return 0
fi
. "$VENVDIR/bin/activate"
- echo 'Starting API, keepproxy, keep-web, ws, arv-git-httpd, and nginx ssl proxy...'
+ echo 'Starting API, controller, keepproxy, keep-web, arv-git-httpd, ws, and nginx ssl proxy...'
if [[ ! -d "$WORKSPACE/services/api/log" ]]; then
mkdir -p "$WORKSPACE/services/api/log"
fi
title "test $1"
timer_reset
+ result=
if which deactivate >/dev/null; then deactivate; fi
if ! . "$VENVDIR/bin/activate"
then
title "install $1"
timer_reset
+ result=
if which deactivate >/dev/null; then deactivate; fi
if [[ "$1" != "env" ]] && ! . "$VENVDIR/bin/activate"; then
result=1
- Other:
- admin/collection-versioning.html.textile.liquid
- admin/federation.html.textile.liquid
+ - admin/controlling-container-reuse.html.textile.liquid
+ - admin/logs-table-management.html.textile.liquid
installguide:
- Overview:
- install/index.html.textile.liquid
--- /dev/null
+---
+layout: default
+navsection: admin
+title: Controlling container reuse
+...
+
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
+This page describes how an admin can control container reuse using the @arv@ command. This can be utilized to avoid reusing a completed container without disabling reuse for the corresponding steps in affected workflows. For example, if a container exited successfully but produced bad output, it may not be feasible to update the workflow immediately. Meanwhile, changing the state of the container from @Complete@ to @Cancelled@ will prevent it from being used in subsequent workflows.
+
+If a container is in the @Complete@ state, the following @arv@ command will change its state to @Cancelled@, where @xxxxx-xxxxx-xxxxxxxxxxxxxxx@ is the @UUID@ of the container:
+
+<pre>arv container update -u xxxxx-xxxxx-xxxxxxxxxxxxxxx -c '{"state":"Cancelled"}'</pre>
+
+Use the following command to list all containers that exited with 0 and were then cancelled:
+
+<pre>arv container list --filters='[["state", "=", "Cancelled"], ["exit_code", "=", 0]]'</pre>See the "arv CLI tool overview":{{site.baseurl}}/sdk/cli/index.html for more details about using the @arv@ command.
--- /dev/null
+---
+layout: default
+navsection: admin
+title: "Logs table management"
+...
+
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
+This page aims to provide insight about managing the ever growing API Server's logs table.
+
+h3. Logs table purpose & behavior
+
+This database table currently serves three purposes:
+* It's an audit log, permitting admins and users to look up the time and details of past changes to Arvados objects via @arvados.v1.logs.*@ endpoints.
+* It's a mechanism for passing cache-invalidation events, used by websocket servers, the Python SDK "events" library, and @arvados-cwl-runner@ to detect when an object has changed.
+* It's a staging area for stdout/stderr text coming from users' containers, permitting users to see what their containers are doing while they are still running (i.e., before those text files are written to Keep).
+
+As a result, this table grows indefinitely, even on sites where policy does not require an audit log; making backups, migrations, and upgrades unnecessarily slow and painful.
+
+h3. API Server configuration
+
+To solve the problem mentioned above, the API server offers the possibility to limit the amount of log information stored on the table:
+
+<pre>
+# Time to keep audit logs (a row in the log table added each time an
+# Arvados object is created, modified, or deleted) in the PostgreSQL
+# database. Currently, websocket event notifications rely on audit
+# logs, so this should not be set lower than 600 (10 minutes).
+max_audit_log_age: 1209600
+</pre>
+
+...and to prevent surprises and avoid bad database behavior (especially the first time the cleanup job runs on an existing cluster with a huge backlog) a maximum number of rows to delete in a single transaction.
+
+<pre>
+# Maximum number of log rows to delete in a single SQL transaction.
+#
+# If max_audit_log_delete_batch is 0, log entries will never be
+# deleted by Arvados. Cleanup can be done by an external process
+# without affecting any Arvados system processes, as long as very
+# recent (<5 minutes old) logs are not deleted.
+#
+# 100000 is a reasonable batch size for most sites.
+max_audit_log_delete_batch: 0
+</pre>
+
+This feature works when both settings are non-zero, periodically dispatching a background task that deletes all log rows older than @max_audit_log_age@.
+The events being cleaned up by this process don't include job/container stderr logs (they're handled by the existing @delete job/container logs@ rake tasks)
+
+h3. Additional consideration
+
+Depending on the local installation's audit requirements, the cluster admins should plan for an external backup procedure before enabling this feature, as this information is not replicated anywhere else.
|Queued|Waiting for a dispatcher to lock it and try to run the container.|Locked, Cancelled|
|Locked|A dispatcher has "taken" the container and is allocating resources for it. The container has not started yet.|Queued, Running, Cancelled|
|Running|Resources have been allocated and the contained process has been started (or is about to start). Crunch-run _must_ set state to Running _before_ there is any possibility that user code will run in the container.|Complete, Cancelled|
-|Complete|Container was running, and the contained process/command has exited.|-|
+|Complete|Container was running, and the contained process/command has exited.|Cancelled|
|Cancelled|The container did not run long enough to produce an exit code. This includes cases where the container didn't even start, cases where the container was interrupted/killed before it exited by itself (e.g., priority changed to 0), and cases where some problem prevented the system from capturing the contained process's exit status (exit code and output).|-|
+See "Controlling container reuse":{{site.baseurl}}/admin/controlling-container-reuse.html for details about changing state from @Complete@ to @Cancelled@
+
h2(#mount_types). {% include 'mount_types' %}
h2(#runtime_constraints). {% include 'container_runtime_constraints' %}
<pre>
$ arvbox
-Arvados-in-a-box http://arvados.org
-
-start|run <config> [tag] start arvbox container
-stop stop arvbox container
-restart <config> stop, then run again
-status print some information about current arvbox
-ip print arvbox docker container ip address
-host print arvbox published host
-shell enter arvbox shell
-open open arvbox workbench in a web browser
-root-cert get copy of root certificate
-update <config> stop, pull latest image, run
-build <config> build arvbox Docker image
-reboot <config> stop, build arvbox Docker image, run
-rebuild <config> build arvbox Docker image, no layer cache
-reset delete arvbox arvados data (be careful!)
-destroy delete all arvbox code and data (be careful!)
-log <service> tail log of specified service
-ls <options> list directories inside arvbox
-cat <files> get contents of files inside arvbox
-pipe run a bash script piped in from stdin
-sv <start|stop|restart> <service> change state of service inside arvbox
-clone <from> <to> clone an arvbox
+Arvados-in-a-box https://doc.arvados.org/install/arvbox.html
+
+start|run <config> [tag] start arvbox container
+stop stop arvbox container
+restart <config> stop, then run again
+status print some information about current arvbox
+ip print arvbox docker container ip address
+host print arvbox published host
+shell enter shell as root
+ashell enter shell as 'arvbox'
+psql enter postgres console
+open open arvbox workbench in a web browser
+root-cert get copy of root certificate
+update <config> stop, pull latest image, run
+build <config> build arvbox Docker image
+reboot <config> stop, build arvbox Docker image, run
+rebuild <config> build arvbox Docker image, no layer cache
+reset delete arvbox arvados data (be careful!)
+destroy delete all arvbox code and data (be careful!)
+log <service> tail log of specified service
+ls <options> list directories inside arvbox
+cat <files> get contents of files inside arvbox
+pipe run a bash script piped in from stdin
+sv <start|stop|restart> <service>
+ change state of service inside arvbox
+clone <from> <to> clone dev arvbox
</pre>
h2. Install root certificate
h3. test
-Run the test suite.
+Starts postgres and initializes the API server, then runs the Arvados test suite. Will pass command line arguments to test runner. Supports test runner interactive mode.
+
+h3. devenv
+
+Starts a minimal container with no services and the host's $HOME bind mounted inside the container, then enters an interactive login shell. Intended to make it convenient to use tools installed in arvbox that don't require services.
h3. publicdev
# https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal/
# and updated for v2 of the Azure cli tool.
#
-# az ad app create --display-name "Node Manager" --homepage "https://arvados.org" --identifier-uris "https://<Your_Application_Uri>" --password <Your_Password>
+# az ad app create --display-name "Node Manager" --homepage "https://arvados.org" --identifier-uris "https://<Your_Application_Uri>" --password <Your_Password> --end-date <Desired_credential_expiry_date>
# az ad sp create "<Application_Id>"
# az role assignment create --assignee "<Application_Id>" --role Owner --resource-group "<Your_Azure_Arvados_Resource_Group>"
#
defer wg.Done()
err := cq.Unlock(uuid)
c.Check(err, check.NotNil)
+ c.Check(err, check.ErrorMatches, ".*cannot unlock when Queued*.")
err = cq.Lock(uuid)
c.Check(err, check.IsNil)
}()
}
wg.Wait()
-
- err = cq.Cancel(arvadostest.CompletedContainerUUID)
- c.Check(err, check.ErrorMatches, `.*State cannot change from Complete to Cancelled.*`)
}
func (suite *IntegrationSuite) TestCancelIfNoInstanceType(c *check.C) {
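Review bot: The pattern passed to `check.ErrorMatches` ends in `Queued*.`, which looks like a transposed `.*`. As written it matches `Queue`, any number of `d`, then exactly one more character. It probably still passes against the current message, but only by accident; `".*cannot unlock when Queued.*"` states the intent. The enclosing test function starts outside this hunk.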
nil => [Queued],
Queued => [Locked, Cancelled],
Locked => [Queued, Running, Cancelled],
- Running => [Complete, Cancelled]
+ Running => [Complete, Cancelled],
+ Complete => [Cancelled]
}
def self.limit_index_columns_read
return false
end
- if self.state == Running &&
+ if self.state_was == Running &&
!current_api_client_authorization.nil? &&
(current_api_client_authorization.uuid == self.auth_uuid ||
current_api_client_authorization.token == self.runtime_token)
# change priority or log.
permitted.push *final_attrs
permitted = permitted - [:log, :priority]
+ elsif !current_user.andand.is_admin
+ raise PermissionDeniedError
elsif self.locked_by_uuid && self.locked_by_uuid != current_api_client_authorization.andand.uuid
# When locked, progress fields cannot be updated by the wrong
# dispatcher, even though it has admin privileges.
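Review bot: The new `elsif !current_user.andand.is_admin` branch raises `PermissionDeniedError` where the same update previously failed validation, so callers that use non-bang `update_attributes` and test the return value now get an exception instead of `false`. The `refute` to `assert_raises` change in the container test on this page shows the effect. It is worth confirming that every caller outside this hunk handles that error type. The branch also has no comment, unlike the `locked_by_uuid` branch below it; something like `# Anything that is not the running container's own token must be an admin.` would record why it sits before the lock check. The method starts and ends outside the hunk.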
assert_equal c1.runtime_status, {}
assert_equal Container::Queued, c1.state
- assert_raises ActiveRecord::RecordInvalid do
+ assert_raises ArvadosModel::PermissionDeniedError do
c1.update_attributes! runtime_status: {'error' => 'Oops!'}
end
end
end
+ [
+ [Container::Queued, {state: Container::Locked}],
+ [Container::Queued, {state: Container::Running}],
+ [Container::Queued, {state: Container::Complete}],
+ [Container::Queued, {state: Container::Cancelled}],
+ [Container::Queued, {priority: 123456789}],
+ [Container::Queued, {runtime_status: {'error' => 'oops'}}],
+ [Container::Queued, {cwd: '/'}],
+ [Container::Locked, {state: Container::Running}],
+ [Container::Locked, {state: Container::Queued}],
+ [Container::Locked, {priority: 123456789}],
+ [Container::Locked, {runtime_status: {'error' => 'oops'}}],
+ [Container::Locked, {cwd: '/'}],
+ [Container::Running, {state: Container::Complete}],
+ [Container::Running, {state: Container::Cancelled}],
+ [Container::Running, {priority: 123456789}],
+ [Container::Running, {runtime_status: {'error' => 'oops'}}],
+ [Container::Running, {cwd: '/'}],
+ [Container::Complete, {state: Container::Cancelled}],
+ [Container::Complete, {priority: 123456789}],
+ [Container::Complete, {runtime_status: {'error' => 'oops'}}],
+ [Container::Complete, {cwd: '/'}],
+ [Container::Cancelled, {cwd: '/'}],
+ ].each do |start_state, updates|
+ test "Container update #{updates.inspect} when #{start_state} forbidden for non-admin" do
+ set_user_from_auth :active
+ c, _ = minimal_new
+ if start_state != Container::Queued
+ set_user_from_auth :dispatch1
+ c.lock
+ if start_state != Container::Locked
+ c.update_attributes! state: Container::Running
+ if start_state != Container::Running
+ c.update_attributes! state: start_state
+ end
+ end
+ end
+ assert_equal c.state, start_state
+ set_user_from_auth :active
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ c.update_attributes! updates
+ end
+ end
+ end
+
test "Container only set exit code on complete" do
set_user_from_auth :active
c, _ = minimal_new
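Review bot: The new matrix only asserts the denial path for the `:active` user; nothing in it checks that an admin can still perform `Complete` to `Cancelled`, the transition this commit opens. That positive case may be covered elsewhere, but a test next to this table would pin both sides of the permission check. In the setup, `assert_equal c.state, start_state` passes the actual value first; `assert_equal start_state, c.state` keeps the failure message the right way round.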
c.update_attributes! state: Container::Running
set_user_from_auth :running_to_be_deleted_container_auth
- refute c.update_attributes(output: collections(:foo_file).portable_data_hash)
+ assert_raises(ArvadosModel::PermissionDeniedError) do
+ c.update_attributes(output: collections(:foo_file).portable_data_hash)
+ end
end
test "can set trashed output on running container" do
-#!/bin/sh
+#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0
RLIBS="$ARVBOX_DATA/Rlibs"
getip() {
- docker inspect $ARVBOX_CONTAINER | grep \"IPAddress\" | head -n1 | tr -d ' ":,\n' | cut -c10-
+ docker inspect --format='{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $ARVBOX_CONTAINER
}
gethost() {
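Review bot: If the container is attached to more than one network, the new template in `getip` prints every address back to back with no separator, whereas the old pipeline kept only the first match via `head -n1`. Emitting one address per line and keeping the first restores that: `docker inspect --format='{{range .NetworkSettings.Networks}}{{println .IPAddress}}{{end}}' "$ARVBOX_CONTAINER" | head -n1`. Quoting `$ARVBOX_CONTAINER` also stops a name taken from the environment from being word-split.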
docker logs -f $ARVBOX_CONTAINER > $FF &
LOGPID=$!
while read line ; do
- if echo $line | grep "ok: down: ready:" >/dev/null ; then
+ if [[ $line =~ "ok: down: ready:" ]] ; then
kill $LOGPID
+ set +e
+ wait $LOGPID 2>/dev/null
+ set -e
else
echo $line
fi
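Review bot: The `set +e` / `set -e` pair around `wait $LOGPID` turns errexit on unconditionally, so this code changes the shell's options if errexit was not already set (the script's option setup is outside this hunk). `wait $LOGPID 2>/dev/null || true` ignores the killed job's status without touching shell options. The `while read line` loop ends outside the hunk; `read -r` there would also stop backslashes in log lines from being interpreted.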
"--volume=$NPMCACHE:/var/lib/npm:rw" \
"--volume=$GOSTUFF:/var/lib/gopath:rw" \
"--volume=$RLIBS:/var/lib/Rlibs:rw" \
+ --label "org.arvados.arvbox_config=$CONFIG" \
"$@"
}
+running_config() {
+ docker inspect $ARVBOX_CONTAINER -f '{{index .Config.Labels "org.arvados.arvbox_config"}}'
+}
+
run() {
CONFIG=$1
TAG=$2
need_setup=1
if docker ps -a --filter "status=running" | grep -E "$ARVBOX_CONTAINER$" -q ; then
- if test "$CONFIG" = test ; then
+ if [[ $(running_config) != "$CONFIG" ]] ; then
+ echo "Container $ARVBOX_CONTAINER is '$(running_config)' config but requested '$CONFIG'; use restart or reboot"
+ return 1
+ fi
+ if test "$CONFIG" = test -o "$CONFIG" = devenv ; then
need_setup=0
else
echo "Container $ARVBOX_CONTAINER is already running"
- exit 0
+ return 0
fi
fi
if test $need_setup = 1 ; then
if docker ps -a | grep -E "$ARVBOX_CONTAINER$" -q ; then
echo "Container $ARVBOX_CONTAINER already exists but is not running; use restart or reboot"
- exit 1
+ return 1
fi
fi
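Review bot: A container started by an earlier version of this script has no `org.arvados.arvbox_config` label, so `running_config` should print an empty string and the new check in `run` would reject every config with "is '' config but requested ...". Treating an empty label as unknown avoids that: `running=$(running_config)` followed by `if [[ -n "$running" && "$running" != "$CONFIG" ]] ; then`. That also saves the second `docker inspect` call made for the message. `run` continues outside this hunk.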
TAG=":$TAG"
shift
else
+ if [[ $TAG = '-' ]] ; then
+ shift
+ fi
unset TAG
fi
fi
- if echo "$CONFIG" | grep '^public' ; then
+ if [[ "$CONFIG" =~ ^public ]] ; then
if test -n "$ARVBOX_PUBLISH_IP" ; then
localip=$ARVBOX_PUBLISH_IP
else
PUBLIC=""
fi
- if echo "$CONFIG" | grep 'demo$' ; then
+ if [[ "$CONFIG" =~ demo$ ]] ; then
if test -d "$ARVBOX_DATA" ; then
echo "It looks like you already have a development container named $ARVBOX_CONTAINER."
- echo "Set ARVBOX_CONTAINER to set a different name for your demo container"
+ echo "Set environment variable ARVBOX_CONTAINER to set a different name for your demo container"
exit 1
fi
--name=$ARVBOX_CONTAINER \
--privileged \
--volumes-from $ARVBOX_CONTAINER-data \
+ --label "org.arvados.arvbox_config=$CONFIG" \
$PUBLIC \
arvados/arvbox-demo$TAG
updateconf
else
mkdir -p "$PG_DATA" "$VAR_DATA" "$PASSENGER" "$GEMS" "$PIPCACHE" "$NPMCACHE" "$GOSTUFF" "$RLIBS"
-
if ! test -d "$ARVADOS_ROOT" ; then
git clone https://github.com/curoverse/arvados.git "$ARVADOS_ROOT"
fi
git clone https://github.com/curoverse/arvados-workbench2.git "$WORKBENCH2_ROOT"
fi
- if test "$CONFIG" = test ; then
+ if [[ "$CONFIG" = test ]] ; then
mkdir -p $VAR_DATA/test
fi
docker exec -ti \
+ -e LINES=$(tput lines) \
+ -e COLUMNS=$(tput cols) \
+ -e TERM=$TERM \
+ -e WORKSPACE=/usr/src/arvados \
+ -e GEM_HOME=/var/lib/gems \
$ARVBOX_CONTAINER \
/usr/local/lib/arvbox/runsu.sh \
/usr/src/arvados/build/run-tests.sh \
--temp /var/lib/arvados/test \
- WORKSPACE=/usr/src/arvados \
- GEM_HOME=/var/lib/gems \
"$@"
- elif echo "$CONFIG" | grep 'dev$' ; then
+ elif [[ "$CONFIG" = devenv ]] ; then
+ if [[ $need_setup = 1 ]] ; then
+ docker_run_dev \
+ --detach \
+ --name=${ARVBOX_CONTAINER} \
+ "--env=SVDIR=/etc/devenv-service" \
+ "--volume=$HOME:$HOME:rw" \
+ --volume=/tmp/.X11-unix:/tmp/.X11-unix:rw \
+ arvados/arvbox-dev$TAG
+ fi
+ exec docker exec --interactive --tty \
+ -e LINES=$(tput lines) \
+ -e COLUMNS=$(tput cols) \
+ -e TERM=$TERM \
+ -e "ARVBOX_HOME=$HOME" \
+ -e "DISPLAY=$DISPLAY" \
+ --workdir=$PWD \
+ ${ARVBOX_CONTAINER} \
+ /usr/local/lib/arvbox/devenv.sh "$@"
+ elif [[ "$CONFIG" =~ dev$ ]] ; then
docker_run_dev \
--detach \
--name=$ARVBOX_CONTAINER \
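Review bot: The `devenv` branch bind-mounts the host `$HOME` read-write and shares the X11 socket, so anything running in that container can read and modify the user's files and talk to their X session. A comment above the `docker_run_dev` call should say so, for example `# devenv exposes the host $HOME (rw) and the X11 socket to the container by design`. Separately, `--workdir=$PWD`, `-e TERM=$TERM` and the `$(tput ...)` substitutions are unquoted, so a working directory containing spaces splits into extra arguments. `"--workdir=$PWD"` matches the quoting already used for `"--volume=$HOME:$HOME:rw"`. The `dev$` branch that follows continues outside this hunk.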
check() {
case "$1" in
- localdemo|publicdemo|dev|publicdev|test)
+ localdemo|publicdemo|dev|publicdev|test|devenv)
true
;;
*)
- echo "Argument to $subcmd must be one of localdemo, publicdemo, dev, publicdev, test"
+ echo "Argument to $subcmd must be one of localdemo, publicdemo, dev, publicdev, test, devenv"
exit 1
;;
esac
;;
sh*)
- exec docker exec -ti \
+ exec docker exec --interactive --tty \
-e LINES=$(tput lines) \
-e COLUMNS=$(tput cols) \
-e TERM=$TERM \
$ARVBOX_CONTAINER /bin/bash
;;
+ ash*)
+ exec docker exec --interactive --tty \
+ -e LINES=$(tput lines) \
+ -e COLUMNS=$(tput cols) \
+ -e TERM=$TERM \
+ -e GEM_HOME=/var/lib/gems \
+ -u arvbox \
+ -w /usr/src/arvados \
+ $ARVBOX_CONTAINER /bin/bash --login
+ ;;
+
pipe)
exec docker exec -i $ARVBOX_CONTAINER /usr/bin/env GEM_HOME=/var/lib/gems /bin/bash -
;;
echo "Certificate copied to $CERT"
;;
- devenv)
- set -x
- if docker ps -a --filter "status=exited" | grep -E "${ARVBOX_CONTAINER}-devenv$" -q ; then
- docker start ${ARVBOX_CONTAINER}-devenv
- elif ! (docker ps -a --filter "status=running" | grep -E "${ARVBOX_CONTAINER}-devenv$" -q) ; then
- docker_run_dev \
- --detach \
- --name=${ARVBOX_CONTAINER}-devenv \
- "--env=SVDIR=/etc/devenv-service" \
- "--volume=$HOME:$HOME:rw" \
- --volume=/tmp/.X11-unix:/tmp/.X11-unix:rw \
- arvados/arvbox-dev$TAG
- fi
-
- exec docker exec --interactive --tty \
- -e LINES=$(tput lines) \
- -e COLUMNS=$(tput cols) \
- -e TERM=$TERM \
- -e "ARVBOX_HOME=$HOME" \
- -e "DISPLAY=$DISPLAY" \
- --workdir=$PWD \
- ${ARVBOX_CONTAINER}-devenv \
- /usr/local/lib/arvbox/devenv.sh "$@"
- ;;
-
- devenv-stop)
- docker stop ${ARVBOX_CONTAINER}-devenv
- ;;
-
- devenv-reset)
- docker stop ${ARVBOX_CONTAINER}-devenv
- docker rm ${ARVBOX_CONTAINER}-devenv
+ psql)
+ exec docker exec -ti $ARVBOX_CONTAINER bash -c 'PGPASSWORD=$(cat /var/lib/arvados/api_database_pw) exec psql --dbname=arvados_development --host=localhost --username=arvados'
;;
*)
- echo "Arvados-in-a-box http://arvados.org"
+ echo "Arvados-in-a-box https://doc.arvados.org/install/arvbox.html"
echo
- echo "start|run <config> [tag] start $ARVBOX_CONTAINER container"
- echo "stop stop arvbox container"
- echo "restart <config> stop, then run again"
- echo "status print some information about current arvbox"
- echo "ip print arvbox docker container ip address"
- echo "host print arvbox published host"
- echo "shell enter arvbox shell"
- echo "open open arvbox workbench in a web browser"
- echo "root-cert get copy of root certificate"
- echo "update <config> stop, pull latest image, run"
- echo "build <config> build arvbox Docker image"
- echo "reboot <config> stop, build arvbox Docker image, run"
- echo "rebuild <config> build arvbox Docker image, no layer cache"
- echo "reset delete arvbox arvados data (be careful!)"
- echo "destroy delete all arvbox code and data (be careful!)"
- echo "log <service> tail log of specified service"
- echo "ls <options> list directories inside arvbox"
- echo "cat <files> get contents of files inside arvbox"
- echo "pipe run a bash script piped in from stdin"
- echo "sv <start|stop|restart> <service> change state of service inside arvbox"
- echo "clone <from> <to> clone an arvbox"
+ echo "start|run <config> [tag] start $ARVBOX_CONTAINER container"
+ echo "stop stop arvbox container"
+ echo "restart <config> stop, then run again"
+ echo "status print some information about current arvbox"
+ echo "ip print arvbox docker container ip address"
+ echo "host print arvbox published host"
+ echo "shell enter shell as root"
+ echo "ashell enter shell as 'arvbox'"
+ echo "psql enter postgres console"
+ echo "open open arvbox workbench in a web browser"
+ echo "root-cert get copy of root certificate"
+ echo "update <config> stop, pull latest image, run"
+ echo "build <config> build arvbox Docker image"
+ echo "reboot <config> stop, build arvbox Docker image, run"
+ echo "rebuild <config> build arvbox Docker image, no layer cache"
+ echo "reset delete arvbox arvados data (be careful!)"
+ echo "destroy delete all arvbox code and data (be careful!)"
+ echo "log <service> tail log of specified service"
+ echo "ls <options> list directories inside arvbox"
+ echo "cat <files> get contents of files inside arvbox"
+ echo "pipe run a bash script piped in from stdin"
+ echo "sv <start|stop|restart> <service> "
+ echo " change state of service inside arvbox"
+ echo "clone <from> <to> clone dev arvbox"
;;
esac
RUN curl -L -f https://nodejs.org/dist/${NODEVERSION}/node-${NODEVERSION}-linux-x64.tar.xz | tar -C /usr/local -xJf - && \
ln -s ../node-${NODEVERSION}-linux-x64/bin/node ../node-${NODEVERSION}-linux-x64/bin/npm /usr/local/bin
+ENV GRADLEVERSION 5.3.1
+
+RUN cd /tmp && \
+ curl -L -O https://services.gradle.org/distributions/gradle-${GRADLEVERSION}-bin.zip && \
+ unzip gradle-${GRADLEVERSION}-bin.zip -d /usr/local && \
+ ln -s ../gradle-${GRADLEVERSION}/bin/gradle /usr/local/bin && \
+ rm gradle-${GRADLEVERSION}-bin.zip
+
# Set UTF-8 locale
RUN echo en_US.UTF-8 UTF-8 > /etc/locale.gen && locale-gen
ENV LANG en_US.UTF-8
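Review bot: The Gradle archive is unpacked into `/usr/local` without any integrity check, and `curl -L -O` lacks the `-f` that the Node.js download above uses, so an HTTP error body would be saved as the zip. Pinning a digest next to `GRADLEVERSION` and checking it before `unzip` closes both gaps: `ENV GRADLESHA256 <sha256 of gradle-5.3.1-bin.zip>` and `echo "${GRADLESHA256}  gradle-${GRADLEVERSION}-bin.zip" | sha256sum -c - && \`. The digest value has to come from the Gradle release page; it is not on this page.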
useradd --home-dir /var/lib/arvados/git --uid $HOSTUID --gid $HOSTGID --non-unique git
useradd --groups docker crunch
- chown arvbox:arvbox -R /usr/local /var/lib/arvados /var/lib/gems \
- /var/lib/passenger /var/lib/postgresql \
- /var/lib/nginx /var/log/nginx /etc/ssl/private \
- /var/lib/gopath /var/lib/pip /var/lib/npm
+ if [[ "$1" != --no-chown ]] ; then
+ chown arvbox:arvbox -R /usr/local /var/lib/arvados /var/lib/gems \
+ /var/lib/passenger /var/lib/postgresql \
+ /var/lib/nginx /var/log/nginx /etc/ssl/private \
+ /var/lib/gopath /var/lib/pip /var/lib/npm
+ fi
mkdir -p /var/lib/gems/ruby
chown arvbox:arvbox -R /var/lib/gems/ruby
#
# SPDX-License-Identifier: AGPL-3.0
-flock /var/lib/arvados/createusers.lock /usr/local/lib/arvbox/createusers.sh
+flock /var/lib/arvados/createusers.lock /usr/local/lib/arvbox/createusers.sh --no-chown
if [[ -n "$*" ]] ; then
exec su --preserve-environment arvbox -c "$*"