3 navsection: installguide
4 title: Build a cloud compute node image
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
12 {% include 'notebox_begin_warning' %}
13 @arvados-dispatch-cloud@ is only relevant for cloud installations. Skip this section if you are installing an on premises cluster that will spool jobs to Slurm or LSF.
14 {% include 'notebox_end' %}
16 # "Introduction":#introduction
17 # "Create an SSH keypair":#sshkeypair
18 # "The build script":#building
19 # "Singularity mksquashfs configuration":#singularity_mksquashfs_configuration
20 # "Build an AWS image":#aws
21 # "Build an Azure image":#azure
23 h2(#introduction). Introduction
25 This page describes how to build a compute node image that can be used to run containers dispatched by Arvados in the cloud.
27 Packer templates for AWS and Azure are provided with Arvados. To use them, the following are needed:
29 * "Packer":https://www.packer.io/
30 * credentials for your cloud account
31 * configuration details for your cloud account
34 h2(#sshkeypair). Create a SSH keypair
36 @arvados-dispatch-cloud@ communicates with the compute nodes via SSH. To do this securely, a SSH keypair is needed.
38 Generate a SSH keypair with no passphrase. The private key needs to be stored in the cluster configuration file (see @Containers/DispatchPrivateKey@) for use by @arvados-dispatch-cloud@, as described in the "next section":install-dispatch-cloud.html#update-config. The public key will be baked into the compute node images, see the cloud-specific documentation below.
41 <pre><code>~$ <span class="userinput">ssh-keygen -N '' -f ~/.ssh/id_dispatcher</span>
42 Generating public/private rsa key pair.
43 Your identification has been saved in /home/user/.ssh/id_dispatcher.
44 Your public key has been saved in /home/user/.ssh/id_dispatcher.pub.
45 The key fingerprint is:
47 ~$ <span class="userinput">cat ~/.ssh/id_dispatcher</span>
48 -----BEGIN RSA PRIVATE KEY-----
49 MIIEpQIBAAKCAQEAqXoCzcOBkFQ7w4dvXf9B++1ctgZRqEbgRYL3SstuMV4oawks
50 ttUuxJycDdsPmeYcHsKo8vsEZpN6iYsX6ZZzhkO5nEayUTU8sBjmg1ZCTo4QqKXr
52 oFyAjVoexx0RBcH6BveTfQtJKbktP1qBO4mXo2dP0cacuZEtlAqW9Eb06Pvaw/D9
53 foktmqOY8MyctzFgXBpGTxPliGjqo8OkrOyQP2g+FL7v+Km31Xs61P8=
54 -----END RSA PRIVATE KEY-----
58 {% assign show_docker_warning = true %}
60 {% include 'singularity_mksquashfs_configuration' %}
62 The desired amount of memory to make available for @mksquashfs@ can be configured in an argument to the build script, see the next section. It defaults to @256M@.
64 h2(#building). The build script
66 The necessary files are located in the @arvados/tools/compute-images@ directory in the source tree. A build script is provided to generate the image. The @--help@ argument lists all available options:
68 <notextile><pre><code>~$ <span class="userinput">./build.sh --help</span>
69 build.sh: Build cloud images for arvados-dispatch-cloud
76 --json-file (required)
77 Path to the packer json file
78 --arvados-cluster-id (required)
79 The ID of the Arvados cluster, e.g. zzzzz
80 --aws-profile (default: false)
81 AWS profile to use (valid profile from ~/.aws/config
82 --aws-secrets-file (default: false, required if building for AWS)
83 AWS secrets file which will be sourced from this script
84 --aws-source-ami (default: false, required if building for AWS)
85 The AMI to use as base for building the images
86 --aws-region (default: us-east-1)
87 The AWS region to use for building the images
88 --aws-vpc-id (optional)
89 VPC id for AWS, otherwise packer will pick the default one
91 Subnet id for AWS otherwise packer will pick the default one for the VPC
92 --gcp-project-id (default: false, required if building for GCP)
94 --gcp-account-file (default: false, required if building for GCP)
96 --gcp-zone (default: us-central1-f)
98 --azure-secrets-file (default: false, required if building for Azure)
99 Azure secrets file which will be sourced from this script
100 --azure-resource-group (default: false, required if building for Azure)
102 --azure-location (default: false, required if building for Azure)
103 Azure location, e.g. centralus, eastus, westeurope
104 --azure-sku (default: unset, required if building for Azure, e.g. 16.04-LTS)
105 Azure SKU image to use
106 --ssh_user (default: packer)
107 The user packer will use to log into the image
108 --resolver (default: host's network provided)
109 The dns resolver for the machine
110 --reposuffix (default: unset)
111 Set this to "-dev" to track the unstable/dev Arvados repositories
112 --public-key-file (required)
113 Path to the public key file that a-d-c will use to log into the compute node
114 --mksquashfs-mem (default: 256M)
115 Only relevant when using Singularity. This is the amount of memory mksquashfs is allowed to use.
116 --nvidia-gpu-support (default: false)
117 Install all the necessary tooling for Nvidia GPU support
118 --debug (default: false)
119 Output debug information
120 </code></pre></notextile>
122 h2(#building). NVIDIA GPU support
124 If you plan on using instance types with NVIDIA GPUs, add @--nvidia-gpu-support@ to the build command line. Arvados uses the same compute image for both GPU and non-GPU instance types. The GPU tooling is ignored when using the image with a non-GPU instance type.
126 h2(#aws). Build an AWS image
128 <notextile><pre><code>~$ <span class="userinput">./build.sh --json-file arvados-images-aws.json \
129 --arvados-cluster-id ClusterID \
130 --aws-profile AWSProfile \
131 --aws-source-ami AMI \
133 --aws-subnet-id Subnet \
135 --resolver ResolverIP \
136 --public-key-file ArvadosDispatchCloudPublicKeyPath
138 </code></pre></notextile>
140 For @ClusterID@, fill in your cluster ID. The @VPC@ and @Subnet@ should be configured for where you want the compute image to be generated and stored. The @AMI@ is the identifier for the base image to be used. Current AMIs are maintained by "Debian":https://wiki.debian.org/Cloud/AmazonEC2Image/Buster and "Ubuntu":https://cloud-images.ubuntu.com/locator/ec2/.
142 @AWSProfile@ should be replaced with the name of an AWS profile with sufficient permissions to create the image.
144 @ArvadosDispatchCloudPublicKeyPath@ should be replaced with the path to the ssh *public* key file generated in "Create an SSH keypair":#sshkeypair, above.
146 Compute nodes must be able to resolve the hostnames of the API server and any keepstore servers to your internal IP addresses. You can do this by running an internal DNS resolver. The IP address of the resolver should replace the string @ResolverIP@ in the command above.
148 Alternatively, the services could be hardcoded into an @/etc/hosts@ file. For example:
150 <notextile><pre><code>10.20.30.40 <span class="userinput">ClusterID.example.com</span>
151 10.20.30.41 <span class="userinput">keep1.ClusterID.example.com</span>
152 10.20.30.42 <span class="userinput">keep2.ClusterID.example.com</span>
153 </code></pre></notextile>
155 Adding these lines to the @/etc/hosts@ file in the compute node image could be done with a small change to the Packer template and the @scripts/base.sh@ script, which will be left as an exercise for the reader.
157 h2(#azure). Build an Azure image
159 <notextile><pre><code>~$ <span class="userinput">./build.sh --json-file arvados-images-azure.json \
160 --arvados-cluster-id ClusterID \
161 --azure-resource-group ResourceGroup \
162 --azure-location AzureRegion \
163 --azure-sku AzureSKU \
164 --azure-secrets-file AzureSecretsFilePath \
165 --resolver ResolverIP \
166 --public-key-file ArvadosDispatchCloudPublicKeyPath
168 </code></pre></notextile>
170 For @ClusterID@, fill in your cluster ID. The @ResourceGroup@ and @AzureRegion@ (e.g. 'eastus2') should be configured for where you want the compute image to be generated and stored. The @AzureSKU@ is the SKU of the base image to be used, e.g. '18.04-LTS' for Ubuntu 18.04.
172 @AzureSecretsFilePath@ should be replaced with the path to a shell script that loads the Azure secrets with sufficient permissions to create the image. The file would look like this:
174 <notextile><pre><code>export ARM_CLIENT_ID=...
175 export ARM_CLIENT_SECRET=...
176 export ARM_SUBSCRIPTION_ID=...
177 export ARM_TENANT_ID=...
178 </code></pre></notextile>
180 These secrets can be generated from the Azure portal, or with the cli using a command like this:
182 <notextile><pre><code>~$ <span class="userinput">az ad sp create-for-rbac --name Packer --password ...</span>
183 </code></pre></notextile>
185 @ArvadosDispatchCloudPublicKeyPath@ should be replaced with the path to the ssh *public* key file generated in "Create an SSH keypair":#sshkeypair, above.
187 Compute nodes must be able to resolve the hostnames of the API server and any keepstore servers to your internal IP addresses. You can do this by running an internal DNS resolver. The IP address of the resolver should replace the string @ResolverIP@ in the command above.
189 Alternatively, the services could be hardcoded into an @/etc/hosts@ file. For example:
191 <notextile><pre><code>10.20.30.40 <span class="userinput">ClusterID.example.com</span>
192 10.20.30.41 <span class="userinput">keep1.ClusterID.example.com</span>
193 10.20.30.42 <span class="userinput">keep2.ClusterID.example.com</span>
194 </code></pre></notextile>
196 Adding these lines to the @/etc/hosts@ file in the compute node image could be done with a small change to the Packer template and the @scripts/base.sh@ script, which will be left as an exercise for the reader.