From 8a27fe370239ecb8e50d53f46b45ed61203a35ca Mon Sep 17 00:00:00 2001 From: Ward Vandewege Date: Thu, 2 Jun 2022 13:39:05 -0400 Subject: [PATCH] Refactor the multi-host salt install page. refs #19175 Arvados-DCO-1.1-Signed-off-by: Ward Vandewege --- doc/_includes/_download_installer.liquid | 20 ++++ doc/_includes/_install_ca_cert.liquid | 38 ++++++ doc/_includes/_ssl_config_multi.liquid | 52 ++++++++ doc/_includes/_ssl_config_single.liquid | 56 +++++++++ .../salt-multi-host.html.textile.liquid | 76 +++++------- .../salt-single-host.html.textile.liquid | 112 ++---------------- 6 files changed, 206 insertions(+), 148 deletions(-) create mode 100644 doc/_includes/_download_installer.liquid create mode 100644 doc/_includes/_install_ca_cert.liquid create mode 100644 doc/_includes/_ssl_config_multi.liquid create mode 100644 doc/_includes/_ssl_config_single.liquid diff --git a/doc/_includes/_download_installer.liquid b/doc/_includes/_download_installer.liquid new file mode 100644 index 0000000000..5690820086 --- /dev/null +++ b/doc/_includes/_download_installer.liquid @@ -0,0 +1,20 @@ +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} + +{% include 'branchname' %} + +This procedure will install all the main Arvados components to get you up and running in a single host. + +This is a package-based installation method, however the installation script is currently distributed in source form via @git@: + + +
git clone https://git.arvados.org/arvados.git
+git checkout {{ branchname }}
+cd arvados/tools/salt-install
+
+
+ +The @provision.sh@ script will help you deploy Arvados by preparing your environment to be able to run the installer, then running it. The actual installer is located in the "arvados-formula git repository":https://git.arvados.org/arvados-formula.git/tree/refs/heads/{{ branchname }} and will be cloned during the running of the @provision.sh@ script. The installer is built using "Saltstack":https://saltproject.io/ and @provision.sh@ performs the install using master-less mode. diff --git a/doc/_includes/_install_ca_cert.liquid b/doc/_includes/_install_ca_cert.liquid new file mode 100644 index 0000000000..35d5826de0 --- /dev/null +++ b/doc/_includes/_install_ca_cert.liquid @@ -0,0 +1,38 @@ +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} + +h2(#ca_root_certificate). Install the CA root certificate (SSL_MODE=self-signed only) + +Arvados uses SSL to encrypt communications. The web interface uses AJAX which will silently fail if the certificate is not valid or signed by an unknown Certification Authority. + +For this reason, the @arvados-formula@ has a helper state to create a root certificate to authorize Arvados services. The @provision.sh@ script will leave a copy of the generated CA's certificate (@arvados-snakeoil-ca.pem@) in the script's directory so you can add it to your workstation. + +Installing the root certificate into your web browser will prevent security errors when accessing Arvados services with your web browser. + +# Go to the certificate manager in your browser. +#* In Chrome, this can be found under "Settings → Advanced → Manage Certificates" or by entering @chrome://settings/certificates@ in the URL bar. +#* In Firefox, this can be found under "Preferences → Privacy & Security" or entering @about:preferences#privacy@ in the URL bar and then choosing "View Certificates...". +# Select the "Authorities" tab, then press the "Import" button. Choose @arvados-snakeoil-ca.pem@ + +The certificate will be added under the "Arvados Formula". + +To access your Arvados instance using command line clients (such as arv-get and arv-put) without security errors, install the certificate into the OS certificate storage. + +* On Debian/Ubuntu: + + +
cp arvados-root-cert.pem /usr/local/share/ca-certificates/
+/usr/sbin/update-ca-certificates
+
+
+ +* On CentOS: + + +
cp arvados-root-cert.pem /etc/pki/ca-trust/source/anchors/
+/usr/bin/update-ca-trust
+
+
diff --git a/doc/_includes/_ssl_config_multi.liquid b/doc/_includes/_ssl_config_multi.liquid new file mode 100644 index 0000000000..1bcd1b64ef --- /dev/null +++ b/doc/_includes/_ssl_config_multi.liquid @@ -0,0 +1,52 @@ +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} + +h2(#certificates). Choose the SSL configuration (SSL_MODE) + +Arvados requires an SSL certificate to work correctly. This installer supports these options: + +* @self-signed@: let the installer create self-signed certificates +* @lets-encrypt@: automatically obtain and install an SSL certificates for your hostnames +* @bring-your-own@: supply your own certificates in the `certs` directory + +h3(#self-signed). Using self-signed certificates + +To make the installer use self-signed certificates, change the configuration like this: + + +
SSL_MODE="self-signed"
+
+
+ +When connecting to the Arvados web interface for the first time, you will need to accept the self-signed certificates as trusted to bypass the browser warnings. This can be a little tricky to do. Alternatively, you can also install the self-signed root certificate in your browser, see below. + +h3(#lets-encrypt). Using a Let's Encrypt certificate + +In the default configuration, this installer gets a valid certificate via Let's Encrypt. If you have the CLUSTER.DOMAIN domain in a route53 zone, you can set USE_LETSENCRYPT_ROUTE53 to YES and supply appropriate credentials so that Let's Encrypt can use dns-01 validation to get the appropriate certificates. + + +
SSL_MODE="lets-encrypt"
+USE_LETSENCRYPT_ROUTE53="yes"
+LE_AWS_REGION="us-east-1"
+LE_AWS_ACCESS_KEY_ID="AKIABCDEFGHIJKLMNOPQ"
+LE_AWS_SECRET_ACCESS_KEY="thisistherandomstringthatisyoursecretkey"
+
+
+ +Please note that when using AWS, EC2 instances can have a default hostname that ends with amazonaws.com. Let's Encrypt has a blacklist of domain names for which it will not issue certificates, and that blacklist includes the amazonaws.com domain, which means the default hostname can not be used to get a certificate from Let's Encrypt. + +h3(#bring-your-own). Bring your own certificates + +To supply your own certificates, change the configuration like this: + + +
SSL_MODE="bring-your-own"
+
+
+ +{% include 'multi_host_install_custom_certificates' %} + +All certificate files will be used by nginx. You may need to include intermediate certificates in your certificate files. See "the nginx documentation":http://nginx.org/en/docs/http/configuring_https_servers.html#chains for more details. diff --git a/doc/_includes/_ssl_config_single.liquid b/doc/_includes/_ssl_config_single.liquid new file mode 100644 index 0000000000..25b88de469 --- /dev/null +++ b/doc/_includes/_ssl_config_single.liquid @@ -0,0 +1,56 @@ +{% comment %} +Copyright (C) The Arvados Authors. All rights reserved. + +SPDX-License-Identifier: CC-BY-SA-3.0 +{% endcomment %} + +h2(#certificates). Choose the SSL configuration (SSL_MODE) + +Arvados requires an SSL certificate to work correctly. This installer supports these options: + +* @self-signed@: let the installer create a self-signed certificate +* @lets-encrypt@: automatically obtain and install an SSL certificate for your hostname +* @bring-your-own@: supply your own certificate in the `certs` directory + +h3(#self-signed). Using a self-signed certificate + +In the default configuration, this installer uses self-signed certificate(s): + + +
SSL_MODE="self-signed"
+
+
+ +When connecting to the Arvados web interface for the first time, you will need to accept the self-signed certificate as trusted to bypass the browser warnings. This can be a little tricky to do. Alternatively, you can also install the self-signed root certificate in your browser, see below. + +h3(#lets-encrypt). Using a Let's Encrypt certificate + +To automatically get a valid certificate via Let's Encrypt, change the configuration like this: + + +
SSL_MODE="lets-encrypt"
+
+
+ +The hostname for your Arvados cluster must be defined in @HOSTNAME_EXT@ and resolve to the public IP address of your Arvados instance, so that Let's Encrypt can validate the domainname ownership and issue the certificate. + +When using AWS, EC2 instances can have a default hostname that ends with amazonaws.com. Let's Encrypt has a blacklist of domain names for which it will not issue certificates, and that blacklist includes the amazonaws.com domain, which means the default hostname can not be used to get a certificate from Let's Encrypt. + +h3(#bring-your-own). Bring your own certificate + +To supply your own certificate, change the configuration like this: + + +
SSL_MODE="bring-your-own"
+
+
+ +Copy your certificate files to the directory specified with the variable @CUSTOM_CERTS_DIR@. The provision script will find it there. The certificate and its key need to be copied to a file named after @HOSTNAME_EXT@. For example, if @HOSTNAME_EXT@ is defined as @my-arvados.example.net@, the script will look for + + +
${CUSTOM_CERTS_DIR}/my-arvados.example.net.crt
+${CUSTOM_CERTS_DIR}/my-arvados.example.net.key
+
+
+ +All certificate files will be used by nginx. You may need to include intermediate certificates in your certificate file. See "the nginx documentation":http://nginx.org/en/docs/http/configuring_https_servers.html#chains for more details. diff --git a/doc/install/salt-multi-host.html.textile.liquid b/doc/install/salt-multi-host.html.textile.liquid index 5d871c4277..640883baab 100644 --- a/doc/install/salt-multi-host.html.textile.liquid +++ b/doc/install/salt-multi-host.html.textile.liquid @@ -10,33 +10,38 @@ SPDX-License-Identifier: CC-BY-SA-3.0 {% endcomment %} # "Introduction":#introduction -# "Hosts preparation":#hosts_preparation -## "Create a compute image":#create_a_compute_image -# "Multi host install using the provision.sh script":#multi_host -# "Choose the desired configuration":#choose_configuration -## "Multiple hosts / multiple hostnames":#multi_host_multi_hostnames -## "Further customization of the installation (modifying the salt pillars and states)":#further_customization +# "Prerequisites and planning":#prerequisites +# "Download the installer":#download +# "Copy the configuration files":#copy_config +# "Choose the SSL configuration":#certificates +## "Using a self-signed certificates":#self-signed +## "Using a Let's Encrypt certificates":#lets-encrypt +## "Bring your own certificates":#bring-your-own +# "Create a compute image":#create_a_compute_image +# "Further customization of the installation (modifying the salt pillars and states)":#further_customization # "Installation order":#installation_order # "Run the provision.sh script":#run_provision_script +# "Install the CA root certificate":#ca_root_certificate # "Initial user and login":#initial_user # "Test the installed cluster running a simple workflow":#test_install # "After the installation":#post_install h2(#introduction). Introduction -Arvados components can be installed in a distributed infrastructure, whether it is an "on-prem" with physical or virtual hosts, or a cloud environment. +This multi host installer is an AWS specific example that is generally useful, but will likely need to be adapted for your environment. The installer is highly configurable. -As infrastructures vary a great deal from site to site, these instructions should be considered more as 'guidelines' than fixed steps to follow. +h2(#prerequisites). Prerequisites and planning -We provide an "installer script":salt.html that can help you deploy the different Arvados components. At the time of writing, the provided examples are suitable to install Arvados on AWS. +Prerequisites: +* git +* a number of (virtual) machines for your Arvados cluster with at least 2 cores and 8 GiB of RAM, running a "supported Arvados distribution":{{site.baseurl}}/install/install-manual-prerequisites.html#supportedlinux +* a number of DNS hostnames that resolve to the IP addresses of your Arvados hosts +* ports 443 need to be reachable from your client (configurable in @local.params@, see below) +* port 80 needs to be reachable from everywhere on the internet (only when using "Let's Encrypt":#lets-encrypt without Route53 integration) +* SSL certificatse matching the hostnames in use (only when using "bring your own certificates":#bring-your-own) - -h2(#hosts_preparation). Hosts preparation - -In order to run Arvados on a multi-host installation, there are a few requirements that your infrastructure has to fulfill. - -These instructions explain how to setup a multi-host environment that is suitable for production use of Arvados. +Planning: We suggest distributing the Arvados components in the following way, creating at least 6 hosts: @@ -55,53 +60,32 @@ We suggest distributing the Arvados components in the following way, creating at # KEEPPROXY node: ## arvados keepproxy ## arvados keepweb -# KEEPSTOREs (at least 2) +# KEEPSTORE nodes (at least 2) ## arvados keepstore # SHELL node (optional): ## arvados shell -Note that these hosts can be virtual machines in your infrastructure and they don't need to be physical machines. - -Again, if your infrastructure differs from the setup proposed above (ie, using RDS or an existing DB server), remember that you will need to edit the configuration files for the scripts so they work with your infrastructure. - -h2(#multi_host). Multi host install using the provision.sh script - -{% include 'branchname' %} - -This is a package-based installation method. Start with the @provision.sh@ script which is available by cloning the @{{ branchname }}@ branch from "https://git.arvados.org/arvados.git":https://git.arvados.org/arvados.git . The @provision.sh@ script and its supporting files can be found in the "arvados/tools/salt-install":https://git.arvados.org/arvados.git/tree/refs/heads/{{ branchname }}:/tools/salt-install directory in the Arvados git repository. - -This procedure will install all the main Arvados components to get you up and running in a multi-host environment. +If your infrastructure differs from the setup proposed above (ie, using RDS or an existing DB server), remember that you will need to edit the configuration files for the scripts so they work with your infrastructure. -The @provision.sh@ script will help you deploy Arvados by preparing your environment to be able to run the installer, then running it. The actual installer is located at "arvados-formula":https://git.arvados.org/arvados-formula.git/tree/refs/heads/{{ branchname }} and will be cloned during the running of the @provision.sh@ script. The installer is built using "Saltstack":https://saltproject.io/ and @provision.sh@ performs the install using master-less mode. +h2(#download). Download the installer -After setting up a few variables in a config file (next step), you'll be ready to run it and get Arvados deployed. +{% include 'download_installer' %} -h3(#create_a_compute_image). Create a compute image - -In a multi-host installation, containers are dispatched in docker daemons running in the compute instances, which need some special setup. We provide a "compute image builder script":https://github.com/arvados/arvados/tree/main/tools/compute-images that you can use to build a template image following "these instructions":https://doc.arvados.org/main/install/crunch2-cloud/install-compute-node.html . Once you have that image created, you can use the image ID in the Arvados configuration in the next steps. - -h2(#choose_configuration). Choose the desired configuration - -For documentation's sake, we will use the cluster name arva2 and the domain arv.local. If you don't change them as required in the next steps, installation won't proceed. +h2(#copy_config). Copy the configuration files -We will try to provide a few Arvados' multi host installation configurations examples for different infrastructure providers. Currently only AWS is available but they can be used with almost any provider with little changes. - -You need to copy one of the example configuration files and directory, and edit them to suit your needs. - -h3(#multi_host_multi_hostnames). Multiple hosts / multiple hostnames
cp local.params.example.multiple_hosts local.params
 cp -r config_examples/multi_host/aws local_config_dir
 
-Edit the variables in the local.params file. Pay attention to the *_INT_IP, *_TOKEN and *KEY variables. Those variables will be used to do a search and replace on the pillars/* in place of any matching __VARIABLE__. +Edit the variables in the local.params file. Pay attention to the *_INT_IP, *_TOKEN and *_KEY variables. The *SSL_MODE* variable is discussed in the next section. -The multi_host example includes Let's Encrypt salt code to automatically request and install the certificates for the public-facing hosts (API/controller, Workbench, Keepproxy/Keepweb) using AWS' Route53. +{% include 'ssl_config_multi' %} -{% include 'multi_host_install_custom_certificates' %} +h3(#create_a_compute_image). Create a compute image -If you want to use valid certificates provided by Let's Encrypt, set the variable SSL_MODE=lets-encrypt and make sure that all the FQDNs that you will use for the public-facing applications (API/controller, Workbench, Keepproxy/Keepweb) are reachable. +In a multi-host installation, containers are dispatched in docker daemons running in the compute instances, which need some special setup. We provide a "compute image builder script":https://github.com/arvados/arvados/tree/main/tools/compute-images that you can use to build a template image following "these instructions":https://doc.arvados.org/main/install/crunch2-cloud/install-compute-node.html. Once you have that image created, you will need to update the pillars/arvados.sls file with the AMI ID and the private ssh key for the dispatcher. h3(#further_customization). Further customization of the installation (modifying the salt pillars and states) @@ -181,6 +165,8 @@ ssh user@host sudo ./provision.sh --config local.params --roles shell +{% include 'install_ca_cert' %} + h2(#initial_user). Initial user and login At this point you should be able to log into the Arvados cluster. The initial URL will be: diff --git a/doc/install/salt-single-host.html.textile.liquid b/doc/install/salt-single-host.html.textile.liquid index 4b13dcc11e..d436e5cdd7 100644 --- a/doc/install/salt-single-host.html.textile.liquid +++ b/doc/install/salt-single-host.html.textile.liquid @@ -11,7 +11,8 @@ SPDX-License-Identifier: CC-BY-SA-3.0 # "Limitations of the single host install":#limitations # "Prerequisites":#prerequisites -# "Download the installer":#single_host +# "Download the installer":#download +# "Copy the configuration files":#copy_config # "Choose the SSL configuration":#certificates ## "Using a self-signed certificate":#self-signed ## "Using a Let's Encrypt certificate":#lets-encrypt @@ -35,9 +36,7 @@ Using the default configuration, this installation method has a number of limita It is possible to start with the single host installation method and modify the Arvados configuration file later to address these limitations. E.g. switch to a "different storage volume setup":{{site.baseurl}}/install/configure-s3-object-storage.html for Keep, and switch to "the cloud dispatcher":{{site.baseurl}}/install/crunch2-cloud/install-dispatch-cloud.html to provision compute resources dynamically. -h2(#prerequisites). Prerequisites and planning - -Prerequisites: +h2(#prerequisites). Prerequisites * git * a dedicated (virtual) machine for your Arvados server with at least 2 cores and 8 GiB of RAM, running a "supported Arvados distribution":{{site.baseurl}}/install/install-manual-prerequisites.html#supportedlinux @@ -46,24 +45,11 @@ Prerequisites: * port 80 needs to be reachable from everywhere on the internet (only when using "Let's Encrypt":#lets-encrypt) * an SSL certificate matching the hostname in use (only when using "bring your own certificate":#bring-your-own) -h2(#single_host). Download the installer - -{% include 'branchname' %} - -This procedure will install all the main Arvados components to get you up and running in a single host. - -This is a package-based installation method, however the installation script is currently distributed in source form via @git@: - - -
git clone https://git.arvados.org/arvados.git
-git checkout {{ branchname }}
-cd arvados/tools/salt-install
-
-
+h2(#download). Download the installer -The @provision.sh@ script will help you deploy Arvados by preparing your environment to be able to run the installer, then running it. The actual installer is located in the "arvados-formula git repository":https://git.arvados.org/arvados-formula.git/tree/refs/heads/{{ branchname }} and will be cloned during the running of the @provision.sh@ script. The installer is built using "Saltstack":https://saltproject.io/ and @provision.sh@ performs the install using master-less mode. +{% include 'download_installer' %} -First, copy the configuration files: +h2(#copy_config). Copy the configuration files
cp local.params.example.single_host_single_hostname local.params
@@ -71,58 +57,9 @@ cp -r config_examples/single_host/single_hostname local_config_dir
 
-Edit the variables in the local.params file. Pay attention to the *_PORT, *_TOKEN and *KEY variables. The *SSL_MODE* variable is discussed in the next section. - -h2(#certificates). Choose the SSL configuration (SSL_MODE) - -Arvados requires an SSL certificate to work correctly. This installer supports these options: - -* @self-signed@: let the installer create a self-signed certificate -* @lets-encrypt@: automatically obtain and install an SSL certificate for your hostname -* @bring-your-own@: supply your own certificate in the `certs` directory - -h3(#self-signed). Using a self-signed certificate - -In the default configuration, this installer uses self-signed certificate(s): - - -
SSL_MODE="self-signed"
-
-
- -When connecting to the Arvados web interface for the first time, you will need to accept the self-signed certificate as trusted to bypass the browser warnings. - -h3(#lets-encrypt). Using a Let's Encrypt certificate - -To automatically get a valid certificate via Let's Encrypt, change the configuration like this: - - -
SSL_MODE="lets-encrypt"
-
-
- -The hostname for your Arvados cluster must be defined in @HOSTNAME_EXT@ and resolve to the public IP address of your Arvados instance, so that Let's Encrypt can validate the domainname ownership and issue the certificate. - -When using AWS, EC2 instances can have a default hostname that ends with amazonaws.com. Let's Encrypt has a blacklist of domain names for which it will not issue certificates, and that blacklist includes the amazonaws.com domain, which means the default hostname can not be used to get a certificate from Let's Encrypt. - -h3(#bring-your-own). Bring your own certificate +Edit the variables in the local.params file. Pay attention to the *_PORT, *_TOKEN and *_KEY variables. The *SSL_MODE* variable is discussed in the next section. -To supply your own certificate, change the configuration like this: - - -
SSL_MODE="bring-your-own"
-
-
- -Copy your certificate files to the directory specified with the variable @CUSTOM_CERTS_DIR@. The provision script will find it there. The certificate and its key need to be copied to a file named after @HOSTNAME_EXT@. For example, if @HOSTNAME_EXT@ is defined as @my-arvados.example.net@, the script will look for - - -
${CUSTOM_CERTS_DIR}/my-arvados.example.net.crt
-${CUSTOM_CERTS_DIR}/my-arvados.example.net.key
-
-
- -All certificate files will be used by nginx. You may need to include intermediate certificates in your certificate file. See "the nginx documentation":http://nginx.org/en/docs/http/configuring_https_servers.html#chains for more details. +{% include 'ssl_config' %} h2(#further_customization). Further customization of the installation (modifying the salt pillars and states) @@ -148,38 +85,7 @@ arvados: Failed: 0 -h2(#ca_root_certificate). Install the CA root certificate (SSL_MODE=self-signed only) - -Arvados uses SSL to encrypt communications. The web interface uses AJAX which will silently fail if the certificate is not valid or signed by an unknown Certification Authority. - -For this reason, the @arvados-formula@ has a helper state to create a root certificate to authorize Arvados services. The @provision.sh@ script will leave a copy of the generated CA's certificate (@arvados-snakeoil-ca.pem@) in the script's directory so you can add it to your workstation. - -Installing the root certificate into your web browser will prevent security errors when accessing Arvados services with your web browser. - -# Go to the certificate manager in your browser. -#* In Chrome, this can be found under "Settings → Advanced → Manage Certificates" or by entering @chrome://settings/certificates@ in the URL bar. -#* In Firefox, this can be found under "Preferences → Privacy & Security" or entering @about:preferences#privacy@ in the URL bar and then choosing "View Certificates...". -# Select the "Authorities" tab, then press the "Import" button. Choose @arvados-snakeoil-ca.pem@ - -The certificate will be added under the "Arvados Formula". - -To access your Arvados instance using command line clients (such as arv-get and arv-put) without security errors, install the certificate into the OS certificate storage. - -* On Debian/Ubuntu: - - -
cp arvados-root-cert.pem /usr/local/share/ca-certificates/
-/usr/sbin/update-ca-certificates
-
-
- -* On CentOS: - - -
cp arvados-root-cert.pem /etc/pki/ca-trust/source/anchors/
-/usr/bin/update-ca-trust
-
-
+{% include 'install_ca_cert' %} h2(#initial_user). Initial user and login -- 2.30.2