[autoscaler][AWS] Make sure subnets belong to same VPC as user-specified security groups #13558
Conversation
|
looks like test_autoscaler_aws isn't happy... better go fix that. |
DmitriGekhtman
added
the
@author-action-required
|
Currently, I'm not sure I fully understand the context behind the test failures (and vpc / sg / subnet setup in general). |
|
|
|
Thanks, will look into that.
…On Tue, Jan 19, 2021 at 19:07 Allen ***@***.***> wrote:
test_autoscaler_aws.test_create_sg_different_vpc_same_rules and
test_autoscaler_aws.test_create_sg_with_custom_inbound_rules_and_name are
testing logics for creating security groups and they stub out the ec2 and
IAM client. With your code change we need to update how the ec2 client is
stubbed. You can find the stubs in tests/aws/utils/stubs.py
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#13558 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/APAQTK7WAPYC3GCKZC5O2LTS2ZCFLANCNFSM4WJCAXDA>
.
|
DmitriGekhtman
added
tests-ok
|
Stubs are now fixed and tests pass. Should I add a unit test to |
|
@DmitriGekhtman , lets add a unit test to make sure everything is OK. |
Will do. |
AmeerHajAli
added
@author-action-required
DmitriGekhtman
removed
the
@author-action-required
|
Added a unit test. |
| "should belong to the same VPC." | ||
| cli_logger.doassert(len(vpc_ids) <= 1, multiple_vpc_msg) | ||
| assert len(vpc_ids) <= 1, multiple_vpc_msg | ||
|
|
There was a problem hiding this comment.
If the user specifies security groups for both head and worker, and the security groups belong to different VPCs, this will throw an error.
We could have it support user-specified security groups in different VPCs for head and workers.
This would match the behavior for subnets: #8374 .
I think I won't bother with that, unless reviewers think I should.
There was a problem hiding this comment.
If we wanted to go further down that path, we would want at some point to support different VPCs for each node type in a multi node-type config.
There was a problem hiding this comment.
This looks good to me!
Nice job @DmitriGekhtman !
Let's see what @thomasdesr thinks about it :-).
There was a problem hiding this comment.
I'm comfortable with this as is, but it'd be great to have a unit test that demonstrates the bug.
E.g.
- stub describe_subnets to return many subnets (1000?) each in different VPCs
- bootstrap a config with explicitly security groups configuration targeting a single VPC
- confirm the subnets returned after configuring are both in the security group's VPC and not any others.
DmitriGekhtman
force-pushed
the
aws-subnet-sg-compatibility
branch
from
8f289c5
to
3db7bbb
Compare
|
Added a unit test that demonstrates that the bug is fixed. Changed the filtering logic a bit to enable the unit test. |
Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com>
AmeerHajAli
added
the
@author-action-required
DmitriGekhtman
removed
the
@author-action-required
|
@ericl I think this is good to merge. |
DmitriGekhtman
added
the
tests-ok
|
@ericl, can you please merge this? |
…ied security groups (ray-project#13558) * initial commit * Filter subnets by security groups' VPCs * fix stubs * wip * Fix inbound rule logic. Tests WIP. * wip * unit test * example yaml * Unit test tests for bug being fixed * Update python/ray/tests/aws/utils/constants.py Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com> Co-authored-by: Thomas Desrosiers <681004+thomasdesr@users.noreply.github.com>
…r-specified security groups (ray-project#13558)" This reverts commit 748813a.
Why are these changes needed?
This PR addresses a problem in
autoscaler/_private/aws/config.py.Currently
_configure_subnetsdoes not take into account security groups specified in thehead_nodeandworker_nodesfields.Thus, it's possible that a subnet is chosen that belongs to a different VPC than user-specified security groups. In this situation, a cluster can't be launched.
This PR fixes that problem by detecting the VPC of security groups specified in
head_nodeandworker_nodesconfigs and restricting to subnets in that VPC.Related issue number
Checks
scripts/format.shto lint the changes in this PR.I also did some manual tests of
_configure_subnetsand ofray upto make sure things were working as expected.