{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-{% for gm in arvados.api.gem.name %}
+{%- for gm in arvados.api.gem.name %}
arvados-api-package-clean-gem-{{ gm }}-removed:
gem.removed:
- name: {{ gm }}
- require_in:
- pkg: arvados-api-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
arvados-api-package-clean-gems-deps-pkg-removed:
pkg.removed:
- pkgs: {{ arvados.ruby.gems_deps | unique | json }}
- only_if: test "{{ arvados.ruby.manage_gems_deps | lower }}" = "true"
-{% for gm in arvados.api.gem.name | unique %}
+{%- for gm in arvados.api.gem.name | unique %}
arvados-api-package-install-gem-{{ gm }}-installed:
gem.installed:
- name: {{ gm }}
{%- endif %}
- require_in:
- pkg: arvados-api-package-install-pkg-installed
-{% endfor %}
+{%- endfor %}
arvados-api-package-install-pkg-installed:
pkg.installed:
- user: root
- group: root
- makedirs: True
+ - context:
+ arvados: {{ arvados | json }}
+ - require:
+ - pkg: arvados-dispatcher-package-install-pkg-installed
+
+arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials:
+ file.managed:
+ - name: /etc/arvados/crunch-dispatch-local-credentials
+ - source: {{ files_switch(['crunch-dispatch-local-credentials.tmpl'],
+ lookup='arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials',
+ use_subpath=True
+ )
+ }}
+ - mode: '0640'
+ - user: root
+ - group: root
+ - makedirs: True
- template: jinja
- context:
arvados: {{ arvados | json }}
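Review bot: The new `file.managed` state for `/etc/arvados/crunch-dispatch-local-credentials` renders a template that carries the system root token, and by default Salt prints the rendered diff of a managed file in the state output and stores it in the job cache; add `- show_changes: False` to this state so the token is not echoed on every change. Mode `'0640'` with `root:root` is consistent with a unit started by systemd as root, which presumably reads the EnvironmentFile before any privilege drop — confirm if the unit sets `User=` anywhere outside this hunk. The state list continues past the end of the hunk.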
arvados: {{ arvados | json }}
- require:
- file: arvados-dispatcher-service-file-file-managed-crunch-run-sh
+ - file: arvados-dispatcher-service-file-file-managed-crunch-dispatch-local-credentials
- pkg: arvados-dispatcher-package-install-pkg-installed
cmd.run:
- name: systemctl daemon-reload
--- /dev/null
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
+ARVADOS_API_HOST={{ arvados.cluster.Services.Controller.ExternalURL | regex_replace('^http(s?)://', '', ignorecase=true) }}
+ARVADOS_API_HOST_INSECURE={{ '1' if arvados.cluster.tls.insecure | default('0') }}
+ARVADOS_API_TOKEN={{ arvados.cluster.tokens.system_root }}
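Review bot: The `ARVADOS_API_HOST_INSECURE` line has a precedence defect: the `default('0')` filter binds to `arvados.cluster.tls.insecure`, not to the conditional, so when that key is absent the expression becomes `'1' if '0'`, the non-empty string is truthy and the line renders `ARVADOS_API_HOST_INSECURE=1`, disabling certificate verification exactly in the unconfigured case; when the key is `false` the inline `if` has no `else` and renders an empty value. Write it as `ARVADOS_API_HOST_INSECURE={{ '1' if arvados.cluster.tls.insecure | default(false) else '0' }}` so the default is secure and both branches produce an explicit value. A one-line comment above it stating that `1` turns off TLS verification for the dispatcher's API client would help the next reader.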
[Service]
Type=simple
-EnvironmentFile=-/etc/arvados/environment
+EnvironmentFile=-/etc/arvados/crunch-dispatch-local-credentials
ExecStart=/usr/bin/crunch-dispatch-local -poll-interval=1 -crunch-run-command=/usr/local/bin/crunch-run.sh
# Set a reasonable default for the open file limit
LimitNOFILE=65536
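Review bot: `EnvironmentFile=-/etc/arvados/crunch-dispatch-local-credentials` keeps the leading `-`, which tells systemd to ignore a missing file, so the dispatcher would start with no API host or token and fail later with a less obvious error. Now that the file is managed by Salt and the service state requires it, `EnvironmentFile=/etc/arvados/crunch-dispatch-local-credentials` makes a missing credentials file fail at unit start instead. If this unit sets `User=` outside the hunk, confirm systemd still reads the file before switching user, since the Salt state sets it to mode 0640 owned by root.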
+#!/bin/sh
########################################################################
# File managed by Salt at <{{ source }}>.
# Your changes will be overwritten.
########################################################################
-#!/bin/sh
-exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host $@
+exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host ${@}
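Review bot: `${@}` is still unquoted, so any argument containing whitespace or glob characters is re-split or expanded before crunch-run sees it; `exec /usr/bin/crunch-run -container-enable-networking=default -container-network-mode=host "$@"` passes the argument vector through unchanged. Moving `#!/bin/sh` to the first line is what makes the interpreter line effective, so the quoting fix is the only remaining point in this file.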
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-{% if arvados.use_upstream_repo -%}
- {% if grains.get('os_family') == 'Debian' -%}
+{%- if arvados.use_upstream_repo %}
+ {%- if grains.get('os_family') == 'Debian' %}
arvados-repo-clean-repo-absent:
pkgrepo.absent:
- file: {{ arvados.repo.file }}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-{%- if arvados.use_upstream_repo -%}
- {%- if grains.get('os_family') == 'Debian' -%}
+{%- if arvados.use_upstream_repo %}
+ {%- if grains.get('os_family') == 'Debian' %}
{%- if arvados.release == 'testing' %}
{%- set release = grains.get('lsb_distrib_codename') ~ '-testing' %}
{%- elif arvados.release == 'development' %}
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
arvados-shell-package-clean-gem-{{ gm }}-removed:
gem.removed:
- name: {{ gm }}
- require_in:
- pkg: arvados-shell-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
arvados-shell-package-clean-gems-deps-pkg-removed:
pkg.removed:
{%- set tplroot = tpldir.split('/')[0] %}
{%- from tplroot ~ "/map.jinja" import arvados with context %}
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
arvados-shell-package-clean-gem-{{ gm }}-removed:
gem.removed:
- name: {{ gm }}
- require_in:
- pkg: arvados-shell-package-clean-gems-deps-pkg-removed
-{% endfor %}
+{%- endfor %}
arvados-shell-package-clean-gems-deps-pkg-removed:
pkg.removed:
- pkgs: {{ arvados.ruby.gems_deps | json }}
- only_if: test "{{ arvados.ruby.manage_gems_deps | lower }}" = "true"
-{% for gm in arvados.shell.gem.name %}
+{%- for gm in arvados.shell.gem.name %}
arvados-shell-package-install-gem-{{ gm }}-installed:
gem.installed:
- name: {{ gm }}
- {{ ruby_dep }}: arvados-ruby-package-install-ruby-{{ ruby_dep }}-installed
{%- endif %}
- pkg: arvados-shell-package-install-gems-deps-pkg-installed
-{% endfor %}
+{%- endfor %}
state_top:
base:
'*':
+ - example_single_host_host_entries
- example_add_snakeoil_certs
- locale
- nginx.passenger
example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls
# yamllint enable rule:line-length
dependencies:
+ - name: example_single_host_host_entries
+ path: test/salt/states
- name: example_add_snakeoil_certs
path: test/salt/states
- name: locale
state_top:
base:
'*':
+ - example_single_host_host_entries
- example_add_snakeoil_certs
- nginx.passenger
- arvados.repo
example_nginx_workbench2.sls: test/salt/pillar/examples/nginx_workbench2_configuration.sls
# yamllint enable rule:line-length
dependencies:
+ - name: example_single_host_host_entries
+ path: test/salt/states
- name: example_add_snakeoil_certs
path: test/salt/states
- name: nginx
### TOKENS
tokens:
- system_root: changeme_system_root_token
- management: changeme_management_token
- rails_secret: changeme_rails_secret_token
- anonymous_user: changeme_anonymous_user_token
+ # SystemRootToken has to be alphanumeric, it does not accept underscores
+ # or special characters. See
+ # https://dev.arvados.org/issues/17150
+ system_root: changemesystemroottoken
+ management: changememanagementtoken
+ rails_secret: changemerailssecrettoken
+ anonymous_user: changemeanonymoususertoken
### KEYS
secrets:
- blob_signing_key: changeme_blob_signing_key
- workbench_secret_key: changeme_workbench_secret_key
- dispatcher_access_key: changeme_dispatcher_access_key
- dispatcher_secret_key: changeme_dispatcher_secret_key
- keep_access_key: changeme_keep_access_key
- keep_secret_key: changeme_keep_secret_key
+ blob_signing_key: changemeblobsigningkey
+ workbench_secret_key: changemeworkbenchsecretkey
+ dispatcher_access_key: changemedispatcheraccesskey
+ dispatcher_secret_key: changemedispatchersecretkey
+ keep_access_key: changemekeepaccesskey
+ keep_secret_key: changemekeepsecretkey
AuditLogs:
Section_to_ignore:
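Review bot: The explanation that SystemRootToken must be alphanumeric (with the issue link) is added only in this pillar; the sibling pillars changed the same way at the hunks ending at L254 and L316 have no comment, so a reader there sees underscores stripped from every token and key without the reason — repeat the three comment lines above `system_root:` in both. The comment also only names SystemRootToken, while the `secrets:` values are rewritten identically; a short line such as `# Keys are kept alphanumeric too, for consistency with the tokens above` (adjust if a different constraint applies — the hunk does not say) would make the intent explicit.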
api_stanza = <<-API_STANZA
API:
- RailsSessionSecretToken: "changeme_rails_secret_token"
+ RailsSessionSecretToken: "changemerailssecrettoken"
API_STANZA
rails_stanza = <<-RAILS_STANZA
RailsAPI:
InternalURLs:
- http://127.0.0.2:8004: {}
+ http://api.internal:8004: {}
RAILS_STANZA
group = case os[:name]
WebDAV:
ExternalURL: https://collections.fixme.example.net
InternalURLs:
- http://127.0.0.2:9002: {}
+ http://collections.internal:9002: {}
WebDAVDownload:
ExternalURL: https://download.fixme.example.net
KEEPWEB_STANZA
Websocket:
ExternalURL: wss://ws.fixme.example.net/websocket
InternalURLs:
- http://127.0.0.2:8005: {}
+ http://ws.internal:8005: {}
WEBSOCKET_STANZA
group = case os[:name]
workbench_config = <<-WORKBENCH_STANZA
Workbench:
- SecretKeyBase: "changeme_workbench_secret_key"
+ SecretKeyBase: "changemeworkbenchsecretkey"
SiteName: FIXME
WORKBENCH_STANZA
### TOKENS
tokens:
- system_root: changeme_system_root_token
- management: changeme_management_token
- rails_secret: changeme_rails_secret_token
- anonymous_user: changeme_anonymous_user_token
+ system_root: changemesystemroottoken
+ management: changememanagementtoken
+ rails_secret: changemerailssecrettoken
+ anonymous_user: changemeanonymoususertoken
### KEYS
secrets:
- blob_signing_key: changeme_blob_signing_key
- workbench_secret_key: changeme_workbench_secret_key
- dispatcher_access_key: changeme_dispatcher_access_key
- dispatcher_secret_key: changeme_dispatcher_secret_key
- keep_access_key: changeme_keep_access_key
- keep_secret_key: changeme_keep_secret_key
+ blob_signing_key: changemeblobsigningkey
+ workbench_secret_key: changemeworkbenchsecretkey
+ dispatcher_access_key: changemedispatcheraccesskey
+ dispatcher_secret_key: changemedispatchersecretkey
+ keep_access_key: changemekeepaccesskey
+ keep_secret_key: changemekeepsecretkey
AuditLogs:
Section_to_ignore:
Controller:
ExternalURL: https://fixme.example.net
InternalURLs:
- http://127.0.0.2:8003: {}
+ http://controller.internal:8003: {}
DispatchCloud:
InternalURLs:
http://fixme.example.net:9006: {}
Keepproxy:
ExternalURL: https://keep.fixme.example.net
InternalURLs:
- http://127.0.0.2:25100: {}
+ http://keep.internal:25100: {}
Keepstore:
InternalURLs:
http://keep0.fixme.example.net:25107: {}
RailsAPI:
InternalURLs:
- http://127.0.0.2:8004: {}
+ http://api.internal:8004: {}
WebDAV:
ExternalURL: https://collections.fixme.example.net
InternalURLs:
- http://127.0.0.2:9002: {}
+ http://collections.internal:9002: {}
WebDAVDownload:
ExternalURL: https://download.fixme.example.net
WebShell:
Websocket:
ExternalURL: wss://ws.fixme.example.net/websocket
InternalURLs:
- http://127.0.0.2:8005: {}
+ http://ws.internal:8005: {}
Workbench1:
ExternalURL: https://workbench.fixme.example.net
Workbench2:
### TOKENS
tokens:
- system_root: changeme_system_root_token
- management: changeme_management_token
- rails_secret: changeme_rails_secret_token
- anonymous_user: changeme_anonymous_user_token
+ system_root: changemesystemroottoken
+ management: changememanagementtoken
+ rails_secret: changemerailssecrettoken
+ anonymous_user: changemeanonymoususertoken
### KEYS
secrets:
- blob_signing_key: changeme_blob_signing_key
- workbench_secret_key: changeme_workbench_secret_key
- dispatcher_access_key: changeme_dispatcher_access_key
- dispatcher_secret_key: changeme_dispatcher_secret_key
- keep_access_key: changeme_keep_access_key
- keep_secret_key: changeme_keep_secret_key
+ blob_signing_key: changemeblobsigningkey
+ workbench_secret_key: changemeworkbenchsecretkey
+ dispatcher_access_key: changemedispatcheraccesskey
+ dispatcher_secret_key: changemedispatchersecretkey
+ keep_access_key: changemekeepaccesskey
+ keep_secret_key: changemekeepsecretkey
AuditLogs:
Section_to_ignore:
Controller:
ExternalURL: https://fixme.example.net
InternalURLs:
- http://127.0.0.2:8003: {}
+ http://controller.internal:8003: {}
DispatchCloud:
InternalURLs:
http://fixme.example.net:9006: {}
Keepproxy:
ExternalURL: https://keep.fixme.example.net
InternalURLs:
- http://127.0.0.2:25100: {}
+ http://keep.internal:25100: {}
Keepstore:
InternalURLs:
http://keep0.fixme.example.net:25107: {}
RailsAPI:
InternalURLs:
- http://127.0.0.2:8004: {}
+ http://api.internal:8004: {}
WebDAV:
ExternalURL: https://collections.fixme.example.net
InternalURLs:
- http://127.0.0.2:9002: {}
+ http://collections.internal:9002: {}
WebDAVDownload:
ExternalURL: https://download.fixme.example.net
WebShell:
Websocket:
ExternalURL: wss://ws.fixme.example.net/websocket
InternalURLs:
- http://127.0.0.2:8005: {}
+ http://ws.internal:8005: {}
Workbench1:
ExternalURL: https://workbench.fixme.example.net
Workbench2:
overwrite: true
config:
- server:
- - listen: '127.0.0.2:8004'
+ - listen: 'api.internal:8004'
- server_name: api
- root: /var/www/arvados-api/current/public
- index: index.html index.htm
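Review bot: `listen: 'api.internal:8004'` binds nginx to whatever address `api.internal` resolves to at startup, whereas `127.0.0.2:8004` pinned this backend to loopback; the hosts state added in this commit maps the `*.internal` names to the minion's first `ipv4` grain, which may be a routable interface, so the Rails API (and Workbench on 9000 at L416) can become reachable from the network unless host-level filtering is assumed. The same consideration applies to the InternalURLs rewrites in the example cluster configs (L259, L267, L274, L279, L287 and their duplicates), since the Arvados services bind on their InternalURLs address. If this is intended only for the test harness, a comment above `listen` stating that the listener is no longer loopback-only would document the exposure; otherwise map the `.internal` names to a loopback address in the hosts state.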
default: 1
'127.0.0.0/8': 0
upstream controller_upstream:
- - server: '127.0.0.2:8003 fail_timeout=10s'
+ - server: 'controller.internal:8003 fail_timeout=10s'
### SITES
servers:
### STREAMS
http:
upstream keepproxy_upstream:
- - server: '127.0.0.2:25100 fail_timeout=10s'
+ - server: 'keep.internal:25100 fail_timeout=10s'
servers:
managed:
### STREAMS
http:
upstream collections_downloads_upstream:
- - server: '127.0.0.2:9002 fail_timeout=10s'
+ - server: 'collections.internal:9002 fail_timeout=10s'
servers:
managed:
- add_header: 'Strict-Transport-Security "max-age=63072000" always'
# OCSP stapling
- - ssl_stapling: 'on'
- - ssl_stapling_verify: 'on'
+ # FIXME! Stapling does not work with self-signed certificates, so disabling for tests
+ # - ssl_stapling: 'on'
+ # - ssl_stapling_verify: 'on'
# verify chain of trust of OCSP response using Root CA and Intermediate certs
# - ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates
### STREAMS
http:
upstream webshell_upstream:
- - server: '127.0.0.2:4200 fail_timeout=10s'
+ - server: 'shell.internal:4200 fail_timeout=10s'
### SITES
servers:
### STREAMS
http:
upstream websocket_upstream:
- - server: '127.0.0.2:8005 fail_timeout=10s'
+ - server: 'ws.internal:8005 fail_timeout=10s'
servers:
managed:
### STREAMS
http:
upstream workbench_upstream:
- - server: '127.0.0.2:9000 fail_timeout=10s'
+ - server: 'workbench.internal:9000 fail_timeout=10s'
### SITES
servers:
overwrite: true
config:
- server:
- - listen: '127.0.0.2:9000'
+ - listen: 'workbench.internal:9000'
- server_name: workbench
- root: /var/www/arvados-workbench/current/public
- index: index.html index.htm
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
snake_oil_certs:
-{%- if grains.os_family in ('RedHat',) %}
pkg.installed:
- name: openssl
cmd.run:
- name: |
cat > /tmp/openssl.cnf <<-CNF
- RANDFILE = /dev/urandom
- [ req ]
- default_bits = 2048
- default_keyfile = privkey.pem
- distinguished_name = req_distinguished_name
- prompt = no
- policy = policy_anything
- req_extensions = v3_req
- x509_extensions = v3_req
- [ req_distinguished_name ]
- commonName = {{ grains.fqdn }}
- [ v3_req ]
- basicConstraints = CA:FALSE
+ [req]
+ default_bits = 2048
+ prompt = no
+ default_md = sha256
+ x509_extensions = v3_req
+ distinguished_name = dn
+ [dn]
+ C = CC
+ ST = SomeState
+ L = SomeLocation
+ O = ArvadosFormula
+ OU = R&D
+ CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ [v3_req]
+ subjectAltName = @alt_names
+ [alt_names]
+ {%- for entry in grains.get('ipv4') %}
+ IP.{{ loop.index }} = {{ entry }}
+ {%- endfor %}
+ {%- for entry in [
+ 'keep',
+ 'keep0',
+ 'collections',
+ 'download',
+ 'ws',
+ 'workbench',
+ 'workbench2',
+ ]
+ %}
+ DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ {%- endfor %}
CNF
+
mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
-out /etc/ssl/certs/ssl-cert-snakeoil.pem \
- -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1
+ -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \
+ chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \
+ chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key
- unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
- require:
- pkg: openssl
-{%- else %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+ssl_certs:
pkg.installed:
- name: ssl-cert
+ - require_in:
+ - sls: postgres
+
+snake_oil_certs_permissions:
+ cmd.run:
+ - name: |
+ chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
+ - require:
+ - pkg: ssl_certs
{%- endif %}
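Review bot: `snake_oil_certs_permissions` runs `chown` through `cmd.run` on every highstate and has no requisite on the `snake_oil_certs` state that creates the key, so it relies on file order and reports a change each run; a `file.managed` with `replace: False` expresses the ownership and mode declaratively, is idempotent, and can require both the package and the generating state (assuming the key exists by then, which `unless` on `snake_oil_certs` and the ssl-cert package's own generation suggest). Separately, the OpenSSL config is written to the fixed path `/tmp/openssl.cnf` and left behind; creating it with `mktemp` and removing it after the `openssl req` call is the usual hygiene for a world-writable directory, though the rendered file contains no secrets.
```yaml
{%- if grains.get('os_family') == 'Debian' %}
# … unchanged: ssl_certs pkg.installed …
snake_oil_certs_permissions:
  file.managed:
    - name: /etc/ssl/private/ssl-cert-snakeoil.key
    - user: root
    - group: ssl-cert
    - mode: '0640'
    - replace: False
    - require:
      - pkg: ssl_certs
      - cmd: snake_oil_certs
{%- endif %}
```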
--- /dev/null
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+arvados_hosts_entries:
+ host.present:
+ - ip: {{ grains.get('ipv4')[0] }}
+ - names:
+ - {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ # FIXME! This just works for our testings.
+ # Won't work if the cluster name != host name
+ {%- for entry in [
+ 'api',
+ 'collections',
+ 'controller',
+ 'download',
+ 'keep',
+ 'keep0',
+ 'shell',
+ 'workbench',
+ 'workbench2',
+ 'ws',
+ ]
+ %}
+ - {{ entry }}.internal
+ - {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ {%- endfor %}
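Review bot: `grains.get('ipv4')[0]` takes whichever address Salt lists first, which depends on grain ordering and can be the loopback address or a secondary interface, and it raises a TypeError if the grain is absent; `grains.get('fqdn_ip4')[0]` (or `ip4_interfaces` keyed by the intended interface) names the address deliberately. The existing FIXME records that the cluster name must equal the host name; a second line noting that every `.internal` name resolves to this address, so the nginx `listen` directives and the InternalURLs in this commit bind there rather than on loopback, would tell the reader what this state changes about exposure.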