Azure CycleCloud is an enterprise-friendly tool for orchestrating and managing High-Performance Computing (HPC) environments on Azure. With CycleCloud, users can provision infrastructure for HPC systems, deploy familiar HPC schedulers, and automatically scale the infrastructure to run jobs efficiently at any scale.
There are two primary mechanisms for enabling login access to cluster nodes, through CycleCloud's built-in authentication, or by integrating nodes with a directory service such as Active Directory or LDAP. For enterprise production clusters, it is recommended that user access be managed through a directory service such as LDAP, Active Directory, or NIS.
In this blog, we are discussing how to integrate Active Directory into the CycleCloud cluster (Node Authentication) for User management, using a custom project called cyclecloud-adauth.
The cyclecloud-adauth project installs and configures Active directory-based user authentication for CycleCloud based HPC Clusters and it configure the home directory and password less ssh for AD users, right after they login.
- CycleCloud must be installed and running (CycleCloud 8.0 or later).
- Windows Active Directory must be configured and running.
- Active Directory should be reachable to all the nodes in the cluster and required ports should be opened for authentication.
- Supported OS versions: CentOS 7 / RHEL7 / Alma Linux 8 / Ubuntu 18.04
- Default user home directory for CycleCloud HPC nodes in /shared/home. This project configures home dirs. in the CycleCloud default user home location.
- SELinux in Permissive mode
Configuring the Project
- Open a terminal session in CycleCloud server with the CycleCloud CLI enabled.
- Clone the cyclecloud-adauth repo
$ git clone https://github.com/vinil-v/cyclecloud-adauth.git
- Swtich to cyclecloud-adauth project directory and upload the project to cyclecloud locker.
$ cd cyclecloud-adauth/
$ cyclecloud project upload <locker name>
- Import the required template (Slurm/ OpenPBS or Gridenigne).
$ cyclecloud import_template -f templates/slurm_with_ad.txt
Configuring AD Login in CycleCloud Portal
The following parameters are required for successful configuration.
- FQDN of AD server (e.g.: adserver.hpc.local)
- IP address of AD server
- Administrator account (User account should have rights to add the nodes to domain)
- Administrator password
Create new cluster from the imported template (Slurm with AD in this case) and in the Active Directory section, add the above-mentioned parameter.
Start the cluster. Make sure that the Active directory is running and reachable to all the nodes.
Testing the user login
Trying to login with AD user user1.
login to scheduler with AD user user1 with AD user password. it will create home directory under /shared/home.
$ ssh firstname.lastname@example.org
Creating home directory for user1.
[user1@centos7slurm1-scheduler ~]$ pwd
[user1@centos7slurm1-scheduler ~]$ ls -la .ssh/
drwx------. 2 user1 domain users 61 Feb 1 05:28 .
drwx------. 5 user1 domain users 103 Feb 1 05:28 ..
-rw-r--r--. 1 user1 domain users 411 Feb 1 05:28 authorized_keys
-rw-------. 1 user1 domain users 1679 Feb 1 05:28 id_rsa
-rw-r--r--. 1 user1 domain users 411 Feb 1 05:28 id_rsa.pub
[user1@centos7slurm1-scheduler ~]$ sinfo
PARTITION AVAIL TIMELIMIT NODES STATE NODELIST
hpc* up infinite 50 idle~ centos7slurm1-hpc-pg0-[1-50]
htc up infinite 50 idle~ centos7slurm1-htc-[1-50]
NOTE: Check the UID or GID support for the job submission. some scheduler has configuration to support UID/GID range.
Learn more about CycleCloud
More info on Azure High-Performance computing
Read more on Cyclecloud User Management