Commit 05c81fc7 authored by Ryan Jones's avatar Ryan Jones

updated files

parent 5c5745b2
#!/bin/env ruby
$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
require 'ood_auth_map'
class Regex < OodAuthMap
# Default regular expression to use when parsing authenticated username
DEFAULT_REGEX = "^(.+)$"
# Body of option parser
define_body do |parser|
parser.separator ""
parser.separator "Used to parse for a mapped authenticated user from a string using a regular expression."
parser.separator ""
parser.separator "General options:"
options[:regex] = DEFAULT_REGEX
parser.on("-r", "--regex=REGEX", "# Regular expression used to capture the system-level username", "# Default: #{DEFAULT_REGEX}") do |regex|
options[:regex] = regex
end
end
# Footer of option parser
define_footer do |parser|
parser.separator ""
parser.separator <<-EOF.gsub(/^ {6}/, "")
Examples:
If the authenticated username completely matches the system-level
username use the default regular expression:
#{File.basename($0)} bob
this will return `bob`.
For more complicated strings, a regular expression needs to be
supplied as an option:
#{File.basename($0)} --regex='^(\\w+)@osc.edu$' bob@osc.edu
where the first captured match is returned as the system-level username.
If no match is found in the string, then a blank line is returned:
#{File.basename($0)} --regex='^(\\w+)@osc.edu$' bob@mit.edu
this will return a blank line, meaning no match was found.
EOF
parser.separator ""
end
define_run do |auth_user|
user_check = `getent passwd #{auth_user} | cut -d : -f 1`
#puts user_check
if user_check != ""
puts auth_user
else
puts ""
exit(false)
end
end
end
# Start the workflow of the Regex CLI
Regex.run
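Review bot: The `define_run` block interpolates `auth_user` straight into a backtick shell command, so a username string that comes from the caller rather than from trusted configuration is parsed by `/bin/sh` before `getent` ever sees it; look the account up without a shell, e.g. `user_check = IO.popen(['getent', 'passwd', auth_user.to_s]) { |io| io.read.to_s }`, which still yields `""` when nothing is found and keeps the existing `user_check != ""` check intact. The `--regex` option parsed in `define_body` and documented at length in the footer is never read here: the block prints `auth_user` unchanged whenever `getent` finds it, so either apply `options[:regex]` before the lookup or trim the usage text so it matches what the command does. The commented-out `#puts user_check` is dead code and should go rather than ship.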
---
- name: Enable Copr Repos
shell: yum -y copr enable "{{ item.repo_name }}"
with_items: "{{ copr_repos }}"
when: enable_copr == true and inventory_hostname in item.host
- name: Install mod_wsgi for httpd24
yum: name="{{ mod_wsgi_pkg_name }}" state=latest
- name: Install pip via yum
yum: name=python2-pip state=latest
- name: Install virtualenv via pip
pip: name=virtualenv state=latest
- name: Remove existing user register app install
file:
path: "{{ user_register_app_path }}"
state: absent
- name: Creates directory to clone the user register app
file:
path: "{{ user_register_app_path }}"
state: directory
- name: Clone user register app form from gitlab
git:
repo: "{{ user_register_app_repo }}"
dest: "{{ user_register_app_path }}"
- name: Install requirements in virtualenv
pip:
requirements: requirements.txt
virtualenv: venv
chdir: "{{ user_register_app_path }}"
- name: Put apache config file in place
template:
src: user-reg_conf.j2
dest: "/opt/rh/httpd24/root/etc/httpd/conf.d/user-reg.conf"
- name: Put wsgi config file in place
template:
src: wsgi.j2
dest: "{{ user_register_app_path }}/{{ user_register_app}}.wsgi"
- name: Enable user registration redirect
replace:
path: /etc/ood/config/ood_portal.yml
regexp: '{{ item.regexp }}'
replace: '{{ item.replace }}'
backup: yes
with_items:
- { regexp: "^#?(user_map_cmd:).*", replace: "\\1 '/opt/ood/ood_auth_map/bin/uab_ood_auth.regex'" }
- { regexp: "^#?(map_fail_uri:).*", replace: "\\1 '/register'" }
- { regexp: "^#?(register_uri:).*", replace: "\\1 '/register'" }
- name: Stage regex file for ood
copy:
src: uab_ood_auth.regex
dest: /opt/ood/ood_auth_map/bin/uab_ood_auth.regex
owner: root
group: root
mode: 0755
- name: Build the updated Apache config
command: /opt/ood/ood-portal-generator/sbin/update_ood_portal
ignore_errors: yes
- name: Get UID and GID of RegUser from OHPC
stat:
path: /home/{{ RegUser_app_user }}
register: RegUser_stat
- name: Create Group for RegUser on OOD
group:
gid: "{{ RegUser_stat.stat.gid }}"
name: "{{ RegUser_app_user }}"
state: present
- name: Create RegUser on OOD
user:
name: "{{ RegUser_app_user }}"
comment: "{{ RegUser_app_user_full_name }}"
shell: /bin/bash
uid: "{{ RegUser_stat.stat.uid }}"
group: "{{ RegUser_app_user }}"
createhome: no
state: present
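Review bot: The `Create Group for RegUser on OOD` and `Create RegUser on OOD` tasks read `RegUser_stat.stat.gid` and `.uid`, but the preceding `stat` of `/home/{{ RegUser_app_user }}` only registers its result; when that directory is missing the `stat` dict carries no `uid`/`gid` and the play dies with an undefined-attribute error instead of a clear message, so add `failed_when: not RegUser_stat.stat.exists` to the `stat` task (or an `assert` with a message). `Build the updated Apache config` runs `update_ood_portal` under `ignore_errors: yes`, which hides a failed portal build that the redirect and regex-file tasks just above depend on; register the result and fail on a non-zero `rc` with a specific message instead. `Enable Copr Repos` uses `shell:` where no shell feature is needed; `command: yum -y copr enable "{{ item.repo_name }}"` keeps the templated value out of a shell parser.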
WSGIDaemonProcess "{{ user_register_app }}" user={{ RegUser_app_user }} group={{ RegUser_app_user }} threads=5
WSGIProcessGroup "{{ user_register_app }}"
WSGIScriptAlias /register "{{ user_register_app_path}}/{{ user_register_app }}.wsgi"
<Location /register>
AuthType Basic
AuthName "Private"
AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"
RequestHeader unset Authorization
Require valid-user
</Location>
<Directory {{ user_register_app_path }}>
WSGIProcessGroup {{ user_register_app }}
WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
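Review bot: The `RequestHeader unset Authorization` line inside `<Location /register>` has no explanation, and a later maintainer may drop it as redundant; a comment such as `# mod_headers applies this after authentication, so Apache validates the htpasswd credential but never forwards it to the WSGI app` records why it is there. `AuthType Basic` sends the credential in the clear unless the enclosing vhost is TLS-only, which this fragment cannot show; state that requirement in a header comment of the template so the block is not reused on a plain-HTTP vhost. The `{{ user_register_app_path}}` expression in `WSGIScriptAlias` is missing the closing space the other expressions have — harmless to Jinja, but worth aligning.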
#!/bin/python
# Activate virtualenv
activate_this = '{{ user_register_app_path }}/venv/bin/activate_this.py'
execfile(activate_this, dict(__file__=activate_this))
import sys
import os
sys.path.append("{{ user_register_app_path }}")
os.environ['FLASK_CONFIG'] = 'production'
from run import app as application
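Review bot: `execfile` exists only on Python 2, so this `.wsgi` file breaks as soon as mod_wsgi is built against Python 3 (consistent with the `python2-pip` task in the playbook, but nowhere stated); the portable form is `with open(activate_this) as f:` followed by `exec(f.read(), dict(__file__=activate_this))`, which runs on both. A one-line header comment noting that the venv is activated in-process because the `WSGIDaemonProcess` in the Apache template is not given `python-home` would save the next reader from reaching for that directive and wondering why it is absent. The hard-coded `'production'` in `os.environ['FLASK_CONFIG']` cannot be overridden per deployment; since the path on the line above is already templated, the config name could be too.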
<%= link_to icon('fas', 'eye', 'Launch Desktop in new tab'), novnc_link(connect), class: 'btn btn-primary', target: '_blank' %>
<%= link_to 'View Only (Share-able Link)', novnc_link(connect, view_only: true), class: 'btn btn-default pull-right', target: '_blank' %>
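Review bot: Both `link_to` calls open with `target: '_blank'` but no `rel` attribute, so the noVNC page is handed a `window.opener` reference back to the dashboard; add `rel: 'noopener noreferrer'` to each call, e.g. `link_to ..., class: 'btn btn-primary', target: '_blank', rel: 'noopener noreferrer'`. The second link is labelled share-able; if `novnc_link(connect, view_only: true)` embeds a credential in the URL (its implementation is not visible here), a short comment in this partial on what the link grants and for how long would help anyone reviewing it later.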
---
script:
native:
- "-N 1"
- "-n <%= bc_num_slots.blank? ? 1 : bc_num_slots.to_i %>"
- "--mem-per-cpu=<%= bc_num_mems.blank? ? 4 : bc_num_mems.to_i %>G"
- "--partition=<%= bc_partition %>"
- "--time=<%= bc_num_hours.blank? ? 1 : bc_num_hours.to_i %>:00:00"
- "--job-name=ood-vnc"
<%- if bc_partition == "pascalnodes" -%>
- "--gres=gpu:1"
<%- end -%>
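Review bot: The `to_i` conversions on `bc_num_slots`, `bc_num_mems` and `bc_num_hours` accept any non-blank string and return `0` for non-numeric or negative input, so a mistyped or tampered form value becomes `-n 0` or `--time=0:00:00`; the `min`/`max` in cluster.yml are enforced only in the browser, so bound the value here as well, e.g. `- "-n <%= bc_num_slots.blank? ? 1 : bc_num_slots.to_i.clamp(1, 24) %>"` (`clamp` needs Ruby 2.4+; `[[x, 1].max, 24].min` otherwise) with matching bounds for memory and hours. `--partition=<%= bc_partition %>` passes the submitted value through verbatim; since the form's select widget offers a fixed list, checking the value against that list before interpolation (falling back to `low`) keeps arbitrary strings out of the sbatch arguments. The `pascalnodes` GPU branch keys on a partition the form never offers — presumably kept for another cluster; a comment saying so would stop it reading as dead code.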
---
- name: Put custom cluster.yml in place
template:
src: cluster.yml
dest: /etc/ood/config/apps/bc_desktop/{{ cluster_name }}.yml
backup: yes
- name: Put submit.yml.erb in place
copy:
src: vnc-submit.yml.erb
dest: /etc/ood/config/apps/bc_desktop/submit/submit.yml.erb
backup: yes
- name: Put noVNC.html.erb in place
copy:
src: custom-novnc.html.erb
dest: /var/www/ood/apps/sys/dashboard/app/views/batch_connect/sessions/connections/_novnc.html.erb
backup: yes
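Review bot: `Put noVNC.html.erb in place` copies a partial into the packaged dashboard app under `/var/www/ood/apps/sys/dashboard/app/views/...`, so the override presumably lives inside the package-managed tree and is reverted on the next OOD upgrade; a comment above the task recording that it must be re-applied after upgrades (or a move to a supported override location, if one exists for this partial) would prevent a silent regression. A production Rails app also caches compiled views until it restarts, so without a `notify` that restarts the dashboard (or touches its restart file) the new partial may not be picked up until the next unrelated reload.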
---
title: "HPC Desktop"
cluster: {{ cluster_name }}
submit: "submit/submit.yml.erb"
attributes:
desktop: "xfce"
bc_num_slots:
label: Number of CPU
value: 1
min: 1
max: 24
step: 1
bc_num_mems:
widget: "number_field"
label: Memory per CPU (GB)
value: 4
min: 1
max: 128
step: 1
bc_partition:
widget: select
label: Partition
options:
- [ "low", "low" ]
form:
- desktop
- bc_num_hours
- bc_partition
- bc_num_slots
- bc_num_mems
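Review bot: `cluster: {{ cluster_name }}` is the only templated value in this file that is not quoted; if `cluster_name` ever contains a YAML-significant character the rendered file fails to parse, so write `cluster: "{{ cluster_name }}"` to match `title` and `submit`. `bc_num_slots` omits `widget: "number_field"` while `bc_num_mems` declares it; the result is likely the same (OOD appears to default that attribute to a number field), but stating it explicitly makes the two attributes read consistently. The `min`/`max` bounds here are applied in the browser only; a comment saying that the submit template is where the server-side check lives would stop readers assuming these limits are authoritative.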
---
# - name: check hostname
# - fail:
# msg: "Hostname in inventory/headnode doesn't match local hostname! Please fix and run again."
# when: inventory_hostname != ansible_hostname
# - name: yum update
# yum: name=* state=latest update_cache=yes
- fail:
msg: "Kernel version mismatch between loaded kernel and group-vars/all! Please fix and run again."
when: build_kernel_ver != ansible_kernel
- name: install necessary stuff
yum:
state: latest
name:
- "MySQL-python"
- "epel-release"
- "wget"
- "tcpdump"
- "whois"
- "lsof"
- "xinetd"
- "vim"
- "net-tools"
- "exportfs"
- "firewalld"
- "chrony"
- "pciutils"
- "rsync"
- "bash-completion"
- "libselinux-python"
- "libsemanage-python"
- "policycoreutils"
# - "lua" # testing; this could fix the lmod-ohpc issue?
#otherwise, do a yum update --skip-broken, yum update...
- name: get OpenHPC Repo #hardcoded version # :(
yum: name={{ openhpc_release_rpm }} state=present
- name: Install Copr plugin for yum
yum: name=yum-plugin-copr state=present update_cache=true
when: enable_copr == true
- name: enable Copr Repos
shell: yum -y copr enable "{{ item.repo_name }}"
with_items: "{{ copr_repos }}"
when: enable_copr == true and inventory_hostname in item.host
- name: install fail2ban # separate b/c it's in epel
yum: name=fail2ban state=latest
#this is only necessary for non-local ansible!
# - name: turn off requiretty for sudo
# lineinfile:
# dest: /etc/sudoers
# regexp: "Defaults requiretty"
# line: "Defaults !requiretty"
# state: present
- template: src=firewall_conf/services/slurm.xml dest=/etc/firewalld/services/slurm.xml
- template: src=firewall_conf/firewalld.conf dest=/etc/firewalld/firewalld.conf
- template: src=firewall_conf/zones/internal.xml dest=/etc/firewalld/zones/internal.xml
- template: src=firewall_conf/zones/public.xml dest=/etc/firewalld/zones/public.xml
# default network profile naming in CentOS-7 uses the name 'System ethN' as
# the profile name for the 'ethN' interface. The ansible framework uses
# a single variable for the profile name interface name. We change the
# default profile names to match the interface name to match this convesion
# and make nmcli commands more consistent with tranditional naming.
- name: check for default public network profile name
shell: nmcli con | grep '{{ public_interface }}'
register: network_profile_name
- name: simplify the name of the public network profile name
command: nmcli con mod 'System {{ public_interface }}' connection.id '{{ public_interface }}'
when: "'System' in network_profile_name.stdout"
- name: check for default private network profile name
shell: nmcli con | grep '{{ private_interface }}'
register: network_profile_name
- name: simplify the name of the private network profile name
command: nmcli con mod 'System {{ private_interface }}' connection.id '{{ private_interface }}'
when: "'System' in network_profile_name.stdout"
- name: add private interface to internal zone via nmcli
command: nmcli connection modify {{ private_interface }} connection.zone internal
- name: add public interface to public zone via nmcli
command: nmcli connection modify {{ public_interface }} connection.zone public
# - name: restart dbus for firewalld :(
# service: name=dbus state=restarted
# Changing it temporarily to stop
- name: firewalld restart # to load new slurm service
service: name=firewalld state=stopped
## This section seems to be redundant
## - name: add interface to internal zone firewall-cmd
## firewalld:
## zone: internal
## interface: "{{ private_interface }}"
## permanent: yes
## state: enabled
##
## - name: add interface to external zone firewall-cmd
## firewalld:
## zone: public
## interface: "{{ public_interface }}"
## permanent: yes
## state: enabled
##
### - name: add interfaces to external zone firewalld
### lineinfile: dest=/etc/sysconfig/network-scripts/ifcfg-{{ public_interface }} regexp=^ZONE= line=ZONE=public
##
## - name: add services to internal zone firewall-cmd
## firewalld:
## zone: internal
## service: '{{ item }}'
## permanent: yes
## immediate: yes
## state: enabled
## with_items:
## - 'slurm'
## - 'mdns'
## - 'ipp-client'
## - 'dhcpv6-client'
## - 'ssh'
## - 'nfs'
## - 'mountd'
## - 'rpc-bind'
## - 'http'
## - 'https'
## - 'tftp'
## - 'samba-client'
##
## - name: firewalld restart
## service: name=firewalld state=restarted
- name: set up /etc/hosts
template: src=hosts.j2 dest=/etc/hosts
- name: set up /etc/ssh/sshd_config
template: src=sshd_config.j2 dest=/etc/ssh/sshd_config
- name: restart sshd
service: name=sshd state=restarted
- name: selinux allow homedirs
seboolean:
name: use_nfs_home_dirs
state: yes
persistent: yes
- name: create /export dir for software
file: path=/export state=directory owner=root group=root mode=0777
- name: open up chrony across private network
lineinfile:
path: /etc/chrony.conf
regexp: '^#allow 192'
line: "allow all {{ private_network }}/24"
state: present
- name: enable and restart chrony
service: name=chronyd state=restarted enabled=yes
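Review bot: The task named `firewalld restart` actually runs `service: name=firewalld state=stopped`, so every zone and interface assignment above it (the `slurm.xml` service, the `internal`/`public` zone templates, the two `nmcli ... connection.zone` commands) is written to disk but never enforced, and the head node is left with no host firewall; if the stop is genuinely temporary, gate it behind a variable with a loud comment, otherwise restore `state=restarted` and rename or fix whichever task it was meant to work around. `create /export dir for software` uses `mode=0777`, which lets any local or NFS-mapped user replace software that other users execute; `0755` (or a dedicated group with `2775`) is the usual choice. Both `check for default ... profile name` tasks register into the same `network_profile_name` variable; that works only because each rename immediately follows its check, so distinct names (or a comment) would keep a future reorder from renaming the wrong interface.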
# firewalld config file
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public
# Minimal mark
# Marks up to this minimum are free for use for example in the direct
# interface. If more free marks are needed, increase the minimum
# Default: 100
MinimalMark=100
# Clean up on exit
# If set to no or false the firewall configuration will not get cleaned up
# on exit or stop of firewalld
# Default: yes
CleanupOnExit=yes
# Lockdown
# If set to enabled, firewall changes with the D-Bus interface will be limited
# to applications that are listed in the lockdown whitelist.
# The lockdown whitelist file is lockdown-whitelist.xml
# Default: no
Lockdown=no
# IPv6_rpfilter
# Performs a reverse path filter test on a packet for IPv6. If a reply to the
# packet would be sent via the same interface that the packet arrived on, the
# packet will match and be accepted, otherwise dropped.
# The rp_filter for IPv4 is controlled using sysctl.
# Default: yes
IPv6_rpfilter=yes
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Slurmctld</short>
<description> Slurmctld is the controller daemon for the Slurm
scheduler, which communicates with slurmd on controlled nodes.
</description>
<port protocol="tcp" port="6817"/>
<port protocol="udp" port="6817"/>
<port protocol="tcp" port="6818"/>
<port protocol="udp" port="6818"/>
<port protocol="tcp" port="7321"/>
<port protocol="udp" port="7321"/>
</service>
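Review bot: The `<short>`/`<description>` name only slurmctld, yet the service also opens 6818 and 7321, so a reader cannot tell which daemon each port belongs to or which host the file is meant for; add a comment per port, e.g. `<!-- 6817 slurmctld, 6818 slurmd, 7321 <daemon: confirm against slurm.conf> -->`. Slurm's controller and node daemons communicate over TCP as far as I know, so the three `udp` entries likely widen the internal zone without purpose; confirm against the deployed slurm.conf and drop them if nothing listens there.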
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>External</short>
<description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<masquerade/>
</zone>
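Review bot: This zone enables `<masquerade/>`, but none of the tasks in this commit template an `external.xml` or assign an interface to the `external` zone (only `internal` and `public` are templated and bound via `nmcli`), so it is either dead configuration or applied by a role not shown here; add a comment at the top of the file naming the interface expected to use it and why NAT is required (presumably routing compute nodes on the private network out through the head node). If it is unused, remove the file so masquerading cannot be switched on later by an accidental default-zone change.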
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Internal</short>
<description>For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="mdns"/>
<service name="ipp-client"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="nfs"/>
<service name="ntp"/>
<service name="mountd"/>
<service name="rpc-bind"/>
<service name="http"/>
<service name="https"/>
<service name="tftp"/>
<service name="slurm"/>
<service name="samba-client"/>
</zone>
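Review bot: The internal zone opens thirteen services, including `tftp`, `samba-client`, `http`/`https` and `mdns`, with no record of which role on the private network needs each one; a comment per non-obvious entry (e.g. `<!-- tftp: <role: confirm> -->`, `<!-- samba-client: <role: confirm> -->`) makes later tightening possible without guesswork. `ntp` is listed although the playbook configures `chronyd`; the firewalld `ntp` service covers udp/123, which chrony also uses, so the entry is correct but deserves a comment so nobody removes it during a cleanup.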
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
</zone>
127.0.0.1 localhost
::1 localhost
{% for host in groups['headnode'] %}
{{ headnode_private_ip }} {{ hostvars[host]['inventory_hostname'] }} {{ hostvars[host]['inventory_hostname'] }}.local
{% endfor %}
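Review bot: The loop iterates over every host in `groups['headnode']` but writes the single group-level `headnode_private_ip` on each line, so with two or more head nodes all of their names resolve to the same address; either take a per-host value from `hostvars[host]` or, if exactly one head node is assumed, replace the loop with a single line and state the assumption in a comment. The `.local` alias is handed out here while the internal zone also enables `mdns`, which resolves `.local` on its own; a comment on which of the two is meant to be authoritative would avoid confusing mismatches later.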
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes