stormreply · mapk-amazon · Jul 23, 2024 · Aug 5, 2024 · Aug 14, 2024 · Jul 19, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,9 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 ------
 
 **ENHANCEMENTS**
-- Allow custom actions on Login Nodes.
+- Allow custom actions on login nodes.
+- Allow DCV connection on login nodes.
+- Add new attribute `efs_access_point_ids` to specify optional EFS access points for the mounts
 
 **BUG FIXES**
 - Fix EFA kmod installation with RHEL 8.10 or newer.

diff --git a/cookbooks/aws-parallelcluster-environment/attributes/environment.rb b/cookbooks/aws-parallelcluster-environment/attributes/environment.rb
@@ -16,7 +16,7 @@
 # IMDS
 default['cluster']['head_node_imds_secured'] = 'true'
 default['cluster']['head_node_imds_allowed_users'] = ['root', node['cluster']['cluster_admin_user'], node['cluster']['cluster_user'] ]
-default['cluster']['head_node_imds_allowed_users'].append('dcv') if node['cluster']['dcv_enabled'] == 'head_node' && dcv_installed?
+default['cluster']['head_node_imds_allowed_users'].append('dcv') if (node['cluster']['dcv_enabled'] == 'head_node' || node['cluster']['dcv_enabled'] == 'login_node') && dcv_installed?
 
 # ParallelCluster internal variables to configure active directory service
 default['cluster']["directory_service"]["domain_name"] = nil
@@ -37,6 +37,7 @@
 default['cluster']['efs_fs_ids'] = ''
 default['cluster']['efs_encryption_in_transits'] = ''
 default['cluster']['efs_iam_authorizations'] = ''
+default['cluster']['efs_access_point_ids'] = ''
 default['cluster']['fsx_shared_dirs'] = ''
 default['cluster']['fsx_fs_ids'] = ''
 default['cluster']['fsx_dns_names'] = ''

diff --git a/cookbooks/aws-parallelcluster-environment/files/cloudwatch/cloudwatch_agent_config.json b/cookbooks/aws-parallelcluster-environment/files/cloudwatch/cloudwatch_agent_config.json
@@ -296,12 +296,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -379,12 +380,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -398,12 +400,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -417,12 +420,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -436,12 +440,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -455,12 +460,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },
@@ -474,12 +480,13 @@
       ],
       "platforms": {{ default_platforms | tojson}},
       "node_roles": [
-        "HeadNode"
+        "HeadNode",
+        "LoginNode"
       ],
       "feature_conditions": [
         {
           "dna_key": "dcv_enabled",
-          "satisfying_values": ["head_node"]
+          "satisfying_values": ["head_node", "login_node"]
         }
       ]
     },

diff --git a/cookbooks/aws-parallelcluster-environment/recipes/config/efs.rb b/cookbooks/aws-parallelcluster-environment/recipes/config/efs.rb
@@ -15,6 +15,7 @@
 id_array = node['cluster']['efs_fs_ids'].split(',')
 encryption_array = node['cluster']['efs_encryption_in_transits'].split(',')
 iam_array = node['cluster']['efs_iam_authorizations'].split(',')
+access_point_id_array = node['cluster']['efs_access_point_ids'].split(',')
 
 # Identify the previously mounted filesystems and remove them from the set of filesystems to mount
 shared_dir_array.each_with_index do |dir, index|
@@ -23,6 +24,7 @@
   id_array.delete_at(index)
   encryption_array.delete_at(index)
   iam_array.delete_at(index)
+  access_point_id_array.delete_at(index)
 end
 
 # Mount EFS directories with the efs resource
@@ -31,6 +33,7 @@
   efs_fs_id_array id_array
   efs_encryption_in_transit_array encryption_array
   efs_iam_authorization_array iam_array
+  efs_access_point_id_array access_point_id_array
   action :mount
   not_if { shared_dir_array.empty? }
 end
diff --git a/cookbooks/aws-parallelcluster-environment/recipes/config/mount_home.rb b/cookbooks/aws-parallelcluster-environment/recipes/config/mount_home.rb
@@ -61,6 +61,7 @@
         efs_encryption_in_transit_array [node['cluster']['efs_encryption_in_transits'].split(',')[index]]
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
         efs_mount_point_array ['/home']
+        efs_access_point_id [node['cluster']['efs_access_point_ids'].split(',')[index]]
         action :mount
       end
       break
@@ -73,6 +74,7 @@
         efs_fs_id_array [node['cluster']['efs_fs_ids'].split(',')[index]]
         efs_encryption_in_transit_array [node['cluster']['efs_encryption_in_transits'].split(',')[index]]
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
+        efs_access_point_id [node['cluster']['efs_access_point_ids'].split(',')[index]]
         action :mount
       end
       break

diff --git a/cookbooks/aws-parallelcluster-environment/resources/cloudwatch/partial/_cloudwatch_common.rb b/cookbooks/aws-parallelcluster-environment/resources/cloudwatch/partial/_cloudwatch_common.rb
@@ -175,7 +175,6 @@ def package_path
   execute "cloudwatch-agent-start" do
     user 'root'
     timeout 300
-    command "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s"
-    not_if "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a status | grep status | grep running"
+    command "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a append-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s || /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s"
   end unless node['cluster']['cw_logging_enabled'] != 'true' || on_docker?
 end
diff --git a/cookbooks/aws-parallelcluster-environment/resources/efs/partial/_mount_umount.rb b/cookbooks/aws-parallelcluster-environment/resources/efs/partial/_mount_umount.rb
@@ -18,6 +18,7 @@
 property :efs_fs_id_array, Array, required: %i(mount unmount)
 property :efs_encryption_in_transit_array, Array, required: false
 property :efs_iam_authorization_array, Array, required: false
+property :efs_access_point_id_array, Array, required: false
 # This is the mount point on the EFS itself, as opposed to the local system directory, defaults to "/"
 property :efs_mount_point_array, Array, required: false
 property :efs_unmount_forced_array, Array, required: false
@@ -28,19 +29,23 @@
   efs_fs_id_array = new_resource.efs_fs_id_array.dup
   efs_encryption_in_transit_array = new_resource.efs_encryption_in_transit_array.dup
   efs_iam_authorization_array = new_resource.efs_iam_authorization_array.dup
+  efs_access_point_id_array = new_resource.efs_access_point_id_array.dup
   efs_mount_point_array = new_resource.efs_mount_point_array.dup
 
   efs_fs_id_array.each_with_index do |efs_fs_id, index|
     efs_shared_dir = efs_shared_dir_array[index]
     efs_encryption_in_transit = efs_encryption_in_transit_array[index] unless efs_encryption_in_transit_array.nil?
     efs_iam_authorization = efs_iam_authorization_array[index] unless efs_iam_authorization_array.nil?
+    efs_access_point_id = efs_access_point_id_array[index] unless efs_access_point_id_array.nil?
 
     # Path needs to be fully qualified, for example "shared/temp" becomes "/shared/temp"
     efs_shared_dir = "/#{efs_shared_dir}" unless efs_shared_dir.start_with?('/')
 
     # See reference of mount options: https://docs.aws.amazon.com/efs/latest/ug/automount-with-efs-mount-helper.html
     mount_options = "_netdev,noresvport"
-    if efs_encryption_in_transit == "true"
+    if efs_access_point_id
+      mount_options = "iam,tls,access_point=#{efs_access_point_id}"
+    elsif efs_encryption_in_transit == "true"
       mount_options += ",tls"
       if efs_iam_authorization == "true"
         mount_options += ",iam"

diff --git a/cookbooks/aws-parallelcluster-environment/spec/unit/resources/cloudwatch_spec.rb b/cookbooks/aws-parallelcluster-environment/spec/unit/resources/cloudwatch_spec.rb
@@ -255,7 +255,7 @@ def self.configure(chef_run)
           is_expected.to run_execute("cloudwatch-agent-start").with(
             user: 'root',
             timeout: 300,
-            command: "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s"
+            command: "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a append-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s || /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s"
           )
         end
       end
@@ -309,8 +309,12 @@ def self.configure(chef_run)
           ConvergeCloudWatch.configure(runner)
         end
 
-        it 'does not start cloudwatch' do
-          is_expected.not_to run_execute("cloudwatch-agent-start")
+        it 'starts cloudwatch agent' do
+          is_expected.to run_execute("cloudwatch-agent-start").with(
+            user: 'root',
+            timeout: 300,
+            command: "/opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a append-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s || /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 -c file:/opt/aws/amazon-cloudwatch-agent/etc/amazon-cloudwatch-agent.json -s"
+          )
         end
       end
     end

diff --git a/cookbooks/aws-parallelcluster-environment/templates/shared_storages/shared_storages_data.erb b/cookbooks/aws-parallelcluster-environment/templates/shared_storages/shared_storages_data.erb
@@ -19,12 +19,14 @@ raid:
 <% efs_shared_dir_array = node['cluster']['efs_shared_dirs'].split(',') -%>
 <% efs_encryption_in_transit_array = node['cluster']['efs_encryption_in_transits'].split(',') -%>
 <% efs_iam_authorization_array = node['cluster']['efs_iam_authorizations'].split(',') -%>
+<% efs_access_point_id_array = node['cluster']['efs_access_point_ids'].split(',') -%>
 efs:
 <% efs_fs_ids_array.each_with_index do |efs_fs_id, index| -%>
   - efs_fs_id: <%= efs_fs_id %>
     mount_dir: <%= efs_shared_dir_array[index] %>
     efs_encryption_in_transit: <%= efs_encryption_in_transit_array[index] %>
     efs_iam_authorization: <%= efs_iam_authorization_array[index] %>
+    efs_access_point_id: <%= efs_access_point_id_array[index] %>
 <% end -%>
 <%# FSX %>
 <% fsx_fs_id_array = node['cluster']['fsx_fs_ids'].split(',') -%>

diff --git a/cookbooks/aws-parallelcluster-platform/files/dcv/pcluster_dcv_connect.sh b/cookbooks/aws-parallelcluster-platform/files/dcv/pcluster_dcv_connect.sh
@@ -122,7 +122,7 @@ main() {
 
     # Create a session with session storage enabled.
     mkdir -p "${DCV_SESSION_FOLDER}"
-    dcv_session_file="${DCV_SESSION_FOLDER}/dcv_session"
+    dcv_session_file="${DCV_SESSION_FOLDER}/dcv_session_$(hostname)"
     if [[ ! -e ${dcv_session_file} ]]; then
         sessionid=$(_create_dcv_session "${dcv_session_file}" "${shared_folder_path}")
     else

diff --git a/cookbooks/aws-parallelcluster-platform/kitchen.platform-config.yml b/cookbooks/aws-parallelcluster-platform/kitchen.platform-config.yml
@@ -181,6 +181,7 @@ suites:
       cluster:
         log_rotation_enabled: 'true'
         node_type: 'LoginNode'
+        dcv_enabled: "login_node"
         directory_service:
           generate_ssh_keys_for_users: 'true'
         scheduler: 'slurm'

diff --git a/cookbooks/aws-parallelcluster-platform/recipes/config/dcv.rb b/cookbooks/aws-parallelcluster-platform/recipes/config/dcv.rb
@@ -20,4 +20,11 @@
       action :configure
     end
   end unless on_docker?
+when 'LoginNode'
+  if node['cluster']['dcv_enabled'] == "login_node"
+    # Activate DCV on login node
+    dcv "Configure DCV" do
+      action :configure
+    end
+  end unless on_docker?
 end
diff --git a/cookbooks/aws-parallelcluster-platform/recipes/config/log_rotation_login_node.rb b/cookbooks/aws-parallelcluster-platform/recipes/config/log_rotation_login_node.rb
@@ -22,6 +22,12 @@
   parallelcluster_supervisord_log_rotation
 )
 
+if node['cluster']['dcv_enabled'] == "login_node" && dcv_installed?
+  config_files += %w(
+    parallelcluster_dcv_log_rotation
+  )
+end
+
 if node['cluster']["directory_service"]["generate_ssh_keys_for_users"] == 'true'
   config_files += %w(
     parallelcluster_pam_ssh_key_generator_log_rotation

diff --git a/cookbooks/aws-parallelcluster-platform/recipes/config/supervisord_config.rb b/cookbooks/aws-parallelcluster-platform/recipes/config/supervisord_config.rb
@@ -24,7 +24,9 @@
   variables(
     region: region,
     aws_ca_bundle: region.start_with?('us-iso') ? "/etc/pki/#{region}/certs/ca-bundle.pem" : '',
-    dcv_configured: node['cluster']['dcv_enabled'] == "head_node" && dcv_installed?,
+    dcv_configured: (node['cluster']['dcv_enabled'] == "head_node" ||
+                    node['cluster']['dcv_enabled'] == "login_node") &&
+                    dcv_installed?,
     dcv_auth_virtualenv_path: node['cluster']['dcv']['authenticator']['virtualenv_path'],
     dcv_auth_user_home: node['cluster']['dcv']['authenticator']['user_home'],
     dcv_port: node['cluster']['dcv_port'],

diff --git a/cookbooks/aws-parallelcluster-platform/resources/dcv/partial/_dcv_common.rb b/cookbooks/aws-parallelcluster-platform/resources/dcv/partial/_dcv_common.rb
@@ -183,7 +183,7 @@ def optionally_disable_rnd
 end
 
 action :configure do
-  if dcv_supported? && node['cluster']['node_type'] == "HeadNode"
+  if dcv_supported? && (node['cluster']['node_type'] == "HeadNode" || node['cluster']['node_type'] == "LoginNode")
     if dcv_gpu_accel_supported?
       # Enable graphic acceleration in dcv conf file for graphic instances.
       allow_gpu_acceleration

diff --git a/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/log_rotation_spec.rb b/cookbooks/aws-parallelcluster-platform/spec/unit/recipes/log_rotation_spec.rb
@@ -218,13 +218,15 @@
         end
       end
 
-      context "in the login node when log_rotation enabled and pam ssh key generation is enabled" do
+      context "in the login node when log_rotation, pam ssh key generation, and dcv are enabled" do
         cached(:chef_run) do
           runner = runner(platform: platform, version: version) do |node|
             node.override['cluster']['node_type'] = "LoginNode"
             node.override['cluster']['log_rotation_enabled'] = 'true'
+            node.override['cluster']['dcv_enabled'] = "login_node"
             node.override['cluster']["directory_service"]["generate_ssh_keys_for_users"] = 'true'
             node.override['cluster']["scheduler"] = 'slurm'
+            allow_any_instance_of(Object).to receive(:dcv_installed?).and_return(true)
           end
           runner.converge(described_recipe)
         end
@@ -235,12 +237,12 @@
           parallelcluster_supervisord_log_rotation
           parallelcluster_cloud_init_output_log_rotation
           parallelcluster_pam_ssh_key_generator_log_rotation
+          parallelcluster_dcv_log_rotation
         )
         unexpected_config_files = %w(
           parallelcluster_bootstrap_error_msg_log_rotation
           parallelcluster_cfn_init_log_rotation
           parallelcluster_chef_client_log_rotation
-          parallelcluster_dcv_log_rotation
           parallelcluster_clustermgtd_log_rotation
           parallelcluster_clusterstatusmgtd_log_rotation
           parallelcluster_slurm_fleet_status_manager_log_rotation