Fixes and updates related to Slurm configs.

.gitignore

@@ -12,4 +12,4 @@ promtools/results/*
 roles/hpc-cloud
 roles/HPCplaybooks
 roles/HPCplaybooks/*
-ssh-host-ca
+ssh-host-ca/umcg-hpc-ca

README.md

@@ -135,19 +135,21 @@ The steps below describe how to get from machines with a bare ubuntu 16.04 insta
       ECDSA key fingerprint is ....
       Are you sure you want to continue connecting (yes/no)?
    ```
-   * The filename of the private key is specified using the ```ssh_host_signer_ca_private_key``` variable defined in ```group_vars/*/vars.yml```
-   * The filename of the corresponding public key must be the same as the one of the private key suffixed with ```.pub```
+   * The filename of the CA private key is specified using the ```ssh_host_signer_ca_private_key``` variable defined in ```group_vars/*/vars.yml```
+   * The filename of the corresponding CA public key must be the same as the one of the private key suffixed with ```.pub```
+   * The password required to decrypt the CA private key must be specified using the ```ssh_host_signer_ca_private_key_pass``` variable defined in ```group_vars/*/secrets.yml```,
+     which must be encrypted with ```ansible-vault```.
    * Each user must add the content of the CA public key to their ```~.ssh/known_hosts``` like this:
      ```
-     @cert-authority [names of the hosts for which the cert is valid] [content of the CA pulbic key]
+     @cert-authority [names of the hosts for which the cert is valid] [content of the CA public key]
      ```
      E.g.:
      ```
      @cert-authority reception*,*talos,*tl-* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWNAF....VMZpZ5b9+5GA3O8w== UMCG HPC Development CA
      ```
-   * Example to create a new 4096 bitsize CA key pair with the ```rsa``` algorithm:
+   * Example to create a new CA key pair with the ```rsa``` algorithm:
      ```bash
-     ssh-keygen -b 4096 -t rsa -f ssh-host-ca/ca-key-file-name -C "CA key for ..."
+     ssh-keygen -t ed25519 -a 101 -f ssh-host-ca/ca-key-file-name -C "CA key for ..."
      ```
 
 5. Build Prometheus Node Exporter

cluster.yml

@@ -71,12 +71,12 @@
      - isilon
      - slurm-client
 
-- name: export /home
+- name: Export /home on NFS server.
   hosts: user-interface:&talos-cluster
   roles:
      - nfs_home_server
 
-- name: export /home
+- name: Mount /home on NFS clients.
   hosts: compute-vm&talos-cluster
   roles:
      - nfs_home_client

group_vars/talos-cluster/secrets.yml

@@ -1,22 +1,27 @@
 $ANSIBLE_VAULT;1.1;AES256
-65373739663965393330306364356663356530313363386530663433393666616532613531656361
-3564613662306133353337306134353433366338396438620a383438656235343634346464383663
-33313862663236623630346631616261326430653636623632376137653133303639656638383737
-3561393265663637390a303339353963386665343261326236386639373130383364343234626230
-32313338386534633366343763643065336531636635616231353664306630333961613832343834
-37313435303164356633343731363962363633373363376434343833346535353230316663663233
-63333162363363653830636634343965363063666465613537353163636132656438653330353531
-35383765626634646563346438393934366239363132366138396531323062353835303838666330
-32613466343034356262383833616163376463306462356630373061303234633463613839623638
-33366563643531613462373363373665376638376434383932666132363833306362393830383764
-32393066396265626133303836663665386661393339386433343837386362383861396165343830
-61343433643439613630333865326162356134366430396339316366313232633837633264313465
-30356164613030373230396338636261343930636466363963316139356631323031303635363335
-30313462333463623638636432623138613130613961663665626533636662323032643235343630
-33373633383832353435663238316234366439373938633861366132333466313431373430373236
-30666335383939346534373934323663353465613436306331363936383835353834633436623132
-38366533343339316463356662333635396631346161613034383064326664663039653865343338
-65393930623561363832303434313237383533393632383761323331366562373038353433363236
-30333464373235653133656233373931346264633361633338363339303732373261616331356632
-37383533643331646137386162303662353864326661306632356265353837653936626663336565
-35636461313961343932653864343662366366646566313231393463663039383363
+36363232356235643436383162303734376463343966373436646339303861326236666337633138
+6561663835303037373831383233333134366461653539360a643237333166393266656338613530
+66366266643264383761313831343934636261666366396539376130666465313662313537366332
+3235616432613462370a623130393439636466663734326136646139373962393331316663326662
+30643837373934343337646430373463623865383931383764366466376261663034306234356133
+64386666643562653664653933336236363462346134336534616166363561306235356463653963
+65656463663232626137613533316139623462653434666532343263316362656361623032333230
+33343630376437613033333263343439636666636365336263393938383264346138333364393832
+31613663303362353364663038366637303932353364333661303635623030323666346433393265
+36303739313338353932326139373038316130323639323938613764623833353631623539316663
+33653636653865323733383133653338303861313434383136653830393637636264363234303161
+38666363636563613464313362333839643631363333636137343231306433373235336165346438
+39643634383863333631313764303161333764623930343731353037326530633937646263326234
+38656236366665663737333235336632303835333530303236363336333766626666386330303138
+34636433316163376335656431613631646436386530363837366133383764326465303865343961
+63663833303732373762303034636465383639623232663664386334323931313034353631666366
+30336266616137373862316531646464336132363436396430373233316330343336346635646537
+36613439623561393365383539366435393235356434643937323733313462386430303832653635
+35663966356561383161386464396635353935623738333965336637613931383235336138393931
+32663066613062326231393865363137613932356237343762626536316266663332333566383737
+66663933313361653639336664653934303761363966373536623231366364666362393535663933
+30383166643366613230333739333165336364383637303236316137333865313762643361383363
+65666263343463353966353461616231623164393738373034396662616563306536616538346335
+35356238323965346639313063306365313031366563653866616534636538373534653233663535
+38633963323534616336353164333435616635373165623761363864666337353764636333303132
+3132333039393739303933646165343862306632613032336538

group_vars/talos-cluster/vars.yml

@@ -17,4 +17,10 @@ ui_real_memory: 8192
 ui_local_disk: 0
 ui_features: 'prm08,tmp08'
 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca"
+uri_ldap: 172.23.40.249
+uri_ldaps: comanage-in.id.rug.nl
+ldap_port: 389
+ldaps_port: 636
+ldap_base: ou=umcg,o=asds
+ldap_binddn: cn=clusteradminumcg,o=asds
 ...

roles/slurm/tasks/main.yml

@@ -45,21 +45,23 @@
 
 - name: Make sure the database user is present.
   mysql_user:
-      login_host: 127.0.0.1
-      login_user: root
-      login_password: "{{ MYSQL_ROOT_PASSWORD }}"
-      name: "{{ slurm_storage_user }}"
-      password: "{{ slurm_storage_pass }}"
-      host: '%'
-      priv: '*.*:ALL'
-
+    login_host: 127.0.0.1
+    login_user: root
+    login_password: "{{ MYSQL_ROOT_PASSWORD }}"
+    name: "{{ slurm_storage_user }}"
+    password: "{{ slurm_storage_pass }}"
+    host: '%'
+    priv: '*.*:ALL'
+  no_log: True
+
 - name: Create a database for Slurm accounting.
   mysql_db:
-      login_host: 127.0.0.1
-      login_user: root
-      login_password: "{{ MYSQL_ROOT_PASSWORD }}"
-      name: slurm_acct_db
-      state: present
+    login_host: 127.0.0.1
+    login_user: root
+    login_password: "{{ MYSQL_ROOT_PASSWORD }}"
+    name: slurm_acct_db
+    state: present
+  no_log: True
 
 - name: Install Docker config.
   template:
@@ -215,6 +217,7 @@
              > /srv/slurm/backup/slurm.sql
   tags:
     - backup
+  no_log: True
 
 - name: Dump the database every night. Keep 7 backups.
   cron:
@@ -231,4 +234,5 @@
            /bin/find /srv/slurm/backup/slurm_bak.sql.* -mtime 7 -delete
   tags:
     - backup
+  no_log: True
 ...

roles/spacewalk_client/tasks/main.yml

@@ -4,7 +4,7 @@
     name: https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/spacewalk-2.8-client/epel-7-x86_64/00742644-spacewalk-repo/spacewalk-client-repo-2.8-11.el7.centos.noarch.rpm
     state: present
 
-- name: install spacewalk client packages.
+- name: Install spacewalk client packages.
   yum:
    name:
      - rhn-client-tools
@@ -14,12 +14,12 @@
      - m2crypto
      - yum-rhn-plugin
 
-- name: restart spacewalk daemon
+- name: Restart spacewalk daemon.
   systemd:
    name: rhnsd.service
    state: restarted
 
-- name: register at the spacewalk server
+- name: Register client at the spacewalk server.
   rhn_register:
    state: present
    activationkey: "{{activation_key}}"
@@ -30,24 +30,25 @@
   retries: 3
   delay: 3
   ignore_errors: yes
+  no_log: True
 
-- name: Disable gpgcheck
+- name: Disable gpgcheck.
   command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf
   args:
     warn: false
 
-- name: remove all current repos
+- name: Remove all current repo config files.
   shell: "rm -rf /etc/yum.repos.d/*"
   args:
     warn: false
 
-- name: remove all current repos
+- name: Clear the yum cache.
   command: "yum clean all"
   args:
     warn: false
   ignore_errors: yes
 
-- name: upgrade all packages
+- name: Upgrade all packages to version specified in spacewalk channel.
   yum:
    name: '*'
    state: latest

roles/ssh_host_signer/tasks/main.yml

@@ -30,10 +30,18 @@
   with_items: "{{ private_keys.files }}"
   changed_when: false
 
+- name: Check if we have a CA private key with correct permissions.
+  file:
+    path: "{{ ssh_host_signer_ca_private_key }}"
+    mode: 0600
+  delegate_to: localhost
+
 - name: Sign SSH keys.
-  local_action: command ssh-keygen -s "{{ ssh_host_signer_ca_private_key | quote }}" -I {{ ssh_host_signer_id | quote }} -h -n {{ ssh_host_signer_hostnames | quote }} "{{ temporary_directory.path }}/public_keys/{{ inventory_hostname | quote }}{{ item.path | quote }}.pub"
+  command: ssh-keygen -s {{ ssh_host_signer_ca_private_key | quote }} -P {{ ssh_host_signer_ca_private_key_pass | quote }} -I {{ ssh_host_signer_id | quote }} -h -n {{ ssh_host_signer_hostnames | quote }} "{{ temporary_directory.path }}/public_keys/{{ inventory_hostname | quote }}{{ item.path | quote }}.pub"
   with_items: "{{ private_keys.files }}"
   changed_when: false
+  delegate_to: localhost
+  no_log: True
 
 - name: Find certificates.
   local_action:

ssh-host-ca/umcg-hpc-development-ca

@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABCViZrnYl
+lIsl1fpwIBBZ/oAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIJ2R24oebG0oGQxJ
+QvxzCVjd7lAVFzlOB9ygg5N+WUDpAAAAoED/slN77LCfjBMd41yeXF+84qlUbP5/vzLu/F
+4kozjpT2/atimYs0i7YYwVs6gHNnIyTbhs4JORTMa+wszWPt67Nwu2ooir1qfBF+my72yQ
+dcSTzQxCMiQVM9EwXxmcXUikBihIfjcsZYKGMfcCf8CwEJCDiD4ojId12aLB7fF/ON0Jkz
+dnT8PXA2gbnd41ry1W9hI6/tzvl979ylxQ21s=
+-----END OPENSSH PRIVATE KEY-----

ssh-host-ca/umcg-hpc-development-ca.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2R24oebG0oGQxJQvxzCVjd7lAVFzlOB9ygg5N+WUDp UMCG HPC Development CA