[GCP] Support private IPs for GCP

[Michaelvll]

Fixes #2818.

Use Internal IP

For security reason, users may only want to use internal IPs for SkyPilot instances.
To do so, you can use SkyPilot's global config file ~/.sky/config.yaml to specify the gcp.use_internal_ips and gcp.ssh_proxy_command fields (to see the detailed syntax, see :ref:config-yaml):

    gcp:
      use_internal_ips: true
      # VPC with NAT setup, see below
      vpc_name: my-vpc-name
      ssh_proxy_command: ssh -W %h:%p -o StrictHostKeyChecking=no myself@my.proxy      

The gcp.ssh_proxy_command field is optional. If SkyPilot is run on a machine that can directly access the internal IPs of the instances, it can be omitted. Otherwise, it should be set to a command that can be used to proxy SSH connections to the internal IPs of the instances.

Cloud NAT Setup

Instances created with internal IPs only on GCP cannot access public internet by default. To make sure SkyPilot can install the dependencies correctly on the instances,
cloud NAT needs to be setup for the VPC.

Cloud NAT is a regional resource, so it will need to be created in each region that SkyPilot will be used in.

To limit SkyPilot to use some specific regions only, you can specify the gcp.ssh_proxy_command to be a dict mapping from region to the SSH proxy command for that region (see :ref:config-yaml for details):

    gcp:
      use_internal_ips: true
      vpc_name: my-vpc-name
      ssh_proxy_command:
        us-west1: ssh -W %h:%p -o StrictHostKeyChecking=no myself@my.us-west1.proxy
        us-east1: ssh -W %h:%p -o StrictHostKeyChecking=no myself@my.us-west2.proxy

If proxy is not needed, but the regions need to be limited, you can set the gcp.ssh_proxy_command to be a dict mapping from region to null:

    gcp:
      use_internal_ips: true
      vpc_name: my-vpc-name
      ssh_proxy_command:
        us-west1: null
        us-east1: null

With the setup above, we should be able to create clusters with internal IPs only using SkyPilot and the ~/.sky/config.yaml above.
sky launch -c test-private --cloud gcp --cpus 2

Tested (run the relevant ones):

• Code formatting: bash format.sh
• Any manual or new tests for this PR (please specify below)
  • Creating a cluster in a region with internal IPs only: sky launch -c test-private --cloud gcp --cpus 2
  • sky launch -c test-private --cloud gcp --gpus L4 --num-nodes 2 echo hi
  • sky launch -y -c test-tpu-pod examples/tpu/tpuvm_mnist.yaml --gpus tpu-v2-32 --use-spot --zone europe-west4-a
  • sky spot launch -n test-private --cloud gcp --gpus L4 --num-nodes 2 sleep 1000000 with spot controller on AWS (We have to share the ~/.ssh/sky-key between the local and controller to make this work, as the spot controller needs to be connected with the jump server)
  • sky spot launch -n test-private --cloud gcp --gpus L4 --num-nodes 2 sleep 1000000 with spot controller on GCP
  • sky launch -c test-no-proxy --cloud gcp --cpus 2 echo hi

    gcp:
        vpc_name: skypilot-vpc
        use_internal_ips: true

• All smoke tests: pytest tests/test_smoke.py --gcp (except for the docker and serve (no public access) related tests)
• Relevant individual smoke tests: pytest tests/test_smoke.py::test_fill_in_the_name
• Backward compatibility tests: bash tests/backward_comaptibility_tests.sh
  • gcp
  • aws

[concretevitamin]

Awesome @Michaelvll! Finished a pass except for docs/. Some comments.

[concretevitamin]

Is it safe? It feels hard to reason about. Any ways to avoid this?

[Michaelvll]

When the controller is launching a task, it should use the task-specific skypilot_config decided by SKYPILOT_CONFIG env var, and we have to update the proxy command setting in that config.
Added a docstr to for calling this with cautious.

If needed we can save the new config in a new config_file and reset the os.environ['SKYPILOT_CONFIG'] to the new config_file and set _dict to the new config.

I don't think this will make much difference than directly overwrite the original config file. Wdyt?

[concretevitamin]

1. What's the reason for replacing the previous way? I.e., directly write out the properly modified config to a local temp file and upload it. It seems like local client does know where the controller is/is going to be launched?
2. If there's a strong reason to do it this way, how about renaming this to unsafe_overwrite_config_file_on_controller or something like that?

[Michaelvll]

What's the reason for replacing the previous way? I.e., directly write out the properly modified config to a local temp file and upload it. It seems like local client does know where the controller is/is going to be launched?

The previous way was done before the controller is actually UP (failover may happen), which means we don't know which cloud the controller will use when we run sky.launch for the controller. The current way replaces the config on the controller, so it has the latest information about the controller itself.

If there's a strong reason to do it this way, how about renaming this to unsafe_overwrite_config_file_on_controller or something like that?

Yes, renaming it sounds good to me.

[concretevitamin]

See comment in skypilot_config.

[concretevitamin]

Thanks, a question about overwriting the config file. Other parts LGTM

[concretevitamin]

1. What's the reason for replacing the previous way? I.e., directly write out the properly modified config to a local temp file and upload it. It seems like local client does know where the controller is/is going to be launched?
2. If there's a strong reason to do it this way, how about renaming this to unsafe_overwrite_config_file_on_controller or something like that?

[Michaelvll]

According to the request, I refactored the way we reset the config file being uploaded to the controller, so we don't have to overwrite the config file on the remote cluster. @concretevitamin PTAL. : )

Tested:

• AWS spot controller, and check the config file uploaded to the controller:

  spot:
    controller:
      resources:
        cloud: aws
  
  gcp:
    use_internal_ips: true
    vpc_name: skypilot-vpc
    ssh_proxy_command: 
      us-west1: ssh -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes gcpuser@xx.xxx.xxx.xx -i ~/.ssh/sky-key
  
  aws:
    use_internal_ips: true
    vpc_name: skypilot-test-vpc
    ssh_proxy_command:
      us-east-1: ssh -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -i ~/.ssh/sky-key ec2-user@xx.xxx.xxx.xxx

  • Launch spot job on GCP: sky spot launch --cloud gcp
  • Launch spot job on AWS: sky spot launch --cloud aws
• GCP spot controller, and check the config file uploaded to the controller:

  spot:
    controller:
      resources:
        cloud: gcp
  
  gcp:
    use_internal_ips: true
    vpc_name: skypilot-vpc
    ssh_proxy_command: 
      us-west1: ssh -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes gcpuser@xx.xxx.xxx.xx -i ~/.ssh/sky-key
  
  aws:
    use_internal_ips: true
    vpc_name: skypilot-test-vpc
    ssh_proxy_command:
      us-east-1: ssh -W %h:%p -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -i ~/.ssh/sky-key ec2-user@xx.xxx.xxx.xxx

• pytest tests/test_smoke.py --gcp (except docker and test_gcp_http_server_with_custom_ports as they don't support ssh_proxy_command)

[concretevitamin]

It doesn't look quite clean to do a controller_utils call here.

Can we move this invocation to controller_utils.get_controller_resources(), perhaps renaming it back to controller_utils.skypilot_config_setup()?

This way, we can also remove the hard-coded magic constant skypilot:local_skypilot_config_path. The two controllers j2 files can just take a {{local config path}} like before, and we can pass in a tmp file there.

[Michaelvll]

No, when we call control_utils.get_controller_resources(), it is not possible to know where the controller will be launched, i.e. not be able to get the correct skypilot config. We have to call the function after the controller is provisioned, i.e. after the _provision step is finished and the cloud is decided for the controller.

Basically, we have to decide the content of the skypilot config to be uploaded after the controller actually goes through failover and provisioned. I think the current way is clean if we move this replace_skypilot_config_path_in_file_mounts from controller_utils to backend_utils and rename it to replace_predefined_placeholder_in_file_mounts, as it can be used for filling other predefined file mounts values that needs to be decided after the VM is provisioned.
It can also be useful in the future when we want to decide the location of the mounted bucket based on the cloud a normal VM is launched (currently we just default to the first cloud that is enabled).

[concretevitamin]

ditto

[concretevitamin]

setup_proxy_command_on_controller() seems more accurate?

[concretevitamin]

After discussion, this comment is still relevant? Also, maybe arg rename: cloud -> controller_launched_cloud?

[concretevitamin]

LGTM, thanks @Michaelvll for shipping this!

[concretevitamin]

Seems outdated now.

[concretevitamin]

After discussion, this comment is still relevant? Also, maybe arg rename: cloud -> controller_launched_cloud?