Brett Smith [Thu, 12 Dec 2024 19:59:18 +0000 (14:59 -0500)]
22232: Apply database read limit logic to all "large" columns
We recently had another situation where a query for logs that happened
to have very large properties (changes to a large container request)
caused a DoS. Rather than hardcoding which columns should be affected by
database read limits, introspect them and use all potentially-unbounded
columns.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Wed, 11 Dec 2024 15:16:31 +0000 (10:16 -0500)]
22349: Restore conditional confdir setup in RailsAPI postinst
When I originally wrote d1b63dc072d5f80ddb8e56d0919e70f8e8df73c4, I
thought `install` would not change the ownership or permissions of an
existing directory. I was mistaken. This reverts that commit to restore
the conditional logic, and adds the empty $WWW_OWNER logic to it.
Brett Smith [Sat, 7 Dec 2024 14:58:41 +0000 (09:58 -0500)]
22349: Refine Passenger agent install
* Don't call `install-agent` because `install-standalone-runtime` does
  that anyway.
* Pass options to `install-standalone-runtime` more appropriate for a
  postinst script that should either work or not.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Fri, 6 Dec 2024 14:38:50 +0000 (09:38 -0500)]
22363: Update RailsAPI's arvados gem dependency
Ideally this would've been done as part of preparing the Arvados 3.0.0
release, but it's not a huge deal since RailsAPI doesn't actually depend
on any new functionality in the gem.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Fri, 6 Dec 2024 14:34:46 +0000 (09:34 -0500)]
22363: Update bundled Passenger
To get a curl-related security update. Pin the version we're using while
we're at it, since we plan to make this part of the deployment going
forward (see #22349).
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
This strips leading "development-" from the generated version string.
Version strings are derived from tags, which are usually just the bare
version number. However, in order to get development versions to
interact properly with release branches, we sometimes need to apply
version tags with a "development-" prefix to the main branch.
no issue #
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <peter.amstutz@curii.com>
Stephen Smith [Tue, 3 Dec 2024 15:11:01 +0000 (10:11 -0500)]
22116: Convert WebSocketService to singleton
Allows easier status checking without involving the store.
Moves connection parameter initialization to connect() so that
consumers checking connection status need not pass config params
on the constructor / getInstance.
Arvados-DCO-1.1-Signed-off-by: Stephen Smith <stephen@curii.com>
Brett Smith [Mon, 2 Dec 2024 22:02:53 +0000 (17:02 -0500)]
22364: Improve gem version construction
* Consider dependencies when constructing a development timestamp,
  including version-at-commit.sh.
* For internal dependencies, use ~> for development dependencies,
  == otherwise.
This ports the arvados_version.py logic from #21601 into Ruby.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Sat, 30 Nov 2024 19:01:26 +0000 (14:01 -0500)]
22349: Run RailsAPI as a standalone Passenger service
The primary motivation for this is to be able to run Passenger with the
same version of Ruby that RailsAPI depends on. On RHEL8, the official
Passenger packages depend on the system Ruby 2.5, which is too old for
us to use.
A secondary benefit is that this simplifies installation for everyone by
eliminating the need for a separate Passenger install and nginx
integration.
A tertiary benefit is that the systemd service definition can better
handle some preparation work that we were previously doing in the
postinst script.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Mon, 2 Dec 2024 17:16:10 +0000 (12:16 -0500)]
22349: Only remove arvados-api-server RPM files after final erasure
Without this, during `dnf reinstall arvados-api-server`, the %preun
scriptlet is called with an argument >0. The scriptlet removes
`/var/www/arvados-api/current/.bundle`, which causes `bundle` commands
in `postinst.sh` to fail.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Wed, 27 Nov 2024 20:27:02 +0000 (15:27 -0500)]
22349: Streamline Rails build scripts
Mostly get rid of step2.sh, which was primarily there to add functions
to support upstart and systemd simultaneously. Now that upstart is out
of the picture, it's easy to ditch the whole file.
Similarly removed httpd detection code. That hasn't been tested for a
while either.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Wed, 27 Nov 2024 19:49:11 +0000 (14:49 -0500)]
22349: Update RailsAPI package dependencies
This includes:
* Ruby dependencies that should declare that we no longer support RVM.
* Undeclared dependencies of the dependent gems and the postinst script.
* Dependencies of Passenger so we can run it standalone.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Tue, 26 Nov 2024 22:07:08 +0000 (17:07 -0500)]
22349: Add RailsAPI Passengerfile
These are settings that we're willing to use across both development and
production. The hope is this can be a baseline for building a standalone
Passenger systemd service for deployment.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Mon, 25 Nov 2024 16:45:11 +0000 (11:45 -0500)]
22317: Authorize additional keys from `compute_authorized_keys`
This serves two purposes. One, it gives the administrator a way to build
a compute node without having the dispatcher's private key. Two, it
simplifies development testing: you can just point this at your public
SSH key to build a node.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>
Brett Smith [Thu, 21 Nov 2024 20:20:52 +0000 (15:20 -0500)]
22317: Remove compute node image build.sh
It is replaced by a process where the user edits Ansible and Packer
configuration files in place, then runs the appropriate tool directly.
While it was nice that build.sh saved you from knowing the details of
how tools were configured, it was becoming more difficult to maintain as
we grew more options. It also requires the user to remember the full
build.sh command they used if they want to build a new version for a new
base AMI, new Arvados release, etc. This improves that situation by
letting the user keep configuration files they can keep and update as
needed.
Arvados-DCO-1.1-Signed-off-by: Brett Smith <brett.smith@curii.com>