X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/3a4b7ec9daecbff438c83380c6beccaf88d9e47c..5fcca42249b8b35f50beb9ed4c51d090d76c1767:/doc/install/install-api-server.html.textile.liquid?ds=sidebyside
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 695584fa24..e64c382669 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -1,290 +1,160 @@
---
layout: default
navsection: installguide
-title: Install the API server
+title: Install API server and Controller
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
-h2. Install prerequisites
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
-The Arvados package repository includes an API server package that can help automate much of the deployment.
+# "Introduction":#introduction
+# "Install dependencies":#dependencies
+# "Set up database":#database-setup
+# "Update config.yml":#update-config
+# "Update nginx configuration":#update-nginx
+# "Install arvados-api-server and arvados-controller":#install-packages
+# "Confirm working installation":#confirm-working
-h3(#install_ruby_and_bundler). Install Ruby and Bundler
+h2(#introduction). Introduction
-{% include 'install_ruby_and_bundler' %}
+The Arvados core API server consists of four services: PostgreSQL, Arvados Rails API, Arvados Controller, and Nginx.
-h3(#install_postgres). Install PostgreSQL
+Here is a simplified diagram showing the relationship between the core services. Client requests arrive at the public-facing Nginx reverse proxy. The request is forwarded to Arvados controller. The controller is able handle some requests itself, the rest are forwarded to the Arvados Rails API. The Rails API server implements the majority of business logic, communicating with the PostgreSQL database to fetch data and make transactional updates. All services are stateless, except the PostgreSQL database. This guide assumes all of these services will be installed on the same node, but it is possible to install these services across multiple nodes.
-{% include 'install_postgres' %}
+!(full-width){{site.baseurl}}/images/proxy-chain.svg!
-h2(#install_apiserver). Install API server and dependencies
+h2(#dependencies). Install dependencies
-On a Debian-based system, install the following packages:
+# "Install PostgreSQL":install-postgresql.html
+# "Install Ruby and Bundler":ruby.html
+# "Install nginx":nginx.html
+# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html
- Puma is already included with the API server's gems. We recommend you run it as a service under runit or a similar tool. Here's a sample runit script for that: Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for both it and Puma. You might add a block like the following, adding SSL and logging parameters to taste:
-~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server
-
-~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server
-
~$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
-
~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
-
-~$ sudo -u postgres createdb arvados_production -T template0 -E UTF8 -O arvados
-
~$ sudo mkdir -p /etc/arvados/api
-~$ sudo chmod 700 /etc/arvados/api
-~$ cd /var/www/arvados-api/current
-/var/www/arvados-api/current$ sudo cp config/database.yml.example /etc/arvados/api/database.yml
-/var/www/arvados-api/current$ sudo cp config/application.yml.example /etc/arvados/api/application.yml
+
SystemRootToken: "$system_root_token"
+ ManagementToken: "$management_token"
+ API:
+ RailsSessionSecretToken: "$rails_secret_token"
+ Collections:
+ BlobSigningKey: "blob_signing_key"
- uuid_prefix: zzzzz
~$ ruby -e 'puts rand(2**400).to_s(36)'
-yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-
- secret_token: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
~$ ruby -e 'puts rand(2**400).to_s(36)'
-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-
- blob_signing_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sso_app_id: arvados-server
- sso_app_secret: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
- sso_provider_url: https://sso.example.com
+
~$ tr -dc 0-9a-zA-Z </dev/urandom | head -c50; echo
- workbench_address: https://workbench.zzzzz.example.com
- websocket_address: wss://ws.zzzzz.example.com/websocket
~$ sudo mkdir -p /var/lib/arvados/git/repositories
-
git_repositories_dir: /var/lib/arvados/git/repositories
+
PostgreSQL:
+ Connection:
+ host: localhost
+ user: arvados
+ password: $postgres_password
+ dbname: arvados_production
git_internal_dir: /var/lib/arvados/internal.git
+
Services:
+ Controller:
+ ExternalURL: "https://ClusterID.example.com"
+ InternalURLs:
+ "http://localhost:8003": {}
+ RailsAPI:
+ # Does not have an ExternalURL
+ InternalURLs:
+ "http://localhost:8004": {}
-
-#!/bin/bash
-
-set -e
-exec 2>&1
-
-# Uncomment the line below if you're using RVM.
-#source /etc/profile.d/rvm.sh
+Replace @ClusterID.example.com@ with the hostname that you previously selected for the API server.
-envdir="`pwd`/env"
-mkdir -p "$envdir"
-echo ws-only > "$envdir/ARVADOS_WEBSOCKETS"
+The @Services@ section of the configuration helps Arvados components contact one another (service discovery). Each service has one or more @InternalURLs@ and an @ExternalURL@. The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it. The @ExternalURL@ is how external clients contact the service.
-cd /var/www/arvados-api/current
-echo "Starting puma in `pwd`"
+h2(#update-nginx). Update nginx configuration
-# Change arguments below to match your deployment, "webserver-user" and
-# "webserver-group" should be changed to the user and group of the web server
-# process. This is typically "www-data:www-data" on Debian systems by default,
-# other systems may use different defaults such the name of the web server
-# software (for example, "nginx:nginx").
-exec chpst -m 1073741824 -u webserver-user:webserver-group -e "$envdir" \
- bundle exec puma -t 0:512 -e production -b tcp://127.0.0.1:8100
-
server {
- listen 127.0.0.1:8000;
- server_name localhost-api;
-
- root /var/www/arvados-api/current/public;
- index index.html index.htm index.php;
-
- passenger_enabled on;
- # If you're using RVM, uncomment the line below.
- #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
-}
-
-upstream api {
- server 127.0.0.1:8000 fail_timeout=10s;
-}
+Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ with the following configuration. Options that need attention are marked in red.
-upstream websockets {
- # The address below must match the one specified in puma's -b option.
- server 127.0.0.1:8100 fail_timeout=10s;
-}
+
-proxy_http_version 1.1;
-proxy_http_version 1.1;
+# When Keep clients request a list of Keep services from the API
+# server, use the origin IP address to determine if the request came
+# from the internal subnet or it is an external client. This sets the
+# $external_client variable which in turn is used to set the
+# X-External-Client header.
+#
+# The API server uses this header to choose whether to respond to a
+# "available keep services" request with either a list of internal keep
+# servers (0) or with the keepproxy (1).
+#
+# Following the example here, update the 10.20.30.0/24 netmask
+# to match your private subnet.
+# Update 1.2.3.4 and add lines as necessary with the public IP
+# address of all servers that can also access the private network to
+# ensure they are not considered 'external'.
-# When Keep clients request a list of Keep services from the API server, the
-# server will automatically return the list of available proxies if
-# the request headers include X-External-Client: 1. Following the example
-# here, at the end of this section, add a line for each netmask that has
-# direct access to Keep storage daemons to set this header value to 0.
geo $external_client {
default 1;
+ 127.0.0.0/24 0;
10.20.30.0/24 0;
+ 1.2.3.4/32 0;
+}
+
+# This is the port where nginx expects to contact arvados-controller.
+upstream controller {
+ server localhost:8003 fail_timeout=10s;
}
server {
- listen [your public IP address]:443 ssl;
- server_name uuid_prefix.your.domain;
+ # This configures the public https port that clients will actually connect to,
+ # the request is reverse proxied to the upstream 'controller'
+
+ listen *:443 ssl;
+ server_name xxxxx.example.com;
ssl on;
ssl_certificate /YOUR/PATH/TO/cert.pem;
ssl_certificate_key /YOUR/PATH/TO/cert.key;
- index index.html index.htm index.php;
-
- # This value effectively limits the size of API objects users can create,
- # especially collections. If you change this, you should also set
- # `max_request_size` in the API server's application.yml file to the same
- # value.
+ # Refer to the comment about this setting in the passenger (arvados
+ # api server) section of your Nginx configuration.
client_max_body_size 128m;
location / {
- proxy_pass http://api;
+ proxy_pass http://controller;
proxy_redirect off;
proxy_connect_timeout 90s;
proxy_read_timeout 300s;
@@ -298,51 +168,61 @@ server {
}
server {
- listen [your public IP address]:443 ssl;
- server_name ws.uuid_prefix.your.domain;
+ # This configures the Arvados API server. It is written using Ruby
+ # on Rails and uses the Passenger application server.
- ssl on;
- ssl_certificate /YOUR/PATH/TO/cert.pem;
- ssl_certificate_key /YOUR/PATH/TO/cert.key;
+ listen localhost:8004;
+ server_name localhost-api;
+ root /var/www/arvados-api/current/public;
index index.html index.htm index.php;
- location / {
- proxy_pass http://websockets;
- proxy_redirect off;
- proxy_connect_timeout 90s;
- proxy_read_timeout 300s;
+ passenger_enabled on;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection "upgrade";
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
+ # If you are using RVM, uncomment the line below.
+ # If you're using system ruby, leave it commented out.
+ #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # This value effectively limits the size of API objects users can
+ # create, especially collections. If you change this, you should
+ # also ensure the following settings match it:
+ # * `client_max_body_size` in the previous server section
+ # * `API.MaxRequestSize` in config.yml
+ client_max_body_size 128m;
}
Restart Nginx:
+{% assign arvados_component = 'arvados-api-server arvados-controller' %} -~$ sudo nginx -s reload
-
+{% include 'install_packages' %}
-$ curl https://ClusterID.example.com/arvados/v1/config
+
$ curl https://ClusterID.example.com/discovery/v1/apis/arvados/v1/rest
+
+$ curl -H "Authorization: Bearer $system_root_token" https://ClusterID.example.com/arvados/v1/users/current
+
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will -break this application for all non-root users on this machine.-
fatal: Not a git repository (or any of the parent directories): .git-{% include 'notebox_end' %} +If you are getting TLS errors, make sure the @ssl_certificate@ directive in your nginx configuration has the "full certificate chain":http://nginx.org/en/docs/http/configuring_https_servers.html#chains -This command aborts when it encounters an error. It's safe to rerun multiple times, so if there's a problem with your configuration, you can fix that and try again. +Logs can be found in @/var/www/arvados-api/current/log/production.log@ and using @journalctl -u arvados-controller@. +See also the admin page on "Logging":{{site.baseurl}}/admin/logging.html .