X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/675794872a5d064cf0a8177d662555c04b0dae51..689f463bbd231fba8e32b6d46a963d0dacf0e509:/doc/install/install-api-server.html.textile.liquid diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid index 0d721fcb09..695584fa24 100644 --- a/doc/install/install-api-server.html.textile.liquid +++ b/doc/install/install-api-server.html.textile.liquid @@ -4,161 +4,345 @@ navsection: installguide title: Install the API server ... -h2. Prerequisites: +h2. Install prerequisites -# A GNU/Linux (virtual) machine -# A domain name for your api server +The Arvados package repository includes an API server package that can help automate much of the deployment. -h2(#dependencies). Install dependencies +h3(#install_ruby_and_bundler). Install Ruby and Bundler - -
~$ sudo apt-get install libcurl3 libcurl3-gnutls libcurl4-openssl-dev \
-    libxslt1.1 zlib1g-dev gettext bison libssl-dev libreadline-dev \
-    libpq-dev sqlite3 libsqlite3-dev build-essential wget postgresql sudo
-
 +{% include 'install_ruby_and_bundler' %} + +h3(#install_postgres). Install PostgreSQL + +{% include 'install_postgres' %} -h2(#ruby). Install Ruby and bundler +h2(#install_apiserver). Install API server and dependencies -We recommend Ruby >= 2.1. +On a Debian-based system, install the following packages: -
mkdir -p ~/src
-cd ~/src
-wget http://cache.ruby-lang.org/pub/ruby/2.1/ruby-2.1.1.tar.gz
-tar xzf ruby-2.1.1.tar.gz
-cd ruby-2.1.1
-./configure
-make
-sudo make install
+
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server
+

+
+
+On a Red Hat-based system, install the following packages:
+
+
+
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server
+

+
+
+{% include 'install_git' %}
 
-sudo gem install bundler
+h2. Set up the database
+
+Generate a new database password. Nobody ever needs to memorize it or type it, so we'll make a strong one:
+
+
+
~$ ruby -e 'puts rand(2**128).to_s(36)'
+6gqa1vu492idd7yca9tfandj3
 

 
-h2. Download the source tree
+Create a new database user.
 
 
-
~$ cd $HOME # (or wherever you want to install)
-~$ git clone https://github.com/curoverse/arvados.git
+
~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados
+[sudo] password for you: yourpassword
+Enter password for new role: paste-password-you-generated
+Enter it again: paste-password-again
 

 
-See also: "Downloading the source code":https://arvados.org/projects/arvados/wiki/Download on the Arvados wiki.
+{% include 'notebox_begin' %}
+
+This user setup assumes that your PostgreSQL is configured to accept password authentication.  Red Hat systems use ident-based authentication by default.  You may need to either adapt the user creation, or reconfigure PostgreSQL (in @pg_hba.conf@) to accept password authentication.
+
+{% include 'notebox_end' %}
 
-h2. Install gem dependencies
+Create the database:
 
 
-
~$ cd arvados/services/api
-~/arvados/services/api$ bundle install
-

+
~$ sudo -u postgres createdb arvados_production -T template0 -E UTF8 -O arvados
+

+
 
-h2. Configure the API server
+h2. Set up configuration files
 
-Edit the main configuration:
+The API server package uses configuration files that you write to @/etc/arvados/api@ and ensures they're consistently deployed.  Create this directory and copy the example configuration files to it:
 
 
-
~/arvados/services/api$ cp -i config/application.yml.example config/application.yml
-

+
~$ sudo mkdir -p /etc/arvados/api
+~$ sudo chmod 700 /etc/arvados/api
+~$ cd /var/www/arvados-api/current
+/var/www/arvados-api/current$ sudo cp config/database.yml.example /etc/arvados/api/database.yml
+/var/www/arvados-api/current$ sudo cp config/application.yml.example /etc/arvados/api/application.yml
+

+
+
+h2. Configure the database connection
+
+Edit @/etc/arvados/api/database.yml@ and replace the @xxxxxxxx@ database password placeholders with the PostgreSQL password you generated above.
+
+h2(#configure_application). Configure the API server
+
+Edit @/etc/arvados/api/application.yml@ to configure the settings described in the following sections.  The deployment script will consistently deploy this to the API server's configuration directory.  The API server reads both @application.yml@ and its own @config/application.default.yml@ file.  The settings in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml@.  The @config/application.yml.example@ file is not read by the API server and is provided as a starting template only.
+
+@config/application.default.yml@ documents additional configuration settings not listed here.  You can "view the current source version":https://dev.arvados.org/projects/arvados/repository/revisions/master/entry/services/api/config/application.default.yml for reference.
 
-Choose a unique 5-character alphanumeric string to use as your @uuid_prefix@. An example is given that generates a 5-character string based on a hash of your hostname. The @uuid_prefix@ is a unique identifier for your API server. It also serves as the first part of the hostname for your API server.
+Only put local configuration in @application.yml@.  Do not edit @application.default.yml@.
 
-For a development site, use your own domain instead of arvadosapi.com.
+h3(#uuid_prefix). uuid_prefix
 
-Make sure a clone of the arvados repository exists in @git_repositories_dir@:
+Define your @uuid_prefix@ in @application.yml@ by setting the @uuid_prefix@ field in the section for your environment.  This prefix is used for all database identifiers to identify the record as originating from this site.  It must be exactly 5 lowercase ASCII letters and digits.
+
+Example @application.yml@:
 
 
-
~/arvados/services/api$ sudo mkdir -p /var/cache/git
-~/arvados/services/api$ sudo git clone --bare ../../.git /var/cache/git/arvados.git
-

+
  uuid_prefix: zzzzz

+
 
-Generate a new secret token for signing cookies:
+h3. secret_token
+
+The @secret_token@ is used for for signing cookies.  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @application.yml@:
 
 
-
~/arvados/services/api$ rake secret
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
 

 
-Put it in @config/application.yml@ in the production or common section:
+Example @application.yml@:
 
 
-
    secret_token: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-

+
  secret_token: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

 
 
-Consult @application.default.yml@ for a full list of configuration options. Always put your local configuration in @application.yml@ instead of editing @application.default.yml@.
+h3(#blob_signing_key). blob_signing_key
 
-Generate a new database password. Nobody ever needs to memorize it or type it, so we'll make a strong one:
+The @blob_signing_key@ is used to enforce access control to Keep blocks.  This same key must be provided to the Keepstore daemons when "installing Keepstore servers.":install-keepstore.html  IMPORTANT: This is a site secret. It should be at least 50 characters.  Generate a random value and set it in @application.yml@:
 
 
-
~/arvados/services/api$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 

 
-Create a new database user with permission to create its own databases.
+Example @application.yml@:
 
 
-
~/arvados/services/api$ sudo -u postgres createuser --createdb --encrypted --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
-Shall the new role be a superuser? (y/n) n
-Shall the new role be allowed to create more new roles? (y/n) n
-

+
  blob_signing_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

+
+
+h3(#omniauth). sso_app_secret, sso_app_id, sso_provider_url
+
+The following settings enable the API server to communicate with the "Single Sign On (SSO) server":install-sso.html to authenticate user log in.
+
+Set @sso_provider_url@ to the base URL where your SSO server is installed.  This should be a URL consisting of the scheme and host (and optionally, port), without a trailing slash.
+
+Set @sso_app_secret@ and @sso_app_id@ to the corresponding values for @app_secret@ and @app_id@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
 
-Configure API server to connect to your database by creating and updating @config/database.yml@. Replace the @xxxxxxxx@ database password placeholders with the new password you generated above.
+Example @application.yml@:
 
 
-
~/arvados/services/api$ cp -i config/database.yml.sample config/database.yml
-~/arvados/services/api$ edit config/database.yml
-

+
  sso_app_id: arvados-server
+  sso_app_secret: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
+  sso_provider_url: https://sso.example.com
+

+
+
+h3. workbench_address
+
+Set @workbench_address@ to the URL of your workbench application after following "Install Workbench.":install-workbench-app.html
 
-Create and initialize the database.
+Example @application.yml@:
 
 
-
~/arvados/services/api$ RAILS_ENV=development bundle exec rake db:setup
-

+
  workbench_address: https://workbench.zzzzz.example.com

+
+
+h3. websocket_address
 
-Set up omniauth:
+Set @websocket_address@ to the @wss://@ URL of the API server websocket endpoint after following "Set up Web servers":#set_up.  The path of the default endpoint is @/websocket@.
+
+Example @application.yml@:
 
 
-
~/arvados/services/api$ cp -i config/initializers/omniauth.rb.example config/initializers/omniauth.rb
-

+
  websocket_address: wss://ws.zzzzz.example.com/websocket

+
+
+h3(#git_repositories_dir). git_repositories_dir
 
-Edit @config/initializers/omniauth.rb@. Set @APP_SECRET@ to the value of @app_secret@ from "installing the single sign on server":install-sso.html .
+The @git_repositories_dir@ setting specifies the directory where user git repositories will be stored.
 
-You can now run the development server:
+The git server setup process is covered on "its own page":install-arv-git-httpd.html. For now, create an empty directory in the default location:
 
 
-
~/arvados/services/api$ bundle exec rails server --port=3030
+
~$ sudo mkdir -p /var/lib/arvados/git/repositories
 

 
-h3. Apache/Passenger (optional)
-
-You can use "Passenger":https://www.phusionpassenger.com/ for deployment. Point it to the services/api directory in the source tree.
+If you intend to store your git repositories in a different location, specify that location in @application.yml@.
 
-To enable streaming so users can monitor crunch jobs in real time, add to your Passenger configuration in Apache:
+Default setting in @application.default.yml@:
 
 
-
PassengerBufferResponse off
+
  git_repositories_dir: /var/lib/arvados/git/repositories
 

 
 
-h2(#admin-user). Add an admin user
+h3(#git_internal_dir). git_internal_dir
 
-Point your browser to the API server's login endpoint:
+The @git_internal_dir@ setting specifies the location of Arvados' internal git repository.  By default this is @/var/lib/arvados/internal.git@.  This repository stores git commits that have been used to run Crunch jobs.  It should _not_ be a subdirectory of @git_repositories_dir@.
+
+Example @application.yml@:
 
 
-
https://localhost:3030/login
+
  git_internal_dir: /var/lib/arvados/internal.git
 

 
 
-Log in with your google account.
+h2(#set_up). Set up Web servers
 
-Use the rails console to give yourself admin privileges:
+For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend for the main API server and a Puma backend for API server Websockets.  To do that:
 
 
-
~/arvados/services/api$ bundle exec rails console
-irb(main):001:0> Thread.current[:user] = User.all.select(&:identity_url).last
-irb(main):002:0> Thread.current[:user].is_admin = true
-irb(main):003:0> Thread.current[:user].update_attributes is_admin: true, is_active: true
-irb(main):004:0> User.where(is_admin: true).collect &:email
-=> ["root", "your_address@example.com"]
-

+
    
+
  1. Install Nginx and Phusion Passenger.
    2. 
+
+
  2. Puma is already included with the API server's gems.  We recommend you run it as a service under runit or a similar tool.  Here's a sample runit script for that:
    
+
+
    #!/bin/bash
+
+set -e
+exec 2>&1
+
+# Uncomment the line below if you're using RVM.
+#source /etc/profile.d/rvm.sh
+
+envdir="`pwd`/env"
+mkdir -p "$envdir"
+echo ws-only > "$envdir/ARVADOS_WEBSOCKETS"
+
+cd /var/www/arvados-api/current
+echo "Starting puma in `pwd`"
+
+# Change arguments below to match your deployment, "webserver-user" and
+# "webserver-group" should be changed to the user and group of the web server
+# process.  This is typically "www-data:www-data" on Debian systems by default,
+# other systems may use different defaults such the name of the web server
+# software (for example, "nginx:nginx").
+exec chpst -m 1073741824 -u webserver-user:webserver-group -e "$envdir" \
+  bundle exec puma -t 0:512 -e production -b tcp://127.0.0.1:8100
+
    
+
    3. 
+
+
  3. Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for both it and Puma.  You might add a block like the following, adding SSL and logging parameters to taste:
    
+
+
    server {
+  listen 127.0.0.1:8000;
+  server_name localhost-api;
+
+  root /var/www/arvados-api/current/public;
+  index  index.html index.htm index.php;
+
+  passenger_enabled on;
+  # If you're using RVM, uncomment the line below.
+  #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+}
+
+upstream api {
+  server     127.0.0.1:8000  fail_timeout=10s;
+}
+
+upstream websockets {
+  # The address below must match the one specified in puma's -b option.
+  server     127.0.0.1:8100  fail_timeout=10s;
+}
+
+proxy_http_version 1.1;
+
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1.  Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+  default        1;
+  10.20.30.0/24  0;
+}
+
+server {
+  listen       [your public IP address]:443 ssl;
+  server_name  uuid_prefix.your.domain;
+
+  ssl on;
+  ssl_certificate     /YOUR/PATH/TO/cert.pem;
+  ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+  index  index.html index.htm index.php;
+
+  # This value effectively limits the size of API objects users can create,
+  # especially collections.  If you change this, you should also set
+  # `max_request_size` in the API server's application.yml file to the same
+  # value.
+  client_max_body_size 128m;
+
+  location / {
+    proxy_pass            http://api;
+    proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
+
+    proxy_set_header      X-Forwarded-Proto https;
+    proxy_set_header      Host $http_host;
+    proxy_set_header      X-External-Client $external_client;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}
+
+server {
+  listen       [your public IP address]:443 ssl;
+  server_name  ws.uuid_prefix.your.domain;
+
+  ssl on;
+  ssl_certificate     /YOUR/PATH/TO/cert.pem;
+  ssl_certificate_key /YOUR/PATH/TO/cert.key;
+
+  index  index.html index.htm index.php;
+
+  location / {
+    proxy_pass            http://websockets;
+    proxy_redirect        off;
+    proxy_connect_timeout 90s;
+    proxy_read_timeout    300s;
+
+    proxy_set_header      Upgrade $http_upgrade;
+    proxy_set_header      Connection "upgrade";
+    proxy_set_header      Host $host;
+    proxy_set_header      X-Real-IP $remote_addr;
+    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+  }
+}
+
    
+
    4. 
+
+
  4. Restart Nginx:
    
+
+
    ~$ sudo nginx -s reload
+
    
+
+
    5. 
+
+

+
+
+h2. Prepare the API server deployment
+
+Now that all your configuration is in place, run @/usr/local/bin/arvados-api-server-upgrade.sh@.  This will install and check your configuration, install necessary gems, and run any necessary database setup.
+
+{% include 'notebox_begin' %}
+You can safely ignore the following messages if they appear while this script runs:
+
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will
+break this application for all non-root users on this machine.

+
fatal: Not a git repository (or any of the parent directories): .git

+{% include 'notebox_end' %}
+
+This command aborts when it encounters an error.  It's safe to rerun multiple times, so if there's a problem with your configuration, you can fix that and try again.
+