gpu-dev 0.5.22__tar.gz → 0.5.24__tar.gz

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: gpu-dev
-Version: 0.5.22
+Version: 0.5.24
 Summary: CLI tool for PyTorch GPU developer server reservations
 Author: PyTorch Team
 Requires-Python: >=3.10

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/cli-tools/gpu-dev-cli/gpu_dev.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: gpu-dev
-Version: 0.5.22
+Version: 0.5.24
 Summary: CLI tool for PyTorch GPU developer server reservations
 Author: PyTorch Team
 Requires-Python: >=3.10

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/cli-tools/gpu-dev-cli/gpu_dev_cli/auth.py

@@ -38,6 +38,19 @@ def _load_auth_cache(github_user: str) -> Optional[Dict[str, Any]]:
             return None
         if time.time() - float(entry.get("ts", 0)) > _AUTH_CACHE_TTL_SECONDS:
             return None
+        # Defense against stale cache on a persistent disk that pre-dates the IRSA fix:
+        # if AWS_ROLE_ARN points at a role the cached ARN doesn\'t reference, the cache
+        # is from a different identity (e.g. IMDS-fallback before fs_group=1081 landed)
+        # and should be ignored.
+        expected_role_arn = os.environ.get("AWS_ROLE_ARN", "")
+        cached_arn = (entry.get("result") or {}).get("arn", "")
+        if expected_role_arn:
+            try:
+                role_name = expected_role_arn.rsplit("/", 1)[-1]
+                if role_name and role_name not in cached_arn:
+                    return None
+            except Exception:
+                pass
         return entry.get("result")
     except Exception:
         return None

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/cli-tools/gpu-dev-cli/gpu_dev_cli/config.py

@@ -240,8 +240,17 @@ class Config:
         return self.user_config.get(key)
 
     def get_github_username(self) -> Optional[str]:
-        """Get GitHub username from config."""
-        return self.user_config.get("github_user")
+        """Get GitHub username, falling back to GPU_DEV_GITHUB_USER env var.
+
+        Lambda sets GPU_DEV_GITHUB_USER on every pod from the reservation's
+        github_user field, so a user running gpu-dev from inside their dev pod
+        doesn\'t have to `gpu-dev config set github_user <name>` first.
+        """
+        v = self.user_config.get("github_user")
+        if v:
+            return v
+        v = os.environ.get("GPU_DEV_GITHUB_USER")
+        return v or None
 
 
 def load_config() -> Config:

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "gpu-dev"
-version = "0.5.22"
+version = "0.5.24"
 description = "CLI tool for PyTorch GPU developer server reservations"
 authors = [{name = "PyTorch Team"}]
 readme = "cli-tools/gpu-dev-cli/README.md"

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/terraform-gpu-devservers/lambda/reservation_processor/index.py

@@ -2888,6 +2888,7 @@ def allocate_gpu_resources(reservation_id: str, request: dict[str, Any], trace_d
             gpu_count=gpu_count,
             gpu_type=gpu_type,
             github_public_key=github_public_key,
+            github_user=github_user,
             reservation_id=reservation_id,
             jupyter_enabled=jupyter_enabled,
             persistent_volume_id=persistent_volume_id,
@@ -3434,7 +3435,8 @@ def create_kubernetes_resources(
     gpu_count: int,
     gpu_type: str,
     github_public_key: str,
-    reservation_id: str,
+    github_user: str = "",
+    reservation_id: str = None,
     jupyter_enabled: bool = False,
     persistent_volume_id: str = None,
     user_id: str = None,
@@ -3538,6 +3540,7 @@ def create_kubernetes_resources(
                         gpu_count,
                         gpu_type,
                         github_public_key,
+                        github_user=github_user,
                         jupyter_enabled=True,
                         persistent_volume_id=persistent_volume_id,
                         user_id=user_id,
@@ -3627,6 +3630,7 @@ def create_kubernetes_resources(
                         gpu_count,
                         gpu_type,
                         github_public_key,
+                        github_user=github_user,
                         jupyter_enabled=False,
                         persistent_volume_id=persistent_volume_id,
                         user_id=user_id,
@@ -3979,6 +3983,7 @@ def create_pod(
     gpu_count: int,
     gpu_type: str,
     github_public_key: str,
+    github_user: str = "",
     jupyter_enabled: bool = False,
     persistent_volume_id: str = None,
     user_id: str = None,
@@ -4486,6 +4491,18 @@ export MULTINODE_SIZE="$MULTINODE_SIZE"
 export MASTER_ADDR="$MASTER_ADDR"
 export MASTER_PORT="$MASTER_PORT"
 
+# IRSA + region — same reason as MULTINODE: sshd strips these from login shells, so
+# we bake the current container values into the rc file. Lets gpu-dev / aws / boto3
+# inside an SSH session pick up the gpu-dev-pod-sa IAM role automatically.
+export AWS_ROLE_ARN="$AWS_ROLE_ARN"
+export AWS_WEB_IDENTITY_TOKEN_FILE="$AWS_WEB_IDENTITY_TOKEN_FILE"
+export AWS_ROLE_SESSION_NAME="$AWS_ROLE_SESSION_NAME"
+export AWS_REGION="$AWS_REGION"
+export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"
+export AWS_STS_REGIONAL_ENDPOINTS="$AWS_STS_REGIONAL_ENDPOINTS"
+# CLI falls back to this when ~/.config/gpu-dev/config.json has no github_user
+export GPU_DEV_GITHUB_USER="$GPU_DEV_GITHUB_USER"
+
 # Function to check for GPU reservation expiry warnings and startup script status
 check_warnings() {{
     # Check for startup script still running
@@ -4539,6 +4556,15 @@ export MULTINODE_SIZE="$MULTINODE_SIZE"
 export MASTER_ADDR="$MASTER_ADDR"
 export MASTER_PORT="$MASTER_PORT"
 
+# IRSA + region (see .bashrc_ext for rationale)
+export AWS_ROLE_ARN="$AWS_ROLE_ARN"
+export AWS_WEB_IDENTITY_TOKEN_FILE="$AWS_WEB_IDENTITY_TOKEN_FILE"
+export AWS_ROLE_SESSION_NAME="$AWS_ROLE_SESSION_NAME"
+export AWS_REGION="$AWS_REGION"
+export AWS_DEFAULT_REGION="$AWS_DEFAULT_REGION"
+export AWS_STS_REGIONAL_ENDPOINTS="$AWS_STS_REGIONAL_ENDPOINTS"
+export GPU_DEV_GITHUB_USER="$GPU_DEV_GITHUB_USER"
+
 # Function to check for GPU reservation expiry warnings and startup script status
 check_warnings() {{
     # Check for startup script still running
@@ -5314,6 +5340,9 @@ EOF
                         ),
                         client.V1EnvVar(
                             name="AWS_ROLE_SESSION_NAME", value=(user_id or "gpu-dev-pod")[:64]
+                        ),
+                        client.V1EnvVar(
+                            name="GPU_DEV_GITHUB_USER", value=github_user or ""
                         )
                     ] + get_nccl_env_vars(gpu_type) + get_cpu_thread_env_vars(gpu_count, gpu_type) + _get_multinode_env_vars(multinode_peer_pods, multinode_rank),
                     resources=client.V1ResourceRequirements(
@@ -5501,6 +5530,10 @@ EOF
             # with the AWS_ROLE_SESSION_NAME env var below this lets users run
             # `gpu-dev submit` from inside their dev pod with no manual aws sso login.
             service_account_name="gpu-dev-pod-sa",
+            # fs_group=1081 makes the IRSA-projected token (default 0600 root:root)
+            # readable by the dev user. Without it boto3-as-dev falls through to IMDS
+            # and gets the node's IAM role, which doesn't have DDB/SQS permissions.
+            security_context=client.V1PodSecurityContext(fs_group=1081),
             # EFA requires host network namespace for RDMA access to efa0 interface
             **({
                 "host_network": True,

{gpu_dev-0.5.22 → gpu_dev-0.5.24}/terraform-gpu-devservers/lambda.tf

@@ -180,7 +180,7 @@ resource "aws_lambda_function" "reservation_processor" {
       HOSTED_ZONE_ID                     = local.effective_domain_name != "" ? local.hosted_zone_id : ""
       SSH_DOMAIN_MAPPINGS_TABLE          = local.effective_domain_name != "" ? aws_dynamodb_table.ssh_domain_mappings.name : ""
       SSL_CERTIFICATE_ARN                = local.effective_domain_name != "" ? aws_acm_certificate.wildcard[0].arn : ""
-      LAMBDA_VERSION                     = "0.5.23"
+      LAMBDA_VERSION                     = "0.5.25"
       MIN_CLI_VERSION                    = "0.5.16"
       DISK_CONTENTS_BUCKET               = aws_s3_bucket.disk_contents.bucket
       OPERATIONS_TABLE                   = aws_dynamodb_table.operations.name