[ARVADOS] created: 1.3.0-60-g2a6cb99cf
Fri Jan 4 10:17:52 EST 2019
at 2a6cb99cf7a21a273efe8dc793929b74149871f6 (commit)
commit 2a6cb99cf7a21a273efe8dc793929b74149871f6
Author: Peter Amstutz <pamstutz at veritasgenetics.com>
Date: Thu Jan 3 14:53:25 2019 -0500
14660: Add workbench2 to arvbox. Improve SSL support in arvbox.
Arvados-DCO-1.1-Signed-off-by: Peter Amstutz <pamstutz at veritasgenetics.com>
diff --git a/tools/arvbox/bin/arvbox b/tools/arvbox/bin/arvbox
index 69fc2cede..e2f58cf13 100755
--- a/tools/arvbox/bin/arvbox
+++ b/tools/arvbox/bin/arvbox
@@ -50,6 +50,10 @@ if test -z "$COMPOSER_ROOT" ; then
COMPOSER_ROOT="$ARVBOX_DATA/composer"
fi
+if test -z "$WORKBENCH2_ROOT" ; then
+ WORKBENCH2_ROOT="$ARVBOX_DATA/workbench2"
+fi
+
PG_DATA="$ARVBOX_DATA/postgres"
VAR_DATA="$ARVBOX_DATA/var"
PASSENGER="$ARVBOX_DATA/passenger"
@@ -158,7 +162,8 @@ run() {
echo $localip > $iptemp
chmod og+r $iptemp
PUBLIC="--volume=$iptemp:/var/run/localip_override
- --publish=80:80
+ --publish=443:443
+ --publish=3001:3001
--publish=8000:8000
--publish=8900:8900
--publish=9001:9001
@@ -205,6 +210,9 @@ run() {
if ! test -d "$COMPOSER_ROOT" ; then
git clone https://github.com/curoverse/composer.git "$COMPOSER_ROOT"
fi
+ if ! test -d "$WORKBENCH2_ROOT" ; then
+ git clone https://github.com/curoverse/arvados-workbench2.git "$WORKBENCH2_ROOT"
+ fi
if test "$CONFIG" = test ; then
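Review bot: The added `git clone` fetches whatever the remote's default branch currently points at, and the new workbench2 run-service later runs `yarn install` and `yarn start` from that checkout, so first run executes unpinned code pulled from the network with no ref or commit recorded anywhere. The composer clone just above has the same property, so this is an existing pattern rather than a regression, but the new checkout is the one that ends up driving a dev server. An optional pin keeps the existing behaviour while letting users reproduce a known-good tree, e.g. `git clone ${WORKBENCH2_BRANCH:+--branch "$WORKBENCH2_BRANCH"} https://github.com/curoverse/arvados-workbench2.git "$WORKBENCH2_ROOT"`. The enclosing `run()` function starts and ends outside this hunk.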
@@ -218,6 +226,7 @@ run() {
"--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
"--volume=$SSO_ROOT:/usr/src/sso:rw" \
"--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+ "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
"--volume=$PG_DATA:/var/lib/postgresql:rw" \
"--volume=$VAR_DATA:/var/lib/arvados:rw" \
"--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -261,6 +270,7 @@ run() {
"--volume=$ARVADOS_ROOT:/usr/src/arvados:rw" \
"--volume=$SSO_ROOT:/usr/src/sso:rw" \
"--volume=$COMPOSER_ROOT:/usr/src/composer:rw" \
+ "--volume=$WORKBENCH2_ROOT:/usr/src/workbench2:rw" \
"--volume=$PG_DATA:/var/lib/postgresql:rw" \
"--volume=$VAR_DATA:/var/lib/arvados:rw" \
"--volume=$PASSENGER:/var/lib/passenger:rw" \
@@ -274,6 +284,7 @@ run() {
updateconf
wait_for_arvbox
echo "The Arvados source code is checked out at: $ARVADOS_ROOT"
+ echo "The Arvados testing root certificate is $VAR_DATA/root-cert.pem"
else
echo "Unknown configuration '$CONFIG'"
fi
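Review bot: The added message tells users where the CA certificate is but not what trusting it implies: the matching private key `root-cert.key` is written into the same bind-mounted `$VAR_DATA` directory on the host, so anyone who can read that directory can issue certificates a browser trusting this root will accept for any name. Since the whole point of printing the path is that users import it, the message should carry the caveat, e.g. `echo "The Arvados testing root certificate is $VAR_DATA/root-cert.pem (test-only CA, its private key is alongside it; trust it only in a throwaway browser profile)"`. The `else` on the next line belongs to `run()`, which starts outside this hunk.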
diff --git a/tools/arvbox/lib/arvbox/docker/api-setup.sh b/tools/arvbox/lib/arvbox/docker/api-setup.sh
index 6dd6a6569..ca706ea81 100755
--- a/tools/arvbox/lib/arvbox/docker/api-setup.sh
+++ b/tools/arvbox/lib/arvbox/docker/api-setup.sh
@@ -38,9 +38,6 @@ if ! test -s /var/lib/arvados/management_token ; then
fi
management_token=$(cat /var/lib/arvados/management_token)
-# self signed key will be created by SSO server script.
-test -s /var/lib/arvados/self-signed.key
-
sso_app_secret=$(cat /var/lib/arvados/sso_app_secret)
if test -s /var/lib/arvados/vm-uuid ; then
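Review bot: Deleting the bare `test -s /var/lib/arvados/self-signed.key` line removes the only early check that TLS material exists before the API configuration is written, and nothing equivalent is added for the new `server-cert-${localip}.pem`/`.key` pair that nginx and passenger now load. Assuming this script runs under `set -e` (which is what made the bare `test` line useful), it will now proceed and write a config pointing at `https://$localip/` and `wss://…` even when the SSO run-service has not yet generated the certificate. Suggest replacing the removed lines with `test -s "/var/lib/arvados/server-cert-${localip}.key" || { echo "server certificate for $localip not generated yet (created by the sso service)" >&2; exit 1; }`, which keeps the ordering guarantee and the explanatory comment.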
@@ -59,8 +56,8 @@ $RAILS_ENV:
sso_app_id: arvados-server
sso_provider_url: "https://$localip:${services[sso]}"
sso_insecure: true
- workbench_address: "http://$localip/"
- websocket_address: "ws://$localip:${services[websockets]}/websocket"
+ workbench_address: "https://$localip/"
+ websocket_address: "wss://$localip:${services[websockets-ssl]}/websocket"
git_repo_ssh_base: "git@$localip:"
git_repo_https_base: "http://$localip:${services[arv-git-httpd]}/"
new_users_are_active: true
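Review bot: The hunk moves workbench to `https://` and websockets to `wss://` but leaves `sso_insecure: true` on the context line above, so the API server still skips certificate verification for the SSO endpoint even though the commit now gives it a CA (`/var/lib/arvados/root-cert.pem`) that the SSO certificate chains to. If the API server cannot be pointed at that root, a one-line comment saying why verification stays off in arvbox would stop the next reader from assuming it is an oversight; if it can, this is the moment to drop the flag. `git_repo_https_base` also still uses `http://` while every other address in this block moved to TLS — confirm that is intentional.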
diff --git a/tools/arvbox/lib/arvbox/docker/common.sh b/tools/arvbox/lib/arvbox/docker/common.sh
index a82a964ea..d14e45d0b 100644
--- a/tools/arvbox/lib/arvbox/docker/common.sh
+++ b/tools/arvbox/lib/arvbox/docker/common.sh
@@ -19,7 +19,9 @@ fi
declare -A services
services=(
- [workbench]=80
+ [workbench]=443
+ [workbench2]=3000
+ [workbench2-ssl]=3001
[api]=8004
[controller]=8003
[controller-ssl]=8000
@@ -32,7 +34,8 @@ services=(
[keepstore1]=25108
[ssh]=22
[doc]=8001
- [websockets]=8002
+ [websockets]=8005
+ [websockets-ssl]=8002
)
if test "$(id arvbox -u 2>/dev/null)" = 0 ; then
diff --git a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
index a55660eb8..f2b0a89d2 100755
--- a/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/nginx/run-service
@@ -37,8 +37,8 @@ http {
server {
listen *:${services[controller-ssl]} ssl default_server;
server_name controller;
- ssl_certificate "/var/lib/arvados/self-signed.pem";
- ssl_certificate_key "/var/lib/arvados/self-signed.key";
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
location / {
proxy_pass http://controller;
proxy_set_header Host \$http_host;
@@ -47,6 +47,47 @@ http {
proxy_redirect off;
}
}
+
+upstream arvados-ws {
+ server localhost:${services[websockets]};
+}
+server {
+ listen *:${services[websockets-ssl]} ssl default_server;
+ server_name websockets;
+
+ proxy_connect_timeout 90s;
+ proxy_read_timeout 300s;
+
+ ssl on;
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+
+ location / {
+ proxy_pass http://arvados-ws;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ }
+}
+
+ upstream workbench2 {
+ server localhost:${services[workbench2]};
+ }
+ server {
+ listen *:${services[workbench2-ssl]} ssl default_server;
+ server_name workbench2;
+ ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
+ ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
+ location / {
+ proxy_pass http://workbench2;
+ proxy_set_header Host \$http_host;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_redirect off;
+ }
+ }
+
}
EOF
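Review bot: `ssl on;` in the new websockets server block is redundant with the `ssl` flag already given on its `listen` line and is deprecated in nginx (removed in recent releases), while the controller and workbench2 blocks in the same file rely on the listen flag alone; drop the line for consistency and forward compatibility. None of the three server blocks set `ssl_protocols` or `ssl_ciphers`, so they inherit whatever the container's nginx build defaults to — acceptable for a test box, but worth a comment near the first `ssl_certificate` line so nobody mistakes it for a hardened configuration. The enclosing `http {` block and the heredoc start outside this hunk.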
diff --git a/tools/arvbox/lib/arvbox/docker/service/ready/run-service b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
index 7766fb7ec..4e1371eb6 100755
--- a/tools/arvbox/lib/arvbox/docker/service/ready/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/ready/run-service
@@ -90,6 +90,6 @@ fi
echo
echo "Your Arvados-in-a-box is ready!"
-echo "Workbench is running at http://$localip"
+echo "Workbench is running at https://$localip"
rm -r /tmp/arvbox-ready
diff --git a/tools/arvbox/lib/arvbox/docker/service/sso/run-service b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
index 281405949..278d94e82 100755
--- a/tools/arvbox/lib/arvbox/docker/service/sso/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/sso/run-service
@@ -35,8 +35,68 @@ if ! test -s /var/lib/arvados/sso_secret_token ; then
fi
secret_token=$(cat /var/lib/arvados/sso_secret_token)
-if ! test -s /var/lib/arvados/self-signed.key ; then
- openssl req -new -x509 -nodes -out /var/lib/arvados/self-signed.pem -keyout /var/lib/arvados/self-signed.key -days 365 -subj '/CN=localhost'
+if test ! -s /var/lib/arvados/root-cert.pem ; then
+ # req signing request sub-command
+ # -new new certificate request
+ # -nodes "no des" don't encrypt key
+ # -sha256 include sha256 fingerprint
+ # -x509 generate self-signed certificate
+ # -subj certificate subject
+ # -reqexts certificate request extension for subjectAltName
+ # -extensions certificate request extension for subjectAltName
+ # -config certificate generation configuration plus subjectAltName
+ # -out certificate output
+ # -keyout private key output
+ # -days certificate lifetime
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -x509 \
+ -subj "/C=US/ST=MA/O=Arvados testing/OU=arvbox/CN=arvbox testing root CA for ${uuid_prefix}" \
+ -extensions x509_ext \
+ -config <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+ -out /var/lib/arvados/root-cert.pem \
+ -keyout /var/lib/arvados/root-cert.key \
+ -days 365
+fi
+
+if test ! -s /var/lib/arvados/server-cert-${localip}.pem ; then
+ # req signing request sub-command
+ # -new new certificate request
+ # -nodes "no des" don't encrypt key
+ # -sha256 include sha256 fingerprint
+ # -subj certificate subject
+ # -reqexts certificate request extension for subjectAltName
+ # -extensions certificate request extension for subjectAltName
+ # -config certificate generation configuration plus subjectAltName
+ # -out certificate output
+ # -keyout private key output
+ # -days certificate lifetime
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -subj "/C=US/ST=MA/O=Arvados testing for ${uuid_prefix}/OU=arvbox/CN=localhost" \
+ -reqexts x509_ext \
+ -extensions x509_ext \
+ -config <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+ -out /var/lib/arvados/server-cert-${localip}.csr \
+ -keyout /var/lib/arvados/server-cert-${localip}.key \
+ -days 365
+
+ openssl x509 \
+ -req \
+ -in /var/lib/arvados/server-cert-${localip}.csr \
+ -CA /var/lib/arvados/root-cert.pem \
+ -CAkey /var/lib/arvados/root-cert.key \
+ -out /var/lib/arvados/server-cert-${localip}.pem \
+ -set_serial $RANDOM$RANDOM \
+ -extfile <(cat /etc/ssl/openssl.cnf \
+ <(printf "\n[x509_ext]\nkeyUsage=critical,digitalSignature,keyEncipherment\nsubjectAltName=DNS:localhost,IP:$localip")) \
+ -extensions x509_ext
fi
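Review bot: The root CA private key `root-cert.key` is written by `openssl req -keyout` with whatever umask the service inherits, and because the arvbox script tells users to trust `root-cert.pem`, that key is the one file here whose readability matters; add `umask 077` before the first `openssl req` (or `chmod 600 /var/lib/arvados/root-cert.key` after it) and confirm the passenger services, which run as `arvbox`, can still read the server key. `-set_serial $RANDOM$RANDOM` yields a small, non-uniform serial and can repeat when a new server certificate is minted for a changed `$localip` under the same issuer, which some clients reject; `-set_serial 0x$(openssl rand -hex 16)` or `-CAcreateserial` avoids that. The comment block above the root-cert command lists `-reqexts`, which that command does not pass — trim it so the comments match the flags. The `<(…)` process substitutions require bash; the file's shebang is outside this hunk, so confirm it is not `/bin/sh`.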
cat >config/application.yml <<EOF
@@ -92,5 +152,5 @@ if test "$1" = "--only-setup" ; then
fi
exec bundle exec passenger start --port=${services[sso]} \
- --ssl --ssl-certificate=/var/lib/arvados/self-signed.pem \
- --ssl-certificate-key=/var/lib/arvados/self-signed.key
+ --ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
+ --ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key
diff --git a/tools/arvbox/lib/arvbox/docker/service/websockets/run-service b/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
index ebdf266c6..417130852 100755
--- a/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/websockets/run-service
@@ -34,7 +34,7 @@ Postgres:
user: arvados
password: $database_pw
host: localhost
-Listen: :8002
+Listen: localhost:${services[websockets]}
EOF
exec /usr/local/bin/arvados-ws -config /var/lib/arvados/arvados-ws.yml
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench/run b/tools/arvbox/lib/arvbox/docker/service/workbench/run
index 5615884f7..e65801b44 100755
--- a/tools/arvbox/lib/arvbox/docker/service/workbench/run
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench/run
@@ -23,5 +23,7 @@ fi
if test "$1" != "--only-deps" ; then
exec bundle exec passenger start --port=${services[workbench]} \
+ --ssl --ssl-certificate=/var/lib/arvados/server-cert-${localip}.pem \
+ --ssl-certificate-key=/var/lib/arvados/server-cert-${localip}.key \
--user arvbox
fi
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench/run-service b/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
index 366096ace..5d3757755 100755
--- a/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench/run-service
@@ -33,10 +33,6 @@ if ! test -s /var/lib/arvados/workbench_secret_token ; then
fi
secret_token=$(cat /var/lib/arvados/workbench_secret_token)
-if ! test -s self-signed.key ; then
- openssl req -new -x509 -nodes -out self-signed.pem -keyout self-signed.key -days 365 -subj '/CN=localhost'
-fi
-
cat >config/application.yml <<EOF
$RAILS_ENV:
secret_token: $secret_token
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub b/tools/arvbox/lib/arvbox/docker/service/workbench2/log/main/.gitstub
new file mode 100644
index 000000000..e69de29bb
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/log/run b/tools/arvbox/lib/arvbox/docker/service/workbench2/log/run
new file mode 120000
index 000000000..d6aef4a77
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench2/log/run
@@ -0,0 +1 @@
+/usr/local/lib/arvbox/logger
\ No newline at end of file
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/run b/tools/arvbox/lib/arvbox/docker/service/workbench2/run
new file mode 100755
index 000000000..cd2f86a27
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench2/run
@@ -0,0 +1,8 @@
+#!/bin/sh
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+set -e
+
+/usr/local/lib/arvbox/runsu.sh $0-service $1
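Review bot: `$0-service $1` on the last line is unquoted, so an empty or absent first argument silently vanishes from argv and a `$0` containing whitespace would split; `"$0-service" "$1"` removes both ambiguities while preserving the `--only-deps` dispatch that run-service keys on. This presumably mirrors the other service `run` files, in which case keeping the quoting consistent across them is the better fix.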
diff --git a/tools/arvbox/lib/arvbox/docker/service/workbench2/run-service b/tools/arvbox/lib/arvbox/docker/service/workbench2/run-service
new file mode 100755
index 000000000..1aef13279
--- /dev/null
+++ b/tools/arvbox/lib/arvbox/docker/service/workbench2/run-service
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Copyright (C) The Arvados Authors. All rights reserved.
+#
+# SPDX-License-Identifier: AGPL-3.0
+
+exec 2>&1
+set -ex -o pipefail
+
+. /usr/local/lib/arvbox/common.sh
+
+cd /usr/src/workbench2
+
+npm -d install --prefix /usr/local --global yarn
+
+yarn install
+
+if test "$1" = "--only-deps" ; then
+ exit
+fi
+
+echo "{\"API_HOST\": \"${localip}:${services[controller-ssl]}\"}" > /usr/src/workbench2/public/config.json
+export HTTPS=false
+exec yarn start
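Review bot: `npm -d install --prefix /usr/local --global yarn` installs whatever yarn version the registry serves at that moment, on every start, and `yarn install` is run without `--frozen-lockfile`, so the dependency set can drift from the checkout's lockfile between two runs of the same tree; pin both (`npm -d install --prefix /usr/local --global yarn@<version>` and `yarn install --frozen-lockfile`) so the supply chain is reproducible. After `export HTTPS=false` the plaintext dev server on `${services[workbench2]}` is meant to be reached only through the nginx TLS proxy, but nothing here restricts where it binds; if `yarn start` honours `HOST`, add `export HOST=localhost` beside `HTTPS=false` so the listener is not reachable from elsewhere in the container network (arvbox does not publish that port to the host, so the exposure is internal only). `set -ex` traces every command to the log, which is fine here since no secrets pass through this script.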