Merge branch '17151-system-token-validation'

closes #17151

Arvados-DCO-1.1-Signed-off-by: Tom Clegg <tom@curii.com>

diff --combined doc/admin/upgrading.html.textile.liquid
index ac697d87071ce4d31ce59ec5015d93d1f50f8c79,86ac509626db5806239a4c904257d5f26aa749fa..8317a744a705e614051f16f6f3c908ff85329e31
--- 1/doc/admin/upgrading.html.textile.liquid
--- 2/doc/admin/upgrading.html.textile.liquid
+++ b/doc/admin/upgrading.html.textile.liquid
@@@ -35,14 -35,16 +35,20 @@@ TODO: extract this information based o
  <div class="releasenotes">
  </notextile>
  
 -h2(#main). development main (as of 2020-10-28)
 +h2(#main). development main (as of 2020-12-10)
  
  "Upgrading from 2.1.0":#v2_1_0
  
 +h3. Changes on the collection's @preserve_version@ attribute semantics
 +
 +The @preserve_version@ attribute on collections was originally designed to allow clients to persist a preexisting collection version. This forced clients to make 2 requests if the intention is to "make this set of changes in a new version that will be kept", so we have changed the semantics to do just that: When passing @preserve_version=true@ along with other collection updates, the current version is persisted and also the newly created one will be persisted on the next update.
 +
+ h3. System token requirements
+ 
+ System services now log a warning at startup if any of the system tokens (@ManagementToken@, @SystemRootToken@, and @Collections.BlobSigningKey@) are less than 32 characters, or contain characters other than a-z, A-Z, and 0-9. After upgrading, run @arvados-server config-check@ and update your configuration file if needed to resolve any warnings.
+ 
+ The @API.RailsSessionSecretToken@ configuration key has been removed. Delete this entry from your configuration file after upgrading.
+ 
  h3. Centos7 Python 3 dependency upgraded to python3
  
  Now that Python 3 is part of the base repository in CentOS 7, the Python 3 dependency for Centos7 Arvados packages was changed from SCL rh-python36 to python3.

diff --combined sdk/python/tests/run_test_server.py
index c79aa4e945924f782b93fc7c76389b657fe6ecc7,4562a0654639415ad117b594d1f11ddb7ac36ff9..6a0f7d9f49d0820476449998030b951688aab7a6
--- 1/sdk/python/tests/run_test_server.py
--- 2/sdk/python/tests/run_test_server.py
+++ b/sdk/python/tests/run_test_server.py
@@@ -73,7 -73,6 +73,7 @@@ if not os.path.exists(TEST_TMPDIR)
  my_api_host = None
  _cached_config = {}
  _cached_db_config = {}
 +_already_used_port = {}
  
  def find_server_pid(PID_PATH, wait=10):
      now = time.time()
@@@ -182,15 -181,11 +182,15 @@@ def find_available_port()
      would take care of the races, and this wouldn't be needed at all.
      """
  
 -    sock = socket.socket()
 -    sock.bind(('0.0.0.0', 0))
 -    port = sock.getsockname()[1]
 -    sock.close()
 -    return port
 +    global _already_used_port
 +    while True:
 +        sock = socket.socket()
 +        sock.bind(('0.0.0.0', 0))
 +        port = sock.getsockname()[1]
 +        sock.close()
 +        if port not in _already_used_port:
 +            _already_used_port[port] = True
 +            return port
  
  def _wait_until_port_listens(port, timeout=10, warn=True):
      """Wait for a process to start listening on the given port.
@@@ -767,7 -762,6 +767,6 @@@ def setup_config()
                  "SystemRootToken": auth_token('system_user'),
                  "API": {
                      "RequestTimeout": "30s",
-                     "RailsSessionSecretToken": "e24205c490ac07e028fd5f8a692dcb398bcd654eff1aef5f9fe6891994b18483",
                  },
                  "Login": {
                      "SSO": {