

Force NFSv4
Revert EL repo use for BOS
Fix Makefile for image variants
Fix permissions for home dir on login
Add MOTD update task
tom91136 committed Sep 28, 2024
1 parent e0e1250 commit 4e503fc
Showing 8 changed files with 68 additions and 65 deletions.
39 changes: 9 additions & 30 deletions images/Makefile
Expand Up @@ -10,7 +10,7 @@ ALMA_VERSION_MAJOR := $(shell VERSION=$(ALMA_VERSION); echo $${VERSION%%.*})

all: opnsense.qcow2 \
bos.x86_64.qcow2 bos.aarch64.qcow2 \
cos.x86_64.warewulf.tar cos.aarch64.warewulf.tar
cos.plain.x86_64.warewulf.tar cos.plain.aarch64.warewulf.tar

clean:
rm -rf *.sha256 *.qcow2 *.iso *.iso.bz2 *.raw *.vmdk *.tar *.tmp.sh output-* .config .cache *.log
Expand Down Expand Up @@ -65,35 +65,14 @@ bos.%.qcow2: AlmaLinux-$(ALMA_VERSION_MAJOR)-GenericCloud-$(ALMA_VERSION)-$(ALMA
almalinux.pkr.hcl
mv output-bos."$*"/$@ "$@"

cos.%.qcow2: export PACKER_LOG = 1
cos.%.qcow2: AlmaLinux-$(ALMA_VERSION_MAJOR)-GenericCloud-$(ALMA_VERSION)-$(ALMA_BUILD).%.qcow2 almalinux.pkr.hcl cos-provision.sh
packer init .
packer build -force -only='cos.*' \
-var "name=cos" \
-var "image=$<" \
-var "arch=$*" \
-var "ovmf_code=$(OVMF_CODE_PATH)" -var "ovmf_vars=$(OVMF_VARS_PATH)" \
-var "aavmf_code=$(AAVMF_CODE_PATH)" -var "aavmf_vars=$(AAVMF_VARS_PATH)" \
-var "PACKAGES=$(PACKAGES)" \
almalinux.pkr.hcl
mv output-cos."$*"/$@ "$@"

VARIANT ?= plain

# Builds a warewulf uncompressed VNFS template of COS with warewulf patches
cos.%.warewulf.tar: Containerfile.cos.warewulf cos-provision.sh
$(eval VARIANT := $(word 1,$(subst ., ,$*))) \
$(eval ARCH := $(word 2,$(subst ., ,$*))) \
podman build --security-opt label=disable --no-cache \
--build-arg PACKAGES="$(PACKAGES)" \
--build-arg VARIANT="$(VARIANT)" \
--build-arg COS_RELEASE="$(ALMA_VERSION)" \
--platform "linux/$*" \
-f Containerfile.cos.warewulf -t "warewulf_cos_$(VARIANT)_$*"
podman save "warewulf_cos_$(VARIANT)_$*" >cos.$(VARIANT).$*.warewulf.tar

# Builds a uncompressed RAW format of COS (the size of match the size of the disk)
cos.%.raw: cos.%.qcow2
qemu-img convert "$<" "$@"

# Builds a compressed VMDK format of COS
cos.%.vmdk: cos.%.qcow2
qemu-img convert -f qcow2 -O vmdk -o adapter_type=lsilogic,subformat=streamOptimized,compat6 "$<" "$@"
--build-arg PACKAGES="$(PACKAGES)" \
--build-arg VARIANT="$(VARIANT)" \
--build-arg COS_RELEASE="$(ALMA_VERSION)" \
--platform "linux/$(ARCH)" \
-f Containerfile.cos.warewulf -t "warewulf_cos_$*"
podman save "warewulf_cos_$*" >"$@"
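Review bot: The two `$(eval …)` lines at the top of the `cos.%.warewulf.tar` recipe assign global make variables from inside a recipe and rely on the trailing backslashes to fold their (empty) expansions into the `podman build` command; the same values are available straight from the stem, so `--build-arg VARIANT="$(word 1,$(subst ., ,$*))"` and `--platform "linux/$(word 2,$(subst ., ,$*))"` need neither the evals nor the line continuations. A stem without an arch component (a target spelled `cos.x86_64.warewulf.tar`) yields an empty `ARCH` and a `--platform linux/` argument that podman will reject with a less obvious message; a first recipe line such as `$(if $(word 2,$(subst ., ,$*)),,$(error $@: expected cos.<variant>.<arch>.warewulf.tar))` makes that failure explicit. If the evals are kept, a comment should say that `VARIANT`/`ARCH` are assigned per-target at recipe-expansion time and are not target-specific variables.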
5 changes: 1 addition & 4 deletions images/bos-provision.sh
Expand Up @@ -6,11 +6,8 @@ dnf install -y "https://repos.openhpc.community/OpenHPC/3/EL_9/$(arch)/ohpc-rele
dnf config-manager --set-enabled crb
dnf copr enable cyqsimon/micro -y

rpm --import "https://www.elrepo.org/RPM-GPG-KEY-elrepo.org"
dnf install -y "https://www.elrepo.org/elrepo-release-9.el9.elrepo.noarch.rpm"

dnf update -y
dnf install -y --enablerepo=elrepo-kernel kernel-ml kernel-ml-modules kernel-ml-devel
dnf install -y kernel-modules kernel-headers
dnf install -y --allowerasing --setopt=install_weak_deps=False \
podman perl /bin/mailx ${PACKAGES}

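Review bot: The replacement line `dnf install -y kernel-modules kernel-headers` carries no `-devel` package: `kernel-headers` only provides the userspace UAPI headers, so anything on BOS that relied on the ELRepo `kernel-ml-devel` to build out-of-tree modules (DKMS, for example) would need `kernel-devel` here instead or in addition. If nothing builds kernel modules this is fine, but a one-line comment stating which is intended (`# kernel-headers only: no out-of-tree modules are built on BOS`) would stop the next reader from "fixing" it. The enclosing script continues outside the hunk.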
7 changes: 6 additions & 1 deletion images/cos-provision.sh
Expand Up @@ -7,9 +7,14 @@ dnf install -y "https://repos.openhpc.community/OpenHPC/3/EL_9/$(arch)/ohpc-rele
dnf config-manager --set-enabled crb
dnf copr enable cyqsimon/micro -y

IFS='_' read -r -a values <<<"$VARIANT"
if [ ${#values[@]} -eq 0 ]; then
echo "No variant specified"
exit 1
fi

dnf update -y

IFS='_' read -r -a values <<<"$VARIANT"
for value in "${values[@]}"; do
case $value in
plain)
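Review bot: The new empty-variant check reads `"$VARIANT"` unguarded, so if the script runs under `set -u` (its preamble is outside the hunk) an unset `VARIANT` aborts with bash's "unbound variable" message before the friendly `No variant specified` line is ever reached; `IFS='_' read -r -a values <<<"${VARIANT:-}"` keeps the intended path. The diagnostic is also written to stdout; `echo "No variant specified" >&2` keeps it with the other errors. Note that `${#values[@]} -eq 0` only catches an empty string — values like `_` or `plain__foo` may produce empty tokens that fall through to the `case` below, whose default branch is outside the hunk, so that branch should reject anything it does not recognise.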
57 changes: 32 additions & 25 deletions playbook-svc-mgmt.yml
Expand Up @@ -19,36 +19,40 @@

- name: Generate webhookd privatekeys
community.crypto.openssl_privatekey:
path: "/etc/webhookd/{{item}}.key"
mode: 600
path: "{{host_backup_directory}}/{{item}}.key"
loop: [server, client]
delegate_to: localhost
become: false

- name: Create CSR for new certificate
community.crypto.openssl_csr_pipe:
privatekey_path: "/etc/webhookd/{{item}}.key"
privatekey_path: "{{host_backup_directory}}/{{item}}.key"
use_common_name_for_san: false
common_name: local CA
subject_alt_name:
- "DNS:mgmt.{{domain}}"
- "DNS:{{hostvars[inventory_hostname]['ansible_default_ipv4']['address']}}"
register: csr
loop: [server, client]
delegate_to: localhost
become: false

- name: Generate webhookd publickeys
community.crypto.x509_certificate:
privatekey_path: "/etc/webhookd/{{item.item}}.key"
path: "/etc/webhookd/{{item.item}}.pem"
privatekey_path: "{{host_backup_directory}}/{{item.item}}.key"
path: "{{host_backup_directory}}/{{item.item}}.pem"
csr_content: "{{item.csr}}"
provider: selfsigned
selfsigned_not_after: "+3650d"
mode: 644
loop: "{{csr.results}}"
delegate_to: localhost
become: false

- name: Fetch webhookd keypairs
ansible.builtin.fetch:
flat: true
src: "/etc/webhookd/{{item}}"
dest: "{{host_backup_directory}}/{{item}}"
- name: Upload webhookd keypairs
ansible.builtin.copy:
src: "{{host_backup_directory}}/{{item}}"
dest: "/etc/webhookd/{{item}}"
mode: 600
loop: [server.pem, server.key, client.pem, client.key]

- name: Allow binding webhook port in SELinux
Expand Down Expand Up @@ -300,30 +304,33 @@
group: "{{idm_default_group}}"
loop: "{{mgmt_exported_directories}}"

- name: Permit mountd service
- name: Permit rpc-bind and dependent services
ansible.posix.firewalld:
service: mountd
state: enabled
permanent: true

- name: Permit rpc-bind service
ansible.posix.firewalld:
service: rpc-bind
state: enabled
permanent: true

- name: Permit rquotad service
ansible.posix.firewalld:
service: rquotad
service: "{{item}}"
state: enabled
permanent: true
loop: [rpc-bind, mountd, rquotad]

- name: Enable rquotad service
ansible.builtin.systemd_service:
name: rpc-rquotad
state: started
enabled: true

- name: Enable NFSv4 only
ansible.builtin.blockinfile:
path: /etc/nfs.conf
append_newline: true
prepend_newline: true
marker: "### {mark} Ansible generated block: do not edit this section! ###"
block: |
[nfsd]
vers3=n
vers4=y
vers4.0=y
vers4.1=y
vers4.2=y
### rds1 NFS ###

- name: Get fresh Kerberos ticket
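Review bot: In the new `Upload webhookd keypairs` task, `mode: 600` is a YAML integer, which Ansible's file modules interpret as decimal 600 (octal 1130) rather than 0600 — the copied private keys end up with a bogus mode instead of owner-only access; write it as the quoted octal string `mode: "0600"`. Ownership is left to the default, so the keys land owned by the become user; add `owner`/`group` for the account webhookd actually runs as if that is not root. In the second hunk, the `Enable NFSv4 only` blockinfile edits `/etc/nfs.conf` without a `notify` to restart `nfs-server`, so the version change only takes effect on the next unrelated restart, and with `vers3=n` the `mountd`/`rpc-bind`/`rquotad` firewall services opened just above are NFSv3 side-band ports — rquotad may still be wanted for client quota queries, but the list could otherwise narrow to `nfs` to reduce what is exposed.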
9 changes: 9 additions & 0 deletions playbook-task-update_motd.yml
@@ -0,0 +1,9 @@
- name: Update login node MOTD
hosts: "login-*.{{domain}}"
become: true

tasks:
- name: Upload motd
ansible.builtin.copy:
content: "{{login_message_of_the_day}}"
dest: /etc/motd.d/00-welcome.motd
8 changes: 4 additions & 4 deletions staging.rb
Expand Up @@ -153,10 +153,10 @@ def self.write_inventory(pve_ip:, storage_pool:, extra_hosts:, host_common_hash:
overlays: %w[wwinit generic arch-x86_64],
sockets: 1,
threads_per_core: 1,
cores_per_socket: 2,
cores_per_socket: 4,
pve_disk_size: '1G',
pve_mem_gb: 10, # Otherwise iPXE runs out of memory decompressing initramfs
pve_ncores: 2
pve_ncores: 4
},
"compute1.#{DOMAIN}": {
ip: '10.10.10.151',
Expand All @@ -168,10 +168,10 @@ def self.write_inventory(pve_ip:, storage_pool:, extra_hosts:, host_common_hash:
overlays: %w[wwinit generic arch-aarch64],
sockets: 1,
threads_per_core: 1,
cores_per_socket: 2,
cores_per_socket: 4,
pve_disk_size: '1G',
pve_mem_gb: 10, # Otherwise iPXE runs out of memory decompressing initramfs
pve_ncores: 2
pve_ncores: 4
}
}

1 change: 1 addition & 0 deletions templates/webhookd_exec_del_host.sh.j2
Expand Up @@ -11,5 +11,6 @@ logger "$0: Deleting host $HOST.{{domain}}"
ipa host-del "$HOST.{{domain}}" 2>&1 || true | logger
logger "$0: Deleting A record for $HOST"
ipa dnsrecord-del "{{domain}}" "$HOST" --del-all 2>&1 || true | logger
logger "$0: Host $HOST.{{domain}} deleted"

exit 0
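Review bot: The new `logger "$0: Host $HOST.{{domain}} deleted"` line reports success unconditionally, because the `|| true` on the two `ipa` lines above discards their exit status — on a failed `host-del` or `dnsrecord-del` the journal will still say the host was deleted. Those two lines also parse as `ipa … 2>&1 || (true | logger)`, so the ipa output never reaches logger either; grouping them as `{ ipa host-del "$HOST.{{domain}}" 2>&1 || true; } | logger` (and likewise for `dnsrecord-del`) fixes the routing. Until the status is captured in a variable and the success message gated on it, the final line is more honest as `logger "$0: Deletion of $HOST.{{domain}} attempted"`.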
7 changes: 6 additions & 1 deletion templates/webhookd_exec_provision.sh.j2
Expand Up @@ -5,16 +5,21 @@ set -eu
PAM_USER="$user"
HOME_DIR="/mnt/rds1/home/$PAM_USER"

logger "$0: Provisioning for $PAM_USER @ $HOME_DIR ..."

kinit -kt /etc/root.keytab root

if [ -d "$HOME_DIR" ]; then
logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; skipping..."
logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; setting permissions only..."
chown "$PAM_USER":"$PAM_USER" "$HOME_DIR"
elif ipa user-find --login="$user" --in-groups="{{idm_default_group}}" >/dev/null 2>&1; then
logger "$0: Creating homedir $HOME_DIR for $PAM_USER ($(id -u "$PAM_USER"))"
mkdir -p "$HOME_DIR"
find /etc/skel -mindepth 1 -exec cp {} "$HOME_DIR/" \;
chown -R "$PAM_USER":"$PAM_USER" "$HOME_DIR"
chmod 700 "$HOME_DIR"
else
logger "$0: Unknown user $PAM_USER, request ignored"
fi
logger "$0: Provision completed for $PAM_USER"
exit 0
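Review bot: The new existing-homedir branch runs `chown` on a path built from `$user` before that name has been checked against IdM — the `ipa user-find --in-groups` membership test only guards the creation branch, so a request naming an account outside the default group that already has a directory under `/mnt/rds1/home` now gets that directory re-owned where it was previously only logged and skipped. Moving the membership check first makes both branches conditional on it, and mirroring the creation branch with `chmod 700 "$HOME_DIR"` completes the "fix permissions" intent, since `chown` alone leaves a permissive mode in place. `$user` appears to come from the webhookd request environment (its origin is outside the hunk); it is used quoted throughout, but validating it once up front is what keeps the two branches consistent.
```shell
# … unchanged: PAM_USER/HOME_DIR setup, logger, kinit …
if ! ipa user-find --login="$user" --in-groups="{{idm_default_group}}" >/dev/null 2>&1; then
  logger "$0: Unknown user $PAM_USER, request ignored"
elif [ -d "$HOME_DIR" ]; then
  logger "$0: Request received for user $PAM_USER with existing homedir: $HOME_DIR; setting permissions only..."
  chown "$PAM_USER":"$PAM_USER" "$HOME_DIR"
  chmod 700 "$HOME_DIR"
else
  # … unchanged: homedir creation (mkdir -p, /etc/skel copy, chown -R, chmod 700) …
fi
```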
