-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Local and Secure Deployment of Broadsea (and related Deployments) #100
Comments
Here are some additional ideas you could investigate which may enable some secure sites to run the Broadsea container images: Podman - doesn’t run as root, and no Docker service running on server: Kubernetes - may be a good option if a site is already using it for other applications AWS Elastic Container Service (ECS) or other cloud container service equivalent This AWS Whitepaper - Architecting for HIPAA Security and Compliance on AWS may be a useful reference for secure cloud services approach: Note. A local site install of PostgreSQL or cloud database service like AWS RDS is recommended for Broadsea production use instead of the demo broadsea-atladb container image. There is also an OHDSI-in-a-box virtual server image that doesn’t use Docker here (Windows or Linux OS): |
ContainerdContainerd is a container runtime that uses Open Container Initiative (OCI) standards and can be used with both Linux and Windows daemons. Dependencies:
Pros
Cons
VagrantVagrant is a tool for building and managing virtual machine environments. This can be paired with a hypervisor of choice. Dependencies:
Pros
Cons
Nix and NixOSNix is a tool for package management and creating reproducible, declarative and reliable systems. Dependencies:
Pros
Cons
|
Ideally, we could just leverage the same compose setup. Do any of these work with docker compose files? I see podman can (mostly). |
nerdctl is a drop-in replacement for docker-compose and should run the same yml format without any reformatting. I am currently testing it and hcsshim referencing a write-up by James Sturtevant, and another by Markus Lippert. What's promising here is Hyper-V is not necessarily needed if the same version of windows is used as the container image. If this is possible for Linux/OSX as well it may help with any situations in which virtualization permissions is the main issue. |
I think once we select a Docker alternative (that is compose compliant), let's test it in GitHub Actions here to gain evidence that the approach can work. |
@alondhe Broadsea on Podman is working locally for me with a OCI translated image. I should be able to submit a pull later tonight/tomorrow as a proof of concept w/ readme. I also suggest looking into CRI-O and Windows Containers as two other runtimes to support. If Docker, Podman, CRI-O and Windows Containers OR virtualization in general are not options -- I think only a local install would be feasible. This is out-of-scope and non-container related but there have also been some efforts to run portable Shiny apps locally (1, 1.1, 2) using Electron and R-Portable that may fit some use-cases. |
This is great @haydenbspence - thanks for working on this! |
My testing with Podman really only worked when removing the following:
I also don't see a non-system specific way to fix the 80 / 443 issue with non-admin/root users. OHDSI/Broadsea/tree/podman seems to be in-line with this. |
Official release notes for Podman 1.2 adds support for compose |
Is it fair to say Podman is the most supported alternative? I'd want to stick to platforms that have long term viability if possible. |
Yes, Podman looks like a solid alternative for deployments in unique security situations that Docker doesn't cover. Here's why:
If a tech department isn't behind Docker or Podman, other choices are probably in 'shadow IT' territory, like nerdctl. Podman does have a hitch - it needs WSL for Windows Servers and can't work with Windows Containers like Docker can. This is due to how it uses Namespaces, and might never change. So far, I haven't found alternatives that support both Windows Containers and daemonless/rootless deployment. Though this might change (as mentioned in this article), it's too early to adopt. We're better off waiting for more support from Microsoft. Check out Ajit's branch of Podman. Closing the issue, reopen if Podman does not fulfill your site's needs or some magic is discovered we didn't find. |
Purpose
This is a general issue to house the discussion of deploying Broadsea in local, secure, and similar environments, whether that is by adjusting Docker or modeling separate technologies after Broadsea's Docker implementation to deploy the suite.
Problem Statement
Docker is often not able to be deployed by default in some environments. IT departments may have default environment settings that do not allow for Docker. In some settings, this may involve a lengthy process of paperwork and approvals to change, which increases the barriers to using Broadsea. In other settings, the deployment may not be feasible at all due to policy.
Types of Problems
Security: The permissions provided to a user may not allow for some of the aspects of Docker or the technologies in docker-compose. However, it would be possible using different tooling that the same functionality could be possible under default user permissions.
Firewalls: The ports necessary may not be able to be opened, even locally, depending on the security settings. This may impact the Broadsea database deployment and WebAPI in particular.
Virtualization Performance/Security: The secure environment is hosted on a server, which is frequently a virtualization itself. For both security and performance reasons IT Admins may not approve of virtualization on top of virtualization.
Detailed Analysis
The following are considerations that IT offices often include in their analysis. This may be helpful when evaluating Docker alternatives. However, organization policies also factor into permissibility.
Initial Ideas
Forum Post
The text was updated successfully, but these errors were encountered: