X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/51dc4f3f6d1faa0dfa79ae4d282f584fbe797299..3f0914ec893c01440778b01620776745da2546de:/doc/install/install-api-server.html.textile.liquid
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 3846e3c9aa..e64c382669 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -1,161 +1,228 @@
---
layout: default
navsection: installguide
-title: Install the API server
+title: Install API server and Controller
...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
-h2. Install prerequisites
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
-The Arvados package repository includes an API server package that can help automate much of the deployment.
+# "Introduction":#introduction
+# "Install dependencies":#dependencies
+# "Set up database":#database-setup
+# "Update config.yml":#update-config
+# "Update nginx configuration":#update-nginx
+# "Install arvados-api-server and arvados-controller":#install-packages
+# "Confirm working installation":#confirm-working
-h3(#install_ruby_and_bundler). Install Ruby and Bundler
+h2(#introduction). Introduction
-{% include 'install_ruby_and_bundler' %}
+The Arvados core API server consists of four services: PostgreSQL, Arvados Rails API, Arvados Controller, and Nginx.
-h3(#install_postgres). Install Postgres
+Here is a simplified diagram showing the relationship between the core services. Client requests arrive at the public-facing Nginx reverse proxy. The request is forwarded to Arvados controller. The controller is able handle some requests itself, the rest are forwarded to the Arvados Rails API. The Rails API server implements the majority of business logic, communicating with the PostgreSQL database to fetch data and make transactional updates. All services are stateless, except the PostgreSQL database. This guide assumes all of these services will be installed on the same node, but it is possible to install these services across multiple nodes.
-{% include 'install_postgres' %}
+!(full-width){{site.baseurl}}/images/proxy-chain.svg!
-h3(#build_tools_apiserver). Build tools
+h2(#dependencies). Install dependencies
-* Build tools and the curl and PostgreSQL development libraries, to build gem dependencies
-* Nginx
+# "Install PostgreSQL":install-postgresql.html
+# "Install Ruby and Bundler":ruby.html
+# "Install nginx":nginx.html
+# "Install Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html
-On older distributions, you may need to use a backports repository to satisfy these requirements. For example, on older Red Hat-based systems, consider using the "postgresql92":https://www.softwarecollections.org/en/scls/rhscl/postgresql92/ and "nginx16":https://www.softwarecollections.org/en/scls/rhscl/nginx16/ Software Collections.
+h2(#database-setup). Set up database
-On a Debian-based system, install the following packages:
+{% assign service_role = "arvados" %}
+{% assign service_database = "arvados_production" %}
+{% assign use_contrib = true %}
+{% include 'install_postgres_database' %}
-
-~$ sudo apt-get install bison build-essential libpq-dev libcurl4-openssl-dev postgresql git nginx arvados-api-server
-
-
+h2(#update-config). Update config.yml
-On a Red Hat-based system, install the following packages:
+Starting from an "empty config.yml file,":config.html#empty add the following configuration keys.
+
+h3. Tokens
-~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel postgresql-server postgresql-devel nginx git arvados-api-server
+ SystemRootToken: "$system_root_token"
+ ManagementToken: "$management_token"
+ API:
+ RailsSessionSecretToken: "$rails_secret_token"
+ Collections:
+ BlobSigningKey: "blob_signing_key"
-h2. Set up the database
-
-Generate a new database password. Nobody ever needs to memorize it or type it, so we'll make a strong one:
+@SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
-
-~$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
-
-
-Create a new database user.
+@ManagementToken@ is used to authenticate access to system metrics.
-
-~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
-
+@API.RailsSessionSecretToken@ is required by the API server.
-{% include 'notebox_begin' %}
+@Collections.BlobSigningKey@ is used to control access to Keep blocks.
-This user setup assumes that your PostgreSQL is configured to accept password authentication. Red Hat systems use ident-based authentication by default. You may need to either adapt the user creation, or reconfigure PostgreSQL (in @pg_hba.conf@) to accept password authentication.
-
-{% include 'notebox_end' %}
-
-Create the database:
+You can generate a random token for each of these items at the command line like this:
-~$ sudo -u postgres createdb arvados_production -T template0 -E UTF8 -O arvados
+~$ tr -dc 0-9a-zA-Z </dev/urandom | head -c50; echo
-h2. Set up configuration files
-
-The API server package uses configuration files that you write to @/etc/arvados/api@ and ensures they're consistently deployed. Create this directory and copy the example configuration files to it:
+h3. PostgreSQL.Connection
-~$ sudo mkdir -p /etc/arvados/api
-~$ sudo chmod 700 /etc/arvados/api
-~$ cd /var/www/arvados-api/current
-/var/www/arvados-api/current$ sudo cp config/database.yml.sample /etc/arvados/api/database.yml
-/var/www/arvados-api/current$ sudo cp config/application.yml.example /etc/arvados/api/application.yml
+ PostgreSQL:
+ Connection:
+ host: localhost
+ user: arvados
+ password: $postgres_password
+ dbname: arvados_production
-h2. Configure the database connection
-
-Edit @/etc/arvados/api/database.yml@ and replace the @xxxxxxxx@ database password placeholders with the PostgreSQL password you generated above.
-
-h2. Configure the API server
-
-Edit @/etc/arvados/api/application.yml@ following the instructions below. The deployment script will consistently deploy this to the API server's configuration directory. The API server reads both @application.yml@ and its own @config/application.default.yml@ file. Values in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml@. The @config/application.yml.example@ file is not read by the API server and is provided for installation convenience only.
-
-Always put your local configuration in @application.yml@ instead of editing @application.default.yml@.
-
-h3(#uuid_prefix). uuid_prefix
-
-Define your @uuid_prefix@ in @application.yml@ by setting the @uuid_prefix@ field in the section for your environment. This prefix is used for all database identifiers to identify the record as originating from this site. It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits).
+Replace the @$postgres_password@ placeholder with the password you generated during "database setup":#database-setup .
-h3(#git_repositories_dir). git_repositories_dir
-
-This field defaults to @/var/lib/arvados/git@. You can override the value by defining it in @application.yml@.
-
-Make sure a clone of the arvados repository exists in @git_repositories_dir@.
+h3. Services
-~$ sudo mkdir -p /var/lib/arvados/git
-~$ sudo git clone --bare git://git.curoverse.com/arvados.git /var/lib/arvados/git/arvados.git
-
-
-h3. secret_token
+ Services:
+ Controller:
+ ExternalURL: "https://ClusterID.example.com"
+ InternalURLs:
+ "http://localhost:8003": {}
+ RailsAPI:
+ # Does not have an ExternalURL
+ InternalURLs:
+ "http://localhost:8004": {}
+
+
-Generate a new secret token for signing cookies:
+Replace @ClusterID.example.com@ with the hostname that you previously selected for the API server.
-
-~$ ruby -e 'puts rand(2**400).to_s(36)'
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
+The @Services@ section of the configuration helps Arvados components contact one another (service discovery). Each service has one or more @InternalURLs@ and an @ExternalURL@. The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it. The @ExternalURL@ is how external clients contact the service.
-Then put that value in the @secret_token@ field.
+h2(#update-nginx). Update nginx configuration
-h3. blob_signing_key
+Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ with the following configuration. Options that need attention are marked in red.
-If you want access control on your "Keepstore":install-keepstore.html server(s), you should set @blob_signing_key@ to the same value as the permission key you provide to your Keepstore daemon(s).
+
+proxy_http_version 1.1;
+
+# When Keep clients request a list of Keep services from the API
+# server, use the origin IP address to determine if the request came
+# from the internal subnet or it is an external client. This sets the
+# $external_client variable which in turn is used to set the
+# X-External-Client header.
+#
+# The API server uses this header to choose whether to respond to a
+# "available keep services" request with either a list of internal keep
+# servers (0) or with the keepproxy (1).
+#
+# Following the example here, update the 10.20.30.0/24 netmask
+# to match your private subnet.
+# Update 1.2.3.4 and add lines as necessary with the public IP
+# address of all servers that can also access the private network to
+# ensure they are not considered 'external'.
+
+geo $external_client {
+ default 1;
+ 127.0.0.0/24 0;
+ 10.20.30.0/24 0;
+ 1.2.3.4/32 0;
+}
+
+# This is the port where nginx expects to contact arvados-controller.
+upstream controller {
+ server localhost:8003 fail_timeout=10s;
+}
+
+server {
+ # This configures the public https port that clients will actually connect to,
+ # the request is reverse proxied to the upstream 'controller'
+
+ listen *:443 ssl;
+ server_name xxxxx.example.com;
+
+ ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+ # Refer to the comment about this setting in the passenger (arvados
+ # api server) section of your Nginx configuration.
+ client_max_body_size 128m;
+
+ location / {
+ proxy_pass http://controller;
+ proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header Host $http_host;
+ proxy_set_header X-External-Client $external_client;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
+
+server {
+ # This configures the Arvados API server. It is written using Ruby
+ # on Rails and uses the Passenger application server.
+
+ listen localhost:8004;
+ server_name localhost-api;
+
+ root /var/www/arvados-api/current/public;
+ index index.html index.htm index.php;
+
+ passenger_enabled on;
+
+ # If you are using RVM, uncomment the line below.
+ # If you're using system ruby, leave it commented out.
+ #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # This value effectively limits the size of API objects users can
+ # create, especially collections. If you change this, you should
+ # also ensure the following settings match it:
+ # * `client_max_body_size` in the previous server section
+ # * `API.MaxRequestSize` in config.yml
+ client_max_body_size 128m;
+}
+
+
-h3. workbench_address
+{% assign arvados_component = 'arvados-api-server arvados-controller' %}
-Fill in the url of your workbench application in @workbench_address@, for example
+{% include 'install_packages' %}
- https://workbench.@uuid_prefix@.your.domain
+{% assign arvados_component = 'arvados-controller' %}
-h3(#omniauth). sso_app_id, sso_app_secret, sso_provider_url
+{% include 'start_service' %}
-For @sso_app_id@ and @sso_app_secret@, provide the same @app_id@ and @app_secret@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
+h2(#confirm-working). Confirm working installation
-For @sso_provider_url@, provide the base URL where your SSO server is installed: just the scheme and host, with no trailing slash.
+Confirm working controller:
-
- sso_app_id: arvados-server
- sso_app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- sso_provider_url: https://sso.example.com
-
-
+$ curl https://ClusterID.example.com/arvados/v1/config
+
-h3. Other options
+Confirm working Rails API server:
-Consult @/var/www/arvados-api/current/config/application.default.yml@ for a full list of configuration options. (But don't edit it. Edit @application.yml@ instead.)
+$ curl https://ClusterID.example.com/discovery/v1/apis/arvados/v1/rest
+
-h2. Prepare the API server deployment
+Confirm that you can use the system root token to act as the system root user:
-Now that all your configuration is in place, run @/usr/local/bin/arvados-api-server-upgrade.sh@. This will install and check your configuration, install necessary gems, and run any necessary database setup.
+
+$ curl -H "Authorization: Bearer $system_root_token" https://ClusterID.example.com/arvados/v1/users/current
+
-{% include 'notebox_begin' %}
-You can safely ignore the following error message you may see when loading the database structure:
-
-ERROR: must be owner of extension plpgsql
-{% include 'notebox_end' %}
+h3. Troubleshooting
-This command aborts when it encounters an error. It's safe to rerun multiple times, so if there's a problem with your configuration, you can fix that and try again.
+If you are getting TLS errors, make sure the @ssl_certificate@ directive in your nginx configuration has the "full certificate chain":http://nginx.org/en/docs/http/configuring_https_servers.html#chains
-h2. Set up Web servers
+Logs can be found in @/var/www/arvados-api/current/log/production.log@ and using @journalctl -u arvados-controller@.
-{% include 'install_nginx_apiserver' %}
+See also the admin page on "Logging":{{site.baseurl}}/admin/logging.html .