Merge branch 'main' into upgrade/ansible-core-2.16

Author: bertiethorpe

.github/workflows/trivyscan.yml

@@ -102,7 +102,7 @@ jobs:
         run: sudo guestmount -a /mnt/images/${{ steps.manifest.outputs.image-name }}.qcow2 -i --ro -o allow_other './${{ steps.manifest.outputs.image-name }}'
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@v0.33.1
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: fs
           scan-ref: "${{ steps.manifest.outputs.image-name }}"
@@ -122,7 +122,7 @@ jobs:
           category: "${{ matrix.build }}"
 
       - name: Fail if scan has CRITICAL vulnerabilities
-        uses: aquasecurity/trivy-action@v0.33.1
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           scan-type: fs
           scan-ref: "${{ steps.manifest.outputs.image-name }}"

.github/workflows/workflow-cleanup.yml

@@ -0,0 +1,38 @@
+name: Workflow Cleanup
+on:
+  workflow_dispatch:
+      # checkov:skip=CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
+      inputs:
+        ci_cloud:
+          description: 'Select the CI_CLOUD'
+          required: true
+          type: choice
+          options:
+            - LEAFCLOUD
+            - SMS
+            - ARCUS
+        cluster_name:
+          description: 'Cluster to delete'
+          type: string
+          required: true
+
+
+permissions:
+  contents: read
+  packages: write
+  # To report GitHub Actions status checks
+  statuses: write
+
+jobs:
+  dummy:
+    name: dummy-job1
+    runs-on: ubuntu-22.04
+    env:
+      CI_CLOUD: ${{ github.event.inputs.ci_cloud }}
+      CLUSTER_NAME: ${{ github.event.inputs.cluster_name }}
+
+    steps:
+      - name: print input vars
+        run: |
+          echo CI_CLOUD: ${{ env.CI_CLOUD }}
+          echo CLUSTER_NAME: ${{ env.CLUSTER_NAME }}

ansible/roles/compute_init/files/compute-init.yml

@@ -277,22 +277,13 @@
         name: basic_users
       when: enable_basic_users
 
-    - name: EESSI
-      when: enable_eessi
       # NB: don't need conditional block on enable_compute as have already exited
       # if not the case
-      block:
-        - name: Copy cvmfs config
-          ansible.builtin.copy:
-            src: /var/tmp/cluster/cvmfs/default.local
-            dest: /etc/cvmfs/default.local
-            owner: root
-            group: root
-            mode: "0644"
-
-        - name: Ensure CVMFS config is setup # noqa: no-changed-when
-          ansible.builtin.command:
-            cmd: "cvmfs_config setup"
+    - name: Configure EESSI
+      ansible.builtin.include_role:
+        name: eessi
+        tasks_from: configure.yml
+      when: enable_eessi
 
     - name: Configure VGPUs
       ansible.builtin.include_role:

ansible/roles/compute_init/tasks/export.yml

@@ -62,17 +62,6 @@
   run_once: true
   delegate_to: "{{ groups['control'] | first }}"
 
-- name: Copy EESSI CVMFS config to /exports/cluster
-  ansible.builtin.copy:
-    src: /etc/cvmfs/default.local
-    dest: /exports/cluster/cvmfs/default.local
-    owner: slurm
-    group: root
-    mode: "0644"
-    remote_src: true
-  run_once: true
-  delegate_to: "{{ groups['control'] | first }}"
-
 - name: Export cacerts
   ansible.builtin.include_role:
     name: cacerts

ansible/roles/compute_init/tasks/install.yml

@@ -54,6 +54,8 @@
       dest: roles/
     - src: ../../nhc
       dest: roles/
+    - src: ../../eessi
+      dest: roles/
 
 - name: Add filter_plugins to ansible.cfg
   ansible.builtin.lineinfile:

ansible/roles/cuda/defaults/main.yml

@@ -2,9 +2,9 @@
 # yamllint disable-line rule:line-length
 cuda_repo_url: "https://developer.download.nvidia.com/compute/cuda/repos/rhel{{ ansible_distribution_major_version }}/{{ ansible_architecture }}/cuda-rhel{{ ansible_distribution_major_version }}.repo"
 cuda_nvidia_driver_stream: '580-open'
-cuda_nvidia_driver_version: '580.82.07-1'
+cuda_nvidia_driver_version: '580.105.08-1'
 cuda_nvidia_driver_pkg: "nvidia-open-3:{{ cuda_nvidia_driver_version }}.el{{ ansible_distribution_major_version }}"
-cuda_package_version: '13.0.1-1'
+cuda_package_version: '13.0.2-1'
 cuda_version_short: "{{ (cuda_package_version | split('.'))[0:2] | join('.') }}" # major.minor
 cuda_packages_default:
   - "cuda-toolkit-{{ cuda_package_version }}"

ansible/roles/eessi/tasks/configure.yml

@@ -15,3 +15,20 @@
 - name: Ensure CVMFS config is setup # noqa: no-changed-when
   ansible.builtin.command:
     cmd: "cvmfs_config setup"
+
+# configure gpus
+- name: Check for NVIDIA GPU
+  ansible.builtin.stat:
+    path: /dev/nvidia0
+  register: nvidia_driver
+
+- name: Set fact if NVIDIA GPU is present
+  ansible.builtin.set_fact:
+    has_nvidia_driver: "{{ nvidia_driver.stat.exists | default(false) }}"
+
+- name: Expose GPU drivers
+  ansible.builtin.shell: |
+    source /cvmfs/software.eessi.io/versions/2023.06/init/bash
+    /cvmfs/software.eessi.io/versions/2023.06/scripts/gpu_support/nvidia/link_nvidia_host_libraries.sh
+  when: has_nvidia_driver
+  changed_when: true

ansible/roles/openondemand/README.md

@@ -69,10 +69,10 @@ This role enables SSL on the Open Ondemand server, using the following self-sign
   - `new_window`: Optional. Whether to open link in new window. Bool, default `false`.
   - `app_name`: Optional. Unique name for app appended to `/var/www/ood/apps/sys/`. Default is `name`, useful if that is not unique or not suitable as a path component.
 - `openondemand_dashboard_support_url`: Optional. URL or email etc to show as support contact under Help in dashboard. Default `(undefined)`.
-- `openondemand_desktop_partition`: Optional. Name of Slurm partition to use for remote desktops. Requires a corresponding group named "openondemand_desktop" and entry in openhpc_partitions.
+- `openondemand_desktop_partition`: Optional. Name of Slurm partition to use for remote desktops, by default supplied with `openhpc_partitions` entry. During open ondemand config the string is used to provide a default partition in the UX. During image build, with `openondemand` group, setting this partition as a boolean determines if app installed in image.
 - `openondemand_desktop_screensaver`: Optional. Whether to enable screen locking/screensaver. **NB:** Users must have passwords if this is enabled. Bool, default `false`.
 - `openondemand_filesapp_paths`: List of paths (in addition to $HOME, which is always added) to include shortcuts to within the Files dashboard app.
-- `openondemand_jupyter_partition`: Required. Name of Slurm partition to use for Jupyter Notebook servers. Requires a corresponding group named "openondemand_jupyter" and entry in openhpc_partitions.
+- `openondemand_jupyter_partition`: Required. Name of Slurm partition to use for Jupyter Notebook servers, by default supplied with `openhpc_partitions` entry. During open ondemand config the string is used to provide a default partition in the UX. During image build, with `openondemand` group, setting this partition as a boolean determines if app installed in image.
 - `openondemand_gres_options`: Optional. A list of `[label, value]` items used
   to provide a drop-down for resource/GRES selection in application forms. The
   default constructs a list from all GRES definitions in the cluster. See the

docs/experimental/slurm-controlled-rebuild.md

@@ -117,7 +117,7 @@ compute = {
 
    - `name`: Partition name matching `rebuild` role variable `rebuild_partitions`,
      default `rebuild`.
-   - `groups`: A list of nodegroup names, matching `openhpc_nodegroup` and
+   - `nodegroups`: A list of nodegroup names, matching `openhpc_nodegroup` and
      keys in the OpenTofu `compute` variable (see example in step 2 above).
      Normally every compute node group should be listed here, unless
      Slurm-controlled rebuild is not required for certain node groups.

docs/openondemand.md

@@ -63,6 +63,14 @@ The appliance automatically configures Open OnDemand to proxy Grafana and adds a
 
 [^1]: Note that if `openondemand_auth` is `basic_pam` and anonymous Grafana login is enabled, the appliance will (by default) configure Open OnDemand's Apache server to remove the Authorisation header from proxying of all `node/` addresses. This is done as otherwise Grafana tries to use this header to authenticate, which fails with the default configuration where only the admin Grafana user `grafana` is created. Note that the removal of this header in this configuration means it cannot be used to authenticate proxied interactive applications - however the appliance-deployed remote desktop and Jupyter Notebook server applications use other authentication methods. An alternative if using `basic_pam` is not to enable anonymous Grafana login and to create Grafana users matching the local users (e.g. in `environments/<env>/hooks/post.yml`).
 
+## Image Build
+
+By default, most ondemand apps are installed in image builds when the build includes the inventory group `openondemand` (which is the default for "fatimage" builds). The apps installed are
+defined by the `openondemand_<app>_partition` variables in `environments/common/inventory/group_vars/all/builder/defaults.yml`. Note that in this case the values are not strings and are instead
+simply truthy, i.e. they do not describe cluster partition groups but just whether those apps will be installed in the image or not.
+
+For e.g. site-specific image builds where different app installs are required, due to precedence rules these must overriden in a `builder`-groupvars file e.g. `environments/site/inventory/group_vars/all/builder/defaults.yml`.
+
 ## Access
 
 By default the appliance authenticates against OOD with basic auth through PAM. When creating a new environment, a new user with username `demo_user` will be created.