
Merge branch 'dellhpc:devel' into omnia_security

abhishek-sa1 3 年之前
父节点
当前提交
2a186274fb

+ 11 - 0
control_plane/input_params/security_vars.yml

@@ -59,3 +59,14 @@ user: ''
 # This variable provides the type of access
 # Accepted values 'Allow' or 'Deny' by default 'Allow'
 allow_deny: 'Allow'
+
+# This variable is used to disable services.
+# Accepted values: "true" or "false". 
+# Default values are: true  
+# Root access is needed.
+restrict_program_support: false
+
+# The below mentioned services can be disabled, by adding values in comma separated values format for restrict_softwares variable
+# Services: telnet,lpd,bluetooth,rlogin,rexec
+# Ex: restrict_softwares: 'telnet,rlogin,bluetooth' ( This disables 3 services, to disable more services, add services with comma separation. )
+restrict_softwares: ''
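Review bot: The comment block above `restrict_program_support` says `Default values are: true` while the value shipped on the next line is `false`, so the documentation contradicts the default an operator actually gets; change it to `# Default value: false`. `Root access is needed.` does not say for what — presumably stopping and disabling system services on the control plane, in which case `# Disabling services requires root privileges on the control plane` would be clearer. The `restrict_softwares` comment is the only place the accepted service names are documented, so it must be kept in sync with the allow-list asserted in fetch_security_inputs.yml.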

+ 54 - 0
control_plane/roles/control_plane_common/tasks/fetch_security_inputs.yml

@@ -185,3 +185,57 @@
     success_msg: "{{ allow_deny_success_msg }}"
     fail_msg: "{{ allow_deny_fail_msg }}"
   tags: [ validate, security ]
+
+- name: Assert restrict_program_support
+  assert:
+    that:
+      - restrict_program_support == true or restrict_program_support == false
+    success_msg: "{{ restrict_program_support_success_msg }}"
+    fail_msg: "{{ restrict_program_support_failure_msg }}"
+  tags: [ validate, security ]
+
+- name: Initialize variables for restrict_softwares
+  set_fact:
+    restrict_program_status: false
+    disable_services: []
+  tags: security
+
+- block:
+    - name: The services needs to be disabled are appending to list
+      set_fact:
+          services_list: "{{ lookup('vars', 'restrict_softwares').split(',')| map('trim') | unique | select| list }}"
+      tags: security
+
+    - name: Assert restrict_softwares variable
+      assert:
+        that:
+          - item == 'telnet' or
+            item == 'lpd' or
+            item == 'bluetooth' or
+            item == 'rlogin' or
+            item == 'rexec'
+        success_msg: "{{ restrict_softwares_success_msg }}"
+        fail_msg: "{{ restrict_softwares_failure_msg }}"
+      failed_when: false
+      with_items: "{{ services_list }}"
+      tags: [ validate, security ]
+
+    - name: Creating a list for disabling services
+      set_fact:
+          disable_services: "{{ disable_services + [ item ] }}"
+      when:
+        - item == 'telnet' or
+          item == 'lpd' or
+          item == 'bluetooth' or
+          item == 'rlogin' or
+          item == 'rexec'
+      with_items: "{{ services_list }}"
+      tags: security
+
+    - name: Setting restrict_program_status
+      set_fact:
+        restrict_program_status: true
+      when:
+        - disable_services | length > 0
+      tags: security
+  when: restrict_program_support
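Review bot: The `Assert restrict_softwares variable` task carries `failed_when: false`, so an unsupported or misspelled entry in `restrict_softwares` only produces a warning and is then silently dropped by the `Creating a list for disabling services` task; if every entry is wrong, `restrict_program_status` stays false and nothing is disabled while the operator believes the restriction was applied. For a security control the validation should fail closed: remove `failed_when: false` (every other input assert in this file fails hard), or at least add a task that fails when `services_list | length > 0 and disable_services | length == 0`. Separately, `lookup('vars', 'restrict_softwares')` is a roundabout way of writing the variable name; `restrict_softwares.split(',')` is the idiomatic form and behaves the same here.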

+ 4 - 0
control_plane/roles/control_plane_common/vars/main.yml

@@ -283,6 +283,10 @@ user_success_msg: "user successfully validated"
 user_fail_msg: "Failed. Incorrect user format in security_vars.yml"
 allow_deny_success_msg: "Access successfully validated"
 allow_deny_fail_msg: "Failed. Incorrect Access format in security_vars.yml"
+restrict_program_support_success_msg: "restrict_program_support successfully validated"
+restrict_program_support_failure_msg: "Failed. Accepted values are true or false."
+restrict_softwares_success_msg: "restrict_softwares successfully validated"
+restrict_softwares_failure_msg: "Warning. Values should be comma separated. The supported services are telnet, lpd, bluetooth, rlogin, rexec. Please check restrict_softwares variable"
 
 # Usage: validate_idrac_vars.yml
 idrac_input_filename: input_params/idrac_vars.yml

+ 4 - 0
control_plane/roles/control_plane_security/tasks/main.yml

@@ -59,4 +59,8 @@
      
     - name: Session timeout configuration
       include_tasks: session_timeout.yml
+
+    - name: Restrict nonessential programs
+      include_tasks: restrict_nonessentials.yml
+      when: restrict_program_status
   when: enable_security_support

+ 89 - 0
control_plane/roles/control_plane_security/tasks/restrict_nonessentials.yml

@@ -0,0 +1,89 @@
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
+#
+#  Licensed under the Apache License, Version 2.0 (the "License");
+#  you may not use this file except in compliance with the License.
+#  You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+---
+
+- name: Gathering service facts
+  service_facts:
+
+- name: Disable bluetooth services
+  block:
+    - name: Disabling bluetooth service
+      service:
+        name: bluetooth
+        enabled: no
+        state: stopped
+      when:
+        - "'bluetooth.service' in ansible_facts.services"
+        - ansible_facts.services['bluetooth.service'].status in service_status
+ 
+    - name: Disabling bluez service
+      service:
+        name: dbus-org.bluez.service
+        enabled: no
+        state: stopped
+      failed_when: false
+      when:
+        - "'dbus-org.bluez.service' in ansible_facts.services"
+        - ansible_facts.services['dbus-org.bluez.service'].status in service_status
+ 
+    - name: Disabling blueman service
+      systemd:
+        name: blueman-mechanism.service
+        state: stopped
+        enabled: no
+      when: 
+        - "'blueman-mechanism.service' in ansible_facts.services"
+        - ansible_facts.services['blueman-mechanism.service'].status in service_status
+  when: "'bluetooth' in disable_services"
+
+- name: Disabling telnet service
+  service:
+    name: telnet.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'telnet' in disable_services"
+    - "'telnet@.service' in ansible_facts.services"
+    - ansible_facts.services['telnet@.service'].status in service_status
+
+- name: Disabling lpd service
+  service:
+    name: cups-lpd.socket
+    enabled: no
+    state: stopped
+  when:
+    - "'lpd' in disable_services"
+    - "'cups-lpd@.service' in ansible_facts.services"
+    - ansible_facts.services['cups-lpd@.service'].status in service_status
+ 
+- name: Disabling rlogin service
+  service:
+    name: rlogin.socket
+    enabled: no
+    state: stopped
+  when: 
+    - "'rlogin' in disable_services"
+    - "'rlogin.socket' in ansible_facts.services"
+    - ansible_facts.services['rlogin.socket'].status in service_status
+ 
+- name: Disabling rexec service
+  service:
+    name: rexec.socket
+    enabled: no
+    state: stopped
+    changed_when: false
+  when: 
+    -  "'rexec' in disable_services"
+    - "'rexec.socket' in ansible_facts.services"
+    -  ansible_facts.services['rexec.socket'].status in service_status
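Review bot: In the `Disabling rexec service` task, `changed_when: false` is indented under `service:` rather than at task level, so it is passed to the module as an argument and the task will fail with an unsupported-parameter error whenever its `when` conditions are satisfied; either delete the line or outdent it to task level, the way `failed_when: false` is placed on the bluez task. As far as I recall, `service_facts` on systemd hosts reports only `.service` units, so `'rlogin.socket' in ansible_facts.services` and `'rexec.socket' in ansible_facts.services` would never be true and those two services would silently stay enabled even when requested — the telnet and lpd tasks check the `@.service` template unit instead, and rlogin/rexec should do the same (`'rlogin@.service' in ansible_facts.services`, `'rexec@.service' in ansible_facts.services`), which is worth confirming on a target host. The `failed_when: false` on the `Disabling bluez service` task also hides any failure to stop that unit; since this file exists to guarantee a service is off, I would let that task fail or at least register and report the result.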

+ 3 - 0
control_plane/roles/control_plane_security/vars/main.yml

@@ -100,3 +100,6 @@ kerberos_packages:
 kerberos_principal_path: /var/lib/kerberos/krb5kdc/principal
 kerberos_conf_path: /etc/krb5.conf
 kerberos_env_path: /usr/lib/mit/sbin/
+
+# Usage: restrict_nonessentials.yml
+service_status: ['enabled','alias','static','indirect','enabled-runtime','active','inactive']

+ 15 - 2
roles/slurm_common/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -57,10 +57,23 @@
     name: "{{ common_packages }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
+
+- name: Install packages for slurm
+  package:
+    name: "{{ leap_common_packages }}"
+    state: present
+  when: os_supported_leap in compute_os
 
 - name: Create munge key
   command: "{{ munge_cmd }}"
   changed_when: true
+  when: os_supported_leap not in compute_os
+
+- name: Create munge key
+  shell: dd if=/dev/random bs=1 count=1024 >/etc/munge/munge.key
+  changed_when: true
+  when: os_supported_leap in compute_os
 
 - name: Copy munge key
   copy:
@@ -218,4 +231,4 @@
     state: restarted
     enabled: yes
   tags: install
-  failed_when: false
+  failed_when: false
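Review bot: The new Leap `Create munge key` task writes `/etc/munge/munge.key` through a shell redirect, which creates the file owned by root with the default umask (typically 0644); munged refuses to start when the key is readable by others or not owned by the munge user, and a world-readable munge key would let any local user forge munge credentials, so a follow-up `file` task setting owner/group `munge` and mode `"0400"` is needed (unless the `Copy munge key` task that follows already fixes ownership — its arguments are outside the hunk). `/dev/random` can block for a long time on older kernels when entropy is low, and `/dev/urandom` is the appropriate source here. The task also regenerates the key on every run (`changed_when: true`), which matches the non-Leap path but invalidates existing munge credentials across the cluster; `creates: /etc/munge/munge.key` would make it idempotent if that is intended.
```yaml
- name: Create munge key
  shell: dd if=/dev/urandom bs=1 count=1024 >/etc/munge/munge.key
  args:
    creates: /etc/munge/munge.key
  when: os_supported_leap in compute_os

- name: Restrict munge key permissions
  file:
    path: /etc/munge/munge.key
    owner: munge
    group: munge
    mode: "0400"
  when: os_supported_leap in compute_os
```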

+ 9 - 2
roles/slurm_common/vars/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2020 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -23,6 +23,12 @@ common_packages:
    - mariadb-devel
    - man2html
 
+leap_common_packages:
+   - slurm
+   - munge
+   - mariadb
+   - slurm-munge
+
 common_python2_packages:
    - MySQL-python
    - python-netaddr
@@ -59,4 +65,5 @@ slurmd_log: "/var/log/slurm/slurmd.log"
 
 os_centos: 'centos'
 os_rocky: 'rocky'
-os_version: '8.0'
+os_version: '8.0'
+os_supported_leap: "leap"

+ 9 - 0
roles/slurm_manager/tasks/main.yml

@@ -52,12 +52,21 @@
     name: "{{ slurm_packages }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
+
+- name: Install packages for slurm
+  package:
+    name: "{{ leap_slurm_packages }}"
+    state: present
+  tags: install
+  when: os_supported_leap in compute_os
 
 - name: Install development tools
   package:
     name: "{{ dev_tools }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
 
 - name: Get the hostname
   command: hostname

+ 9 - 1
roles/slurm_manager/vars/main.yml

@@ -45,6 +45,10 @@ log_files_manager:
    - slurm_jobacct.log
    - slurm_jobcomp.log
 
+leap_slurm_packages:
+   - slurm-slurmdbd
+   - git
+
 tmp_mode: "0755"
 cluster_state_path: "/var/spool/slurm/cluster_state"
 spool_slurmctld_pth: "/var/spool/slurmctld"
@@ -71,4 +75,8 @@ dbd_host: "localhost"
 logfile: "/var/log/slurm/slurmdbd.log"
 pidfile: "/var/run/slurmdbd.pid"
 buffer_path: "/tmp/slurm.conf"
-slurm_mode: "0644"
+slurm_mode: "0644"
+
+os_centos: 'centos'
+os_rocky: 'rocky'
+os_supported_leap: "leap"
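Review bot: `os_centos`, `os_rocky` and `os_supported_leap` are now declared independently with identical literal values in slurm_common, slurm_manager and slurm_restd vars; duplicated OS identifiers drift silently, and a typo in one copy would just disable that role's Leap branch without any error because `when: os_supported_leap in compute_os` would simply evaluate false. Hoisting the three identifiers into a shared vars or group_vars file loaded by all three roles would keep the guards consistent. The trailing `slurm_mode: "0644"` line is only a whitespace fix and needs no change.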

+ 1 - 0
roles/slurm_restd/files/slurm-restd-custom.service

@@ -2,6 +2,7 @@
 Description = Start slurm restd
 
 [Service]
+Environment = SLURM_JWT=bvijavojviqjkenilejvkejfvvjfjv
 ExecStart = slurmrestd -a rest_auth/jwt -s openapi/v0.0.36 "0.0.0.0:6820"
 Restart = always
 RestartSec = 15
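Review bot: `Environment = SLURM_JWT=bvijavojviqjkenilejvkejfvvjfjv` places a secret-looking token into a unit file that is committed to the repository and installed world-readable under systemd, where it is also printed by `systemctl show slurm-restd-custom`; if this is a real JWT it must be treated as leaked and rotated, and the unit should instead read it from an `EnvironmentFile=` with mode 0600 that the role generates at deploy time. If it is only a placeholder to satisfy slurmrestd's requirement that `SLURM_JWT` be set when `rest_auth/jwt` is enabled, the documented value is, as far as I recall from Slurm's JWT documentation, the literal `daemon`, and a comment `# SLURM_JWT must be set for rest_auth/jwt; "daemon" selects daemon mode and is not a credential` above the line would stop the next reader treating it as one. Either way a random-looking string that is neither documented nor generated should not be in the unit file.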

+ 14 - 3
roles/slurm_restd/tasks/install_jansson.yml

@@ -18,6 +18,14 @@
     name: "{{ slurm_restd_packages }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
+
+- name: Install packages for slurm restd on leap
+  package:
+    name: "{{ slurm_restd_packages_leap }}"
+    state: present
+  tags: install
+  when: os_supported_leap in compute_os
 
 - name: Download and untar jansson package
   unarchive:
@@ -25,9 +33,12 @@
     dest: "{{ jansson_download_dir }}"
     remote_src: yes
 
-- name: Go to jansson directory
-  command: cd "{{ jansson_dir_path }}"
-  changed_when: false
+- name: Install required C packages
+  zypper:
+    name: "{{ slurm_gcc_leap }}"
+    state: present
+    type: pattern
+  when: os_supported_leap in compute_os
 
 - name: Execute autoreconf
   shell:  set -o pipefail && cd "{{ jansson_dir_path }}" && autoreconf -i
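Review bot: The new `Install required C packages` task is missing the `tags: install` that the neighbouring package tasks carry (`Install packages for slurm restd on leap` two tasks above has it), so a run limited to `--tags install` would install every package except the compiler pattern on Leap; add `tags: install`. It would also read more naturally grouped with the other package installs before `Download and untar jansson package`, since it is an install step rather than part of the build that follows. The `jansson_download_dir`/`jansson_dir_path` wiring this task sits between is unchanged and outside the point raised here.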

+ 12 - 0
roles/slurm_restd/vars/main.yml

@@ -21,11 +21,23 @@ slurm_restd_packages:
    - libtool
    - make
 
+slurm_restd_packages_leap:
+   - slurm-rest
+   - libjson-c-devel
+   - http-parser-devel
+   - libtool
+   - make
+   - libopenssl-devel
+
+slurm_gcc_leap:
+  - devel_basis
+
 fil_mode: "0755"
 jansson_download_dir: /var/lib/
 jansson_src_url: https://github.com/akheron/jansson/archive/refs/tags/v2.14.tar.gz
 jansson_path: /usr/local/lib/pkgconfig
 jansson_dir_path: /var/lib/jansson-2.14/
+os_supported_leap: "leap"
 
 # Usage: install_libjwt.yml
 libjwt_repo: https://github.com/benmcollins/libjwt.git

+ 4 - 2
roles/slurm_workers/tasks/main.yml

@@ -1,4 +1,4 @@
-#  Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved.
+#  Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 #  Licensed under the Apache License, Version 2.0 (the "License");
 #  you may not use this file except in compliance with the License.
@@ -81,12 +81,14 @@
     name: "{{ slurm_packages }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
 
 - name: Install development tools
   package:
     name: "{{ dev_tools }}"
     state: present
   tags: install
+  when: os_supported_leap not in compute_os
 
 - name: Get the hostname
   command: hostname
@@ -158,4 +160,4 @@
   fetch:
     src: "{{ slurm_confpth }}"
     dest: "{{ buffer_path }}"
-    flat: true
+    flat: true
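Review bot: On Leap both `Install Slurm packages` and `Install development tools` in the worker role are now skipped and, unlike slurm_manager (which adds `leap_slurm_packages`), nothing here installs a replacement, so slurmd on Leap workers appears to rely on slurm_common's `leap_common_packages` having already pulled in `slurm` — hedged, since the contents of this role's `slurm_packages` are not visible in the hunk. If that dependency is intended, a comment on the guard such as `# Leap: slurm and munge are installed by slurm_common leap_common_packages` would make it explicit; otherwise the role needs its own Leap package list as the manager role has. The rest of the worker task file, including the `fetch` task whose `flat: true` line is only a whitespace fix, is outside the hunk.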