
Issue #435: Freeipa server and client installation

Signed-off-by: DeepikaKrishnaiah <deepika_k2@dell.com>
Lucas A. Wilson 3 years ago
parent
commit
1879e8f96c
44 changed files with 737 additions and 18 deletions
  1. 2 2
      control_plane/control_plane.yml
  2. 4 1
      control_plane/roles/control_plane_common/tasks/main.yml
  3. 0 0
      control_plane/roles/control_plane_common/tasks/nfs_server_setup.yml
  4. 11 1
      control_plane/roles/control_plane_common/vars/main.yml
  5. 1 0
      control_plane/roles/control_plane_repo/files/C4140_inv.xml
  6. 1 0
      control_plane/roles/control_plane_repo/files/C6420_inv.xml
  7. 1 0
      control_plane/roles/control_plane_repo/files/C6520_inv.xml
  8. 1 0
      control_plane/roles/control_plane_repo/files/R240_inv.xml
  9. 1 0
      control_plane/roles/control_plane_repo/files/R340_inv.xml
  10. 1 0
      control_plane/roles/control_plane_repo/files/R430_inv.xml
  11. 1 0
      control_plane/roles/control_plane_repo/files/R440_inv.xml
  12. 1 0
      control_plane/roles/control_plane_repo/files/R540_inv.xml
  13. 1 0
      control_plane/roles/control_plane_repo/files/R640_inv.xml
  14. 1 0
      control_plane/roles/control_plane_repo/files/R650_inv.xml
  15. 1 0
      control_plane/roles/control_plane_repo/files/R740_inv.xml
  16. 1 0
      control_plane/roles/control_plane_repo/files/R740xd2_inv.xml
  17. 1 0
      control_plane/roles/control_plane_repo/files/R740xd_inv.xml
  18. 1 0
      control_plane/roles/control_plane_repo/files/R750_inv.xml
  19. 1 0
      control_plane/roles/control_plane_repo/files/R750xa_inv.xml
  20. 1 0
      control_plane/roles/control_plane_repo/files/R840_inv.xml
  21. 1 0
      control_plane/roles/control_plane_repo/files/R940_inv.xml
  22. 1 0
      control_plane/roles/control_plane_repo/files/R940xa_inv.xml
  23. 18 0
      control_plane/roles/control_plane_repo/files/poweredge_models.txt
  24. 20 0
      control_plane/roles/control_plane_repo/tasks/download_fmw_updates.yml
  25. 40 0
      control_plane/roles/control_plane_repo/tasks/install_dsu.yml
  26. 13 2
      control_plane/roles/control_plane_repo/tasks/main.yml
  27. 41 0
      control_plane/roles/control_plane_repo/tasks/validate_idrac_vars.yml
  28. 11 9
      control_plane/roles/control_plane_repo/vars/main.yml
  29. 21 0
      omnia.yml
  30. 25 1
      omnia_config.yml
  31. 68 0
      roles/cluster_validation/tasks/fetch_password.yml
  32. 15 1
      roles/cluster_validation/vars/main.yml
  33. 40 1
      roles/common/tasks/main.yml
  34. 60 0
      roles/login_common/tasks/firewall_settings.yml
  35. 18 0
      roles/login_common/tasks/main.yml
  36. 32 0
      roles/login_common/vars/main.yml
  37. 53 0
      roles/login_node/tasks/firewall_settings.yml
  38. 38 0
      roles/login_node/tasks/install_ipa_client.yml
  39. 22 0
      roles/login_node/tasks/main.yml
  40. 26 0
      roles/login_node/vars/main.yml
  41. 48 0
      roles/login_server/tasks/install_ipa_server.yml
  42. 42 0
      roles/login_server/tasks/install_packages.yml
  43. 26 0
      roles/login_server/tasks/main.yml
  44. 25 0
      roles/login_server/vars/main.yml

+ 2 - 2
control_plane/control_plane.yml

@@ -18,11 +18,11 @@
   connection: local
   roles:
     - control_plane_common
-    - control_plane_repo
     - control_plane_k8s
     - control_plane_device
     - provision_cobbler
+    - webui_awx
     - control_plane_ib
     - control_plane_sm
     - control_plane_customiso
-    - webui_awx
+    - control_plane_repo

+ 4 - 1
control_plane/roles/control_plane_common/tasks/main.yml

@@ -36,4 +36,7 @@
 
 - name: Subnet manager inputs validation
   import_tasks: fetch_sm_inputs.yml
-  when: ib_switch_support
+  when: ib_switch_support
+
+- name: NFS Server setup for offline repo and awx
+  import_tasks: nfs_server_setup.yml

control_plane/roles/control_plane_repo/tasks/nfs_server_setup.yml → control_plane/roles/control_plane_common/tasks/nfs_server_setup.yml


+ 11 - 1
control_plane/roles/control_plane_common/vars/main.yml

@@ -141,4 +141,14 @@ fail_msg_config_file: ib_vars.yml file doesn't exist.
 fail_msg_opensm_config_file: opensm.conf file doesn't exist.
 
 fail_msg_ib_input_definition: Infiniband config directories must be defined.
-fail_msg_ib_input: Infiniband config directories can't be left empty.
+fail_msg_ib_input: Infiniband config directories can't be left empty.
+
+# Usage: nfs_server_setup.yml
+nfs_share_offline_repo: /var/nfs_repo
+nfs_share_awx: /var/nfs_awx
+nfs_share_dir_mode: 0644
+exports_file_path: /etc/exports
+nfs_services:
+  - mountd
+  - rpc-bind
+  - nfs
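Review bot: `nfs_share_dir_mode: 0644` has replaced the previous `0777`, but the variable name and the `# Usage: nfs_server_setup.yml` comment suggest it is applied to the share directories, and a directory without the execute bit cannot be traversed by anyone but root, so NFS clients would get permission denied on the export. A mode that is tighter than `0777` yet still traversable, written as a string to match `file_mode: '0644'` elsewhere in this commit and to sidestep YAML 1.1 octal parsing, is the right replacement: `nfs_share_dir_mode: "0755"`. `dsu_folder_dest_mode: 0644` in control_plane/roles/control_plane_repo/vars/main.yml has the same problem, since install_dsu.yml creates `{{ dsu_folder_dest }}` with `state: directory`.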

+ 1 - 0
control_plane/roles/control_plane_repo/files/C4140_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/C6420_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/C6520_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R240_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R340_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R430_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R440_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R540_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R640_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R650_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R740_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R740xd2_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R740xd_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R750_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R750xa_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R840_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R940_inv.xml


+ 1 - 0
control_plane/roles/control_plane_repo/files/R940xa_inv.xml


+ 18 - 0
control_plane/roles/control_plane_repo/files/poweredge_models.txt

@@ -0,0 +1,18 @@
+C4140
+C6420
+C6520
+R240
+R340
+R430
+R440
+R540
+R640
+R650
+R740
+R740xd
+R740xd2
+R750
+R750xa
+R840
+R940
+R940xa

+ 20 - 0
control_plane/roles/control_plane_repo/tasks/download_fmw_updates.yml

@@ -0,0 +1,20 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Downloading Firwmare Updates (This process may take few hours depending upon the poweredge_model list)
+  command: 'dsu --destination-type=REP --input-inventory-file="{{ role_path }}/files/{{ item }}_inv.xml" \
+    --destination-location="{{ nfs_share_offline_repo }}" --non-interactive'
+  with_items: "{{ poweredge_model.split(',') | map('trim') }}"
+  changed_when: true
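Review bot: The trailing `\` in the single-quoted `command:` value is not a line continuation: YAML keeps the backslash literally and folds the line break into a space, so the `command` module passes a stray `\` argument to `dsu` between `--input-inventory-file` and `--destination-location`. A folded block scalar avoids this: `command: >-`, followed by the two indented lines `dsu --destination-type=REP --input-inventory-file="{{ role_path }}/files/{{ item }}_inv.xml"` and `--destination-location="{{ nfs_share_offline_repo }}" --non-interactive`. The task name also misspells "Firmware" as "Firwmare".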

+ 40 - 0
control_plane/roles/control_plane_repo/tasks/install_dsu.yml

@@ -0,0 +1,40 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Creating DSU directory
+  file:
+    path: "{{ dsu_folder_dest }}"
+    state: directory
+    mode: "{{ dsu_folder_dest_mode }}"
+
+- name: Download bootstrap.cgi
+  get_url:
+    url: "{{ bootstrap_repo_url }}"
+    dest: "{{ dsu_folder_dest }}"
+  register: bootstrap_repo_result
+  until: bootstrap_repo_result is not failed
+  retries: 20
+
+- name: Execute bootstrap.cgi
+  shell: >
+    echo "y" | bash {{ dsu_folder_dest }}/bootstrap.cgi
+  changed_when: true
+  register: bootstrap_execution_result
+  failed_when: "'FAILED' in bootstrap_execution_result.stderr"
+
+- name: Install DSU
+  package:
+    name: dell-system-update
+    state: present
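Review bot: `bootstrap.cgi` is fetched with `get_url` and then executed as root via `echo "y" | bash …` with no integrity check, so the control plane's trust in its firmware tooling rests entirely on the TLS connection to `{{ bootstrap_repo_url }}`; `get_url` supports pinning with `checksum: "sha256:<EXPECTED_BOOTSTRAP_SHA256>"` (placeholder — take the value from the vendor's published checksum) so a changed or tampered script fails closed instead of being run. Separately, `failed_when: "'FAILED' in bootstrap_execution_result.stderr"` replaces the default non-zero-exit check, so a script that exits non-zero without printing FAILED is treated as success; `failed_when: bootstrap_execution_result.rc != 0 or 'FAILED' in bootstrap_execution_result.stderr` keeps both conditions. `retries: 20` without `delay:` uses the module's default delay, which is fine but worth stating in a comment next to the retry count.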

+ 13 - 2
control_plane/roles/control_plane_repo/tasks/main.yml

@@ -13,5 +13,16 @@
 #  limitations under the License.
 ---
 
-- name: NFS Server setup
-  import_tasks: nfs_server_setup.yml
+- name: Include common variables
+  include_vars:  ../../control_plane_common/vars/main.yml
+
+- name: Validate idrac_vars
+  include_tasks: validate_idrac_vars.yml
+
+- name: Install DSU
+  include_tasks: install_dsu.yml
+  when: firmware_update_required
+
+- name: Download iDRAC firmware updates
+  include_tasks: download_fmw_updates.yml
+  when: firmware_update_required
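Review bot: `include_vars:  ../../control_plane_common/vars/main.yml` has a double space after the colon, the only such case in the commit; `include_vars: ../../control_plane_common/vars/main.yml` matches the other task files. The two `when: firmware_update_required` guards are only defined because validate_idrac_vars.yml loads `{{ idrac_input_filename }}` first, so the order of these includes is load-bearing and deserves a comment such as `# validate_idrac_vars.yml loads idrac_vars.yml; the guards below depend on it`.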

+ 41 - 0
control_plane/roles/control_plane_repo/tasks/validate_idrac_vars.yml

@@ -0,0 +1,41 @@
+# Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+- name: Include variable file idrac_vars.yml
+  include_vars: "{{ idrac_input_filename }}"
+  run_once: true
+
+- name: Assert firmware_update_required value
+  assert:
+    that:
+      - firmware_update_required == true or firmware_update_required == false
+    success_msg: "{{ firmware_update_success_msg }}"
+    fail_msg: "{{ firmware_update_fail_msg }}"
+
+- name: Read poweredge_model file
+  command: cat {{ role_path }}/files/poweredge_models.txt
+  ignore_errors: yes
+  register: poweredge_models_file_output
+  changed_when: false
+
+- name: Assert poweredge_model value
+  assert:
+    that:
+      - item | length > 1
+      - item in poweredge_models_file_output.stdout
+    success_msg: "{{ poweredge_model_success_msg }}"
+    fail_msg: "{{ poweredge_model_fail_msg }}"
+  when: firmware_update_required
+  with_items: "{{ poweredge_model.split(',') | map('trim') }}"
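Review bot: `item in poweredge_models_file_output.stdout` is a substring test, so a partial model name such as `R7` passes validation (it is also longer than one character) and only fails later when `{{ item }}_inv.xml` is missing in download_fmw_updates.yml; `item in poweredge_models_file_output.stdout_lines` gives an exact per-line match. Reading the file with `command: cat …` plus `ignore_errors: yes` means a missing models file surfaces as a confusing assertion failure rather than a clear error; since this role runs with `connection: local`, `lookup('file', role_path ~ '/files/poweredge_models.txt') | split('\n')` avoids both the shell-out and the ignored error. Because a loop is evaluated before `when`, the final assert will presumably still raise an undefined-variable error when `poweredge_model` is absent from idrac_vars.yml even with `firmware_update_required` false — worth confirming that the variable is always defined there.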

+ 11 - 9
control_plane/roles/control_plane_repo/vars/main.yml

@@ -15,12 +15,14 @@
 
 # vars file for offline_repo
 
-# Usage: nfs_server_setup.yml
-nfs_share_offline_repo: /var/nfs_repo
-nfs_share_awx: /var/nfs_awx
-nfs_share_dir_mode: 0777
-exports_file_path: /etc/exports
-nfs_services:
-  - mountd
-  - rpc-bind
-  - nfs
+# Usage: validate_idrac_vars.yml
+idrac_input_filename: input_params/idrac_vars.yml
+firmware_update_success_msg: "firmware_update_required validated"
+firmware_update_fail_msg: "Failed. firmware_update_required accepts only true or false in idrac_vars.yml"
+poweredge_model_success_msg: "poweredge_model validated"
+poweredge_model_fail_msg: "Failed. poweredge_model is incorrect or unsupported. Please update the list with the supported models in the correct format"
+
+# Usage: install_dsu.yml
+dsu_folder_dest: /root/dsu
+dsu_folder_dest_mode: 0644
+bootstrap_repo_url: https://linux.dell.com/repo/hardware/dsu/bootstrap.cgi

+ 21 - 0
omnia.yml

@@ -30,6 +30,27 @@
     - common
   tags: common
 
+- name: Apply login common installation and config
+  hosts: manager, login_node
+  gather_facts: false
+  roles:
+    - login_common
+  tags: freeipa
+
+- name: Apply login server installation and config
+  hosts: manager
+  gather_facts: false
+  roles:
+    - login_server
+  tags: freeipa
+
+- name: Apply login node installation and config
+  hosts: login_node
+  gather_facts: false
+  roles:
+    - login_node
+  tags: freeipa
+
 - name: Apply common K8s installation and config
   hosts: manager, compute
   gather_facts: false
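Review bot: The three new plays are selectable on their own through `tags: freeipa`, yet the roles they run gate every task on `hostvars['127.0.0.1']['login_node_required']` (see roles/login_common/tasks/main.yml and roles/login_server/tasks/main.yml), a value that is only present once the localhost validation play has run; an invocation such as `ansible-playbook omnia.yml --tags freeipa` that skips that play would presumably fail on an undefined hostvar rather than skip cleanly — worth confirming. A one-line comment above the first new play, e.g. `# These plays rely on the cluster_validation play having run on localhost first`, would record the dependency.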

+ 25 - 1
omnia_config.yml

@@ -48,4 +48,28 @@ docker_password: ""
 # Default value is "/etc/ansible"
 # This directory is on the host running ansible, if ansible is installed using dnf
 # If ansible is installed using pip, this path should be set
-ansible_config_file_path: /etc/ansible
+ansible_config_file_path: /etc/ansible
+
+# Boolean indicating whether login node is required or not
+# It can be set to true or false
+# By default it is set to true indicating login node will be configured
+login_node_required: true
+
+# This variable is used to accept the domain name the user intends to configure
+# Eg: ipa.test
+domain_name: ""
+
+# A Kerberos realm is the domain over which a Kerberos authentication server has the authority to authenticate a user, host or service. 
+# A realm name is often, but not always the upper case version of the name of the DNS domain over which it presides
+realm_name: ""
+
+# The directory server operations require an administrative user. 
+# This user is referred to as the Directory Manager and has full access to the Directory for system management tasks 
+# and will be added to the instance of directory server created for IPA. 
+# The password must be at least 8 characters long
+# The password must not contain -,\, ',"
+directory_manager_password: ""
+
+# The IPA server requires an administrative user, named 'admin'. 
+# This user is a regular system account used for IPA server administration
+ipa_admin_password: ""
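Review bot: The comment above `directory_manager_password` documents a minimum of 8 characters and the forbidden characters, but the validation added in roles/cluster_validation/tasks/fetch_password.yml also enforces an upper bound (`max_length`) and applies the identical rules to `ipa_admin_password`, whose comment mentions neither; `# Same length and character rules as directory_manager_password` above `ipa_admin_password` would close that gap, and since the `min_length`/`max_length` values are not visible in this commit the "8 characters" figure should be checked against them. Several new comment lines (`# A Kerberos realm is …`, `# The directory server operations …`, `# The IPA server requires …`) carry trailing whitespace.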

+ 68 - 0
roles/cluster_validation/tasks/fetch_password.yml

@@ -59,6 +59,16 @@
       k8s_pod_network_cidr | length < 1 or
       ansible_config_file_path | length < 1
 
+- name: Validate login node parameters when login_node_reqd is set to true
+  fail:
+    msg: "{{ input_config_failure_msg }} for login_node"
+  when:
+    - ( domain_name | length < 1 or
+      realm_name | length < 1 or
+      directory_manager_password | length < 1 or
+      ipa_admin_password | length < 1 ) and
+      login_node_required
+
 - name: Assert mariadb_password
   assert:
     that:
@@ -130,6 +140,64 @@
     replace: 'log_path = /var/log/omnia.log'
   when: ansible_conf_exists.stat.exists
 
+- name: Verify the value of login_node_required
+  assert:
+    that:
+      - login_node_required == true or login_node_required == false
+    success_msg: "{{ login_node_required_success_msg }}"
+    fail_msg: "{{ login_node_required_fail_msg }}"
+
+- name: Login node to contain exactly 1 node
+  assert:
+    that:
+      - "groups['login_node'] | length | int == 1"
+    fail_msg: "{{ login_node_group_fail_msg }}"
+    success_msg: "{{ login_node_group_success_msg }}"
+  when: login_node_required
+
+- name: Validate the domain name
+  assert:
+    that:
+      - domain_name is regex("^(?!-)[A-Za-z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Za-z]{2,6}$")
+    success_msg: "{{ domain_name_success_msg }}"
+    fail_msg: "{{ domain_name_fail_msg }}"
+  when: login_node_required
+
+- name: Validate the realm name
+  assert:
+    that:
+      - realm_name is regex("^(?!-)[A-Z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Z]{2,6}$")
+      - '"." in realm_name'
+    success_msg: "{{ realm_name_success_msg }}"
+    fail_msg: "{{ realm_name_fail_msg }}"
+  when: login_node_required
+
+- name: Assert directory_manager_password
+  assert:
+    that:
+      - directory_manager_password | length > min_length | int - 1
+      - directory_manager_password | length < max_length | int + 1
+      - '"-" not in directory_manager_password '
+      - '"\\" not in directory_manager_password '
+      - '"\"" not in directory_manager_password '
+      - " \"'\" not in directory_manager_password "
+    success_msg: "{{ success_msg_directory_manager_password }}"
+    fail_msg: "{{ fail_msg_directory_manager_password }}"
+  when: login_node_required
+
+- name: Assert ipa_admin_password
+  assert:
+    that:
+      - ipa_admin_password | length > min_length | int - 1
+      - ipa_admin_password | length < max_length | int + 1
+      - '"-" not in ipa_admin_password '
+      - '"\\" not in ipa_admin_password '
+      - '"\"" not in ipa_admin_password '
+      - " \"'\" not in ipa_admin_password "
+    success_msg: "{{ success_msg_ipa_admin_password }}"
+    fail_msg: "{{ fail_msg_ipa_admin_password }}"
+  when: login_node_required
+
 - name: Encrypt input config file
   command: >-
     ansible-vault encrypt {{ role_path }}/../../{{ config_filename }}
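Review bot: The realm regex `^(?!-)[A-Z0-9-]+([\\-\\.]{1}[a-z0-9]+)*\\.[A-Z]{2,6}$` only accepts lowercase in the repeated middle labels, so a conventional multi-label uppercase realm such as `CLUSTER.EXAMPLE.COM` (constructed example) is rejected while `EXAMPLE.COM` passes; the repeated group should use `[A-Z0-9]+` to match the uppercase convention the omnia_config.yml comment describes. The domain regex has the mirror-image inconsistency (`[A-Za-z0-9-]+` for the first label, `[a-z0-9]+` for later ones) and caps the TLD at 6 letters, which rejects longer valid TLDs; `[A-Za-z]{2,}` is the usual bound. The extra assertion `'"." in realm_name'` is already implied by the regex's mandatory `\\.` and can be dropped. The first hunk's task name says `login_node_reqd` while the variable is `login_node_required`.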

+ 15 - 1
roles/cluster_validation/vars/main.yml

@@ -26,6 +26,18 @@ fail_msg_k8s_cni: "Kubernetes CNI not correct."
 success_msg_k8s_pod_network_cidr: "Kubernetes pod network cidr validated"
 fail_msg_k8s_pod_network_cidr: "Kubernetes pod network cidr not given in correct format"
 file_perm: '0755'
+domain_name_length: '63'
+domain_name_success_msg: "domain name successfully validated"
+domain_name_fail_msg: "Failed. Incorrect format provided for domain name in omnia_config.yml"
+realm_name_success_msg: "realm_name successfully validated"
+realm_name_fail_msg: "Failed. Incorrect realm_name formate in omnia_config.yml"
+success_msg_directory_manager_password: "directory_manager_password successfully validated"
+fail_msg_directory_manager_password: "Failed. Incorrect format provided for directory_manager_password"
+success_msg_ipa_admin_password: "ipa_admin_password successfully validated"
+fail_msg_ipa_admin_password: "Failed. Incorrect format provided for ipa_admin_password"
+input_config_failure_msg: "Input parameters cannot be empty"
+login_node_required_success_msg: "Login_node_required successfully validated"
+login_node_required_fail_msg: "Failed. login_node_required can be either true or false"
 
 #Usage: validations.yml
 skip_tag_fail_msg: "Can't skip both slurm and kubernetes"
@@ -34,4 +46,6 @@ manager_group_success_msg: "manager group check passed"
 compute_group_fail_msg: "compute group should contain atleast 1 node"
 compute_group_success_msg: "compute group check passed"
 disjoint_fail_msg: "manager and compute groups should be disjoint"
-disjoint_success_msg: "manager and compute groups are disjoint"
+disjoint_success_msg: "manager and compute groups are disjoint"
+login_node_group_fail_msg: "Login node group should contain atleast 1 node when login_node_required is true"
+login_node_group_success_msg: "Login node group check passed when login_node_required is true"
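Review bot: `login_node_group_fail_msg` says the group "should contain atleast 1 node", but the assertion it belongs to (`groups['login_node'] | length | int == 1` in fetch_password.yml) requires exactly one, so a two-node group fails with a message telling the user they have too few; `login_node_group_fail_msg: "Login node group should contain exactly 1 node when login_node_required is true"` matches the check. `realm_name_fail_msg` misspells "format" as "formate". `domain_name_length: '63'` is added but does not appear in any assertion in the visible hunks; if a domain-name length check is intended it is missing, otherwise the variable is dead.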

+ 40 - 1
roles/common/tasks/main.yml

@@ -150,4 +150,43 @@
     mode: "{{ hosts_file_mode }}"
   with_items:
     - "{{ groups['manager'] }}"
-  when: "'compute' in group_names"
+  when: "'compute' in group_names"
+
+- name: Add login node info in /etc/hosts of manager node
+  lineinfile:
+    dest: "{{ hosts_file_dest }}"
+    line: "{{ hostvars[item].node_ip }} {{ hostvars[item].node_hostname }}"
+    state: present
+    create: yes
+    mode: "{{ hosts_file_mode }}"
+  with_items:
+    - "{{ groups['login_node'] }}"
+  when:
+    - '"manager" in group_names'
+    - hostvars["127.0.0.1"]["login_node_required"]
+
+- name: Add manager info in /etc/hosts of login node
+  lineinfile:
+    dest: "{{ hosts_file_dest }}"
+    line: "{{ hostvars[item].node_ip }} {{ hostvars[item].node_hostname }}"
+    state: present
+    create: yes
+    mode: "{{ hosts_file_mode }}"
+  with_items:
+    - "{{ groups['manager'] }}"
+  when:
+    - '"login_node" in group_names'
+    - hostvars["127.0.0.1"]["login_node_required"]
+
+- name: Add compute info in /etc/hosts of login node
+  lineinfile:
+    dest: "{{ hosts_file_dest }}"
+    line: "{{ hostvars[item].node_ip }} {{ hostvars[item].node_hostname }}"
+    state: present
+    create: yes
+    mode: "{{ hosts_file_mode }}"
+  with_items:
+    - "{{ groups['compute'] }}"
+  when:
+    - hostvars["127.0.0.1"]["login_node_required"]
+    - '"login_node" in group_names'
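Review bot: The three new `lineinfile` tasks are identical apart from the group iterated and the `when` list, and the third lists its conditions in the opposite order from the first two (`hostvars["127.0.0.1"]["login_node_required"]` before the group test); aligning the order, or folding the two login-node tasks into one that loops over `groups['manager'] + groups['compute']`, would make the intent easier to review. `create: yes` should be `create: true` to match the boolean style used elsewhere in the commit (`permanent: true`, `no_log: true`). Each task reads `hostvars["127.0.0.1"]`, so this role now assumes the localhost validation play ran in the same invocation; a one-line comment stating that would help.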

+ 60 - 0
roles/login_common/tasks/firewall_settings.yml

@@ -0,0 +1,60 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install firewalld
+  package:
+    name: firewalld
+    state: present
+  tags: firewalld
+
+- name: Start and enable firewalld
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  tags: firewalld
+
+- name: Firewall ports addition - tcp/udp ports
+  firewalld:
+    zone: public
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+  with_items:
+    - "{{ https_port1 }}"
+    - "{{ https_port2 }}"
+    - "{{ ldap_port1 }}"
+    - "{{ ldap_port2 }}"
+    - "{{ kerberos_port1 }}"
+    - "{{ kerberos_port2 }}"
+    - "{{ kerberos_port3 }}"
+    - "{{ kerberos_port4 }}"
+    - "{{ dns_port1 }}"
+    - "{{ dns_port2 }}"
+    - "{{ ntp_port1 }}"
+    - "{{ dt_port1 }}"
+  tags: firewalld
+
+- name: Reload firewalld
+  command: firewall-cmd --reload
+  changed_when: true
+  tags: firewalld
+
+- name: Stop and disable firewalld
+  service:
+    name: firewalld
+    state: stopped
+    enabled: no
+  tags: firewalld
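Review bot: The final task, `Stop and disable firewalld`, undoes everything above it: the permanent rules for the HTTP/LDAP/Kerberos/DNS/NTP ports are written and reloaded, and then the service is stopped and disabled, so the host ends with no host firewall at all and the port list has no effect. If disabling firewalld is deliberate (to avoid interfering with other components), the rule tasks are dead weight and the reason should be recorded, e.g. `# firewalld is intentionally left disabled on these hosts; the rules above only take effect if it is re-enabled later`; if it is not deliberate, the final task should be removed so the `public` zone actually restricts traffic to the listed ports. roles/login_node/tasks/firewall_settings.yml has the same add-then-disable sequence. `https_port1` is `80/tcp`, i.e. plain HTTP, so the variable name is misleading.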

+ 18 - 0
roles/login_common/tasks/main.yml

@@ -0,0 +1,18 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Add ports of manager and login node to firewall
+  include_tasks: firewall_settings.yml
+  when: hostvars['127.0.0.1']['login_node_required']

+ 32 - 0
roles/login_common/vars/main.yml

@@ -0,0 +1,32 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Usage: set_fqdn.yml
+etc_hosts_file_dest: /etc/hosts
+file_mode: '0644'
+
+# Usage: firewall_settings.yml
+https_port1: "80/tcp"
+https_port2: "443/tcp"
+ldap_port1: "389/tcp"
+ldap_port2: "636/tcp"
+kerberos_port1: "88/tcp"
+kerberos_port2: "464/tcp"
+kerberos_port3: "88/udp"
+kerberos_port4: "464/udp"
+dns_port1: "53/tcp"
+dns_port2: "53/udp"
+dt_port1: "7389/tcp"
+ntp_port1: "123/udp"
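Review bot: The `# Usage: set_fqdn.yml` comment names a task file that is not in this commit's file list, while `file_mode` is actually consumed by roles/login_server/tasks/install_ipa_server.yml (the `/etc/resolv.conf` copy) and `etc_hosts_file_dest` is not referenced in any visible hunk; the comment should name the real consumer, e.g. `# Usage: install_ipa_server.yml (file_mode)`, or the unused variable should go. `https_port1: "80/tcp"` is HTTP rather than HTTPS, so `http_port: "80/tcp"` would describe it correctly (with the matching change in firewall_settings.yml), and `dt_port1: "7389/tcp"` deserves a comment naming the service it is opened for, since the abbreviation is not self-explanatory.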

+ 53 - 0
roles/login_node/tasks/firewall_settings.yml

@@ -0,0 +1,53 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install firewalld
+  package:
+    name: firewalld
+    state: present
+  tags: firewalld
+
+- name: Start and enable firewalld
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+  tags: firewalld
+
+- name: Firewall rule for slurm jobs - tcp/udp ports
+  firewalld:
+    zone: public
+    port: "{{ item }}"
+    permanent: true
+    state: enabled
+  with_items:
+    - "{{ slurmctld_tcp_port }}"
+    - "{{ slurmd_tcp_port }}"
+    - "{{ srun_tcp_port }}"
+    - "{{ slurmctld_udp_port }}"
+    - "{{ slurmd_udp_port }}"
+  tags: firewalld
+
+- name: Reload firewalld
+  command: firewall-cmd --reload
+  changed_when: true
+  tags: firewalld
+
+- name: Stop and disable firewalld
+  service:
+    name: firewalld
+    state: stopped
+    enabled: no
+  tags: firewalld

+ 38 - 0
roles/login_node/tasks/install_ipa_client.yml

@@ -0,0 +1,38 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Include ipa server variables
+  include_vars: ../../login_common/vars/main.yml
+
+- name: Fetch hostname
+  command: hostname
+  register: loginnode_hostname
+  changed_when: false
+
+- name: Install freeipa client package
+  package:
+    name: "{{ ipa_client_package }}"
+    state: present
+  tags: install
+
+- name: Uninstall client if already installed
+  command: ipa-client-install --uninstall -U
+  changed_when: false
+  failed_when: false
+
+- name: Install ipa client
+  command: ipa-client-install --domain '{{ hostvars['127.0.0.1']['domain_name'] }}' --server '{{ hostvars[groups['manager'][0]]['server_hostname'] }}' --principal admin --password '{{ hostvars['127.0.0.1']['ipa_admin_password'] }}' --force-join --enable-dns-updates --force-ntpd -U
+  changed_when: true
+  no_log: true
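Review bot: `ipa-client-install --uninstall -U` runs unconditionally on every play, with `changed_when: false` and `failed_when: false`, so each rerun of omnia.yml un-enrolls the login node and re-joins it (regenerating its host keytab) and the role is never idempotent; roles/login_server/tasks/install_ipa_server.yml does the same with `ipa-server-install --uninstall -U`, where a rerun removes the existing IPA server and its data rather than reconfiguring it. If the intent is to recover from a half-finished install, make that explicit and gate both files on an enrollment check — a `stat` on `/etc/ipa/default.conf` registered as `ipa_conf`, then `when: not ipa_conf.stat.exists` on the uninstall and install tasks — so an existing installation is preserved by default. `loginnode_hostname` is registered but never used in this file. `no_log: true` keeps the admin password out of Ansible output, but the value is still visible in the process arguments of `ipa-client-install` on the node while it runs; that is inherent to the tool's `--password` option and worth a comment so nobody later removes `no_log`.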

+ 22 - 0
roles/login_node/tasks/main.yml

@@ -0,0 +1,22 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Add ports to firewall to run slurm jobs
+  include_tasks: firewall_settings.yml
+  when: hostvars['127.0.0.1']['login_node_required']
+
+- name: Install ipa client
+  include_tasks: install_ipa_client.yml
+  when: hostvars['127.0.0.1']['login_node_required']

+ 26 - 0
roles/login_node/vars/main.yml

@@ -0,0 +1,26 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Usage: install_packages.yml
+ipa_client_package:
+  - bind-utils
+  - freeipa-client
+  - ipa-admintools
+
+slurmctld_tcp_port: "6817/tcp"
+slurmd_tcp_port: "6818/tcp"
+srun_tcp_port: "60001-63000/tcp"
+slurmctld_udp_port: "6817/udp"
+slurmd_udp_port: "6818/udp"
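Review bot: `# Usage: install_packages.yml` is wrong for this role — there is no roles/login_node/tasks/install_packages.yml in the commit, and `ipa_client_package` is consumed by install_ipa_client.yml — and the slurm port variables have no usage comment at all although firewall_settings.yml loops over them. `# Usage: install_ipa_client.yml` above the package list and `# Usage: firewall_settings.yml` above `slurmctld_tcp_port` would follow the convention the other vars files in this commit use. The list is named in the singular (`ipa_client_package`) while it holds three packages; a plural name, like `ipa_server_packages` in roles/login_server/vars/main.yml, would be consistent, though renaming touches install_ipa_client.yml as well.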

+ 48 - 0
roles/login_server/tasks/install_ipa_server.yml

@@ -0,0 +1,48 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Include common vars
+  include_vars: ../../login_common/vars/main.yml
+
+- name: Fetch hostname
+  command: hostname
+  register: new_serv_hostname
+  changed_when: false
+
+- name: Set fact for server hostname
+  set_fact:
+    server_hostname: "{{ new_serv_hostname.stdout }}"
+
+- name: Uninstall server if it is already installed
+  command: ipa-server-install --uninstall -U
+  changed_when: false
+  failed_when: false
+
+- name: Install ipa server
+  command: ipa-server-install -n '{{ hostvars['127.0.0.1']['domain_name'] }}' --hostname='{{ server_hostname }}' -a '{{ hostvars['127.0.0.1']['ipa_admin_password'] }}' -p '{{ hostvars['127.0.0.1']['directory_manager_password'] }}' -r '{{ hostvars['127.0.0.1']['realm_name'] }}' --setup-dns --auto-forwarders --auto-reverse -U
+  changed_when: true
+  no_log: true
+
+- name: Authenticate as admin
+  shell: set -o pipefail && echo $'{{ hostvars['127.0.0.1']['ipa_admin_password'] }}' | kinit admin
+  no_log: true
+  changed_when: false
+
+- name: Replace the /etc/resolv.conf file
+  copy:
+    src: "{{ temp_resolv_conf_path }}"
+    dest: "{{ resolv_conf_path }}"
+    mode: "{{ file_mode }}"
+    remote_src: yes
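Review bot: `Authenticate as admin` uses `set -o pipefail` and `$'…'` ANSI-C quoting, both bash features, but `shell` runs the line through `/bin/sh` unless told otherwise; on a host where `/bin/sh` is not bash the task fails or interprets the password text differently. Add `args:` with `executable: /bin/bash`, or drop `$'…'` for a plain single-quoted string, which the password validation's exclusion of `'` and `\` already makes safe. The `kinit` step has no `register` and nothing in the hunk consumes the resulting ticket, so its purpose — presumably confirming that the server accepts the configured admin password — should be stated, e.g. `# Obtain an admin ticket to verify the installed server accepts the configured password`. `remote_src: yes` should be `remote_src: true` to match the boolean style used in the rest of the commit.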

+ 42 - 0
roles/login_server/tasks/install_packages.yml

@@ -0,0 +1,42 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Install packages
+  package:
+    name: "{{ ipa_server_packages }}"
+    state: present
+  tags: install
+
+- name: Take a backup of /etc/resolv.conf
+  copy:
+    src: "{{ resolv_conf_path }}"
+    dest: "{{ temp_resolv_conf_path }}"
+    mode: "{{ resolv_file_mode }}"
+
+- name: Add the domain name in /etc/resolv.conf
+  replace:
+    path: "{{ temp_resolv_conf_path }}"
+    regexp: "search"
+    replace: "search {{ hostvars['127.0.0.1']['domain_name'] }}"
+  register:
+    replace_output
+
+- name: Add the domain name in /etc/resolv.conf when there is no domain name
+  replace:
+    path: "{{ temp_resolv_conf_path }}"
+    regexp: "# Generated by NetworkManager"
+    replace: "# Generated by NetworkManager\nsearch {{ hostvars['127.0.0.1']['domain_name'] }}"
+  when:
+    replace_output.msg | length == 0
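Review bot: `/etc/resolv.conf` is backed up to `{{ temp_resolv_conf_path }}`, which roles/login_server/vars/main.yml sets to `/tmp/resolv.conf`, and install_ipa_server.yml later copies that file back over `/etc/resolv.conf` as root; a fixed, predictable path in the world-writable `/tmp` lets any local user pre-create or swap the file (or a symlink) and thereby choose the manager's resolver configuration. Keep the working copy in a root-owned location instead, e.g. `temp_resolv_conf_path: /root/resolv.conf.omnia` or a directory created with the `tempfile` module, and remove it after the final copy. The `when: replace_output.msg | length == 0` guard depends on the `replace` module's free-text `msg`, presumably empty when nothing matched; `when: not replace_output.changed` expresses the intent directly without relying on message wording. `regexp: "search"` also matches the word anywhere in the file, including comments, rather than only the `search` directive; `regexp: "^search"` is the intended anchor.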

+ 26 - 0
roles/login_server/tasks/main.yml

@@ -0,0 +1,26 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Include variables
+  include_vars: ../../login_common/vars/main.yml
+  when: hostvars['127.0.0.1']['login_node_required']
+
+- name: Install required packages
+  include_tasks: install_packages.yml
+  when: hostvars['127.0.0.1']['login_node_required']
+
+- name: Install free-ipa server
+  include_tasks: install_ipa_server.yml
+  when: hostvars['127.0.0.1']['login_node_required']

+ 25 - 0
roles/login_server/vars/main.yml

@@ -0,0 +1,25 @@
+#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+# Usage: install_packages.yml
+ipa_server_packages:
+  - bind
+  - bind-dyndb-ldap
+  - ipa-server-dns
+  - freeipa-server
+
+resolv_conf_path: /etc/resolv.conf
+temp_resolv_conf_path: /tmp/resolv.conf
+resolv_file_mode: '0644'