3 navsection: installguide
4 title: Build a cloud compute node image
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
12 {% include 'notebox_begin_warning' %}
13 @arvados-dispatch-cloud@ is only relevant for cloud installations. Skip this section if you are installing an on premises cluster that will spool jobs to Slurm or LSF.
14 {% include 'notebox_end' %}
16 # "Introduction":#introduction
17 # "Create an SSH keypair":#sshkeypair
18 # "Compute image requirements":#requirements
19 # "The build script":#building
20 # "DNS resolution":#dns-resolution
21 # "NVIDIA GPU support":#nvidia
22 # "Singularity mksquashfs configuration":#singularity_mksquashfs_configuration
23 # "Build an AWS image":#aws
24 ## "Autoscaling compute node scratch space":#aws-ebs-autoscaler
25 # "Build an Azure image":#azure
27 h2(#introduction). Introduction
29 This page describes how to build a compute node image that can be used to run containers dispatched by Arvados in the cloud.
31 Packer templates for AWS and Azure are provided with Arvados. To use them, the following are needed:
33 * "Packer":https://www.packer.io/
34 * credentials for your cloud account
35 * configuration details for your cloud account
38 h2(#sshkeypair). Create a SSH keypair
40 @arvados-dispatch-cloud@ communicates with the compute nodes via SSH. To do this securely, a SSH keypair is needed.
42 Generate a SSH keypair with no passphrase. The private key needs to be stored in the cluster configuration file (see @Containers/DispatchPrivateKey@) for use by @arvados-dispatch-cloud@, as described in the "next section":install-dispatch-cloud.html#update-config. The public key will be baked into the compute node images, see the cloud-specific documentation below.
45 <pre><code>~$ <span class="userinput">ssh-keygen -N '' -f ~/.ssh/id_dispatcher</span>
46 Generating public/private rsa key pair.
47 Your identification has been saved in /home/user/.ssh/id_dispatcher.
48 Your public key has been saved in /home/user/.ssh/id_dispatcher.pub.
49 The key fingerprint is:
51 ~$ <span class="userinput">cat ~/.ssh/id_dispatcher</span>
52 -----BEGIN RSA PRIVATE KEY-----
53 MIIEpQIBAAKCAQEAqXoCzcOBkFQ7w4dvXf9B++1ctgZRqEbgRYL3SstuMV4oawks
54 ttUuxJycDdsPmeYcHsKo8vsEZpN6iYsX6ZZzhkO5nEayUTU8sBjmg1ZCTo4QqKXr
56 oFyAjVoexx0RBcH6BveTfQtJKbktP1qBO4mXo2dP0cacuZEtlAqW9Eb06Pvaw/D9
57 foktmqOY8MyctzFgXBpGTxPliGjqo8OkrOyQP2g+FL7v+Km31Xs61P8=
58 -----END RSA PRIVATE KEY-----
62 h2(#requirements). Compute image requirements
64 Arvados comes with a build script to automate the creation of a suitable compute node image (see "The build script":#building below). It is provided as a convenience. It is also possible to create a compute node image via other means. These are the requirements:
66 * for AWS: the SSH public key for @arvados-dispatch-cloud@ (the one that corresponds with @Containers.DispatchPrivateKey@ in the Arvados config file) needs to go into ~/.ssh/authorized_keys for the SSH user you want @arvados-dispatch-cloud@ to use (cf. @CloudVMs.DriverParameters.AdminUsername@ in the Arvados config file) and that user needs to be able to sudo without password prompt, unless you use `root` in which case sudo is not used.
67 * for Azure: @arvados-dispatch-cloud@ automatically extracts the SSH public key from the value of @Containers.DispatchPrivateKey@ and uses an API call to create the user specified in @CloudVMs.DriverParameters.AdminUsername@ with that SSH public key and password-less sudo enabled.
68 * SSH needs to be running and reachable by @arvados-dispatch-cloud@ on port 22 (or a custom port, see @CloudVMS.SSHPort@ to in the Arvados config file)
69 * the @python3-arvados-fuse@ package needs to be installed
70 * @Docker@ or @Singularity@ needs to be installed (cf. @Containers.RuntimeEngine@ in the Arvados config file).
71 * all available scratch space should be made available under `/tmp`.
73 h2(#building). The build script
75 The necessary files are located in the @arvados/tools/compute-images@ directory in the source tree. A build script is provided to generate the image. The @--help@ argument lists all available options:
77 <notextile><pre><code>~$ <span class="userinput">./build.sh --help</span>
78 build.sh: Build cloud images for arvados-dispatch-cloud
85 --json-file <path>
86 Path to the packer json file (required)
87 --arvados-cluster-id <xxxxx>
88 The ID of the Arvados cluster, e.g. zzzzz(required)
89 --aws-profile <profile>
90 AWS profile to use (valid profile from ~/.aws/config (optional)
91 --aws-secrets-file <path>
92 AWS secrets file which will be sourced from this script (optional)
93 When building for AWS, either an AWS profile or an AWS secrets file
95 --aws-source-ami <ami-xxxxxxxxxxxxxxxxx>
96 The AMI to use as base for building the images (required if building for AWS)
97 --aws-region <region> (default: us-east-1)
98 The AWS region to use for building the images
99 --aws-vpc-id <vpc-id>
100 VPC id for AWS, if not specified packer will derive from the subnet id or pick the default one.
101 --aws-subnet-id <subnet-xxxxxxxxxxxxxxxxx>
102 Subnet id for AWS, if not specified packer will pick the default one for the VPC.
104 Install the AWS EBS autoscaler daemon (default: do not install the AWS EBS autoscaler).
105 --aws-associate-public-ip <true|false>
106 Associate a public IP address with the node used for building the compute image.
107 Required when the machine running packer can not reach the node used for building
108 the compute image via its private IP. (default: true if building for AWS)
109 Note: if the subnet has "Auto-assign public IPv4 address" enabled, disabling this
110 flag will have no effect.
111 --aws-ena-support <true|false>
112 Enable enhanced networking (default: true if building for AWS)
113 --gcp-project-id <project-id>
114 GCP project id (required if building for GCP)
115 --gcp-account-file <path>
116 GCP account file (required if building for GCP)
117 --gcp-zone <zone> (default: us-central1-f)
119 --azure-secrets-file <patch>
120 Azure secrets file which will be sourced from this script (required if building for Azure)
121 --azure-resource-group <resouce-group>
122 Azure resource group (required if building for Azure)
123 --azure-location <location>
124 Azure location, e.g. centralus, eastus, westeurope (required if building for Azure)
125 --azure-sku <sku> (required if building for Azure, e.g. 16.04-LTS)
126 Azure SKU image to use
127 --ssh_user <user> (default: packer)
128 The user packer will use to log into the image
129 --resolver <resolver_IP>
130 The dns resolver for the machine (default: host's network provided)
131 --reposuffix <suffix>
132 Set this to "-dev" to track the unstable/dev Arvados repositories
133 --public-key-file <path>
134 Path to the public key file that a-d-c will use to log into the compute node (required)
135 --mksquashfs-mem (default: 256M)
136 Only relevant when using Singularity. This is the amount of memory mksquashfs is allowed to use.
138 Install all the necessary tooling for Nvidia GPU support (default: do not install Nvidia GPU support)
140 Output debug information (default: no debug output is printed)
141 </code></pre></notextile>
143 h2(#dns-resolution). DNS resolution
145 Compute nodes must be able to resolve the hostnames of the API server and any keepstore servers to your internal IP addresses. You can do this by running an internal DNS resolver. The IP address of the resolver should be passed as the value for the @--resolver@ argument to "the build script":#building.
147 Alternatively, the services could be hardcoded into an @/etc/hosts@ file. For example:
149 <notextile><pre><code>10.20.30.40 <span class="userinput">ClusterID.example.com</span>
150 10.20.30.41 <span class="userinput">keep1.ClusterID.example.com</span>
151 10.20.30.42 <span class="userinput">keep2.ClusterID.example.com</span>
152 </code></pre></notextile>
154 Adding these lines to the @/etc/hosts@ file in the compute node image could be done with a small change to the Packer template and the @scripts/base.sh@ script, which will be left as an exercise for the reader.
156 h2(#nvidia). NVIDIA GPU support
158 If you plan on using instance types with NVIDIA GPUs, add @--nvidia-gpu-support@ to the build command line. Arvados uses the same compute image for both GPU and non-GPU instance types. The GPU tooling is ignored when using the image with a non-GPU instance type.
160 {% assign show_docker_warning = true %}
162 {% include 'singularity_mksquashfs_configuration' %}
164 The desired amount of memory to make available for @mksquashfs@ can be configured in an argument to "the build script":#building. It defaults to @256M@.
166 h2(#aws). Build an AWS image
168 <notextile><pre><code>~$ <span class="userinput">./build.sh --json-file arvados-images-aws.json \
169 --arvados-cluster-id ClusterID \
170 --aws-profile AWSProfile \
171 --aws-source-ami AMI \
173 --aws-subnet-id Subnet \
175 --resolver ResolverIP \
176 --public-key-file ArvadosDispatchCloudPublicKeyPath
178 </code></pre></notextile>
180 For @ClusterID@, fill in your cluster ID. The @VPC@ and @Subnet@ should be configured for where you want the compute image to be generated and stored. The @AMI@ is the identifier for the base image to be used. Current AMIs are maintained by "Debian":https://wiki.debian.org/Cloud/AmazonEC2Image/Buster and "Ubuntu":https://cloud-images.ubuntu.com/locator/ec2/.
182 @AWSProfile@ should be replaced with the name of an AWS profile with sufficient permissions to create the image.
184 @ArvadosDispatchCloudPublicKeyPath@ should be replaced with the path to the ssh *public* key file generated in "Create an SSH keypair":#sshkeypair, above.
186 h3(#aws-ebs-autoscaler). Autoscaling compute node scratch space
188 If you want to add the "AWS EBS autoscaler":https://github.com/awslabs/amazon-ebs-autoscale daemon in your images, add the @--aws-ebs-autoscale@ flag to the "the build script":#building. Doing so will make the compute image scratch space scale automatically as needed.
190 The AWS EBS autoscaler daemon will be installed with this configuration:
192 <notextile><pre><code>{
193 "mountpoint": "/tmp",
194 "filesystem": "lvm.ext4",
196 "volume_group": "autoscale_vg",
197 "logical_volume": "autoscale_lv"
204 "detection_interval": 2,
206 "max_ebs_volume_size": 1500,
207 "max_logical_volume_size": 8000,
208 "max_ebs_volume_count": 16
211 "log_file": "/var/log/ebs-autoscale.log",
215 </code></pre></notextile>
217 Changing the configuration is left as an exercise for the reader.
219 Using this feature also requires a few Arvados configuration changes in @config.yml@:
221 * The @Containers/InstanceTypes@ list should be modified so that all @AddedScratch@ lines are removed, and the @IncludedScratch@ value should be set to a (fictional) high number. This way, the scratch space requirements will be met by all the defined instance type. For example:
223 <notextile><pre><code> InstanceTypes:
225 ProviderType: c5.large
228 IncludedScratch: 16TB
231 ProviderType: m5.large
234 IncludedScratch: 16TB
237 </code></pre></notextile>
239 * You will also need to create an IAM role in AWS with these permissions:
241 <notextile><pre><code>{
242 "Version": "2012-10-17",
248 "ec2:DescribeVolumeStatus",
249 "ec2:DescribeVolumes",
251 "ec2:ModifyInstanceAttribute",
252 "ec2:DescribeVolumeAttribute",
261 </code></pre></notextile>
263 Then, in @config.yml@ set @Containers/CloudVMs/DriverParameters/IAMInstanceProfile@ to the name of the IAM role. This will make @arvados-dispatch-cloud@ pass an IAMInstanceProfile to the compute nodes as they start up, giving them sufficient permissions to attach and grow EBS volumes.
265 h2(#azure). Build an Azure image
267 <notextile><pre><code>~$ <span class="userinput">./build.sh --json-file arvados-images-azure.json \
268 --arvados-cluster-id ClusterID \
269 --azure-resource-group ResourceGroup \
270 --azure-location AzureRegion \
271 --azure-sku AzureSKU \
272 --azure-secrets-file AzureSecretsFilePath \
273 --resolver ResolverIP \
274 --public-key-file ArvadosDispatchCloudPublicKeyPath
276 </code></pre></notextile>
278 For @ClusterID@, fill in your cluster ID. The @ResourceGroup@ and @AzureRegion@ (e.g. 'eastus2') should be configured for where you want the compute image to be generated and stored. The @AzureSKU@ is the SKU of the base image to be used, e.g. '18.04-LTS' for Ubuntu 18.04.
280 @AzureSecretsFilePath@ should be replaced with the path to a shell script that loads the Azure secrets with sufficient permissions to create the image. The file would look like this:
282 <notextile><pre><code>export ARM_CLIENT_ID=...
283 export ARM_CLIENT_SECRET=...
284 export ARM_SUBSCRIPTION_ID=...
285 export ARM_TENANT_ID=...
286 </code></pre></notextile>
288 These secrets can be generated from the Azure portal, or with the cli using a command like this:
290 <notextile><pre><code>~$ <span class="userinput">az ad sp create-for-rbac --name Packer --password ...</span>
291 </code></pre></notextile>
293 @ArvadosDispatchCloudPublicKeyPath@ should be replaced with the path to the ssh *public* key file generated in "Create an SSH keypair":#sshkeypair, above.