Skip to content
Snippets Groups Projects

Compare revisions

Changes are shown as if the source revision was being merged into the target revision. Learn more about comparing revisions.

Source

Select target project
No results found

Target

Select target project
  • hpc-team/HPCasCode
  • chines/ansible_cluster_in_a_box
2 results
Show changes
Hide whitespace changes
Inline Side-by-side
Showing
with 1761 additions and 155 deletions
roles/extra_packages/vars/CentOS_7.yml 0 → 100644
View file @ cae6bd7b
extra_packages:
- '@Development Tools'
- '@^Server with GUI'
- '@^GNOME Desktop'
- '@^KDE Plasma Workspaces'
- lzip
- screen
- mailx
- subversion
- mlocate
- finger
- python-devel
- python-pip
- python-wheel
- openldap-devel
- lapack
- blas
- gcc-c++
- psmisc
- iotop
#- @X Window System
- libX11-devel
- moreutils
- traceroute
- tmux
- git
- subversion
- numactl
- numactl-libs
- numactl-devel
#stuff for relion
- vim
- gedit
- m4
- flex
- flex-devel
- bison
- bison-devel
- zlib
- autogen
- rsync
- tcl-devel.x86_64
- tclx-devel.x86_64
- glibc-devel.i686
- zlib-devel
- pam-devel
- tk-devel
- texinfo
#- cpufrequtils-devel.x86_64
#- cpufrequtils.x86_64
- openssl
- openssl-devel
- gstreamer-devel.x86_64
- gstreamer-plugins-base-devel.x86_64
- libcurl-devel
- libXmu-devel.x86_64 # for matlab GUI
- xauth
- gtk+-devel
- gtk2-devel
- libidn-devel.x86_64
- libacl-devel.x86_64
- ncurses-devel.x86_64
- nasm.x86_64
- glibmm24-devel
- gtkmm24-devel
- gtkglext-devel
- gsl-devel
- mesa-libGL-devel
- mesa-libGLU-devel
- libpng
- texlive
- libjpeg-turbo-devel
- libjpeg-turbo
- libjpeg-turbo-utils
- libtiff
- libtiff-devel
- libtiff-tools
- levien-inconsolata-fonts.noarch
- java-1.7.0-openjdk
- java-1.7.0-openjdk-devel
- java-1.7.0-openjdk-javadoc
- java-1.8.0-openjdk
- java-1.8.0-openjdk-devel
- java-1.8.0-openjdk-javadoc
# stuff because bioinformatics need it for ubuntu
- ruby
- java-1.7.0-openjdk
- mysql-devel
- iptraf #for ip traffic monitoring
#- '"@GNOME Desktop"'
# lua stuff for lmod
- lua
- lua-filesystem
- lua-posix
- tcl
- rsync
- gcc
- lua-devel
# for physics c/o mark flegg
- cmake
- vtk-devel
- boost
- boost-devel
#- netcdf-devel
#- netcdf-cxx
- jsoncpp-devel.x86_64
- numpy
- vtk-python
- python-matplotlib
# jagmohan
- blas-static
- lapack-static
# James Venning (Water Channel)
- fftw-libs-single-3.3.3-8.el7
- fftw-libs-double-3.3.3-8.el7
- fftw-libs-long-3.3.3-8.el7
- fftw-libs-3.3.3-8.el7
- fftw2-2.1.5-26.el7
- fftw2-devel-2.1.5-26.el7
# ftp needed
- ftp
# gpm-libs for midnight commander
- gpm-libs
# jna for netcdf
- jna
- jna-javadoc
- jna-contrib
#underworld
- gl2ps
- gl2ps-devel
- SDL
- SDL-devel
- freeglut
- freeglut-devel
#
- qt-devel
# perf for Ehsan performance
- perf
- xorg-x11-server-Xvfb
# user request. login node only?
- nedit
#namd 2.9 needs 32 bit libraries
- libstdc++.i686
# eigen for yade
- eigen3-devel
- eigen3-doc.noarch
- sqlite
- vtk
- vtk-devel
- suitesparse
- suitesparse-devel
- mpfr
- mpfr-devel
- metis
- metis-devel
- metis64
- metis64-devel
- openblas
- openblas-devel
# for octopus
- libxc
- libxc-devel
# for atop
- atop
# for Andreas Ernst
- emacs
- zsh
# RT #9173
- gnuplot
# for linuxbrew
- perl-CPAN
roles/extra_packages/vars/Ubuntu_14.yml 0 → 100644
View file @ cae6bd7b
# all packages to be installed on centos 7
extra_packages:
- screen
- mailutils
- subversion
- finger
- python-dev
- python-pip
- python-wheel
- python-numpy
- python-matplotlib
- liblapack-dev
- liblapack-doc
#python-dev libldap2-dev libsasl2-dev libssl-dev
- libsasl2-dev
- libldap2-dev
- libsasl2-dev
- libssl-dev
- libblas-dev
- libblas-doc
- g++
- psmisc
- iotop
- xorg
- openbox
- libx11-dev
- moreutils
- traceroute
- tmux
- git
- subversion
- numactl
- libnuma1
- libnuma-dev
- libncurses5-dev
- ncurses-dev
- unzip
- libpng12-dev
- texlive
- openjdk-7-jdk
- libjpeg62
- libjpeg62-dev
#- libjpeg-turbo8-dev
#- libjpeg8-dev #for tiff
#- libtiff5
#- libtiff5-dev
#- libtiff-tools
- texlive-fonts-extra
# stuff because bioinformatics need it for ubuntu
- ruby
- openjdk-7-jre
- libmysqlclient-dev
- iptraf
- iptraf-ng #for ip traffic monitoring
# - gnome-shell
# - ubuntu-gnome-desktop #gnome desktop
- vim
#lua stuff for lmod
- lua5.2
- lua5.2
- lua-filesystem
- lua-bitop
- lua-posix
- liblua5.2-0
- liblua5.2-dev
- tcl
# for bioinformatics
- ant
- golang
- ipython
- htop
# yade for LOUIS KING * civil engineering
- yade
- zsh
# adele request (bioinformatics)
# linuxbrew
- build-essential
- curl
- git
- python-setuptools
- ruby
# adele
- ncbi-blast+
- bedtools
- cd-hit
- mcl
- parallel
- cpanminus
- prank
- mafft
- fasttree
- pandoc
# chris request utility packages
- liblzma-dev
- libpcre3-dev
- libcurl4-openssl-dev
roles/extra_rpms/vars/main.yml roles/extra_packages/vars/main.yml
View file @ cae6bd7b
...@@ -151,7 +151,7 @@ pkgs: ...@@ -151,7 +151,7 @@ pkgs:
- perl-ExtUtils-MakeMaker - perl-ExtUtils-MakeMaker
- perl-ExtUtils-ParseXS - perl-ExtUtils-ParseXS
- perl-HTML-Parser - perl-HTML-Parser
- perl-HTML-Tagset - perl-HTML-Tagset
- perl-Test-Harness - perl-Test-Harness
- perl-Time-HiRes - perl-Time-HiRes
- pexpect - pexpect
...@@ -189,7 +189,8 @@ pkgs: ...@@ -189,7 +189,8 @@ pkgs:
- qt-sqlite - qt-sqlite
- qt-x11 - qt-x11
- rhino - rhino
- rsync - rsync
- samba-client
- scipy - scipy
- spice-vdagent - spice-vdagent
- suitesparse - suitesparse
...@@ -208,7 +209,7 @@ pkgs: ...@@ -208,7 +209,7 @@ pkgs:
- util-linux-ng - util-linux-ng
- uuid - uuid
- vim-X11 - vim-X11
- vim-common - vim-common
- vim-enhanced - vim-enhanced
- vim-minimal - vim-minimal
- wacomexpresskeys - wacomexpresskeys
......
roles/extra_rpms/tasks/main.yml deleted 100644 → 0
View file @ 31f81930
---
- name: "Install extra packages"
yum: "name={{ item }} state=latest"
with_items:
pkgs
sudo: true
when: ansible_os_family == 'RedHat'
roles/fail2ban/handlers/main.yml 0 → 100644
View file @ cae6bd7b
---
- name: restart fail2ban
systemd:
name: fail2ban
enabled: yes
state: restarted
become: true
become_user: root
roles/fail2ban/tasks/main.yml 0 → 100644
View file @ cae6bd7b
---
- name: Install fail2ban on Red Hat system
yum:
name:
- fail2ban-server
- fail2ban-sendmail
state: present
become: true
become_user: root
when: ansible_os_family == "RedHat"
- name: Copy jail.conf.j2 to /etc/fail2ban/jail.conf
template:
src: jail.conf.j2
dest: /etc/fail2ban/jail.conf
backup: yes
mode: 0644
owner: root
group: root
become: true
become_user: root
notify:
- restart fail2ban
- name: Enable fail2ban service
systemd:
name: fail2ban
enabled: yes
state: started
become: true
become_user: root
roles/fail2ban/templates/jail.conf.j2 0 → 100644
View file @ cae6bd7b
#
# WARNING: heavily refactored in 0.9.0 release. Please review and
# customize settings for your setup.
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.:
#
# HOW TO ACTIVATE JAILS:
#
# YOU SHOULD NOT MODIFY THIS FILE.
#
# It will probably be overwritten or improved in a distribution update.
#
# Provide customizations in a jail.local file or a jail.d/customisation.local.
# For example to change the default bantime for all jails and to enable the
# ssh-iptables jail the following (uncommented) would appear in the .local file.
# See man 5 jail.conf for details.
#
# [DEFAULT]
# bantime = 3600
#
# [sshd]
# enabled = true
#
# See jail.conf(5) man page for more information
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
[INCLUDES]
#before = paths-distro.conf
before = paths-fedora.conf
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space (and/or comma) separator.
#ignoreip = 127.0.0.1/8
ignoreip = {{ fail2ban_whitelist_all }}
# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command <ip>
ignorecommand =
# "bantime" is the number of seconds that a host is banned.
bantime = 600
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = 600
# "maxretry" is the number of failures before a host get banned.
maxretry = 5
# "backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = auto
# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
# raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
usedns = warn
# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = auto
# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = false
# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = %(__name__)s
#
# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = root@localhost
# Sender email address used solely for some actions
sender = root@localhost
# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = sendmail
# Default protocol
protocol = tcp
# Specify chain where jumps would need to be added in iptables-* actions
chain = INPUT
# Ports to be banned
# Usually should be overridden in a particular jail
port = 0:65535
# Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
fail2ban_agent = Fail2Ban/%(fail2ban_version)s
#
# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = iptables-multiport
banaction_allports = iptables-allports
# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
#
# Report ban via badips.com (uses action.d/badips.conf for reporting only)
#
action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = %(action_)s
#
# JAILS
#
#
# SSH servers
#
[sshd]
# To use more aggressive sshd filter (inclusive sshd-ddos failregex):
#filter = sshd-aggressive
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[sshd-ddos]
# This jail corresponds to the standard configuration in Fail2ban.
# The mail-whois action send a notification e-mail with a whois request
# in the body.
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
[dropbear]
port = ssh
logpath = %(dropbear_log)s
backend = %(dropbear_backend)s
[selinux-ssh]
port = ssh
logpath = %(auditd_log)s
#
# HTTP servers
#
[apache-auth]
port = http,https
logpath = %(apache_error_log)s
[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
port = http,https
logpath = %(apache_access_log)s
bantime = 172800
maxretry = 1
[apache-noscript]
port = http,https
logpath = %(apache_error_log)s
[apache-overflows]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-nohome]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-botsearch]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-fakegooglebot]
port = http,https
logpath = %(apache_access_log)s
maxretry = 1
ignorecommand = %(ignorecommands_dir)s/apache-fakegooglebot <ip>
[apache-modsecurity]
port = http,https
logpath = %(apache_error_log)s
maxretry = 2
[apache-shellshock]
port = http,https
logpath = %(apache_error_log)s
maxretry = 1
[openhab-auth]
filter = openhab
action = iptables-allports[name=NoAuthFailures]
logpath = /opt/openhab/logs/request.log
[nginx-http-auth]
port = http,https
logpath = %(nginx_error_log)s
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx documentation
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
[nginx-limit-req]
port = http,https
logpath = %(nginx_error_log)s
[nginx-botsearch]
port = http,https
logpath = %(nginx_error_log)s
maxretry = 2
# Ban attackers that try to use PHP's URL-fopen() functionality
# through GET/POST variables. - Experimental, with more than a year
# of usage in production environments.
[php-url-fopen]
port = http,https
logpath = %(nginx_access_log)s
%(apache_access_log)s
[suhosin]
port = http,https
logpath = %(suhosin_log)s
[lighttpd-auth]
# Same as above for Apache's mod_auth
# It catches wrong authentifications
port = http,https
logpath = %(lighttpd_error_log)s
#
# Webmail and groupware servers
#
[roundcube-auth]
port = http,https
logpath = %(roundcube_errors_log)s
[openwebmail]
port = http,https
logpath = /var/log/openwebmail.log
[horde]
port = http,https
logpath = /var/log/horde/horde.log
[groupoffice]
port = http,https
logpath = /home/groupoffice/log/info.log
[sogo-auth]
# Monitor SOGo groupware server
# without proxy this would be:
# port = 20000
port = http,https
logpath = /var/log/sogo/sogo.log
[tine20]
logpath = /var/log/tine20/tine20.log
port = http,https
#
# Web Applications
#
#
[drupal-auth]
port = http,https
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[guacamole]
port = http,https
logpath = /var/log/tomcat*/catalina.out
[monit]
#Ban clients brute-forcing the monit gui login
port = 2812
logpath = /var/log/monit
[webmin-auth]
port = 10000
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[froxlor-auth]
port = http,https
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
#
# HTTP Proxy servers
#
#
[squid]
port = 80,443,3128,8080
logpath = /var/log/squid/access.log
[3proxy]
port = 3128
logpath = /var/log/3proxy.log
#
# FTP servers
#
[proftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(proftpd_log)s
backend = %(proftpd_backend)s
[pure-ftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(pureftpd_log)s
backend = %(pureftpd_backend)s
[gssftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
[wuftpd]
port = ftp,ftp-data,ftps,ftps-data
logpath = %(wuftpd_log)s
backend = %(wuftpd_backend)s
[vsftpd]
# or overwrite it in jails.local to be
# logpath = %(syslog_authpriv)s
# if you want to rely on PAM failed login attempts
# vsftpd's failregex should match both of those formats
port = ftp,ftp-data,ftps,ftps-data
logpath = %(vsftpd_log)s
#
# Mail servers
#
# ASSP SMTP Proxy Jail
[assp]
port = smtp,465,submission
logpath = /root/path/to/assp/logs/maillog.txt
[courier-smtp]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[postfix-rbl]
port = smtp,465,submission
logpath = %(postfix_log)s
backend = %(postfix_backend)s
maxretry = 1
[sendmail-auth]
port = submission,465,smtp
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[sendmail-reject]
port = smtp,465,submission
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[qmail-rbl]
filter = qmail
port = smtp,465,submission
logpath = /service/qmail/log/main/current
# dovecot defaults to logging to the mail syslog facility
# but can be set by syslog_facility in the dovecot configuration.
[dovecot]
port = pop3,pop3s,imap,imaps,submission,465,sieve
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[sieve]
port = smtp,465,submission
logpath = %(dovecot_log)s
backend = %(dovecot_backend)s
[solid-pop3d]
port = pop3,pop3s
logpath = %(solidpop3d_log)s
[exim]
port = smtp,465,submission
logpath = %(exim_main_log)s
[exim-spam]
port = smtp,465,submission
logpath = %(exim_main_log)s
[kerio]
port = imap,smtp,imaps,465
logpath = /opt/kerio/mailserver/store/logs/security.log
#
# Mail servers authenticators: might be used for smtp,ftp,imap servers, so
# all relevant ports get banned
#
[courier-auth]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[postfix-sasl]
port = smtp,465,submission,imap3,imaps,pop3,pop3s
# You might consider monitoring /var/log/mail.warn instead if you are
# running postfix since it would provide the same log lines at the
# "warn" level but overall at the smaller filesize.
logpath = %(postfix_log)s
backend = %(postfix_backend)s
[perdition]
port = imap3,imaps,pop3,pop3s
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[squirrelmail]
port = smtp,465,submission,imap2,imap3,imaps,pop3,pop3s,http,https,socks
logpath = /var/lib/squirrelmail/prefs/squirrelmail_access_log
[cyrus-imap]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
[uwimap-auth]
port = imap3,imaps
logpath = %(syslog_mail)s
backend = %(syslog_backend)s
#
#
# DNS servers
#
# !!! WARNING !!!
# Since UDP is connection-less protocol, spoofing of IP and imitation
# of illegal actions is way too simple. Thus enabling of this filter
# might provide an easy way for implementing a DoS against a chosen
# victim. See
# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
# Please DO NOT USE this jail unless you know what you are doing.
#
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks UDP traffic for DNS requests.
# [named-refused-udp]
#
# filter = named-refused
# port = domain,953
# protocol = udp
# logpath = /var/log/named/security.log
# IMPORTANT: see filter.d/named-refused for instructions to enable logging
# This jail blocks TCP traffic for DNS requests.
[named-refused]
port = domain,953
logpath = /var/log/named/security.log
[nsd]
port = 53
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/nsd.log
#
# Miscellaneous
#
[asterisk]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/asterisk/messages
maxretry = 10
[freeswitch]
port = 5060,5061
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s"]
logpath = /var/log/freeswitch.log
maxretry = 10
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
[mysqld-auth]
port = 3306
logpath = %(mysql_log)s
backend = %(mysql_backend)s
# Log wrong MongoDB auth (for details see filter 'filter.d/mongodb-auth.conf')
[mongodb-auth]
# change port when running with "--shardsvr" or "--configsvr" runtime operation
port = 27017
logpath = /var/log/mongodb/mongodb.log
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
[recidive]
logpath = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime = 604800 ; 1 week
findtime = 86400 ; 1 day
# Generic filter for PAM. Has to be used with action which bans all
# ports such as iptables-allports, shorewall
[pam-generic]
# pam-generic filter can be customized to monitor specific subset of 'tty's
banaction = %(banaction_allports)s
logpath = %(syslog_authpriv)s
backend = %(syslog_backend)s
[xinetd-fail]
banaction = iptables-multiport-log
logpath = %(syslog_daemon)s
backend = %(syslog_backend)s
maxretry = 2
# stunnel - need to set port for this
[stunnel]
logpath = /var/log/stunnel4/stunnel.log
[ejabberd-auth]
port = 5222
logpath = /var/log/ejabberd/ejabberd.log
[counter-strike]
logpath = /opt/cstrike/logs/L[0-9]*.log
# Firewall: http://www.cstrike-planet.com/faq/6
tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039
udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015
action = %(banaction)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
[nagios]
logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility
backend = %(syslog_backend)s
maxretry = 1
[oracleims]
# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above
logpath = /opt/sun/comms/messaging64/log/mail.log_current
banaction = %(banaction_allports)s
[directadmin]
logpath = /var/log/directadmin/login.log
port = 2222
[portsentry]
logpath = /var/lib/portsentry/portsentry.history
maxretry = 1
[pass2allow-ftp]
# this pass2allow example allows FTP traffic after successful HTTP authentication
port = ftp,ftp-data,ftps,ftps-data
# knocking_url variable must be overridden to some secret value in jail.local
knocking_url = /knocking/
filter = apache-pass[knocking_url="%(knocking_url)s"]
# access log of the website with HTTP auth
logpath = %(apache_access_log)s
blocktype = RETURN
returntype = DROP
bantime = 3600
maxretry = 1
findtime = 1
[murmur]
# AKA mumble-server
port = 64738
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol=tcp, chain="%(chain)s", actname=%(banaction)s-tcp]
%(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol=udp, chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/mumble-server/mumble-server.log
[screensharingd]
# For Mac OS Screen Sharing Service (VNC)
logpath = /var/log/system.log
logencoding = utf-8
[haproxy-http-auth]
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
logpath = /var/log/haproxy.log
[slapd]
port = ldap,ldaps
filter = slapd
logpath = /var/log/slapd.log
[domino-smtp]
port = smtp,ssmtp
filter = domino-smtp
logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log
roles/fastest_mirror/tasks/main.yml
View file @ cae6bd7b
- name: "Clear yum cache" - name: "Clear yum cache"
command: yum clean all command: yum clean all
sudo: true become: true
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
- name: remove the bad repo on centos7 images - name: remove the bad repo on centos7 images
file: path=/etc/yum.repos.d/rdo-release.repo state=absent file: path=/etc/yum.repos.d/rdo-release.repo state=absent
sudo: true become: true
- name: "Make yum cache" - name: "Make yum cache"
command: yum makecache command: yum makecache
sudo: true become: true
when: ansible_os_family == 'RedHat'
# For some reason ed went missing from the NeCTAR official CentOS 7 image
# This meant that fail2ban could ban you, but could never unban you
- name: "make sure ed is installed"
yum: name=ed state=present
become: true
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
roles/gluster-monitor/README.md 0 → 100644
View file @ cae6bd7b
Puts a cron job to search gluster for split brain errors. Only applicable on management nodes
Usage
- { role: gluster-monitor, tags: [ gluster,gluster_client ] }
- { role: gluster-monitor, EMAIL_DEST: "hpc-alerts-warning-l@monash.edu", tags: [ gluster,gluster_client ] }
roles/gluster-monitor/tasks/main.yml 0 → 100644
View file @ cae6bd7b
---
- name: mkdir /usr/local/sbin if it does not exit
file:
path: /usr/local/sbin
state: directory
become: true
become_user: root
- name: template gluster_monitoring
template:
src=detect-gluster-problems.py.j2
dest=/usr/local/sbin/detect-gluster-problems.py
mode=755
owner=root
group=root
become: true
become_user: root
- name: gluster_monitoring- install crontab entry
#cron: name="Check glust for problems" minute="*/5" job="/usr/local/sbin/detect-gluster-problems.sh >> /tmp/detect-gluster-problems.txt 2>&1"
cron: name="Check gluster for problems" minute="*/5" job="/usr/local/sbin/detect-gluster-problems.py"
become: true
become_user: root
roles/gluster-monitor/templates/detect-gluster-problems.py.j2 0 → 100644
View file @ cae6bd7b
#!/bin/env python
#
#
# detect-gluster-problems.py
# Authors simon michnowicz 13 April 2021
import os
import sys
import subprocess
##############################
def error(e):
'''
we have an error. Send an email
e=error string
'''
hostname = os.uname()[1]
#print("Error is:\n{}".format(e))
HEADER="Error Message from {}".format(hostname)
MAILTO="{{ EMAIL_DEST }}"
command="echo -e \"{}\" | mail -s \"{}\" \"{}\" ".format(e,HEADER,MAILTO)
#print("Command is:\n{}".format(command))
os.system(command)
##############################
def Test1():
'''
This tests looks for the word "split brain" in a general query
'''
COMMAND="sudo gluster volume heal gv info"
try:
result = subprocess.check_output(COMMAND.split()).decode('UTF-8')
#print("Test1 Output is {}".format(result))
outList=result.splitlines()
for line in outList:
#print("Test1 line is {}".format(line))
if 'split' in line:
error(COMMAND+"\n"+outlist)
except subprocess.CalledProcessError as error:
error("Test1: \nPlease contact mcc-help@monash.edu \n error code", error.returncode, error.output)
sys.exit(1)
##############################
def Test2():
'''
This test checks for number of split brain entries
sudo gluster volume heal gv info split-brain
Brick 172.16.227.169:/gbrick/brick
Status: Connected
Number of entries in split-brain: 0
'''
COMMAND="sudo gluster volume heal gv info split-brain"
try:
result = subprocess.check_output(COMMAND.split()).decode('UTF-8')
#print("Test2 Output is {}".format(result))
outList=result.splitlines()
for line in outList:
#print("Line is {}".format(line))
if 'Number of entries in split-brain' in line:
split=line.split(':')
if len(split)!=2:
error("Logic error in Test2: split is {}".format(split))
sys.exit(1)
NoOfSplitBrains=int(split[1])
#print("Number of Split Brains is {}".format(NoOfSplitBrains))
if (NoOfSplitBrains!=0):
error("Number of Split Brains is {}".format(NoOfSplitBrains))
except subprocess.CalledProcessError as error:
error("Test2: \nPlease contact mcc-help@monash.edu \n error code", error.returncode, error.output)
sys.exit(1)
##############################
def main():
Test1()
Test2()
if __name__ == "__main__":
main()
roles/gluster-monitor/templates/detect-gluster-problems.sh.j2 0 → 100644
View file @ cae6bd7b
#!/bin/bash
#detect-gluster-problems.sh
# written by sgm 10 March 2021 to be a script
# that looks for gluster problems and emails help
# if anything happens
# See https://docs.gluster.org/en/latest/Troubleshooting/resolving-splitbrain/
# We look for keywords in output
# a) 'Is in split-brain'
# b) 'Is possibly undergoing heal'
COMMAND="sudo gluster volume heal gv info"
HEADER="Possible Error Message in `hostname`"
MAILTO="{{ EMAIL_DEST }}"
myOutput=`$COMMAND`
#myOutput=" a split brain that heals"
#echo "Output is $myOutput"
#
# check for split brain or healing messages in gluster output
#
echo $myOutput | grep -i "split"
exitCode=$?
if [ $exitCode -eq 0 ]
then
logger "detect-gluster-problems.sh: We found a split brain situation"
EmailBody="Possible split brain situation on `hostname` on `date` \n${myOutput}"
HEADER1="$HEADER : Split brain message"
echo -e "$EmailBody" | mail -s "$HEADER1" "$MAILTO"
#else
# echo "No brain worries"
fi
#
# check for healing
#
echo $myOutput | grep -i "heal"
exitCode=$?
if [ $exitCode -eq 0 ]
then
logger "detect-gluster-problems.sh: We found a healing situation"
HEADER1="$HEADER : healing message"
EmailBody="Possible healing situation on `hostname` on `date` \n${myOutput}"
echo -e "$EmailBody" | mail -s "$HEADER1" "$MAILTO"
#else
# echo "No healing worries"
fi
roles/gluster-monitor/vars/main.yml 0 → 100644
View file @ cae6bd7b
---
EMAIL_DEST: "youremailhere@nowhere.com"
roles/gluster_client/tasks/main.yml
View file @ cae6bd7b
--- ---
- name: add repo
copy: src=glusterfs-epel.repo dest=/etc/yum.repos.d/glusterfs-epel.repo
sudo: true
when: ansible_os_family == 'RedHat'
- name: install gluster - name: install gluster
yum: name={{ item }} state='latest' yum: name={{ item }} state='latest'
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
with_items: with_items:
- glusterfs-client - glusterfs-client
sudo: true become: true
- name: install gluster - name: install gluster
apt: name=glusterfs-client state='latest' apt: name=glusterfs-client state='latest'
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
sudo: true become: true
- name: mount volume - name: mount volume
#mount: name="{{ volmnt }}" src="{{ gluster_servers[0] }}:/{{ volname }}" state="mounted" fstype="glusterfs" opts="defaults,acl,_netdev,backupvolfile-server={{ gluster_servers[1] }}" mount: name="{{ volmnt }}" src="{{ gluster_servers[0] }}:/{{ volname }}" state="mounted" fstype="glusterfs" opts="defaults,acl,_netdev,backupvolfile-server={{ gluster_servers[1] }}"
mount: name="{{ volmnt }}" src="{{ gluster_servers[0] }}:/{{ volname }}" state="mounted" fstype="glusterfs" opts="defaults,acl,backupvolfile-server={{ gluster_servers[1] }},noauto,comment=systemd.automount" # mount: name="{{ volmnt }}" src="{{ gluster_servers[0] }}:/{{ volname }}" state="mounted" fstype="glusterfs" opts="defaults,_netdev,acl,backupvolfile-server={{ gluster_servers[1] }},comment=systemd.automount"
sudo: true become: true
roles/gluster_server/tasks/main.yml
View file @ cae6bd7b
--- ---
#https://docs.gluster.org/en/latest/Administrator%20Guide/Storage%20Pools/
- name: add repo
copy: src=glusterfs-epel.repo dest=/etc/yum.repos.d/glusterfs-epel.repo - name: install gluster repository
sudo: true yum:
name:
- centos-release-gluster9
state: present
enablerepo: extras
update_cache: yes
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
become: true
become_user: root
register: glusterrepo_added
- name: force refresh of the repository cache
shell: |
yum clean metadata
yum clean all
yum updateinfo
yum makecache
become: true
async: 600
poll: 5
check_mode: no
when: ansible_os_family == 'RedHat' and glusterrepo_added.changed
args:
warn: False
- name: install gluster - name: install gluster
yum: name={{ item }} state='latest' yum:
name:
- glusterfs-9.2
- glusterfs-server-9.2
state: present
update_cache: yes
disablerepo: base,monashhpc_base,updates
when: ansible_os_family == 'RedHat' when: ansible_os_family == 'RedHat'
with_items: become: true
- glusterfs become_user: root
- glusterfs-server register: gluster_installed
sudo: true
- name: install gluster - name: install gluster
apt: name=glusterfs-server state='latest' apt: name=glusterfs-server state=present
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
sudo: true become: true
become_user: root
- name: start daemon - name: start daemon
service: name=glusterd enabled=yes state=started service: name=glusterd enabled=yes state=started
sudo: true become: true
when: ansible_os_family == 'RedHat' become_user: root
when: ansible_os_family == 'RedHat' and gluster_installed.changed
- name: start daemon - name: start daemon
service: name=glusterfs-server enabled=yes state=started service: name=glusterfs-server enabled=yes state=started
sudo: true become: true
become_user: root
when: ansible_os_family == 'Debian' when: ansible_os_family == 'Debian'
- name: make server list #- name: make brick dir
set_fact: # file: state=directory path="{{ brickmnt }}/brick"
server_list: "{{ gluster_servers|join(',') }}" # become: true
# become_user: root
# when: gluster_installed.changed
- name: set quorum ratio
command: "gluster volume set all cluster.server-quorum-ratio 51%"
become: true
become_user: root
ignore_errors: yes
run_once: True
delegate_to: "{{ groups['SQLNodes'][0] }}"
when: gluster_installed.changed
- name: echo server list - name: enable bitrot
debug: var=server_list command: "gluster volume bitrot gv enable"
become: true
become_user: root
ignore_errors: yes
run_once: True
delegate_to: "{{ groups['SQLNodes'][0] }}"
when: gluster_installed.changed
- name: make brick dir #https://docs.gluster.org/en/v3/Upgrade-Guide/op_version/
file: state=directory path="{{ brickmnt }}/brick" - name: fail on purpose to manually look up gluster op.version and use it in a later task
sudo: true fail:
msg: The purpose of this fail is to 1. let you look up what op.version we want to use via gluster volume get all cluster.max-op-version. read doco above ansible line. 2. set this in this role below. 3. comment this fail and run ansible.
- name: create volume - name: set cluster.op-version set this after fail
gluster_volume: command: "gluster volume set all cluster.op-version 90000"
name: "{{ volname }}"
brick: "{{ brickmnt }}/brick" #gluster volume bitrot <VOLNAME> enable
cluster: "{{ server_list }}"
replicas: "{{ replicas }}" #not needed anymore or not supported
state: present #- name: set quorum type
sudo: true # command: "gluster volume set all cluster.server-quorum-type server"
run_once: true # become: true
# become_user: root
# ignore_errors: true
#- name: set quorum type
# command: "gluster volume set all cluster.quorum-type auto"
# become: true
# become_user: root
# ignore_errors: true
#gluster volume heal <vol> info
roles/gluster_volcreate/tasks/main.yml 0 → 100644
View file @ cae6bd7b
---
- name: make server list
set_fact:
server_list: "{{ gluster_servers|join(',') }}"
- name: show server list
debug: var=server_list
- name: "Attemtp to fix transaction problem. Modfy ping-timeout parameter in /etc/glusterfs/glusterd.vol"
replace: dest="/etc/glusterfs/glusterd.vol" regexp=" option ping-timeout 0" replace=" option ping-timeout 5"
become: true
become_user: root
- name: restart gluster service
systemd: name=glusterd state=restarted daemon_reload=yes
become: true
become_user: root
- name: probe peers
shell: "gluster peer probe {{ item }}"
#run_once: true
with_items: "{{ (gluster_servers|difference([inventory_hostname])) }}"
become: true
become_user: root
delegate_to: "{{ gluster_servers[0] }}"
- name: create volume
gluster_volume:
name: "{{ volname }}"
brick: "{{ brickmnt }}/brick"
cluster: "{{ server_list }}"
replicas: "{{ replicas }}"
host: "{{ inventory_hostname }}"
state: present
become: true
ignore_errors: true
# run_once: true
delegate_to: "{{ gluster_servers[0] }}"
roles/gpu/tasks/main.yml
View file @ cae6bd7b
--- ---
- name: install deps - name: install deps
yum: name={{ item }} state=installed package:
sudo: true state: present
with_items: name:
- gcc - gcc
- perl - perl
- wget - wget
- pciutils - pciutils
- kernel-headers - kernel-headers
- kernel-devel - kernel-devel
- xterm - xterm
- libX11-common - libX11-common
- libX11-devel - libX11-devel
- libX11 - libX11
- xorg-x11-server-common - libglvnd-devel
- xorg-x11-util-macros - xorg-x11-server-common
- xorg-x11-server-utils - xorg-x11-util-macros
- xorg-x11-font-utils - xorg-x11-server-utils
- xorg-x11-server-Xorg - xorg-x11-font-utils
- xorg-x11-glamor - xorg-x11-server-Xorg
- xorg-x11-xinit - xorg-x11-glamor
- xorg-x11-utils - xorg-x11-xinit
- xorg-x11-xauth - xorg-x11-utils
- xorg-x11-proto-devel - xorg-x11-xauth
- xorg-x11-xkb-utils - xorg-x11-proto-devel
- xorg-x11-xkb-utils
- name: Add nouveau from blacklist - python-jinja2
lineinfile: become: true
args: when: ansible_os_family == 'RedHat'
dest: /etc/modprobe.d/blacklist.conf
line: "blacklist nouveau" - name: install deps
apt:
name:
- 'gcc'
- 'perl'
- 'wget'
- 'pciutils'
- 'linux-headers-generic'
- 'xterm'
- 'libx11-dev'
- 'libx11-6'
- 'libglvnd-dev'
- 'xserver-xorg'
- 'vim'
- 'python-jinja2'
- 'python3-jinja2'
state: present state: present
sudo: true update_cache: yes
become: true
become_user: root
when: ansible_distribution == 'Ubuntu'
- name: install development tools
yum: name="@Development Tools" state=present
become: true
become_user: root
ignore_errors: yes
when: ansible_os_family == 'RedHat'
- name: disable nouveau
template: src=blacklist-nouveau.conf.j2 dest=/etc/modprobe.d/blacklist-nouveau.conf
become: true
become_user: root
- name: template unit for for persistenced
template: src=nvidia-persistenced.service dest=/etc/systemd/system/nvidia-persistenced.service
become: true
become_user: root
- name: create the nvidia-persistenced user
user: name=nvidia-persistenced state=present system=yes shell=/bin/false
become: true
become_user: root
- name: Template disable-nouvear.conf - name: remove nouveau
template: dest=/etc/modprobe.d/disable-nouveau.conf src=disable-nouveau.conf.j2 modprobe: name=nouveau state=absent
sudo: true become: true
become_user: root
- name: get kernel version
shell: uname -r
register: kernel_version
check_mode: no
changed_when: False
- name: Template nvidia.conf
template: dest=/etc/modprobe.d/nvidia.conf src=nvidia.conf.j2
sudo: true
- name: check nvidia driver - name: check nvidia driver
shell: ls /usr/lib64/libnvidia-opencl.so.{{ nvidia_version }} stat: path="/lib/modules/{{ kernel_version.stdout }}/kernel/drivers/video/nvidia.ko"
register: has_been_compiled register: nvidia_driver
ignore_errors: true ignore_errors: true
- name: Copy boot file - name: set default driver version
template: src=grub.conf.j2 dest=/boot/grub/grub.conf set_fact:
sudo: true installed_driver_version: '0.0'
- name: check nvidia driver version
shell: 'nvidia-smi | grep -Po "Driver Version: \K\S+"'
register: installed_driver_version
when: nvidia_driver.stat.exists
check_mode: no
changed_when: False
- name: set install default
set_fact:
install_driver: false
- name: set uninstall default
set_fact:
uninstall_driver: false
- name: set install
set_fact:
install_driver: true
when: not nvidia_driver.stat.exists or not installed_driver_version.stdout == nvidia_version
- name: set uninstall
set_fact:
uninstall_driver: true
when: nvidia_driver.stat.exists and not installed_driver_version.stdout == nvidia_version
- name: Populate service facts
service_facts:
#- debug:
# var: ansible_facts.services
#- debug:
# msg: '{{ services["nvidia-persistenced.service"].state }}'
# when: '"nvidia-persistenced.service" in services'
- name: stop the persistence daemon
service:
name: nvidia-persistenced
state: stopped
become: true
when: uninstall_driver and services["nvidia-persistenced.service"] is defined
- name: Copy X config file - name: stop the create-dev-uvm daemon
template: src=xorg.conf.j2 dest=/etc/X11/xorg.conf service: name=create-dev-uvm state=stopped
sudo: true become: true
when: uninstall_driver and services["create-dev-uvm.service"] is defined
- name: stop the telegraf daemon
service: name=telegraf state=stopped
become: true
when: uninstall_driver and services["telegraf.service"] is defined
- name: Unload nvidia driver
shell: rmmod nvidia_uvm nvidia_drm nvidia_modeset nvidia || true
become: true
when: install_driver
- name: kill any X processes
shell: ps ax | grep "X :0" | grep -v grep | cut -f 1 -d " " | xargs -I{} kill -9 {}
become: true
become_user: root
when: uninstall_driver
- name: get nvidia driver
get_url:
url: https://us.download.nvidia.com/tesla/{{ nvidia_version }}/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run
dest: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run
become: true
become_user: root
when: install_driver
#- name: Copy boot file
# template: src=grub.conf.j2 dest=/boot/grub/grub.conf
# become: true
#
#- name: Copy X config file
# template: src=xorg.conf.j2 dest=/etc/X11/xorg.conf
# become: true
- name: Copy xserver file - name: Copy xserver file
template: src=xserver.j2 dest=/etc/pam.d/xserver template: src=xserver.j2 dest=/etc/pam.d/xserver
sudo: true become: true
- name: restart_host - name: chmod nvidia driver builder
command: shutdown -r now "Reboot triggered by Ansible" file:
async: 900 path: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run
poll: 60 mode: 0755
sudo: true become: true
ignore_errors: true when: install_driver
when: has_been_compiled | failed
- name: build nvidia driver
- name: wait_restart shell: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run -q -a -n -X -s
local_action: wait_for host="{{ inventory_hostname }}" port=22 delay=5 timeout=600 become: true
sudo: true when: install_driver
when: has_been_compiled | failed
- name: set the GOM
- name: get nvidia driver shell: nvidia-smi --gom=0
shell: wget http://us.download.nvidia.com/XFree86/Linux-x86_64/{{ nvidia_version }}/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run become: true
args: become_user: root
chdir: /tmp register: nvidiagomcall
creates: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run changed_when: '"cannot be changed" not in nvidiagomcall.stdout' # only tested on a k80
sudo: true
when: has_been_compiled | failed - name: enable persistenced on boot
service: name=nvidia-persistenced state=started enabled=yes
- name: build nvidia driver become: true
shell: chmod 755 /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run; /tmp/NVIDIA-Linux-x86_64-{{ nvidia_version }}.run --silent --kernel-source-path /usr/src/kernels/{{ kernel_version }}.el6.x86_64 become_user: root
sudo: true
when: has_been_compiled | failed - name: Configure xorg.conf with nvidia-xconfig so xorg.conf matches gpu number
shell: /usr/bin/nvidia-xconfig -a --use-display-device=none --preserve-busid
- name: set persistence mode become: true
lineinfile: become_user: root
args: args:
dest: /etc/rc.d/rc.local creates: /etc/X11/xorg.conf
line: "nvidia-smi --persistence-mode=1"
state: present - name: re-start the persistence daemon
sudo: true service: name=nvidia-persistenced state=started
become: true
become_user: root
when: uninstall_driver and services["nvidia-persistenced.service"] is defined and services["nvidia-persistenced.service"].state == "running"
- name: Load module - name: re-start the create-dev-uvm daemon
shell: modprobe nvidia service: name=create-dev-uvm state=started
sudo: true become: true
become_user: root
when: uninstall_driver and services["create-dev-uvm.service"] is defined and services["create-dev-uvm.service"].state == "running"
- name: re-start the telegraf daemon
service: name=telegraf state=started
become: true
become_user: root
when: uninstall_driver and services["telegraf.service"] is defined and services["telegraf.service"].state == "running"
roles/gpu/templates/nvidia-persistenced.service 0 → 100644
View file @ cae6bd7b
#
# Copyright (c) 2013 NVIDIA Corporation
#
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
# DEALINGS IN THE SOFTWARE.
#
# This is a sample systemd service file, designed to show how the NVIDIA
# Persistence Daemon can be started.
#
[Unit]
Description=NVIDIA Persistence Daemon
Wants=syslog.target
[Service]
Type=forking
ExecStart=/usr/bin/nvidia-persistenced --persistence-mode --user nvidia-persistenced
ExecStopPost=/bin/rm -rf /var/run/nvidia-persistenced
[Install]
WantedBy=multi-user.target
roles/gpu/templates/xorg.conf.j2
View file @ cae6bd7b
# nvidia-xconfig: X configuration file generated by nvidia-xconfig # nvidia-xconfig: X configuration file generated by nvidia-xconfig
# nvidia-xconfig: version 340.58 (buildmeister@swio-display-x86-rhel47-09) Fri Oct 31 17:40:05 PDT 2014 # nvidia-xconfig: version 375.66 (buildmeister@swio-display-x86-rhel47-06) Mon May 1 15:45:32 PDT 2017
Section "DRI" Section "DRI"
Mode 0660 Mode 0666
Group "vglusers"
EndSection EndSection
Section "ServerLayout" Section "ServerLayout"
Identifier "Layout0"
Screen 0 "Screen0" #InputDevice "Keyboard0" "CoreKeyboard"
InputDevice "Keyboard0" "CoreKeyboard" #InputDevice "Mouse0" "CorePointer"
InputDevice "Mouse0" "CorePointer" Identifier "Layout0"
{% for screen in item.screens %}
{% if item.screens.index(screen) == 0 %}
Screen 0 "Screen{{item.screens.index(screen)}}"
{% else %}
Screen {{item.screens.index(screen)}} "Screen{{item.screens.index(screen)}}" RightOf "Screen{{item.screens.index(screen)-1}}"
{% endif %}
{% endfor %}
#InputDevice "Keyboard0" "CoreKeyboard"
#InputDevice "Mouse0" "CorePointer"
EndSection EndSection
Section "Files" Section "Files"
...@@ -17,6 +25,7 @@ Section "Files" ...@@ -17,6 +25,7 @@ Section "Files"
EndSection EndSection
Section "InputDevice" Section "InputDevice"
# generated from default # generated from default
Identifier "Mouse0" Identifier "Mouse0"
Driver "mouse" Driver "mouse"
...@@ -27,36 +36,45 @@ Section "InputDevice" ...@@ -27,36 +36,45 @@ Section "InputDevice"
EndSection EndSection
Section "InputDevice" Section "InputDevice"
# generated from data in "/etc/sysconfig/keyboard"
# generated from default
Identifier "Keyboard0" Identifier "Keyboard0"
Driver "kbd" Driver "kbd"
Option "XkbLayout" "us"
Option "XkbModel" "pc105"
EndSection EndSection
{% for monitor in item.monitors %}
Section "Monitor" Section "Monitor"
Identifier "Monitor0" Identifier "{{monitor}}"
VendorName "Unknown" VendorName "Unknown"
ModelName "Unknown" ModelName "Unknown"
HorizSync 28.0 - 33.0 HorizSync 28.0 - 33.0
VertRefresh 43.0 - 72.0 VertRefresh 43.0 - 72.0
Option "DPMS" Option "DPMS"
EndSection EndSection
{% endfor %}
{% for device in item.devices %}
Section "Device" Section "Device"
Identifier "Device0" Identifier "Device{{item.devices.index(device)}}"
Driver "nvidia" Driver "nvidia"
VendorName "NVIDIA Corporation" VendorName "NVIDIA Corporation"
BusID "PCI:00:06:0" boardname "{{item.boardname}}"
BusID "{{device}}"
EndSection EndSection
{% endfor %}
{% for screen in item.screens %}
Section "Screen" Section "Screen"
Identifier "Screen0" Identifier "Screen{{item.screens.index(screen)}}"
Device "Device0" Device "Device{{item.screens.index(screen)}}"
Monitor "Monitor0" Monitor "Monitor{{item.screens.index(screen)}}"
DefaultDepth 24 DefaultDepth 24
Option "ProbeAllGpus" "false"
{% if item.boardname == 'GRID K1' %}
Option "UseDisplayDevice" "None"
{% endif %}
SubSection "Display" SubSection "Display"
Virtual 1920 1200
Depth 24 Depth 24
EndSubSection EndSubSection
EndSection EndSection
{% endfor -%}