SSL/LDAP configuration for CloudMan/Galaxy

SSL/LDAP configuration for CloudMan/Galaxy

David Kovalic

Hi,


We are interested in running CloudMan/Galaxy with SSL and LDAP. After searching around on the internet it seems like this is achievable and probably not too difficult, but there is no current complete “cookbook recipe” for doing so, so I thought it best to ask questions before I go ahead and break stuff :)


As I understand:

· nginx needs to have the LDAP module added, as the standard CM nginx build doesn’t include this

· nginx needs to have a custom nginx.conf file which specifies the use of SSL and LDAP

· Galaxy needs to have a custom configuration universe_wsgi.ini for LDAP use


By searching online I can’t clearly figure out:

· How to recompile (and persist across CM cluster termination/restart) a new version of nginx

· The best way to maintain and specify a custom nginx.conf. Is it possible to do this by placing the custom nginx.conf in the cluster S3 bucket and adding a configuration line specifying its URL (e.g. "nginx_conf_contents: https://s3.amazonaws.com/[cm bucket ID]/ngnix.conf") in the persistent_data.yaml file in the CM S3 bucket?

· Where do I make the modifications such that the changes to universe_wsgi.ini persist across CM cluster termination/restart?

It would be great to get some experienced insight on how best to complete this configuration, and have it persist.


Any guidance would be greatly appreciated. Thanks,


David Kovalic




___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  https://lists.galaxyproject.org/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/
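
The three pieces listed in the post above (nginx with an LDAP module, an nginx.conf using SSL and LDAP, and Galaxy configured to accept the proxy's user), sketched as an added example that is not part of the original thread and not CloudMan's shipped template. It assumes the third-party nginx-auth-ldap module; the host names, DNs, certificate paths and upstream port are placeholders.

```nginx
# Added example; every name, path and DN below is a placeholder.
events {}

http {
    # Directory nginx binds to. ldaps:// keeps the bind password and the
    # users' credentials encrypted between nginx and the directory.
    ldap_server campus_ldap {
        url "ldaps://ldap.example.org:636/ou=people,dc=example,dc=org?uid?sub?(objectClass=person)";
        binddn "cn=nginx-bind,ou=services,dc=example,dc=org";
        binddn_passwd "REPLACE_WITH_BIND_PASSWORD";
        require valid_user;
    }

    # Plain HTTP only redirects, so credentials are never sent unencrypted.
    server {
        listen 80;
        server_name galaxy.example.org;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name galaxy.example.org;
        ssl_certificate     /etc/nginx/ssl/galaxy.example.org.crt;
        ssl_certificate_key /etc/nginx/ssl/galaxy.example.org.key;
        ssl_protocols       TLSv1.2 TLSv1.3;  # drop TLSv1.3 on nginx older than 1.13

        location / {
            auth_ldap "Galaxy login";
            auth_ldap_servers campus_ldap;

            # Galaxy trusts this header when use_remote_user is on, so it is set
            # here from the authenticated user, replacing any client-sent value.
            proxy_set_header REMOTE_USER $remote_user;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $host;
            proxy_pass http://127.0.0.1:8080;
        }
    }
}

# Galaxy side, in the [app:main] section of universe_wsgi.ini:
#   use_remote_user = True
#   remote_user_maildomain = example.org
# Keep Galaxy listening on 127.0.0.1 only, so the REMOTE_USER header cannot
# be supplied by a client that bypasses nginx.
```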

Re: SSL/LDAP configuration for CloudMan/Galaxy

Enis Afgan-3
Hi David,
The nginx change will require a new AMI that includes the appropriately compiled nginx. We've been working on automating the process of building the image and it's captured in this Ansible playbook: https://github.com/galaxyproject/galaxy-cloudman-playbook (the current README is a bit out of sync with the code but I have been working on updating that and will commit it later on today or tomorrow at the latest). You'll need to edit the nginx installation procedure to include the customizations for nginx you want.

Re. configuration changes (nginx.conf and galaxy.ini) - these are done via CloudMan (https://github.com/galaxyproject/cloudman/tree/master/cm/conftemplates). So it would be necessary to create your own S3 bucket and host CloudMan source there with the desired customizations. I'll send you a paper that will be presented next month that captures all the pieces that are required to assemble a custom version of Galaxy CloudMan.

Hope this helps and please let us know if you have any more questions,
Enis


Re: SSL/LDAP configuration for CloudMan/Galaxy

John Chilton-4
David,

Just to add to what Enis responded - in my previous position I managed
a CloudMan instance that used SSL and LDAP - I documented some of what
it took to configure it here
https://production-galaxy-instances-with-cloudman-and-cloudbiolinux.readthedocs.org/en/latest/
but it was based on CloudBioLinux instead of the newer Ansible recipes
so the documentation is probably of limited use - but it does give an
idea about what needs to be updated and how to update it - it just has
to be translated to Ansible.

Best of luck,

-John



Re: SSL/LDAP configuration for CloudMan/Galaxy

David Kovalic
John/Enis,

Thanks for the help.

John, I had discovered your document on the web and it gave me confidence that SSL/LDAP was going to be possible.

Enis, thanks for the pointers to the new developments which are "news to me" and look like a really exciting extension.

I'll give this a go and report back to the group when we are, hopefully :), successful.

Looking forward to meeting up with many of the architects/builders/admins at GCC 2015 in Norwich.

David

