Configuration Reference
This page explains how to configure the resource limits and the security settings
in the Anaconda Enterprise configuration file, anaconda-platform.yml.
To access the Anaconda Enterprise configuration file, log in to the Anaconda Enterprise
Operations Center by visiting the following URL in your
browser: https://anaconda.example.com:32009 and click the Configuration link.
NOTE: Replace anaconda.example.com with the domain name you are using.
Complete Anaconda Enterprise Configuration File
See the full configuration file below, or download a copy to review.
Additional details regarding the configuration settings are shown below:
version: 1

# GLOBAL CONFIGURATION

auth-server: # Common authentication client settings for all services
  url: https://anaconda.example.com:30080/auth
  realm: AnacondaPlatform
  realm-key: ''

db: # Database client configuration
  drivername: postgresql # Database driver (default postgresql, which is currently the only driver supported)
  host: postgres # Database hostname
  port: 5432
  username: postgres
  password: ''

auth-escrow: # Common authentication client settings for all services
  url: https://anaconda.example.com:30091/api/v1

https: # Common HTTPS client and server settings for all services
  certificate-authority: /etc/ssl/certs/ca-certificates.crt # Path to Certificate Authority bundle for private CA or self-signed certificates
  # certificate-authority: /etc/ssl/certs/DST_Root_CA_X3.pem # For lets encrypt

images:
  app: apiserver:5000/ap-app:5.0.1-1896-g6d27a29
  app_proxy: apiserver:5000/ap-app-proxy:5.0.1-1896-g6d27a29
  editor: apiserver:5000/ap-editor:5.0.1-1896-g6d27a29

kubernetes:
  server: https://kubernetes.default.svc.cluster.local
  use_service_account: true
  max_cores_per_app: 2
  max_ram_mb_per_app: 2048

license:
  number: PASTE_LICENSE_CODE_OR_CLIENT_ID_HERE
  # key: PASTE_OFFLINE_KEY_HERE_FOR_OFFLINE_ACTIVATION
  working-directory: /tmp/anaconda
  security:
    x: 207
    y: 705
    z: 278
  analytics:
    enabled: true

# PER-SERVICE CONFIGURATION

auth: # Authentication server configuration
  port: 9080
  db:
    database: anaconda_auth
  https: # HTTPS configuration
    keystore: /etc/secrets/certs/keystore.jks # Name of server keystore in Java keystore (.jks) format
    keystore-password: anaconda # Keystore password defined when generating the Java keystore
    key-alias: auth # Name of the key in the keystore
    truststore: null # (optional) Path to the trust store to use for outgoing HTTPS requests (e.g. for LDAPS)
    truststore-password: null # (optional) Truststore password defined when generating the Java keystore
  debug: False # If true, enable use of a pregenerated SSL key for testing. DO NOT SET TO TRUE IN PRODUCTION.
  api: # Service settings for auth-api
    port: 9090
    limit: 12
    https:
      key: /etc/secrets/certs/server.key
      certificate: /etc/secrets/certs/server.crt
  escrow: # Service settings for auth-escrow
    port: 9091
    db:
      database: anaconda_auth_escrow
    hosts: # List of hosts (host:port pairs) to allow in API request headers
      - anaconda.example.com:30091
    prefix: '' # URL prefix
    https:
      key: /etc/secrets/certs/server.key
      certificate: /etc/secrets/certs/server.crt
    auth-server:
      client-secret: ed7ec3ff-c535-455b-b431-5ed97d78b8be
      client-id: anaconda-platform

deploy: # Deployment server configuration
  port: 8081
  prefix: '' # URL prefix
  url: https://anaconda.example.com:30081/ # Deployment server URL
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com:30081
  db:
    database: anaconda_deploy
  users: '*' # Users/groups who have permission to access deployed apps
  deployers: # Users/groups who have permission to deploy here
    users: []
    groups:
      - developers
    roles: []
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles: []
  auth-server:
    client-id: anaconda-deploy
  apps-host: anaconda.example.com # Hostname where apps are deployed, if different from the one in kubernetes.server
  auth-proxy: # Settings for deployed app proxy
    client-id: anaconda-deploy-proxy # Client ID of the proxy, as registered in the auth service
    dns-server: 10.100.0.4 # IP address of DNS server used by the app proxy. Default is the internal kubernetes resolver.
    https:
      key: /etc/secrets/certs/server.key
      certificate: /etc/secrets/certs/server.crt
  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.

spaces: # Spaces server configuration
  port: 8090
  prefix: '' # URL prefix
  url: https://anaconda.example.com:30095/ # Spaces server URL
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com:30095
  db:
    database: anaconda_spaces
  users: '*' # Users/groups who have permission to create spaces
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles: []
  auth-server:
    client-id: anaconda-spaces-api
  spaces-host: anaconda.example.com # Hostname where spaces are hosted, if different from the one in kubernetes.server
  auth-proxy: # Settings for spaces access control proxy
    client-id: anaconda-spaces # Client ID of the proxy, as registered in the auth service
    dns-server: 10.100.0.4 # IP address of DNS server used by the app proxy. Default is the internal kubernetes resolver.
    https:
      key: /etc/secrets/certs/server.key
      certificate: /etc/secrets/certs/server.crt
  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.

storage: # Storage server configuration
  host: anaconda.example.com # full hostname of the storage server
  port: 8086
  prefix: '' # URL prefix
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com:30086
  url: https://anaconda.example.com:30086 # Base URL of storage server
  db:
    database: anaconda_storage
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  git:
    default:
      name: Example.com Anaconda Enterprise Server # human-readable name of this git server
      type: internal # server type. There is support for "internal" and planned support for "github" and "gitlab".
      url: https://anaconda.example.com:30088 # URL of git server
      repository: '{name}-{id}' # Template for repository names; use {name}, {id}, and {owner} as placeholders.
      auth-header: Anaconda-User # Name of HTTP header for proxy authentication (internal server type only)
      username: anaconda # Username of git service account
      # no password needed when using auth-header
      proxy:
        url: https://anaconda.example.com:30085 # URL of git proxy
        client-id: anaconda-git-proxy # Auth client ID of this proxy
        dns-server: 10.100.0.4 # IP address of DNS server used by the git proxy.
        run-as-user: www-data # System user account to run the proxy under
        api-key: f49fece0b2ef8d122d4a2473278465f7c77781617428b7e18401f2d0139b39e7 # secret api key to allow storage service API calls through the proxy. Should be uniquely generated for each installation.
        port: 8095
        probe-port: 8096
        https:
          key: /etc/secrets/certs/server.key
          certificate: /etc/secrets/certs/server.crt
  objects:
    projects: # storage location for objects in projects. You may use placeholders {name} {owner} and {id} for project name, project owner and project ID.
      bucket: anaconda-projects
      path: projects/{owner}-{id}
    global: # storage location for global objects (available to all logged-in users)
      bucket: anaconda-objects
      path: 'global/'
    public: # storage location for public objects (available to everyone without logging in)
      bucket: anaconda-objects
      path: 'public/'
  users: '*' # Users/groups who can create projects
  creators: # Users/groups who can create new projects
    users: []
    groups:
      - developers
    roles: []
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles: []

repository: # Repository server configuration
  port: 8089
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com:30089
  prefix: '' # URL prefix
  db:
    database: anaconda_repository
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  users: '*' # Users/groups who can access the repository
  uploaders: # Users/groups who can create and upload packages
    users: []
    groups:
      - developers
    roles: []
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles: []
  bucket: anaconda-repository # S3/object storage bucket to store repository files
  auth-escrow:
    url: https://anaconda.example.com:30091/api/v1
  cleanup-upload-seconds: 3600 # How long an unfinished upload will be kept before being cleaned up
  cleanup-period-seconds: 73 # How frequently the server will check for files that should be removed from disk
  index-update-cooldown-seconds: 7 # How much time without new uploads is required before index will be rebuilt
  index-update-period-seconds: 23 # How frequently the server will check for channels that require rebuilding of index information (repodata.json)

s3: # configuration for the object-storage service
  host: 0.0.0.0 # full hostname of the object store server S3 API
  port: 8087
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  access-key: 's3-access-key'
  secret-key: 's3-secret-key'
  directory: /export

s3-client: # configuration for clients to the object storage service
  endpoint-url: https://anaconda.example.com:30087 # AWS endpoint URL
  access-key: 's3-access-key'
  secret-key: 's3-secret-key'
  region-name: 'us-east-1' # the AWS region where your S3 bucket is located

git:
  url: https://anaconda.example.com:30088 # externally visible URL of the git server
  host: anaconda.example.com # full hostname of the git server
  port: 8088
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  db:
    database: anaconda_git
  directory: /export # directory where git server will store its data
  username: anaconda # OS username that the git server should run under
  lfs-secret: AohzzmIZVHYSTYJ7HM1E1GWhjRYCTcfLdxHHGR8fKCM # LFS authentication token secret. Should be uniquely generated for each installation.
  secret-key: E3P99Z3XRAXaoJHGygmCjZ613pIZ9nvg6SnVRrPHTBU # git server secret key. Should be uniquely generated for each installation.

conda: # Common conda settings for editing sessions and deployments
  channels: # List of channels to put in .condarc
    - defaults
  default-channels: [] # List of channels that should be used for channel 'defaults'
  channel-alias: https://anaconda.example.com:30089/conda # Default conda URL prefix for channels given by name only

offline_docs:
  url: https://anaconda.example.com:30071 # Docs server URL
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com:30071
  port: 8091
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  directory: docs/_build/ # The path relative to the base directory of the static docs.
  prefix: '' # URL prefix

ui: # Anaconda Platform UI server configuration
  base-url: / # URL prefix
  cookie-secret: this-is-a-very-insecure-secret # secret key used to sign session cookies
  cookie-session:
    name: anaconda-platform-ui-session-v1
  cookie-next:
    name: anaconda-platform-ui-next-v1
  db:
    database: anaconda_ui
  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.
  host: anaconda.example.com # full hostname of the UI server
  public-url: https://anaconda.example.com:30090/ # User-facing URL of site, if different than host/port
  https:
    key: /etc/secrets/certs/server.key
    certificate: /etc/secrets/certs/server.crt
  port: 6990
  auth-server:
    client-secret: ed7ec3ff-c535-455b-b431-5ed97d78b8be
    client-id: anaconda-platform
  services:
    anaconda-storage:
      storage:
        icon: fa-anaconda
        label: Storage
        url: https://anaconda.example.com:30086/api/v1
    anaconda-deploy:
      deploy:
        icon: fa-anaconda
        label: Deploy
        url: https://anaconda.example.com:30081/api/v1
    anaconda-spaces:
      spaces:
        icon: fa-anaconda
        label: Spaces
        url: https://anaconda.example.com:30095/api/v1
        options:
          spaces:
            tools:
              notebook:
                default: true
                label: Jupyter Notebook Classic
                packages: [notebook]
              lab-pre:
                label: JupyterLab
                packages: [jupyterlab]
              sync:
                label: Anaconda Project Sync
                packages: [anaconda-platform-sync]
            templates:
              jupyter-5:
                label: Jupyter Notebook Classic
                tools:
                  - notebook
                  - sync
              jupyterlab:
                label: JupyterLab
                default: true
                tools:
                  - lab-pre
                  - sync
    anaconda-repo5:
      repo:
        html-url: https://anaconda.example.com:30089
        icon: fa-anaconda
        label: Repo Service
        url: https://anaconda.example.com:30089/api
    auth-api:
      auth-api:
        icon: fa-anaconda
        label: Auth API
        url: https://anaconda.example.com:30082/api/v1
    documentation:
      offline_docs:
        html-url: https://anaconda.example.com:30071
        icon: fa-anaconda
        label: Documentation
        url: https://anaconda.example.com:30071
  help: # Help links
    docs:
      label: Anaconda Documentation - Home
      external: true
      href: https://anaconda.example.com:30071
      position: 0
    started:
      label: Getting Started with Anaconda Enterprise
      external: true
      href: https://anaconda.example.com:30071/user-guide/getting-started.html
      position: 1
    release:
      label: Release Notes
      external: true
      href: https://anaconda.example.com:30071/release-notes.html
      position: 2
    support:
      label: Support
      external: true
      href: https://anaconda.example.com:30071/help-support.html
      position: 3
    feedback:
      label: Feedback
      external: true
      href: https://continuum.typeform.com/to/TnHsme
      position: 4

postgresql: # PostgreSQL server configuration
  port: 7080
Setting Resource Limits for Project Editor Sessions and Deployments
Each project editor session and deployment uses compute resources on the Anaconda Enterprise cluster.
NOTE: We strongly recommend saving a copy of the original file before making any edits.
You can configure the maximum number of cores and amount of memory/RAM that each project editor or deployment consumes. This is a global setting across the cluster that applies to all users, nodes, editor sessions, and deployments:
kubernetes:
  max_cores_per_app: 2
  max_ram_mb_per_app: 2048
Required security settings
These values and credentials must be set for every installation.
- s3.access-key and s3.secret-key for the Minio internal object store
- s3-client.access-key and s3-client.secret-key for the object store client. When using the internal object store, these must match s3.access-key and s3.secret-key.
- auth.https.keystore-password matching the password used when creating the Java keystore for the auth service
- git.lfs-secret and git.secret-key for the internal git server
- storage.git.<server>.proxy.api-key
- ui.cookie-secret
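The check below is an added example, not part of the Anaconda Enterprise documentation or product: it audits a configuration for the settings listed above, flagging any that are unset or still carry the sample value printed in the file on this page, mismatched object store keys, and enabled debug flags. The names `audit`, `lookup`, `SAMPLES`, `DEBUG` and `SAMPLE` are hypothetical, and the configuration is assumed to be already parsed into a Python dict.

```python
# Added example: audit a parsed anaconda-platform.yml (a dict) for required secrets.
# SAMPLES maps each required key path to the sample value printed on this page.
SAMPLES = {
    "s3.access-key": "s3-access-key",
    "s3.secret-key": "s3-secret-key",
    "s3-client.access-key": "s3-access-key",
    "s3-client.secret-key": "s3-secret-key",
    "auth.https.keystore-password": "anaconda",
    "git.lfs-secret": "AohzzmIZVHYSTYJ7HM1E1GWhjRYCTcfLdxHHGR8fKCM",
    "git.secret-key": "E3P99Z3XRAXaoJHGygmCjZ613pIZ9nvg6SnVRrPHTBU",
    "storage.git.*.proxy.api-key": "f49fece0b2ef8d122d4a2473278465f7c77781617428b7e18401f2d0139b39e7",
    "ui.cookie-secret": "this-is-a-very-insecure-secret",
}
DEBUG = ("*.debug", "*.*.debug")  # a service section, or one level below it

def lookup(node, parts, prefix=()):
    """Yield (dotted_path, value); '*' matches every key at that level."""
    if not parts:
        yield ".".join(prefix), node
    elif not isinstance(node, dict):
        yield ".".join(prefix + tuple(parts)), None
    elif parts[0] == "*":
        for key, child in node.items():
            yield from lookup(child, parts[1:], prefix + (str(key),))
    else:
        yield from lookup(node.get(parts[0]), parts[1:], prefix + (parts[0],))

def audit(config):
    """Return sorted findings for a config mapping, e.g. one loaded by a YAML parser."""
    findings = []
    for pattern, sample in SAMPLES.items():
        for path, value in lookup(config, pattern.split(".")):
            if value in (None, ""):
                findings.append(f"{path}: not set")
            elif value == sample:
                findings.append(f"{path}: still the sample value from the docs")
    # With the internal object store, the client keys must match the server keys.
    for key in ("access-key", "secret-key"):
        pair = [(config.get(s) or {}).get(key) for s in ("s3", "s3-client")]
        if pair[0] != pair[1]:
            findings.append(f"s3-client.{key}: does not match s3.{key}")
    for pattern in DEBUG:
        for path, value in lookup(config, pattern.split(".")):
            if value is True:
                findings.append(f"{path}: debug enabled")
    return sorted(findings)

# Constructed sample: cookie secret left at the page's value, UI debugging on.
SAMPLE = {"ui": {"cookie-secret": "this-is-a-very-insecure-secret", "debug": True}}
```

An empty list from `audit` means every listed setting is present, differs from the published sample, and no debug flag is on; it says nothing about how strong the chosen values are.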
Configuring Outbound SSL (for systems such as Secure LDAP)
See LDAP configuration.