2024.04.01

Signed-off-by: junbo <68558268+junbo75@users.noreply.github.com>

CHANGELOG.md

@@ -1,6 +1,15 @@
 # Change Log
 This file is used to list changes made in each release of Research and Engineering Studio (RES).
 
+
+2024.04.01
+------
+
+**BUG FIXES**
+
+- Fixed an issue where Admin users outside the sudoers group were not granted sudo permissions on Linux virtual desktops when DisableADJoin was set to True.
+- Resolved an issue that prevented RES infrastructure hosts and Linux virtual desktops from automatically recovering after unexpected reboots during instance warm-up.
+
 2024.04
 ------
 
@@ -9,9 +18,9 @@ This file is used to list changes made in each release of Research and Engineeri
 - Add support for RES Ready AMI.
   - Improve VDI boot times by installing all necessary software in the AMI instead of installing it at EC2 instance launch. This also allows VDIs to run in private subnets with no internet access.
 - Add QUIC support for VDIs.
-  - The QUIC protocol has better streaming performance in high latency environments. Administrators can toggle this for all VDIs under Session Management → Desktop Settings → General → QUIC. 
+  - The QUIC protocol has better streaming performance in high latency environments. Administrators can toggle this for all VDIs under Session Management → Desktop Settings → General → QUIC.
 - Add support for custom VDI Instance launch parameters.
-  - Launch parameters include additional IAM policies, security groups and launch scripts. Add these configurations under Advanced Options when creating or editing a project. The settings will apply to all VDIs launched for that project. 
+  - Launch parameters include additional IAM policies, security groups and launch scripts. Add these configurations under Advanced Options when creating or editing a project. The settings will apply to all VDIs launched for that project.
 - Add support for IAM Permission boundaries.
   - Customers can now specify a permission boundary that will be added to all IAM roles created by the RES environment.
 - Add support for deploying RES in an isolated VPC.

RES_VERSION.txt

@@ -1 +1 @@
-2024.04
+2024.04.01

source/idea/idea-administrator/src/ideaadministrator/app/cdk/cdk_invoker.py

@@ -359,7 +359,7 @@ def cdk_destroy(self):
             self.exec_shell(cdk_cmd, print_cmd=True)
         finally:
             self.log('CdkInvoker: End Destroy')
-    
+
     def upload_vdi_install_scripts(self, cluster_config: ClusterConfig,
                                            force_build=False,
                                            upload=True) -> None:
@@ -368,11 +368,6 @@ def upload_vdi_install_scripts(self, cluster_config: ClusterConfig,
         returns None.
         """
 
-        if ideaadministrator.props.is_dev_mode():
-            bootstrap_source_dir = ideaadministrator.props.dev_mode_bootstrap_source_dir
-        else:
-            bootstrap_source_dir = os.path.join(ideaadministrator.props.resources_dir, 'bootstrap')
-
         session = Utils.create_boto_session(self.aws_region, self.aws_profile)
         s3_client = session.client('s3')
 
@@ -392,7 +387,7 @@ def upload_vdi_install_scripts(self, cluster_config: ClusterConfig,
 
             builder = BootstrapPackageBuilder(
                 bootstrap_context=bootstrap_context,
-                source_directory=bootstrap_source_dir,
+                source_directory=ideaadministrator.props.bootstrap_source_dir,
                 target_package_basename=f"res_{vdi_os}_install_{bootstrap_context.module_version}",
                 components=components,
                 tmp_dir=self.deployment_dir,

source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/bastion_host_stack.py

@@ -152,7 +152,8 @@ def build_ec2_instance(self):
                 '/bin/bash bastion-host/setup.sh'
             ],
             proxy_config=proxy_config,
-            base_os=base_os
+            base_os=base_os,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir
         ).build()
 
         launch_template = ec2.LaunchTemplate(

source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/cluster_manager_stack.py

@@ -292,7 +292,8 @@ def build_auto_scaling_group(self):
                 '/bin/bash cluster-manager/setup.sh'
             ],
             proxy_config=proxy_config,
-            base_os=base_os
+            base_os=base_os,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir
         ).build()
 
         launch_template = ec2.LaunchTemplate(

source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/directoryservice_stack.py

@@ -266,7 +266,8 @@ def build_ec2_instance(self):
                 'LDAP_TLS_CERTIFICATE_SECRET_ARN': '${__LDAP_TLS_CERTIFICATE_SECRET_ARN__}',
                 'LDAP_TLS_PRIVATE_KEY_SECRET_ARN': '${__LDAP_TLS_PRIVATE_KEY_SECRET_ARN__}'
             },
-            proxy_config=proxy_config
+            proxy_config=proxy_config,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir
         ).build()
 
         substituted_userdata = cdk.Fn.sub(user_data, {

source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/scheduler_stack.py

@@ -323,7 +323,8 @@ def build_ec2_instance(self):
                 '/bin/bash scheduler/setup.sh'
             ],
             proxy_config=proxy_config,
-            base_os=base_os
+            base_os=base_os,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir
         ).build()
 
         launch_template = ec2.LaunchTemplate(

source/idea/idea-administrator/src/ideaadministrator/app/cdk/stacks/virtual_desktop_controller_stack.py

@@ -628,6 +628,7 @@ def build_dcv_broker(self):
                 'CONTROLLER_EVENTS_QUEUE_URL': '${__CONTROLLER_EVENTS_QUEUE_URL__}'
             },
             proxy_config=proxy_config,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir,
             base_os=self.context.config().get_string('virtual-desktop-controller.dcv_broker.autoscaling.base_os', required=True)
         ).build()
         substituted_userdata = cdk.Fn.sub(broker_userdata, {
@@ -728,6 +729,7 @@ def build_virtual_desktop_controller(self):
                     '/bin/bash virtual-desktop-controller/setup.sh'
                 ],
                 proxy_config=proxy_config,
+                bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir,
                 base_os=self.context.config().get_string('virtual-desktop-controller.controller.autoscaling.base_os', required=True)
             ).build()),
             node_type=constants.NODE_TYPE_APP
@@ -964,6 +966,7 @@ def _build_dcv_connection_gateway_instance_infrastructure(self):
                 'PRIVATE_KEY_SECRET_ARN': '${__PRIVATE_KEY_SECRET_ARN__}',
             },
             proxy_config=proxy_config,
+            bootstrap_source_dir_path=ideaadministrator.props.bootstrap_source_dir,
             base_os=self.context.config().get_string('virtual-desktop-controller.dcv_connection_gateway.autoscaling.base_os', required=True)
         ).build()
 

source/idea/idea-administrator/src/ideaadministrator/app_props.py

@@ -85,6 +85,13 @@ def resources_dir(self) -> str:
         else:
             return os.path.join(self.soca_admin_dir, 'resources')
 
+    @property
+    def bootstrap_source_dir(self) -> str:
+        if self.is_dev_mode():
+            return self.dev_mode_bootstrap_source_dir
+        else:
+            return os.path.join(self.resources_dir, 'bootstrap')
+
     @property
     def lambda_function_commons_package_name(self) -> str:
         return 'idea_lambda_commons'

source/idea/idea-administrator/src/ideaadministrator_meta/__init__.py

@@ -12,4 +12,4 @@
 # pkg config for soca-admin. no dependencies.
 
 __name__ = 'idea-administrator'
-__version__ = '2024.04'
+__version__ = '2024.04.01'

source/idea/idea-bootstrap/_templates/linux/bootstrap_userdata_linux_base_non_substitution.sh.jinja2

@@ -0,0 +1,111 @@
+Content-Type: multipart/mixed; boundary="//"
+MIME-Version: 1.0
+
+--//
+Content-Type: text/cloud-config; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="cloud-config.txt"
+
+#cloud-config, set to always run to counter unexpected reboots. Lock files will be used to skip executed steps.
+cloud_final_modules:
+- [scripts-user, always]
+
+--//
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="userdata.txt"
+
+#!/bin/bash
+set -x
+
+if [ ! -f /root/bootstrap/semaphore/pre_install_finished.lock ]; then
+  mkdir -p /root/bootstrap
+  AWS_REGION="{{ aws_region }}"
+  BASE_OS="{{ base_os }}"
+  DEFAULT_AWS_REGION="{{ aws_region }}"
+  AWSCLI_X86_64_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+  AWSCLI_AARCH64_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"
+
+  echo "
+  {% if proxy_config %}
+  {% for key, value in proxy_config.items() %}
+  export {{ key }}={{ value }}
+  {% endfor %}
+  {% else %}
+  {% endif %}
+  " > /root/bootstrap/proxy.cfg
+  source /root/bootstrap/proxy.cfg
+
+  timestamp=$(date +%s)
+  mkdir -p /root/bootstrap/logs
+  if [[ -f /root/bootstrap/logs/userdata.log ]]; then
+    mv /root/bootstrap/logs/userdata.log /root/bootstrap/logs/userdata.log.${timestamp}
+  fi
+  exec > /root/bootstrap/logs/userdata.log 2>&1
+
+  export PATH="${PATH}:/usr/local/bin"
+
+  function install_aws_cli () {
+    AWS=$(command -v aws)
+    if [[ $($AWS --version | awk -F'[/.]' '{print $2}') != 2 ]]; then
+      if [[ "${BASE_OS}" == "amazonlinux2" ]]; then
+        yum remove -y awscli
+      fi
+      cd /root/bootstrap
+      local machine=$(uname -m)
+      if [[ ${machine} == "x86_64" ]]; then
+        curl -s ${AWSCLI_X86_64_URL} -o "awscliv2.zip"
+        elif [[ ${machine} == "aarch64" ]]; then
+          curl -s ${AWSCLI_AARCH64_URL} -o "awscliv2.zip"
+      fi
+      which unzip > /dev/null 2>&1
+      if [[ "$?" != "0" ]]; then
+        yum install -y unzip
+      fi
+      unzip -q awscliv2.zip
+      ./aws/install --bin-dir /bin --update
+      rm -rf aws awscliv2.zip
+    fi
+  }
+
+  echo "#!/bin/bash
+  PACKAGE_DOWNLOAD_URI=\${1}
+  PACKAGE_ARCHIVE=\$(basename \${PACKAGE_DOWNLOAD_URI})
+  PACKAGE_NAME=\${PACKAGE_ARCHIVE%.tar.gz*}
+  INSTANCE_REGION=\$(TOKEN=\$(curl --silent -X PUT 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 900') && curl --silent -H \"X-aws-ec2-metadata-token: \${TOKEN}\" 'http://169.254.169.254/latest/meta-data/placement/region')
+  if [[ \${PACKAGE_DOWNLOAD_URI} == s3://* ]]; then
+    AWS=\$(command -v aws)
+    \$AWS --region \${INSTANCE_REGION} s3 cp \${PACKAGE_DOWNLOAD_URI} /root/bootstrap/
+  else
+    cp \${PACKAGE_DOWNLOAD_URI} /root/bootstrap/
+  fi
+  PACKAGE_DIR=/root/bootstrap/\${PACKAGE_NAME}
+  if [[ -d \${PACKAGE_DIR} ]]; then
+    rm -rf \${PACKAGE_DIR}
+  fi
+  mkdir -p \${PACKAGE_DIR}
+  tar -xvf /root/bootstrap/\${PACKAGE_ARCHIVE} -C \${PACKAGE_DIR}
+  rm -rf /root/bootstrap/latest
+  ln -sf \${PACKAGE_DIR} /root/bootstrap/latest
+  " > /root/bootstrap/download_bootstrap.sh
+
+  chmod +x /root/bootstrap/download_bootstrap.sh
+
+  install_aws_cli
+  bash /root/bootstrap/download_bootstrap.sh "{{ bootstrap_package_uri }}"
+
+  # prepare steps are done, create the lock file with the timestamp
+  mkdir -p /root/bootstrap/semaphore
+  echo $(date +%s) > /root/bootstrap/semaphore/pre_install_finished.lock
+fi
+
+cd /root/bootstrap/latest
+
+# Run the install commands, each install script should ensure their own idempotency
+{% for install_command in install_commands %}
+{{ install_command }}
+{% endfor %}
+
+--//--

source/idea/idea-bootstrap/_templates/linux/bootstrap_userdata_linux_base_substitution.sh.jinja2

@@ -0,0 +1,119 @@
+Content-Type: multipart/mixed; boundary="//"
+MIME-Version: 1.0
+
+--//
+Content-Type: text/cloud-config; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="cloud-config.txt"
+
+#cloud-config, set to always run to counter unexpected reboots. Lock files will be used to skip executed steps.
+cloud_final_modules:
+- [scripts-user, always]
+
+--//
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="userdata.txt"
+
+#!/bin/bash
+set -x
+
+if [ ! -f /root/bootstrap/semaphore/pre_install_finished.lock ]; then
+  mkdir -p /root/bootstrap
+  AWS_REGION="{{ aws_region }}"
+  BASE_OS="{{ base_os }}"
+  DEFAULT_AWS_REGION="{{ aws_region }}"
+  AWSCLI_X86_64_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
+  AWSCLI_AARCH64_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"
+
+  echo "
+  {% if infra_config %}
+  {% for key, value in infra_config.items() %}
+  {{ key }}={{ value }}
+  {% endfor %}
+  {% endif %}
+  " > /root/bootstrap/infra.cfg
+
+  echo "
+  {% if proxy_config %}
+  {% for key, value in proxy_config.items() %}
+  export {{ key }}={{ value }}
+  {% endfor %}
+  {% else %}
+  {% endif %}
+  " > /root/bootstrap/proxy.cfg
+  source /root/bootstrap/proxy.cfg
+
+  timestamp=$(date +%s)
+  mkdir -p /root/bootstrap/logs
+  if [[ -f /root/bootstrap/logs/userdata.log ]]; then
+    mv /root/bootstrap/logs/userdata.log /root/bootstrap/logs/userdata.log.${!timestamp}
+  fi
+  exec > /root/bootstrap/logs/userdata.log 2>&1
+
+  export PATH="${!PATH}:/usr/local/bin"
+
+  function install_aws_cli () {
+    AWS=$(command -v aws)
+    if [[ $($AWS --version | awk -F'[/.]' '{print $2}') != 2 ]]; then
+      if [[ "${!BASE_OS}" == "amazonlinux2" ]]; then
+        yum remove -y awscli
+      fi
+      cd /root/bootstrap
+      local machine=$(uname -m)
+      if [[ ${!machine} == "x86_64" ]]; then
+        curl -s ${!AWSCLI_X86_64_URL} -o "awscliv2.zip"
+        elif [[ ${!machine} == "aarch64" ]]; then
+          curl -s ${!AWSCLI_AARCH64_URL} -o "awscliv2.zip"
+      fi
+      which unzip > /dev/null 2>&1
+      if [[ "$?" != "0" ]]; then
+        yum install -y unzip
+      fi
+      unzip -q awscliv2.zip
+      ./aws/install --bin-dir /bin --update
+      rm -rf aws awscliv2.zip
+    fi
+  }
+
+  echo "#!/bin/bash
+  PACKAGE_DOWNLOAD_URI=\${!1}
+  PACKAGE_ARCHIVE=\$(basename \${!PACKAGE_DOWNLOAD_URI})
+  PACKAGE_NAME=\${!PACKAGE_ARCHIVE%.tar.gz*}
+  INSTANCE_REGION=\$(TOKEN=\$(curl --silent -X PUT 'http://169.254.169.254/latest/api/token' -H 'X-aws-ec2-metadata-token-ttl-seconds: 900') && curl --silent -H \"X-aws-ec2-metadata-token: \${!TOKEN}\" 'http://169.254.169.254/latest/meta-data/placement/region')
+  if [[ \${!PACKAGE_DOWNLOAD_URI} == s3://* ]]; then
+    AWS=\$(command -v aws)
+    \$AWS --region \${!INSTANCE_REGION} s3 cp \${!PACKAGE_DOWNLOAD_URI} /root/bootstrap/
+  else
+    cp \${!PACKAGE_DOWNLOAD_URI} /root/bootstrap/
+  fi
+  PACKAGE_DIR=/root/bootstrap/\${!PACKAGE_NAME}
+  if [[ -d \${!PACKAGE_DIR} ]]; then
+    rm -rf \${!PACKAGE_DIR}
+  fi
+  mkdir -p \${!PACKAGE_DIR}
+  tar -xvf /root/bootstrap/\${!PACKAGE_ARCHIVE} -C \${!PACKAGE_DIR}
+  rm -rf /root/bootstrap/latest
+  ln -sf \${!PACKAGE_DIR} /root/bootstrap/latest
+  " > /root/bootstrap/download_bootstrap.sh
+
+  chmod +x /root/bootstrap/download_bootstrap.sh
+
+  install_aws_cli
+  bash /root/bootstrap/download_bootstrap.sh "{{ bootstrap_package_uri }}"
+
+  # prepare steps are done, create the lock file with the timestamp
+  mkdir -p /root/bootstrap/semaphore
+  echo $(date +%s) > /root/bootstrap/semaphore/pre_install_finished.lock
+fi
+
+cd /root/bootstrap/latest
+
+# Run the install commands, each install script should ensure their own idempotency
+{% for install_command in install_commands %}
+{{ install_command }}
+{% endfor %}
+
+--//--

source/idea/idea-bootstrap/_templates/linux/join_directoryservice.jinja2

@@ -9,7 +9,7 @@
 {%- if context.config.get_string('directoryservice.provider') in ['activedirectory', 'aws_managed_activedirectory'] %}
   {%- if context.config.get_string('directoryservice.disable_ad_join') == 'True'%}
     {%- include '_templates/linux/connect_activedirectory.jinja2' %}
-    {%- include '_templates/linux/set_sudoers.jinja2' %}
+{% include '_templates/linux/set_sudoers.jinja2' %}
   {% endif -%}
   {%- if context.config.get_string('directoryservice.disable_ad_join') == 'False'%}
     {%- include '_templates/linux/join_activedirectory.jinja2' %}

source/idea/idea-bootstrap/_templates/linux/set_sudoers.jinja2

@@ -15,6 +15,7 @@ function add_admins_to_sudoers () {
     create_jq_ddb_filter
   fi
 
+  local AWS=$(command -v aws)
   admins=$($AWS dynamodb query \
        --table-name ${RES_USER_TABLE} \
        --index-name role-index \