Arvados upgrade notes

For Arvados administrators, this page will cover what you need to know and do in order to ensure a smooth upgrade of your Arvados installation. For general release notes covering features added and bugs fixed, see Arvados releases.

Upgrade instructions can be found at Maintenance and upgrading.

Upgrade notes

Some versions introduce changes that require special attention when upgrading: e.g., there is a new service to install, or there is a change to the default configuration that you might need to override in order to preserve the old behavior. These notes are listed below, organized by release version. Scroll down to the version number you are upgrading to.

v2.4.4 (2022-11-18)

previous: Upgrading to 2.4.3

This update only consists of improvements to arvados-cwl-runner. There are no changes to backend services.

v2.4.3 (2022-09-21)

previous: Upgrading to 2.4.2

Fixed PAM authentication security vulnerability

In Arvados 2.4.2 and earlier, when using PAM authentication, if a user
presented valid credentials but the account is disabled or otherwise
not allowed to access the host, it would still be accepted for access
to Arvados. From 2.4.3 onwards, Arvados now also checks that the
account is permitted to access the host before completing the PAM login
process.

Other authentication methods (LDAP, OpenID Connect) are not affected
by this flaw.

v2.4.2 (2022-08-09)

previous: Upgrading to 2.4.1

GHSL-2022-063

GitHub Security Lab (GHSL) reported a remote code execution (RCE) vulnerability in the Arvados Workbench that allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

This vulnerability is fixed in 2.4.2 (#19316).

It is likely that this vulnerability exists in all versions of Arvados up to 2.4.1.

This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack.

CVE-2022-31163 and CVE-2022-32224

As a precaution, Arvados 2.4.2 has includes security updates for Ruby on Rails and the TZInfo Ruby gem. However, there are no known exploits in Arvados based on these CVEs.

Disable Sharing URLs UI

There is now a configuration option Workbench.DisableSharingURLsUI for admins to disable the user interface for “sharing link” feature (URLs which can be sent to users to access the data in a specific collection in Arvados without an Arvados account), for organizations where sharing links violate their data sharing policy.

v2.4.1 (2022-06-02)

previous: Upgrading to 2.4.0

New proxy parameters for arvados-controller

We now recommend disabling nginx proxy caching for arvados-controller, to avoid truncation of large responses.

In your Nginx configuration file (/etc/nginx/conf.d/arvados-api-and-controller.conf), add the following lines to the location / block with http://controller (see Update nginx configuration for an example) and reload/restart Nginx (sudo nginx -s reload).

    proxy_max_temp_file_size 0;
    proxy_request_buffering  off;
    proxy_buffering          off;
    proxy_http_version       1.1;

Now recommending Singularity 3.9.9

The compute image build script now installs Singularity 3.9.9 instead of 3.7.4. The newer version includes a bugfix that should resolve intermittent loopback device errors when running containers.

Changes to arvados-cwl-runner --create-workflow and --update-workflow

When using arvados-cwl-runner --create-workflow or --update-workflow, by default it will now make a copy of all collection and Docker image dependencies in the target project. Running workflows retains the old behavior (use the dependencies wherever they are found). The can be controlled explicit with --copy-deps and --no-copy-deps.

v2.4.0 (2022-04-08)

previous: Upgrading to 2.3.1

Default result order changed

When requesting a list of objects without an explicit order parameter, the default order has changed from modified_at desc, uuid asc to modified_at desc, uuid desc. This means that if two objects have identical modified_at timestamps, the tiebreaker will now be based on uuid in decending order where previously it would be ascending order. The practical effect of this should be minor; with microsecond precision it is unusual to have two records with exactly the same timestamp, and order-sensitive queries should already provide an explicit order parameter.

Ubuntu 18.04 Arvados Python packages now depend on python-3.8

Ubuntu 18.04 ships with Python 3.6 as the default version of Python 3. Ubuntu also ships a version of Python 3.8, and the Arvados Python packages (python3-arvados-cwl-runner, python3-arvados-fuse, python3-arvados-python-client, python3-arvados-user-activity and python3-crunchstat-summary) now depend on the python-3.8 system package.

This means that they are now installed under /usr/share/python3.8 (before, the path was /usr/share/python3). If you rely on the python3 executable from the packages (e.g. to load a virtualenv), you may need to update the path to that executable.

Minimum supported Ruby version is now 2.6

The minimum supported Ruby version is now 2.6. If you are running Arvados on Debian 10 or Ubuntu 18.04, you may need to switch to using RVM or upgrade your OS. See Install Ruby and Bundler for more information.

Anonymous token changes

The anonymous token configured in Users.AnonymousUserToken must now be 32 characters or longer. This was already the suggestion in the documentation, now it is enforced. The script/get_anonymous_user_token.rb script that was needed to register the anonymous user token in the database has been removed. Registration of the anonymous token is no longer necessary.

Preemptible instance support changes

The Containers.UsePreemptibleInstances option has been renamed to Containers.AlwaysUsePreemptibleInstances and has the same behavior when true and one or more preemptible instances are configured. However, a value of false no longer disables support for preemptible instances, instead users can now enable use of preemptible instances at the level of an individual workflow or workflow step.

In addition, there is a new configuration option Containers.PreemptiblePriceFactor will automatically add a preemptible instance type corresponding to each regular instance type. See Using Preemptible instances for details.

Default LSF arguments have changed

If you use LSF and your configuration specifies Containers.LSF.BsubArgumentsList, you should update it to include the new arguments ("-R", "select[mem>=%MMB]", ..., see configuration reference). Otherwise, containers that are too big to run on any LSF host will remain in the LSF queue instead of being cancelled.

Support for NVIDIA CUDA GPUs

Arvados now supports requesting NVIDIA CUDA GPUs for cloud and LSF (Slurm is currently not supported). To be able to request GPU nodes, some additional configuration is needed:

Including GPU support in cloud compute node image

Configure cloud dispatcher for GPU support

LSF GPU configuration

Role groups are visible to all users by default

The permission model has changed such that all role groups are visible to all active users. This enables users to share objects with groups they don’t belong to. To preserve the previous behavior, where role groups are only visible to members and admins, add RoleGroupsVisibleToAll: false to the Users section of your configuration file.

Previously trashed role groups will be deleted

Due to a bug in previous versions, the DELETE operation on a role group caused the group to be flagged as trash in the database, but continue to grant permissions regardless. After upgrading, any role groups that had been trashed this way will be deleted. This might surprise some users if they were relying on permissions that were still in effect due to this bug. Future DELETE operations on a role group will immediately delete the group and revoke the associated permissions.

Dedicated keepstore process for each container

When Arvados runs a container via arvados-dispatch-cloud, the crunch-run supervisor process now brings up its own keepstore server to handle I/O for mounted collections, outputs, and logs. With the default configuration, the keepstore process allocates one 64 MiB block buffer per VCPU requested by the container. For most workloads this will increase throughput, reduce total network traffic, and make it possible to run more containers at once without provisioning additional keepstore nodes to handle the I/O load.

  • If you have containers that can effectively handle multiple I/O threads per VCPU, consider increasing the Containers.LocalKeepBlobBuffersPerVCPU value.
  • If you already have a robust permanent keepstore infrastructure, you can set Containers.LocalKeepBlobBuffersPerVCPU to 0 to disable this feature and preserve the previous behavior of sending container I/O traffic to your separately provisioned keepstore servers.
  • This feature is enabled only if no volumes use AccessViaHosts, and no volumes have underlying Replication less than Collections.DefaultReplication. If the feature is configured but cannot be enabled due to an incompatible volume configuration, this will be noted in the crunch-run.txt file in the container log.

v2.3.1 (2021-11-24)

previous: Upgrading to 2.3.0

Users are visible to other users by default

When a new user is set up (either via AutoSetupNewUsers config or via Workbench admin interface) the user immediately becomes visible to other users. To revert to the previous behavior, where the administrator must add two users to the same group using the Workbench admin interface in order for the users to see each other, change the new Users.ActivatedUsersAreVisibleToOthers config to false.

Backend support for vocabulary checking

If your installation uses the vocabulary feature on Workbench2, you will need to update the cluster configuration by moving the vocabulary definition file to the node where controller runs, and set the API.VocabularyPath configuration parameter to the local path where the file was placed.
This will enable the vocabulary checking cluster-wide, including Workbench2. The Workbench.VocabularyURL configuration parameter is deprecated and will be removed in a future release.
You can read more about how this feature works on the admin page.

v2.3.0 (2021-10-27)

previous: Upgrading to 2.2.0

Ubuntu 18.04 packages for arvados-api-server and arvados-workbench now conflict with ruby-bundler

Ubuntu 18.04 ships with Bundler version 1.16.1, which is no longer compatible with the Gemfiles in the Arvados packages (made with Bundler 2.2.19). The Ubuntu 18.04 packages for arvados-api-server and arvados-workbench now conflict with the ruby-bundler package to work around this issue. The post-install scripts for arvados-api-server and arvados-workbench install the proper version of Bundler as a gem.

Removed unused update_uuid endpoint for users.

The update_uuid endpoint was superseded by the link accounts feature, so it’s no longer available.

Removed deprecated ‘@@’ search operator

The ‘@@’ full text search operator, previously deprecated, has been removed. To perform a string search across multiple columns, use the ‘ilike’ operator on ‘any’ column as described in the available list method filter section of the API documentation.

Storage classes must be defined explicitly

If your configuration uses the StorageClasses attribute on any Keep volumes, you must add a new StorageClasses section that lists all of your storage classes. Refer to the updated documentation about configuring storage classes for details.

keep-balance requires access to PostgreSQL

Make sure the keep-balance process can connect to your PostgreSQL server using the settings in your config file. (In previous versions, keep-balance accessed the database through controller instead of connecting to the database server directly.)

crunch-dispatch-local now requires config.yml

The crunch-dispatch-local dispatcher now reads the API host and token from the system wide /etc/arvados/config.yml . It will fail to start that file is not found or not readable.

Multi-file docker image collections

Typically a docker image collection contains a single .tar file at the top level. Handling of atypical cases has changed. If a docker image collection contains files with extensions other than .tar, they will be ignored (previously they could cause errors). If a docker image collection contains multiple .tar files, it will cause an error at runtime, “cannot choose from multiple tar files in image collection” (previously one of the .tar files was selected). Subdirectories are ignored. The arv keep docker command always creates a collection with a single .tar file, and never uses subdirectories, so this change will not affect most users.

v2.2.0 (2021-06-03)

previous: Upgrading to 2.1.0

New spelling of S3 credential configs

If you use the S3 driver for Keep volumes and specify credentials in your configuration file (as opposed to using an IAM role), you should change the spelling of the AccessKey and SecretKey config keys to AccessKeyID and SecretAccessKey. If you don’t update them, the previous spellings will still be accepted, but warnings will be logged at server startup.

New proxy parameters for arvados-controller

In your Nginx configuration file (/etc/nginx/conf.d/arvados-api-and-controller.conf), add the following lines to the location / block with http://controller (see Update nginx configuration for an example) and reload/restart Nginx (sudo nginx -s reload).

    proxy_set_header      Upgrade           $http_upgrade;
    proxy_set_header      Connection        "upgrade";

Changes on the collection’s preserve_version attribute semantics

The preserve_version attribute on collections was originally designed to allow clients to persist a preexisting collection version. This forced clients to make 2 requests if the intention is to “make this set of changes in a new version that will be kept”, so we have changed the semantics to do just that: When passing preserve_version=true along with other collection updates, the current version is persisted and also the newly created one will be persisted on the next update.

System token requirements

System services now log a warning at startup if any of the system tokens (ManagementToken, SystemRootToken, and Collections.BlobSigningKey) are less than 32 characters, or contain characters other than a-z, A-Z, and 0-9. After upgrading, run arvados-server config-check and update your configuration file if needed to resolve any warnings.

The API.RailsSessionSecretToken configuration key has been removed. Delete this entry from your configuration file after upgrading.

Centos7 Python 3 dependency upgraded to python3

Now that Python 3 is part of the base repository in CentOS 7, the Python 3 dependency for Centos7 Arvados packages was changed from SCL rh-python36 to python3.

ForceLegacyAPI14 option removed

The ForceLegacyAPI14 configuration option has been removed. In the unlikely event it is mentioned in your config file, remove it to avoid “deprecated/unknown config” warning logs.

v2.1.0 (2020-10-13)

previous: Upgrading to 2.0.0

LoginCluster conflicts with other Login providers

A satellite cluster that delegates its user login to a central user database must only have `Login.LoginCluster` set, or it will return an error. This is a change in behavior, previously it would return an error if another login provider was not configured, even though the provider would never be used.

Minimum supported Python version is now 3.5

We no longer publish Python 2 based distribution packages for our Python components. There are equivalent packages based on Python 3, but their names are slightly different. If you were using the Python 2 based packages, you can install the Python 3 based package for a drop in replacement. On Debian and Ubuntu:

    apt remove python-arvados-fuse && apt install python3-arvados-fuse
    apt remove python-arvados-python-client && apt install python3-arvados-python-client
    apt remove python-arvados-cwl-runner && apt install python3-arvados-cwl-runner
    apt remove python-crunchstat-summary && apt install python3-crunchstat-summary
    apt remove python-cwltest && apt install python3-cwltest

On CentOS:

    yum remove python-arvados-fuse && yum install python3-arvados-fuse
    yum remove python-arvados-python-client && yum install python3-arvados-python-client
    yum remove python-arvados-cwl-runner && yum install python3-arvados-cwl-runner
    yum remove python-crunchstat-summary && yum install python3-crunchstat-summary
    yum remove python-cwltest && yum install python3-cwltest

Minimum supported Ruby version is now 2.5

The minimum supported Ruby version is now 2.5. If you are running Arvados on Debian 9 or Ubuntu 16.04, you may need to switch to using RVM or upgrade your OS. See Install Ruby and Bundler for more information.

Removing libpam-arvados, replaced with libpam-arvados-go

The Python-based PAM package has been replaced with a version written in Go. See using PAM for authentication for details.

Removing sso-provider

The SSO (single sign-on) component is deprecated and will not be supported in future releases. Existing configurations will continue to work in this release, but you should switch to one of the built-in authentication mechanisms as soon as possible. See setting up web based login for details.

After migrating your configuration, uninstall the arvados-sso-provider package.

S3 signatures

Keepstore now uses V4 signatures by default for S3 requests. If you are using Amazon S3, no action is needed; all regions support V4 signatures. If you are using a different S3-compatible service that does not support V4 signatures, add V2Signature: true to your volume driver parameters to preserve the old behavior. See configuring S3 object storage.

New permission system constraints

Some constraints on the permission system have been added, in particular role and project group types now have distinct behavior. These constraints were already de-facto imposed by the Workbench UI, so on most installations the only effect of this migration will be to reassign role groups to the system user and create a can_manage permission link for the previous owner.

  1. The group_class field must be either role or project. Invalid group_class are migrated to role.
  2. A role cannot own things. Anything owned by a role is migrated to a can_manage link and reassigned to the system user.
  3. Only role and user can have outgoing permission links. Permission links originating from projects are deleted by the migration.
  4. A role is always owned by the system_user. When a group is created, it creates a can_manage link for the object that would have been assigned to owner_uuid. Migration adds can_manage links and reassigns roles to the system user. This also has the effect of requiring that all role groups have unique names on the system. If there is a name collision during migration, roles will be renamed to ensure they are unique.
  5. A permission link can have the permission level (name) updated but not head_uuid, tail_uuid or link_class.

The arvados-sync-groups tool has been updated to reflect these constraints, so it is important to use the version of arvados-sync-groups that matches the API server version.

Before upgrading, use the following commands to find out which groups and permissions in your database will be automatically modified or deleted during the upgrade.

To determine which groups have invalid group_class (these will be migrated to role groups):

arv group list --filters '[["group_class", "not in", ["project", "role"]]]'

To list all role groups, which will be reassigned to the system user (unless owner_uuid is already the system user):

arv group list --filters '[["group_class", "=", "role"]]'

To list which project groups have outgoing permission links (such links are now invalid and will be deleted by the migration):

for uuid in $(arv link list --filters '[["link_class", "=", "permission"], ["tail_uuid", "like", "%-j7d0g-%"]]' |
              jq -r .items[].tail_uuid | sort | uniq) ; do
   arv group list --filters '[["group_class", "=", "project"], ["uuid", "=", "'$uuid'"]]' | jq .items
done

“Public favorites” moved to their own project

As a side effect of new permission system constraints, “star” links (indicating shortcuts in Workbench) that were previously owned by “All users” (which is now a “role” and cannot own things) will be migrated to a new system project called “Public favorites” which is readable by the “Anonymous users” role.

v2.0.0 (2020-02-07)

previous: Upgrading to 1.4.1

Arvados 2.0 is a major upgrade, with many changes. Please read these upgrade notes carefully before you begin.

Migrating to centralized config.yml

See Migrating Configuration for notes on migrating legacy per-component configuration files to the new centralized /etc/arvados/config.yml.

To ensure a smooth transition, the per-component config files continue to be read, and take precedence over the centralized configuration. Your cluster should continue to function after upgrade but before doing the full configuration migration. However, several services (keepstore, keep-web, keepproxy) require a minimal `/etc/arvados/config.yml` to start:

Clusters:
  zzzzz:
    Services:
      Controller:
        ExternalURL: "https://zzzzz.example.com"

Keep-balance configuration migration

(feature #14714 ) The keep-balance service can now be configured using the centralized configuration file at /etc/arvados/config.yml. The following command line and configuration options have changed.

You can no longer specify types of keep services to balance via the KeepServiceTypes config option in the legacy config at /etc/arvados/keep-balance/keep-balance.yml. If you are still using the legacy config and KeepServiceTypes has a value other than “disk”, keep-balance will produce an error.

You can no longer specify individual keep services to balance via the config.KeepServiceList command line option or KeepServiceList legacy config option. Instead, keep-balance will operate on all keepstore servers with service_type:disk as reported by the arv keep_service list command. If you are still using the legacy config, KeepServiceList should be removed or keep-balance will produce an error.

Please see the config migration guide and keep-balance install guide for more details.

Arv-git-httpd configuration migration

(feature #14712 ) The arv-git-httpd package can now be configured using the centralized configuration file at /etc/arvados/config.yml. Configuration via individual command line arguments is no longer available. Please see arv-git-httpd’s config migration guide for more details.

Keepstore and keep-web configuration migration

keepstore and keep-web no longer support configuration via (previously deprecated) command line configuration flags and environment variables.

keep-web now supports the legacy keep-web.yml config format (used by Arvados 1.4) and the new cluster config file format. Please check keep-web’s install guide for more details.

keepstore now supports the legacy keepstore.yml config format (used by Arvados 1.4) and the new cluster config file format. Please check the keepstore config migration notes and keepstore install guide for more details.

Keepproxy configuration migration

(feature #14715 ) Keepproxy can now be configured using the centralized config at /etc/arvados/config.yml. Configuration via individual command line arguments is no longer available and the DisableGet, DisablePut, and PIDFile configuration options are no longer supported. If you are still using the legacy config and DisableGet or DisablePut are set to true or PIDFile has a value, keepproxy will produce an error and fail to start. Please see keepproxy’s config migration guide for more details.

Delete “keep_services” records

After all keepproxy and keepstore configurations have been migrated to the centralized configuration file, all keep_services records you added manually during installation should be removed. System logs from keepstore and keepproxy at startup, as well as the output of arvados-server config-check, will remind you to do this.

$ export ARVADOS_API_HOST=...
$ export ARVADOS_API_TOKEN=...
$ arv --format=uuid keep_service list | xargs -n1 arv keep_service delete --uuid

Once these old records are removed, arv keep_service list will instead return the services listed under Services/Keepstore/InternalURLs and Services/Keepproxy/ExternalURL in your centralized configuration file.

Enabling Postgres trigram indexes

Feature #15106 improves the speed and functionality of full text search by introducing trigram indexes on text searchable database columns via a migration. Prior to updating, you must first install the postgresql-contrib package on your system and subsequently run the CREATE EXTENSION pg_trgm SQL command on the arvados_production database as a postgres superuser.

The postgres-contrib package has been supported since PostgreSQL version 9.4. The version of the contrib package should match the version of your PostgreSQL installation. Using 9.5 as an example, the package can be installed and the extension enabled using the following:

Centos 7

~$ sudo yum install -y postgresql95-contrib
~$ su - postgres -c "psql -d 'arvados_production' -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm'"

RHEL 7

~$ sudo yum install -y rh-postgresql95-postgresql-contrib
~$ su - postgres -c "psql -d 'arvados_production' -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm'"

Debian or Ubuntu

~$ sudo apt-get install -y postgresql-contrib-9.5
~$ sudo -u postgres psql -d 'arvados_production' -c 'CREATE EXTENSION IF NOT EXISTS pg_trgm'

Subsequently, the psql -d 'arvados_production' -c '\dx' command will display the installed extensions for the arvados_production database. This list should now contain pg_trgm.

New Workbench 2

Workbench 2 is now ready for regular use. Follow the instructions to install workbench 2

New property vocabulary format for Workbench2

(feature #14151) Workbench2 supports a new vocabulary format and it isn’t compatible with the previous one, please read the metadata vocabulary format admin page for more information.

Cloud installations only: node manager replaced by arvados-dispatch-cloud

Node manager is deprecated and replaced by arvados-dispatch-cloud. No automated config migration is available. Follow the instructions to install the cloud dispatcher

Only one dispatch process should be running at a time. If you are migrating a system that currently runs Node manager and crunch-dispatch-slurm, it is safest to remove the crunch-dispatch-slurm service entirely before installing arvados-dispatch-cloud.

~$ sudo systemctl --now disable crunch-dispatch-slurm
~$ sudo apt-get remove crunch-dispatch-slurm

Jobs API is read-only

(task #15133 ) The legacy ‘jobs’ API is now read-only. It has been superceded since Arvados 1.1 by containers / container_requests (aka crunch v2). Arvados installations since the end of 2017 (v1.1.0) have probably only used containers, and are unaffected by this change.

So that older Arvados sites don’t lose access to legacy records, the API has been converted to read-only. Creating and updating jobs (and related types job_task, pipeline_template and pipeline_instance) is disabled and much of the business logic related has been removed, along with various other code specific to the jobs API. Specifically, the following programs associated with the jobs API have been removed: crunch-dispatch.rb, crunch-job, crunchrunner, arv-run-pipeline-instance, arv-run.

“/” prohibited in collection and project names

(issue #15836) By default, Arvados now rejects new names containing the / character when creating or renaming collections and projects. Previously, these names were permitted, but the resulting objects were invisible in the WebDAV “home” tree. If you prefer, you can restore the previous behavior, and optionally configure a substitution string to make the affected objects accessible via WebDAV. See ForwardSlashNameSubstitution in the configuration reference.

No longer stripping ‘:’ from strings in serialized database columns

(bug #15311 ) Strings read from serialized columns in the database with a leading ‘:’ would have the ‘:’ stripped after loading the record. This behavior existed due to legacy serialization behavior which stored Ruby symbols with a leading ‘:’. Unfortunately this corrupted fields where the leading “:” was intentional. This behavior has been removed.

You can test if any records in your database are affected by going to the API server directory and running bundle exec rake symbols:check. This will report which records contain fields with a leading ‘:’ that would previously have been stripped. If there are records to be updated, you can update the database using bundle exec rake symbols:stringify.

Scoped tokens should use PATCH for updates

The API server accepts both PUT and PATCH for updates, but they will be normalized to PATCH by arvados-controller. Scoped tokens should be updated accordingly.

v1.4.1 (2019-09-20)

previous: Upgrading to 1.4.0

Centos7 Python 3 dependency upgraded to rh-python36

The Python 3 dependency for Centos7 Arvados packages was upgraded from rh-python35 to rh-python36.

v1.4.0 (2019-06-05)

previous: Upgrading to 1.3.3

Populating the new file_count and file_size_total columns on the collections table

As part of story #14484, two new columns were added to the collections table in a database migration. If your installation has a large collections table, this migration may take some time. We’ve seen it take ~5 minutes on an installation with 250k collections, but your mileage may vary.

The new columns are initialized with a zero value. In order to populate them, it is necessary to run a script called populate-file-info-columns-in-collections.rb from the scripts directory of the API server. This can be done out of band, ideally directly after the API server has been upgraded to v1.4.0.

Stricter collection manifest validation on the API server

As a consequence of #14482, the Ruby SDK does a more rigorous collection manifest validation. Collections created after 2015-05 are unlikely to be invalid, however you may check for invalid manifests using the script below.

You could set up a new rvm gemset and install the specific arvados gem for testing, like so:

~$ rvm gemset create rubysdk-test
~$ rvm gemset use rubysdk-test
~$ gem install arvados -v 1.3.1.20190301212059

Next, you can run the following script using admin credentials, it will scan the whole collection database and report any collection that didn’t pass the check:

require 'arvados'
require 'arvados/keep'

api = Arvados.new
offset = 0
batch_size = 100
invalid = []

while true
    begin
        req = api.collection.index(
            :select => [:uuid, :created_at, :manifest_text],
            :include_trash => true, :include_old_versions => true,
            :limit => batch_size, :offset => offset)
    rescue
        invalid.each {|c| puts "#{c[:uuid]} (Created at #{c[:created_at]}): #{c[:error]}" }
        raise
    end

    req[:items].each do |col|
        begin
            Keep::Manifest.validate! col[:manifest_text]
        rescue Exception => e
            puts "Collection #{col[:uuid]} manifest not valid"
            invalid << {uuid: col[:uuid], error: e, created_at: col[:created_at]}
        end
    end
    puts "Checked #{offset} / #{req[:items_available]} - Invalid: #{invalid.size}"
    offset += req[:limit]
    break if offset > req[:items_available]
end

if invalid.empty?
    puts "No invalid collection manifests found"
else
    invalid.each {|c| puts "#{c[:uuid]} (Created at #{c[:created_at]}): #{c[:error]}" }
end

The script will return a final report enumerating any invalid collection by UUID, with its creation date and error message so you can take the proper correction measures, if needed.

Python packaging change

As part of story #9945, the distribution packaging (deb/rpm) of our Python packages has changed. These packages now include a built-in virtualenv to reduce dependencies on system packages. We have also stopped packaging and publishing backports for all the Python dependencies of our packages, as they are no longer needed.

One practical consequence of this change is that the use of the Arvados Python SDK (aka “import arvados”) will require a tweak if the SDK was installed from a distribution package. It now requires the loading of the virtualenv environment from our packages. The Install documentation for the Arvados Python SDK reflects this change. This does not affect the use of the command line tools (e.g. arv-get, etc.).

Python scripts that rely on the distribution Arvados Python SDK packages to import the Arvados SDK will need to be tweaked to load the correct Python environment.

This can be done by activating the virtualenv outside of the script:

~$ source /usr/share/python2.7/dist/python-arvados-python-client/bin/activate
(python-arvados-python-client) ~$ path-to-the-python-script

Or alternatively, by updating the shebang line at the start of the script to:

#!/usr/share/python2.7/dist/python-arvados-python-client/bin/python

python-arvados-cwl-runner deb/rpm package now conflicts with python-cwltool deb/rpm package

As part of story #9945, the distribution packaging (deb/rpm) of our Python packages has changed. The python-arvados-cwl-runner package now includes a version of cwltool. If present, the python-cwltool and cwltool distribution packages will need to be uninstalled before the python-arvados-cwl-runner deb or rpm package can be installed.

Centos7 Python 3 dependency upgraded to rh-python35

As part of story #9945, the Python 3 dependency for Centos7 Arvados packages was upgraded from SCL python33 to rh-python35.

Centos7 package for libpam-arvados depends on the python-pam package, which is available from EPEL

As part of story #9945, it was discovered that the Centos7 package for libpam-arvados was missing a dependency on the python-pam package, which is available from the EPEL repository. The dependency has been added to the libpam-arvados package. This means that going forward, the EPEL repository will need to be enabled to install libpam-arvados on Centos7.

New configuration

Arvados is migrating to a centralized configuration file for all components. During the migration, legacy configuration files will continue to be loaded. See Migrating Configuration for details.

v1.3.3 (2019-05-14)

previous: Upgrading to 1.3.0

This release corrects a potential data loss issue, if you are running Arvados 1.3.0 or 1.3.1 we strongly recommended disabling keep-balance until you can upgrade to 1.3.3 or 1.4.0. With keep-balance disabled, there is no chance of data loss.

We’ve put together a wiki page which outlines how to recover blocks which have been put in the trash, but not yet deleted, as well as how to identify any collections which have missing blocks so that they can be regenerated. The keep-balance component has been enhanced to provide a list of missing blocks and affected collections and we’ve provided a utility script which can be used to identify the workflows that generated those collections and who ran those workflows, so that they can be rerun.

v1.3.0 (2018-12-05)

previous: Upgrading to 1.2

This release includes several database migrations, which will be executed automatically as part of the API server upgrade. On large Arvados installations, these migrations will take a while. We’ve seen the upgrade take 30 minutes or more on installations with a lot of collections.

The arvados-controller component now requires the /etc/arvados/config.yml file to be present.

Support for the deprecated “jobs” API is broken in this release. Users who rely on it should not upgrade. This will be fixed in an upcoming 1.3.1 patch release, however users are encouraged to migrate as support for the “jobs” API will be dropped in an upcoming release. Users who are already using the “containers” API are not affected.

v1.2.1 (2018-11-26)

There are no special upgrade notes for this release.

v1.2.0 (2018-09-05)

previous: Upgrading to 1.1.2 or 1.1.3

Regenerate Postgres table statistics

It is recommended to regenerate the table statistics for Postgres after upgrading to v1.2.0. If autovacuum is enabled on your installation, this script would do the trick:

#!/bin/bash

set -e
set -u

tables=`echo "\dt" | psql arvados_production | grep public|awk -e '{print $3}'`

for t in $tables; do
    echo "echo 'analyze $t' | psql arvados_production"
    time echo "analyze $t" | psql arvados_production
done

If you also need to do the vacuum, you could adapt the script to run ‘vacuum analyze’ instead of ‘analyze’.

New component: arvados-controller

Commit db5107dca adds a new system service, arvados-controller. More detail is available in story #13496.

To add the Arvados Controller to your system please refer to the installation instructions after upgrading your system to 1.2.0.

Verify your setup by confirming that API calls appear in the controller’s logs (e.g., journalctl -fu arvados-controller) while loading a workbench page.

v1.1.4 (2018-04-10)

previous: Upgrading to 1.1.3

arvados-cwl-runner regressions (2018-04-05)

Secondary files missing from toplevel workflow inputs

This only affects workflows that rely on implicit discovery of secondaryFiles.

If a workflow input does not declare secondaryFiles corresponding to the secondaryFiles of workflow steps which use the input, the workflow would inconsistently succeed or fail depending on whether the input values were specified as local files or referenced an existing collection (and whether the existing collection contained the secondary files or not). To ensure consistent behavior, the workflow is now required to declare in the top level workflow inputs any secondaryFiles that are expected by workflow steps.

As an example, the following workflow will fail because the toplevel_input does not declare the secondaryFiles that are expected by step_input:

class: Workflow
cwlVersion: v1.0
inputs:
  toplevel_input: File
outputs: []
steps:
  step1:
    in:
      step_input: toplevel_input
    out: []
    run:
      id: sub
      class: CommandLineTool
      inputs:
        step_input:
          type: File
          secondaryFiles:
            - .idx
      outputs: []
      baseCommand: echo

When run, this produces an error like this:

cwltool ERROR: [step step1] Cannot make job: Missing required secondary file 'hello.txt.idx' from file object: {
    "basename": "hello.txt",
    "class": "File",
    "location": "keep:ade9d0e032044bd7f58daaecc0d06bc6+51/hello.txt",
    "size": 0,
    "nameroot": "hello",
    "nameext": ".txt",
    "secondaryFiles": []
}

To fix this error, add the appropriate secondaryFiles section to toplevel_input

class: Workflow
cwlVersion: v1.0
inputs:
  toplevel_input:
    type: File
    secondaryFiles:
      - .idx
outputs: []
steps:
  step1:
    in:
      step_input: toplevel_input
    out: []
    run:
      id: sub
      class: CommandLineTool
      inputs:
        step_input:
          type: File
          secondaryFiles:
            - .idx
      outputs: []
      baseCommand: echo

This bug has been fixed in Arvados release v1.2.0.

Secondary files on default file inputs

File inputs that have default values and also expect secondaryFiles and will fail to upload default secondaryFiles. As an example, the following case will fail:

class: CommandLineTool
inputs:
  step_input:
    type: File
    secondaryFiles:
      - .idx
    default:
      class: File
      location: hello.txt
outputs: []
baseCommand: echo

When run, this produces an error like this:

2018-05-03 10:58:47 cwltool ERROR: Unhandled error, try again with --debug for more information:
  [Errno 2] File not found: u'hello.txt.idx'

To fix this, manually upload the primary and secondary files to keep and explicitly declare secondaryFiles on the default primary file:

class: CommandLineTool
inputs:
  step_input:
    type: File
    secondaryFiles:
      - .idx
    default:
      class: File
      location: keep:4d8a70b1e63b2aad6984e40e338e2373+69/hello.txt
      secondaryFiles:
       - class: File
         location: keep:4d8a70b1e63b2aad6984e40e338e2373+69/hello.txt.idx
outputs: []
baseCommand: echo

This bug has been fixed in Arvados release v1.2.0.

v1.1.3 (2018-02-08)

There are no special upgrade notes for this release.

v1.1.2 (2017-12-22)

previous: Upgrading to 1.1.0 or 1.1.1

The minimum version for Postgres is now 9.4 (2017-12-08)

As part of story #11908, commit 8f987a9271 introduces a dependency on Postgres 9.4. Previously, Arvados required Postgres 9.3.

  • Debian 8 (pg 9.4) and Debian 9 (pg 9.6) do not require an upgrade
  • Ubuntu 16.04 (pg 9.5) does not require an upgrade
  • Ubuntu 14.04 (pg 9.3) requires upgrade to Postgres 9.4: https://www.postgresql.org/download/linux/ubuntu/
  • CentOS 7 and RHEL7 (pg 9.2) require upgrade to Postgres 9.4. It is necessary to migrate of the contents of your database: https://www.postgresql.org/docs/9.0/static/migration.html
    1. Create a database backup using pg_dump
    2. Install the rh-postgresql94 backport package from either Software Collections: http://doc.arvados.org/install/install-postgresql.html or the Postgres developers: https://www.postgresql.org/download/linux/redhat/
    3. Restore from the backup using psql

v1.1.1 (2017-11-30)

There are no special upgrade notes for this release.

v1.1.0 (2017-10-24)

The minimum version for Postgres is now 9.3 (2017-09-25)

As part of story #12032, commit 68bdf4cbb1 introduces a dependency on Postgres 9.3. Previously, Arvados required Postgres 9.1.

  • Debian 8 (pg 9.4) and Debian 9 (pg 9.6) do not require an upgrade
  • Ubuntu 16.04 (pg 9.5) does not require an upgrade
  • Ubuntu 14.04 (pg 9.3) is compatible, however upgrading to Postgres 9.4 is recommended: https://www.postgresql.org/download/linux/ubuntu/
  • CentOS 7 and RHEL7 (pg 9.2) should upgrade to Postgres 9.4. It is necessary to migrate of the contents of your database: https://www.postgresql.org/docs/9.0/static/migration.html
    1. Create a database backup using pg_dump
    2. Install the rh-postgresql94 backport package from either Software Collections: http://doc.arvados.org/install/install-postgresql.html or the Postgres developers: https://www.postgresql.org/download/linux/redhat/
    3. Restore from the backup using psql

Older versions

Upgrade slower than usual (2017-06-30)

As part of story #11807, commit 55aafbb converts old “jobs” database records from YAML to JSON, making the upgrade process slower than usual.

  • The migration can take some time if your database contains a substantial number of YAML-serialized rows (i.e., you installed Arvados before March 3, 2017 660a614 and used the jobs/pipelines APIs). Otherwise, the upgrade will be no slower than usual.
  • The conversion runs as a database migration, i.e., during the deb/rpm package upgrade process, while your API server is unavailable.
  • Expect it to take about 1 minute per 20K jobs that have ever been created/run.

Service discovery overhead change in keep-web (2017-06-05)

As part of story #9005, commit cb230b0 reduces service discovery overhead in keep-web requests.

  • When upgrading keep-web or keepproxy to/past this version, make sure to update API server as well. Otherwise, a bad token in a request can cause keep-web to fail future requests until either keep-web restarts or API server gets upgraded.

Node manager now has an http endpoint for management (2017-04-12)

As part of story #11349, commit 2c094e2 adds a “management” http server to nodemanager.

  • To enable it, add to your configuration file:
    [Manage]
    address = 127.0.0.1
    port = 8989
  • The server responds to http://{address}:{port}/status.json with a summary of how many nodes are in each state (booting, busy, shutdown, etc.)

New websockets component (2017-03-23)

As part of story #10766, commit e8cc0d7 replaces puma with arvados-ws as the recommended websocket server.

  • See http://doc.arvados.org/install/install-ws.html for install/upgrade instructions.
  • Remove the old puma server after the upgrade is complete. Example, with runit:

    $ sudo sv down /etc/sv/puma
    $ sudo rm -r /etc/sv/puma
    Example, with systemd:

    $ systemctl disable puma
    $ systemctl stop puma

Change of database encoding for hashes and arrays (2017-03-06)

As part of story #11168, commit 660a614 uses JSON instead of YAML to encode hashes and arrays in the database.

  • Aside from a slight performance improvement, this should have no externally visible effect.
  • Downgrading past this version is not supported, and is likely to cause errors. If this happens, the solution is to upgrade past this version.
  • After upgrading, make sure to restart puma and crunch-dispatch-* processes.

Docker image format compatibility check (2017-02-03)

As part of story #10969, commit 74a9dec introduces a Docker image format compatibility check: the arv keep docker command prevents users from inadvertently saving docker images that compute nodes won’t be able to run.

  • If your compute nodes run a version of docker older than 1.10 you must override the default by adding to your API server configuration (/etc/arvados/api/application.yml):
    docker_image_formats: ["v1"]
  • Refer to the comments above docker_image_formats in /var/www/arvados-api/current/config/application.default.yml or source:services/api/config/application.default.yml or issue #10969 for more detail.
  • NOTE: This does not include any support for migrating existing Docker images from v1 to v2 format. This will come later: for now, sites running Docker 1.9 or earlier should still avoid upgrading Docker further than 1.9.

Debian and RPM packages now have systemd unit files (2016-09-27)

Several Debian and RPM packages — keep-balance (d9eec0b), keep-web (3399e63), keepproxy (6de67b6), and arvados-git-httpd (9e27ddf) — now enable their respective components using systemd. These components prefer YAML configuration files over command line flags (3bbe1cd).

  • On Debian-based systems using systemd, services are enabled automatically when packages are installed.
  • On RedHat-based systems using systemd, unit files are installed but services must be enabled explicitly: e.g., "sudo systemctl enable keep-web; sudo systemctl start keep-web".
  • The new systemd-supervised services will not start up successfully until configuration files are installed in /etc/arvados/: e.g., "Sep 26 18:23:55 62751f5bb946 keep-web[74]: 2016/09/26 18:23:55 open /etc/arvados/keep-web/keep-web.yml: no such file or directory"
  • To migrate from runit to systemd after installing the new packages, we recommend the following procedure:
    1. Bring down the runit service: “sv down /etc/sv/keep-web”
    2. Create a JSON configuration file (e.g., /etc/arvados/keep-web/keep-web.yml — see “keep-web -help”)
    3. Ensure the service is running correctly under systemd: “systemctl status keep-web” / “journalctl -u keep-web”
    4. Remove the runit service so it doesn’t start at next boot
  • Affected services:
    • keep-balance – /etc/arvados/keep-balance/keep-balance.yml
    • keep-web – /etc/arvados/keep-web/keep-web.yml
    • keepproxy – /etc/arvados/keepproxy/keepproxy.yml
    • arvados-git-httpd – /etc/arvados/arv-git-httpd/arv-git-httpd.yml

Installation paths for Python modules and script changed (2016-05-31)

Commits ae72b172c8 and 3aae316c25 change the filesystem location where Python modules and scripts are installed.

  • Previous packages installed these files to the distribution’s preferred path under /usr/local (or the equivalent location in a Software Collection). Now they get installed to a path under /usr. This improves compatibility with other Python packages provided by the distribution. See #9242 for more background.
  • If you simply import Python modules from scripts, or call Python tools relying on $PATH, you don’t need to make any changes. If you have hardcoded full paths to some of these files (e.g., in symbolic links or configuration files), you will need to update those paths after this upgrade.

Crunchrunner package is required on compute and shell nodes (2016-04-25)

Commit eebcb5e requires the crunchrunner package to be installed on compute nodes and shell nodes in order to run CWL workflows.

  • On each Debian-based compute node and shell node, run: sudo apt-get install crunchrunner
  • On each Red Hat-based compute node and shell node, run: sudo yum install crunchrunner

Keep permission signature algorithm change (2016-04-21)

Commit 3c88abd changes the Keep permission signature algorithm.

  • All software components that generate signatures must be upgraded together. These are: keepstore, API server, keep-block-check, and keep-rsync. For example, if keepstore < 0.1.20160421183420 but API server >= 0.1.20160421183420, clients will not be able to read or write data in Keep.
  • Jobs and client operations that are in progress during the upgrade (including arv-put’s “resume cache”) will fail.

Workbench’s “Getting Started” popup disabled by default (2015-01-05)

Commit e1276d6e disables Workbench’s “Getting Started” popup by default.

  • If you want new users to continue seeing this popup, set enable_getting_started_popup: true in Workbench’s application.yml configuration.

Crunch jobs now have access to Keep-backed writable scratch storage (2015-12-03)

Commit 5590c9ac makes a Keep-backed writable scratch directory available in crunch jobs (see #7751)

  • All compute nodes must be upgraded to arvados-fuse >= 0.1.2015112518060 because crunch-job uses some new arv-mount flags (—mount-tmp, —mount-by-pdh) introduced in merge 346a558
  • Jobs will fail if the API server (in particular crunch-job from the arvados-cli gem) is upgraded without upgrading arvados-fuse on compute nodes.

Recommended configuration change for keep-web (2015-11-11)

Commit 1e2ace5 changes recommended config for keep-web (see #5824)

  • proxy/dns/ssl config should be updated to route “https://download.ClusterID.example.com/” requests to keep-web (alongside the existing “collections” routing)
  • keep-web command line adds -attachment-only-host download.ClusterID.example.com
  • Workbench config adds keep_web_download_url
  • More info on the (still beta/non-TOC-linked) keep-web doc page

Stopped containers are now automatically removed on compute nodes (2015-11-04)

Commit 1d1c6de removes stopped containers (see #7444)

  • arvados-docker-cleaner removes all docker containers as soon as they exit, effectively making docker run default to --rm. If you run arvados-docker-cleaner on a host that does anything other than run crunch-jobs, and you still want to be able to use docker start, read the new doc page to learn how to turn this off before upgrading.

New keep-web service (2015-11-04)

Commit 21006cf adds a new keep-web service (see #5824).

  • Nothing relies on keep-web yet, but early adopters can install it now by following http://doc.arvados.org/install/install-keep-web.html (it is not yet linked in the TOC).

Previous: Configuration reference Next: Maintenance and upgrading

The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.