
Issue #876: Login node ssh security issue and repos added to minimal leap

Signed-off-by: Bhagyashree-shetty <Bhagyashree_Shetty@dellteam.com>
Bhagyashree-shetty 3 years ago
parent
commit
134a06ec1c

+ 1 - 1
docs/INSTALL_OMNIA.md

@@ -90,7 +90,7 @@ __Note:__ After the Omnia repository is cloned, a folder named __omnia__ is crea
 | domain_name                | omnia.test    | Sets the intended domain name                                                                                                                                                                                                                        |
 | realm_name                 | OMNIA.TEST    | Sets the intended realm name                                                                                                                                                                                                                         |
 | directory_manager_password |               | Password authenticating admin level access to the Directory for system   management tasks. It will be added to the instance of directory server   created for IPA. <br> Required Length: 8 characters. <br> The   password must not contain -,\, '," |
-| ipa_admin_password         |               | IPA server admin password                                                                                                                                                                                                                            |
+| kerberos_admin_password         |               | "admin" user password for the IPA server on RockyOS. If LeapOS is in use, it is used as the "kerberos admin" user password for 389-ds <br> This field is not relevant to Management Stations running `LeapOS`                                                                                                                                                                                                                            |
 | enable_secure_login_node   |  **false**, true             | Boolean value deciding whether security features are enabled on the Login Node. For more information, see [here](docs/Security/Enable_Security_LoginNode.md).                                                                                                                                                                                                                           |
 	
 	
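Review bot: the new `kerberos_admin_password` description in this hunk contradicts itself: it first says that when LeapOS is in use the value is the "kerberos admin" user password for 389-ds, then says the field is not relevant to Management Stations running `LeapOS`. Keep one of the two statements, or rephrase so each OS is covered once (admin password for the IPA server on RockyOS; kerberos admin password for 389-ds on LeapOS). The added row is also padded much wider than the other rows, which is cosmetic but worth tidying to keep the table readable in source form.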

File diff suppressed because it is too large
+ 37 - 32
docs/INSTALL_OMNIA_CONTROL_PLANE.md


+ 6 - 6
docs/README.md

@@ -51,8 +51,8 @@ The following table lists the software and operating system requirements on the
 
 Requirements  |   Version
 ----------------------------------  |   -------
-OS pre-installed on the management station  |  Rocky 8.5/ Leap 15.3
-OS deployed by Omnia on bare-metal Dell EMC PowerEdge Servers | Rocky 8.5 Minimal Edition/ Leap 15.3
+OS pre-installed on the management station  |  Rocky 8.x/ Leap 15.x
+OS deployed by Omnia on bare-metal Dell EMC PowerEdge Servers | Rocky 8.x Minimal Edition/ Leap 15.x
 Cobbler  |  3.2.2
 Ansible AWX  |  19.4.0
 Slurm Workload Manager  |  20.11.2
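Review bot: relaxing the supported versions to `Rocky 8.x` / `Leap 15.x` in this hunk is not backed by the code in the same commit: `roles/common/vars/main.yml` hard-codes `leap/15.3` in every new repository URL. Either keep the documented Leap version pinned to 15.3, or parameterize the repository paths by the detected Leap release so the documentation does not promise a range the playbooks do not handle.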
@@ -80,10 +80,10 @@ The following table lists the software and its compatible version managed by Omn
 
 Software	|	License	|	Compatible Version	|	Description
 -----------	|	-------	|	----------------	|	-----------------
-LeapOS 15.3	|	-	|	15.3|	Operating system on entire cluster
+LeapOS 15.3	|	-	|	15.x|	Operating system on entire cluster
 CentOS Linux release 7.9.2009 (Core)	|	-	|	7.9	|	Operating system on entire cluster except for management station
-Rocky 8.5	|	-	|	8.5	|	Operating system on entire cluster except for management station
-Rocky 8.5	|	-	|	8.5	|	Operating system on the management station
+Rocky 8.x	|	-	|	8.x	|	Operating system on entire cluster except for management station
+Rocky 8.x	|	-	|	8.x	|	Operating system on the management station
 MariaDB	|	GPL 2.0	|	5.5.68	|	Relational database used by Slurm
 Slurm	|	GNU General Public	|	20.11.7	|	HPC Workload Manager
 Docker CE	|	Apache-2.0	|	20.10.2	|	Docker Service
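Review bot: the changed row still reads `LeapOS 15.3` in the Software column while its Compatible Version column now says `15.x`; the Rocky rows below were renamed consistently (`Rocky 8.x ... 8.x`), so this one should become `LeapOS 15.x` as well, or the version should stay at 15.3.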
@@ -110,7 +110,7 @@ AWX	|	Apache-2.0	|	19.4.0	|	Web-based User Interface
 AWX.AWX	|	Apache-2.0	|	19.4.0	|	Galaxy collection to perform awx configuration
 AWXkit	|	Apache-2.0	|	to be updated	|	To perform configuration through CLI commands
 Cri-o	|	Apache-2.0	|	1.21	|	Container Service
-Buildah	|	Apache-2.0	|	1.21.4	|	Tool to build and run container
+Buildah	|	Apache-2.0	|	1.22.4	|	Tool to build and run containers
 PostgreSQL	|	Copyright (c) 1996-2020, PostgreSQL Global Development Group	|	10.15	|	Database Management System
 Redis	|	BSD-3-Clause License	|	6.0.10	|	In-memory database
 NGINX	|	BSD-2-Clause License	|	1.14	|	-
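Review bot: the Buildah bump from 1.21.4 to 1.22.4 is not mentioned in the commit message (login node ssh security and Leap repos) and nothing else in the diff changes what gets installed; please confirm the role actually deploys 1.22.4, or keep the table at the version the playbooks install. The wording fix to "containers" is fine.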

+ 14 - 2
docs/Security/Enable_Security_LoginNode.md

@@ -1,4 +1,4 @@
-# Enabling Security on the Login Node (RockyOS)
+# Enabling Security on the Login Node 
 
 * Ensure that `enable_secure_login_node` is set to **true** in `omnia_config.yml`
 * Set the following parameters in `omnia_security_config.yml`
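Review bot: the edited heading `# Enabling Security on the Login Node ` keeps a trailing space after `(RockyOS)` was dropped; trim it. Since the page now claims to cover more than RockyOS, a short sentence stating which operating systems the steps below apply to would help readers who relied on the old title.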
@@ -9,7 +9,19 @@
 | failure_reset_interval | 60              | Period (in seconds) after which the number of failed login attempts is   reset <br> Accepted Values: 30-60                                                       |
 | lockout_duration       | 10              | Period (in seconds) for which users are locked out. <br> Accepted   Values: 5-10                                                                                 |
 | session_timeout        | 180             | Period (in seconds) after which idle users get logged out automatically   <br> Accepted Values: 30-90                                                            |
-| alert_email_address    |                 | Email address used for sending alerts in case of authentication failure   <br> If this variable is left blank, authentication failure alerts will   be disabled. |
+| alert_email_address    |                 | Email address used for sending alerts in case of authentication failure. Currently, only one email ID is accepted in this field.   <br> If this variable is left blank, authentication failure alerts will   be disabled. |
 | allow_deny             | Allow           | This variable sets whether the user list is Allowed or Denied. <br>   Accepted Values: Allow, Deny                                                               |
 | user                   |                 | Array of users that are allowed or denied based on the `allow_deny`   value. Multiple users must be separated by a space.                                        |
 
+* Set the following parameters in `control_plane/input_params/security_vars.yml`
+
+|  Parameter Name        |  Default Value  |  Additional Information                                                                                                                                          |
+|------------------------|-----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| allow_deny             | Allow           | This variable sets whether the user list is Allowed or Denied. <br>   Accepted Values: Allow, Deny                                                               |
+| user                   |                 | Array of users that are allowed or denied based on the `allow_deny`   value. Multiple users must be separated by a space.                                        |
+
+
+## Kernel Lockdown
+
+* RockyOS has Kernel Lockdown mode (Integrity) enabled by default
+* SUSE/Leap allows users to set Kernel Lockdown mode to Confidentiality or Integrity.
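Review bot: `allow_deny` and `user` are now documented twice with identical descriptions, once under `omnia_security_config.yml` and once under the new `control_plane/input_params/security_vars.yml` table, while `roles/login_node/tasks/configure_sshd.yml` in this same commit reads them from `hostvars['127.0.0.1']`; state which file is authoritative (or remove the duplicate rows) so an operator cannot set an Allow list in one file and a Deny list in the other. The new Kernel Lockdown section says SUSE/Leap allows Confidentiality or Integrity but not which mode Omnia configures or where it is set; a pointer to the controlling variable would complete it. In the unchanged context rows, the `session_timeout` default of 180 sits outside its stated accepted range of 30-90, worth correcting while this table is being edited.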

+ 4 - 1
docs/control_plane/device_templates/PROVISION_SERVERS.md

@@ -63,7 +63,7 @@ If you want to reprovision all the servers in the cluster or any of the faulty s
 
 Omnia role used: *provision_cobbler*  
 Ports used by Cobbler:  
-* TCP ports: 80,443,69
+* TCP ports: 69,8000, 8008
 * UDP ports: 69,4011
 
 To create the Cobbler image, Omnia configures the following:
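Review bot: the revised TCP list `69,8000, 8008` puts port 69 under TCP even though TFTP runs over UDP (it is already, correctly, in the UDP list on the next line), and it drops 443 while the following hunk in this file still directs users to `https://<IP>/cobbler_web`. Please check which ports the Cobbler container actually exposes, list each port once under the correct protocol, and normalise the spacing (`69,8000,8008` or `69, 8000, 8008`).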
@@ -81,6 +81,9 @@ To access the Cobbler dashboard, enter `https://<IP>/cobbler_web` where `<IP>` i
 
 >> __Note__: With the addition of Multiple profiles, the cobbler container dynamically updates the mount point based on the value of `provision_os` in `base_vars.yml`.
 
+### DHCP routing using Cobbler
+Omnia now supports DHCP routing via Cobbler. To enable routing, update the `primary_dns` and `secondary_dns` in `base_vars` with the appropriate IPs (hostnames are currently not supported). For compute nodes that are not directly connected to the internet (ie only host network is configured), this configuration allows for internet connectivity.
+
 ## Security enhancements  
 Omnia provides the following options to enhance security on the provisioned PowerEdge servers:
 * **System lockdown mode**: To enable the system lockdown mode on iDRAC, set the *system_lockdown* variable to "enabled" in the `idrac_vars.yml` file.
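Review bot: the new DHCP routing paragraph describes a change in exposure without saying so: once `primary_dns` and `secondary_dns` are set, compute nodes that previously had only the host network gain internet connectivity through the Cobbler path. The section should state that this is opt-in (left blank, nothing is routed) and name the host whose egress is now shared, so operators know where to apply their firewall and monitoring. Minor: `ie` should be `i.e.`, and `base_vars` should be written `base_vars.yml` as in the Note just above.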

+ 10 - 0
roles/common/tasks/main.yml

@@ -110,6 +110,16 @@
   when: ( os_supported_leap not in compute_os )
 
 - block:
+    - name: Add leap repos
+      zypper_repository:
+        name: "{{ item.name }}"
+        repo: "{{ item.repo }}"
+        state: present
+        autorefresh: yes
+      with_items:
+        - "{{ leap_repo }}"
+      tags: install
+      
     - name: Installing python-xml
       package:
         name: python-xml
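Review bot: the `Add leap repos` task relies on `with_items` flattening the single `"{{ leap_repo }}"` entry; `loop: "{{ leap_repo }}"` is the idiomatic form and does not depend on that flattening behaviour. The task leaves `zypper_repository`'s GPG checking at its default (enabled), which matters because the repositories it adds are defined with plain `http://` URLs in `roles/common/vars/main.yml`; please do not add `disable_gpg_check` here, and prefer `https://` in the vars file. The blank `+` line after `tags: install` carries trailing whitespace.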

+ 6 - 0
roles/common/vars/main.yml

@@ -13,6 +13,12 @@
 #  limitations under the License.
 ---
 
+leap_repo:
+  - { name: repo-non-oss, repo: http://download.opensuse.org/distribution/leap/15.3/repo/non-oss/ }
+  - { name: repo-oss, repo: http://download.opensuse.org/distribution/leap/15.3/repo/oss/ }
+  - { name: repo-update-oss, repo: http://download.opensuse.org/update/leap/15.3/oss/ }
+  - { name: repo-update-non-oss, repo: http://download.opensuse.org/update/leap/15.3/non-oss/ }
+
 nvidia_repo: https://download.nvidia.com/opensuse/leap/15.3/
 docker_repo_url_leap: https://download.docker.com/linux/sles/docker-ce.repo
 docker_repo_dest_leap: /etc/YaST2/docker-ce.repo
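Review bot: the four new `leap_repo` entries hard-code `15.3` in their URLs and fetch over plain `http://`; `nvidia_repo` directly below does the same, but the README in this commit now advertises `Leap 15.x`. Build the path from a release variable rather than a literal, and use `https://download.opensuse.org/...` so repository metadata is not retrieved in the clear and the package signature check is not the only line of defence.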

+ 5 - 0
roles/login_node/tasks/configure_sshd.yml

@@ -13,6 +13,11 @@
 #  limitations under the License.
 ---
 
+- name: Set values for user and allow_deny variables
+  set_fact:
+    user: "{{ hostvars['127.0.0.1']['user'] }}"
+    allow_deny: "{{ hostvars['127.0.0.1']['allow_deny'] }}"
+    
 - name: Check if AllowUsers entry exixts
   shell: cat "{{ sshd_conf_file }}"
   register: file_content
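Review bot: the new `set_fact` reads `user` and `allow_deny` from `hostvars['127.0.0.1']`, which only works when the control plane is present in the inventory under exactly that name; if it appears as `localhost` or a real IP, both facts are undefined and the play fails before the sshd file is touched. Pass the two values in as role variables (or guard the lookup with `is defined` and a clear failure message) instead of depending on the inventory hostname. The blank `+` line after the `set_fact` carries trailing whitespace, and the unchanged task name below it has a typo (`exixts`); that task also shells out to `cat` to read `sshd_conf_file`, where the `slurp` module would avoid the shell entirely.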