---
layout: default
navsection: installguide
title: Install API server and Controller
...
{% comment %}
Copyright (C) The Arvados Authors. All rights reserved.

SPDX-License-Identifier: CC-BY-SA-3.0
{% endcomment %}

# "Introduction":#introduction
# "Set up database":#database-setup
# "Update config.yml":#update-config
# "Update nginx configuration":#update-nginx
# "Install packages":#install-packages

h2(#introduction). Introduction

The Arvados core API server consists of four services: PostgreSQL, Arvados Rails API, Arvados Controller, and Nginx.

Here is a simplified diagram showing the relationship between the core services.  Client requests arrive at the public-facing Nginx reverse proxy.  The request is forwarded to Arvados controller.  The controller is able handle some requests itself, the rest are forwarded to the Arvados Rails API.  The Rails API server implements the majority of business logic, communicating with the PostgreSQL database to fetch data and make transactional updates.  All services are stateless, except the PostgreSQL database.  This guide assumes all of these services will be installed on the same node, but it is possible to install these services across multiple nodes.

!(full-width){{site.baseurl}}/images/proxy-chain.svg!

h2(#database-setup). Set up database

"On the node that will host the database, install PostgreSQL":install-postgresql.html .

{% assign service_role = "arvados" %}
{% assign service_database = "arvados_production" %}
{% assign use_contrib = true %}
{% include 'install_postgres_database' %}

h2(#update-config). Update config.yml

Starting from an "empty config.yml file,":config.html#empty add the following configuration keys.

h3. Tokens

<notextile>
<pre><code>    SystemRootToken: <span class="userinput">"$system_root_token"</span>
    ManagementToken: <span class="userinput">"$management_token"</span>
    API:
      RailsSessionSecretToken: <span class="userinput">"$rails_secret_token"</span>
</code></pre>
</notextile>

@SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.

@ManagementToken@ is used to authenticate access to system metrics.

@API.RailsSessionSecretToken@ is required by the API server.

You can generate a random token for each of these items at the command line like this:

<notextile>
<pre><code>~$ <span class="userinput">tr -dc 0-9a-zA-Z &lt;/dev/urandom | head -c50; echo</span>
</code></pre>
</notextile>

h3. PostgreSQL.Connection

<notextile>
<pre><code>    PostgreSQL:
      Connection:
        host: <span class="userinput">localhost</span>
        user: <span class="userinput">arvados</span>
        password: <span class="userinput">$postgres_password</span>
        dbname: <span class="userinput">arvados_production</span>
</code></pre>
</notextile>

Replace the @$postgres_password@ placeholder with the password you generated during "database setup":#database-setup .

h3. Services

<notextile>
<pre><code>    Services:
      Controller:
        ExternalURL: <span class="userinput">"https://xxxxx.example.com"</span>
        InternalURLs:
          <span class="userinput">"http://xxxxx.example.com:8003": {}</span>
      RailsAPI:
        # Does not have an ExternalURL
        InternalURLs:
          <span class="userinput">"http://xxxxx.example.com:8004": {}</span>
</code></pre>
</notextile>

Replace @xxxxx.example.com@ with the hostname that you previously selected for the API server.

The @Services@ section of the configuration helps Arvados components contact one another (service discovery).  Each service has one or more @InternalURLs@ and an @ExternalURL@.  The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it.  The @ExternalURL@ is how external clients contact the service.

h2(#update-nginx). Update nginx configuration

Create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ . Configuration options that need attention are marked with "TODO".

<notextile>
<pre><code>
proxy_http_version 1.1;

# When Keep clients request a list of Keep services from the API
# server, use the origin IP address to determine if the request came
# from the internal subnet or it is an external client.  This sets the
# $external_client variable which in turn is used to set the
# X-External-Client header.
#
# The API server uses this header to choose whether to respond to a
# "available keep services" request with either a list of internal keep
# servers (0) or with the keepproxy (1).
#
# TODO: Following the example here, update the netmask to the
# your internal subnet.

geo $external_client {
  default        1;
  <span class="userinput">10.20.30.0/24</span>  0;
}

# This is the port where nginx expects to contact arvados-controller.
upstream controller {
  server     127.0.0.1:8003  fail_timeout=10s;
}

server {
  # This configures the public https port that clients will actually connect to,
  # the request is reverse proxied to the upstream 'controller'

  listen       <span class="userinput">[TODO: replace with your public IP address]</span>:443 ssl;
  server_name  <span class="userinput">[TODO: replace with the api server hostname]</span>;

  ssl on;
  ssl_certificate     <span class="userinput">/TODO/YOUR/PATH/TO/cert.pem</span>;
  ssl_certificate_key <span class="userinput">/TODO/YOUR/PATH/TO/cert.key</span>;

  # Refer to the comment about this setting in the passenger (arvados
  # api server) section of your Nginx configuration.
  client_max_body_size 128m;

  location / {
    proxy_pass            http://controller;
    proxy_redirect        off;
    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    proxy_set_header      X-Forwarded-Proto https;
    proxy_set_header      Host $http_host;
    proxy_set_header      X-External-Client $external_client;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}

server {
  # This configures the Arvados API server.  It is written using Ruby
  # on Rails and uses the Passenger application server.

  listen 127.0.0.1:8004;
  server_name localhost-api;

  root /var/www/arvados-api/current/public;
  index  index.html index.htm index.php;

  passenger_enabled on;
  # If you're using RVM, uncomment the line below.
  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;

  # This value effectively limits the size of API objects users can
  # create, especially collections.  If you change this, you should
  # also ensure the following settings match it:
  # * `client_max_body_size` in the previous server section
  # * `API.MaxRequestSize` in config.yml
  client_max_body_size 128m;
}
</code></pre>
</notextile>

h2(#install-packages). Install packages

Step 1: "Install Ruby and Bundler":ruby.html

Step 2: "Install Nginx and Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.

Step 3: Install arvados-api-server and arvados-controller

h3. Debian and Ubuntu

<notextile>
<pre><code>~$ <span class="userinput">sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server arvados-controller</span>
</code></pre>
</notextile>

h3. Centos 7

<notextile>
<pre><code>~$ <span class="userinput">sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server arvados-controller</span>
</code></pre>
</notextile>

h2. Confirm working installation

Confirm working controller:

<pre>
$ curl https://xxxxx.example.com/arvados/v1/config
</pre>

Confirm working Rails API server:

<pre>
$ curl https://xxxxx.example.com/discovery/v1/apis/arvados/v1/rest
</pre>

Confirm that you can use the system root token to act as the system root user:

<pre>
$ curl -H "Authorization: Bearer $system_root_token" https://xxxxx.example.com/arvados/v1/users/current
</pre>

h2. Troubleshooting

See the admin page on "Logging":{{site.baseurl}}/admin/logging.html .