X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/e51a22dc5b9da795b68c87cb9d0a45e4732ed2f6..c5e4c7027338235435e9698057847686baaee6cc:/doc/install/install-api-server.html.textile.liquid
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index f5d5825377..fa07f889f1 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -12,180 +12,156 @@ h3(#install_ruby_and_bundler). Install Ruby and Bundler
{% include 'install_ruby_and_bundler' %}
-h3(#install_postgres). Install PostgreSQL
-
-{% include 'install_postgres' %}
-
-h3(#build_tools_apiserver). Build tools
-
-On older distributions, you may need to use a backports repository to satisfy these requirements. For example, on older Red Hat-based systems, consider using the "postgresql92":https://www.softwarecollections.org/en/scls/rhscl/postgresql92/ and "nginx16":https://www.softwarecollections.org/en/scls/rhscl/nginx16/ Software Collections.
+h2(#install_apiserver). Install API server and dependencies
On a Debian-based system, install the following packages:
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git nginx arvados-api-server
+
~$ sudo apt-get install bison build-essential libcurl4-openssl-dev git arvados-api-server
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel nginx git arvados-api-server
+
~$ sudo yum install bison make automake gcc gcc-c++ libcurl-devel git arvados-api-server
~$ ruby -e 'puts rand(2**128).to_s(36)'
-6gqa1vu492idd7yca9tfandj3
-
~$ sudo -u postgres createuser --encrypted -R -S --pwprompt arvados
-[sudo] password for you: yourpassword
-Enter password for new role: paste-password-you-generated
-Enter it again: paste-password-again
+
~$ editor /etc/arvados/api/database.yml
-~$ sudo -u postgres createdb arvados_production -T template0 -E UTF8 -O arvados
-
+~$ sudo mkdir -p /etc/arvados/api
-~$ sudo chmod 700 /etc/arvados/api
-~$ cd /var/www/arvados-api/current
-/var/www/arvados-api/current$ sudo cp config/database.yml.sample /etc/arvados/api/database.yml
-/var/www/arvados-api/current$ sudo cp config/application.yml.example /etc/arvados/api/application.yml
-
uuid_prefix: zzzzz
~$ ruby -e 'puts rand(2**400).to_s(36)'
+yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
+
+ secret_token: yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
~$ sudo mkdir -p /var/lib/arvados/git/repositories
+
~$ ruby -e 'puts rand(2**400).to_s(36)'
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
~$ ruby -e 'puts rand(2**400).to_s(36)'
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
blob_signing_key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
-Then put that value in the @secret_token@ field.
+h3(#omniauth). sso_app_secret, sso_app_id, sso_provider_url
-h3. blob_signing_key
+The following settings enable the API server to communicate with the "Single Sign On (SSO) server":install-sso.html to authenticate user log in.
-If you want access control on your "Keepstore":install-keepstore.html server(s), you should set @blob_signing_key@ to the same value as the permission key you provide to your Keepstore daemon(s).
+Set @sso_provider_url@ to the base URL where your SSO server is installed. This should be a URL consisting of the scheme and host (and optionally, port), without a trailing slash.
-h3. workbench_address
+Set @sso_app_secret@ and @sso_app_id@ to the corresponding values for @app_secret@ and @app_id@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
-Fill in the url of your workbench application in @workbench_address@, for example
+Example @application.yml@:
- https://workbench.@uuid_prefix@.your.domain
+ sso_app_id: arvados-server
+ sso_app_secret: wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww
+ sso_provider_url: https://sso.example.com
+
+ sso_app_id: arvados-server
- sso_app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- sso_provider_url: https://sso.example.com
-
+ workbench_address: https://workbench.zzzzz.example.com
Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will -break this application for all non-root users on this machine.-
fatal: Not a git repository (or any of the parent directories): .git-{% include 'notebox_end' %} +
websocket_address: wss://ws.zzzzz.example.com/websocket
+~$ sudo mkdir -p /var/lib/arvados/git/repositories
+
Puma is already included with the API server's gems. We recommend you use a tool like runit or something similar. Here's a sample run script for that:
+If you intend to store your git repositories in a different location, specify that location in @application.yml@. -#!/bin/bash
+Default setting in @application.default.yml@:
-set -e
-exec 2>&1
+
+ git_repositories_dir: /var/lib/arvados/git/repositories
+
+
-# Uncomment the line below if you're using RVM.
-#source /etc/profile.d/rvm.sh
+h3(#git_internal_dir). git_internal_dir
-envdir="`pwd`/env"
-mkdir -p "$envdir"
-echo ws-only > "$envdir/ARVADOS_WEBSOCKETS"
+The @git_internal_dir@ setting specifies the location of Arvados' internal git repository. By default this is @/var/lib/arvados/internal.git@. This repository stores git commits that have been used to run Crunch jobs. It should _not_ be a subdirectory of @git_repositories_dir@.
-cd /var/www/arvados-api/current
-echo "Starting puma in `pwd`"
+Example @application.yml@:
-# You may need to change arguments below to match your deployment, especially -u.
-exec chpst -m 1073741824 -u www-data:www-data -e "$envdir" \
- bundle exec puma -t 0:512 -e production -b tcp://127.0.0.1:8100
+
+ git_internal_dir: /var/lib/arvados/internal.git
-
Edit the http section of your Nginx configuration to run the Passenger server, and act as a front-end for both it and Puma. You might add a block like the following, adding SSL and logging parameters to taste:
+h2(#set_up). Set up Nginx and Passenger +The Nginx server will serve API requests using Passenger. It will also be used to proxy SSL requests to other services which are covered later in this guide. + +First, "Install Nginx and Phusion Passenger":https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/ownserver/nginx/oss/install_passenger_main.html. + +Edit the http section of your Nginx configuration to run the Passenger server, and serve SSL requests. Add a block like the following, adding SSL and logging parameters to taste: + +server {
listen 127.0.0.1:8000;
server_name localhost-api;
@@ -196,30 +172,50 @@ exec chpst -m 1073741824 -u www-data:www-data -e "$envdir" \
passenger_enabled on;
# If you're using RVM, uncomment the line below.
#passenger_ruby /usr/local/rvm/wrappers/default/ruby;
+
+ # This value effectively limits the size of API objects users can
+ # create, especially collections. If you change this, you should
+ # also ensure the following settings match it:
+ # * `client_max_body_size` in the server section below
+ # * `client_max_body_size` in the Workbench Nginx configuration (twice)
+ # * `max_request_size` in the API server's application.yml file
+ client_max_body_size 128m;
}
upstream api {
server 127.0.0.1:8000 fail_timeout=10s;
}
-upstream websockets {
- # The address below must match the one specified in puma's -b option.
- server 127.0.0.1:8100 fail_timeout=10s;
-}
-
proxy_http_version 1.1;
+# When Keep clients request a list of Keep services from the API server, the
+# server will automatically return the list of available proxies if
+# the request headers include X-External-Client: 1. Following the example
+# here, at the end of this section, add a line for each netmask that has
+# direct access to Keep storage daemons to set this header value to 0.
+geo $external_client {
+ default 1;
+ 10.20.30.0/24 0;
+}
+
server {
listen [your public IP address]:443 ssl;
server_name uuid_prefix.your.domain;
ssl on;
+ ssl_certificate /YOUR/PATH/TO/cert.pem;
+ ssl_certificate_key /YOUR/PATH/TO/cert.key;
index index.html index.htm index.php;
+ # Refer to the comment about this setting in the server section above.
+ client_max_body_size 128m;
+
location / {
proxy_pass http://api;
proxy_redirect off;
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
@@ -228,30 +224,26 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
+
+~$ sudo nginx -s reload
+
+Don't run Bundler as root. Bundler can ask for sudo if it is needed, and installing your bundle as root will +break this application for all non-root users on this machine.
fatal: Not a git repository (or any of the parent directories): .git