diff --git a/ppml/trusted-big-data-ml/python/docker-graphene/Dockerfile b/ppml/trusted-big-data-ml/python/docker-graphene/Dockerfile index 7a1fa099822..7ffb4c186d0 100644 --- a/ppml/trusted-big-data-ml/python/docker-graphene/Dockerfile +++ b/ppml/trusted-big-data-ml/python/docker-graphene/Dockerfile @@ -325,7 +325,15 @@ RUN rm $SPARK_HOME/jars/okhttp-*.jar && \ # Azure support RUN curl -sL https://aka.ms/InstallAzureCLIDeb | bash +RUN apt-get install bsdmainutils ADD azure /ppml/trusted-big-data-ml/azure +RUN chmod a+x /ppml/trusted-big-data-ml/azure/create-aks.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/deploy-local-spark-sgx.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/generate-enclave-key-az.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/generate-keys.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/generate-password-az.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/kubeconfig-secret.sh && \ + chmod a+x /ppml/trusted-big-data-ml/azure/submit-spark-sgx-az.sh WORKDIR /ppml/trusted-big-data-ml diff --git a/ppml/trusted-big-data-ml/python/docker-graphene/azure/create-aks.sh b/ppml/trusted-big-data-ml/python/docker-graphene/azure/create-aks.sh old mode 100644 new mode 100755 index 5f1c210310a..5250c4c891e --- a/ppml/trusted-big-data-ml/python/docker-graphene/azure/create-aks.sh +++ b/ppml/trusted-big-data-ml/python/docker-graphene/azure/create-aks.sh @@ -1,112 +1,145 @@ -#!/bin/bash - -usage(){ -echo "\ -`cmd` [OPTION...] ---resource-group; Set a resource group name for AKS cluster ---vnet-resource-group; vnet resource group to assign to AKS cluster ---vnet-name; vnet name to assign to AKS cluster ---subnet-name; subnet name to assign to AKS cluster ---cluster-name; AKS cluster name ---vm-size; AKS node vm size, should be DC-series, i.e. Standard_DC8ds_v3 ---node-count; AKS cluster initial node count ---help; help -" | column -t -s ";" -} - -while [ "$#" -gt 0 ]; do - case $1 in - --resource-group) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - BigDLResourceGroupName=$1 - ;; - --vnet-resource-group) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - VnetResourceGroupName=$1 - ;; - --vnet-name) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - VnetName=$1 - ;; - --subnet-name) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - SubnetName=$1 - ;; - --cluster-name) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - AKSClusterName=$1 - ;; - --vm-size) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - ConfVMSize=$1 - ;; - --node-count) - shift - if (( ! $# )); then - echo >&2 "$0: option $opt requires an argument." - exit 1 - fi - NodeCount=$1 - ;; - --help|-h) - usage - exit 0 - ;; - *) - echo >&2 "$0: unrecognized option $1." - usage - break - ;; - esac - - shift -done -region="eastus2" - -# Create Service Principle -APP_ID=$( az ad sp create-for-rbac --query id -o tsv) - -# Assign your service princile to the VNet -VNET_ID=$(az network vnet show --resource-group $VnetResourceGroupName --name $VnetName --query id -o tsv) -SUBNET_ID=$(az network vnet subnet show --resource-group $VnetResourceGroupName --vnet-name $VnetName --name $SubnetName --query id -o tsv) -az role assignment create --assignee $APP_ID --scope "/subscriptions/xxx/resourceGroups/$VnetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$SubnetName" --role "Network Contributor" - -# Create aks cluster and enable confidential compute add-on -ConfVMSize="Standard_DC8ds_v3" - -az aks create \ - --resource-group $BigDLResourceGroupName \ - --name $AKSClusterName \ - --node-count $NodeCount \ - --node-vm-size $ConfVMSize \ - --vm-set-type AvailabilitySet \ - --network-plugin azure \ - --generate-ssh-keys \ - --vnet-subnet-id $SUBNET_ID \ - --service-principal $APP_ID \ - --enable-managed-identity \ - --enable-addons confcom \ No newline at end of file +#!/bin/bash + +usage() +{ + echo "\ + create-aks.sh [OPTION...] + --resource-group; Set a resource group name for AKS cluster + --vnet-resource-group; vnet resource group to assign to AKS cluster + --vnet-name; vnet name to assign to AKS cluster + --subnet-name; subnet name to assign to AKS cluster + --cluster-name; AKS cluster name + --vm-size; AKS node vm size, should be DC-series, i.e. Standard_DC8ds_v3 + --node-count; AKS cluster initial node count + --location; AKS's region + --help; help + " | column -t -s ";" +} + +if [ "$#" -eq 0 ]; then + usage + exit 1 +fi + +while [ "$#" -gt 0 ]; do + case $1 in + --resource-group) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + BigDLResourceGroupName=$1 + ;; + --vnet-resource-group) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + VnetResourceGroupName=$1 + ;; + --vnet-name) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + VnetName=$1 + ;; + --subnet-name) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + SubnetName=$1 + ;; + --cluster-name) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + AKSClusterName=$1 + ;; + --vm-size) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + ConfVMSize=$1 + ;; + --node-count) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + NodeCount=$1 + ;; + --location) + shift + if (( ! $# )); then + echo >&2 "$0: option $opt requires an argument." + exit 1 + fi + region=$1 + ;; + --help|-h) + usage + exit 0 + ;; + *) + echo >&2 "$0: unrecognized option $1." + usage + break + ;; + esac + + shift +done +#region="eastus2" +echo "BigDLResourceGroupName: $BigDLResourceGroupName" +echo "AKSClusterName: $AKSClusterName" +echo "NodeCount: $NodeCount" +echo "ConfVMSize: $ConfVMSize" +echo "region: $region" + +# Create Service Principle +appinfo=$(az ad sp create-for-rbac --query "[appId, password]" -o tsv) +readarray -d $'\n' -t app <<< $appinfo +APP_ID=${app[0]} +PASSWORD=${app[1]} +echo "APP_ID: $APP_ID" + +# Assign your service princile to the VNet +VNET_ID=$(az network vnet show --resource-group $VnetResourceGroupName --name $VnetName --query id -o tsv) +echo "VNET_ID: $VNET_ID" +SUBNET_ID=$(az network vnet subnet show --resource-group $VnetResourceGroupName --vnet-name $VnetName --name $SubnetName --query id -o tsv) +echo "SUBNET_ID: $SUBNET_ID" + +subscriptionId="$(az account list --query "[?isDefault].id" -o tsv)" +echo "subscriptionId: $subscriptionId" + +az role assignment create --assignee $APP_ID --scope "/subscriptions/$subscriptionId/resourceGroups/$VnetResourceGroupName/providers/Microsoft.Network/virtualNetworks/$VnetName" --role "Network Contributor" + +# Create aks cluster and enable confidential compute add-on +#ConfVMSize="Standard_DC8ds_v3" + +az aks create \ + --resource-group $BigDLResourceGroupName \ + --name $AKSClusterName \ + --node-count $NodeCount \ + --node-vm-size $ConfVMSize \ + --vm-set-type AvailabilitySet \ + --network-plugin azure \ + --generate-ssh-keys \ + --vnet-subnet-id $SUBNET_ID \ + --enable-managed-identity \ + --enable-addons confcom \ + --location $region \ + --service-principal $APP_ID \ + --client-secret $PASSWORD +