Merge branch '15795-sys-root-token'

[arvados.git] / doc / install / install-manual-prerequisites.html.textile.liquid

---
layout: default
navsection: installguide
title: Prerequisites
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.

SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}

h2. Supported Cloud and HPC platforms

Arvados can run in a variety of configurations.  For compute scheduling, Arvados supports HPC clusters using @slurm@, and supports elastic cloud computing on AWS, Google and Azure.  For storage, Arvados can store blocks on regular file systems such as ext4 or xfs, on network file systems such as GPFS, or object storage such as Azure blob storage, Amazon S3, and other object storage that supports the S3 API including Google Cloud Storage and Ceph.

h2. Hardware (or virtual machines)

This guide assumes you have seven systems available in the same network subnet:

<div class="offset1">
table(table table-bordered table-condensed).
|_. Function|_. Number of nodes|
|Arvados API, Crunch dispatcher, Git, Websockets and Workbench|1|
|Arvados Compute node|1|
|Arvados Keepproxy and Keep-web server|1|
|Arvados Keepstore servers|2|
|Arvados Shell server|1|
|Arvados SSO server|1|
</div>

The number of Keepstore, shell and compute nodes listed above is a minimum. In a real production installation, you will likely run many more of each of those types of nodes. In such a scenario, you would probably also want to dedicate a node to the Workbench server and Crunch dispatcher, respectively. For performance reasons, you may want to run the database server on a separate node as well.

h2. Supported GNU/Linux distributions

table(table table-bordered table-condensed).
|_. Distribution|_. State|_. Last supported version|
|CentOS 7|Supported|Latest|
|Debian 10 ("buster")|Supported|Latest|
|Debian 9 ("stretch")|Supported|Latest|
|Ubuntu 18.04 ("bionic")|Supported|Latest|
|Ubuntu 16.04 ("xenial")|Supported|Latest|
|Ubuntu 14.04 ("trusty")|EOL|5f943cd451acfbdcddd84e791738c3aa5926bfed (2019-07-10)|
|Debian 8 ("jessie")|EOL|5f943cd451acfbdcddd84e791738c3aa5926bfed (2019-07-10)|
|Ubuntu 12.04 ("precise")|EOL|8ed7b6dd5d4df93a3f37096afe6d6f81c2a7ef6e (2017-05-03)|
|Debian 7 ("wheezy")|EOL|997479d1408139e96ecdb42a60b4f727f814f6c9 (2016-12-28)|
|CentOS 6 |EOL|997479d1408139e96ecdb42a60b4f727f814f6c9 (2016-12-28)|

Arvados packages are published for current Debian releases (until the EOL date), current Ubuntu LTS releases (until the end of standard support), and the latest version of CentOS.

h2(#repos). Arvados package repositories

On any host where you install Arvados software, you'll need to set up an Arvados package repository.  They're available for several popular distributions.

h3. CentOS

Packages are available for CentOS 7. To install them with yum, save this configuration block in @/etc/yum.repos.d/arvados.repo@:

<notextile>
<pre><code>[arvados]
name=Arvados
baseurl=http://rpm.arvados.org/CentOS/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://rpm.arvados.org/CentOS/RPM-GPG-KEY-curoverse
</code></pre>
</notextile>

{% include 'install_redhat_key' %}

h3. Debian and Ubuntu

Packages are available for Debian 9 ("stretch"), Ubuntu 16.04 ("xenial") and Ubuntu 18.04 ("bionic").

First, register the Curoverse signing key in apt's database:

{% include 'install_debian_key' %}

Configure apt to retrieve packages from the Arvados package repository. This command depends on your OS vendor and version:

table(table table-bordered table-condensed).
|_. OS version|_. Command|
|Debian 9 ("stretch")|<notextile><code><span class="userinput">echo "deb http://apt.arvados.org/ stretch main" &#x7c; sudo tee /etc/apt/sources.list.d/arvados.list</span></code></notextile>|
|Ubuntu 16.04 ("xenial")[1]|<notextile><code><span class="userinput">echo "deb http://apt.arvados.org/ xenial main" &#x7c; sudo tee /etc/apt/sources.list.d/arvados.list</span></code></notextile>|
|Ubuntu 18.04 ("bionic")[1]|<notextile><code><span class="userinput">echo "deb http://apt.arvados.org/ bionic main" &#x7c; sudo tee /etc/apt/sources.list.d/arvados.list</span></code></notextile>|

{% include 'notebox_begin' %}

fn1. Arvados packages for Ubuntu may depend on third-party packages in Ubuntu's "universe" repository.  If you're installing on Ubuntu, make sure you have the universe sources uncommented in @/etc/apt/sources.list@.

{% include 'notebox_end' %}

Retrieve the package list:

<notextile>
<pre><code>~$ <span class="userinput">sudo apt-get update</span>
</code></pre>
</notextile>

h2. A unique identifier

Each Arvados installation should have a globally unique identifier, which is a unique 5-character lowercase alphanumeric string. For testing purposes, here is one way to make a random 5-character string:

<notextile>
<pre><code>~$ <span class="userinput">tr -dc 0-9a-z &lt;/dev/urandom | head -c5; echo</span>
</code></pre>
</notextile>

You may also use a different method to pick the unique identifier. The unique identifier will be part of the hostname of the services in your Arvados cluster. The rest of this documentation will refer to it as your @uuid_prefix@.


h2. SSL certificates

There are six public-facing services that require an SSL certificate. If you do not have official SSL certificates, you can use self-signed certificates.

{% include 'notebox_begin' %}

Most Arvados clients and services will accept self-signed certificates when the @ARVADOS_API_HOST_INSECURE@ environment variable is set to @true@.  However, web browsers generally do not make it easy for users to accept self-signed certificates from Web sites.

Users who log in through Workbench will visit at least three sites: the SSO server, the API server, and Workbench itself.  When a browser visits each of these sites, it will warn the user if the site uses a self-signed certificate, and the user must accept it before continuing.  This procedure usually only needs to be done once in a browser.

After that's done, Workbench includes JavaScript clients for other Arvados services.  Users are usually not warned if these client connections are refused because the server uses a self-signed certificate, and it is especially difficult to accept those cerficiates:

* JavaScript connects to the Websockets server to provide incremental page updates and view logs from running jobs.
* JavaScript connects to the API and Keepproxy servers to upload local files to collections.
* JavaScript connects to the Keep-web server to download log files.

In sum, Workbench will be much less pleasant to use in a cluster that uses self-signed certificates.  You should avoid using self-signed certificates unless you plan to deploy a cluster without Workbench; you are deploying only to evaluate Arvados as an individual system administrator; or you can push configuration to users' browsers to trust your self-signed certificates.

{% include 'notebox_end' %}

By convention, we use the following hostname pattern:

<div class="offset1">
table(table table-bordered table-condensed).
|_. Function|_. Hostname|
|Arvados API|@uuid_prefix@.your.domain|
|Arvados Git server|git.@uuid_prefix@.your.domain|
|Arvados Keepproxy server|keep.@uuid_prefix@.your.domain|
|Arvados Keep-web server|download.@uuid_prefix@.your.domain
_and_
*.collections.@uuid_prefix@.your.domain or
*<notextile>--</notextile>collections.@uuid_prefix@.your.domain or
collections.@uuid_prefix@.your.domain (see the "keep-web install docs":install-keep-web.html)|
|Arvados SSO Server|auth.your.domain|
|Arvados Websockets endpoint|ws.@uuid_prefix@.your.domain|
|Arvados Workbench|workbench.@uuid_prefix@.your.domain|
</div>