Centralized authentication systems
To enable centralized authentication in the cluster, Omnia installs either:
- FreeIPA
- LDAP Client
Note
Nodes provisioned using the Omnia provision tool do not require a RedHat subscription to run security.yml on RHEL cluster nodes. For RHEL cluster nodes not provisioned by Omnia, ensure that a RedHat subscription is enabled on every cluster node.
Using FreeIPA
Enter the following parameters in input/security_config.yml.
Caution
Do not remove or comment any lines in the input/security_config.yml file.
Parameter | Details
---|---
| Boolean indicating whether FreeIPA is required or not.
| Sets the intended realm name.
| “admin” user password for the IPA server on RockyOS.
| Sets the intended domain name.
Note
The input/security_config.yml file is encrypted on the first run of security.yml and omnia.yml:
To view the encrypted parameters:
ansible-vault view security_config.yml --vault-password-file .security_vault.key
To edit the encrypted parameters:
ansible-vault edit security_config.yml --vault-password-file .security_vault.key
If a subsequent run of security.yml or omnia.yml fails, all configuration files that have been encrypted by the playbook will be unencrypted.
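Because a failed run can leave the secrets file in plaintext, a post-run check is worth having. The helper below is an added example, not part of Omnia: it tests for the ansible-vault header and re-encrypts with the key the playbook created. The key location (input/.security_vault.key, beside the config file) is an assumption drawn from the commands above.

```shell
#!/bin/sh
# Added example (not from the Omnia docs): detect whether a file is still
# ansible-vault encrypted and re-encrypt it if a failed run left it in plaintext.

# is_vault_encrypted <file>: returns 0 if the first line carries the vault header.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;'
}

# ensure_encrypted [file] [key]: re-encrypt the secrets file when it is plaintext.
# Assumption: the key file sits beside the config file, as in the commands above.
ensure_encrypted() {
    file="${1:-input/security_config.yml}"
    key="${2:-input/.security_vault.key}"
    if is_vault_encrypted "$file"; then
        echo "$file: encrypted" >&2
        return 0
    fi
    echo "$file: PLAINTEXT, re-encrypting" >&2
    ansible-vault encrypt "$file" --vault-password-file "$key"
}

# run_and_reencrypt <playbook> <inventory>: run the playbook, then always
# restore encryption, and preserve the playbook's own exit status.
run_and_reencrypt() {
    ansible-playbook "$1" -i "$2"; rc=$?
    ensure_encrypted input/security_config.yml input/.security_vault.key
    return $rc
}
```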
Omnia installs a FreeIPA server on the manager node and FreeIPA clients on the cluster and login nodes using one of the below commands:
ansible-playbook security.yml -i inventory
ansible-playbook omnia.yml -i inventory
Where inventory follows the format defined under inventory file in the provided Sample Files. The inventory file is case-sensitive. Follow the casing provided in the sample file link.
The omnia.yml playbook installs Slurm, BeeGFS Client and NFS Client in addition to FreeIPA.
Note
Omnia does not create any accounts (HPC users) on FreeIPA. To create a user, check out FreeIPA documentation.
Alternatively, use the below commands with admin credentials on the login/head node:
kinit admin
(When prompted, provide kerberos_admin_password as entered in security_config.yml.)
ipa user-add FirstName_LastName --first=FirstName --last=LastName --password --homedir=/home/omnia-share/FirstName_LastName --shell /bin/bash
After the new user account logs in for the first time, the user is prompted to change the account password.
Setting up Passwordless SSH for FreeIPA
Once user accounts are created, admins can enable passwordless SSH for users to run HPC jobs on the cluster nodes.
Note
Once user accounts are created on FreeIPA, use the accounts to log in to the cluster nodes to reset the password and create a corresponding home directory.
To customize your setup of passwordless SSH, input parameters in input/passwordless_ssh_config.yml.
Parameter | Details
---|---
| Indicates whether LDAP or FreeIPA is in use on the cluster.
Use the below command to enable passwordless SSH:
ansible-playbook user_passwordless_ssh.yml -i inventory
Where inventory follows the format defined under inventory file in the provided Sample Files. The inventory file is case-sensitive. Follow the casing provided in the sample file link.
Caution
Do not run ssh-keygen commands after passwordless SSH is set up on the nodes.
Using LDAP client
To add the cluster to an external LDAP server, Omnia enables the installation of the LDAP client on the manager, compute and login nodes.
To customize your LDAP client installation, input parameters in input/security_config.yml.
Parameter | Details
---|---
| Boolean indicating whether LDAP is required or not.
| Sets the intended domain name.
| LDAP server IP. Required if
Note
Omnia does not create any accounts (HPC users) on LDAP. To create a user, check out LDAP documentation.
Setting up Passwordless SSH for LDAP
Once user accounts are created, admins can enable passwordless SSH for users to run HPC jobs on the cluster nodes.
Note
Ensure that the control plane can reach the designated LDAP server.
- If enable_omnia_nfs is true in input/omnia_config.yml, follow the below steps to configure an NFS share on your LDAP server:
  - From the manager node:
    1. Add the LDAP server IP address to /etc/exports.
    2. Run exportfs -ra to enable the NFS configuration.
  - From the LDAP server:
    1. Add the required fstab entries in /etc/fstab. (The corresponding entry will be available on the cluster nodes in /etc/fstab.)
    2. Mount the NFS share using mount manager_ip:/home/omnia-share /home/omnia-share.
- If enable_omnia_nfs is false in input/omnia_config.yml, ensure the user-configured NFS share is mounted on the LDAP server.
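The two file edits above are easy to duplicate or widen by hand; the helpers below, an added example and not Omnia's own code, append each entry only once and export the share to the LDAP server's IP alone rather than a wildcard. The export options (rw,sync,no_root_squash) and the fstab mount options are assumptions, not Omnia defaults; file paths are parameters so the helpers can be tried on copies first.

```shell
#!/bin/sh
# Added example (not from the Omnia docs): idempotent helpers for the NFS share
# steps between the manager node and the LDAP server.

SHARE=/home/omnia-share

# append_once <line> <file>: add the line unless an identical line is present.
append_once() {
    grep -qxF -- "$1" "$2" 2>/dev/null || printf '%s\n' "$1" >> "$2"
}

# Manager node. add_export <ldap_server_ip> [exports_file]
# Exports SHARE to exactly one host, so nothing else on the network can mount it.
# The option set is an assumption; adjust to site policy.
add_export() {
    ip="$1"; f="${2:-/etc/exports}"
    append_once "$SHARE ${ip}(rw,sync,no_root_squash)" "$f"
}

# LDAP server. add_fstab_entry <manager_ip> [fstab_file]
# Records the manager's share so it is mounted at boot; mount it now with:
#   mount manager_ip:/home/omnia-share /home/omnia-share
add_fstab_entry() {
    ip="$1"; f="${2:-/etc/fstab}"
    append_once "${ip}:$SHARE $SHARE nfs defaults 0 0" "$f"
}

# count_lines <fixed_string> <file>: number of matching lines (proves idempotency).
count_lines() { grep -cF -- "$1" "$2"; }
```

After add_export on the manager node, run exportfs -ra as the page describes so the new entry takes effect.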
To customize your setup of passwordless SSH, input parameters in input/passwordless_ssh_config.yml.
Parameter | Details
---|---
| Indicates whether LDAP or FreeIPA is in use on the cluster.
| Default value:
Use the below command to enable passwordless SSH:
ansible-playbook user_passwordless_ssh.yml -i inventory
Where inventory follows the format defined under inventory file, for example:
[manager]
10.5.0.101
[compute]
10.5.0.102
10.5.0.103
[ldap_server]
10.5.0.105
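Since the playbooks match group names case-sensitively, a pre-flight check catches a mistyped header before a run fails partway. This is an added example, not Omnia's code; the list of required groups (manager, compute, and ldap_server when LDAP is used) is taken from the sample above and passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the Omnia docs): verify that an inventory file has the
# expected group headers with the exact casing the playbooks require.

# has_group <inventory> <name>: exact, case-sensitive match of "[name]" on its own line.
has_group() { grep -qxF "[$2]" "$1"; }

# check_inventory <inventory> <group>...: returns 0 only if every group is present
# with the right casing. A header that differs only in case (e.g. [Manager]) is
# reported separately, since that is the mistake the case-sensitivity warning is about.
check_inventory() {
    inv="$1"; shift
    rc=0
    for g in "$@"; do
        if has_group "$inv" "$g"; then
            continue
        elif grep -qixF "[$g]" "$inv"; then
            echo "$inv: group [$g] present but with wrong casing" >&2; rc=1
        else
            echo "$inv: group [$g] missing" >&2; rc=1
        fi
    done
    return $rc
}

# Typical use before running the playbook (inventory path assumed):
#   check_inventory inventory manager compute ldap_server && \
#       ansible-playbook user_passwordless_ssh.yml -i inventory
```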
Caution
Do not run ssh-keygen commands after passwordless SSH is set up on the nodes.
If you have any feedback about Omnia documentation, please reach out at omnia.readme@dell.com.