Change permission for cfn-hup files and directories for only root user access

* Add Proxy if being used.

Author: Himani Anil Deshpande

cookbooks/aws-parallelcluster-environment/files/cfn_hup_configuration/get_compute_user_data.py renamed to cookbooks/aws-parallelcluster-environment/files/cfn_hup_configuration/share_compute_fleet_dna.py

@@ -1,4 +1,4 @@
-# Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License").
 # You may not use this file except in compliance with the
@@ -11,49 +11,88 @@
 # limitations under the License.
 
 
-
+import configparser
 import argparse
 from email import message_from_string
 import json
 import os
 import boto3
+from botocore.config import Config
 import yaml
 import base64
 import logging
 from retrying import retry
 
-SHARED_LOCATION = "/opt/parallelcluster/"
-
-COMPUTE_FLEET_SHARED_LOCATION = SHARED_LOCATION + 'shared/'
+COMPUTE_FLEET_SHARED_LOCATION = "/opt/parallelcluster/shared/"
 
-COMPUTE_FLEET_DNA_LOC = COMPUTE_FLEET_SHARED_LOCATION + 'dna/'
+COMPUTE_FLEET_SHARED_DNA_LOCATION = COMPUTE_FLEET_SHARED_LOCATION + 'dna/'
 
-COMPUTE_FLEET_LAUNCH_TEMPLATE_ID = COMPUTE_FLEET_SHARED_LOCATION + 'launch-templates-config.json'
+COMPUTE_FLEET_LAUNCH_TEMPLATE_CONFIG = COMPUTE_FLEET_SHARED_LOCATION + 'launch-templates-config.json'
 
 logger = logging.getLogger(__name__)
 logging.basicConfig(level=logging.INFO)
 
-def get_compute_launch_template_ids(shared_storage):
-    """Load launch-templates-config.json which contains ID, Version number and Logical ID of all queues in Compute Fleet's Launch Template."""
+def get_compute_launch_template_ids(lt_config_file_name):
+    """Load launch-templates-config.json which contains ID, Version number and Logical ID of all queues in Compute Fleet's Launch Template.
+    The format of launch-templates-config.json is
+     {
+        "Queues": {
+            "queue1": {
+                "ComputeResources": {
+                    "queue1-i1": {
+                        "LaunchTemplate": {
+                            "Version": "1",
+                            "LogicalId": "LaunchTemplate123456789012345",
+                            "Id": "lt-12345678901234567"
+                        }
+                    }
+                }
+            },
+            "queue2": {
+                "ComputeResources": {
+                    "queue2-i1": {
+                        "LaunchTemplate": {
+                            "Version": "1",
+                            "LogicalId": "LaunchTemplate012345678901234",
+                            "Id": "lt-01234567890123456"
+                        }
+                    }
+                }
+            }
+        }
+     }
+    """
+    lt_config = None
     try:
-        with open(shared_storage, 'r') as file:
+        with open(lt_config_file_name, 'r') as file:
             lt_config = json.loads(file.read())
     except Exception as err:
-        logger.warn("Unable to read %s due to %s", shared_storage, err)
+        logger.warn("Unable to read %s due to %s", lt_config_file_name, err)
 
     return  lt_config
 
 
-
-def create_dna_files(args):
+def share_compute_fleet_dna(args):
     """Creates all dna.json for each queue in cluster."""
-    lt_config = get_compute_launch_template_ids(COMPUTE_FLEET_LAUNCH_TEMPLATE_ID)
+    lt_config = get_compute_launch_template_ids(COMPUTE_FLEET_LAUNCH_TEMPLATE_CONFIG)
     if lt_config:
         all_queues = lt_config.get('Queues')
         for _, queues in all_queues.items():
             compute_resources = queues.get('ComputeResources')
             for _, compute_res in compute_resources.items():
-                get_latest_dns_data(compute_res, COMPUTE_FLEET_DNA_LOC, args)
+                get_latest_dna_data(compute_res, COMPUTE_FLEET_SHARED_DNA_LOCATION, args)
+
+
+# FIXME: Fix Code Duplication
+def parse_proxy_config():
+    config = configparser.RawConfigParser()
+    config.read("/etc/boto.cfg")
+    proxy_config = Config()
+    if config.has_option("Boto", "proxy") and config.has_option("Boto", "proxy_port"):
+        proxy = config.get("Boto", "proxy")
+        proxy_port = config.get("Boto", "proxy_port")
+        proxy_config = Config(proxies={"https": f"{proxy}:{proxy_port}"})
+    return proxy_config
 
 
 @retry(stop_max_attempt_number=5, wait_fixed=3000)
@@ -65,8 +104,11 @@ def get_user_data(lt_id, lt_version, region_name):
     :param region_name: AWS region name (eg: us-east-1)
     :return: User_data in MIME format
     """
+    decoded_data = None
     try:
-        ec2_client = boto3.client("ec2", region_name=region_name)
+        proxy_config = parse_proxy_config()
+
+        ec2_client = boto3.client("ec2", region_name=region_name, config=proxy_config)
         response = ec2_client.describe_launch_template_versions(
             LaunchTemplateId= lt_id,
             Versions=[
@@ -78,23 +120,25 @@ def get_user_data(lt_id, lt_version, region_name):
         if hasattr(err, "message"):
             err = err.message
         logger.error(
-            "Unable to get UserData for launch template%s with version %s.\nException: %s",
+            "Unable to get UserData for launch template %s with version %s.\nException: %s",
             lt_id, lt_version, err
         )
 
     return decoded_data
 
 
-
-def parse_mime_user_data(user_data):
+def get_write_directives_section(user_data):
     """
     Parses MIME formatted UserData that we get from EC2 to extract write_files section from cloud-config section.
     """
-    data = message_from_string(user_data)
-    for cloud_config_section in data.walk():
-        if cloud_config_section.get_content_type() == 'text/cloud-config':
-            write_directives_section = yaml.safe_load(cloud_config_section._payload).get('write_files')
-
+    write_directives_section = None
+    try:
+        data = message_from_string(user_data)
+        for cloud_config_section in data.walk():
+            if cloud_config_section.get_content_type() == 'text/cloud-config':
+                write_directives_section = yaml.safe_load(cloud_config_section._payload).get('write_files')
+    except Exception as err:
+        logger.error("Error occurred while parsing write_files section.\nException: %s", err)
     return write_directives_section
 
 
@@ -116,7 +160,8 @@ def write_dna_files(write_files_section, shared_storage_loc):
             err = err.message
         logger.error("Unable to write %s due to %s", file_path, err)
 
-def get_latest_dns_data(resource, output_location, args):
+
+def get_latest_dna_data(resource, output_location, args):
     """
     Function to get latest User Data, extract relevant details and write dna.json.
     :param resource: Resource containing LT ID, Version and Logical id
@@ -125,8 +170,10 @@ def get_latest_dns_data(resource, output_location, args):
     :rtype: None
     """
     user_data = get_user_data(resource.get('LaunchTemplate').get('Id'), resource.get('LaunchTemplate').get('Version'), args.region)
-    write_directives = parse_mime_user_data(user_data)
-    write_dna_files(write_directives, output_location+resource.get('LaunchTemplate').get("LogicalId"))
+    if user_data:
+        write_directives = get_write_directives_section(user_data)
+        write_dna_files(write_directives, output_location+resource.get('LaunchTemplate').get("LogicalId"))
+
 
 def cleanup(directory_loc):
     """Cleanup dna.json and extra.json files."""
@@ -138,6 +185,7 @@ def cleanup(directory_loc):
         except Exception as err:
             logger.warn(f"Unable to delete %s due to %s", f_path, err)
 
+
 def _parse_cli_args():
     """Parse command line args."""
     parser = argparse.ArgumentParser(
@@ -157,7 +205,6 @@ def _parse_cli_args():
         "-c",
         "--cleanup",
         action="store_true",
-        default=False,
         required=False,
         help="Cleanup DNA files created",
     )
@@ -171,9 +218,9 @@ def main():
     try:
         args = _parse_cli_args()
         if args.cleanup:
-            cleanup(COMPUTE_FLEET_DNA_LOC)
+            cleanup(COMPUTE_FLEET_SHARED_DNA_LOCATION)
         else:
-            create_dna_files(args)
+            share_compute_fleet_dna(args)
     except Exception as err:
         if hasattr(err, "message"):
             err = err.message

cookbooks/aws-parallelcluster-environment/recipes/config.rb

@@ -38,4 +38,4 @@
 # spack 'Configure Spack Packages' do
 #   action :configure
 # end
-cfn_hup_configuration "Configure Cfn-hup"
+cfn_hup_configuration "Configure cfn-hup"

cookbooks/aws-parallelcluster-environment/resources/cfn_hup_configuration.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #
-# Copyright:: 2024 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# Copyright:: 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the
 # License. A copy of the License is located at
@@ -27,14 +27,14 @@
   directory '/etc/cfn' do
     owner 'root'
     group 'root'
-    mode '0770'
+    mode '0700'
     recursive true
   end
 
   directory '/etc/cfn/hooks.d' do
     owner 'root'
     group 'root'
-    mode '0770'
+    mode '0700'
     recursive true
   end
 
@@ -64,19 +64,20 @@
       cloudformation_url: cloudformation_url,
       cfn_init_role: instance_role_name,
       launch_template_resource_id: node['cluster']['launch_template_id'],
-      update_hook_script_dir: node['cluster']['scripts_dir']
+      update_hook_script_dir: node['cluster']['scripts_dir'],
+      node_bootstrap_timeout: node['cluster']['compute_node_bootstrap_timeout'] || node['cluster']['Timeout']
     )
   end
 end
 
 action :extra_configuration do
   case node['cluster']['node_type']
   when 'HeadNode'
-    cookbook_file "#{node['cluster']['scripts_dir']}/get_compute_user_data.py" do
-      source 'cfn_hup_configuration/get_compute_user_data.py'
+    cookbook_file "#{node['cluster']['scripts_dir']}/share_compute_fleet_dna.py" do
+      source 'cfn_hup_configuration/share_compute_fleet_dna.py'
       owner 'root'
       group 'root'
-      mode '0755'
+      mode '0700'
       action :create_if_missing
     end
 

cookbooks/aws-parallelcluster-environment/spec/unit/resources/cfn_hup_configuration_spec.rb

@@ -18,6 +18,7 @@ def self.configure(chef_run)
 LAUNCH_TEMPLATE_ID = "LAUNCH_TEMPLATE_ID".freeze
 SCRIPT_DIR = "SCRIPT_DIR".freeze
 MONITOR_SHARED_DIR = "MONITOR_SHARED_DIR".freeze
+NODE_BOOTSTRAP_TIMEOUT = "1800"
 
 describe 'cfn_hup_configuration:configure' do
   for_all_oses do |platform, version|
@@ -39,6 +40,7 @@ def self.configure(chef_run)
               node.override["cluster"]["launch_template_id"] = LAUNCH_TEMPLATE_ID
               node.override['cluster']['scripts_dir'] = SCRIPT_DIR
               node.override['cluster']['shared_dir'] = MONITOR_SHARED_DIR
+              node.override['cluster']['compute_node_bootstrap_timeout'] = NODE_BOOTSTRAP_TIMEOUT
             end
             ConvergeCfnHupConfiguration.configure(runner)
           end
@@ -49,7 +51,7 @@ def self.configure(chef_run)
               is_expected.to create_directory(dir)
                                .with(owner: 'root')
                                .with(group: 'root')
-                               .with(mode:  "0770")
+                               .with(mode:  "0700")
                                .with(recursive: true)
             end
           end
@@ -81,6 +83,7 @@ def self.configure(chef_run)
                                cfn_init_role: INSTANCE_ROLE_NAME,
                                launch_template_resource_id: LAUNCH_TEMPLATE_ID,
                                update_hook_script_dir: SCRIPT_DIR,
+                               node_bootstrap_timeout: NODE_BOOTSTRAP_TIMEOUT,
                              })
           end
 
@@ -97,12 +100,12 @@ def self.configure(chef_run)
                                })
             end
           elsif node_type == 'HeadNode'
-            it "creates #{SCRIPT_DIR}/get_compute_user_data.py" do
-              is_expected.to create_if_missing_cookbook_file("#{SCRIPT_DIR}/get_compute_user_data.py")
-                               .with(source: 'cfn_hup_configuration/get_compute_user_data.py')
+            it "creates #{SCRIPT_DIR}/share_compute_fleet_dna.py" do
+              is_expected.to create_if_missing_cookbook_file("#{SCRIPT_DIR}/share_compute_fleet_dna.py")
+                               .with(source: 'cfn_hup_configuration/share_compute_fleet_dna.py')
                                .with(user: 'root')
                                .with(group: 'root')
-                               .with(mode: '0755')
+                               .with(mode: '0700')
             end
 
             it "creates the directory #{MONITOR_SHARED_DIR}/dna" do

cookbooks/aws-parallelcluster-environment/templates/cfn_hup_configuration/ComputeFleet/cfn-hup-update-action.sh.erb

@@ -1,8 +1,10 @@
 #!/bin/bash
 set -ex
 
-
-
+# This script is invoked by cfn-hup as part of its update hook action.
+# This script runs on each node of ComputeFleet to monitor the shared location for latest dna.json and extra.json files and run ParallelCluster Cookbook recipes.
+#
+# Usage:   ./cfn-hup-update-action.sh
 
 function run_cookbook_recipes() {
     LATEST_DNA_LOC=<%= @monitor_shared_dir %>
@@ -35,7 +37,7 @@ function run_cookbook_recipes() {
 main() {
   PATH=/usr/local/bin:/bin:/usr/bin:/opt/aws/bin;
   . /etc/parallelcluster/pcluster_cookbook_environment.sh;
-  echo "We monitor <%= @monitor_shared_dir %> to check for <%= @launch_template_resource_id %>-dna.json is being added"
+  echo "We monitor <%= @monitor_shared_dir %> to check for <%= @launch_template_resource_id %>-dna.json has been added and run ParallelCluster cookbook recipes."
   run_cookbook_recipes
 }
 

cookbooks/aws-parallelcluster-environment/templates/cfn_hup_configuration/cfn-hook-update.conf.erb

@@ -6,6 +6,6 @@ path=Resources.<%= @launch_template_resource_id %>.Metadata.AWS::CloudFormation:
 action=PATH=/usr/local/bin:/bin:/usr/bin:/opt/aws/bin; . /etc/parallelcluster/pcluster_cookbook_environment.sh; $CFN_BOOTSTRAP_VIRTUALENV_PATH/cfn-init -v --stack <%= @stack_id %> --resource <%= @launch_template_resource_id %> --configsets update --region <%= @region %> --url <%= @cloudformation_url %> --role <%= @cfn_init_role %>
 <% when 'ComputeFleet' -%>
 path=Resources.<%= @launch_template_resource_id %>
-action=timeout 900 <%= @update_hook_script_dir %>/cfn-hup-update-action.sh
+action=timeout <%= @node_bootstrap_timeout %> <%= @update_hook_script_dir %>/cfn-hup-update-action.sh
 <% end %>
 runas=root

cookbooks/aws-parallelcluster-environment/test/controls/cfn_hup_configuration_spec.rb

@@ -1,4 +1,4 @@
-# Copyright:: 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# Copyright:: 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License").
 # You may not use this file except in compliance with the License. A copy of the License is located at
@@ -15,7 +15,7 @@
   %w(/etc/cfn /etc/cfn/hooks.d).each do |dir|
     describe directory(dir) do
       it { should exist }
-      its('mode') { should cmp '0770' }
+      its('mode') { should cmp '0700' }
       its('owner') { should eq 'root' }
       its('group') { should eq 'root' }
     end
@@ -35,9 +35,9 @@
   title "cfn_hup configuration files and directories for HeadNode should be created"
   only_if { instance.head_node? }
 
-  describe file("#{node['cluster']['scripts_dir']}/get_compute_user_data.py") do
+  describe file("#{node['cluster']['scripts_dir']}/share_compute_fleet_dna.py") do
     it { should exist }
-    its('mode') { should cmp '0400' }
+    its('mode') { should cmp '0700' }
     its('owner') { should eq 'root' }
     its('group') { should eq 'root' }
   end