[ARVADOS] created: 157a17462d308d94c68bcdaa4dab055c0e5ccbe8
git at public.curoverse.com
git at public.curoverse.com
Thu Jul 30 13:22:45 EDT 2015
at 157a17462d308d94c68bcdaa4dab055c0e5ccbe8 (commit)
commit 157a17462d308d94c68bcdaa4dab055c0e5ccbe8
Author: Peter Amstutz <peter.amstutz at curoverse.com>
Date: Thu Jul 30 13:23:27 2015 -0400
6590: Reorganize application.default.yml. Improve documentation for essential
API server configuration. Remove obsolete hardcoded api tokens setting.
diff --git a/doc/install/install-api-server.html.textile.liquid b/doc/install/install-api-server.html.textile.liquid
index 0503609..4b684ed 100644
--- a/doc/install/install-api-server.html.textile.liquid
+++ b/doc/install/install-api-server.html.textile.liquid
@@ -82,64 +82,111 @@ h2. Configure the database connection
Edit @/etc/arvados/api/database.yml@ and replace the @xxxxxxxx@ database password placeholders with the PostgreSQL password you generated above.
-h2. Configure the API server
+h2(#configure_application). Configure the API server
-Edit @/etc/arvados/api/application.yml@ following the instructions below. The deployment script will consistently deploy this to the API server's configuration directory. The API server reads both @application.yml@ and its own @config/application.default.yml@ file. Values in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml at . The @config/application.yml.example@ file is not read by the API server and is provided for installation convenience only.
+Edit @/etc/arvados/api/application.yml@ and to configure the settings described in the following sections. The deployment script will consistently deploy this to the API server's configuration directory. The API server reads both @application.yml@ and its own @config/application.default.yml@ file. The settings in @application.yml@ take precedence over the defaults that are defined in @config/application.default.yml at . The @config/application.yml.example@ file is not read by the API server and is provided as a starting template only.
-Always put your local configuration in @application.yml@ instead of editing @application.default.yml at .
+Only put local configuration in @application.yml@, do not edit @application.default.yml at .
h3(#uuid_prefix). uuid_prefix
-Define your @uuid_prefix@ in @application.yml@ by setting the @uuid_prefix@ field in the section for your environment. This prefix is used for all database identifiers to identify the record as originating from this site. It must be exactly 5 alphanumeric characters (lowercase ASCII letters and digits).
+The @uuid_prefix@ is used for all database identifiers to identify the record as originating from this site. It is a string consisting of exactly 5 lowercase ASCII letters and digits. Generate a random value and set it in @application.yml@:
-h3(#git_repositories_dir). git_repositories_dir
+<notextile>
+<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**40).to_s(36)[0,5]'</span>
+zzzzz
+</code></pre></notextile>
-This field defaults to @/var/lib/arvados/git at . You can override the value by defining it in @application.yml at .
+Example @application.yml@:
-Make sure a clone of the arvados repository exists in @git_repositories_dir at .
+<notextile>
+<pre><code> uuid_prefix: <span class="userinput">zzzzz</span></code></pre>
+</notextile>
+
+h3. secret_token
+
+The @secret_token@ is used for for signing cookies. IMPORTANT: This is a site secret. It should be at least 50 characters. Generate a random value and set it to @application.yml@:
<notextile>
-<pre><code>~$ <span class="userinput">sudo mkdir -p /var/lib/arvados/git</span>
-~$ <span class="userinput">sudo git clone --bare git://git.curoverse.com/arvados.git /var/lib/arvados/git/arvados.git</span>
+<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
+yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
</code></pre></notextile>
-h3. secret_token
+Example @application.yml@:
-Generate a new secret token for signing cookies:
+<notextile>
+<pre><code> secret_token: <span class="userinput">yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy</span></code></pre>
+</notextile>
+
+h3(#blob_signing_key). blob_signing_key
+
+The @blob_signing_key@ is used to enforce access control to Keep blocks. This same key must be provided to the Keepstore daemons when "installing Keepstore servers.":install-keepstore.html IMPORTANT: This is a site secret. It should be at least 50 characters. Generate a random value and set it to @application.yml@:
<notextile>
<pre><code>~$ <span class="userinput">ruby -e 'puts rand(2**400).to_s(36)'</span>
-zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
+xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
</code></pre></notextile>
-Then put that value in the @secret_token@ field.
+Example @application.yml@:
+
+<notextile>
+<pre><code> blob_signing_key: <span class="userinput">xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</span></code></pre>
+</notextile>
+
+h3(#omniauth). sso_app_secret, sso_app_id, sso_provider_url
-h3. blob_signing_key
+The following settings enable the API server to communicate with the "Single Sign On (SSO) server":install-sso.html to authenticate user log in.
-If you want access control on your "Keepstore":install-keepstore.html server(s), you should set @blob_signing_key@ to the same value as the permission key you provide to your Keepstore daemon(s).
+Set @sso_provider_url@ to the base URL where your SSO server is installed. This should be a URL consisting of the scheme and host (and optionally, port), without a trailing slash.
+
+Set @sso_app_secret@ and @sso_app_id@ to the corresponding values for @app_secret@ and @app_id@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
+
+Example @application.yml@:
+
+<notextile>
+<pre><code> sso_app_id: <span class="userinput">arvados-server</span>
+ sso_app_secret: <span class="userinput">wwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwwww</span>
+ sso_provider_url: <span class="userinput">https://sso.example.com</span>
+</code></pre>
+</notextile>
h3. workbench_address
-Fill in the url of your workbench application in @workbench_address@, for example
+Set @workbench_address@ to the URL of your workbench application after following "Install Workbench.":install-workbench-app.html
+
+Example @application.yml@:
+
+<notextile>
+<pre><code> workbench_address: <span class="userinput">https://workbench.zzzzz.example.com</span></code></pre>
+</notextile>
+
+h3. websockets_address
+
+Set @websockets_address@ to the @@wss://@ URL of the API server websocket endpoint after following "Set up Web servers.":#set_up
+
+Example @application.yml@:
+
+<notextile>
+<pre><code> websockets_address: <span class="userinput">https://ws.zzzzz.example.com</span></code></pre>
+</notextile>
- https://workbench.@uuid_prefix@.your.domain
+h3(#git_repositories_dir). git_repositories_dir, git_internal_dir
-h3(#omniauth). sso_app_id, sso_app_secret, sso_provider_url
+The @git_repositories_dir@ setting specifies the directory is where user git repositories will be stored. By default this is @/var/lib/arvados/git at . You can change the location by defining it in @application.yml at .
-For @sso_app_id@ and @sso_app_secret@, provide the same @app_id@ and @app_secret@ used in the "Create arvados-server client for Single Sign On (SSO)":install-sso.html#client step.
+The @git_internal_dir@ setting specifies the directory is where the system internal git repository will be stored. By default this is @/var/lib/arvados/internal.git at . This repository stores git branches that have been used to run crunch jobs.
-For @sso_provider_url@, provide the base URL where your SSO server is installed: just the scheme and host, with no trailing slash.
+Example @application.yml@:
<notextile>
-<pre><code> sso_app_id: arvados-server
- sso_app_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- sso_provider_url: https://sso.example.com
+<pre><code> git_repositories_dir: <span class="userinput">/var/lib/arvados/git</span>
+ git_internal_dir: <span class="userinput">/var/lib/arvados/internal.git</span>
</code></pre>
</notextile>
-h3. Other options
+h3. Additional settings
-Consult @/var/www/arvados-api/current/config/application.default.yml@ for a full list of configuration options. (But don't edit it. Edit @application.yml@ instead.)
+The file @config/application.default.yml@ (online at "https://arvados.org/projects/arvados/repository/revisions/master/entry/services/api/config/application.default.yml":https://arvados.org/projects/arvados/repository/revisions/master/entry/services/api/config/application.default.yml documents a number of additional configuration settings. Only put local configuration in @application.yml@, do not edit @application.default.yml at .
h2. Prepare the API server deployment
@@ -153,7 +200,7 @@ You can safely ignore the following error message you may see when loading the d
This command aborts when it encounters an error. It's safe to rerun multiple times, so if there's a problem with your configuration, you can fix that and try again.
-h2. Set up Web servers
+h2(#set_up). Set up Web servers
For best performance, we recommend you use Nginx as your Web server front-end, with a Passenger backend for the main API server and a Puma backend for API server Websockets. To do that:
diff --git a/services/api/config/application.default.yml b/services/api/config/application.default.yml
index 409dea6..bec6c21 100644
--- a/services/api/config/application.default.yml
+++ b/services/api/config/application.default.yml
@@ -1,80 +1,39 @@
# Do not use this file for site configuration. Create application.yml
# instead (see application.yml.example).
-
-development:
- force_ssl: false
- cache_classes: false
- whiny_nils: true
- consider_all_requests_local: true
- action_controller.perform_caching: false
- action_mailer.raise_delivery_errors: false
- action_mailer.perform_deliveries: false
- active_support.deprecation: :log
- action_dispatch.best_standards_support: :builtin
- active_record.mass_assignment_sanitizer: :strict
- active_record.auto_explain_threshold_in_seconds: 0.5
- assets.compress: false
- assets.debug: true
- local_modified: "<%= '-modified' if `git status -s` != '' %>"
-
-production:
- force_ssl: true
- cache_classes: true
- consider_all_requests_local: false
- action_controller.perform_caching: true
- serve_static_assets: false
- assets.compress: true
- assets.compile: false
- assets.digest: true
-
-test:
- force_ssl: false
- cache_classes: true
- serve_static_assets: true
- static_cache_control: public, max-age=3600
- whiny_nils: true
- consider_all_requests_local: true
- action_controller.perform_caching: false
- action_dispatch.show_exceptions: false
- action_controller.allow_forgery_protection: false
- action_mailer.delivery_method: :test
- active_support.deprecation: :stderr
- active_record.mass_assignment_sanitizer: :strict
- uuid_prefix: zzzzz
- sso_app_id: arvados-server
- sso_app_secret: <%= rand(2**512).to_s(36) %>
- sso_provider_url: http://localhost:3002
- secret_token: <%= rand(2**512).to_s(36) %>
- blob_signing_key: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc
- user_profile_notification_address: arvados at example.com
- workbench_address: https://localhost:3001/
- git_repositories_dir: <%= Rails.root.join 'tmp', 'git', 'test' %>
- git_internal_dir: <%= Rails.root.join 'tmp', 'internal.git' %>
+#
+# The order of precedence is:
+# 1. config/environments/{RAILS_ENV}.rb (deprecated)
+# 2. Section in application.yml corresponding to RAILS_ENV (e.g., development)
+# 3. Section in application.yml called "common"
+# 4. Section in application.default.yml corresponding to RAILS_ENV
+# 5. Section in application.default.yml called "common"
common:
+ ###
+ ### Essential site configuration
+ ###
+
# The prefix used for all database identifiers to identify the record as
# originating from this site. Must be exactly 5 alphanumeric characters
# (lowercase ASCII letters and digits).
- uuid_prefix: <%= Digest::MD5.hexdigest(`hostname`).to_i(16).to_s(36)[0..4] %>
+ uuid_prefix: ~
- # If not false, this is the hostname that will be used for root_url and
- # advertised in the discovery document. By default, use the default Rails
- # logic for deciding on a hostname.
- host: false
+ # secret_token is a string of alphanumeric characters used by Rails
+ # to sign session tokens. IMPORTANT: This is a site secret. It
+ # should be at least 50 characters.
+ secret_token: ~
- # Base part of SSH git clone url given with repository resources. If
- # true, the default "git at git.(uuid_prefix).arvadosapi.com:" is
- # used. If false, SSH clone URLs are not advertised. Include a
- # trailing ":" or "/" if needed: it will not be added automatically.
- git_repo_ssh_base: true
+ # blob_signing_key is a string of alphanumeric characters used to
+ # generate permission signatures for Keep locators. It must be
+ # identical to the permission key given to Keep. IMPORTANT: This is
+ # a site secret. It should be at least 50 characters.
+ blob_signing_key: ~
- # Base part of HTTPS git clone urls given with repository
- # resources. This is expected to be an arv-git-httpd service which
- # accepts API tokens as HTTP-auth passwords. If true, the default
- # "https://git.(uuid_prefix).arvadosapi.com/" is used. If false,
- # HTTPS clone URLs are not advertised. Include a trailing ":" or "/"
- # if needed: it will not be added automatically.
- git_repo_https_base: true
+ # These settings are provided by your OAuth2 provider (e.g.,
+ # sso-provider).
+ sso_app_secret: ~
+ sso_app_id: ~
+ sso_provider_url: ~
# If this is not false, HTML requests at the API server's root URL
# are redirected to this location, and it is provided in the text of
@@ -82,6 +41,30 @@ common:
# to log in.
workbench_address: false
+ # The ARVADOS_WEBSOCKETS environment variable determines whether to
+ # serve http, websockets, or both.
+ #
+ # If ARVADOS_WEBSOCKETS="true", http and websockets are both served
+ # from the same process.
+ #
+ # If ARVADOS_WEBSOCKETS="ws-only", only websockets is served.
+ #
+ # If ARVADOS_WEBSOCKETS="false" or not set at all, only http is
+ # served. In this case, you should have a separate process serving
+ # websockets, and the address of that service should be given here
+ # as websocket_address.
+ #
+ # If websocket_address is false (which is the default), the
+ # discovery document will tell clients to use the current server as
+ # the websocket service, or (if the current server does not have
+ # websockets enabled) not to use websockets at all.
+ #
+ # Example: Clients will connect to the specified endpoint.
+ #websocket_address: wss://127.0.0.1:3333/websocket
+ # Default: Clients will connect to this server if it's running
+ # websockets, otherwise none at all.
+ websocket_address: false
+
# Git repositories must be readable by api server, or you won't be
# able to submit crunch jobs. To pass the test suites, put a clone
# of the arvados tree in {git_repositories_dir}/arvados.git or
@@ -94,93 +77,54 @@ common:
# subdirectory of {git_repositiories_dir}.
git_internal_dir: /var/lib/arvados/internal.git
- # :none or :slurm_immediate
- crunch_job_wrapper: :none
-
- # username, or false = do not set uid when running jobs.
- crunch_job_user: crunch
-
- # The web service must be able to create/write this file, and
- # crunch-job must be able to stat() it.
- crunch_refresh_trigger: /tmp/crunch_refresh_trigger
-
- # These two settings control how frequently log events are flushed to the
- # database. Log lines are buffered until either crunch_log_bytes_per_event
- # has been reached or crunch_log_seconds_between_events has elapsed since
- # the last flush.
- crunch_log_bytes_per_event: 4096
- crunch_log_seconds_between_events: 1
-
- # The sample period for throttling logs, in seconds.
- crunch_log_throttle_period: 60
-
- # Maximum number of bytes that job can log over crunch_log_throttle_period
- # before being silenced until the end of the period.
- crunch_log_throttle_bytes: 65536
-
- # Maximum number of lines that job can log over crunch_log_throttle_period
- # before being silenced until the end of the period.
- crunch_log_throttle_lines: 1024
-
- # Maximum bytes that may be logged by a single job. Log bytes that are
- # silenced by throttling are not counted against this total.
- crunch_limit_log_bytes_per_job: 67108864
+ # Default replication level for collections. This is used when a
+ # collection's replication_desired attribute is nil.
+ default_collection_replication: 2
- # Path to dns server configuration directory
- # (e.g. /etc/unbound.d/conf.d). If false, do not write any config
- # files or touch restart.txt (see below).
- dns_server_conf_dir: false
- # Template file for the dns server host snippets. See
- # unbound.template in this directory for an example. If false, do
- # not write any config files.
- dns_server_conf_template: false
+ ###
+ ### Overriding default advertised hostnames/URLs
+ ###
- # String to write to {dns_server_conf_dir}/restart.txt (with a
- # trailing newline) after updating local data. If false, do not
- # open or write the restart.txt file.
- dns_server_reload_command: false
+ # If not false, this is the hostname that will be used for root_url and
+ # advertised in the discovery document. By default, use the default Rails
+ # logic for deciding on a hostname.
+ host: false
- # Command to run after each DNS update. Template variables will be
- # substituted; see the "unbound" example below. If false, do not run
- # a command.
- dns_server_update_command: false
+ # Base part of SSH git clone url given with repository resources. If
+ # true, the default "git at git.(uuid_prefix).arvadosapi.com:" is
+ # used. If false, SSH clone URLs are not advertised. Include a
+ # trailing ":" or "/" if needed: it will not be added automatically.
+ git_repo_ssh_base: true
- ## Example for unbound:
- #dns_server_conf_dir: /etc/unbound/conf.d
- #dns_server_conf_template: /path/to/your/api/server/config/unbound.template
- ## ...plus one of the following two methods of reloading:
- #dns_server_reload_command: unbound-control reload
- #dns_server_update_command: echo %{hostname} %{hostname}.%{uuid_prefix} %{hostname}.%{uuid_prefix}.arvadosapi.com %{ptr_domain} | xargs -n 1 unbound-control local_data_remove && unbound-control local_data %{hostname} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix}.arvadosapi.com IN A %{ip_address} && unbound-control local_data %{ptr_domain}. IN PTR %{hostname}.%{uuid_prefix}.arvadosapi.com
+ # Base part of HTTPS git clone urls given with repository
+ # resources. This is expected to be an arv-git-httpd service which
+ # accepts API tokens as HTTP-auth passwords. If true, the default
+ # "https://git.(uuid_prefix).arvadosapi.com/" is used. If false,
+ # HTTPS clone URLs are not advertised. Include a trailing ":" or "/"
+ # if needed: it will not be added automatically.
+ git_repo_https_base: true
- compute_node_domain: false
- compute_node_nameservers:
- - 192.168.1.1
- # The version below is suitable for AWS.
- # To use it, copy it to your application.yml, uncomment, and change <%# to <%=
- # compute_node_nameservers: <%#
- # require 'net/http'
- # ['local', 'public'].collect do |iface|
- # Net::HTTP.get(URI("http://169.254.169.254/latest/meta-data/#{iface}-ipv4")).match(/^[\d\.]+$/)[0]
- # end << '172.16.0.23'
- # %>
+ ###
+ ### New user and & email settings
+ ###
- accept_api_token: {}
+ # Config parameters to automatically setup new users.
+ # The params auto_setup_new_users_with_* are meaningful only when auto_setup_new_users is turned on.
+ # auto_setup_name_blacklist is a list of usernames to be blacklisted for auto setup.
+ auto_setup_new_users: false
+ auto_setup_new_users_with_vm_uuid: false
+ auto_setup_new_users_with_repository: false
+ auto_setup_name_blacklist: [arvados, git, gitolite, gitolite-admin, root, syslog]
# When new_users_are_active is set to true, the user agreement check is skipped.
new_users_are_active: false
- admin_notifier_email_from: arvados at example.com
- email_subject_prefix: "[ARVADOS] "
- user_notifier_email_from: arvados at example.com
- new_user_notification_recipients: [ ]
- new_inactive_user_notification_recipients: [ ]
-
# The e-mail address of the user you would like to become marked as an admin
# user on their first login.
# In the default configuration, authentication happens through the Arvados SSO
- # server, which uses openid against Google's servers, so in that case this
+ # server, which uses OAuth2 against Google's servers, so in that case this
# should be an address associated with a Google account.
auto_admin_user: false
@@ -188,51 +132,20 @@ common:
# other admin users exist will automatically become an admin user.
auto_admin_first_user: false
- ## Set Time.zone default to the specified zone and make Active
- ## Record auto-convert to this zone. Run "rake -D time" for a list
- ## of tasks for finding time zone names. Default is UTC.
- #time_zone: Central Time (US & Canada)
-
- ## Default encoding used in templates for Ruby 1.9.
- encoding: utf-8
-
- # Enable the asset pipeline
- assets.enabled: true
-
- # Version of your assets, change this if you want to expire all your assets
- assets.version: "1.0"
+ # Email address to notify whenever a user creates a profile for the
+ # first time
+ user_profile_notification_address: false
- arvados_theme: default
+ admin_notifier_email_from: arvados at example.com
+ email_subject_prefix: "[ARVADOS] "
+ user_notifier_email_from: arvados at example.com
+ new_user_notification_recipients: [ ]
+ new_inactive_user_notification_recipients: [ ]
- # The ARVADOS_WEBSOCKETS environment variable determines whether to
- # serve http, websockets, or both.
- #
- # If ARVADOS_WEBSOCKETS="true", http and websockets are both served
- # from the same process.
- #
- # If ARVADOS_WEBSOCKETS="ws-only", only websockets is served.
- #
- # If ARVADOS_WEBSOCKETS="false" or not set at all, only http is
- # served. In this case, you should have a separate process serving
- # websockets, and the address of that service should be given here
- # as websocket_address.
- #
- # If websocket_address is false (which is the default), the
- # discovery document will tell clients to use the current server as
- # the websocket service, or (if the current server does not have
- # websockets enabled) not to use websockets at all.
- #
- # Example: Clients will connect to the specified endpoint.
- #websocket_address: wss://127.0.0.1:3333/websocket
- # Default: Clients will connect to this server if it's running
- # websockets, otherwise none at all.
- websocket_address: false
- # blob_signing_key is a string of alphanumeric characters used to
- # generate permission signatures for Keep locators. It must be
- # identical to the permission key given to Keep. IMPORTANT: This is
- # a site secret. It should be at least 50 characters.
- blob_signing_key: ~
+ ###
+ ### Limits, timeouts and durations
+ ###
# Lifetime (in seconds) of blob permission signatures generated by
# the API server. This determines how long a client can take (after
@@ -252,58 +165,9 @@ common:
# The default is 2 weeks.
blob_signature_ttl: 1209600
- # Allow clients to create collections by providing a manifest with
- # unsigned data blob locators. IMPORTANT: This effectively disables
- # access controls for data stored in Keep: a client who knows a hash
- # can write a manifest that references the hash, pass it to
- # collections.create (which will create a permission link), use
- # collections.get to obtain a signature for that data locator, and
- # use that signed locator to retrieve the data from Keep. Therefore,
- # do not turn this on if your users expect to keep data private from
- # one another!
- permit_create_collection_with_unsigned_manifest: false
-
- # secret_token is a string of alphanumeric characters used by Rails
- # to sign session tokens. IMPORTANT: This is a site secret. It
- # should be at least 50 characters.
- secret_token: ~
-
- # Email address to notify whenever a user creates a profile for the
- # first time
- user_profile_notification_address: false
-
- default_openid_prefix: https://www.google.com/accounts/o8/id
-
- # Config parameters to automatically setup new users.
- # The params auto_setup_new_users_with_* are meaningful only when auto_setup_new_users is turned on.
- # auto_setup_name_blacklist is a list of usernames to be blacklisted for auto setup.
- auto_setup_new_users: false
- auto_setup_new_users_with_vm_uuid: false
- auto_setup_new_users_with_repository: false
- auto_setup_name_blacklist: [arvados, git, gitolite, gitolite-admin, root, syslog]
-
- # source_version
- source_version: "<%= `git log -n 1 --format=%h`.strip %>"
- local_modified: false
-
# Default lifetime for ephemeral collections: 2 weeks.
default_trash_lifetime: 1209600
- # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the Single Sign
- # On (sso) server. Should only be enabled during development when the SSO
- # server is using a self-signed cert.
- sso_insecure: false
-
- # These settings are provided by your OAuth2 provider (e.g.,
- # sso-provider).
- sso_app_id: ~
- sso_app_secret: ~
- sso_provider_url: ~
-
- # Default replication level for collections. This is used when a
- # collection's replication_desired attribute is nil.
- default_collection_replication: 2
-
# Maximum size (in bytes) allowed for a single API request. This
# limit is published in the discovery document for use by clients.
# Note: You must separately configure the upstream web server or
@@ -336,9 +200,77 @@ common:
# go down.
max_compute_nodes: 64
+ # These two settings control how frequently log events are flushed to the
+ # database. Log lines are buffered until either crunch_log_bytes_per_event
+ # has been reached or crunch_log_seconds_between_events has elapsed since
+ # the last flush.
+ crunch_log_bytes_per_event: 4096
+ crunch_log_seconds_between_events: 1
+
+ # The sample period for throttling logs, in seconds.
+ crunch_log_throttle_period: 60
+
+ # Maximum number of bytes that job can log over crunch_log_throttle_period
+ # before being silenced until the end of the period.
+ crunch_log_throttle_bytes: 65536
+
+ # Maximum number of lines that job can log over crunch_log_throttle_period
+ # before being silenced until the end of the period.
+ crunch_log_throttle_lines: 1024
+
+ # Maximum bytes that may be logged by a single job. Log bytes that are
+ # silenced by throttling are not counted against this total.
+ crunch_limit_log_bytes_per_job: 67108864
+
+
+ ###
+ ### Crunch, DNS & compute node management
+ ###
+
# Docker image to be used when none found in runtime_constraints of a job
default_docker_image_for_jobs: false
+ # :none or :slurm_immediate
+ crunch_job_wrapper: :none
+
+ # username, or false = do not set uid when running jobs.
+ crunch_job_user: crunch
+
+ # The web service must be able to create/write this file, and
+ # crunch-job must be able to stat() it.
+ crunch_refresh_trigger: /tmp/crunch_refresh_trigger
+
+ # Path to dns server configuration directory
+ # (e.g. /etc/unbound.d/conf.d). If false, do not write any config
+ # files or touch restart.txt (see below).
+ dns_server_conf_dir: false
+
+ # Template file for the dns server host snippets. See
+ # unbound.template in this directory for an example. If false, do
+ # not write any config files.
+ dns_server_conf_template: false
+
+ # String to write to {dns_server_conf_dir}/restart.txt (with a
+ # trailing newline) after updating local data. If false, do not
+ # open or write the restart.txt file.
+ dns_server_reload_command: false
+
+ # Command to run after each DNS update. Template variables will be
+ # substituted; see the "unbound" example below. If false, do not run
+ # a command.
+ dns_server_update_command: false
+
+ ## Example for unbound:
+ #dns_server_conf_dir: /etc/unbound/conf.d
+ #dns_server_conf_template: /path/to/your/api/server/config/unbound.template
+ ## ...plus one of the following two methods of reloading:
+ #dns_server_reload_command: unbound-control reload
+ #dns_server_update_command: echo %{hostname} %{hostname}.%{uuid_prefix} %{hostname}.%{uuid_prefix}.arvadosapi.com %{ptr_domain} | xargs -n 1 unbound-control local_data_remove && unbound-control local_data %{hostname} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix} IN A %{ip_address} && unbound-control local_data %{hostname}.%{uuid_prefix}.arvadosapi.com IN A %{ip_address} && unbound-control local_data %{ptr_domain}. IN PTR %{hostname}.%{uuid_prefix}.arvadosapi.com
+
+ compute_node_domain: false
+ compute_node_nameservers:
+ - 192.168.1.1
+
# Hostname to assign to a compute node when it sends a "ping" and the
# hostname in its Node record is nil.
# During bootstrapping, the "ping" script is expected to notice the
@@ -354,3 +286,97 @@ common:
# assign_node_hostname: compute%<slot_number>04d
# (See http://ruby-doc.org/core-2.2.2/Kernel.html#method-i-format for more.)
assign_node_hostname: compute%<slot_number>d
+
+
+ ###
+ ### Remaining assorted configuration options.
+ ###
+
+ arvados_theme: default
+
+ # Permit insecure (OpenSSL::SSL::VERIFY_NONE) connections to the Single Sign
+ # On (sso) server. Should only be enabled during development when the SSO
+ # server is using a self-signed cert.
+ sso_insecure: false
+
+ ## Set Time.zone default to the specified zone and make Active
+ ## Record auto-convert to this zone. Run "rake -D time" for a list
+ ## of tasks for finding time zone names. Default is UTC.
+ #time_zone: Central Time (US & Canada)
+
+ ## Default encoding used in templates for Ruby 1.9.
+ encoding: utf-8
+
+ # Enable the asset pipeline
+ assets.enabled: true
+
+ # Version of your assets, change this if you want to expire all your assets
+ assets.version: "1.0"
+
+ # Allow clients to create collections by providing a manifest with
+ # unsigned data blob locators. IMPORTANT: This effectively disables
+ # access controls for data stored in Keep: a client who knows a hash
+ # can write a manifest that references the hash, pass it to
+ # collections.create (which will create a permission link), use
+ # collections.get to obtain a signature for that data locator, and
+ # use that signed locator to retrieve the data from Keep. Therefore,
+ # do not turn this on if your users expect to keep data private from
+ # one another!
+ permit_create_collection_with_unsigned_manifest: false
+
+ default_openid_prefix: https://www.google.com/accounts/o8/id
+
+ # source_version
+ source_version: "<%= `git log -n 1 --format=%h`.strip %>"
+ local_modified: false
+
+
+development:
+ force_ssl: false
+ cache_classes: false
+ whiny_nils: true
+ consider_all_requests_local: true
+ action_controller.perform_caching: false
+ action_mailer.raise_delivery_errors: false
+ action_mailer.perform_deliveries: false
+ active_support.deprecation: :log
+ action_dispatch.best_standards_support: :builtin
+ active_record.mass_assignment_sanitizer: :strict
+ active_record.auto_explain_threshold_in_seconds: 0.5
+ assets.compress: false
+ assets.debug: true
+ local_modified: "<%= '-modified' if `git status -s` != '' %>"
+
+production:
+ force_ssl: true
+ cache_classes: true
+ consider_all_requests_local: false
+ action_controller.perform_caching: true
+ serve_static_assets: false
+ assets.compress: true
+ assets.compile: false
+ assets.digest: true
+
+test:
+ force_ssl: false
+ cache_classes: true
+ serve_static_assets: true
+ static_cache_control: public, max-age=3600
+ whiny_nils: true
+ consider_all_requests_local: true
+ action_controller.perform_caching: false
+ action_dispatch.show_exceptions: false
+ action_controller.allow_forgery_protection: false
+ action_mailer.delivery_method: :test
+ active_support.deprecation: :stderr
+ active_record.mass_assignment_sanitizer: :strict
+ uuid_prefix: zzzzz
+ sso_app_id: arvados-server
+ sso_app_secret: <%= rand(2**512).to_s(36) %>
+ sso_provider_url: http://localhost:3002
+ secret_token: <%= rand(2**512).to_s(36) %>
+ blob_signing_key: zfhgfenhffzltr9dixws36j1yhksjoll2grmku38mi7yxd66h5j4q9w4jzanezacp8s6q0ro3hxakfye02152hncy6zml2ed0uc
+ user_profile_notification_address: arvados at example.com
+ workbench_address: https://localhost:3001/
+ git_repositories_dir: <%= Rails.root.join 'tmp', 'git', 'test' %>
+ git_internal_dir: <%= Rails.root.join 'tmp', 'internal.git' %>
diff --git a/services/api/config/application.yml.example b/services/api/config/application.yml.example
index ee14c0e..149770c 100644
--- a/services/api/config/application.yml.example
+++ b/services/api/config/application.yml.example
@@ -10,22 +10,33 @@
# 4. Section in application.default.yml corresponding to RAILS_ENV
# 5. Section in application.default.yml called "common"
-development:
- # Mandatory site secrets. See application.default.yml for more info.
+production:
+ # Mandatory site configuration. See application.default.yml and
+ # http://http://doc.arvados.org/install/install-api-server.html#configure_application
+ # for more information.
+ uuid_prefix: ~
secret_token: ~
blob_signing_key: ~
- uuid_prefix: bogus
- workbench_address: https://localhost:3031
+ sso_app_secret: ~
+ sso_app_id: ~
+ sso_provider_url: ~
+ workbench_address: ~
+ websockets_address: ~
+ #git_repositories_dir: ~
+ #git_internal_dir: ~
-production:
- # Mandatory site secrets. See application.default.yml for more info.
+development:
+ # Separate settings for development configuration.
+ uuid_prefix: ~
secret_token: ~
blob_signing_key: ~
- uuid_prefix: bogus
- workbench_address: https://workbench.bogus.arvadosapi.com
- sso_app_id: arvados-server
+ sso_app_id: ~
sso_app_secret: ~
- sso_provider_url: https://login.bogus.arvadosapi.com
+ sso_provider_url: ~
+ workbench_address: ~
+ websockets_address: ~
+ #git_repositories_dir: ~
+ #git_internal_dir: ~
test:
# Tests should be able to run without further configuration, but if you do
diff --git a/services/api/config/initializers/hardcoded_api_tokens.rb.example b/services/api/config/initializers/hardcoded_api_tokens.rb.example
deleted file mode 100644
index 6339bf6..0000000
--- a/services/api/config/initializers/hardcoded_api_tokens.rb.example
+++ /dev/null
@@ -1,3 +0,0 @@
-Server::Application.configure do
- config.accept_api_token = { 'foobar' => true }
-end
-----------------------------------------------------------------------
hooks/post-receive
--
More information about the arvados-commits
mailing list