diff --git a/docs/README.rst b/docs/README.rst
index e5982c7..0fb3eda 100644
--- a/docs/README.rst
+++ b/docs/README.rst
@@ -44,7 +44,22 @@ Please see `How to contribute `_ you can find `a provision script `_
+to deploy a single-node, all-in-one Arvados cluster (The script uses this formula to get a cluster up and running in Saltstack's master-less mode).
+
+The `single-node` install does not include SLURM: it is intended for an `all-in-one-host` installation,
+so it uses `crunch-dispatch-local` to run containers in the same instance.
+
+The provision script can be run anywhere, so you can run it in an AWS instance and you'll get a `single-node` Arvados cluster there.
+
+The Arvados formula allows you to `install any dispatcher available `_,
+provided you configure the pillars the way you need them.
+
+Arvados currently has three dispatchers:
+
+* **crunch-dispatch-local** (for single node installations),
+* **arvados-dispatch-cloud** (for dynamic compute on AWS or Azure) and
+* **crunch-dispatch-slurm** (for SLURM integration).
Requisites
----------
@@ -56,7 +71,10 @@ We suggest you use the `postgres-formula `_ and the
`letsencrypt-formula `_ to satisfy these dependencies.
In the **test/salt/pillar/examples/** directory there are example pillar YAMLs to set up these packages, using the mentioned formulas
-as Arvados needs them.
+as Arvados needs them.a
+
+In the **test/salt/states/examples/** directory there are some example helper states to set up a few requirements for single-node
+(all-in-one) Arvados host.
Usage
-----
diff --git a/kitchen.yml b/kitchen.yml
index 4067e1c..f2e0add 100644
--- a/kitchen.yml
+++ b/kitchen.yml
@@ -104,16 +104,14 @@ suites:
state_top:
base:
'*':
- - example_single_host_host_entries
- - example_add_snakeoil_certs
+ - single_host.host_entries
+ - single_host.snakeoil_certs
- locale
- nginx.passenger
- postgres
- arvados.repo
- arvados.api
- arvados.websocket
- # keepproxy complains when using snakeoil certs, so we can't
- # properly test it here until next version removes this limitation
- arvados.keepproxy
- arvados.keepweb
- arvados.controller
@@ -146,10 +144,8 @@ suites:
example_nginx_controller.sls: test/salt/pillar/examples/nginx_controller_configuration.sls
# yamllint enable rule:line-length
dependencies:
- - name: example_single_host_host_entries
- path: test/salt/states
- - name: example_add_snakeoil_certs
- path: test/salt/states
+ - name: single_host
+ path: test/salt/states/examples
- name: locale
repo: git
source: https://github.com/saltstack-formulas/locale-formula.git
@@ -175,8 +171,8 @@ suites:
state_top:
base:
'*':
- - example_single_host_host_entries
- - example_add_snakeoil_certs
+ - single_host.host_entries
+ - single_host.snakeoil_certs
- nginx.passenger
- arvados.repo
- arvados.workbench
@@ -197,10 +193,8 @@ suites:
example_nginx_workbench2.sls: test/salt/pillar/examples/nginx_workbench2_configuration.sls
# yamllint enable rule:line-length
dependencies:
- - name: example_single_host_host_entries
- path: test/salt/states
- - name: example_add_snakeoil_certs
- path: test/salt/states
+ - name: single_host
+ path: test/salt/states/examples
- name: nginx
repo: git
source: https://github.com/netmanagers/nginx-formula.git
diff --git a/test/salt/pillar/examples/README.rst b/test/salt/pillar/examples/README.rst
new file mode 100644
index 0000000..b0a7e85
--- /dev/null
+++ b/test/salt/pillar/examples/README.rst
@@ -0,0 +1,7 @@
+Pillar examples
+===============
+
+The files in this directory are pillar examples for the other formulas used to install
+Arvados (`locale-formula `_,
+`postgres-formula `_ and
+`nginx-formula `_.
diff --git a/test/salt/pillar/examples/nginx_passenger.sls b/test/salt/pillar/examples/nginx_passenger.sls
index 8c41acb..ec79746 100644
--- a/test/salt/pillar/examples/nginx_passenger.sls
+++ b/test/salt/pillar/examples/nginx_passenger.sls
@@ -53,8 +53,8 @@ nginx:
# - resolver: 127.0.0.1
ssl_snakeoil.conf:
- - ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
- - ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key
+ - ssl_certificate: /etc/ssl/certs/arvados-snakeoil-cert.pem
+ - ssl_certificate_key: /etc/ssl/private/arvados-snakeoil-cert.key
### SITES
servers:
diff --git a/test/salt/pillar/examples/postgresql.sls b/test/salt/pillar/examples/postgresql.sls
index aec4f13..5d800ec 100644
--- a/test/salt/pillar/examples/postgresql.sls
+++ b/test/salt/pillar/examples/postgresql.sls
@@ -7,8 +7,8 @@ postgres:
postgresconf: |-
listen_addresses = '*' # listen on all interfaces
#ssl = on
- #ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'
- #ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'
+ #ssl_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem'
+ #ssl_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key'
acls:
- ['local', 'all', 'postgres', 'peer']
- ['local', 'all', 'all', 'peer']
diff --git a/test/salt/states/example_add_snakeoil_certs/init.sls b/test/salt/states/example_add_snakeoil_certs/init.sls
deleted file mode 100644
index 158abcc..0000000
--- a/test/salt/states/example_add_snakeoil_certs/init.sls
+++ /dev/null
@@ -1,69 +0,0 @@
-{%- set curr_tpldir = tpldir %}
-{%- set tpldir = 'arvados' %}
-{%- from "arvados/map.jinja" import arvados with context %}
-{%- set tpldir = curr_tpldir %}
-
-snake_oil_certs:
- pkg.installed:
- - name: openssl
- cmd.run:
- - name: |
- cat > /tmp/openssl.cnf <<-CNF
- [req]
- default_bits = 2048
- prompt = no
- default_md = sha256
- x509_extensions = v3_req
- distinguished_name = dn
- [dn]
- C = CC
- ST = SomeState
- L = SomeLocation
- O = ArvadosFormula
- OU = R&D
- CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
- emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
- [v3_req]
- subjectAltName = @alt_names
- [alt_names]
- {%- for entry in grains.get('ipv4') %}
- IP.{{ loop.index }} = {{ entry }}
- {%- endfor %}
- {%- for entry in [
- 'keep',
- 'keep0',
- 'collections',
- 'download',
- 'ws',
- 'workbench',
- 'workbench2',
- ]
- %}
- DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
- {%- endfor %}
- CNF
-
- mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
- openssl req -config /tmp/openssl.cnf -new -x509 -days 3650 -nodes -sha256 \
- -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
- -keyout /etc/ssl/private/ssl-cert-snakeoil.key > /tmp/snake_oil_certs.output 2>&1 && \
- chmod 0644 /etc/ssl/certs/ssl-cert-snakeoil.pem && \
- chmod 0640 /etc/ssl/private/ssl-cert-snakeoil.key
- - unless: test -f /etc/ssl/private/ssl-cert-snakeoil.key
- - require:
- - pkg: openssl
-
-{%- if grains.get('os_family') == 'Debian' %}
-ssl_certs:
- pkg.installed:
- - name: ssl-cert
- - require_in:
- - sls: postgres
-
-snake_oil_certs_permissions:
- cmd.run:
- - name: |
- chown root:ssl-cert /etc/ssl/private/ssl-cert-snakeoil.key
- - require:
- - pkg: ssl_certs
-{%- endif %}
diff --git a/test/salt/states/examples/single_host/README.rst b/test/salt/states/examples/single_host/README.rst
new file mode 100644
index 0000000..b50716d
--- /dev/null
+++ b/test/salt/states/examples/single_host/README.rst
@@ -0,0 +1,17 @@
+Helper states for all-in-one setup
+==================================
+
+These states are helpful for setting up an all-in-one Arvados host.
+
+* `host_entries.sls`: adds a bunch of host entries in the `/etc/hosts` file of
+ the host instance, so all Arvados' components can find each other correctly,
+ using meaningful names.
+
+* `snakeoil_certs.sls`: Arvados uses SSL/TLS for communications, so you'll need
+ certificates for the different hosts. If you can't provide valid certificates
+ issued by a recognized CA, this state will create a SnakeOil CA and issue
+ certificates signed by it.
+
+ The certs can't be self-signed because some of the libraries that Arvados
+ uses require certs issued by a CA. For this reason, if you use this state,
+ you'll need to copy the created CA cert to your certificates' directory.
diff --git a/test/salt/states/example_single_host_host_entries/init.sls b/test/salt/states/examples/single_host/host_entries.sls
similarity index 91%
rename from test/salt/states/example_single_host_host_entries/init.sls
rename to test/salt/states/examples/single_host/host_entries.sls
index 6425448..855757e 100644
--- a/test/salt/states/example_single_host_host_entries/init.sls
+++ b/test/salt/states/examples/single_host/host_entries.sls
@@ -3,7 +3,7 @@
{%- from "arvados/map.jinja" import arvados with context %}
{%- set tpldir = curr_tpldir %}
-arvados_hosts_entries:
+arvados_test_salt_states_examples_single_host_etc_hosts_host_present:
host.present:
- ip: {{ grains.get('ipv4')[0] }}
- names:
diff --git a/test/salt/states/examples/single_host/snakeoil_certs.sls b/test/salt/states/examples/single_host/snakeoil_certs.sls
new file mode 100644
index 0000000..e6c6a96
--- /dev/null
+++ b/test/salt/states/examples/single_host/snakeoil_certs.sls
@@ -0,0 +1,148 @@
+{%- set curr_tpldir = tpldir %}
+{%- set tpldir = 'arvados' %}
+{%- from "arvados/map.jinja" import arvados with context %}
+{%- set tpldir = curr_tpldir %}
+
+include:
+ - nginx.service
+
+{%- set arvados_ca_cert_file = '/etc/ssl/certs/arvados-snakeoil-ca.pem' %}
+{%- set arvados_ca_key_file = '/etc/ssl/private/arvados-snakeoil-ca.key' %}
+{%- set arvados_cert_file = '/etc/ssl/certs/arvados-snakeoil-cert.pem' %}
+{%- set arvados_csr_file = '/etc/ssl/private/arvados-snakeoil-cert.csr' %}
+{%- set arvados_key_file = '/etc/ssl/private/arvados-snakeoil-cert.key' %}
+
+{%- if grains.get('os_family') == 'Debian' %}
+ {%- set arvados_ca_cert_dest = '/usr/local/share/ca-certificates/arvados-snakeoil-ca.crt' %}
+ {%- set update_ca_cert = '/usr/sbin/update-ca-certificates' %}
+ {%- set openssl_conf = '/etc/ssl/openssl.cnf' %}
+{%- else %}
+ {%- set arvados_ca_cert_dest = '/etc/pki/ca-trust/source/anchors/arvados-snakeoil-ca.pem' %}
+ {%- set update_ca_cert = '/usr/bin/update-ca-trust' %}
+ {%- set openssl_conf = '/etc/pki/tls/openssl.cnf' %}
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed:
+ pkg.installed:
+ - pkgs:
+ - openssl
+ - ca-certificates
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run:
+ # Taken from https://github.com/arvados/arvados/blob/master/tools/arvbox/lib/arvbox/docker/service/certificate/run
+ cmd.run:
+ - name: |
+ # These dirs are not to CentOS-ish, but this is a helper script
+ # and they should be enough
+ mkdir -p /etc/ssl/certs/ /etc/ssl/private/ && \
+ openssl req \
+ -new \
+ -nodes \
+ -sha256 \
+ -x509 \
+ -subj "/C=CC/ST=Some State/O=Arvados Formula/OU=arvados-formula/CN=snakeoil-ca-{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}" \
+ -extensions x509_ext \
+ -config <(cat {{ openssl_conf }} \
+ <(printf "\n[x509_ext]\nbasicConstraints=critical,CA:true,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign")) \
+ -out {{ arvados_ca_cert_file }} \
+ -keyout {{ arvados_ca_key_file }} \
+ -days 3650 && \
+ cp {{ arvados_ca_cert_file }} {{ arvados_ca_cert_dest }} && \
+ {{ update_ca_cert }}
+ - unless:
+ - test -f {{ arvados_ca_cert_file }}
+ - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_ca_cert_file }}
+ - require:
+ - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run:
+ cmd.run:
+ - name: |
+ cat > /tmp/openssl.cnf <<-CNF
+ [req]
+ default_bits = 2048
+ prompt = no
+ default_md = sha256
+ req_extensions = rext
+ distinguished_name = dn
+ [dn]
+ C = CC
+ ST = Some State
+ L = Some Location
+ O = Arvados Formula
+ OU = arvados-formula
+ CN = {{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ emailAddress = admin@{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ [rext]
+ subjectAltName = @alt_names
+ [alt_names]
+ {%- for entry in grains.get('ipv4') %}
+ IP.{{ loop.index }} = {{ entry }}
+ {%- endfor %}
+ {%- for entry in [
+ 'keep',
+ 'collections',
+ 'download',
+ 'ws',
+ 'workbench',
+ 'workbench2',
+ ]
+ %}
+ DNS.{{ loop.index }} = {{ entry }}.{{ arvados.cluster.name }}.{{ arvados.cluster.domain }}
+ {%- endfor %}
+ CNF
+
+ # The req
+ openssl req \
+ -config /tmp/openssl.cnf \
+ -new \
+ -nodes \
+ -sha256 \
+ -out {{ arvados_csr_file }} \
+ -keyout {{ arvados_key_file }} > /tmp/snake_oil_certs.output 2>&1 && \
+ # The cert
+ openssl x509 \
+ -req \
+ -days 3650 \
+ -in {{ arvados_csr_file }} \
+ -out {{ arvados_cert_file }} \
+ -extfile /tmp/openssl.cnf \
+ -extensions rext \
+ -CA {{ arvados_ca_cert_file }} \
+ -CAkey {{ arvados_ca_key_file }} \
+ -set_serial $(date +%s) && \
+ chmod 0644 {{ arvados_cert_file }} && \
+ chmod 0640 {{ arvados_key_file }}
+ - unless:
+ - test -f {{ arvados_key_file }}
+ - openssl verify -CAfile {{ arvados_ca_cert_file }} {{ arvados_cert_file }}
+ - require:
+ - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_dependencies_pkg_installed
+ - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_ca_cmd_run
+
+{%- if grains.get('os_family') == 'Debian' %}
+arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed:
+ pkg.installed:
+ - name: ssl-cert
+ - require_in:
+ - sls: postgres
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_certs_permissions_cmd_run:
+ cmd.run:
+ - name: |
+ chown root:ssl-cert {{ arvados_key_file }}
+ - require:
+ - cmd: arvados_test_salt_states_examples_single_host_snakeoil_certs_arvados_snake_oil_cert_cmd_run
+ - pkg: arvados_test_salt_states_examples_single_host_snakeoil_certs_ssl_cert_pkg_installed
+{%- endif %}
+
+arvados_test_salt_states_examples_single_host_snakeoil_certs_nginx_snakeoil_file_managed:
+ file.managed:
+ - name: /etc/nginx/snippets/arvados-snakeoil.conf
+ - contents: |
+ ssl_certificate {{ arvados_cert_file }};
+ ssl_certificate_key {{ arvados_key_file }};
+ - watch_in:
+ - service: nginx_service
+
+
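Review bot: The snakeoil CA private key is written unencrypted (`-nodes`, `-keyout {{ arvados_ca_key_file }}`) and the CA `cmd.run` never sets its mode or owner, although the same command installs that CA into the host trust store via `{{ update_ca_cert }}`; only the leaf key gets `chmod 0640` later. Its permissions therefore depend on the OpenSSL version and the umask, and where `mkdir -p` has to create `/etc/ssl/private/` the directory gets default permissions too, so I would add `chmod 0600 {{ arvados_ca_key_file }} && \` right after the `openssl req` call and create the directory with an explicit restrictive mode. The second `cmd.run` also writes `/tmp/openssl.cnf` and `/tmp/snake_oil_certs.output` as root under fixed names; a directory from `mktemp -d` (or a root-only path) would avoid writing through a pre-existing file or symlink there. Separately, `-config <(cat ...)` is bash process substitution, so this state presumably fails if the minion's default shell is not bash; `- shell: /bin/bash` on that `cmd.run` would make the requirement explicit.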