X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/465cb9225cce74600349239a295b1360ce2b0fa6..cf5d136d81bd22ce5340243643a4734f3cf20856:/doc/install/install-api-server.html.textile.liquid diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid index 0503609166..c234bca927 100644 --- a/doc/install/install-api-server.html.textile.liquid +++ b/doc/install/install-api-server.html.textile.liquid @@ -3,6 +3,11 @@ layout: default navsection: installguide title: Install the API server ... +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} h2. Install prerequisites @@ -12,183 +17,203 @@ h3(#install_ruby_and_bundler). Install Ruby and Bundler {% include 'install_ruby_and_bundler' %} -h3(#install_postgres). Install PostgreSQL - -{% include 'install_postgres' %} - -h3(#build_tools_apiserver). Build tools - -On older distributions, you may need to use a backports repository to satisfy these requirements. For example, on older Red Hat-based systems, consider using the "postgresql92":https://www.softwarecollections.org/en/scls/rhscl/postgresql92/ and "nginx16":https://www.softwarecollections.org/en/scls/rhscl/nginx16/ Software Collections. +h2(#install_apiserver). Install API server and dependencies On a Debian-based system, install the following packages: -
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git nginx arvados-api-server
+
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server
 

 
 
 On a Red Hat-based system, install the following packages:
 
 
-
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel nginx git arvados-api-server
+
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server
 

 
 
-h2. Set up the database
-
-Generate a new database password. Nobody ever needs to memorize it or type it, so we'll make a strong one:
-
-
-
~$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
-

-
-Create a new database user.
+{% include 'install_git' %}
 
-
-
~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
-

+h2(#configure_application). Configure the API server
 
-{% include 'notebox_begin' %}
+Edit @/etc/arvados/config.yml@ to set the keys below.  Only the most important configuration options are listed here.  The example configuration fragments given below should be merged into a single configuration structure.  Correct indentation is important.  The full set of configuration options are listed in "config.yml":{{site.baseurl}}/admin/config.html
 
-This user setup assumes that your PostgreSQL is configured to accept password authentication.  Red Hat systems use ident-based authentication by default.  You may need to either adapt the user creation, or reconfigure PostgreSQL (in @pg_hba.conf@) to accept password authentication.
-
-{% include 'notebox_end' %}
+h3(#uuid_prefix). ClusterID
 
-Create the database:
+The @ClusterID@ is used for all database identifiers to identify the record as originating from this site.  It is the first key under @Clusters@ in @config.yml@.  It must be exactly 5 lowercase ASCII letters and digits.  All configuration items go under the cluster id key (replace @zzzzz@ with your cluster id in the examples below).
 
 
-
~$ sudo -u postgres createdb arvados_production -T template0 -E UTF8 -O arvados
-

+
Clusters:
+  zzzzz:
+    ...

 
 
-h2. Set up configuration files
+h3(#configure). PostgreSQL.Connection
 
-The API server package uses configuration files that you write to @/etc/arvados/api@ and ensures they're consistently deployed.  Create this directory and copy the example configuration files to it:
+Replace the @xxxxxxxx@ database password placeholder with the "password you generated during database setup":install-postgresql.html#api.
 
 
-
~$ sudo mkdir -p /etc/arvados/api
-~$ sudo chmod 700 /etc/arvados/api
-~$ cd /var/www/arvados-api/current
-/var/www/arvados-api/current$ sudo cp config/database.yml.sample /etc/arvados/api/database.yml
-/var/www/arvados-api/current$ sudo cp config/application.yml.example /etc/arvados/api/application.yml
-

+
Clusters:
+  zzzzz:
+    PostgreSQL:
+      Connection:
+        host: localhost
+        user: arvados
+        password: xxxxxxxx
+        dbname: arvados_production
+      

 
 
-h2. Configure the database connection
+h3. API.RailsSessionSecretToken
 
-Edit @/etc/arvados/api/database.yml@ and replace the @xxxxxxxx@ database password placeholders with the PostgreSQL password you generated above.
+The @API.RailsSessionSecretToken@ is used for for signing cookies.  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @config.yml@:
 
-h2. Configure the API server
-
-Edit @/etc/arvados/api/application.yml@ following the instructions below.  The deployment script will consistently deploy this to the API server's configuration directory.  The API server reads both @application.yml@ and its own @config/application.default.yml@ file.  Values in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml@.  The @config/application.yml.example@ file is not read by the API server and is provided for installation convenience only.
+
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+

 
-Always put your local configuration in @application.yml@ instead of editing @application.default.yml@.
+Example @config.yml@:
 
-h3(#uuid_prefix). uuid_prefix
+
+
Clusters:
+  zzzzz:
+    API:
+      RailsSessionSecretToken: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

+
 
-Define your @uuid_prefix@ in @application.yml@ by setting the @uuid_prefix@ field in the section for your environment.  This prefix is used for all database identifiers to identify the record as originating from this site.  It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits).
+h3(#blob_signing_key). Collections.BlobSigningKey
 
-h3(#git_repositories_dir). git_repositories_dir
+The @Collections.BlobSigningKey@ is used to enforce access control to Keep blocks.  This same key must be provided to the Keepstore daemons when "installing Keepstore servers.":install-keepstore.html  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @config.yml@:
 
-This field defaults to @/var/lib/arvados/git@. You can override the value by defining it in @application.yml@.
+
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+

 
-Make sure a clone of the arvados repository exists in @git_repositories_dir@.
+Example @config.yml@:
 
 
-
~$ sudo mkdir -p /var/lib/arvados/git
-~$ sudo git clone --bare git://git.curoverse.com/arvados.git /var/lib/arvados/git/arvados.git
-

+
Clusters:
+  zzzzz:
+    Collections:
+      BlobSigningKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

+
 
-h3. secret_token
+h3(#omniauth). Login.ProviderAppID, Login.ProviderAppSecret, Services.SSO.ExternalURL
 
-Generate a new secret token for signing cookies:
+The following settings enable the API server to communicate with the "Single Sign On (SSO) server":install-sso.html to authenticate user log in.
 
-
-
~$ ruby -e 'puts rand(2**400).to_s(36)'
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-

+Set @Services.SSO.ExternalURL@ to the base URL where your SSO server is installed.  This should be a URL consisting of the scheme and host (and optionally, port), without a trailing slash.
 
-Then put that value in the @secret_token@ field.
+Set @Login.ProviderAppID@ and @Login.ProviderAppSecret@ to the corresponding values for @app_id@ and @app_secret@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
 
-h3. blob_signing_key
+Example @config.yml@:
 
-If you want access control on your "Keepstore":install-keepstore.html server(s), you should set @blob_signing_key@ to the same value as the permission key you provide to your Keepstore daemon(s).
+
+
Clusters:
+  zzzzz:
+    Services:
+      SSO:
+        ExternalURL: https://sso.example.com
+    Login:
+      ProviderAppID: arvados-server
+      ProviderAppSecret: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww

+
 
-h3. workbench_address
+h3. Services.Workbench1.ExternalURL
 
-Fill in the url of your workbench application in @workbench_address@, for example
+Set @Services.Workbench1.ExternalURL@ to the URL of your workbench application after following "Install Workbench.":install-workbench-app.html
 
-  https://workbench.@uuid_prefix@.your.domain
+Example @config.yml@:
 
-h3(#omniauth). sso_app_id, sso_app_secret, sso_provider_url
+
+
Clusters:
+  zzzzz:
+    Services:
+      Workbench1:
+        ExternalURL: https://workbench.zzzzz.example.com

+
 
-For @sso_app_id@ and @sso_app_secret@, provide the same @app_id@ and @app_secret@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
+h3. Services.Websocket.ExternalURL
 
-For @sso_provider_url@, provide the base URL where your SSO server is installed: just the scheme and host, with no trailing slash.
+Set @Services.Websocket.ExternalURL@ to the @wss://@ URL of the API server websocket endpoint after following "Install the websocket server":install-ws.html .
+
+Example @config.yml@:
 
 
-
  sso_app_id: arvados-server
-  sso_app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-  sso_provider_url: https://sso.example.com
-

+
Clusters:
+  zzzzz:
+    Services:
+      Websocket:
+        ExternalURL: wss://ws.zzzzz.example.com

 
 
-h3. Other options
+h3(#git_repositories_dir). Git.Repositories
 
-Consult @/var/www/arvados-api/current/config/application.default.yml@ for a full list of configuration options. (But don't edit it. Edit @application.yml@ instead.)
+The @Git.Repositories@ setting specifies the directory where user git repositories will be stored.
 
-h2. Prepare the API server deployment
+The git server setup process is covered on "its own page":install-arv-git-httpd.html. For now, create an empty directory in the default location:
 
-Now that all your configuration is in place, run @/usr/local/bin/arvados-api-server-upgrade.sh@.  This will install and check your configuration, install necessary gems, and run any necessary database setup.
+
+
~$ sudo mkdir -p /var/lib/arvados/git/repositories
+

+
+If you intend to store your git repositories in a different location, specify that location in @config.yml@.  Example:
 
-{% include 'notebox_begin' %}
-You can safely ignore the following error message you may see when loading the database structure:
 
-
ERROR:  must be owner of extension plpgsql

-{% include 'notebox_end' %}
+
Clusters:
+  zzzzz:
+    Git:
+      Repositories: /var/lib/arvados/git/repositories

+
 
-This command aborts when it encounters an error.  It's safe to rerun multiple times, so if there's a problem with your configuration, you can fix that and try again.
+h3(#enable_legacy_jobs_api). Containers.JobsAPI.Enable
 
-h2. Set up Web servers
+Enable the legacy "Jobs API":install-crunch-dispatch.html .  Note: new installations should use the "Containers API":crunch2-slurm/install-prerequisites.html
 
-For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend for the main API server and a Puma backend for API server Websockets.  To do that:
+Disabling the jobs API means methods involving @jobs@, @job_tasks@, @pipeline_templates@ and @pipeline_instances@ are disabled.  This functionality is superceded by the containers API which consists of @container_requests@, @containers@ and @workflows@.  Arvados clients (such as @arvados-cwl-runner@) detect which APIs are available and adjust behavior accordingly.  Note the configuration value must be a quoted string.
+
+* 'auto' -- (default) enable the Jobs API only if it has been used before (i.e., there are job records in the database), otherwise disable jobs API .
+* 'true' -- enable the Jobs API even if there are no existing job records.
+* 'false' -- disable the Jobs API even in the presence of existing job records.
 
 
-
    
-
  1. Install Nginx via your distribution or a backports repository.
    2. 
+
    Clusters:
+  zzzzz:
+    Containers:
+      JobsAPI:
+        Enable: 'auto'
    
+
 
-
  2. Install Phusion Passenger for Nginx.
    3. 
+h4(#git_internal_dir). Containers.JobsAPI.GitInternalDir
 
-
  3. Puma is already included with the API server's gems.  We recommend you use a tool like runit or something similar.  Here's a sample run script for that:
    
+Only required if the legacy "Jobs API" is enabled, otherwise you should skip this.
 
-
    #!/bin/bash
+The @Containers.JobsAPI.GitInternalDir@ setting specifies the location of Arvados' internal git repository.  By default this is @/var/lib/arvados/internal.git@.  This repository stores git commits that have been used to run Crunch jobs.  It should _not_ be a subdirectory of the directory in @Git.Repositories@.
 
-set -e
-exec 2>&1
+Example @config.yml@:
 
-# Uncomment the line below if you're using RVM.
-#source /etc/profile.d/rvm.sh
+
+
    Clusters:
+  zzzzz:
+    Containers:
+      JobsAPI:
+        GitInternalDir: /var/lib/arvados/internal.git
    
+    
 
-envdir="`pwd`/env"
-mkdir -p "$envdir"
-echo ws-only > "$envdir/ARVADOS_WEBSOCKETS"
+h2(#set_up). Set up Nginx and Passenger
 
-cd /var/www/arvados-api/current
-echo "Starting puma in `pwd`"
+The Nginx server will serve API requests using Passenger. It will also be used to proxy SSL requests to other services which are covered later in this guide.
 
-# You may need to change arguments below to match your deployment, especially -u.
-exec chpst -m 1073741824 -u www-data:www-data -e "$envdir" \
-  bundle exec puma -t 0:512 -e production -b tcp://127.0.0.1:8100
-
    
-
    4. 
+First, "Install Nginx and Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html.
 
-
  4. Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for both it and Puma.  You might add a block like the following, adding SSL and logging parameters to taste:
    
+Edit the http section of your Nginx configuration to run the Passenger server. Add a block like the following, adding SSL and logging parameters to taste:
 
-
    server {
+
+
    
+server {
   listen 127.0.0.1:8000;
   server_name localhost-api;
 
@@ -198,62 +223,55 @@ exec chpst -m 1073741824 -u www-data:www-data -e "$envdir" \
   passenger_enabled on;
   # If you're using RVM, uncomment the line below.
   #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+  # This value effectively limits the size of API objects users can
+  # create, especially collections.  If you change this, you should
+  # also ensure the following settings match it:
+  # * `client_max_body_size` in the server section below
+  # * `client_max_body_size` in the Workbench Nginx configuration (twice)
+  # * `API.MaxRequestSize` in config.yml
+  client_max_body_size 128m;
 }
 
 upstream api {
   server     127.0.0.1:8000  fail_timeout=10s;
 }
 
-upstream websockets {
-  # The address below must match the one specified in puma's -b option.
-  server     127.0.0.1:8100  fail_timeout=10s;
-}
-
 proxy_http_version 1.1;
 
-server {
-  listen       [your public IP address]:443 ssl;
-  server_name  uuid_prefix.your.domain;
-
-  ssl on;
-
-  index  index.html index.htm index.php;
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1.  Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+  default        1;
+  10.20.30.0/24  0;
+}
+
    
+    
 
-  location / {
-    proxy_pass            http://api;
-    proxy_redirect        off;
+Restart Nginx to apply the new configuration.
 
-    proxy_set_header      X-Forwarded-Proto https;
-    proxy_set_header      Host $http_host;
-    proxy_set_header      X-External-Client $external_client;
-    proxy_set_header      X-Real-IP $remote_addr;
-    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-  }
-}
+
+
    ~$ sudo nginx -s reload
+
    
+    
 
-server {
-  listen       [your public IP address]:443 ssl;
-  server_name  ws.uuid_prefix.your.domain;
+h2. Prepare the API server deployment
 
-  ssl on;
+{% assign railspkg = "arvados-api-server" %}
+{% include 'install_rails_reconfigure' %}
 
-  index  index.html index.htm index.php;
+{% include 'notebox_begin' %}
+You can safely ignore the following messages if they appear while this command runs:
 
-  location / {
-    proxy_pass            http://websockets;
-    proxy_redirect        off;
+
    Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will
+break this application for all non-root users on this machine.
    
 
-    proxy_set_header      Upgrade $http_upgrade;
-    proxy_set_header      Connection "upgrade";
-    proxy_set_header      Host $host;
-    proxy_set_header      X-Real-IP $remote_addr;
-    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-  }
-}
-
    
-
    5. 
+
    fatal: Not a git repository (or any of the parent directories): .git
    
+{% include 'notebox_end' %}
 
-
  5. Restart Nginx.
    6. 
+h2. Troubleshooting
 
-

-
+Once you have the API Server up and running you may need to check it back if dealing with client related issues. Please read our "admin troubleshooting notes":{{site.baseurl}}/admin/troubleshooting.html on how requests can be tracked down between services.
\ No newline at end of file