Omnia

Ansible playbook-based tools for deploying Slurm and Kubernetes clusters for High Performance Computing, Machine Learning, Deep Learning, and High-Performance Data Analytics

This project is maintained by dellhpc

Parameters in security_vars.yml and omnia_security_config.yml

Configure the below parameters to set up security on the Control Plane (/control_plane/input_params/security_vars.yml) and Login Node (omnia_security_config.yml)

Variables [Required/ Optional] Default, Accepted values Description
domain_name omnia.test The domain name should not contain an underscore ( _ )
realm_name OMNIA.TEST The realm name should follow the following rules per https://www.freeipa.org/page/Deployment_Recommendations
* The realm name must not conflict with any other existing Kerberos realm name (e.g. name used by Active Directory).
* The realm name should be upper-case (EXAMPLE.COM) version of primary DNS domain name (example.com).
max_failures 3 Failures allowed before lockout.
This value cannot currently be changed.
failure_reset_interval 60 Period (in seconds) after which the number of failed login attempts is reset
Accepted Values: 30-60
lockout_duration 10 Period (in seconds) for which users are locked out.
Accepted Values: 5-10
session_timeout 180 Period (in seconds) after which idle users get logged out automatically
Accepted Values: 30-90
alert_email_address   Email address used for sending alerts in case of authentication failure. Currently, only one email address is supported in this field.
If this variable is left blank, authentication failure alerts will be disabled.
user   Array of users that are allowed or denied based on the allow_deny value. Multiple users must be separated by a space. Accepted user value formats are: root root@xx.xx.xx.xx.
Note: If IPs are to be specified in the user value, ensure that every IP associated with the host (often 2 or more) in question is listed in the user list.
Eg: For a host with IPs xx.xx.xx.xx and yy.yy.yy.yy where root is to be restricted, the user array will contain root@xx.xx.xx.xx root@yy.yy.yy.yy
allow_deny Allow This variable sets whether the user list is Allowed or Denied.
Accepted Values: Allow, Deny
restrict_program_support false This variable sets whether the network services/protocols listed in restrict_softwares are to be blocked.
restrict_softwares   Array of services/protocols to be blocked by Omnia. Values are to be separated by commas.
Accepted values: telnet,lpd,bluetooth,rlogin,rexec
Non Accepted values: ftp,smbd,nmbd,automount,portmap
Note: This parameter is Case Sensitive.

Note: The same parameters are also available in omnia_security_config.yml to configure security for the Login Node.