commit 5a148d937308202b392bd05a25b28f9fc2ca81cc
Author: Tom Clegg <tom at curii.com>
Date: Mon May 29 15:24:52 2023 -0400
20485: Option to skip automatic SSH key deployment on cloud VMs.
Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom at curii.com>
diff --git a/lib/cloud/azure/azure.go b/lib/cloud/azure/azure.go
index 7b170958b..494db854e 100644
--- a/lib/cloud/azure/azure.go
+++ b/lib/cloud/azure/azure.go
@@ -514,20 +514,23 @@ func (az *azureInstanceSet) Create(
AdminUsername: to.StringPtr(az.azconfig.AdminUsername),
LinuxConfiguration: &compute.LinuxConfiguration{
DisablePasswordAuthentication: to.BoolPtr(true),
- SSH: &compute.SSHConfiguration{
- PublicKeys: &[]compute.SSHPublicKey{
- {
- Path: to.StringPtr("/home/" + az.azconfig.AdminUsername + "/.ssh/authorized_keys"),
- KeyData: to.StringPtr(string(ssh.MarshalAuthorizedKey(publicKey))),
- },
- },
- },
},
CustomData: &customData,
},
},
}
+ if publicKey != nil {
+ vmParameters.VirtualMachineProperties.OsProfile.LinuxConfiguration.SSH = &compute.SSHConfiguration{
+ PublicKeys: &[]compute.SSHPublicKey{
+ {
+ Path: to.StringPtr("/home/" + az.azconfig.AdminUsername + "/.ssh/authorized_keys"),
+ KeyData: to.StringPtr(string(ssh.MarshalAuthorizedKey(publicKey))),
+ },
+ },
+ }
+ }
+
if instanceType.Preemptible {
// Setting maxPrice to -1 is the equivalent of paying spot price, up to the
// normal price. This means the node will not be pre-empted for price
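Review bot: With the new guard the SSH block is simply omitted when publicKey is nil, while DisablePasswordAuthentication on the line above it stays true, so an instance created with DeployPublicKey=false has no login path at all unless the image already carries an authorized key for AdminUsername, and nothing in the hunk records that expectation. Suggest a comment above the `if publicKey != nil` line: `// publicKey is nil when DeployPublicKey is false; the image is then expected to already authorize the dispatcher's key for AdminUsername (password auth is disabled above).` The same applies to the third hunk of lib/cloud/ec2/ec2.go, where KeyName is left unset under the same condition. The Create method continues outside the hunk.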
diff --git a/lib/cloud/ec2/ec2.go b/lib/cloud/ec2/ec2.go
index 81e1f8b00..e2cf5e0f1 100644
--- a/lib/cloud/ec2/ec2.go
+++ b/lib/cloud/ec2/ec2.go
@@ -149,11 +149,6 @@ func (instanceSet *ec2InstanceSet) Create(
initCommand cloud.InitCommand,
publicKey ssh.PublicKey) (cloud.Instance, error) {
- keyname, err := instanceSet.getKeyName(publicKey)
- if err != nil {
- return nil, err
- }
-
ec2tags := []*ec2.Tag{}
for k, v := range newTags {
ec2tags = append(ec2tags, &ec2.Tag{
@@ -172,7 +167,6 @@ func (instanceSet *ec2InstanceSet) Create(
InstanceType: &instanceType.ProviderType,
MaxCount: aws.Int64(1),
MinCount: aws.Int64(1),
- KeyName: &keyname,
NetworkInterfaces: []*ec2.InstanceNetworkInterfaceSpecification{
{
@@ -192,6 +186,14 @@ func (instanceSet *ec2InstanceSet) Create(
UserData: aws.String(base64.StdEncoding.EncodeToString([]byte("#!/bin/sh\n" + initCommand + "\n"))),
}
+ if publicKey != nil {
+ keyname, err := instanceSet.getKeyName(publicKey)
+ if err != nil {
+ return nil, err
+ }
+ rii.KeyName = &keyname
+ }
+
if instanceType.AddedScratch > 0 {
rii.BlockDeviceMappings = []*ec2.BlockDeviceMapping{{
DeviceName: aws.String("/dev/xvdt"),
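Review bot: The error from getKeyName on the new `return nil, err` line is passed up without saying which step failed, so a key-pair lookup or import failure surfaces from Create indistinguishable from a RunInstances failure in the dispatcher's logs. If getKeyName does not already annotate its error (its body is outside the hunk) and the file imports fmt, `return nil, fmt.Errorf("ssh key pair for new instance: %w", err)` would make the log actionable without changing what callers can match with errors.Is. Create's body continues outside the hunk.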
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 06f4fb55e..4494a627d 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -1413,6 +1413,12 @@ Clusters:
# version of crunch-run installed; see CrunchRunCommand above.
DeployRunnerBinary: "/proc/self/exe"
+ # Install the Dispatcher's SSH public key (derived from
+ # DispatchPrivateKey) when creating new cloud
+ # instances. Change this to false if you are using a different
+ # mechanism to pre-install the public key on new instances.
+ DeployPublicKey: true
+
# Tags to add on all resources (VMs, NICs, disks) created by
# the container dispatcher. (Arvados's own tags --
# InstanceType, IdleBehavior, and InstanceSecret -- will also
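Review bot: The new DeployPublicKey comment says to set it false when another mechanism pre-installs the key, but does not say what that mechanism must deliver: the dispatcher still authenticates with DispatchPrivateKey, so the matching public key has to be authorized for the login account on every image (for Azure the driver writes it to the AdminUsername's authorized_keys, per the lib/cloud/azure/azure.go hunk). Suggest extending the comment with `# The public key must still be accepted for the account the dispatcher logs in as; instances without it cannot be reached by the dispatcher.`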
diff --git a/lib/dispatchcloud/dispatcher.go b/lib/dispatchcloud/dispatcher.go
index 06a558d5f..e982736ff 100644
--- a/lib/dispatchcloud/dispatcher.go
+++ b/lib/dispatchcloud/dispatcher.go
@@ -142,6 +142,10 @@ func (disp *dispatcher) initialize() {
} else {
disp.sshKey = key
}
+ installPublicKey := disp.sshKey.PublicKey()
+ if !disp.Cluster.Containers.CloudVMs.DeployPublicKey {
+ installPublicKey = nil
+ }
instanceSet, err := newInstanceSet(disp.Cluster, disp.InstanceSetID, disp.logger, disp.Registry)
if err != nil {
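Review bot: When DeployPublicKey is false the new block at the `installPublicKey = nil` line silently drops the key, so an operator whose images lack it sees only later SSH or probe failures with no hint at startup about why. Add a log line inside that branch, `disp.logger.Info("DeployPublicKey is false; not installing the dispatcher's SSH public key on new instances")` (assuming disp.logger exposes the usual Info method). initialize continues outside the hunk, and the second hunk of this file only threads installPublicKey into worker.NewPool.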
@@ -149,7 +153,7 @@ func (disp *dispatcher) initialize() {
}
dblock.Dispatch.Lock(disp.Context, disp.dbConnector.GetDB)
disp.instanceSet = instanceSet
- disp.pool = worker.NewPool(disp.logger, disp.ArvClient, disp.Registry, disp.InstanceSetID, disp.instanceSet, disp.newExecutor, disp.sshKey.PublicKey(), disp.Cluster)
+ disp.pool = worker.NewPool(disp.logger, disp.ArvClient, disp.Registry, disp.InstanceSetID, disp.instanceSet, disp.newExecutor, installPublicKey, disp.Cluster)
disp.queue = container.NewQueue(disp.logger, disp.Registry, disp.typeChooser, disp.ArvClient)
if disp.Cluster.ManagementToken == "" {
diff --git a/sdk/go/arvados/config.go b/sdk/go/arvados/config.go
index 1018a9f23..4da851763 100644
--- a/sdk/go/arvados/config.go
+++ b/sdk/go/arvados/config.go
@@ -559,6 +559,7 @@ type CloudVMsConfig struct {
BootProbeCommand string
InstanceInitCommand string
DeployRunnerBinary string
+ DeployPublicKey bool
ImageID string
MaxCloudOpsPerSecond int
MaxProbesPerSecond int