X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/ee0c92074b196d9e48ffe4e22bd20fbd58b5b837..4a7d0843a42986501fbfd18ba7ab96fc8669d1af:/lib/config/generated_config.go diff --git a/lib/config/generated_config.go b/lib/config/generated_config.go index 25fa89394a..8e42eb3505 100644 --- a/lib/config/generated_config.go +++ b/lib/config/generated_config.go @@ -145,9 +145,6 @@ Clusters: Workbench2: InternalURLs: {} ExternalURL: "" - Nodemanager: - InternalURLs: {} - ExternalURL: "-" Health: InternalURLs: {} ExternalURL: "-" @@ -190,12 +187,21 @@ Clusters: MaxItemsPerResponse: 1000 # Maximum number of concurrent requests to accept in a single - # service process, or 0 for no limit. Currently supported only - # by keepstore. + # service process, or 0 for no limit. MaxConcurrentRequests: 0 - # Maximum number of 64MiB memory buffers per keepstore server - # process, or 0 for no limit. + # Maximum number of 64MiB memory buffers per Keepstore server process, or + # 0 for no limit. When this limit is reached, up to + # (MaxConcurrentRequests - MaxKeepBlobBuffers) HTTP requests requiring + # buffers (like GET and PUT) will wait for buffer space to be released. + # Any HTTP requests beyond MaxConcurrentRequests will receive an + # immediate 503 response. + # + # MaxKeepBlobBuffers should be set such that (MaxKeepBlobBuffers * 64MiB + # * 1.1) fits comfortably in memory. On a host dedicated to running + # Keepstore, divide total memory by 88MiB to suggest a suitable value. + # For example, if grep MemTotal /proc/meminfo reports MemTotal: 7125440 + # kB, compute 7125440 / (88 * 1024)=79 and configure MaxBuffers: 79 MaxKeepBlobBuffers: 128 # API methods to disable. Disabled methods are not listed in the @@ -437,6 +443,13 @@ Clusters: # or omitted, pages are processed serially. BalanceCollectionBuffers: 1000 + # Maximum time for a rebalancing run. This ensures keep-balance + # eventually gives up and retries if, for example, a network + # error causes a hung connection that is never closed by the + # OS. It should be long enough that it doesn't interrupt a + # long-running balancing operation. + BalanceTimeout: 6h + # Default lifetime for ephemeral collections: 2 weeks. This must not # be less than BlobSigningTTL. DefaultTrashLifetime: 336h @@ -476,6 +489,9 @@ Clusters: # Use of this feature is not recommended, if it can be avoided. ForwardSlashNameSubstitution: "" + # Include "folder objects" in S3 ListObjects responses. + S3FolderObjects: true + # Managed collection properties. At creation time, if the client didn't # provide the listed keys, they will be automatically populated following # one of the following behaviors: @@ -521,31 +537,163 @@ Clusters: MaxUUIDEntries: 1000 Login: - # These settings are provided by your OAuth2 provider (eg - # Google) used to perform upstream authentication. - ProviderAppID: "" - ProviderAppSecret: "" - - # (Experimental) Authenticate with Google, bypassing the - # SSO-provider gateway service. Use the Google Cloud console to - # enable the People API (APIs and Services > Enable APIs and - # services > Google People API > Enable), generate a Client ID - # and secret (APIs and Services > Credentials > Create - # credentials > OAuth client ID > Web application) and add your - # controller's /login URL (e.g., - # "https://zzzzz.example.com/login") as an authorized redirect - # URL. - # - # Incompatible with ForceLegacyAPI14. ProviderAppID must be - # blank. - GoogleClientID: "" - GoogleClientSecret: "" + # One of the following mechanisms (SSO, Google, PAM, LDAP, or + # LoginCluster) should be enabled; see + # https://doc.arvados.org/install/setup-login.html + + Google: + # Authenticate with Google. + Enable: false + + # Use the Google Cloud console to enable the People API (APIs + # and Services > Enable APIs and services > Google People API + # > Enable), generate a Client ID and secret (APIs and + # Services > Credentials > Create credentials > OAuth client + # ID > Web application) and add your controller's /login URL + # (e.g., "https://zzzzz.example.com/login") as an authorized + # redirect URL. + # + # Incompatible with ForceLegacyAPI14. ProviderAppID must be + # blank. + ClientID: "" + ClientSecret: "" + + # Allow users to log in to existing accounts using any verified + # email address listed by their Google account. If true, the + # Google People API must be enabled in order for Google login to + # work. If false, only the primary email address will be used. + AlternateEmailAddresses: true + + OpenIDConnect: + # Authenticate with an OpenID Connect provider. + Enable: false + + # Issuer URL, e.g., "https://login.example.com". + # + # This must be exactly equal to the URL returned by the issuer + # itself in its config response ("isser" key). If the + # configured value is "https://example" and the provider + # returns "https://example:443" or "https://example/" then + # login will fail, even though those URLs are equivalent + # (RFC3986). + Issuer: "" + + # Your client ID and client secret (supplied by the provider). + ClientID: "" + ClientSecret: "" + + # OpenID claim field containing the user's email + # address. Normally "email"; see + # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims + EmailClaim: "email" + + # OpenID claim field containing the email verification + # flag. Normally "email_verified". To accept every returned + # email address without checking a "verified" field at all, + # use the empty string "". + EmailVerifiedClaim: "email_verified" + + # OpenID claim field containing the user's preferred + # username. If empty, use the mailbox part of the user's email + # address. + UsernameClaim: "" + + PAM: + # (Experimental) Use PAM to authenticate users. + Enable: false + + # PAM service name. PAM will apply the policy in the + # corresponding config file (e.g., /etc/pam.d/arvados) or, if + # there is none, the default "other" config. + Service: arvados + + # Domain name (e.g., "example.com") to use to construct the + # user's email address if PAM authentication returns a + # username with no "@". If empty, use the PAM username as the + # user's email address, whether or not it contains "@". + # + # Note that the email address is used as the primary key for + # user records when logging in. Therefore, if you change + # PAMDefaultEmailDomain after the initial installation, you + # should also update existing user records to reflect the new + # domain. Otherwise, next time those users log in, they will + # be given new accounts instead of accessing their existing + # accounts. + DefaultEmailDomain: "" + + LDAP: + # Use an LDAP service to authenticate users. + Enable: false + + # Server URL, like "ldap://ldapserver.example.com:389" or + # "ldaps://ldapserver.example.com:636". + URL: "ldap://ldap:389" + + # Use StartTLS upon connecting to the server. + StartTLS: true + + # Skip TLS certificate name verification. + InsecureTLS: false + + # Strip the @domain part if a user supplies an email-style + # username with this domain. If "*", strip any user-provided + # domain. If "", never strip the domain part. Example: + # "example.com" + StripDomain: "" + + # If, after applying StripDomain, the username contains no "@" + # character, append this domain to form an email-style + # username. Example: "example.com" + AppendDomain: "" - # Allow users to log in to existing accounts using any verified - # email address listed by their Google account. If true, the - # Google People API must be enabled in order for Google login to - # work. If false, only the primary email address will be used. - GoogleAlternateEmailAddresses: true + # The LDAP attribute to filter on when looking up a username + # (after applying StripDomain and AppendDomain). + SearchAttribute: uid + + # Bind with this username (DN or UPN) and password when + # looking up the user record. + # + # Example user: "cn=admin,dc=example,dc=com" + SearchBindUser: "" + SearchBindPassword: "" + + # Directory base for username lookup. Example: + # "ou=Users,dc=example,dc=com" + SearchBase: "" + + # Additional filters to apply when looking up users' LDAP + # entries. This can be used to restrict access to a subset of + # LDAP users, or to disambiguate users from other directory + # entries that have the SearchAttribute present. + # + # Special characters in assertion values must be escaped (see + # RFC4515). + # + # Example: "(objectClass=person)" + SearchFilters: "" + + # LDAP attribute to use as the user's email address. + # + # Important: This must not be an attribute whose value can be + # edited in the directory by the users themselves. Otherwise, + # users can take over other users' Arvados accounts trivially + # (email address is the primary key for Arvados accounts.) + EmailAttribute: mail + + # LDAP attribute to use as the preferred Arvados username. If + # no value is found (or this config is empty) the username + # originally supplied by the user will be used. + UsernameAttribute: uid + + SSO: + # Authenticate with a separate SSO server. (Deprecated) + Enable: false + + # ProviderAppID and ProviderAppSecret are generated during SSO + # setup; see + # https://doc.arvados.org/v2.0/install/install-sso.html#update-config + ProviderAppID: "" + ProviderAppSecret: "" # The cluster ID to delegate the user database. When set, # logins on this cluster will be redirected to the login cluster @@ -629,7 +777,7 @@ Clusters: # (experimental) cloud dispatcher for executing containers on # worker VMs. Begins with "-----BEGIN RSA PRIVATE KEY-----\n" # and ends with "\n-----END RSA PRIVATE KEY-----\n". - DispatchPrivateKey: none + DispatchPrivateKey: "" # Maximum time to wait for workers to come up before abandoning # stale locks from a previous dispatch process. @@ -810,6 +958,12 @@ Clusters: TimeoutShutdown: 10s # Worker VM image ID. + # (aws) AMI identifier + # (azure) managed disks: the name of the managed disk image + # (azure) shared image gallery: the name of the image definition. Also + # see the SharedImageGalleryName and SharedImageGalleryImageVersion fields. + # (azure) unmanaged disks (deprecated): the complete URI of the VHD, e.g. + # https://xxxxx.blob.core.windows.net/system/Microsoft.Compute/Images/images/xxxxx.vhd ImageID: "" # An executable file (located on the dispatcher host) to be @@ -866,13 +1020,38 @@ Clusters: # (azure) Instance configuration. CloudEnvironment: AzurePublicCloud - ResourceGroup: "" Location: centralus + + # (azure) The resource group where the VM and virtual NIC will be + # created. + ResourceGroup: "" + + # (azure) The resource group of the Network to use for the virtual + # NIC (if different from ResourceGroup) + NetworkResourceGroup: "" Network: "" Subnet: "" + + # (azure) managed disks: The resource group where the managed disk + # image can be found (if different from ResourceGroup). + ImageResourceGroup: "" + + # (azure) shared image gallery: the name of the gallery + SharedImageGalleryName: "" + # (azure) shared image gallery: the version of the image definition + SharedImageGalleryImageVersion: "" + + # (azure) unmanaged disks (deprecated): Where to store the VM VHD blobs StorageAccount: "" BlobContainer: "" + + # (azure) How long to wait before deleting VHD and NIC + # objects that are no longer being used. DeleteDanglingResourcesAfter: 20s + + # Account (that already exists in the VM image) that will be + # set up with an ssh authorized key to allow the compute + # dispatcher to connect. AdminUsername: arvados InstanceTypes: @@ -925,10 +1104,13 @@ Clusters: Region: us-east-1a Bucket: aaaaa LocationConstraint: false + V2Signature: false IndexPageSize: 1000 ConnectTimeout: 1m ReadTimeout: 10m RaceWindow: 24h + # Use aws-s3-go (v2) instead of goamz + UseAWSS3v2Driver: false # For S3 driver, potentially unsafe tuning parameter, # intentionally excluded from main documentation. @@ -1114,7 +1296,7 @@ Clusters: RunningJobLogRecordsToFetch: 2000 # In systems with many shared projects, loading of dashboard and topnav - # cab be slow due to collections indexing; use the following parameters + # can be slow due to collections indexing; use the following parameters # to suppress these properties ShowRecentCollectionsOnDashboard: true ShowUserNotifications: true @@ -1175,10 +1357,36 @@ Clusters: Accessing an Arvados VM with SSH (generic instructions). Site configurations vary. Contact your local cluster administrator if you have difficulty accessing an Arvados shell node. + # Sample text if you are using a "switchyard" ssh proxy. + # Replace "zzzzz" with your Cluster ID. + #SSHHelpPageHTML: | + #
Add a section like this to your SSH configuration file ( ~/.ssh/config):
+ #Host *.zzzzz + # TCPKeepAlive yes + # ServerAliveInterval 60 + # ProxyCommand ssh -p2222 turnout@switchyard.zzzzz.arvadosapi.com -x -a $SSH_PROXY_FLAGS %h + #+ + # If you are using a switchyard ssh proxy, shell node hostnames + # may require a special hostname suffix. In the sample ssh + # configuration above, this would be ".zzzzz" + # This is added to the hostname in the "command line" column + # the Workbench "shell VMs" page. + # + # If your shell nodes are directly accessible by users without a + # proxy and have fully qualified host names, you should leave + # this blank. + SSHHelpHostSuffix: "" + # Bypass new (Arvados 1.5) API implementations, and hand off # requests directly to Rails instead. This can provide a temporary # workaround for clients that are incompatible with the new API # implementation. Note that it also disables some new federation # features and will be removed in a future release. ForceLegacyAPI14: false + +# (Experimental) Restart services automatically when config file +# changes are detected. Only supported by ` + "`" + `arvados-server boot` + "`" + ` in +# dev/test mode. +AutoReloadConfig: false `)