X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f08a2e4a1fd2c65798574e29c34fdff5cb8ef366..09cbdc3074b3f1e69c9c537875146f6da0a6ed8f:/lib/config/config.default.yml diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml index b72faa2375..f7c2beca33 100644 --- a/lib/config/config.default.yml +++ b/lib/config/config.default.yml 
@@ -22,44 +22,78 @@ Clusters: Services: - # In each of the service sections below, the keys under - # InternalURLs are the endpoints where the service should be - # listening, and reachable from other hosts in the - # cluster. Example: + # Each of the service sections below specifies InternalURLs + # (each with optional ListenURL) and ExternalURL. + # + # InternalURLs specify how other Arvados service processes will + # connect to the service. Typically these use internal hostnames + # and high port numbers. Example: # # InternalURLs: - # "http://host1.example:12345": {} - # "http://host2.example:12345": {} + # "http://host1.internal.example:12345": {} + # "http://host2.internal.example:12345": {} + # + # ListenURL specifies the address and port the service process's + # HTTP server should listen on, if different from the + # InternalURL itself. Example, using an intermediate TLS proxy: + # + # InternalURLs: + # "https://host1.internal.example": + # ListenURL: "http://10.0.0.7:12345" + # + # When there are multiple InternalURLs configured, the service + # process will try listening on each InternalURLs (using + # ListenURL if provided) until one works. If you use a ListenURL + # like "0.0.0.0" which can be bound on any machine, use an + # environment variable + # ARVADOS_SERVICE_INTERNAL_URL=http://host1.internal.example to + # control which entry to use. + # + # ExternalURL specifies how applications/clients will connect to + # the service, regardless of whether they are inside or outside + # the cluster. Example: + # + # ExternalURL: "https://keep.zzzzz.example.com/" + # + # To avoid routing internal traffic through external networks, + # use split-horizon DNS for ExternalURL host names: inside the + # cluster's private network "host.zzzzz.example.com" resolves to + # the host's private IP address, while outside the cluster + # "host.zzzzz.example.com" resolves to the host's public IP + # address (or its external gateway or load balancer). 
RailsAPI: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Controller: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Websocket: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Keepbalance: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" GitHTTP: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" GitSSH: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" DispatchCloud: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" DispatchLSF: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} + ExternalURL: "" + DispatchSLURM: + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Keepproxy: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" WebDAV: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} # Base URL for Workbench inline preview. If blank, use # WebDAVDownload instead, and disable inline preview. # If both are empty, downloading collections from workbench @@ -98,7 +132,7 @@ Clusters: ExternalURL: "" WebDAVDownload: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} # Base URL for download links. If blank, serve links to WebDAV # with disposition=attachment query param. Unlike preview links, # browsers do not render attachments, so there is no risk of XSS. @@ -114,6 +148,7 @@ Clusters: Keepstore: InternalURLs: SAMPLE: + ListenURL: "" # Rendezvous is normally empty/omitted. When changing the # URL of a Keepstore service, Rendezvous should be set to # the old URL (with trailing slash omitted) to preserve 
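Review bot: The ListenURL guidance in the Services comment block shows a plaintext `http://` listener behind a TLS proxy and then suggests a `0.0.0.0` ListenURL, but never says that such a listener must be reachable only from the proxy. ARVADOS_SERVICE_INTERNAL_URL only selects which InternalURLs entry the process uses; it does not restrict who can connect to the unencrypted port. I would add after the environment-variable paragraph: `# When ListenURL is plain http behind a TLS proxy, bind it to the` / `# proxy-facing address or firewall the port so the unencrypted` / `# listener is reachable only from the proxy.` Separately, `try listening on each InternalURLs` should read `each InternalURL`.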
@@ -121,10 +156,10 @@ Clusters: Rendezvous: "" ExternalURL: "" Composer: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" WebShell: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} # ShellInABox service endpoint URL for a given VM. If empty, do not # offer web shell logins. # @@ -135,13 +170,13 @@ Clusters: # https://*.webshell.uuid_prefix.arvadosapi.com ExternalURL: "" Workbench1: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Workbench2: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" Health: - InternalURLs: {SAMPLE: {}} + InternalURLs: {SAMPLE: {ListenURL: ""}} ExternalURL: "" PostgreSQL: @@ -240,6 +275,19 @@ Clusters: # https://doc.arvados.org/admin/metadata-vocabulary.html VocabularyPath: "" + # If true, a project must have a non-empty description field in + # order to be frozen. + FreezeProjectRequiresDescription: false + + # Project properties that must have non-empty values in order to + # freeze a project. Example: "property_name": {} + FreezeProjectRequiresProperties: + SAMPLE: {} + + # If true, only an admin user can un-freeze a project. If false, + # any user with "manage" permission can un-freeze. + UnfreezeProjectRequiresAdmin: false + Users: # Config parameters to automatically setup new users. If enabled, # this users will be able to self-activate. Enable this if you want 
@@ -325,6 +373,18 @@ Clusters: # cluster. RoleGroupsVisibleToAll: true + # During each period, a log entry with event_type="activity" + # will be recorded for each user who is active during that + # period. The object_uuid attribute will indicate the user's + # UUID. + # + # Multiple log entries for the same user may be generated during + # a period if there are multiple controller processes or a + # controller process is restarted. + # + # Use 0 to disable activity logging. + ActivityLoggingPeriod: 24h + AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added # to the "logs" table in the PostgreSQL database each time an @@ -563,21 +623,17 @@ Clusters: # Time to cache manifests, permission checks, and sessions. TTL: 300s - # Time to cache collection state. - UUIDTTL: 5s - # Block cache entries. Each block consumes up to 64 MiB RAM. MaxBlockEntries: 20 - # Collection cache entries. - MaxCollectionEntries: 1000 - - # Approximate memory limit (in bytes) for collection cache. + # Approximate memory limit (in bytes) for session cache. + # + # Note this applies to the in-memory representation of + # projects and collections -- metadata, block locators, + # filenames, etc. -- excluding cached file content, which is + # limited by MaxBlockEntries. MaxCollectionBytes: 100000000 - # UUID cache entries. - MaxUUIDEntries: 1000 - # Persistent sessions. MaxSessions: 100 
@@ -822,16 +878,28 @@ Clusters: # by going through login again. IssueTrustedTokens: true - # When the token is returned to a client, the token itself may - # be restricted from viewing/creating other tokens based on whether - # the client is "trusted" or not. The local Workbench1 and - # Workbench2 are trusted by default, but if this is a - # LoginCluster, you probably want to include the other Workbench - # instances in the federation in this list. + # Origins (scheme://host[:port]) of clients trusted to receive + # new tokens via login process. The ExternalURLs of the local + # Workbench1 and Workbench2 are trusted implicitly and do not + # need to be listed here. If this is a LoginCluster, you + # probably want to include the other Workbench instances in the + # federation in this list. + # + # Example: + # + # TrustedClients: + # "https://workbench.other-cluster.example": {} + # "https://workbench2.other-cluster.example": {} TrustedClients: - SAMPLE: - "https://workbench.federate1.example": {} - "https://workbench.federate2.example": {} + SAMPLE: {} + + # Treat any origin whose host part is "localhost" or a private + # IP address (e.g., http://10.0.0.123:3000/) as if it were + # listed in TrustedClients. + # + # Intended only for test/development use. Not appropriate for + # production use. + TrustPrivateNetworks: false Git: # Path to git or gitolite-shell executable. Each authenticated 
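Review bot: The TrustPrivateNetworks comment says "not appropriate for production" but does not spell out the consequence, and its own example (`http://10.0.0.123:3000/`) shows that plaintext http origins are trusted too, so a login token can be handed to any unencrypted client on the private network or on localhost. I would make that explicit: `# Any process on localhost or on the private network (including plain` / `# http origins, as in the example) can then obtain a login token, so` / `# this must stay false on any cluster holding real data.` How the origin of the login request is validated is not visible in this hunk, so the warning should not assume it is authenticated.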
@@ -852,10 +920,31 @@ Clusters: Repositories: /var/lib/arvados/git/repositories TLS: + # Use "file:///var/lib/acme/live/example.com/cert" and + # ".../privkey" to load externally managed certificates. Certificate: "" Key: "" + + # Accept invalid certificates when connecting to servers. Never + # use this in production. Insecure: false + ACME: + # Obtain certificates automatically for ExternalURL domains + # using an ACME server and http-01 validation. + # + # To use Let's Encrypt, specify "LE". To use the Let's + # Encrypt staging environment, specify "LE-staging". To use a + # different ACME server, specify the full directory URL + # ("https://..."). + # + # Note: this feature is not yet implemented in released + # versions, only in the alpha/prerelease arvados-server-easy + # package. + # + # Implies agreement with the server's terms of service. + Server: "" + Containers: # List of supported Docker Registry image formats that compute nodes # are able to use. `arv keep docker` will error out if a user tries @@ -876,8 +965,15 @@ Clusters: # troubleshooting purposes. LogReuseDecisions: false - # Default value for keep_cache_ram of a container's runtime_constraints. - DefaultKeepCacheRAM: 268435456 + # Default value for keep_cache_ram of a container's + # runtime_constraints. Note: this gets added to the RAM request + # used to allocate a VM or submit an HPC job + DefaultKeepCacheRAM: 0 + + # Default value for keep_cache_disk of a container's + # runtime_constraints. Note: this gets added to the disk + # request used to allocate a VM or submit an HPC job + DefaultKeepCacheDisk: 8589934592 # Number of times a container can be unlocked before being # automatically cancelled. 
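Review bot: The new TLS.Insecure comment says "never use this in production" but not what the flag turns off; from its position under TLS it presumably disables certificate verification for this service's outbound TLS connections, which leaves every such connection, including any carrying tokens, open to interception. I would replace it with `# Disable TLS certificate verification when connecting to other` / `# servers. This exposes outbound connections to interception;` / `# never use in production.` The Certificate/Key hint about `file:///var/lib/acme/live/...` should also say the private key file must be readable only by the service user, and the ACME comment should state that http-01 validation requires the ACME server to reach port 80 on each ExternalURL host.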
@@ -912,6 +1008,8 @@ Clusters: # price for the preemptible variant will be the non-preemptible # price multiplied by PreemptiblePriceFactor. If 0, preemptible # variants are not added automatically. + # + # A price factor of 1.0 is a reasonable starting point. PreemptiblePriceFactor: 0 # PEM encoded SSH key (RSA, DSA, or ECDSA) used by the @@ -937,7 +1035,7 @@ Clusters: # Extra RAM to reserve on the node, in addition to # the amount specified in the container's RuntimeConstraints - ReserveExtraRAM: 256MiB + ReserveExtraRAM: 550MiB # Minimum time between two attempts to run the same container MinRetryPeriod: 0s 
@@ -955,15 +1053,25 @@ Clusters: # A zero value disables this feature. # # In order for this feature to be activated, no volume may use - # AccessViaHosts, and each volume must have Replication higher - # than Collections.DefaultReplication. If these requirements are - # not satisfied, the feature is disabled automatically - # regardless of the value given here. + # AccessViaHosts, and no writable volume may have Replication + # lower than Collections.DefaultReplication. If these + # requirements are not satisfied, the feature is disabled + # automatically regardless of the value given here. # - # Note that when this configuration is enabled, the entire - # cluster configuration file, including the system root token, - # is copied to the worker node and held in memory for the - # duration of the container. + # When an HPC dispatcher is in use (see SLURM and LSF sections), + # this feature depends on the operator to ensure an up-to-date + # cluster configuration file (/etc/arvados/config.yml) is + # available on all compute nodes. If it is missing or not + # readable by the crunch-run user, the feature will be disabled + # automatically. To read it from a different location, add a + # "-config=/path/to/config.yml" argument to + # CrunchRunArgumentsList above. + # + # When the cloud dispatcher is in use (see CloudVMs section) and + # this configuration is enabled, the entire cluster + # configuration file, including the system root token, is copied + # to the worker node and held in memory for the duration of the + # container. LocalKeepBlobBuffersPerVCPU: 1 # When running a dedicated keepstore process for a container 
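Review bot: The HPC paragraph for LocalKeepBlobBuffersPerVCPU tells operators to make /etc/arvados/config.yml readable by the crunch-run user on every compute node, but unlike the cloud paragraph it does not remind them that this file contains the system root token. On a shared HPC node a world-readable copy, or one readable by an account that other users' jobs can run under, hands out cluster-admin credentials. I would add after `readable by the crunch-run user`: `# Because the configuration file includes the system root token, it` / `# must be readable by the crunch-run user only (e.g. mode 0600), never` / `# world-readable on shared compute nodes.`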
@@ -982,12 +1090,16 @@ Clusters: LocalKeepLogsToContainerLog: none Logging: - # When you run the db:delete_old_container_logs task, it will find - # containers that have been finished for at least this many seconds, + # Periodically (see SweepInterval) Arvados will check for + # containers that have been finished for at least this long, # and delete their stdout, stderr, arv-mount, crunch-run, and # crunchstat logs from the logs table. MaxAge: 720h + # How often to delete cached log entries for finished + # containers (see MaxAge). + SweepInterval: 12h + # These two settings control how frequently log events are flushed to the # database. Log lines are buffered until either crunch_log_bytes_per_event # has been reached or crunch_log_seconds_between_events has elapsed since @@ -1254,7 +1366,9 @@ Clusters: # need to be detected and cleaned up manually. TagKeyPrefix: Arvados - # Cloud driver: "azure" (Microsoft Azure) or "ec2" (Amazon AWS). + # Cloud driver: "azure" (Microsoft Azure), "ec2" (Amazon AWS), + # or "loopback" (run containers on dispatch host for testing + # purposes). Driver: ec2 # Cloud-specific driver parameters. @@ -1404,7 +1518,7 @@ Clusters: RaceWindow: 24h PrefixLength: 0 # Use aws-s3-go (v2) instead of goamz - UseAWSS3v2Driver: false + UseAWSS3v2Driver: true # For S3 driver, potentially unsafe tuning parameter, # intentionally excluded from main documentation. @@ -1496,6 +1610,11 @@ Clusters: ShowUserAgreementInline: false SecretKeyBase: "" + # Set this configuration to true to avoid providing an easy way for users + # to share data with unauthenticated users; this may be necessary on + # installations where strict data access controls are needed. + DisableSharingURLsUI: false + # Scratch directory used by the remote repository browsing # feature. If it doesn't exist, it (and any missing parents) will be # created using mkdir_p. 
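Review bot: The new "loopback" Driver option is documented only as running containers on the dispatch host "for testing purposes", without saying that this puts user containers on the same host as the dispatcher and its cluster configuration. Since the LocalKeepBlobBuffersPerVCPU comment elsewhere in this diff states the full configuration, including the system root token, is copied to the worker node under the cloud dispatcher, a reader should be told plainly that loopback is a test-only mode. I would extend the comment with `# "loopback" runs containers on the dispatcher host itself with no` / `# isolation from the dispatcher; never use it on a production cluster.`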
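Review bot: The DisableSharingURLsUI comment describes the option as avoiding "an easy way" to share data with unauthenticated users, which reads like a data-access control, but the key name indicates it only hides the Workbench UI affordance; whether the API still lets users create sharing links cannot be confirmed from this hunk. Operators who need "strict data access controls" should not rely on it alone, so I would add: `# Note: this only removes the Workbench UI for creating sharing URLs;` / `# confirm separately whether the API still permits them before relying` / `# on it as an access control.`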
@@ -1620,6 +1739,10 @@ Clusters: # This feature is disabled when set to zero. IdleTimeout: 0s + # URL to a file that is a fragment of text or HTML which should + # be rendered in Workbench as a banner. + BannerURL: "" + # Workbench welcome screen, this is HTML text that will be # incorporated directly onto the page. WelcomePageHTML: |
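Review bot: BannerURL fetches a file whose contents are rendered as HTML in Workbench, and the comment says nothing about who is expected to control that file; if it points at a location writable by a non-admin (a user-owned collection, a third-party host), that party can inject script into every user's Workbench session. I would add: `# The fetched content is rendered as trusted HTML: point this only at` / `# a location controlled by the cluster administrator, never at` / `# user-writable or third-party content.` Whether Workbench sanitizes the fragment is not visible from this hunk, so the warning is warranted either way.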