14812: Add documentation about migrating Workbench config.

[arvados.git] / doc / install / install-workbench-app.html.textile.liquid

---
layout: default
navsection: installguide
title: Install Workbench
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.

SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}

h2. Install prerequisites

The Arvados package repository includes a Workbench server package that can help automate much of the deployment.

h3(#install_ruby_and_bundler). Install Ruby and Bundler

{% include 'install_ruby_and_bundler' %}

h2(#install_workbench). Install Workbench and dependencies

Workbench doesn't need its own database, so it does not need to have PostgreSQL installed.

{% assign rh_version = "7" %}
{% include 'note_python_sc' %}

On a Debian-based system, install the following packages:

<notextile>
<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential graphviz git python-arvados-python-client arvados-workbench</span>
</code></pre>
</notextile>

On a Red Hat-based system, install the following packages:

<notextile>
<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ graphviz git python-arvados-python-client arvados-workbench</span>
</code></pre>
</notextile>

h2(#configure). Configure Workbench

Edit @/etc/arvados/config.yml@ following the instructions below.  Only a few of the most important configuration options are listed here.  The full set of configuration options are in the "Workbench section of config.yml":{{site.baseurl}}/admin/config.html

h3. Workbench.SecretKeyBase

This application needs a secret token. Generate a new secret:

<notextile>
<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
</code></pre>
</notextile>

Then put that value in the @Workbench.SecretKeyBase@ field.

h3. Services.Controller.ExternalURL

Ensure that @Services.Controller.ExternalURL@ is configured for "Arvados Controller":install-controller.html . For example like this:

<notextile>
<pre><code>Cluster:
  zzzzz:
    Services:
      Controller:
        ExternalURL: https://prefix_uuid.your.domain
</code></pre>
</notextile>

h3. Workbench.SiteName

@Workbench.SiteName@ can be set to any arbitrary string. It is used to identify this Workbench to people visiting it.

h3. TLS.Insecure

For testing only.  Allows use of self-signed certificates.  If true, workbench will not verify the TLS certificate of Arvados Controller.

h2. Configure Piwik

Piwik is optional, and can be to gather usage analytics.  In @/var/www/arvados-workbench/current/config@, copy @piwik.yml.example@ to @piwik.yml@ and edit to suit.

h2. Set up Web server

For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend to serve Workbench.  To do that:

<notextile>
<ol>
<li><a href="https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html">Install Nginx and Phusion Passenger</a>.</li>

<li><p>Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for it.  You might add a block like the following, adding SSL and logging parameters to taste:</p>

<pre><code>server {
  listen 127.0.0.1:9000;
  server_name localhost-workbench;

  root /var/www/arvados-workbench/current/public;
  index  index.html index.htm index.php;

  passenger_enabled on;
  # If you're using RVM, uncomment the line below.
  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;

  # `client_max_body_size` should match the corresponding setting in
  # the API.MaxRequestSize and Controller's server's Nginx configuration.
  client_max_body_size 128m;
}

upstream workbench {
  server     127.0.0.1:9000  fail_timeout=10s;
}

proxy_http_version 1.1;

server {
  listen       <span class="userinput">[your public IP address]</span>:443 ssl;
  server_name  workbench.<span class="userinput">uuid-prefix.your.domain</span>;

  ssl on;
  ssl_certificate     <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
  ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;

  index  index.html index.htm index.php;
  # `client_max_body_size` should match the corresponding setting in
  # the API.MaxRequestSize and Controller's server's Nginx configuration.
  client_max_body_size 128m;

  location / {
    proxy_pass            http://workbench;
    proxy_redirect        off;
    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    proxy_set_header      X-Forwarded-Proto https;
    proxy_set_header      Host $http_host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
</code></pre>
</li>

<li>Restart Nginx.</li>

</ol>
</notextile>

h2. Prepare the Workbench deployment

{% assign railspkg = "arvados-workbench" %}
{% include 'install_rails_reconfigure' %}

{% include 'notebox_begin' %}
You can safely ignore the following error message you may see when Ruby Gems are installed:
<notextile>
<pre><code>themes_for_rails at /usr/local/rvm/gems/ruby-2.1.1/bundler/gems/themes_for_rails-1fd2d7897d75 did not have a valid gemspec.
This prevents bundler from installing bins or native extensions, but that may not affect its functionality.
The validation message from Rubygems was:
  duplicate dependency on rails (= 3.0.11, development), (>= 3.0.0) use:
    add_runtime_dependency 'rails', '= 3.0.11', '>= 3.0.0'
Using themes_for_rails (0.5.1) from https://github.com/holtkampw/themes_for_rails (at 1fd2d78)
</code></pre>
</notextile>
{% include 'notebox_end' %}

h2. Trusted client setting

Log in to Workbench once to ensure that the Arvados API server has a record of the Workbench client. (It's OK if Workbench says your account hasn't been activated yet. We'll deal with that next.)

In the <strong>API server</strong> project root, start the Rails console.  {% include 'install_rails_command' %}

At the console, enter the following commands to locate the ApiClient record for your Workbench installation (typically, while you're setting this up, the @last@ one in the database is the one you want), then set the @is_trusted@ flag for the appropriate client record:

<notextile><pre><code>irb(main):001:0&gt; <span class="userinput">wb = ApiClient.all.last; [wb.url_prefix, wb.created_at]</span>
=&gt; ["https://workbench.example.com/", Sat, 19 Apr 2014 03:35:12 UTC +00:00]
irb(main):002:0&gt; <span class="userinput">include CurrentApiClient</span>
=&gt; true
irb(main):003:0&gt; <span class="userinput">act_as_system_user do wb.update_attributes!(is_trusted: true) end</span>
=&gt; true
</code></pre>
</notextile>

h2(#admin-user). Add an admin user

Next, we're going to use the Rails console on the <strong>API server</strong> to activate your account and give yourself admin privileges.  {% include 'install_rails_command' %}

Enter the following commands at the console:

<notextile>
<pre><code>irb(main):001:0&gt; <span class="userinput">Thread.current[:user] = User.all.select(&:identity_url).last</span>
irb(main):002:0&gt; <span class="userinput">Thread.current[:user].update_attributes is_admin: true, is_active: true</span>
irb(main):003:0&gt; <span class="userinput">User.where(is_admin: true).collect &:email</span>
=&gt; ["root", "<b>your_address@example.com</b>"]
</code></pre></notextile>

At this point, you should have a working Workbench login with administrator privileges. Revisit your Workbench URL in a browser and reload the page to access it.