Commit 716630da authored by eric pellegrini's avatar eric pellegrini

replaced list by dict for cluster users in examples config files and associated plays

replaced remote_user which are sudoers by root
added filter plugins for updating nested dictionary with another dict
parent 6f9510a0
......@@ -215,6 +215,7 @@ os_vms_commons:
delete_fip: True
config_drive: True
identity_file: "{{ os_keypairs[1]['identity_file'] }}"
vm_admin: ubuntu
os_vms:
- name: jhub-srv-1
......@@ -261,10 +262,13 @@ cluster_users_commons:
add_public: True
cluster_users:
- name: ubuntu
vm_admin:
name: ubuntu
new: False
- name: jhub-admin
jupyterhub_admin:
name: jhub-admin
group: admin
groups:
- sudo
......
......@@ -195,6 +195,7 @@ os_vms_commons:
delete_fip: True
config_drive: True
identity_file: "{{ os_keypairs[1]['identity_file'] }}"
vm_admin: ubuntu
os_vms:
- name: k8s-master-1
......@@ -250,10 +251,13 @@ cluster_users_commons:
add_public: True
cluster_users:
- name: ubuntu
vm_admin:
name: ubuntu
new: False
- name: k8s-admin
kubernetes_admin:
name: k8s-admin
group: admin
groups:
- sudo
......
......@@ -6,15 +6,15 @@
- name: create dynamic inventories
import_playbook: "{{ playbook_dir | dirname }}/plays/setup_os_dynamic_inventories.yml"
- name: configure openstack cluster
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_os_cluster.yml"
- name: configure ansible controller
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_ansible_controller.yml"
- name: configure cluster users
import_playbook: "{{ playbook_dir | dirname }}/plays/cluster_users.yml"
- name: configure openstack cluster
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_os_cluster.yml"
- name: setup ntp for all nodes
import_playbook: "{{ playbook_dir | dirname }}/plays/setup_ntp.yml"
......
......@@ -6,15 +6,15 @@
- name: create dynamic inventories
import_playbook: "{{ playbook_dir | dirname }}/plays/setup_os_dynamic_inventories.yml"
- name: configure openstack cluster
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_os_cluster.yml"
- name: configure ansible controller
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_ansible_controller.yml"
- name: configure cluster users
import_playbook: "{{ playbook_dir | dirname }}/plays/cluster_users.yml"
- name: configure openstack cluster
import_playbook: "{{ playbook_dir | dirname }}/plays/configure_os_cluster.yml"
- name: setup ntp for all nodes
import_playbook: "{{ playbook_dir | dirname }}/plays/setup_ntp.yml"
......
---
- hosts: k8s_workers
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.kubernetes_admin.name }}"
environment: "{{ proxy_settings }}"
......
- hosts: cluster
remote_user: "{{ users[0]['name'] }}"
remote_user: root
tasks:
......@@ -8,6 +8,6 @@
import_role:
name: roles/cluster-users
vars:
users: "{{ cluster_users | map('combine',cluster_users_commons) | list }}"
users: "{{ cluster_users | update(cluster_users_commons) }}"
---
- hosts: cluster
remote_user: root
tasks: []
- hosts: localhost
tasks:
- name: gather ip addresses from openstack server facts
os_server_facts:
auth: "{{ item.auth }}"
auth_type: "{{ item.auth_type }}"
server: "{{ item.name }}"
loop: "{{ os_vms | map('combine',os_vms_commons | default({})) | list }}"
register: os_servers
- name: setup openstack vms
import_role:
name: roles/ansible-controller
vars:
known_hosts: "{{ os_servers.results | map(attribute='ansible_facts.openstack_servers.0.public_v4') | list }}"
known_hosts: "{{ groups['cluster'] | map('extract',hostvars,['ansible_default_ipv4','address']) | list }}"
identity_files: "{{ ansible_controller['identity_files'] }}"
---
- hosts: k8s_masters
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.kubernetes_admin.name }}"
environment: "{{ proxy_settings }}"
......
---
- hosts: cluster
remote_user: "{{ cluster_users[0]['name'] }}"
remote_user: "{{ os_vms_commons.vm_admin }}"
become: True
tasks:
......
---
- hosts: jhub_servers
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.jupyterhub_admin.name }}"
environment: "{{ proxy_settings }}"
......
---
- hosts: k8s
remote_user: "{{ cluster_users.0.name }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......
---
- hosts: k8s_masters
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.kubernetes_admin.name }}"
environment: "{{ proxy_settings }}"
......
---
- hosts: jhub_servers
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.jupyterhub_admin.name }}"
environment: "{{ proxy_settings }}"
......
---
- hosts: jhub_servers
remote_user: "{{ cluster_users.1.name }}"
remote_user: "{{ cluster_users.jupyterhub_admin.name }}"
environment: "{{ proxy_settings }}"
......
---
- hosts: k8s
remote_user: "{{ cluster_users.0.name }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......
---
- hosts: nfs_clients
remote_user: "{{ cluster_users.0.name }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......
---
- hosts: cluster
- hosts: nginx_server
remote_user: "{{ cluster_users.0.name }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......
---
- hosts: cluster
remote_user: "{{ cluster_users[0]['name'] }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......
---
- hosts: cluster
remote_user: "{{ cluster_users.1.name }}"
become: True
remote_user: root
environment: "{{ proxy_settings }}"
......@@ -13,5 +11,5 @@
name: roles/sssd
vars:
local_homes:
- user: "{{ cluster_users.0.name }}"
home: "/localhome/{{ cluster_users.0.name }}"
- user: "{{ cluster_users.vm_admin.name }}"
home: "/localhome/{{ cluster_users.vm_admin.name }}"
def update(old_dict, new_dict):
for v in old_dict.values():
if isinstance(v,dict):
v.update(new_dict)
return old_dict
# ---- Ansible filters ----
class FilterModule(object):
''' URI filter '''
def filters(self):
return { 'update': update }
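Review bot: `update` changes its input in place (`v.update(new_dict)`) and returns the same object, so applying the filter to `cluster_users` rewrites that variable's nested dicts rather than producing a merged copy, which may leak into later uses of the variable in the same run. Returning new dicts avoids that: `return {k: dict(v, **new_dict) if isinstance(v, dict) else v for k, v in old_dict.items()}`. The class docstring `''' URI filter '''` does not describe this plugin and the function has no docstring; one line saying that every dict-valued entry is overlaid with `new_dict`, and that the common values win on conflict, would do.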
---
- block:
- name: create group
group:
name: "{{ user.group }}"
state: present
when: user.group is defined
- name: create group
group:
name: "{{ user.group }}"
state: present
when: user.group is defined
- name: create home base directories
file:
path: "{{ user.home | dirname }}"
state: directory
- name: create home base directories
file:
path: "{{ user.home | dirname }}"
state: directory
- name: create user
user:
name: "{{ user.name }}"
group: "{{ user.group | default(omit) }}"
password: "{{ user.password | default(omit) | password_hash('sha512') }}"
home: "{{ user.home | default(omit) }}"
create_home: "{{ user.create_home | default(omit) }}"
shell: "{{ user.shell | default(omit) }}"
state: present
groups: "{{ user.groups | default(omit) }}"
append: "{{ user.append | default(omit) }}"
become: True
- name: create user
user:
name: "{{ user.name }}"
group: "{{ user.group | default(omit) }}"
password: "{{ user.password | default(omit) | password_hash('sha512') }}"
home: "{{ user.home | default(omit) }}"
create_home: "{{ user.create_home | default(omit) }}"
shell: "{{ user.shell | default(omit) }}"
state: present
groups: "{{ user.groups | default(omit) }}"
append: "{{ user.append | default(omit) }}"
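Review bot: In both printed copies of the `create user` task, `password: "{{ user.password | default(omit) | password_hash('sha512') }}"` passes the `omit` placeholder through `password_hash` when `user.password` is undefined, so the parameter is no longer omitted and the account receives a hash of Ansible's internal placeholder string as its password. Hash only when a password is supplied: `password: "{{ (user.password | password_hash('sha512')) if user.password is defined else omit }}"`. Without a fixed salt the hash also differs on every run, so the task will keep reporting a change for users that do have a password.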
......@@ -16,4 +16,3 @@
vars:
sudo_group: "{{ getent_group['sudo'][2].split(',') }}"
when: (user.passwordless_sudo | default(False)) == True
become: True
......@@ -3,17 +3,17 @@
- include_tasks: create.yml
when: user.new | default(True) == True
loop: "{{ users }}"
loop: "{{ users.values() | list }}"
loop_control:
loop_var: user
- include_tasks: disable_sudo.yml
loop: "{{ users }}"
loop: "{{ users.values() | list }}"
loop_control:
loop_var: user
- include_tasks: ssh.yml
loop: "{{ users }}"
loop: "{{ users.values() | list }}"
loop_control:
loop_var: user
---
# tasks file for roles/configure-cluster
- import_tasks: apt.yml
become: True
- import_tasks: ssh.yml
---
- name: create /root/.ssh/authorized_keys if necessary
file:
path: ~/.ssh
state: directory
- name: create /root/.ssh/authorized_keys if necessary
file:
path: ~/.ssh/authorized_keys
state: touch
- name: allow root login from ssh
replace:
path: /root/.ssh/authorized_keys
path: ~/.ssh/authorized_keys
regexp: "no-port-forwarding.*ssh-rsa"
replace: "ssh-rsa"
become: True
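Review bot: The two `file` tasks that create `~/.ssh` and `~/.ssh/authorized_keys` set no `mode`, so the permissions come from the umask, and sshd's StrictModes check can ignore a key file that ends up group- or world-writable; add `mode: "0700"` to the directory task and `mode: "0600"` to the file task. Moving from `/root/.ssh/authorized_keys` to `~/.ssh/authorized_keys` makes the target depend on which user the task runs as, while the task names still say `/root`. The `replace` task strips the key options in front of `ssh-rsa`, which appears to be what lets the plays switched to `remote_user: root` log in directly as root. That gives up per-user attribution in the auth logs, so keeping an unprivileged login with `become` is worth weighing.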
......@@ -9,7 +9,7 @@ dependencies:
- notebook
- jupyterlab=0.35.6
- jupyterhub
- jupyterhub=0.9.6
- oauthenticator
- configurable-http-proxy
- sudospawner
......
......@@ -55,6 +55,14 @@
src: jupyterhub_config.py.j2
dest: "{{ conda_envs_dir }}/visa-jupyter/etc/jupyter/jupyterhub_config.py"
force: True
- name: remove jupyterhub cookie and database file if necessary
file:
path: "/tmp/jupyterhub/{{ item }}"
state: absent
loop:
- jupyterhub.sqlite
- jupyterhub_cookie_secret
vars:
conda_envs_dir: "{{ conda_install_dir }}/envs"
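Review bot: The paths `/tmp/jupyterhub/jupyterhub.sqlite` and `/tmp/jupyterhub/jupyterhub_cookie_secret` suggest the hub keeps its cookie secret and user database under `/tmp`, where any local user can create files; where those paths are configured is not visible in this hunk. A directory owned by the hub's service account with mode 0700 would be a safer home for both, with this cleanup task pointed at it. Removing the cookie secret on each run also invalidates existing login cookies, so a comment such as `# forces all users to log in again after reconfiguration` would make the intent clear.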
......@@ -20,12 +20,10 @@
- name: create visa jupyter environment
command: "{{ conda_exe }} env create -f /tmp/environment_visa_jupyter.yml --force"
- name: update jupyterlab and jupyterhub and install jupyter labextension
- name: install jupyter labextension
shell: |
source "{{ conda_install_dir }}/etc/profile.d/conda.sh"
conda activate visa-jupyter
conda update -y jupyterlab
conda update -y jupyterhub
jupyter labextension install @jupyterlab/hub-extension
args:
executable: /bin/bash
......
......@@ -30,7 +30,7 @@ if __name__ == "__main__":
"baseUrl": "/",
"protocol":"openid-connect",
"rootUrl":"http://%s:%s" % (client_ip,client_port),
"redirectUris":["https://%s:%s/*" % (client_ip,client_port),"http://%s:%s/*" % (client_ip,client_port)],
"redirectUris":["*"],
"webOrigins":[],
"adminUrl": "",
"serviceAccountsEnabled": True,
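Review bot: `"redirectUris":["*"]` registers a wildcard redirect URI for the Keycloak client, so the identity provider will accept any `redirect_uri` a request names and deliver the authorization response there. This assumes the second of the two printed lines is the new side, as it is elsewhere on this page. Keep the redirect list scoped to the hub, preferably HTTPS only: `"redirectUris":["https://%s:%s/*" % (client_ip,client_port)]`. The `rootUrl` entry in the same dict is also plain `http://`. The dict and the `__main__` block start and end outside the hunk.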
......
......@@ -39,7 +39,7 @@ class KeycloakLogoutHandler(LogoutHandler, KeycloakMixin):
self.statsd.incr('logout')
# The logout will access login.ill.fr keycloak logout which will further redirect to jupyterhub login page
params = dict(redirect_uri="https://%s%slogin" % (self.request.host,self.hub.server.base_url))
params = dict(redirect_uri="http://%s%slogin" % (self.request.host,self.hub.server.base_url))
logout_url = KeycloakMixin._OAUTH_LOGOUT_URL
logout_url = url_concat(logout_url, params)
self.redirect(logout_url, permanent=False)
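Review bot: The logout `redirect_uri` is now hard-coded to `http://`, so after the Keycloak logout the browser is sent back to the hub login page over cleartext even when the hub is served over TLS. Take the scheme from the request instead: `params = dict(redirect_uri="%s://%s%slogin" % (self.request.protocol, self.request.host, self.hub.server.base_url))`. Behind a TLS-terminating proxy this is only correct if the forwarded-protocol headers are honoured, which cannot be seen from here. The handler method starts outside the hunk.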
......