stackhpc
diff --git a/‎.github/workflows/fatimage.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/fatimage.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎ansible/.gitignore
Lines changed: 2 additions & 0 deletions b/‎ansible/.gitignore
Lines changed: 2 additions & 0 deletions
diff --git a/‎ansible/adhoc/backup-keytabs.yml
Lines changed: 11 additions & 0 deletions b/‎ansible/adhoc/backup-keytabs.yml
Lines changed: 11 additions & 0 deletions
diff --git a/‎ansible/adhoc/cve-2023-41914.yml
Lines changed: 6 additions & 0 deletions b/‎ansible/adhoc/cve-2023-41914.yml
Lines changed: 6 additions & 0 deletions
diff --git a/‎ansible/bootstrap.yml
Lines changed: 15 additions & 10 deletions b/‎ansible/bootstrap.yml
Lines changed: 15 additions & 10 deletions
diff --git a/‎ansible/ci/retrieve_inventory.yml
Lines changed: 2 additions & 1 deletion b/‎ansible/ci/retrieve_inventory.yml
Lines changed: 2 additions & 1 deletion
diff --git a/‎ansible/extras.yml
Lines changed: 22 additions & 1 deletion b/‎ansible/extras.yml
Lines changed: 22 additions & 1 deletion
diff --git a/‎ansible/fatimage.yml
Lines changed: 15 additions & 3 deletions b/‎ansible/fatimage.yml
Lines changed: 15 additions & 3 deletions
diff --git a/‎ansible/iam.yml
Lines changed: 38 additions & 4 deletions b/‎ansible/iam.yml
Lines changed: 38 additions & 4 deletions
diff --git a/‎ansible/roles/cuda/README.md
Lines changed: 1 addition & 0 deletions b/‎ansible/roles/cuda/README.md
Lines changed: 1 addition & 0 deletions
@@ -47,7 +47,7 @@ jobs:
           . environments/.stackhpc/activate
           cd packer/
           packer init .
-          PACKER_LOG=1 packer build -only openstack.openhpc -on-error=ask -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
+          PACKER_LOG=1 packer build -only openstack.openhpc -on-error=${{ vars.PACKER_ON_ERROR }} -var-file=$PKR_VAR_environment_root/${{ vars.CI_CLOUD }}.pkrvars.hcl openstack.pkr.hcl
 
       - name: Get created image name from manifest
         id: manifest
 
@@ -42,3 +42,5 @@ roles/*
 !roles/proxy/**
 !roles/resolv_conf/
 !roles/resolv_conf/**
+!roles/cve-2023-41914
+!roles/cve-2023-41914/**
@@ -0,0 +1,11 @@
+# Use ONE of the following tags on this playbook:
+#   - retrieve: copies keytabs out of the state volume to the environment
+#   - deploy: copies keytabs from the environment to the state volume
+
+- hosts: freeipa_client
+  become: yes
+  gather_facts: no
+  tasks:
+    - import_role:
+        name: freeipa
+        tasks_from: backup-keytabs.yml
@@ -0,0 +1,6 @@
+- hosts: openhpc
+  gather_facts: no
+  become: yes
+  tasks:
+    - import_role:
+        name: cve-2023-41914
@@ -82,6 +82,21 @@
         policy: "{{ selinux_policy }}"
       register: sestatus
 
+- hosts: freeipa_server
+  # Done here as it might be providing DNS
+  tags:
+    - freeipa
+    - freeipa_server
+  gather_facts: yes
+  become: yes
+  tasks:
+    - name: Install FreeIPA server
+      import_role:
+        name: freeipa
+        tasks_from: server.yml
+
+# --- tasks after here require access to package repos ---
+
 - hosts: firewalld
   gather_facts: false
   become: yes
@@ -112,16 +127,6 @@
         tasks_from: config.yml
       tags: config
 
-- name: Setup EESSI
-  hosts: eessi
-  tags: eessi
-  become: true
-  gather_facts: false
-  tasks:
-    - name: Install and configure EESSI
-      import_role:
-        name: eessi
-
 - hosts: update
   gather_facts: false
   become: yes
 
@@ -7,7 +7,8 @@
   gather_facts: no
   vars:
     cluster_prefix: "{{ undef(hint='cluster_prefix must be defined') }}" # e.g. ci4005969475
-    cluster_network: WCDC-iLab-60
+    ci_vars_file: "{{ appliances_environment_root + '/terraform/' + lookup('env', 'CI_CLOUD') }}.tfvars"
+    cluster_network: "{{ lookup('ansible.builtin.ini', 'cluster_net', file=ci_vars_file, type='properties') | trim('\"') }}"
   tasks:
     - name: Get control host IP
       set_fact:
 
@@ -1,4 +1,25 @@
-- hosts: cuda
+- hosts: basic_users
+  become: yes
+  tags:
+    - basic_users
+    - users
+  gather_facts: yes
+  tasks:
+    - import_role:
+        name: basic_users
+
+- name: Setup EESSI
+  hosts: eessi
+  tags: eessi
+  become: true
+  gather_facts: false
+  tasks:
+    - name: Install and configure EESSI
+      import_role:
+        name: eessi
+
+- name: Setup CUDA
+  hosts: cuda
   become: yes
   gather_facts: no
   tags: cuda
 
@@ -1,5 +1,12 @@
 # Builder version of site.yml just installing binaries
 
+- hosts: builder
+  become: no
+  gather_facts: no
+  tasks:
+    - name: Report hostname (= final image name)
+      command: hostname
+
 - name: Run pre.yml hook
   vars:
     appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}"
@@ -27,6 +34,13 @@
         state: stopped
         enabled: false
 
+    # - import_playbook: iam.yml
+    - name: Install FreeIPA client
+      import_role:
+        name: freeipa
+        tasks_from: client-install.yml
+      when: "'freeipa_client' in group_names"
+
     # - import_playbook: filesystems.yml
     - name: nfs
       dnf:
@@ -44,7 +58,7 @@
         tasks_from: "install-{{ openhpc_install_type }}.yml"
 
     - name: Include distribution variables for osc.ood
-      include_vars: "{{ appliances_repository_root }}/ansible/roles/osc.ood/vars/Rocky.yml"
+      include_vars: "{{ appliances_repository_root }}/ansible/roles/osc.ood/vars/Rocky/8.yml"
     # FUTURE: install-apps.yml - this is git clones
 
     # - import_playbook: portal.yml
@@ -141,8 +155,6 @@
         name: cloudalchemy.grafana
         tasks_from: install.yml
 
-    # - import_playbook: iam.yml - nothing to do
-
 - name: Run post.yml hook
   vars:
     appliances_environment_root: "{{ lookup('env', 'APPLIANCES_ENVIRONMENT_ROOT') }}"
 
@@ -1,8 +1,42 @@
-- hosts: basic_users
+- hosts: freeipa_client
+  tags:
+    - freeipa
+    - freeipa_server # as this is only relevant if using freeipa_server
+    - freeipa_host
+  gather_facts: no
   become: yes
+  tasks:
+    - name: Ensure FreeIPA client hosts are added to the FreeIPA server
+      import_role:
+        name: freeipa
+        tasks_from: addhost.yml
+      when: groups['freeipa_server'] | length > 0
+
+- hosts: freeipa_client
   tags:
-    - basic_users
+    - freeipa
+    - freeipa_client
   gather_facts: yes
+  become: yes
+  tasks:
+    - name: Install FreeIPA client
+      import_role:
+        name: freeipa
+        tasks_from: client-install.yml
+    - name: Enrol FreeIPA client
+      import_role:
+        name: freeipa
+        tasks_from: enrol.yml
+
+- hosts: freeipa_server
+  tags:
+    - freeipa
+    - freeipa_server
+    - users
+  gather_facts: yes
+  become: yes
   tasks:
-    - import_role:
-        name: basic_users
+    - name: Add FreeIPA users
+      import_role:
+        name: freeipa
+        tasks_from: users.yml
@@ -10,5 +10,6 @@ Requires OFED to be installed to provide required kernel-* packages.
 
 - `cuda_distro`: Optional. Default `rhel8`.
 - `cuda_repo`: Optional. Default `https://developer.download.nvidia.com/compute/cuda/repos/{{ cuda_distro }}/x86_64/cuda-{{ cuda_distro }}.repo`
+- `cuda_driver_stream`: Optional. The default value `default` will, on first use of this role, enable the dkms-flavour `nvidia-driver` DNF module stream with the current highest version number. The `latest-dkms` stream is not enabled, and subsequent runs of the role will *not* change the enabled stream, even if a later version has become available. Changing this value once an `nvidia-driver` stream has been enabled raises an error. If an upgrade of the `nvidia-driver` module is required, the currently-enabled stream and all packages should be manually removed.
 - `cuda_packages`: Optional. Default: `['cuda', 'nvidia-gds']`.
 - `cuda_persistenced_state`: Optional. State of systemd `nvidia-persistenced` service. Values as [ansible.builtin.systemd:state](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/systemd_module.html#parameter-state). Default `started`.