[Core][AWS] Allow specification of Security Groups for resources.

[JGSweets]

Similar to #3488 but for SGs
This PR:

• Allows specification of SGs for controllers vs workers.
• Currently removes the port requirement to be able to allow SG specification in serve.

Addresses: #3473

In ~/.sky/config.yaml:

• When setting for a controller wildcard and all other resources ("*")

aws:
  security_group_name:
    - sky-serve-controller-*: skypilot-controller-fake-sg
    - "*": skypilot-default-fake-sg 

• When setting for everything by specifying a default ("*")

aws:
  security_group_name:
    - "*": skypilot-default-fake-sg

• When setting for everything by specifying just the security_group_name via string

aws:
  security_group_name: skypilot-default-fake-sg

Tested (run the relevant ones):

• Code formatting: bash format.sh
• Any manual or new tests for this PR (please specify below)
  • tested running in all 3 configs in AWS
    • Nothing set
    • setting different controller and default values (controller vs replica in serve received different remote_identities)
    • setting default only
• All smoke tests: pytest tests/test_smoke.py
• Relevant individual smoke tests: pytest tests/test_smoke.py::test_fill_in_the_name
• Backward compatibility tests: bash tests/backward_comaptibility_tests.sh

EDITED:

• refactored to match the IAM format.

[JGSweets]

Feedback for resolving the following would be appreciated:

• ports / security_group_name for serve
• cloud resources only receive cluster_name_on_cloud for make_deploy_variables instead of cluster_name

[JGSweets]

I'm not sure how best to resolve this. For Serve, ports are automatically specified for the load balancer which conflicts with being able to set SGs for it.
#3473

[JGSweets]

Updated to match the format of remote identity.

[JGSweets]

This function does not currently have access to cluster_name

[Michaelvll]

This is a good catch! A proposal would be we refactor the make_deploy_resources_variable to take ClusterName dataclass in all cloud classes, instead of a single string for the cluster name:

skypilot/sky/provision/provisioner.py

Lines 41 to 50 in 05aafb8

	@dataclasses.dataclass
	class ClusterName:
	display_name: str
	name_on_cloud: str
	def __repr__(self) -> str:
	return repr(self.display_name)
	def __str__(self) -> str:
	return self.display_name

To do so, we can move the ClusterName class out of provision module to utils.resources_utils, and let the cloud class and the functions under provision module to use ClusterName object as input.

[JGSweets]

@Michaelvll @concretevitamin do you have any suggestions for the concerns I raised? Thanks!

[Michaelvll]

Thanks for adding the support for specifying security group names for different cluster @JGSweets! This is awesome. I left some comments, mainly concerning that specifying security group name will cause open ports not reliable if the user does not have the security group set up correctly. For now, a good warning or hint message can be enough.

[Michaelvll]

This is a good catch! A proposal would be we refactor the make_deploy_resources_variable to take ClusterName dataclass in all cloud classes, instead of a single string for the cluster name:

skypilot/sky/provision/provisioner.py

Lines 41 to 50 in 05aafb8

	@dataclasses.dataclass
	class ClusterName:
	display_name: str
	name_on_cloud: str
	def __repr__(self) -> str:
	return repr(self.display_name)
	def __str__(self) -> str:
	return self.display_name

To do so, we can move the ClusterName class out of provision module to utils.resources_utils, and let the cloud class and the functions under provision module to use ClusterName object as input.

[Michaelvll]

ports should be the correct field?

[JGSweets]

Yes, ports is correct as it pops this from _get_single_resources_schema`

skypilot/sky/utils/schemas.py

Line 659 in 8a0a34d

'ports': {

[Michaelvll]

Oh, I mean, it seems we changed it to port now, which seems not a valid property to pop? It seems the issue is fixed in the latest commit : )

[Michaelvll]

minor nit: Since this pattern has been used by the remote_identity and security_group_name, we can probably have a constant or a function to generate this dict.

[JGSweets]

Fixes an error with IAM roles if the cluster previously existed.

[Michaelvll]

Does this mean we want to always update the IamInstanceProfile for an old cluster when a user update the ~/.sky/config.yaml? Does this work with launching an existing cluster with a different remote_identity? It would be nice to include some tests in the PR description : )

[JGSweets]

I guess my thoughts are if you have a specified cluster name and you change the IAM or SG, I would expect the cluster to update. However, maybe that isn't the desired behavior? Otherwise, one would have to tear down the entire cluster to change it.

[JGSweets]

@Michaelvll I did test launching with different names to ensure it changes with the name in serve between controller and worker. In this case the controller and the worker are getting different cluster names.
Workers being replicas.

[Michaelvll]

The behavior sounds fine to me, except that it may cause a risk that the controller may get a different IamInstanceProfile that no longer has permission to access the previous service replicas or managed job clusters.

[JGSweets]

I'm not sure this is the ideal place as it seems to print the warning 10+ times per launch.

[Michaelvll]

This is a good catch! Let's remove the warning here and move it to the aws.make_deploy_resources_variables so that the warning will only shown when launching an exact launchable resource. (check out the comment in aws.py above)

[JGSweets]

@Michaelvll @cblmemo I've updated the PR with the ClusterName refactor.

Do we want to further refactor provisioners? If so, should we do it in this PR or a subsequent PR?

[Michaelvll]

Thanks for the update @JGSweets and sorry for the delay! This PR and the ClusterName refactoring looks mostly good to me. Left several additional comments. I don't think we need further refactoring for provisioners at the moment.

[Michaelvll]

Oh, I mean, it seems we changed it to port now, which seems not a valid property to pop? It seems the issue is fixed in the latest commit : )

[Michaelvll]

Does this mean we want to always update the IamInstanceProfile for an old cluster when a user update the ~/.sky/config.yaml? Does this work with launching an existing cluster with a different remote_identity? It would be nice to include some tests in the PR description : )

[Michaelvll]

Let's move the warning from aws.py to here so that it will only be printed once whenever it is trying to launch an AWS cluster with the security group specified.

        security_group = user_security_group
        if security_group is None:
            if resources.ports is not None:
                # Already checked in Resources._try_validate_ports
                security_group = USER_PORTS_SECURITY_GROUP_NAME.format(
                    cluster_name.name_on_cloud)
            elif user_security_group is None:
                security_group = DEFAULT_SECURITY_GROUP_NAME
        elif resources.ports is not None:
            # resources.ports will only take effect when the security group is not specified
            # by user.
            logger.warning(
                f'{colorama.Fore.YELLOW}AWS security group name is specified '
                f'({security_group}) with aws.security_group_name in ~/.sky/config.yaml, '
                f'while ports ({resources.ports}) is also specified in task resources. The '
                'ports are not guaranteed to be opened in the specified security group, '
                'due to the complex rules setup. Please manually make sure it.'
                f'{colorama.Style.RESET_ALL}')

Unfortunately, since we call make_deploy_resources_variables in the following place, the logging will still twice for each failover. The resources_vars retrieved is just for getting the custom_resources later, so we can add a custom_resources field in the provision_record returned by the bulk_provision.

skypilot/sky/backends/cloud_vm_ray_backend.py

Lines 1557 to 1562 in 0b2d5b2

	resources_vars = (
	to_provision.cloud.make_deploy_resources_variables(
	to_provision,
	resources_utils.ClusterName(
	cluster_name, handle.cluster_name_on_cloud),
	region, zones))

skypilot/sky/backends/cloud_vm_ray_backend.py

Lines 1544 to 1553 in 0b2d5b2

	provision_record = provisioner.bulk_provision(
	to_provision.cloud,
	region,
	zones,
	resources_utils.ClusterName(
	cluster_name, handle.cluster_name_on_cloud),
	num_nodes=num_nodes,
	cluster_yaml=handle.cluster_yaml,
	prev_cluster_ever_up=prev_cluster_ever_up,
	log_dir=self.log_dir)

I am ok to leave the change for bulk_provision and provision_record to a future PR if we think the current PR involves too many things.

[Michaelvll]

This can be simplified to:

Suggested change

	if self.cloud is None or isinstance(self.cloud, clouds.AWS):
	if isinstance(self.cloud, clouds.AWS):

[JGSweets]

this is removed anyways since the warning is moved.

[Michaelvll]

Suggested change

	with ux_utils.print_exception_no_traceback():
	logger.warning(
	f'Ports {self.ports} and security group name are '
	f'specified: {security_group_name}. It is not '
	'guaranteed that the ports will be opened if the '
	'specified security group is not correctly set up. '
	'Please try to specify `ports` only and leave out '
	'`aws.security_group_name` in `~/.sky/config.yaml` to '
	'allow SkyPilot to automatically create and configure '
	'the security group.')
	logger.warning(
	f'Ports {self.ports} and security group name are '
	f'specified: {security_group_name}. It is not '
	'guaranteed that the ports will be opened if the '
	'specified security group is not correctly set up. '
	'Please try to specify `ports` only and leave out '
	'`aws.security_group_name` in `~/.sky/config.yaml` to '
	'allow SkyPilot to automatically create and configure '
	'the security group.')

[Michaelvll]

nit: we can use a constant instead and let the callers use the constant.

_PRORPERTY_NAME_OR_CLUSTER_NAME_TO_PROPERTY = {
            'oneOf': [
                {
                    'type': 'string'
                },
                {
                    # A list of single-element dict to pretain the
                    # order.
                    # Example:
                    #  property_name:
                    #    - my-cluster1-*: my-property-1
                    #    - my-cluster2-*: my-property-2
                    #    - "*"": my-property-3
                    'type': 'array',
                    'items': {
                        'type': 'object',
                        'additionalProperties': {
                            'type': 'string'
                        },
                        'maxProperties': 1,
                        'minProperties': 1,
                    },
                }
            ]
        }

In the callers, we just use:

'remote_identity': _PRORPERTY_NAME_OR_CLUSTER_NAME_TO_PROPERTY

'security_group_name': _PRORPERTY_NAME_OR_CLUSTER_NAME_TO_PROPERTY

[Michaelvll]

This is a good catch! Let's remove the warning here and move it to the aws.make_deploy_resources_variables so that the warning will only shown when launching an exact launchable resource. (check out the comment in aws.py above)

[JGSweets]

@Michaelvll Could you please re-review this PR? Thanks!

[Michaelvll]

Thanks for the update @JGSweets! Sorry for the delay. The PR looks mostly good to me, except some minor fixes. : )

[Michaelvll]

I don't think we need this, as our new provisioner no longer needs to look into the worker config. Similar for the line below, let's remove the line for ray.worker.default, 'node_config', 'UserData'`

[Michaelvll]

The behavior sounds fine to me, except that it may cause a risk that the controller may get a different IamInstanceProfile that no longer has permission to access the previous service replicas or managed job clusters.

[Michaelvll]

nit: this seems more direct to me

Suggested change

	if user_security_group is not None and not isinstance(
	user_security_group, str):
	if user_security_group is not None and isinstance(user_security_group, list):

[Michaelvll]

Seems this is ensured by the previous if statement.

Suggested change

	elif security_group is not None and resources.ports is not None:
	elif resources.ports is not None:

[Michaelvll]

nit: simplified and clearified the logging a little bit.

Suggested change

	f'Ports {resources.ports} and security group name are '
	f'specified: {security_group}. It is not '
	'guaranteed that the ports will be opened if the '
	'specified security group is not correctly set up. '
	'Please try to specify `ports` only and leave out '
	'`aws.security_group_name` in `~/.sky/config.yaml` to '
	'allow SkyPilot to automatically create and configure '
	'the security group.')
	f'Skip opening ports {resources.ports} for cluster {cluster_name!r}, '
	'as `aws.security_group_name` in `~/.sky/config.yaml` is specified as '
	f' {security_group!r}. Please make sure the specified security group '
	'has requested ports setup; or, leave out `aws.security_group_name` '
	'in `~/.sky/config.yaml`.')

[Michaelvll]

Do we need this parenthesis?

Suggested change

	'security_group_name':
	(_PRORPERTY_NAME_OR_CLUSTER_NAME_TO_PROPERTY),
	'security_group_name': _PRORPERTY_NAME_OR_CLUSTER_NAME_TO_PROPERTY,

[JGSweets]

Unfortunately, black would fix to what you suggest, but then the linter would say the line is too long. I can add a commented exception if we want instead.

[Michaelvll]

Should use display name for matching, as it is user facing:

Suggested change

	if fnmatch.fnmatchcase(cluster_name.name_on_cloud,
	if fnmatch.fnmatchcase(cluster_name.display_name,

[JGSweets]

If we change this for security groups, we should also change this for IAM. I'll add that to this PR if that's okay. Nevermind, IAM already uses cluster_name which equates to display_name!

[Michaelvll]

How about checking the remote_identity as well?

[JGSweets]

remote_identity is not constructed here, however, new tests were added to fix that.

[Michaelvll]

Let's get rid of this "*" item here to test the default remote_identity set by SkyPilot?

[JGSweets]

Good catch!

[JGSweets]

Discovered and fixed a bug related to this.

[Michaelvll]

Let's match the cluster name by the display name instead of the name_on_cloud as the former is the one a user actually specifies?

[JGSweets]

@Michaelvll fixed a bug here when there was no match.

[JGSweets]

this fixes a bug if no match is found when a list is provided

[JGSweets]

new test for remote identity, this is somewhat redundant with the resource_utils test since it is encapsulated in write_cluster_config.

I can remove that test if we desire.