Secure Slurm Solution #6
chinmaybaikar commented Jan 15, 2025
- A new VPC and subnet will now be created to spin up the Slurm solution
- The SSH access will only be allowed to the login nodes
- All VMs within the subnet can talk to each other without any restrictions
- NFS traffic is now only restricted from the subnet all the VMs are created in
pacharya-pf9 left a comment
The one problem I see here is that these changes don't seem to be backward compatible. Does deleting or managing a cluster created with the previous tf work after making this change?
I don't have a full understanding of the changes here, so feel free to ignore my feedback.
Correct! This would need to be a new release/tag since it won't be backward compatible.
||
| provisioner "local-exec" { | ||
| command = "ansible-playbook -i ansible/inventory/inventory.yml ansible/slurm.yml -f 128" | ||
| command = "ansible-playbook --ssh-common-args=\"-o StrictHostKeyChecking=no -o ProxyCommand='ssh -W %h:%p -q ${local.bastion_host} -o UserKnownHostsFile=/dev/null'\" -i ansible/inventory/inventory.yml ansible/slurm.yml -f 128" |
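
Review bot: In the new `command` line, the inner `ssh` inside `ProxyCommand` runs with `-o UserKnownHostsFile=/dev/null`, so the bastion's host key is never stored and there is nothing to compare it against on a later run, while `-q` suppresses most of the warnings that would surface a problem. Suggest pointing both the bastion hop and the outer `--ssh-common-args` at a known_hosts file that persists between runs, using `StrictHostKeyChecking=accept-new` on both, and dropping `-q` so host key warnings stay visible in the provisioner output.
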
I could recommend setting StrictHostKeyChecking=accept-new to make it interaction-free and Trust-on-First-Use, while still guarding against being MITM'ed.
Without this, a MITM between where ansible is running and Crusoe Cloud could result in secrets being sent to an untrusted destination 🙀
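
The host key concern raised in the comment above can be checked mechanically. The following is an added example, not code from this PR or the project: a Python check that extracts every ssh `-o` option from an `ansible-playbook` command line, including the inner `ssh` in `ProxyCommand`, and reports settings that turn off host key verification. The function names, the `target`/`bastion` hop labels and the `./known_hosts` path are assumptions made for the illustration.

```python
import re
import shlex

# ssh_config option (lower-cased) -> values that defeat host key verification
WEAK = {
    "stricthostkeychecking": {"no", "off"},
    "userknownhostsfile": {"/dev/null"},
}
ANSIBLE_SSH_ARGS = ("--ssh-common-args", "--ssh-extra-args")

def ssh_options(command, hop="target"):
    """Yield (hop, key, value) for each ssh -o option, following ProxyCommand."""
    tokens = shlex.split(command)
    for prev, tok in zip([""] + tokens, tokens):
        name, _, rest = tok.partition("=")
        if name in ANSIBLE_SSH_ARGS and rest:        # --ssh-common-args="..."
            yield from ssh_options(rest, hop)
        elif prev in ANSIBLE_SSH_ARGS:               # --ssh-common-args "..."
            yield from ssh_options(tok, hop)
        elif prev == "-o" or (tok.startswith("-o") and len(tok) > 2):
            opt = tok if prev == "-o" else tok[2:]   # "-o K=V" or "-oK=V"
            parts = re.split(r"\s*=\s*|\s+", opt.strip(), maxsplit=1)
            if len(parts) == 2:
                key, value = parts
                yield hop, key, value
                if key.lower() == "proxycommand":    # inner ssh is the bastion hop
                    yield from ssh_options(value, "bastion")

def weak_host_key_settings(command):
    """Return sorted (hop, option, value) findings for one command line."""
    return sorted((hop, key, value) for hop, key, value in ssh_options(command)
                  if value.lower() in WEAK.get(key.lower(), ()))

# The new command from the diff above, after HCL unescaping of \" to ".
PAGE_CMD = ('ansible-playbook --ssh-common-args="-o StrictHostKeyChecking=no '
            "-o ProxyCommand='ssh -W %h:%p -q ${local.bastion_host} "
            "-o UserKnownHostsFile=/dev/null'\" "
            "-i ansible/inventory/inventory.yml ansible/slurm.yml -f 128")
# Constructed alternative; ./known_hosts is a hypothetical path.
HARDENED_CMD = ('ansible-playbook --ssh-common-args="-o StrictHostKeyChecking=accept-new '
                "-o UserKnownHostsFile=./known_hosts -o ProxyCommand='ssh -W %h:%p "
                "${local.bastion_host} -o StrictHostKeyChecking=accept-new "
                "-o UserKnownHostsFile=./known_hosts'\" "
                "-i ansible/inventory/inventory.yml ansible/slurm.yml -f 128")

if __name__ == "__main__":
    for label, cmd in (("page", PAGE_CMD), ("hardened", HARDENED_CMD)):
        print(label, weak_host_key_settings(cmd) or "no weak host key settings")
```

`accept-new` only gives Trust-on-First-Use when the known_hosts file survives between runs; with `UserKnownHostsFile=/dev/null` every connection is a first use.
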
| ansible_host = each.value.network_interfaces[0].private_ipv4.address | ||
| instance_type = each.value.type | ||
| location = each.value.location | ||
| cidr = crusoe_vpc_subnet.slurm_vpc_subnet.cidr |
I found this name (cidr) a bit misleading when it gets referenced in the ansible as hostvars['slurm-nfs-node-0'].cidr; it maybe implied that it was taking the CIDR of the network address of the NFS node itself.
Maybe rename cidr to slurm_vpc_subnet_cidr?
Changed! Appreciate the feedback
8d855fb to 7af9e09