|
5 | 5 |
|
6 | 6 | nfs_server_default: "{{ groups['control'] | first }}" # avoid using hostvars for compute-init
|
7 | 7 |
|
| 8 | +# create a space-separated list of nfs group IPs: |
| 9 | +_nfs_node_ips: "{{ groups['nfs'] | map('extract', hostvars, 'ansible_host') | join(' ') }}" |
| 10 | + |
| 11 | +# default *all* entries in nfs_configurations to only permitting mounts from above IPs: |
| 12 | +nfs_export_clients: "{{ _nfs_node_ips }}" |
| 13 | + |
8 | 14 | nfs_configurations:
|
9 | 15 | - comment: Export /exports/home from Slurm control node as /home
|
10 | 16 | nfs_enable:
|
11 | 17 | server: "{{ inventory_hostname in groups['control'] }}"
|
12 |
| - # Don't mount share on server where it is exported from... |
13 |
| - # Could do something like `nfs_clients: "{{ 'nfs_servers' not in group_names }}"` instead. |
| 18 | + # Don't mount share on control node: |
14 | 19 | clients: "{{ inventory_hostname in groups['cluster'] and inventory_hostname not in groups['control'] }}"
|
15 | 20 | nfs_server: "{{ nfs_server_default }}"
|
16 | 21 | nfs_export: "/exports/home" # assumes skeleton TF is being used
|
17 | 22 | nfs_client_mnt_point: "/home"
|
18 | 23 | # prevent tunnelling and setuid binaries:
|
19 | 24 | # NB: this is stackhpc.nfs role defaults but are set here to prevent being
|
20 | 25 | # accidently overriden via default options
|
21 |
| - nfs_export_options: 'rw,secure,root_squash' |
| 26 | + nfs_export_options: 'rw,secure,root_squash' |
| 27 | + # prevent non-cluster IPs mounting the share: |
| 28 | + # NB: this is set as default for all shares above but is repeated here |
| 29 | + # in case nfs_export_clients is overriden |
| 30 | + nfs_export_clients: "{{ _nfs_node_ips }}" |
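Review bot: `_nfs_node_ips` (new line 9) renders as an empty string when `groups['nfs']` is empty, and that value is then used as `nfs_export_clients` on new lines 12 and 30. Depending on how the stackhpc.nfs role writes the exports entry (not visible here), an empty client list could produce an export that is not limited to the cluster IPs, which is the opposite of what the comment on new line 27 intends. The expression also needs `hostvars` and an `ansible_host` on every host in the nfs group, while the context comment on line 6 says hostvars is avoided for compute-init, so it is worth confirming the variable is never templated on that path. I would state the precondition above the definition, e.g. `# NB: requires ansible_host for every host in groups['nfs']; must not be empty`, and add a pre-flight assert in the play that `_nfs_node_ips | length > 0`. The file header and anything above line 5 are outside the visible section.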