Merge pull request #50 from kreczko/2016-spring-clean

2016 spring clean

lib/puppet/parser/functions/join_machine_list.rb

@@ -0,0 +1,15 @@
+module Puppet::Parser::Functions
+  newfunction(:join_machine_list, :type => :rvalue) do |args|
+    raise(Puppet::ParseError, "join_machine_list() wrong number of arguments. Given: #{args.size} for 2)") if args.size !=2
+    prefix = args[0]
+    machine_list = args[1]
+    new_machine_list = Array.new
+
+    machine_list.each do |item|
+      machine = prefix + item
+      new_machine_list.push machine
+    end
+
+    return new_machine_list.join(", ")
+  end
+end

manifests/config.pp

@@ -155,20 +155,51 @@
   $template_workernode = "${module_name}/20_workernode.config.erb",
   $template_ganglia    = "${module_name}/23_ganglia.config.erb",
   $template_defrag     = "${module_name}/33_defrag.config.erb",
+  $use_htcondor_account_mapping   = true,
   $use_fs_auth                    = true,
   $use_password_auth              = true,
   $use_kerberos_auth              = false,
   $use_claim_to_be_auth           = false,
   $use_cert_map_file              = false,
   $use_krb_map_file               = false,
+  $use_pid_namespaces             = false,
   $cert_map_file                  = '/etc/condor/certificate_mapfile',
-  $krb_map_file                   = '/etc/condor/kerberos_mapfile',) {
+  $krb_map_file                   = '/etc/condor/kerberos_mapfile',
+  $machine_list_prefix            = 'condor_pool@$(UID_DOMAIN)/',
+  $max_walltime                   = '80 * 60 * 60',
+  $max_cputime                    = '80 * 60 * 60',
+  ) {
+  # purge all non-managed config files from /etc/condor/config.d
+  file {'/etc/condor/config.d':
+    ensure  => directory,
+    recurse => true,
+    purge   => true,
+  }
+
   $now                 = strftime('%d.%m.%Y_%H.%M')
   $ce_daemon_list      = ['SCHEDD']
   $worker_daemon_list  = ['STARTD']
   $ganglia_daemon_list = ['GANGLIAD']
   $auth_string = construct_auth_string($use_fs_auth, $use_password_auth,
   $use_kerberos_auth, $use_claim_to_be_auth)
+
+  # because HTCondor uses user 'condor_pool' for remote access
+  # and user 'condor' for local the variables below need to include
+  # both users in case a machine has more than one role (i.e. manager + CE)
+  $machine_prefix_local = "${condor_user}@$(UID_DOMAIN)/"
+
+  $manager_string_remote = join_machine_list($machine_list_prefix, $managers)
+  $manager_string_local = join_machine_list($machine_prefix_local, $managers)
+  $manager_string = join([$manager_string_remote, $manager_string_local], ', ')
+
+  $ce_string_remote = join_machine_list($machine_list_prefix, $computing_elements)
+  $ce_string_local = join_machine_list($machine_prefix_local, $computing_elements)
+  $ce_string = join([$ce_string_remote, $ce_string_local], ', ')
+
+  $wn_string_remote = join_machine_list($machine_list_prefix, $worker_nodes)
+  $wn_string_local = join_machine_list($machine_prefix_local, $worker_nodes)
+  $wn_string = join([$wn_string_remote, $wn_string_local], ', ')
+
   if $enable_multicore {
     $manage_daemon_list = ['COLLECTOR', 'NEGOTIATOR', 'DEFRAG']
   } else {

manifests/init.pp

@@ -178,14 +178,19 @@
   $template_ganglia               = "${module_name}/23_ganglia.config.erb",
   $template_workernode            = "${module_name}/20_workernode.config.erb",
   $template_defrag                = "${module_name}/33_defrag.config.erb",
+  $use_htcondor_account_mapping   = true,
   $use_fs_auth                    = true,
   $use_password_auth              = true,
   $use_kerberos_auth              = false,
   $use_claim_to_be_auth           = false,
   $use_cert_map_file              = false,
   $use_krb_map_file               = false,
+  $use_pid_namespaces             = false,
   $cert_map_file                  = '/etc/condor/certificate_mapfile',
   $krb_map_file                   = '/etc/condor/kerberos_mapfile',
+  $machine_list_prefix            = 'condor_pool@$(UID_DOMAIN)/',
+  $max_walltime                   = '80 * 60 * 60',
+  $max_cputime                    = '80 * 60 * 60',
   ) {
   class { 'htcondor::repositories':
     install_repos   => $install_repositories,
@@ -257,14 +262,19 @@
     template_workernode            => $template_workernode,
     template_ganglia               => $template_ganglia,
     template_defrag                => $template_defrag,
+    use_htcondor_account_mapping   => $use_htcondor_account_mapping,
     use_fs_auth                    => $use_fs_auth,
     use_password_auth              => $use_password_auth,
     use_kerberos_auth              => $use_kerberos_auth,
     use_claim_to_be_auth           => $use_claim_to_be_auth,
     use_cert_map_file              => $use_cert_map_file,
     use_krb_map_file               => $use_krb_map_file,
+    use_pid_namespaces             => $use_pid_namespaces,
     cert_map_file                  => $cert_map_file,
     krb_map_file                   => $krb_map_file,
+    machine_list_prefix            => $machine_list_prefix,
+    max_walltime                   => $max_walltime,
+    max_cputime                    => $max_cputime,
   }
 
   class { 'htcondor::service':

spec/unit/puppet/parser/functions/join_machine_list_spec.rb

@@ -0,0 +1,27 @@
+require 'spec_helper'
+require 'puppetlabs_spec_helper/puppetlabs_spec/puppet_internals'
+
+describe "join_machine_list function" do
+  let(:scope) { PuppetlabsSpec::PuppetInternals.scope }
+  it "should exist" do
+    expect(Puppet::Parser::Functions.function("join_machine_list")).to eq("function_join_machine_list")
+  end
+  machine_prefix = 'condor_pool@$(UID_DOMAIN)/'
+
+  context 'join_machine_list tests' do
+    it "single machine" do
+      result = scope.function_join_machine_list([machine_prefix,['test1.example.com']])
+      expect(result).to eq(machine_prefix + 'test1.example.com')
+    end
+    it "single machine different prefix" do
+      prefix = 'root@$(UID_DOMAIN)/'
+      result = scope.function_join_machine_list([prefix, ['test1.example.com']])
+      expect(result).to eq(prefix + 'test1.example.com')
+    end
+    it "multiple machines" do
+      result = scope.function_join_machine_list([machine_prefix,['test1.example.com', 'test2.example.com', 'test3.example.com']])
+      expect(result).to eq('condor_pool@$(UID_DOMAIN)/test1.example.com, condor_pool@$(UID_DOMAIN)/test2.example.com, condor_pool@$(UID_DOMAIN)/test3.example.com')
+    end
+  end
+end
+

templates/10_security.config.erb

@@ -15,9 +15,9 @@ TRUST_UID_DOMAIN = True
 <% end -%>
 
 # Machines & users
-CMS = <%= @managers.flatten.join(', ') %>
-CES = <%= @computing_elements.flatten.join(', ') %>
-WNS = <%= @worker_nodes.flatten.join(', ') %>
+CMS = <%= @manager_string %>
+CES = <%= @ce_string %>
+WNS = <%= @wn_string %>
 
 USERS = *@$(UID_DOMAIN)
 
@@ -32,7 +32,8 @@ HOSTALLOW_NEGOTIATOR = $(COLLECTOR_HOST)
 HOSTALLOW_ADMINISTRATOR = $(COLLECTOR_HOST)
 HOSTALLOW_NEGOTIATOR_SCHEDD = $(COLLECTOR_HOST)
 
-ALLOW_READ = */*.$(UID_DOMAIN)
+# allow read to anyone, block unwanted with iptables
+ALLOW_READ = *
 ALLOW_WRITE = $(CMS), $(CES), $(WNS)
 
 #if the CE has a private NIC, it needs to be included here as well
@@ -42,8 +43,18 @@ COLLECTOR.ALLOW_ADVERTISE_STARTD = $(WNS)
 
 SCHEDD.ALLOW_WRITE = $(USERS), $(CES)
 
-ALLOW_DAEMON = condor@$(UID_DOMAIN)/*.$(UID_DOMAIN), condor_pool@$(UID_DOMAIN)/*.$(UID_DOMAIN)
-ALLOW_ADMINISTRATOR = *@$(UID_DOMAIN)/$(FULL_HOSTNAME)
+ALLOW_DAEMON = condor@$(UID_DOMAIN), \
+               condor@$(UID_DOMAIN)/*.$(UID_DOMAIN), \
+               condor_pool@$(UID_DOMAIN), \
+               condor_pool@$(UID_DOMAIN)/*.$(UID_DOMAIN), \
+               $(FULL_HOSTNAME)
+<% if @is_worker then -%>
+# fix for new security default in HTCondor 8.4.X (fixed in 8.5.1)
+ALLOW_DAEMON = $(ALLOW_DAEMON), \
+               submit-side@matchsession/*, \
+               execute-side@matchsession/*
+<% end -%>
+ALLOW_ADMINISTRATOR = root@$(UID_DOMAIN)/$(IP_ADDRESS), condor_pool@$(UID_DOMAIN)/$(IP_ADDRESS), $(CMS)
 ALLOW_CONFIG = root@$(FULL_HOSTNAME)
 
 # Don't allow nobody to run jobs
@@ -64,7 +75,7 @@ SEC_ENABLE_MATCH_PASSWORD_AUTHENTICATION = True
 CERTIFICATE_MAPFILE = <%= @cert_map_file %>
 <% end -%>
 <% if @use_krb_map_file -%>
-CERTIFICATE_MAPFILE = <%= @krb_map_file %>
+KERBEROS_MAP_FILE = <%= @krb_map_file %>
 <% end -%>
 <% end -%>
 <% if @use_password_auth then -%>

templates/12_resourcelimits.config.erb

@@ -1,8 +1,9 @@
 # HTCondor configuration: resource limits
+# This file will be deployed on every scheduler
 
 ## Time limits
-RemoveDefaultJobWallTime = ( RemoteWallClockTime > 80 * 60 * 60 )
-RemoveDefaultJobCpuTime  = ( RemoteSysCpu + RemoteUserCpu > 80 * 60 * 60 )
+RemoveDefaultJobWallTime = ( RemoteWallClockTime > <%= @max_walltime %> )
+RemoveDefaultJobCpuTime  = ( RemoteSysCpu + RemoteUserCpu > <%= @max_cputime %> )
 
 ## Memory usage limit
 RemoveMemoryUsage = ( ResidentSetSize_RAW > 1000*RequestMemory )

templates/20_workernode.config.erb

@@ -75,7 +75,11 @@ MASTER_UPDATE_INTERVAL = $RANDOM_INTEGER(230, 370)
 EXECUTE = <%= @pool_home %>/condor
 
 ## Make sure jobs have independent PID namespaces
+<% if @use_pid_namespaces -%>
 USE_PID_NAMESPACES = true
+<% else -%>
+USE_PID_NAMESPACES = false
+<% end -%>
 
 ## If the binaries are updated, let any running jobs finish before restarting
 MASTER_NEW_BINARY_RESTART=PEACEFUL

templates/condor_config.local.erb

@@ -4,7 +4,6 @@ CONDOR_IDS = 0.0
 CONDOR_IDS = <%= @condor_uid %>.<%= @condor_gid %>
 <% end -%>
 CONDOR_ADMIN = <%= @condor_admin_email %>
-use_x509userproxy = True
 PeriodicRemove = false
 <% if @request_memory -%>
 request_memory = int(JobMemoryLimit/1024.0)
@@ -16,11 +15,11 @@ LeaveJobInQueue = (time() - CompletionDate) > <%= @leave_job_in_queue %>
 <% else -%>
 LeaveJobInQueue = False
 <% end -%>
-SUBMIT_EXPRS = $(SUBMIT_EXPRS) use_x509userproxy,request_memory,LeaveJobInQueue
+SUBMIT_EXPRS = $(SUBMIT_EXPRS) request_memory,LeaveJobInQueue
 DELEGATE_JOB_GSI_CREDENTIALS = False
 EMAIL_DOMAIN = <%= @email_domain %>
 
-<% if @is_ce == true -%>
+<% if @is_ce == true and @use_htcondor_account_mapping == true -%>
 AcctSubGroup = \
 ifThenElse(RequestCpus > 1, "multicore",\ 
 ifThenElse(regexp("prd",Owner),	"production",\