From 9e5bb48b50f1ccfaab1939d6016f1b21b0802334 Mon Sep 17 00:00:00 2001 From: Peter Amstutz Date: Fri, 23 Sep 2022 15:34:32 -0400 Subject: [PATCH] 19215: Install doc update work in progress checkpoint Arvados-DCO-1.1-Signed-off-by: Peter Amstutz --- doc/_config.yml | 10 +- doc/_includes/_install_ca_cert.liquid | 45 +++-- ...ti_host_install_custom_certificates.liquid | 20 ++- ...install-dispatch-cloud.html.textile.liquid | 22 ++- doc/install/index.html.textile.liquid | 17 +- ...l-manual-prerequisites.html.textile.liquid | 18 +- .../salt-multi-host.html.textile.liquid | 160 +++++------------- ...params.example.single_host_single_hostname | 8 +- tools/salt-install/provision.sh | 14 +- 9 files changed, 143 insertions(+), 171 deletions(-) diff --git a/doc/_config.yml b/doc/_config.yml index 148e1a166e..56ae1bf191 100644 --- a/doc/_config.yml +++ b/doc/_config.yml @@ -209,13 +209,13 @@ navbar: - install/index.html.textile.liquid - Docker quick start: - install/arvbox.html.textile.liquid - - Installation with Salt: + - Arvados Installer: - install/salt-single-host.html.textile.liquid - install/salt-multi-host.html.textile.liquid - - Arvados on Kubernetes: - - install/arvados-on-kubernetes.html.textile.liquid - - install/arvados-on-kubernetes-minikube.html.textile.liquid - - install/arvados-on-kubernetes-GKE.html.textile.liquid +# - Arvados on Kubernetes: +# - install/arvados-on-kubernetes.html.textile.liquid +# - install/arvados-on-kubernetes-minikube.html.textile.liquid +# - install/arvados-on-kubernetes-GKE.html.textile.liquid - Manual installation: - install/install-manual-prerequisites.html.textile.liquid - install/packages.html.textile.liquid diff --git a/doc/_includes/_install_ca_cert.liquid b/doc/_includes/_install_ca_cert.liquid index 35d5826de0..0be6df4301 100644 --- a/doc/_includes/_install_ca_cert.liquid +++ b/doc/_includes/_install_ca_cert.liquid 
@@ -10,29 +10,54 @@ Arvados uses SSL to encrypt communications. The web interface uses AJAX which wi For this reason, the @arvados-formula@ has a helper state to create a root certificate to authorize Arvados services. The @provision.sh@ script will leave a copy of the generated CA's certificate (@arvados-snakeoil-ca.pem@) in the script's directory so you can add it to your workstation. +h3. Web Browser + Installing the root certificate into your web browser will prevent security errors when accessing Arvados services with your web browser. -# Go to the certificate manager in your browser. -#* In Chrome, this can be found under "Settings → Advanced → Manage Certificates" or by entering @chrome://settings/certificates@ in the URL bar. -#* In Firefox, this can be found under "Preferences → Privacy & Security" or entering @about:preferences#privacy@ in the URL bar and then choosing "View Certificates...". -# Select the "Authorities" tab, then press the "Import" button. Choose @arvados-snakeoil-ca.pem@ +h4. Chrome + +# Go to "Settings → Privacy and Security → Security → Manage Certificates" or enter @chrome://settings/certificates@ in the URL bar. +# *Click on the "Authorities" tab* (it is not selected by default) +# Click on the "Import" button +# Choose @arvados-snakeoil-ca.pem@ +# Tick the checkbox next to "Trust this certificate for identifying websites" +# Hit OK +# The certificate should appear in the list of Authorities under "Arvados" + +h4. Firefox + +# Go to "Preferences → Privacy & Security" or enter @about:preferences#privacy@ in the URL bar +# Scroll down to the *Certificates* section +# Click on the button "View Certificates...". +# Make sure the "Authorities" tab is selected +# Press the "Import..." button. +# Choose @arvados-snakeoil-ca.pem@ +# Tick the checkbox next to "Trust this CA to identify websites" +# Hit OK +# The certificate should appear in the list of Authorities under "Arvados" + +h4. 
Other browsers (Safari, etc) + +The process will be similar to that of Chrome and Firefox, but the exact user interface will be different. If you can't figure it out, try searching for "how do I install a custom certificate authority in ". + +h3. Installation on Linux OS certificate storage -The certificate will be added under the "Arvados Formula". +To access your Arvados instance using command line clients (such as @arv-get@ and @arv-put@) without security errors, install the certificate into the OS certificate storage. -To access your Arvados instance using command line clients (such as arv-get and arv-put) without security errors, install the certificate into the OS certificate storage. +h4. Debian/Ubuntu -* On Debian/Ubuntu: +*Important* the certificate file added to @ca-certificates@ must have the extension @.crt@ or it won't be recognized. -
cp arvados-root-cert.pem /usr/local/share/ca-certificates/
+
cp arvados-snakeoil-ca.pem /usr/local/share/ca-certificates/arvados-snakeoil-ca.crt
 /usr/sbin/update-ca-certificates
 
-* On CentOS: +h4. CentOS -
cp arvados-root-cert.pem /etc/pki/ca-trust/source/anchors/
+
cp arvados-snakeoil-ca.pem /etc/pki/ca-trust/source/anchors/
 /usr/bin/update-ca-trust
 
diff --git a/doc/_includes/_multi_host_install_custom_certificates.liquid b/doc/_includes/_multi_host_install_custom_certificates.liquid index 7672372af2..40d24449f0 100644 --- a/doc/_includes/_multi_host_install_custom_certificates.liquid +++ b/doc/_includes/_multi_host_install_custom_certificates.liquid @@ -4,6 +4,18 @@ Copyright (C) The Arvados Authors. All rights reserved. SPDX-License-Identifier: CC-BY-SA-3.0 {% endcomment %} +You will need certificates for each DNS name and DNS wildcard previously described in the "Hosts":#hosts . + +To simplify certificate management, we recommend creating a single certificate with all of the hostnames, or creating a wildcard certificate that covers all possible hostnames (with the following patterns in subjectAltName): + +
+xarv1.example.com
+*.xarv1.example.com
+*.collections.xarv1.example.com
+
+ +(Replacing xarv1 with your own ${CLUSTER}.${DOMAIN}) + Copy your certificates to the directory specified with the variable @CUSTOM_CERTS_DIR@ in the remote directory where you copied the @provision.sh@ script. The provision script will find the certificates there. The script expects cert/key files with these basenames (matching the role except for keepweb, which is split in both download / collections): @@ -27,4 +39,10 @@ ${CUSTOM_CERTS_DIR}/keepproxy.key Make sure that all the FQDNs that you will use for the public-facing applications (API/controller, Workbench, Keepproxy/Keepweb) are reachable. -It may be easier to create a single certificate wh \ No newline at end of file +Note: because the installer currently looks for a different certificate file for each service, if you use a single certificate, we recommend creating a symlink for each certificate and key file to the primary certificate and key, e.g. + + +
ln -s xarv1.crt ${CUSTOM_CERTS_DIR}/keepproxy.crt
+ln -s xarv1.key ${CUSTOM_CERTS_DIR}/keepproxy.key
+
+
diff --git a/doc/install/crunch2-cloud/install-dispatch-cloud.html.textile.liquid b/doc/install/crunch2-cloud/install-dispatch-cloud.html.textile.liquid index 2a7e105905..779071d4ae 100644 --- a/doc/install/crunch2-cloud/install-dispatch-cloud.html.textile.liquid +++ b/doc/install/crunch2-cloud/install-dispatch-cloud.html.textile.liquid @@ -130,6 +130,8 @@ The ImageID value is the compute node image that
+h3(#IAM). Example IAM policy + Example policy for the IAM role used by the cloud dispatcher: @@ -141,13 +143,19 @@ Example policy for the IAM role used by the cloud dispatcher: { "Effect": "Allow", "Action": [ - "iam:PassRole", - "ec2:DescribeKeyPairs", - "ec2:ImportKeyPair", - "ec2:RunInstances", - "ec2:DescribeInstances", - "ec2:CreateTags", - "ec2:TerminateInstances" + "ec2:CreateTags", + "ec2:Describe*", + "ec2:CreateImage", + "ec2:CreateKeyPair", + "ec2:ImportKeyPair", + "ec2:DeleteKeyPair", + "ec2:RunInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "ec2:ModifyInstanceAttribute", + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "iam:PassRole" ], "Resource": "*" } diff --git a/doc/install/index.html.textile.liquid b/doc/install/index.html.textile.liquid index 2bd9710f7e..eebc0ab7d3 100644 --- a/doc/install/index.html.textile.liquid +++ b/doc/install/index.html.textile.liquid @@ -20,15 +20,12 @@ Arvados components can be installed and configured in a number of different ways
table(table table-bordered table-condensed). |||\5=. Appropriate for| -||_. Setup difficulty|_. Multiuser/networked access|_. Workflow Development and Testing|_. Large Scale Production|_. Development of Arvados|_. Arvados Evaluation| -|"Arvados-in-a-box":arvbox.html (arvbox)|Easy|no|yes|no|yes|yes| -|"Installation with Salt":salt-single-host.html (single host)|Easy|no|yes|no|yes|yes| -|"Installation with Salt":salt-multi-host.html (multi host)|Moderate|yes|yes|yes|yes|yes| -|"Arvados on Kubernetes":arvados-on-kubernetes.html|Easy ^1^|yes|yes ^2^|no ^2^|no|yes| -|"Manual installation":install-manual-prerequisites.html|Hard|yes|yes|yes|no|no| -|"Cluster Operation Subscription supported by Curii":mailto:info@curii.com|N/A ^3^|yes|yes|yes|yes|yes| +||_. Setup difficulty|_. Arvados Evaluation|_. Workflow Development|_. Production at Scale| +|"Arvados-in-a-box":arvbox.html (arvbox)|Easy|yes|limited|no| +|"Arados Installer":salt-single-host.html (single host)|Easy|yes|limited|no| +|"Arados Installer":salt-multi-host.html (multi host)|Moderate|yes|yes|yes| +|"Manual installation":install-manual-prerequisites.html|Difficult|yes|yes|yes| +|"Cluster Operation Subscription supported by Curii":https://curii.com|N/A ^1^|yes|yes|yes|
-* ^1^ Assumes a Kubernetes cluster is available -* ^2^ Arvados on Kubernetes is under development and not yet ready for production use -* ^3^ No user installation necessary, Curii run and managed +* ^1^ No user installation necessary, Curii run and managed diff --git a/doc/install/install-manual-prerequisites.html.textile.liquid b/doc/install/install-manual-prerequisites.html.textile.liquid index 21b3871e01..784d712f1e 100644 --- a/doc/install/install-manual-prerequisites.html.textile.liquid +++ b/doc/install/install-manual-prerequisites.html.textile.liquid @@ -24,24 +24,10 @@ The Arvados storage subsystem is called "keep". The compute subsystem is called # "Arvados Cluster ID":#clusterid # "DNS and TLS":#dnstls + h2(#supportedlinux). Supported GNU/Linux distributions -table(table table-bordered table-condensed). -|_. Distribution|_. State|_. Last supported Arvados version| -|CentOS 7|Supported|Latest| -|Debian 11 ("bullseye")|Supported|Latest| -|Debian 10 ("buster")|Supported|Latest| -|Ubuntu 20.04 ("focal")|Supported|Latest| -|Ubuntu 18.04 ("bionic")|Supported|Latest| -|Ubuntu 16.04 ("xenial")|EOL|2.1.2| -|Debian 9 ("stretch")|EOL|2.1.2| -|Debian 8 ("jessie")|EOL|1.4.3| -|Ubuntu 14.04 ("trusty")|EOL|1.4.3| -|Ubuntu 12.04 ("precise")|EOL|8ed7b6dd5d4df93a3f37096afe6d6f81c2a7ef6e (2017-05-03)| -|Debian 7 ("wheezy")|EOL|997479d1408139e96ecdb42a60b4f727f814f6c9 (2016-12-28)| -|CentOS 6 |EOL|997479d1408139e96ecdb42a60b4f727f814f6c9 (2016-12-28)| - -Arvados packages are published for current Debian releases (until the EOL date), current Ubuntu LTS releases (until the end of standard support), and the latest version of CentOS. +{% include 'supportedlinux' %} h2(#components). Choosing which components to install diff --git a/doc/install/salt-multi-host.html.textile.liquid b/doc/install/salt-multi-host.html.textile.liquid index 1a70d46ef8..4be657f1e7 100644 --- a/doc/install/salt-multi-host.html.textile.liquid +++ b/doc/install/salt-multi-host.html.textile.liquid 
@@ -11,23 +11,29 @@ SPDX-License-Identifier: CC-BY-SA-3.0 # "Introduction":#introduction # "Prerequisites and planning":#prerequisites +# "Hosts":#hosts # "Download the installer":#download # "Initialize the installer":#copy_config +# "Edit local.params":#localparams +# "Configure Keep storage":#keep # "Choose the SSL configuration":#certificates ## "Using a self-signed certificates":#self-signed ## "Using a Let's Encrypt certificates":#lets-encrypt ## "Bring your own certificates":#bring-your-own # "Create a compute image":#create_a_compute_image -# "Further customization of the installation (modifying the salt pillars and states)":#further_customization +# "Further customization of the installation":#further_customization # "Begin installation":#installation +## "Run diagnostics to confirming the cluster is working":#test-install +## "Debugging issues":#debugging +## "Iterating on config changes":#iterating +## "Common problems and solutions":#common-problems # "Install the CA root certificate":#ca_root_certificate # "Initial user and login":#initial_user -# "Test the installed cluster running a simple workflow":#test_install # "After the installation":#post_install h2(#introduction). Introduction -This multi host installer is the recommendend way to set up a production Arvados cluster. These instructions include speciic details for installing on Amazon Web Services (AWS), which are marked as "AWS specific". However with additional customization the installer can be used as a template for deployment on other cloud provider or HPC systems. +This multi host installer is the recommendend way to set up a production Arvados cluster. These instructions include specific details for installing on Amazon Web Services (AWS), which are marked as "AWS specific". However with additional customization the installer can be used as a template for deployment on other cloud provider or HPC systems. h2(#prerequisites). Prerequisites and planning 
@@ -55,9 +61,15 @@ We recommend "creating an S3 bucket":https://docs.aws.amazon.com/AmazonS3/latest Then create an IAM role called @${CLUSTER}-keepstore-00-iam-role@ which has "permission to read and write the bucket":https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html -h3. Machines +h3. Other IAM Roles (AWS specific) -You will need to allocate (virtual) machines for the fixed infrastructure of the Arvados cluster. These machines should have at least 2 cores and 8 GiB of RAM, running a "supported Arvados distribution":{{site.baseurl}}/install/install-manual-prerequisites.html#supportedlinux + + +h2(#hosts). Hosts + +You will need to allocate several hosts (physical or virtual machines) for the fixed infrastructure of the Arvados cluster. These machines should have at least 2 cores and 8 GiB of RAM, running a supported Linux distribution. + +{% include 'supportedlinux' %} Allocate these as appropriate for your site. On AWS you may choose to do it manually with the AWS console, or using a DevOps tool such as CloudFormation or Terraform. @@ -101,7 +113,7 @@ Additional prerequisites when preparing machines to run the installer: ## @webshell.${CLUSTER}.${DOMAIN}@ ## @shell.${CLUSTER}.${DOMAIN}@ -(AWS specific) The machine that runs the arvados cloud dispatcher will need an "IAM role that allows it to create EC2 instances, see here for details .":https://doc.arvados.org/v2.4/install/crunch2-cloud/install-dispatch-cloud.html +(AWS specific) The machine that runs the arvados cloud dispatcher will need an "IAM role that allows it to create EC2 instances, see here for details .":https://doc.arvados.org/v2.4/install/crunch2-cloud/install-dispatch-cloud.html#IAM If your infrastructure differs from the setup proposed above (ie, different hostnames, or using AWS RDS or an existing DB server), you can still use the installer, but additional customization will be necessary. 
@@ -111,16 +123,16 @@ h2(#download). Download the installer {% assign config_examples_src = 'multi_host/aws'%} {% include 'download_installer' %} -h2. Edit @local.params@ +h2(#localparams). Edit @local.params@ This can be found wherever you choose to initialize the install files (@~/setup-arvados-xarv1@ in these examples). # Set @CLUSTER@ to the 5-character cluster identifier (e.g "xarv1") # Set @DOMAIN@ to the base DNS domain of the environment, e.g. "example.com" # Edit Internal IP settings. Since services share hosts, some hosts are the same. -# Edit @CLUSTER_INT_CIDR@, this should be the CIDR of the private network that Arvados is running on, e.g. the VPC - AWS Specific: Go to the AWS console and into the VPC service, there is a column in - this table view of the VPCs that gives the CIDR for the VPC (IPv4 CIDR). +# Edit @CLUSTER_INT_CIDR@, this should be the CIDR of the private network that Arvados is running on, e.g. the VPC. +CIDR stands for "Classless Inter-Domain Routing" and describes which portion of the IP address that refers to the network. For example 192.168.3.0/24 means that the first 24 bits are the network (192.168.3) and the last 8 bits are a specific host on that network. +_AWS Specific: Go to the AWS console and into the VPC service, there is a column in this table view of the VPCs that gives the CIDR for the VPC (IPv4 CIDR)._ # Set @INITIAL_USER_EMAIL@ to your email address, as you will be the first admin user of the system. # Set each @KEY@ / @TOKEN@ to a random string Here's an easy way to create five random tokens: @@ -134,13 +146,19 @@ done With backslash quoting the special characters it should appear like this in local.params:
DATABASE_PASSWORD="Cq\&WU\
-{% include 'ssl_config_multi' %} +h2(#keep). Configure Keep storage -h2(#create_a_compute_image). Configure Keep on S3 (AWS specific) +The @multi_host/aws@ template uses S3 for storage. Arvados also supports "filesystem storage":configure-fs-storage.html and "Azure blob storage":configure-azure-blob-storage.html . Keep storage configuration can be found in @local_config_dir/pillars/arvados.sls@ in the section @arvados.cluster.Volumes@. -Once you have that image created, Open @local_config_dir/pillars/arvados.sls@ and edit as follows: +h3. Object storage in S3 (AWS Specific) -1. In the @arvados.cluster.Volumes@ section, set @Region@ to the appropriate AWS region (e.g. 'us-east-1') +Open @local_config_dir/pillars/arvados.sls@ and edit as follows: + +# In the @arvados.cluster.Volumes@ section, set @Region@ to the appropriate AWS region (e.g. 'us-east-1') +# Set @IAMRole@ to the name of the `KeepstoreRole` generated by CloudFormation. Just use the part after the '/' (not the arn:aws:iam.... stuff at the beginning). +# Set @Bucket@ to the value of `KeepBucket1` + +{% include 'ssl_config_multi' %} h2(#create_a_compute_image). Create a compute image @@ -181,6 +199,8 @@ Run this in ~/arvados-setup-xarv1: This will deploy all the nodes. It will take a while and produce a lot of logging. If it runs into an error, it will stop. +h3(#test-install). Run diagnostics to confirming the cluster is working + When everything has finished, you can run the diagnostics. Depending on where you are running the installer, you need to provide @-internal-client@ or @-external-client@. @@ -193,7 +213,7 @@ You are an "external client" if you running the diagnostics from your workstatio ./installer.sh diagnostics (-internal-client|-external-client)
-h3. Diagnosing issues +h3(#debugging). Debugging issues Most service logs go to @/var/log/syslog@ @@ -213,15 +233,21 @@ You can iterate on the config and maintain the cluster by making changes to @loc If you are debugging a configuration issue on a specific node, you can speed up the cycle a bit by deploying just one node: -@installer.sh deploy keep0.xarv1.example.com@ +
+./installer.sh deploy keep0.xarv1.example.com@
+
However, once you have a final configuration, you should run a full deploy to ensure that the configuration has been synchronized on all the nodes. -h3. Common problems and solutions +h3(#common-problems). Common problems and solutions + +h4. Missing ENA support (AWS Specific) + +If the AMI wasn't built with ENA (extended networking) support and the instance type requires it, it'll fail to start. You'll see an error in syslog on the node that runs @arvados-dispatch-cloud@. The solution is to build a new AMI with --aws-ena-support true -* (AWS Specific) If the AMI wasn't built with ENA (extended networking) support and the instance type requires it, it'll fail to start. You'll see an error in syslog on the node that runs @arvados-dispatch-cloud@. The solution is to build a new AMI with --aws-ena-support true +h4. PG::UndefinedTable: ERROR: relation \"api_clients\" does not exist -* The arvados-api-server package sets up the database as a post-install script. If the database host or password wasn't set correctly (or quoted correctly) at the time that package is installed, it won't be able to set up the database. +The arvados-api-server package sets up the database as a post-install script. If the database host or password wasn't set correctly (or quoted correctly) at the time that package is installed, it won't be able to set up the database. This will manifest as an error like this: @@ -232,14 +258,14 @@ This will manifest as an error like this: If this happens, you need to 1. correct the database information -2. run "installer.sh deploy xngs2.rdcloud.bms.com" to update the configuration on the API/controller node +2. run @./installer.sh deploy xarv1.example.com@ to update the configuration on the API/controller node 3. On the API/controller server node, run this command to re-run the post-install script, which will set up the database:
 dpkg-reconfigure arvados-api-server
 
-4. Re-run 'installer.sh deploy' again to synchronize everything, and so that the install steps that need to contact the API server are run successfully. +4. Re-run @./installer.sh deploy@ again to synchronize everything, and so that the install steps that need to contact the API server are run successfully. {% include 'install_ca_cert' %} @@ -257,98 +283,6 @@ Assuming you didn't change these values in the @local.params@ file, the initial * Password: 'password' * Email: 'admin@${CLUSTER}.${DOMAIN}' -h2(#test_install). Test the installed cluster running a simple workflow - -As part of the installation, the @provision.sh@ script saves a simple example test workflow in the @/tmp/cluster_tests@ directory in the @shell@ node. If you want to run it, just ssh to the node, then run: - - -
cd /tmp/cluster_tests
-sudo /run-test.sh
-
-
- -It will create a test user (by default, the same one as the admin user), upload a small workflow and run it. If everything goes OK, the output should similar to this (some output was shortened for clarity): - - -
Creating Arvados Standard Docker Images project
-Arvados project uuid is 'arva2-j7d0g-0prd8cjlk6kfl7y'
-{
- ...
- "uuid":"arva2-o0j2j-n4zu4cak5iifq2a",
- "owner_uuid":"arva2-tpzed-000000000000000",
- ...
-}
-Uploading arvados/jobs' docker image to the project
-2.1.1: Pulling from arvados/jobs
-8559a31e96f4: Pulling fs layer
-...
-Status: Downloaded newer image for arvados/jobs:2.1.1
-docker.io/arvados/jobs:2.1.1
-2020-11-23 21:43:39 arvados.arv_put[32678] INFO: Creating new cache file at /home/vagrant/.cache/arvados/arv-put/c59256eda1829281424c80f588c7cc4d
-2020-11-23 21:43:46 arvados.arv_put[32678] INFO: Collection saved as 'Docker image arvados jobs:2.1.1 sha256:0dd50'
-arva2-4zz18-1u5pvbld7cvxuy2
-Creating initial user ('admin')
-Setting up user ('admin')
-{
- "items":[
-  {
-   ...
-   "owner_uuid":"arva2-tpzed-000000000000000",
-   ...
-   "uuid":"arva2-o0j2j-1ownrdne0ok9iox"
-  },
-  {
-   ...
-   "owner_uuid":"arva2-tpzed-000000000000000",
-   ...
-   "uuid":"arva2-o0j2j-1zbeyhcwxc1tvb7"
-  },
-  {
-   ...
-   "email":"admin@arva2.arv.local",
-   ...
-   "owner_uuid":"arva2-tpzed-000000000000000",
-   ...
-   "username":"admin",
-   "uuid":"arva2-tpzed-3wrm93zmzpshrq2",
-   ...
-  }
- ],
- "kind":"arvados#HashList"
-}
-Activating user 'admin'
-{
- ...
- "email":"admin@arva2.arv.local",
- ...
- "username":"admin",
- "uuid":"arva2-tpzed-3wrm93zmzpshrq2",
- ...
-}
-Running test CWL workflow
-INFO /usr/bin/cwl-runner 2.1.1, arvados-python-client 2.1.1, cwltool 3.0.20200807132242
-INFO Resolved 'hasher-workflow.cwl' to 'file:///tmp/cluster_tests/hasher-workflow.cwl'
-...
-INFO Using cluster arva2 (https://arva2.arv.local:8443/)
-INFO Upload local files: "test.txt"
-INFO Uploaded to ea34d971b71d5536b4f6b7d6c69dc7f6+50 (arva2-4zz18-c8uvwqdry4r8jao)
-INFO Using collection cache size 256 MiB
-INFO [container hasher-workflow.cwl] submitted container_request arva2-xvhdp-v1bkywd58gyocwm
-INFO [container hasher-workflow.cwl] arva2-xvhdp-v1bkywd58gyocwm is Final
-INFO Overall process status is success
-INFO Final output collection d6c69a88147dde9d52a418d50ef788df+123
-{
-    "hasher_out": {
-        "basename": "hasher3.md5sum.txt",
-        "class": "File",
-        "location": "keep:d6c69a88147dde9d52a418d50ef788df+123/hasher3.md5sum.txt",
-        "size": 95
-    }
-}
-INFO Final process status is success
-
-
- h2(#post_install). After the installation As part of the operation of @installer.sh@, it automatically creates a @git@ repository with your configuration templates. You should retain this repository but be aware that it contains sensitive information (passwords and tokens used by the Arvados services). diff --git a/tools/salt-install/local.params.example.single_host_single_hostname b/tools/salt-install/local.params.example.single_host_single_hostname index 0a9965426b..1c72446a29 100644 --- a/tools/salt-install/local.params.example.single_host_single_hostname +++ b/tools/salt-install/local.params.example.single_host_single_hostname @@ -22,9 +22,11 @@ NODES=( [localhost]=database,api,controller,websocket,dispatcher,keepbalance,keepstore,keepproxy,keepweb,workbench,workbench2,webshell,shell ) -# Set this value when installing a cluster in a single host with a single -# hostname to access all the instances. HOSTNAME_EXT should be set to the -# external hostname for the instance. +# HOSTNAME_EXT must be set to the address that users will use to +# connect to the instance (e.g. what they will type into the URL bar +# of the browser to get to workbench). If you haven't given the +# instance a working DNS name, you might need to use an IP address +# here. HOSTNAME_EXT="hostname_ext_fixme_or_this_wont_work" # The internal IP address for the host. diff --git a/tools/salt-install/provision.sh b/tools/salt-install/provision.sh index 4f9c209ef0..74bc16493f 100755 --- a/tools/salt-install/provision.sh +++ b/tools/salt-install/provision.sh 
@@ -840,17 +840,19 @@ if [ -d /etc/cloud/cloud.cfg.d ]; then fi # Leave a copy of the Arvados CA so the user can copy it where it's required -if [ "$DEV_MODE" = "yes" ]; then - echo "Copying the Arvados CA certificate to the installer dir, so you can import it" - # If running in a vagrant VM, also add default user to docker group +if [ "${SSL_MODE}" = "self-signed" ]; then + echo "Copying the Arvados CA certificate '${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt' to the installer dir, so you can import it" if [ "x${VAGRANT}" = "xyes" ]; then cp /etc/ssl/certs/arvados-snakeoil-ca.pem /vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem + else + cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt + fi +fi +if [ "x${VAGRANT}" = "xyes" ]; then + # If running in a vagrant VM, also add default user to docker group echo "Adding the vagrant user to the docker group" usermod -a -G docker vagrant - else - cp /etc/ssl/certs/arvados-snakeoil-ca.pem ${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem - fi fi # Test that the installation finished correctly -- 2.30.2
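Review bot: The new `echo` announces `${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt`, but the Vagrant branch still copies the CA to `/vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.pem`, so in a Vagrant VM the message names a file that is never written. The updated `_install_ca_cert.liquid` in this same patch also still tells users to `cp arvados-snakeoil-ca.pem …`, a third name. Because this is the file users import as a trust anchor, its name should be unambiguous: use one extension in both branches, e.g. `cp /etc/ssl/certs/arvados-snakeoil-ca.pem "/vagrant/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt"`. Quote the non-Vagrant destination the same way, `"${SCRIPT_DIR}/${CLUSTER}.${DOMAIN}-arvados-snakeoil-ca.crt"`, so a `SCRIPT_DIR` containing spaces does not word-split. Neither `cp` is checked in the hunk, so unless the script runs under `set -e` (not visible here) a failed copy is reported only by `cp`'s own stderr after the "Copying…" message has already been printed.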