To enable centralized authentication in the cluster, Omnia installs either:
- FreeIPA
- LDAP Client
Note
- Nodes provisioned using the Omnia provision tool do not require a RedHat subscription to run security.yml on RHEL target nodes.
- For RHEL target nodes not provisioned by Omnia, ensure that a RedHat subscription is enabled on all target nodes. Every target node will require a RedHat subscription.
Enter the following parameters in input/security_config.yml.
| Parameter | Details |
|---|---|
| | Boolean indicating whether FreeIPA is required or not. |
| | Sets the intended realm name. |
| | "admin" user password for the IPA server on RockyOS. |
| | Sets the intended domain name. |
Note
- The input/omnia_config.yml file is encrypted on the first run of the provision tool. To view the encrypted parameters:

      ansible-vault view security_config.yml --vault-password-file .security_vault_key

  To edit the encrypted parameters:

      ansible-vault edit security_config.yml --vault-password-file .security_vault_key
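Before running the `ansible-vault view`/`edit` commands above it is worth confirming two things: that security_config.yml really is vault-encrypted (a plaintext copy would mean the FreeIPA and LDAP passwords it holds are on disk unprotected), and that the vault password file beside it is readable by its owner only. The script below is an added example, not Omnia's own code; it assumes the two paths are passed as arguments and that `ls -l` prints POSIX mode bits, and the vault body it writes for the demo is placeholder hex, not a real encrypted secret.

```shell
#!/bin/sh
# Added example (not Omnia's code): pre-flight checks before running
# `ansible-vault view/edit` on the encrypted security_config.yml.
# Assumes: $1 = encrypted config path, $2 = vault password file path.

# 0 if FILE starts with the ansible-vault header line, 1 otherwise.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# 0 if KEYFILE is readable by its owner only (-rw------- or -r--------).
vault_key_is_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$perms" = "-rw-------" ] || [ "$perms" = "-r--------" ]
}

# Combined check. Exit status: 0 ok, 1 config is not encrypted, 2 key file too open.
vault_preflight() {
    is_vault_encrypted "$1" || { echo "not vault-encrypted: $1" >&2; return 1; }
    vault_key_is_private "$2" || { echo "key file is not owner-only: $2" >&2; return 2; }
    return 0
}

# Demo on constructed files; the vault body is placeholder hex, not a real secret.
demo_dir=$(mktemp -d)
printf '$ANSIBLE_VAULT;1.1;AES256\n30303030\n' > "$demo_dir/security_config.yml"
printf 'constructed-vault-password\n' > "$demo_dir/.security_vault_key"
chmod 600 "$demo_dir/.security_vault_key"
if vault_preflight "$demo_dir/security_config.yml" "$demo_dir/.security_vault_key"; then
    echo "ok: safe to run ansible-vault view/edit"
fi
rm -rf "$demo_dir"
```

Run it against the real files as `vault_preflight security_config.yml .security_vault_key` from the input directory; a non-zero status means either the file was written back in plaintext or the key file permissions have drifted.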
Omnia installs a FreeIPA server on the manager node and FreeIPA clients on the compute and login nodes using one of the commands below:

    ansible-playbook security.yml -i inventory

Where inventory follows the format defined under inventory file in the provided Sample Files.

    ansible-playbook omnia.yml -i inventory

Where inventory follows the format defined under inventory file in the provided Sample Files. The omnia.yml playbook installs Slurm, BeeGFS Client and NFS Client in addition to FreeIPA.
Note
- Omnia does not create any accounts (HPC users) on FreeIPA. To create a user, check out the FreeIPA documentation.
- Alternatively, use the command below with admin credentials:

      ipa user-add --homedir=<nfs_dir_path> --password
Setting up Passwordless SSH for FreeIPA
Once user accounts are created, admins can enable passwordless SSH for users to run HPC jobs.
To customize your setup of passwordless SSH, input parameters in input/passwordless_ssh_config.yml.
| Parameter | Details |
|---|---|
| | The user that requires passwordless SSH. |
| | Indicates whether LDAP or FreeIPA is in use on the cluster. |
Use the command below to enable passwordless SSH:

    ansible-playbook user_passwordless_ssh.yml -i inventory

Where inventory follows the format defined under inventory file in the provided Sample Files.
Caution
Do not run ssh-keygen commands after passwordless SSH is set up on the nodes.
To add the cluster to an external LDAP server, Omnia enables the installation of LDAP client on the manager, compute and login nodes.
To customize your LDAP client installation, input parameters in input/security_config.yml.
| Parameter | Details |
|---|---|
| | Boolean indicating whether LDAP is required or not. |
| | Sets the intended domain name. |
| | LDAP server IP. Required if ldap_required is true. There should be an explicit LDAP server running on this IP. |
Note
Omnia does not create any accounts (HPC users) on LDAP. To create a user, check out the LDAP documentation.
Setting up Passwordless SSH for LDAP
Once user accounts are created, admins can enable passwordless SSH for users to run HPC jobs.
Note
Ensure that the control plane can reach the designated LDAP server.
To customize your setup of passwordless SSH, input parameters in input/passwordless_ssh_config.yml.
| Parameter | Details |
|---|---|
| | The user that requires passwordless SSH. |
| | Indicates whether LDAP or FreeIPA is in use on the cluster. |
Use the command below to enable passwordless SSH:

    ansible-playbook user_passwordless_ssh.yml -i inventory

Where inventory follows the format defined under inventory file:

    [manager]
    10.5.0.101
    [compute]
    10.5.0.102
    10.5.0.103
    [ldap_server]
    10.5.0.105
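Both the FreeIPA and the LDAP playbook runs above take this inventory, and a group that is empty or a mistyped address is the usual reason a run targets the wrong nodes or none at all. The script below is an added example, not Omnia's own code: it extracts the hosts under each `[group]` header and checks that `[manager]`, `[compute]` and `[ldap_server]` each list at least one valid IPv4 address. It assumes the inventory path is passed as the first argument and that hosts are written as dotted-quad addresses, as in the sample; the demo inventory it writes is constructed to mirror the one shown above.

```shell
#!/bin/sh
# Added example (not Omnia's code): structural checks on an inventory file in
# the [manager]/[compute]/[ldap_server] format. Assumes $1 = inventory path.

# Print the host entries under group GROUP in inventory FILE, one per line.
# Blank lines and '#' comments are skipped; only the first token of a line is kept.
# Usage: inventory_hosts FILE GROUP
inventory_hosts() {
    awk -v grp="$2" '
        /^[[:space:]]*\[/ { in_grp = ($0 ~ ("^[[:space:]]*\\[" grp "\\][[:space:]]*$")); next }
        in_grp && NF > 0 && $1 !~ /^#/ { print $1 }
    ' "$1"
}

# 0 if ADDR is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    echo "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Exit status: 0 ok, 1 a required group is missing or empty, 2 a host is not an IPv4 address.
validate_inventory() {
    for grp in manager compute ldap_server; do
        hosts=$(inventory_hosts "$1" "$grp")
        [ -n "$hosts" ] || { echo "group [$grp] missing or empty" >&2; return 1; }
        for h in $hosts; do
            is_ipv4 "$h" || { echo "[$grp]: '$h' is not an IPv4 address" >&2; return 2; }
        done
    done
    return 0
}

# Demo on a constructed inventory mirroring the documented sample.
demo_dir=$(mktemp -d)
printf '[manager]\n10.5.0.101\n[compute]\n10.5.0.102\n10.5.0.103\n[ldap_server]\n10.5.0.105\n' > "$demo_dir/inventory"
if validate_inventory "$demo_dir/inventory"; then
    echo "inventory ok: $(inventory_hosts "$demo_dir/inventory" compute | wc -l | tr -d ' ') compute node(s)"
fi
rm -rf "$demo_dir"
```

Run `validate_inventory inventory` before either playbook; it does not test reachability, so the note above about the control plane reaching the LDAP server still has to be confirmed separately.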
Caution
Do not run ssh-keygen commands after passwordless SSH is set up on the nodes.