1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
29 "git.arvados.org/arvados.git/lib/cmd"
30 "git.arvados.org/arvados.git/lib/config"
31 "git.arvados.org/arvados.git/lib/controller/rpc"
32 "git.arvados.org/arvados.git/sdk/go/arvados"
33 "git.arvados.org/arvados.git/sdk/go/auth"
34 "git.arvados.org/arvados.git/sdk/go/ctxlog"
38 var InitCommand cmd.Handler = &initCommand{}
40 type initCommand struct {
43 PostgreSQLPassword string
52 LoginGoogleClientID string
53 LoginGoogleClientSecret string
57 func (initcmd *initCommand) RunCommand(prog string, args []string, stdin io.Reader, stdout, stderr io.Writer) int {
58 logger := ctxlog.New(stderr, "text", "info")
59 ctx := ctxlog.Context(context.Background(), logger)
60 ctx, cancel := context.WithCancel(ctx)
66 logger.WithError(err).Info("exiting")
70 hostname, err := os.Hostname()
72 err = fmt.Errorf("Hostname(): %w", err)
76 flags := flag.NewFlagSet(prog, flag.ContinueOnError)
77 flags.SetOutput(stderr)
78 versionFlag := flags.Bool("version", false, "Write version information to stdout and exit 0")
79 flags.StringVar(&initcmd.ClusterID, "cluster-id", "", "cluster `id`, like x1234 for a dev cluster")
80 flags.StringVar(&initcmd.Domain, "domain", hostname, "cluster public DNS `name`, like x1234.arvadosapi.com")
81 flags.StringVar(&initcmd.Login, "login", "", "login `backend`: test, pam, 'google {client-id} {client-secret}', or ''")
82 flags.StringVar(&initcmd.AdminEmail, "admin-email", "", "give admin privileges to user with given `email`")
83 flags.StringVar(&initcmd.TLS, "tls", "none", "tls certificate `source`: acme, insecure, none, or /path/to/dir containing privkey and cert files")
84 flags.BoolVar(&initcmd.Start, "start", true, "start systemd service after creating config")
85 if ok, code := cmd.ParseFlags(flags, prog, args, "", stderr); !ok {
87 } else if *versionFlag {
88 return cmd.Version.RunCommand(prog, args, stdin, stdout, stderr)
89 } else if !regexp.MustCompile(`^[a-z][a-z0-9]{4}`).MatchString(initcmd.ClusterID) {
90 err = fmt.Errorf("cluster ID %q is invalid; must be an ASCII letter followed by 4 alphanumerics (try -help)", initcmd.ClusterID)
94 if fields := strings.Fields(initcmd.Login); len(fields) == 3 && fields[0] == "google" {
95 initcmd.LoginGoogle = true
96 initcmd.LoginGoogleClientID = fields[1]
97 initcmd.LoginGoogleClientSecret = fields[2]
98 } else if initcmd.Login == "test" {
99 initcmd.LoginTest = true
100 if initcmd.AdminEmail == "" {
101 initcmd.AdminEmail = "admin@example.com"
103 } else if initcmd.Login == "pam" {
104 initcmd.LoginPAM = true
105 } else if initcmd.Login == "" {
106 // none; login will show an error page
108 err = fmt.Errorf("invalid argument to -login: %q: should be 'test', 'pam', 'google {client-id} {client-secret}', or empty", initcmd.Login)
113 case "none", "acme", "insecure":
115 if !strings.HasPrefix(initcmd.TLS, "/") {
116 err = fmt.Errorf("invalid argument to -tls: %q; see %s -help", initcmd.TLS, prog)
119 initcmd.TLSDir = initcmd.TLS
122 confdir := "/etc/arvados"
123 conffile := confdir + "/config.yml"
124 if _, err = os.Stat(conffile); err == nil {
125 err = fmt.Errorf("config file %s already exists; delete it first if you really want to start over", conffile)
130 for i := 4440; i < 4460; i++ {
131 ports = append(ports, i)
133 if initcmd.TLS == "acme" {
134 ports = append(ports, 80)
136 for _, port := range ports {
137 err = initcmd.checkPort(ctx, fmt.Sprintf("%d", port))
143 // Do the "create extension" thing early. This way, if there's
144 // no local postgresql server (a likely failure mode), we can
145 // bail out without any side effects, and the user can start
147 fmt.Fprintln(stderr, "installing pg_trgm postgresql extension...")
148 cmd := exec.CommandContext(ctx, "sudo", "-u", "postgres", "psql", "--quiet",
149 "-c", `CREATE EXTENSION IF NOT EXISTS pg_trgm`)
155 err = fmt.Errorf("error preparing postgresql server: %w", err)
158 fmt.Fprintln(stderr, "...done")
160 wwwuser, err := user.Lookup("www-data")
162 err = fmt.Errorf("user.Lookup(%q): %w", "www-data", err)
165 wwwgid, err := strconv.Atoi(wwwuser.Gid)
169 initcmd.PostgreSQLPassword = initcmd.RandomHex(32)
171 fmt.Fprintln(stderr, "creating data storage directory /var/lib/arvados/keep ...")
172 err = os.Mkdir("/var/lib/arvados/keep", 0600)
173 if err != nil && !os.IsExist(err) {
174 err = fmt.Errorf("mkdir /var/lib/arvados/keep: %w", err)
177 fmt.Fprintln(stderr, "...done")
179 fmt.Fprintln(stderr, "creating config file", conffile, "...")
180 err = os.Mkdir(confdir, 0750)
181 if err != nil && !os.IsExist(err) {
182 err = fmt.Errorf("mkdir %s: %w", confdir, err)
185 err = os.Chown(confdir, 0, wwwgid)
187 err = fmt.Errorf("chown 0:%d %s: %w", wwwgid, confdir, err)
190 f, err := os.OpenFile(conffile+".tmp", os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0644)
192 err = fmt.Errorf("open %s: %w", conffile+".tmp", err)
195 tmpl, err := template.New("config").Parse(`Clusters:
200 "http://0.0.0.0:9000/": {}
201 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4440/" ) }}
204 "http://0.0.0.0:9001/": {}
207 "http://0.0.0.0:8005/": {}
208 ExternalURL: {{printf "%q" ( print "wss://" .Domain ":4446/" ) }}
211 "http://0.0.0.0:9019/": {}
214 "http://0.0.0.0:9005/": {}
215 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4445/" ) }}
218 "http://0.0.0.0:9006/": {}
221 "http://0.0.0.0:9007/": {}
222 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4447/" ) }}
225 "http://0.0.0.0:9008/": {}
226 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4448/" ) }}
229 "http://0.0.0.0:9009/": {}
230 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4449/" ) }}
233 "http://0.0.0.0:9010/": {}
235 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4459/composer" ) }}
238 "http://0.0.0.0:9002/": {}
239 ExternalURL: {{printf "%q" ( print "https://" .Domain ":4442/" ) }}
242 "http://0.0.0.0:9003/": {}
243 ExternalURL: {{printf "%q" ( print "https://" .Domain "/" ) }}
246 "http://0.0.0.0:9011/": {}
248 BlobSigningKey: {{printf "%q" ( .RandomHex 50 )}}
249 {{if eq .TLS "insecure"}}
250 TrustAllContent: true
253 DispatchPrivateKey: {{printf "%q" .GenerateSSHPrivateKey}}
257 ManagementToken: {{printf "%q" ( .RandomHex 50 )}}
263 password: {{printf "%q" .PostgreSQLPassword}}
264 SystemRootToken: {{printf "%q" ( .RandomHex 50 )}}
266 {{if eq .TLS "insecure"}}
268 {{else if eq .TLS "acme"}}
271 {{else if ne .TLSDir ""}}
272 Certificate: {{printf "%q" (print .TLSDir "/cert")}}
273 Key: {{printf "%q" (print .TLSDir "/privkey")}}
278 {{.ClusterID}}-nyw5e-000000000000000:
281 Root: /var/lib/arvados/keep
284 SecretKeyBase: {{printf "%q" ( .RandomHex 50 )}}
289 {{else if .LoginTest}}
295 Email: {{printf "%q" .AdminEmail}}
297 {{else if .LoginGoogle}}
301 ClientID: {{printf "%q" .LoginGoogleClientID}}
302 ClientSecret: {{printf "%q" .LoginGoogleClientSecret}}
305 AutoAdminUserWithEmail: {{printf "%q" .AdminEmail}}
310 err = tmpl.Execute(f, initcmd)
312 err = fmt.Errorf("%s: tmpl.Execute: %w", conffile+".tmp", err)
317 err = fmt.Errorf("%s: close: %w", conffile+".tmp", err)
320 err = os.Rename(conffile+".tmp", conffile)
322 err = fmt.Errorf("rename %s -> %s: %w", conffile+".tmp", conffile, err)
325 fmt.Fprintln(stderr, "...done")
327 ldr := config.NewLoader(nil, logger)
328 ldr.SkipLegacy = true
329 ldr.Path = conffile // load the file we just wrote, even if $ARVADOS_CONFIG is set
330 cfg, err := ldr.Load()
332 err = fmt.Errorf("%s: %w", conffile, err)
335 cluster, err := cfg.GetCluster("")
340 fmt.Fprintln(stderr, "creating postresql user and database...")
341 err = initcmd.createDB(ctx, cluster.PostgreSQL.Connection, stderr)
345 fmt.Fprintln(stderr, "...done")
347 fmt.Fprintln(stderr, "initializing database...")
348 cmd = exec.CommandContext(ctx, "sudo", "-u", "www-data", "-E", "HOME=/var/www", "PATH=/var/lib/arvados/bin:"+os.Getenv("PATH"), "/var/lib/arvados/bin/bundle", "exec", "rake", "db:setup")
349 cmd.Dir = "/var/lib/arvados/railsapi"
354 err = fmt.Errorf("rake db:setup failed: %w", err)
357 fmt.Fprintln(stderr, "...done")
360 fmt.Fprintln(stderr, "starting systemd service...")
361 cmd := exec.CommandContext(ctx, "systemctl", "start", "arvados")
367 err = fmt.Errorf("%v: %w", cmd.Args, err)
370 fmt.Fprintln(stderr, "...done")
372 fmt.Fprintln(stderr, "checking controller API endpoint...")
373 u := url.URL(cluster.Services.Controller.ExternalURL)
374 conn := rpc.NewConn(cluster.ClusterID, &u, cluster.TLS.Insecure, rpc.PassthroughTokenProvider)
375 ctx := auth.NewContext(context.Background(), auth.NewCredentials(cluster.SystemRootToken))
376 _, err = conn.UserGetCurrent(ctx, arvados.GetOptions{})
378 err = fmt.Errorf("API request failed: %w", err)
381 fmt.Fprintln(stderr, "...looks good")
384 if out, err := exec.CommandContext(ctx, "docker", "version").CombinedOutput(); err == nil && strings.Contains(string(out), "\nServer:\n") {
385 fmt.Fprintln(stderr, "loading alpine docker image for diagnostics...")
386 cmd := exec.CommandContext(ctx, "docker", "pull", "alpine")
391 err = fmt.Errorf("%v: %w", cmd.Args, err)
394 cmd = exec.CommandContext(ctx, "arv", "sudo", "keep", "docker", "alpine")
399 err = fmt.Errorf("%v: %w", cmd.Args, err)
402 fmt.Fprintln(stderr, "...done")
404 fmt.Fprintln(stderr, "docker is not installed -- skipping step of downloading 'alpine' image")
407 fmt.Fprintf(stderr, `
408 Setup complete. Next steps:
409 * run 'arv sudo diagnostics'
410 * log in to workbench2 at %s
411 * see documentation at https://doc.arvados.org/install/automatic.html
412 `, cluster.Services.Workbench2.ExternalURL.String())
417 func (initcmd *initCommand) GenerateSSHPrivateKey() (string, error) {
418 privkey, err := rsa.GenerateKey(rand.Reader, 4096)
422 err = privkey.Validate()
426 return string(pem.EncodeToMemory(&pem.Block{
427 Type: "RSA PRIVATE KEY",
428 Bytes: x509.MarshalPKCS1PrivateKey(privkey),
432 func (initcmd *initCommand) RandomHex(chars int) string {
433 b := make([]byte, chars/2)
434 _, err := rand.Read(b)
438 return fmt.Sprintf("%x", b)
441 func (initcmd *initCommand) createDB(ctx context.Context, dbconn arvados.PostgreSQLConnection, stderr io.Writer) error {
442 cmd := exec.CommandContext(ctx, "sudo", "-u", "postgres", "psql", "--quiet",
443 "-c", `CREATE USER `+pq.QuoteIdentifier(dbconn["user"])+` WITH SUPERUSER ENCRYPTED PASSWORD `+pq.QuoteLiteral(dbconn["password"]),
444 "-c", `CREATE DATABASE `+pq.QuoteIdentifier(dbconn["dbname"])+` WITH TEMPLATE template0 ENCODING 'utf8'`,
451 return fmt.Errorf("error setting up arvados user/database: %w", err)
456 // Confirm that http://{initcmd.Domain}:{port} reaches a server that
459 // If port is "80", listening fails, and Nginx appears to be using the
460 // debian-packaged default configuration that listens on port 80,
461 // disable that Nginx config and try again.
463 // (Typically, the reason Nginx is installed is so that Arvados can
464 // run an Nginx child process; the default Nginx service using config
465 // from /etc/nginx is just an unfortunate side effect of installing
466 // Nginx by way of the Debian package.)
467 func (initcmd *initCommand) checkPort(ctx context.Context, port string) error {
468 err := initcmd.checkPortOnce(ctx, port)
469 if err == nil || port != "80" {
470 // success, or poking Nginx in the eye won't help
473 d, err2 := os.Open("/etc/nginx/sites-enabled/.")
477 fis, err2 := d.Readdir(-1)
478 if err2 != nil || len(fis) != 1 {
481 if target, err2 := os.Readlink("/etc/nginx/sites-enabled/default"); err2 != nil || target != "/etc/nginx/sites-available/default" {
484 err2 = os.Remove("/etc/nginx/sites-enabled/default")
488 exec.CommandContext(ctx, "nginx", "-s", "reload").Run()
489 time.Sleep(time.Second)
490 return initcmd.checkPortOnce(ctx, port)
493 // Start an http server on 0.0.0.0:{port} and confirm that
494 // http://{initcmd.Domain}:{port} reaches that server.
495 func (initcmd *initCommand) checkPortOnce(ctx context.Context, port string) error {
496 b := make([]byte, 128)
497 _, err := rand.Read(b)
501 token := fmt.Sprintf("%x", b)
504 Addr: net.JoinHostPort("", port),
505 Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
508 var errServe atomic.Value
510 errServe.Store(srv.ListenAndServe())
513 url := "http://" + net.JoinHostPort(initcmd.Domain, port) + "/probe"
514 req, err := http.NewRequestWithContext(ctx, "GET", url, nil)
518 resp, err := http.DefaultClient.Do(req)
520 defer resp.Body.Close()
522 if errServe, _ := errServe.Load().(error); errServe != nil {
523 // If server already exited, return that error
524 // (probably "can't listen"), not the request error.
530 buf := make([]byte, len(token))
531 n, err := io.ReadFull(resp.Body, buf)
532 if string(buf[:n]) != token {
533 return fmt.Errorf("listened on port %s but %s connected to something else, returned %q, err %v", port, url, buf[:n], err)
projects / arvados.git / blob