feat: add os_user and os_env_vars for use by deadline vfs #104
Conversation
| @@ -327,6 +332,9 @@ def get_launch_environ(cls) -> dict: | |||
| ] = f"{Fus3ProcessManager.find_fus3_link_dir()}{os.pathsep}{os.environ['PATH']}" | |||
| my_env["LD_LIBRARY_PATH"] = Fus3ProcessManager.get_library_path() # type: ignore[assignment] | |||
|
|
|||
| my_env["AWS_CONFIG_FILE"] = str(Path(f"~{self._os_user}/.aws/config").expanduser()) | |||
There was a problem hiding this comment.
Shouldn't the path be f"~/{self._os_user}/.aws/config" with a slash after the tilde? Or does the _os_user variable come with a slash prepended?
There was a problem hiding this comment.
Neither, the expanduser method returns a new path with both ~ and ~user constructs expanded, so it provides the first slash
There was a problem hiding this comment.
Shouldn't the caller control this through the os_env_vars argument?
deadline vfs Signed-off-by: Nathan Matthews <[email protected]>
Signed-off-by: Nathan Matthews <[email protected]>
Signed-off-by: Nathan Matthews <[email protected]>
containing the AWS_PROFILE for use by the VFS Signed-off-by: Nathan Matthews <[email protected]>
natmatn
force-pushed
the
natmatn/deadline_vfs_user
branch
from
ecff747 to
b8772d0
Compare
| @@ -400,6 +402,9 @@ def sync_inputs( | |||
| if ( | |||
| attachments.fileSystem == JobAttachmentsFileSystem.VIRTUAL.value | |||
| and sys.platform != "win32" | |||
| and fs_permission_settings is not None | |||
There was a problem hiding this comment.
Question - does this mean if a user turns off the jobRunAsUser feature, the VFS will stop working?
There was a problem hiding this comment.
Is it possible to turn off that feature? I thought it was a required field of the create-queue request
There was a problem hiding this comment.
It is required, but users can opt-out by entering blank values for the jobRunAsUser → user and jobRunAsUser → group.
There was a problem hiding this comment.
Ah, you're right. Those fs_permission_settings are still using job-user when those fields are empty, which explains why my testing didn't encounter an issue here.
There was a problem hiding this comment.
Discussed offline and we will address this in a follow-up fix.
| @@ -327,6 +332,9 @@ def get_launch_environ(cls) -> dict: | |||
| ] = f"{Fus3ProcessManager.find_fus3_link_dir()}{os.pathsep}{os.environ['PATH']}" | |||
| my_env["LD_LIBRARY_PATH"] = Fus3ProcessManager.get_library_path() # type: ignore[assignment] | |||
|
|
|||
| my_env["AWS_CONFIG_FILE"] = str(Path(f"~{self._os_user}/.aws/config").expanduser()) | |||
There was a problem hiding this comment.
Shouldn't the caller control this through the os_env_vars argument?
| os_group (str): The target operating system group for ownership. | ||
| dir_mode (int): The permission mode to be added to directories. | ||
| file_mode (int): The permission mode to be added to files. | ||
| """ | ||
|
|
||
| os_user: str |
There was a problem hiding this comment.
Do we still need this change? I believe it will have no effect if we are going with the solution to have the caller pass environment variables.
There was a problem hiding this comment.
The environment variables being passed only contain the AWS_PROFILE so I still need to get the Config file path on the other side
There was a problem hiding this comment.
We discussed offline. While I maintain that a cleaner interface would be to have the worker agent pass AWS_CONFIG_FILE in the os_env_vars argument, it requires greater effort on the worker agent side and the code architecture there is not very conducive to this solution.
I'd like to revisit this later, but for now I'm okay merging this due to time constraints.
jusiskin
changed the title
What was the problem/requirement? (What/Why)
Queue credentials for the working session are stored and accessed in the deadline-cloud-worker-agent using the
os_user's aws config file. This is used to create a boto3 session that deadline-cloud uses to sync inputs in the Copied method. This session can't be passed to the deadline_vfs subprocess so another path is needed to retrieve them.What was the solution? (How)
Add
os_userto theFileSystemPermissionSettingsand anos_env_varsargument toAssetSync.sync_inputs(...)which can be used to configure the AWS config file path and AWS profile that is setup by the worker agent. If these details don't exist, theCOPIEDfallback is used in place of theVIRTUALinput sync method.What is the impact of this change?
The Deadline worker agent will be able to configure the Deadline VFS to use the AWS credentials it vends for the queue and sync inputs for the job.
How was this change tested?
VIRTUALandCOPIEDjobsWas this change documented?
No
Is this a breaking change?
Yes, adding the new
os_userrequired field requires a code change on the worker agent side. I've got another PR in the works to have thedeadline-cloud-worker-agentprovide this information from the session to thesync_inputsmethod