towk/openchami-wiki
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

chore: updated some of the use cases docs

Browse source
This commit is contained in:
David Allen 2025-07-22 12:41:08 -06:00
parent 6908f9bdd1
commit fe08ffa0dd
Signed by: towk
GPG key ID: 793B2924A49B3A3F
3 changed files with 131 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Use Cases/Adding SLURM and MPI to the Compute Node.md
View file

@ -157,11 +157,11 @@ main(int argc, char **argv)
{ {
int node; int node;
MPI_Init(&argc,&argv); MPI_Init(&argc, &argv);
MPI_Comm_rank(MPI_COMM_WORLD, &node); MPI_Comm_rank(MPI_COMM_WORLD, &node);
printf("Hello World from Node %d\n",node); printf("Hello World from Node %d\n",node);
MPI_Finalize(); MPI_Finalize();
} }
``` ```

84
Use Cases/Enable WireGuard Security for the `cloud-init-server`.md
View file

@ -1 +1,83 @@
When nodes boot in OpenCHAMI, they make a request out to the `cloud-init-server` to retrieve a cloud-init config. The request is not encrypted and can be intercepted and modified. When nodes boot in OpenCHAMI, they make a request out to the `cloud-init-server` to retrieve a cloud-init config. The request is not encrypted and can be intercepted and modified.
# Using WireGuard with Cloud-Init
The OpenCHAMI cloud-init metadata server includes a feature to enable a wireguard tunnel **before** running cloud-init.
## Create a systemd override file for cloud-init
```ini
[Service]
PassEnvironment=ochami_wg_ip
ExecStartPre=/usr/local/bin/ochami-wg-cloud-init-setup.sh
ExecPostStop=/bin/bash -c "ip link delete wg0"
```
## Create a Script to Activate WireGuard
```bash
#!/bin/sh
set -e -o pipefail
# As configured in systemd, we expect to inherit the "ochami_wg_url" cmdline
# parameter as an env var. Exit if this is not the case.
if [ -z "${ochami_wg_ip}" ];
then
echo "ERROR: Failed to find the 'ochami_wg_url' environment variable."
echo "It should be specified on the kernel cmdline, and will be inherited from there."
if [ -f "/etc/cloud/cloud.cfg.d/ochami.cfg" ];
then
echo "Removing ochami-specific cloud-config; cloud-init will use other defaults"
rm /etc/cloud/cloud.cfg.d/ochami.cfg
else
echo "Not writing ochami-specific cloud-config; cloud-init will use other defaults"
fi
exit 0
fi
echo "Found OpenCHAMI cloud-init URL '${ochami_wg_ip}'"
echo "!!!!Starting pre cloud-init config!!!!"
echo "Loading WireGuard kernel mod"
modprobe wireguard
echo "Generating WireGuard keys"
wg genkey | tee /etc/wireguard/private.key | wg pubkey > /etc/wireguard/public.key
echo "Making Request to configure wireguard tunnel"
PUBLIC_KEY=$(cat /etc/wireguard/public.key)
PAYLOAD="{ \"public_key\": \"${PUBLIC_KEY}\" }"
WG_PAYLOAD=$(curl -s -X POST -d "${PAYLOAD}" http://${ochami_wg_ip}:27777/cloud-init/wg-init)
echo $WG_PAYLOAD | jq
CLIENT_IP=$(echo $WG_PAYLOAD | jq -r '."client-vpn-ip"')
SERVER_IP=$(echo $WG_PAYLOAD | jq -r '."server-ip"' | awk -F'/' '{print $1}')
SERVER_PORT=$(echo $WG_PAYLOAD | jq -r '."server-port"')
SERVER_KEY=$(echo $WG_PAYLOAD | jq -r '."server-public-key"')
echo "Setting up local wireguard interface"
echo "Adding wg0 link"
ip link add dev wg0 type wireguard
echo "Adding ip address ${CLIENT_IP}/32"
ip address add dev wg0 ${CLIENT_IP}/32
echo "Setting the private key"
wg set wg0 private-key /etc/wireguard/private.key
echo "Bringing up the wg0 link"
ip link set wg0 up
echo "Setting up the peer with the server"
wg set wg0 peer ${SERVER_KEY} allowed-ips ${SERVER_IP}/32 endpoint ${ochami_wg_ip}:$SERVER_PORT
rm /etc/wireguard/private.key
rm /etc/wireguard/public.key
```
## Add the Scripts to Your Image
```yaml
copyfiles:
- src: '/opt/workdir/images/files/cloud-init-override.conf'
dest: '/etc/systemd/system/cloud-init.service.d/override.conf'
- src: '/opt/workdir/images/files/ochami-ci-setup.sh'
dest: '/usr/local/bin/ochami-ci-setup.sh'
```
## Restart `cloud-init-server` with WireGuard

45
Use Cases/Serving the Root Filesystem with NFS (import-image.sh).md
View file

@ -18,3 +18,48 @@ Reload the NFS daemon to apply the changes.
modprobe -r nfsd && modprobe nfsd modprobe -r nfsd && modprobe nfsd
``` ```
For NFS, we need to update the /etc/exports file and then reload the kernel nfs daemon
Create `/opt/nfsroot` to serve our images
```bash
sudo mkdir /srv/nfs
sudo chown rocky: /srv/nfs
```
- Create the `/etc/exports` file with the following contents to export the `/srv/nfs` directory for use by our compute nodes
```bash
/srv/nfs *(ro,no_root_squash,no_subtree_check,noatime,async,fsid=0)
```
- Reload the nfs daemon
```bash
sudo modprobe -r nfsd && sudo modprobe nfsd
```
### Webserver for Boot Artifacts
We expose our NFS directory over https as well to make it easy to serve boot artifacts.
```yaml
# nginx.container
[Unit]
Description=Serve /srv/nfs over HTTP
After=network-online.target
Wants=network-online.target
[Container]
ContainerName=nginx
Image=docker.io/library/nginx:1.28-alpine
Volume=/srv/nfs:/usr/share/nginx/html:Z
PublishPort=80:80
[Service]
TimeoutStartSec=0
Restart=always
```
### Import Images from OCI to Share with NFS
[Import-image Script](https://github.com/OpenCHAMI/image-builder/blob/main/scripts/image-import.sh)