helper tool to add new security groups to FSxL ENIs #871
Conversation
|
|
||
| # First get one network interface then describe the network interface to get existing Security Groups attached | ||
| fsx_id_enis=$(aws fsx describe-file-systems "${awscli_args[@]}" --query 'FileSystems[0].NetworkInterfaceIds' --output text) | ||
| existing_sg=$(aws ec2 describe-network-interfaces "${awscli_args[@]}" --network-interface-ids $temp_eni_id --query 'NetworkInterfaces[0].Groups[*].GroupId' --output text) |
There was a problem hiding this comment.
$temp_eni_id is undefined and is referenced here, it'll fail.
Need to define "temp_eni_id"
There was a problem hiding this comment.
it needs to be fsx_id_enis (as we define in line 83 above).
| ;; | ||
| *) | ||
| [[ "$fsx_id" == "" ]] \ | ||
| && $fsx_id="$key" \ |
There was a problem hiding this comment.
shouldn't this be fsx_id="$key"?
There was a problem hiding this comment.
you have to check for both. The syntax do:
- Test if
fsx_idis empty - If it is true, then it assigns
keytofsx_id.
If the user does not provide a fsx_id as part of the arguments, then the test will be FALSE. The fsx_id won't get assigned a value which will cause the script to exit.
| fi | ||
|
|
||
| echo -e "Amazon FSx for Lustre filesystem: ${GREEN}${fsx_id}${NC}" | ||
| echo -e "Existing security groups attached on the filesystem: ${GREEN}${$existing_sg}${NC}" |
There was a problem hiding this comment.
incorrect variable syntax: ${$existing_sg} -> ${existing_sg}
|
|
||
| echo -e "Amazon FSx for Lustre filesystem: ${GREEN}${fsx_id}${NC}" | ||
| echo -e "Existing security groups attached on the filesystem: ${GREEN}${$existing_sg}${NC}" | ||
| echo -e "Adding security group ID: ${GREEN}${$security_group}${NC}" |
There was a problem hiding this comment.
Same here, incorrect variable syntax: ${$security_group} -> ${security_group}
|
|
||
| # Finally update the ENI to add the new security groups plus the existing security groups | ||
| for i in $fsx_id_enis; do | ||
| echo -e "Adding ${GREEN}${$security_group} to ENI $GREEN}${$i}" |
There was a problem hiding this comment.
same here, ${$security_group} -> ${security_group} and ${$i} -> ${i}
Additionally, missing { before GREEN, should be ${GREEN}
| # Finally update the ENI to add the new security groups plus the existing security groups | ||
| for i in $fsx_id_enis; do | ||
| echo -e "Adding ${GREEN}${$security_group} to ENI $GREEN}${$i}" | ||
| $(aws ec2 modify-network-interface-attribute "${awscli_args[@]}" --network-interface-id $i --groups $existing_sg $security_group) |
There was a problem hiding this comment.
Do we need the command substitution here?
We just executing the command, right? We don't need to capture the output?
shouldn't be below instead?:
aws ec2 modify-network-interface-attribute "${awscli_args[@]}" --network-interface-id $i --groups $existing_sg $security_group
There was a problem hiding this comment.
Either work, but you are right. I'm not capturing the output; I care about the exit signal only.
| YELLOW='\033[1;33m' | ||
| NC='\033[0m' # No Color | ||
|
|
||
| escape_spaces() { |
There was a problem hiding this comment.
Where is this function being used?
| security groups to the FSx for Lustre ENIs" | ||
|
|
||
| # First get one network interface then describe the network interface to get existing Security Groups attached | ||
| fsx_id_enis=$(aws fsx describe-file-systems "${awscli_args[@]}" --query 'FileSystems[0].NetworkInterfaceIds' --output text) |
There was a problem hiding this comment.
This is getting ENIs for the first fsx found, and not really for defined $fsx_id. If there are multiple fsx, this will cause issues and might cause modifying wrong SG.
We should be using $fsx_id here to make sure we are getting ENIs for correct fsx.
There was a problem hiding this comment.
nope, this is getting the ENIs for the $fsx_id defined on the arguments passed to the script. If the user does not pass an fsx_id on the arguments, the script doesn't run.
when the user pass the required arguments, then the parse_args function add the $fsx_id variable to the $awscli_args variable. Then on this CLI bash will expand ${awscli_args[@]} and use the required fsx_id as part of the command. It will then query the ENIs for the fsx_id passed as an argument to this function.
This is the right syntax.
paragao
left a comment
paragao
left a comment
There was a problem hiding this comment.
addressed PR feedback and committed changes.
| security groups to the FSx for Lustre ENIs" | ||
|
|
||
| # First get one network interface then describe the network interface to get existing Security Groups attached | ||
| fsx_id_enis=$(aws fsx describe-file-systems "${awscli_args[@]}" --query 'FileSystems[0].NetworkInterfaceIds' --output text) |
There was a problem hiding this comment.
nope, this is getting the ENIs for the $fsx_id defined on the arguments passed to the script. If the user does not pass an fsx_id on the arguments, the script doesn't run.
when the user pass the required arguments, then the parse_args function add the $fsx_id variable to the $awscli_args variable. Then on this CLI bash will expand ${awscli_args[@]} and use the required fsx_id as part of the command. It will then query the ENIs for the fsx_id passed as an argument to this function.
This is the right syntax.
| YELLOW='\033[1;33m' | ||
| NC='\033[0m' # No Color | ||
|
|
||
| escape_spaces() { |
| ;; | ||
| *) | ||
| [[ "$fsx_id" == "" ]] \ | ||
| && $fsx_id="$key" \ |
There was a problem hiding this comment.
you have to check for both. The syntax do:
- Test if
fsx_idis empty - If it is true, then it assigns
keytofsx_id.
If the user does not provide a fsx_id as part of the arguments, then the test will be FALSE. The fsx_id won't get assigned a value which will cause the script to exit.
| # Finally update the ENI to add the new security groups plus the existing security groups | ||
| for i in $fsx_id_enis; do | ||
| echo -e "Adding ${GREEN}${$security_group} to ENI $GREEN}${$i}" | ||
| $(aws ec2 modify-network-interface-attribute "${awscli_args[@]}" --network-interface-id $i --groups $existing_sg $security_group) |
There was a problem hiding this comment.
Either work, but you are right. I'm not capturing the output; I care about the exit signal only.
|
|
||
| # Finally update the ENI to add the new security groups plus the existing security groups | ||
| for i in $fsx_id_enis; do | ||
| echo -e "Adding ${GREEN}${$security_group} to ENI $GREEN}${$i}" |
|
|
||
| echo -e "Amazon FSx for Lustre filesystem: ${GREEN}${fsx_id}${NC}" | ||
| echo -e "Existing security groups attached on the filesystem: ${GREEN}${$existing_sg}${NC}" | ||
| echo -e "Adding security group ID: ${GREEN}${$security_group}${NC}" |
| fi | ||
|
|
||
| echo -e "Amazon FSx for Lustre filesystem: ${GREEN}${fsx_id}${NC}" | ||
| echo -e "Existing security groups attached on the filesystem: ${GREEN}${$existing_sg}${NC}" |
|
|
||
| # First get one network interface then describe the network interface to get existing Security Groups attached | ||
| fsx_id_enis=$(aws fsx describe-file-systems "${awscli_args[@]}" --query 'FileSystems[0].NetworkInterfaceIds' --output text) | ||
| existing_sg=$(aws ec2 describe-network-interfaces "${awscli_args[@]}" --network-interface-ids $temp_eni_id --query 'NetworkInterfaces[0].Groups[*].GroupId' --output text) |
There was a problem hiding this comment.
it needs to be fsx_id_enis (as we define in line 83 above).
nghtm
left a comment
nghtm
left a comment
There was a problem hiding this comment.
Approving - this is a utility script, as long as it is tested and works, LGTM!
3 participants
Issue #, if available: N/A
Description of changes:
Customers that want to share a single FSx for Lustre filesytem to different Sagemaker Hyperpod clusters need to update the FSx for Lustre ENIs with the new security group. FSx for Lustre scale the number of ENI depending on the size of storage it uses. For small filesystems (few TB), you may have just a few ENIs. For larger filesystems (hundreds of TB or PB), FSx for Lustre scale the number of ENIs (you can have dozens or hundreds).
This helper tool will automate adding the new security group to the existing file system ENIs.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.