Server Installation
Once the Lyftdata binary is installed and available on the system, set up the Server as follows:
- Create a system account.
- Create a data directory.
- Create systemd files.
- Start the Server.
By the end of this section, you should be able to access the Server via a browser.
Create a system account
Create a system account for the Server to run under:
sudo adduser --system --home /var/lib/lyftdata-server --disabled-login --group lyftdata
Create a Data Directory
The Server requires a data directory to store Jobs, logs, and metric data.
The lyftdata user home directory is /var/lib/lyftdata-server and it will also serve as the data directory.
If a different data directory is required, create it with the appropriate ownership and permissions. For example:
sudo mkdir -p /data/lyftdata
sudo chown lyftdata:lyftdata /data/lyftdata
Create systemd Files
Create a systemd service unit file:
sudo vi /etc/systemd/system/lyftdata-server.service
The file must contain the following:
[Unit]
Description=lyftdata Server
After=network.target auditd.service

[Service]
EnvironmentFile=/etc/default/lyftdata-server
User=lyftdata
Group=lyftdata
ExecStart=/usr/sbin/lyftdata run server
Restart=on-failure
RestartSec=60

[Install]
WantedBy=multi-user.target
Create an environment file for the EnvironmentFile setting:
sudo vi /etc/default/lyftdata-server
Here, the Server is configured through either lyftdata run server options or environment variables. In this case, we’ll be using the latter.
At a minimum, the Server needs LYFTDATA_STAGING_DIR:
LYFTDATA_STAGING_DIR=/var/lib/lyftdata-server
LYFTDATA_LICENSE_EULA_ACCEPT=yes
LYFTDATA_ADMIN_INIT_PASSWORD=ChangeMeVerySoon
We’ve added 2 additional environment variables:
- LYFTDATA_LICENSE_EULA_ACCEPT=yes prevents the one-time prompt for accepting the EULA.
- LYFTDATA_ADMIN_INIT_PASSWORD provides an initial password for the Server admin user.
Upon first initialization of the Server user database, if LYFTDATA_ADMIN_INIT_PASSWORD is unset, a random password will be generated and written to the Server STDOUT output (see journalctl -u lyftdata-server).
Once you have saved the service unit file, reload systemd:
sudo systemctl daemon-reload
To start the Server at boot, enable the service with:
sudo systemctl enable lyftdata-server
Finally, start the Server:
sudo systemctl start lyftdata-server
Verify that the Server started successfully:
systemctl status lyftdata-server
It’s a good idea to inspect the startup output, which will contain the admin user password if it wasn’t set with LYFTDATA_ADMIN_INIT_PASSWORD:
journalctl -u lyftdata-server
The Server will be listening on LYFTDATA_BIND_ADDRESS (default 127.0.0.1:3000).
If your cert uses subjectAltName, you must have an entry matching the cert CN. In the below CSR it is server.lyftdata.local:
openssl req -new -nodes -out server.lyftdata.local.csr -newkey rsa:4096 -keyout server.lyftdata.local.key -subj '/CN=server.lyftdata.local/C=ZA/ST=Gauteng/L=Johannesburg/O=Lyftdata'
The matching entry is DNS.1 = server.lyftdata.local:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.lyftdata.local
IP.1 = 192.168.235.10
If the cert has no subjectAltName, the CN will suffice for successful cert verification. Otherwise, a missing matching entry causes an error (see journalctl -u lyftdata-server):
...X509VerifyResult { code: 62, error: "Hostname mismatch" }
When testing with curl -v, the output is indicative of what failed:
* subjectAltName does not match server.lyftdata.local
openssl s_client works without issues.
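The subjectAltName rule above can be checked before the CSR is signed. The following script is an added example, not part of the Lyftdata documentation or tooling; the function names are hypothetical, and it assumes the extension file uses the subjectAltName = @section form shown above.

```sh
#!/bin/sh
# Added example (not Lyftdata tooling): lint a CSR subject against an OpenSSL
# extension file before signing. Assumes subjectAltName = @section form.

# Print the CN from an `openssl req -subj` string such as '/CN=host/C=ZA'.
subj_cn() {
    printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Print the DNS.N values found in section $1 of extension file $2.
san_dns_names() {
    awk -v s="$1" '
        /^[ \t]*\[/ { name = $0; gsub(/[^A-Za-z0-9_]/, "", name); in_s = (name == s); next }
        in_s && /^[ \t]*DNS\.[0-9]+[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
        }' "$2"
}

# Return 0 = hostname check can pass, 1 = mismatch, 2 = cannot decide.
# Exact, case-insensitive comparison only; wildcard entries are not evaluated.
check_cn_in_san() {
    cn=$(subj_cn "$1")
    [ -n "$cn" ] || { echo "no CN in subject"; return 2; }
    san=$(sed -n 's/^[[:space:]]*subjectAltName[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$2" | head -n 1)
    case $san in
        '') echo "OK: no subjectAltName, CN $cn is used"; return 0 ;;
        @*) sect=${san#@} ;;
        *)  echo "subjectAltName is not in @section form"; return 2 ;;
    esac
    if san_dns_names "$sect" "$2" | grep -Fxiq -- "$cn"; then
        echo "OK: DNS entry matches CN $cn"; return 0
    fi
    echo "MISMATCH: no DNS entry in [$sect] for CN $cn"; return 1
}

# Demo: extension file from this page, then a constructed CN that is not listed.
ext=$(mktemp)
cat > "$ext" <<'EOF'
subjectAltName = @alt_names

[alt_names]
DNS.1 = server.lyftdata.local
IP.1 = 192.168.235.10
EOF
check_cn_in_san '/CN=server.lyftdata.local/C=ZA/ST=Gauteng/L=Johannesburg/O=Lyftdata' "$ext"
check_cn_in_san '/CN=worker.lyftdata.local/C=ZA' "$ext" || true
rm -f "$ext"
```

A return status of 1 corresponds to the Hostname mismatch case described above; status 2 means the extension file uses a form this lint does not parse.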
Go to http://localhost:3000 in a browser. Log in with the username admin and the appropriate password.
At this point, the Server is ready to start serving Workers.