本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
將服務受管機群連接至自訂授權伺服器
您可以攜帶自己的授權伺服器,以與截止日期雲端服務受管機群搭配使用。若要取得自己的授權,您可以使用陣列中的佇列環境來設定授權伺服器。若要設定授權伺服器,您應該已設定陣列和佇列。
連線至軟體授權伺服器的方式取決於機群的組態和軟體廠商的需求。一般而言,您可以透過下列兩種方式之一來存取伺服器:
-
直接傳送至授權伺服器。您的工作者會使用網際網路從軟體廠商的授權伺服器取得授權。您的所有工作者都必須能夠連線到伺服器。
-
透過授權代理。您的工作者連線到本機網路中的代理伺服器。只有代理伺服器才能透過網際網路連線至廠商的授權伺服器。
使用下列指示,您可以使用 Amazon EC2 Systems Manager (SSM) 將連接埠從工作者執行個體轉送到您的授權伺服器或代理執行個體。在以下範例中,如果您的授權伺服器無法提供授權,則會使用 Deadline Cloud 的用量型授權。在耗盡授權之後,移除不適用於您不想使用用量型授權之管道或產品的區段。
步驟 1:設定佇列環境
您可以在佇列中設定佇列環境來存取授權伺服器。首先,請確定您已使用下列其中一種方法設定具有授權伺服器存取權的 AWS 執行個體:
-
授權伺服器 – 執行個體會直接託管授權伺服器。
-
授權代理 – 執行個體具有授權伺服器的網路存取權,並將授權伺服器連接埠轉送至授權伺服器。如需如何設定授權代理執行個體的詳細資訊,請參閱 步驟 2:(選用) 授權代理執行個體設定。
如需設定授權環境變數的詳細資訊,請參閱 步驟 3:將轉譯應用程式連接到端點。對於自訂授權伺服器設定,授權伺服器地址會保持 localhost,而不是 Amazon VPC 端點。
將必要的許可新增至佇列角色
-
從截止日期雲端主控台
中,選擇前往儀表板。 -
從儀表板中選取陣列,然後選取您要設定的佇列。
-
從佇列詳細資訊 > 服務角色中,選取角色。
-
選擇新增許可,然後選擇建立內嵌政策。
-
選取 JSON 政策編輯器,然後將下列文字複製並貼到編輯器中。
-
儲存新政策之前,請在政策文字中取代下列值:
-
region將 取代為您陣列所在的 AWS 區域 -
instance_id將 取代為您正在使用的授權伺服器或代理執行個體的執行個體 ID -
account_id以包含您陣列 AWS 的帳號取代
-
-
選擇下一步。
-
針對政策名稱,輸入
LicenseForwarding。 -
選擇建立政策以儲存變更,並建立具有所需許可的政策。
將新的佇列環境新增至佇列
-
如果您尚未前往儀表板,請從截止日期雲端主控台
選擇前往儀表板。 -
從儀表板中選取陣列,然後選取您要設定的佇列。
-
選擇佇列環境 > 動作 > 使用 YAML 建立新的 。
-
將下列文字複製並貼到 YAML 指令碼編輯器。
-
儲存佇列環境之前,請視需要對環境文字進行下列變更:
-
更新下列參數的預設值,以反映您的環境:
-
LicenseInstanceID – 授權伺服器或代理執行個體的 Amazon EC2 執行個體 ID
-
LicenseInstanceRegion – 包含您陣列 AWS 的區域
-
LicensePorts – 以逗號分隔的連接埠清單,以轉送至授權伺服器或代理執行個體 (例如 2700,2701)
-
-
如果您想要在用盡自有授權 (BYOL) 後使用以用量為基礎的授權 (UBL),請確定連接埠適用於您的授權伺服器。如果您在 BYOL 用盡之後不想使用 UBL,請將任何必要的授權環境變數新增至變數區段。
這些變數應將 DCCs導向授權伺服器連接埠上的 localhost。例如,如果您的 Foundry 授權伺服器正在接聽連接埠 6101,您可以將變數新增為
foundry_LICENSE: 6101@localhost。
-
-
(選用) 您可以將優先順序設定為 0,也可以將其變更為在多個佇列環境中以不同的方式排序優先順序。
-
選擇建立佇列環境以儲存新環境。
設定佇列環境後,提交至此佇列的任務將從已設定的授權伺服器擷取授權。
步驟 2:(選用) 授權代理執行個體設定
除了使用授權伺服器之外,您也可以使用授權代理。若要建立授權代理,請建立具有授權伺服器網路存取權的新 Amazon Linux 2023 執行個體。如有需要,您可以使用 VPN 連線設定此存取權。如需詳細資訊,請參閱《Amazon VPC 使用者指南》中的 VPN 連線。
若要為截止日期雲端設定授權代理執行個體,請遵循此程序中的步驟。在此新執行個體上執行下列組態步驟,以啟用將授權流量轉送到您的授權伺服器
-
若要安裝 HAProxy 套件,請輸入
sudo yum install haproxy -
使用下列內容更新 /etc/haproxy/haproxy.cfg 組態檔案的接聽授權伺服器區段:
-
將 LicensePort1 和 LicensePort2 取代為要轉送至授權伺服器的連接埠號碼。新增或移除逗號分隔值,以容納所需的連接埠數量。
-
以授權伺服器的主機名稱或 IP 地址取代 LicenseServerHost。
lobal log 127.0.0.1 local2 chroot /var/lib/haproxy user haproxy group haproxy daemon defaults timeout queue 1m timeout connect 10s timeout client 1m timeout server 1m timeout http-keep-alive 10s timeout check 10s listen license-server bind *:LicensePort1,*:LicensePort2server license-serverLicenseServerHost -
-
若要啟用和啟動 HAProxy 服務,請執行下列命令:
sudo systemctl enable haproxysudo service haproxy start
完成這些步驟後,從轉送佇列環境傳送至 localhost 的授權請求應轉送至指定的授權伺服器。
步驟 3: CloudFormation 範本設定
您可以使用 CloudFormation 範本來設定整個陣列,以使用您自己的授權。
-
修改下一個步驟中提供的範本,將任何必要的授權環境變數新增至 BYOLQueueEnvironment 下的變數區段。
-
使用下列 CloudFormation 範本。
AWSTemplateFormatVersion: 2010-09-09 Description: "Create &ADC; resources for BYOL" Parameters: LicenseInstanceId: Type: AWS::EC2::Instance::Id Description: Instance ID for the license server/proxy instance LicensePorts: Type: String Description: Comma-separated list of ports to forward to the license instance Resources: JobAttachmentBucket: Type: AWS::S3::Bucket Properties: BucketName: !Sub byol-example-ja-bucket-${AWS::AccountId}-${AWS::Region} BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: AES256 Farm: Type: AWS::Deadline::Farm Properties: DisplayName: BYOLFarm QueuePolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: BYOLQueuePolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:ListBucket - s3:GetBucketLocation Resource: - !Sub ${JobAttachmentBucket.Arn} - !Sub ${JobAttachmentBucket.Arn}/job-attachments/* Condition: StringEquals: aws:ResourceAccount: !Sub ${AWS::AccountId} - Effect: Allow Action: logs:GetLogEvents Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/deadline/${Farm.FarmId}/* - Effect: Allow Action: - s3:ListBucket - s3:GetObject Resource: - "*" Condition: ArnLike: s3:DataAccessPointArn: - arn:aws:s3:*:*:accesspoint/deadline-software-* StringEquals: s3:AccessPointNetworkOrigin: VPC BYOLSSMPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: BYOLSSMPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - ssm:StartSession Resource: - !Sub arn:aws:ssm:${AWS::Region}::document/AWS-StartPortForwardingSession - !Sub arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/${LicenseInstanceId} WorkerPolicy: Type: AWS::IAM::ManagedPolicy Properties: ManagedPolicyName: BYOLWorkerPolicy PolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - logs:CreateLogStream Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/deadline/${Farm.FarmId}/* Condition: ForAnyValue:StringEquals: aws:CalledVia: - deadline.amazonaws.com - Effect: Allow Action: - logs:PutLogEvents - logs:GetLogEvents Resource: !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/deadline/${Farm.FarmId}/* QueueRole: Type: AWS::IAM::Role Properties: RoleName: BYOLQueueRole ManagedPolicyArns: - !Ref QueuePolicy - !Ref BYOLSSMPolicy AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Principal: Service: - credentials.deadline.amazonaws.com - deadline.amazonaws.com Condition: StringEquals: aws:SourceAccount: !Sub ${AWS::AccountId} ArnEquals: aws:SourceArn: !Ref Farm WorkerRole: Type: AWS::IAM::Role Properties: RoleName: BYOLWorkerRole ManagedPolicyArns: - arn:aws:iam::aws:policy/AWSDeadlineCloud-FleetWorker - !Ref WorkerPolicy AssumeRolePolicyDocument: Version: 2012-10-17 Statement: - Effect: Allow Action: - sts:AssumeRole Principal: Service: credentials.deadline.amazonaws.com Queue: Type: AWS::Deadline::Queue Properties: DisplayName: BYOLQueue FarmId: !GetAtt Farm.FarmId RoleArn: !GetAtt QueueRole.Arn JobRunAsUser: Posix: Group: "" User: "" RunAs: WORKER_AGENT_USER JobAttachmentSettings: RootPrefix: job-attachments S3BucketName: !Ref JobAttachmentBucket Fleet: Type: AWS::Deadline::Fleet Properties: DisplayName: BYOLFleet FarmId: !GetAtt Farm.FarmId MinWorkerCount: 1 MaxWorkerCount: 2 Configuration: ServiceManagedEc2: InstanceCapabilities: VCpuCount: Min: 4 Max: 16 MemoryMiB: Min: 4096 Max: 16384 OsFamily: LINUX CpuArchitectureType: x86_64 InstanceMarketOptions: Type: on-demand RoleArn: !GetAtt WorkerRole.Arn QFA: Type: AWS::Deadline::QueueFleetAssociation Properties: FarmId: !GetAtt Farm.FarmId FleetId: !GetAtt Fleet.FleetId QueueId: !GetAtt Queue.QueueId CondaQueueEnvironment: Type: AWS::Deadline::QueueEnvironment Properties: FarmId: !GetAtt Farm.FarmId Priority: 5 QueueId: !GetAtt Queue.QueueId TemplateType: YAML Template: | specificationVersion: 'environment-2023-09' parameterDefinitions: - name: CondaPackages type: STRING description: > This is a space-separated list of conda package match specifications to install for the job. E.g. "blender=3.6" for a job that renders frames in Blender 3.6. See https://docs.conda.io/projects/conda/en/latest/user-guide/concepts/pkg-specs.html#package-match-specifications default: "" userInterface: control: LINE_EDIT label: Conda Packages - name: CondaChannels type: STRING description: > This is a space-separated list of conda channels from which to install packages. &ADC; SMF packages are installed from the "deadline-cloud" channel that is configured by &ADC;. Add "conda-forge" to get packages from the https://conda-forge.org/ community, and "defaults" to get packages from Anaconda Inc (make sure your usage complies with https://www.anaconda.com/terms-of-use). default: "deadline-cloud" userInterface: control: LINE_EDIT label: Conda Channels environment: name: Conda script: actions: onEnter: command: "conda-queue-env-enter" args: ["{{Session.WorkingDirectory}}/.env", "--packages", "{{Param.CondaPackages}}", "--channels", "{{Param.CondaChannels}}"] onExit: command: "conda-queue-env-exit" BYOLQueueEnvironment: Type: AWS::Deadline::QueueEnvironment Properties: FarmId: !GetAtt Farm.FarmId Priority: 10 QueueId: !GetAtt Queue.QueueId TemplateType: YAML Template: !Sub | specificationVersion: "environment-2023-09" parameterDefinitions: - name: LicenseInstanceId type: STRING description: > The Instance ID of the license server/proxy instance default: "" - name: LicenseInstanceRegion type: STRING description: > The region containing this farm default: "" - name: LicensePorts type: STRING description: > Comma-separated list of ports to be forwarded to the license server/proxy instance. Example: "2701,2702,7075,2703,6101,1715,1716,1717,7054,7055,30304" default: "2701,2702,7075,2703,6101,1715,1716,1717,7054,7055,30304" environment: name: BYOL License Forwarding variables: example_LICENSE: 2701@localhost script: actions: onEnter: command: bash args: [ "{{Env.File.Enter}}" ] onExit: command: bash args: [ "{{Env.File.Exit}}" ] embeddedFiles: - name: Enter type: TEXT runnable: True data: | curl https://s3.amazonaws.com/session-manager-downloads/plugin/latest/linux_64bit/session-manager-plugin.rpm -Ls | rpm2cpio - | cpio -iv --to-stdout ./usr/local/sessionmanagerplugin/bin/session-manager-plugin > {{Session.WorkingDirectory}}/session-manager-plugin chmod +x {{Session.WorkingDirectory}}/session-manager-plugin conda activate python {{Env.File.StartSession}} {{Session.WorkingDirectory}}/session-manager-plugin - name: Exit type: TEXT runnable: True data: | echo Killing SSM Manager Plugin PIDs: $BYOL_SSM_PIDS for pid in ${BYOL_SSM_PIDS//,/ }; do kill $pid; done - name: StartSession type: TEXT data: | import boto3 import json import subprocess import sys import os import tempfile instance_id = "{{Param.LicenseInstanceId}}" region = "{{Param.LicenseInstanceRegion}}" license_ports_list = "{{Param.LicensePorts}}".split(",") ssm_client = boto3.client("ssm", region_name=region) pids = [] for port in license_ports_list: session_response = ssm_client.start_session( Target=instance_id, DocumentName="AWS-StartPortForwardingSession", Parameters={"portNumber": [port], "localPortNumber": [port]} ) cmd = [ sys.argv[1], json.dumps(session_response), region, "StartSession", "", json.dumps({"Target": instance_id}), f"https://ssm.{region}.amazonaws.com" ] process = subprocess.Popen(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) pids.append(process.pid) print(f"SSM Port Forwarding Session started for port {port}") print(f"openjd_env: BYOL_SSM_PIDS={','.join(str(pid) for pid in pids)}") # Enabling UBL after the "bring your own license" (BYOL) has run out requires prepending the BYOL configuration to the existing license setup # Remove the sections that do not apply to your pipeline, or you do not want to use UBL after exhausting the BYOL licenses. # The port numbers used may not match what your license server is serving. # Arnold os.environ["ADSKFLEX_LICENSE_FILE"] = f"2701@localhost:{os.environ.get('ADSKFLEX_LICENSE_FILE', '')}" print(f"openjd_env: ADSKFLEX_LICENSE_FILE={os.environ['ADSKFLEX_LICENSE_FILE']}") # Nuke os.environ["foundry_LICENSE"] = f"6101@localhost:{os.environ.get('foundry_LICENSE', '')}" print(f"openjd_env: foundry_LICENSE={os.environ['foundry_LICENSE']}") # SideFX os.environ["SESI_LMHOST"] = f"localhost:1715;{os.environ.get('SESI_LMHOST', '')}" print(f"openjd_env: SESI_LMHOST={os.environ['SESI_LMHOST']}") # Redshift and Red Giant os.environ["redshift_LICENSE"] = f"7054@localhost:7055@localhost:{os.environ.get('redshift_LICENSE', '')}" print(f"openjd_env: redshift_LICENSE={os.environ['redshift_LICENSE']}") # V-Ray doesn't support multiple license servers in a single environment variable # See https://documentation.chaos.com/space/LIC5/125050770/Sharing+a+License+Configuration+in+a+Network vray_license = os.environ.get('VRAY_AUTH_CLIENT_SETTINGS', '') xml_content = """<VRLClient> <LicServer> <Host>localhost</Host> <Port>30304</Port>""" if vray_license and vray_license.startswith('licset://'): server_parts = vray_license.removeprefix('licset://').split(':') if len(server_parts) >= 2: xml_content += f""" <Host1>{server_parts[0]}</Host1> <Port1>{server_parts[1]}</Port1>""" xml_content += """ <User></User> <Pass></Pass> </LicServer> </VRLClient>""" temp_dir = tempfile.gettempdir() xml_path = os.path.join(temp_dir, 'vrlclient.xml') with open(xml_path, 'w') as f: f.write(xml_content) os.environ["VRAY_AUTH_CLIENT_FILE_PATH"] = temp_dir print(f"openjd_env: VRAY_AUTH_CLIENT_FILE_PATH={os.environ['VRAY_AUTH_CLIENT_FILE_PATH']}") # Clear the existing VRAY_AUTH_CLIENT_SETTINGS so only the vrlclient.xml file is used. os.environ["VRAY_AUTH_CLIENT_SETTINGS"] = '' print(f"openjd_env: VRAY_AUTH_CLIENT_SETTINGS={os.environ['VRAY_AUTH_CLIENT_SETTINGS']}") # Print out the created xml file's contents print(f"V-Ray configuration file: {xml_path}") with open(xml_path, 'r') as f: print(f"{f.read()}") -
部署 CloudFormation 範本時,請提供下列參數:
-
使用授權伺服器或代理執行個體的 Amazon EC2 執行個體 ID 更新 LicenseInstanceID
-
使用以逗號分隔的連接埠清單更新 LicensePorts,以轉送至授權伺服器或代理執行個體 (例如 2700,2701)
-
在範本
example_LICENSE: 2700@localhost中取代 以新增授權環境變數
-
-
部署 範本以使用自己的授權功能來設定您的陣列。
