3 navsection: installguide
4 title: Install API server and Controller
7 Copyright (C) The Arvados Authors. All rights reserved.
9 SPDX-License-Identifier: CC-BY-SA-3.0
12 # "Introduction":#introduction
13 # "Install dependencies":#dependencies
14 # "Set up database":#database-setup
15 # "Update config.yml":#update-config
16 # "Update nginx configuration":#update-nginx
17 # "Install arvados-api-server and arvados-controller":#install-packages
18 # "Confirm working installation":#confirm-working
20 h2(#introduction). Introduction
22 The Arvados core API server consists of four services: PostgreSQL, Arvados Rails API, Arvados Controller, and Nginx.
24 Here is a simplified diagram showing the relationship between the core services. Client requests arrive at the public-facing Nginx reverse proxy. The request is forwarded to Arvados controller. The controller is able handle some requests itself, the rest are forwarded to the Arvados Rails API. The Rails API server implements the majority of business logic, communicating with the PostgreSQL database to fetch data and make transactional updates. All services are stateless, except the PostgreSQL database. This guide assumes all of these services will be installed on the same node, but it is possible to install these services across multiple nodes.
26 !(full-width){{site.baseurl}}/images/proxy-chain.svg!
28 h2(#dependencies). Install dependencies
30 # "Install PostgreSQL":install-postgresql.html
31 # "Install nginx":nginx.html
33 h2(#database-setup). Set up database
35 {% assign service_role = "arvados" %}
36 {% assign service_database = "arvados_production" %}
37 {% assign use_contrib = true %}
38 {% include 'install_postgres_database' %}
40 h2(#update-config). Update config.yml
42 Starting from an "empty config.yml file,":config.html#empty add the following configuration keys.
47 <pre><code> SystemRootToken: <span class="userinput">"$system_root_token"</span>
48 ManagementToken: <span class="userinput">"$management_token"</span>
50 BlobSigningKey: <span class="userinput">"$blob_signing_key"</span>
54 These secret tokens are used to authenticate messages between Arvados components.
55 * @SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
56 * @ManagementToken@ is used to authenticate access to system metrics.
57 * @Collections.BlobSigningKey@ is used to control access to Keep blocks.
59 Each token should be a string of at least 50 alphanumeric characters. You can generate a suitable token with the following command:
62 <pre><code>~$ <span class="userinput">tr -dc 0-9a-zA-Z </dev/urandom | head -c50 ; echo</span>
66 h3. PostgreSQL.Connection
69 <pre><code> PostgreSQL:
71 host: <span class="userinput">localhost</span>
72 user: <span class="userinput">arvados</span>
73 password: <span class="userinput">$postgres_password</span>
74 dbname: <span class="userinput">arvados_production</span>
78 Replace the @$postgres_password@ placeholder with the password you generated during "database setup":#database-setup.
85 ExternalURL: <span class="userinput">"https://ClusterID.example.com"</span>
87 <span class="userinput">"http://localhost:8003": {}</span>
89 # Does not have an ExternalURL
91 <span class="userinput">"http://localhost:8004": {}</span>
93 # Does not have InternalURLs
94 ExternalURL: <span class="userinput">"https://*.containers.ClusterID.example.com"</span>
98 Replace @ClusterID.example.com@ with the hostname that you previously selected for the API server.
100 The @Services@ section of the configuration helps Arvados components contact one another (service discovery). Each service has one or more @InternalURLs@ and an @ExternalURL@. The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it. The @ExternalURL@ is how external clients contact the service.
102 h2(#update-nginx). Update nginx configuration
104 Use a text editor to create a new file @/etc/nginx/conf.d/arvados-controller.conf@ with the following configuration. Options that need attention are marked in <span class="userinput">red</span>.
107 <pre><code>proxy_http_version 1.1;
109 # When Keep clients request a list of Keep services from the API
110 # server, use the origin IP address to determine if the request came
111 # from the internal subnet or it is an external client. This sets the
112 # $external_client variable which in turn is used to set the
113 # X-External-Client header.
115 # The API server uses this header to choose whether to respond to a
116 # "available keep services" request with either a list of internal keep
117 # servers (0) or with the keepproxy (1).
119 # <span class="userinput">Following the example here, update the 10.20.30.0/24 netmask</span>
120 # <span class="userinput">to match your private subnet.</span>
121 # <span class="userinput">Update 1.2.3.4 and add lines as necessary with the public IP</span>
122 # <span class="userinput">address of all servers that can also access the private network to</span>
123 # <span class="userinput">ensure they are not considered 'external'.</span>
125 geo $external_client {
128 <span class="userinput">10.20.30.0/24</span> 0;
129 <span class="userinput">1.2.3.4/32</span> 0;
132 # This is the port where nginx expects to contact arvados-controller.
133 upstream controller {
134 server localhost:8003 fail_timeout=10s;
138 # This configures the public https port that clients will actually connect to,
139 # the request is reverse proxied to the upstream 'controller'
142 server_name <span class="userinput">ClusterID.example.com</span>
143 *.<span class="userinput">containers.ClusterID.example.com</span>;
145 ssl_certificate <span class="userinput">/YOUR/PATH/TO/cert.pem</span>;
146 ssl_certificate_key <span class="userinput">/YOUR/PATH/TO/cert.key</span>;
148 # Refer to the comment about this setting in the passenger (arvados
149 # api server) section of your Nginx configuration.
150 client_max_body_size 128m;
153 proxy_pass http://controller;
155 proxy_connect_timeout 90s;
156 proxy_read_timeout 300s;
157 proxy_max_temp_file_size 0;
158 proxy_request_buffering off;
160 proxy_http_version 1.1;
162 proxy_set_header Host $http_host;
163 proxy_set_header Upgrade $http_upgrade;
164 proxy_set_header Connection "upgrade";
165 proxy_set_header X-External-Client $external_client;
166 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
167 proxy_set_header X-Forwarded-Proto https;
168 proxy_set_header X-Real-IP $remote_addr;
174 h2. Enable development repository
176 Skip to the next section if you are installing on Debian or Ubuntu.
178 On Red Hat, AlmaLinux, and Rocky Linux, the API server package depends on development headers available from a separate repository. The repository you need depends on which version of the distribution you're running. Run the command given for your distribution below:
180 |_. Distribution and version|_. Command to enable repository|
181 |Red Hat/AlmaLinux/Rocky Linux 9|@# dnf config-manager --set-enabled devel@|
182 |Red Hat/AlmaLinux/Rocky Linux 8|@# dnf config-manager --set-enabled powertools@|
184 {% assign arvados_component = 'arvados-api-server arvados-controller' %}
186 {% include 'install_packages' %}
188 h3(#railsapi-config). Configure Rails API server
190 By default, the Rails API server is configured to listen on @localhost:8004@, matching the example cluster configuration above. If you need to change this, edit the @arvados-railsapi.service@ definition to redefine the @PASSENGER_ADDRESS@ and @PASSENGER_PORT@ environment variables, like this:
193 <pre><code># <span class="userinput">systemctl edit arvados-railsapi.service</span>
194 ### Editing /etc/systemd/system/arvados-railsapi.service.d/override.conf
195 ### Anything between here and the comment below will become the new contents of the file
196 <span class="userinput">[Service]
197 Environment=PASSENGER_ADDRESS=<strong>0.0.0.0</strong>
198 Environment=PASSENGER_PORT=<strong>8040</strong></span>
199 ### Lines below this comment will be discarded
204 You can similarly define other Passenger settings if desired. The "Passenger Standalone reference":https://www.phusionpassenger.com/library/config/standalone/reference/ documents all the available settings.
206 {% assign arvados_component = 'arvados-railsapi arvados-controller' %}
208 {% include 'start_service' %}
210 h2(#confirm-working). Confirm working installation
212 We recommend using the "Cluster diagnostics tool.":diagnostics.html The first few tests (10, 20, 30) will succeed if you have a working API server and controller. Of course, tests for services that you have not yet installed and configured will fail.
214 Here are some other checks you can perform manually.
216 h3. Confirm working controller
218 <notextile><pre><code>$ curl https://<span class="userinput">ClusterID.example.com</span>/arvados/v1/config
219 </code></pre></notextile>
221 h3. Confirm working Rails API server
223 <notextile><pre><code>$ curl https://<span class="userinput">ClusterID.example.com</span>/discovery/v1/apis/arvados/v1/rest
224 </code></pre></notextile>
226 h3. Confirm that you can use the system root token to act as the system root user
228 <notextile><pre><code>$ curl -H "Authorization: Bearer $system_root_token" https://<span class="userinput">ClusterID.example.com</span>/arvados/v1/users/current
229 </code></pre></notextile>
233 If you are getting TLS errors, make sure the @ssl_certificate@ directive in your nginx configuration has the "full certificate chain":http://nginx.org/en/docs/http/configuring_https_servers.html#chains.
235 Logs can be found in @/var/www/arvados-api/current/log/production.log@ and using @journalctl -u arvados-controller@. See also the admin page on "Logging":{{site.baseurl}}/admin/logging.html.
projects / arvados.git / blob