Merge branch 'develop' into develop
hgreebe authored Jan 17, 2024
2 parents aa792be + 517e55d commit 4479020
Showing 19 changed files with 326 additions and 11 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -39,7 +39,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
- Upgrade CUDA Toolkit to version 12.2.2.
- Use Open Source NVIDIA GPU drivers (OpenRM) as NVIDIA kernel module for Linux instead of NVIDIA closed source module.
- Do not wait for static nodes in maintenance to signal CFN that the head node initialization is complete.
- Upgrade EFA installer to `1.29.0`.
- Upgrade EFA installer to `1.29.1`.
- Efa-driver: `efa-2.6.0-1`
- Efa-config: `efa-config-1.15-1`
- Efa-profile: `efa-profile-1.5-1`
7 changes: 7 additions & 0 deletions cookbooks/aws-parallelcluster-entrypoints/recipes/update.rb
Expand Up @@ -19,10 +19,17 @@
# generate the updated shared storages mapping file
include_recipe 'aws-parallelcluster-environment::update_fs_mapping'

if node["cluster"]["node_type"] == "ComputeFleet"
Chef::Log.info("Dummy log line to prove that update is triggered on compute node")
return
end

include_recipe 'aws-parallelcluster-environment::directory_service'
include_recipe 'aws-parallelcluster-slurm::update' if node['cluster']['scheduler'] == 'slurm'

# Update node package - useful for development purposes only
if is_custom_node?
include_recipe 'aws-parallelcluster-computefleet::update_parallelcluster_node'
end

sudo_access "Update Sudo Access" if node['cluster']['scheduler'] == 'slurm'
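Review bot: The early `return` for `ComputeFleet` in the new guard means compute nodes never reach `sudo_access "Update Sudo Access"` at the end of the recipe, so a change to `disable_sudo_access_for_default_user` delivered through an update would be applied on the head node while running compute nodes keep their previous sudoers state. If that is intended because compute nodes are replaced when this setting changes, a comment above the `return` should say so; otherwise the `sudo_access` call belongs before the guard. The update call is also gated on `node['cluster']['scheduler'] == 'slurm'`, whereas `recipes/config.rb` in this commit applies `sudo_access` unconditionally, so the two paths can disagree on non-Slurm clusters. The `Chef::Log.info("Dummy log line ...")` message reads like leftover debugging and should be replaced with a real message or dropped.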
Expand Up @@ -17,8 +17,8 @@
# EFA setup: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa-start.html
#

property :efa_version, String, default: '1.29.0'
property :efa_checksum, String, default: '836655f87015547e733e7d9f7c760e4e24697f8bbc261bb5f3560abd4206bc36'
property :efa_version, String, default: '1.29.1'
property :efa_checksum, String, default: '178b263b8c25845b63dc93b25bcdff5870df5204ec509af26f43e8d283488744'

action :setup do
if efa_installed? && !::File.exist?(efa_tarball)
Expand Up @@ -2,8 +2,8 @@

# parallelcluster default source dir defined in attributes
source_dir = '/opt/parallelcluster/sources'
efa_version = '1.29.0'
efa_checksum = '836655f87015547e733e7d9f7c760e4e24697f8bbc261bb5f3560abd4206bc36'
efa_version = '1.29.1'
efa_checksum = '178b263b8c25845b63dc93b25bcdff5870df5204ec509af26f43e8d283488744'

class ConvergeEfa
def self.setup(chef_run)
16 changes: 16 additions & 0 deletions cookbooks/aws-parallelcluster-platform/kitchen.platform-config.yml
Expand Up @@ -199,3 +199,19 @@ suites:
verifier:
controls:
- /tag:config_supervisord/
- name: sudo_access
run_list:
- recipe[aws-parallelcluster-tests::setup]
- recipe[aws-parallelcluster-tests::test_resource]
verifier:
controls:
- /tag:config_sudo_access/
attributes:
resource: sudo_access:setup
cluster:
## Test to check if sudo access for default user is disabled (Disable Action)
## The test runs with default user, it will fail to check the files content as it does not have sudo access anymore if we don't override with pcluster-admin
cluster_user: 'pcluster-admin'
disable_sudo_access_for_default_user: 'true'
# Test to check if sudo access for default user is enabled (Enable Action)
# disable_sudo_access_for_default_user: 'false'
2 changes: 1 addition & 1 deletion cookbooks/aws-parallelcluster-platform/recipes/config.rb
Expand Up @@ -14,6 +14,7 @@
include_recipe 'aws-parallelcluster-platform::openssh'
include_recipe 'aws-parallelcluster-platform::sudo_config'
include_recipe 'aws-parallelcluster-platform::cluster_user'
sudo_access "Setup Sudo Access of Default User"
include_recipe 'aws-parallelcluster-platform::networking'
include_recipe 'aws-parallelcluster-platform::nvidia_config'
sticky_bits 'setup sticky bits'
Expand All @@ -24,5 +25,4 @@
# Supervisord configuration must be executed after DCV because dcv external authenticator is part of it
include_recipe 'aws-parallelcluster-platform::supervisord_config'
fetch_config 'Fetch and load cluster configs'

include_recipe 'aws-parallelcluster-platform::config_login' if node['cluster']['node_type'] == 'LoginNode'
@@ -0,0 +1,57 @@
# frozen_string_literal: true
#
# Copyright:: 2013-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

unified_mode true
default_action :setup

property :user_name, String, default: node['cluster']['cluster_user']

action :setup do
node['cluster']['disable_sudo_access_for_default_user'] == 'true' ? action_disable : action_enable
end

action :enable do
Chef::Log.info("Enabling Sudo Access for #{new_resource.user_name}")
# Enable sudo access for default user
template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do
only_if { ::File.exist? "/etc/sudoers.d/99-parallelcluster-revoke-sudo-access" }
source 'sudo_access/99-parallelcluster-revoke-sudo.erb'
cookbook 'aws-parallelcluster-platform'
action :delete
end
end

action :disable do
Chef::Log.info("Disabling Sudo Access for #{new_resource.user_name}")
replace_or_add "Disable Sudo Access for #{new_resource.user_name}" do
path "/etc/sudoers"
pattern "^#{new_resource.user_name}*"
line ""
remove_duplicates true
replace_only true
end

# Disable sudo access for default user
template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do
source 'sudo_access/99-parallelcluster-revoke-sudo.erb'
cookbook 'aws-parallelcluster-platform'
owner 'root'
group 'root'
mode '0600'
variables(
user_name: new_resource.user_name
)
action :create
end
end
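Review bot: The `pattern "^#{new_resource.user_name}*"` in the disable action is a prefix match rather than a match on the user name: `*` quantifies only the last character and nothing anchors the end, so for `ubuntu` it also blanks any `/etc/sudoers` line that starts with `ubunt`, including an entry for a different account sharing that prefix, and regex metacharacters in the name are interpreted as such. Escaping the name and requiring a delimiter after it keeps the edit to the intended principal, e.g. `pattern "^#{Regexp.escape(new_resource.user_name)}\\s"`. Neither write to sudoers content is syntax-checked; the `template` block could carry `verify 'visudo -cf %{path}'` so that a malformed drop-in never lands in `/etc/sudoers.d`. The enable action only deletes the drop-in and does not restore lines that disable blanked in `/etc/sudoers`, which deserves a comment above `action :enable` since the two actions are not inverses.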
@@ -0,0 +1,17 @@
# frozen_string_literal: true

# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

provides :sudo_access, platform: 'amazon', platform_version: '2'

use 'partial/_sudo_access_common.rb'
@@ -0,0 +1,19 @@
# frozen_string_literal: true

# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

provides :sudo_access, platform: 'centos' do |node|
node['platform_version'].to_i == 7
end

use 'partial/_sudo_access_common.rb'
@@ -0,0 +1,19 @@
# frozen_string_literal: true

# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

provides :sudo_access, platform: 'redhat' do |node|
node['platform_version'].to_i == 8
end

use 'partial/_sudo_access_common.rb'
@@ -0,0 +1,19 @@
# frozen_string_literal: true

# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

provides :sudo_access, platform: 'rocky' do |node|
node['platform_version'].to_i == 8
end

use 'partial/_sudo_access_common.rb'
@@ -0,0 +1,19 @@
# frozen_string_literal: true

# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License").
# You may not use this file except in compliance with the License.
# A copy of the License is located at
#
# http://aws.amazon.com/apache2.0/
#
# or in the "LICENSE.txt" file accompanying this file.
# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
# See the License for the specific language governing permissions and limitations under the License.

provides :sudo_access, platform: 'ubuntu' do |node|
node['platform_version'].to_i >= 20
end

use 'partial/_sudo_access_common.rb'
Expand Up @@ -29,6 +29,7 @@

it 'has the correct content' do
is_expected.to render_file('/etc/parallelcluster/parallelcluster_supervisord.conf')
.with_content("[program:cfn-hup]")
.with_content("[program:clustermgtd]")
.with_content("[program:clusterstatusmgtd]")
.with_content("[program:pcluster_dcv_authenticator]")
Expand Down Expand Up @@ -69,6 +70,7 @@

it 'has the correct content' do
is_expected.to render_file('/etc/parallelcluster/parallelcluster_supervisord.conf')
.with_content("[program:cfn-hup]")
.with_content("[program:computemgtd]")

is_expected.not_to render_file('/etc/parallelcluster/parallelcluster_supervisord.conf')
Expand All @@ -91,6 +93,7 @@
.with_content("[program:loginmgtd]")

is_expected.not_to render_file('/etc/parallelcluster/parallelcluster_supervisord.conf')
.with_content("[program:cfn-hup]")
.with_content("[program:pcluster_dcv_authenticator]")
end
end
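Review bot: In the login-node example, adding `.with_content("[program:cfn-hup]")` to the chain under `is_expected.not_to render_file(...)` gives a weak negative check: ChefSpec's `render_file` matcher appears to require every chained `with_content` value to match, so the negated form passes as soon as any one of them is absent. A regression that renders `[program:cfn-hup]` on login nodes would then go unnoticed as long as `[program:pcluster_dcv_authenticator]` stays out of the file. Splitting it into one `is_expected.not_to render_file(...).with_content(...)` statement per program section asserts each absence on its own. The same applies to the `not_to` chain that starts at the end of the compute-node hunk; both `it` blocks begin or continue outside the visible hunks.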
@@ -0,0 +1,81 @@
require 'spec_helper'

class ConvergeDisableSudoAccess
def self.setup(chef_run)
chef_run.converge_dsl('aws-parallelcluster-platform') do
sudo_access 'setup' do
action :setup
end
end
end
end

describe 'sudo_access:setup' do
for_all_oses do |platform, version|
context "on #{platform}#{version}" do
cached(:default_user) { 'ubuntu' }
let(:chef_run) do
runner(platform: platform, version: version, step_into: ['sudo_access']) do |node|
node.override['cluster']['cluster_user'] = default_user
end
end

context "when disable_sudo_access_for_default_user is true" do
before do
chef_run.node.override['cluster']['disable_sudo_access_for_default_user'] = 'true'
ConvergeDisableSudoAccess.setup(chef_run)
end

it('it disables sudo access for default user') do
is_expected.to edit_replace_or_add("Disable Sudo Access for #{default_user}").with(
path: '/etc/sudoers',
pattern: "^#{default_user}*",
line: "",
remove_duplicates: true,
replace_only: true
)
is_expected.to create_template("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access").with(
source: 'sudo_access/99-parallelcluster-revoke-sudo.erb',
cookbook: 'aws-parallelcluster-platform',
user: 'root',
group: 'root',
mode: '0600',
variables: {
user_name: default_user,
}
)
end
end

context "when disable_sudo_access_for_default_user is false" do
before do
chef_run.node.override['cluster']['disable_sudo_access_for_default_user'] = 'false'
end

context 'and 99-parallelcluster-revoke-sudo-access file doesnt exist' do
before do
mock_file_exists("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access", false)
ConvergeDisableSudoAccess.setup(chef_run)
end
it('it enables sudo access for default user') do
is_expected.not_to delete_template('/etc/sudoers.d/99-parallelcluster-revoke-sudo-access').with(
source: "sudo_access/99-parallelcluster-revoke-sudo.erb"
)
end
end

context 'and 99-parallelcluster-revoke-sudo-access file exists' do
before do
mock_file_exists("/etc/sudoers.d/99-parallelcluster-revoke-sudo-access", true)
ConvergeDisableSudoAccess.setup(chef_run)
end
it('it enables sudo access for default user') do
is_expected.to delete_template('/etc/sudoers.d/99-parallelcluster-revoke-sudo-access').with(
source: "sudo_access/99-parallelcluster-revoke-sudo.erb"
)
end
end
end
end
end
end
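Review bot: Both examples under the `'false'` context are titled `'it enables sudo access for default user'`, although the first asserts that no delete happens when the revoke file is absent; distinct titles such as `it 'does not delete the revoke file when it is absent'` and `it 'deletes the revoke file'` make failures readable, and the leading "it" inside each `it('it ...')` string duplicates the keyword. The helper class is named `ConvergeDisableSudoAccess` but converges `action :setup`, which covers both paths. The disable example pins the pattern `"^#{default_user}*"` exactly as the resource builds it, so the spec cannot show which sudoers lines that pattern selects; a short plain-Ruby expectation of the pattern against sample lines would document the intended match.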
@@ -0,0 +1 @@
<%= @user_name %> ALL=(ALL) !ALL
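Review bot: The Runas spec in `<%= @user_name %> ALL=(ALL) !ALL` lists run-as users only, so per the sudoers matching rules this deny entry is not selected for a request that names a run-as group, and an earlier grant written with `(ALL:ALL)` could remain the last match for such a request. Writing the rule as `<%= @user_name %> ALL=(ALL:ALL) !ALL` covers both forms. Because sudoers applies the last matching entry, the revoke also relies on no drop-in sorting after `99-parallelcluster-revoke-sudo-access`; a `#` comment line at the top of the template stating that ordering assumption would help whoever adds the next file under `/etc/sudoers.d`.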
@@ -1,17 +1,22 @@
# Generated by Chef for AWS ParallelCluster <%= node['cluster']['node_type'] -%>
# Local modifications could be overwritten.
<%# HeadNode, ComputeFleet -%>
<% case node['cluster']['node_type'] -%>
<%# HeadNode -%>
<% when 'HeadNode' -%>
<% when 'HeadNode', 'ComputeFleet' -%>
[program:cfn-hup]
command = <%= node['cluster']['scripts_dir']%>/cfn-hup-runner.sh
autorestart = true
redirect_stderr = true
stdout_logfile = /var/log/parallelcluster/cfn-hup-runner.log
stdout_logfile_maxbytes = 1MB
<% if @region.start_with?('us-iso') -%>
environment = AWS_CA_BUNDLE="<%= @aws_ca_bundle %>"
environment = AWS_CA_BUNDLE="<%= @aws_ca_bundle %>"
<% end -%>
<% end -%>

<% case node['cluster']['node_type'] -%>
<%# HeadNode -%>
<% when 'HeadNode' -%>
<% if node['cluster']['scheduler'] == 'slurm' -%>
[program:clustermgtd]
command = <%= node_virtualenv_path %>/bin/clustermgtd