[AD] Fix the sync of AD data by moving the sync step at the end of the finalize phase ignoring failures.

gmarciani · gmarciani · commit 1e07cc24b9c3 · 2024-02-20T18:39:58.000+01:00
Signed-off-by: Giacomo Marciani &lt;mgiacomo@amazon.com&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,7 +34,6 @@ This file is used to list changes made in each version of the AWS ParallelCluste
 **BUG FIXES**
 - Fix issue making job fail when submitted as active directory user from login nodes. 
   The issue was caused by an incomplete configuration of the integration with the external Active Directory on the head node.
-  This fix comes with a breaking change: now cluster creation/update would fail if the integration with the Active Directory does not work.
 
 3.8.0
 ------
diff --git a/cookbooks/aws-parallelcluster-entrypoints/recipes/finalize.rb b/cookbooks/aws-parallelcluster-entrypoints/recipes/finalize.rb
@@ -21,6 +21,7 @@
 end
 
 include_recipe "aws-parallelcluster-platform::finalize"
-include_recipe "aws-parallelcluster-environment::finalize"
 
 include_recipe 'aws-parallelcluster-slurm::finalize' if node['cluster']['scheduler'] == 'slurm'
+
+include_recipe "aws-parallelcluster-environment::finalize"
diff --git a/cookbooks/aws-parallelcluster-environment/recipes/finalize/finalize_directory_service.rb b/cookbooks/aws-parallelcluster-environment/recipes/finalize/finalize_directory_service.rb
@@ -22,10 +22,13 @@
   read_only_user = domain_service_read_only_user_name(node['cluster']['directory_service']['domain_read_only_user'])
 
   execute 'Fetch user data from remote directory service' do
-    # The switch-user (sudo -u) is necessary to trigger the fetching of AD data
+    # The switch-user (sudo -u) is necessary to trigger the fetching of AD data.
+    # Failures are ignored because we experimentally verified that a MsAD backend
+    # may take long time to become available.
+    # So, we prefer to execute this step in best effort mode.
+    # Once we will reintroduce the failures, we should consider 30 retries with 10 seconds delay.
     command "sudo -u #{default_user} getent passwd #{read_only_user}"
     user 'root'
-    retries 10 # Retries are just a safe guard in case the node is still fetching data from the AD
-    retry_delay 3
+    ignore_failure true
   end
 end
diff --git a/cookbooks/aws-parallelcluster-environment/spec/unit/recipes/finalize_directory_service_spec.rb b/cookbooks/aws-parallelcluster-environment/spec/unit/recipes/finalize_directory_service_spec.rb
@@ -38,8 +38,7 @@
               is_expected.to run_execute('Fetch user data from remote directory service').with(
                 command: "sudo -u #{cluster_user} getent passwd #{domain_read_only_user}",
                 user: 'root',
-                retries: 10,
-                retry_delay: 3
+                ignore_failure: true
               )
             end
           else
