The x-install tool is the newest Exostellar installer designed to simplify the setup process. It offers a variety of subcommands to provision a sandbox environment, install Exostellar products, and verify post-installation readiness.

Prerequisites

Before using the x-install tool, ensure that your environment meets the following requirements:

...

IAM Permissions
IAM Permissions for the AWS Account - Standalone Flow

For the standalone flow, i.e. deploying everything from scratch with the create-standalone command, use the following IAM policy.

Please add your AWS account ID and cluster name to the policy below.

Code Block
languagejson
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::<account-id>:role/<cluster-name>*",
				"arn:aws:iam::<account-id>:role/terraform-*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"autoscaling:CompleteLifecycleAction",
				"autoscaling:CreateAutoScalingGroup",
				"autoscaling:DeleteAutoScalingGroup",
				"autoscaling:EnableMetricsCollection",
				"autoscaling:PutNotificationConfiguration",
				"autoscaling:UpdateAutoScalingGroup"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:AllocateAddress",
				"ec2:AssignPrivateIpAddresses",
				"ec2:AssociateRouteTable",
				"ec2:AttachInternetGateway",
				"ec2:AttachNetworkInterface",
				"ec2:AuthorizeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:CreateFleet",
				"ec2:CreateInternetGateway",
				"ec2:CreateLaunchTemplate",
				"ec2:CreateLaunchTemplateVersion",
				"ec2:CreateNatGateway",
				"ec2:CreateNetworkAclEntry",
				"ec2:CreateNetworkInterface",
				"ec2:CreateNetworkInterfacePermission",
				"ec2:CreateRoute",
				"ec2:CreateRouteTable",
				"ec2:CreateSecurityGroup",
				"ec2:CreateSubnet",
				"ec2:CreateTags",
				"ec2:CreateVpc",
				"ec2:DeleteInternetGateway",
				"ec2:DeleteLaunchTemplate",
				"ec2:DeleteNatGateway",
				"ec2:DeleteNetworkAclEntry",
				"ec2:DeleteNetworkInterface",
				"ec2:DeleteRoute",
				"ec2:DeleteRouteTable",
				"ec2:DeleteSecurityGroup",
				"ec2:DeleteSubnet",
				"ec2:DeleteTags",
				"ec2:DeleteVpc",
				"ec2:DescribeAddresses",
				"ec2:DescribeAddressesAttribute",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeImages",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroupRules",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeTags",
				"ec2:DescribeVolumes",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeVpcs",
				"ec2:DetachInternetGateway",
				"ec2:DetachNetworkInterface",
				"ec2:DisassociateAddress",
				"ec2:DisassociateRouteTable",
				"ec2:ModifyInstanceAttribute",
				"ec2:ModifyLaunchTemplate",
				"ec2:ModifyNetworkInterfaceAttribute",
				"ec2:ModifySubnetAttribute",
				"ec2:ModifyVpcAttribute",
				"ec2:ReleaseAddress",
				"ec2:RevokeSecurityGroupEgress",
				"ec2:RevokeSecurityGroupIngress",
				"ec2:RunInstances",
				"ec2:TerminateInstances"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"eks:AssociateAccessPolicy",
				"eks:CreateAccessEntry",
				"eks:CreateAddon",
				"eks:CreateCluster",
				"eks:CreateNodegroup",
				"eks:DeleteAccessEntry",
				"eks:DeleteAddon",
				"eks:DeleteCluster",
				"eks:DeleteNodegroup",
				"eks:DescribeAccessEntry",
				"eks:DescribeAddon",
				"eks:DescribeAddonVersions",
				"eks:DescribeCluster",
				"eks:DescribeNodegroup",
				"eks:DisassociateAccessPolicy",
				"eks:ListAssociatedAccessPolicies",
				"eks:ListNodegroups",
				"eks:TagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"events:PutRule",
				"events:PutTargets"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:AddRoleToInstanceProfile",
				"iam:AttachRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:CreateOpenIDConnectProvider",
				"iam:CreatePolicy",
				"iam:CreateRole",
				"iam:DeleteInstanceProfile",
				"iam:DeleteOpenIDConnectProvider",
				"iam:DeletePolicy",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetInstanceProfile",
				"iam:GetOpenIDConnectProvider",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:ListAttachedRolePolicies",
				"iam:ListInstanceProfilesForRole",
				"iam:ListPolicyVersions",
				"iam:ListRolePolicies",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:TagInstanceProfile",
				"iam:TagOpenIDConnectProvider",
				"iam:TagPolicy",
				"iam:TagRole"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"kms:CreateAlias",
				"kms:CreateGrant",
				"kms:CreateKey",
				"kms:DeleteAlias",
				"kms:DescribeKey",
				"kms:EnableKeyRotation",
				"kms:GetKeyPolicy",
				"kms:GetKeyRotationStatus",
				"kms:ListAliases",
				"kms:ListResourceTags",
				"kms:PutKeyPolicy",
				"kms:RetireGrant",
				"kms:ScheduleKeyDeletion",
				"kms:TagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"logs:CreateLogGroup",
				"logs:CreateLogStream",
				"logs:DeleteLogGroup",
				"logs:DescribeLogGroups",
				"logs:ListTagsForResource",
				"logs:PutRetentionPolicy",
				"logs:TagResource"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"aws-marketplace:ListEntities"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ssm:RegisterManagedInstance",
				"ssm:UpdateInstanceInformation"
			],
			"Resource": "*"
		}
	]
}
IAM Permissions for the AWS Account - Using an Existing Cluster

When working with existing EKS clusters, use the following IAM policy.

Please add your AWS account ID and cluster name to the policy below.

Code Block
languagejson
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": [
				"arn:aws:iam::<account-id>:role/<cluster-name>*",
				"arn:aws:iam::<account-id>:role/terraform-*"
			]
		},
		{
			"Effect": "Allow",
			"Action": [
				"aws-marketplace:ListEntities"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"ec2:AuthorizeSecurityGroupEgress",
				"ec2:AuthorizeSecurityGroupIngress",
				"ec2:CreateSecurityGroup",
				"ec2:CreateTags",
				"ec2:DeleteSecurityGroup",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeImages",
				"ec2:DescribeInstanceAttribute",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceTypes",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeTags",
				"ec2:DescribeVolumes",
				"ec2:DescribeVpcAttribute",
				"ec2:DescribeVpcs",
				"ec2:ModifyInstanceAttribute",
				"ec2:RevokeSecurityGroupEgress",
				"ec2:RunInstances",
				"ec2:TerminateInstances"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"eks:DescribeCluster",
				"eks:DescribeNodegroup",
				"eks:ListNodegroups"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"iam:AddRoleToInstanceProfile",
				"iam:AttachRolePolicy",
				"iam:CreateInstanceProfile",
				"iam:CreateRole",
				"iam:DeleteInstanceProfile",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:GetInstanceProfile",
				"iam:GetPolicy",
				"iam:GetPolicyVersion",
				"iam:GetRole",
				"iam:GetRolePolicy",
				"iam:ListAttachedRolePolicies",
				"iam:ListInstanceProfilesForRole",
				"iam:ListRolePolicies",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:TagInstanceProfile",
				"iam:TagRole"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"s3:GetObject",
				"s3:ListBucket"
			],
			"Resource": "*"
		}
	]
}
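
A pre-flight check for either policy above, as an added example that is not part of the Exostellar documentation: it fills in the <account-id> and <cluster-name> placeholders, rejects values that would widen the iam:PassRole ARN patterns, and reports which role-modifying IAM actions are granted on "*". The function names, the ROLE_WRITE shortlist and the trimmed sample policy are constructed for illustration.

```python
import json
import re

# Constructed sample: a trimmed excerpt in the shape of the policies above.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:PassRole"],
     "Resource": ["arn:aws:iam::<account-id>:role/<cluster-name>*",
                  "arn:aws:iam::<account-id>:role/terraform-*"]},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:GetRole"],
     "Resource": "*"}
  ]
}"""

# Actions that change what a role may do; this shortlist is the reviewer's
# choice for illustration, not an official classification.
ROLE_WRITE = {"iam:AttachRolePolicy", "iam:CreatePolicy", "iam:CreateRole",
              "iam:PutRolePolicy"}


def as_list(value):
    """IAM accepts either a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)


def render(template, account_id, cluster_name):
    """Fill the two placeholders; reject bad values and any leftover <...>."""
    if not re.fullmatch(r"[0-9]{12}", account_id):
        raise ValueError("AWS account IDs are 12 digits")
    # EKS names: alphanumerics, '-' and '_'; a '*' here would widen the ARN.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_-]{0,99}", cluster_name):
        raise ValueError("invalid cluster name")
    text = template.replace("<account-id>", account_id)
    text = text.replace("<cluster-name>", cluster_name)
    leftover = re.findall(r"<[a-z-]+>", text)
    if leftover:
        raise ValueError(f"unresolved placeholders: {leftover}")
    return json.loads(text)


def audit(policy):
    """Return (statements passing roles on '*', role-write actions on '*')."""
    unscoped_passrole, wildcard_writes = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in as_list(stmt["Resource"]):
            continue
        actions = set(as_list(stmt["Action"]))
        if "iam:PassRole" in actions:
            unscoped_passrole.append(stmt)
        wildcard_writes += sorted(ROLE_WRITE & actions)
    return unscoped_passrole, wildcard_writes
```

A non-empty second list from audit() is the set of actions to review with whoever owns the account before the policy is attached to the identity that runs x-install.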

...

  • x-install tool: Version 0.0.1517+

x-install Download Options

| Platform | Architecture | File | Release Date |
|---|---|---|---|
| macOS | ARM64 | x-install-darwin-arm64-.0.0.1517.tar.gz | 14 Jan |
| macOS | x86_64 | x-install-darwin-x86_64-.0.0.1517.tar.gz | 14 Jan |
| Linux | ARM64 | x-install-linux-arm64-.0.0.1517.tar.gz | 14 Jan |
| Linux | i386 | x-install-linux-i386-.0.0.1517.tar.gz | 14 Jan |
| Linux | x86_64 | x-install-linux-x86_64-.0.0.1517.tar.gz | 14 Jan |
| Windows | ARM64 | x-install-windows-arm64-.0.0.1517.zip | 14 Jan |
| Windows | i386 | x-install-windows-i386-.0.0.1517.zip | 14 Jan |
| Windows | x86_64 | x-install-windows-x86_64-.0.0.1517.zip | 14 Jan |

Info

For macOS users, please grant x-install permissions by clicking the “Allow Anyway” button in the Security settings. This button is available for about an hour after you try to open the app. You can access the Security settings by choosing Apple menu > System Settings, then clicking Privacy & Security in the sidebar.

Installation Steps

Creating a Sandbox EKS Cluster and Deploying the Management Server

1. Create a Standalone Stack

Navigate to the directory where x-install is downloaded and use the following command to create a standalone stack, customizing the cluster name, VPC CIDR, SSH key pair, and region to suit your environment:

...

By default, x-install auto-detects the latest Management Server AMI in the region within the AWS account. To specify a version or custom AMI ID, use --mgmt-server-ami-id:

Code Block
languagebash
x-install create-standalone \
  --cluster=xio-standalone \
  --vpc-cidr=10.0.0.0/16 \
  --ssh-key-pair-name=my-dev-key \
  --region=us-east-2 \
  --mgmt-server-ami-id=ami-053b51fb9abf27xxx

2. Verify Post-Installation Readiness

After the standalone stack is successfully created, use the following command to check if the stack is ready:

...

Info

It might take a few attempts for post-install to pass all system units and containers readiness checks, due to infrastructure readiness latency.

Deploying the Management Server into an Existing EKS Cluster

1. Add Necessary IAM Permissions

Ensure all required IAM resources are present by running:

Code Block
languagebash
x-install apply-iam --cluster xio-standalone --region us-east-2

2. Check the Target Environment

Verify the existing EKS cluster meets installation prerequisites:

...

Info

Please refer to this for the IAM roles required for the cluster’s node group.

3. Install the Management Server

Deploy the Management Server into the existing EKS Cluster:

Code Block
languagebash
x-install apply --cluster xio-standalone

4. Integrate the Management Server with the Existing EKS Cluster

Run the following command to complete the integration:

...

To update the integration configurations:

Code Block
languagebash
x-install eksconfig --cluster xio-standalone --override-existing-params

Adding X-Compute Nodes to the EKS Cluster via eks-node-cli

1. Access the Management Server

SSH into the Exostellar Management Server using:

Code Block
languagebash
ssh -i "my-dev-key.pem" rocky@<management-server-public-ip>

2. Add a New Node

Run this command on the server to add a new node to the EKS cluster:

...

By default, the EKS token used to access the standalone EKS cluster expires after 60 minutes. After that, all attempts to access the cluster fail with Unauthorized errors.

To generate a new EKS token and use it with your existing kubeconfig file, run:

Code Block
languagebash
x-install update-kubeconfig --cluster=xio-standalone

Adding X-Compute Nodes to the EKS Cluster via Exostellar Karpenter

Reference deployment example:

Code Block
languagebash
cat <<EOF | kubectl apply -f -
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      tolerations:
      - key: "exokarpenter.sh/x-compute"
        operator: "Exists"
        effect: "NoSchedule"
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: exokarpenter.sh/nodepool
                operator: In
                values:
                - pool-a
      containers:
      - name: nginx
        image: nginx:1.14.2
        ports:
        - containerPort: 80
        resources:
            requests:
              cpu: 1
EOF

Cleaning Up

The entire standalone stack can be deleted with the destroy command:

...

Info

In some cases, Terraform might time out during the destroy process. If this happens, simply re-run the command to allow Terraform to reconcile its final state.

At this time, all controller and worker EC2 instances need to be manually terminated.

Additional Help and Support

To explore other subcommands, use the following command for a list of available options:

...