X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/2d29045a1b392251b777639634e527abfd8b06e2..37710c707e0f7b0a57a836ff8cc42dd0c5f762ff:/lib/config/config.default.yml diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index 472a22c6b2..3ca137e9c4 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml @@ -373,6 +373,24 @@ Clusters: # cluster. RoleGroupsVisibleToAll: true + # If CanCreateRoleGroups is true, regular (non-admin) users can + # create new role groups. + # + # If false, only admins can create new role groups. + CanCreateRoleGroups: true + + # During each period, a log entry with event_type="activity" + # will be recorded for each user who is active during that + # period. The object_uuid attribute will indicate the user's + # UUID. + # + # Multiple log entries for the same user may be generated during + # a period if there are multiple controller processes or a + # controller process is restarted. + # + # Use 0 to disable activity logging. + ActivityLoggingPeriod: 24h + AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added # to the "logs" table in the PostgreSQL database each time an @@ -611,21 +629,17 @@ Clusters: # Time to cache manifests, permission checks, and sessions. TTL: 300s - # Time to cache collection state. - UUIDTTL: 5s - # Block cache entries. Each block consumes up to 64 MiB RAM. MaxBlockEntries: 20 - # Collection cache entries. - MaxCollectionEntries: 1000 - - # Approximate memory limit (in bytes) for collection cache. + # Approximate memory limit (in bytes) for session cache. + # + # Note this applies to the in-memory representation of + # projects and collections -- metadata, block locators, + # filenames, etc. -- excluding cached file content, which is + # limited by MaxBlockEntries. MaxCollectionBytes: 100000000 - # UUID cache entries. - MaxUUIDEntries: 1000 - # Persistent sessions. MaxSessions: 100 @@ -789,6 +803,12 @@ Clusters: # Skip TLS certificate name verification. InsecureTLS: false + # Mininum TLS version to negotiate when connecting to server + # (ldaps://... or StartTLS). It may be necessary to set this + # to "1.1" for compatibility with older LDAP servers. If + # blank, use the recommended minimum version (1.2). + MinTLSVersion: "" + # Strip the @domain part if a user supplies an email-style # username with this domain. If "*", strip any user-provided # domain. If "", never strip the domain part. Example: @@ -870,16 +890,28 @@ Clusters: # by going through login again. IssueTrustedTokens: true - # When the token is returned to a client, the token itself may - # be restricted from viewing/creating other tokens based on whether - # the client is "trusted" or not. The local Workbench1 and - # Workbench2 are trusted by default, but if this is a - # LoginCluster, you probably want to include the other Workbench - # instances in the federation in this list. + # Origins (scheme://host[:port]) of clients trusted to receive + # new tokens via login process. The ExternalURLs of the local + # Workbench1 and Workbench2 are trusted implicitly and do not + # need to be listed here. If this is a LoginCluster, you + # probably want to include the other Workbench instances in the + # federation in this list. + # + # Example: + # + # TrustedClients: + # "https://workbench.other-cluster.example": {} + # "https://workbench2.other-cluster.example": {} TrustedClients: - SAMPLE: - "https://workbench.federate1.example": {} - "https://workbench.federate2.example": {} + SAMPLE: {} + + # Treat any origin whose host part is "localhost" or a private + # IP address (e.g., http://10.0.0.123:3000/) as if it were + # listed in TrustedClients. + # + # Intended only for test/development use. Not appropriate for + # production use. + TrustPrivateNetworks: false Git: # Path to git or gitolite-shell executable. Each authenticated @@ -900,10 +932,31 @@ Clusters: Repositories: /var/lib/arvados/git/repositories TLS: + # Use "file:///var/lib/acme/live/example.com/cert" and + # ".../privkey" to load externally managed certificates. Certificate: "" Key: "" + + # Accept invalid certificates when connecting to servers. Never + # use this in production. Insecure: false + ACME: + # Obtain certificates automatically for ExternalURL domains + # using an ACME server and http-01 validation. + # + # To use Let's Encrypt, specify "LE". To use the Let's + # Encrypt staging environment, specify "LE-staging". To use a + # different ACME server, specify the full directory URL + # ("https://..."). + # + # Note: this feature is not yet implemented in released + # versions, only in the alpha/prerelease arvados-server-easy + # package. + # + # Implies agreement with the server's terms of service. + Server: "" + Containers: # List of supported Docker Registry image formats that compute nodes # are able to use. `arv keep docker` will error out if a user tries @@ -924,8 +977,15 @@ Clusters: # troubleshooting purposes. LogReuseDecisions: false - # Default value for keep_cache_ram of a container's runtime_constraints. - DefaultKeepCacheRAM: 268435456 + # Default value for keep_cache_ram of a container's + # runtime_constraints. Note: this gets added to the RAM request + # used to allocate a VM or submit an HPC job. + # + # If this is zero, container requests that don't specify RAM or + # disk cache size will use a disk cache, sized to the + # container's RAM requirement (but with minimum 2 GiB and + # maximum 32 GiB). + DefaultKeepCacheRAM: 0 # Number of times a container can be unlocked before being # automatically cancelled. @@ -987,7 +1047,7 @@ Clusters: # Extra RAM to reserve on the node, in addition to # the amount specified in the container's RuntimeConstraints - ReserveExtraRAM: 256MiB + ReserveExtraRAM: 550MiB # Minimum time between two attempts to run the same container MinRetryPeriod: 0s @@ -1042,12 +1102,16 @@ Clusters: LocalKeepLogsToContainerLog: none Logging: - # When you run the db:delete_old_container_logs task, it will find - # containers that have been finished for at least this many seconds, + # Periodically (see SweepInterval) Arvados will check for + # containers that have been finished for at least this long, # and delete their stdout, stderr, arv-mount, crunch-run, and # crunchstat logs from the logs table. MaxAge: 720h + # How often to delete cached log entries for finished + # containers (see MaxAge). + SweepInterval: 12h + # These two settings control how frequently log events are flushed to the # database. Log lines are buffered until either crunch_log_bytes_per_event # has been reached or crunch_log_seconds_between_events has elapsed since @@ -1466,7 +1530,7 @@ Clusters: RaceWindow: 24h PrefixLength: 0 # Use aws-s3-go (v2) instead of goamz - UseAWSS3v2Driver: false + UseAWSS3v2Driver: true # For S3 driver, potentially unsafe tuning parameter, # intentionally excluded from main documentation. @@ -1687,6 +1751,10 @@ Clusters: # This feature is disabled when set to zero. IdleTimeout: 0s + # URL to a file that is a fragment of text or HTML which should + # be rendered in Workbench as a banner. + BannerURL: "" + # Workbench welcome screen, this is HTML text that will be # incorporated directly onto the page. WelcomePageHTML: |