Management Host

Warning

If you are updating CCME from a version prior to 6.0.0 to version 6.0.0, please review Update to 6.0.0 to understand the changes in parameters.

Prerequisites

CCME deployment can be done with the basic CCME automation configuration or manually. Even with the automated deployment, you can still manually modify the CCME and AWS ParallelCluster configuration of your clusters.

The CCME_x.y.z directory contains the following files and directories:

  • deployCCME.sh: the script to start the Management Host

  • roles.ccme.conf: the configuration file for the CCME Roles Stack (CRS)

  • deployment.ccme.conf: the configuration file for the CCME Management Host (CMH)

  • dependencies.yaml: the version of the dependencies used in CCME

  • CCME/: the scripts to configure a CCME cluster

  • management/: the scripts to deploy the Management Host and associated services

  • doc/: this documentation

You will first need to untar the CCME_x.y.z.tar.gz archive to get access to the code on your local machine (which needs to have access to AWS and have the AWS CLI installed and configured):

mkdir "CCME_x.y.z"
tar xvf "CCME_x.y.z.tar.gz" -C "CCME_x.y.z"
cd "CCME_x.y.z"

deployCCME.sh

This is the script that you need to use to deploy the initial stacks for the CCME roles, the Management Host and the associated services.

$ ../../deployCCME.sh --help
Usage: deployCCME.sh [-h|--help] [-r|--create-roles-stack] [-m|--create-management-stack] [-cr|--conf-roles <crs_conf_file>] [-cm|--conf-management <cmh_conf_file>] [-s|--set-management-roles <stack_name>] [-n|--name <stack_name>] [-u|--update] [-nr|--no-rollback] [-p|--profile <aws_profile>]

deployCCME can be used to update the CCME bucket set in <conf_file> and/or to deploy a CCME Management Host

Options :
  -r|--create-roles-stack                           Create CCME Roles Stack (CRS) with a name built with the prefix 'CRS-' and the selected -n|--name option
  -m|--create-management-host                       Create CCME Management Host (CMH) with a name built with the the prefix 'CMH-' and the -n|--name option
  -ur|--update-roles-stack                          Update the deployed CCME Roles Stack (CRS) named with the -n|--name option
  -um|--update-management-host                      Update the deployed CCME Management Host (CMH) named with the -n|--name option
  -cr|--conf-roles              <crs_conf_file>     Reads a configuration file for the CCME Roles Stack (CRS)
  -cm|--conf-management         <cmh_conf_file>     Reads a configuration file for the CCME Management Host (CMH) and update action
  -s|--set-management-roles     <stack_name>        Replace the IAM Roles in the CCME Management Host (CMH) configuration file with the CCME Roles Stack (CRS) outputs
  -n|--name                     <stack_name>        Defines the name of the stack deployed by the script (default is CCME)
  -u|--update                                       Updates the CCME bucket
  -nr|--no-rollback                                 Disables rollback of the CMH creation stack in CloudFormation when the stack fails
  -p|--profile                  <aws_profile>       Use non-default AWS credentials profile with aws commmand
  -h/--help                                         Help

CCME Roles Stack (CRS)

CRS Configuration

The configuration of the “CCME Roles Stack” is described in the roles.ccme.conf file:

#### CONFIGURATION FILE for the CCME Roles Stack (CRS) automatic setup ####

#### IAM Configuration
# iam_path_prefix defines the prefix of the IAM roles created by the stack
# The expected value is a string prefix like "ccme" or "parallelcluster".
# Setting this variable is MANDATORY.
# Default value: parallelcluster
iam_path_prefix=parallelcluster


#### Global
# global_tags defines a list of tags associated to the CMH stack
# Pattern: ("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")
# Setting this variable is OPTIONAL.
# Default value: no tag
# Update Policy: This setting can be changed during an update and requires to update the CMH and deployed clusters with the updated setting.
# global_tags=("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")

# global_sources_path is the BucketName:BucketKey where BucketName is the name of an existing s3 bucket
# and where CCME machinery will be stored at the "BucketKey" path to be used to manage clusters.
# E.g.: "ccme-bucket:subfolder1/subfolder2/subfolder3/"
# Subfolder must end with a '/'
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy for BucketName: If this setting is changed, the update is not allowed for the CMH stack and the clusters.
# Update Policy for BucketKey: If this setting is changed, the update is allowed for the CMH stack, but not the clusters.
global_sources_path=

# global_data_bucket is the Name of an existing s3 bucket where common user data is accessed by users on any cluster.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_data_bucket=

# global_read_bucket_prefix defines the prefix of buckets allowing read only from CMH and Clusters.
# Setting this variable is OPTIONAL.
# No default value exists.
# Update Policy: This setting can be changed during an update.
# global_read_bucket_prefix=

# global_read_write_bucket_prefix defines the prefix of buckets allowing read-write from CMH and Clusters.
# Setting this variable is OPTIONAL.
# No default value exists.
# Update Policy: This setting can be changed during an update.
# global_read_write_bucket_prefix=

# global_secrets_prefix defines the prefix of the secrets stored in AWS Secrets Manager
# CCME requires AWS secrets; each secret must be registered with a name starting with the same prefix.
# Setting this variable is MANDATORY.
# No default value exists.
# E.g.: "ccme-prefix"
# E.g. of secret using this prefix: "arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adreadonlyuser.password-7dFt5"
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
global_secrets_prefix=


#### Network
# network_route53_access defines the possibility of Route53 creation and usage
# for each cluster.
# Setting this variable is OPTIONAL.
# Value: true or false
# Default value: true
# network_route53_access=true

# network_fsx_s3_access defines whether FSx can access s3 buckets
# Setting this variable is OPTIONAL.
# Value: true or false
# Default value: false
# network_fsx_s3_access=false

# network_fsx_s3_buckets_arn_list defines the list of S3 buckets to allow the lambda function
# to import/export from/to S3 when creating an FSx filesystem.
# The expected value is a comma separated list of S3 bucket ARNs.
# NOTE - The setting is used only when network_fsx_s3_access is set to true.
# E.g.: arn:aws:s3:::<S3_BUCKET_1>,arn:aws:s3:::<S3_BUCKET_2>
# Setting this variable is OPTIONAL.
# Default value: arn:*:s3:::ccme-fsx-*
# network_fsx_s3_buckets_arn_list='arn:*:s3:::ccme-fsx-*'

#### Clusters
# cluster_prefix defines the prefix of the future clusters
# Used to restrict rights to CloudWatch dashboards
# Setting this variable is MANDATORY.
# Default value is "ccme-".
cluster_prefix="ccme-"

# cluster_admin_sns_topic_arn defines the admin SNS topic ARN to which you want to
# deliver information about the cluster when it is ready to be used.
# For example, you can configure your SNS topic to deliver the information
# by email to the administrator of the platform
# Setting this variable is OPTIONAL.
# No default value exists.
# E.g.: arn:aws:sns:REGION:ACCOUNT:TOPICNAME
# cluster_admin_sns_topic_arn=


#### KMS Encryption
# The following variables define the ARN of KMS keys used to encrypt storages or
# communications on multiple services used by CCME.
# Setting these variables is MANDATORY.
# Value: ARN of existing KMS key
# Default value is '*' (allow all keys)

# CMH EBS encryption
kms_cmh_ebs=*

# DCV Proxy encryption
kms_dcv_proxy_ebs=*

# Clusters EBS encryption
kms_clusters_ebs=*

# Additional KMS key for CMH and Clusters encryption.
# kms_additional_key=NONE

# FSx encryption
kms_file_systems=*

# S3 encryption
kms_s3=*

# SNS encryption
kms_sns=*

# Secrets Manager encryption
kms_secrets=*

# CloudWatch encryption
kms_cloudwatch=*

# Lambda encryption
kms_lambda=*

You can modify and use this example configuration file or you can create a new file based on it. This configuration file is then used to deploy the CCME Management Host through the script named deployCCME.sh.

Deployment

The following command will create all the IAM roles needed for CCME in a CCME Roles Stack.

$ ./deployCCME.sh --create-roles-stack --conf-roles "my-ccme.roles.ccme.conf" --name "my-ccme"
**** CCME Roles Deployment - START ****
{
    "StackId": "arn:aws:cloudformation:eu-west-1:012345678910:stack/CRS-my-ccme/af11b1e0-9a5a-11ed-ab69-06562ac4f907"
}
**** CCME Roles Deployment - END ****

CCME Management Host (CMH)

CMH Configuration

The configuration of the “CCME Management Host” is described in the deployment.ccme.conf file:

#### CONFIGURATION FILE for the CCME Management Host (CMH) automatic setup ####

#### IAM
# iam_management_stack_role defines the IAM role ARN that will be attached to the Management Stack.
# The expected value is the ARN of an IAM role. Check the documentation for more information about this role.
# This parameter corresponds to the output "ParallelClusterUserRole" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_management_stack_role=

# iam_management_instance_profile defines the CCME Management Host (CMH) AWS IAM Instance Profile ARN
# This parameter corresponds to the output "ParallelClusterUserInstanceProfile" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_management_instance_profile=

# iam_dcv_proxy_lambda_certificate_role defines the DCV Certificate Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleDcvProxyCertificate" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_proxy_lambda_certificate_role=

# iam_tagging_lambda_role defines the Tagging Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleTagging" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_tagging_lambda_role=

# iam_dcvsm_ddb_cleanup_lambda_role defines the DCVSM DynamoDB Cleanup Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleDcvsmDdbCleanup" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcvsm_ddb_cleanup_lambda_role=

# iam_dcv_asg_lambda_role defines the DCV ASG Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleDcvAsg" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_asg_lambda_role=

# iam_application_load_balancer_lambda_role defines the ApplicationLoadBalancer Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleApplicationLoadBalancer" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_application_load_balancer_lambda_role=

# iam_dcv_proxy_instance_profile defines the DCV Proxy AutoScaling Group instances AWS IAM Role ARN
# This parameter corresponds to the output "DcvProxyInstanceProfile" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
iam_dcv_proxy_instance_profile=

# iam_cluster_lambda_role defines the ParallelCluster Lambda AWS IAM Role ARN
# This parameter corresponds to the output "CustomLambdaResourcesRoleSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_lambda_role=

# iam_cluster_headnode_instance_profile defines the HeadNode AWS IAM Instance Profile ARN
# This parameter corresponds to the output "HeadNodeInstanceProfileSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_headnode_instance_profile=

# iam_cluster_compute_instance_profile defines the Compute Nodes AWS IAM Instance profile ARN
# This parameter corresponds to the output "ComputeNodeInstanceProfileSlurm" of the CCME Roles Stack (CRS)
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
iam_cluster_compute_instance_profile=

#### Global
# global_debug is a boolean variable. When set to true, the stack does not automatically "rollback" after any failure.
# Setting this variable is MANDATORY.
# Default value: false
# Update Policy: This setting can be changed during an update.
global_debug=false

# global_timezone is a string variable. It configures the timezone for the CMH and the clusters
# You can list available timezones as follows:
# - Typing: ``timedatectl list-timezones`` to list the timezones of your Linux system.
# - See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# Setting this variable is MANDATORY.
# Default value: 'Europe/Paris'
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
global_timezone='Europe/Paris'

# global_sources_path is the BucketName:BucketKey where BucketName is the name of an existing s3 bucket
# and where CCME machinery will be stored at the "BucketKey" path to be used to manage clusters.
# Subfolder must end with a '/'
# Setting this variable is MANDATORY.
# E.g.: "ccme-bucket:subfolder1/subfolder2/subfolder3/"
# No default value exists.
# Update Policy for BucketName: If this setting is changed, the update is not allowed.
# Update Policy for BucketKey: If this setting is changed, the update is allowed for the CMH stack, but not the clusters.
global_sources_path=

# global_data_bucket is the Name of an existing s3 bucket where common user data is accessed by users on any cluster.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_data_bucket=

# global_logging_bucket is the Name of an existing s3 bucket where S3 access logs are stored
# for the ccme deployed s3 buckets.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
global_logging_bucket=

# global_logs_retention_in_days defines the retention period of CCME logs in days.
# Setting this variable is OPTIONAL.
# Pattern: 1|3|5|7|14|30|60|90|120|150|180|365|400|545|731|1096|1827|2192|2557|2922|3288|3653
# Default value: 14
# Update Policy: This setting can be changed during an update.
# global_logs_retention_in_days=14

# global_tags defines a list of tags associated to the CMH stack
# Pattern: ("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")
# Setting this variable is OPTIONAL.
# Default value: no tag
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# global_tags=("Key=your_key,Value=your_value" "Key=your_key,Value=your_value")


#### Network
# network_vpc_id defines the VPC where the CMH should be setup. The expected value is an existing VPCId.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
network_vpc_id=

# network_alb_subnets defines the Primary and Secondary subnets (created in 2 different AZs)
# where the Application Load Balancer should be setup.
# The expected value is a pair of existing SubnetIds.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
network_alb_subnets=( "" "" )

# network_private_subnets defines the Primary and Secondary subnets (created in 2 different AZs)
# where the Active Directory and CCME Management Host should be setup.
# The expected value is a pair of existing SubnetIds.
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
network_private_subnets=( "" "" )

# network_ingress_security_groups_ssh_cidr_block specifies the CIDR-formatted IP range for ingress connections to:
#   - Private Security Group
#   - Headnode Security Group
# If this setting is not set or is set to NONE, the ssh authorization is disabled in the security groups.
# Setting this variable is OPTIONAL.
# Pattern: NONE or x.x.x.x/x
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# network_ingress_security_groups_ssh_cidr_block=NONE

# network_security_groups_login_nodes_ingress_ssh_cidr_block specifies the CIDR-formatted IP range for ingress connections to:
#   - LoginNodes Security Group
# Setting this variable is OPTIONAL.
# Pattern: NONE or x.x.x.x/x
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# network_security_groups_login_nodes_ingress_ssh_cidr_block=NONE

# network_additional_security_group defines one optional additional security group
# to the CMH and clusters.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# network_additional_security_group=NONE

# network_proxy defines the optional proxy for CMH and clusters
# Setting this variable is OPTIONAL.
# Pattern: protocol://host:port
# E.g.: "https://url_of_proxy:443"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# network_proxy=NONE

# network_no_proxy defines the optional list of no_proxy delimited by comma for CMH and clusters
# Setting this variable is OPTIONAL.
# Pattern: host
# E.g.: "my.domain1,my.domain2"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# network_no_proxy=NONE

# network_pip_repository defines a private pip repository
# Setting this variable is OPTIONAL.
# Pattern: protocol://host
# E.g.: "https://url_of_pip_repo"
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# network_pip_repository=NONE


#### Application Load Balancer
# application_load_balancer_arn defines the application load balancer used to forward the
# portal and the visualization of CCME to the end users.
# The expected value is the ARN of the chosen Application Load Balancer
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# application_load_balancer_arn=NONE

# application_load_balancer_scheme defines if the Application Load Balancer (ALB) is "internet-facing" or "internal"
# Setting this variable is MANDATORY.
# Default value: 'internet-facing'
# Update Policy: If this setting is changed, the update is not allowed.
application_load_balancer_scheme=internet-facing

# application_load_balancer_ingress_cidr_block specifies the CIDR-formatted IP range for ingress connections to the ALB.
# Setting this variable is OPTIONAL.
# Default value: 0.0.0.0/0
# Update Policy: This setting can be changed during an update.
# application_load_balancer_ingress_cidr_block=0.0.0.0/0

# application_load_balancer_ssl_certificate defines the SSL certificate used by the Application Load Balancer being the entry point to CCME.
# The expected value is the ARN of an SSL certificate stored in AWS Certificate Manager (ACM).
# Setting this variable is MANDATORY.
# No default value exists.
# Update Policy: This setting can be changed during an update.
application_load_balancer_ssl_certificate=


#### DCV Proxy
# dcv_proxy_asg_min_size defines the DCV Proxy AutoScalingGroup (asg) minimum size
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 1
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_min_size=1

# dcv_proxy_asg_max_size defines the DCV Proxy AutoScalingGroup (asg) maximum size
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 5
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_max_size=5

# dcv_proxy_asg_desired_size defines the DCV Proxy AutoScalingGroup (asg) desired size at launch
# Setting this variable is MANDATORY.
# Pattern: Number
# Default value: 1
# Update Policy: This setting can be changed during an update.
dcv_proxy_asg_desired_size=1

# dcv_proxy_instance_type defines the instance type for the DCV Proxy
# Only AWS EC2 x86_64 instance type is allowed.
# Recommended value: m5a.large
# Default value: t2.micro
# Update Policy: This setting can be changed during an update.
dcv_proxy_instance_type=t2.micro

# dcv_proxy_instance_ami defines the AMI for the DCV Proxy instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# dcv_proxy_instance_ami=NONE

# dcv_proxy_instance_volume_size defines the volume size in GB for DCV Proxy instances
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: New DCV Proxy instances will be created.
# dcv_proxy_instance_volume_size=NONE


#### ActiveDirectory
# active_directory_id defines the id of the Microsoft or Simple Active Directory.
# This variable allows to manage user accounts from the CCME Management Host.
# Setting this variable is OPTIONAL.
# Pattern: d-xxxxxxxxxx
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# active_directory_id=NONE

# active_directory_uri defines the list of URI of the Active Directory.
# The format is a comma separated list of ldap:// or ldaps:// addresses.
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Pattern: protocol://host
# E.g., ldap://10.0.0.1,ldap://10.0.0.2
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# active_directory_uri=NONE

# active_directory_name defines the Domain Name of your Active Directory.
# If the value is NONE, then no Active Directory is bound to CCME.
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: ccme.ad
# Update Policy: This setting can be changed during an update only if the previous and the new values are set for internal Active Directory.
# active_directory_name=NONE

# active_directory_read_only_user_dn defines the distinguished name of ReadOnlyUser account in your AD.
# E.g., "CN=string,OU=string,DC=string,DC=string".
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# active_directory_read_only_user_dn=NONE

# active_directory_read_only_user_password_secret_arn defines the password of ReadOnlyUser accounts in your AD.
# The expected value is the preexisting ARN of a plaintext string stored in AWS Secrets Manager (ASM).
# E.g.: active_directory_read_only_user_password_secret_arn=arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adreadonlyuser.password-3nSOf
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: NONE
# Update Policy: This setting can be changed during an update and requires to update the deployed clusters with the updated setting.
# active_directory_read_only_user_password_secret_arn=NONE

# active_directory_admin_password_secret_arn defines the password of Admin accounts in your AD.
# The expected value is the preexisting ARN of a plaintext string stored in AWS Secrets Manager (ASM).
# E.g.: active_directory_admin_password_secret_arn=arn:aws:secretsmanager:eu-west-1:012345678910:secret:ccme-prefix-adadmin.password-7dFt5
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory deployed by CCME.
# Default value: NONE
# Update Policy: If this setting is changed, the update is not allowed.
# active_directory_admin_password_secret_arn=NONE

# active_directory_ssh_public_key_attribute defines the ActiveDirectory ssh public key.
# If the value is NONE, then the ssh to the CCME ManagementHost with a ssh public key stored in
# the ActiveDirectory will be disabled.
# Setting this variable is MANDATORY ONLY IF using ActiveDirectory.
# Default value: ccme.ad
# Update Policy: This setting can be changed during an update only if the previous and the new values are set for internal Active Directory.
# active_directory_name=NONE

#### Management Host
# management_host_instance_type defines the instance type that will be configured as a CMH
# Only AWS EC2 x86_64 instance type is allowed.
# Setting this variable is MANDATORY.
# Default value: t3a.medium
# Update Policy: This setting can be changed during an update.
management_host_instance_type=t3a.medium

# management_host_os defines the operating system of the CCME Management Host (CMH)
# Allowed values for this variable are the following:
# - al2023
# - rhel8
# - rhel9
# Setting this variable is MANDATORY.
# Default value: al2023
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
management_host_os=al2023

# management_host_ami defines the AMI for the CMH instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
# management_host_ami=NONE

# management_host_volume_size defines the volume size in GB for the CMH instance
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update. WARNING: A new CMH instance will be created.
# management_host_volume_size=NONE

# management_host_keypair_name is the Name of an existing EC2 key pair that should be used to connect to the CMH with SSH.
# If you do not specify a key pair or set the value to NONE, you can't connect to the instance
# unless you choose an AMI providing another way to log in.
# Setting this variable is OPTIONAL.
# No default value exists.
# Update Policy: If this setting is changed, the update is not allowed.
# management_host_keypair_name=

# management_host_elastic_ip defines the address of an Elastic IP (if you already have one to use for your CMH)
# If the default value is used, CCME will request a new Elastic IP to attach it to the CMH.
# Set "NONE" to not assign a public IP.
# Setting this variable is OPTIONAL.
# Default value: 0.0.0.0
# Update Policy: This setting can be changed during an update.
# management_host_elastic_ip=0.0.0.0

# management_host_sudoer_group_name defines the group of users which is allowed to use sudo on your CMH.
# The group can be local or from Active Directory.
# If the default value is used, no group is authorized to use sudo.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# management_host_sudoer_group_name=NONE

# management_host_authorized_group_name defines the AD groups of users which are allowed to login to your CMH.
# If the default value is used, no filter is applied and everyone in AD is authorized to login.
# Setting this variable is OPTIONAL.
# Default value: NONE
# Update Policy: This setting can be changed during an update.
# management_host_authorized_group_name=NONE


#### KMS Encryption
# The following variables define the ARN of KMS keys used to encrypt storages or
# communications on multiple services used by CCME.
# Setting these variables is MANDATORY.
# Value: ARN of existing KMS key
# No default value exists.

# CMH EBS encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_cmh_ebs=

# DCV Proxy encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_dcv_proxy_ebs=

# Clusters EBS encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_clusters_ebs=

# EFS and FSx encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_file_systems=

# S3 encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_s3=

# SNS encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_sns=

# CloudWatch encryption
# Update Policy: If this setting is changed, the update is not allowed.
kms_cloudwatch=

# Lambda encryption
# Update Policy: This setting can be changed during an update if the CCME Role Stack allows access to the resource ARN.
kms_lambda=

You can modify and use this example configuration file or you can create a new file based on it. This configuration file is then used to deploy the CCME Management Host through the script named deployCCME.sh.
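
Several defaults in the two configuration files widen access: the '*' KMS wildcard in roles.ccme.conf, the 0.0.0.0/0 ingress default of an internet-facing ALB, and an unset management_host_authorized_group_name. The linter below is an added example, not part of CCME, that checks both files before deployCCME.sh is run; its function names, messages and sample values are assumptions, and it reads the files as text rather than sourcing them.

```shell
#!/bin/sh
# Added example, not part of CCME: static lint of roles.ccme.conf and
# deployment.ccme.conf. The files are parsed as text and never sourced, so a
# tampered conf file cannot run code on the operator's machine.
KMS_KEYS="kms_cmh_ebs kms_dcv_proxy_ebs kms_clusters_ebs kms_file_systems kms_s3 kms_sns kms_cloudwatch kms_lambda"

# conf_get FILE KEY [DEFAULT]: value of the last uncommented KEY= line with
# surrounding quotes removed, or DEFAULT (the documented default) when unset.
conf_get() {
    _v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 |
         sed -e 's/[[:space:]]*$//' -e "s/^[\"']//" -e "s/[\"']\$//")
    printf '%s\n' "${_v:-$3}"
}

# global_sources_path must be BucketName:BucketKey with a trailing '/'.
check_sources_path() {
    case $(conf_get "$1" global_sources_path) in
        ?*:*/) ;;
        *) echo "FAIL $1: global_sources_path must be BucketName:BucketKey ending in '/'" ;;
    esac
}

lint_roles_conf() {
    check_sources_path "$1"
    for _k in $KMS_KEYS kms_secrets; do
        case $(conf_get "$1" "$_k") in
            '*') echo "WARN $1: $_k=* allows every KMS key; set one key ARN" ;;
            '')  echo "FAIL $1: $_k is mandatory but empty" ;;
        esac
    done
    if [ "$(conf_get "$1" network_fsx_s3_access false)" = true ]; then
        case $(conf_get "$1" network_fsx_s3_buckets_arn_list 'arn:*:s3:::ccme-fsx-*') in
            *'*'*) echo "WARN $1: network_fsx_s3_buckets_arn_list contains a wildcard" ;;
        esac
    fi
}

lint_deployment_conf() {
    check_sources_path "$1"
    for _k in $KMS_KEYS; do
        [ -n "$(conf_get "$1" "$_k")" ] || echo "FAIL $1: $_k is mandatory but empty"
    done
    # Commented-out settings fall back to the defaults documented in the file.
    if [ "$(conf_get "$1" application_load_balancer_scheme internet-facing)" = internet-facing ] &&
       [ "$(conf_get "$1" application_load_balancer_ingress_cidr_block 0.0.0.0/0)" = 0.0.0.0/0 ]; then
        echo "WARN $1: internet-facing ALB accepts 0.0.0.0/0"
    fi
    for _k in network_ingress_security_groups_ssh_cidr_block \
              network_security_groups_login_nodes_ingress_ssh_cidr_block; do
        [ "$(conf_get "$1" "$_k" NONE)" != 0.0.0.0/0 ] || echo "WARN $1: $_k opens SSH to 0.0.0.0/0"
    done
    _ret=$(conf_get "$1" global_logs_retention_in_days 14); _ok=no
    for _d in 1 3 5 7 14 30 60 90 120 150 180 365 400 545 731 1096 1827 2192 2557 2922 3288 3653; do
        if [ "$_ret" = "$_d" ]; then _ok=yes; fi
    done
    [ "$_ok" = yes ] || echo "FAIL $1: global_logs_retention_in_days=$_ret is not an allowed value"
    if [ "$(conf_get "$1" active_directory_name NONE)" != NONE ] &&
       [ "$(conf_get "$1" management_host_authorized_group_name NONE)" = NONE ]; then
        echo "WARN $1: no management_host_authorized_group_name, every AD user may log in to the CMH"
    fi
}

# ccme_lint ROLES_CONF DEPLOYMENT_CONF: print findings, return 1 on any FAIL.
ccme_lint() {
    _out=$(lint_roles_conf "$1"; lint_deployment_conf "$2")
    [ -z "$_out" ] || printf '%s\n' "$_out"
    if printf '%s\n' "$_out" | grep -q '^FAIL'; then return 1; fi
}

# write_sample_confs DIR: constructed sample files, not a real deployment.
write_sample_confs() {
    { echo 'global_sources_path=ccme-bucket:subfolder1/'
      for _k in $KMS_KEYS kms_secrets; do echo "$_k=*"; done
    } > "$1/roles.ccme.conf"
    { echo 'global_sources_path=ccme-bucket:subfolder1'
      echo 'application_load_balancer_scheme=internet-facing'
      echo '# application_load_balancer_ingress_cidr_block=0.0.0.0/0'
      echo 'network_ingress_security_groups_ssh_cidr_block=0.0.0.0/0'
      echo 'global_logs_retention_in_days=15'
      echo 'active_directory_name=ccme.ad'
      for _k in $KMS_KEYS; do echo "$_k=arn:aws:kms:eu-west-1:012345678910:key/EXAMPLE"; done
    } > "$1/deployment.ccme.conf"
}

# Two arguments: lint those files. No argument: demonstrate on the samples.
if [ "$#" -eq 2 ]; then
    ccme_lint "$1" "$2"
elif [ "$#" -eq 0 ]; then
    _tmp=$(mktemp -d) && write_sample_confs "$_tmp"
    ccme_lint "$_tmp/roles.ccme.conf" "$_tmp/deployment.ccme.conf" ||
        echo "lint failed: fix the FAIL findings before running deployCCME.sh"
    rm -rf "$_tmp"
fi
```

WARN lines mark settings that deploy but grant more than needed; FAIL lines mark values the configuration comments describe as mandatory or restricted to a fixed pattern.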

Resources

The resources deployed in your AWS account by the CCME Management Host are:

  • An AWS Lambda with a log group in /ccme/ccme-lambda-alb-${StackId}

  • An AWS EC2 instance as CCME Management Host

  • Optional

    • An Active Directory

    • An Application Load Balancer

    • Multiple AWS EC2 security-groups

These resources are named using ccme as prefix and -Stack_id as suffix. For example, the LambdaALB resource is named ccmeLambdaALB-7225f980-0a8a-11ee-81f0-06c4c07a0d95:

  • ccme as prefix

  • A variable part identifying the resource: LambdaALB in this case

  • The stack_id of the CMH stack as suffix, preceded by a -: -7225f980-0a8a-11ee-81f0-06c4c07a0d95 in our case

The only exception to this rule is the Application Load Balancer (ALB). The ALB uses -Stack_name instead of -Stack_id as suffix because of restrictions on the length of ALB names.

Deployment

The following command creates the whole environment needed for CCME and creates a Management Host named my_ccme_mgt_host. It first uploads all the source code of CCME to the ccme_bucket_path specified in the deployment.ccme.conf file; this is mandatory on a first deployment. For further deployments, you can directly reuse the same bucket if no code change has been made.

$ ./deployCCME.sh --update --create-management-host --conf-management "my-ccme.deployment.ccme.conf" --name "my-ccme"
**** CCME Bucket Update - START ****
**** CCME Bucket Update - END ****
**** CCME ManagementHost Deployment - START ****
{
    "StackId": "arn:aws:cloudformation:eu-west-1:012345678910:stack/CMH-my-ccme/bf11b1e0-9a5a-11ed-ab69-06562ac4f907"
}
**** CCME ManagementHost Deployment - END ****

Customization

Custom Ansible Scripts

On top of CCME specific configurations, you can integrate your own custom scripts into the CCME Management Host. To deploy a CMH embedding and executing your own custom scripts, you must place them in the management/custom directory and synchronize this directory to the S3 bucket. You can provide your own Ansible playbooks to add specific configurations to the CMH; they must follow the naming convention management/custom/install-*-management.yaml.

Custom ParallelCluster configuration files

On top of the ParallelCluster example configuration files provided with CCME, you can provide your own Jinja template along with a set of parameters to generate your own configuration files.

To do so, you just need to:

  • add your templates in management/custom and name them with the following pattern *.pcluster.config.j2,

  • add any specific configuration variable in the management/custom/pcluster.vars.yaml file (YAML format). All variables in this file will be assigned under the custom variable. This means that if you declare myvar: myval, it will be available as custom.myvar in your *.pcluster.config.j2 files.

management/custom/custom.pcluster.config.j2
Region: '{{ AWS_REGION }}'
CustomS3Bucket: '{{ CCME_CLUSTER_S3BUCKET }}'
Iam:
  Roles:
    LambdaFunctionsRole: '{{ CCME_CLUSTER_LAMBDA_ROLE }}'
  # If the role associated to the cluster includes a custom IAM path prefix,
  # replace "parallelcluster" by the custom IAM path prefix.
  ResourcePrefix: "{{ CCME_CLUSTER_HEADNODE_INSTANCE_PROFILE.split('/')[1] }}"
Image:
  Os: alinux2
  # CustomAmi:
Tags:
{% for key, value in CCME_TAGS.items() %}
{% if "aws:" not in key and key != "Name" %}
  - Key: {{ key }}
    Value: "{{ value }}"
{% endif %}
{% endfor %}
SharedStorage:
  - Name: shared
    StorageType: Efs
    MountDir: shared
    EfsSettings:
{% if "NONE" not in CCME_KMS_FILE_SYSTEMS %}
      Encrypted: true
      KmsKeyId: {{ CCME_KMS_FILE_SYSTEMS }}
{% else %}
      Encrypted: false
{% endif %}
HeadNode:
  InstanceType: {{ custom.headinsttype }}
  Networking:
    SubnetId: '{{ CCME_SUBNET }}'
    SecurityGroups:
      - '{{ CCME_HEADNODE_SG }}'
{%if CCME_PROXY is defined and CCME_PROXY and CCME_PROXY != "NONE"%}
    Proxy:
      HttpProxyAddress: '{{ CCME_PROXY }}'
{% endif %}
  Ssh:
    KeyName: '{{ AWS_KEYNAME }}'
  CustomActions:
    OnNodeStart:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/pre-install.sh
    OnNodeConfigured:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/post-install.sh
    OnNodeUpdated:
      Script: s3://{{ CCME_SOURCES }}CCME/sbin/update-install.sh
      Args:
        - CCME_CMH_NAME={{ CCME_CMH_NAME }}
        - CCME_S3FS={{ CCME_DATA_BUCKET }}
        - CCME_JSLOGS_BUCKET={{ CCME_DATA_BUCKET }}
        # CCME_SHARED_DIR is a mandatory parameter: it must be the mountdir of one of the SharedStorage
        # It will be used to store CCME shared files with the compute nodes. Especially EnginFrame spoolers
        # which may require a large storage space depending on how it is used.
        # Update Policy: this parameter must not be changed during an update
        - CCME_SHARED_DIR=shared
{%if CCME_NO_PROXY is defined and CCME_NO_PROXY and CCME_NO_PROXY != "NONE"%}
        - CCME_NO_PROXY={{ CCME_NO_PROXY }}
{% endif %}
        # - CCME_OIDC=default
        # - CCME_USER_HOME=/shared-filesystem/home/%u
        # - CCME_DNS=NONE
        - CCME_WIN_LAUNCH_TEMPLATE_ID={{ CCME_WIN_LAUNCH_TEMPLATE_ID }}
        # - CCME_WIN_AMI=NONE
        # - CCME_WIN_INSTANCE_TYPE=NONE
        # - CCME_WIN_INACTIVE_SESSION_TIME=600
        # - CCME_WIN_NO_SESSION_TIME=600
        # - CCME_WIN_NO_BROKER_COMMUNICATION_TIME=600
        # - CCME_LIN_INACTIVE_SESSION_TIME=3600
        # - CCME_EF_ADMIN_GROUP=
        # - CCME_EFADMIN_PASSWORD=
{%if CCME_REPOSITORY_PIP is defined and CCME_REPOSITORY_PIP and CCME_REPOSITORY_PIP != "NONE"%}
        - CCME_REPOSITORY_PIP={{ CCME_REPOSITORY_PIP }}
{% endif %}
  Iam:
    InstanceProfile: '{{ CCME_CLUSTER_HEADNODE_INSTANCE_PROFILE }}'
Scheduling:
  Scheduler: slurm
  SlurmSettings:
    Dns:
      # If the role associated to the cluster is not authorized to use Route 53,
      # set "DisableManagedDns" to true.
      DisableManagedDns: False
  SlurmQueues:
{% for queue in custom.queues %}
    - Name: {{ queue.Name }}
      CapacityType: ONDEMAND
      ComputeResources:
{% for cr in queue.InstanceTypes %}
        - Name: {{ cr | replace('.', '') }}
          InstanceType: {{ cr }}
          MinCount: 0
          MaxCount: 10
{% endfor %}
      CustomActions:
        OnNodeStart:
          Script: s3://{{ CCME_SOURCES }}CCME/sbin/pre-install.sh
        OnNodeConfigured:
          Script: s3://{{ CCME_SOURCES }}CCME/sbin/post-install.sh
      Iam:
        InstanceProfile: '{{ CCME_CLUSTER_COMPUTE_INSTANCE_PROFILE }}'
      Networking:
        SubnetIds:
          - '{{ CCME_SUBNET }}'
        SecurityGroups:
          - '{{ CCME_COMPUTE_SG }}'
{%if CCME_PROXY is defined and CCME_PROXY and CCME_PROXY != "NONE"%}
        Proxy:
          HttpProxyAddress: '{{ CCME_PROXY }}'
{% endif %}
{% endfor %}
LoginNodes:
  Pools:
    - Name: login-pool-1
      Count: 1
      InstanceType: t3a.small
      # GracetimePeriod: integer
      # Image:
      #   CustomAmi:
      Ssh:
        KeyName: '{{ AWS_KEYNAME }}'
      Networking:
        SubnetIds:
          - '{{ CCME_SUBNET }}'
        SecurityGroups:
          - '{{ CCME_LOGIN_SG }}'
      Iam:
        InstanceProfile: '{{ CCME_CLUSTER_COMPUTE_INSTANCE_PROFILE }}'
{%if CCME_AD_DIR_NAME is defined and CCME_AD_DIR_NAME != "NONE" and CCME_AD_URI is defined and CCME_AD_URI != "NONE"%}
DirectoryService:
  DomainName: {{ CCME_AD_DIR_NAME }}
  DomainAddr: {{ CCME_AD_URI }}
  PasswordSecretArn: {{ CCME_AD_READ_ONLY_USER_PASSWORD }}
  DomainReadOnlyUser: {{ CCME_AD_READ_ONLY_USER_DN }}
  LdapTlsReqCert: hard
  LdapTlsCaCert: {{ CCME_CLUSTER_DIR }}/conf/{{ CCME_AD_URI.split('/')[2] }}.crt
  # LdapAccessFilter:
  # AdditionalSssdConfigs:
    # debug_level: "0x1ff"
{% endif %}
Imds:
  ImdsSupport: v2.0
DevSettings:
  Timeouts:
    HeadNodeBootstrapTimeout: 2400
    ComputeNodeBootstrapTimeout: 1800
management/custom/pcluster.vars.yaml
################################################################################
# Copyright (c) 2017-2025 UCit SAS
# All Rights Reserved
#
# This software is the confidential and proprietary information
# of UCit SAS ("Confidential Information").
# You shall not disclose such Confidential Information
# and shall use it only in accordance with the terms of
# the license agreement you entered into with UCit.
################################################################################
# This file can be used to set custom variables used to render the *.pcluster.config.j2 templates
# All variables in this file will be assigned under the "custom" variable.
# This means that if you declare "myvar: myval", it will be available as custom.myvar
headinsttype: t3.xlarge
queues:
  - Name: basic-slurm
    InstanceTypes:
      - c5n.18xlarge
      - c5n.xlarge
  - Name: dcv-gpu
    InstanceTypes:
      - g4dn.xlarge
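
The template above renders Encrypted: false when CCME_KMS_FILE_SYSTEMS contains NONE, so it is worth checking the rendered file before a cluster is created from it. The lint below is an added example, not part of CCME or ParallelCluster: lint_pcluster and its finding names are hypothetical, and the sample configuration is constructed.

```shell
# Added example: lint a rendered ParallelCluster configuration for three
# security settings controlled by the template above.
# lint_pcluster [FILE]: reads FILE (or stdin), prints findings, fails if any.
lint_pcluster() {
  awk '
    BEGIN { bad = 0 }
    /^[ \t]*(#|$)/    { next }                 # skip comments and blank lines
    { gsub("[\"\047]", "") }                   # drop quotes around values
    /^[^ \t-]/        { top = $1 }             # remember the top-level section
    top == "SharedStorage:" && $1 == "Encrypted:" && $2 != "true" {
      print "EFS_NOT_ENCRYPTED line " NR; bad = 1 }
    top == "Imds:" && $1 == "ImdsSupport:"                { imds = $2 }
    top == "DirectoryService:" && $1 == "LdapTlsReqCert:" { tls = $2 }
    END {
      # An unset ImdsSupport is reported too, so that the choice stays explicit.
      if (imds != "v2.0") {
        print "IMDS_NOT_V2 (" (imds == "" ? "unset" : imds) ")"; bad = 1 }
      # The template sets "hard"; any other explicit value weakens the LDAP TLS check.
      if (tls != "" && tls != "hard") { print "LDAP_TLS_NOT_HARD (" tls ")"; bad = 1 }
      exit bad
    }' "${1:--}"
}

# Constructed sample of a rendered file with all three settings weakened.
sample_rendered() {
  cat <<'EOF'
Region: 'eu-west-1'
SharedStorage:
  - Name: shared
    StorageType: Efs
    MountDir: shared
    EfsSettings:
      Encrypted: false
DirectoryService:
  DomainName: corp.example.com
  LdapTlsReqCert: never
Imds:
  ImdsSupport: v1.0
EOF
}

sample_rendered | lint_pcluster || true
```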

Connection

There are two network possibilities to connect to the Management Host:

  • From authorized IP / CIDR with a Public IP attributed to the CCME Management Host

  • From authorized IP / CIDR with a Private IP, using an instance in the same VPC (e.g.: bastion, proxy/bounce server…)

There are two user possibilities to connect to the Management Host:

  • CCME Admin user: ec2-user

  • User from the ActiveDirectory

    • Must be in the group authorized to connect to the Management Host, as defined by the variable “management_host_authorized_group_name” of the configuration file described in the section “Configuration”

The required information is:

  • Username (ManagementHostUser): available in the CloudFormation output of the CCME ManagementHost stack

    • ssh key: For the local user named ec2-user

    • password: For user from the Active Directory

  • IP address: available in the CloudFormation output of the CCME ManagementHost stack

    • Public IP (ManagementHostPublicIP)

    • Private IP (ManagementHostPrivateIP)

You can retrieve the output from the Management Host stack from the AWS Console as in this example:

Key                      Value          Description
ManagementHostPrivateIP  10.0.0.32      Private IP Address of the Management Host
ManagementHostPublicIP   54.122.171.48  Public IP address of the ManagementHost
ManagementHostUser       ec2-user       User of the Management Host