Merge branch 'main' into feature/cacert

Author: sjpb

ansible/roles/compute_init/README.md

@@ -46,7 +46,7 @@ it also requires an image build with the role name added to the
 | bootstrap.yml            | (system users)          | None required - use image build | No                  |
 | bootstrap.yml            | systemd                 | None required - use image build | No                  |
 | bootstrap.yml            | selinux                 | None required - use image build | Maybe [1]           |
-| bootstrap.yml            | sshd                    | None at present                 | No                  |
+| bootstrap.yml            | sshd                    | Fully supported                 | No                  |
 | bootstrap.yml            | dnf_repos               | None at present [2]             | -                   |
 | bootstrap.yml            | cacerts                 | Supported [3]                   | -                   |
 | bootstrap.yml            | squid                   | Not relevant for compute nodes  | n/a                 |
@@ -64,7 +64,7 @@ it also requires an image build with the role name added to the
 | hooks/post-bootstrap.yml | ?                       | None at present                 | n/a                 |
 | iam.yml                  | freeipa_client          | None at present [4]             | Yes                 |
 | iam.yml                  | freeipa_server          | Not relevant for compute nodes  | n/a                 |
-| iam.yml                  | sssd                    | None at present                 | No                  |
+| iam.yml                  | sssd                    | Fully supported                 | No                  |
 | filesystems.yml          | block_devices           | None required - role deprecated | n/a                 |
 | filesystems.yml          | nfs                     | All client functionality        | No                  |
 | filesystems.yml          | manila                  | All functionality               | No [5]              |

ansible/roles/compute_init/files/compute-init.yml

@@ -9,7 +9,12 @@
     enable_compute: "{{ os_metadata.meta.compute | default(false) | bool }}"
     enable_resolv_conf: "{{ os_metadata.meta.resolv_conf | default(false) | bool }}"
     enable_etc_hosts: "{{ os_metadata.meta.etc_hosts | default(false) | bool }}"
+<<<<<<< HEAD
     enable_cacerts: "{{ os_metadata.meta.cacerts | default(false) | bool }}"
+=======
+    enable_sssd: "{{ os_metadata.meta.sssd | default(false) | bool }}"
+    enable_sshd: "{{ os_metadata.meta.sshd | default(false) | bool }}"
+>>>>>>> main
     enable_tuned:  "{{ os_metadata.meta.tuned | default(false) | bool }}"
     enable_nfs: "{{ os_metadata.meta.nfs | default(false) | bool }}"
     enable_manila: "{{ os_metadata.meta.manila | default(false) | bool }}"
@@ -140,10 +145,25 @@
         cacerts_cert_dir: "/mnt/cluster/cacerts"
       when: enable_cacerts
 
+    - name: Configure sshd
+      ansible.builtin.include_role:
+        name: sshd
+      vars:
+        sshd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sshd.conf"
+      when: enable_sshd
+
     - name: Configure tuned
       include_tasks: tasks/tuned.yml
       when: enable_tuned
 
+    - name: Configure sssd
+      ansible.builtin.include_role:
+        name: sssd
+        tasks_from: configure.yml
+      vars:
+        sssd_conf_src: "/mnt/cluster/hostconfig/{{ ansible_hostname }}/sssd.conf"
+      when: enable_sssd
+
     # NFS client mount
     - name: If nfs-clients is present
       include_tasks: tasks/nfs-clients.yml

ansible/roles/compute_init/tasks/export.yml

@@ -84,3 +84,24 @@
   delegate_to: "{{ groups['control'] | first }}"
   run_once: true
   when: "'cacerts' in group_names"
+
+- name: Create hostconfig directory
+  file:
+    path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
+    state: directory
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"
+
+- name: Template sssd config 
+  import_role:
+    name: sssd
+    tasks_from: export.yml
+  when: "'sssd' in group_names"
+
+- name: Template sshd config 
+  import_role:
+    name: sshd
+    tasks_from: export.yml
+  when: "'sshd' in group_names"

ansible/roles/compute_init/tasks/install.yml

@@ -35,6 +35,10 @@
       dest: filter_plugins/filter_keys.py
     - src: ../../cacerts
       dest: roles/
+    - src: ../../sssd
+      dest: roles/
+    - src: ../../sshd
+      dest: roles/
     - src: ../../tuned/tasks/configure.yml
       dest: tasks/tuned.yml
     - src: ../../stackhpc.nfs/tasks/nfs-clients.yml

ansible/roles/sshd/tasks/export.yml

@@ -0,0 +1,9 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sshd_conf_src }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sshd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/configure.yml

@@ -30,5 +30,6 @@
 - name: "Ensure oddjob is started"
   service:
     name: oddjobd
-    state: "{{ sssd_enable_mkhomedir }}"
-    enabled: "{{ sssd_enable_mkhomedir }}"
+    state: 'started'
+    enabled: true
+  when: sssd_enable_mkhomedir | bool

ansible/roles/sssd/tasks/export.yml

@@ -0,0 +1,9 @@
+# Exclusively used for compute-init
+- name: Inject host specific config template
+  template:
+    src: "{{ sssd_conf_src }}"
+    dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
+    owner: root
+    group: root
+    mode: u=rw,go=
+  delegate_to: "{{ groups['control'] | first }}"