Pub/local repo arch

common/library/module_utils/local_repo/process_parallel.py

@@ -276,6 +276,10 @@ def execute_parallel(
     arc,
     standard_logger,
     local_repo_config_path,
+    user_reg_cred_input,
+    user_reg_key_path,
+    omnia_credentials_yaml_path,
+    omnia_credentials_vault_path,
     timeout
 ):
     """
@@ -307,10 +311,10 @@ def execute_parallel(
     config = load_yaml_file(local_repo_config_path)
     user_registries = config.get("user_registry", [])
     if user_registries:
-        if is_encrypted(USER_REG_CRED_INPUT):
-            process_file(USER_REG_CRED_INPUT, USER_REG_KEY_PATH, 'decrypt')
+        if is_encrypted(user_reg_cred_input):
+            process_file(user_reg_cred_input, user_reg_key_path, 'decrypt')
 
-        file2_data = load_yaml_file(USER_REG_CRED_INPUT)
+        file2_data = load_yaml_file(user_reg_cred_input)
         cred_lookup = {
             entry['name']: entry
             for entry in file2_data.get('user_registry_credential', [])
@@ -325,8 +329,8 @@ def execute_parallel(
 
 
     try:
-        docker_username, docker_password = load_docker_credentials(OMNIA_CREDENTIALS_YAML_PATH,
-                                                                  OMNIA_CREDENTIALS_VAULT_PATH)
+        docker_username, docker_password = load_docker_credentials(omnia_credentials_yaml_path,
+                                                                  omnia_credentials_vault_path)
     except RuntimeError as e:
         raise
     # Create a pool of worker processes to handle the tasks

common/library/modules/cert_vault_handler.py

@@ -81,8 +81,8 @@ def main():
 
     log.info(f"Start execution time cert_vault_handler: {start_time}")
 
-
-    local_repo_config = load_yaml_file(LOCAL_REPO_CONFIG_PATH_DEFAULT)
+    local_repo_path = os.path.join(vault_key_path, "local_repo_config.yml")
+    local_repo_config = load_yaml_file(local_repo_path)
     user_repos = local_repo_config.get(USER_REPO_URL, [])
     if not user_repos:
         log.info("No user repo found, proceeding without encryption")

common/library/modules/check_user_registry.py

@@ -16,7 +16,12 @@
 #!/usr/bin/python
 
 from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.local_repo.common_functions import load_yaml_file, get_repo_list, is_encrypted, process_file
+from ansible.module_utils.local_repo.common_functions import (
+    load_yaml_file,
+    get_repo_list,
+    is_encrypted,
+    process_file
+)
 from ansible.module_utils.local_repo.registry_utils import (
     validate_user_registry,
     check_reachability,
@@ -40,12 +45,16 @@ def main():
         argument_spec=dict(
             timeout=dict(type='int', default=5),
             config_file=dict(type='str', required=True),
+            user_reg_cred_input=dict(type='str', required=False, default=USER_REG_CRED_INPUT),
+            user_reg_key_path=dict(type='str', required=False, default=USER_REG_KEY_PATH)
         ),
         supports_check_mode=True
     )
 
     config_path = module.params['config_file']
     timeout = module.params['timeout']
+    user_reg_cred_input = module.params["user_reg_cred_input"]
+    user_reg_key_path = module.params["user_reg_key_path"]
 
     try:
         config_data = load_yaml_file(config_path)
@@ -56,10 +65,10 @@ def main():
 
     if user_registry:
         # Load credentials
-        if is_encrypted(USER_REG_CRED_INPUT):
-            process_file(USER_REG_CRED_INPUT, USER_REG_KEY_PATH, 'decrypt')
+        if is_encrypted(user_reg_cred_input):
+            process_file(user_reg_cred_input, user_reg_key_path, 'decrypt')
 
-        file2_data = load_yaml_file(USER_REG_CRED_INPUT)
+        file2_data = load_yaml_file(user_reg_cred_input)
         cred_lookup = {
             entry['name']: entry
             for entry in file2_data.get('user_registry_credential', [])

common/library/modules/parallel_tasks.py

@@ -54,7 +54,9 @@
     STATUS_CSV_HEADER,
     LOCAL_REPO_CONFIG_PATH_DEFAULT,
     USER_REG_CRED_INPUT,
-    USER_REG_KEY_PATH
+    USER_REG_KEY_PATH,
+    OMNIA_CREDENTIALS_YAML_PATH,
+    OMNIA_CREDENTIALS_VAULT_PATH
 )
 
 def update_status_csv(csv_dir, software, overall_status):
@@ -259,6 +261,10 @@ def main():
         "overall_status_dict": {"type": "dict", "required": False, "default": {}},
         "local_repo_config_path": {"type": "str", "required": False, "default": LOCAL_REPO_CONFIG_PATH_DEFAULT},
         "arch": {"type": "str", "required": False}
+        "user_reg_cred_input": {"type": "str", "required": False, "default": USER_REG_CRED_INPUT},
+        "user_reg_key_path": {"type": "str", "required": False, "default": USER_REG_KEY_PATH},
+        "omnia_credentials_yaml_path": {"type": "str", "required": False, "default": OMNIA_CREDENTIALS_YAML_PATH},
+        "omnia_credentials_vault_path": {"type": "str", "required": False, "default": OMNIA_CREDENTIALS_VAULT_PATH}
     }
     module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
     tasks = module.params["tasks"]
@@ -275,6 +281,11 @@ def main():
     overall_status_dict = module.params['overall_status_dict']
     local_repo_config_path = module.params["local_repo_config_path"]
     arc= module.params["arch"]
+    user_reg_cred_input = module.params["user_reg_cred_input"]
+    user_reg_key_path = module.params["user_reg_key_path"]
+    omnia_credentials_yaml_path = module.params["omnia_credentials_yaml_path"]
+    omnia_credentials_vault_path = module.params["omnia_credentials_vault_path"]
+
     # Initialize standard logger.
     slogger = setup_standard_logger(slog_file)
     result = {"changed": False, "task_results": []}
@@ -304,18 +315,19 @@ def main():
         slogger.info(f"Cluster OS: {cluster_os_type}")
         slogger.info(f"Version Variables: {version_variables}")
         gen_result = {}
-        if not os.path.isfile(USER_REG_KEY_PATH):
-            gen_result = generate_vault_key(USER_REG_KEY_PATH)
+        if not os.path.isfile(user_reg_key_path):
+            gen_result = generate_vault_key(user_reg_key_path)
         if gen_result is None:
-            module.fail_json(msg=f"Unable to generate local_repo key at path: {USER_REG_KEY_PATH}")
+            module.fail_json(msg=f"Unable to generate local_repo key at path: {user_reg_key_path}")
 
         overall_status, task_results = execute_parallel(
             tasks, determine_function, nthreads, repo_store_path, csv_file_path,
-            log_dir, user_data, version_variables, arc, slogger, local_repo_config_path, timeout
+            log_dir, user_data, version_variables, slogger, local_repo_config_path, user_reg_cred_input, user_reg_key_path,
+            omnia_credentials_yaml_path, omnia_credentials_vault_path, timeout
         )
 
-        if not is_encrypted(USER_REG_CRED_INPUT):
-            process_file(USER_REG_CRED_INPUT,USER_REG_KEY_PATH,'encrypt')
+        if not is_encrypted(user_reg_cred_input):
+            process_file(user_reg_cred_input,user_reg_key_path,'encrypt')
 
         end_time = datetime.now()
         formatted_end_time = end_time.strftime("%I:%M:%S %p")

local_repo/roles/parse_and_download/tasks/execute_parallel_tasks.yml

@@ -27,13 +27,17 @@
         user_json_file: "{{ user_json_file }}"
         local_repo_config_path: "{{ local_repo_config_path }}"
         arch: "{{ item.arch }}"
+        user_reg_cred_input: "{{ user_reg_cred_input }}"
+        user_reg_key_path: "{{ user_reg_key_path }}"
+        omnia_credentials_yaml_path: "{{ omnia_credentials_yaml_path }}"
+        omnia_credentials_vault_path: "{{ omnia_credentials_vault_path }}"
         nthreads: "{{ (local_repo_py_module_vars[item.key].nthreads | default(local_repo_py_module_vars.default_vars.nthreads)) }}"
         timeout: "{{ (local_repo_py_module_vars[item.key].timeout | default(local_repo_py_module_vars.default_vars.timeout)) }}"
       register: task_results
 
     - name: Set fact for overall status
       ansible.builtin.set_fact:
         overall_status_dict: "{{ overall_status_dict | default({}) | combine({ item.key: {'overall_status': task_results.overall_status, 'arch': task_results.arch }}) }}" # noqa: yaml[line-length]
   rescue:
     - name: Log the failure
       ansible.builtin.debug:

local_repo/roles/parse_and_download/vars/main.yml

@@ -23,6 +23,10 @@ local_repo_config_path: "{{ project_input_path }}/local_repo_config.yml"
 sw_config_json_path: "{{ project_input_path }}/software_config.json"
 roles_config_path: "{{ project_input_path }}/roles_config.yml"
 user_json_file: "{{ project_input_path }}/software_config.json"
+user_reg_cred_input: "{{ project_input_path }}/user_registry_credential.yml"
+user_reg_key_path: "{{ project_input_path }}/.local_repo_credentials_key"
+omnia_credentials_yaml_path: "{{ project_input_path }}/omnia_config_credentials.yml"
+omnia_credentials_vault_path: "{{ project_input_path }}/.omnia_config_credentials_key"
 clean_rpms: true
 rpm_dir_path: "{{ repo_store_path }}/offline_repo/cluster/{{ item }}/rhel/9.6/rpm"
 local_repo_py_module_vars:

local_repo/roles/validation/tasks/main.yml

@@ -59,6 +59,8 @@
 - name: Check user registry reachability
   check_user_registry:
     config_file: "{{ local_repo_config_file }}"
+    user_reg_cred_input: "{{ user_reg_cred_input }}"
+    user_reg_key_path: "{{ user_reg_key_path }}"
     timeout: "{{ time_out }}"
   register: registry_check_result
 

local_repo/roles/validation/vars/main.yml

@@ -56,6 +56,8 @@ kubeadm_package_name: "kubeadm-v1.31.4"
 # Usage: main.yml
 nfs_shared_path: "/opt/omnia"
 local_repo_config_file: "{{ project_input_path }}/local_repo_config.yml"
+user_reg_cred_input: "{{ project_input_path }}/user_registry_credential.yml"
+user_reg_key_path: "{{ project_input_path }}/.local_repo_credentials_key"
 var_mount_percentage_limit: 80
 var_mount_overuse_msg: |
   [WARNING] local_repo.yml may fail as /var mount usage has exceeded the limit of {{ var_mount_percentage_limit }}%.

scheduler/roles/slurm/tasks/main.yml

@@ -59,3 +59,7 @@
 - name: Fresh cluster install
   ansible.builtin.include_tasks: new_install.yml
   when: not slurmctld_status
+
+- name: Slurm pam
+  ansible.builtin.include_tasks: slurm_pam.yml
+  when: enable_slurm_pam | bool

scheduler/roles/slurm_pam/tasks/slurm_pam_compute.yml → scheduler/roles/slurm/tasks/slurm_pam.yml

@@ -1,4 +1,4 @@
-# Copyright 2023 Dell Inc. or its subsidiaries. All Rights Reserved.
+# Copyright 2025 Dell Inc. or its subsidiaries. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -11,33 +11,32 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
----
 
+# Install slurm_pam
+- name: Install compute packages
+  ansible.builtin.package:
+    name: "{{ slurm_pam_packages[ansible_os_family] }}"
+    state: present
+  when:
+    - '"login" in group_names or "slurm_node" in group_names'
+
+# Compute node
 - name: Modify sshd file for slurm pam configuration
   ansible.builtin.lineinfile:
     path: "{{ pam_sshd_path }}"
     insertafter: "{{ pam_sshd_regexp }}"
     line: "{{ pam_sshd_config_compute }}"
+  when: '"slurm_node" in group_names'
 
-- name: Remove pam_systemd.so line in common-session
-  ansible.builtin.lineinfile:
-    path: "{{ common_session_file_path }}"
-    regexp: "{{ pam_systemd_regexp }}"
-    state: absent
-  when:
-    - ansible_distribution | lower == "ubuntu"
-    - ansible_distribution_version == "24.04"
-
-- name: Remove pam_systemd.so line in password-auth
-  ansible.builtin.lineinfile:
-    path: "{{ password_auth_file_path }}"
-    regexp: "{{ pam_systemd_regexp }}"
-    state: absent
 
-- name: Start slurmd on compute nodes
-  ansible.builtin.systemd:
-    name: slurmd.service
-    state: restarted
-    enabled: true
-  register: slurmd_status
-  when: '"slurm_node" in group_names'
+# Slurm_pam needs slurm.conf in the default path /etc/slurm
+# Creating symlink for nfs_share mode
+- name: Create a symbolic link for slurm conf (login node)
+  ansible.builtin.file:
+    src: "{{ slurm_share_prefix }}{{ slurm_config_dir }}/slurm.conf"
+    dest: "/{{ slurm_config_dir }}/slurm.conf"
+    state: link
+    force: true
+  when:
+    - slurm_installation_type == "nfs_share"
+    - '"login" in group_names or "slurm_node" in group_names'

scheduler/roles/slurm/vars/main.yml

@@ -104,3 +104,12 @@ utils_packages_file: "{{ input_project_dir }}/config/{{ software_config.cluster_
 path_edit_msg: "Editing the bashrc failed, please manually source the /etc/environment for slurm"
 slurm_support_msg: "Slurm is not added in software_config, hence skipping slurm deployment"
 share_unavailable_msg: "Slurm install type is nfs_share, but share_path not available, hence skipping slurm deployment"
+
+# Usage: slurm-pam
+enable_slurm_pam: true
+pam_sshd_path: /etc/pam.d/sshd
+pam_sshd_regexp: "^account    required"
+pam_sshd_config_compute: "account    required     pam_slurm_adopt.so action_no_jobs=deny"
+slurm_pam_packages:
+  RedHat:
+    - slurm-pam_slurm