Vishal Santoshi
10/15/2021, 7:35 PM
run_launcher:
  module: dagster_celery_k8s
  class: CeleryK8sRunLauncher
  config:
    dagster_home:
      env: DAGSTER_HOME
    instance_config_map:
      env: DAGSTER_K8S_INSTANCE_CONFIG_MAP
    postgres_password_secret:
      env: DAGSTER_K8S_PG_PASSWORD_SECRET
    broker: "pyamqp://test:test@dagster-rabbitmq:5672//"
    backend: "rpc://"
So it sets up the celery worker container ... and it has the DAGSTER_K8S_PG_PASSWORD_SECRET and the DAGSTER_K8S_INSTANCE_CONFIG_MAP ... When we launch a pipeline the run container complains about both
Error 2: Post processing at path root:postgres_password_secret of original value {'env': 'DAGSTER_K8S_PG_PASSWORD_SECRET'} failed:
dagster.config.errors.PostProcessingError: You have attempted to fetch the environment variable "DAGSTER_K8S_PG_PASSWORD_SECRET" which is not set. In order for this execution to succeed it must be set in this environment.
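For context, Dagster's `{env: VAR}` config values are resolved against the run container's own environment at config post-processing time, which is why the error fires even though the variable may be set on other pods. A minimal sketch of that resolution step (my own illustration, not Dagster's actual code):

```python
import os

def resolve_env_config(value):
    # Resolve a Dagster-style {'env': 'VAR_NAME'} config value against
    # this process's environment, mirroring the post-processing error above.
    if isinstance(value, dict) and "env" in value:
        var = value["env"]
        if var not in os.environ:
            raise RuntimeError(
                f'You have attempted to fetch the environment variable "{var}" '
                "which is not set."
            )
        return os.environ[var]
    return value

# The run container itself must carry the variable for resolution to succeed:
os.environ["DAGSTER_K8S_PG_PASSWORD_SECRET"] = "dagster-postgresql-secret"
print(resolve_env_config({"env": "DAGSTER_K8S_PG_PASSWORD_SECRET"}))
```

So the fix is not to change the config, but to get the variables injected into the run pods.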
johann
10/15/2021, 8:51 PM
kubectl get configmaps will have a result <name>-pipeline-env, defaulting to dagster-pipeline-env, but it's overridable. Then use that configmap in your pipeline run config (entered either in code via a PresetDefinition, or in the Dagit playground):
execution:
  celery-k8s:
    config:
      env_config_maps:
        - "<NAME>-pipeline-env"
This configmap contains the env vars that your container is missing.
Vishal Santoshi
10/16/2021, 1:11 PM
compute_logs:
  module: dagster_aws.s3.compute_log_manager
  class: S3ComputeLogManager
  config:
    bucket: "xxxxxx-dev-null"
    prefix: "dagster-test-"
And it fails with an S3 credentials issue:
botocore.exceptions.NoCredentialsError: Unable to locate credentials
I do, though, want the run container to execute via an IAM role that allows writes to the said S3 bucket.
Vishal Santoshi
10/16/2021, 1:12 PM
annotations = {
  "iam.amazonaws.com/role" = aws_iam_role.dagster_poc.name
}
I do not see any complete example of setting up the execution containers with the right configurations, configmaps, annotations, etc. That said, the celery workers (which presumably launch these containers) have been set up with the required annotation that allows S3 access to the said compute-log bucket, and should arguably be propagating their setup to the containers they launch.
Annotations: iam.amazonaws.com/role: dagster-poc-yyyyyyyyyyyy
In fact we need this role to be available to all the run steps (access to different resources of our stack) and thus to all pods executed from a celery worker. This issue is not restricted to just the compute logs, I would assume.
Vishal Santoshi
10/17/2021, 3:25 PM
Same with s3_pickle_io_manager:
botocore.exceptions.NoCredentialsError: Unable to locate credentials
File "/usr/local/lib/python3.8/site-packages/dagster/core/errors.py", line 184, in user_code_error_boundary
yield
File "/usr/local/lib/python3.8/site-packages/dagster/core/execution/resources_init.py", line 289, in single_resource_event_generator
resource_def.resource_fn(context)
File "/usr/local/lib/python3.8/site-packages/dagster_aws/s3/io_manager.py", line 114, in s3_pickle_io_manager
pickled_io_manager = PickledObjectS3IOManager(s3_bucket, s3_session, s3_prefix=s3_prefix)
File "/usr/local/lib/python3.8/site-packages/dagster_aws/s3/io_manager.py", line 17, in __init__
self.s3.head_bucket(Bucket=self.bucket)
I want these pods to launch under an IAM role that allows access to the configured buckets.
Vishal Santoshi
10/17/2021, 6:59 PM
@solid(
    tags = {
        'dagster-k8s/config': {
            'container_config': {
                'resources': {
                    'requests': { 'cpu': '250m', 'memory': '64Mi' },
                    'limits': { 'cpu': '500m', 'memory': '2560Mi' },
                },
            },
            'pod_template_spec_metadata': {
                'annotations': { "iam.amazonaws.com/role": "dagster-poc-20211014204833791300000001" }
            },
        },
    },
)
def not_much():
    return
And it did get the annotation on the run pod
Annotations: iam.amazonaws.com/role: dagster-poc-20211014204833791300000001
             kubernetes.io/psp: eks.privileged
It still complains about missing
botocore.exceptions.NoCredentialsError: Unable to locate credentials
Stack Trace:
File "/usr/local/lib/python3.8/site-packages/dagster/core/errors.py", line 184, in user_code_error_boundary
yield
File "/usr/local/lib/python3.8/site-packages/dagster/core/execution/resources_init.py", line 289, in single_resource_event_generator
resource_def.resource_fn(context)
File "/usr/local/lib/python3.8/site-packages/dagster_aws/s3/io_manager.py", line 114, in s3_pickle_io_manager
pickled_io_manager = PickledObjectS3IOManager(s3_bucket, s3_session, s3_prefix=s3_prefix)
File "/usr/local/lib/python3.8/site-packages/dagster_aws/s3/io_manager.py", line 17, in __init__
self.s3.head_bucket(Bucket=self.bucket)
Vishal Santoshi
10/17/2021, 7:14 PM
If you are running on Amazon EC2 and no credentials have been found by any of the providers above, Boto3 will try to load credentials from the instance metadata service. In order to take advantage of this feature, you must have specified an IAM role to use when you launched your EC2 instance.
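The provider chain described in that quote can be sketched roughly like this (a deliberate simplification of boto3's actual chain, for illustration only):

```python
import os

def resolve_aws_credentials(environ=None):
    # Simplified sketch of boto3's credential lookup order:
    # 1. explicit env vars, 2. shared config files, 3. instance metadata.
    environ = os.environ if environ is None else environ
    if "AWS_ACCESS_KEY_ID" in environ and "AWS_SECRET_ACCESS_KEY" in environ:
        return ("env", environ["AWS_ACCESS_KEY_ID"])
    # ... then the shared credentials file, container credentials, and
    # finally the EC2 instance metadata service, which only yields
    # credentials if an IAM role is attached and the pod can reach it.
    return None  # nothing found -> botocore raises NoCredentialsError
```

In the failing run pods, every step of that chain is coming up empty, hence NoCredentialsError.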
I think I am missing where to specify that role within the Dagster setup.
johann
10/18/2021, 2:25 PM
One option is to create a secret in your cluster with the AWS_ACCESS_KEY_ID etc. variables, then use env_secrets in run launcher config (or executor config, if it differs per run).
env_secrets (Optional[List[str]]): A list of custom Secret names from which to
draw environment variables (using ``envFrom``) for the Job. Default: ``[]``. See:
https://kubernetes.io/docs/tasks/inject-data-application/distribute-credentials-secure/#configure-all-key-value-pairs-in-a-secret-as-container-environment-variables
I’m assuming you’re on EKS? If so there are a few other options. In our clusters, we use IAM roles for service accounts: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
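For reference, IRSA works by annotating the Kubernetes service account that the pods run under with a role ARN, roughly like this (the account ID, role name, and namespace here are placeholders, not values from this thread):

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dagster-poc
  namespace: dagster-poc
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/dagster-poc
```

EKS then injects a web identity token into pods using that service account, and recent boto3/botocore versions pick it up automatically through the credential chain. Note this is a different mechanism from the kube2iam-style iam.amazonaws.com/role pod annotations used elsewhere in this thread.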
Vishal Santoshi
10/18/2021, 8:26 PM
One option is to create a secret in your cluster with the AWS_ACCESS_KEY_ID etc. variables, then use env_secrets in run launcher config (or executor config, if it differs per run).
Vishal Santoshi
10/18/2021, 8:28 PM
AWS_ACCESS_KEY_ID is set up, as in kubectl -n dagster-poc exec -it dagster-celery-workers-redis-7bb85b84fb-h2cnd -- env | grep ACCE returns me the desired values (here redis is the celery queue), but still the exception persists ...
johann
Vishal Santoshi
10/18/2021, 9:01 PM
runLauncher = {
  type = "CeleryK8sRunLauncher"
  config = {
    celeryK8sRunLauncher = {
      image = {
        repository = "docker.io/dagster/dagster-celery-k8s"
        tag        = "0.12.2"
        pullPolicy = "IfNotPresent"
      }
      envSecrets = [
        {
          name = local.dagster_poc_external_secrets.resources[0].metadata.name
        },
      ]
      annotations = {
        "iam.amazonaws.com/role" = aws_iam_role.dagster_poc.name
      }
      workerQueues = [
        {
          name         = "dagster"
          replicaCount = 1
        },
        {
          name         = "redis"
          replicaCount = 1
        },
      ]
    }
  }
}
johann
10/18/2021, 9:05 PM
Could you kubectl describe one of the step jobs? They have the name dagster-job-…. You could confirm that way that the secret isn't getting loaded on the container.
johann
Vishal Santoshi
10/18/2021, 9:07 PM
@solid(
    tags = {
        'dagster-celery/queue': 'redis',
        'dagster-k8s/config': {
            'container_config': {
                'resources': {
                    'requests': { 'cpu': '250m', 'memory': '64Mi' },
                    'limits': { 'cpu': '500m', 'memory': '2560Mi' },
                },
            },
            'pod_template_spec_metadata': {
                'annotations': { "iam.amazonaws.com/role": "dagster-poc-20211014204833791300000001" }
            },
        },
    },
)
def not_much():
    return
Vishal Santoshi
10/18/2021, 9:17 PM
I’m actually surprised that those env vars are appearing on the k8s workers
Vishal Santoshi
10/18/2021, 9:17 PM
"runLauncher":
  "config":
    "celeryK8sRunLauncher":
      "annotations":
        "iam.amazonaws.com/role": "dagster-poc-20211014204833791800000002"
      "envSecrets":
        - "name": "dagster-poc-secrets"
      "image":
        "pullPolicy": "IfNotPresent"
        "repository": "docker.io/dagster/dagster-celery-k8s"
        "tag": "0.12.2"
      "workerQueues":
        - "name": "dagster"
          "replicaCount": 1
        - "name": "redis"
          "replicaCount": 1
  "type": "CeleryK8sRunLauncher"
Vishal Santoshi
10/18/2021, 9:17 PM
"runLauncher":
  "config":
    "celeryK8sRunLauncher":
      "annotations":
        "iam.amazonaws.com/role": "dagster-poc-20211014204833791800000002"
      "image":
        "pullPolicy": "IfNotPresent"
        "repository": "docker.io/dagster/dagster-celery-k8s"
        "tag": "0.12.2"
      "workerQueues":
        - "name": "dagster"
          "replicaCount": 1
        - "name": "redis"
          "replicaCount": 1
  "type": "CeleryK8sRunLauncher"
johann
10/18/2021, 9:18 PM
execution:
  celery-k8s:
    config:
      job_image: 'my_repo.com/image_name:latest'
      job_namespace: 'some-namespace'
      broker: 'pyamqp://guest@localhost//'  # Optional[str]: The URL of the Celery broker
      backend: 'rpc://'                     # Optional[str]: The URL of the Celery results backend
      include: ['my_module']                # Optional[List[str]]: Modules every worker should import
      ...
      config_source:  # Dict[str, Any]: Any additional parameters to pass to the
        #...          # Celery workers. This dict will be passed as the `config_source`
        #...          # argument of celery.Celery().
https://docs.dagster.io/_apidocs/libraries/dagster-celery-k8s#dagster_celery_k8s.celery_k8s_job_executor
So you could add env_secrets to this config.
Vishal Santoshi
10/18/2021, 9:18 PM
I removed envSecrets and there are no results from kubectl -n dagster-poc exec -it dagster-celery-workers-redis-697f8bb695-jtfg9 -- env | grep ACCE
Vishal Santoshi
10/18/2021, 9:21 PM
resources:
  io_manager:
    config:
      s3_bucket: "loom-dev-null"
      s3_prefix: "dagster-poc-"
execution:
  celery-k8s:
    config:
      job_namespace: 'dagster-poc'
      env_config_maps:
        - "dagster-pipeline-env"
      env_secrets:
        - "dagster-poc-secrets"
johann
Vishal Santoshi
10/18/2021, 9:44 PM
botocore.exceptions.ClientError: An error occurred (403) when calling the HeadBucket operation: Forbidden
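A footnote on the two failure modes seen in this thread: NoCredentialsError means boto3 resolved no credentials at all, while a 403 on HeadBucket means credentials were found but the resolved identity lacks permission on the bucket, so this last error is actually progress. A rough triage sketch (my own illustration, not a Dagster or boto3 API):

```python
def diagnose_s3_failure(exc_name, status_code=None):
    # Map the botocore failures from this thread to their likely root cause.
    if exc_name == "NoCredentialsError":
        return "no credentials resolved: check env_secrets / IAM role wiring"
    if exc_name == "ClientError" and status_code == 403:
        return "credentials resolved, but the role lacks S3 permissions on the bucket"
    return "other failure"

print(diagnose_s3_failure("ClientError", 403))
```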