From e2c805940e64064fa6876c2720057626ab18217d Mon Sep 17 00:00:00 2001 From: Tadej Date: Mon, 12 Jul 2021 20:06:37 +0300 Subject: [PATCH 01/17] Replace Nginx with Traefik --- cvat_proxy/conf.d/cvat.conf.template | 22 -- cvat_proxy/nginx.conf | 18 -- docker-compose.https.yml | 35 +++ docker-compose.yml | 74 ++--- .../administration/basics/installation.md | 296 +++--------------- 5 files changed, 120 insertions(+), 325 deletions(-) delete mode 100644 cvat_proxy/conf.d/cvat.conf.template delete mode 100644 cvat_proxy/nginx.conf create mode 100644 docker-compose.https.yml diff --git a/cvat_proxy/conf.d/cvat.conf.template b/cvat_proxy/conf.d/cvat.conf.template deleted file mode 100644 index 0c7ab685f39a..000000000000 --- a/cvat_proxy/conf.d/cvat.conf.template +++ /dev/null @@ -1,22 +0,0 @@ -server { - listen 80; - server_name _ default; - return 404; -} - -server { - listen 80; - server_name ${CVAT_HOST}; - - proxy_pass_header X-CSRFToken; - proxy_set_header Host $http_host; - proxy_pass_header Set-Cookie; - - location ~* /api/.*|git/.*|opencv/.*|analytics/.*|static/.*|admin(?:/(.*))?.*|documentation/.*|django-rq(?:/(.*))? { - proxy_pass http://cvat:8080; - } - - location / { - proxy_pass http://cvat_ui; - } -} diff --git a/cvat_proxy/nginx.conf b/cvat_proxy/nginx.conf deleted file mode 100644 index 105f76b02bb0..000000000000 --- a/cvat_proxy/nginx.conf +++ /dev/null @@ -1,18 +0,0 @@ -worker_processes 2; - - -events { - worker_connections 1024; -} - -http { - include mime.types; - default_type application/octet-stream; - sendfile on; - keepalive_timeout 65; - # For long domain names (e.g. AWS hosts) - server_names_hash_bucket_size 128; - - include /etc/nginx/conf.d/*.conf; - client_max_body_size 0; -} diff --git a/docker-compose.https.yml b/docker-compose.https.yml new file mode 100644 index 000000000000..92c8d5b19170 --- /dev/null +++ b/docker-compose.https.yml 
@@ -0,0 +1,35 @@
+version: '3.3'
+
+services:
+ cvat:
+ labels:
+ - traefik.http.routers.cvat.entrypoints=websecure
+ - traefik.http.routers.cvat.tls.certresolver=lets-encrypt
+
+ cvat_ui:
+ labels:
+ - traefik.http.routers.cvat-ui.entrypoints=websecure
+ - traefik.http.routers.cvat-ui.tls.certresolver=lets-encrypt
+
+ traefik:
+ image: traefik:v2.4
+ container_name: traefik
+ command:
+ - "--providers.docker.exposedByDefault=false"
+ - "--providers.docker.network=test"
+ - "--entryPoints.web.address=:80"
+ - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
+ - "--entryPoints.web.http.redirections.entryPoint.scheme=https"
+ - "--entryPoints.websecure.address=:443"
+ - "--certificatesResolvers.lets-encrypt.acme.email=${ACME_EMAIL:?Please set the ACME_EMAIL env variable}"
+ - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true"
+ - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json"
+ # Uncomment to get Traefik dashboard
+ - "--api.insecure=true"
+ ports:
+ - 443:443
+ volumes:
+ - cvat_letsencrypt:/letsencrypt
+
+volumes:
+ cvat_letsencrypt:
diff --git a/docker-compose.yml b/docker-compose.yml
index ce09604465ba..778e0df90cf9 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,18 +1,9 @@ -# -# Copyright (C) 2018-2021 Intel Corporation -# -# SPDX-License-Identifier: MIT -# version: '3.3' services: cvat_db: container_name: cvat_db image: postgres:10-alpine - networks: - default: - aliases: - - db restart: always environment: POSTGRES_USER: root
@@ -20,15 +11,15 @@ services: POSTGRES_HOST_AUTH_METHOD: trust volumes: - cvat_db:/var/lib/postgresql/data + networks: + - cvat cvat_redis: container_name: cvat_redis image: redis:4.0-alpine - networks: - default: - aliases: - - redis restart: always + networks: + - cvat cvat: container_name: cvat
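Review bot: The ACME state the resolver writes to `/letsencrypt/acme.json` (account and certificate material, including private keys) lives only in the `cvat_letsencrypt` named volume, and nothing in the file says so; a `docker-compose down -v` or a volume prune would discard it and force re-issuance, which is what Let's Encrypt rate limits punish. Add a comment on the volume definition such as `# ACME account key and issued certificates/keys; removing this volume (down -v) triggers re-issuance against Let's Encrypt rate limits`. As a point of style, the port mapping should be quoted, `- "443:443"`, matching the usual docker-compose convention so that other port values added later do not hit YAML implicit typing.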
@@ -43,47 +34,56 @@ services: CVAT_REDIS_HOST: 'cvat_redis' CVAT_POSTGRES_HOST: 'cvat_db' ADAPTIVE_AUTO_ANNOTATION: 'false' + labels: + - traefik.enable=true + - traefik.http.services.cvat.loadbalancer.server.port=80 + - traefik.http.routers.cvat.rule=Host(`${CVAT_HOST:-localhost}`) && + PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`) + - traefik.http.routers.cvat.entrypoints=web volumes: - cvat_data:/home/django/data - cvat_keys:/home/django/keys - cvat_logs:/home/django/logs + networks: + - cvat cvat_ui: container_name: cvat_ui image: openvino/cvat_ui restart: always - networks: - default: - aliases: - - ui depends_on: - cvat - - cvat_proxy: - container_name: cvat_proxy - image: nginx:stable-alpine - restart: always - depends_on: + labels: + - traefik.enable=true + - traefik.http.services.cvat-ui.loadbalancer.server.port=80 + - traefik.http.routers.cvat-ui.rule=Host(`${CVAT_HOST:-localhost}`) + - traefik.http.routers.cvat-ui.entrypoints=web + networks: - cvat - - cvat_ui - environment: - CVAT_HOST: localhost + + traefik: + image: traefik:v2.4 + container_name: traefik + command: + - "--providers.docker.exposedByDefault=false" + - "--providers.docker.network=test" + - "--entryPoints.web.address=:80" + # Uncomment to get Traefik dashboard + - "--api.insecure=true" ports: - - '8080:80' + - 80:80 + # Uncomment to get Traefik dashboard + - 8080:8080 volumes: - - ./cvat_proxy/nginx.conf:/etc/nginx/nginx.conf:ro - - ./cvat_proxy/conf.d/cvat.conf.template:/etc/nginx/conf.d/cvat.conf.template:ro - command: /bin/sh -c "envsubst '$$CVAT_HOST' < /etc/nginx/conf.d/cvat.conf.template > /etc/nginx/conf.d/default.conf && nginx -g 'daemon off;'" - -networks: - default: - ipam: - driver: default - config: - - subnet: 172.28.0.0/24 + - /var/run/docker.sock:/var/run/docker.sock:ro + networks: + - cvat volumes: cvat_db: cvat_data: cvat_keys: cvat_logs: + +networks: + cvat: \ No newline at end of file 
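Review bot: The `traefik` service bind-mounts `/var/run/docker.sock`, and the `:ro` flag only makes the socket file read-only — API calls over it are unrestricted, so the internet-facing proxy holds what amounts to host-root privilege, and that should be stated in the file rather than left implicit. Add above the mount a comment such as `# Docker API access is host-root equivalent; :ro does not restrict API calls — prefer a read-only socket proxy`, and consider pointing the Docker provider at such a proxy instead of the raw socket; `exposedByDefault=false` with explicit `traefik.enable=true` labels is the right default to keep. The routing between the `cvat` and `cvat-ui` routers, which both match `Host(...)`, appears to rely on Traefik's default router priority (rule length) to send the `PathPrefix` paths to `cvat`; a one-line comment on the `cvat` rule saying so would save the next maintainer from breaking it by shortening the rule.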
diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index 2aa91205cc2d..1c6e2179a397 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md @@ -281,6 +281,42 @@ which starts containers and add JSON such as the following: These environment variables are set automatically within any container. Please see the [Docker documentation](https://docs.docker.com/network/proxy/) for more details. +### Using the Traefik dashboard + +If you are customizing the docker compose files and you come upon some unexpected issues, using the Traefik +dashboard might be very useful to see if the problem is with Traefik configuration, or with some of the services. + +You can enable the Traefik dashboard by uncommenting the following lines from `docker-compose.yml` + +``` +services: + # ... + traefik: + # ... + command: + # ... + # Uncomment to get Traefik dashboard + # - "--api.insecure=true" + ports: + - 80:80 + # Uncomment to get Traefik dashboard + # - 8080:8080 +``` + +and if you are using `docker-compose.https.yml`, also uncomment this line +``` +services: + # ... + traefik: + # ... + command: + # ... + # Uncomment to get Traefik dashboard + # - "--api.insecure=true" +``` + +Note that this "insecure" dashboard is not recommended in production (and if your instance is publicly available); if you want to keep the dashboard in production you should read Traefik's [documentation](https://doc.traefik.io/traefik/operations/dashboard/) on how to properly secure it. + ### Additional components - [Analytics: management and monitoring of data annotation team](/docs/administration/advanced/analytics/) 
@@ -304,24 +340,14 @@ created by `up`. docker-compose down ``` -### Advanced settings - -If you want to access your instance of CVAT outside of your localhost you should -specify the `CVAT_HOST` environment variable. The best way to do that is to create -[docker-compose.override.yml](https://docs.docker.com/compose/extends/) and put -all your extra settings here. +### Use your own domain -```yml -version: '3.3' +If you want to access your instance of CVAT outside of your localhost (on another domain), +you should specify the `CVAT_HOST` environment variable, like this: -services: - cvat_proxy: - environment: - CVAT_HOST: .example.com ``` - -Please don't forget include this file to docker-compose commands using the `-f` -option (in some cases it can be omitted). +export CVAT_HOST= +``` ### Share path 
@@ -384,244 +410,18 @@ to install and set up remote access to CVAT on a Scaleway cloud instance with da ### Deploy secure CVAT instance with HTTPS -Certificates (issued by let's encrypt) to cloud instance. - -#### Prerequisites - -We assume that: - -- you have a virtual instance (machine) in the cloud provider with docker installed; -- there is no root permissions required if user is in docker group; -- there is no services listen 80 and 443 tcp ports on virtual instance. - -There are multiple approaches. Our approach suggests: - -- easy setup automatic certificate updates; -- leave certificates in safe place on docker host (protect from `docker-compose down` cleanup); -- no unnecessary certificate files copying between container and host. - -#### Roadmap - -We will go through the following sequence of steps to get CVAT over HTTPS: - -- Install [acme.sh](https://github.com/acmesh-official/acme.sh) on the virtual instance (docker host). -- Configure Nginx site template `HOME/cvat/cvat_proxy/conf.d/cvat.conf.template` used in `cvat_proxy` container. -- Deploy CVAT services in the most common way with docker-compose utilizes default HTTP scheme. -- Create the https certificates with `acme.sh` client. -- Reconfigure Nginx to serve over HTTPS. -- Make sure that certificates will be able to automatically update via cron job. - -#### Step-by-step instructions - -##### 1. Make the proxy listen on 80 and 443 ports - -Prepare nginx for the ACME challenge via webroot method - -Let's assume the server domain name is `CVAT.example.com`. - -Clone repo and point you shell in cvat repository directory, usually `cd $HOME/cvat`: - -Install and create the required directories for letsencrypt webroot operation and acme folder passthrough. 
- -```bash -# on the docker host - -# this will create ~/.acme.sh directory -curl https://get.acme.sh | sh - -# create a subdirs for acme-challenge webroot manually -mkdir -p $HOME/cvat/letsencrypt-webroot/.well-known/acme-challenge -``` - -Create `docker-compose.override.yml` in repo root like follows: - -> modify CVAT_HOST with your own domain name -> (nginx tests the request’s header field “Host” to determine which server the request should be routed to) - -```yaml -version: '3.3' - -services: - cvat_proxy: - environment: - CVAT_HOST: CVAT.example.com - ports: - - '80:80' - - '443:443' - volumes: - - ./letsencrypt-webroot:/var/tmp/letsencrypt-webroot - - /etc/ssl/private:/etc/ssl/private - - cvat: - environment: - ALLOWED_HOSTS: '*' -``` - -Update a CVAT site proxy template `$HOME/cvat/cvat_proxy/conf.d/cvat.conf.template` on docker(system) host. -Site config updates from this template each time `cvat_proxy` container start. - -Add a location to server with `server_name ${CVAT_HOST};` ahead others: - -``` - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/tmp/letsencrypt-webroot; - } -``` - -Make the changes where necessary, e.g. base.py or somewhere else. - -Build the containers with new configurations updated in `docker-compose.override.yml` - -E.g. including `analytics` module: +Using Traefik, you can automatically obtain TLS certificate for your domain from Let's Encrypt, enabling you to use HTTPS protocol to access your website. -``` -docker-compose -f docker-compose.yml -f components/analytics/docker-compose.analytics.yml -f docker-compose.override.yml up -d --build -``` - -Your server should be available (and unsecured) at `http://CVAT.example.com` - -Something went wrong ? The most common cause is a containers and images cache which were built earlier. 
- -This will enable serving `http://CVAT.example.com/.well-known/acme-challenge/` -route from `/var/tmp/letsencrypt-webroot` directory on the container's filesystem -which is bind mounted from docker host `$HOME/cvat/letsencrypt-webroot`. -That volume needed for issue and renewing certificates only. - -Another volume `/etc/ssl/private` should be used within web server according to [acme.sh](https://github.com/acmesh-official/acme.sh#3-install-the-cert-to-apachenginx-etc) documentation - -At this point your deployment is up and running, ready for run acme-challenge for issue a new certificate - -##### 2. Issue a certificate and run HTTPS versions with `acme.sh` helper - -###### Create certificate files using an ACME challenge on docker host - -**Prepare certificates** - -Point you shell in cvat repository directory, usually `cd $HOME/cvat` on docker host. - -Let’s Encrypt provides rate limits to ensure fair usage by as many people as possible. -They recommend utilize their staging environment instead of the production API during testing. -So first try to get a test certificate. +To enable this, first set the the `CVAT_HOST` (the domain of your website) and `ACME_EMAIL` (contact email for Let's Encrypt) environment +variables: ``` -~/.acme.sh/acme.sh --issue --staging -d CVAT.example.com -w $HOME/cvat/letsencrypt-webroot --debug +export CVAT_HOST= +export ACME_EMAIL= ``` -> Debug note: nginx server logs for cvat_proxy are not saved in container. You shall see it at docker host by with: `docker logs cvat_proxy`. 
+Then, use the `docker-compose.https.yml` file to override the base `docker-compose.yml` file: -If certificates is issued a successful we can test a renew: - -``` -~/.acme.sh/acme.sh --renew --force --staging -d CVAT.example.com -w $HOME/cvat/letsencrypt-webroot --debug ``` - -**Remove test certificate, if success** - -``` -~/.acme.sh/acme.sh --remove -d CVAT.example.com --debug -rm -r /root/.acme.sh/CVAT.example.com -``` - -**Issue a production certificate** - -``` -~/.acme.sh/acme.sh --issue -d CVAT.example.com -w $HOME/cvat/letsencrypt-webroot --debug -``` - -**Install production certificate and a user cron job (`crontab -e`) for update it** - -This will copy necessary certificate files to a permanent directory for serve. -According to acme.sh [documentation](https://github.com/acmesh-official/acme.sh#3-install-the-cert-to-apachenginx-etc) - -Additionally, we must create a directory for our domain. -Acme supports a valid install configuration options in domain config file -E.g. `~/.acme.sh/CVAT.example.com/lsoft-cvat.cvisionlab.com.conf`. - -``` -mkdir /etc/ssl/private/CVAT.example.com - -acme.sh --install-cert -d CVAT.example.com \ ---cert-file /etc/ssl/private/CVAT.example.com/site.cer \ ---key-file /etc/ssl/private/CVAT.example.com/site.key \ ---fullchain-file /etc/ssl/private/CVAT.example.com/fullchain.cer \ ---reloadcmd "/usr/bin/docker restart cvat_proxy" -``` - -Down the cvat_proxy container for setup https with issued certificate. - -```bash -docker stop cvat_proxy -``` - -**Reconfigure nginx for use certificates** - -Bring the configuration file `$HOME/cvat/cvat_proxy/conf.d/cvat.conf.template` to the following form: - -- add location with redirect `return 301` from http to https port; -- change main cvat server to listen on 443 port; -- add ssl certificates options. 
- -Final configuration file should look like: - -> for a more accurate proxy configuration according to upstream, -> do not neglect the verification with -> this configuration [file](https://github.com/openvinotoolkit/cvat/blob/v1.2.0/cvat_proxy/conf.d/cvat.conf.template). - -``` -server { - listen 80; - server_name _ default; - return 404; -} - -server { - listen 80; - server_name ${CVAT_HOST}; - - location ^~ /.well-known/acme-challenge/ { - default_type "text/plain"; - root /var/tmp/letsencrypt-webroot; - } - - location / { - return 301 https://$server_name$request_uri; - } -} - -server { - listen 443 ssl; - server_name ${CVAT_HOST}; - - ssl_certificate /etc/ssl/private/${CVAT_HOST}/site.cer; - ssl_certificate_key /etc/ssl/private/${CVAT_HOST}/site.key; - ssl_trusted_certificate /etc/ssl/private/${CVAT_HOST}/fullchain.cer; - - # security options - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_prefer_server_ciphers on; - ssl_stapling on; - ssl_session_timeout 24h; - ssl_session_cache shared:SSL:2m; - ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES'; - - proxy_pass_header X-CSRFToken; - proxy_set_header Host $http_host; - proxy_pass_header Set-Cookie; - - location ~* /api/.*|git/.*|analytics/.*|static/.*|admin(?:/(.*))?.*|documentation/.*|django-rq(?:/(.*))? 
{ - proxy_pass http://cvat:8080; - } - - location / { - proxy_pass http://cvat_ui; - } -} - -``` - -Start cvat_proxy container with https enabled. - -```bash -docker start cvat_proxy +docker-compose -f docker-compose.yml -f docker-compose.https.yml up -d ``` From 73762f1b51cc1e6ce4163dc0a5947ea7bbccd2f0 Mon Sep 17 00:00:00 2001 From: Tadej Date: Mon, 12 Jul 2021 20:07:45 +0300 Subject: [PATCH 02/17] Comment Traefik dashboard commands and ports --- docker-compose.https.yml | 2 +- docker-compose.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docker-compose.https.yml b/docker-compose.https.yml index 92c8d5b19170..439c58cd60c1 100644 --- a/docker-compose.https.yml +++ b/docker-compose.https.yml @@ -25,7 +25,7 @@ services: - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true" - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json" # Uncomment to get Traefik dashboard - - "--api.insecure=true" + # - "--api.insecure=true" ports: - 443:443 volumes: diff --git a/docker-compose.yml b/docker-compose.yml index 778e0df90cf9..2da29b3cf45f 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -69,11 +69,11 @@ services: - "--providers.docker.network=test" - "--entryPoints.web.address=:80" # Uncomment to get Traefik dashboard - - "--api.insecure=true" + # - "--api.insecure=true" ports: - 80:80 # Uncomment to get Traefik dashboard - - 8080:8080 + # - 8080:8080 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro networks: From 38c84c27f3be563113690b6f821caa4c2e86f43a Mon Sep 17 00:00:00 2001 From: Tadej Date: Mon, 12 Jul 2021 20:14:33 +0300 Subject: [PATCH 03/17] Fix cvat service port --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index 2da29b3cf45f..5059c68ad7d5 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -36,7 +36,7 @@ services: ADAPTIVE_AUTO_ANNOTATION: 'false' labels: - traefik.enable=true - - traefik.http.services.cvat.loadbalancer.server.port=80 + - traefik.http.services.cvat.loadbalancer.server.port=8080 - traefik.http.routers.cvat.rule=Host(`${CVAT_HOST:-localhost}`) && PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`) - traefik.http.routers.cvat.entrypoints=web From 21c940fd7ed0360b3e2e6f1ef97da2d5bf7225a5 Mon Sep 17 00:00:00 2001 From: Tadej Date: Mon, 12 Jul 2021 21:13:34 +0300 Subject: [PATCH 04/17] Simplify traefik dashboard instructions --- site/content/en/docs/administration/basics/installation.md | 7 ------- 1 file changed, 7 deletions(-) diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index 1c6e2179a397..357077120ee1 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md @@ -290,15 +290,11 @@ You can enable the Traefik dashboard by uncommenting the following lines from `d ``` services: - # ... traefik: - # ... command: - # ... # Uncomment to get Traefik dashboard # - "--api.insecure=true" ports: - - 80:80 # Uncomment to get Traefik dashboard # - 8080:8080 ``` @@ -306,11 +302,8 @@ services: and if you are using `docker-compose.https.yml`, also uncomment this line ``` services: - # ... traefik: - # ... command: - # ... # Uncomment to get Traefik dashboard # - "--api.insecure=true" ``` From 8892aba3da87cefd5b23ae1da3a3408d10b9e3d5 Mon Sep 17 00:00:00 2001 From: Tadej Date: Mon, 12 Jul 2021 21:38:15 +0300 Subject: [PATCH 05/17] Add license to docker-compose files --- docker-compose.https.yml | 4 ++++ docker-compose.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/docker-compose.https.yml b/docker-compose.https.yml index 439c58cd60c1..d47f6d5e9594 100644 --- a/docker-compose.https.yml +++ b/docker-compose.https.yml 
@@ -1,3 +1,7 @@ +# Copyright (C) 2018-2021 Intel Corporation +# +# SPDX-License-Identifier: MIT + version: '3.3' services: diff --git a/docker-compose.yml b/docker-compose.yml index 5059c68ad7d5..e06491b67396 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,3 +1,7 @@ +# Copyright (C) 2018-2021 Intel Corporation +# +# SPDX-License-Identifier: MIT + version: '3.3' services: From e291ea6bc6c2ac9d34a4ac88e9eeca452eee6d55 Mon Sep 17 00:00:00 2001 From: Tadej Date: Tue, 13 Jul 2021 09:00:33 +0300 Subject: [PATCH 06/17] Update all mentions of CVAT_HOST in the docs --- .../basics/AWS-Deployment-Guide.md | 11 ++--- site/content/en/docs/faq.md | 41 ++++++++++++------- 2 files changed, 29 insertions(+), 23 deletions(-) diff --git a/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md b/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md index ab52cea1675e..549d44647251 100644 --- a/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md +++ b/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md @@ -21,14 +21,10 @@ There are two ways of deploying the CVAT. [installation instructions](/docs/administration/basics/installation/). The additional step is to add a [security group and rule to allow incoming connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html). -For any of above, don't forget to add exposed AWS public IP address or hostname to `docker-compose.override.yml`: +For any of above, don't forget to set the `CVAT_HOST` environemnt variable to the exposed AWS public IP address or hostname: ``` -version: "2.3" -services: - cvat_proxy: - environment: - CVAT_HOST: your-instance.amazonaws.com +export CVAT_HOST=your-instance.amazonaws.com ``` In case of problems with using hostname, you can also use the public IPV4 instead of hostname. 
@@ -37,5 +33,4 @@ the public IPV4 and hostname changes with every stop and reboot. To address this efficiently, avoid using spot instances that cannot be stopped, since copying the EBS to an AMI and restarting it throws problems. On the other hand, when a regular instance is stopped and restarted, -the new hostname/IPV4 can be used in the `CVAT_HOST` variable in the `docker-compose.override.yml` -and the build can happen instantly with CVAT tasks being available through the new IPV4. +the new hostname/IPV4 can be used to set the `CVAT_HOST` environment variable. \ No newline at end of file diff --git a/site/content/en/docs/faq.md b/site/content/en/docs/faq.md index 169f905336b3..e3b5256938a2 100644 --- a/site/content/en/docs/faq.md +++ b/site/content/en/docs/faq.md @@ -46,21 +46,25 @@ You should free up disk space or change the threshold, to do so check: [Elastics ## How to change default CVAT hostname or port -The best way to do that is to create docker-compose.override.yml and override the host and port settings here. +To change the hostname, simply set the `CVAT_HOST` environemnt variable -version: "3.3" +``` +export CVAT_HOST= +``` -```yaml +If you want to change the port, change the `entryPoints.web.address` part of `traefik` image command in `docker-compose.yml` + +``` services: - cvat_proxy: - environment: - CVAT_HOST: example.com - ports: - - '80:80' + traefik: + command: + - "--providers.docker.exposedByDefault=false" + - "--providers.docker.network=test" + - "--entryPoints.web.address=:" ``` -Please don't forget to include this file in docker-compose commands -using the `-f` option (in some cases it can be omitted). +Note that changing the port does not make sense if you are using HTTPS - port 443 is conventionally used for HTTPS connections, +and is needed for Let's Encrypt [TLS challenge](https://doc.traefik.io/traefik/https/acme/#tlschallenge). ## How to configure connected share folder on Windows 
@@ -130,13 +134,20 @@ You should build CVAT images with ['Analytics' component](https://github.com/ope You can upload annotation for a multi-job task from the Dasboard view or the Task view. Uploading of annotation from the Annotation view only affects the current job. -## How to specify multiple hostnames for CVAT_HOST +## How to specify multiple hostnames + +To do this, you will need to edit `traefik.http..cvat.rule` docker label for both the +`cvat` and `cvat_ui` services, like so ```yaml -services: - cvat_proxy: - environment: - CVAT_HOST: example1.com example2.com + cvat: + labels: + - traefik.http.routers.cvat.rule=(Host(`example1.com`) || Host(`example2.com`)) && + PathPrefix(`/api/`, `/git/`, `/opencv/`, `/analytics/`, `/static/`, `/admin`, `/documentation/`, `/django-rq`) + + cvat_ui: + labels: + - traefik.http.routers.cvat-ui.rule=Host(`example1.com`) || Host(`example2.com`) ``` ## How to create a task with multiple jobs From 4c95b7426f15e573e8836c931fb556bf2bf65ca3 Mon Sep 17 00:00:00 2001 From: Tadej Date: Tue, 13 Jul 2021 09:05:53 +0300 Subject: [PATCH 07/17] Add link to Traefik documentation on router rules --- site/content/en/docs/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/docs/faq.md b/site/content/en/docs/faq.md index e3b5256938a2..1d461a6412f3 100644 --- a/site/content/en/docs/faq.md +++ b/site/content/en/docs/faq.md @@ -137,7 +137,7 @@ Uploading of annotation from the Annotation view only affects the current job. ## How to specify multiple hostnames To do this, you will need to edit `traefik.http..cvat.rule` docker label for both the -`cvat` and `cvat_ui` services, like so +`cvat` and `cvat_ui` services, like so (see [the documentation](https://doc.traefik.io/traefik/routing/routers/#rule) on Traefik rules for more details): ```yaml cvat: From bd4df677f0ce03cac7db6dbef0f6d3a522b6e0ff Mon Sep 17 00:00:00 2001 
From: Tadej Date: Tue, 13 Jul 2021 20:08:09 +0300 Subject: [PATCH 08/17] Return base CVAT port to 8080 --- docker-compose.https.yml | 8 +++++--- docker-compose.yml | 18 +++++++++++------- .../docs/administration/basics/installation.md | 18 +++++++++++------- 3 files changed, 27 insertions(+), 17 deletions(-) diff --git a/docker-compose.https.yml b/docker-compose.https.yml index d47f6d5e9594..cabc0842a77a 100644 --- a/docker-compose.https.yml +++ b/docker-compose.https.yml @@ -20,7 +20,7 @@ services: container_name: traefik command: - "--providers.docker.exposedByDefault=false" - - "--providers.docker.network=test" + - "--providers.docker.network=cvat" - "--entryPoints.web.address=:80" - "--entryPoints.web.http.redirections.entryPoint.to=websecure" - "--entryPoints.web.http.redirections.entryPoint.scheme=https" @@ -29,8 +29,10 @@ services: - "--certificatesResolvers.lets-encrypt.acme.tlsChallenge=true" - "--certificatesResolvers.lets-encrypt.acme.storage=/letsencrypt/acme.json" # Uncomment to get Traefik dashboard - # - "--api.insecure=true" - ports: + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" + ports: + - 80:80 - 443:443 volumes: - cvat_letsencrypt:/letsencrypt diff --git a/docker-compose.yml b/docker-compose.yml index e06491b67396..326f38d08b21 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -70,14 +70,18 @@ services: container_name: traefik command: - "--providers.docker.exposedByDefault=false" - - "--providers.docker.network=test" - - "--entryPoints.web.address=:80" - # Uncomment to get Traefik dashboard - # - "--api.insecure=true" + - "--providers.docker.network=cvat" + - "--entryPoints.web.address=:8080" + # Uncomment to get Traefik dashboard + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" + # labels: + # - traefik.enable=true + # - traefik.http.routers.dashboard.entrypoints=dashboard + # - traefik.http.routers.dashbaord.service=api@internal ports: - - 80:80 - # Uncomment to get Traefik dashboard - # - 8080:8080 + - 8080:8080 + - 8090:8090 volumes: - /var/run/docker.sock:/var/run/docker.sock:ro networks: diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index 357077120ee1..d361cedd3078 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md @@ -291,12 +291,13 @@ You can enable the Traefik dashboard by uncommenting the following lines from `d ``` services: traefik: - command: - # Uncomment to get Traefik dashboard - # - "--api.insecure=true" - ports: - # Uncomment to get Traefik dashboard - # - 8080:8080 + # Uncomment to get Traefik dashboard + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" + # labels: + # - traefik.enable=true + # - traefik.http.routers.dashboard.entrypoints=dashboard + # - traefik.http.routers.dashbaord.service=api@internal ``` and if you are using `docker-compose.https.yml`, also uncomment this line 
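Review bot: `8090:8090` is published on all interfaces unconditionally while the dashboard entrypoint it is meant for stays commented out, and when the commented `labels` are enabled the `dashboard` router serves `api@internal` with no authentication middleware and, on this plain-HTTP entrypoint, no TLS. Keep the port line commented together with the dashboard lines (or bind it to loopback, `- 127.0.0.1:8090:8090`), and pair the router with an auth middleware, e.g. `- traefik.http.routers.dashboard.middlewares=dashboard-auth` and `- traefik.http.middlewares.dashboard-auth.basicauth.users=<htpasswd-hash-placeholder>`. The same gap is in the `docker-compose.https.yml` hunk of this patch and in the patch 11 rework of these labels; the installation.md text already says the dashboard is not for production, so the compose file should not make an unauthenticated exposure a one-line uncomment.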
@@ -305,7 +306,8 @@ services: traefik: command: # Uncomment to get Traefik dashboard - # - "--api.insecure=true" + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" ``` Note that this "insecure" dashboard is not recommended in production (and if your instance is publicly available); if you want to keep the dashboard in production you should read Traefik's [documentation](https://doc.traefik.io/traefik/operations/dashboard/) on how to properly secure it. @@ -418,3 +420,5 @@ Then, use the `docker-compose.https.yml` file to override the base `docker-compo ``` docker-compose -f docker-compose.yml -f docker-compose.https.yml up -d ``` + +Then, the CVAT instance will be available at your domain on ports 443 (HTTPS) and 80 (HTTP, redirects to 443). \ No newline at end of file From 3916f9a6c859be515fd5d34c960c0f03d1e0bc58 Mon Sep 17 00:00:00 2001 From: Tadej Date: Tue, 13 Jul 2021 20:19:25 +0300 Subject: [PATCH 09/17] Fix spelling in documentation --- site/content/en/docs/administration/basics/installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index d361cedd3078..a9650fafd985 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md @@ -300,7 +300,7 @@ services: # - traefik.http.routers.dashbaord.service=api@internal ``` -and if you are using `docker-compose.https.yml`, also uncomment this line +and if you are using `docker-compose.https.yml`, also uncomment these lines ``` services: traefik: From 5c01c6728478d2b13245e7b30bbc15e82212dc48 Mon Sep 17 00:00:00 2001 From: Tadej Date: Wed, 14 Jul 2021 10:00:43 +0300 Subject: [PATCH 10/17] Fix port indentaion in docker-compose file --- docker-compose.https.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docker-compose.https.yml b/docker-compose.https.yml index cabc0842a77a..efdcf69290a1 100644 --- a/docker-compose.https.yml +++ b/docker-compose.https.yml @@ -31,7 +31,7 @@ services: # Uncomment to get Traefik dashboard # - "--entryPoints.dashboard.address=:8090" # - "--api.dashboard=true" - ports: + ports: - 80:80 - 443:443 volumes: From b5c6f183e31eaa490a8289647eb9446be7a8cf96 Mon Sep 17 00:00:00 2001 From: Tadej Date: Wed, 14 Jul 2021 10:09:13 +0300 Subject: [PATCH 11/17] Fix Traefik dashboard config --- docker-compose.yml | 11 ++++++----- .../en/docs/administration/basics/installation.md | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/docker-compose.yml b/docker-compose.yml index 326f38d08b21..2ae57d99168b 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -73,12 +73,13 @@ services: - "--providers.docker.network=cvat" - "--entryPoints.web.address=:8080" # Uncomment to get Traefik dashboard - # - "--entryPoints.dashboard.address=:8090" - # - "--api.dashboard=true" + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" # labels: - # - traefik.enable=true - # - traefik.http.routers.dashboard.entrypoints=dashboard - # - traefik.http.routers.dashbaord.service=api@internal + # - traefik.enable=true + # - traefik.http.routers.dashboard.entrypoints=dashboard + # - traefik.http.routers.dashboard.service=api@internal + # - traefik.http.routers.dashboard.rule=Host(`${CVAT_HOST:-localhost}`) ports: - 8080:8080 - 8090:8090 diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index a9650fafd985..0004f86122ac 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md 
@@ -292,12 +292,13 @@ You can enable the Traefik dashboard by uncommenting the following lines from `d services: traefik: # Uncomment to get Traefik dashboard - # - "--entryPoints.dashboard.address=:8090" - # - "--api.dashboard=true" + # - "--entryPoints.dashboard.address=:8090" + # - "--api.dashboard=true" # labels: - # - traefik.enable=true - # - traefik.http.routers.dashboard.entrypoints=dashboard - # - traefik.http.routers.dashbaord.service=api@internal + # - traefik.enable=true + # - traefik.http.routers.dashboard.entrypoints=dashboard + # - traefik.http.routers.dashboard.service=api@internal + # - traefik.http.routers.dashboard.rule=Host(`${CVAT_HOST:-localhost}`) ``` and if you are using `docker-compose.https.yml`, also uncomment these lines From 4715a39fa12bc7225336fd80ac2320546834885b Mon Sep 17 00:00:00 2001 From: Tadej Date: Wed, 14 Jul 2021 10:28:08 +0300 Subject: [PATCH 12/17] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1af1255db815..1dbf824fd0d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update of COCO format documentation () - Updated Webpack Dev Server config to add proxxy () - Update to Django 3.1.12 () +- Changed Nginx proxy to Traefik in `docker-compose.yml` (https://github.com/openvinotoolkit/cvat/pull/3409) +- Simplify the process of deploying CVAT with HTTPS (https://github.com/openvinotoolkit/cvat/pull/3409) ### Deprecated From b7a8053afb2d6bea2475d3869c16108e61ec8c85 Mon Sep 17 00:00:00 2001 From: Tadej Date: Wed, 14 Jul 2021 17:35:46 +0300 Subject: [PATCH 13/17] Adapt serverless dockerfile --- components/serverless/docker-compose.serverless.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/components/serverless/docker-compose.serverless.yml b/components/serverless/docker-compose.serverless.yml index 8938d5c53207..13f9713221b6 100644 
--- a/components/serverless/docker-compose.serverless.yml +++ b/components/serverless/docker-compose.serverless.yml @@ -1,13 +1,11 @@ version: '3.3' services: - serverless: + nuclio: container_name: nuclio image: quay.io/nuclio/dashboard:1.5.16-amd64 restart: always networks: - default: - aliases: - - nuclio + - cvat volumes: - /tmp:/tmp - /var/run/docker.sock:/var/run/docker.sock From 37abdef60e60d12466776c5e696eb6ae9f8be8a5 Mon Sep 17 00:00:00 2001 From: Tadej Date: Fri, 23 Jul 2021 21:16:28 +0200 Subject: [PATCH 14/17] Update analytics dockerfile --- .../analytics/docker-compose.analytics.yml | 22 +++++++------------ 1 file changed, 8 insertions(+), 14 deletions(-) diff --git a/components/analytics/docker-compose.analytics.yml b/components/analytics/docker-compose.analytics.yml index 23e8720d2a37..6b91ee249f6f 100644 --- a/components/analytics/docker-compose.analytics.yml +++ b/components/analytics/docker-compose.analytics.yml @@ -1,12 +1,10 @@ version: '3.3' services: - cvat_elasticsearch: + elasticsearch: container_name: cvat_elasticsearch image: cvat_elasticsearch networks: - default: - aliases: - - elasticsearch + - cvat build: context: ./components/analytics/elasticsearch args: @@ -15,18 +13,16 @@ services: - cvat_events:/usr/share/elasticsearch/data restart: always - cvat_kibana: + kibana: container_name: cvat_kibana image: cvat_kibana networks: - default: - aliases: - - kibana + - cvat build: context: ./components/analytics/kibana args: ELK_VERSION: 6.4.0 - depends_on: ['cvat_elasticsearch'] + depends_on: ['elasticsearch'] restart: always cvat_kibana_setup: @@ -56,13 +52,11 @@ services: environment: no_proxy: elasticsearch,kibana,${no_proxy} - cvat_logstash: + logstash: container_name: cvat_logstash image: cvat_logstash networks: - default: - aliases: - - logstash + - cvat build: context: ./components/analytics/logstash args: 
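Review bot: The new `networks: - cvat` entry references a network this hunk does not declare; compose rejects a service that refers to an undefined network, so this file now only works as an override on top of a base file that declares `cvat` (presumably docker-compose.yml, whose top-level `networks:` block is not visible here). A comment above the key would make that dependency explicit, e.g. `# joins the 'cvat' network declared in docker-compose.yml; this file is not standalone`. Dropping the `default` network also means the container is reachable only from services on `cvat`, which is fine as long as every consumer of the `nuclio` name was migrated as well. The `nuclio` service definition may continue past the hunk's last line.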
@@ -73,7 +67,7 @@ services: LOGSTASH_OUTPUT_HOST: elasticsearch:9200 LOGSTASH_OUTPUT_USER: LOGSTASH_OUTPUT_PASS: - depends_on: ['cvat_elasticsearch'] + depends_on: ['elasticsearch'] restart: always cvat: From d417b8a17676a2b97d639a7e6858cbf3b6bf0ae2 Mon Sep 17 00:00:00 2001 From: Tadej Date: Sat, 24 Jul 2021 09:09:45 +0200 Subject: [PATCH 15/17] Update analytics docker compose file --- components/analytics/docker-compose.analytics.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/components/analytics/docker-compose.analytics.yml b/components/analytics/docker-compose.analytics.yml index 6b91ee249f6f..58d3874debf7 100644 --- a/components/analytics/docker-compose.analytics.yml +++ b/components/analytics/docker-compose.analytics.yml @@ -31,6 +31,8 @@ services: volumes: ['./components/analytics/kibana:/home/django/kibana:ro'] depends_on: ['cvat'] working_dir: '/home/django' + networks: + - cvat entrypoint: [ 'bash', From 451d26f0606d1ec51e3426ab9c7742e7baf7ad0f Mon Sep 17 00:00:00 2001 From: Tadej Date: Sat, 24 Jul 2021 09:18:08 +0200 Subject: [PATCH 16/17] Fix linting issues --- CHANGELOG.md | 4 ++-- .../basics/AWS-Deployment-Guide.md | 5 +++-- .../docs/administration/basics/installation.md | 16 ++++++++++------ 3 files changed, 15 insertions(+), 10 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5afe8d90b1b5..783ba09cc3f1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -24,8 +24,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update to Django 3.1.12 () - Updated visibility for removable points in AI tools () - Updated UI handling for IOG serverless function () -- Changed Nginx proxy to Traefik in `docker-compose.yml` (https://github.com/openvinotoolkit/cvat/pull/3409) -- Simplify the process of deploying CVAT with HTTPS (https://github.com/openvinotoolkit/cvat/pull/3409) +- Changed Nginx proxy to Traefik in `docker-compose.yml` () +- Simplify the process of deploying CVAT with HTTPS () ### Deprecated 
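Review bot: `cvat_kibana_setup` now joins the `cvat` network, but the context line `depends_on: ['cvat']` just above the added lines still orders it only after `cvat`; its `no_proxy: elasticsearch,kibana,...` environment (visible in the previous patch's hunks) suggests it contacts kibana, in which case `depends_on: ['cvat', 'kibana']` would be needed for start ordering, bearing in mind that `depends_on` does not wait for readiness either way. A comment such as `# must share the 'cvat' network with kibana/elasticsearch like the other services in this file` would prevent the omission this patch repairs from recurring on future additions. The service definition starts before the hunk and its `entrypoint` is cut off at the hunk's end.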
diff --git a/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md b/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md index 549d44647251..12396134a376 100644 --- a/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md +++ b/site/content/en/docs/administration/basics/AWS-Deployment-Guide.md @@ -21,7 +21,8 @@ There are two ways of deploying the CVAT. [installation instructions](/docs/administration/basics/installation/). The additional step is to add a [security group and rule to allow incoming connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html). -For any of above, don't forget to set the `CVAT_HOST` environemnt variable to the exposed AWS public IP address or hostname: +For any of above, don't forget to set the `CVAT_HOST` environemnt variable to the exposed +AWS public IP address or hostname: ``` export CVAT_HOST=your-instance.amazonaws.com @@ -33,4 +34,4 @@ the public IPV4 and hostname changes with every stop and reboot. To address this efficiently, avoid using spot instances that cannot be stopped, since copying the EBS to an AMI and restarting it throws problems. On the other hand, when a regular instance is stopped and restarted, -the new hostname/IPV4 can be used to set the `CVAT_HOST` environment variable. \ No newline at end of file +the new hostname/IPV4 can be used to set the `CVAT_HOST` environment variable. diff --git a/site/content/en/docs/administration/basics/installation.md b/site/content/en/docs/administration/basics/installation.md index 0004f86122ac..792f057a0c93 100644 --- a/site/content/en/docs/administration/basics/installation.md +++ b/site/content/en/docs/administration/basics/installation.md 
@@ -311,7 +311,9 @@ services: # - "--api.dashboard=true" ``` -Note that this "insecure" dashboard is not recommended in production (and if your instance is publicly available); if you want to keep the dashboard in production you should read Traefik's [documentation](https://doc.traefik.io/traefik/operations/dashboard/) on how to properly secure it. +Note that this "insecure" dashboard is not recommended in production (and if your instance is publicly available); +if you want to keep the dashboard in production you should read Traefik's +[documentation](https://doc.traefik.io/traefik/operations/dashboard/) on how to properly secure it. ### Additional components @@ -401,15 +403,17 @@ for details. ### Deploy CVAT on the Scaleway public cloud -Please follow [this tutorial](https://blog.scaleway.com/smart-data-annotation-for-your-computer-vision-projects-cvat-on-scaleway/) +Please follow +[this tutorial](https://blog.scaleway.com/smart-data-annotation-for-your-computer-vision-projects-cvat-on-scaleway/) to install and set up remote access to CVAT on a Scaleway cloud instance with data in a mounted object storage bucket. ### Deploy secure CVAT instance with HTTPS -Using Traefik, you can automatically obtain TLS certificate for your domain from Let's Encrypt, enabling you to use HTTPS protocol to access your website. +Using Traefik, you can automatically obtain TLS certificate for your domain from Let's Encrypt, +enabling you to use HTTPS protocol to access your website. -To enable this, first set the the `CVAT_HOST` (the domain of your website) and `ACME_EMAIL` (contact email for Let's Encrypt) environment -variables: +To enable this, first set the the `CVAT_HOST` (the domain of your website) and `ACME_EMAIL` +(contact email for Let's Encrypt) environment variables: ``` export CVAT_HOST= 
@@ -422,4 +426,4 @@ Then, use the `docker-compose.https.yml` file to override the base `docker-compo docker-compose -f docker-compose.yml -f docker-compose.https.yml up -d ``` -Then, the CVAT instance will be available at your domain on ports 443 (HTTPS) and 80 (HTTP, redirects to 443). \ No newline at end of file +Then, the CVAT instance will be available at your domain on ports 443 (HTTPS) and 80 (HTTP, redirects to 443). From 59e9d83aa867f9a644ca669f00c98f94571792d0 Mon Sep 17 00:00:00 2001 From: Andrey Zhavoronkov Date: Mon, 26 Jul 2021 14:58:50 +0300 Subject: [PATCH 17/17] fixed linter issues --- site/content/en/docs/faq.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/site/content/en/docs/faq.md b/site/content/en/docs/faq.md index 1d461a6412f3..45e8228eb9f6 100644 --- a/site/content/en/docs/faq.md +++ b/site/content/en/docs/faq.md @@ -63,8 +63,8 @@ services: - "--entryPoints.web.address=:" ``` -Note that changing the port does not make sense if you are using HTTPS - port 443 is conventionally used for HTTPS connections, -and is needed for Let's Encrypt [TLS challenge](https://doc.traefik.io/traefik/https/acme/#tlschallenge). +Note that changing the port does not make sense if you are using HTTPS - port 443 is conventionally +used for HTTPS connections, and is needed for Let's Encrypt [TLS challenge](https://doc.traefik.io/traefik/https/acme/#tlschallenge). ## How to configure connected share folder on Windows 
@@ -137,7 +137,8 @@ Uploading of annotation from the Annotation view only affects the current job. ## How to specify multiple hostnames To do this, you will need to edit `traefik.http..cvat.rule` docker label for both the -`cvat` and `cvat_ui` services, like so (see [the documentation](https://doc.traefik.io/traefik/routing/routers/#rule) on Traefik rules for more details): +`cvat` and `cvat_ui` services, like so +(see [the documentation](https://doc.traefik.io/traefik/routing/routers/#rule) on Traefik rules for more details): ```yaml cvat: