1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
18 "git.arvados.org/arvados.git/lib/cloud"
19 "git.arvados.org/arvados.git/sdk/go/arvados"
20 "github.com/aws/aws-sdk-go/aws"
21 "github.com/aws/aws-sdk-go/aws/credentials"
22 "github.com/aws/aws-sdk-go/aws/credentials/ec2rolecreds"
23 "github.com/aws/aws-sdk-go/aws/ec2metadata"
24 "github.com/aws/aws-sdk-go/aws/session"
25 "github.com/aws/aws-sdk-go/service/ec2"
26 "github.com/sirupsen/logrus"
27 "golang.org/x/crypto/ssh"
30 // Driver is the ec2 implementation of the cloud.Driver interface.
31 var Driver = cloud.DriverFunc(newEC2InstanceSet)
33 type ec2InstanceSetConfig struct {
35 SecretAccessKey string
37 SecurityGroupIDs arvados.StringSet
43 type ec2Interface interface {
44 DescribeKeyPairs(input *ec2.DescribeKeyPairsInput) (*ec2.DescribeKeyPairsOutput, error)
45 ImportKeyPair(input *ec2.ImportKeyPairInput) (*ec2.ImportKeyPairOutput, error)
46 RunInstances(input *ec2.RunInstancesInput) (*ec2.Reservation, error)
47 DescribeInstances(input *ec2.DescribeInstancesInput) (*ec2.DescribeInstancesOutput, error)
48 CreateTags(input *ec2.CreateTagsInput) (*ec2.CreateTagsOutput, error)
49 TerminateInstances(input *ec2.TerminateInstancesInput) (*ec2.TerminateInstancesOutput, error)
52 type ec2InstanceSet struct {
53 ec2config ec2InstanceSetConfig
54 instanceSetID cloud.InstanceSetID
55 logger logrus.FieldLogger
58 keys map[string]string
61 func newEC2InstanceSet(config json.RawMessage, instanceSetID cloud.InstanceSetID, _ cloud.SharedResourceTags, logger logrus.FieldLogger) (prv cloud.InstanceSet, err error) {
62 instanceSet := &ec2InstanceSet{
63 instanceSetID: instanceSetID,
66 err = json.Unmarshal(config, &instanceSet.ec2config)
71 sess, err := session.NewSession()
75 // First try any static credentials, fall back to an IAM instance profile/role
76 creds := credentials.NewChainCredentials(
77 []credentials.Provider{
78 &credentials.StaticProvider{Value: credentials.Value{AccessKeyID: instanceSet.ec2config.AccessKeyID, SecretAccessKey: instanceSet.ec2config.SecretAccessKey}},
79 &ec2rolecreds.EC2RoleProvider{Client: ec2metadata.New(sess)},
82 awsConfig := aws.NewConfig().WithCredentials(creds).WithRegion(instanceSet.ec2config.Region)
83 instanceSet.client = ec2.New(session.Must(session.NewSession(awsConfig)))
84 instanceSet.keys = make(map[string]string)
85 if instanceSet.ec2config.EBSVolumeType == "" {
86 instanceSet.ec2config.EBSVolumeType = "gp2"
88 return instanceSet, nil
91 func awsKeyFingerprint(pk ssh.PublicKey) (md5fp string, sha1fp string, err error) {
92 // AWS key fingerprints don't use the usual key fingerprint
93 // you get from ssh-keygen or ssh.FingerprintLegacyMD5()
94 // (you can get that from md5.Sum(pk.Marshal())
96 // AWS uses the md5 or sha1 of the PKIX DER encoding of the
97 // public key, so calculate those fingerprints here.
103 if err := ssh.Unmarshal(pk.Marshal(), &rsaPub); err != nil {
104 return "", "", fmt.Errorf("agent: Unmarshal failed to parse public key: %v", err)
106 rsaPk := rsa.PublicKey{
107 E: int(rsaPub.E.Int64()),
110 pkix, _ := x509.MarshalPKIXPublicKey(&rsaPk)
111 md5pkix := md5.Sum([]byte(pkix))
112 sha1pkix := sha1.Sum([]byte(pkix))
115 for i := 0; i < len(md5pkix); i++ {
116 md5fp += fmt.Sprintf(":%02x", md5pkix[i])
118 for i := 0; i < len(sha1pkix); i++ {
119 sha1fp += fmt.Sprintf(":%02x", sha1pkix[i])
121 return md5fp[1:], sha1fp[1:], nil
124 func (instanceSet *ec2InstanceSet) Create(
125 instanceType arvados.InstanceType,
126 imageID cloud.ImageID,
127 newTags cloud.InstanceTags,
128 initCommand cloud.InitCommand,
129 publicKey ssh.PublicKey) (cloud.Instance, error) {
131 md5keyFingerprint, sha1keyFingerprint, err := awsKeyFingerprint(publicKey)
133 return nil, fmt.Errorf("Could not make key fingerprint: %v", err)
135 instanceSet.keysMtx.Lock()
138 if keyname, ok = instanceSet.keys[md5keyFingerprint]; !ok {
139 keyout, err := instanceSet.client.DescribeKeyPairs(&ec2.DescribeKeyPairsInput{
140 Filters: []*ec2.Filter{{
141 Name: aws.String("fingerprint"),
142 Values: []*string{&md5keyFingerprint, &sha1keyFingerprint},
146 return nil, fmt.Errorf("Could not search for keypair: %v", err)
149 if len(keyout.KeyPairs) > 0 {
150 keyname = *(keyout.KeyPairs[0].KeyName)
152 keyname = "arvados-dispatch-keypair-" + md5keyFingerprint
153 _, err := instanceSet.client.ImportKeyPair(&ec2.ImportKeyPairInput{
155 PublicKeyMaterial: ssh.MarshalAuthorizedKey(publicKey),
158 return nil, fmt.Errorf("Could not import keypair: %v", err)
161 instanceSet.keys[md5keyFingerprint] = keyname
163 instanceSet.keysMtx.Unlock()
165 ec2tags := []*ec2.Tag{}
166 for k, v := range newTags {
167 ec2tags = append(ec2tags, &ec2.Tag{
169 Value: aws.String(v),
174 for sg := range instanceSet.ec2config.SecurityGroupIDs {
175 groups = append(groups, sg)
178 rii := ec2.RunInstancesInput{
179 ImageId: aws.String(string(imageID)),
180 InstanceType: &instanceType.ProviderType,
181 MaxCount: aws.Int64(1),
182 MinCount: aws.Int64(1),
185 NetworkInterfaces: []*ec2.InstanceNetworkInterfaceSpecification{
187 AssociatePublicIpAddress: aws.Bool(false),
188 DeleteOnTermination: aws.Bool(true),
189 DeviceIndex: aws.Int64(0),
190 Groups: aws.StringSlice(groups),
191 SubnetId: &instanceSet.ec2config.SubnetID,
193 DisableApiTermination: aws.Bool(false),
194 InstanceInitiatedShutdownBehavior: aws.String("terminate"),
195 TagSpecifications: []*ec2.TagSpecification{
197 ResourceType: aws.String("instance"),
200 UserData: aws.String(base64.StdEncoding.EncodeToString([]byte("#!/bin/sh\n" + initCommand + "\n"))),
203 if instanceType.AddedScratch > 0 {
204 rii.BlockDeviceMappings = []*ec2.BlockDeviceMapping{{
205 DeviceName: aws.String("/dev/xvdt"),
206 Ebs: &ec2.EbsBlockDevice{
207 DeleteOnTermination: aws.Bool(true),
208 VolumeSize: aws.Int64((int64(instanceType.AddedScratch) + (1<<30 - 1)) >> 30),
209 VolumeType: &instanceSet.ec2config.EBSVolumeType,
213 if instanceType.Preemptible {
214 rii.InstanceMarketOptions = &ec2.InstanceMarketOptionsRequest{
215 MarketType: aws.String("spot"),
216 SpotOptions: &ec2.SpotMarketOptions{
217 InstanceInterruptionBehavior: aws.String("terminate"),
218 MaxPrice: aws.String(fmt.Sprintf("%v", instanceType.Price)),
222 rsv, err := instanceSet.client.RunInstances(&rii)
229 provider: instanceSet,
230 instance: rsv.Instances[0],
234 func (instanceSet *ec2InstanceSet) Instances(tags cloud.InstanceTags) (instances []cloud.Instance, err error) {
235 var filters []*ec2.Filter
236 for k, v := range tags {
237 filters = append(filters, &ec2.Filter{
238 Name: aws.String("tag:" + k),
239 Values: []*string{aws.String(v)},
242 dii := &ec2.DescribeInstancesInput{Filters: filters}
244 dio, err := instanceSet.client.DescribeInstances(dii)
249 for _, rsv := range dio.Reservations {
250 for _, inst := range rsv.Instances {
251 if *inst.State.Name != "shutting-down" && *inst.State.Name != "terminated" {
252 instances = append(instances, &ec2Instance{instanceSet, inst})
256 if dio.NextToken == nil {
257 return instances, err
259 dii.NextToken = dio.NextToken
263 func (instanceSet *ec2InstanceSet) Stop() {
266 type ec2Instance struct {
267 provider *ec2InstanceSet
268 instance *ec2.Instance
271 func (inst *ec2Instance) ID() cloud.InstanceID {
272 return cloud.InstanceID(*inst.instance.InstanceId)
275 func (inst *ec2Instance) String() string {
276 return *inst.instance.InstanceId
279 func (inst *ec2Instance) ProviderType() string {
280 return *inst.instance.InstanceType
283 func (inst *ec2Instance) SetTags(newTags cloud.InstanceTags) error {
284 var ec2tags []*ec2.Tag
285 for k, v := range newTags {
286 ec2tags = append(ec2tags, &ec2.Tag{
288 Value: aws.String(v),
292 _, err := inst.provider.client.CreateTags(&ec2.CreateTagsInput{
293 Resources: []*string{inst.instance.InstanceId},
300 func (inst *ec2Instance) Tags() cloud.InstanceTags {
301 tags := make(map[string]string)
303 for _, t := range inst.instance.Tags {
304 tags[*t.Key] = *t.Value
310 func (inst *ec2Instance) Destroy() error {
311 _, err := inst.provider.client.TerminateInstances(&ec2.TerminateInstancesInput{
312 InstanceIds: []*string{inst.instance.InstanceId},
317 func (inst *ec2Instance) Address() string {
318 if inst.instance.PrivateIpAddress != nil {
319 return *inst.instance.PrivateIpAddress
324 func (inst *ec2Instance) RemoteUser() string {
325 return inst.provider.ec2config.AdminUsername
328 func (inst *ec2Instance) VerifyHostKey(ssh.PublicKey, *ssh.Client) error {
329 return cloud.ErrNotImplemented