X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/db31bedb109a4d918830a910654685a9f591cf28..16b445f3d52952d284dbaac603e70a7196d9a3e9:/doc/install/install-api-server.html.textile.liquid
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 1f885f909a..6c3eabba4f 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -48,25 +48,20 @@ h3. Tokens
    SystemRootToken: "$system_root_token"
     ManagementToken: "$management_token"
-    API:
-      RailsSessionSecretToken: "$rails_secret_token"
     Collections:
-      BlobSigningKey: "blob_signing_key"
+      BlobSigningKey: "$blob_signing_key"
 
-@SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
+These secret tokens are used to authenticate messages between Arvados components.
+* @SystemRootToken@ is used by Arvados system services to authenticate as the system (root) user when communicating with the API server.
+* @ManagementToken@ is used to authenticate access to system metrics.
+* @Collections.BlobSigningKey@ is used to control access to Keep blocks.
-@ManagementToken@ is used to authenticate access to system metrics.
-
-@API.RailsSessionSecretToken@ is required by the API server.
-
-@Collections.BlobSigningKey@ is used to control access to Keep blocks.
-
-You can generate a random token for each of these items at the command line like this:
+Each token should be a string of at least 50 alphanumeric characters. You can generate a suitable token with the following command:
-
~$ tr -dc 0-9a-zA-Z </dev/urandom | head -c50; echo
+
~$ tr -dc 0-9a-zA-Z </dev/urandom | head -c50 ; echo
 
@@ -89,23 +84,23 @@ h3. Services
    Services:
       Controller:
-        ExternalURL: "https://xxxxx.example.com"
+        ExternalURL: "https://ClusterID.example.com"
         InternalURLs:
-          "http://xxxxx.example.com:8003": {}
+          "http://localhost:8003": {}
       RailsAPI:
         # Does not have an ExternalURL
         InternalURLs:
-          "http://xxxxx.example.com:8004": {}
+          "http://localhost:8004": {}
 
-Replace @xxxxx.example.com@ with the hostname that you previously selected for the API server.
+Replace @ClusterID.example.com@ with the hostname that you previously selected for the API server.
 The @Services@ section of the configuration helps Arvados components contact one another (service discovery). Each service has one or more @InternalURLs@ and an @ExternalURL@. The @InternalURLs@ describe where the service runs, and how the Nginx reverse proxy will connect to it. The @ExternalURL@ is how external clients contact the service.
 h2(#update-nginx). Update nginx configuration
-Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ with the following configuration. Options that need attention are marked with "TODO".
+Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-controller.conf@ with the following configuration. Options that need attention are marked in red.
proxy_http_version 1.1;
@@ -120,29 +115,33 @@ Use a text editor to create a new file @/etc/nginx/conf.d/arvados-api-and-contro
 # "available keep services" request with either a list of internal keep
 # servers (0) or with the keepproxy (1).
 #
-# TODO: Following the example here, update the netmask to the
-# your internal subnet.
+# Following the example here, update the 10.20.30.0/24 netmask
+# to match your private subnet.
+# Update 1.2.3.4 and add lines as necessary with the public IP
+# address of all servers that can also access the private network to
+# ensure they are not considered 'external'.
 
 geo $external_client {
   default        1;
+  127.0.0.0/24   0;
   10.20.30.0/24  0;
+  1.2.3.4/32     0;
 }
 
 # This is the port where nginx expects to contact arvados-controller.
 upstream controller {
-  server     xxxxx.example.com:8003  fail_timeout=10s;
+  server     localhost:8003  fail_timeout=10s;
 }
 
 server {
   # This configures the public https port that clients will actually connect to,
   # the request is reverse proxied to the upstream 'controller'
 
-  listen       xxxxx.example.com:443 ssl;
-  server_name  xxxxx.example.com;
+  listen       443 ssl;
+  server_name  ClusterID.example.com;
 
-  ssl on;
-  ssl_certificate     /TODO/YOUR/PATH/TO/cert.pem;
-  ssl_certificate_key /TODO/YOUR/PATH/TO/cert.key;
+  ssl_certificate     /YOUR/PATH/TO/cert.pem;
+  ssl_certificate_key /YOUR/PATH/TO/cert.key;
 
   # Refer to the comment about this setting in the passenger (arvados
   # api server) section of your Nginx configuration.
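Review bot: The sample entry `1.2.3.4/32 0;` added to the `geo $external_client` block is a routable public address, so a configuration pasted without editing would classify an unrelated host as internal; a documentation-range placeholder such as `203.0.113.4/32 0;` (RFC 5737) would be a safer example. The rewritten comment also no longer carries the `TODO` marker, so nothing in the pasted file itself flags these lines as needing an edit; keeping a marker in the comment, e.g. `# TODO: replace 10.20.30.0/24 and the /32 entries with your own networks`, would help. The loopback entry `127.0.0.0/24` covers only 127.0.0.0–127.0.0.255; if the whole loopback block is intended it should read `127.0.0.0/8 0;`. The `server` block continues beyond this hunk.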
@@ -154,11 +153,13 @@ server {
     proxy_connect_timeout 90s;
     proxy_read_timeout    300s;
 
-    proxy_set_header      X-Forwarded-Proto https;
-    proxy_set_header      Host $http_host;
+    proxy_set_header      Host              $http_host;
+    proxy_set_header      Upgrade           $http_upgrade;
+    proxy_set_header      Connection        "upgrade";
     proxy_set_header      X-External-Client $external_client;
-    proxy_set_header      X-Real-IP $remote_addr;
-    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
+    proxy_set_header      X-Forwarded-Proto https;
+    proxy_set_header      X-Real-IP         $remote_addr;
   }
 }
 
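Review bot: The added `proxy_set_header Connection "upgrade";` is sent to the controller on every proxied request, not only on WebSocket handshakes, so ordinary API calls are forwarded with a hard-coded `Connection: upgrade` header. The nginx WebSocket proxying documentation derives the value from the request instead: `map $http_upgrade $connection_upgrade { default upgrade; '' close; }` at `http` level, then `proxy_set_header Connection $connection_upgrade;` in this block. Separately, `Host $http_host` forwards the client-supplied Host header as-is, and with the listener changed to `listen 443 ssl;` in the previous hunk this server block may receive requests for arbitrary host names; whether the controller relies on that header is not visible here, so it is worth confirming. The `location` block starts outside this hunk.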
@@ -166,7 +167,7 @@ server {
   # This configures the Arvados API server.  It is written using Ruby
   # on Rails and uses the Passenger application server.
 
-  listen xxxxx.example.com:8004;
+  listen localhost:8004;
   server_name localhost-api;
 
   root /var/www/arvados-api/current/public;
@@ -174,8 +175,8 @@ server {
 
   passenger_enabled on;
 
-  # TODO: If you are using RVM, uncomment the line below.
-  # If you're using system ruby, leave it commented out.
+  # If you are using RVM, uncomment the line below.
+  # If you're using system ruby, leave it commented out.
   #passenger_ruby /usr/local/rvm/wrappers/default/ruby;
 
   # This value effectively limits the size of API objects users can
@@ -188,42 +189,35 @@ server {
 
-h2(#install-packages). Install arvados-api-server and arvados-controller
-
-h3. Centos 7
+{% assign arvados_component = 'arvados-api-server arvados-controller' %}
-
-
# yum install arvados-api-server arvados-controller
-
-
+{% include 'install_packages' %}
-h3. Debian and Ubuntu
+{% assign arvados_component = 'arvados-controller' %}
-
-
# apt-get --no-install-recommends install arvados-api-server arvados-controller
-
-
+{% include 'start_service' %}
 h2(#confirm-working). Confirm working installation
 Confirm working controller:
-
-$ curl https://xxxxx.example.com/arvados/v1/config
-
+
$ curl https://ClusterID.example.com/arvados/v1/config
+
Confirm working Rails API server:
-
-$ curl https://xxxxx.example.com/discovery/v1/apis/arvados/v1/rest
-
+
$ curl https://ClusterID.example.com/discovery/v1/apis/arvados/v1/rest
+
Confirm that you can use the system root token to act as the system root user:
-
-$ curl -H "Authorization: Bearer $system_root_token" https://xxxxx.example.com/arvados/v1/users/current
-
+
$ curl -H "Authorization: Bearer $system_root_token" https://ClusterID.example.com/arvados/v1/users/current
+
h3. Troubleshooting
-See the admin page on "Logging":{{site.baseurl}}/admin/logging.html .
+If you are getting TLS errors, make sure the @ssl_certificate@ directive in your nginx configuration has the "full certificate chain":http://nginx.org/en/docs/http/configuring_https_servers.html#chains
+
+Logs can be found in @/var/www/arvados-api/current/log/production.log@ and using @journalctl -u arvados-controller@.
+
+See also the admin page on "Logging":{{site.baseurl}}/admin/logging.html .