Management Host

Warning

If you are updating CCME from a version prior to 6.0.0 to version 6.0.0, please review "Update to 6.0.0" to understand the changes in parameters.

Prerequisites

CCME deployment can be done with the basic CCME automation configuration or manually. Even with the automated deployment, you can still manually modify the CCME and AWS ParallelCluster configuration of your clusters.

The CCME_x.y.z directory contains the following files and directories:

  • deployCCME.sh: the script to start the Management Host

  • roles.ccme.conf: the configuration file for the CCME Roles Stack (CRS)

  • deployment.ccme.conf: the configuration file for the CCME Management Host (CMH)

  • dependencies.yaml: the version of the dependencies used in CCME

  • CCME/: the scripts to configure a CCME cluster

  • management/: the scripts to deploy the Management Host and associated services

  • doc/: this documentation

You will first need to untar the CCME_x.y.z.tar.gz archive to get access to the code on your local machine (which needs to have access to AWS and have the AWS CLI installed and configured):

mkdir "CCME_x.y.z"
tar xvf "CCME_x.y.z.tar.gz" -C "CCME_x.y.z"
cd "CCME_x.y.z"

deployCCME.sh

This is the script that you need to use to deploy the initial stacks for the CCME roles, the Management Host and the associated services.

$ ../../deployCCME.sh --help
Usage: deployCCME.sh [-h|--help] [-r|--create-roles-stack] [-m|--create-management-stack] [-cr|--conf-roles <crs_conf_file>] [-cm|--conf-management <cmh_conf_file>] [-s|--set-management-roles <stack_name>] [-n|--name <stack_name>] [-u|--update] [-nr|--no-rollback] [-p|--profile <aws_profile>]

deployCCME can be used to update the CCME bucket set in <conf_file> and/or to deploy a CCME Management Host

Options :
  -r|--create-roles-stack                           Create CCME Roles Stack (CRS) with a name built with the prefix 'CRS-' and the selected -n|--name option
  -m|--create-management-host                       Create CCME Management Host (CMH) with a name built with the the prefix 'CMH-' and the -n|--name option
  -ur|--update-roles-stack                          Update the deployed CCME Roles Stack (CRS) named with the -n|--name option
  -um|--update-management-host                      Update the deployed CCME Management Host (CMH) named with the -n|--name option
  -cr|--conf-roles              <crs_conf_file>     Reads a configuration file for the CCME Roles Stack (CRS)
  -cm|--conf-management         <cmh_conf_file>     Reads a configuration file for the CCME Management Host (CMH) and update action
  -s|--set-management-roles     <stack_name>        Replace the IAM Roles in the CCME Management Host (CMH) configuration file with 
  -n|--name                     <stack_name>        Defines the name of the stack deployed by the script (default is CCME)
  -u|--update                                       Updates the CCME bucket
  -nr|--no-rollback                                 Disables rollback of the CMH creation stack in CloudFormation when the stack fails
  -p|--profile                  <aws_profile>       Use non-default AWS credentials profile with aws commmand
  -h/--help                                         Help

CCME Roles Stack (CRS)

CRS Configuration

The configuration of the “CCME Roles Stack” is described in the roles.ccme.conf file:

#### CONFIGURATION FILE for the CCME Roles Stack (CRS) automatic setup ####

#### IAM Configuration
# iam_path_prefix defines the prefix of the IAM roles created by the stack
# The expected value is a string prefix like "ccme" or "parallelcluster".
# Setting this variable is MANDATORY.
# Default value: parallelcluster
iam_path_prefix=parallelcluster


#### Global
# global_tags defines a list of tags associated to the CMH stack
# Pattern: ("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")
# Setting this variable is OPTIONAL.
# Default value: no tag
# Update Policy: This setting can be changed during an update and requires updating the CMH and deployed clusters with the updated setting.
# global_tags=("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")

# global_sources_path is the BucketName:BucketKey where BucketName is the name of an existing s3 bucket
# and where CCME machinery will be stored at the "BucketKey" path to be used to manage clusters.
# E.g.: "ccme-bucket:subfolder1/subfolder2/subfolder3/"
# Subfolder must end with a '/'
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy for BucketName: If this setting is changed, the update is not allowed for the CMH stack and the clusters.
# Update Policy for BucketKey: If this setting is changed, the update is allowed for the CMH stack, but not the clusters.
global_sources_path=

# global_data_bucket is the Name of an existing s3 bucket where common user data is accessed by users on any cluster.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_data_bucket=

# global_secrets_prefix defines the prefix of the secrets stored in AWS Secrets Manager
# CCME requires AWS secrets; each secret must be registered with a name starting with the same prefix.
# Setting this variable is MANDATORY.
# No default value exists.
# E.g.: "ccme-prefix"
# E.g. of secret using this prefix: "arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adreadonlyuser.password-7dFt5"
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
global_secrets_prefix=


#### Network
# network_route53_access defines the possibility of Route53 creation and usage
# for each cluster.
# Setting this variable is OPTIONAL.
# Value: true or false
# Default value: true
# network_route53_access=true

# network_fsx_s3_access defines whether FSx is allowed to access s3 buckets
# Setting this variable is OPTIONAL.
# Value: true or false
# Default value: false
# network_fsx_s3_access=false

# network_fsx_s3_buckets_arn_list defines the list of S3 buckets to allow the lambda function
# to import/export from/to S3 when creating an FSx filesystem.
# The expected value is a comma separated list of S3 bucket ARNs.
# NOTE - The setting is used only when network_fsx_s3_access is set to true.
# E.g.: arn:aws:s3:::<S3_BUCKET_1>,arn:aws:s3:::<S3_BUCKET_2>
# Setting this variable is OPTIONAL.
# Default value: arn:*:s3:::ccme-fsx-*
# network_fsx_s3_buckets_arn_list='arn:*:s3:::ccme-fsx-*'

#### Clusters
# cluster_prefix defines the prefix of the future clusters
# Used to restrict rights to CloudWatch dashboards
# Setting this variable is MANDATORY.
# Default value is "ccme-".
cluster_prefix="ccme-"

# cluster_admin_sns_topic_arn defines the admin SNS topic ARN to which
# information about the cluster is delivered when it is ready to be used.
# For example, you can configure your SNS topic to deliver the information
# by email to the administrator of the platform
# Setting this variable is OPTIONAL.
# No default value exists.
# E.g.: arn:aws:sns:REGION:ACCOUNT:TOPICNAME
# cluster_admin_sns_topic_arn=


#### KMS Encryption
# The following variables define the ARN of KMS keys used to encrypt storages or
# communications on multiple services used by CCME.
# Setting these variables is MANDATORY.
# Value: ARN of existing KMS key
# Default value is '*' (allow all keys)

# CMH EBS encryption
kms_cmh_ebs=*

# DCV Proxy encryption
kms_dcv_proxy_ebs=*

# Clusters EBS encryption
kms_clusters_ebs=*

# Additional KMS key for CMH and Clusters encryption.
# kms_additional_key=NONE

# FSx encryption
kms_file_systems=*

# S3 encryption
kms_s3=*

# SNS encryption
kms_sns=*

# Secrets Manager encryption
kms_secrets=*

# CloudWatch encryption
kms_cloudwatch=*

# Lambda encryption
kms_lambda=*

You can modify and use this example configuration file or you can create a new file based on it. This configuration file is then used to deploy the CCME Management Host through the script named deployCCME.sh.

Deployment

The following command will create all the IAM roles needed for CCME in a CCME Roles Stack.

$ ./deployCCME.sh --create-roles-stack --conf-roles "my-ccme.roles.ccme.conf" --name "my-ccme"
**** CCME Roles Deployment - START ****
{
    "StackId": "arn:aws:cloudformation:eu-west-1:012345678910:stack/CRS-my-ccme/af11b1e0-9a5a-11ed-ab69-06562ac4f907"
}
**** CCME Roles Deployment - END ****

CCME Management Host (CMH)

CMH Configuration

The configuration of the “CCME Management Host” is described in the deployment.ccme.conf file:

#### CONFIGURATION FILE for the CCME Management Host (CMH) automatic setup ####

#### IAM
# iam_management_stack_role defines the IAM role ARN that will be attached to the Management Stack.
# The expected value is the ARN of an IAM role. Check the documentation for more information about this role.
# This parameter corresponds to the output "ParallelClusterUserRole" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_management_stack_role=

# iam_management_instance_profile defines the CCME Management Host (CMH) AWS IAM Instance Profile ARN
# This parameter corresponds to the output "ParallelClusterUserInstanceProfile" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_management_instance_profile=

# iam_dcv_proxy_lambda_certificate_role defines the DCV Certificate Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleDcvProxyCertificate" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_proxy_lambda_certificate_role=

# iam_tagging_lambda_role defines the Tagging Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleTagging" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_tagging_lambda_role=

# iam_application_load_balancer_lambda_role defines the ApplicationLoadBalancer Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleApplicationLoadBalancer" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_application_load_balancer_lambda_role=

# iam_dcv_proxy_instance_profile defines the DCV Proxy AutoScaling Group instances AWS IAM Role ARN
# This parameter corresponds to the output "DcvProxyInstanceProfile" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_proxy_instance_profile=

# iam_dcv_proxy_asg_role defines the DCV Proxy AutoScaling Group AWS IAM Role ARN
# This parameter corresponds to the output "DcvProxyAutoscalingGroupRole" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_proxy_asg_role=

# iam_cluster_lambda_role defines the ParallelCluster Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_lambda_role=

# iam_cluster_headnode_instance_profile defines the HeadNode AWS IAM Instance Profile ARN
# This parameter corresponds to the output "HeadNodeInstanceProfileSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_headnode_instance_profile=

# iam_cluster_compute_instance_profile defines the Compute Nodes AWS IAM Instance profile ARN
# This parameter corresponds to the output "ComputeNodeInstanceProfileSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_compute_instance_profile=

#### Global
# global_debug is a boolean variable. When set to true, the stack does not automatically "rollback" after any failure.
# Setting this variable is MANDATORY.
# Default value: false
# Update Policy: This setting can be changed during an update.
global_debug=false

# global_timezone is a string variable. It configures the timezone for the CMH and the clusters
# You can list available timezones as follows:
# - Typing: ``timedatectl list-timezones`` to list your linux system timezone.
# - See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# Setting this variable is MANDATORY.
# Default value: 'Europe/Paris'
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
global_timezone='Europe/Paris'

# global_sources_path is the BucketName:BucketKey where BucketName is the name of an existing s3 bucket
# and where CCME machinery will be stored at the "BucketKey" path to be used to manage clusters.
# Subfolder must end with a '/'
# Setting this variable is MANDATORY.
# E.g.: "ccme-bucket:subfolder1/subfolder2/subfolder3/"
# No default value exists.
# Update Policy for BucketName: If this setting is changed, the update is not allowed.
# Update Policy for BucketKey: If this setting is changed, the update is allowed for the CMH stack, but not the clusters.
global_sources_path=

# global_data_bucket is the Name of an existing s3 bucket where common user data is accessed by users on any cluster.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_data_bucket=

# global_logging_bucket is the Name of an existing s3 bucket where S3 access logs are stored
# for the ccme deployed s3 buckets.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_logging_bucket=

# global_logs_retention_in_days defines the retention period of CCME logs in days.
# Setting this variable is OPTIONAL.
# Pattern: 1|3|5|7|14|30|60|90|120|150|180|365|400|545|731|1096|1827|2192|2557|2922|3288|3653
# Default value: 14
# Update Policy: This setting can be changed during an update.
# global_logs_retention_in_days=14

# global_tags defines a list of tags associated to the CMH stack
# Pattern: ("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")
# Setting this variable is OPTIONAL.
# Default value: no tag
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# global_tags=("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")


#### Network
# network_vpc_id defines the VPC where the CMH should be setup. The expected value is an existing VPCId.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
network_vpc_id=

# network_alb_subnets defines the Primary and Secondary subnets (created in 2 different AZs)
# where the Application Load Balancer should be setup.
# The expected value is a pair of existing SubnetIds.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
network_alb_subnets=( "" "" )

# network_private_subnets defines the Primary and Secondary subnets (created in 2 different AZs)
# where the Active Directory and CCME Management Host should be setup.
# The expected value is a pair of existing SubnetIds.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
network_private_subnets=( "" "" )

# network_ingress_security_groups_ssh_cidr_block specifies the CIDR-formatted IP range for ingress connections to:
#   - Private Security Group
#   - Headnode Security Group
# Leaving this setting unset or set to NONE disables the ssh authorization in the security groups.
# Setting this variable is OPTIONAL.
# Pattern: NONE or x.x.x.x/x
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# network_ingress_security_groups_ssh_cidr_block=NONE

# network_additional_security_group defines one optional additional security group
# to the CMH and clusters.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# network_additional_security_group=NONE

# network_proxy defines the optional proxy for CMH and clusters
# Setting this variable is OPTIONAL.
# Pattern: protocol://host:port
# E.g.: "https://url_of_proxy:443"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# network_proxy=NONE

# network_no_proxy defines the optional list of no_proxy delimited by comma for CMH and clusters
# Setting this variable is OPTIONAL.
# Pattern: host
# E.g.: "my.domain1,my.domain2"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# network_no_proxy=NONE

# network_pip_repository defines a private pip repository
# Setting this variable is OPTIONAL.
# Pattern: protocol://host
# E.g.: "https://url_of_pip_repo"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# network_pip_repository=NONE


#### Application Load Balancer
# application_load_balancer_arn defines the application load balancer used to forward the
# portal and the visualization of CCME to the end users.
# The expected value is the ARN of the chosen Application Load Balancer
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# application_load_balancer_arn=NONE

# application_load_balancer_scheme defines if the Application Load Balancer (ALB) is "internet-facing" or "internal"
# Setting this variable is MANDATORY.
# Default value: 'internet-facing'
# Update Policy: If this setting is changed, the update is not allowed.
application_load_balancer_scheme=internet-facing

# application_load_balancer_ingress_cidr_block specifies the CIDR-formatted IP range for ingress connections to the ALB.
# Setting this variable is OPTIONAL.
# Default value: 0.0.0.0/0
# Update Policy: This setting can be changed during an update.
# application_load_balancer_ingress_cidr_block=0.0.0.0/0

# application_load_balancer_ssl_certificate defines the SSL certificate used by the Application Load Balancer being the entry point to CCME.
# The expected value is the ARN of an SSL certificate stored in AWS Certificate Manager (ACM).
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
application_load_balancer_ssl_certificate=


#### DCV Proxy
# dcv_proxy_asg_min_size defines the DCV Proxy AutoScalingGroup (asg) minimum size
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 1
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_min_size=1

# dcv_proxy_asg_max_size defines the DCV Proxy AutoScalingGroup (asg) maximum size
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 5
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_max_size=5

# dcv_proxy_asg_desired_size defines the DCV Proxy AutoScalingGroup (asg) desired size at launch
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 1
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_desired_size=1

# dcv_proxy_instance_type defines the instance type for the DCV Proxy
# Only AWS EC2 x86_64 instance type is allowed.
# Recommended value: m5a.large
# Default value: t2.micro
# Update Policy: This setting can be changed during an update.
dcv_proxy_instance_type=t2.micro

# dcv_proxy_instance_ami defines the AMI for the DCV Proxy instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# dcv_proxy_instance_ami=NONE

# dcv_proxy_instance_volume_size defines the volume size in GB for DCV Proxy instances
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: New DCV Proxy instances will be created.
# dcv_proxy_instance_volume_size=NONE


#### ActiveDirectory
# active_directory_uri defines the list of URI of the Active Directory.
# When the default (NONE) value is used, a new AWS-managed Active Directory is created and the CMH is configured to use it.
# Otherwise, the format is a comma separated list of ldap:// or ldaps:// addresses.
# Setting this variable is OPTIONAL.
# Pattern: protocol://host
# E.g., ldap://10.0.0.1,ldap://10.0.0.2
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# active_directory_uri=NONE

# active_directory_name defines the Domain Name of your Active Directory.
# If the value is NONE, then no Active Directory is deployed.
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: ccme.ad
# Update Policy: This setting can be changed during an update only if the previous and the new values are set for internal Active Directory.
# active_directory_name=NONE

# active_directory_read_only_user_dn defines the distinguished name of ReadOnlyUser account in your AD.
# The expected value is a distinguished name of the form "cn=string,OU=string,DC=string,DC=string".
# Setting this variable to a value other than the default 'ReadOnlyUser' is MANDATORY ONLY IF using a preexisting ActiveDirectory.
# Default value: ReadOnlyUser
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# active_directory_read_only_user_dn="ReadOnlyUser"

# active_directory_read_only_user_password_secret_arn defines the password of ReadOnlyUser accounts in your AD.
# The expected value is the ARN of a preexisting plaintext string stored in AWS Secrets Manager (ASM).
# E.g.: active_directory_read_only_user_password_secret_arn=arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adreadonlyuser.password-3nSOf
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires updating the deployed clusters with the updated setting.
# active_directory_read_only_user_password_secret_arn=NONE

# active_directory_admin_password_secret_arn defines the password of Admin accounts in your AD.
# The expected value is the ARN of a preexisting plaintext string stored in AWS Secrets Manager (ASM).
# E.g.: active_directory_admin_password_secret_arn=arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adadmin.password-7dFt5
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory deployed by CCME.
# Default value: NONE
# Update Policy: If this setting is changed, the update is not allowed.
# active_directory_admin_password_secret_arn=NONE

# active_directory_edition defines the ActiveDirectory edition.
# The edition is either "Standard" or "Enterprise".
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory deployed by CCME.
# Default value: 'Standard'
# Update Policy: If this setting is changed, the update is not allowed.
# active_directory_edition=Standard


#### Management Host
# management_host_instance_type defines the instance type that will be configured as a CMH
# Only AWS EC2 x86_64 instance type is allowed.
# Setting this variable is MANDATORY.
# Default value: t3a.medium
# Update Policy: This setting can be changed during an update.
management_host_instance_type=t3a.medium

# management_host_os defines the operating system of the CCME Management Host (CMH)
# Allowed values for this variable are the following:
# - al2023
# - rhel8
# - rhel9
# Setting this variable is MANDATORY.
# Default value: al2023
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
management_host_os=al2023

# management_host_ami defines the AMI for the CMH instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
# management_host_ami=NONE

# management_host_volume_size defines the volume size in GB for the CMH instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
# management_host_volume_size=NONE

# management_host_keypair_name is the Name of an existing EC2 key pair that should be used to connect to the CMH with SSH.
# If you do not specify a key pair or set the value to NONE, you can't connect to the instance
# unless you choose an AMI providing another way to log in.
# Setting this variable is OPTIONAL.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
# management_host_keypair_name=

# management_host_elastic_ip defines the address of an Elastic IP (if you already have one to use for your CMH)
# If the default value is used, CCME will request a new Elastic IP to attach it to the CMH.
# Set "NONE" to not assign a public IP.
# Setting this variable is OPTIONAL.
# Default value: 0.0.0.0
# Update Policy: This setting can be changed during an update.
# management_host_elastic_ip=0.0.0.0

# management_host_sudoer_group_name defines the group of users which is allowed to use sudo on your CMH.
# The group can be local or from Active Directory.
# If the default value is used, no group is authorized to use sudo.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# management_host_sudoer_group_name=NONE

# management_host_authorized_group_name defines the AD groups of users which are allowed to login to your CMH.
# If the default value is used, no filter is applied and everyone in AD is authorized to login.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# management_host_authorized_group_name=NONE


#### KMS Encryption
# The following variables define the ARN of KMS keys used to encrypt storages or
# communications on multiple services used by CCME.
# Setting these variables is MANDATORY.
# Value: ARN of existing KMS key
# No default value exists.

# CMH EBS encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_cmh_ebs=

# DCV Proxy encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_dcv_proxy_ebs=

# Clusters EBS encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_clusters_ebs=

# EFS and FSx encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_file_systems=

# S3 encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_s3=

# SNS encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_sns=

# CloudWatch encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_cloudwatch=

# Lambda encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_lambda=

You can modify and use this example configuration file or you can create a new file based on it. This configuration file is then used to deploy the CCME Management Host through the script named deployCCME.sh.
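A pre-deployment check for the two configuration files above, as an added example that is not part of CCME or its documentation: it reads roles.ccme.conf and deployment.ccme.conf as data (without sourcing them) and reports the settings whose documented values are permissive, such as kms_*=*, an internet-facing ALB open to 0.0.0.0/0, no AD group filter on the CMH, or ldap:// URIs. The function names, the finding wording and the sample file contents are assumptions constructed for illustration.

```python
import ipaddress
import shlex

# Defaults documented in the comments of deployment.ccme.conf for keys left commented out.
CMH_DEFAULTS = {
    "application_load_balancer_scheme": "internet-facing",
    "application_load_balancer_ingress_cidr_block": "0.0.0.0/0",
    "network_ingress_security_groups_ssh_cidr_block": "NONE",
    "management_host_authorized_group_name": "NONE",
    "active_directory_uri": "NONE",
}

# Constructed sample inputs (placeholders, not real deployments).
SAMPLE_ROLES_CONF = """\
iam_path_prefix=parallelcluster
kms_cmh_ebs=*
kms_s3=arn:aws:kms:eu-west-1:012345678910:key/EXAMPLE-KEY-ID
network_fsx_s3_access=true
# network_fsx_s3_buckets_arn_list='arn:*:s3:::ccme-fsx-*'
"""
SAMPLE_CMH_CONF = """\
global_sources_path=ccme-bucket:subfolder1
network_alb_subnets=( "" "" )
application_load_balancer_scheme=internet-facing
# application_load_balancer_ingress_cidr_block=0.0.0.0/0
network_ingress_security_groups_ssh_cidr_block=0.0.0.0/0
active_directory_uri=ldap://10.0.0.1,ldaps://10.0.0.2
management_host_authorized_group_name=ccme-admins
kms_cmh_ebs=
"""


def parse_conf(text):
    """Read key=value lines as data; the file is never sourced, so nothing in it runs."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value.startswith("(") and value.endswith(")"):  # bash array: ( "a" "b" )
            settings[key.strip()] = shlex.split(value[1:-1], comments=True)
        else:
            words = shlex.split(value, comments=True)
            settings[key.strip()] = words[0] if words else ""
    return settings


def _prefix_len(cidr):
    """Return the prefix length of a CIDR block, or None if it does not parse."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen
    except ValueError:
        return None


def audit_roles_conf(settings):
    """Findings for roles.ccme.conf as a list of (key, reason) tuples."""
    findings = [(k, "'*' allows all KMS keys") for k in sorted(settings)
                if k.startswith("kms_") and settings[k] == "*"]
    if settings.get("network_fsx_s3_access", "false") == "true":
        arns = settings.get("network_fsx_s3_buckets_arn_list", "arn:*:s3:::ccme-fsx-*")
        if "*" in arns:
            findings.append(("network_fsx_s3_buckets_arn_list", "wildcard in bucket ARN list"))
    return findings


def audit_cmh_conf(settings):
    """Findings for deployment.ccme.conf as a list of (key, reason) tuples."""
    cfg = {**CMH_DEFAULTS, **settings}
    findings = [(k, "uncommented but left empty") for k, v in settings.items()
                if v == "" or (isinstance(v, list) and "" in v)]
    alb = "application_load_balancer_ingress_cidr_block"
    if cfg["application_load_balancer_scheme"] == "internet-facing" and _prefix_len(cfg[alb]) == 0:
        findings.append((alb, "internet-facing ALB accepts any source address"))
    ssh = "network_ingress_security_groups_ssh_cidr_block"
    if cfg[ssh] != "NONE":
        length = _prefix_len(cfg[ssh])
        if length is None:
            findings.append((ssh, "not NONE and not a valid CIDR block"))
        elif length == 0:
            findings.append((ssh, "SSH ingress allowed from any source address"))
    if cfg["management_host_authorized_group_name"] == "NONE":
        findings.append(("management_host_authorized_group_name",
                         "no group filter: everyone in AD may log in to the CMH"))
    plain = [u for u in cfg["active_directory_uri"].split(",") if u.strip().startswith("ldap://")]
    if plain:
        findings.append(("active_directory_uri", "ldap:// without TLS: " + ",".join(plain)))
    bucket, sep, prefix = settings.get("global_sources_path", "").partition(":")
    if bucket and not (sep and prefix.endswith("/")):
        findings.append(("global_sources_path", "expected BucketName:BucketKey ending with '/'"))
    return findings


if __name__ == "__main__":
    results = audit_roles_conf(parse_conf(SAMPLE_ROLES_CONF))
    for item in results + audit_cmh_conf(parse_conf(SAMPLE_CMH_CONF)):
        print("%s: %s" % item)
```

To check real files, pass the contents of each file to parse_conf and the result to the matching audit function before running deployCCME.sh.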

Resources

The resources deployed in your AWS account by the CCME Management Host are:

  • An AWS Lambda with a log group in /ccme/ccme-lambda-alb-${StackId}

  • An AWS EC2 instance as CCME Management Host

  • Optional

    • An Active Directory

    • An Application Load Balancer

    • Multiple AWS EC2 security-groups

Those resources are named using ccme as prefix and -Stack_id as suffix. For example, the LambdaALB resource is named ccmeLambdaALB-7225f980-0a8a-11ee-81f0-06c4c07a0d95:

  • ccme as prefix

  • A variable information related to the resource: LambdaALB in this case

  • The stack_id of the CMH stack as a suffix, preceded by a -: -7225f980-0a8a-11ee-81f0-06c4c07a0d95 in our case

The only exception to this rule is the Application Load Balancer (ALB). The ALB uses -Stack_name instead of -Stack_id as suffix, due to restrictions on the length of the name of the ALB.

Deployment

The following command will create all the environment needed for CCME and create a Management Host named my_ccme_mgt_host. First, it uploads all the source code of CCME to the ccme_bucket_path specified in the deployment.ccme.conf file; this is mandatory on a first deployment. For further deployments, you can directly reuse the same bucket if no code change has been made.

$ ./deployCCME.sh --update --create-management-host --conf-management "my-ccme.deployment.ccme.conf" --name "my-ccme"
**** CCME Bucket Update - START ****
**** CCME Bucket Update - END ****
**** CCME ManagementHost Deployment - START ****
{
    "StackId": "arn:aws:cloudformation:eu-west-1:012345678910:stack/CMH-my-ccme/bf11b1e0-9a5a-11ed-ab69-06562ac4f907"
}
**** CCME ManagementHost Deployment - END ****

Customization

Custom Ansible Scripts

On top of CCME-specific configurations, you can integrate your own custom scripts into the CCME Management Host. To deploy a CMH that embeds and executes your own scripts, place them in the management/custom directory and synchronize this directory to the S3 bucket. You can provide your own Ansible playbooks to add specific configurations to the CMH; they must follow the naming convention management/custom/install-*-management.yaml.

Custom ParallelCluster configuration files

On top of the ParallelCluster example configuration files provided with CCME, you can provide your own Jinja template along with a set of parameters to generate your own configuration files.

To do so, you just need to:

  • add your templates in management/custom and name them with the following pattern *.pcluster.config.j2,

  • add any specific configuration variable in the management/custom/pcluster.vars.yaml file (YAML format). All variables in this file will be assigned under the custom variable. This means that if you declare myvar: myval, it will be available as custom.myvar in your *.pcluster.config.j2 files.

management/custom/custom.pcluster.config.j2
Region: '{{ AWS_REGION }}'
CustomS3Bucket: '{{ CCME_CLUSTER_S3BUCKET }}'
Iam:
  Roles:
    LambdaFunctionsRole: '{{ CCME_CLUSTER_LAMBDA_ROLE }}'
  # If the role associated to the cluster includes a custom IAM path prefix,
  # replace "parallelcluster" by the custom IAM path prefix.
  ResourcePrefix: "{{ CCME_CLUSTER_HEADNODE_INSTANCE_PROFILE.split('/')[1] }}"
Image:
  Os: alinux2
  # CustomAmi:
Tags:
{% for key, value in CCME_TAGS.items() %}
{% if "aws:" not in key and key != "Name" %}
  - Key: {{ key }}
    Value: "{{ value }}"
{% endif %}
{% endfor %}
SharedStorage:
  - Name: shared
    StorageType: Efs
    MountDir: shared
    EfsSettings:
{% if "NONE" not in CCME_KMS_FILE_SYSTEMS %}
      Encrypted: true
      KmsKeyId: {{ CCME_KMS_FILE_SYSTEMS }}
{% else %}
      Encrypted: false
{% endif %}
HeadNode:
  InstanceType: {{ custom.headinsttype }}
  Networking:
    SubnetId: '{{ CCME_SUBNET }}'
    SecurityGroups:
      - '{{ CCME_HEADNODE_SG }}'
{% if CCME_PROXY is defined and CCME_PROXY and CCME_PROXY != "NONE" %}
    Proxy:
      HttpProxyAddress: '{{ CCME_PROXY }}'
{% endif %}
  Ssh:
    KeyName: '{{ AWS_KEYNAME }}'
  CustomActions:
    OnNodeStart:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/pre-install.sh
    OnNodeConfigured:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/post-install.sh
    OnNodeUpdated:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/update-install.sh
      Args:
        - CCME_CMH_NAME={{ CCME_CMH_NAME }}
        - CCME_S3FS={{ CCME_DATA_BUCKET }}
        - CCME_JSLOGS_BUCKET={{ CCME_DATA_BUCKET }}
        # CCME_SHARED_DIR is a mandatory parameter: it must be the mountdir of one of the SharedStorage
        # It will be used to store CCME shared files with the compute nodes. Especially EnginFrame spoolers
        # which may require a large storage space depending on how it is used.
        # Update Policy: this parameter must not be changed during an update
        - CCME_SHARED_DIR=shared
{% if CCME_NO_PROXY is defined and CCME_NO_PROXY and CCME_NO_PROXY != "NONE" %}
        - CCME_NO_PROXY={{ CCME_NO_PROXY }}
{% endif %}
        # - CCME_OIDC=default
        # - CCME_USER_HOME=/shared-filesystem/home/%u
        # - CCME_DNS=NONE
        - CCME_WIN_LAUNCH_TEMPLATE_ID={{ CCME_WIN_LAUNCH_TEMPLATE_ID }}
        # - CCME_WIN_AMI=NONE
        # - CCME_WIN_INSTANCE_TYPE=NONE
        # - CCME_WIN_INACTIVE_SESSION_TIME=600
        # - CCME_WIN_NO_SESSION_TIME=600
        # - CCME_WIN_NO_BROKER_COMMUNICATION_TIME=600
        # - CCME_LIN_INACTIVE_SESSION_TIME=3600
        # - CCME_EF_ADMIN_GROUP=
        # - CCME_EFADMIN_PASSWORD=
{% if CCME_REPOSITORY_PIP is defined and CCME_REPOSITORY_PIP and CCME_REPOSITORY_PIP != "NONE" %}
        - CCME_REPOSITORY_PIP={{ CCME_REPOSITORY_PIP }}
{% endif %}
  Iam:
    InstanceProfile: '{{ CCME_CLUSTER_HEADNODE_INSTANCE_PROFILE }}'
Scheduling:
  Scheduler: slurm
  SlurmSettings:
    Dns:
      # If the role associated to the cluster is not authorized to use Route 53,
      # set "DisableManagedDns" to true.
      DisableManagedDns: False
  SlurmQueues:
{% for queue in custom.queues %}
    - Name: {{ queue.Name }}
      CapacityType: ONDEMAND
      ComputeResources:
{% for cr in queue.InstanceTypes %}
        - Name: {{ cr | replace('.', '') }}
          InstanceType: {{ cr }}
          MinCount: 0
          MaxCount: 10
{% endfor %}
      CustomActions:
        OnNodeStart:
          Script: s3://{{ CCME_SOURCES }}CCME/sbin/pre-install.sh
        OnNodeConfigured:
          Script: s3://{{ CCME_SOURCES }}CCME/sbin/post-install.sh
      Iam:
        InstanceProfile: '{{ CCME_CLUSTER_COMPUTE_INSTANCE_PROFILE }}'
      Networking:
        SubnetIds:
          - '{{ CCME_SUBNET }}'
        SecurityGroups:
          - '{{ CCME_COMPUTE_SG }}'
{% if CCME_PROXY is defined and CCME_PROXY and CCME_PROXY != "NONE" %}
        Proxy:
          HttpProxyAddress: '{{ CCME_PROXY }}'
{% endif %}
{% endfor %}
{% if CCME_AD_DIR_NAME != "NONE" %}
DirectoryService:
  DomainName: {{ CCME_AD_DIR_NAME }}
  DomainAddr: {% for adip in CCME_AD_IPS.split(',') %}{% if adip == CCME_AD_IPS.split(',')[0] %}ldap://{{ adip }}{% else %},ldap://{{ adip }}{% endif %}{% endfor %}{{''}}
  PasswordSecretArn: {{ CCME_AD_READ_ONLY_USER_PASSWORD }}
  DomainReadOnlyUser: {% if CCME_AD_ORIGIN == "external" %}{{ CCME_AD_READ_ONLY_USER_DN }}{% elif CCME_AD_ORIGIN == "internal" %}cn=ReadOnlyUser,ou=Users,ou={{ CCME_AD_DIR_NAME.split('.')[0] }}{% for addn in CCME_AD_DIR_NAME.split('.') %},dc={{ addn }}{% endfor %}{% endif %}{{''}}
  # "never" means the LDAP server certificate is not verified.
  LdapTlsReqCert: never
  # LdapAccessFilter
  AdditionalSssdConfigs:
    # debug_level: "0x1ff"
    ldap_auth_disable_tls_never_use_in_production: True
{% endif %}
Imds:
  ImdsSupport: v2.0
DevSettings:
  Timeouts:
    HeadNodeBootstrapTimeout: 2400
    ComputeNodeBootstrapTimeout: 1800

management/custom/pcluster.vars.yaml
################################################################################
# Copyright (c) 2017-2025 UCit SAS
# All Rights Reserved
#
# This software is the confidential and proprietary information
# of UCit SAS ("Confidential Information").
# You shall not disclose such Confidential Information
# and shall use it only in accordance with the terms of
# the license agreement you entered into with UCit.
################################################################################
# This file can be used to set custom variables used to render the *.pcluster.config.j2 templates
# All variables in this file will be assigned under the "custom" variable.
# This means that if you declare "myvar: myval", it will be available as custom.myvar
headinsttype: t3.xlarge
queues:
  - Name: basic-slurm
    InstanceTypes:
      - c5n.18xlarge
      - c5n.xlarge
  - Name: dcv-gpu
    InstanceTypes:
      - g4dn.xlarge
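
A pre-deployment check for the configuration this template renders, as an added example that is not part of CCME: it reads a rendered ParallelCluster file on standard input and reports the template settings that weaken transport or storage protection (LdapTlsReqCert: never, the ldap_auth_disable_tls_never_use_in_production SSSD option, ldap:// addresses, Encrypted: false) as well as a missing ImdsSupport: v2.0. The function names, finding IDs and both sample fragments are constructed for illustration; LdapTlsCaCert and LdapTlsReqCert: hard in the hardened fragment are standard ParallelCluster DirectoryService settings, not values taken from this page.

```shell
# Added example, not CCME code. Finding IDs and sample values are constructed.

# flag_if ID REGEX: print ID when REGEX matches a line of $body
flag_if() {
    if printf '%s\n' "$body" | grep -Ei "$2" >/dev/null; then echo "$1"; fi
}

# audit_pcluster_config < rendered.yaml: prints one finding ID per line
audit_pcluster_config() {
    # Drop YAML comments so commented-out keys are not reported.
    # Assumption: no value in the file contains a literal '#'.
    body=$(sed 's/[[:space:]]*#.*$//')
    flag_if LDAP_CERT_NOT_VERIFIED '^[[:space:]]*LdapTlsReqCert:[[:space:]]*never[[:space:]]*$'
    flag_if LDAP_AUTH_WITHOUT_TLS '^[[:space:]]*ldap_auth_disable_tls_never_use_in_production:[[:space:]]*true[[:space:]]*$'
    flag_if LDAP_PLAINTEXT_URI '^[[:space:]]*DomainAddr:.*ldap://'
    flag_if EFS_NOT_ENCRYPTED '^[[:space:]]*Encrypted:[[:space:]]*false[[:space:]]*$'
    # Regression check: the template pins IMDSv2; report if that line is lost.
    if ! printf '%s\n' "$body" | grep -E '^[[:space:]]*ImdsSupport:[[:space:]]*v2\.0[[:space:]]*$' >/dev/null; then
        echo IMDSV2_NOT_ENFORCED
    fi
}

sample_weak() {  # constructed: template output with an AD and no KMS key
cat <<'EOF'
    EfsSettings:
      Encrypted: false
DirectoryService:
  DomainAddr: ldap://10.0.0.10,ldap://10.0.0.11
  LdapTlsReqCert: never
  AdditionalSssdConfigs:
    ldap_auth_disable_tls_never_use_in_production: True
Imds:
  ImdsSupport: v2.0
EOF
}

sample_hardened() {  # constructed: same fragment with LDAPS, verification, encryption
cat <<'EOF'
    EfsSettings:
      Encrypted: true
      KmsKeyId: KMS_KEY_ID_PLACEHOLDER
DirectoryService:
  DomainAddr: ldaps://dc1.corp.example.com
  LdapTlsCaCert: /etc/openldap/cacerts/ca.pem
  LdapTlsReqCert: hard
Imds:
  ImdsSupport: v2.0
EOF
}
```

Run it as `audit_pcluster_config < rendered-config.yaml` before creating or updating a cluster; empty output means none of these settings were found.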

Connection

There are two network possibilities to connect to the Management Host:

  • From authorized IP / CIDR with a Public IP attributed to the CCME Management Host

  • From authorized IP / CIDR with a Private IP, using an instance in the same VPC (e.g.: bastion, proxy/bounce server…)

There are two user possibilities to connect to the Management Host:

  • CCME Admin user: ec2-user

  • User from the ActiveDirectory

    • Must be in the group authorized to connect to the Management Host, as defined by the variable “management_host_authorized_group” of the configuration file described in the section “Configuration”

The required information is:

  • Username (ManagementHostUser): available in the CloudFormation output of the CCME ManagementHost stack

    • ssh key: For the local user named ec2-user

    • password: For user from the Active Directory

  • IP address: available in the CloudFormation output of the CCME ManagementHost stack

    • Public IP (ManagementHostPublicIP)

    • Private IP (ManagementHostPrivateIP)

You can retrieve the output from the Management Host stack from the AWS Console as in this example:

| Key | Value | Description |
|---|---|---|
| ManagementHostPrivateIP | 10.0.0.32 | Private IP Address of the Management Host |
| ManagementHostPublicIP | 54.122.171.48 | Public IP address of the ManagementHost |
| ManagementHostUser | ec2-user | User of the Management Host |