[autoscaler][AWS] Make sure subnets belong to same VPC as user-specified security groups #13558
looks like test_autoscaler_aws isn't happy... better go fix that.
Currently, I'm not sure I fully understand the context behind the test failures (and vpc / sg / subnet setup in general).
Thanks, will look into that.
…On Tue, Jan 19, 2021 at 19:07 Allen ***@***.***> wrote:
test_autoscaler_aws.test_create_sg_different_vpc_same_rules and
test_autoscaler_aws.test_create_sg_with_custom_inbound_rules_and_name are
testing logic for creating security groups and they stub out the ec2 and
IAM client. With your code change we need to update how the ec2 client is
stubbed. You can find the stubs in tests/aws/utils/stubs.py
Stubs are now fixed and tests pass. Should I add a unit test to
@DmitriGekhtman, let's add a unit test to make sure everything is OK.
Will do.
Added a unit test.
"should belong to the same VPC." | ||
cli_logger.doassert(len(vpc_ids) <= 1, multiple_vpc_msg) | ||
assert len(vpc_ids) <= 1, multiple_vpc_msg | ||
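Review bot: the bare `assert len(vpc_ids) <= 1, multiple_vpc_msg` checks the same condition as the `cli_logger.doassert(...)` call next to it, and a bare assert is compiled out when Python runs with `-O`, so rejecting security groups that span several VPCs should not depend on it. If both lines stay, a short comment on why the check appears twice would help; otherwise raise an explicit exception carrying `multiple_vpc_msg` so the check survives optimized runs. It would also help to include the offending VPC IDs in the message so the user can see which security group is in the wrong VPC.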
If the user specifies security groups for both head and worker, and the security groups belong to different VPCs, this will throw an error.
We could have it support user-specified security groups in different VPCs for head and workers.
This would match the behavior for subnets: #8374.
I think I won't bother with that, unless reviewers think I should.
If we wanted to go further down that path, we would want at some point to support different VPCs for each node type in a multi node-type config.
This looks good to me!
Nice job @DmitriGekhtman !
Let's see what @thomasdesr thinks about it :-).
I'm comfortable with this as is, but it'd be great to have a unit test that demonstrates the bug.
E.g.
- stub describe_subnets to return many subnets (1000?) each in different VPCs
- bootstrap a config with an explicit security groups configuration targeting a single VPC
- confirm the subnets returned after configuring are both in the security group's VPC and not any others.
8f289c5 to 3db7bbb
Added a unit test that demonstrates that the bug is fixed. Changed the filtering logic a bit to enable the unit test.
Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com>
@ericl I think this is good to merge.
@ericl, can you please merge this?
…ied security groups (ray-project#13558)
* initial commit
* Filter subnets by security groups' VPCs
* fix stubs
* wip
* Fix inbound rule logic. Tests WIP.
* wip
* unit test
* example yaml
* Unit test tests for bug being fixed
* Update python/ray/tests/aws/utils/constants.py
Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com>
Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com>
…r-specified security groups (ray-project#13558)" This reverts commit 748813a.
Why are these changes needed?
This PR addresses a problem in `autoscaler/_private/aws/config.py`. Currently `_configure_subnets` does not take into account security groups specified in the `head_node` and `worker_nodes` fields. Thus, it's possible that a subnet is chosen that belongs to a different VPC than user-specified security groups. In this situation, a cluster can't be launched.
This PR fixes that problem by detecting the VPC of security groups specified in `head_node` and `worker_nodes` configs and restricting to subnets in that VPC.
Related issue number
Checks
`scripts/format.sh` to lint the changes in this PR.
I also did some manual tests of `_configure_subnets` and of `ray up` to make sure things were working as expected.
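The filtering described above, as an added example that is not the PR's or Ray's own code: it works on plain dicts shaped like EC2 DescribeSecurityGroups / DescribeSubnets response items and runs the scenario suggested in the review (many subnets, each in a different VPC). The function names, the error wording and all IDs are constructed for illustration.

```python
def vpc_of_security_groups(security_groups):
    """Return the single VPC ID shared by the groups, or None if none given."""
    vpc_ids = {sg["VpcId"] for sg in security_groups}
    if len(vpc_ids) > 1:
        # Explicit exception: a bare assert is skipped under `python -O`.
        raise ValueError(
            "user-specified security groups should belong to the same VPC, "
            f"got {sorted(vpc_ids)}")
    return next(iter(vpc_ids), None)


def filter_subnets(subnets, security_groups):
    """Keep available subnets; if groups are given, only those in their VPC."""
    vpc_id = vpc_of_security_groups(security_groups)
    candidates = [s for s in subnets if s["State"] == "available"]
    if vpc_id is not None:
        candidates = [s for s in candidates if s["VpcId"] == vpc_id]
    if not candidates:
        raise ValueError(f"no available subnet found (VPC filter: {vpc_id})")
    return candidates


# Constructed sample data: 1000 subnets, each in its own VPC, plus two
# subnets in the security groups' VPC (one of them not yet available).
SG_VPC = "vpc-example-sg"
SUBNETS = [{"SubnetId": f"subnet-{i:04d}", "VpcId": f"vpc-{i:04d}",
            "State": "available"} for i in range(1000)]
SUBNETS += [
    {"SubnetId": "subnet-target-a", "VpcId": SG_VPC, "State": "available"},
    {"SubnetId": "subnet-target-b", "VpcId": SG_VPC, "State": "pending"},
]
HEAD_SGS = [{"GroupId": "sg-head", "VpcId": SG_VPC}]
WORKER_SGS = [{"GroupId": "sg-worker", "VpcId": SG_VPC}]

if __name__ == "__main__":
    chosen = filter_subnets(SUBNETS, HEAD_SGS + WORKER_SGS)
    print([s["SubnetId"] for s in chosen])
```

Without the VPC filter, any of the 1001 available subnets could be picked, which is the mismatch the PR description says prevents the cluster from launching.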