X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/f94ac6e8ad9aec3c781cd71b72fcc5e2c1cedd8d..0fd23242967b5c8c7144f4325bf0b65043585b55:/lib/config/config.default.yml
diff --git a/lib/config/config.default.yml b/lib/config/config.default.yml
index 1919d7b704..723e64ceab 100644
--- a/lib/config/config.default.yml
+++ b/lib/config/config.default.yml
@@ -223,10 +223,23 @@ Clusters: # parameter higher than this value, this value is used instead. MaxItemsPerResponse: 1000 - # Maximum number of concurrent requests to accept in a single - # service process, or 0 for no limit. + # Maximum number of concurrent requests to process concurrently + # in a single service process, or 0 for no limit. MaxConcurrentRequests: 64 + # Maximum number of incoming requests to hold in a priority + # queue waiting for one of the MaxConcurrentRequests slots to be + # free. When the queue is longer than this, respond 503 to the + # lowest priority request. + # + # If MaxQueuedRequests is 0, respond 503 immediately to + # additional requests while at the MaxConcurrentRequests limit. + MaxQueuedRequests: 64 + + # Maximum time a "lock container" request is allowed to wait in + # the incoming request queue before returning 503. + MaxQueueTimeForLockRequests: 2s + # Fraction of MaxConcurrentRequests that can be "log create" # messages at any given time. This is to prevent logging # updates from crowding out more important requests. 
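Review bot: The new MaxQueuedRequests comment says the lowest priority request receives the 503, but nothing in this hunk says what determines a request's priority, so an operator sizing the queue for overload cannot tell which clients are shed first. A one-line pointer to where priority is defined would close that gap. The reworded first line also reads "concurrent requests to process concurrently"; `# Maximum number of requests to process concurrently` says it once. It may be worth stating that each process can now hold up to MaxConcurrentRequests plus MaxQueuedRequests requests at a time, since queued requests presumably still tie up a connection each.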
@@ -399,6 +412,48 @@ Clusters: # Use 0 to disable activity logging. ActivityLoggingPeriod: 24h + # The SyncUser* options control what system resources are managed by + # arvados-login-sync on shell nodes. They correspond to: + # * SyncUserAccounts: The user's Unix account on the shell node + # * SyncUserGroups: The group memberships of that account + # * SyncUserSSHKeys: Whether to authorize the user's Arvados SSH keys + # * SyncUserAPITokens: Whether to set up the user's Arvados API token + # All default to true. + SyncUserAccounts: true + SyncUserGroups: true + SyncUserSSHKeys: true + SyncUserAPITokens: true + + # If SyncUserGroups=true, then arvados-login-sync will ensure that all + # managed accounts are members of the Unix groups listed in + # SyncRequiredGroups, in addition to any groups listed in their Arvados + # login permission. The default list includes the "fuse" group so + # users can use arv-mount. You can require no groups by specifying an + # empty list (i.e., `SyncRequiredGroups: []`). + SyncRequiredGroups: + - fuse + + # SyncIgnoredGroups is a list of group names. arvados-login-sync will + # never modify these groups. If user login permissions list any groups + # in SyncIgnoredGroups, they will be ignored. If a user's Unix account + # belongs to any of these groups, arvados-login-sync will not remove + # the account from that group. The default is a set of particularly + # security-sensitive groups across Debian- and Red Hat-based + # distributions. + SyncIgnoredGroups: + - adm + - disk + - kmem + - mem + - root + - shadow + - staff + - sudo + - sys + - utempter + - utmp + - wheel + AuditLogs: # Time to keep audit logs, in seconds. (An audit log is a row added # to the "logs" table in the PostgreSQL database each time an 
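Review bot: The SyncIgnoredGroups comment does not say whether a site-supplied list replaces the default list or is merged with it. If it replaces it, as list values in a configuration file usually do, an operator who sets the key to add one local group silently drops the protection for root, sudo, wheel and the rest. Once the behaviour is confirmed I would add a line such as `# Setting this replaces the default list; repeat the defaults you want to keep.` The default list also leaves out groups such as docker and lxd, whose membership is effectively root on hosts that have them; if that is deliberate so that login permissions can grant them, the comment should say so.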
@@ -442,6 +497,15 @@ Clusters: # params_truncated. MaxRequestLogParamsSize: 2000 + # In all services except RailsAPI, periodically check whether + # the incoming HTTP request queue is nearly full (see + # MaxConcurrentRequests) and, if so, write a snapshot of the + # request queue to {service}-requests.json in the specified + # directory. + # + # Leave blank to disable. + RequestQueueDumpDirectory: "" + Collections: # Enable access controls for data stored in Keep. This should
@@ -543,11 +607,12 @@ Clusters: BalanceCollectionBatch: 0 # The size of keep-balance's internal queue of - # collections. Higher values use more memory and improve throughput - # by allowing keep-balance to fetch the next page of collections - # while the current page is still being processed. If this is zero - # or omitted, pages are processed serially. - BalanceCollectionBuffers: 1000 + # collections. Higher values may improve throughput by allowing + # keep-balance to fetch collections from the database while the + # current collection are still being processed, at the expense of + # using more memory. If this is zero or omitted, pages are + # processed serially. + BalanceCollectionBuffers: 4 # Maximum time for a rebalancing run. This ensures keep-balance # eventually gives up and retries if, for example, a network
@@ -909,6 +974,9 @@ Clusters: # probably want to include the other Workbench instances in the # federation in this list. # + # A wildcard like "https://*.example" will match client URLs + # like "https://a.example" and "https://a.b.c.example". + # # Example: # # TrustedClients: 
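Review bot: The RequestQueueDumpDirectory comment does not say what a queue snapshot contains or who should be able to read the file. A dump of pending HTTP requests may include request paths, client addresses or other per-user details, so the comment should name the fields written and recommend a restricted directory, for example `# The directory should be writable only by the service user and not world-readable.` The comment also points at MaxConcurrentRequests for "nearly full", while the queue length in this file is governed by MaxQueuedRequests; the cross-reference is worth checking.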
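Review bot: The rewritten BalanceCollectionBuffers comment has a grammar slip, "the current collection are still being processed", and it now mixes units. The opening sentences speak of collections, while the closing sentence still says "pages are processed serially". Suggest `# current collections are still being processed, at the expense of`. If the change of default from 1000 to 4 means the buffer now counts something other than individual collections, the comment should name that unit throughout.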
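Review bot: The added wildcard text documents that "https://*.example" matches at any depth, including "https://a.b.c.example", but carries no caution about what that trust covers. Every host under the domain becomes a trusted client, including user-content hosts, delegated subdomains and stale DNS records that someone else may later control. I would add `# A wildcard trusts every host under that domain; list exact origins unless all subdomains are under your control.` after the new sentence. The TrustedClients comment block continues past the end of this hunk.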
@@ -1038,6 +1106,10 @@ Clusters: # cloud dispatcher for executing containers on worker VMs. # Begins with "-----BEGIN RSA PRIVATE KEY-----\n" # and ends with "\n-----END RSA PRIVATE KEY-----\n". + # + # Use "file:///absolute/path/to/key" to load the key from a + # separate file instead of embedding it in the configuration + # file. DispatchPrivateKey: "" # Maximum time to wait for workers to come up before abandoning
@@ -1142,6 +1214,8 @@ Clusters: # Maximum bytes that may be logged by a single job. Log bytes that are # silenced by throttling are not counted against this total. + # If you set this to zero, each container will only create a single + # log on the API server, noting for users that logging is throttled. LimitLogBytesPerJob: 67108864 LogPartialLineThrottlePeriod: 5s 
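Review bot: The new `file://` form for DispatchPrivateKey is documented without saying who must be able to read the key file or on which hosts it must exist. Moving the key out of the configuration file only helps if the key file is more tightly restricted than the configuration, so I would add `# The file should be readable only by the dispatcher's service account (for example mode 0600).` If services other than the dispatcher also load this configuration, the comment should say whether they need the file present or ignore the setting; that is not visible from this hunk.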
@@ -1339,10 +1413,30 @@ Clusters: # down. MaxInstances: 64 - # Maximum fraction of CloudVMs.MaxInstances allowed to run - # "supervisor" containers at any given time. A supervisor is a - # container whose purpose is mainly to submit and manage other - # containers, such as arvados-cwl-runner workflow runner. + # The minimum number of instances expected to be runnable + # without reaching a provider-imposed quota. + # + # This is used as the initial value for the dispatcher's + # dynamic instance limit, which increases (up to MaxInstances) + # as containers start up successfully and decreases in + # response to high API load and cloud quota errors. + # + # Setting this too high creates a risk that the dispatcher + # will cause deadlock by starting so many supervisor + # containers (based on SupervisorFraction and MaxInstances) + # that the cloud quota prevents them from running any child + # containers. + # + # Setting this too low causes the dispatcher to be + # unnecessarily slow to start up new instances after a + # restart. + InitialQuotaEstimate: 16 + + # Maximum fraction of available instance capacity allowed to + # run "supervisor" containers at any given time. A supervisor + # is a container whose purpose is mainly to submit and manage + # other containers, such as arvados-cwl-runner workflow + # runner. # # If there is a hard limit on the amount of concurrent # containers that the cluster can run, it is important to
@@ -1384,6 +1478,12 @@ Clusters: # https://xxxxx.blob.core.windows.net/system/Microsoft.Compute/Images/images/xxxxx.vhd ImageID: "" + # Shell script to run on new instances using the cloud + # provider's UserData (EC2) or CustomData (Azure) feature. + # + # It is not necessary to include a #!/bin/sh line. + InstanceInitCommand: "" + # An executable file (located on the dispatcher host) to be # copied to cloud instances at runtime and used as the # container runner/supervisor. The default value is the 
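Review bot: The InitialQuotaEstimate comment leaves the boundary values undefined: it does not say what 0 means, or what happens when the value exceeds MaxInstances. Elsewhere in this file 0 means "no limit", so a reader could assume the same here, which would defeat the deadlock protection the comment describes. A closing line such as `# Values above MaxInstances are treated as MaxInstances.` would settle it, with the wording adjusted to the actual behaviour. The reworded SupervisorFraction text also says "available instance capacity" without tying it to the dynamic limit introduced above, which I assume is what is meant.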
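Review bot: The InstanceInitCommand comment does not warn that the script is delivered through instance user data, which is not a confidential channel. On EC2 user data can be read back from the instance metadata service by processes on the instance, and Azure custom data is likewise stored on the VM, so anything embedded in the script may be reachable by workloads running there. I would add `# Do not put credentials or other secrets in this script; user data can be read from within the instance.` It would also help to state which user the script runs as and whether a failing script prevents the instance from being used.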
@@ -1394,6 +1494,12 @@ Clusters: # version of crunch-run installed; see CrunchRunCommand above. DeployRunnerBinary: "/proc/self/exe" + # Install the Dispatcher's SSH public key (derived from + # DispatchPrivateKey) when creating new cloud + # instances. Change this to false if you are using a different + # mechanism to pre-install the public key on new instances. + DeployPublicKey: true + # Tags to add on all resources (VMs, NICs, disks) created by # the container dispatcher. (Arvados's own tags -- # InstanceType, IdleBehavior, and InstanceSecret -- will also
@@ -1584,8 +1690,6 @@ Clusters: ReadTimeout: 10m RaceWindow: 24h PrefixLength: 0 - # Use aws-s3-go (v2) instead of goamz - UseAWSS3v2Driver: true # For S3 driver, potentially unsafe tuning parameter, # intentionally excluded from main documentation.