From af120c21434a4ee10ed5464dc36b7a6dd31d4603 Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 23 Jun 2026 14:23:11 +0100 Subject: [PATCH 1/7] Update preflight-checks.mdx Signed-off-by: MichaelTansiniSeqera --- .../docs/compute-envs/preflight-checks.mdx | 69 ++++++++++--------- 1 file changed, 37 insertions(+), 32 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index 9d52d3cfd..12d98d609 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -5,20 +5,20 @@ date: "23 Jun 2026" tags: [compute environments, credentials, troubleshooting] --- -Pre-flight checks continuously validate that a compute environment (CE) is usable before and at the point of pipeline launch. They run in the background on a schedule and synchronously at launch time, so problems are surfaced to users before pipelines are submitted rather than failing mid-run. +Pre-flight checks validate that a compute environment (CE) is usable before and at the point of pipeline launch on Seqera Platform. They run in regular intervals in the background and synchronously at launch time, so problems are surfaced to users before pipelines are submitted rather than failing. Pre-flight checks only check for criteria that would cause a pipeline launch to always fail. Pre-flight checks are enabled by default and cannot be disabled. ## What to verify before creating a compute environment -Resolving problems before they are caught by the background sweep or a blocked launch is faster than diagnosing them after the fact. Before creating or deploying a compute environment, confirm the following: +Before creating or deploying a compute environment, confirm the following: **Credentials** - The access keys, service account key, or managed identity are valid and have not been rotated or revoked. - The IAM role or service account has the permissions required by the target platform. See the relevant CE page for the minimum required policy. **Work directory** -- The bucket or storage container exists in the same region as the compute environment (required for AWS). +- The bucket or storage container exists in the same region as the compute environment (required for AWS Batch and Cloud Compute environments only). - The credential attached to the CE has read and write access to the work directory path. - The path itself exists if the provider requires it (not all cloud storage providers auto-create paths). @@ -26,37 +26,31 @@ Resolving problems before they are caught by the background sweep or a blocked l - The Wave service is running and reachable from the Platform instance. **Tower Agent** (HPC/grid CEs only) -- The Tower Agent process is running on the cluster before any pipeline is launched against that CE. -- See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. +- Tower Agent is reachable from Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. ## What is checked and when -Platform runs three tiers of validation: +Seqera Platform validates three different of validation: -### 1. Background credential sweep +### 1. Credential validation -Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Platform calls the provider API to verify the credential keys are still accepted — for example, that AWS access keys haven't been rotated or that a GCP service account key hasn't been revoked. +Runs on a recurring schedule and at pipeline launch. For each cloud credential (AWS, GCP, Azure) in scope, Platform calls the provider API to verify the credential is still accepted and can authenticate. For AWS role-based credentials and GCP Workload Idenitty Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. -When a credential fails this check, it is marked **INVALID** with the specific provider error recorded in the credential record. This state is then visible to the CE sweep and to any launch that references that credential. +When a credential fails this check, it is marked **INVALID** with the provider error recorded on the credential record. The error message is recorded against the credential, and also returned for any pipeline launch with the API that references this credential -:::note -Platform also checks whether the credential permissions are sufficient to run the pipeline, not just that the keys are valid. -::: +A CE marked **INVALID** displays a banner with the corresponding error message. A Compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. -### 2. Background CE sweep +### 2. Compute environment validation -Runs approximately every hour across all **AVAILABLE** compute environments. Each CE goes through two gated checks in sequence: +Runs approximately every hour across all compute environments where the status is **AVAILABLE**. The checks validate: -1. **Credential status** — reads the credential status already recorded in the database (no extra cloud call). If the credential is **INVALID**, the CE is immediately marked **INVALID** and the work directory check is skipped. -2. **Work directory** — calls the cloud provider to verify the CE's configured work directory is accessible. If this fails, the CE is marked **INVALID** with the provider error appended. +1. **Credential status** — If the credential is **INVALID**, the CE is immediately marked **INVALID**. +2. **Work directory** — Validates whether the Compute environment's configured work directory is accessible. If this fails, the CE is marked **INVALID** with the provider error appended in the card view and at the top of the form page. -A CE marked **INVALID** by the background sweep displays a banner explaining the reason. A CE that passes returns to or stays **AVAILABLE** and its `lastValidated` timestamp is refreshed. +A CE marked **INVALID** displays a banner with the corresponding error message. A Compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. -:::note -The background CE sweep covers AWS Batch, AWS Cloud, Azure Batch, Azure Cloud, Google Cloud Batch, and Google Cloud compute environments. -::: -### 3. Synchronous launch-time checks +### 3. Pipeline launch-time checks Run immediately when a user submits a pipeline launch. If any check fails, the launch is blocked and a specific error is returned. Multiple failures are reported together. @@ -65,10 +59,22 @@ Run immediately when a user submits a pipeline launch. If any check fails, the l | CE status | Blocks launch if the CE is marked **INVALID** | | Credential status | Blocks launch if the credential associated with the CE is marked **INVALID** | | Work directory override | If the user provided a different work directory at launch, validates that path with the cloud provider | -| Wave connectivity | For CEs with Wave enabled, verifies the Wave service connection is active | -| Tower Agent | For HPC/grid CEs, verifies a Tower Agent is online for the environment | +| Wave connectivity | For Compute Environments with Wave enabled, verifies the Wave service connection is active | +| Tower Agent | For HPC Compute enrionemnts, verifies a Tower Agent is online for the environment | -## Manually re-validating a compute environment +## Manually re-validating credentials + +When a credential is marked **INVALID** and you have rotated the keys or fixed the underlying issue, you can trigger an immediate +re-validation: + +1. Navigate to **Credentials** in your workspace. +2. Find the credential and select **Validate**. + +If the credential is valid, Seqera Platform will update the credential status immediately. The status of the credential will return to **AVAILABLE**. + +Any compute environments that were marked **INVALID** due to failed credentials will not recover automatically, and will need to be validated separately. + +## Manually re-validating a Compute environment When a compute environment is marked **INVALID** and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: @@ -76,17 +82,17 @@ When a compute environment is marked **INVALID** and you have fixed the underlyi 2. Find the CE and open its **⋮** (three-dot) dropdown menu. 3. Select **Validate**. -Platform runs the full check sequence (live credential probe + work directory check) and updates the CE status immediately. If all checks pass, the CE returns to **AVAILABLE**. +Seqera Platform will carry out pre-flight checks and update the CE status immediately. If all checks pass, the CE returns to **AVAILABLE**. ## Error reference -### CE banner messages +### Compute environment error messages These appear on the compute environment detail page when the CE is **INVALID**. | Banner | Meaning | Action | |---|---|---| -| `Associated credentials are invalid or expired. Update the credentials and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep found the attached credential marked INVALID | Go to **Credentials**, update or rotate the credential, then use **Validate** on the CE | +| `Associated credentials are invalid or expired. Update the credentials and validate this compute environment, or contact your workspace maintainer to resolve this.` | The pre-flight checks found the attached credential were now no longer valid | Go to **Credentials**, update or rotate the credential, then use **Validate** on the CE | | `Work directory is invalid. {reason}. Fix it and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep could not access the configured work directory | Fix the bucket/path permissions or location, then use **Validate** on the CE | ### Launch-time errors @@ -95,15 +101,14 @@ These are returned immediately to the user when a launch is blocked. | Error | Cause | Resolution | |---|---|---| -| `The selected compute environment '...' is in an invalid state` | CE is marked INVALID (see banner on the CE for the specific reason) | Fix the root cause shown in the CE banner, then re-validate the CE | -| `The credentials '...' used by this compute environment are invalid` | Credential is marked INVALID | Go to **Credentials**, update or rotate the credential. The CE will be re-validated automatically or use **Validate** on the CE | -| `Wave is required by the selected compute environment but the Wave service connection is not active. Verify that Wave is running and check for connectivity issues` | Platform cannot reach the Wave service | Check that Wave is running. Contact your platform administrator if the issue persists | -| `Wave is required by the selected compute environment but is not configured on this platform` | Wave is enabled on the CE but not configured at the platform level | Contact your platform administrator to configure Wave | +| `The selected compute environment '$COMPUTE_ENVIRONMENT' is in an invalid state` | Compute envrionemnt is no longer valid (see error messsage on the Compute environemnt for the specific reason) | Fix the root cause shown in the CE banner, then re-validate the CE | +| `The credentials '$CREDENTIAL' used by this compute environment are invalid` | Credentials are no longer valid | Go to **Credentials**, update or rotate the credential and then validate any associated Compute environments | +| `Wave is required by the selected compute environment but the Wave service connection is not active. Verify that Wave is running and check for connectivity issues` | Platform cannot reach the Wave service | Check that Wave is running. Contact your platform administrator if the issue persists, and then retry the launch once Wave is restored | | `No Tower Agent is online for the selected compute environment. Check that Tower Agent is running at your cluster.` | No Tower Agent process is connected for this CE (HPC/grid only) | Start or restart Tower Agent on the cluster. See [Tower Agent](../getting-started/tower-agent) | ### Credential error messages -When the credential sweep marks a credential INVALID, the provider-specific reason is stored on the credential record and surfaced in the CE banner and launch error. + When the credential pre-flight check marks a credential as INVALID, the provider-specific reason is stored on the credential record. It also appears in the launch-time error when a pipeline is blocked | Provider | Example message | |---|---| From ecbaa628f09724aea0fe068e9eccb1d61cdc9b8c Mon Sep 17 00:00:00 2001 From: MichaelTansiniSeqera Date: Tue, 23 Jun 2026 14:53:16 +0100 Subject: [PATCH 2/7] Update preflight-checks.mdx Signed-off-by: MichaelTansiniSeqera --- platform-cloud/docs/compute-envs/preflight-checks.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index a0bbdcf4c..a4e369396 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -29,7 +29,7 @@ Before creating or deploying a compute environment, confirm the following: ## What is checked and when -Seqera Platform validates three different of validation: +Seqera Platform carries out three different tiers of validation: ### 1. Credential validation From 3ee648d73c3553d0595a268e5999594bea741c39 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 23 Jun 2026 22:17:47 +0200 Subject: [PATCH 3/7] Apply suggestions from code review Co-authored-by: Justine Geffen Signed-off-by: Justine Geffen --- .../docs/compute-envs/preflight-checks.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index a4e369396..5d34a96a5 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -53,11 +53,11 @@ Run immediately when a user submits a pipeline launch. If any check fails, the l | Check | What it does | |---|---| -| CE status | Blocks launch if the CE is marked **INVALID** | -| Credential status | Blocks launch if the credential associated with the CE is marked **INVALID** | +| Compute environment status | Blocks launch if the CE is marked **INVALID** | +| Credential status | Blocks launch if the credential associated with the compute environment is marked **INVALID** | | Work directory override | If the user provided a different work directory at launch, validates that path with the cloud provider | -| Wave connectivity | For Compute Environments with Wave enabled, verifies the Wave service connection is active | -| Tower Agent | For HPC Compute enrionemnts, verifies a Tower Agent is online for the environment | +| Wave connectivity | For compute environment with Wave enabled, verifies the Wave service connection is active | +| Tower Agent | For HPC compute environments, verifies a Tower Agent is online for the environment | ## Manually re-validating credentials @@ -75,10 +75,10 @@ Any compute environments that were marked **INVALID** due to this credential wil When a compute environment is marked **INVALID** and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: 1. Navigate to **Compute environments** in your workspace. -2. Find the CE and open its **⋮** (three-dot) dropdown menu. +2. Find the compute environment and open its **⋮** (three-dot) dropdown menu. 3. Select **Validate**. -Seqera Platform will carry out pre-flight checks and update the CE status immediately. If all checks pass, the CE returns to **AVAILABLE**. +Seqera Platform will carry out pre-flight checks and update the compute environment status immediately. If all checks pass, the compute environment returns to **AVAILABLE**. ## Error reference From a5141c45852fcb3971871f57ec00b0564fe1b434 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 23 Jun 2026 22:18:06 +0200 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Justine Geffen Signed-off-by: Justine Geffen --- platform-cloud/docs/compute-envs/preflight-checks.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index 5d34a96a5..a019f4d93 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -41,10 +41,10 @@ When a credential fails this check, it is marked **INVALID** with the provider e Runs approximately every hour across all compute environments where the status is **AVAILABLE**. The checks validate: -1. **Credential status** — If the credential is **INVALID**, the CE is immediately marked **INVALID**. -2. **Work directory** — Validates whether the Compute environment's configured work directory is accessible. If this fails, the CE is marked **INVALID** with the provider error appended in the card view and at the top of the form page. +1. **Credential status**. If the credential is **INVALID**, the compute environment is immediately marked **INVALID**. +2. **Work directory**. Validates whether the compute environment's configured work directory is accessible. If this fails, the compute environment is marked **INVALID** with the provider error appended in the card view and at the top of the form page. -A CE marked **INVALID** displays a banner with the corresponding error message. A Compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. +A compute environment marked **INVALID** displays a banner with the corresponding error message. A compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. ### 3. Pipeline launch-time checks From e4eee4f24db1c63b95548fcaf2dc6278f092aded Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Tue, 23 Jun 2026 22:22:23 +0200 Subject: [PATCH 5/7] Update preflight-checks.mdx Signed-off-by: Justine Geffen --- .../docs/compute-envs/preflight-checks.mdx | 37 +++++++++---------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index a019f4d93..55a76ab01 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -1,11 +1,11 @@ --- title: "Compute environment pre-flight checks" description: "How Seqera Platform continuously validates compute environments and what to do when a check fails" -date: "23 Jun 2026" +date created: "2026-06-23" tags: [compute environments, credentials, troubleshooting] --- -Pre-flight checks validate that a compute environment (CE) is usable before and at the point of pipeline launch. They run in the background on a recurring schedule and synchronously at launch time, so problems are surfaced before pipelines are submitted rather than failing mid-run. Pre-flight checks only flag conditions that would cause a pipeline launch to fail. +Pre-flight checks validate that a compute environment is usable before and at the point of pipeline launch. They run in the background on a recurring schedule and synchronously at launch time, so problems are surfaced before pipelines are submitted rather than failing mid-run. Pre-flight checks only flag conditions that would cause a pipeline launch to fail. Pre-flight checks are enabled by default and cannot be disabled. @@ -15,19 +15,19 @@ Before creating or deploying a compute environment, confirm the following: **Credentials** - The access keys, service account key, or managed identity are valid and have not been rotated or revoked. -- The IAM role or service account has the permissions required by the target platform. See the relevant CE page for the minimum required policy. +- The IAM role or service account has the permissions required by the target platform. See the relevant compute environment page for the minimum required policy. **Work directory** - The bucket or storage container exists in the same region as the compute environment (required for AWS Batch and AWS Cloud compute environments only). -- The credential attached to the CE has read and write access to the work directory path. +- The credential attached to the compute environment has read and write access to the work directory path. -**Wave** (if enabled on the CE) +**Wave** (if enabled) - The Wave service is running and reachable from the Platform instance. -**Tower Agent** (HPC/grid CEs only) +**Tower Agent** (HPC/grid compute environments only) - Tower Agent is reachable from Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. -## What is checked and when +## Validation process Seqera Platform carries out three different tiers of validation: @@ -35,7 +35,7 @@ Seqera Platform carries out three different tiers of validation: Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Platform calls the provider API to verify the credential is still accepted and can authenticate. The credential sweep makes a live API call to verify the credential is still accepted by the cloud provider. For AWS role-based credentials and GCP Workload Identity Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. -When a credential fails this check, it is marked **INVALID** with the provider error recorded on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the CE banner — to see the specific provider error, check the credential record directly. +When a credential fails this check, it is marked **INVALID** with the provider error recorded on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner — to see the specific provider error, check the credential record directly. ### 2. Compute environment validation @@ -46,20 +46,19 @@ Runs approximately every hour across all compute environments where the status i A compute environment marked **INVALID** displays a banner with the corresponding error message. A compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. - ### 3. Pipeline launch-time checks Run immediately when a user submits a pipeline launch. If any check fails, the launch is blocked and a specific error is returned. Multiple failures are reported together. | Check | What it does | |---|---| -| Compute environment status | Blocks launch if the CE is marked **INVALID** | +| Compute environment status | Blocks launch if the compute environment is marked **INVALID** | | Credential status | Blocks launch if the credential associated with the compute environment is marked **INVALID** | | Work directory override | If the user provided a different work directory at launch, validates that path with the cloud provider | | Wave connectivity | For compute environment with Wave enabled, verifies the Wave service connection is active | | Tower Agent | For HPC compute environments, verifies a Tower Agent is online for the environment | -## Manually re-validating credentials +## Manual credential validation When a credential is marked **INVALID** and you have rotated the keys or fixed the underlying issue, you can trigger an immediate re-validation: @@ -68,9 +67,9 @@ When a credential is marked **INVALID** and you have rotated the keys or fixed t Platform makes a live call to the cloud provider and updates the credential status immediately. If the check passes, the credential returns to **AVAILABLE**. -Any compute environments that were marked **INVALID** due to this credential will not recover automatically — use **Validate** on each affected CE after the credential is restored. +Any compute environments that were marked **INVALID** due to this credential will not recover automatically — use **Validate** on each affected compute environment after the credential is restored. -## Manually re-validating a compute environment +## Manual compute environment validation When a compute environment is marked **INVALID** and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: @@ -88,8 +87,8 @@ These appear on the compute environment detail page when the CE is **INVALID**. | Banner | Meaning | Action | |---|---|---| -| `Associated credentials are invalid or expired. Update the credentials and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep found the attached credential is no longer valid | Go to **Credentials**, update or rotate the credential, then use **Validate** on the CE | -| `Work directory is invalid. {reason}. Fix it and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep could not access the configured work directory | Fix the bucket/path permissions or location, then use **Validate** on the CE | +| `Associated credentials are invalid or expired. Update the credentials and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep found the attached credential is no longer valid | Go to **Credentials**, update or rotate the credential, then use **Validate** on the compute environment | +| `Work directory is invalid. {reason}. Fix it and validate this compute environment, or contact your workspace maintainer to resolve this.` | The background sweep could not access the configured work directory | Fix the bucket/path permissions or location, then use **Validate** on the compute environment | ### Launch-time errors @@ -97,14 +96,14 @@ These are returned immediately to the user when a launch is blocked. | Error | Cause | Resolution | |---|---|---| -| `The selected compute environment '...' is in an invalid state` | CE is marked INVALID (see banner on the CE for the specific reason) | Fix the root cause shown in the CE banner, then use **Validate** on the CE | -| `The credentials '...' used by this compute environment are invalid` | Credential is marked INVALID | Go to **Credentials**, update or rotate the credential, then use **Validate** on the CE | +| `The selected compute environment '...' is in an invalid state` | Compute environment is marked INVALID (see banner for the specific reason) | Fix the root cause, then use **Validate** on the compute environment | +| `The credentials '...' used by this compute environment are invalid` | Credential is marked INVALID | Go to **Credentials**, update or rotate the credential, then use **Validate** on the compute environment | | `Wave is required by the selected compute environment but the Wave service connection is not active. Verify that Wave is running and check for connectivity issues` | Platform cannot reach the Wave service | Contact your platform administrator. Once Wave is restored, retry the launch | -| `No Tower Agent is online for the selected compute environment. Check that Tower Agent is running at your cluster.` | No Tower Agent is connected for this CE (HPC/grid only) | Start or restart Tower Agent on the cluster. See [Tower Agent](../getting-started/tower-agent) | +| `No Tower Agent is online for the selected compute environment. Check that Tower Agent is running at your cluster.` | No Tower Agent is connected for this compute environment (HPC/grid only) | Start or restart Tower Agent on the cluster. See [Tower Agent](../getting-started/tower-agent) | ### Credential error messages -When the credential sweep marks a credential INVALID, the provider-specific reason is stored on the credential record. It appears in the launch-time error when a pipeline is blocked, but not in the CE banner — to see the specific provider error, check the credential record directly. +When the credential sweep marks a credential **INVALID**, the provider-specific reason is stored on the credential record. It appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. | Provider | Example message | |---|---| From 9163ad7488e89871386d09a8162dbea33f3886ec Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Wed, 24 Jun 2026 20:53:43 +0200 Subject: [PATCH 6/7] docs(cloud): deslop pass on preflight-checks page Tighten prose, restore the CE-types scope note (reworded for "checks" terminology), normalize CE -> compute environment and Platform -> Seqera Platform, fix passive constructions and a stray , so connector, apply the drop-down Vale rule. Co-Authored-By: Claude Opus 4.7 (1M context) --- .../docs/compute-envs/preflight-checks.mdx | 36 ++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index 55a76ab01..571cdbd4b 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -5,7 +5,7 @@ date created: "2026-06-23" tags: [compute environments, credentials, troubleshooting] --- -Pre-flight checks validate that a compute environment is usable before and at the point of pipeline launch. They run in the background on a recurring schedule and synchronously at launch time, so problems are surfaced before pipelines are submitted rather than failing mid-run. Pre-flight checks only flag conditions that would cause a pipeline launch to fail. +Pre-flight checks validate that a compute environment is usable before and at the point of pipeline launch. They run in the background on a recurring schedule and synchronously at launch time. Problems appear before pipeline submission rather than mid-run. Pre-flight checks only flag conditions that would block a pipeline launch. Pre-flight checks are enabled by default and cannot be disabled. @@ -25,37 +25,41 @@ Before creating or deploying a compute environment, confirm the following: - The Wave service is running and reachable from the Platform instance. **Tower Agent** (HPC/grid compute environments only) -- Tower Agent is reachable from Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. +- Tower Agent is reachable from Seqera Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. ## Validation process -Seqera Platform carries out three different tiers of validation: +Seqera Platform runs three tiers of validation: ### 1. Credential validation -Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Platform calls the provider API to verify the credential is still accepted and can authenticate. The credential sweep makes a live API call to verify the credential is still accepted by the cloud provider. For AWS role-based credentials and GCP Workload Identity Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. +Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Seqera Platform calls the provider API to verify that the credential is still accepted. For AWS role-based credentials and GCP Workload Identity Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. -When a credential fails this check, it is marked **INVALID** with the provider error recorded on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner — to see the specific provider error, check the credential record directly. +When a credential fails this check, Seqera Platform marks it **INVALID** and records the provider error on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. ### 2. Compute environment validation -Runs approximately every hour across all compute environments where the status is **AVAILABLE**. The checks validate: +Runs approximately every hour across all **AVAILABLE** compute environments. Seqera Platform validates: -1. **Credential status**. If the credential is **INVALID**, the compute environment is immediately marked **INVALID**. -2. **Work directory**. Validates whether the compute environment's configured work directory is accessible. If this fails, the compute environment is marked **INVALID** with the provider error appended in the card view and at the top of the form page. +1. **Credential status**: If the credential is **INVALID**, the compute environment is marked **INVALID** immediately. +2. **Work directory**: Seqera Platform calls the cloud provider to verify that the configured work directory is accessible. If this check fails, the compute environment is marked **INVALID** and the provider error appears in the card view and at the top of the form page. -A compute environment marked **INVALID** displays a banner with the corresponding error message. A compute environment that is marked as **AVAILABLE** has its `lastValidated` timestamp refreshed. +A compute environment marked **INVALID** displays a banner with the error message. An **AVAILABLE** compute environment has its `lastValidated` timestamp refreshed. + +:::note +These checks cover AWS Batch, AWS Cloud, Azure Batch, Azure Cloud, Google Cloud Batch, and Google Cloud compute environments. +::: ### 3. Pipeline launch-time checks -Run immediately when a user submits a pipeline launch. If any check fails, the launch is blocked and a specific error is returned. Multiple failures are reported together. +Runs immediately when a user submits a pipeline launch. If any check fails, the launch is blocked and a specific error is returned. Multiple failures are reported together. | Check | What it does | |---|---| | Compute environment status | Blocks launch if the compute environment is marked **INVALID** | | Credential status | Blocks launch if the credential associated with the compute environment is marked **INVALID** | | Work directory override | If the user provided a different work directory at launch, validates that path with the cloud provider | -| Wave connectivity | For compute environment with Wave enabled, verifies the Wave service connection is active | +| Wave connectivity | For compute environments with Wave enabled, verifies the Wave service connection is active | | Tower Agent | For HPC compute environments, verifies a Tower Agent is online for the environment | ## Manual credential validation @@ -65,25 +69,25 @@ When a credential is marked **INVALID** and you have rotated the keys or fixed t 1. Navigate to **Credentials** in your workspace. 2. Find the credential and select **Validate**. -Platform makes a live call to the cloud provider and updates the credential status immediately. If the check passes, the credential returns to **AVAILABLE**. +Seqera Platform makes a live call to the cloud provider and updates the credential status immediately. If the check passes, the credential returns to **AVAILABLE**. -Any compute environments that were marked **INVALID** due to this credential will not recover automatically — use **Validate** on each affected compute environment after the credential is restored. +Compute environments marked **INVALID** because of this credential do not recover automatically. Use **Validate** on each affected compute environment after restoring the credential. ## Manual compute environment validation When a compute environment is marked **INVALID** and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: 1. Navigate to **Compute environments** in your workspace. -2. Find the compute environment and open its **⋮** (three-dot) dropdown menu. +2. Find the compute environment and open its **⋮** (three-dot) drop-down. 3. Select **Validate**. -Seqera Platform will carry out pre-flight checks and update the compute environment status immediately. If all checks pass, the compute environment returns to **AVAILABLE**. +Seqera Platform runs pre-flight checks and updates the compute environment status immediately. If all checks pass, the compute environment returns to **AVAILABLE**. ## Error reference ### Compute environment error messages -These appear on the compute environment detail page when the CE is **INVALID**. +These banners appear on the compute environment detail page when the compute environment is **INVALID**. | Banner | Meaning | Action | |---|---|---| From f54fd2ed56f9fd095ad644fc70cd50e02d88a1b3 Mon Sep 17 00:00:00 2001 From: Justine Geffen Date: Wed, 24 Jun 2026 21:51:32 +0200 Subject: [PATCH 7/7] Update preflight-checks.mdx Signed-off-by: Justine Geffen --- .../docs/compute-envs/preflight-checks.mdx | 38 +++++++++---------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/platform-cloud/docs/compute-envs/preflight-checks.mdx b/platform-cloud/docs/compute-envs/preflight-checks.mdx index 571cdbd4b..75bdd733d 100644 --- a/platform-cloud/docs/compute-envs/preflight-checks.mdx +++ b/platform-cloud/docs/compute-envs/preflight-checks.mdx @@ -25,26 +25,26 @@ Before creating or deploying a compute environment, confirm the following: - The Wave service is running and reachable from the Platform instance. **Tower Agent** (HPC/grid compute environments only) -- Tower Agent is reachable from Seqera Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. +- Tower Agent is reachable from Platform. See [Tower Agent](../getting-started/tower-agent) for installation and startup instructions. ## Validation process -Seqera Platform runs three tiers of validation: +Platform runs three tiers of validation: ### 1. Credential validation -Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Seqera Platform calls the provider API to verify that the credential is still accepted. For AWS role-based credentials and GCP Workload Identity Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. +Runs on a recurring schedule. For each cloud credential (AWS, GCP, Azure) in scope, Platform calls the provider API to verify that the credential is still accepted. For AWS role-based credentials and GCP Workload Identity Federation, this check confirms the credential is well-formed but cannot fully verify the underlying role or identity provider trust configuration. -When a credential fails this check, Seqera Platform marks it **INVALID** and records the provider error on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. +When a credential fails this check, Platform marks it **INVALID** and records the provider error on the credential record. This error appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. ### 2. Compute environment validation -Runs approximately every hour across all **AVAILABLE** compute environments. Seqera Platform validates: +Runs approximately every hour across all `AVAILABLE` compute environments. Platform validates: -1. **Credential status**: If the credential is **INVALID**, the compute environment is marked **INVALID** immediately. -2. **Work directory**: Seqera Platform calls the cloud provider to verify that the configured work directory is accessible. If this check fails, the compute environment is marked **INVALID** and the provider error appears in the card view and at the top of the form page. +1. **Credential status**: If the credential is `INVALID`, the compute environment is marked `INVALID` immediately. +2. **Work directory**: Platform calls the cloud provider to verify that the configured work directory is accessible. If this check fails, the compute environment is marked **INVALID** and the provider error appears in the card view and at the top of the form page. -A compute environment marked **INVALID** displays a banner with the error message. An **AVAILABLE** compute environment has its `lastValidated` timestamp refreshed. +A compute environment marked `INVALID` displays a banner with the error message. An `AVAILABLE` compute environment has its `lastValidated` timestamp refreshed. :::note These checks cover AWS Batch, AWS Cloud, Azure Batch, Azure Cloud, Google Cloud Batch, and Google Cloud compute environments. @@ -56,38 +56,38 @@ Runs immediately when a user submits a pipeline launch. If any check fails, the | Check | What it does | |---|---| -| Compute environment status | Blocks launch if the compute environment is marked **INVALID** | -| Credential status | Blocks launch if the credential associated with the compute environment is marked **INVALID** | +| Compute environment status | Blocks launch if the compute environment is marked `INVALID` | +| Credential status | Blocks launch if the credential associated with the compute environment is marked `INVALID` | | Work directory override | If the user provided a different work directory at launch, validates that path with the cloud provider | | Wave connectivity | For compute environments with Wave enabled, verifies the Wave service connection is active | | Tower Agent | For HPC compute environments, verifies a Tower Agent is online for the environment | ## Manual credential validation -When a credential is marked **INVALID** and you have rotated the keys or fixed the underlying issue, you can trigger an immediate re-validation: +When a credential is marked `INVALID` and you have rotated the keys or fixed the underlying issue, you can trigger an immediate re-validation: 1. Navigate to **Credentials** in your workspace. 2. Find the credential and select **Validate**. -Seqera Platform makes a live call to the cloud provider and updates the credential status immediately. If the check passes, the credential returns to **AVAILABLE**. +Platform makes a live call to the cloud provider and updates the credential status immediately. If the check passes, the credential returns to `AVAILABLE`. -Compute environments marked **INVALID** because of this credential do not recover automatically. Use **Validate** on each affected compute environment after restoring the credential. +Compute environments marked `INVALID` because of this credential do not recover automatically. Use **Validate** on each affected compute environment after restoring the credential. ## Manual compute environment validation -When a compute environment is marked **INVALID** and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: +When a compute environment is marked `INVALID` and you have fixed the underlying issue, you can trigger an immediate re-validation without waiting for the next background sweep: 1. Navigate to **Compute environments** in your workspace. 2. Find the compute environment and open its **⋮** (three-dot) drop-down. 3. Select **Validate**. -Seqera Platform runs pre-flight checks and updates the compute environment status immediately. If all checks pass, the compute environment returns to **AVAILABLE**. +Platform runs pre-flight checks and updates the compute environment status immediately. If all checks pass, the compute environment returns to `AVAILABLE`. ## Error reference ### Compute environment error messages -These banners appear on the compute environment detail page when the compute environment is **INVALID**. +These banners appear on the compute environment detail page when the compute environment is `INVALID`. | Banner | Meaning | Action | |---|---|---| @@ -100,14 +100,14 @@ These are returned immediately to the user when a launch is blocked. | Error | Cause | Resolution | |---|---|---| -| `The selected compute environment '...' is in an invalid state` | Compute environment is marked INVALID (see banner for the specific reason) | Fix the root cause, then use **Validate** on the compute environment | -| `The credentials '...' used by this compute environment are invalid` | Credential is marked INVALID | Go to **Credentials**, update or rotate the credential, then use **Validate** on the compute environment | +| `The selected compute environment '...' is in an invalid state` | Compute environment is marked `INVALID` (see banner for the specific reason) | Fix the root cause, then use **Validate** on the compute environment | +| `The credentials '...' used by this compute environment are invalid` | Credential is marked `INVALID` | Go to **Credentials**, update or rotate the credential, then use **Validate** on the compute environment | | `Wave is required by the selected compute environment but the Wave service connection is not active. Verify that Wave is running and check for connectivity issues` | Platform cannot reach the Wave service | Contact your platform administrator. Once Wave is restored, retry the launch | | `No Tower Agent is online for the selected compute environment. Check that Tower Agent is running at your cluster.` | No Tower Agent is connected for this compute environment (HPC/grid only) | Start or restart Tower Agent on the cluster. See [Tower Agent](../getting-started/tower-agent) | ### Credential error messages -When the credential sweep marks a credential **INVALID**, the provider-specific reason is stored on the credential record. It appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. +When the credential sweep marks a credential `INVALID`, the provider-specific reason is stored on the credential record. It appears in the launch-time error when a pipeline is blocked, but not in the compute environment banner. To see the specific provider error, check the credential record directly. | Provider | Example message | |---|---|