Merge pull request #298926 from xpillons/xpillons/ccws_april_release

CycleCloud Workspace for Slurm - April release

Author: v-ccolin

.openpublishing.redirection.json

@@ -6978,6 +6978,26 @@
       "source_path": "articles/defender-for-iot/organizations/eiot-sensor.md",
       "redirect_url": "/azure/defender-for-iot/organizations/concept-enterprise",
       "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.09.18.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-09-18",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.11.08.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-11-08",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2024.12.18.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2024-12-18",
+      "redirect_document_id": false
+    },
+    {
+      "source_path": "articles/cyclecloud/release-notes/ccws/2025.02.06.md",
+      "redirect_url": "/azure/cyclecloud/release-notes/ccws/2025-02-06",
+      "redirect_document_id": false
     }
   ]
 }

articles/cyclecloud/how-to/ccws/configure-open-ondemand.md

@@ -0,0 +1,30 @@
+---
+title: Configure Open Demand with CycleCloud
+description: How to configure Open OnDemand with CycleCloud
+author: xpillons
+ms.date: 05/27/2025
+ms.author: padmalathas
+---
+
+# Configure Open OnDemand with CycleCloud
+Open OnDemand is a web-based interface that provides a user-friendly way to interact with the Slurm cluster deployed by Azure CycleCloud. Open OnDemand is automatically installed and configured when deploying Azure CycleCloud Workspace for Slurm, but there remain few steps that must be manually executed.
+
+## Update settings for Microsoft Entra ID authentication
+The Open OnDemand front end uses Open ID Connect (OIDC) for authentication. The OIDC provider is a Microsoft Entra ID application that was registered specifically for this purpose (see [How to register a Microsoft Entra ID application for Open OnDemand Authentication](./register-entra-id-app.md)). The following steps describe how to update the settings for Entra ID authentication.
+
+Browse to the CycleCloud web portal, select the OpenOnDemand cluster, and click on the Edit button. This opens the cluster template definition. 
+1. Select Advanced settings,
+1. Leave FQDN empty,
+1. Set the Client ID to that of the registered application ID created in previous steps,
+1. Set the user domain to the enterprise domain,
+1. Tenant ID should be set to that of the tenant in which the application registration exists,
+1. The managed identity should be manually set to the one named `/ccwOpenOnDemandManagedIdentity` 
+> [!NOTE]
+> This value will initially fail to appear due to a UI bug, so this needs to be set again when editing the template.
+ 
+Press `Save` and then `Start Cluster` and wait for the Open OnDemand virtual machine to be ready.
+
+:::image type="content" source="../../images/ccws/open-ondemand-advanced-settings.png" alt-text="Screenshot of Open OnDemand cluster configuration.":::
+
+## Resources
+* [Add users for Open OnDemand](./open-ondemand-add-users.md)

articles/cyclecloud/how-to/ccws/connect-to-login-node-with-bastion.md

@@ -2,20 +2,20 @@
 title: How to connect to a Login Node through Bastion
 description: How to securily connect using SSH to a Login Node through Bastion
 author: xpillons
-ms.date: 08/30/2024
-ms.author: xpillons
+ms.date: 05/27/2025
+ms.author: padmalathas
 ---
 
 # How to connect to a Login Node through Bastion
-There is no SSH route open from your local environment to Virtual Machines running in an Azure CycleCloud Workspace for Slurm by default for security reasons. However, an Azure Bastion can be deployed and used to SSH through to your Virtual Machines. Below are the instructions on how to do based on this documentation: [Connect to a VM using Bastion](/azure/bastion/connect-vm-native-client-linux).
+There's no SSH route open from your local environment to Virtual Machines running in an Azure CycleCloud Workspace for Slurm by default for security reasons. However, an Azure Bastion can be deployed and used to SSH through to your Virtual Machines. Below are the instructions on how to do based on this documentation: [Connect to a VM using Bastion](/azure/bastion/connect-vm-native-client-linux).
 
 ## Step 1 – Identify the SSH private key locally
-Locate the private SSH key file associated with the public key provided during the deployment. If it is not accessible locally, then download it.
+Locate the private SSH key file associated with the public key provided during the deployment. If it isn't accessible locally, then download it.
 
 ## Step 2 – Retrieve the Resource ID of the Login Node
 From the CycleCloud UI, select the Login node to which you want to connect and double click on that line to open the detail view of the node. Select the VM tab to display the resource details below and copy the `ResourceId`.
 
-![Login Node properties](../../images/ccws/login-node-resource-id.png)
+:::image type="content" source="../../images/ccws/login-node-resource-id.png" alt-text="Login Node properties":::
 
 ## Step 3 – Create a connect script
 Create a login script using the template below. Paste the login node `resourceID` retrieved above and specify the resource group and the private SSH key file to use.

articles/cyclecloud/how-to/ccws/connect-to-portal-with-bastion.md

@@ -1,16 +1,16 @@
 ---
 title: How to connect to the CycleCloud Portal through Bastion
-description: How to securily connect to the CycleCloud Portal using Bastion
+description: How to securely connect to the CycleCloud Portal using Bastion
 author: xpillons
-ms.date: 11/22/2024
+ms.date: 05/27/2025
 ms.author: padmalathas
 ---
 
 # How to connect to the CycleCloud Portal through Bastion
 You can deploy an Azure Bastion to establish an SSH tunnel to your Azure CycleCloud virtual machine when the HTTPS route is unavailable in your local environment. For detailed instructions, see [Connect to a VM - tunnel command](/azure/bastion/connect-vm-native-client-linux#tunnel).
 
 ## Step 1 – Retrieve the Resource ID of the CycleCloud VM
-To retrieve the resource ID of the `ccw-cyclecloud-vm` virtual machine, navigate to the Azure Portal. From the virtual machine view, select **Settings**, then **Properties**, and you will find the **ResourceID**.
+To retrieve the resource ID of the `ccw-cyclecloud-vm` virtual machine, navigate to the Azure portal. From the virtual machine view, select **Settings**, then **Properties**, and you'll find the **ResourceID**.
 
 ## Step 2 – Create a connect script
 Create a bash script using the template below. Paste the CycleCloud `resourceID` retrieved above.

articles/cyclecloud/how-to/ccws/deploy-with-cli.md

@@ -1,33 +1,31 @@
 ---
 title: How to deploy a CycleCloud Workspace for Slurm environment using the CLI
-description: How to deploy a CycleCloud Workspace for Slurm environment using the Azure CLI and the Azure Portal UI Sandbox
+description: How to deploy a CycleCloud Workspace for Slurm environment using the Azure CLI and the Azure portal UI Sandbox
 author: xpillons
-ms.date: 01/29/2025
-ms.author: xpillons
+ms.date: 05/27/2025
+ms.author: padmalathas
 ---
 
 # How to deploy a CycleCloud Workspace for Slurm environment using the CLI
 
-Prerequisites: Users will need to install the Azure CLI and Git. They will then need to sign into or set their Azure subscription.
+Prerequisites: Users need to install the Azure CLI and Git and then sign into or set their Azure subscription.
 
 - Clone the Azure CycleCloud Workspace for Slurm on the latest stable release
 
 ```bash
-latest=$(curl -s https://api.github.com/repos/azure/cyclecloud-slurm-workspace/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")')
-echo "cloning on $latest"
-git clone --depth 1 --branch $latest https://github.com/azure/cyclecloud-slurm-workspace.git
+git clone --depth 1 https://github.com/azure/cyclecloud-slurm-workspace.git
 ```
 
 - Copy the content of the UI definition file `./uidefinitions/createUiDefinition.json`
 
 - Browse to the UI Definition Sandbox:
-    - For Azure Public Cloud [Azure Public Portal](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/SandboxBlade)
-    - For Azure US Gov [Azure US Gov Portal](https://portal.azure.us/#view/Microsoft_Azure_CreateUIDef/SandboxBlade)
+    - For Azure Public Cloud [Azure Public portal](https://portal.azure.com/#view/Microsoft_Azure_CreateUIDef/SandboxBlade)
+    - For Azure US Gov [Azure US Gov portal](https://portal.azure.us/#view/Microsoft_Azure_CreateUIDef/SandboxBlade)
 
 - Paste the content of the UI Definition file into the multiline text box in the right,
-- Click `Preview >>` in the bottom-left corner. This will bring up a UI experience. 
+- Click `Preview >>` in the bottom-left corner to bring up a UI experience. 
 - Proceed through each page of the UI flow to ensure that necessary values populate in the output payload described in the next step,
-- Proceed with the UI flow to the `Review + create` page and then click the link labeled `View outputs payload` adjacent to the `Create` button. This will generate a pane with JSON-formatted text in its body on the right-hand side of the browser window,
+- Proceed with the UI flow to the `Review + create` page and then click the link labeled `View outputs payload` to the right of the `Create` button to generate a pane with JSON-formatted text in its body on the right-hand side of the browser window,
 - Copy the JSON-formatted text into a local JSON file, 
 - Save it as `parameters.json` and make note of the path to it. This is what we call the Parameters File for the deployment,
 - Open the shell of choice and navigate to the folder/directory that contains the `cyclecloud-slurm-workspace` repository cloned above,
@@ -42,9 +40,11 @@ az vm image terms accept --urn azurecyclecloud:azure-cyclecloud:cyclecloud8-gen2
 az deployment sub create --template-file ./cyclecloud-slurm-workspace/bicep/mainTemplate.bicep --parameters parameters.json --location [ANY AZURE LOCATION E.G. eastus] --name [OPTIONAL BUT HELPFUL, DELETE IF UNUSED] 
 ```
 
-- Wait until the shell indicates that the deployment was successful. One can also track the progress of the deployment in the Azure Portal by navigating to the resource group indicated in the UI, selecting `Deployments` from the Settings dropdown menu on the left-hand side menu, and checking the Status of the Deployment Name that begins with “pid-” at the bottom of the displayed list.
+- Wait until the shell indicates that the deployment was successful. One can also track the progress of the deployment in the Azure portal by navigating to the resource group indicated in the UI, selecting `Deployments` from the Settings dropdown menu on the left-hand side menu, and checking the Status of the Deployment Name that begins with “pid-” at the bottom of the displayed list.
 
 ## Resources
 
-* [How to connect to the CycleCloud Portal through Bastion](/azure/cyclecloud/how-to/ccws/connect-to-portal-with-bastion)
+* [Configure Open OnDemand with CycleCloud](./configure-open-ondemand.md)
+* [Add users for Open OnDemand](./open-ondemand-add-users.md)
+* [How to connect to the CycleCloud portal through Bastion](/azure/cyclecloud/how-to/ccws/connect-to-portal-with-bastion)
 * [How to connect to a Login Node through Bastion](/azure/cyclecloud/how-to/ccws/connect-to-login-node-with-bastion)

articles/cyclecloud/how-to/ccws/open-ondemand-add-users.md

@@ -0,0 +1,18 @@
+---
+title: Add users for Open OnDemand
+description: How to add users for Open OnDemand
+author: xpillons
+ms.date: 05/27/2025
+ms.author: padmalathas
+---
+
+# Add users for Open OnDemand
+Once authenticated with Microsoft Entra ID, Open OnDemand maps the user to a local user account managed by CycleCloud created with the same name as the Microsoft Entra ID user. The following steps describe how to add cluster users for Open OnDemand.
+1. Browse the CycleCloud web portal and select the top right gear icon to open the menu. Select the **Users** option.
+1. Click on the **Add** button to add a new user. For more details on user management in CycleCloud, see instructions: [User Management](../../concepts/user-management.md)
+1. Select at least the role **Global Node User** for regular users and **Global Node Admin** for administrators (sudo access)
+1. Save
+1. Add other users as needed
+1. Wait for the users to be created on clusters. It may take a few minutes.
+
+Users can now log in to Open OnDemand using their Microsoft Entra ID credentials. A consent message may appear upon an initial login attempt: users should affirm consent to be redirected to the Open OnDemand dashboard.

articles/cyclecloud/how-to/ccws/plan-your-deployment.md

@@ -2,7 +2,7 @@
 title: Plan your CycleCloud Workspace for Slurm Deployment
 description: A checklist to help plan for your CycleCloud Workspace for Slurm deployment
 author: xpillons
-ms.date: 03/05/2025
+ms.date: 05/27/2025
 ms.author: padmalathas
 ---
 
@@ -15,8 +15,11 @@ You have two deployment options for Azure CycleCloud Workspace for Slurm:
 When doing a deployment, the Azure user account used need to be granted the following roles:
 - `Contributor` on the Subscription
 - `User Access Administrator` on the Subscription
+- Optional: permission to register a Microsoft Entra application
 
-> Note: It is recommended to pre-deploy a [Hub VNet](/azure/architecture/networking/architecture/hub-spoke) to connect to your enterprise network if one is not already established. This hub can accommodate a [VPN Gateway](/azure/vpn-gateway/tutorial-create-gateway-portal) and an Azure Bastion. The CycleCloud Workspace for Slurm environment will be a spoke and peered during deployment.
+> [!NOTE]
+> Recommendation is to predeploy a [Hub virtual network](/azure/architecture/networking/architecture/hub-spoke) to connect to your enterprise network if one isn't already established. This hub can accommodate a [VPN Gateway](/azure/vpn-gateway/tutorial-create-gateway-portal) and an Azure Bastion. The CycleCloud Workspace for Slurm environment will be a spoke and peered during deployment.
+> Contact Azure HPC Support if VPN or Azure Bastion don't meet your requirements or are blocked by your organization
 
 ## Greenfield Deployment
 
@@ -32,24 +35,32 @@ In a greenfield deployment, the following resources and role assignments are cre
 - Optionally a NAT gateway named `ccw-nat-gateway` and public IP `pip-ccw-nat-gateway`.
 - Optionally an Azure NetApp Files account, pool, and volume with subnet `hpc-anf-subnet`.
 - Optionally an Azure Managed Lustre Filesystem with subnet `ccw-lustre-subnet`.
-- Optionally a VNET Peering.
+- Optionally a virtual network Peering.
 - Optionally a Private Endpoint to an existing Azure Database for MySQL flexible server instance.
 
 ## Brownfield Deployment
 
 In a brownfield deployment, you can provide existing resources for:
-- The VNET and subnets in which the environment is deployed.
-- Filesystem Storage for the user's home directories and/or other filers, as external NFS mount points or Azure Managed Lustre Filesystem (AMLS).
+- The virtual network and subnets in which the environment is deployed.
+- Filesystem Storage for the user's home directories and/or other filers, such as external NFS mount points or Azure Managed Lustre Filesystem (AMLS).
 - An Azure Database for MySQL flexible server instance for Slurm Job Accounting.
+- A registered Microsoft Entra ID application for Open OnDemand authentication.
+- A User-Assigned Managed Identity used by the registered Microsoft Entra ID application for the federated credentials.
 
-If you're bringing your own VNET, follow these prerequisites:
+If you're bringing your own virtual network, follow these prerequisites:
 - A /29 **cyclecloud** subnet for the CycleCloud VM.
 - A **compute** subnet for the nodes, where the scheduler, login, and compute nodes are created.
 - When using Azure NetApp Files, a dedicated **netapp** subnet with the `Microsoft.NetApp/volumes` delegation as documented here [Azure NetApp Files](/azure/azure-netapp-files/azure-netapp-files-introduction).
 - When using Azure Managed Lustre Filesystem, a dedicated **lustre** subnet with a CIDR based on the storage capacity to provision as documented here [Azure Managed Lustre](/azure/azure-managed-lustre/amlfs-overview).
 - If deploying a Bastion, a dedicated **BastionSubnet** as documented [here](/azure/bastion/configuration-settings#subnet).
 - Your NSGs should allow communications between subnets as defined in the [bicep/network-new.bicep](https://github.com/Azure/cyclecloud-slurm-workspace/blob/main/bicep/network-new.bicep) file.
 
+## Open OnDemand
+
+The Azure Bastion tunneling scenario doesn't work for Open OnDemand. The recommended approach is to use a VPN Gateway with Point-to-Site (P2S) VPN connections or has Azure ExpressRoute configured to allow users to connect securely to the CycleCloud Workspace for Slurm network and access Open OnDemand.
+
+Registration of a Microsoft Entra application is required to support the OpenID Connect authentication mechanism. Ensure that the user or subscription administrator have the proper roles to be granted to complete the registration.
+
 ## Quotas
 
 Before deploying, ensure that your subscription has the required quota for the VM types desired for the CycleCloud nodes.