* modify pillars and examples to pass config-check
BREAKING CHANGE: the configuration file is now checked before deployment
to make sure it is valid. Because keys and tokens are now checked for
compliance with Arvados' requirements, old configurations might fail to
deploy
- template: jinja
- context:
arvados: {{ arvados | json }}
- template: jinja
- context:
arvados: {{ arvados | json }}
- - check_cmd: /usr/bin/arvados-server config-dump -config
+ - check_cmd: {{ arvados.config.check_command }}
- require:
- pkg: arvados-config-package-install-pkg-installed
- require:
- pkg: arvados-config-package-install-pkg-installed
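Review bot: The new `check_cmd` line renders the pillar value into the state unquoted, so a command string containing ` #` or `: ` would be truncated or fail to parse before Salt runs it. Passing it through the filter the config template already uses for the tokens keeps the scalar intact: `- check_cmd: {{ arvados.config.check_command | yaml_encode }}`. This command is now the only validation step before the config file is replaced, and it presumably runs with the state's privileges (the file is owned by root), so a comment such as `# check_command is taken from pillar and runs against the candidate config file` would help whoever audits pillar overrides. The enclosing state starts and ends outside the visible lines.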
user: root
group: root
mode: 640
user: root
group: root
mode: 640
+ check_command: /usr/bin/arvados-server config-check -config
# Experimental feature
# only available when 'release: development'
auto_reload_config: false
cluster:
# Experimental feature
# only available when 'release: development'
auto_reload_config: false
cluster:
- force_legacy_api14: false
-
database:
connection_pool_max: 32
database:
connection_pool_max: 32
SystemRootToken: {{ arvados.cluster.tokens.system_root | yaml_encode }}
ManagementToken: {{ arvados.cluster.tokens.management | yaml_encode }}
SystemRootToken: {{ arvados.cluster.tokens.system_root | yaml_encode }}
ManagementToken: {{ arvados.cluster.tokens.management | yaml_encode }}
- ForceLegacyAPI14: {{ arvados.cluster.force_legacy_api14 }}
-
API:
{%- if 'API' in arvados.cluster %}
{{ arvados.cluster.API | default('') | yaml(False) | indent(6) }}
API:
{%- if 'API' in arvados.cluster %}
{{ arvados.cluster.API | default('') | yaml(False) | indent(6) }}
### GENERAL CONFIG
# version: '2.1.0'
# release: production
### GENERAL CONFIG
# version: '2.1.0'
# release: production
- ## It makes little sense to disable this flag, but you can, if you want :)
+ ### It makes little sense to disable this flag, but you can, if you want :)
# use_upstream_repo: true
# use_upstream_repo: true
- ## Repo URL is built with grains values. If desired, it can be completely
- ## overwritten with the pillar parameter 'repo_url'
+ ### Repo URL is built with grains values. If desired, it can be completely
+ ### overwritten with the pillar parameter 'repo_url'
# repo:
# humanname: Arvados Official Repository
# repo:
# humanname: Arvados Official Repository
- ## IMPORTANT!!!!!
- ## api, workbench and shell require some gems, so you need to make sure ruby
- ## and deps are installed in order to install and compile the gems.
- ## We default to `false` in these two variables as it's expected you already
- ## manage OS packages with some other tool and you don't want us messing up
- ## with your setup.
+ # IMPORTANT!!!!!
+ # api, workbench and shell require some gems, so you need to make sure ruby
+ # and deps are installed in order to install and compile the gems.
+ # We default to `false` in these two variables as it's expected you already
+ # manage OS packages with some other tool and you don't want us messing up
+ # with your setup.
- ## We set these to `true` here for testing purposes.
- ## They both default to `false`.
+ # We set these to `true` here for testing purposes.
+ # They both default to `false`.
manage_ruby: true
use_rvm: false # If you want to use rvm. Defaults to true for centos-7
# pkg: ruby # Can specify a version like ruby-2.5.7 for rvm
manage_ruby: true
use_rvm: false # If you want to use rvm. Defaults to true for centos-7
# pkg: ruby # Can specify a version like ruby-2.5.7 for rvm
# config:
# file: /etc/arvados/config.yml
# user: root
# config:
# file: /etc/arvados/config.yml
# user: root
- ## IMPORTANT!!!!!
- ## If you're intalling any of the rails apps (api, workbench), the group
- ## should be set to that of the web server, usually `www-data`
+ ### IMPORTANT!!!!!
+ ### If you're intalling any of the rails apps (api, workbench), the group
+ ### should be set to that of the web server, usually `www-data`
# group: root
# mode: 640
# group: root
# mode: 640
+ #
+ ### This is the command run to verify the configuration is correct before
+ ### deploying it. By default it uses `-strict=true`, so it will error on
+ ### warnings (ie, unknown/deprecated parameters)
+ #
+ # check_command: /usr/bin/arvados-server config-check -config
+ #
+ ### To fail only on errors, you can use
+ #
+ # check_command: /usr/bin/arvados-server config-check -strict=false -config
+ #
+ ### and to disable configuration checking (not recommended), just set it to
+ ### any command that returns true
+ #
+ # check_command: /bin/true
### ARVADOS CLUSTER CONFIG
cluster:
### ARVADOS CLUSTER CONFIG
cluster:
# You can pass extra database connections parameters here,
# which will be rendered as yaml.
# extra_conn_params:
# You can pass extra database connections parameters here,
# which will be rendered as yaml.
# extra_conn_params:
- # sslmode: prefer
- # verify-ca: false
- # client_encoding: UTF8
+ # sslmode: prefer
+ # verify-ca: false
+ # client_encoding: UTF8
# Secrets and tokens have to be +32 alphanumeric,
# it does not accept underscores or special characters.
# See https://dev.arvados.org/issues/17150
# Secrets and tokens have to be +32 alphanumeric,
# it does not accept underscores or special characters.
# See https://dev.arvados.org/issues/17150
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
# The AnonymousUserToken can be set here or in the
# The AnonymousUserToken can be set here or in the
- # USers dictionary below. The latter will be used if set.
- anonymous_user: changemeanonymoususertoken
+ # Users dictionary below. The latter will be used if set.
+ anonymous_user: anonymoususertokenmushaveatleast32characters
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes:
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes:
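Review bot: The replacement placeholders for `system_root`, `management`, `anonymous_user`, `blob_signing_key` and `workbench_secret_key` are written to satisfy config-check, so an example pillar copied unchanged will now deploy with publicly known tokens and signing keys. The old `changeme…` values would presumably have been rejected by the new check as too short. I would add a comment directly above the tokens, for example `# Example values only: generate a unique random value (32+ alphanumeric characters) for every token and key before deploying`. The values also read `mushave` where `musthave` is meant. The existing comment `+32 alphanumeric` would read more clearly as `at least 32 alphanumeric characters`.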
workbench_config = <<-WORKBENCH_STANZA
Workbench:
workbench_config = <<-WORKBENCH_STANZA
Workbench:
- SecretKeyBase: "changemeworkbenchsecretkey"
+ SecretKeyBase: "workbenchsecretkeymushaveatleast32characters"
SiteName: FIXME
WORKBENCH_STANZA
SiteName: FIXME
WORKBENCH_STANZA
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
anonymous_user: anonymoususertokensetinthetokensdict
### KEYS
secrets:
anonymous_user: anonymoususertokensetinthetokensdict
### KEYS
secrets:
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes:
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes:
- system_root: changemesystemroottoken
- management: changememanagementtoken
+ system_root: systemroottokenmushaveatleast32characters
+ management: managementtokenmushaveatleast32characters
- blob_signing_key: changemeblobsigningkey
- workbench_secret_key: changemeworkbenchsecretkey
+ blob_signing_key: blobsigningkeymushaveatleast32characters
+ workbench_secret_key: workbenchsecretkeymushaveatleast32characters
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
dispatcher_access_key: changemedispatcheraccesskey
dispatcher_secret_key: changemedispatchersecretkey
keep_access_key: changemekeepaccesskey
keep_secret_key: changemekeepsecretkey
- AuditLogs:
- Section_to_ignore:
- - some_random_value
-
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes:
### VOLUMES
## This should usually match all your `keepstore` instances
Volumes: