From fe08ffa0dd69bc9869d4ca56ccf10df7fc7d2911 Mon Sep 17 00:00:00 2001
From: "David J. Allen"
Date: Tue, 22 Jul 2025 12:41:08 -0600
Subject: [PATCH] chore: updated some of the use cases docs
---
 ...dding SLURM and MPI to the Compute Node.md | 6 +-
 ...rd Security for the `cloud-init-server`.md | 84 ++++++++++++++++++-
 ...t Filesystem with NFS (import-image.sh).md | 45 ++++++++++
 3 files changed, 131 insertions(+), 4 deletions(-)
diff --git a/Use Cases/Adding SLURM and MPI to the Compute Node.md b/Use Cases/Adding SLURM and MPI to the Compute Node.md
index 549b83b..8982ced 100644
--- a/Use Cases/Adding SLURM and MPI to the Compute Node.md
+++ b/Use Cases/Adding SLURM and MPI to the Compute Node.md
@@ -157,11 +157,11 @@ main(int argc, char **argv)
 {
 int node;
- MPI_Init(&argc,&argv);
+ MPI_Init(&argc, &argv);
 MPI_Comm_rank(MPI_COMM_WORLD, &node);
-
+
 printf("Hello World from Node %d\n",node);
-
+
 MPI_Finalize();
 }
 ```
diff --git a/Use Cases/Enable WireGuard Security for the `cloud-init-server`.md b/Use Cases/Enable WireGuard Security for the `cloud-init-server`.md
index 2b79472..1db5966 100644
--- a/Use Cases/Enable WireGuard Security for the `cloud-init-server`.md
+++ b/Use Cases/Enable WireGuard Security for the `cloud-init-server`.md
@@ -1 +1,83 @@
-When nodes boot in OpenCHAMI, they make a request out to the `cloud-init-server` to retrieve a cloud-init config. The request is not encrypted and can be intercepted and modified.
\ No newline at end of file
+When nodes boot in OpenCHAMI, they make a request out to the `cloud-init-server` to retrieve a cloud-init config. The request is not encrypted and can be intercepted and modified.
+
+# Using WireGuard with Cloud-Init
+
+The OpenCHAMI cloud-init metadata server includes a feature to enable a wireguard tunnel **before** running cloud-init.
+## Create a systemd override file for cloud-init
+
+```ini
+[Service]
+PassEnvironment=ochami_wg_ip
+ExecStartPre=/usr/local/bin/ochami-wg-cloud-init-setup.sh
+ExecPostStop=/bin/bash -c "ip link delete wg0"
+```
+
+## Create a Script to Activate WireGuard
+
+```bash
+#!/bin/sh
+set -e -o pipefail
+
+# As configured in systemd, we expect to inherit the "ochami_wg_url" cmdline
+# parameter as an env var. Exit if this is not the case.
+if [ -z "${ochami_wg_ip}" ];
+then
+ echo "ERROR: Failed to find the 'ochami_wg_url' environment variable."
+ echo "It should be specified on the kernel cmdline, and will be inherited from there."
+ if [ -f "/etc/cloud/cloud.cfg.d/ochami.cfg" ];
+ then
+ echo "Removing ochami-specific cloud-config; cloud-init will use other defaults"
+ rm /etc/cloud/cloud.cfg.d/ochami.cfg
+ else
+ echo "Not writing ochami-specific cloud-config; cloud-init will use other defaults"
+ fi
+ exit 0
+fi
+echo "Found OpenCHAMI cloud-init URL '${ochami_wg_ip}'"
+echo "!!!!Starting pre cloud-init config!!!!"
+
+echo "Loading WireGuard kernel mod"
+modprobe wireguard
+
+echo "Generating WireGuard keys"
+wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
+
+echo "Making Request to configure wireguard tunnel"
+PUBLIC_KEY=$(cat /etc/wireguard/public.key)
+PAYLOAD="{ \"public_key\": \"${PUBLIC_KEY}\" }"
+WG_PAYLOAD=$(curl -s -X POST -d "${PAYLOAD}" http://${ochami_wg_ip}:27777/cloud-init/wg-init)
+
+echo $WG_PAYLOAD | jq
+
+CLIENT_IP=$(echo $WG_PAYLOAD | jq -r '."client-vpn-ip"')
+SERVER_IP=$(echo $WG_PAYLOAD | jq -r '."server-ip"' | awk -F'/' '{print $1}')
+SERVER_PORT=$(echo $WG_PAYLOAD | jq -r '."server-port"')
+SERVER_KEY=$(echo $WG_PAYLOAD | jq -r '."server-public-key"')
+
+echo "Setting up local wireguard interface"
+echo "Adding wg0 link"
+ip link add dev wg0 type wireguard
+echo "Adding ip address ${CLIENT_IP}/32"
+ip address add dev wg0 ${CLIENT_IP}/32
+echo "Setting the private key"
+wg set wg0 private-key /etc/wireguard/private.key
+echo "Bringing up the wg0 link"
+ip link set wg0 up
+echo "Setting up the peer with the server"
+wg set wg0 peer ${SERVER_KEY} allowed-ips ${SERVER_IP}/32 endpoint ${ochami_wg_ip}:$SERVER_PORT
+rm /etc/wireguard/private.key
+rm /etc/wireguard/public.key
+```
+
+## Add the Scripts to Your Image
+
+```yaml
+copyfiles:
+ - src: '/opt/workdir/images/files/cloud-init-override.conf'
+ dest: '/etc/systemd/system/cloud-init.service.d/override.conf'
+ - src: '/opt/workdir/images/files/ochami-ci-setup.sh'
+ dest: '/usr/local/bin/ochami-ci-setup.sh'
+
+```
+
+## Restart `cloud-init-server` with WireGuard
\ No newline at end of file
diff --git a/Use Cases/Serving the Root Filesystem with NFS (import-image.sh).md b/Use Cases/Serving the Root Filesystem with NFS (import-image.sh).md
index 9a6cc88..7295dc4 100644
--- a/Use Cases/Serving the Root Filesystem with NFS (import-image.sh).md
+++ b/Use Cases/Serving the Root Filesystem with NFS (import-image.sh).md
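Review bot: The `ExecStartPre=` path in the systemd override (`/usr/local/bin/ochami-wg-cloud-init-setup.sh`) does not match the `dest` the copyfiles block installs (`/usr/local/bin/ochami-ci-setup.sh`), so cloud-init's pre-start step will fail on the built image unless a step not shown on this page renames the file; `ExecStartPre=/usr/local/bin/ochami-ci-setup.sh` would make the two sections agree. The script's comment and error message name `ochami_wg_url` while the variable actually tested is `ochami_wg_ip`; `echo "ERROR: Failed to find the 'ochami_wg_ip' environment variable."` keeps them consistent. The wg-init request goes over plain `http://${ochami_wg_ip}:27777` and the script installs `server-public-key`, `server-ip` and `server-port` from that unauthenticated response as the peer, so the interception risk stated in the page's first sentence applies to the tunnel bootstrap itself; the page should say so, and supplying the server's public key on the kernel cmdline next to `ochami_wg_ip` would let the script compare it with the returned key before `wg set wg0 peer`. `set -e -o pipefail` under `#!/bin/sh` depends on the image's /bin/sh accepting `pipefail`, which not every sh implementation does; `#!/bin/bash` matches the `ExecPostStop=/bin/bash` line already in the override. The closing `## Restart \`cloud-init-server\` with WireGuard` heading has no body, so the server-side step the page is named for is still undocumented.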
@@ -18,3 +18,48 @@ Reload the NFS daemon to apply the changes.
 modprobe -r nfsd && modprobe nfsd
 ```
+For NFS, we need to update the /etc/exports file and then reload the kernel nfs daemon
+
+Create `/opt/nfsroot` to serve our images
+
+```bash
+sudo mkdir /srv/nfs
+sudo chown rocky: /srv/nfs
+```
+
+ - Create the `/etc/exports` file with the following contents to export the `/srv/nfs` directory for use by our compute nodes
+ ```bash
+ /srv/nfs *(ro,no_root_squash,no_subtree_check,noatime,async,fsid=0)
+ ```
+
+ - Reload the nfs daemon
+ ```bash
+ sudo modprobe -r nfsd && sudo modprobe nfsd
+ ```
+
+### Webserver for Boot Artifacts
+
+We expose our NFS directory over https as well to make it easy to serve boot artifacts.
+
+```yaml
+# nginx.container
+[Unit]
+Description=Serve /srv/nfs over HTTP
+After=network-online.target
+Wants=network-online.target
+
+[Container]
+ContainerName=nginx
+Image=docker.io/library/nginx:1.28-alpine
+Volume=/srv/nfs:/usr/share/nginx/html:Z
+PublishPort=80:80
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+```
+
+### Import Images from OCI to Share with NFS
+
+[Import-image Script](https://github.com/OpenCHAMI/image-builder/blob/main/scripts/image-import.sh)
+
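Review bot: The prose says "Create `/opt/nfsroot`" but the commands, the `/etc/exports` line and the nginx `Volume=` all use `/srv/nfs`, so a reader following the text creates a directory nothing else references; `Create \`/srv/nfs\` to serve our images` fixes the mismatch. The export `/srv/nfs *(ro,no_root_squash,...)` grants every host that can reach the server root-level read access to the image tree, which includes any root-only files baked into an image; the page should say that the `*` is a convenience and show the client list scoped to the compute network, e.g. `/srv/nfs <compute-subnet>/<prefix>(ro,no_root_squash,no_subtree_check,noatime,async,fsid=0)` with the placeholder filled in per site. The sentence "We expose our NFS directory over https as well" does not match the unit, which publishes `80:80` and describes itself as "over HTTP"; either the text should say HTTP or the quadlet needs a TLS-terminating configuration and port. The nginx quadlet is fenced as ```yaml but is an ini-style systemd unit, so ```ini would render it correctly; `sudo chown rocky: /srv/nfs` also presumes a `rocky` user exists, which is worth stating.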