X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/b9fd7e3f374248a61159e4750a84e38d1c48d5dd..bee95c1cdbc3859f47a0a95940680ebaa2a4c9a5:/doc/admin/upgrading.html.textile.liquid?ds=sidebyside diff --git a/doc/admin/upgrading.html.textile.liquid b/doc/admin/upgrading.html.textile.liquid index 23d7120438..061b68fa5d 100644 --- a/doc/admin/upgrading.html.textile.liquid +++ b/doc/admin/upgrading.html.textile.liquid @@ -10,14 +10,14 @@ Copyright (C) The Arvados Authors. All rights reserved. SPDX-License-Identifier: CC-BY-SA-3.0 {% endcomment %} -What you need to know and do in order to upgrade your Arvados installation. +For Arvados administrators, this page will cover what you need to know and do in order to ensure a smooth upgrade of your Arvados installation. For general release notes covering features added and bugs fixed, see "Arvados releases":https://arvados.org/releases . h2. General process # Consult upgrade notes below to see if any manual configuration updates are necessary. # Wait for the cluster to be idle and stop Arvados services. # Install new packages using @apt-get upgrade@ or @yum upgrade@. -# Package installation scripts will perform any necessary data migrations. +# Wait for package installation scripts as they perform any necessary data migrations. # Restart Arvados services. h2. Upgrade notes @@ -34,11 +34,58 @@ TODO: extract this information based on git commit messages and generate changel
-h2(#master). development master (as of 2020-02-07) +h2(#master). development master (as of 2020-06-17) "Upgrading from 2.0.0":#v2_0_0 -None in current development master. +h3. Removing libpam-arvados, replaced with libpam-arvados-go + +The Python-based PAM package has been replaced with a version written in Go. See "using PAM for authentication":{{site.baseurl}}/install/setup-login.html#pam for details. + +h3. Removing sso-provider + +The SSO (single sign-on) component is deprecated and will not be supported in future releases. Existing configurations will continue to work in this release, but you should switch to one of the built-in authentication mechanisms as soon as possible. See "setting up web based login":{{site.baseurl}}/install/setup-login.html for details. + +After migrating your configuration, uninstall the @arvados-sso-provider@ package. + +h3. S3 signatures + +Keepstore now uses "V4 signatures":https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html by default for S3 requests. If you are using Amazon S3, no action is needed; all regions support V4 signatures. If you are using a different S3-compatible service that does not support V4 signatures, add @V2Signature: true@ to your volume driver parameters to preserve the old behavior. See "configuring S3 object storage":{{site.baseurl}}/install/configure-s3-object-storage.html. + +h3. New permission system constraints + +Some constraints on the permission system have been added, in particular @role@ and @project@ group types now have distinct behavior. These constraints were already de-facto imposed by the Workbench UI, so on most installations the only effect of this migration will be to reassign @role@ groups to the system user and create a @can_manage@ permission link for the previous owner. + +# The @group_class@ field must be either @role@ or @project@. Invalid group_class are migrated to @role@. +# A @role@ cannot own things. Anything owned by a role is migrated to a @can_manage@ link and reassigned to the system user. +# Only @role@ and @user@ can have outgoing permission links. Permission links originating from projects are deleted by the migration. +# A @role@ is always owned by the system_user. When a group is created, it creates a @can_manage@ link for the object that would have been assigned to @owner_uuid@. Migration adds @can_manage@ links and reassigns roles to the system user. This also has the effect of requiring that all @role@ groups have unique names on the system. If there is a name collision during migration, roles will be renamed to ensure they are unique. +# A permission link can have the permission level (@name@) updated but not @head_uuid@, @tail_uuid@ or @link_class@. + +The @arvados-sync-groups@ tool has been updated to reflect these constraints, so it is important to use the version of @arvados-sync-groups@ that matches the API server version. + +Before upgrading, use the following commands to find out which groups and permissions in your database will be automatically modified or deleted during the upgrade. + +To determine which groups have invalid @group_class@ (these will be migrated to @role@ groups): + +
+arv group list --filters '[["group_class", "not in", ["project", "role"]]]'
+
+ +To list all @role@ groups, which will be reassigned to the system user (unless @owner_uuid@ is already the system user): + +
+arv group list --filters '[["group_class", "=", "role"]]'
+
+ +To list which @project@ groups have outgoing permission links (such links are now invalid and will be deleted by the migration): + +
+for uuid in $(arv link list --filters '[["link_class", "=", "permission"], ["tail_uuid", "like", "%-j7d0g-%"]]' |
+              jq -r .items[].tail_uuid | sort | uniq) ; do
+   arv group list --filters '[["group_class", "=", "project"], ["uuid", "=", "'$uuid'"]]' | jq .items
+done
+
h2(#v2_0_0). v2.0.0 (2020-02-07) @@ -136,7 +183,7 @@ h3. New property vocabulary format for Workbench2 h3. Cloud installations only: node manager replaced by arvados-dispatch-cloud -Node manager is deprecated and replaced by @arvados-dispatch-cloud@. No automated config migration is available. Follow the instructions to "install the cloud dispatcher":../install/install-dispatch-cloud.html +Node manager is deprecated and replaced by @arvados-dispatch-cloud@. No automated config migration is available. Follow the instructions to "install the cloud dispatcher":../install/crunch2-cloud/install-dispatch-cloud.html *Only one dispatch process should be running at a time.* If you are migrating a system that currently runs Node manager and @crunch-dispatch-slurm@, it is safest to remove the @crunch-dispatch-slurm@ service entirely before installing @arvados-dispatch-cloud@. @@ -526,7 +573,7 @@ As part of story "#11349":https://dev.arvados.org/issues/11349, commit "2c094e2" * To enable it, add to your configuration file: 
[Manage]
   address = 127.0.0.1
-  port = 8989
(see example configuration files in source:services/nodemanager/doc or https://doc.arvados.org/install/install-nodemanager.html for more info) + port = 8989 * The server responds to @http://{address}:{port}/status.json@ with a summary of how many nodes are in each state (booting, busy, shutdown, etc.) h3. New websockets component (2017-03-23)