Configuration reference

Files

Anaconda Repository loads configuration files with the extension .yaml from the following locations:

  • /etc/binstar/
  • /etc/anaconda-server/
  • $PREFIX/etc/anaconda-server

NOTE: $PREFIX is the location where repository is installed.

Files are loaded from these directories in order, with later files overriding earlier files. Files are loaded from each directory in alphabetical order.

If an environment variable ANACONDA_SERVER_CONFIG is set with the path of a configuration file, this file is loaded after the three already listed. Its settings override any conflicting settings in the earlier files.

Each configuration setting variable can have its value set with the anaconda-server-config --set command, or by editing a configuration file.

EXAMPLE: To set a value named VALUE_ONE to 50, add this to a configuration file:

VALUE_ONE: 50

Or, you can set a value named VALUE_ONE to 50 with this command:

anaconda-server-config --set VALUE_ONE 50

Logging

The location of the server’s log file is defined in the supervisord configuration file $PREFIX/etc/supervisord.conf by the stdout_logfile config entry located in the [program:anaconda-server] section.

Advanced configuration of logging requires setting a LOGGING key on the server’s config.yaml. It uses Python’s logging module config structure.

Usernames

USER_REGEX

A regular expression that defines the allowable user names.

For example, this setting specifies that user names contain only lowercase letters, periods, plus and minus characters (., + and -):

USER_REGEX: '^[a-z.+-]+$'

NOTE: The default value for USER_REGEX is ^[a-z0-9_][a-z0-9_-]+$ which translates to: at least one alphanumeric character or underscore, followed by zero or more alphanumeric, dash or underscore characters.

NOTE: Escape any extra instances of the single quote character ' as \'. Do not use the slash and ampersand characters / and &, which have special meanings in URLs.

NOTE: If USER_REGEX is changed and the server is restarted, existing usernames that do not match the new USER_REGEX do not cause errors.

Database

Repository uses MongoDB as the database back end.

MONGO_URL

A MongoDB connection URI is used to connect to the MongoDB database server. It can be used to configure the hostname and port, as well as database authentication.

For example:

MONGO_URL: mongodb://anaconda-server:Pa55w0rd@mongodb.serv/

MONGO_DBNAME

The MongoDB database where Repository stores its data.

MQ_DBNAME

The MongoDB database where Repository stores data used for asynchronous processing.

MONGO_REPLICA_SET

The name of a MongoDB replica set Repository connects to after establishing a connection to the database server.

File storage

Repository can serve package contents from a local file-system, or from Amazon Web Services Simple Storage Service: AWS S3.

Storage_type

The storage mechanism to use. Valid choices are fs, for file-system storage, or s3, for AWS S3 storage.

keyname_full_path

When this option is set, Repository stores the files by full paths and not just by hashes. This way a tensorflow file uploaded by the user Bob will be stored on <fs_storage_root>/Bob/tensorflow/osx-64/tensorflow-1.1.0-np112py36_0.tar.bz2-594ac56e7e042600648defdb.

NOTE: The storage path does not always contain the current file owner and their user name. This is because the file location on the storage does not change when you rename a user or transfer a file to a different user.

Fs_storage_root

If configured to use file-system storage, the absolute path to a directory where Repository stores all uploaded packages.

PACKAGE_BUCKET_ID

If configured to use AWS S3 storage, the name of an AWS S3 bucket where Repository stores uploaded packages.

You can identify the name of your bucket by using <bucket> in your http://<bucket>.s3.amazonaws.com URL.

S3_REGION_NAME

The S3 region that the bucket is located in. The available regions can be found in the Amazon AWS documentation.

S3_SERVER_SIDE_ENCRYPTION

This variable can be set to AES256 to enable server-side encryption for packages stored in the S3 bucket.

Notebooks

MAX_IPYNB_SIZE

Specifies the maximum allowed size when uploading notebooks to the server. The default is 25 MB. This variable can be set in config.yaml.

Web server

SERVER_NAME

The name and port number of the server. This option is required for subdomain support.

For example:

SERVER_NAME: anaconda.srv:8080

port

The port number of the server. Defaults to 8080.

subdomains

If set to true, Repository serves conda package from a separate subdomain. Defaults to false.

For example:

SERVER_NAME: anaconda.srv:8080
subdomains: true

Allows access to conda packages at http://conda.anaconda.srv:8080/.

USER_CONTENT_DOMAIN

As a cross-site scripting (XSS) protection, notebook content can be served from a separate domain name. If this option is configured, Repository only serves rendered notebooks from this domain.

See Securing user-created content.

ssl_options

Repository can serve content over HTTPS, using user-provided SSL certificates.

For example:

ssl_options:
    certfile: /etc/anaconda-server/server.crt
    keyfile: /etc/anaconda-server/server.key
PREFERRED_URL_SCHEME: https

certfile

The absolute path to a PEM-formatted X.509 certificate file.

keyfile

The absolute path to a PEM-formatted private key for the associated certificate.

ssl_version

An integer that specifies the SSL protocol version as defined by Python’s ssl module:

PROTOCOL_SSLv2 = 0
PROTOCOL_SSLv23 = 2
PROTOCOL_SSLv3 = 1
PROTOCOL_TLS = 2
PROTOCOL_TLSv1 = 3

PROTOCOL_TLSv1_1 = 4
PROTOCOL_TLSv1_2 = 5

The default is 5 (TLS v1.2).

PREFERRED_URL_SCHEME

The preferred scheme that is used to generate URLs. Set this to https if HTTPS is configured.

gunicorn

Repository uses Gunicorn. The most commonly used options are timeout and workers. A complete list of settings can be found in Gunicorn’s documentation.

For example:

gunicorn:
    timeout: 60
    workers: 5

timeout

The number of seconds for which a worker is allowed to process a request, before being forcefully terminated.

Default: 120

workers

The number of workers that Gunicorn spawns to serve Repository. Defaults to 2 × the number of CPUs + 1.

Authentication

AUTH_TYPE

The method Repository uses to authenticate users. Valid choices are NATIVE, for built-in authentication, KERBEROS, for Kerberos, and LDAP.

LDAP

Options for configuring LDAP authentication and group synchronization.

For example:

LDAP:
  # Replace with company LDAP server
  URI: 'ldap://<ldap.company.com>'
  # Replace <uid=%(username)s,ou=People,dc=company,dc=com> with your company specific LDAP Bind/Base DN
  # Bind directly to this Base DN.
  BIND_DN: '<uid=%(username)s,ou=People,dc=company,dc=com>'
  # password of the user specified in the BIND_DN
  BIND_AUTH: abc123456

  USER_SEARCH:
      base: cn=Users,dc=example,dc=com
      filter: sAMAccountName=%(username)s

  # Map LDAP keys into application specific keys
  KEY_MAP:
      name: 'cn'
      company: 'o'
      location: 'l'
      email: 'mail'

  OPTIONS:
      OPT_NETWORK_TIMEOUT: 60
      OPT_TIMEOUT: 60

NOTE: To use LDAP with SSL, set the USER_REGEX and account_names_filter options:

account_names_filter: false
USER_REGEX: ^[a-z0-9_][a-z0-9_-.]+$
LDAP:
    [configuration continues as above with URI, BIND_DN, and so on]

See Using LDAP and TLS configuration options.

LOCK_DOWN

Makes all views with the exception of the login form and welcome page, unaccessible to anonymous users.

Email

Repository can be configured to send email for various reasons, including to reset forgotten usernames and passwords. Email can be sent using SMTP protocol, or through Amazon Web Services Simple Email Service (AWS SES).

SMTP_HOST

The hostname of the SMTP server.

SMTP_PORT

The port of the SMTP server.

SMTP_TLS

If set to true, Repository attempts an SSL connection to the SMTP server.

SMTP_USERNAME

The username to authenticate against the SMTP server before attempting to send email.

SMTP_PASSWORD

The password to authenticate against the SMTP server before attempting to send email.

USE_SES

If set to true, Repository sends email with AWS SES. To authenticate to AWS, the server should be configured with an appropriate IAM role, or have credentials specified in a Boto configuration file.

RETURN_ADDRESS

The From: email address that Repository uses as sender.

ALLOW_DUPLICATED_EMAILS

If set to true, Repository allows different users to share the same email or secondary email. Defaults to false.

require_email_validation

If set to true, Repository emails new users a unique token to validate their email address before permitting them to log in.

Advanced

AVATAR_METHOD

The method to use to generate the user avatar URL. Valid choices are:

  • ‘gravatar’ to use the gravatar.com service
  • ‘default’ to show a predefined static icon
  • ‘static’ to use a custom static URL

AVATAR_GRAVATAR_URL

A URL for a Gravatar compatible service. Default: https://www.gravatar.com/. This URL is used as the prefix to build a valid gravatar URL.

AVATAR_STATIC_URL

A static URL to use when AVATAR_METHOD is set to static. Defaults to an empty string.

CONSTRUCTOR_TIMEOUT

The timeout in seconds for the call to constructor while building installers, parcels and management packs. Defaults to 60 seconds.

CONSTRUCTOR_TOKEN_TIMEOUT

To provide access to private packages while building an installer, a temporary token is created. It must be valid during the call to constructor and it should expire soon after the call completes. CONSTRUCTOR_TOKEN_TIMEOUT sets the token’s valid lifetime in seconds. Defaults to 60 seconds. This value should be greater than or equal to CONSTRUCTOR_TIMEOUT.

CONSTRUCTOR_ALLOWED_OPTIONS

A list of constructor option names that are allowed to be included in the installer construction form. The default is [] (no options are allowed).

PARCELS_ROOT

The prefix with which Cloudera parcels are generated. Defaults to /opt/cloudera/parcels.

PARCEL_DISTRO_SUFFIXES

The distributions for which Cloudera parcels are generated. Defaults to ['el5', 'el6', 'el7', 'lucid', 'precise', 'trusty', 'wheezy', 'jessie', 'squeeze', 'sles11', 'sles12'].

For example, if you want to support only Ubuntu:

PARCEL_DISTRO_SUFFIXES:
    - lucid
    - precise
    - trusty

DEFAULT_CHANNELS

The Repository accounts that environments installed with the bundled Anaconda distributions pull packages from. Defaults to ['anaconda', 'r-channel'].

For example, to add an additional custom account:

DEFAULT_CHANNELS:
    - anaconda
    - r-channel
    - custom

CONSTRUCTOR_TMPDIR

When constructor builds an installer it stores the configuration in this temporary directory. The default is None, which tells constructor to create a temporary directory using Python’s tempfile.mkdtemp.

STANDARD_LABELS

A list of standarized labels. If a user defines a label that is not listed as standard, a warning notice will be shown in the package’s page. Defaults to ['main', 'dev', 'alpha', 'beta', 'broken'].

CONDA_CACHE_SIZE

The maximum size (in bytes) of the repodata.json requests cache. Set to 0 to disable repodata.json caching. Default: 1 Gb. When the maximum size is reached, the 10 least recently used entries of the cache are evicted.

CACHE_METHOD

The method used for caching repodata info. It can either be tempfile (the prior method of caching) or diskcache, which uses SQLite as a back-end. Default: diskcache.

PERMANENT_SESSION_LIFETIME

An integer that sets how many minutes the session will live. Only used when REMEMBER_COOKIE_ENABLED is false. Default is 44640 (31 days).

SUPERUSER_ORG_ADMIN

Whether superusers should automatically be granted admin rights on organizations. Default is false.

NEXT_URL_WHITELIST

List of hostnames that are marked as safe when redirecting requests due to the presence of a “next” request parameter. It is mainly used under an Anaconda Enterprise Notebooks Single Sign-on Set-up. The default is [] (no external redirects are safe).

NEXT_URL_WHITELIST_REGEXP

A regular expression to match hostnames that are marked as safe when redirecting requests due to the presence of a “next” request parameter. It is mainly used under an Anaconda Enterprise Notebooks Single Sign-on Set-up. The default is ‘(?!)’ which matches nothing, so only local redirects are allowed.