Set up a shell node

  1. Introduction
  2. Install Dependencies and SDKs
  3. Install git and curl
  4. Update Git Config
  5. Create record for VM
  6. Install arvados-login-sync
  7. Confirm working installation

Introduction

Arvados support for shell nodes allows you to use Arvados permissions to grant Linux shell accounts to users.

A shell node runs the arvados-login-sync service to manage user accounts, and typically has Arvados utilities and SDKs pre-installed. Users are allowed to log in and run arbitrary programs. For optimal performance, the Arvados shell server should be on the same LAN as the Arvados cluster.

Because the Arvados config.yml contains secrets, it should not be present on shell nodes.

Shell nodes should be separate virtual machines from the VMs running other Arvados services. You may choose to grant root access to users so that they can customize the node, for example, installing new programs. This has security considerations depending on whether a shell node is single-user or multi-user.

A single-user shell node should be set up so that it only stores Arvados access tokens that belong to that user. In that case, that user can be safely granted root access without compromising other Arvados users.

In the multi-user shell node case, a malicious user with root access could access other users’ Arvados tokens. Users should only be given root access on a multi-user shell node if you would trust them to be Arvados administrators. Be aware that with access to the docker daemon, it is trivial to gain root access to any file on the system, so giving users docker access should be considered equivalent to root access.

Install Dependencies and SDKs

  1. Install Ruby and Bundler
  2. Install the Python SDK
  3. Install the FUSE driver
  4. Install the CLI
  5. Install the R SDK (optional)
  6. Install Docker (optional)

Install git and curl

Red Hat and CentOS

# yum install git curl

Debian and Ubuntu

# apt-get install git curl

Update Git Config

Configure git to use the ARVADOS_API_TOKEN environment variable to authenticate to arvados-git-httpd. We use the --system flag so it takes effect for all current and future user accounts. It does not affect git’s behavior when connecting to other git servers.

# git config --system 'credential.https://git.ClusterID.example.com/.username' none
# git config --system 'credential.https://git.ClusterID.example.com/.helper' '!cred(){ cat >/dev/null; if [ "$1" = get ]; then echo password=$ARVADOS_API_TOKEN; fi; };cred'

Create record for VM

As an admin, create an Arvados virtual_machine object representing this shell server. This will return a uuid.

apiserver:~$ arv --format=uuid virtual_machine create --virtual-machine '{"hostname":"shell.ClusterID.example.com"}'
zzzzz-2x53u-zzzzzzzzzzzzzzz

Install arvados-login-sync

The arvados-login-sync service makes it possible for Arvados users to log in to the shell server. It sets up login accounts, updates group membership, adds each user’s SSH public keys to the ~/.ssh/authorized_keys file, and adds an Arvados token to ~/.config/arvados/settings.conf.

Install the arvados-login-sync program from RubyGems.

shellserver:# gem install arvados-login-sync

Run arvados-login-sync periodically

Create a cron job to run the arvados-login-sync program every 2 minutes. This will synchronize user accounts.

If this is a single-user shell node, then ARVADOS_API_TOKEN should be a token for that user. See Create a token for a user.

If this is a multi-user shell node, then ARVADOS_API_TOKEN should be an administrator token such as the SystemRootToken. See the discussion in the introduction about security on multi-user shell nodes.

Set ARVADOS_VIRTUAL_MACHINE_UUID to the UUID from Create record for VM.

Standalone cluster

shellserver:# umask 077; tee /etc/cron.d/arvados-login-sync <<EOF
ARVADOS_API_HOST="ClusterID.example.com"
ARVADOS_API_TOKEN="xxxxxxxxxxxxxxxxx"
ARVADOS_VIRTUAL_MACHINE_UUID="zzzzz-2x53u-zzzzzzzzzzzzzzz"
*/2 * * * * root arvados-login-sync
EOF

Part of a LoginCluster federation

If the cluster is part of a federation with centralized user management, the login sync script needs to be given an admin token from the login cluster.

shellserver:# umask 077; tee /etc/cron.d/arvados-login-sync <<EOF
ARVADOS_API_HOST="ClusterID.example.com"
ARVADOS_API_TOKEN="yyyloginclusteradmintokenyyyy"
ARVADOS_VIRTUAL_MACHINE_UUID="zzzzz-2x53u-zzzzzzzzzzzzzzz"
*/2 * * * * root arvados-login-sync
EOF

Confirm working installation

A user should be able to log in to the shell server when the following conditions are satisfied:

  1. As an admin user, you have given the user permission to log in using the Workbench → Admin menu → “Users” item → “Show” button → “Admin” tab → “Setup account” button.
  2. The cron job has run.

In order to log in via SSH, the user must also upload an SSH public key. Alternatively, if configured, users can log in using Webshell.

See also how to add a VM login permission link at the command line.
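
To check the security points made on this page against an installed node, the following audit script can be run as root. It is an added example, not part of the Arvados documentation or code; the config.yml path, the use of /etc/group, and the function and variable names are assumptions.

```sh
#!/bin/sh
# Added example, not Arvados project code. Audits the points made on this page.
# Defaults can be overridden from the environment; CONFIG_YML's path and the
# use of /etc/group are assumptions about the node.
CRON_FILE=${CRON_FILE:-/etc/cron.d/arvados-login-sync}
CONFIG_YML=${CONFIG_YML:-/etc/arvados/config.yml}
GROUP_FILE=${GROUP_FILE:-/etc/group}
OWNER_UID=${OWNER_UID:-0}

# file_is_private FILE [UID]: true only for a regular file owned by UID
# (default 0) with no group/other permission bits. Uses GNU stat.
file_is_private() {
    [ -f "$1" ] || return 2
    uid=$(stat -c '%u' "$1")
    mode=$(stat -c '%a' "$1")
    [ "$uid" = "${2:-0}" ] && [ $(( 0$mode & 077 )) -eq 0 ]
}

# group_members GROUP [FILE]: print supplementary members, one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "${2:-/etc/group}"
}

# audit_shell_node: print one line per finding; return 1 if there are any.
audit_shell_node() {
    bad=0
    if [ -e "$CONFIG_YML" ]; then
        echo "FAIL: $CONFIG_YML is present on a shell node"; bad=1
    fi
    if [ ! -f "$CRON_FILE" ]; then
        echo "FAIL: $CRON_FILE not found"; bad=1
    elif ! file_is_private "$CRON_FILE" "$OWNER_UID"; then
        echo "FAIL: $CRON_FILE holds ARVADOS_API_TOKEN but is open to group/other"
        bad=1
    fi
    for u in $(group_members docker "$GROUP_FILE"); do
        echo "REVIEW: $u has docker access (treat as root)"; bad=1
    done
    return "$bad"
}

# Run the audit only when asked, e.g.: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_shell_node; fi
```

The docker check only sees members listed in the local group file; accounts whose primary group is docker, or that come from a directory service, need a separate check.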


The content of this documentation is licensed under the Creative Commons Attribution-Share Alike 3.0 United States licence.
Code samples in this documentation are licensed under the Apache License, Version 2.0.