Skip to content
This repository was archived by the owner on Nov 1, 2023. It is now read-only.

[WIP] unmanaged node prototype #2339

Closed
wants to merge 70 commits into from
Closed

[WIP] unmanaged node prototype #2339

wants to merge 70 commits into from

Conversation

@chkeita
Copy link
Contributor

@chkeita chkeita commented Sep 2, 2022
edited
Loading

Summary of the Pull Request

  • endpoint to retrieve the configuration of a pool for an unmanaged node
  • enable role verification in the authentication
  • added Os to the registration request from the agent
  • new "unmanagedNode" app role
  • registration command to associate authorize an existing appid to be used to connect an unmanaged node

@chkeita chkeita force-pushed the rewrite/unmanaged_node branch from 306d2ab to dc6cd05 Compare September 2, 2022 18:17
@chkeita chkeita force-pushed the rewrite/unmanaged_node branch from dc6cd05 to 0150d32 Compare September 2, 2022 19:01
@stishkin
Copy link
Contributor

stishkin commented Sep 2, 2022

Can you write a one page architecture spec that can be reviewed first before proceeding with implementation ?

stishkin
stishkin suggested changes Sep 14, 2022
View reviewed changes
Copy link
Contributor

@stishkin stishkin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

- Is it dedicated pool for unmanaged nodes or is pool can be mixed with managed and unmanaged nodes ? 
- What if pool is Linux but unmanaged node is Windows, how is it enforced (same 32 bit vs 64 bit) Same for OS image - Ubuntu vs Redhat ?
- How is unmanaged node name is assigned ? what if there is a duplicate in the pool ? 
- what happens if unmanaged node goes rogue ? Do we try to prevent it from taking work ? (Since OneFuzz was designed with "tear it down" in mind, and unmanaged node we cannot tear it down)
- Which queue unmanaged node gets it's work from ? 
- Currently managed nodes auth using token that they get from inside vnet. Unmanaged node cannot do that - what's the auth, and can it be mixed with "user" auth when node makes a request ? 
- Can I have 2 agents running on one unmanged node ? Are they going to interfere with each other ?
- Which app insights unmanaged node logs to ? how is that setup ?
- What if pool does not exist for which unmanaged node claims to be registered with

- What happens if unmanaged node is outdated ? What's the update process ? 
- Does it have to be part of a scaleset ? or is it standalone VM ? 

- What's the testing strategy ?
    - What's test automation strategy ?

@chkeita
Copy link
Contributor Author

chkeita commented Sep 26, 2022

Can you write a one page architecture spec that can be reviewed first before proceeding with implementation ?

This is a prototype in a draft PR. I am not committing to an specific implementation. The point of this prototype is to understand what is needed.

@codecov-commenter
Copy link

codecov-commenter commented Sep 26, 2022
edited
Loading

Codecov Report

Merging #2339 (349f7c5) into main (ae827b2) will decrease coverage by 0.09%.
The diff coverage is 20.41%.

@@            Coverage Diff             @@
##             main    #2339      +/-   ##
==========================================
- Coverage   29.37%   29.27%   -0.10%     
==========================================
  Files         290      290              
  Lines       35603    35690      +87     
==========================================
- Hits        10457    10449       -8     
- Misses      25146    25241      +95
Impacted Files Coverage Δ
...piService/ApiService/Functions/AgentCanSchedule.cs 0.00% <0.00%> (ø)
...rc/ApiService/ApiService/OneFuzzTypes/Responses.cs 75.88% <0.00%> (-0.55%) ⬇️
src/ApiService/ApiService/UserCredentials.cs 8.82% <ø> (ø)
...ice/ApiService/onefuzzlib/EndpointAuthorization.cs 21.77% <ø> (ø)
src/ApiService/ApiService/onefuzzlib/Extension.cs 0.00% <0.00%> (ø)
src/agent/onefuzz-agent/src/commands.rs 0.00% <ø> (ø)
src/agent/onefuzz-agent/src/config.rs 0.00% <0.00%> (ø)
src/agent/onefuzz-agent/src/coordinator.rs 5.75% <0.00%> (ø)
src/agent/onefuzz-agent/src/heartbeat.rs 0.00% <0.00%> (ø)
src/agent/onefuzz-agent/src/main.rs 0.46% <0.00%> (-0.02%) ⬇️
... and 36 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

@chkeita
Copy link
Contributor Author

chkeita commented Sep 26, 2022

  • Is it dedicated pool for unmanaged nodes or is pool can be mixed with managed and unmanaged nodes ?

dedicated. The pool already has a field to that says if it is managed or not.

  • What if pool is Linux but unmanaged node is Windows, how is it enforced (same 32 bit vs 64 bit) Same for OS image - Ubuntu vs Redhat ?

we have validtion the os matches at the registration. But keep in mind that in this scenrio we do not control the nodes. So we rely on whatever the gent gives which makes it hard to enforce.

  • How is unmanaged node name is assigned ? what if there is a duplicate in the pool ?

The node id will be provided by the agent. At this point in the prototype, a duplicate will overwrit the previous registration

  • what happens if unmanaged node goes rogue ? Do we try to prevent it from taking work ? (Since OneFuzz was designed with "tear it down" in mind, and unmanaged node we cannot tear it down)

No. we don't since we do not control it. it is up to the node owner to tear it down

  • Which queue unmanaged node gets it's work from ?

The queue of the pool it is registered to. Same as the current nodes

  • Currently managed nodes auth using token that they get from inside vnet. Unmanaged node cannot do that - what's the auth, and can it be mixed with "user" auth when node makes a request ?

The client support 2 types of authentication
we currently use ManagedIdentity. The unmanaged node will use Client. The credential will created by the unmnaged node owner by creating a new Application registration in azure and assigning it to the onefuzz instance. There will be helpers for that

  • Can I have 2 agents running on one unmanged node ? Are they going to interfere with each other ?

Currently both agent can run but they will interfere with each other because they will share the same machine id

  • Which app insights unmanaged node logs to ? how is that setup ?

The appinsight config is part of the job config and is independent of the node. the setup for is the same as the current implementation

  • What if pool does not exist for which unmanaged node claims to be registered with

the agent registration will fail

  • What happens if unmanaged node is outdated ? What's the update process ?

it is up to the owner of the unmanaged node

  • Does it have to be part of a scaleset ? or is it standalone VM ?

it could be part of a scaleset or a standalone VM . That is up to the unmanaged node owner. The service side will only see the node.

  • What's the testing strategy ?
  • What's test automation strategy ?

create an unmanaged pools,
create the auth data
create vms.
deploy the latest agent on that vm and run it unmnged on thosse VM
run check PR on those pools

@stishkin
Copy link
Contributor

stishkin commented Sep 26, 2022

Can you write a one page spec with scenarios that implementation supposed to handle and the whole team can review and ask questions and provide feedback ?

All those questions that I wrote were just of the top of my head. And it would be great to have a some sort of a plan to read through to understand what are you trying to implement.

And also have a paragraph explaining test strategy.

@chkeita
Copy link
Contributor Author

chkeita commented Sep 26, 2022

Can you write a one page spec with scenarios that implementation supposed to handle and the whole team can review and ask questions and provide feedback ?

All those questions that I wrote were just of the top of my head. And it would be great to have a some sort of a plan to read through to understand what are you trying to implement.

And also have a paragraph explaining test strategy.

When i am done with prototyping

@chkeita chkeita force-pushed the rewrite/unmanaged_node branch from a5cf2bf to 5fc5b8a Compare October 18, 2022 17:22
chkeita added 29 commits November 21, 2022 17:27
@chkeita
include a reason when telling a node it is not allowed to schedule work
569266e
@chkeita
format
2cb3d44
@chkeita
making machine identity a parameter
379553e
@chkeita
making machine identity a parameter
88f24ec
@chkeita
build fix
9d1dbb3
@chkeita
build fix
be6092e
@chkeita
format
f36dd9d
@chkeita
Merge branch 'main' into bug_fix
c014ead
@chkeita
address pr comment
3df523f
@chkeita
build fix
8a127f6
@chkeita
Merge branch 'bug_fix' into rewrite/unmanaged_node
d066ff9
@chkeita
Merge branch 'unmanaged_nodes/machine_identity' into rewrite/unmanage…
349f7c5 
…d_node
@chkeita
get baseAddress from environment variable
c729336
@chkeita
adding machine_id and machine_name paramters
1d4add5
@chkeita
more tweaking
0019181
@chkeita
pass the machine_identity from the agent to the task
36aab28
@chkeita
clippy fix
e710ce7
@chkeita
removing default from MachineIdenitty
cdde478
@chkeita
fix tests
3d3f2ff
@chkeita
more tests fixes
83ca26c
@chkeita
format
8fd1fcf
@chkeita
clippy fix
6119664
@chkeita
another fix
5dfcfb5
@chkeita
fix test
64811da
@chkeita
Merge branch 'bug_fix' into rewrite/unmanaged_node
546f839
@chkeita
more fixes
828b1a2 
includin the machine in the path of the working di
@chkeita
Merge branch 'main' into rewrite/unmanaged_node
1e13e99
@chkeita
Merge branch 'main' into rewrite/unmanaged_node
e88631f
@chkeita
rename client_id in pool to object_id
d9e2433
@chkeita chkeita closed this Feb 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

1 more reviewer

@stishkin stishkin stishkin requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@chkeita @stishkin @codecov-commenter