X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/c232747bc0896ada224d0453de58d24a6f14cf9b..refs/heads/20755-ec2-multiple-subnets:/lib/config/config.default.yml
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 0fb4a2babd..8260224ab7 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -225,7 +225,7 @@ Clusters:
 # Maximum number of concurrent requests to process concurrently
 # in a single service process, or 0 for no limit.
- MaxConcurrentRequests: 64
+ MaxConcurrentRequests: 4
 # Maximum number of incoming requests to hold in a priority
 # queue waiting for one of the MaxConcurrentRequests slots to be
@@ -234,7 +234,7 @@ Clusters:
 #
 # If MaxQueuedRequests is 0, respond 503 immediately to
 # additional requests while at the MaxConcurrentRequests limit.
- MaxQueuedRequests: 64
+ MaxQueuedRequests: 128
 # Maximum time a "lock container" request is allowed to wait in
 # the incoming request queue before returning 503.
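Review bot: The comments around the new defaults `MaxConcurrentRequests: 4` and, in the next hunk, `MaxQueuedRequests: 128` do not explain how the two settings interact under load. With only four slots, a handful of slow requests can hold every slot while up to 128 others wait, and the visible text gives a wait limit only for "lock container" requests. I would add a line such as `# Requests beyond this limit wait in the MaxQueuedRequests queue; size both values together.` above the setting, and drop the duplicated wording in "concurrent requests to process concurrently". The MaxQueuedRequests comment block starts above the second hunk, so a general queue timeout may already be described there.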
@@ -412,6 +412,48 @@ Clusters:
 # Use 0 to disable activity logging.
 ActivityLoggingPeriod: 24h
+ # The SyncUser* options control what system resources are managed by
+ # arvados-login-sync on shell nodes. They correspond to:
+ # * SyncUserAccounts: The user's Unix account on the shell node
+ # * SyncUserGroups: The group memberships of that account
+ # * SyncUserSSHKeys: Whether to authorize the user's Arvados SSH keys
+ # * SyncUserAPITokens: Whether to set up the user's Arvados API token
+ # All default to true.
+ SyncUserAccounts: true
+ SyncUserGroups: true
+ SyncUserSSHKeys: true
+ SyncUserAPITokens: true
+
+ # If SyncUserGroups=true, then arvados-login-sync will ensure that all
+ # managed accounts are members of the Unix groups listed in
+ # SyncRequiredGroups, in addition to any groups listed in their Arvados
+ # login permission. The default list includes the "fuse" group so
+ # users can use arv-mount. You can require no groups by specifying an
+ # empty list (i.e., `SyncRequiredGroups: []`).
+ SyncRequiredGroups:
+ - fuse
+
+ # SyncIgnoredGroups is a list of group names. arvados-login-sync will
+ # never modify these groups. If user login permissions list any groups
+ # in SyncIgnoredGroups, they will be ignored. If a user's Unix account
+ # belongs to any of these groups, arvados-login-sync will not remove
+ # the account from that group. The default is a set of particularly
+ # security-sensitive groups across Debian- and Red Hat-based
+ # distributions.
+ SyncIgnoredGroups:
+ - adm
+ - disk
+ - kmem
+ - mem
+ - root
+ - shadow
+ - staff
+ - sudo
+ - sys
+ - utempter
+ - utmp
+ - wheel
+
 AuditLogs:
 # Time to keep audit logs, in seconds. (An audit log is a row added
 # to the "logs" table in the PostgreSQL database each time an
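Review bot: The `SyncIgnoredGroups` comment does not say whether a site-supplied list replaces or extends the default, and that matters because this list is what keeps login-permission data from granting membership in `sudo`, `wheel`, `shadow` and similar groups. If an override replaces the default (likely for a YAML list, but not shown here), an admin who sets a short custom list silently drops every one of those protections; I would add `# Setting this replaces the default list; keep these entries unless you intend arvados-login-sync to manage them.` The default also omits groups that are commonly root-equivalent where installed, such as `docker` and `lxd`. The comments do not say which setting wins when a group appears in both `SyncRequiredGroups` and `SyncIgnoredGroups`.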
@@ -1032,7 +1074,7 @@ Clusters:
 # Number of times a container can be unlocked before being
 # automatically cancelled.
- MaxDispatchAttempts: 5
+ MaxDispatchAttempts: 10
 # Default value for container_count_max for container requests. This is the
 # number of times Arvados will create a new container to satisfy a container
@@ -1371,10 +1413,30 @@ Clusters:
 # down.
 MaxInstances: 64
- # Maximum fraction of CloudVMs.MaxInstances allowed to run
- # "supervisor" containers at any given time. A supervisor is a
- # container whose purpose is mainly to submit and manage other
- # containers, such as arvados-cwl-runner workflow runner.
+ # The minimum number of instances expected to be runnable
+ # without reaching a provider-imposed quota.
+ #
+ # This is used as the initial value for the dispatcher's
+ # dynamic instance limit, which increases (up to MaxInstances)
+ # as containers start up successfully and decreases in
+ # response to high API load and cloud quota errors.
+ #
+ # Setting this too high creates a risk that the dispatcher
+ # will cause deadlock by starting so many supervisor
+ # containers (based on SupervisorFraction and MaxInstances)
+ # that the cloud quota prevents them from running any child
+ # containers.
+ #
+ # Setting this too low causes the dispatcher to be
+ # unnecessarily slow to start up new instances after a
+ # restart.
+ InitialQuotaEstimate: 16
+
+ # Maximum fraction of available instance capacity allowed to
+ # run "supervisor" containers at any given time. A supervisor
+ # is a container whose purpose is mainly to submit and manage
+ # other containers, such as arvados-cwl-runner workflow
+ # runner.
 #
 # If there is a hard limit on the amount of concurrent
 # containers that the cluster can run, it is important to
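Review bot: The `InitialQuotaEstimate` comment in the second hunk does not state what happens when the value is 0 or larger than `MaxInstances`, although it says the dynamic limit only grows "up to MaxInstances". A line such as `# Values above MaxInstances are capped at MaxInstances.` (adjusted to whatever the dispatcher actually does) would close that gap. The reworded supervisor text now says "available instance capacity" without tying it to the dynamic instance limit described just above; naming that limit explicitly would make the deadlock warning easier to follow. The supervisor comment block continues past the end of the hunk.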
@@ -1469,10 +1531,23 @@ Clusters:
 SecretAccessKey: ""
 # (ec2) Instance configuration.
+
+ # (ec2) Region, like "us-east-1".
+ Region: ""
+
+ # (ec2) Security group IDs. Omit or use {} to use the
+ # default security group.
 SecurityGroupIDs:
 "SAMPLE": {}
+
+ # (ec2) One or more subnet IDs. Omit or leave empty to let
+ # AWS choose a default subnet from your default VPC. If
+ # multiple subnets are configured here (enclosed in brackets
+ # like [subnet-abc123, subnet-def456]) the cloud dispatcher
+ # will detect subnet-related errors and retry using a
+ # different subnet. Most sites specify one subnet.
 SubnetID: ""
- Region: ""
+
 EBSVolumeType: gp2
 AdminUsername: debian
 # (ec2) name of the IAMInstanceProfile for instances started by
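Review bot: `SubnetID: ""` is documented as accepting either a single ID or a bracketed list, but the key name stays singular and the default is a string, so the comment should show both accepted forms, e.g. `# SubnetID: subnet-abc123` and `# SubnetID: [subnet-abc123, subnet-def456]`. The fallbacks described here (an empty `SubnetID` lets AWS pick a subnet in the default VPC, an empty `SecurityGroupIDs` uses the default security group) place compute instances on whatever network exposure the account defaults allow. A one-line comment recommending explicit values for production clusters would help. The comment also leaves open which subnet-related errors trigger a retry and whether subnets are tried in the listed order.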