3 # Copyright (C) The Arvados Authors. All rights reserved.
5 # SPDX-License-Identifier: CC-BY-SA-3.0
7 # If you want to test arvados in a single host, you can run this script, which
8 # will install it using salt masterless
9 # This script is run by the Vagrant file when you run it with
15 # capture the directory that the script is running from
16 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
20 echo >&2 "Usage: ${0} [-h] [-h]"
22 echo >&2 "${0} options:"
23 echo >&2 " -d, --debug Run salt installation in debug mode"
24 echo >&2 " -c <local.params>, --config <local.params> Path to the local.params config file"
25 echo >&2 " -t, --test Test installation running a CWL workflow"
26 echo >&2 " -r, --roles List of Arvados roles to apply to the host, comma separated"
27 echo >&2 " Possible values are:"
29 echo >&2 " controller"
30 echo >&2 " dispatcher"
38 echo >&2 " workbench2"
39 echo >&2 " Defaults to applying them all"
40 echo >&2 " -h, --help Display this help and exit"
41 echo >&2 " --dump-config <dest_dir> Dumps the pillars and states to a directory"
42 echo >&2 " This parameter does not perform any installation at all. It's"
43 echo >&2 " intended to give you a parsed sot of configuration files so"
44 echo >&2 " you can inspect them or use them in you Saltstack infrastructure."
46 echo >&2 " - parses the pillar and states templates,"
47 echo >&2 " - downloads the helper formulas with their desired versions,"
48 echo >&2 " - prepares the 'top.sls' files both for pillars and states"
49 echo >&2 " for the selected role/s"
50 echo >&2 " - writes the resulting files into <dest_dir>"
51 echo >&2 " -v, --vagrant Run in vagrant and use the /vagrant shared dir"
52 echo >&2 " --development Run in dev mode, using snakeoil certs"
57 # NOTE: This requires GNU getopt (part of the util-linux package on Debian-based distros).
58 if ! which getopt > /dev/null; then
59 echo >&2 "GNU getopt is required to run this script. Please install it and re-reun it"
63 TEMP=$(getopt -o c:dhp:r:tv \
64 --long config:,debug,development,dump-config:,help,roles:,test,vagrant \
68 then echo "Please check the parameters you entered and re-run again"
71 # Note the quotes around `$TEMP': they are essential!
74 while [ ${#} -ge 1 ]; do
86 if [[ ${2} = /* ]]; then
87 DUMP_SALT_CONFIG_DIR=${2}
89 DUMP_SALT_CONFIG_DIR=${PWD}/${2}
92 S_DIR="${DUMP_SALT_CONFIG_DIR}/salt"
94 F_DIR="${DUMP_SALT_CONFIG_DIR}/formulas"
96 P_DIR="${DUMP_SALT_CONFIG_DIR}/pillars"
98 T_DIR="${DUMP_SALT_CONFIG_DIR}/tests"
109 # Verify the role exists
110 if [[ ! "database,api,controller,keepstore,websocket,keepweb,workbench2,webshell,keepproxy,shell,workbench,dispatcher" == *"$i"* ]]; then
111 echo "The role '${i}' is not a valid role"
115 ROLES="${ROLES} ${i}"
143 mkdir -p /srv/salt/certs
145 if [ -f ${cert_dir}/${cert_name}.crt ]; then
146 cp -v ${cert_dir}/${cert_name}.crt /srv/salt/certs/arvados-${cert_name}.pem
148 echo "${cert_dir}/${cert_name}.crt does not exist. Exiting"
151 if [ -f ${cert_dir}/${cert_name}.key ]; then
152 cp -v ${cert_dir}/${cert_name}.key /srv/salt/certs/arvados-${cert_name}.key
154 echo "${cert_dir}/${cert_name}.key does not exist. Exiting"
160 CONFIG_FILE="${SCRIPT_DIR}/local.params"
161 CONFIG_DIR="local_config_dir"
164 CONTROLLER_EXT_SSL_PORT=443
170 # Hostnames/IPs used for single-host deploys
175 INITIAL_USER_EMAIL=""
176 INITIAL_USER_PASSWORD=""
178 CONTROLLER_EXT_SSL_PORT=8000
179 KEEP_EXT_SSL_PORT=25101
180 # Both for collections and downloads
181 KEEPWEB_EXT_SSL_PORT=9002
182 WEBSHELL_EXT_SSL_PORT=4202
183 WEBSOCKET_EXT_SSL_PORT=8002
184 WORKBENCH1_EXT_SSL_PORT=443
185 WORKBENCH2_EXT_SSL_PORT=3001
187 SSL_MODE="self-signed"
188 USE_LETSENCRYPT_ROUTE53="no"
189 CUSTOM_CERTS_DIR="${SCRIPT_DIR}/certs"
191 ## These are ARVADOS-related parameters
192 # For a stable release, change RELEASE "production" and VERSION to the
193 # package version (including the iteration, e.g. X.Y.Z-1) of the
195 # The "local.params.example.*" files already set "RELEASE=production"
196 # to deploy production-ready packages
197 RELEASE="development"
200 # These are arvados-formula-related parameters
201 # An arvados-formula tag. For a stable release, this should be a
202 # branch name (e.g. X.Y-dev) or tag for the release.
203 # ARVADOS_TAG="2.2.0"
206 # Other formula versions we depend on
207 POSTGRES_TAG="v0.43.0"
211 LETSENCRYPT_TAG="v2.1.0"
214 DUMP_SALT_CONFIG_DIR=""
218 F_DIR="/srv/formulas"
222 T_DIR="/tmp/cluster_tests"
226 if [ -s ${CONFIG_FILE} ]; then
227 source ${CONFIG_FILE}
229 echo >&2 "You don't seem to have a config file with initial values."
230 echo >&2 "Please create a '${CONFIG_FILE}' file as described in"
231 echo >&2 " * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
232 echo >&2 " * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
236 if [ ! -d ${CONFIG_DIR} ]; then
237 echo >&2 "You don't seem to have a config directory with pillars and states."
238 echo >&2 "Please create a '${CONFIG_DIR}' directory (as configured in your '${CONFIG_FILE}'). Please see"
239 echo >&2 " * https://doc.arvados.org/install/salt-single-host.html#single_host, or"
240 echo >&2 " * https://doc.arvados.org/install/salt-multi-host.html#multi_host_multi_hostnames"
244 if grep -q 'fixme_or_this_wont_work' ${CONFIG_FILE} ; then
245 echo >&2 "The config file ${CONFIG_FILE} has some parameters that need to be modified."
246 echo >&2 "Please, fix them and re-run the provision script."
250 if ! grep -qE '^[[:alnum:]]{5}$' <<<${CLUSTER} ; then
251 echo >&2 "ERROR: <CLUSTER> must be exactly 5 alphanumeric characters long"
252 echo >&2 "Fix the cluster name in the 'local.params' file and re-run the provision script"
256 # Only used in single_host/single_name deploys
257 if [ ! -z "${HOSTNAME_EXT}" ] ; then
258 # We need to add some extra control vars to manage a single certificate vs. multiple
259 USE_SINGLE_HOSTNAME="yes"
261 USE_SINGLE_HOSTNAME="no"
262 # We set this variable, anyway, so sed lines do not fail and we don't need to add more
264 HOSTNAME_EXT="${CLUSTER}.${DOMAIN}"
267 if [ "${DUMP_CONFIG}" = "yes" ]; then
268 echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit"
270 # Install a few dependency packages
271 # First, let's figure out the OS we're working on
272 OS_ID=$(grep ^ID= /etc/os-release |cut -f 2 -d= |cut -f 2 -d \")
273 echo "Detected distro: ${OS_ID}"
277 echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019"
278 sed -i 's/SELINUX=enforcing/SELINUX=permissive' /etc/sysconfig/selinux
279 setenforce permissive
280 yum install -y curl git jq
283 DEBIAN_FRONTEND=noninteractive apt update
284 DEBIAN_FRONTEND=noninteractive apt install -y curl git jq
288 if which salt-call; then
289 echo "Salt already installed"
291 curl -L https://bootstrap.saltstack.com -o /tmp/bootstrap_salt.sh
292 sh /tmp/bootstrap_salt.sh -XdfP -x python3
293 /bin/systemctl stop salt-minion.service
294 /bin/systemctl disable salt-minion.service
297 # Set salt to masterless mode
298 cat > /etc/salt/minion << EOFSM
313 mkdir -p ${S_DIR} ${F_DIR} ${P_DIR} ${T_DIR}
315 # Get the formula and dependencies
316 cd ${F_DIR} || exit 1
317 echo "Cloning formulas"
318 rm -rf ${F_DIR}/* || exit 1
319 git clone --quiet https://github.com/saltstack-formulas/docker-formula.git ${F_DIR}/docker
320 ( cd docker && git checkout --quiet tags/"${DOCKER_TAG}" -b "${DOCKER_TAG}" )
323 git clone --quiet https://github.com/saltstack-formulas/locale-formula.git ${F_DIR}/locale
324 ( cd locale && git checkout --quiet tags/"${LOCALE_TAG}" -b "${LOCALE_TAG}" )
327 git clone --quiet https://github.com/saltstack-formulas/nginx-formula.git ${F_DIR}/nginx
328 ( cd nginx && git checkout --quiet tags/"${NGINX_TAG}" -b "${NGINX_TAG}" )
331 git clone --quiet https://github.com/saltstack-formulas/postgres-formula.git ${F_DIR}/postgres
332 ( cd postgres && git checkout --quiet tags/"${POSTGRES_TAG}" -b "${POSTGRES_TAG}" )
334 echo "...letsencrypt"
335 git clone --quiet https://github.com/saltstack-formulas/letsencrypt-formula.git ${F_DIR}/letsencrypt
336 ( cd letsencrypt && git checkout --quiet tags/"${LETSENCRYPT_TAG}" -b "${LETSENCRYPT_TAG}" )
339 git clone --quiet https://git.arvados.org/arvados-formula.git ${F_DIR}/arvados
341 # If we want to try a specific branch of the formula
342 if [ "x${BRANCH}" != "x" ]; then
343 ( cd ${F_DIR}/arvados && git checkout --quiet -t origin/"${BRANCH}" -b "${BRANCH}" )
344 elif [ "x${ARVADOS_TAG}" != "x" ]; then
345 ( cd ${F_DIR}/arvados && git checkout --quiet tags/"${ARVADOS_TAG}" -b "${ARVADOS_TAG}" )
348 if [ "x${VAGRANT}" = "xyes" ]; then
349 EXTRA_STATES_DIR="/home/vagrant/${CONFIG_DIR}/states"
350 SOURCE_PILLARS_DIR="/home/vagrant/${CONFIG_DIR}/pillars"
351 SOURCE_TESTS_DIR="/home/vagrant/${TESTS_DIR}"
353 EXTRA_STATES_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/states"
354 SOURCE_PILLARS_DIR="${SCRIPT_DIR}/${CONFIG_DIR}/pillars"
355 SOURCE_TESTS_DIR="${SCRIPT_DIR}/${TESTS_DIR}"
358 SOURCE_STATES_DIR="${EXTRA_STATES_DIR}"
360 echo "Writing pillars and states"
362 # Replace variables (cluster, domain, etc) in the pillars, states and tests
363 # to ease deployment for newcomers
364 if [ ! -d "${SOURCE_PILLARS_DIR}" ]; then
365 echo "${SOURCE_PILLARS_DIR} does not exist or is not a directory. Exiting."
368 for f in $(ls "${SOURCE_PILLARS_DIR}"/*); do
369 sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
370 s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
371 s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
372 s#__CLUSTER__#${CLUSTER}#g;
373 s#__DOMAIN__#${DOMAIN}#g;
374 s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
375 s#__IP_INT__#${IP_INT}#g;
376 s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
377 s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
378 s#__INITIAL_USER__#${INITIAL_USER}#g;
379 s#__LE_AWS_REGION__#${LE_AWS_REGION}#g;
380 s#__LE_AWS_SECRET_ACCESS_KEY__#${LE_AWS_SECRET_ACCESS_KEY}#g;
381 s#__LE_AWS_ACCESS_KEY_ID__#${LE_AWS_ACCESS_KEY_ID}#g;
382 s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
383 s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
384 s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
385 s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
386 s#__RELEASE__#${RELEASE}#g;
387 s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
388 s#__VERSION__#${VERSION}#g;
389 s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
390 s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
391 s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
392 s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
393 s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
394 s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
395 s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
396 s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
397 s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
398 s#__KEEPSTORE1_INT_IP__#${KEEPSTORE1_INT_IP}#g;
399 s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
400 s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
401 s#__SHELL_INT_IP__#${SHELL_INT_IP}#g;
402 s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
403 s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
404 s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
405 s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
406 "${f}" > "${P_DIR}"/$(basename "${f}")
409 if [ "x${TEST}" = "xyes" ] && [ ! -d "${SOURCE_TESTS_DIR}" ]; then
410 echo "You requested to run tests, but ${SOURCE_TESTS_DIR} does not exist or is not a directory. Exiting."
414 # Replace cluster and domain name in the test files
415 for f in $(ls "${SOURCE_TESTS_DIR}"/*); do
416 sed "s#__CLUSTER__#${CLUSTER}#g;
417 s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
418 s#__DOMAIN__#${DOMAIN}#g;
419 s#__IP_INT__#${IP_INT}#g;
420 s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
421 s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g
422 s#__INITIAL_USER__#${INITIAL_USER}#g;
423 s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
424 s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g" \
425 "${f}" > ${T_DIR}/$(basename "${f}")
427 chmod 755 ${T_DIR}/run-test.sh
429 # Replace helper state files that differ from the formula's examples
430 if [ -d "${SOURCE_STATES_DIR}" ]; then
431 mkdir -p "${F_DIR}"/extra/extra
433 for f in $(ls "${SOURCE_STATES_DIR}"/*); do
434 sed "s#__ANONYMOUS_USER_TOKEN__#${ANONYMOUS_USER_TOKEN}#g;
435 s#__CLUSTER__#${CLUSTER}#g;
436 s#__BLOB_SIGNING_KEY__#${BLOB_SIGNING_KEY}#g;
437 s#__CONTROLLER_EXT_SSL_PORT__#${CONTROLLER_EXT_SSL_PORT}#g;
438 s#__DOMAIN__#${DOMAIN}#g;
439 s#__HOSTNAME_EXT__#${HOSTNAME_EXT}#g;
440 s#__IP_INT__#${IP_INT}#g;
441 s#__INITIAL_USER_EMAIL__#${INITIAL_USER_EMAIL}#g;
442 s#__INITIAL_USER_PASSWORD__#${INITIAL_USER_PASSWORD}#g;
443 s#__INITIAL_USER__#${INITIAL_USER}#g;
444 s#__DATABASE_PASSWORD__#${DATABASE_PASSWORD}#g;
445 s#__KEEPWEB_EXT_SSL_PORT__#${KEEPWEB_EXT_SSL_PORT}#g;
446 s#__KEEP_EXT_SSL_PORT__#${KEEP_EXT_SSL_PORT}#g;
447 s#__MANAGEMENT_TOKEN__#${MANAGEMENT_TOKEN}#g;
448 s#__RELEASE__#${RELEASE}#g;
449 s#__SYSTEM_ROOT_TOKEN__#${SYSTEM_ROOT_TOKEN}#g;
450 s#__VERSION__#${VERSION}#g;
451 s#__CLUSTER_INT_CIDR__#${CLUSTER_INT_CIDR}#g;
452 s#__CONTROLLER_INT_IP__#${CONTROLLER_INT_IP}#g;
453 s#__WEBSOCKET_INT_IP__#${WEBSOCKET_INT_IP}#g;
454 s#__KEEP_INT_IP__#${KEEP_INT_IP}#g;
455 s#__KEEPSTORE0_INT_IP__#${KEEPSTORE0_INT_IP}#g;
456 s#__KEEPSTORE1_INT_IP__#${KEEPSTORE1_INT_IP}#g;
457 s#__KEEPWEB_INT_IP__#${KEEPWEB_INT_IP}#g;
458 s#__WEBSHELL_INT_IP__#${WEBSHELL_INT_IP}#g;
459 s#__WORKBENCH1_INT_IP__#${WORKBENCH1_INT_IP}#g;
460 s#__WORKBENCH2_INT_IP__#${WORKBENCH2_INT_IP}#g;
461 s#__DATABASE_INT_IP__#${DATABASE_INT_IP}#g;
462 s#__WEBSHELL_EXT_SSL_PORT__#${WEBSHELL_EXT_SSL_PORT}#g;
463 s#__WEBSOCKET_EXT_SSL_PORT__#${WEBSOCKET_EXT_SSL_PORT}#g;
464 s#__WORKBENCH1_EXT_SSL_PORT__#${WORKBENCH1_EXT_SSL_PORT}#g;
465 s#__WORKBENCH2_EXT_SSL_PORT__#${WORKBENCH2_EXT_SSL_PORT}#g;
466 s#__WORKBENCH_SECRET_KEY__#${WORKBENCH_SECRET_KEY}#g" \
467 "${f}" > "${F_DIR}/extra/extra"/$(basename "${f}")
471 # Now, we build the SALT states/pillars trees
472 # As we need to separate both states and pillars in case we want specific
473 # roles, we iterate on both at the same time
476 cat > ${S_DIR}/top.sls << EOFTSLS
483 cat > ${P_DIR}/top.sls << EOFPSLS
490 # States, extra states
491 if [ -d "${F_DIR}"/extra/extra ]; then
492 SKIP_SNAKE_OIL="snakeoil_certs"
494 if [[ "$DEV_MODE" = "yes" || "${SSL_MODE}" == "self-signed" ]] ; then
495 # In dev mode, we create some snake oil certs that we'll
496 # use as CUSTOM_CERTS, so we don't skip the states file.
497 # Same when using self-signed certificates.
498 SKIP_SNAKE_OIL="dont_add_snakeoil_certs"
500 for f in $(ls "${F_DIR}"/extra/extra/*.sls | grep -v ${SKIP_SNAKE_OIL}); do
501 echo " - extra.$(basename ${f} | sed 's/.sls$//g')" >> ${S_DIR}/top.sls
503 # Use byo or self-signed certificates
504 if [ "${SSL_MODE}" != "lets-encrypt" ]; then
505 mkdir -p "${F_DIR}"/extra/extra/files
509 # If we want specific roles for a node, just add the desired states
510 # and its dependencies
511 if [ -z "${ROLES}" ]; then
513 echo " - nginx.passenger" >> ${S_DIR}/top.sls
514 if [ "${SSL_MODE}" = "lets-encrypt" ]; then
515 if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
516 grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - extra.aws_credentials" >> ${S_DIR}/top.sls
518 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
520 # Use custom certs, as both bring-your-own and self-signed are copied using this state
521 # Copy certs to formula extra/files
522 # In dev mode, the files will be created and put in the destination directory by the
523 # snakeoil_certs.sls state file
524 mkdir -p /srv/salt/certs
525 cp -rv ${CUSTOM_CERTS_DIR}/* /srv/salt/certs/
526 # We add the custom_certs state
527 grep -q "custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
530 echo " - postgres" >> ${S_DIR}/top.sls
531 echo " - docker.software" >> ${S_DIR}/top.sls
532 echo " - arvados" >> ${S_DIR}/top.sls
535 echo " - docker" >> ${P_DIR}/top.sls
536 echo " - nginx_api_configuration" >> ${P_DIR}/top.sls
537 echo " - nginx_controller_configuration" >> ${P_DIR}/top.sls
538 echo " - nginx_keepproxy_configuration" >> ${P_DIR}/top.sls
539 echo " - nginx_keepweb_configuration" >> ${P_DIR}/top.sls
540 echo " - nginx_passenger" >> ${P_DIR}/top.sls
541 echo " - nginx_websocket_configuration" >> ${P_DIR}/top.sls
542 echo " - nginx_webshell_configuration" >> ${P_DIR}/top.sls
543 echo " - nginx_workbench2_configuration" >> ${P_DIR}/top.sls
544 echo " - nginx_workbench_configuration" >> ${P_DIR}/top.sls
545 echo " - postgresql" >> ${P_DIR}/top.sls
547 if [ "${SSL_MODE}" = "lets-encrypt" ]; then
548 if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
549 grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
551 grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
553 # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
554 for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
555 if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
556 # Are we in a single-host-single-hostname env?
557 CERT_NAME=${HOSTNAME_EXT}
559 # We are in a single-host-multiple-hostnames env
560 CERT_NAME=${c}.${CLUSTER}.${DOMAIN}
563 sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${CERT_NAME}*/g;
564 s#__CERT_PEM__#/etc/letsencrypt/live/${CERT_NAME}/fullchain.pem#g;
565 s#__CERT_KEY__#/etc/letsencrypt/live/${CERT_NAME}/privkey.pem#g" \
566 ${P_DIR}/nginx_${c}_configuration.sls
569 # Use custom certs (either dev mode or prod)
570 grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls
571 # And add the certs in the custom_certs pillar
572 echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
573 echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
575 for c in controller websocket workbench workbench2 webshell keepweb keepproxy; do
576 # Are we in a single-host-single-hostname env?
577 if [ "${USE_SINGLE_HOSTNAME}" = "yes" ]; then
578 # Are we in a single-host-single-hostname env?
579 CERT_NAME=${HOSTNAME_EXT}
581 # We are in a multiple-hostnames env
585 if [[ "${SSL_MODE}" = "bring-your-own" || "${SSL_MODE}" == "self-signed" ]]; then
586 copy_custom_cert ${CUSTOM_CERTS_DIR} ${CERT_NAME}
589 grep -q ${CERT_NAME} ${P_DIR}/extra_custom_certs.sls || echo " - ${CERT_NAME}" >> ${P_DIR}/extra_custom_certs.sls
591 # As the pillar differs whether we use LE or custom certs, we need to do a final edition on them
592 sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${CERT_NAME}.pem/g;
593 s#__CERT_PEM__#/etc/nginx/ssl/arvados-${CERT_NAME}.pem#g;
594 s#__CERT_KEY__#/etc/nginx/ssl/arvados-${CERT_NAME}.key#g" \
595 ${P_DIR}/nginx_${c}_configuration.sls
599 # If we add individual roles, make sure we add the repo first
600 echo " - arvados.repo" >> ${S_DIR}/top.sls
601 # We add the extra_custom_certs state
602 grep -q "extra.custom_certs" ${S_DIR}/top.sls || echo " - extra.custom_certs" >> ${S_DIR}/top.sls
604 # And we add the basic part for the certs pillar
605 if [ "${SSL_MODE}" != "lets-encrypt" ]; then
606 # And add the certs in the custom_certs pillar
607 echo "extra_custom_certs_dir: /srv/salt/certs" > ${P_DIR}/extra_custom_certs.sls
608 echo "extra_custom_certs:" >> ${P_DIR}/extra_custom_certs.sls
609 grep -q "extra_custom_certs" ${P_DIR}/top.sls || echo " - extra_custom_certs" >> ${P_DIR}/top.sls
612 for R in ${ROLES}; do
616 echo " - postgres" >> ${S_DIR}/top.sls
618 echo ' - postgresql' >> ${P_DIR}/top.sls
622 # FIXME: https://dev.arvados.org/issues/17352
623 grep -q "postgres.client" ${S_DIR}/top.sls || echo " - postgres.client" >> ${S_DIR}/top.sls
624 grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls
625 ### If we don't install and run LE before arvados-api-server, it fails and breaks everything
626 ### after it. So we add this here as we are, after all, sharing the host for api and controller
627 # Currently, only available on config_examples/multi_host/aws
628 if [ "${SSL_MODE}" = "lets-encrypt" ]; then
629 if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
630 grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
632 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
635 if [ "${SSL_MODE}" = "bring-your-own" ]; then
636 copy_custom_cert ${CUSTOM_CERTS_DIR} controller
638 grep -q controller ${P_DIR}/extra_custom_certs.sls || echo " - controller" >> ${P_DIR}/extra_custom_certs.sls
640 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
642 grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
643 grep -q "postgresql" ${P_DIR}/top.sls || echo " - postgresql" >> ${P_DIR}/top.sls
644 grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls
645 grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls
647 "controller" | "websocket" | "workbench" | "workbench2" | "webshell" | "keepweb" | "keepproxy")
649 grep -q "nginx.passenger" ${S_DIR}/top.sls || echo " - nginx.passenger" >> ${S_DIR}/top.sls
650 # Currently, only available on config_examples/multi_host/aws
651 if [ "${SSL_MODE}" = "lets-encrypt" ]; then
652 if [ "x${USE_LETSENCRYPT_ROUTE53}" = "xyes" ]; then
653 grep -q "aws_credentials" ${S_DIR}/top.sls || echo " - aws_credentials" >> ${S_DIR}/top.sls
655 grep -q "letsencrypt" ${S_DIR}/top.sls || echo " - letsencrypt" >> ${S_DIR}/top.sls
657 # Use custom certs, special case for keepweb
658 if [ ${R} = "keepweb" ]; then
659 if [ "${SSL_MODE}" = "bring-your-own" ]; then
660 copy_custom_cert ${CUSTOM_CERTS_DIR} download
661 copy_custom_cert ${CUSTOM_CERTS_DIR} collections
664 if [ "${SSL_MODE}" = "bring-your-own" ]; then
665 copy_custom_cert ${CUSTOM_CERTS_DIR} ${R}
669 # webshell role is just a nginx vhost, so it has no state
670 if [ "${R}" != "webshell" ]; then
671 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
674 grep -q "nginx_passenger" ${P_DIR}/top.sls || echo " - nginx_passenger" >> ${P_DIR}/top.sls
675 grep -q "nginx_${R}_configuration" ${P_DIR}/top.sls || echo " - nginx_${R}_configuration" >> ${P_DIR}/top.sls
676 # Special case for keepweb
677 if [ ${R} = "keepweb" ]; then
678 grep -q "nginx_download_configuration" ${P_DIR}/top.sls || echo " - nginx_download_configuration" >> ${P_DIR}/top.sls
679 grep -q "nginx_collections_configuration" ${P_DIR}/top.sls || echo " - nginx_collections_configuration" >> ${P_DIR}/top.sls
682 # Currently, only available on config_examples/multi_host/aws
683 if [ "${SSL_MODE}" = "lets-encrypt" ]; then
684 if [ "${USE_LETSENCRYPT_ROUTE53}" = "yes" ]; then
685 grep -q "aws_credentials" ${P_DIR}/top.sls || echo " - aws_credentials" >> ${P_DIR}/top.sls
687 grep -q "letsencrypt" ${P_DIR}/top.sls || echo " - letsencrypt" >> ${P_DIR}/top.sls
688 grep -q "letsencrypt_${R}_configuration" ${P_DIR}/top.sls || echo " - letsencrypt_${R}_configuration" >> ${P_DIR}/top.sls
690 # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
691 # Special case for keepweb
692 if [ ${R} = "keepweb" ]; then
693 for kwsub in download collections; do
694 sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${kwsub}.${CLUSTER}.${DOMAIN}*/g;
695 s#__CERT_PEM__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
696 s#__CERT_KEY__#/etc/letsencrypt/live/${kwsub}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
697 ${P_DIR}/nginx_${kwsub}_configuration.sls
700 sed -i "s/__CERT_REQUIRES__/cmd: create-initial-cert-${R}.${CLUSTER}.${DOMAIN}*/g;
701 s#__CERT_PEM__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/fullchain.pem#g;
702 s#__CERT_KEY__#/etc/letsencrypt/live/${R}.${CLUSTER}.${DOMAIN}/privkey.pem#g" \
703 ${P_DIR}/nginx_${R}_configuration.sls
706 # As the pillar differ whether we use LE or custom certs, we need to do a final edition on them
707 # Special case for keepweb
708 if [ ${R} = "keepweb" ]; then
709 for kwsub in download collections; do
710 sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${kwsub}.pem/g;
711 s#__CERT_PEM__#/etc/nginx/ssl/arvados-${kwsub}.pem#g;
712 s#__CERT_KEY__#/etc/nginx/ssl/arvados-${kwsub}.key#g" \
713 ${P_DIR}/nginx_${kwsub}_configuration.sls
714 grep -q ${kwsub} ${P_DIR}/extra_custom_certs.sls || echo " - ${kwsub}" >> ${P_DIR}/extra_custom_certs.sls
717 sed -i "s/__CERT_REQUIRES__/file: extra_custom_certs_file_copy_arvados-${R}.pem/g;
718 s#__CERT_PEM__#/etc/nginx/ssl/arvados-${R}.pem#g;
719 s#__CERT_KEY__#/etc/nginx/ssl/arvados-${R}.key#g" \
720 ${P_DIR}/nginx_${R}_configuration.sls
721 grep -q ${R} ${P_DIR}/extra_custom_certs.sls || echo " - ${R}" >> ${P_DIR}/extra_custom_certs.sls
727 grep -q "docker" ${S_DIR}/top.sls || echo " - docker.software" >> ${S_DIR}/top.sls
728 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
730 grep -q "docker" ${P_DIR}/top.sls || echo " - docker" >> ${P_DIR}/top.sls
734 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
736 # ATM, no specific pillar needed
740 grep -q "arvados.${R}" ${S_DIR}/top.sls || echo " - arvados.${R}" >> ${S_DIR}/top.sls
742 # ATM, no specific pillar needed
745 echo "Unknown role ${R}"
752 if [ "${DUMP_CONFIG}" = "yes" ]; then
753 # We won't run the rest of the script because we're just dumping the config
757 # FIXME! #16992 Temporary fix for psql call in arvados-api-server
758 if [ -e /root/.psqlrc ]; then
759 if ! ( grep 'pset pager off' /root/.psqlrc ); then
761 cp /root/.psqlrc /root/.psqlrc.provision.backup
767 echo '\pset pager off' >> /root/.psqlrc
768 # END FIXME! #16992 Temporary fix for psql call in arvados-api-server
770 # Now run the install
771 salt-call --local state.apply -l ${LOG_LEVEL}
773 # FIXME! #16992 Temporary fix for psql call in arvados-api-server
774 if [ "x${DELETE_PSQL}" = "xyes" ]; then
775 echo "Removing .psql file"
779 if [ "x${RESTORE_PSQL}" = "xyes" ]; then
780 echo "Restoring .psql file"
781 mv -v /root/.psqlrc.provision.backup /root/.psqlrc
783 # END FIXME! #16992 Temporary fix for psql call in arvados-api-server
785 # Leave a copy of the Arvados CA so the user can copy it where it's required
786 if [ "$DEV_MODE" = "yes" ]; then
787 echo "Copying the Arvados CA certificate to the installer dir, so you can import it"
788 # If running in a vagrant VM, also add default user to docker group
789 if [ "x${VAGRANT}" = "xyes" ]; then
790 cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem
792 echo "Adding the vagrant user to the docker group"
793 usermod -a -G docker vagrant
795 cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem
799 # Test that the installation finished correctly
800 if [ "x${TEST}" = "xyes" ]; then
802 # If we use RVM, we need to run this with it, or most ruby commands will fail
804 if [ -x /usr/local/rvm/bin/rvm-exec ]; then
805 RVM_EXEC="/usr/local/rvm/bin/rvm-exec"
807 ${RVM_EXEC} ./run-test.sh