3.4. Deploy#

The vantage6 server is a Flask application, that uses python-socketio for socketIO connections. The server runs as a standalone process (listening on its own ip address/port).

There are many deployment options. We simply provide a few examples.

Note

Because the server uses socketIO to exchange messages with the nodes and users, it is not trivial to horizontally scale the server. To prevent that socket messages get lost:

  • you should deploy a RabbitMQ service and configure the server to use it. This section explains how to do so.

  • you should ensure sticky sessions are enabled in your load balancer.

3.4.1. NGINX#

Two examples are provided below. The first example shows how to configure NGINX with a basic setup, which is suitable if you do not require the horizontal scaling feature. The second example shows how to configure NGINX with sticky sessions.

Note

SSL is not configured in these examples.

The most basic setup is to have a single backend server.

server {

    # Public port
    listen 80;
    server_name _;

    # vantage6-server. In the case you use a sub-path here, make sure
    # to forward also it to the proxy_pass
    location /subpath {
        include proxy_params;

        # internal ip and port
        proxy_pass http://127.0.0.1:5000/subpath;
    }

    # Allow the websocket traffic
    location /socket.io {
        include proxy_params;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://127.0.0.1:5000/socket.io;
    }
}

The following example shows how to configure NGINX where there are 3 backend servers that are behind a load balancer. The load balancer is configured to use sticky sessions.

upstream backend {
    server backend1.example.com;
    server backend2.example.com;
    server backend3.example.com;

    sticky name=sessionid path=/;
}

server {

    # Public port
    listen 80;
    server_name _;

    # vantage6-server. In the case you use a sub-path here, make sure to forward also
    # it to the proxy_pass
    location /subpath {
        include proxy_params;

        # internal ip and port
        proxy_pass http://backend/subpath;
    }

    # Allow the websocket traffic
    location /socket.io {
        include proxy_params;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass http://backend/socket.io;
    }
}

Note

When you Configure the server, make sure to include the /subpath that has been set in the NGINX configuration into the api_path setting (e.g. api_path: /subpath/api)

3.4.2. Docker compose#

An alternative to v6 server start is to use docker-compose. Below is an example of a docker-compose.yml file that may be used to start the server. Obviously, you may want to change this to your own situation. For example, you may want to use a different image tag, or you may want to use a different port.

services:
  vantage6-server:
    image: harbor2.vantage6.ai/infrastructure/server:cotopaxi
    ports:
    - "8000:80"
    volumes:
    - /path/to/my/server.yaml:/mnt/config.yaml
    command: ["/bin/bash", "-c", "/vantage6/vantage6-server/server.sh"]

If you wanted to set up a strong initial super user password, you can make use of V6_INIT_SUPER_PASS_HASHED_FILE. For this, your docker-compose file could look something like this if you want to use secrets in docker compose:

services:
  vantage6-server:
    image: harbor2.vantage6.ai/infrastructure/server:cotopaxi
    ports:
    - "8000:80"
    environment:
      # Set the path to the file containing the hashed password
      V6_INIT_SUPER_PASS_HASHED_FILE: /run/secrets/super-pass-hashed
      # Alternatively, you can also set the hashed password directly
      #V6_INIT_SUPER_PASS_HASHED: $2b$12$...
    volumes:
    - /path/to/my/server.yaml:/mnt/config.yaml
    command: ["/bin/bash", "-c", "/vantage6/vantage6-server/server.sh"]
    secrets:
    - super-pass-hashed

secrets:
    super-pass-hashed:
        file: /path/to/my/super-pass-hashed-root-only

To generate the hashed password, you can use the following script:

import getpass
import bcrypt

# read from stdin, to avoid having the password in the command history
password = getpass.getpass().encode('utf-8')
print(bcrypt.hashpw(password, bcrypt.gensalt()).decode('utf-8'))

Or, if you prefer it in a one-liner:

python3 -c "import getpass; import bcrypt; print(bcrypt.hashpw(getpass.getpass().encode('utf-8'), bcrypt.gensalt()).decode('utf-8'))" > /path/to/my/super-pass-hashed-root-only

Note

Note that there might be better ways of passing a secret to your container. Especially if you are using some container orchestration tool like Kubernetes or Docker Swarm. If you use above method, do make sure root has exclusive read access to the file containing the hashed password.