X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ccc9ae7a1f1e3acf1ec4f1f18006db2b74c4ea95..4d9a9766999dda4657bce039a1d56a5591201e95:/tools/salt-install/provision.sh diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index bb4a4c6eb5..a57164276e 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh @@ -23,7 +23,8 @@ usage() { echo >&2 "${0} options:" echo >&2 " -d, --debug Run salt installation in debug mode" echo >&2 " -c , --config Path to the local.params config file" - echo >&2 " -t, --test Test installation running a CWL workflow" + echo >&2 " -t, --test Test cluster by running \`arvados-client diagnostics\`" + echo >&2 " and a simple workflow" echo >&2 " -r, --roles List of Arvados roles to apply to the host, comma separated" echo >&2 " Possible values are:" echo >&2 " balancer" @@ -206,6 +207,7 @@ apply_var_substitutions() { s#__SSL_KEY_AWS_SECRET_NAME__#${SSL_KEY_AWS_SECRET_NAME}#g; s#__CONTROLLER_MAX_WORKERS__#${CONTROLLER_MAX_WORKERS:-}#g; s#__CONTROLLER_MAX_QUEUED_REQUESTS__#${CONTROLLER_MAX_QUEUED_REQUESTS:-128}#g; + s#__CONTROLLER_MAX_GATEWAY_TUNNELS__#${CONTROLLER_MAX_GATEWAY_TUNNELS:-1000}#g; s#__MONITORING_USERNAME__#${MONITORING_USERNAME}#g; s#__MONITORING_EMAIL__#${MONITORING_EMAIL}#g; s#__MONITORING_PASSWORD__#${MONITORING_PASSWORD}#g; 
@@ -283,17 +285,15 @@ VERSION="latest" # We pin the salt version to avoid potential incompatibilities when a new # stable version is released. -SALT_VERSION="3004" +SALT_VERSION="3007" # Other formula versions we depend on -#POSTGRES_TAG="v0.44.0" -#POSTGRES_URL="https://github.com/saltstack-formulas/postgres-formula.git" -POSTGRES_TAG="0.45.0-bugfix327" +POSTGRES_TAG="a809e03bad115bbdf24ad347e2dc9a52e144c31f" POSTGRES_URL="https://github.com/arvados/postgres-formula.git" NGINX_TAG="v2.8.1" DOCKER_TAG="v2.4.2" -LOCALE_TAG="v0.3.4" -LETSENCRYPT_TAG="v2.1.0" +LOCALE_TAG="v0.3.5" +LETSENCRYPT_TAG="v3.2.0" LOGROTATE_TAG="v0.14.0" PROMETHEUS_TAG="v5.6.5" GRAFANA_TAG="v3.1.3" 
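Review bot: `POSTGRES_TAG` now holds a full commit hash rather than a tag name, and the commented-out upstream tag and URL are removed, so nothing at the assignment says what the hash corresponds to or why a fork is used. A comment such as `# Commit on arvados/postgres-formula (apparently a fork of saltstack-formulas/postgres-formula); pinned by hash, not by tag` would keep that context. Pinning by hash is also the stronger choice for supply-chain integrity, since a tag can be moved after review. The other `*_TAG` values visible here (`NGINX_TAG`, `DOCKER_TAG`, `LOCALE_TAG`, `LETSENCRYPT_TAG`, `LOGROTATE_TAG`, `PROMETHEUS_TAG`, `GRAFANA_TAG`) still name movable tags and could be pinned the same way in a follow-up. The matching `git checkout --quiet "${POSTGRES_TAG}"` change is in a later hunk.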
@@ -361,37 +361,60 @@ fi if [ "${DUMP_CONFIG}" = "yes" ]; then echo "The provision installer will just dump a config under ${DUMP_SALT_CONFIG_DIR} and exit" else - # Install a few dependency packages - # First, let's figure out the OS we're working on - OS_ID=$(grep ^ID= /etc/os-release |cut -f 2 -d= |cut -f 2 -d \") - echo "Detected distro: ${OS_ID}" - - case ${OS_ID} in - "centos") - echo "WARNING! Disabling SELinux, see https://dev.arvados.org/issues/18019" - sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux - setenforce permissive - yum install -y curl git jq - ;; - "debian"|"ubuntu") - # Wait 2 minutes for any apt locks to clear - # This option is supported from apt 1.9.1 and ignored in older apt versions. - # Cf. https://blog.sinjakli.co.uk/2021/10/25/waiting-for-apt-locks-without-the-hacky-bash-scripts/ - DEBIAN_FRONTEND=noninteractive apt -o DPkg::Lock::Timeout=120 update - DEBIAN_FRONTEND=noninteractive apt install -y curl git jq - ;; - esac - - if which salt-call; then - echo "Salt already installed" - else - curl -L https://bootstrap.saltstack.com -o /tmp/bootstrap_salt.sh - sh /tmp/bootstrap_salt.sh -XdfP -x python3 old-stable ${SALT_VERSION} - /bin/systemctl stop salt-minion.service - /bin/systemctl disable salt-minion.service - fi + # Read the variables of /etc/os-release but prefix their names with `_OS_` + # to avoid name conflicts. + eval "$(awk '(/^[A-Z_]+=/) { print "_OS_" $0 }' /etc/os-release)" + echo "Detected distro families: ${_OS_ID:-} ${_OS_ID_LIKE:-}" + + # Several of our formulas use the cron module, which requires the crontab + # command. We install systemd-cron to ensure we have that. + # The rest of these packages are required by the rest of the script. + for OS_ID in ${_OS_ID:-} ${_OS_ID_LIKE:-}; do + case "$OS_ID" in + rhel) + echo "WARNING! 
Disabling SELinux, see https://dev.arvados.org/issues/18019" + sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux + setenforce permissive + yum install -y curl git jq systemd-cron + if command -v salt-call >/dev/null; then + echo "Salt already installed" + break + fi + curl -L https://bootstrap.saltstack.com -o /tmp/bootstrap_salt.sh + sh /tmp/bootstrap_salt.sh -XdfP -x python3 stable ${SALT_VERSION} + break + ;; + debian) + DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=120 update + # This list includes our own dependencies, plus depdencies necessary + # to retrieve the Salt apt repository. + DEBIAN_FRONTEND=noninteractive apt-get install -y \ + apt-transport-https ca-certificates curl git gnupg jq systemd-cron + if command -v salt-call >/dev/null; then + echo "Salt already installed" + break + fi + salt_apt_url="https://repo.saltproject.io/salt/py3/$_OS_ID/$_OS_VERSION_ID/$(dpkg --print-architecture)" + salt_apt_key=SALT-PROJECT-GPG-PUBKEY-2023.gpg + install -d -m 755 /etc/apt/keyrings + curl -fsSL -o "/etc/apt/keyrings/$salt_apt_key" "$salt_apt_url/$salt_apt_key" + chmod go+r "/etc/apt/keyrings/$salt_apt_key" + install -b -m 644 /dev/stdin "/etc/apt/sources.list.d/salt$SALT_VERSION.sources" < /etc/salt/minion << EOFSM failhard: "True" @@ -429,7 +452,7 @@ test -d nginx && ( cd nginx && git fetch ) \ echo "...postgres" test -d postgres && ( cd postgres && git fetch ) \ || git clone --quiet ${POSTGRES_URL} ${F_DIR}/postgres -( cd postgres && git checkout --quiet tags/"${POSTGRES_TAG}" ) +( cd postgres && git checkout --quiet "${POSTGRES_TAG}" ) echo "...prometheus" test -d prometheus && ( cd prometheus && git fetch ) \ 
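Review bot: In the `rhel` arm the Salt bootstrap script is still downloaded to the fixed path `/tmp/bootstrap_salt.sh` and run with `sh` (presumably as root, given the `yum` and `setenforce` calls beside it), with no `-f` on curl and no integrity check, so an HTTP error body or an altered download would be executed. A `mktemp` file, `curl -fsSL` and a comparison against a pinned SHA-256 before execution would close that; the digest variable in the sketch below is a placeholder to be set from a reviewed copy of the script. The `debian` arm has a related gap: `SALT-PROJECT-GPG-PUBKEY-2023.gpg` is fetched from the same repository it later authenticates, so checking its fingerprint against a value stored in this script would make the trust anchor independent of the download. The `eval` of `/etc/os-release` filters only on key names, which is reasonable for a root-owned file but deserves a comment saying that the values are trusted. Part of this hunk (the `.sources` heredoc body and the end of the loop) is not visible in this view, so the above covers only the lines shown.

```shell
# … unchanged: SELinux handling, yum install, salt-call check …
bootstrap_script="$(mktemp)"
curl -fsSL https://bootstrap.saltstack.com -o "$bootstrap_script"
# BOOTSTRAP_SHA256 is a placeholder: set it to the digest of a reviewed copy of the script
echo "${BOOTSTRAP_SHA256}  ${bootstrap_script}" | sha256sum -c - \
  || { echo >&2 "Salt bootstrap script checksum mismatch"; exit 1; }
sh "$bootstrap_script" -XdfP -x python3 stable "${SALT_VERSION}"
rm -f -- "$bootstrap_script"
break
```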
@@ -613,10 +636,12 @@ if [ -z "${ROLES:-}" ]; then echo " - extra.shell_sudo_passwordless" >> ${STATES_TOP} echo " - extra.shell_cron_add_login_sync" >> ${STATES_TOP} echo " - extra.passenger_rvm" >> ${STATES_TOP} + echo " - extra.workbench1_uninstall" >> ${STATES_TOP} # Pillars echo " - docker" >> ${PILLARS_TOP} echo " - nginx_api_configuration" >> ${PILLARS_TOP} + echo " - logrotate" >> ${PILLARS_TOP} echo " - logrotate_api" >> ${PILLARS_TOP} echo " - nginx_controller_configuration" >> ${PILLARS_TOP} echo " - nginx_keepproxy_configuration" >> ${PILLARS_TOP} @@ -852,6 +877,7 @@ else grep -q "arvados.controller" ${STATES_TOP} || echo " - arvados.controller" >> ${STATES_TOP} ### Pillars ### + grep -q "logrotate" ${PILLARS_TOP} || echo " - logrotate" >> ${PILLARS_TOP} grep -q "logrotate_api" ${PILLARS_TOP} || echo " - logrotate_api" >> ${PILLARS_TOP} grep -q "aws_credentials" ${PILLARS_TOP} || echo " - aws_credentials" >> ${PILLARS_TOP} grep -q "postgresql" ${PILLARS_TOP} || echo " - postgresql" >> ${PILLARS_TOP} @@ -913,6 +939,10 @@ else if [[ "${R}" != "webshell" && "${R}" != "workbench" ]]; then grep -q "arvados.${R}" ${STATES_TOP} || echo " - arvados.${R}" >> ${STATES_TOP} fi + # Make sure wb1's package get uninstalled + if [[ "${R}" == "workbench" ]]; then + grep -q "workbench1_uninstall" ${STATES_TOP} || echo " - extra.workbench1_uninstall" >> ${STATES_TOP} + fi ### Pillars ### grep -q "nginx_${R}_configuration" ${PILLARS_TOP} || echo " - nginx_${R}_configuration" >> ${PILLARS_TOP}
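Review bot: The new guard `grep -q "logrotate" ${PILLARS_TOP}` in the `@@ -852,6 +877,7 @@` hunk is a substring match, so it also succeeds when only `logrotate_api` (or any other `logrotate_*` pillar) is already listed, and the base `logrotate` pillar is then silently skipped. In the lines shown the base entry is tested first, but if another role branch outside this hunk has already appended a `logrotate_*` pillar, which cannot be confirmed from here, the entry is never added. Anchoring the pattern avoids that, for example `grep -q -- '- logrotate$' "${PILLARS_TOP}" || echo " - logrotate" >> "${PILLARS_TOP}"`, with the whitespace adjusted to the file's real indentation. The `workbench1_uninstall` guard in the last hunk is unaffected because that name is not a prefix of another entry. Quoting `${PILLARS_TOP}` and `${STATES_TOP}` on the added lines would also be safer, although the surrounding code leaves them unquoted throughout.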