X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/308a6da1a9fd716f3957b116110a932c08aefafe..3f7bde601546dc898975fbe7d56957794985fe43:/doc/install/install-api-server.html.textile.liquid diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid index 6440a54e4d..7201460dde 100644 --- a/doc/install/install-api-server.html.textile.liquid +++ b/doc/install/install-api-server.html.textile.liquid @@ -3,191 +3,252 @@ layout: default navsection: installguide title: Install the API server ... +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. -This installation guide assumes you are on a 64 bit Debian or Ubuntu system. +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} h2. Install prerequisites - -
~$ sudo apt-get install \
-    bison build-essential gettext libcurl3 libcurl3-gnutls \
-    libcurl4-openssl-dev libpcre3-dev libpq-dev libreadline-dev \
-    libssl-dev libxslt1.1 postgresql sudo wget zlib1g-dev
-
 +The Arvados package repository includes an API server package that can help automate much of the deployment. -Also make sure you have "Ruby and bundler":install-manual-prerequisites-ruby.html installed. +h3(#install_ruby_and_bundler). Install Ruby and Bundler -h2. Download the source tree +{% include 'install_ruby_and_bundler' %} - -
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/arvados.git
-
 +h2(#install_apiserver). Install API server and dependencies -See also: "Downloading the source code":https://arvados.org/projects/arvados/wiki/Download on the Arvados wiki. +On a Debian-based system, install the following packages: -The API server is in @services/api@ in the source tree. + +
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server
+
+ -h2. Install gem dependencies +On a Red Hat-based system, install the following packages: -
~$ cd arvados/services/api
-~/arvados/services/api$ bundle install
-
 +
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server
+
+ -h2. Choose your environment +{% include 'install_git' %} -The API server can be run in @development@ or in @production@ mode. Unless this installation is going to be used for development on the Arvados API server itself, you should run it in @production@ mode. +h2(#configure). Set up the database -Copy the example environment file for your environment. For example, if you choose @production@: +Configure the API server to connect to your database by updating @/etc/arvados/api/database.yml@. Replace the @xxxxxxxx@ database password placeholder with the "password you generated during database setup":install-postgresql.html#api. Be sure to update the @production@ section. -
~/arvados/services/api$ cp -i config/environments/production.rb.example config/environments/production.rb
+
~$ editor /etc/arvados/api/database.yml
 

 
-h2. Configure the API server
-
-First, copy the example configuration file:
+h2(#configure_application). Configure the API server
 
-
-
~/arvados/services/api$ cp -i config/application.yml.example config/application.yml
-

+Edit @/etc/arvados/api/application.yml@ to configure the settings described in the following sections.  The API server reads both @application.yml@ and its own @config/application.default.yml@ file.  The settings in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml@.  The @config/application.yml.example@ file is not read by the API server and is provided as a starting template only.
 
-The API server reads the @config/application.yml@ file, as well as the @config/application.defaults.yml@ file. Values in @config/application.yml@ take precedence over the defaults that are defined in @config/application.defaults.yml@. The @config/application.yml.example@ file is not read by the API server and is provided for installation convenience, only.
+@config/application.default.yml@ documents additional configuration settings not listed here.  You can "view the current source version":https://dev.arvados.org/projects/arvados/repository/revisions/master/entry/services/api/config/application.default.yml for reference.
 
-Consult @config/application.default.yml@ for a full list of configuration options. Always put your local configuration in @config/application.yml@, never edit @config/application.default.yml@.
+Only put local configuration in @application.yml@.  Do not edit @application.default.yml@.
 
 h3(#uuid_prefix). uuid_prefix
 
-It is recommended to explicitly define your @uuid_prefix@ in @config/application.yml@, by setting the 'uuid_prefix' field in the section for your environment.
+Define your @uuid_prefix@ in @application.yml@ by setting the @uuid_prefix@ field in the section for your environment.  This prefix is used for all database identifiers to identify the record as originating from this site.  It must be exactly 5 lowercase ASCII letters and digits.
 
-h3(#git_repositories_dir). git_repositories_dir
+Example @application.yml@:
+
+
+
  uuid_prefix: zzzzz

+
 
-This field defaults to @/var/lib/arvados/git@. You can override the value by defining it in @config/application.yml@.
+h3. secret_token
 
-Make sure a clone of the arvados repository exists in @git_repositories_dir@.
+The @secret_token@ is used for for signing cookies.  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @application.yml@:
 
 
-
~/arvados/services/api$ sudo mkdir -p /var/lib/arvados/git
-~/arvados/services/api$ sudo git clone --bare ../../.git /var/lib/arvados/git/arvados.git
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
 

 
-h3. secret_token
+Example @application.yml@:
+
+
+
  secret_token: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

+
+
+h3(#blob_signing_key). blob_signing_key
 
-Generate a new secret token for signing cookies:
+The @blob_signing_key@ is used to enforce access control to Keep blocks.  This same key must be provided to the Keepstore daemons when "installing Keepstore servers.":install-keepstore.html  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @application.yml@:
 
 
-
~/arvados/services/api$ rake secret
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 

 
-Then put that value in the @secret_token@ field.
+Example @application.yml@:
+
+
+
  blob_signing_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

+
 
-h3. blob_signing_key
+h3(#omniauth). sso_app_secret, sso_app_id, sso_provider_url
 
-If you want access control on your "Keepstore":install-keepstore.html server(s), you should set @blob_signing_key@ to the same value as the permission key you provide to your Keepstore daemon(s).
+The following settings enable the API server to communicate with the "Single Sign On (SSO) server":install-sso.html to authenticate user log in.
 
-h3. workbench_address
+Set @sso_provider_url@ to the base URL where your SSO server is installed.  This should be a URL consisting of the scheme and host (and optionally, port), without a trailing slash.
 
-Fill in the url of your workbench application in in @workbench_address@, for example 
+Set @sso_app_secret@ and @sso_app_id@ to the corresponding values for @app_secret@ and @app_id@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
 
-  https://workbench.@prefix_uuid@.your.domain
+Example @application.yml@:
 
-h3. other options
+
+
  sso_app_id: arvados-server
+  sso_app_secret: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
+  sso_provider_url: https://sso.example.com
+

+
 
-Consult @application.default.yml@ for a full list of configuration options. Always put your local configuration in @application.yml@ instead of editing @application.default.yml@.
+h3. workbench_address
 
-h2. Set up the database
+Set @workbench_address@ to the URL of your workbench application after following "Install Workbench.":install-workbench-app.html
 
-Generate a new database password. Nobody ever needs to memorize it or type it, so we'll make a strong one:
+Example @application.yml@:
 
 
-
~/arvados/services/api$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
-

+
  workbench_address: https://workbench.zzzzz.example.com

+
 
-Create a new database user with permission to create its own databases.
+h3. websocket_address
 
-
-
~/arvados/services/api$ sudo -u postgres createuser --createdb --encrypted --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
-Shall the new role be a superuser? (y/n) n
-Shall the new role be allowed to create more new roles? (y/n) n
-

+Set @websocket_address@ to the @wss://@ URL of the API server websocket endpoint after following "Set up Web servers":#set_up.  The path of the default endpoint is @/websocket@.
 
-Configure API server to connect to your database by creating and updating @config/database.yml@. Replace the @xxxxxxxx@ database password placeholders with the new password you generated above.
+Example @application.yml@:
 
 
-
~/arvados/services/api$ cp -i config/database.yml.sample config/database.yml
-~/arvados/services/api$ edit config/database.yml
-

+
  websocket_address: wss://ws.zzzzz.example.com/websocket

+
 
-Create and initialize the database. If you are planning a production system, choose the @production@ rails environment, otherwise use @development@.
+h3(#git_repositories_dir). git_repositories_dir
 
-
-
~/arvados/services/api$ RAILS_ENV=production bundle exec rake db:setup
-

+The @git_repositories_dir@ setting specifies the directory where user git repositories will be stored.
 
-Alternatively, if the database user you intend to use for the API server is not allowed to create new databases, you can create the database first and then populate it with rake. Be sure to adjust the database name if you are using the @development@ environment. This sequence of commands is functionally equivalent to the rake db:setup command above.
+The git server setup process is covered on "its own page":install-arv-git-httpd.html. For now, create an empty directory in the default location:
 
 
-
~/arvados/services/api$ su postgres createdb arvados_production -E UTF8 -O arvados
-~/arvados/services/api$ RAILS_ENV=production bundle exec rake db:structure:load
-~/arvados/services/api$ RAILS_ENV=production bundle exec rake db:seed
+
~$ sudo mkdir -p /var/lib/arvados/git/repositories
 

 
-

-  
-  
Note!

-You can safely ignore the following error message you may see when loading the database structure:
+If you intend to store your git repositories in a different location, specify that location in @application.yml@.
+
+Default setting in @application.default.yml@:
+
 
-
ERROR:  must be owner of extension plpgsql

-

+
  git_repositories_dir: /var/lib/arvados/git/repositories
+

+
+
+h3(#git_internal_dir). git_internal_dir
 
-h2. Set up omniauth
+The @git_internal_dir@ setting specifies the location of Arvados' internal git repository.  By default this is @/var/lib/arvados/internal.git@.  This repository stores git commits that have been used to run Crunch jobs.  It should _not_ be a subdirectory of @git_repositories_dir@.
 
-First copy the omniauth configuration file:
+Example @application.yml@:
 
 
-
~/arvados/services/api$ cp -i config/initializers/omniauth.rb.example config/initializers/omniauth.rb
-

+
  git_internal_dir: /var/lib/arvados/internal.git
+

+
+
+h2(#set_up). Set up Nginx and Passenger
 
-Edit @config/initializers/omniauth.rb@, and tell your api server to use the Curoverse SSO server for authentication. Use the @APP_SECRET@ specified in the snippet below.
+The Nginx server will serve API requests using Passenger. It will also be used to proxy SSL requests to other services which are covered later in this guide.
+
+First, "Install Nginx and Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
+
+Edit the http section of your Nginx configuration to run the Passenger server, and serve SSL requests. Add a block like the following, adding SSL and logging parameters to taste:
 
 
-
APP_ID = 'local_docker_installation'
-APP_SECRET = 'yohbai4eecohshoo1Yoot7tea9zoca9Eiz3Tajahweo9eePaeshaegh9meiye2ph'
-CUSTOM_PROVIDER_URL = 'https://auth.curoverse.com'
-

-

+
server {
+  listen 127.0.0.1:8000;
+  server_name localhost-api;
 
-

-  
-  
Note!

-  
You can also run your own SSO server. However, the SSO server codebase currently uses OpenID 2.0 to talk to Google's authentication service. Google has deprecated that protocol. This means that new clients will not be allowed to talk to Google's authentication services anymore over OpenID 2.0, and they will phase out the use of OpenID 2.0 completely in the coming monts. We are working on upgrading the SSO server codebase to a newer protocol. That work should be complete by the end of November 2014. In the mean time, anyone is free to use the existing Curoverse SSO server for any local Arvados installation.

-

+  root /var/www/arvados-api/current/public;
+  index  index.html index.htm index.php;
 
-h2. Start the API server
+  passenger_enabled on;
+  # If you're using RVM, uncomment the line below.
+  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
 
-h3. Development environment
+  # This value effectively limits the size of API objects users can
+  # create, especially collections.  If you change this, you should
+  # also ensure the following settings match it:
+  # * `client_max_body_size` in the server section below
+  # * `client_max_body_size` in the Workbench Nginx configuration (twice)
+  # * `max_request_size` in the API server's application.yml file
+  client_max_body_size 128m;
+}
 
-If you plan to run in development mode, you can now run the development server this way:
+upstream api {
+  server     127.0.0.1:8000  fail_timeout=10s;
+}
 
-
-
~/arvados/services/api$ bundle exec rails server --port=3030
-

+proxy_http_version 1.1;
+
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1.  Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+  default        1;
+  10.20.30.0/24  0;
+}
+
+server {
+  listen       [your public IP address]:443 ssl;
+  server_name  uuid_prefix.your.domain;
+
+  ssl on;
+  ssl_certificate     /YOUR/PATH/TO/cert.pem;
+  ssl_certificate_key /YOUR/PATH/TO/cert.key;
 
-h3. Production environment
+  index  index.html index.htm index.php;
 
-We recommend "Passenger":https://www.phusionpassenger.com/ to run the API server in production. 
+  # Refer to the comment about this setting in the server section above.
+  client_max_body_size 128m;
 
-Point it to the services/api directory in the source tree.
+  location / {
+    proxy_pass            http://api;
+    proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
 
-To enable streaming so users can monitor crunch jobs in real time, make sure to add the following to your Passenger configuration:
+    proxy_set_header      X-Forwarded-Proto https;
+    proxy_set_header      Host $http_host;
+    proxy_set_header      X-External-Client $external_client;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}
+

+
+
+Restart Nginx to apply the new configuration.
 
 
-
PassengerBufferResponse off
+
~$ sudo nginx -s reload
 

 
+
+h2. Prepare the API server deployment
+
+{% assign railspkg = "arvados-api-server" %}
+{% include 'install_rails_reconfigure' %}
+
+{% include 'notebox_begin' %}
+You can safely ignore the following messages if they appear while this command runs:
+
+
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will
+break this application for all non-root users on this machine.

+
+
fatal: Not a git repository (or any of the parent directories): .git

+{% include 'notebox_end' %}