Deploy LLM/Diffusuion model with AWS EKS service with front end(Next JS), backend(Fastapi) and network configurations like ISTIO, S3 association along with Serving tools like KServe, with monitoring tools like Kiali, prometheus, grafana.
Note:
-
I have used "OFA-Sys/small-stable-diffusion-v0" with 256x256 resolution image generation instead of SD3-medium with 1024x1024 as the cost of debugging and developing in g6.2xlarge is very high
-
If you take a g6.2xlarge instance it cost 0.4$ per hour even for spot instance so either develop with a small model first with g4dn.xlarge and if eveything works fine go for sd3 models. Else you will end up lossing 5-7 dollars for gpu alone. While developing assignment use a small model + <=256x256 generation image with diffuser. Dont use sd3 or 1024x1024 inference first itself it needs 24GB GPU RAM to load
Wait paitently see all deletion is successfull in aws cloud formation stack page and then close the system because some times
the deletion gets failed so at backend something would be running and it may cost you high
If you triggering a spot instance manually with peresistent type ensure that both the spot request is cancelled manually
and the AWS instance is terminated finally
- Redo the SD3 Deployment that we did in the class on KServe
- Create README.mdLinks to an external site.
- Write instructions to create the .mar file
- Write instruction to deploy the model on KServe
- What to Submit
- Output of kubectl get all -A
- Manifest Files used for deployments
- Kiali Graph of the Deployment
- GPU Usage from Grafana and Prometheus while on LOAD
- Logs of your torchserve-predictor
- 5 Outputs of the SD3 Model
- Make sure you copy the logs of torchserve pod while the model is inferencing
- GitHub Repo with the README.md file and manifests and logs
Note: You can refer class-work and develop the deployments stage by stage similar in session-16 class
Refer: class-work-readme for proper usage of classwork files (it gives the commands in proper manner. todo: restructure it)
Note: it took 5$ for doing class work debugging and development and another 7$ for assignment debugging and development as i used g6.2xlarge initially so dont do that mistake.
Local installations (no need a new ec2 instance for doing below work)
AWS install
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Provide credentials
aws configure
EKSCTL Install
# for ARM systems, set ARCH to: `arm64`, `armv6` or `armv7`
ARCH=amd64
PLATFORM=$(uname -s)_$ARCH
curl -sLO "https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_$PLATFORM.tar.gz"
# (Optional) Verify checksum
curl -sL "<https://github.com/eksctl-io/eksctl/releases/latest/download/eksctl_checksums.txt>" | grep $PLATFORM | sha256sum --check
tar -xzf eksctl_$PLATFORM.tar.gz -C /tmp && rm eksctl_$PLATFORM.tar.gz
sudo mv /tmp/eksctl /usr/local/bin
Set the default ssh-gen key in local
This default ssh key is used by aws for default ssh login
ssh-keygen -t rsa -b 4096
Install kubectl for aws eks in your local
curl -O https://s3.us-west-2.amazonaws.com/amazon-eks/1.32.0/2024-12-20/bin/linux/amd64/kubectl
chmod +x ./kubectl
mkdir -p $HOME/bin && cp ./kubectl $HOME/bin/kubectl && export PATH=$HOME/bin:$PATH
Docker images to ECR
Build and push docker images to AWS ECR
Model server
- K-Serve and Kubernetes inference services takes care of it so no need docker for model server
Web server
docker build -t web-server -f Dockerfile.web-server .
UI server
docker build -t ui-server -f Dockerfile.ui-server .
Model file preparation
Take a new spot instance manully g4dn.xlarge and check if it works else go for small model or take larger GPU instance
Use the code inside model-server/sd3_deploy/test_small_model_infer
python test_small_model_infer.py
Use the code inside model-server/sd3_deploy
# Take a g4dn.xlarge instance.
aws configure
python download_small_model.py
mkdir -p ../model-store
sh create_mar.sh
sh upload_to_s3.sh
Verify inside s3 if you can see all above files. Dont forget to add config folder while uploading
Note: Make sure you change your account number in all .yaml files
Go into src/eks-cluster-config folder. It takes 7-15 minutes based on number of resources you have listed in .yaml file for cluster creation
eksctl create cluster -f eks-cluster.yaml
<debug-facts>
# only usefull during debugging
# Create a new nodegroup
# You can comment out a resource and later uncomment it and create the new nodegroup in same cluster
# This can save some cost of gpu nodes. But make sure to create before doing gpu related installations
eksctl create nodegroup --config-file=eks-cluster.yaml
# Delete nodegroup
eksctl delete nodegroup --cluster basic-cluster --name ng-gpu-spot-1
# Delete cluster, Also check in "AWS Cloud Formation" as sometimes even in CLI if its success
in "AWS Cloud Formation" you will get deletion failed.
eksctl delete cluster -f eks-cluster.yaml --disable-nodegroup-eviction
</debug-facts>
Check instances which is in EC2
For this to work the defualt ssh should have been configured and it helps in establishing connection with EC2
ssh ec2-user@43.204.212.5
kubectl config view
kubectl get all
IRSA for s3 usage
Ensure iam-s3-test-policy.json is in your current path
# Associates an IAM OIDC (OpenID Connect) provider with your EKS cluster. This association allows you to enable Kubernetes
# service accounts in your cluster to use IAM roles for fine-grained permissions.
eksctl utils associate-iam-oidc-provider --region ap-south-1 --cluster basic-cluster --approve
# Create Iam policy
aws iam create-policy --policy-name S3ListTestEMLO --policy-document file://iam-s3-test-policy.json
# Verification
aws iam get-policy-version --policy-arn arn:aws:iam::ACCOUNT_ID:policy/S3ListTestEMLO --version-id v1
# Attach policy to cluster name
eksctl create iamserviceaccount --name s3-list-sa --cluster basic-cluster --attach-policy-arn arn:aws:iam::306093656765:policy/S3ListTestEMLO --approve --region ap-south-1
Verify
kubectl get saaws s3 ls mybucket-emlo-mumbai- "mybucket-emlo-mumbai" is my bucket name
EBS on EKS
# Do if need: IAM OIDC association
eksctl utils associate-iam-oidc-provider --region ap-south-1 --cluster basic-cluster --approve
# Service account for ebs usage
eksctl create iamserviceaccount \
--name ebs-csi-controller-sa \
--namespace kube-system \
--region ap-south-1 \
--cluster basic-cluster \
--attach-role-arn arn:aws:iam::306093656765:role/AmazonEKS_EBS_CSI_DriverRole
# Create a addon to cluster
eksctl create addon --name aws-ebs-csi-driver --cluster basic-cluster --service-account-role-arn arn:aws:iam::306093656765:role/AmazonEKS_EBS_CSI_DriverRole --region ap-south-1 --force
Verify resouces
kubectl get nodes -L node.kubernetes.io/instance-typekubectl get sckubectl get sa -n kube-system
Istio is an open source service mesh that helps organizations run distributed, microservices-based apps anywhere. Why use Istio? Istio enables organizations to secure, connect, and monitor microservices, so they can modernize their enterprise apps more swiftly and securely.
Setup ISTIO
-
helm repo add istio https://istio-release.storage.googleapis.com/charts -
helm repo update -
kubectl create namespace istio-system -
helm install istio-base istio/base --version 1.20.2 --namespace istio-system --wait -
helm install istiod istio/istiod --version 1.20.2 --namespace istio-system --wait -
kubectl create namespace istio-ingress
<debug-facts>
# Could be used if something in istio-ingress service didnt start or didnt get external ip after long time
- helm uninstall istio-ingress istio/gateway --namespace istio-ingress
</debug-facts>
Install istio-ingress
helm install istio-ingress istio/gateway \
--version 1.20.2 \
--namespace istio-ingress \
--set labels.istio=ingressgateway \
--set service.annotations."service\\.beta\\.kubernetes\\.io/aws-load-balancer-type"=external \
--set service.annotations."service\\.beta\\.kubernetes\\.io/aws-load-balancer-nlb-target-type"=ip \
--set service.annotations."service\\.beta\\.kubernetes\\.io/aws-load-balancer-scheme"=internet-facing \
--set service.annotations."service\\.beta\\.kubernetes\\.io/aws-load-balancer-attributes"="load_balancing.cross_zone.enabled=true"
kubectl rollout restart deployment istio-ingress -n istio-ingress
Verify
kubectl get deployment.apps/istio-ingress -n istio-ingress
Note: Install loadbalancer which is few steps away -> Wait for load balancer to become action then run below command -> Check if istio gets an external ip after load balancer is active else redo above ones and debug it. If istio didnt get an external ip or if any of its kubernetes resource status is imagepullfailed redo above else you cant get an accessible url.
ALB
- Assumed policy(
AWSLoadBalancerControllerIAMPolicy) is already created from session-15 or else refer it
eksctl create iamserviceaccount \
--cluster=basic-cluster \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--attach-policy-arn=arn:aws:iam::306093656765:policy/AWSLoadBalancerControllerIAMPolicy \
--override-existing-serviceaccounts \
--region ap-south-1 \
--approve
helm repo add eks https://aws.github.io/eks-chartshelm repo updatehelm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=basic-cluster --set serviceAccount.create=false --set serviceAccount.name=aws-load-balancer-controller
Verify
kubectl get pods,svc -n istio-systemkubectl get pods,svc -n istio-ingress
If istio-ingress external ip is not assigned even after load-balancer becomes active use below command after loadbalancer becomes active
kubectl rollout restart deployment istio-ingress -n istio-ingress
Install Metrics
<debug-facts>
kubectl delete -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
Additionally Patching is done in above reference
<debug-facts>
Kubernetes Dashboard
-
helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/ -
helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard -
kubectl label namespace default istio-injection=enabled
Install the Gateway CRDs
kubectl get crd gateways.gateway.networking.k8s.io &> /dev/null || \\ { kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v1.2.0" | kubectl apply -f -; }
Apply istio-kserve-ingress to create istio class and assign to kserve
kubectl apply -f istio-kserve-ingress.yaml
Install Cert Manager
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
Install KServe using HELM
-
helm install kserve-crd oci://ghcr.io/kserve/charts/kserve-crd --version v0.14.1 -
helm install kserve oci://ghcr.io/kserve/charts/kserve \ --version v0.14.1 \ --set kserve.controller.deploymentMode=RawDeployment \ --set kserve.controller.gateway.ingressGateway.className=istio
GPU installations
helm repo add nvidia https://helm.ngc.nvidia.com/nvidia && helm repo updatehelm install --wait --generate-name -n gpu-operator --create-namespace nvidia/gpu-operator --version=v24.9.1kubectl -n gpu-operator logs -f $(kubectl -n gpu-operator get pods | grep dcgm | cut -d ' ' -f 1 | head -n 1)
Linking S3 policy to Cluster
- eksctl utils associate-iam-oidc-provider --region ap-south-1 --cluster basic-cluster --approve
eksctl create iamserviceaccount \ --cluster=basic-cluster \ --name=s3-read-only \ --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \ --override-existing-serviceaccounts \ --region ap-south-1 \ --approve
(not able to move to helm charts but there is a way)
-
kubectl apply -f s3-secret.yaml -
kubectl patch serviceaccount s3-read-only -p '{"secrets": [{"name": "s3-secret"}]}'
Helm Installation
Note:
- Make sure you have updated the istio end point in this file
fastapi-helm/templates/model-server.cm.yml. istio end point doesnt change untill you reinstall the isitio service in a cluster. So until you dont touch istio services it remains constant. - Your
ui-serverend point is dynamic for every helm install as its configured insidefastapi-helm/templates/ui-server.service.yml
Install fastapi-helm
- helm install fastapi-release-default fastapi-helm --values fastapi-helm/values.yaml
Verify
- kubectl get all
<debug-facts>
# Uninstallation
helm uninstall fastapi-release-default
# if uninstallation fails do below
kubectl delete secret sh.helm.release.v1.fastapi-release-default.v1 -n default
# Want to change a image of a pod ? set image pull policy to "Always" update the image in AWS ECR and then delete the pod
# After deletion the cluster recreates now with new image. This helps in faster debugging without need to deleting entire cluster.
kubectl delete pods/web-server-669c6cc8f8-zjvsd
<debug-facts>
Hacks made to make this code work. I was not able to install in any of the existing namespace so only after running below commands i was able to give access to Helm to deploy in preexisting namespaces. fastapi-release-default is the helm chart name that user has gives.
kubectl label namespace default app.kubernetes.io/managed-by=Helm
kubectl annotate namespace default meta.helm.sh/release-name=fastapi-release-default
kubectl annotate namespace default meta.helm.sh/release-namespace=default
helm install fastapi-release-default fastapi-helm --values fastapi-helm/values.yaml --namespace default
Debugging inside helm pods
Getting inside a specific pod and having iterative shell
kubectl exec -it ui-server-59cb8d9f96-8559p -- /bin/bash
Check if webservice is reachable from ui-service pods. If some service like ui-server, web-server is not able to be reached get inside the specific pod and do a curl to the service
curl -X POST "http://web-server-service/generate_image?text=horseriding"
While debugging docker files rebuild with no-cache as it may push the same thing again sometimes
docker build -t a16/web-server -f Dockerfile.web-server . --no-cache
Delete pods but dont worry it recreates automatically to match the replicas
kubectl delete pods/web-server-669c6cc8f8-zjvsd
Use fake-server.py to setup a server instead of gpu service and verify network configurations and main codes with local docker runs and debugging.
Use test_sd3_from_local for testing the model server. Check the pod logs of torchserve predictor only after model loading and if the torchserve established in 8080 port in logs we can tell that its ready to serve.
Install Kiali, prometheus and grafana
Just run below in linux terminal
for ADDON in kiali jaeger prometheus grafana
do
ADDON_URL="https://raw.githubusercontent.com/istio/istio/release-1.20/samples/addons/$ADDON.yaml"
kubectl apply -f $ADDON_URL
done
For promethues to fetch GPU utilization run following file which is prometheus.yaml
kubectl apply -f prometheus.yaml
Port forwarding and visuvalization
kubectl port-forward svc/kiali 20001:20001 -n istio-system
Get to the Prometheus UI
kubectl port-forward svc/prometheus 9090:9090 -n istio-system
Visualize metrics in using Grafana
kubectl port-forward svc/grafana 3000:3000 -n istio-system
Add DCGM_FI_DEV_GPU_UTIL panel in promethus so that it can fetch those metrics. Now in Grafana download nvidia-dcgm dashboard packages json file and upload in new dashboard section in grafana. Now you can see GPU metrics
After this you can go to the ui-server url and query it may give some output. After you make 5-10 queries you can see some significant metrics in grafana, promethues and kiali.
May through an error as we have did some hacky change for helm install fastapi-release-default
helm uninstall fastapi-release-default
This will completely uninstall helm's particular resources
kubectl delete secret sh.helm.release.v1.fastapi-release-default.v1 -n default
Delete cluster and all resources
eksctl delete cluster -f eks-cluster.yaml --disable-nodegroup-eviction
Wait paitently see all deletion is successfull in cloud formation and then close the system because some times the deletion gets failed so at backend something would be running and it may cost you high
-
If u force delete resources in CLI it will be running in background so check cloud formation or ec2 instances. But if you do it in "AWS Cloud formation" UI, it will delete all resources completely.
-
I could have moved the service account creation to yaml files and could have done it with helm install command but already the assignment took more time so that could be improved.
-
Usage of small model in the same
diffusersandStableDiffusionPipelinemodule could save more cost in debugging and development time. -
Deletion of pods and auto recreation
kubectl delete pods/web-server-669c6cc8f8-zjvsd
-
Debugging a particular pod by getting inside it
-
kubectl exec -it ui-server-59cb8d9f96-8559p -- /bin/bash -
Managing nodegroups through
.yamlfilesCreate nodegroup
eksctl create nodegroup --config-file=eks-cluster.yaml
Delete nodegroup
eksctl delete nodegroup --cluster basic-cluster --name ng-gpu-spot-1
-
connecting kserve with istio and managing pods
-
Ouput of kubectl get all -A
-
Kiali Graph of the Deployment
-
GPU Usage from Grafana and Prometheus while on LOAD
-
Logs of your torchserve-predictor
-
5 Outputs of the SD3 Model
-
Other logs
-
Other Screenshots
-
Architecture
- Ajith Kumar V (myself)
- Pravin Sagar
- Hema M
- Muthukamalan