Improve interactive tool support (UtrechtUniversity#20)

* Update docs
* Improve interactive tool support (Pulsar Embedded)

README.md

@@ -31,14 +31,19 @@ Galaxy is configured such that members of the CO that are in the SRAM workspace
 
 The component takes the following parameters:
 
-* `src_galaxy_version`: set to e.g. `23.0` (default) to control the version of Galaxy that will be installed.
+* `src_galaxy_version`: String. Set to e.g. `23.2` (default) to control the version of Galaxy that will be installed.
+* `src_galaxy_api_exposed`: Boolean. if `true` (default), the `/api` route does not require authentication via Single Sign-On.
 * `src_ibridges`: Boolean (default: `true`). Whether to enable support for the [iBridges](https://github.com/UtrechtUniversity/galaxy-tools-ibridges) tool for connecting to Yoda and iRODS instances. Implies `src_galaxy_bootstrap`, and adds iBridges to the list of tools to be installed automatically.
+* `src_galaxy_jobs_docker`: Boolean. Enables Galaxy support for running jobs in Docker containers. Any jobs that *can* be run in a docker container will be---jobs that cannot will be run in the default manner (in a `conda` env). Runnings jobs in a container may be slower than running them locally, so consider turning this feature off if not needed.
+* `src_galaxy_pulsar_embedded`: Boolean (default: `true`). Runs any Docker jobs with the 'Pulsar Embedded' runner, which provides better data isolation (without it, [Docker containers have access to the entire data directory](https://training.galaxyproject.org/training-material/topics/admin/tutorials/interactive-tools/tutorial.html#securing-interactive-tools)). However, this causes another performance hit: job data needs to be copied to the container.
+* `src_galaxy_interactive_tools`: if `true` (default), support for [interactive tools](https://docs.galaxyproject.org/en/master/admin/special_topics/interactivetools.html) is enabled. **Note**: this implies *src_galaxy_jobs_docker*, and the accompanying performance hits.
+* `src_galaxy_co_admin_group`: String group corresponding to an SRAM group. Members of this SRAM group will be made Galaxy admin users.
+* `src_galaxy_bootstrap`: if `true` (default), will attempt to install workflows, dataproviders and tools as configured by the following options:
+    * `src_galaxy_tool_files`: String of comma-separated paths to YAML files (in this repo) containing tool specifications.
+    * `src_galaxy_workflow_files`: String of comma-separated paths to `.ga` files (in this repo) containing workflow specifications.
+    * `src_galaxy_custom_repo`: **Interactive parameter**. String URL to a git repo containing workflow files (in the `workflows` dir of the root of the repo) and tool specification files (in the `tools` dir). Example repo: 
+    * `src_galaxy_custom_repo_branch`: **Interactive parameter**. String branch of the custom repo to be used.
 * `src_galaxy_storage_path`: **Interactive parameter**. Default: `/srv/galaxy/datadir`. Path where Galaxy's "mutable data directory" will be located, including the following files:
 
-```
-# ls /srv/galaxy/datadir/
-cache  config  datasets  dependencies  gravity  jobs  log  shed_tools  tool_data
-```
-
 If you attach additional networked storage to the workspace, you can set `src_galaxy_storage_path` to a path on that storage volume. If your storage is e.g. called "galaxy storage", set the parameter to: `/data/galaxy_storage/datadir`. In theory, this should allow you to re-use datasets, tools, etc. from previous Galaxy workspaces.
 

galaxysrv.yml

@@ -26,7 +26,7 @@
 
   roles:
     - role: geerlingguy.docker
-      when: not _molecule_active
+      when: not _molecule_active and _galaxy_jobs_docker
     - role: uusrc.general.nginx_reverse_proxy
       vars:
         nginx_reverse_proxy_locations: "{{ galaxy_nginx_vhost_config }}"
@@ -40,7 +40,17 @@
 
   tasks:
 
-    - name: Configure nginx for interactive tools
+    - name: Copy default tool config
+      tags: molecule-idempotence-notest
+      ansible.builtin.copy:
+        remote_src: true
+        src: "{{ galaxy_server_dir }}/config/tool_conf.xml.sample"
+        dest: "{{ galaxy_config_dir }}/tool_conf.xml"
+        owner: "{{ galaxy_privsep_user }}"
+        group: "{{ galaxy_user }}"
+        mode: "644"
+
+    - name: Enable interactive tools
       ansible.builtin.include_tasks: tasks/interactive_tools.yml
       when: _galaxy_use_interactive_tools
 

tasks/interactive_tools.yml

@@ -1,8 +1,16 @@
 ---
-- ansible.builtin.template:
+- name: Add interactive tool proxy conf for nginx
+  ansible.builtin.template:
     src: "templates/nginx/galaxy-gie-proxy.j2"
     dest: "/etc/nginx/conf.d/gie-server.conf"
     mode: "0640"
     owner: "www-data"
     group: "www-data"
   notify: restart nginx
+
+- name: Remove comment to activate default interactive tools
+  # match [\d\D\n] to match digits, non-digits, and newlines -- this is because .* does not match newlines in ansible.builtin.replace
+  ansible.builtin.replace:
+    path: "{{ galaxy_config_dir }}/tool_conf.xml"
+    regexp: '\s*<!--\s*\n.*(<section id="interactivetools" name="Interactive tools">[\d\D\n]*</section>)\n\s*-->'
+    replace: '\n  \1'

templates/galaxy/config/job_conf.xml.j2

@@ -1,22 +1,32 @@
 <job_conf>
+    <handlers assign_with="db-skip-locked" />
     <plugins workers="4">
         <plugin id="local" type="runner" load="galaxy.jobs.runners.local:LocalJobRunner"/>
+        <plugin id="pulsar_embedded" type="runner" load="galaxy.jobs.runners.pulsar:PulsarEmbeddedJobRunner">
+            <param id="pulsar_config">/srv/galaxy/config/pulsar_app.yml</param>
+        </plugin>
     </plugins>
-    <destinations default="docker_dispatch">
+    <destinations default="{{ 'docker_dispatch' if _galaxy_jobs_docker else 'local' }}">
         <destination id="local" runner="local"/>
-        <destination id="docker_local" runner="local">
+        {% if _galaxy_jobs_docker %}
+        <destination id="docker_local" runner="{{ 'pulsar' if _galaxy_jobs_pulsar_embedded else 'local'  }}">
             <param id="docker_enabled">true</param>
             <param id="docker_volumes">$defaults</param>
             <param id="docker_sudo">false</param>
             <param id="docker_net">bridge</param>
             <param id="docker_auto_rm">true</param>
             <param id="docker_set_user"></param>
             <param id="require_container">true</param>
+            {% if _galaxy_jobs_pulsar_embedded %}
+            <param id="container_monitor_result">callback</param>
+            <env id="REQUESTS_CA_BUNDLE">/etc/ssl/certs/ca-certificates.crt</env>
+            {% endif %}
         </destination>
         <destination id="docker_dispatch" runner="dynamic">
             <param id="type">docker_dispatch</param>
             <param id="docker_destination_id">docker_local</param>
             <param id="default_destination_id">local</param>
         </destination>
+        {% endif %}
     </destinations>
 </job_conf>

templates/galaxy/config/pulsar_app.yml.j2

@@ -0,0 +1,16 @@
+---
+
+# The path where per-job directories will be created
+staging_directory: "{{ galaxy_job_working_directory }}/_pulsar_embedded"
+
+# Where Pulsar state information will be stored (e.g. currently active jobs)
+persistence_directory: "{{ galaxy_mutable_data_dir }}/pulsar"
+
+# Where to find Galaxy tool dependencies
+tool_dependency_dir: "{{ galaxy_tool_dependency_dir }}"
+
+# How to run jobs (see https://pulsar.readthedocs.io/en/latest/job_managers.html)
+managers:
+  _default_:
+    type: queued_python
+    num_concurrent_jobs: 1

vars/galaxy_vars.yml

@@ -23,6 +23,8 @@ galaxy_config_templates:
     dest: "{{ galaxy_config_dir }}/user_preferences_extra_conf.yml"
   - src: templates/galaxy/config/job_conf.xml.j2
     dest: "{{ galaxy_config_dir }}/job_conf.xml"
+  - src: templates/galaxy/config/pulsar_app.yml.j2
+    dest: "{{ galaxy_config_dir }}/pulsar_app.yml"
 postgresql_objects_users:
   - name: galaxy
     password: null
@@ -39,7 +41,8 @@ galaxy_configuration:
     database_connection: "postgresql:///galaxy?host=/var/run/postgresql"
     file_path: "{{ galaxy_mutable_data_dir }}/datasets"
     job_config_file: "{{ galaxy_config_dir }}/job_conf.xml"
-    user_preferences_extra_conf_file: "{{ galaxy_config_dir }}/user_preferences_extra_conf.yml"
+    tool_config_file: "{{ galaxy_config_dir }}/tool_conf.xml"
+    user_preferences_extra_conf_path: "{{ galaxy_config_dir }}/user_preferences_extra_conf.yml"
     interactivetools_enable: "{{ _galaxy_use_interactive_tools }}"
     interactivetools_map: "{{ _galaxy_use_interactive_tools | ternary(gie_proxy_sessions_path, omit) }}"
     galaxy_infrastructure_url: "{{ _galaxy_local_address }}"
@@ -72,7 +75,7 @@ galaxy_configuration:
       loglevel: DEBUG
     handlers:
       handler:
-        processes: 2
+        processes: 4
         pools:
           - job-handlers
           - workflow-schedulers

vars/src_galaxy_vars.yml

@@ -14,6 +14,9 @@ _galaxy_custom_repo_branch: "{{ src_galaxy_custom_repo_branch | default('main',
 _galaxy_api_exposed: "{{ src_galaxy_api_exposed | default(true, true) }}"
 _galaxy_use_interactive_tools: "{{ src_galaxy_interactive_tools | default(true, true) | bool }}"
 _galaxy_server_fqdn: "{{ workspace_fqdn | default('localhost', true) }}"
+_galaxy_jobs_docker: "{{ _galaxy_use_interactive_tools or (src_galaxy_jobs_docker | default(true, false) | bool )  }}"
+_galaxy_jobs_pulsar_embedded: "{{ src_galaxy_pulsar_embedded | default(_galaxy_use_interactive_tools, true) | bool }}"
+
 # Note that some component parameters are also used in galaxy_vars.yml:
 # src_galaxy_storage_path
 # src_galaxy_version