FAQ
Boto3 is the official AWS SDK for Python. We recommend updating Boto3 regularly to stay up to date with the latest AWS releases (new instance types ...).
To update Boto3, run the following patch command:
./idea-admin.sh patch scheduler \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION> \
--force \
--patch-command 'sudo idea_pip install boto3 --upgrade && sudo supervisorctl restart all'
Refer to Patch IDEA module (idea-admin.sh patch) to learn more about the patch utility.
To safelist a new IP, navigate to VPC > Managed Prefix List and add your new entry into the Prefix List created by IDEA.
Alternatively, you can run the following idea-admin.sh command:
./idea-admin.sh utils cluster-prefix-list add-entry \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION> \
--cidr x.x.x.x/x \
--description '<DESCRIPTION>'
Use ideactl
If you cannot receive email from Cognito due to IT restrictions, log in to the Cluster Manager EC2 instance and run ideactl accounts create-user:
# Make sure to run this command as root on the CLUSTER Manager
# ideactl accounts create-user --email "[email protected]" --password "Password123@" --username "mcrozes2" --sudo --email-verified
{
"username": "mcrozes2",
"email": "[email protected]",
"uid": 5068,
"gid": 5077,
"group_name": "mcrozes2-user-group",
"login_shell": "/bin/bash",
"home_dir": "/data/home/mcrozes2",
"sudo": true,
"status": "CONFIRMED",
"enabled": true,
"created_on": "2022-12-21T16:37:32.033000+00:00",
"updated_on": "2022-12-21T16:37:32.033000+00:00"
}
If you cannot use SSM, you can use idea-admin.sh. Run the following commands to create a new admin user via the IDEA APIs:
IDEA_ADMIN_USER="username"
IDEA_ADMIN_USER_PASSWORD="password"
IDEA_USER_EMAIL_ADDRESS="email_address"
IDEA_CLUSTER_NAME="idea-xxx"
IDEA_DEPLOYMENT_REGION="region where you deployed IDEA"
# Retrieve Client ID
CLIENT_ID_ARN=$(./idea-admin.sh config show \
--query "cluster-manager.client_id" \
--cluster-name $IDEA_CLUSTER_NAME \
--aws-region $IDEA_DEPLOYMENT_REGION \
--format raw)
CLIENT_ID=$(aws secretsmanager get-secret-value --secret-id "$CLIENT_ID_ARN" --query "SecretString" --output text --region "$IDEA_DEPLOYMENT_REGION")
# Retrieve Client secret
CLIENT_SECRET_ARN=$(./idea-admin.sh config show \
--query "cluster-manager.client_secret" \
--cluster-name $IDEA_CLUSTER_NAME \
--aws-region $IDEA_DEPLOYMENT_REGION \
--format raw)
CLIENT_SECRET=$(aws secretsmanager get-secret-value --secret-id $CLIENT_SECRET_ARN --query "SecretString" --output text --region $IDEA_DEPLOYMENT_REGION)
# Retrieve Cognito URL
COGNITO_USER_POOL=$(./idea-admin.sh config show \
--query "identity-provider.cognito.domain_url" \
--cluster-name $IDEA_CLUSTER_NAME \
--aws-region $IDEA_DEPLOYMENT_REGION \
--format raw)
# Retrieve ALB endpoint
IDEA_ALB=$(./idea-admin.sh config show \
--query "cluster.load_balancers.external_alb.load_balancer_dns_name" \
--cluster-name $IDEA_CLUSTER_NAME \
--aws-region $IDEA_DEPLOYMENT_REGION \
--format raw)
# Generate Authorization Header (remove -w 0 if using Mac)
AUTHORIZATION_HEADER=$(echo -n $CLIENT_ID:$CLIENT_SECRET | base64 -w 0)
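# Request Bearer (--insecure skips TLS certificate verification; remove it when the endpoint presents a certificate your client trusts)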
curl --silent --insecure --location --request POST "$COGNITO_USER_POOL/oauth2/token" \
--header "Authorization: Basic $AUTHORIZATION_HEADER" \
--header "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=client_credentials" \
--data-urlencode "scope=cluster-manager/read cluster-manager/write" > .bearer
# Bearer output is stored as text file in order to use -r. File is removed shortly after
BEARER=$(cat .bearer | jq -r ".access_token")
rm -rf .bearer
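# Create Admin User (--insecure skips TLS certificate verification; remove it once the ALB presents a certificate your client trusts)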
curl --silent --insecure --location --request POST "https://$IDEA_ALB/cluster-manager/api/v1" \
--header "Authorization: Bearer $BEARER" \
--header "Content-Type: application/json" \
--data-raw '{
"header": {
"namespace": "Accounts.CreateUser"
},
"payload": {
"user": {
"username": "'"$IDEA_ADMIN_USER"'",
"password": "'"$IDEA_ADMIN_USER_PASSWORD"'",
"email": "'"$IDEA_USER_EMAIL_ADDRESS"'",
"additional_groups": ["managers-cluster-group", "administrators-cluster-group"]
},
"email_verified": true
}
}'
See Uninstall IDEA
The logo, title and subtitle of the Web Portal can be customized using configurations.
title - Integrated Digital Engineering on AWS (IDEA)
logo - IDEA Default Logo
subtitle - <cluster-name> (<aws-region>)
The logo can be customized by uploading an appropriate logo file to the cluster's S3 bucket. Copy the S3 object key and run the command below:
./idea-admin.sh config \
set Key=cluster-manager.web_portal.logo,Type=string,Value=assets/logo.png \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION>
Title can be customized by running the below command:
./idea-admin.sh config \
set "Key=cluster-manager.web_portal.title,Type=string,Value=My Company" \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION>
Subtitle can be customized by running the below command:
./idea-admin.sh config \
set "Key=cluster-manager.web_portal.subtitle,Type=string,Value=R&D Cluster" \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION>
See Shared Storage module
Update the last section of idea/idea-administrator/resources/config/templates/global-settings/settings.yml:
# provide custom tags for all resources created by IDEA
# e.g. to add custom tags, list them as below:
# custom_tags:
# - Key=custom:MyTagName,Value=MyTagValue
# - Key=AnotherExampleName,Value=Another Example Value
custom_tags: []
Add the managed policy ARN in cluster settings: source/idea-administrator/resources/config/templates/cluster/settings.yml
All roles will contain the policy(ies) you have added to the list.
IDEA creates a Route 53 private hosted zone.
You may try to resolve a DNS name from this Route 53 zone and get no result, even though the private zone is assigned to the VPC:
# nslookup internal-alb.idea-demo.us-east-2.local
Server: 10.110.0.2
Address: 10.110.0.2#53
** server can't find internal-alb.idea-demo.us-east-2.local: NXDOMAIN
To fix this, enable DNS hostnames and DNS resolution on your VPC.
IDEA modules such as cluster-manager, virtual-desktop-controller and scheduler run a Python-based application server.
The application server logs are available under: /opt/idea/app/logs
All logs will be available in application.log. On rare occasions, a few logs may be available under stdout.log.
Logging can be configured per application server using IDEA Cluster Configuration. Below is the logging configuration for cluster-manager:
./idea-admin.sh config show \
--cluster-name <CLUSTER_NAME> \
--aws-region <REGION> \
--query "cluster-manager.logging.*"
+-----------------------------------------------+--------------------+---------+
| Key | Value | Version |
+-----------------------------------------------+--------------------+---------+
| cluster-manager.logging.default_log_file_name | application.log | 1 |
| cluster-manager.logging.logs_directory | /opt/idea/app/logs | 1 |
| cluster-manager.logging.profile | production | 1 |
+-----------------------------------------------+--------------------+---------+
1 - Log in to the EC2 machine and check the logs under /root/bootstrap/logs.
Try to find some potential issue(s) by looking for keywords like:
error
fatal
denied
permission
All infrastructure nodes such as directoryservice (openldap-server), scheduler, bastion-host, virtual-desktop controller use a standard directory structure during bootstrap.
2 - Check if supervisord is running correctly (/opt/idea/python/latest/bin/supervisorctl status). If not, check /var/log/supervisord.log.
3 - Depending on your module, you can also check the app log under /opt/idea/app/logs.
Make sure to run supervisorctl restart all after making any changes.
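One way to run the keyword search from step 1 across a whole log directory, as an added example that is not part of the IDEA documentation or code base. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not IDEA project code: rank log files by the number of
# lines that match the troubleshooting keywords (case-insensitive).
KEYWORDS='error|fatal|denied|permission'

# count_hits FILE -> number of lines in FILE that match any keyword
count_hits() {
    # grep -c exits 1 when the count is 0, so its status is ignored
    grep -E -i -c -- "$KEYWORDS" "$1" 2>/dev/null || true
}

# triage_logs DIR -> one "<hits> <file>" row per file with a hit,
# highest count first; returns 2 if DIR is not a directory
triage_logs() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -type f | sort | while IFS= read -r f; do
        n=$(count_hits "$f")
        if [ "${n:-0}" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
    done | sort -k1,1nr
}

# make_sample_logs DIR -> writes constructed sample logs (not real output)
make_sample_logs() {
    mkdir -p "$1/node-a" "$1/node-b"
    cat > "$1/node-a/setup.log" <<'EOF'
[INFO] installing packages
[ERROR] mount.nfs: access denied by server while mounting /apps
cp: cannot open '/apps/x': Permission denied
FATAL: bootstrap aborted
EOF
    cat > "$1/node-b/setup.log" <<'EOF'
[INFO] installing packages
[INFO] bootstrap complete
EOF
    printf '%s\n' '[WARN] retrying' 'Error: timeout' > "$1/node-b/retry.log"
}

SAMPLE_DIR=$(mktemp -d)
make_sample_logs "$SAMPLE_DIR"
triage_logs "$SAMPLE_DIR"   # prints the two files with hits, 3 then 1
rm -rf "$SAMPLE_DIR"
```

On a node, call triage_logs with the log directory from step 1 or step 3 instead of the sample directory, then open the top-ranked files first.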
If your job is not starting, you can verify if the provisioned capacity is configured correctly by checking the bootstrap logs under /apps/<CLUSTER>/scheduler/jobs
Logs structure:
jobs/
<job_id>/
<job_type> (bootstrap or compute_node setup)
<EC2 Host>
Example: /apps/idea-demo/scheduler/jobs/98/logs/ip-10-110-4-189