3 navsection: installguide
4 title: Install API server and Controller
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
12 # "Introduction":#introduction
13 # "Install dependencies":#dependencies
14 # "Set up database":#database-setup
15 # "Update config.yml":#update-config
16 # "Update nginx configuration":#update-nginx
17 # "Install arvados-api-server and arvados-controller":#install-packages
18 # "Confirm working installation":#confirm-working
20 h2(#introduction). Introduction
22 The Arvados core API server consists of four services: PostgreSQL, Arvados Rails API, Arvados Controller, and Nginx.
24 Here is a simplified diagram showing the relationship between the core services. Client requests arrive at the public-facing Nginx reverse proxy. The request is forwarded to Arvados controller. The controller is able handle some requests itself, the rest are forwarded to the Arvados Rails API. The Rails API server implements the majority of business logic, communicating with the PostgreSQL database to fetch data and make transactional updates. All services are stateless, except the PostgreSQL database. This guide assumes all of these services will be installed on the same node, but it is possible to install these services across multiple nodes.
26 !(full-width){{site.baseurl}}/images/proxy-chain.svg!
28 h2(#dependencies). Install dependencies
30 # "Install PostgreSQL":install-postgresql.html
31 # "Install Ruby and Bundler":ruby.html
32 # "Install nginx":nginx.html
33 # "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html
35 h2(#database-setup). Set up database
37 {% assign service_role = "arvados" %}
38 {% assign service_database = "arvados_production" %}
39 {% assign use_contrib = true %}
40 {% include 'install_postgres_database' %}
42 h2(#update-config). Update config.yml
44 Starting from an "empty config.yml file,":config.html#empty add the following configuration keys.
49 <pre><code> SystemRootToken: <span class="userinput">"$system_root_token"</span>
50 ManagementToken: <span class="userinput">"$management_token"</span>
52 RailsSessionSecretToken: <span class="userinput">"$rails_secret_token"</span>
54 BlobSigningKey: <span class="userinput">"blob_signing_key"</span>
58 @SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
60 @ManagementToken@ is used to authenticate access to system metrics.
62 @API.RailsSessionSecretToken@ is required by the API server.
64 @Collections.BlobSigningKey@ is used to control access to Keep blocks.
66 You can generate a random token for each of these items at the command line like this:
69 <pre><code>~$ <span class="userinput">tr -dc 0-9a-zA-Z </dev/urandom | head -c50; echo</span>
73 h3. PostgreSQL.Connection
76 <pre><code> PostgreSQL:
78 host: <span class="userinput">localhost</span>
79 user: <span class="userinput">arvados</span>
80 password: <span class="userinput">$postgres_password</span>
81 dbname: <span class="userinput">arvados_production</span>
85 Replace the @$postgres_password@ placeholder with the password you generated during "database setup":#database-setup .
92 ExternalURL: <span class="userinput">"https://ClusterID.example.com"</span>
94 <span class="userinput">"http://localhost:8003": {}</span>
96 # Does not have an ExternalURL
98 <span class="userinput">"http://localhost:8004": {}</span>
102 Replace @ClusterID.example.com@ with the hostname that you previously selected for the API server.
104 The @Services@ section of the configuration helps Arvados components contact one another (service discovery). Each service has one or more @InternalURLs@ and an @ExternalURL@. The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it. The @ExternalURL@ is how external clients contact the service.
106 h2(#update-nginx). Update nginx configuration
108 Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ with the following configuration. Options that need attention are marked in <span class="userinput">red</span>.
111 <pre><code>proxy_http_version 1.1;
113 # When Keep clients request a list of Keep services from the API
114 # server, use the origin IP address to determine if the request came
115 # from the internal subnet or it is an external client. This sets the
116 # $external_client variable which in turn is used to set the
117 # X-External-Client header.
119 # The API server uses this header to choose whether to respond to a
120 # "available keep services" request with either a list of internal keep
121 # servers (0) or with the keepproxy (1).
123 # <span class="userinput">Following the example here, update the 10.20.30.0/24 netmask</span>
124 # <span class="userinput">to match your private subnet.</span>
125 # <span class="userinput">Update 1.2.3.4 and add lines as necessary with the public IP</span>
126 # <span class="userinput">address of all servers that can also access the private network to</span>
127 # <span class="userinput">ensure they are not considered 'external'.</span>
129 geo $external_client {
132 <span class="userinput">10.20.30.0/24</span> 0;
133 <span class="userinput">1.2.3.4/32</span> 0;
136 # This is the port where nginx expects to contact arvados-controller.
137 upstream controller {
138 server localhost:8003 fail_timeout=10s;
142 # This configures the public https port that clients will actually connect to,
143 # the request is reverse proxied to the upstream 'controller'
146 server_name <span class="userinput">ClusterID.example.com</span>;
148 ssl_certificate <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
149 ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
151 # Refer to the comment about this setting in the passenger (arvados
152 # api server) section of your Nginx configuration.
153 client_max_body_size 128m;
156 proxy_pass http://controller;
158 proxy_connect_timeout 90s;
159 proxy_read_timeout 300s;
161 proxy_set_header X-Forwarded-Proto https;
162 proxy_set_header Host $http_host;
163 proxy_set_header X-External-Client $external_client;
164 proxy_set_header X-Real-IP $remote_addr;
165 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
170 # This configures the Arvados API server. It is written using Ruby
171 # on Rails and uses the Passenger application server.
173 listen <span class="userinput">localhost:8004</span>;
174 server_name localhost-api;
176 root /var/www/arvados-api/current/public;
177 index index.html index.htm index.php;
179 passenger_enabled on;
181 # <span class="userinput">If you are using RVM, uncomment the line below.</span>
182 # <span class="userinput">If you're using system ruby, leave it commented out.</span>
183 #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
185 # This value effectively limits the size of API objects users can
186 # create, especially collections. If you change this, you should
187 # also ensure the following settings match it:
188 # * `client_max_body_size` in the previous server section
189 # * `API.MaxRequestSize` in config.yml
190 client_max_body_size 128m;
195 {% assign arvados_component = 'arvados-api-server arvados-controller' %}
197 {% include 'install_packages' %}
199 {% assign arvados_component = 'arvados-controller' %}
201 {% include 'start_service' %}
203 h2(#confirm-working). Confirm working installation
205 Confirm working controller:
207 <notextile><pre><code>$ curl https://<span class="userinput">ClusterID.example.com</span>/arvados/v1/config
208 </code></pre></notextile>
210 Confirm working Rails API server:
212 <notextile><pre><code>$ curl https://<span class="userinput">ClusterID.example.com</span>/discovery/v1/apis/arvados/v1/rest
213 </code></pre></notextile>
215 Confirm that you can use the system root token to act as the system root user:
217 <notextile><pre><code>
218 $ curl -H "Authorization: Bearer $system_root_token" https://<span class="userinput">ClusterID.example.com</span>/arvados/v1/users/current
219 </code></pre></notextile>
223 If you are getting TLS errors, make sure the @ssl_certificate@ directive in your nginx configuration has the "full certificate chain":http://nginx.org/en/docs/http/configuring_https_servers.html#chains
225 Logs can be found in @/var/www/arvados-api/current/log/production.log@ and using @journalctl -u arvados-controller@.
227 See also the admin page on "Logging":{{site.baseurl}}/admin/logging.html .