job preparation sequence diagram + some fixs

Author: telliere

docs/architecture/architecture.md

@@ -0,0 +1,142 @@
+# Architecture
+
+## Current architecture - Overview
+
+```mermaid
+flowchart LR
+
+subgraph UL["User laptop"]
+    HPCSC["HPCS Client"]
+    ULSPA["Spire Agent"]
+end
+
+subgraph SS["Supercomputing Site"]
+    subgraph CN["Compute node"]
+        CNSPA["Spire Agent"]
+        SBATCH["Sbatch"]
+    end
+    LN["Login node"]
+end
+
+subgraph UN["Utility node"]
+    subgraph k8s["Kubernetes cluster"]
+        SPS["Spire Server"]
+        HPCSS["HPCS Server"]
+        SPA["Spire Agent"]
+        Vault
+    end
+end
+
+UL <--"SSH"--> LN
+LN <--"Scheduling"--> CN
+UL <--"HTTPS (HPCS), HTTPS (Vault), TCP (Spire)"--> UN
+CN <--"HTTPS (HPCS), HTTPS (Vault), TCP (Spire)"--> UN
+```
+
+## Current architecture - In depth
+
+```mermaid
+flowchart LR
+
+subgraph UL["User laptop"]
+
+    subgraph HPCSCDP["Data preparation"]
+        HPCSCDPB["HPCS Client"]
+        SPADP["Spire Agent"]
+    end
+
+    subgraph HPCSCCP["Container preparation"]
+        HPCSCCPB["HPCS Client"]
+        SPACP["Spire Agent"]
+    end
+    subgraph HPCSCJP["HPCS Client - Job preparation"]
+        HPCSCJPB["HPCS Client"]
+    end
+end
+
+subgraph SS["Supercomputing Site"]
+    SC["Slurm Controller"]
+    LN["Login nodes"]
+    subgraph PCPU["CPU Partition"]
+        subgraph  CN1["Compute node 1"]
+            CN1SBATCH["Sbatch"]
+            CN1SA["Spire Agent"]
+        end
+        subgraph  CN2["Compute node 2"]
+            CN2SBATCH["Sbatch"]
+            CN2SA["Spire Agent"]
+        end
+    end
+    subgraph PGPU["GPU Partition"]
+        subgraph CN3["Compute node 3"]
+            CN3SBATCH["Sbatch"]
+            CN3SA["Spire Agent"]
+        end
+        subgraph CN4["Compute node 4"]
+            CN4SBATCH["Sbatch"]
+            CN4SA["Spire Agent"]
+        end
+    end
+end
+
+subgraph UN["Utility node"]
+    subgraph k8s["Kubernetes cluster"]
+        subgraph HPCSP["HPCS Pod"]
+            SPS["Spire Server"]
+            subgraph HPCSSC["HPCS Server Container"]
+                HPCSS["HPCS Server"]
+                SPA["Spire Agent"]
+            end
+            SPO["Spire OIDC"]
+            NI["Nginx Ingress"]
+        end
+        Vault
+    end
+end
+
+SPS <--"UNIX Socket"--> SPO
+SPO <--"UNIX Socket"--> NI
+
+HPCSS <--"CLI + UNIX Socket"--> SPS
+HPCSS <--"PYSPIFFE (UNIX SOCKET)"--> SPA
+
+SPA <--TCP--> SPS
+
+Vault <--"HTTPS"--> NI
+Vault <--"HTTPS (mTLS)"--> HPCSS
+
+LN <--"CLI"--> SC
+
+SC <--"Scheduling"--> PCPU
+SC <--"Scheduling"--> PGPU
+
+SPADP <--"TCP"--> SPS
+SPACP <--"TCP"--> SPS
+
+HPCSCDPB <--"HTTPS (mTLS)"--> HPCSS
+HPCSCCPB <--"HTTPS (mTLS)"--> HPCSS
+
+HPCSCDPB <--"HTTPS"--> Vault
+HPCSCCPB <--"HTTPS"--> Vault
+
+HPCSCCPB <--"CLI/Lib + UNIX Socket"--> SPACP
+HPCSCDPB <--"CLI/Lib + UNIX Socket"--> SPADP
+
+CN1SA <--"TCP"--> SPS
+CN2SA <--"TCP"--> SPS
+CN3SA <--"TCP"--> SPS
+CN4SA <--"TCP"--> SPS
+
+CN1SBATCH <--"HTTPS"--> Vault
+CN2SBATCH <--"HTTPS"--> Vault
+CN3SBATCH <--"HTTPS"--> Vault
+CN4SBATCH <--"HTTPS"--> Vault
+
+HPCSCDPB <--"SSH (As user - Data & Info files)"--> LN
+HPCSCCPB <--"SSH (As user - Container image & Info files)"--> LN
+
+HPCSCJPB --"SSH (As user - SBATCH file & CLI Call to SBATCH)"--> LN
+LN --"SSH (As user - Info files)"--> HPCSCJPB
+```
+
+This diagram doesn't show the HTTPS requests from client/compute node to HPCS Server used to register the agents since this behaviour is a practical workaround.

docs/architecture/container_preparation.md

@@ -6,6 +6,7 @@ This step consist in using an original OCI image to prepare it, encrypt it and s
 
 ```mermaid
 sequenceDiagram
+    actor User
     User -->> Container Preparation container: spawns using docker-compose
     Container Preparation container -->> Spire Agent: spawns using `spawn_agent.py`
     Spire Agent ->> Spire Server: Runs node attestation
@@ -16,35 +17,37 @@ sequenceDiagram
     Container Preparation container ->> Vault: Log-in using SVID
     Vault ->> Container Preparation container: Returns an authentication token (write only on client's path)
     Container Preparation container ->> Vault: Write private key using authentication token
-    Vault ->> Container Preparation container: 
+    Vault ->> Container Preparation container:
     Container Preparation container ->> HPCS Server: Request creation of workloads (compute nodes, users, groups ...) authorized to access the key and using SVID to authenticate
     HPCS Server ->> Spire Server: Validate SVID
-    Spire Server ->> HPCS Spire Agent: 
+    Spire Server ->> HPCS Spire Agent:
     HPCS Spire Agent ->> Spire Server: Validate SVID
-    Spire Server ->> HPCS Server: 
+    Spire Server ->> HPCS Server:
     HPCS Server ->> Spire Server: Create workloads identities to access the key
-    Spire Server ->> HPCS Server: 
+    Spire Server ->> HPCS Server:
     HPCS Server ->> Vault: Create role and policy to access the key
-    Vault ->> HPCS Server: 
+    Vault ->> HPCS Server:
     HPCS Server ->> Container Preparation container: SpiffeID & role to access the container, path to the secret
     Container Preparation container ->> Container Preparation container: Parse info file based on previous steps
     Container Preparation container ->> Supercomputer: Ship encrypted container
-    Supercomputer ->> Container Preparation container: 
+    Supercomputer ->> Container Preparation container:
     Container Preparation container ->> Supercomputer: Ship info file
-    Supercomputer ->> Container Preparation container: 
+    Supercomputer ->> Container Preparation container:
     Container Preparation container -->> Spire Agent: Kills
-    Spire Agent -->> Container Preparation container: 
-    Spire Agent -->> Container Preparation container: Dies 
+    Spire Agent -->> Container Preparation container:
+    Spire Agent -->> Container Preparation container: Dies
     Container Preparation container -->> User: Finishes
 ```
 
-
 ## Sequence diagram of the container's preparation (without shipping)
 
 ### Image is prepared and then encrypted (Encryption at rest)
+
 This step is currently (3/2024) used to encrypt the container. It does not require changes on LUMI to work.
+
 ```mermaid
 sequenceDiagram
+    actor User
     User -->>HPCS Client: spawns using `python3 prepare_container.py [OPTIONS]`
     HPCS Client -->> Docker Client: spawns
     HPCS Client ->> HPCS Client: Create prepared Dockerfile
@@ -59,11 +62,13 @@ sequenceDiagram
     HPCS Client ->> HPCS Client: Encrypt image file
 ```
 
-
 ### Image is prepared and SIF encrypted
+
 When HPC nodes support encrypted containers, this process can be used.
+
 ```mermaid
 sequenceDiagram
+    actor User
     User -->>HPCS Client: spawns using `python3 prepare_container.py [OPTIONS]`
     HPCS Client -->> Docker Client: spawns
     HPCS Client ->> HPCS Client: Create prepared Dockerfile
@@ -75,4 +80,4 @@ sequenceDiagram
     Docker Client -->> Build-Env: Spawns
     Build-Env ->> Build-Env: Build final prepared and encrypted SIF image
     Build-Env ->> HPCS Client: Returns final prepared and encrypted SIF image
-```
+```

docs/architecture/data_preparation.md

@@ -6,6 +6,7 @@ This step consists in using an input directory, encrypt it and ship it to the su
 
 ```mermaid
 sequenceDiagram
+    actor User
     User -->> Data Preparation container: spawns using docker-compose
     Data Preparation container -->> Spire Agent: spawns using `spawn_agent.py`
     Spire Agent ->> Spire Server: Runs node attestation
@@ -16,24 +17,24 @@ sequenceDiagram
     Data Preparation container ->> Vault: Log-in using SVID
     Vault ->> Data Preparation container: Returns an authentication token (write only on client's path)
     Data Preparation container ->> Vault: Write private key using authentication token
-    Vault ->> Data Preparation container: 
+    Vault ->> Data Preparation container:
     Data Preparation container ->> HPCS Server: Request creation of workloads (compute nodes, users, groups ...) authorized to access the key and using SVID to authenticate
     HPCS Server ->> Spire Server: Validate SVID
-    Spire Server ->> HPCS Spire Agent: 
+    Spire Server ->> HPCS Spire Agent:
     HPCS Spire Agent ->> Spire Server: Validate SVID
-    Spire Server ->> HPCS Server: 
+    Spire Server ->> HPCS Server:
     HPCS Server ->> Spire Server: Create workloads identities to access the key
-    Spire Server ->> HPCS Server: 
+    Spire Server ->> HPCS Server:
     HPCS Server ->> Vault: Create role and policy to access the key
-    Vault ->> HPCS Server: 
+    Vault ->> HPCS Server:
     HPCS Server ->> Data Preparation container: SpiffeID & role to access the container, path to the secret
     Data Preparation container ->> Data Preparation container: Parse info file based on previous steps
     Data Preparation container ->> Supercomputer: Ship encrypted containe
-    Supercomputer ->> Data Preparation container: 
+    Supercomputer ->> Data Preparation container:
     Data Preparation container ->> Supercomputer: Ship info file
-    Supercomputer ->> Data Preparation container: 
+    Supercomputer ->> Data Preparation container:
     Data Preparation container -->> Spire Agent: Kills
-    Spire Agent -->> Data Preparation container: 
-    Spire Agent -->> Data Preparation container: Dies 
+    Spire Agent -->> Data Preparation container:
+    Spire Agent -->> Data Preparation container: Dies
     Data Preparation container -->> User: Finishes
-```
+```

docs/architecture/job_preparation.md

@@ -0,0 +1,81 @@
+# Job preparation
+
+This step consists in the preparation of the secure job, followed by its execution. It requires two info files (one for the data, one for the secured container) and more settings about the runtime (arguments, parameters for the singularity container ...).
+
+## Sequence diagram of this step
+
+```mermaid
+sequenceDiagram
+    actor User
+    participant Job Preparation container
+    participant Login Node
+    participant Scheduler
+
+    User -->> Job Preparation container: spawns using docker-compose
+    Job Preparation container ->> Login Node: Initiate SSH Connection
+    rect rgb(191, 223, 255)
+        note right of User: Job preparation
+        Job Preparation container ->> Login Node: SCP Data's info file
+        Login Node ->> Job Preparation container: Info file
+        Job Preparation container ->> Job Preparation container: Parse info from info file
+        Job Preparation container ->> Login Node: SCP Container image's info file
+        Login Node ->> Job Preparation container: Info file
+        Job Preparation container ->> Job Preparation container: Parse info from info file
+        Job Preparation container ->> Job Preparation container: Generate SBATCH file from template based on info gathered
+        Job Preparation container ->> Login Node: Copy SBATCH File and HPCS Configuration file
+        Login Node ->> Job Preparation container:
+        Job Preparation container ->> Job Preparation container: Generate keypair for output data
+        Job Preparation container ->> Login Node: Copy encryption key
+        Login Node ->> Job Preparation container:
+    end
+
+    rect rgb(191, 223, 255)
+        note right of User: Job runtime
+        Job Preparation container ->> Login Node: SSH Execute "sbatch SBATCHFILE"
+        Login Node ->>+ Scheduler: sbatch SBATCHFILE
+        Scheduler ->> Login Node: Job created + Job id
+        Login Node ->> Job Preparation container: Job created + Job id
+        Job Preparation container ->> Job Preparation container: Follows job output or job status
+        activate Job Preparation container
+        Scheduler ->> Scheduler: Scheduling job
+        activate Scheduler
+        deactivate Scheduler
+        Scheduler ->> Compute node: Elect node - Execute SBATCHFILE
+        Compute node ->> Compute node: Clone HPCS Github / Download age and gocryptfs binaries
+        Compute node -->> Spire Agent: spawns using `spawn_agent.py`
+        Spire Agent ->> Spire Server: Runs node attestation
+        Spire Server ->> Spire Agent: Attests node, provide SVIDs for linked identities
+        Compute node ->> Spire Agent: Fetches API to get an SVID
+        Spire Agent ->> Compute node: Provides SVID
+        Compute node ->> Vault: Log-in using SVID
+        Vault ->> Compute node: Returns an authentication token (read only on container key's path)
+        Compute node ->> Vault: Read container's key using authentication token
+        Vault ->> Compute node: Returns container's key
+        Compute node ->> Compute node: Decrypt container image
+        Compute node ->> Compute node: Setup secure environment for runtime (Encrypted volumes, gather flags etc)
+        Compute node ->> Spire Agent: Fetches API to get an SVID
+        Spire Agent ->> Compute node: Provides SVID
+        Compute node ->> Compute node: Export SVID and data secret path in a variable
+        Compute node -->> Application container: spawns using `singularity run`
+        Application container ->> Vault: Log-in using SVID
+        Vault ->> Application container: Returns an authentication token (read only on data key's path)
+        Application container ->> Vault: Read data's key using authentication token
+        Vault ->> Application container: Returns data's key
+        Application container ->> Application container: Decrypt data using key
+        Application container ->> Application container: Runs input scripts
+        Application container ->> Application container: Application runs
+        Application container ->> Application container: Runs output scripts
+        Application container ->> Application container: Encrypt output directory
+        Application container -->> Compute node: Finishes
+        Compute node -->> Spire Agent: Kills
+        Spire Agent -->> Compute node:
+        Spire Agent -->> Compute node: Dies
+        Compute node ->> Scheduler: Becomes available
+        deactivate Job Preparation container
+    end
+    Job Preparation container ->> Login Node: Close SSH connection
+    Login Node ->> Job Preparation container:
+    Login Node ->> Job Preparation container: Close SSH connection
+
+    Job Preparation container -->> User: Finishes
+```