From 48cac1c35d55bc00c0b0e230bdbb8193e0e0d667 Mon Sep 17 00:00:00 2001
From: Will
Date: Fri, 11 Aug 2023 11:05:51 +0100
Subject: [PATCH 01/17] Trying build with OOD 3
---
 image/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index 855a1cc..6a2c9a2 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -16,7 +16,7 @@ RUN set -ex \
 && yum -y install dnf-plugins-core \
 && yum config-manager --set-enabled powertools \
 && yum -y module enable ruby:2.7 nodejs:14 \
- && yum -y install https://yum.osc.edu/ondemand/2.0/ondemand-release-web-2.0-1.noarch.rpm \
+ && yum -y install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm \
 && yum -y module install ruby nodejs \
 && yum -y install \
 wget \
From 8d9d1b3e6b59db6585544ccb6f72d6a63f91dfdd Mon Sep 17 00:00:00 2001
From: Will
Date: Fri, 11 Aug 2023 11:10:54 +0100
Subject: [PATCH 02/17] Trying updated ruby module
---
 image/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index 6a2c9a2..fe9083f 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -15,7 +15,7 @@ RUN set -ex \
 && yum -y install dnf-plugins-core epel-release \
 && yum -y install dnf-plugins-core \
 && yum config-manager --set-enabled powertools \
- && yum -y module enable ruby:2.7 nodejs:14 \
+ && yum module enable ruby:3.0 nodejs:14 \
 && yum -y install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm \
 && yum -y module install ruby nodejs \
 && yum -y install \
From 69ef1478e9d0e9162b0a3c39dfaafdd14fc075c7 Mon Sep 17 00:00:00 2001
From: Will
Date: Fri, 11 Aug 2023 11:20:38 +0100
Subject: [PATCH 03/17] Added -y option
---
 image/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index fe9083f..eda87a1 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -15,7 +15,7 @@ RUN set -ex \
 && yum -y install dnf-plugins-core epel-release \
 && yum -y install dnf-plugins-core \
 && yum config-manager --set-enabled powertools \
- && yum module enable ruby:3.0 nodejs:14 \
+ && yum -y module enable ruby:3.0 nodejs:14 \
 && yum -y install https://yum.osc.edu/ondemand/3.0/ondemand-release-web-3.0-1.noarch.rpm \
 && yum -y module install ruby nodejs \
 && yum -y install \
From 35f18c5098fc08a60cdb132193b1093af50d8e78 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 12:19:44 +0100
Subject: [PATCH 04/17] Trying with htpasswd
---
 image/docker-entrypoint.sh | 3 ++-
 slurm-cluster-chart/files/ood_portal.yaml | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 14b511c..89b3f17 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -95,6 +95,7 @@ then
 echo "ssh keys already found"
 else
 ssh-keygen -t rsa -f /home/rocky/.ssh/id_rsa -N ""
+ chown rocky:rocky /home/rocky/.ssh/id_rsa /home/rocky/.ssh/id_rsa.pub
 fi
 echo "---> Setting permissions for user home directories"
@@ -132,7 +133,7 @@ then
 /opt/ood/ood-portal-generator/sbin/update_ood_portal
 mkdir --parents /opt/rh/httpd24/root/etc/httpd/
- /usr/bin/htdbm -cb /opt/rh/httpd24/root/etc/httpd/.htpasswd.dbm rocky $ROCKY_OOD_PASS
+ /usr/bin/htpasswd -cb /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky $ROCKY_OOD_PASS
 /usr/sbin/httpd -k start -X -e debug
 elif [ "$1" = "check-queue-hook" ]
diff --git a/slurm-cluster-chart/files/ood_portal.yaml b/slurm-cluster-chart/files/ood_portal.yaml
index d5227b2..f08ab78 100644
--- a/slurm-cluster-chart/files/ood_portal.yaml
+++ b/slurm-cluster-chart/files/ood_portal.yaml
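Review bot: `/usr/bin/htpasswd -cb ... rocky $ROCKY_OOD_PASS` in the `@@ -132,7 +133,7 @@` hunk of docker-entrypoint.sh passes the password as a command-line argument, so it is visible in the process list of every process in the container while the command runs, and the unquoted `$ROCKY_OOD_PASS` is word-split and glob-expanded before `htpasswd` sees it. Reading it from stdin avoids both: `printf '%s\n' "$ROCKY_OOD_PASS" | /usr/bin/htpasswd -ci /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky`. The identical line is carried over unchanged when patch 05 moves it ahead of `update_ood_portal`. The `if`/`elif` chain this sits in starts outside the hunk.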
@@ -243,8 +243,8 @@ ssl:
 host_regex: 'head'
 auth:
 - 'AuthType Basic'
- - 'AuthName "private"'
- - 'AuthBasicProvider dbm'
- - 'AuthDBMUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd.dbm"'
+ - 'AuthName "Restricted Files"'
+ - 'AuthBasicProvider file'
+ - 'AuthDBMUserFile "/opt/rh/httpd24/root/etc/httpd/apache-passwords"'
 - 'RequestHeader unset Authorization'
 - 'Require valid-user'
\ No newline at end of file
From be0ec37e26af1136740f9150e40cedad2e774783 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 14:48:28 +0100
Subject: [PATCH 05/17] Trying creating password file before portal generation and using OOD 3 example portal file
---
 image/docker-entrypoint.sh | 6 +-
 slurm-cluster-chart/files/ood_portal.yaml | 261 +++++++++++++++++++---
 2 files changed, 239 insertions(+), 28 deletions(-)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 89b3f17..d2a5654 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -130,10 +130,12 @@ then
 env > /etc/ood/config/apps/shell/env
 /usr/libexec/httpd-ssl-gencerts
- /opt/ood/ood-portal-generator/sbin/update_ood_portal
- mkdir --parents /opt/rh/httpd24/root/etc/httpd/
+ mkdir --parents /opt/rh/httpd24/root/etc/httpd/
 /usr/bin/htpasswd -cb /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky $ROCKY_OOD_PASS
+
+ /opt/ood/ood-portal-generator/sbin/update_ood_portal
+
 /usr/sbin/httpd -k start -X -e debug
 elif [ "$1" = "check-queue-hook" ]
diff --git a/slurm-cluster-chart/files/ood_portal.yaml b/slurm-cluster-chart/files/ood_portal.yaml
index f08ab78..0eec2ed 100644
--- a/slurm-cluster-chart/files/ood_portal.yaml
+++ b/slurm-cluster-chart/files/ood_portal.yaml
@@ -8,19 +8,30 @@
 # Example:
 # listen_addr_port: 443
 # Default: null (don't add any more listen directives)
-#listen_addr_port: 80
+#listen_addr_port: null
 # The server name used for name-based Virtual Host
 # Example:
 # servername: 'www.example.com'
 # Default: null (don't use name-based Virtual Host)
-#servername: 128.232.226.84
-#serverAlias: 128.232.226.84
+#servername: null
+
+# The server aliases used for the name-based Virtual Host
+# Example:
+# server_aliases:
+# - foo.example.com
+#server_aliases: []
+
+# The server name used for rewrites
+# Example:
+# proxy_server: 'proxy.example.com'
+# Default: The value of servername
+#proxy_server: null
 # The port specification for the Virtual Host
 # Example:
 # port: 8080
-#Default: null (use default port 80 or 443 if SSL enabled)
+# Default: null (use default port 80 or 443 if SSL enabled)
 #port: null
 # List of SSL Apache directives
@@ -29,7 +40,6 @@
 # - 'SSLCertificateFile "/etc/pki/tls/certs/www.example.com.crt"'
 # - 'SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"'
 # Default: null (no SSL support)
-#ssl: null
 ssl:
 - 'SSLCertificateFile "/etc/pki/tls/certs/localhost.crt"'
 - 'SSLCertificateKeyFile "/etc/pki/tls/private/localhost.key"'
@@ -40,6 +50,60 @@ ssl:
 # Default: 'logs' (this is relative to ServerRoot)
 #logroot: 'logs'
+# Error log filename
+# Example:
+# errorlog: 'error.log'
+# Default: 'error.log' (If 'servername' and 'ssl' options are defined
+# the default value will be _error_ssl.log)
+#errorlog: 'error.log'
+
+# Access log filename
+# Example:
+# accesslog: 'access.log'
+# Default: 'access.log' (If 'servername' and 'ssl' options are defined
+# the default value will be _access_ssl.log)
+#accesslog: 'access.log'
+
+# Apache access log format (Don't specify log nickname see: http://httpd.apache.org/docs/current/mod/mod_log_config.html#transferlog)
+# Example:
+# logformat: '"%v %h \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %T"'
+# Default: Apache combined format
+#logformat: Apache combine format
+
+# Should RewriteEngine be used
+# Example:
+# use_rewrites: false
+# Default: true
+#use_rewrites: true
+
+# Should Maintenance Rewrite rules be added
+# Example:
+# use_maintenance: false
+# Default: true
+#use_maintenance: true
+
+# List of IPs to allowed when maintenance is enabled
+# Example:
+# maintenance_ip_allowlist:
+# - 192.168.0..*
+# - 192.168.1..*
+# Default: [] (no IPs allowed)
+#maintenance_ip_allowlist: []
+
+# Set Header Content-Security-Policy frame-ancestors.
+# Example:
+# security_csp_frame_ancestors: https://ondemand.osc.edu
+# Example to disable setting:
+# security_csp_frame_ancestors: false
+# Default: based on servername and ssl settings
+#security_csp_frame_ancestors:
+
+# Set Header Strict-Transport-Security to help enforce SSL
+# Example:
+# security_strict_transport: false
+# Default: true when ssl is enabled, false otherwise
+#security_strict_transport: false
+
 # Root directory of the Lua handler code
 # Example:
 # lua_root: '/path/to/lua/handlers'
@@ -53,11 +117,19 @@ ssl:
 # Default: 'info' (get verbose logs)
 #lua_log_level: 'info'
+# Lua regular expression used to map authenticated-user to system-user
+# This configuration is ignored if user_map_cmd is defined
+# Example:
+# user_map_match: '^([^@]+)@.*$'
+# Default: '.*'
+#user_map_match: '.*'
+
 # System command used to map authenticated-user to system-user
+# This option takes precedence over user_map_match
 # Example:
-# user_map_cmd: '/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex=''^(\w+)@example.com$'''
-# Default: '/opt/ood/ood_auth_map/bin/ood_auth_map.regex' (this echo's back auth-user)
-#user_map_cmd: '/opt/ood/ood_auth_map/bin/ood_auth_map.regex'
+# user_map_cmd: '/usr/local/bin/ondemand-usermap'
+# Default: null (use user_map_match)
+#user_map_cmd: null
 # Use an alternative CGI environment variable instead of REMOTE_USER for
 # determining the authenticated-user fed to the mapping script
@@ -81,13 +153,17 @@ ssl:
 # List of Apache authentication directives
 # NB: Be sure the appropriate Apache module is installed for this
-# Default: (see below, uses basic auth with an htpasswd file)
-# auth:
-# - 'AuthType Basic'
-# - 'AuthName "private"'
-# - 'AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd"'
-# - 'RequestHeader unset Authorization'
-# - 'Require valid-user'
+# Default: (see below, uses OIDC auth with Dex)
+#auth:
+# - 'AuthType openid-connect'
+# - 'Require valid-user'
 host_regex: 'head'
 auth:
 - 'AuthType Basic'
 - 'AuthName "Restricted Files"'
 - 'AuthBasicProvider file'
 - 'AuthUserFile /opt/rh/httpd24/root/etc/httpd/apache-passwords'
 - 'Require valid-user'
 # Redirect user to the following URI when accessing root URI
 # Example:
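Review bot: The `auth` block that the `@@ -81,13 +153,17 @@` hunk leaves active drops `'RequestHeader unset Authorization'`, a line that both the commented default being removed in this hunk and the old end-of-file block (removed later in this patch at `@@ -240,11 +331,129 @@`) carried. Without it, as far as I can tell from the OOD layout, the browser's Basic credential for `rocky` travels with every request Apache reverse-proxies to the per-user NGINX and to the `/node` and `/rnode` targets enabled in this same patch, so anything behind the portal can read the password. Add `  - 'RequestHeader unset Authorization'` before `  - 'Require valid-user'`; the PAM variant of this block in patch 12 (`@@ -160,9 +160,9 @@`) needs the same line, and there the credential is the account's login password.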
@@ -157,14 +233,14 @@ ssl:
 # Example:
 # node_uri: '/node'
 # Default: null (disable this feature)
-#node_uri: null
+node_uri: '/node'
 # Sub-uri used to reverse proxy to backend web server running on node that
 # ONLY uses *relative* URI paths
 # Example:
 # rnode_uri: '/rnode'
 # Default: null (disable this feature)
-#rnode_uri: null
+rnode_uri: '/rnode'
 #
 # Per-user NGINX Passenger apps
@@ -196,6 +272,21 @@ ssl:
 # Default: 5 (only try 5 times)
 #pun_max_retries: 5
+# The PUN pre hook command to execute as root
+#
+# Example:
+# pun_pre_hook_root_cmd: '/opt/hpc-site/ood_pun_prehook'
+# Default: null (do not run any PUN pre hook as root)
+#pun_pre_hook_root_cmd: null
+
+# Comma separated list of environment variables to pass from the apache context
+# into the PUN pre hook. Defaults to null so nothing is exported.
+#
+# Example:
+# pun_pre_hook_exports: 'OIDC_ACCESS_TOKEN,OIDC_CLAIM_EMAIL'
+# Default: null (pass nothing)
+#pun_pre_hook_exports: null
+
 #
 # Support for OpenID Connect
 #
@@ -204,7 +295,7 @@ ssl:
 # Example:
 # oidc_uri: '/oidc'
 # Default: null (disable OpenID Connect support)
-#oidc_uri: null
+oidc_uri: '/oidc'
 # Sub-uri user is redirected to if they are not authenticated. This is used to
 # *discover* what ID provider the user will login through.
@@ -240,11 +331,129 @@ ssl:
 # Default: null (display error to user if mapping fails)
 #register_root: null
-host_regex: 'head'
-auth:
- - 'AuthType Basic'
- - 'AuthName "Restricted Files"'
- - 'AuthBasicProvider file'
- - 'AuthDBMUserFile "/opt/rh/httpd24/root/etc/httpd/apache-passwords"'
- - 'RequestHeader unset Authorization'
- - 'Require valid-user'
\ No newline at end of file
+# OIDC metadata URL
+# Example:
+# oidc_provider_metadata_url: https://example.com:5554/.well-known/openid-configuration
+# Default: null (value auto-generated if using Dex)
+#oidc_provider_metadata_url: null
+
+# OIDC client ID
+# Example:
+# oidc_client_id: ondemand.example.com
+# Default: null (value auto-generated if using Dex)
+#oidc_client_id: null
+
+# OIDC client secret
+# Example:
+# oidc_client_secret: 334389048b872a533002b34d73f8c29fd09efc50
+# Default: null (value auto-generated if using Dex)
+#oidc_client_secret: null
+
+# OIDC remote user claim. This is the claim that populates REMOTE_USER
+# Example:
+# oidc_remote_user_claim: preferred_username
+# Default: preferred_username
+#oidc_remote_user_claim: preferred_username
+
+# OIDC scopes
+# Example:
+# oidc_scope: "openid profile email groups"
+# Default: "openid profile email"
+#oidc_scope: "openid profile email"
+
+# OIDC session inactivity timeout
+# Example:
+# oidc_session_inactivity_timeout: 28800
+# Default: 28800
+#oidc_session_inactivity_timeout: 28800
+
+# OIDC session max duration
+# Example:
+# oidc_session_max_duration: 28800
+# Default: 28800
+#oidc_session_max_duration: 28800
+
+# OIDC max number of state cookies and if to automatically clean old cookies
+# Example:
+# oidc_state_max_number_of_cookies: "10 true"
+# Default: "10 true"
+#oidc_state_max_number_of_cookies: "10 true"
+
+# OIDC Enable SameSite cookie
+# When ssl is defined this defaults to 'Off'
+# When ssl is not defined this defaults to 'On'
+# Example:
+# oidc_cookie_same_site: 'Off'
+# Default: 'On'
+#oidc_cookie_same_site: 'On'
+
+# Additional
OIDC settings as key-value pairs
+# Example:
+# oidc_settings:
+# OIDCPassIDTokenAs: serialized
+# OIDCPassRefreshToken: On
+# Default: {} (empty hash)
+#oidc_settings: {}
+
+# The Dex URI behind Apache reverse proxy
+# Set to false or null to disable Dex behing the Apache reverse proxy
+# Example:
+# dex_uri: /auth
+# Default: /dex
+#dex_uri: /dex
+
+# Dex configurations, values inside the "dex" structure are directly used to configure Dex
+# If the value for "dex" key is false or null, Dex support is disabled
+# Dex support will auto-enable if ondemand-dex package is installed
+#dex:
+ # Default based on if ssl key for ood-portal-generator is defined
+# ssl: false
+ # Only used if SSL is disabled
+# http_port: "5556"
+ # Only used if SSL is enabled
+# https_port: "5554"
+ # tls_cert and tls_key take OnDemand configured values for ssl and copy keys to /etc/ood/dex maintaining file names
+# tls_cert: null
+# tls_key: null
+# storage_file: /etc/ood/dex/dex.db
+# grpc: null
+# expiry: null
+ # Client ID, defaults to servername or FQDN
+# client_id: null
+# client_name: OnDemand
+ # Client secret, value auto generated
+ # A value that is a filesystem path can be used to store secret in a file
+# client_secret: /etc/ood/dex/ondemand.secret
+ # The OnDemand redirectURI is auto-generated, this option allows adding additional URIs
+# client_redirect_uris: []
+ # Additional Dex OIDC clients to configure
+# static_clients: []
+ # The following example is to configure OpenLDAP
+ # Docs: https://github.com/dexidp/dex/blob/master/Documentation/connectors/ldap.md
+# connectors:
+# - type: ldap
+# id: ldap
+# name: LDAP
+# config:
+# host: openldap.my_center.edu:636
+# insecureSkipVerify: false
+# bindDN: cn=admin,dc=example,dc=org
+# bindPW: admin
+# userSearch:
+# baseDN: ou=People,dc=example,dc=org
+# filter: "(objectClass=posixAccount)"
+# username: uid
+# idAttr: uid
+# emailAttr: mail
+# nameAttr: gecos
+# preferredUsernameAttr: uid
+# groupSearch:
+# baseDN:
ou=Groups,dc=example,dc=org
+# filter: "(objectClass=posixGroup)"
+# userMatchers:
+# - userAttr: DN
+# groupAttr: member
+# nameAttr: cn
+# frontend:
+# theme: ondemand
+# dir: /usr/share/ondemand-dex/web
\ No newline at end of file
From 131a45c836dcc747c9c4dbd76d13ca662c4fead3 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:02:27 +0100
Subject: [PATCH 06/17] Trying passworded user with PAM
---
 image/Dockerfile | 3 ++-
 image/docker-entrypoint.sh | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index eda87a1..d74c55d 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -46,6 +46,7 @@ RUN set -ex \
 openssh-server \
 apptainer \
 ondemand \
+ mod_authnz_pam
 && yum clean all \
 && rm -rf /var/cache/yum
@@ -93,7 +94,7 @@ RUN mkdir /etc/sysconfig/slurm \
 && useradd -r --uid=990 slurm \
 && chown -R slurm:slurm /var/*/slurm* \
 && useradd -u 1000 rocky \
- && usermod -p '*' rocky # unlocks account but sets no password
+ && usermod -p 'openssl password' rocky
 VOLUME /etc/slurm
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index d2a5654..5f10eff 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -131,6 +131,10 @@ then
 /usr/libexec/httpd-ssl-gencerts
+ cp /etc/pam.d/sshd /etc/pam.d/ood
+ chmod 640 /etc/shadow
+ chgrp apache /etc/shadow
+
 mkdir --parents /opt/rh/httpd24/root/etc/httpd/
 /usr/bin/htpasswd -cb /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky $ROCKY_OOD_PASS
From 500908294e03f4df8388ec774f913b88a199dfce Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:04:19 +0100
Subject: [PATCH 07/17] Fixed typo
---
 image/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index d74c55d..a2d9879 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
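Review bot: `chmod 640 /etc/shadow` followed by `chgrp apache /etc/shadow` in the `@@ -131,6 +131,10 @@` hunk of docker-entrypoint.sh makes every password hash on the system readable by the httpd worker processes, not only the `rocky` hash that the `ood` PAM service needs to check, so a flaw in any httpd module or proxied app is enough to read the shadow file; it also applies this grant on every container start, outside the image's build-time permission model. If system-account passwords are really wanted for the portal, keep the hashes out of the web tier by pointing the `ood` PAM stack at a backend that does not read `/etc/shadow` in-process (an SSSD/LDAP-style provider), or stay with the htpasswd file this script still writes two lines below. If the group grant is kept, say so next to it, e.g. `# apache must read /etc/shadow for pam_unix in the ood service; single-user image, accepted risk`, and reduce the copied PAM file to the `auth`/`account` lines it actually needs. The `if` branch this sits in starts outside the hunk.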
@@ -46,7 +46,7 @@ RUN set -ex \
 openssh-server \
 apptainer \
 ondemand \
- mod_authnz_pam
+ mod_authnz_pam \
 && yum clean all \
 && rm -rf /var/cache/yum
From 504a225ef66e9596bbc3f0aea22267b78a25384f Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:23:46 +0100
Subject: [PATCH 08/17] Enabling PAM in apache
---
 image/docker-entrypoint.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 5f10eff..890832d 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -131,6 +131,7 @@ then
 /usr/libexec/httpd-ssl-gencerts
+ echo "LoadModule authnz_pam_module modules/mod_authnz_pam.so" > /etc/httpd/conf.modules.d/55-authnz_pam.conf
 cp /etc/pam.d/sshd /etc/pam.d/ood
 chmod 640 /etc/shadow
 chgrp apache /etc/shadow
From 69b365b160ce665c6a9d3f65d8324d8b4c62c76c Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:48:29 +0100
Subject: [PATCH 09/17] Matching system and OOD password
---
 image/Dockerfile | 3 +--
 image/docker-entrypoint.sh | 2 ++
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index a2d9879..7e75067 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -93,8 +93,7 @@ RUN mkdir /etc/sysconfig/slurm \
 /var/lib/slurmd/fed_mgr_state \
 && useradd -r --uid=990 slurm \
 && chown -R slurm:slurm /var/*/slurm* \
- && useradd -u 1000 rocky \
- && usermod -p 'openssl password' rocky
+ && useradd -u 1000 rocky
 VOLUME /etc/slurm
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 890832d..74883bc 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -86,6 +86,8 @@ then
 chown root:root /home
 chmod 755 /home
+ echo $OOD_PASS | passwd --stdin rocky
+
 echo "---> Setting up ssh for user"
 mkdir -p /home/rocky/.ssh
From dc487f2643580939b586fe6681e01bd2f092b0d8 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:54:32 +0100
Subject: [PATCH 10/17] Added passwd
---
 image/Dockerfile | 1 +
 image/docker-entrypoint.sh | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/image/Dockerfile b/image/Dockerfile
index 7e75067..c12dd79 100644
--- a/image/Dockerfile
+++ b/image/Dockerfile
@@ -46,6 +46,7 @@ RUN set -ex \
 openssh-server \
 apptainer \
 ondemand \
+ passwd \
 mod_authnz_pam \
 && yum clean all \
 && rm -rf /var/cache/yum
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 74883bc..b4044d9 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -86,7 +86,7 @@ then
 chown root:root /home
 chmod 755 /home
- echo $OOD_PASS | passwd --stdin rocky
+ echo "$OOD_PASS" | passwd --stdin rocky
 echo "---> Setting up ssh for user"
From 1c11bb60ac40e84853fa9c952549bdc606f0c509 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 15:57:40 +0100
Subject: [PATCH 11/17] Fixed typo
---
 image/docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index b4044d9..39ed0cc 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -86,7 +86,7 @@ then
 chown root:root /home
 chmod 755 /home
- echo "$OOD_PASS" | passwd --stdin rocky
+ echo $ROCKY_OOD_PASS | passwd --stdin rocky
 echo "---> Setting up ssh for user"
From f58fc1e3476c03826fa7af58ae4b3bd80d56c049 Mon Sep 17 00:00:00 2001
From: Will
Date: Tue, 15 Aug 2023 16:01:23 +0100
Subject: [PATCH 12/17] Changed values and config
---
 slurm-cluster-chart/files/ood_portal.yaml | 6 +++---
 slurm-cluster-chart/values.yaml | 2 +-
  2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/slurm-cluster-chart/files/ood_portal.yaml b/slurm-cluster-chart/files/ood_portal.yaml
index 0eec2ed..4ee94b7 100644
--- a/slurm-cluster-chart/files/ood_portal.yaml
+++ b/slurm-cluster-chart/files/ood_portal.yaml
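Review bot: `echo $ROCKY_OOD_PASS | passwd --stdin rocky` in patch 11's `@@ -86,7 +86,7 @@` hunk reintroduces the unquoted expansion that patch 10 had just removed, so a password containing spaces, `*` or `?` is word-split and glob-expanded before it reaches `passwd`, and a shell `echo` built-in may also eat a leading `-n` or `-e`. Nothing checks that the variable is set, so an unset `ROCKY_OOD_PASS` hands `passwd` an empty line instead of failing the container start. Use `: "${ROCKY_OOD_PASS:?ROCKY_OOD_PASS must be set}"` ahead of it and `printf '%s\n' "$ROCKY_OOD_PASS" | passwd --stdin rocky` for the pipe itself. The branch this sits in starts outside the hunk.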
@@ -160,9 +160,9 @@ ssl:
 host_regex: 'head'
 auth:
 - 'AuthType Basic'
- - 'AuthName "Restricted Files"'
- - 'AuthBasicProvider file'
- - 'AuthUserFile /opt/rh/httpd24/root/etc/httpd/apache-passwords'
+ - 'AuthName "Open OnDemand"'
+ - 'AuthBasicProvider PAM'
+ - 'AuthPAMService ood'
 - 'Require valid-user'
 # Redirect user to the following URI when accessing root URI
diff --git a/slurm-cluster-chart/values.yaml b/slurm-cluster-chart/values.yaml
index 6a394cb..b9d74de 100644
--- a/slurm-cluster-chart/values.yaml
+++ b/slurm-cluster-chart/values.yaml
@@ -1,4 +1,4 @@
-slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:f52e918
+slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:1c11bb6
 replicas:
 slurmd: 2
From 14f5a4991f4ca780dcd70f98d39f8ef1a03c0386 Mon Sep 17 00:00:00 2001
From: Will
Date: Wed, 16 Aug 2023 09:40:52 +0100
Subject: [PATCH 13/17] Trying with PAM login
---
 image/docker-entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 39ed0cc..255c779 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -134,7 +134,7 @@ then
 /usr/libexec/httpd-ssl-gencerts
 echo "LoadModule authnz_pam_module modules/mod_authnz_pam.so" > /etc/httpd/conf.modules.d/55-authnz_pam.conf
- cp /etc/pam.d/sshd /etc/pam.d/ood
+ cp /etc/pam.d/password-auth /etc/pam.d/ood
 chmod 640 /etc/shadow
 chgrp apache /etc/shadow
From 6bf206e53b246e2270959c42dbc083ff33dc5b63 Mon Sep 17 00:00:00 2001
From: Will
Date: Wed, 16 Aug 2023 10:24:40 +0100
Subject: [PATCH 14/17] Accepts password but 403 at dashboard
---
 slurm-cluster-chart/files/ood_portal.yaml | 4 ++--
 slurm-cluster-chart/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/slurm-cluster-chart/files/ood_portal.yaml b/slurm-cluster-chart/files/ood_portal.yaml
index 4ee94b7..d186e26 100644
--- a/slurm-cluster-chart/files/ood_portal.yaml
+++ b/slurm-cluster-chart/files/ood_portal.yaml
@@ -157,7 +157,7 @@ ssl:
 #auth:
 # - 'AuthType openid-connect'
 # - 'Require valid-user'
-host_regex: 'head'
+#host_regex: 'head'
 auth:
 - 'AuthType Basic'
 - 'AuthName "Open OnDemand"'
@@ -295,7 +295,7 @@ rnode_uri: '/rnode'
 # Example:
 # oidc_uri: '/oidc'
 # Default: null (disable OpenID Connect support)
-oidc_uri: '/oidc'
+# oidc_uri: '/oidc'
 # Sub-uri user is redirected to if they are not authenticated. This is used to
 # *discover* what ID provider the user will login through.
diff --git a/slurm-cluster-chart/values.yaml b/slurm-cluster-chart/values.yaml
index b9d74de..cdcde60 100644
--- a/slurm-cluster-chart/values.yaml
+++ b/slurm-cluster-chart/values.yaml
@@ -1,4 +1,4 @@
-slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:1c11bb6
+slurmImage: ghcr.io/stackhpc/slurm-docker-cluster:14f5a49
 replicas:
 slurmd: 2
From 06ecc8e403eddeaf28e3fcc52defdd15e46c1c48 Mon Sep 17 00:00:00 2001
From: Will
Date: Wed, 16 Aug 2023 10:47:13 +0100
Subject: [PATCH 15/17] Can connect to OOD 3 but requires FIP in config
---
 slurm-cluster-chart/files/ood_portal.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/slurm-cluster-chart/files/ood_portal.yaml b/slurm-cluster-chart/files/ood_portal.yaml
index d186e26..e4e308e 100644
--- a/slurm-cluster-chart/files/ood_portal.yaml
+++ b/slurm-cluster-chart/files/ood_portal.yaml
@@ -14,7 +14,7 @@
 # Example:
 # servername: 'www.example.com'
 # Default: null (don't use name-based Virtual Host)
-#servername: null
+servername: 128.232.226.194
 # The server aliases used for the name-based Virtual Host
 # Example:
From a4e81d6092109c26d139f52ec98152e19bb97442 Mon Sep 17 00:00:00 2001
From: Will
Date: Wed, 16 Aug 2023 14:05:34 +0100
Subject: [PATCH 16/17] Trying injecting hosts into rails
---
 image/docker-entrypoint.sh | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index 255c779..ed711c5 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
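Review bot: Commenting out `host_regex: 'head'` in the `@@ -157,7 +157,7 @@` hunk while `node_uri: '/node'` and `rnode_uri: '/rnode'` remain enabled from patch 05 leaves the node reverse proxy on the generator's built-in host pattern, which as far as I recall accepts any hostname; an authenticated user could then steer `/node/<host>/` at any address the OOD pod can reach rather than only the cluster nodes. The line reads like a debugging leftover from the 403 investigation in the title rather than an intended change, and nothing in the commit explains it. Restore `host_regex: 'head'`, or if the compute nodes must also be reachable widen it deliberately, e.g. `host_regex: '(head|slurmd-[0-9]+)'` (pattern constructed here; match it to the chart's pod names), with a comment above it saying which hosts the proxy is meant to reach.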
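Review bot: `servername: 128.232.226.194` in patch 15's `@@ -14,7 +14,7 @@` hunk commits a site-specific public address into a file every install of the chart will render, and the subject line itself says the portal only works because of that floating IP. Since the file lives under the chart's `files/` directory, the address belongs in `values.yaml` and should reach this file through a template or `tpl` rendering so per-site settings are not checked in; if that is not possible yet, at least quote it as a string to match the surrounding examples, `servername: '128.232.226.194'`, and add `# Must be the address users reach the portal on; move to values.yaml` above it so the hard-coding is not mistaken for a default.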
@@ -141,6 +141,8 @@ then
 mkdir --parents /opt/rh/httpd24/root/etc/httpd/
 /usr/bin/htpasswd -cb /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky $ROCKY_OOD_PASS
+ echo "config.hosts = nil" >> /var/www/ood/apps/sys/dashboard/config/environments/production.rb
+
 /opt/ood/ood-portal-generator/sbin/update_ood_portal
 /usr/sbin/httpd -k start -X -e debug
From a62ee786a5cbb22b2d01e9f4145319665da139cf Mon Sep 17 00:00:00 2001
From: Will
Date: Wed, 16 Aug 2023 14:24:35 +0100
Subject: [PATCH 17/17] Injection fix
---
 image/docker-entrypoint.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/image/docker-entrypoint.sh b/image/docker-entrypoint.sh
index ed711c5..4f8b07f 100755
--- a/image/docker-entrypoint.sh
+++ b/image/docker-entrypoint.sh
@@ -141,7 +141,10 @@ then
 mkdir --parents /opt/rh/httpd24/root/etc/httpd/
 /usr/bin/htpasswd -cb /opt/rh/httpd24/root/etc/httpd/apache-passwords rocky $ROCKY_OOD_PASS
- echo "config.hosts = nil" >> /var/www/ood/apps/sys/dashboard/config/environments/production.rb
+ head -102 /var/www/ood/apps/sys/dashboard/config/environments/production.rb > tmp.txt
+ cat tmp.txt > /var/www/ood/apps/sys/dashboard/config/environments/production.rb
+ echo " config.hosts = nil" >> /var/www/ood/apps/sys/dashboard/config/environments/production.rb
+ echo "end" >> /var/www/ood/apps/sys/dashboard/config/environments/production.rb
 /opt/ood/ood-portal-generator/sbin/update_ood_portal
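Review bot: The `head -102 ... > tmp.txt` / `cat tmp.txt > .../production.rb` pair in patch 17's `@@ -141,7 +141,10 @@` hunk rewrites a packaged Rails config by a hard-coded line count, so any OnDemand package update that shifts the file by a line silently truncates real configuration, and `tmp.txt` is left behind in whatever directory the entrypoint happens to run from. `config.hosts = nil` also switches off the dashboard's host-authorization check altogether, which is Rails' guard against DNS-rebinding style Host-header tricks, when the only host that needs allowing is the `servername` set in patch 15. Insert an allow entry before the closing `end` instead of truncating, and take the hostname from the same source as `servername` so the two cannot drift; the branch this sits in starts outside the hunk.
```shell
dashboard_env=/var/www/ood/apps/sys/dashboard/config/environments/production.rb
# OOD_SERVERNAME is a placeholder name: wire it to the same value as servername in ood_portal.yaml.
: "${OOD_SERVERNAME:?OOD_SERVERNAME must be set to the portal hostname or address}"
# Insert before the file's final `end` rather than truncating at a fixed line number.
sed -i "\$i\\  config.hosts << \"${OOD_SERVERNAME}\"" "$dashboard_env"
# … unchanged: update_ood_portal and httpd start …
```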