use ansible-init user for cluster share

Author: sjpb

ansible/roles/cacerts/tasks/export.yml

@@ -3,9 +3,9 @@
   ansible.builtin.copy:
     src: "{{ item }}"
     dest: /exports/cluster/cacerts/
-    owner: slurm
-    group: root
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   with_fileglob:
     - "{{ cacerts_cert_dir }}/*"
   delegate_to: "{{ groups['control'] | first }}"

ansible/roles/compute_init/files/compute-init.yml

@@ -83,7 +83,7 @@
         - ansible.builtin.meta: end_play
     - name: Check if hostvars exist
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.builtin.stat:
         path: "/mnt/cluster/hostvars/{{ ansible_hostname }}/hostvars.yml"
       register: hostvars_stat
@@ -98,7 +98,7 @@
         - ansible.builtin.meta: end_play
     - name: Sync /mnt/cluster to /var/tmp
       become: true
-      become_user: slurm
+      become_user: ansible-init # share is root-squashed
       ansible.posix.synchronize:
         src: "/mnt/cluster/"
         dest: "/var/tmp/cluster/"

ansible/roles/compute_init/tasks/export.yml

@@ -1,80 +1,74 @@
 ---
-- name: Ensure the /exports/cluster directory exists
+- name: Ensure /exports/cluster directory structure exists
   ansible.builtin.file:
     path: /exports/cluster
     state: directory
-    owner: slurm
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rX,g=rwX,o=
   run_once: true
+  loop:
+    - /exports/cluster
+    - /exports/cluster/hostvars
+    - /exports/cluster/cacerts
+    - /exports/cluster/cvmfs
+    - /exports/cluster/hostconfig
+    
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Copy /etc/hosts to /exports/cluster
   ansible.builtin.copy:
     src: /etc/hosts
     dest: /exports/cluster/hosts
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=r
     remote_src: true
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
 
-- name: Create hostvars directory
+- name: Create per-host hostvars directory
   ansible.builtin.file:
     path: /exports/cluster/hostvars/{{ inventory_hostname }}/
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template out hostvars
   ansible.builtin.template:
     src: hostvars.yml.j2
     dest: /exports/cluster/hostvars/{{ inventory_hostname }}/hostvars.yml
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"
 
-- name: Copy manila share info to /exports/cluster
-  ansible.builtin.copy:
-    content: "{{ os_manila_mount_share_info_var | to_nice_yaml }}"
+- name: Template manila share info to /exports/cluster
+  ansible.builtin.template:
+    src: os_manila_mount_share_info.j2
     dest: /exports/cluster/manila_share_info.yml
-    owner: slurm
-    group: root
-    mode: u=r,g=rw,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
   when: os_manila_mount_share_info is defined
-  vars:
-    os_manila_mount_share_info_var:
-      os_manila_mount_share_info: "{{ os_manila_mount_share_info }}"
-
-- name: Ensure /exports/cluster/cvmfs directory exists
-  ansible.builtin.file:
-    path: /exports/cluster/cvmfs
-    state: directory
-    owner: slurm
-    group: root
-    mode: "0755"
-  run_once: true
-  delegate_to: "{{ groups['control'] | first }}"
 
 - name: Export cacerts
   ansible.builtin.include_role:
     name: cacerts
     tasks_from: export.yml
   when: "'cacerts' in group_names"
 
-- name: Create hostconfig directory
+- name: Create per-host hostconfig directory
   ansible.builtin.file:
     path: "/exports/cluster/hostconfig/{{ inventory_hostname }}/"
     state: directory
-    owner: slurm
-    group: root
-    mode: u=rX,g=rwX,o=
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rwX,go=
   delegate_to: "{{ groups['control'] | first }}"
 
 - name: Template sssd config

ansible/roles/compute_init/templates/os_manila_mount_share_info.j2

@@ -0,0 +1 @@
+{{ os_manila_mount_share_info_var | to_nice_yaml }}

ansible/roles/nhc/tasks/export.yml

@@ -3,5 +3,7 @@
   ansible.builtin.template:
     src: "{{ nhc_config_template }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/nhc.conf"
-    mode: "0644"
+    owner: ansible-init
+    group: ansible-init
+    mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"

ansible/roles/sssd/tasks/export.yml

@@ -4,7 +4,7 @@
   ansible.builtin.template:
     src: "{{ sssd_conf_src }}"
     dest: "/exports/cluster/hostconfig/{{ inventory_hostname }}/sssd.conf"
-    owner: root
-    group: root
+    owner: ansible-init
+    group: ansible-init
     mode: u=rw,go=
   delegate_to: "{{ groups['control'] | first }}"

environments/common/inventory/group_vars/all/defaults.yml

@@ -77,6 +77,18 @@ appliances_local_users_default:
       shell: /sbin/nologin
       system: true
     enable: "{{ 'grafana' in group_names }}"
+  
+  - group:
+      name: ansible-init
+      gid: 301
+    user:
+      name: ansible-init
+      comment: ansible-init user
+      uid: 301
+      create_home: false
+      shell: /sbin/nologin
+      system: true
+    enable: "{{ 'ansible_init' in group_names }}"
 
 # Overide this to add extra users whilst keeping the defaults.
 appliances_local_users_extra: [] # see format of appliances_local_users_default above

environments/common/inventory/group_vars/all/nfs.yml

@@ -31,6 +31,7 @@ nfs_configuration_compute_nodes: # cluster configuration for compute_init/slurm-
       server: "{{ inventory_hostname in groups['control'] }}"
       clients: false
     nfs_export: "/exports/cluster"
+    nfs_export_options: "ro,secure,root_squash"
 
 nfs_configurations_extra: [] # site-specific nfs shares