Merge pull request #247 from stackhpc/feat/proxy-nameservers

Support configuring nameservers and proxies

ansible/.gitignore

@@ -33,4 +33,10 @@ roles/*
 !roles/mysql/
 !roles/mysql/**
 !roles/systemd/
-!roles/systemd/**
+!roles/systemd/**
+!roles/freeipa/
+!roles/freeipa/**
+!roles/proxy/
+!roles/proxy/**
+!roles/resolv_conf/
+!roles/resolv_conf/**

ansible/bootstrap.yml

@@ -13,6 +13,14 @@
           to update these variable names. ** NB: The actual secrets will not be changed.**
       when: "'secrets_openhpc_' in (hostvars[inventory_hostname] | join)"
 
+- hosts: resolv_conf
+  become: yes
+  gather_facts: false
+  tags: resolv_conf
+  tasks:
+    - import_role:
+        name: resolv_conf
+
 - hosts: etc_hosts
   gather_facts: false
   tags: etc_hosts
@@ -21,6 +29,14 @@
     - import_role:
         name: etc_hosts
 
+- hosts: proxy
+  gather_facts: false
+  tags: proxy
+  become: yes
+  tasks:
+    - import_role:
+        name: proxy
+
 - hosts: cluster
   gather_facts: false
   tasks:

ansible/cleanup.yml

@@ -13,8 +13,12 @@
   file:
     path: /etc/resolv.conf
     state: absent
+  when: "'resolv_conf' not in group_names" # if its been overriden, deleting it is the wrong thing to do
 
 - name: Reenable NetworkManager control of resolv.conf
+  # NB: This *doesn't* delete the 90-dns-none.conf file created by the resolv_conf role
+  # as if nameservers are explicitly being set by that role we don't want to allow NM
+  # to override it again.
   file:
     path: /etc/NetworkManager/conf.d/99-cloud-init.conf
     state: absent

ansible/roles/proxy/README.md

@@ -0,0 +1,11 @@
+# proxy
+
+Define http/s proxy configuration.
+
+## Role variables
+
+- `proxy_http_proxy`: Required. Address of http proxy. E.g. "http://10.1.0.28:3128" for a Squid proxy on default port.
+- `proxy_https_proxy`: Optional. Address of https proxy. Default is `{{ proxy_http_proxy }}`.
+- `proxy_no_proxy`: Optional. Comma-separated list of addresses not to proxy. Default is to concatenate `inventory_hostname` (for hostnames) and `ansible_host` (for host IPs) for all Ansible hosts.
+- `proxy_dnf`: Optional bool. Whether to configure yum/dnf proxying through `proxy_http_proxy`. Default `true`.
+- `proxy_systemd`: Optional bool. Whether to give processes started by systemd the above http, https and no_proxy configuration. **NB** Running services will need restarting if this is changed. Default `true`.

ansible/roles/proxy/defaults/main.yml

@@ -0,0 +1,5 @@
+# proxy_http_proxy: 
+proxy_https_proxy: "{{ proxy_http_proxy }}"
+proxy_no_proxy: "{{ (groups['all'] + hostvars.values() | map(attribute='ansible_host')) | sort | join(',') }}"
+proxy_dnf: true
+proxy_systemd: true

ansible/roles/proxy/tasks/main.yml

@@ -0,0 +1,63 @@
+- name: Define configuration in /etc/environment
+  tags: proxy
+  lineinfile:
+    path: "/etc/environment"
+    create: yes
+    owner: root
+    group: root
+    mode: o=rw,go=r
+    state: present
+    regexp: "{{ item.key }}=.*"
+    line: "{{ item.key }}={{ item.value }}"
+  loop:
+    - key: http_proxy
+      value: "{{ proxy_http_proxy }}"
+    - key: https_proxy
+      value: "{{ proxy_https_proxy }}"
+    - key: no_proxy
+      value: "{{ proxy_no_proxy }}"
+
+- name: Define dnf proxy
+  ini_file:
+    path: /etc/dnf/dnf.conf
+    section: main
+    option: "proxy"
+    value: "{{ proxy_http_proxy }}"
+    no_extra_spaces: true
+    owner: root
+    group: root
+    mode: o=rw,go=r
+  when: proxy_dnf | bool
+
+- name: Create systemd configuration directory
+  file:
+    path: /etc/systemd/system.conf.d/
+    state: directory
+    owner: root
+    group: root
+    mode: ug=rw,o=rX
+  when: proxy_systemd | bool
+
+- name: Define proxy configuration for systemd units
+  community.general.ini_file:
+    path: /etc/systemd/system.conf.d/90-proxy.conf
+    section: Manager
+    option: DefaultEnvironment
+    value: >
+        "http_proxy={{ proxy_http_proxy }}" "https_proxy={{ proxy_http_proxy }}" "no_proxy={{ proxy_no_proxy }}"
+    no_extra_spaces: true
+    owner: root
+    group: root
+    mode: ug=rw,o=r
+  register: _copy_systemd_proxy
+  when: proxy_systemd | bool
+
+- name: Restart systemd
+  command: systemctl daemon-reexec
+  when: 
+    - proxy_systemd | bool
+    - _copy_systemd_proxy.changed | default(false)
+
+- name: Reset connection to get new /etc/environment
+  meta: reset_connection
+  # NB: conditionals not supported

ansible/roles/resolv_conf/README.md

@@ -0,0 +1,12 @@
+# resolv_conf
+
+Template out `/etc/resolv.conf`.
+
+## Role variables
+- `resolv_conf_nameservers`: List of up to 3 nameserver addresses.
+
+Notes:
+- `NetworkManager` (if used) will be prevented from rewriting this file on boot.
+- If `/etc/resolv.conf` includes `127.0.0.1` (e.g. due to a FreeIPA server installation), then `resolv_conf_nameservers` is ignored and this role does not change `/etc/resolv.conf`
+- For hosts in the `resolv_conf` group, the `/etc/resolv.conf` created with `resolv_conf_nameservers` will
+  NOT be deleted at the end of Packer image builds.

ansible/roles/resolv_conf/defaults/main.yml

@@ -0,0 +1 @@
+resolv_conf_nameservers: []

ansible/roles/resolv_conf/files/NetworkManager-dns-none.conf

@@ -0,0 +1,2 @@
+[main]
+dns=none

ansible/roles/resolv_conf/tasks/main.yml

@@ -0,0 +1,30 @@
+- name: Read nameservers from /etc/resolv.conf
+  ansible.builtin.slurp:
+    src: /etc/resolv.conf
+  register: _slurp_resolv_conf
+
+- name: Set nameservers in /etc/resolv.conf
+  # Might need to set this for freeipa_server host, but freeipa server install
+  # will then change it to point to 127.0.0.1.
+  ansible.builtin.template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: u=rw,og=r
+  when: "'127.0.0.1' not in (_slurp_resolv_conf.content | b64decode)"
+
+- name: Disable NetworkManager control of resolv.conf
+  ansible.builtin.copy:
+    src: NetworkManager-dns-none.conf
+    dest: /etc/NetworkManager/conf.d/90-dns-none.conf
+    owner: root
+    group: root
+    mode: u=rw,og=r
+  register: _copy_nm_config
+
+- name: Reload NetworkManager
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: reloaded
+  when: _copy_nm_config.changed | default(false)

ansible/roles/resolv_conf/templates/resolv.conf.j2

@@ -0,0 +1,6 @@
+# Created by slurm appliance ansible/roles/resolv_conf
+search {{ openhpc_cluster_name }}.{{ tld }}
+
+{% for ns in resolv_conf_nameservers[0:3] %}
+nameserver {{ ns }}
+{% endfor %}

environments/common/inventory/group_vars/all/defaults.yml

@@ -3,8 +3,7 @@
 ansible_user: rocky
 appliances_repository_root: "{{ lookup('env', 'APPLIANCES_REPO_ROOT') }}"
 appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}"
-#appliances_state_dir: # define an absolute path here to use for persistent state
-releasever: '8.6'
+#appliances_state_dir: # define an absolute path here to use for persistent state: NB: This is defined as /var/lib/state in inventory by the default Terraform
 
 # Address(ip/dns) for internal communication between services. This is
 # normally traffic you do no want to expose to users.

environments/common/inventory/groups

@@ -94,13 +94,15 @@ fail2ban
 [etc_hosts]
 # Hosts to manage /etc/hosts e.g. if no internal DNS. See ansible/roles/etc_hosts/README.md
 
-[cloud_init:children]
-# Hosts to template out cloud_init data for
-etc_hosts
-
 [systemd:children]
 # Hosts to make systemd unit adjustments on
 opensearch
 grafana
 control
 prometheus
+
+[resolv_conf]
+# Allows defining nameservers in /etc/resolv.conf - see ansible/roles/resolv_conf/README.md
+
+[proxy]
+# Hosts to configure http/s proxies - see ansible/roles/proxy/README.md

environments/common/layouts/everything

@@ -54,3 +54,9 @@ compute
 
 [etc_hosts]
 # Hosts to manage /etc/hosts e.g. if no internal DNS. See ansible/roles/etc_hosts/README.md
+
+[resolv_conf]
+# Allows defining nameservers in /etc/resolv.conf - see ansible/roles/resolv_conf/README.md
+
+[proxy]
+# Hosts to configure http/s proxies - see ansible/roles/proxy/README.md