Enable EESSI proxy by default

[sjpb]

IMPORTANT: This PR impacts default services on the control node. Review docs below to assess suitability of the default configuration. It also changes squid role defaults.

• Default to running squid on control node as a proxy for EESSI to reduce load on Stratum 1 servers and reduce latency for clients. See docs/eessi.yml for notes on proxy requirements and alternative configurations.

• Modify squid role to support two default configurations, selectable via squid_mode: general for previous general/DNF proxy and eessi (the default) for EESSI clients.

• As part of automatic configuration for the above an inventory group_var cluster_subnets is now templated into the hosts.yml file. This contains dicts for each network in OpenTofu variable cluster_networks with keys name and cidr.

• Adds back testing of EESSI in StackHPC CI.

Requires an image build as changes eessi role which is copied into image.

[sjpb]

Image build: https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/21252996034

[sjpb]

Image build: https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/21255302356

[sjpb]

Image build: https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/21255975312

[sjpb]

Image build: https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/21258134741

[elelaysh]

LGTM with a couple remarks.

And a question: to not switch to an eessi proxy, what should a client site do?

• remove control from [squid:children] in the environments/site/inventory/groups
• set cvmfs_http_proxy: '' in eg. environments/site/inventory/group_vars/all.yml

[sjpb]

• remove control from [squid:children] in the environments/site/inventory/groups
• set cvmfs_http_proxy: '' in eg. environments/site/inventory/group_vars/all.yml

The first would work, the 2nd would work but would still leave you with squid configured to be a proxy. Or alternatively setting squid_conf_mode: general will remove that squid node from being a CVMFS proxy - so if you set that generally, there will be no CVMFS proxies and EESSI will not proxy.

I'm not too fussed about documenting this TBH, everyone should be running with a proxy really if using EESSI and the notes in docs/eeesi do suggest alternative configs.

[elelaysh]

• remove control from [squid:children] in the environments/site/inventory/groups
• set cvmfs_http_proxy: '' in eg. environments/site/inventory/group_vars/all.yml

The first would work, the 2nd would work but would still leave you with squid configured to be a proxy. Or alternatively setting squid_conf_mode: general will remove that squid node from being a CVMFS proxy - so if you set that generally, there will be no CVMFS proxies and EESSI will not proxy.

• remove control from [squid:children] in the environments/site/inventory/groups
• set cvmfs_http_proxy: '' in eg. environments/site/inventory/group_vars/all.yml

The first would work, the 2nd would work but would still leave you with squid configured to be a proxy.

I thought both were necessary, one to not setup the proxy, the other not to use it.

I'm not too fussed about documenting this TBH, everyone should be running with a proxy really if using EESSI and the notes in docs/eeesi do suggest alternative configs.

Sure

[sjpb]

I thought both were necessary, one to not setup the proxy, the other not to use it.

If you don't setup the proxy (i.e. no squid nodes in eessi squid_conf_mode, then the logic in environments/common/inventory/group_vars/all/eessi.yml ensures that eessi clients do not use a proxy.

[sjpb]

Image build: https://github.com/stackhpc/ansible-slurm-appliance/actions/runs/21392085447

[elelaysh]

LGTM