Prevent pcluster from changing default permissions on /home directory (…

…#2797) * Prevent pcluster from changing default permissions on /home directory * Create mode attribute so /home permissions can be set to 755 --------- Co-authored-by: Ryan Anderson <ndry@amazon.com>
aws · Sep 12, 2024 · 3a1fb5f · 3a1fb5f
1 parent a496d39
commit 3a1fb5f
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 8 deletions.
diff --git a/cookbooks/aws-parallelcluster-environment/recipes/config/mount_home.rb b/cookbooks/aws-parallelcluster-environment/recipes/config/mount_home.rb
@@ -62,6 +62,7 @@
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
         efs_mount_point_array ['/home']
         efs_access_point_id_array [node['cluster']['efs_access_point_ids'].split(',')[index]]
+        mode '755'
         action :mount
       end
       break
@@ -75,6 +76,7 @@
         efs_encryption_in_transit_array [node['cluster']['efs_encryption_in_transits'].split(',')[index]]
         efs_iam_authorization_array [node['cluster']['efs_iam_authorizations'].split(',')[index]]
         efs_access_point_id_array [node['cluster']['efs_access_point_ids'].split(',')[index]]
+        mode '755'
         action :mount
       end
       break
@@ -89,6 +91,7 @@
         fsx_dns_name_array [node['cluster']['fsx_dns_names'].split(',')[index]]
         fsx_mount_name_array [node['cluster']['fsx_mount_names'].split(',')[index]]
         fsx_volume_junction_path_array [node['cluster']['fsx_volume_junction_paths'].split(',')[index]]
+        mode '755'
         action :mount
       end
       break
@@ -101,6 +104,7 @@
         manage_ebs "add ebs /home" do
           shared_dir_array [dir]
           vol_array [node['cluster']['volume'].split(',')[index]]
+          mode '755'
           action %i(mount export)
         end
         break
@@ -111,6 +115,7 @@
         shared_dir '/home'
         device(lazy { "#{node['cluster']['head_node_private_ip']}:#{format_directory('/home')}" })
         fstype 'nfs'
+        mode '755'
         options node['cluster']['nfs']['hard_mount_options']
         retries 10
         retry_delay 6
@@ -123,6 +128,7 @@
         raid_shared_dir '/home'
         raid_type node['cluster']['raid_type']
         raid_vol_array node['cluster']['raid_vol_ids'].split(',')
+        mode '755'
         action %i(mount export)
       end
     when 'ComputeFleet', 'LoginNode'
@@ -131,6 +137,7 @@
         shared_dir '/home'
         device(lazy { "#{node['cluster']['head_node_private_ip']}:/home" })
         fstype 'nfs'
+        mode '755'
         options node['cluster']['nfs']['hard_mount_options']
         retries 10
         retry_delay 6

diff --git a/cookbooks/aws-parallelcluster-environment/resources/efs/partial/_mount_umount.rb b/cookbooks/aws-parallelcluster-environment/resources/efs/partial/_mount_umount.rb
@@ -22,6 +22,7 @@
 # This is the mount point on the EFS itself, as opposed to the local system directory, defaults to "/"
 property :efs_mount_point_array, Array, required: false
 property :efs_unmount_forced_array, Array, required: false
+property :mode, String, default: "1777"
 
 action :mount do
   return if on_docker?
@@ -61,7 +62,7 @@
     directory efs_shared_dir do
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       recursive true
       action :create
     end unless ::File.directory?(efs_shared_dir)
@@ -97,7 +98,7 @@
       path efs_shared_dir
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       only_if { node['cluster']['node_type'] == "HeadNode" }
     end
   end
@@ -130,7 +131,7 @@
     directory efs_shared_dir do
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       recursive false
       action :delete
       only_if { Dir.exist?(efs_shared_dir.to_s) && Dir.empty?(efs_shared_dir.to_s) }

diff --git a/cookbooks/aws-parallelcluster-environment/resources/lustre/partial/_mount_unmount.rb b/cookbooks/aws-parallelcluster-environment/resources/lustre/partial/_mount_unmount.rb
@@ -15,6 +15,7 @@
 property :fsx_dns_name_array, Array, required: %i(mount unmount)
 property :fsx_mount_name_array, Array, required: %i(mount unmount)
 property :fsx_volume_junction_path_array, Array, required: %i(mount unmount)
+property :mode, String, default: "1777"
 
 action :mount do
   return if on_docker?
@@ -25,7 +26,7 @@
     directory fsx.shared_dir do
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       recursive true
       action :create
     end
@@ -61,7 +62,7 @@
       path fsx.shared_dir
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       only_if { fsx.can_change_shared_dir_permissions && node['cluster']['node_type'] == "HeadNode" }
     end
   end
@@ -92,7 +93,7 @@
     directory fsx.shared_dir do
       owner 'root'
       group 'root'
-      mode '1777'
+      mode new_resource.mode
       recursive false
       action :delete
       only_if { Dir.exist?(fsx.shared_dir) && Dir.empty?(fsx.shared_dir) }

diff --git a/cookbooks/aws-parallelcluster-environment/resources/manage_ebs.rb b/cookbooks/aws-parallelcluster-environment/resources/manage_ebs.rb
@@ -13,6 +13,7 @@
 
 property :shared_dir_array, Array, required: %i(mount export unmount unexport)
 property :vol_array, Array, required: %i(mount unmount)
+property :mode, String, default: "1777"
 
 default_action :mount
 
@@ -43,6 +44,7 @@
 
     volume "mount volume #{index}" do
       action :mount
+      mode new_resource.mode
       shared_dir shared_dir_array[index]
       device(lazy_uuid(dev_path[index]))
       fstype(DelayedEvaluator.new { node['cluster']['volume_fs_type'] })

diff --git a/cookbooks/aws-parallelcluster-environment/resources/raid/partial/_raid_common.rb b/cookbooks/aws-parallelcluster-environment/resources/raid/partial/_raid_common.rb
@@ -15,6 +15,7 @@
 property :raid_shared_dir, String, required: %i(mount unmount export unexport)
 property :raid_type, [String, Integer], required: %i(mount)
 property :raid_vol_array, Array, required: %i(mount unmount)
+property :mode, String, default: "1777"
 
 action :setup do
   package 'mdadm' do
@@ -79,6 +80,7 @@
     device raid_dev
     fstype "ext4"
     options "defaults,nofail,_netdev"
+    mode new_resource.mode
     retries 10
     retry_delay 6
   end

diff --git a/cookbooks/aws-parallelcluster-environment/resources/volume.rb b/cookbooks/aws-parallelcluster-environment/resources/volume.rb
@@ -7,6 +7,7 @@
 property :options, [Array, String], required: %i(mount)
 property :device_type, [String, Symbol], default: :device
 property :volume_id, String, required: %i(attach detach)
+property :mode, String, default: "1777"
 
 action :attach do
   volume_id = new_resource.volume_id.strip
@@ -42,7 +43,7 @@
   directory shared_dir do
     owner 'root'
     group 'root'
-    mode '1777'
+    mode new_resource.mode
     recursive true
     action :create
   end
@@ -78,7 +79,8 @@
   directory shared_dir do
     owner 'root'
     group 'root'
-    mode '1777'
+    mode new_resource.mode
+    only_if { node['cluster']['node_type'] == "HeadNode" }
   end
 end