From: Javier BĂ©rtoli Date: Thu, 3 Dec 2020 22:48:54 +0000 (-0300) Subject: Merge pull request #10 from netmanagers/master X-Git-Url: https://git.arvados.org/arvados-formula.git/commitdiff_plain/2d2dd6742e1d8ee0a4cefa5f9db85ec1bdca2dae?hp=5e2db4ee2a9c5ac0b60dc9734d0f48bb68ca7b84 Merge pull request #10 from netmanagers/master Add a CA to the example files, required for some Arvados components --- diff --git a/docs/README.rst b/docs/README.rst index e5982c7..0fb3eda 100644 --- a/docs/README.rst +++ b/docs/README.rst @@ -44,7 +44,22 @@ Please see `How to contribute `_ you can find `a provision script `_ +to deploy a single-node, all-in-one Arvados cluster (The script uses this formula to get a cluster up and running in Saltstack's master-less mode). + +The `single-node` install does not include SLURM: it is intended for an `all-in-one-host` installation, +so it uses `crunch-dispatch-local` to run containers in the same instance. + +The provision script can be run anywhere, so you can run it in an AWS instance and you'll get a `single-node` Arvados cluster there. + +The Arvados formula allows you to `install any dispatcher available `_, +provided you configure the pillars the way you need them. + +Arvados currently has three dispatchers: + +* **crunch-dispatch-local** (for single node installations), +* **arvados-dispatch-cloud** (for dynamic compute on AWS or Azure) and +* **crunch-dispatch-slurm** (for SLURM integration). Requisites ---------- @@ -56,7 +71,10 @@ We suggest you use the `postgres-formula `_ and the `letsencrypt-formula `_ to satisfy these dependencies. In the **test/salt/pillar/examples/** directory there are example pillar YAMLs to set up these packages, using the mentioned formulas -as Arvados needs them. +as Arvados needs them.a + +In the **test/salt/states/examples/** directory there are some example helper states to set up a few requirements for single-node +(all-in-one) Arvados host. Usage ----- 
diff --git a/kitchen.yml b/kitchen.yml index 4067e1c..f2e0add 100644 --- a/kitchen.yml +++ b/kitchen.yml @@ -104,16 +104,14 @@ suites: state_top: base: '*': - - example_single_host_host_entries - - example_add_snakeoil_certs + - single_host.host_entries + - single_host.snakeoil_certs - locale - nginx.passenger - postgres - arvados.repo - arvados.api - arvados.websocket - # keepproxy complains when using snakeoil certs, so we can't - # properly test it here until next version removes this limitation - arvados.keepproxy - arvados.keepweb - arvados.controller @@ -146,10 +144,8 @@ suites: example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls # yamllint enable rule:line-length dependencies: - - name: example_single_host_host_entries - path: test/salt/states - - name: example_add_snakeoil_certs - path: test/salt/states + - name: single_host + path: test/salt/states/examples - name: locale repo: git source: https://github.com/saltstack-formulas/locale-formula.git @@ -175,8 +171,8 @@ suites: state_top: base: '*': - - example_single_host_host_entries - - example_add_snakeoil_certs + - single_host.host_entries + - single_host.snakeoil_certs - nginx.passenger - arvados.repo - arvados.workbench @@ -197,10 +193,8 @@ suites: example_nginx_workbench2.sls: test/salt/pillar/examples/nginx_workbench2_configuration.sls # yamllint enable rule:line-length dependencies: - - name: example_single_host_host_entries - path: test/salt/states - - name: example_add_snakeoil_certs - path: test/salt/states + - name: single_host + path: test/salt/states/examples - name: nginx repo: git source: https://github.com/netmanagers/nginx-formula.git diff --git a/test/salt/pillar/examples/README.rst b/test/salt/pillar/examples/README.rst new file mode 100644 index 0000000..b0a7e85 --- /dev/null +++ b/test/salt/pillar/examples/README.rst 
@@ -0,0 +1,7 @@ +Pillar examples +=============== + +The files in this directory are pillar examples for the other formulas used to install +Arvados (`locale-formula `_, +`postgres-formula `_ and +`nginx-formula `_. diff --git a/test/salt/pillar/examples/nginx_passenger.sls b/test/salt/pillar/examples/nginx_passenger.sls index 8c41acb..ec79746 100644 --- a/test/salt/pillar/examples/nginx_passenger.sls +++ b/test/salt/pillar/examples/nginx_passenger.sls @@ -53,8 +53,8 @@ nginx: # - resolver: 127.0.0.1 ssl_snakeoil.conf: - - ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem - - ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key + - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem + - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key ### SITES servers: diff --git a/test/salt/pillar/examples/postgresql.sls b/test/salt/pillar/examples/postgresql.sls index aec4f13..5d800ec 100644 --- a/test/salt/pillar/examples/postgresql.sls +++ b/test/salt/pillar/examples/postgresql.sls @@ -7,8 +7,8 @@ postgres: postgresconf: |- listen_addresses = '*' # listen on all interfaces #ssl = on - #ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' - #ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' + #ssl_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' + #ssl_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' acls: - ['local', 'all', 'postgres', 'peer'] - ['local', 'all', 'all', 'peer'] diff --git a/test/salt/states/example_add_snakeoil_certs/init.sls b/test/salt/states/example_add_snakeoil_certs/init.sls deleted file mode 100644 index 158abcc..0000000 --- a/test/salt/states/example_add_snakeoil_certs/init.sls +++ /dev/null 
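Review bot: After this path change the pillar's `ssl_snakeoil.conf` snippet carries exactly the two `ssl_certificate` / `ssl_certificate_key` directives that the new `single_host/snakeoil_certs.sls` state also writes to `/etc/nginx/snippets/arvados-snakeoil.conf`, so there are presumably two nginx snippets for one purpose; which one the `servers:` entries below actually include is outside this hunk. Keeping a single source of truth — either drop this pillar snippet and reference the state-managed file, or the reverse — avoids the two drifting apart on the next path rename. A one-line comment above the snippet, e.g. `# Must match the cert/key paths generated by test/salt/states/examples/single_host/snakeoil_certs.sls`, would at least make the coupling explicit if both are kept.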
@@ -1,69 +0,0 @@ -{%- set curr_tpldir = tpldir %} -{%- set tpldir = 'arvados' %} -{%- from "arvados/map.jinja" import arvados with context %} -{%- set tpldir = curr_tpldir %} - -snake_oil_certs: - pkg.installed: - - name: openssl - cmd.run: - - name: | - cat > /tmp/openssl.cnf <<-CNF - [req] - default_bits = 2048 - prompt = no - default_md = sha256 - x509_extensions = v3_req - distinguished_name = dn - [dn] - C = CC - ST = SomeState - L = SomeLocation - O = ArvadosFormula - OU = R&D - CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} - emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} - [v3_req] - subjectAltName = @alt_names - [alt_names] - {%- for entry in grains.get('ipv4') %} - IP.{{ loop.index }} = {{ entry }} - {%- endfor %} - {%- for entry in [ - 'keep', - 'keep0', - 'collections', - 'download', - 'ws', - 'workbench', - 'workbench2', - ] - %} - DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} - {%- endfor %} - CNF - - mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \ - openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \ - -out /etc/ssl/certs/ssl-cert-snakeoil.pem \ - -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \ - chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \ - chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key - - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key - - require: - - pkg: openssl - -{%- if grains.get('os_family') == 'Debian' %} -ssl_certs: - pkg.installed: - - name: ssl-cert - - require_in: - - sls: postgres - -snake_oil_certs_permissions: - cmd.run: - - name: | - chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key - - require: - - pkg: ssl_certs -{%- endif %} diff --git a/test/salt/states/examples/single_host/README.rst b/test/salt/states/examples/single_host/README.rst new file mode 100644 index 0000000..b50716d --- /dev/null +++ b/test/salt/states/examples/single_host/README.rst 
@@ -0,0 +1,17 @@ +Helper states for all-in-one setup +================================== + +These states are helpful for setting up an all-in-one Arvados host. + +* `host_entries.sls`: adds a bunch of host entries in the `/etc/hosts` file of + the host instance, so all Arvados' components can find each other correctly, + using meaningful names. + +* `snakeoil_certs.sls`: Arvados uses SSL/TLS for communications, so you'll need + certificates for the different hosts. If you can't provide valid certificates + issued by a recognized CA, this state will create a SnakeOil CA and issue + certificates signed by it. + + The certs can't be self-signed because some of the libraries that Arvados + uses require certs issued by a CA. For this reason, if you use this state, + you'll need to copy the created CA cert to your certificates' directory. diff --git a/test/salt/states/example_single_host_host_entries/init.sls b/test/salt/states/examples/single_host/host_entries.sls similarity index 91% rename from test/salt/states/example_single_host_host_entries/init.sls rename to test/salt/states/examples/single_host/host_entries.sls index 6425448..855757e 100644 --- a/test/salt/states/example_single_host_host_entries/init.sls +++ b/test/salt/states/examples/single_host/host_entries.sls @@ -3,7 +3,7 @@ {%- from "arvados/map.jinja" import arvados with context %} {%- set tpldir = curr_tpldir %} -arvados_hosts_entries: +arvados_test_salt_states_examples_single_host_etc_hosts_host_present: host.present: - ip: {{ grains.get('ipv4')[0] }} - names: diff --git a/test/salt/states/examples/single_host/snakeoil_certs.sls b/test/salt/states/examples/single_host/snakeoil_certs.sls new file mode 100644 index 0000000..e6c6a96 --- /dev/null +++ b/test/salt/states/examples/single_host/snakeoil_certs.sls 
@@ -0,0 +1,148 @@ +{%- set curr_tpldir = tpldir %} +{%- set tpldir = 'arvados' %} +{%- from "arvados/map.jinja" import arvados with context %} +{%- set tpldir = curr_tpldir %} + +include: + - nginx.service + +{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %} +{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %} +{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %} +{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %} +{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %} + +{%- if grains.get('os_family') == 'Debian' %} + {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %} + {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %} + {%- set openssl_conf = '/etc/ssl/openssl.cnf' %} +{%- else %} + {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %} + {%- set update_ca_cert = '/usr/bin/update-ca-trust' %} + {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %} +{%- endif %} + +arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed: + pkg.installed: + - pkgs: + - openssl + - ca-certificates + +arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run: + # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run + cmd.run: + - name: | + # These dirs are not to CentOS-ish, but this is a helper script + # and they should be enough + mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \ + openssl req \ + -new \ + -nodes \ + -sha256 \ + -x509 \ + -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \ + -extensions x509_ext \ + -config <(cat {{ openssl_conf }} \ + <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \ + -out {{ 
arvados_ca_cert_file }} \ + -keyout {{ arvados_ca_key_file }} \ + -days 3650 && \ + cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \ + {{ update_ca_cert }} + - unless: + - test -f {{ arvados_ca_cert_file }} + - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }} + - require: + - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed + +arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run: + cmd.run: + - name: | + cat > /tmp/openssl.cnf <<-CNF + [req] + default_bits = 2048 + prompt = no + default_md = sha256 + req_extensions = rext + distinguished_name = dn + [dn] + C = CC + ST = Some State + L = Some Location + O = Arvados Formula + OU = arvados-formula + CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + [rext] + subjectAltName = @alt_names + [alt_names] + {%- for entry in grains.get('ipv4') %} + IP.{{ loop.index }} = {{ entry }} + {%- endfor %} + {%- for entry in [ + 'keep', + 'collections', + 'download', + 'ws', + 'workbench', + 'workbench2', + ] + %} + DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }} + {%- endfor %} + CNF + + # The req + openssl req \ + -config /tmp/openssl.cnf \ + -new \ + -nodes \ + -sha256 \ + -out {{ arvados_csr_file }} \ + -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \ + # The cert + openssl x509 \ + -req \ + -days 3650 \ + -in {{ arvados_csr_file }} \ + -out {{ arvados_cert_file }} \ + -extfile /tmp/openssl.cnf \ + -extensions rext \ + -CA {{ arvados_ca_cert_file }} \ + -CAkey {{ arvados_ca_key_file }} \ + -set_serial $(date +%s) && \ + chmod 0644 {{ arvados_cert_file }} && \ + chmod 0640 {{ arvados_key_file }} + - unless: + - test -f {{ arvados_key_file }} + - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }} + - require: + - pkg: 
arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed + - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run + +{%- if grains.get('os_family') == 'Debian' %} +arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed: + pkg.installed: + - name: ssl-cert + - require_in: + - sls: postgres + +arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run: + cmd.run: + - name: | + chown root:ssl-cert {{ arvados_key_file }} + - require: + - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run + - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed +{%- endif %} + +arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed: + file.managed: + - name: /etc/nginx/snippets/arvados-snakeoil.conf + - contents: | + ssl_certificate {{ arvados_cert_file }}; + ssl_certificate_key {{ arvados_key_file }}; + - watch_in: + - service: nginx_service + +
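Review bot: The CA private key written by the first cmd.run (`-keyout {{ arvados_ca_key_file }}`) is never given an explicit mode, unlike the leaf key which is chmod'ed to 0640 and chowned root:ssl-cert further down; since the same command installs this CA into the system trust store via `{{ update_ca_cert }}`, anyone who can read that key can mint certificates trusted by every TLS client on the host, so its permissions should not depend on whatever umask the minion runs with. Add `chmod 0600 {{ arvados_ca_key_file }} && \` right after the `-days 3650 && \` line. The same command relies on bash process substitution (`-config <(cat {{ openssl_conf }} ...)`), but cmd.run executes under the minion's default shell, which is not necessarily bash — adding `- shell: /bin/bash` to that state makes the requirement explicit. The second command also writes to the fixed paths `/tmp/openssl.cnf` and `/tmp/snake_oil_certs.output`; on a host with other local users a `mktemp`-created file (or a path under /etc/ssl) avoids the usual predictable-name-in-/tmp problem, and the CSR and config are only needed for the duration of the command anyway.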