Merge branch 'develop' into develop

Author: hgreebe

CHANGELOG.md

@@ -39,7 +39,7 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 - Upgrade CUDA Toolkit to version 12.2.2.
 - Use Open Source NVIDIA GPU drivers (OpenRM) as NVIDIA kernel module for Linux instead of NVIDIA closed source module.
 - Do not wait for static nodes in maintenance to signal CFN that the head node initialization is complete.
-- Upgrade EFA installer to `1.29.0`.
+- Upgrade EFA installer to `1.29.1`.
   - Efa-driver: `efa-2.6.0-1`
   - Efa-config: `efa-config-1.15-1`
   - Efa-profile: `efa-profile-1.5-1`

cookbooks/aws-parallelcluster-entrypoints/recipes/update.rb

@@ -19,10 +19,17 @@
 # generate the updated shared storages mapping file
 include_recipe 'aws-parallelcluster-environment::update_fs_mapping'
 
+if node["cluster"]["node_type"] == "ComputeFleet"
+  Chef::Log.info("Dummy log line to prove that update is triggered on compute node")
+  return
+end
+
 include_recipe 'aws-parallelcluster-environment::directory_service'
 include_recipe 'aws-parallelcluster-slurm::update' if node['cluster']['scheduler'] == 'slurm'
 
 # Update node package - useful for development purposes only
 if is_custom_node?
   include_recipe 'aws-parallelcluster-computefleet::update_parallelcluster_node'
 end
+
+sudo_access "Update Sudo Access" if node['cluster']['scheduler'] == 'slurm'

cookbooks/aws-parallelcluster-environment/resources/efa/partial/_common.rb

@@ -17,8 +17,8 @@
 # EFA setup: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa-start.html
 #
 
-property :efa_version, String, default: '1.29.0'
-property :efa_checksum, String, default: '836655f87015547e733e7d9f7c760e4e24697f8bbc261bb5f3560abd4206bc36'
+property :efa_version, String, default: '1.29.1'
+property :efa_checksum, String, default: '178b263b8c25845b63dc93b25bcdff5870df5204ec509af26f43e8d283488744'
 
 action :setup do
   if efa_installed? && !::File.exist?(efa_tarball)

cookbooks/aws-parallelcluster-environment/spec/unit/resources/efa_spec.rb

@@ -2,8 +2,8 @@
 
 # parallelcluster default source dir defined in attributes
 source_dir = '/opt/parallelcluster/sources'
-efa_version = '1.29.0'
-efa_checksum = '836655f87015547e733e7d9f7c760e4e24697f8bbc261bb5f3560abd4206bc36'
+efa_version = '1.29.1'
+efa_checksum = '178b263b8c25845b63dc93b25bcdff5870df5204ec509af26f43e8d283488744'
 
 class ConvergeEfa
   def self.setup(chef_run)

cookbooks/aws-parallelcluster-platform/kitchen.platform-config.yml

@@ -199,3 +199,19 @@ suites:
     verifier:
       controls:
         - /tag:config_supervisord/
+  - name: sudo_access
+    run_list:
+      - recipe[aws-parallelcluster-tests::setup]
+      - recipe[aws-parallelcluster-tests::test_resource]
+    verifier:
+      controls:
+        - /tag:config_sudo_access/
+    attributes:
+      resource: sudo_access:setup
+      cluster:
+##       Test to check if sudo access for default user is disabled (Disable Action) 
+##       The test runs with default user, it will fail to check the files content as it does not have sudo access anymore if we don't override with pcluster-admin 
+        cluster_user: 'pcluster-admin'
+        disable_sudo_access_for_default_user: 'true'
+#        Test to check if sudo access for default user is enabled (Enable Action) 
+#        disable_sudo_access_for_default_user: 'false'

cookbooks/aws-parallelcluster-platform/recipes/config.rb

@@ -14,6 +14,7 @@
 include_recipe 'aws-parallelcluster-platform::openssh'
 include_recipe 'aws-parallelcluster-platform::sudo_config'
 include_recipe 'aws-parallelcluster-platform::cluster_user'
+sudo_access "Setup Sudo Access of Default User"
 include_recipe 'aws-parallelcluster-platform::networking'
 include_recipe 'aws-parallelcluster-platform::nvidia_config'
 sticky_bits 'setup sticky bits'
@@ -24,5 +25,4 @@
 # Supervisord configuration must be executed after DCV because dcv external authenticator is part of it
 include_recipe 'aws-parallelcluster-platform::supervisord_config'
 fetch_config 'Fetch and load cluster configs'
-
 include_recipe 'aws-parallelcluster-platform::config_login' if node['cluster']['node_type'] == 'LoginNode'

cookbooks/aws-parallelcluster-platform/resources/sudo_access/partial/_sudo_access_common.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+#
+# Copyright:: 2013-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file.
+# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+unified_mode true
+default_action :setup
+
+property :user_name, String, default: node['cluster']['cluster_user']
+
+action :setup do
+  node['cluster']['disable_sudo_access_for_default_user'] == 'true' ? action_disable : action_enable
+end
+
+action :enable do
+  Chef::Log.info("Enabling Sudo Access for #{new_resource.user_name}")
+  # Enable sudo access for default user
+  template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do
+    only_if { ::File.exist? "/etc/sudoers.d/99-parallelcluster-revoke-sudo-access" }
+    source 'sudo_access/99-parallelcluster-revoke-sudo.erb'
+    cookbook 'aws-parallelcluster-platform'
+    action :delete
+  end
+end
+
+action :disable do
+  Chef::Log.info("Disabling Sudo Access for #{new_resource.user_name}")
+  replace_or_add "Disable Sudo Access for #{new_resource.user_name}" do
+    path "/etc/sudoers"
+    pattern "^#{new_resource.user_name}*"
+    line ""
+    remove_duplicates true
+    replace_only true
+  end
+
+  # Disable sudo access for default user
+  template '/etc/sudoers.d/99-parallelcluster-revoke-sudo-access' do
+    source 'sudo_access/99-parallelcluster-revoke-sudo.erb'
+    cookbook 'aws-parallelcluster-platform'
+    owner 'root'
+    group 'root'
+    mode '0600'
+    variables(
+      user_name: new_resource.user_name
+    )
+    action :create
+  end
+end

cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_amazon2.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file.
+# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+provides :sudo_access, platform: 'amazon', platform_version: '2'
+
+use 'partial/_sudo_access_common.rb'

cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_centos7.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file.
+# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+provides :sudo_access, platform: 'centos' do |node|
+  node['platform_version'].to_i == 7
+end
+
+use 'partial/_sudo_access_common.rb'

cookbooks/aws-parallelcluster-platform/resources/sudo_access/sudo_access_redhat8.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License").
+# You may not use this file except in compliance with the License.
+# A copy of the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "LICENSE.txt" file accompanying this file.
+# This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+provides :sudo_access, platform: 'redhat' do |node|
+  node['platform_version'].to_i == 8
+end
+
+use 'partial/_sudo_access_common.rb'