.gitlab-ci.yml

-image:
-  name: docker:20.10.17
+default:
+  image: $CI_REGISTRY_IMAGE:latest
 
 variables:
   CAMPUS_IP: 138.26.48.47
@@ -13,176 +13,254 @@ variables:
   OS_IDENTITY_API_VERSION: "3"
   OS_INTERFACE: "public"
   OS_REGION_NAME: "bhm1"
-  PKR_VAR_flavor: "m1.small"
+  PROXY_NETWORK: "proxy-net"
+  PKR_VAR_flavor: "m1.medium-ruffner"
   PKR_VAR_source_image: "CentOS-7-x86_64-GenericCloud-2009"
   PKR_VAR_floating_ip_network: "uab-campus"
   PKR_VAR_security_groups: '["allow-ssh"]'
   PKR_VAR_skip_create_image: "false"
   PKR_VAR_ssh_username: "centos"
-  PKR_VAR_networks: '["ec11e2be-8fac-46cf-8fa2-9dffb74ba5df"]'
+  PKR_VAR_networks: '["8cf2f12e-905d-46d9-bc70-b0897c65f75a"]'
   GIT_AUTHOR_NAME: "Gitlab runner"
   GIT_AUTHOR_EMAIL: "gitlab@runner"
-  NUM_SERVER_TO_KEEP: 5
-  NUM_IMAGE_TO_KEEP: 30
-  PKR_VAR_root_ssh_key: "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAFqqWgmYpEaGtHBeTu27ntVJpYjwq/x5aBefrvfhk8Z9lE3cuZ26vJ9n/9tGE4Zn2Pew1mpZgi6PzfJ3vMt8yA= root@master"
-  DEV_KEY: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCpncAcYosVHt7HsUcE2XOYDuCi4HQnmFJv279LOcpZgXtZ6o0BM1fe5FgJS0X1ohBXQUFRuYJuJSW/GSmC1K8T+wCrKjZLJdMbqrubHV27diUZfdoVkoJy1vcAQF5nEcoTC7MpAFbBomdn2rsrpgQe8DGiURV7+soqybXV1OsIR3FFf6npnUaskHYT/oVtG9eBOnscyBxoVgbxzlmyoBLXED/sHKFw4nQSF/glYKEFiDu6TRTsBBEGvv23Qo/66QpQiFJ6TNfApNiyY9L1X+Dy8EWU6lozmNgwGDjXQ70Lr6xHnA0QGVALJlHXa6QjpgtpC5Nefsdvtf1hpfFo2VutpbSB+aq9jk3gWNN+XkhrWN5PiwP7YYJNw/WozyfL+IhwjfHZGxkuws+wGR6ZKxlX9W9Vrsq9ncYNKuhy2SdsR6s2XECQtrEQ6ZlX5jRt6Yh5M9ls5fMsWEqknDPmr1Ui6wV7NxprYngo9fLSdYO/ETIO3S6PB0aEHOZOyGitGaM06EmNpvjQn/QkkaVgt/O8wKL1o1AVzXhDMAFvtG6ejppV6kuTUHXFgSGZF6N9fnP91HuytyzC09F+NMWcmnRdrgXlHapjuuL3zzi+XLCQvk8+aYTzBKx1nU2FPMDRZ9sInGmqdTuM002E7qVbaCy4OxcWaAS/L2UVhGnHr+egYw== louistw@uab.edu"
+  INSTANCE_FLAVOR: "m1.medium-ruffner"
+  HTTP_PROXY_INSTANCE_NAME: "http-proxy"
+  SSH_PROXY_INSTANCE_NAME: "ssh-proxy"
 
 stages:
   - build
-  - test
   - deploy
 
-build_image:
-  image: $CI_REGISTRY_IMAGE:latest
-  stage: build
-  environment:
-    name: knightly
-  tags:
-    - build
+workflow:
+  rules:
+    - if: $CI_PIPELINE_SOURCE == "web"
+    - if: $CI_PIPELINE_SOURCE == "schedule"
+
+.get_build_date: &get_build_date
+  - export BUILD_DATE=$(TZ=America/Chicago date +%Y-%m-%dT%H%M%S)
+  - echo BUILD_DATE=${BUILD_DATE}
+
+.update_ansible_repo: &update_ansible_repo
+  - *get_build_date
+  - |
+    export EXT_REPO_DIR=$(basename -s .git $EXT_PR_TARGET_REPO)
+    if [ ! -d $CI_PROJECT_DIR/$EXT_REPO_DIR ]; then
+      git clone ${EXT_PR_TARGET_REPO} ${EXT_REPO_DIR}
+      cd ${EXT_REPO_DIR}
+      git remote add upstream ${EXT_PR_SRC_REPO}
+      cd ..
+    fi
+  - cd ${EXT_REPO_DIR}
+  - git config user.name "${GIT_AUTHOR_NAME}"
+  - git config user.email "${GIT_AUTHOR_EMAIL}"
+  - git checkout ${EXT_PR_TARGET_BRANCH}
+  - git fetch origin ${EXT_PR_TARGET_BRANCH}
+  - git merge origin/${EXT_PR_TARGET_BRANCH}
+  - git checkout -b integration
+  - git fetch upstream ${EXT_PR_SRC_BRANCH}
+  - git merge upstream/${EXT_PR_SRC_BRANCH}
+  # export vars into job artifacts
+  - export EXT_REPO_HEAD=$(git rev-parse --short HEAD)
+  - export EXT_PR_SRC_BRANCH_SHA=$(git rev-parse --short upstream/${EXT_PR_SRC_BRANCH})
+  - export EXT_PR_TARGET_BRANCH_SHA=$(git rev-parse --short origin/${EXT_PR_TARGET_BRANCH})
+  - cd ..
+  - export PACKER_IMAGE_HEAD=$(git rev-parse --short HEAD)
+  - echo EXT_REPO_HEAD=${EXT_REPO_HEAD} | tee -a $CI_PROJECT_DIR/image.env
+  - echo EXT_PR_SRC_BRANCH_SHA=${EXT_PR_SRC_BRANCH_SHA} | tee -a $CI_PROJECT_DIR/image.env
+  - echo EXT_PR_TARGET_BRANCH_SHA=${EXT_PR_TARGET_BRANCH_SHA} | tee -a $CI_PROJECT_DIR/image.env
+  - echo PACKER_IMAGE_HEAD=${PACKER_IMAGE_HEAD} | tee -a $CI_PROJECT_DIR/image.env
+
+.get_ansible_files: &get_ansible_files
+  - s3cmd get --force -r --host=$AWS_HOST --host-bucket=$AWS_HOST s3://cheaha-cloud-ansible-files/ ansible/files/
+
+.build_proxy_image_template: &build_proxy_image_template
   script:
+    - *update_ansible_repo
+    - *get_ansible_files
+    # packer vars for job env
+    - export PKR_VAR_flavor="${PROXY_BUILD_FLAVOR:-$PKR_VAR_flavor}"
+    - export PKR_VAR_build_instance_name="${BUILD_TARGET}-${EXT_REPO_HEAD}"
+    - export PKR_VAR_image_date_suffix=false
     - |
-      if [ ! -d $CI_PROJECT_DIR/CRI_XCBC ]; then
-        git clone https://github.com/uabrc/CRI_XCBC.git
-        cd CRI_XCBC
-        git remote add upstream https://github.com/jprorama/CRI_XCBC.git
-        cd ..
+      if [ $CI_PIPELINE_SOURCE == 'merge_request_event' ]; then
+        export PKR_VAR_image_name="${BUILD_TARGET}-PR-${CI_MERGE_REQUEST_IID}"
+      elif [ $CI_PIPELINE_SOURCE == 'schedule' ]; then
+        export PKR_VAR_image_name="${BUILD_TARGET}-${BUILD_DATE}"
       fi
-    - cd CRI_XCBC
-    - git config user.name "${GIT_AUTHOR_NAME}"
-    - git config user.email "${GIT_AUTHOR_EMAIL}"
-    - git fetch --all
-    - git fetch origin '+refs/pull/*/head:refs/remotes/origin/pr/*'
-    - git fetch upstream '+refs/pull/*/head:refs/remotes/upstream/pr/*'
-    - git checkout uab-prod
-    - git merge origin/uab-prod
-    - git checkout -b integration
-    - git merge upstream/dev
-    - export CRI_XCBC_HEAD=$(git rev-parse --short HEAD)
-    - export CRI_XCBC_dev=$(git rev-parse --short upstream/dev)
-    - export CRI_XCBC_prod=$(git rev-parse --short origin/uab-prod)
-    - cd ..
-    - export PACKER_IMAGE_HEAD=$(git rev-parse --short HEAD)
-    - export BUILD_DATE=$(TZ=America/Chicago date +%Y%m%d)
-    - echo CRI_XCBC_HEAD=${CRI_XCBC_HEAD} | tee -a $CI_PROJECT_DIR/image.env
-    - echo CRI_XCBC_dev=${CRI_XCBC_dev} | tee -a $CI_PROJECT_DIR/image.env
-    - echo CRI_XCBC_prod=${CRI_XCBC_prod} | tee -a $CI_PROJECT_DIR/image.env
-    - echo PACKER_IMAGE_HEAD=${PACKER_IMAGE_HEAD} | tee -a $CI_PROJECT_DIR/image.env
-    - echo BUILD_DATE=${BUILD_DATE} | tee -a $CI_PROJECT_DIR/image.env
-    - >
-      curl --header "PRIVATE-TOKEN: ${ANSIBLE_VAR_TOKEN}"
-      "${CI_API_V4_URL}/projects/2836/repository/files/knightly/raw?ref=main"
-      -o CRI_XCBC/group_vars/knightly
-    - s3cmd get --force -r --host=$AWS_HOST --host-bucket=$AWS_HOST s3://cheaha-cloud-ansible-files/ ansible/files/
-    - 'sed -i -E "s/(lts_access_key: ).*/\1\"${AWS_ACCESS_KEY_ID}\"/" CRI_XCBC/group_vars/knightly'
-    - 'sed -i -E "s/(lts_secret_key: ).*/\1\"${AWS_SECRET_ACCESS_KEY}\"/" CRI_XCBC/group_vars/knightly'
-    - packer validate openstack-ood
-    - >
-      PKR_VAR_build_instance_name="ood-${CRI_XCBC_HEAD}"
-      PKR_VAR_image_date_suffix=false
-      PKR_VAR_image_name="ood-${BUILD_DATE}"
-      packer build -machine-readable openstack-ood | tee ood_build.log
-    - export BUILT_OOD_IMAGE_ID=$(grep 'Image:' ood_build.log | awk '{print $4}')
-    - echo BUILT_OOD_IMAGE_ID=${BUILT_OOD_IMAGE_ID} | tee -a $CI_PROJECT_DIR/image.env
-    - openstack image set --property CRI_XCBC_prod=${CRI_XCBC_prod} --property CRI_XCBC_dev=${CRI_XCBC_dev} --property PACKER_IMAGE_HEAD=${PACKER_IMAGE_HEAD} ${BUILT_OOD_IMAGE_ID}
+    # Ansible var overrides
+    - |
+      if [ -n "${PROXY_ENABLE_VAR}" ]; then
+        sed -i -E "s/(${PROXY_ENABLE_VAR}: ).*/\1true/" $EXT_REPO_DIR/group_vars/all
+      fi
+    - 'sed -i -E "s|(s3_endpoint: ).*|\1\"${S3_ENDPOINT}\"|" $EXT_REPO_DIR/group_vars/all'
+    - 'sed -i -E "s/(lts_access_key: ).*/\1\"${AWS_ACCESS_KEY_ID}\"/" $EXT_REPO_DIR/group_vars/all'
+    - 'sed -i -E "s/(lts_secret_key: ).*/\1\"${AWS_SECRET_ACCESS_KEY}\"/" $EXT_REPO_DIR/group_vars/all'
+    - 'sed -i -E "s/(s3_shibboleth_bucket_name: ).*/\1\"${S3_SHIBBOLETH_BUCKET_NAME}\"/" $EXT_REPO_DIR/group_vars/all'
+    - 'sed -i -E "s/(s3_shibboleth_object_name: ).*/\1\"${S3_SHIBBOLETH_OBJECT_NAME}\"/" $EXT_REPO_DIR/group_vars/all'
+    - 'sed -i -E "s|(ssh_pub_key: ).*|\1\"{{ lookup(''file'', ''${SSH_PUB_KEY}'') }}\"|" $EXT_REPO_DIR/group_vars/all'
+    # packer commands
+    - packer init openstack-proxy
+    - packer validate openstack-proxy
+    - packer build -machine-readable openstack-proxy | tee proxy_build.log
+    - export BUILT_PROXY_IMAGE_ID=$(grep 'Image:' proxy_build.log | awk '{print $4}')
+    - echo BUILT_PROXY_IMAGE_ID=${BUILT_PROXY_IMAGE_ID} | tee -a $CI_PROJECT_DIR/image.env
+    # set image properties with repo state
+    - openstack image set --property EXT_PR_SRC_REPO=${EXT_PR_SRC_REPO} --property EXT_PR_SRC_BRANCH_SHA=${EXT_PR_SRC_BRANCH_SHA} --property EXT_PR_TARGET_REPO=${EXT_PR_TARGET_REPO} --property EXT_PR_TARGET_BRANCH_SHA=${EXT_PR_TARGET_BRANCH_SHA} --property PACKER_IMAGE_HEAD=${PACKER_IMAGE_HEAD} ${BUILT_PROXY_IMAGE_ID}
   artifacts:
     reports:
       dotenv: image.env
 
-test:
-  image: $CI_REGISTRY_IMAGE:latest
-  stage: test
-  environment:
-    name: knightly
+build_compute_image:
+  stage: build
   tags:
     - build
   script:
-    - OLD_INSTANCE_IP=$(openstack floating ip list --floating-ip-address $CHEAHA_IP -c "Fixed IP Address" -f value)
-    - echo $OLD_INSTANCE_IP
-    - |
-      if [ ! -z $OLD_INSTANCE_IP ]; then
-        export OLD_INSTANCE_ID=$(openstack server list --name ood-knightly --ip $OLD_INSTANCE_IP -c ID -f value)
-      fi
-    - echo OLD_INSTANCE_ID=$OLD_INSTANCE_ID | tee -a instance.env
-    - |
-      cat > user_data.txt << OEOF
-      #!/bin/bash
-      cat > /etc/resolv.conf << EOF
-      search openstack.internal cm.cluster rc.uab.edu ib.cluster drac.cluster eth.cluster ib-hdr.cluster
-      nameserver 172.20.0.25
-      EOF
-      echo "$DEV_KEY" >> /root/.ssh/authorized_keys
-      ip route replace default via 10.250.0.3 dev eth0
-      ip route add 172.20.0.0/16 via 10.250.0.1 dev eth0
-      mkdir -p /run/shibboleth
-      chown shibd:shibd /run/shibboleth
-      pip3 install s3cmd
-      s3cmd get --force -r --access_key=$AWS_ACCESS_KEY_ID --secret_key=$AWS_SECRET_ACCESS_KEY --host=$AWS_HOST --host-bucket=$AWS_HOST s3://knightly-key/ /etc/ssh/
-      OEOF
-    - >
-      export NEW_INSTANCE_ID=$(openstack server create
-      -c id -f value --image $BUILT_OOD_IMAGE_ID
-      --network openstack-cheaha-internal
-      --security-group ood-https-ports
-      --security-group allow-ssh
-      --user-data user_data.txt
-      --flavor m1.medium
-      --wait
-      ood-knightly)
-    - echo NEW_INSTANCE_ID=$NEW_INSTANCE_ID | tee -a instance.env
-    - openstack server add floating ip $NEW_INSTANCE_ID $TEST_IP
-    - >
-      curl --retry 10 --retry-delay 20 --retry-connrefused https://knightly.rc.uab.edu/Shibboleth.sso/Metadata --resolve knightly.rc.uab.edu:443:$TEST_IP -kf
-      || (openstack server delete $NEW_INSTANCE_ID && openstack image delete $BUILT_OOD_IMAGE_ID && false)
+    - *update_ansible_repo
+    - *get_ansible_files
+    - export PKR_VAR_flavor="${COMPUTE_BUILD_FLAVOR:-$PKR_VAR_flavor}"
+    - export PKR_VAR_build_instance_name="${BUILD_TARGET}-${CRI_XCBC_HEAD}"
+    - export PKR_VAR_image_date_suffix=false
     - |
-      if [ $CI_PIPELINE_SOURCE = "schedule" ]; then
-        openstack server remove floating ip $NEW_INSTANCE_ID $TEST_IP
-      else
-        openstack server delete $NEW_INSTANCE_ID
-        openstack image delete $BUILT_OOD_IMAGE_ID
+      if [ $CI_PIPELINE_SOURCE == 'merge_request_event' ]; then
+        export PKR_VAR_image_name="${BUILD_TARGET}-PR-${CI_MERGE_REQUEST_IID}"
+      elif [ $CI_PIPELINE_SOURCE == 'schedule' ]; then
+        export PKR_VAR_image_name="${BUILD_TARGET}-${BUILD_DATE}"
       fi
-  artifacts:
-    reports:
-      dotenv: instance.env
+    # packer commands
+    - packer init openstack-compute
+    - packer validate openstack-compute
+    - packer build -machine-readable openstack-compute | tee compute_build.log
+    - export BUILT_COMPUTE_IMAGE_ID=$(grep 'Image:' compute_build.log | awk '{print $4}')
+    - echo BUILT_COMPUTE_IMAGE_ID=${BUILT_COMPUTE_IMAGE_ID} | tee -a $CI_PROJECT_DIR/image.env
+    - openstack image set --property CRI_XCBC_prod=${CRI_XCBC_prod} --property CRI_XCBC_dev=${CRI_XCBC_dev} --property PACKER_IMAGE_HEAD=${PACKER_IMAGE_HEAD} ${BUILT_COMPUTE_IMAGE_ID}
+  rules:
+    - if: $PIPELINE_TARGET == "build"
+      when: always
 
-deploy_knightly:
-  image: $CI_REGISTRY_IMAGE:latest
+
+build_http_proxy_image:
+  stage: build
+  environment:
+    name: $ENV
+  tags:
+    - build
+  variables:
+    PROXY_ENABLE_VAR: "enable_http_proxy"
+  <<: *build_proxy_image_template
+  rules:
+    - if: $PIPELINE_TARGET == "build" && $BUILD_TARGET == "http-proxy"
+      when: always
+
+build_ssh_proxy_image:
+  stage: build
+  environment:
+    name: $ENV
+  tags:
+    - build
+  variables:
+    PROXY_ENABLE_VAR: "enable_ssh_proxy"
+  <<: *build_proxy_image_template
+  rules:
+    - if: $PIPELINE_TARGET == "build" && $BUILD_TARGET == "ssh-proxy"
+      when: always
+
+deploy_http_proxy_node:
   stage: deploy
   environment:
-    name: knightly
+    name: $ENV
   tags:
     - build
   script:
+    - openstack image set --accept $HTTP_PROXY_IMAGE_ID || true
+    - FAILED=false
     - |
-      if [ ! -z $OLD_INSTANCE_ID ]; then
-        openstack server remove floating ip $OLD_INSTANCE_ID $CAMPUS_IP
-        openstack server remove floating ip $OLD_INSTANCE_ID $CHEAHA_IP
-      fi
+      cat > user_data.txt <<EOF
+      #!/bin/bash
+      cat >> /etc/NetworkManager/conf.d/90-dns-none.conf<<EEOF
+      [main]
+      dns=none
+      EEOF
+      systemctl reload NetworkManager
+      echo "$DEV_KEY" >> /root/.ssh/authorized_keys
+      ip route replace default via ${DEFAULT_GATEWAY_IP} dev eth0
+      git clone ${CI_REPOSITORY_URL} /tmp/${CI_PROJECT_NAME}
+      cd /tmp/${CI_PROJECT_NAME}
+      git checkout ${CI_COMMIT_REF_NAME}
+      cat >> ansible/hosts<<EEOF
+      [$ENV]
+      127.0.0.1
+      EEOF
+      ansible-playbook -c local -i ansible/hosts --extra-vars="$EXTRA_VARS" ansible/cluster.yml | tee -a /tmp/ansible.log
+      rm -rf /tmp/${CI_PROJECT_NAME}
+      EOF
     - |
-      if [ ! -z $NEW_INSTANCE_ID ]; then
-        openstack server add floating ip $NEW_INSTANCE_ID $CAMPUS_IP
-        openstack server add floating ip $NEW_INSTANCE_ID $CHEAHA_IP
-      fi
+      export cmd="openstack server create"
+      cmd+=" -c id -f value --image $HTTP_PROXY_IMAGE_ID"
+      cmd+=" --flavor $INSTANCE_FLAVOR"
+      cmd+=" --network $PROXY_NETWORK"
+      cmd+=" --security-group webserver_sec_group"
+      cmd+=" --security-group allow-ssh"
+      cmd+=" --user-data user_data.txt"
+      if [ -n "$HTTP_PROXY_PORT" ];then cmd+=" --port $HTTP_PROXY_PORT"; fi
+      cmd+=" --wait $HTTP_PROXY_INSTANCE_NAME"
+    - export HTTP_PROXY_INSTANCE_ID=$(bash -c "$cmd")
     - |
-      SERVER_TO_BE_DELETE=($(openstack server list --name ood-knightly --sort-column Image --sort-descending -f value -c ID | sed -n $(($NUM_SERVER_TO_KEEP+1))',$p'))
-      IMAGE_TO_BE_DELETE=($(openstack image list --sort-column Name --sort-descending -f value -c Name | grep -P '^ood-\d{8}$' | sed -n $(($NUM_IMAGE_TO_KEEP+1))',$p'))
-      for svr in $SERVER_TO_BE_DELETE; do
-        openstack server delete ${svr}
+      # Associate the floating IP(s) with the HTTP Proxy instance
+      for HTTP_PROXY_FLOATING_IP in ${HTTP_PROXY_FLOATING_IP_LIST[@]};
+      do
+        echo "Associating FLOATING_IP $HTTP_PROXY_FLOATING_IP with HTTP_PROXY_INSTANCE_ID $HTTP_PROXY_INSTANCE_ID"
+        openstack server add floating ip $HTTP_PROXY_INSTANCE_ID $HTTP_PROXY_FLOATING_IP
       done
-      for img in $IMAGE_TO_BE_DELETE; do
-        openstack image delete ${img}
-      done
-  only:
-    - schedules
+  rules:
+    - if: $PIPELINE_TARGET == "deploy" && $HTTP_PROXY_IMAGE_ID
+      when: always
 
-deploy_cheaha:
+deploy_ssh_proxy_node:
   stage: deploy
   environment:
-    name: cheaha
+    name: $ENV
   tags:
     - build
   script:
-    - echo "Job placeholder to deploy to Cheaha"
-  when: manual
-  only:
-    - main
-
+    - openstack image set --accept $SSH_PROXY_IMAGE_ID || true
+    - FAILED=false
+    - |
+      cat > user_data.txt <<EOF
+      #!/bin/bash
+      cat >> /etc/NetworkManager/conf.d/90-dns-none.conf<<EEOF
+      [main]
+      dns=none
+      EEOF
+      systemctl reload NetworkManager
+      echo "$DEV_KEY" >> /root/.ssh/authorized_keys
+      ip route replace default via ${DEFAULT_GATEWAY_IP} dev eth0
+      git clone ${CI_REPOSITORY_URL} /tmp/${CI_PROJECT_NAME}
+      cd /tmp/${CI_PROJECT_NAME}
+      git checkout ${CI_COMMIT_REF_NAME}
+      cat >> ansible/hosts<<EEOF
+      [$ENV]
+      127.0.0.1
+      EEOF
+      ansible-playbook -c local -i ansible/hosts --extra-vars="$EXTRA_VARS" ansible/cluster.yml | tee -a /tmp/ansible.log
+      rm -rf /tmp/${CI_PROJECT_NAME}
+      EOF
+    - |
+      export cmd="openstack server create"
+      cmd+=" -c id -f value --image $SSH_PROXY_IMAGE_ID"
+      cmd+=" --flavor $INSTANCE_FLAVOR"
+      cmd+=" --network $PROXY_NETWORK"
+      cmd+=" --security-group allow-ssh"
+      cmd+=" --user-data user_data.txt"
+      if [ -n "$SSH_PROXY_PORT" ];then cmd+=" --port $SSH_PROXY_PORT"; fi
+      cmd+=" --wait $SSH_PROXY_INSTANCE_NAME"
+    - export SSH_PROXY_INSTANCE_ID=$(bash -c "$cmd")
+    - |
+      # Associate the floating IP(s) with the SSH Proxy instance
+      for SSH_PROXY_FLOATING_IP in ${SSH_PROXY_FLOATING_IP_LIST[@]};
+      do
+        echo "Associating FLOATING_IP $SSH_PROXY_FLOATING_IP with SSH_PROXY_INSTANCE_ID $SSH_PROXY_INSTANCE_ID"
+        openstack server add floating ip $SSH_PROXY_INSTANCE_ID $SSH_PROXY_FLOATING_IP
+      done
+  rules:
+    - if: $PIPELINE_TARGET == "deploy" && $SSH_PROXY_IMAGE_ID
+      when: always

Dockerfile

+FROM python:3.8-slim
+
+ENV S3CMD_VER=2.3.0
+ENV ANSIBLE_VER=4.10.0
+ENV OSC_VER=5.8.0
+ENV TF_VER=1.4.6
+ENV PACKER_VER=1.9.4
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    git \
+    ssh \
+    curl \
+    wget \
+    unzip \
+ && rm -rf /var/lib/apt/lists/*
+RUN wget https://releases.hashicorp.com/packer/${PACKER_VER}/packer_${PACKER_VER}_linux_amd64.zip \
+    && unzip packer_${PACKER_VER}_linux_amd64.zip -d /usr/local/bin \
+    && rm packer_${PACKER_VER}_linux_amd64.zip
+RUN wget https://releases.hashicorp.com/terraform/${TF_VER}/terraform_${TF_VER}_linux_amd64.zip \
+    && unzip terraform_${TF_VER}_linux_amd64.zip -d /usr/local/bin \
+    && rm terraform_${TF_VER}_linux_amd64.zip
+RUN pip install --no-cache-dir --upgrade pip \
+ && pip install --no-cache-dir \
+    s3cmd==$S3CMD_VER \
+    ansible==$ANSIBLE_VER \
+    python-openstackclient==$OSC_VER

ansible/base.yml

@@ -3,4 +3,5 @@
   hosts: default
   become: true
   roles:
+    - { name: 'fix_centos_repo', tags: 'fix_centos_repo' }
     - { name: 'install_packages', tags: 'install_packages' }

ansible/cheaha.yml

----
-- name: Setup node for use as a virtual cheaha node
-  hosts: default
-  become: true
-  roles:
-    - { name: 'cheaha.node', tags: 'cheaha.node' }
-    - { name: 'nfs_mounts', tags: 'nfs_mounts' }
-    - { name: 'ldap_config', tags: 'ldap_config' }
-    - { name: 'slurm_client', tags: 'slurm_client' }

ansible/cluster.yml

+---
+- name: Setup node for use as a virtual cheaha node
+  hosts: all
+  become: true
+  roles:
+    - { name: 'cheaha.node', tags: 'cheaha.node' }
+    - { name: 'nfs_mounts', tags: 'nfs_mounts', when: enable_nfs_mounts }
+    - { name: 'ldap_config', tags: 'ldap_config' }
+    - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
+    - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
+    - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
+    - { name: 'ssl_cert', tags: 'ssl_cert', when: enable_ssl_certs }
+    - { name: 'rsyslog_config', tags: 'rsyslog_config', when: enable_rsyslog_config }

ansible/compute.yml

@@ -3,9 +3,10 @@
   hosts: default
   become: true
   roles:
+    - { name: 'fix_centos_repo', tags: 'fix_centos_repo' }
     - { name: 'install_packages', tags: 'install_packages' }
     - { name: 'pam_slurm_adopt', tags: 'pam_slurm_adopt' }
-    - { name: 'lmod_user', tags: 'lmod_user'}
+    - { name: 'install_nhc', tags: 'install_nhc'}
 
 - name: Setup node for use as a virtual cheaha node
   ansible.builtin.import_playbook: cheaha.yml

ansible/files/nux-dextop.repo

 [nux-dextop]
 name=Nux.Ro RPMs for general desktop use
-baseurl=http://li.nux.ro/download/nux/dextop/el7/$basearch/ http://mirror.li.nux.ro/li.nux.ro/nux/dextop/el7/$basearch/
+baseurl=http://li.nux.ro/download/nux/dextop/el7/$basearch/
 enabled=1
 gpgcheck=1
 gpgkey=http://li.nux.ro/download/nux/RPM-GPG-KEY-nux.ro

ansible/gpu.yml

@@ -3,5 +3,11 @@
   hosts: default
   become: true
   roles:
+    - { name: 'fix_centos_repo', tags: 'fix_centos_repo' }
     - { name: 'install_packages', tags: 'install_packages' }
     - { name: 'cuda_driver', tags: 'cuda_driver' }
+    - { name: 'pam_slurm_adopt', tags: 'pam_slurm_adopt' }
+    - { name: 'install_nhc', tags: 'install_nhc'}
+
+- name: Setup node for use as a virtual cheaha node
+  ansible.builtin.import_playbook: cheaha.yml

ansible/group_vars/all

@@ -4,3 +4,61 @@
   yum_repo_files: []
   pkg_list: []
   slurm_version: 18.08.9
+  enable_slurm_client: false
+
+# NHC related
+  nhc_download_url: "https://github.com/mej/nhc/releases/download/1.4.3/lbnl-nhc-1.4.3-1.el7.noarch.rpm"
+  nhc_download_path: "/tmp"
+  nhc_git_repo: "https://gitlab.rc.uab.edu/rc/nhc.git"
+  nhc_git_repo_path: "/tmp/nhc"
+
+  root_ssh_key: ""
+
+# cheaha.node related
+  hostname_lookup_table:
+    - "10.141.255.254 master.cm.cluster master localmaster.cm.cluster localmaster ldapserver.cm.cluster ldapserver"
+  domain_search_list:
+    - openstack.internal
+    - cm.cluster
+  nameserver_list:
+    - 10.141.255.254
+
+# ldap_config related
+  ldap_cert_path: "/etc/openldap/certs"
+  ldap_uri: "ldap://ldapserver"
+
+# nfs_mounts related
+  enable_nfs_mounts: true
+  use_autofs: false
+  mount_points:
+    - { "src": "master:/gpfs4", "path": "/gpfs4", "opts": "ro,sync,hard", "mode": "0755" }
+    - { "src": "master:/gpfs5", "path": "/gpfs5", "opts": "ro,sync,hard", "mode": "0755" }
+
+#SSH Host Keys
+  S3_ENDPOINT: ""
+  SSH_HOST_KEYS_S3_BUCKET: ""
+  SSH_HOST_KEYS_S3_OBJECT: ""
+
+# AWS credentials
+  LTS_ACCESS_KEY: ""
+  LTS_SECRET_KEY: ""
+
+# ssh proxy
+  enable_ssh_proxy_config: false
+  sshpiper_dest_dir: "/opt/sshpiper"
+  fail2ban_cidr_list: "127.0.0.1/8"
+
+# rsyslog
+  enable_rsyslog_config: false
+  rsyslog_target: "*.* @master:514"
+
+# ssl certs
+  enable_ssl_certs: false
+  ssl_cert_s3_bucket: ""
+  ssl_cert_key_location: "/etc/pki/tls/private"
+  ssl_cert_file_location: "/etc/pki/tls/certs"
+  ssl_cert_key: ""
+  ssl_cert_file: ""
+  ssl_cert_chain_file: ""
+  ssl_apache_config: ""
+  apache_service: "httpd"

ansible/group_vars/base

@@ -28,7 +28,6 @@
     - "OpenIPMI-libs"
     - "OpenIPMI-modalias"
     - "PackageKit-glib"
-    - "Red_Hat_Enterprise_Linux-Release_Notes-7-en-US"
     - "SDL"
     - "Thunar"
     - "abattis-cantarell-fonts"
@@ -75,7 +74,6 @@
     - "atkmm"
     - "atlas"
     - "atlas-devel"
-    - "atom"
     - "atril"
     - "atril-caja"
     - "atril-libs"
@@ -183,9 +181,6 @@
     - "cjkuni-uming-fonts"
     - "clucene-contribs-lib"
     - "clucene-core"
-    - "clusterkit"
-    - "clusterkit"
-    - "clusterkit"
     - "clutter"
     - "clutter-gst2"
     - "clutter-gst3"
@@ -277,7 +272,6 @@
     - "dracut-config-rescue"
     - "dracut-network"
     - "dstat"
-    - "dump_pr"
     - "dvd+rw-tools"
     - "dwz"
     - "dyninst"
@@ -399,7 +393,6 @@
     - "geoclue2"
     - "geoclue2-libs"
     - "geocode-glib"
-    - "geoipupdate"
     - "gettext"
     - "gettext-common-devel"
     - "gettext-devel"
@@ -471,16 +464,6 @@
     - "google-noto-emoji-fonts"
     - "gparted"
     - "gperftools-libs"
-    - "gpfs.base"
-    - "gpfs.callhome-ecc-client"
-    - "gpfs.docs"
-    - "gpfs.ext"
-    - "gpfs.gpl"
-    - "gpfs.gskit"
-    - "gpfs.gss.pmsensors"
-    - "gpfs.java"
-    - "gpfs.license.std"
-    - "gpfs.msg.en_US"
     - "gpgme"
     - "gpm-libs"
     - "graphite2"
@@ -590,7 +573,6 @@
     - "ibus-setup"
     - "ibus-table"
     - "ibus-table-chinese"
-    - "ibutils2"
     - "icedax"
     - "icedtea-web"
     - "ilmbase"
@@ -662,7 +644,6 @@
     - "keyutils-libs-devel"
     - "khmeros-base-fonts"
     - "khmeros-fonts-common"
-    - "knem"
     - "kpartx"
     - "kpatch"
     - "krb5-devel"
@@ -1301,7 +1282,6 @@
     - "mtools"
     - "mtr"
     - "mutter"
-    - "mxm"
     - "mythes"
     - "mythes-en"
     - "nano"
@@ -1375,7 +1355,6 @@
     - "opencore-amr"
     - "openjpeg-libs"
     - "openjpeg2"
-    - "openmpi"
     - "openscap"
     - "openscap-scanner"
     - "opensm"
@@ -1686,58 +1665,36 @@
     - "python-warlock"
     - "python-wrapt"
     - "python-yubico"
-    - "python2-adal"
     - "python2-asn1crypto"
-    - "python2-babel"
     - "python2-backports-functools_lru_cache"
     - "python2-blockdev"
     - "python2-boto"
     - "python2-certifi"
-    - "python2-chardet"
-    - "python2-cmd2"
-    - "python2-contextlib2"
     - "python2-crypto"
     - "python2-cryptography"
     - "python2-dateutil"
-    - "python2-extras"
     - "python2-futures"
-    - "python2-gunicorn"
     - "python2-idna"
     - "python2-iso8601"
     - "python2-jmespath"
     - "python2-jsonpatch"
-    - "python2-jsonpointer"
     - "python2-jsonschema"
-    - "python2-jwt"
-    - "python2-ldap"
-    - "python2-markupsafe"
     - "python2-mimeparse"
     - "python2-mock"
-    - "python2-monotonic"
     - "python2-msgpack"
-    - "python2-msrest"
-    - "python2-msrestazure"
-    - "python2-munch"
     - "python2-oauthlib"
     - "python2-olefile"
-    - "python2-os-service-types"
-    - "python2-pexpect"
-    - "python2-pillow"
     - "python2-pip"
     - "python2-ptyprocess"
     - "python2-pyasn1"
     - "python2-pyasn1-modules"
     - "python2-pyatspi"
-    - "python2-pyparsing"
-    - "python2-pyperclip"
     - "python2-pyxdg"
-    - "python2-requests"
     - "python2-rpm-macros"
     - "python2-rsa"
     - "python2-setuptools"
     - "python2-subprocess32"
     - "python2-traceback2"
-    - "python2-unittest2"
     - "python2-urllib3"
     - "python2-wcwidth"
     - "python3"
@@ -1758,9 +1715,6 @@
     - "pyusb"
     - "pyxattr"
     - "qemu-guest-agent"
-    - "qemu-img-ev"
-    - "qemu-kvm-common-ev"
-    - "qemu-kvm-ev"
     - "qpdf-libs"
     - "qrencode-libs"
     - "qt"
@@ -1798,7 +1752,6 @@
     - "redhat-lsb-submod-multimedia"
     - "redhat-lsb-submod-security"
     - "redhat-menus"
-    - "redhat-release-server"
     - "redhat-rpm-config"
     - "redhat-support-lib-python"
     - "redhat-support-tool"
@@ -1876,7 +1829,6 @@
     - "sgpio"
     - "shadow-utils"
     - "shared-mime-info"
-    - "sharp"
     - "shim-x64"
     - "sil-abyssinica-fonts"
     - "sil-nuosu-fonts"
@@ -2660,7 +2612,6 @@
     - "ttmkfdir"
     - "tumbler"
     - "tuned"
-    - "turbovnc"
     - "twolame-libs"
     - "tzdata"
     - "tzdata-java"

ansible/group_vars/compute

@@ -3,7 +3,7 @@
     - TurboVNC.repo
     - cm.repo
   pkg_list:
-    - "Lmod"
+    - "Lmod-7.8.11"
     - "atftp-server"
     - "cluster-tools-dell"
     - "cluster-tools-slave"
@@ -36,7 +36,6 @@
     - "cm-libprometheus"
     - "cm-lua"
     - "cm-mariadb-libs"
-    - "cm-modules-init-client"
     - "cm-openssl"
     - "cm-python2"
     - "cm-python36"
@@ -47,7 +46,6 @@
     - "cmdaemon"
     - "cmdaemon-remotecm"
     - "confuse"
-    - "env-modules"
     - "gcc-recent"
     - "gdb-recent"
     - "lshw"
@@ -61,43 +59,22 @@
     - "net-snmp-recent"
     - "node-installer-slave"
     - "openvpn"
-    - "pbspro-ce-client"
-    - "pbspro-client"
     - "perl-Config-IniFiles"
-    - "python-azure-sdk"
     - "python-dogpile-cache"
     - "python-isodate"
     - "python-netaddr"
     - "python-netifaces"
-    - "python-oslo-i18n-lang"
-    - "python-oslo-utils-lang"
     - "python-setuptools_scm"
     - "python-testtools"
-    - "python-vcrpy"
     - "python-websockify"
-    - "python2-cffi"
-    - "python2-cinderclient"
     - "python2-cliff"
     - "python2-debtcollector"
     - "python2-deprecation"
     - "python2-fixtures"
     - "python2-funcsigs"
-    - "python2-glanceclient"
-    - "python2-heatclient"
     - "python2-ipaddress"
-    - "python2-keystoneauth1"
-    - "python2-keystoneclient"
-    - "python2-novaclient"
-    - "python2-openstacksdk"
-    - "python2-os-client-config"
-    - "python2-osc-lib"
-    - "python2-oslo-config"
-    - "python2-oslo-i18n"
-    - "python2-oslo-serialization"
-    - "python2-oslo-utils"
     - "python2-pbr"
     - "python2-positional"
-    - "python2-pyOpenSSL"
     - "python2-pysocks"
     - "python2-pyyaml"
     - "python2-requests-oauthlib"
@@ -105,10 +82,7 @@
     - "python2-rfc3986"
     - "python2-six"
     - "python2-stevedore"
-    - "python2-swiftclient"
     - "sdparm"
-    - "sge-client"
-    - "shorewall"
     - "sshpass"
     - "swig"
-    - "turbovnc"
+    - "turbovnc-2.2.6*"

ansible/group_vars/gpu

 ---
-  yum_repo_files: []
+  yum_repo_files:
+    - TurboVNC.repo
+    - cm.repo
   pkg_list:
+    - "Lmod-7.8.11"
+    - "atftp-server"
+    - "cluster-tools-dell"
+    - "cluster-tools-slave"
+    - "cm-boost"
+    - "cm-config-ceph-release-luminous"
+    - "cm-config-cm"
+    - "cm-config-dhclient"
+    - "cm-config-dracut-slave"
+    - "cm-config-grub"
+    - "cm-config-ldap-client"
+    - "cm-config-limits"
+    - "cm-config-man"
+    - "cm-config-named"
+    - "cm-config-network-slave"
+    - "cm-config-nfsclient"
+    - "cm-config-rootfiles-slave"
+    - "cm-config-selinux"
+    - "cm-config-ssh-slave"
+    - "cm-config-sysctl-slave"
+    - "cm-config-syslog-slave"
+    - "cm-config-systemd"
+    - "cm-config-xntp-slave"
+    - "cm-config-yum"
+    - "cm-curl"
+    - "cm-dhcp"
+    - "cm-freeipmi"
+    - "cm-ipmitool"
+    - "cm-ipxe-slave"
+    - "cm-libpam"
+    - "cm-libprometheus"
+    - "cm-lua"
+    - "cm-mariadb-libs"
+    - "cm-openssl"
+    - "cm-python2"
+    - "cm-python36"
+    - "cm-slave"
+    - "cm-uge-client"
+    - "cmburn"
+    - "cmburn-slave"
+    - "cmdaemon"
+    - "cmdaemon-remotecm"
+    - "confuse"
+    - "gcc-recent"
+    - "gdb-recent"
+    - "lshw"
+    - "lua-bit32"
+    - "lua-filesystem"
+    - "lua-json"
+    - "lua-lpeg"
+    - "lua-posix"
+    - "lua-term"
+    - "mysql++"
+    - "net-snmp-recent"
+    - "node-installer-slave"
+    - "openvpn"
+    - "perl-Config-IniFiles"
+    - "python-dogpile-cache"
+    - "python-isodate"
+    - "python-netaddr"
+    - "python-netifaces"
+    - "python-setuptools_scm"
+    - "python-testtools"
+    - "python-websockify"
+    - "python2-cliff"
+    - "python2-debtcollector"
+    - "python2-deprecation"
+    - "python2-fixtures"
+    - "python2-funcsigs"
+    - "python2-ipaddress"
+    - "python2-pbr"
+    - "python2-positional"
+    - "python2-pysocks"
+    - "python2-pyyaml"
+    - "python2-requests-oauthlib"
+    - "python2-requestsexceptions"
+    - "python2-rfc3986"
+    - "python2-six"
+    - "python2-stevedore"
+    - "sdparm"
+    - "sshpass"
+    - "swig"
+    - "turbovnc-2.2.6*"
     - "cuda-dcgm"
     - "cuda-dcgm-libs"
     - "cuda-dcgm-nvvs"

ansible/group_vars/ood

@@ -2,6 +2,7 @@
   yum_repo_files:
     - cm.repo
   pkg_list:
+    - autofs
     - Lmod
     - tmux
     - vim

ansible/group_vars/prod

+---
+  # cheaha.node related
+  hostname_lookup_table:
+    - "172.20.0.24 cheaha-master02.cm.cluster cheaha-master02"
+    - "172.20.0.22 cheaha-master01.cm.cluster cheaha-master01"
+    - "172.20.0.25 master.cm.cluster master localmaster.cm.cluster localmaster ldapserver.cm.cluster ldapserver"
+  domain_search_list:
+    - cm.cluster
+    - rc.uab.edu
+    - ib.cluster
+    - drac.cluster
+    - eth.cluster
+    - ib-hdr.cluster
+  nameserver_list:
+    - 172.20.0.25
+
+  bright_openldap_path: "/cm/local/apps/openldap"
+  ldap_cert_path: "{{bright_openldap_path}}/etc/certs"
+  ldap_uri: "ldaps://ldapserver"
+
+  # proxy_config
+  target_groups:
+    - {"name": "gpfs5", "host": "login002", "default": False, "authorized_keys":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs5/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}
+    - {"name": "gpfs4", "host": "login001", "default": True, "authorized_keys":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/authorized_keys", "private_key":"/gpfs4/data/user/home/$DOWNSTREAM_USER/.ssh/id_ecdsa"}

ansible/ood.yml

@@ -3,6 +3,7 @@
   hosts: default
   become: true
   roles:
+    - { name: 'fix_centos_repo', tags: 'fix_centos_repo' }
     - { name: 'install_packages', tags: 'install_packages' }
     - { name: 'install_zsh', tags: 'install_zsh' }
 

ansible/roles/cheaha.node/tasks/main.yml

@@ -4,15 +4,24 @@
     path: /etc/hosts
     line: "{{ item }}"
   loop:
-    - "172.20.0.24 cheaha-master02.cm.cluster cheaha-master02"
-    - "172.20.0.22 cheaha-master01.cm.cluster cheaha-master01"
-    - "172.20.0.25 master.cm.cluster master localmaster.cm.cluster localmaster ldapserver.cm.cluster ldapserver"
+    "{{ hostname_lookup_table }}"
 
 - name: Add proper DNS search to lookup other nodes on the cluster
   ansible.builtin.lineinfile:
     path: /etc/dhcp/dhclient.conf
     insertbefore: BOF
     line: 'append domain-name " cm.cluster rc.uab.edu ib.cluster drac.cluster eth.cluster ib-hdr.cluster";'
+    create: true
+    state: present
+
+- name: Template resolv.conf
+  ansible.builtin.template:
+    src: resolv.conf.j2
+    dest: /etc/resolv.conf
+    owner: root
+    group: root
+    mode: 0644
+    backup: true
 
 - name: Disable SELinux
   ansible.posix.selinux:
@@ -25,6 +34,7 @@
     owner: root
     group: root
     mode: 0644
+  when: "'cm.repo' in yum_repo_files"
 
 - name: Add ssh key for root access
   ansible.posix.authorized_key:
@@ -35,3 +45,7 @@
 - name: Set timezone to America/Chicago
   community.general.timezone:
     name: America/Chicago
+  retries: 3
+  delay: 3
+  register: result
+  until: not result.failed

ansible/roles/cheaha.node/templates/resolv.conf.j2

+search {{ domain_search_list | join(' ') }}
+{% for name_server in nameserver_list %}
+nameserver {{ name_server }}
+{% endfor %}

ansible/roles/cuda_driver/tasks/main.yml

@@ -16,11 +16,11 @@
       - cuda-dcgm.x86_64
       - cuda-dcgm-libs
       - cuda-dcgm-devel
-    state: present
+    state: latest
 
 - name: start cuda-driver service
   ansible.builtin.systemd:
-    name: cuda-driver
+    name: "{{ item }}"
     state: started
     enabled: yes
   loop:

ansible/roles/fix_centos_repo/tasks/main.yaml

+---
+- name: Get CentOS repo files
+  shell: ls /etc/yum.repos.d/CentOS-*
+  register: repo_files
+
+- name: Remove mirrorlist from CentOS repo files
+  ansible.builtin.replace:
+    path: "{{ item }}"
+    regexp: '^mirrorlist'
+    replace: '#mirrorlist'
+    backup: yes
+  with_items: "{{ repo_files.stdout_lines }}"
+
+- name: Use vault baseurl to CentOS repo files
+  ansible.builtin.replace:
+    path: "{{ item }}"
+    regexp: '^#baseurl=http://mirror.centos.org'
+    replace: 'baseurl=http://vault.centos.org'
+    backup: yes
+  with_items: "{{ repo_files.stdout_lines }}"

ansible/roles/install_nhc/tasks/main.yml

+---
+- name: Download the rpm
+  ansible.builtin.get_url:
+    url: "{{ nhc_download_url }}"
+    dest: "{{ nhc_download_path }}"
+
+- name: Clone the NHC config repo
+  ansible.builtin.git:
+    repo: "{{ nhc_git_repo }}"
+    dest: "{{ nhc_git_repo_path }}"
+
+- name: Install NHC
+  ansible.builtin.yum:
+    name: "{{ nhc_download_url }}"
+    state: latest
+
+- name: Copy config files
+  ansible.builtin.copy:
+    src: "{{ nhc_git_repo_path }}/{{ item.src }}" 
+    dest: "{{ item.dest }}"
+    owner: root
+    group: root
+    mode: '0644'
+    remote_src: true
+  loop:
+    - { src: 'nhc.conf' , dest: '/etc/nhc/' }
+    - { src: 'nhc.etc.sysconfig', dest: '/etc/sysconfig/nhc/' }
+