skypilot-nightly 1.0.0.dev20250626__py3-none-any.whl → 1.0.0.dev20250628__py3-none-any.whl

sky/data/storage.py

@@ -1802,7 +1802,8 @@ class S3Store(AbstractStore):
 
             # Add AWS tags configured in config.yaml to the bucket.
             # This is useful for cost tracking and external cleanup.
-            bucket_tags = skypilot_config.get_nested(('aws', 'labels'), {})
+            bucket_tags = skypilot_config.get_effective_region_config(
+                cloud='aws', region=None, keys=('labels',), default_value={})
             if bucket_tags:
                 s3_client.put_bucket_tagging(
                     Bucket=bucket_name,
@@ -2765,8 +2766,12 @@ class AzureBlobStore(AbstractStore):
         # Creates new resource group and storage account or use the
         # storage_account provided by the user through config.yaml
         else:
-            config_storage_account = skypilot_config.get_nested(
-                ('azure', 'storage_account'), None)
+            config_storage_account = (
+                skypilot_config.get_effective_region_config(
+                    cloud='azure',
+                    region=None,
+                    keys=('storage_account',),
+                    default_value=None))
             if config_storage_account is not None:
                 # using user provided storage account from config.yaml
                 storage_account_name = config_storage_account

sky/global_user_state.py

@@ -65,6 +65,7 @@ user_table = sqlalchemy.Table(
     sqlalchemy.Column('id', sqlalchemy.Text, primary_key=True),
     sqlalchemy.Column('name', sqlalchemy.Text),
     sqlalchemy.Column('password', sqlalchemy.Text),
+    sqlalchemy.Column('created_at', sqlalchemy.Integer),
 )
 
 cluster_table = sqlalchemy.Table(
@@ -167,6 +168,21 @@ ssh_key_table = sqlalchemy.Table(
     sqlalchemy.Column('ssh_private_key', sqlalchemy.Text),
 )
 
+service_account_token_table = sqlalchemy.Table(
+    'service_account_tokens',
+    Base.metadata,
+    sqlalchemy.Column('token_id', sqlalchemy.Text, primary_key=True),
+    sqlalchemy.Column('token_name', sqlalchemy.Text),
+    sqlalchemy.Column('token_hash', sqlalchemy.Text),
+    sqlalchemy.Column('created_at', sqlalchemy.Integer),
+    sqlalchemy.Column('last_used_at', sqlalchemy.Integer, server_default=None),
+    sqlalchemy.Column('expires_at', sqlalchemy.Integer, server_default=None),
+    sqlalchemy.Column('creator_user_hash',
+                      sqlalchemy.Text),  # Who created this token
+    sqlalchemy.Column('service_account_user_id',
+                      sqlalchemy.Text),  # Service account's own user ID
+)
+
 cluster_yaml_table = sqlalchemy.Table(
     'cluster_yaml',
     Base.metadata,
@@ -174,6 +190,15 @@ cluster_yaml_table = sqlalchemy.Table(
     sqlalchemy.Column('yaml', sqlalchemy.Text),
 )
 
+system_config_table = sqlalchemy.Table(
+    'system_config',
+    Base.metadata,
+    sqlalchemy.Column('config_key', sqlalchemy.Text, primary_key=True),
+    sqlalchemy.Column('config_value', sqlalchemy.Text),
+    sqlalchemy.Column('created_at', sqlalchemy.Integer),
+    sqlalchemy.Column('updated_at', sqlalchemy.Integer),
+)
+
 
 def _glob_to_similar(glob_pattern):
     """Converts a glob pattern to a PostgreSQL LIKE pattern."""
@@ -331,6 +356,12 @@ def create_table():
             'password',
             sqlalchemy.Text(),
             default_statement='DEFAULT NULL')
+        db_utils.add_column_to_table_sqlalchemy(
+            session,
+            'users',
+            'created_at',
+            sqlalchemy.Integer(),
+            default_statement='DEFAULT NULL')
 
         db_utils.add_column_to_table_sqlalchemy(
             session,
@@ -383,7 +414,8 @@ def _init_db(func):
 
 
 @_init_db
-def add_or_update_user(user: models.User) -> bool:
+def add_or_update_user(user: models.User,
+                       allow_duplicate_name: bool = True) -> bool:
     """Store the mapping from user hash to user name for display purposes.
 
     Returns:
@@ -394,7 +426,18 @@ def add_or_update_user(user: models.User) -> bool:
     if user.name is None:
         return False
 
+    # Set created_at if not already set
+    created_at = user.created_at
+    if created_at is None:
+        created_at = int(time.time())
     with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        # Check for duplicate names if not allowed (within the same transaction)
+        if not allow_duplicate_name:
+            existing_user = session.query(user_table).filter(
+                user_table.c.name == user.name).first()
+            if existing_user is not None:
+                return False
+
         if (_SQLALCHEMY_ENGINE.dialect.name ==
                 db_utils.SQLAlchemyDialect.SQLITE.value):
             # For SQLite, use INSERT OR IGNORE followed by UPDATE to detect new
@@ -405,14 +448,15 @@ def add_or_update_user(user: models.User) -> bool:
             insert_stmnt = insert_func(user_table).prefix_with(
                 'OR IGNORE').values(id=user.id,
                                     name=user.name,
-                                    password=user.password)
+                                    password=user.password,
+                                    created_at=created_at)
             result = session.execute(insert_stmnt)
 
             # Check if the INSERT actually inserted a row
             was_inserted = result.rowcount > 0
 
             if not was_inserted:
-                # User existed, so update it
+                # User existed, so update it (but don't update created_at)
                 if user.password:
                     session.query(user_table).filter_by(id=user.id).update({
                         user_table.c.name: user.name,
@@ -430,8 +474,12 @@ def add_or_update_user(user: models.User) -> bool:
             # For PostgreSQL, use INSERT ... ON CONFLICT with RETURNING to
             # detect insert vs update
             insert_func = postgresql.insert
+
             insert_stmnt = insert_func(user_table).values(
-                id=user.id, name=user.name, password=user.password)
+                id=user.id,
+                name=user.name,
+                password=user.password,
+                created_at=created_at)
 
             # Use a sentinel in the RETURNING clause to detect insert vs update
             if user.password:
@@ -464,7 +512,10 @@ def get_user(user_id: str) -> Optional[models.User]:
         row = session.query(user_table).filter_by(id=user_id).first()
     if row is None:
         return None
-    return models.User(id=row.id, name=row.name, password=row.password)
+    return models.User(id=row.id,
+                       name=row.name,
+                       password=row.password,
+                       created_at=row.created_at)
 
 
 def get_user_by_name(username: str) -> List[models.User]:
@@ -473,8 +524,10 @@ def get_user_by_name(username: str) -> List[models.User]:
     if len(rows) == 0:
         return []
     return [
-        models.User(id=row.id, name=row.name, password=row.password)
-        for row in rows
+        models.User(id=row.id,
+                    name=row.name,
+                    password=row.password,
+                    created_at=row.created_at) for row in rows
     ]
 
 
@@ -490,8 +543,10 @@ def get_all_users() -> List[models.User]:
     with orm.Session(_SQLALCHEMY_ENGINE) as session:
         rows = session.query(user_table).all()
     return [
-        models.User(id=row.id, name=row.name, password=row.password)
-        for row in rows
+        models.User(id=row.id,
+                    name=row.name,
+                    password=row.password,
+                    created_at=row.created_at) for row in rows
     ]
 
 
@@ -1592,6 +1647,137 @@ def set_ssh_keys(user_hash: str, ssh_public_key: str, ssh_private_key: str):
         session.commit()
 
 
+@_init_db
+def add_service_account_token(token_id: str,
+                              token_name: str,
+                              token_hash: str,
+                              creator_user_hash: str,
+                              service_account_user_id: str,
+                              expires_at: Optional[int] = None) -> None:
+    """Add a service account token to the database."""
+    assert _SQLALCHEMY_ENGINE is not None
+    created_at = int(time.time())
+
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        if (_SQLALCHEMY_ENGINE.dialect.name ==
+                db_utils.SQLAlchemyDialect.SQLITE.value):
+            insert_func = sqlite.insert
+        elif (_SQLALCHEMY_ENGINE.dialect.name ==
+              db_utils.SQLAlchemyDialect.POSTGRESQL.value):
+            insert_func = postgresql.insert
+        else:
+            raise ValueError('Unsupported database dialect')
+
+        insert_stmnt = insert_func(service_account_token_table).values(
+            token_id=token_id,
+            token_name=token_name,
+            token_hash=token_hash,
+            created_at=created_at,
+            expires_at=expires_at,
+            creator_user_hash=creator_user_hash,
+            service_account_user_id=service_account_user_id)
+        session.execute(insert_stmnt)
+        session.commit()
+
+
+@_init_db
+def get_service_account_token(token_id: str) -> Optional[Dict[str, Any]]:
+    """Get a service account token by token_id."""
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        row = session.query(service_account_token_table).filter_by(
+            token_id=token_id).first()
+    if row is None:
+        return None
+    return {
+        'token_id': row.token_id,
+        'token_name': row.token_name,
+        'token_hash': row.token_hash,
+        'created_at': row.created_at,
+        'last_used_at': row.last_used_at,
+        'expires_at': row.expires_at,
+        'creator_user_hash': row.creator_user_hash,
+        'service_account_user_id': row.service_account_user_id,
+    }
+
+
+@_init_db
+def get_user_service_account_tokens(user_hash: str) -> List[Dict[str, Any]]:
+    """Get all service account tokens for a user (as creator)."""
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        rows = session.query(service_account_token_table).filter_by(
+            creator_user_hash=user_hash).all()
+    return [{
+        'token_id': row.token_id,
+        'token_name': row.token_name,
+        'token_hash': row.token_hash,
+        'created_at': row.created_at,
+        'last_used_at': row.last_used_at,
+        'expires_at': row.expires_at,
+        'creator_user_hash': row.creator_user_hash,
+        'service_account_user_id': row.service_account_user_id,
+    } for row in rows]
+
+
+@_init_db
+def update_service_account_token_last_used(token_id: str) -> None:
+    """Update the last_used_at timestamp for a service account token."""
+    assert _SQLALCHEMY_ENGINE is not None
+    last_used_at = int(time.time())
+
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        session.query(service_account_token_table).filter_by(
+            token_id=token_id).update(
+                {service_account_token_table.c.last_used_at: last_used_at})
+        session.commit()
+
+
+@_init_db
+def delete_service_account_token(token_id: str) -> bool:
+    """Delete a service account token.
+
+    Returns:
+        True if token was found and deleted.
+    """
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        result = session.query(service_account_token_table).filter_by(
+            token_id=token_id).delete()
+        session.commit()
+    return result > 0
+
+
+@_init_db
+def rotate_service_account_token(token_id: str,
+                                 new_token_hash: str,
+                                 new_expires_at: Optional[int] = None) -> None:
+    """Rotate a service account token by updating its hash and expiration.
+
+    Args:
+        token_id: The token ID to rotate.
+        new_token_hash: The new hashed token value.
+        new_expires_at: New expiration timestamp, or None for no expiration.
+    """
+    assert _SQLALCHEMY_ENGINE is not None
+    current_time = int(time.time())
+
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        count = session.query(service_account_token_table).filter_by(
+            token_id=token_id
+        ).update({
+            service_account_token_table.c.token_hash: new_token_hash,
+            service_account_token_table.c.expires_at: new_expires_at,
+            service_account_token_table.c.last_used_at: None,  # Reset last used
+            # Update creation time
+            service_account_token_table.c.created_at: current_time,
+        })
+        session.commit()
+
+    if count == 0:
+        raise ValueError(f'Service account token {token_id} not found.')
+
+
 @_init_db
 def get_cluster_yaml_str(cluster_yaml_path: Optional[str]) -> Optional[str]:
     """Get the cluster yaml from the database or the local file system.
@@ -1662,3 +1848,65 @@ def remove_cluster_yaml(cluster_name: str):
         session.query(cluster_yaml_table).filter_by(
             cluster_name=cluster_name).delete()
         session.commit()
+
+
+@_init_db
+def get_all_service_account_tokens() -> List[Dict[str, Any]]:
+    """Get all service account tokens across all users (for admin access)."""
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        rows = session.query(service_account_token_table).all()
+    return [{
+        'token_id': row.token_id,
+        'token_name': row.token_name,
+        'token_hash': row.token_hash,
+        'created_at': row.created_at,
+        'last_used_at': row.last_used_at,
+        'expires_at': row.expires_at,
+        'creator_user_hash': row.creator_user_hash,
+        'service_account_user_id': row.service_account_user_id,
+    } for row in rows]
+
+
+@_init_db
+def get_system_config(config_key: str) -> Optional[str]:
+    """Get a system configuration value by key."""
+    assert _SQLALCHEMY_ENGINE is not None
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        row = session.query(system_config_table).filter_by(
+            config_key=config_key).first()
+    if row is None:
+        return None
+    return row.config_value
+
+
+@_init_db
+def set_system_config(config_key: str, config_value: str) -> None:
+    """Set a system configuration value."""
+    assert _SQLALCHEMY_ENGINE is not None
+    current_time = int(time.time())
+
+    with orm.Session(_SQLALCHEMY_ENGINE) as session:
+        if (_SQLALCHEMY_ENGINE.dialect.name ==
+                db_utils.SQLAlchemyDialect.SQLITE.value):
+            insert_func = sqlite.insert
+        elif (_SQLALCHEMY_ENGINE.dialect.name ==
+              db_utils.SQLAlchemyDialect.POSTGRESQL.value):
+            insert_func = postgresql.insert
+        else:
+            raise ValueError('Unsupported database dialect')
+
+        insert_stmnt = insert_func(system_config_table).values(
+            config_key=config_key,
+            config_value=config_value,
+            created_at=current_time,
+            updated_at=current_time)
+
+        upsert_stmnt = insert_stmnt.on_conflict_do_update(
+            index_elements=[system_config_table.c.config_key],
+            set_={
+                system_config_table.c.config_value: config_value,
+                system_config_table.c.updated_at: current_time,
+            })
+        session.execute(upsert_stmnt)
+        session.commit()

sky/jobs/client/sdk.py

@@ -82,12 +82,11 @@ def launch(
             task=dag_str,
             name=name,
         )
-        response = rest.post(
-            f'{server_common.get_server_url()}/jobs/launch',
+        response = server_common.make_authenticated_request(
+            'POST',
+            '/jobs/launch',
             json=json.loads(body.model_dump_json()),
-            timeout=(5, None),
-            cookies=server_common.get_api_cookie_jar(),
-        )
+            timeout=(5, None))
         return server_common.get_request_id(response)
 
 
@@ -142,12 +141,11 @@ def queue(refresh: bool,
         all_users=all_users,
         job_ids=job_ids,
     )
-    response = rest.post(
-        f'{server_common.get_server_url()}/jobs/queue',
+    response = server_common.make_authenticated_request(
+        'POST',
+        '/jobs/queue',
         json=json.loads(body.model_dump_json()),
-        timeout=(5, None),
-        cookies=server_common.get_api_cookie_jar(),
-    )
+        timeout=(5, None))
     return server_common.get_request_id(response=response)
 
 
@@ -182,12 +180,11 @@ def cancel(
         all=all,
         all_users=all_users,
     )
-    response = rest.post(
-        f'{server_common.get_server_url()}/jobs/cancel',
+    response = server_common.make_authenticated_request(
+        'POST',
+        '/jobs/cancel',
         json=json.loads(body.model_dump_json()),
-        timeout=(5, None),
-        cookies=server_common.get_api_cookie_jar(),
-    )
+        timeout=(5, None))
     return server_common.get_request_id(response=response)
 
 
@@ -233,13 +230,12 @@ def tail_logs(name: Optional[str] = None,
         refresh=refresh,
         tail=tail,
     )
-    response = rest.post(
-        f'{server_common.get_server_url()}/jobs/logs',
+    response = server_common.make_authenticated_request(
+        'POST',
+        '/jobs/logs',
         json=json.loads(body.model_dump_json()),
         stream=True,
-        timeout=(5, None),
-        cookies=server_common.get_api_cookie_jar(),
-    )
+        timeout=(5, None))
     request_id = server_common.get_request_id(response)
     # Log request is idempotent when tail is 0, thus can resume previous
     # streaming point on retry.
@@ -283,12 +279,11 @@ def download_logs(
         controller=controller,
         local_dir=local_dir,
     )
-    response = rest.post(
-        f'{server_common.get_server_url()}/jobs/download_logs',
+    response = server_common.make_authenticated_request(
+        'POST',
+        '/jobs/download_logs',
         json=json.loads(body.model_dump_json()),
-        timeout=(5, None),
-        cookies=server_common.get_api_cookie_jar(),
-    )
+        timeout=(5, None))
     job_id_remote_path_dict = sdk.stream_and_get(
         server_common.get_request_id(response))
     remote2local_path_dict = client_common.download_logs_from_api_server(

sky/models.py

@@ -20,6 +20,18 @@ class User:
     # Display name of the user
     name: Optional[str] = None
     password: Optional[str] = None
+    created_at: Optional[int] = None
+
+    def __init__(
+            self,
+            id: str,  # pylint: disable=redefined-builtin
+            name: Optional[str] = None,
+            password: Optional[str] = None,
+            created_at: Optional[int] = None):
+        self.id = id.strip().lower()
+        self.name = name
+        self.password = password
+        self.created_at = created_at
 
     def to_dict(self) -> Dict[str, Any]:
         return {'id': self.id, 'name': self.name}
@@ -37,6 +49,10 @@ class User:
         user_hash = common_utils.get_user_hash()
         return User(id=user_hash, name=user_name)
 
+    def is_service_account(self) -> bool:
+        """Check if the user is a service account."""
+        return self.id.lower().startswith('sa-')
+
 
 RealtimeGpuAvailability = collections.namedtuple(
     'RealtimeGpuAvailability', ['gpu', 'counts', 'capacity', 'available'])

sky/provision/kubernetes/config.py

@@ -35,7 +35,7 @@ def bootstrap_instances(
     _configure_services(namespace, context, config.provider_config)
 
     networking_mode = network_utils.get_networking_mode(
-        config.provider_config.get('networking_mode'))
+        config.provider_config.get('networking_mode'), context)
     if networking_mode == kubernetes_enums.KubernetesNetworkingMode.NODEPORT:
         config = _configure_ssh_jump(namespace, context, config)
 

sky/provision/kubernetes/instance.py

@@ -941,7 +941,7 @@ def _create_pods(region: str, cluster_name_on_cloud: str,
             head_pod_name = pod.metadata.name
 
     networking_mode = network_utils.get_networking_mode(
-        config.provider_config.get('networking_mode'))
+        config.provider_config.get('networking_mode'), context)
     if networking_mode == kubernetes_enums.KubernetesNetworkingMode.NODEPORT:
         # Adding the jump pod to the new_nodes list as well so it can be
         # checked if it's scheduled and running along with other pods.
@@ -1102,7 +1102,7 @@ def terminate_instances(
 
     # Clean up the SSH jump pod if in use
     networking_mode = network_utils.get_networking_mode(
-        provider_config.get('networking_mode'))
+        provider_config.get('networking_mode'), context)
     if networking_mode == kubernetes_enums.KubernetesNetworkingMode.NODEPORT:
         pod_name = list(pods.keys())[0]
         try:
@@ -1147,8 +1147,11 @@ def get_cluster_info(
     head_pod_name = None
 
     port_forward_mode = kubernetes_enums.KubernetesNetworkingMode.PORTFORWARD
-    network_mode_str = skypilot_config.get_nested(('kubernetes', 'networking'),
-                                                  port_forward_mode.value)
+    network_mode_str = skypilot_config.get_effective_region_config(
+        cloud='kubernetes',
+        region=context,
+        keys=('networking_mode',),
+        default_value=port_forward_mode.value)
     network_mode = kubernetes_enums.KubernetesNetworkingMode.from_str(
         network_mode_str)
     external_ip = kubernetes_utils.get_external_ip(network_mode, context)

sky/provision/kubernetes/network.py

@@ -22,8 +22,9 @@ def open_ports(
 ) -> None:
     """See sky/provision/__init__.py"""
     assert provider_config is not None, 'provider_config is required'
+    context = kubernetes_utils.get_context_from_config(provider_config)
     port_mode = network_utils.get_port_mode(
-        provider_config.get('port_mode', None))
+        provider_config.get('port_mode', None), context)
     ports = list(port_ranges_to_set(ports))
     if port_mode == kubernetes_enums.KubernetesPortMode.LOADBALANCER:
         _open_ports_using_loadbalancer(
@@ -46,8 +47,10 @@ def _open_ports_using_loadbalancer(
 ) -> None:
     service_name = _LOADBALANCER_SERVICE_NAME.format(
         cluster_name_on_cloud=cluster_name_on_cloud)
+    context = kubernetes_utils.get_context_from_config(provider_config)
     content = network_utils.fill_loadbalancer_template(
         namespace=provider_config.get('namespace', 'default'),
+        context=context,
         service_name=service_name,
         ports=ports,
         selector_key='skypilot-cluster',
@@ -59,7 +62,7 @@ def _open_ports_using_loadbalancer(
 
     network_utils.create_or_replace_namespaced_service(
         namespace=kubernetes_utils.get_namespace_from_config(provider_config),
-        context=kubernetes_utils.get_context_from_config(provider_config),
+        context=context,
         service_name=service_name,
         service_spec=content['service_spec'])
 
@@ -70,6 +73,7 @@ def _open_ports_using_ingress(
     provider_config: Dict[str, Any],
 ) -> None:
     context = kubernetes_utils.get_context_from_config(provider_config)
+    namespace = kubernetes_utils.get_namespace_from_config(provider_config)
     # Check if an ingress controller exists
     if not network_utils.ingress_controller_exists(context):
         raise Exception(
@@ -100,6 +104,7 @@ def _open_ports_using_ingress(
     # multiple rules.
     content = network_utils.fill_ingress_template(
         namespace=provider_config.get('namespace', 'default'),
+        context=context,
         service_details=service_details,
         ingress_name=f'{cluster_name_on_cloud}-skypilot-ingress',
         selector_key='skypilot-cluster',
@@ -111,9 +116,8 @@ def _open_ports_using_ingress(
         # Update metadata from config
         kubernetes_utils.merge_custom_metadata(service_spec['metadata'])
         network_utils.create_or_replace_namespaced_service(
-            namespace=kubernetes_utils.get_namespace_from_config(
-                provider_config),
-            context=kubernetes_utils.get_context_from_config(provider_config),
+            namespace=namespace,
+            context=context,
             service_name=service_name,
             service_spec=service_spec,
         )
@@ -121,8 +125,8 @@ def _open_ports_using_ingress(
     kubernetes_utils.merge_custom_metadata(content['ingress_spec']['metadata'])
     # Create or update the single ingress for all services
     network_utils.create_or_replace_namespaced_ingress(
-        namespace=kubernetes_utils.get_namespace_from_config(provider_config),
-        context=kubernetes_utils.get_context_from_config(provider_config),
+        namespace=namespace,
+        context=context,
         ingress_name=f'{cluster_name_on_cloud}-skypilot-ingress',
         ingress_spec=content['ingress_spec'],
     )
@@ -135,8 +139,9 @@ def cleanup_ports(
 ) -> None:
     """See sky/provision/__init__.py"""
     assert provider_config is not None, 'provider_config is required'
+    context = kubernetes_utils.get_context_from_config(provider_config)
     port_mode = network_utils.get_port_mode(
-        provider_config.get('port_mode', None))
+        provider_config.get('port_mode', None), context)
     ports = list(port_ranges_to_set(ports))
     if port_mode == kubernetes_enums.KubernetesPortMode.LOADBALANCER:
         _cleanup_ports_for_loadbalancer(
@@ -202,8 +207,9 @@ def query_ports(
     """See sky/provision/__init__.py"""
     del head_ip  # unused
     assert provider_config is not None, 'provider_config is required'
+    context = kubernetes_utils.get_context_from_config(provider_config)
     port_mode = network_utils.get_port_mode(
-        provider_config.get('port_mode', None))
+        provider_config.get('port_mode', None), context)
     ports = list(port_ranges_to_set(ports))
 
     try: