17678: Merge branch 'master' into 17678-costanalyzer-doc
authorWard Vandewege <ward@curii.com>
Mon, 17 May 2021 19:52:08 +0000 (15:52 -0400)
committerWard Vandewege <ward@curii.com>
Mon, 17 May 2021 19:52:08 +0000 (15:52 -0400)
Arvados-DCO-1.1-Signed-off-by: Ward Vandewege <ward@curii.com>

apps/workbench/app/views/users/welcome.html.erb
apps/workbench/public/arvados-logo-big.png [new file with mode: 0644]
apps/workbench/test/integration/application_layout_test.rb
doc/_config.yml
doc/install/container-shell-access.html.textile.liquid [new file with mode: 0644]
doc/user/debugging/container-shell-access.html.textile.liquid [new file with mode: 0644]
lib/config/config.default.yml
lib/config/generated_config.go
sdk/python/tests/run_test_server.py

index 479e3e1d89dec50c5d6398ad3e7dc470be211d8c..0b98909e67d81f036558153e2fb662ff70af1f30 100644 (file)
@@ -4,42 +4,74 @@ SPDX-License-Identifier: AGPL-3.0 %>
 
 <% content_for :breadcrumbs do raw '<!-- -->' end %>
 
-<div class="row">
-  <div class="col-sm-8 col-sm-push-4" style="margin-top: 1em">
-    <div class="well clearfix">
-      <%= image_tag "dax.png", style: "width: 112px; height: 150px; margin-right: 2em", class: 'pull-left' %>
-
-      <h3 style="margin-top:0">Please log in.</h3>
-
-      <p>
+<%= javascript_tag do %>
+      function controller_password_authenticate(event) {
+        event.preventDefault()
+        document.getElementById('login-authenticate-error').innerHTML = '';
+        fetch('<%= "#{Rails.configuration.Services.Controller.ExternalURL}" %>arvados/v1/users/authenticate', {
+          method: 'POST',
 
-        The "Log in" button below will show you a Google sign-in page.
-        After you assure Google that you want to log in here with your
-        Google account, you will be redirected back here to
-        <%= Rails.configuration.Workbench.SiteName %>.
+          headers: {'Content-Type': 'application/json'},
+          body: JSON.stringify({
+            username: document.getElementById('login-username').value,
+            password: document.getElementById('login-password').value,
+          }),
+        }).then(function(resp) {
+          if (!resp.ok) {
+            resp.json().then(function(respj) {
+              document.getElementById('login-authenticate-error').innerHTML = "<p>"+respj.errors[0]+"</p>";
+            });
+            return;
+           }
 
-      </p><p>
+           var redir = document.getElementById('login-return-to').value
+           if (redir.indexOf('?') > 0) {
+             redir += '&'
+           } else {
+             redir += '?'
+           }
+           resp.json().then(function(respj) {
+             document.location = redir + "api_token=v2/" + respj.uuid + "/" + respj.api_token;
+           });
+         });
+      }
+      function clear_authenticate_error() {
+        document.getElementById('login-authenticate-error').innerHTML = "";
+      }
+<% end %>
 
-        If you have never used <%= Rails.configuration.Workbench.SiteName %>
-        before, logging in for the first time will automatically
-        create a new account.
-
-      </p><p>
+<div class="row">
+  <div class="col-sm-8 col-sm-push-4" style="margin-top: 1em">
+    <div class="well clearfix">
 
-        <i><%= Rails.configuration.Workbench.SiteName %> uses your name and
-          email address only for identification, and does not retrieve
-          any other personal information from Google.</i>
+      <%= raw(Rails.configuration.Workbench.WelcomePageHTML) %>
 
-      </p>
-        <%# Todo: add list of external authentications providers to
-            discovery document, then generate the option list here. Right
-            now, don't provide 'auth_provider' to get the default one. %>
+      <% case %>
+      <% when Rails.configuration.Login.Google.Enable %>
+      <% when Rails.configuration.Login.OpenIDConnect.Enable %>
+      <% when Rails.configuration.Login.SSO.Enable %>
         <div class="pull-right">
           <%= link_to arvados_api_client.arvados_login_url(return_to: request.url), class: "btn btn-primary" do %>
           Log in to <%= Rails.configuration.Workbench.SiteName %>
           <i class="fa fa-fw fa-arrow-circle-right"></i>
           <% end %>
         </div>
+      <% when Rails.configuration.Login.PAM.Enable %>
+      <% when Rails.configuration.Login.LDAP.Enable %>
+      <% when Rails.configuration.Login.Test.Enable %>
+        <form id="login-form-tag" onsubmit="controller_password_authenticate(event)">
+          <p>username <input type="text" class="form-control" name="login-username"
+                            value="" id="login-username" style="width: 50%"
+                            oninput="clear_authenticate_error()"></input></p>
+          <p>password <input type="password" class="form-control" name="login-password" value=""
+                            id="login-password" style="width: 50%"
+                            oninput="clear_authenticate_error()"></input></p>
+        <input type="hidden" name="return_to" value="<%= "#{Rails.configuration.Services.Workbench1.ExternalURL}" %>" id="login-return-to">
+        <span style="color: red"><p id="login-authenticate-error"></p></span>
+        <button type="submit" class="btn btn-primary">Log in</button>
+        </form>
+      <% end %>
+
     </div>
   </div>
 </div>
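Review bot: In `controller_password_authenticate`, the failure branch writes the controller's error string into the page with `innerHTML = "<p>"+respj.errors[0]+"</p>"`, so any markup in that string is parsed as HTML on the login page. Assigning it as text avoids that, and also stops nesting a `<p>` inside the existing `<p id="login-authenticate-error">`: `document.getElementById('login-authenticate-error').textContent = respj.errors[0];`. Whether the error text can carry user-supplied input such as the submitted username is not visible in this hunk, so it should be treated as untrusted. Separately, Ruby's `case` does not fall through, so the empty `when` branches for Google, OpenIDConnect, PAM and LDAP render no login control at all. Listing the conditions in a single `when` separated by commas (`when A, B, C`) would give the grouping the layout suggests.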
diff --git a/apps/workbench/public/arvados-logo-big.png b/apps/workbench/public/arvados-logo-big.png
new file mode 100644 (file)
index 0000000..c511f0e
Binary files /dev/null and b/apps/workbench/public/arvados-logo-big.png differ
index e28809e1318ba42c572d9f1a3eca94387d9a39b2..7d34c43deb5103d72ac986f90a49dd24c48a5e73 100644 (file)
@@ -20,9 +20,9 @@ class ApplicationLayoutTest < ActionDispatch::IntegrationTest
 
     if !user
       assert page.has_text?('Please log in'), 'Not found text - Please log in'
-      assert page.has_text?('The "Log in" button below will show you a Google sign-in page'), 'Not found text - google sign in page'
+      assert page.has_text?('If you have never used Arvados Workbench before'), 'Not found text - If you have never'
       assert page.has_no_text?('My projects'), 'Found text - My projects'
-      assert page.has_link?("Log in to #{Rails.configuration.Workbench.SiteName}"), 'Not found text - log in to'
+      assert page.has_link?("Log in"), 'Not found text - Log in'
     elsif user['is_active']
       if profile_config && !has_profile
         assert page.has_text?('Save profile'), 'No text - Save profile'
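Review bot: The replacement `assert page.has_link?("Log in")` is looser than the assertion it replaces, because Capybara matches link text by substring unless told otherwise, and it no longer checks that the configured site name is rendered. If the button text is meant to stay "Log in to" followed by the site name, keep the interpolated string or pass `exact: true` with the full text. The username/password form added to welcome.html.erb submits through a `<button>`, not a link, so this assertion only covers the redirect-style providers and the password path has no check in this hunk. The enclosing test method starts and ends outside the hunk.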
index 1255dc680964b00af0993fb8950920a0fe54fcbd..55987c062fad7666e4541477b60584788fc7027f 100644 (file)
@@ -59,6 +59,7 @@ navbar:
       - user/cwl/cwl-versions.html.textile.liquid
       - user/cwl/crunchstat-summary.html.textile.liquid
       - user/cwl/costanalyzer.html.textile.liquid
+      - user/debugging/container-shell-access.html.textile.liquid
     - Working with git repositories:
       - user/tutorials/add-new-repository.html.textile.liquid
       - user/tutorials/git-arvados-guide.html.textile.liquid
@@ -252,6 +253,8 @@ navbar:
       - install/crunch2-slurm/configure-slurm.html.textile.liquid
       - install/crunch2-slurm/install-compute-node.html.textile.liquid
       - install/crunch2-slurm/install-test.html.textile.liquid
+    - Additional configuration:
+      - install/container-shell-access.html.textile.liquid
     - External dependencies:
       - install/install-postgresql.html.textile.liquid
       - install/ruby.html.textile.liquid
diff --git a/doc/install/container-shell-access.html.textile.liquid b/doc/install/container-shell-access.html.textile.liquid
new file mode 100644 (file)
index 0000000..e60382c
--- /dev/null
@@ -0,0 +1,44 @@
+---
+layout: default
+navsection: installguide
+title: Configure container shell access
+...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
+Arvados can be configured to permit shell access to running containers. This can be handy for debugging, but it could affect reproducability of workflows. This feature can be enabled for admin users, or for all users. By default, it is entirely disabled.
+
+The relevant configuration section is
+
+<notextile>
+<pre><code>    Containers:
+      ShellAccess:
+        # An admin user can use "arvados-client shell" to start an
+        # interactive shell (with any user ID) in any running
+        # container.
+        Admin: false
+
+        # Any user can use "arvados-client shell" to start an
+        # interactive shell (with any user ID) in any running
+        # container that they started, provided it isn't also
+        # associated with a different user's container request.
+        #
+        # Interactive sessions make it easy to alter the container's
+        # runtime environment in ways that aren't recorded or
+        # reproducible. Consider the implications for automatic
+        # container reuse before enabling and using this feature. In
+        # particular, note that starting an interactive session does
+        # not disqualify a container from being reused by a different
+        # user/workflow in the future.
+        User: false
+</code></pre>
+</notextile>
+
+To enable the feature a firewall change may also be required. This feature requires the opening of tcp connections from @arvados-controller@ to the range specified in the @net.ipv4.ip_local_port_range@ sysctl on compute nodes. If that range is unknown or hard to determine, it will be sufficient to allow tcp connections from @arvados-controller@ to port 1024-65535 on compute nodes, while allowing traffic that is part of existing tcp connections.
+
+After changing the configuration, @arvados-controller@ must be restarted for the change to take effect. When enabling, shell access will be enabled for any running containers. When disabling, access is removed immediately for any running containers, as well as any containers started subsequently. Restarting @arvados-controller@ will kill any active connections.
+
+Usage instructions for this feature are available in the "User guide":{{site.baseurl}}/user/debugging/container-shell-access.html.
diff --git a/doc/user/debugging/container-shell-access.html.textile.liquid b/doc/user/debugging/container-shell-access.html.textile.liquid
new file mode 100644 (file)
index 0000000..c17c2a8
--- /dev/null
@@ -0,0 +1,79 @@
+---
+layout: default
+navsection: userguide
+title: Debugging workflows - shell access
+...
+{% comment %}
+Copyright (C) The Arvados Authors. All rights reserved.
+
+SPDX-License-Identifier: CC-BY-SA-3.0
+{% endcomment %}
+
+{% include 'notebox_begin' %}
+
+To use this feature, your Arvados installation must be configured to allow container shell access. See "the install guide":{{site.baseurl}}/install/container-shell-access.html for more information.
+
+{% include 'notebox_end' %}
+
+The @arvados-client@ program can be used to connect to a container in a running workflow. It can be installed from packages (@apt install arvados-client@ or @yum install arvados-client@). The @arvados-client shell@ command provides an ssh connection into a running container.
+
+h2(#syntax). Syntax
+
+The @arvados-client shell@ tool has the following syntax:
+
+<notextile>
+<pre><code>~$ <span class="userinput">arvados-client shell -h</span>
+arvados-client shell: open an interactive shell on a running container.
+
+Usage: arvados-client shell [options] [username@]container-uuid [ssh-options] [remote-command [args...]]
+
+Options:
+  -detach-keys string
+      set detach key sequence, as in docker-attach(1) (default "ctrl-],ctrl-]")
+
+</code></pre>
+</notextile>
+
+The @arvados-client shell@ command calls the ssh binary on your system to make the connection. Everything after _[username@]container-uuid_ is passed through to your OpenSSH client. This means many other SSH features can be used, e.g. -g, -f -N, -n, ...
+
+h2(#Examples). Examples
+
+Connect to a running container, using the container request UUID:
+
+<notextile>
+<pre><code>~$ <span class="userinput">./arvados-client shell ce8i5-xvhdp-e6wnujfslyyqn4b</span>
+root@0f13dcd755fa:~#
+</code></pre>
+</notextile>
+
+The container UUID also works:
+
+<notextile>
+<pre><code>~$ <span class="userinput">./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430</span>
+root@0f13dcd755fa:~#
+</code></pre>
+</notextile>
+
+SSH port forwarding is supported:
+
+<notextile>
+<pre><code>~$ <span class="userinput">./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80</span>
+root@0f13dcd755fa:~# nc -l -p 80
+</code></pre>
+</notextile>
+
+And then, connecting to port 8888 locally:
+
+<notextile>
+<pre><code>~$ <span class="userinput">echo hello | nc localhost 8888</span>
+</code></pre>
+</notextile>
+
+Which appears on the other end:
+
+<notextile>
+<pre><code>~$ <span class="userinput">./arvados-client shell ce8i5-dz642-h1cl0sa62d4i430 -L8888:localhost:80</span>
+root@0f13dcd755fa:~# nc -l -p 80
+hello
+</code></pre>
+</notextile>
index 17fecf1582cf62f2215c98987d3a9e4951b868ed..50a965a9aaed55a5fd433ffa73045e6a81805d55 100644 (file)
@@ -1429,15 +1429,11 @@ Clusters:
         <img src="/arvados-logo-big.png" style="width: 20%; float: right; padding: 1em;" />
         <h2>Please log in.</h2>
 
-        <p>The "Log in" button below will show you a sign-in
-        page. After you log in, you will be redirected back to
-        Arvados Workbench.</p>
-
         <p>If you have never used Arvados Workbench before, logging in
         for the first time will automatically create a new
         account.</p>
 
-        <i>Arvados Workbench uses your name and email address only for
+        <i>Arvados Workbench uses your information only for
         identification, and does not retrieve any other personal
         information.</i>
 
index de233a8668c662c79184f57463cf1b334c297e00..5216f81616ed5b8c5769884fa8e42c7f383da8ca 100644 (file)
@@ -1435,15 +1435,11 @@ Clusters:
         <img src="/arvados-logo-big.png" style="width: 20%; float: right; padding: 1em;" />
         <h2>Please log in.</h2>
 
-        <p>The "Log in" button below will show you a sign-in
-        page. After you log in, you will be redirected back to
-        Arvados Workbench.</p>
-
         <p>If you have never used Arvados Workbench before, logging in
         for the first time will automatically create a new
         account.</p>
 
-        <i>Arvados Workbench uses your name and email address only for
+        <i>Arvados Workbench uses your information only for
         identification, and does not retrieve any other personal
         information.</i>
 
index 953021f0e7a18bc622920a19e8d7e73cc764ae13..917d6100ae211853d379bcc04bbd4a591f3e625f 100644 (file)
@@ -770,6 +770,7 @@ def setup_config():
                 },
                 "Login": {
                     "SSO": {
+                        "Enable": True,
                         "ProviderAppID": "arvados-server",
                         "ProviderAppSecret": "608dbf356a327e2d0d4932b60161e212c2d8d8f5e25690d7b622f850a990cd33",
                     },