slurmschedulertype }} #SchedulerPort= #SchedulerRootFilter= SelectType={{ slurmselecttype }} +{% if slurmselecttype.find("cons_res") > 0 %} +SelectTypeParameters=CR_Core_Memory +{% endif %} FastSchedule={{ slurmfastschedule }} #PriorityType=priority/multifactor #PriorityFlags=Ticket_Based 
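Review bot: `slurm_job_submit` only returns a value inside the GPU branch; for every other job it falls off the end and returns nil, so the plugin's return code for the common case is left implicit. Add `return slurm.SUCCESS` as the function's last statement, after the `if` block, so both paths are explicit. The header comment still says the script is "only an example, not meant for use in its current form" and contains the garbled word `lSUCCESSine` (for "line"); since the role now deploys this file, replace that block with a short description of the site policy it implements — jobs whose `gres` string contains `gpu` are moved to the `vis` partition — and consider templating the partition name rather than hard-coding `"vis"`.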
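Review bot: `{% if slurmselecttype.find("cons_res") > 0 %}` misses a match at offset 0, because `find` returns 0 for a substring at the start and -1 for no match; the `NodeName` line later in this template already uses `.find('vis') != -1`, so use the same form here: `{% if slurmselecttype.find("cons_res") != -1 %}`. With the usual value `select/cons_res` the current test happens to pass, which is why it would only surface once someone sets the variable without the `select/` prefix.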
@@ -141,7 +146,7 @@ MpiParams=ports=12000-12999 {% endfor %} {% endfor %} {% for node in nodelist|unique %} -NodeName={{ node }} Procs={{ hostvars[node]['ansible_processor_vcpus'] }} RealMemory={{ hostvars[node].ansible_memory_mb.real.total }} Sockets={{ hostvars[node]['ansible_processor_vcpus'] }} CoresPerSocket=1 ThreadsPerCore={{ hostvars[node].ansible_processor_threads_per_core }} {% if hostvars[node].ansible_hostname.find('vis') != -1 %}Gres=gpu{% if hostvars[node].ansible_hostname.find('k1') > 0 %}:k1{% endif %}{% if hostvars[node].ansible_hostname.find('k2') > 0 %}:k2{% endif %}:1{% endif %} {% if hostvars[node]['ansible_processor_vcpus'] == 1 %}Weight=1{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 1 and hostvars[node]['ansible_processor_vcpus'] <= 16 %}Weight=3{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 16 and hostvars[node]['ansible_processor_vcpus'] <= 20 %}Weight=5{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 20 and hostvars[node]['ansible_processor_vcpus'] <= 40 %}Weight=7{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 40 and hostvars[node]['ansible_processor_vcpus'] <= 64 %}Weight=8{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 64 and hostvars[node]['ansible_processor_vcpus'] <= 128 %}Weight=9{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 128 %}Weight=10{% endif %} Feature=stage1 State=UNKNOWN +NodeName={{ node }} Procs={{ hostvars[node]['ansible_processor_vcpus'] }} RealMemory={{ hostvars[node].ansible_memory_mb.real.total }} Sockets={{ hostvars[node]['ansible_processor_vcpus'] }} CoresPerSocket=1 ThreadsPerCore={{ hostvars[node].ansible_processor_threads_per_core }} {% if hostvars[node].ansible_hostname.find('vis') != -1 %}Gres=gpu:1{% endif %} {% if hostvars[node]['ansible_processor_vcpus'] == 1 %}Weight=1{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 1 and hostvars[node]['ansible_processor_vcpus'] <= 16 %}Weight=3{% endif %}{% if 
hostvars[node]['ansible_processor_vcpus'] > 16 and hostvars[node]['ansible_processor_vcpus'] <= 20 %}Weight=5{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 20 and hostvars[node]['ansible_processor_vcpus'] <= 40 %}Weight=7{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 40 and hostvars[node]['ansible_processor_vcpus'] <= 64 %}Weight=8{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 64 and hostvars[node]['ansible_processor_vcpus'] <= 128 %}Weight=9{% endif %}{% if hostvars[node]['ansible_processor_vcpus'] > 128 %}Weight=10{% endif %} Feature=stage1 State=UNKNOWN {% endfor %} {% for queue in slurmqueues %}
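Review bot: The rewritten `NodeName` line repeats `hostvars[node]['ansible_processor_vcpus']` fourteen times inside a chain of `{% if %}` weight buckets, which makes the one real change in this hunk (the gres expression reduced to `Gres=gpu:1`) hard to spot. Hoisting the value once per iteration with `{% set vcpus = hostvars[node]['ansible_processor_vcpus'] %}` at the top of the loop body, and selecting the weight in a separate `{% set %}` before the `NodeName` line, would keep the rendered output identical while making the template readable. The `vis`-in-hostname test that assigns `Gres=gpu:1` encodes a naming convention rather than a hardware fact; a comment stating that GPU nodes are expected to carry `vis` in their hostname, or an explicit list variable, would make that assumption visible.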