Remove condercert ....

Author: dietrichliko

.gitignore

@@ -0,0 +1,4 @@
+__pycache__
+*.swp
+*.pyc
+default_junit.xml

.gitlab-ci.yml

@@ -0,0 +1,22 @@
+---
+centos7:
+  tags:
+    - dood
+  image: gitlab-registry.cern.ch/hephyvienna/docker/centos7-molecule:latest
+  variables:
+    ROLE: hephyvienna.grid-htc-ce
+  before_script:
+    - ln -s $CI_PROJECT_NAME ../$ROLE
+  script:
+    - docker --version
+    - python --version
+    - ansible --version
+    - molecule --version
+    - molecule test
+    - junit2html default_junit.xml default_junit.html
+  artifacts:
+    reports:
+      junit: default_junit.xml
+    paths:
+      - default_junit.xml
+      - default_junit.html

defaults/main.yml

@@ -3,9 +3,16 @@
 grid_htc_ce_repo_install: true
 grid_htc_ce_repo_development_enable: false
 grid_htc_ce_batch_system: slurm
-grid_htc_ce_pkgs:
-  - htcondor-ce-bdii
-  - htcondor-ce-client
-  - htcondor-ce-view
-  - htcondor-ce
-  - "htcondor-ce-{{ grid_htc_ce_batch_system }}"
+grid_htc_ce_enable_static_shadow: true
+grid_htc_ce_enable_bdii: true
+grid_htc_ce_uid_domain: {{ ansible_domain }}
+grid_htc_ce_condor_view_hosts: []
+grid_htc_ce_pool_collector_str: ''
+grid_htc_ce_gsi_regexp: '^\/DC\=ch\/DC\=cern\/OU\=computers\/CN\=(host\/)?([A-Za-z0-9.\-]*)$'
+grid_htc_ce_benchmark_result: 10.00-HEP-SPEC06
+grid_htc_ce_execution_env_cores: 16
+grid_htc_ce_election_hosts:
+  - {{ ansible_fqdn }}
+grid_htc_ce_argus_server:
+grid_htc_ce_argus_port: 8154
+grid_htc_ce_argus_resourceid: http://authz-interop.org/xacml/resource/resource-type/ce

files/condor-ce.sysconfig

@@ -0,0 +1,24 @@
+##############################################################################
+#
+# Condor-CE environment configuration.
+#
+# This file is sourced prior to starting the Condor-CE daemons.  Add any
+# special configurations you might deem necessary.  Prior to sourcing this
+# file, /usr/libexec/condor-ce/condor_ce_env_bootstrap is sourced.
+#
+# Condor-CE upgrades will not change this file.
+#
+##############################################################################
+
+# Example: the base condor install for this host has been relocated into
+# /opt/condor
+# export PATH=/opt/condor/bin:/opt/condor/sbin:$PATH
+
+# Example: Have GSI authorization use a different plugin for Condor than the
+# rest of the system.
+export GSI_AUTHZ_CONF=/etc/grid-security/gsi-authz.conf
+export GSI_PEP_CALLOUT_CONF=/etc/grid-security/gsi-pep-callout-condor.conf
+
+# Example: Have the HTCondor-CE use a different hostname from the rest of
+# the system.
+# export CONDORCE_HOSTNAME=condorce.example.com

files/job-routes.conf

@@ -0,0 +1,23 @@
+#####################################################
+# Example Job Route
+#
+# This is an extraordinarily simple job route.
+# All it does is route local condor and set a
+# simple Accounting Group and default RequestMemory.
+#####################################################
+
+# No custom functions for job router entries; these are causing crashes in 8.3.5.
+# Can remove the eval_set_environment attribute below starting in 8.3.8.
+JOB_ROUTER_ENTRIES = \
+   [ \
+    eval_set_environment = debug(strcat("HOME=/tmp CONDORCE_COLLECTOR_HOST=", CondorCECollectorHost, " ", \
+        ifThenElse(orig_environment is undefined, osg_environment, \
+          strcat(osg_environment, " ", orig_environment) \
+        ))); \
+     TargetUniverse = 5; \
+     name = "Local_Condor"; \
+     eval_set_AccountingGroup = strcat("group_u_", x509userproxyvoname, ".", Owner); \
+     delete_SUBMIT_Iwd = true; \
+     set_WantIOProxy = true; \
+     set_default_maxMemory = 3000; \
+   ]

handlers/main.yml

@@ -1,2 +1,5 @@
 ---
 # handlers file for hephyvienna.htcondor-ce
+- name: reconfigure condor_ce
+  command: /usr/bin/condor_ce_reconfig
+  when: not service_bdii.changed | default(true) or not service_condor-ce

molecule/default/files/dummy.crt

@@ -0,0 +1 @@
+dummy crt

molecule/default/files/dummy.key

@@ -0,0 +1 @@
+dummy key

molecule/default/molecule.yml

@@ -7,12 +7,24 @@ lint:
   name: yamllint
 platforms:
   - name: instance
-    image: centos:7
+    image: centos/systemd
+    capabilities:
+      - SYS_ADMIN
+    tmpfs:
+      - /tmp
+      - /run
+    volume_mounts:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
 provisioner:
   name: ansible
   lint:
     name: ansible-lint
 verifier:
   name: testinfra
+  options:
+    # FIXME
+    W: ignore::DeprecationWarning
+    junit-xml: ../../default_junit.xml
   lint:
     name: flake8

molecule/default/playbook.yml

@@ -1,5 +1,42 @@
 ---
 - name: Converge
   hosts: all
+  vars:
+    poolaccounts:
+      - name: 'cms%d.d3'
+        uid: 10000
+        number: 100
+        comment: 'Standard User of the CMS VO'
+        group: cms
+        gid: 10000
+      - name: 'cmsprd%d.d3'
+        uid: 11000
+        number: 10
+        comment: 'Production User of the CMS VO'
+        group: cmsprd
+        gid: 11000
+        groups: cms
+      - name: 'cmspil%d.d3'
+        uid: 12000
+        number: 10
+        comment: 'Pilot User of the CMS VO'
+        group: cmspil
+        gid: 10000
+        groups: cms
+      - name: 'cmssgm'
+        uid: 13000
+        comment: 'SW User of the CMS VO'
+        group: cmssgm
+        gid: 11000
+        groups: cms
+    grid_enable_repo: false
+    grid_site_name: Hephy-Vienna
+    grid_vos:
+      - cms
+    grid_host_certificate:
+      cert: files/dummy.crt
+      key: files/dummy.key
   roles:
+    - role: hephyvienna.poolaccounts
+    - role: hephyvienna.grid
     - role: hephyvienna.grid-htc-ce

molecule/default/requirements.yml

@@ -0,0 +1,6 @@
+---
+- src: geerlingguy.repo-epel
+- src: git+https://gitlab.cern.ch/hephyvienna/ansible/role-grid.git
+  name: hephyvienna.grid
+- src: git+https://gitlab.cern.ch/hephyvienna/ansible/role-poolaccounts.git
+  name: hephyvienna.poolaccounts

tasks/auth-argus.yml

@@ -0,0 +1,17 @@
+---
+- name: Install argus packages
+  package:
+    name:
+      - argus-pep-api-c
+      - argus-gsi-pep-callout
+    state: present
+
+- name: Configure gsi-authz
+  copy:
+    src: files/gsi-authz.conf
+    dest: /etc/grid-security/gsi-authz.conf
+
+- name: Configure gsi-pep-callout-condor
+  template:
+    src: gsi-pep-callout-condor.conf.j2
+    dest: /etc/grid-security/gsi-pep-callout-condor.conf

tasks/bdii.yml

@@ -0,0 +1,17 @@
+---
+- name: Install BDII
+  package:
+    name: htcondor-ce-bdii
+
+- name: Configure BDII
+  template:
+    sec: ce-bdii.conf.j2
+    dest: /etc/condor-ce/config.d/06-ce-bdii.conf
+  notify: reconfigure condor_ce
+
+- name: Start BDII
+  service:
+    name: bdii
+    state: started
+    enabled: true
+  register: service_bdii

tasks/htcondor-ce.yml

@@ -0,0 +1,65 @@
+---
+- name: Install pkgs
+  package:
+    name:
+      - htcondor-ce-client
+      - htcondor-ce-view
+      - htcondor-ce
+      - "htcondor-ce-{{ grid_htc_ce_batch_system }}"
+
+- name: Copy certificates
+  copy:
+    src: "/etc/grid-security/{{ item.src }}"
+    dest: "/etc/grid-security/{{ item.dest }}"
+    remote_src: true
+    owner: condor
+    group: condor
+  loop:
+    - src: hostcert.pem
+      dest: condorcert.pem
+    - src: hostkey.pem
+      dest: condorkey.pem
+
+- name: Configure site security
+  template:
+    src: ce-site-security.conf.j2
+    dest: /etc/condor-ce/config.d/59-site-security.conf
+  notify: reconfigure condor_ce
+
+- name: Configure main CE
+  template:
+    src: configured-attributes.conf.j2
+    dest: /etc/condor-ce/config.d/60-configured-attributes.conf
+  notify: reconfigure condor_ce
+
+- name: Configure job routes
+  copy:
+    src: job-routes.conf
+    dest: /etc/condor-ce/config.d/61-job-routes.conf
+  notify: reconfigure condor_ce
+
+- name: Configure condor mapfile
+  template:
+    src: condor_mapfile.j2
+    dest: /etc/condor-ce/condor_mapfile
+  notify: reconfigure condor_ce
+
+- name: Configure condor sysconfig
+  copy:
+    src: condor-ce.sysconfig
+    dest: /etc/sysconfig/condor-ce
+
+- name: Enable static shadow
+  include_tasks: static-shadow.yml
+  when: grid_htc_ce_enable_static_shadow
+
+- name: Enable argus authorisation
+  include_tasks: auth-argus.yml
+  when: grid_htc_argus | length > 0
+
+- name: Start HTCondor CE
+  service:
+    name: condor-ce
+    state: started
+    enabled: true
+  register: service_condor-ce

tasks/main.yml

@@ -4,16 +4,9 @@
   include_tasks: repos.yml
   when: grid_htc_ce_repo_install
 
-- name: Install pkgs
-  package:
-    name: "{{ grid_htc_ce_pkgs }}"
+- name: Install HTCondor CE
+  include_tasks: htcondor-ce.yml
 
-- name: Configure gsi-authz
-  copy:
-    src: files/gsi-authz.conf
-    dest: /etc/grid-security/gsi-authz.conf
-
-- name: Configure gsi-pep-callout-condor
-  template:
-    src: gsi-pep-callout-condor.conf.j2
-    dest: /etc/grid-security/gsi-pep-callout-condor.conf
+- name: Install BDII
+  include_tasks: bdii.yml
+  when: grid_htc_ce_enable_bdii

tasks/static-shadow.yml

@@ -0,0 +1,10 @@
+---
+- name: Install static shadow packages
+  package:
+    name: condor-static-shadow
+    state: present
+
+- name: Configure static shadows
+  copy:
+    content: "SHADOW = $(SBIN)/condor_shadow_s\n"
+    dest: etc/condor/config.d/41_ce_shadow.conf

templates/ce-bdii.conf.j2

@@ -0,0 +1,21 @@
+
+##############################################################################
+#
+# HTCondor-CE BDII/GLUE Publication configuration file.
+#
+##############################################################################
+
+# For multi-CE sites, only one CE publishes certain values.
+{% if grid_htc_ce_election_hosts | length > 1 %}
+HTCONDORCE_BDII_ELECTION = ZOOKEEPER
+HTCONDORCE_BDII_ZKHOSTS  = {{ grid_htc_ce_election_hosts | sort | join(',')  }}
+{% else %}
+HTCONDORCE_BDII_ELECTION = LEADER
+HTCONDORCE_BDII_LEADER   = {{ grid_htc_ce_election_hosts[0] }}
+{% end %}
+
+# BDII Static Info and VOs
+HTCONDORCE_VONames = {{ grid_vos | sort | join(', ') }}
+HTCONDORCE_SiteName = {{ grid_site_name }}
+HTCONDORCE_HEPSPEC_INFO = {{ grid_htc_ce_benchmark_result }}
+HTCONDORCE_CORES = {{ grid_htc_ce_execution_env_cores }} # cores per node

templates/ce-site-security.conf.j2

@@ -0,0 +1,16 @@
+{{ ansibleManaged | comment }}
+## Allow local condor daemons to be recognised as friendly
+UID_DOMAIN = {{ grid_htc_ce_uid_domain }}
+FRIENDLY_DAEMONS = $(FRIENDLY_DAEMONS), $(FULL_HOSTNAME)@$(UID_DOMAIN)/$(FULL_HOSTNAME), *@$(UID_DOMAIN), condor@$(UID_DOMAIN)/$(FULL_HOSTNAME), condor@child/$(FULL_HOSTNAME)
+## Recognise users from your site
+USERS = $(USERS), *@$(UID_DOMAIN)
+## Allow local daemons to write to the CE schedd
+ALLOW_DAEMON = $(ALLOW_DAEMON), $(FRIENDLY_DAEMONS)
+SCHEDD.ALLOW_WRITE = $(SCHEDD.ALLOW_WRITE), $(FULL_HOSTNAME)@$(UID_DOMAIN)/$(FULL_HOSTNAME), *@$(UID_DOMAIN)
+COLLECTOR.ALLOW_ADVERTISE_MASTER =  $(COLLECTOR.ALLOW_ADVERTISE_MASTER), $(FRIENDLY_DAEMONS), *@$(UID_DOMAIN)
+COLLECTOR.ALLOW_ADVERTISE_SCHEDD =  $(COLLECTOR.ALLOW_ADVERTISE_SCHEDD), $(FRIENDLY_DAEMONS), *@$(UID_DOMAIN)
+COLLECTOR.ALLOW_ADVERTISE_STARTD =  $(COLLECTOR.ALLOW_ADVERTISE_STARTD), $(FRIENDLY_DAEMONS), *@$(UID_DOMAIN)
+## Local daemons need to be able to negotiate
+SCHEDD.ALLOW_NEGOTIATOR = $(SCHEDD.ALLOW_NEGOTIATOR), $(FULL_HOSTNAME)@$(UID_DOMAIN)/$(FULL_HOSTNAME), *@$(UID_DOMAIN)
+## Allow administrator access to CE daemons
+ALLOW_ADMINISTRATOR = $(ALLOW_ADMINISTRATOR), $(FULL_HOSTNAME)@$(UID_DOMAIN)/$(FULL_HOSTNAME)

templates/condor_mapfile.j2

@@ -0,0 +1,9 @@
+GSI "^\/DC\=com\/DC\=DigiCert-Grid\/O=Open Science Grid\/OU\=Services\/CN\=(host\/)?([A-Za-z0-9.\-]*)$" \2@daemon.opensciencegrid.org
+GSI "^\/DC\=DigiCert-Grid\/DC\=com\/O=Open Science Grid\/OU\=Services\/CN\=(host\/)?([A-Za-z0-9.\-]*)$" \2@daemon.opensciencegrid.org
+GSI "^\/DC\=org\/DC\=opensciencegrid\/O=Open Science Grid\/OU\=Services\/CN\=(host\/)?([A-Za-z0-9.\-]*)$" \2@daemon.opensciencegrid.org
+GSI "^\/DC=ch\/DC=cern\/OU=computers\/CN=?([A-Za-z0-9.\-]*)$" \1@cern.ch
+GSI "{{ grid_htc_ce_gsi_regexp }}" \1@{{ grid_htc_ce_uid_domain }}
+GSI (.*) GSS_ASSIST_GRIDMAP
+GSI "(/CN=[-.A-Za-z0-9/= ]+)" \1@unmapped.opensciencegrid.org
+CLAIMTOBE .* anonymous@claimtobe
+FS (.*) \1

templates/configured-attributes.conf.j2

@@ -0,0 +1,18 @@
+# Condor View Hosts routes your collector information to global or site collectors
+CONDOR_VIEW_HOST = {{ grid_htc_ce_condor_view_hosts | join(', ') }}
+
+# Disable problematic shared library
+CLASSAD_USER_LIBS=
+
+# Set appropriate place to route.
+JOB_ROUTER_SCHEDD2_NAME = {{ ansible_fqdn }}
+JOB_ROUTER_SCHEDD2_POOL = {{ grid_htc_ce_pool_collector_str }}
+
+# No reason to hide jobs from view on CE
+CONDOR_Q_ONLY_MY_JOBS = False
+
+# Cache Argus lookups for 2 hours.
+GSS_ASSIST_GRIDMAP_CACHE_EXPIRATION=7200
+
+SCHEDD_COLLECT_STATS_BY_VO = x509userproxyvoname
+STATISTICS_TO_PUBLISH = SCHEDD:2

templates/gsi-pep-callout-condor.conf.j2

@@ -1,6 +1,6 @@
 pep_ssl_server_capath /etc/grid-security/certificates/
 pep_ssl_client_cert /etc/grid-security/condorcert.pem
 pep_ssl_client_key /etc/grid-security/condorkey.pem
-pep_url https:{{ grid_htc_ce_argus_server }}:8154/authz
+pep_url https://{{ grid_htc_ce_argus_server }}:{{ grid_htc_ce_argus_port }}/authz
 pep_timeout 30 # seconds
-xacml_resourceid http:{{ grid_htc_ce_argus_server }}/condor-ce
+xacml_resourceid {{ grid_htc_ce_argus_resourceid }}