Review Compose Stack Files

Nucleus Stack Compose Settings (.env) File
################################################################################
## Required basic configuration
################################################################################

# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !! IMPORTANT - you MUST set EXTERNAL_IP_OR_HOST,
# !! or nothing will work.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# Set this to (preferably) a hostname or an IP address of the server
# that will be used by the users to access it.
#
# The compose file substitutes this value into the URLs and registration
# records it hands to the services (OMNI_LFTADDRESS, SERVICE_LOGIN_URL, the
# "host" of every SERVICE_DEPLOYMENTS entry), so it has to be an address
# that client machines can reach. The FIXME placeholder is not usable as is.

EXTERNAL_IP_OR_HOST=FIXME_host_or_IP_address

# Instance name
# Passed to the containers as OMNI_INSTANCE, OV_INSTANCE and
# OV_INSTANCE_NAME.
INSTANCE_NAME=my_omniverse

################################################################################
## Required secrets and passwords configuration
################################################################################

# !!!!!!!!!!!!!!!!!!!!!!!!!!!
# !! WARNING - DANGER ZONE !!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Your installation will be as secure as the items below are. Please
# secure them accordingly.
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! REVIEW AND UNDERSTAND EVERY VALUE BELOW !!!
# !!! EXPOSURE OF ANY ONE OF THEM CAN LEAD    !!!
# !!! TO YOUR AUTHENTICATION SETUP            !!!
# !!! BEING COMPROMISED                       !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

# NOTE(review): this file holds two passwords in clear text and names the
# key, salt and token files. Keep it and ./secrets readable only by the
# account that runs the stack, and keep both out of version control.

# For illustration and a quick eval in an *insecure* environment,
# a simple shell script generating these values is provided in
# generate-sample-insecure-secrets.sh. Feel free to use it to arrive
# at a quick sample set; but MAKE SURE YOU UNDERSTAND THAT THE SAMPLE
# SET IS INSECURE.

# Master superuser ('omniverse') user's password

# Note: this is the initial setting and you can change this password
#       later.

# If you change this password using the UI, you will NOT be able to
# reset it from here. The only way to recover it would be to
# delete your accounts' db (that will delete ALL accounts),
# located in ${DATA_ROOT}/local-accounts-db/

# NOTE(review): 123456 is a sample value published with this file. Because
# it is the initial setting, choose a strong, unique password before the
# stack is started for the first time.
# The compose file pastes this value into a JSON string (CREDENTIAL_USERS)
# and into the OMNI_MASTER_PASSWORD environment variable: a `"` or `\` in
# the password corrupts that JSON, and the value is readable by anyone who
# can inspect the containers.

MASTER_PASSWORD=123456 

# Password for built-in service accounts for all services
# shipped with this stack.

# Authentication DB will be initialized with this password, and
# all the services will be configured to use it. Our recommendation is
# to configure this once, and not touch it.

# If you desire to change service accounts' password,
# use your Superuser (`omniverse`), change
# service accounts' passwords for **all** `*_service` accounts to be
# the same new password, update the value below, and restart your stack.

# NOTE(review): 123456 is again only a published sample value. One password
# covers tags_service, thumbnails_service and search_service, and the
# compose file creates all three with "admin": true (plus "readonly": true),
# so replace it before first start and treat it like the master password.
# The same JSON restriction on `"` and `\` applies.

SERVICE_PASSWORD=123456

# A Public-Private Keypair to act as a root of trust between
# the Authentication and Core Nucleus services.
#
# Both values are host paths that the compose file bind-mounts: the private
# key into nucleus-auth only, the public key into nucleus-auth and
# nucleus-api. Create the files before the first `up`; with this mount
# syntax Docker creates a directory in place of a missing host path.
# NOTE(review): presumably whoever can read the .pem can issue tokens that
# nucleus-api accepts - restrict its permissions accordingly.

AUTH_ROOT_OF_TRUST_PUB=./secrets/auth_root_of_trust.pub
AUTH_ROOT_OF_TRUST_PRI=./secrets/auth_root_of_trust.pem

# Salt to use when hashing passwords for built-in accounts
# in the auth service
# (Path of the file holding the salt; it is mounted into nucleus-auth.)
# NOTE(review): the hashing scheme is not visible from this file; replacing
# the salt once accounts exist presumably invalidates their stored hashes -
# confirm before rotating it.
PWD_SALT=./secrets/pwd_salt

# This token is used by other services to register with Nucleus Discovery
# service (which is later used to locate those services).
#
# Think of it as a symmetric (shared) root of trust, or just
# as a symmetric key.
#
# Path of the token file. The compose file mounts the same file into
# nucleus-discovery, nucleus-auth, nucleus-search, nucleus-snapshots and
# nucleus-tagging, so every one of those containers holds the shared key.
DISCOVERY_REGISTRATION_TOKEN=./secrets/svc_reg_token

################################################################################
## Advanced / additional options
################################################################################

# Set this variable to where you want Nucleus Data to be.
# Make sure the right kind of disk, and enough disk space, are available.
#
# Besides content and logs, this tree also receives the accounts database
# (${DATA_ROOT}/local-accounts-db), so restrict access to it on the host.
DATA_ROOT=/var/lib/omni/nucleus-data

# NOTE(review): every *_PORT below is the host side of a `ports:` mapping in
# the compose file. Those mappings name no host address, so by default
# Docker publishes each port on all host interfaces; use a host firewall to
# limit which networks can reach them.

# Nucleus API port. All OV Clients assume 3009 by default.
API_PORT=3009

# Large File Transfer Service Port. Can be anything.
LFT_PORT=3030

# Web UI Port
# (Maps to container port 80; no TLS is configured in the compose file.)
WEB_PORT=80

# Discovery Service Port
# DANGER: do not change, or clients won't work!
DISCOVERY_PORT=3333

# Authentication Service Ports
AUTH_PORT=3100
AUTH_LOGIN_FORM_PORT=3180

# Search Service Port
SEARCH_PORT=3400

# Snapshot Service Port
SNAPSHOTS_PORT=3120

# Tagging Service Port
TAGGING_PORT=3020

# Prometheus Metrics
# (Host port for the utl-monpx container's port 8080.)
METRICS_PORT=3010

# Default "internal" network for containers.
# Modify this if it conflicts with your environment.
# (Used as the subnet of the compose file's `default` network.)
CONTAINER_SUBNET=192.168.2.0/26

# Registry root URL
# Prefix of every ${REGISTRY}/... image in the compose file. The squid and
# logrotate images there are named without it and are not affected.
REGISTRY=nvcr.io/omniverse/public
Nucleus Stack Compose File
################################################################################
################################################################################
################################################################################
#
# This Compose file will bring up the Omniverse Nucleus stack, consisting of:
#
# * API Service
# * LFT (Large File Transfer) Service
# * Web UI
# * Discovery Service
# * Authentication Service 
# * Thumbnail Service
# * Snapshot Service
# * Search (former Indexing) Service
# * Tagging Service
# * Some additional utility sidecars
#
# Services listening on a socket will bind to 
# ports configured in *_PORT variables in 
# nucleus-stack.env file.
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
# It is of utmost importance to configure your nucleus-stack.env.
# Review it in FULL and configure its values as desired. The default
# nucleus-stack.env will not render an operational deployment.
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 

# Compose file format version. Recent Docker Compose releases treat the
# top-level `version` key as informational only.
version: "3.7"

services: 

  ############################
  # Main (Core) Nucleus Stack
  ############################

  # API service of the core Nucleus stack.
  nucleus-api:
    image: ${REGISTRY}/nucleus-api:109.9
    restart: always
    ports:
      # Host ${API_PORT} -> container 3009. No host address is named, so by
      # default Docker publishes the port on every host interface.
      - '${API_PORT}:3009'
    environment:
      OMNI_INSTANCE: ${INSTANCE_NAME}
      OMNI_CONTENT_RAM_SZ: 6
      # Externally reachable LFT address; plain http as written.
      OMNI_LFTADDRESS: http://${EXTERNAL_IP_OR_HOST}:${LFT_PORT}
      OMNI_LFTTHRESHOLD: 262144

      OMNI_LAUNCHER_PROMETHEUS_PORT: 9500
      OMNI_METRICS_PREFIX: test_omni_api

      # NOTE(review): the master password reaches the container as an
      # environment variable, so it appears in `docker inspect` output for
      # anyone with access to the Docker daemon. The key below is handed
      # over as a mounted file instead; only its path is in the environment.
      OMNI_MASTER_PASSWORD: ${MASTER_PASSWORD}
      OMNI_AUTH_JWT_PUBKEY: /omni/secrets/jwt_pubkey.pub
      # Compose-internal address of the nucleus-resolver-cache service.
      OMNI_S3_RESOLVER_CACHE: http://nucleus-resolver-cache:3128
    volumes:
      - ${DATA_ROOT}/log/api:/omni/log
      - ${DATA_ROOT}/data:/omni/data

      # Secrets: public half of the auth root-of-trust key pair.
      # NOTE(review): the mount is read-write; appending `:ro` would stop
      # the container from altering the host copy - confirm the image only
      # reads the file.
      - ${AUTH_ROOT_OF_TRUST_PUB}:/omni/secrets/jwt_pubkey.pub
           
  # Large File Transfer (LFT) service.
  nucleus-lft:
    image: ${REGISTRY}/nucleus-lft:109.9
    restart: always
    ports:
      # Host ${LFT_PORT} -> container 3030; published on every host
      # interface by default. nucleus-api advertises this port in an
      # http:// URL (OMNI_LFTADDRESS).
      - '${LFT_PORT}:3030'
    volumes:
      - ${DATA_ROOT}/log/lft:/omni/log
      # Same host directory that nucleus-api and utl-monpx mount at
      # /omni/data.
      - ${DATA_ROOT}/data:/omni/data

  # Log processor; it is given the whole ${DATA_ROOT}/log tree.
  nucleus-log-processor:
    image: ${REGISTRY}/nucleus-log-processor:109.9
    restart: always
    environment:
      OV_INSTANCE: ${INSTANCE_NAME}
      OV_PROCESS_LFT_LOGS: 1
    volumes:
      # Parent of the per-service log directories mounted elsewhere in this
      # file, so this container can read all of them.
      - ${DATA_ROOT}/log:/omni/log
      # NOTE(review): the host's /proc is bind-mounted over the container's
      # own, read-write, which exposes host process information to this
      # container. Confirm that the image needs it and whether
      # `/proc:/proc:ro` is sufficient.
      - /proc:/proc

  # Squid cache that nucleus-api is pointed at through
  # OMNI_S3_RESOLVER_CACHE (http://nucleus-resolver-cache:3128). There is no
  # `ports:` entry, so it is not published on the host.
  # NOTE(review): this image is named without ${REGISTRY} and pinned by tag
  # only. A tag can be re-pointed by the publisher; pinning by digest
  # (ctbackend/squid@sha256:<digest - placeholder>) fixes the content pulled.
  nucleus-resolver-cache:
    image: ctbackend/squid:2.7
    restart: always
    volumes:
      # Cache contents.
      - ${DATA_ROOT}/resolver-cache:/squid/data
      # Logs; rotated by the resolver-cache-logrotate sidecar.
      - ${DATA_ROOT}/log/resolver-cache:/squid/logs

  # Log rotation sidecar for the resolver cache's log directory.
  # NOTE(review): like the squid image, this one is named without
  # ${REGISTRY} and pinned by tag rather than by digest.
  resolver-cache-logrotate:
    image: graffic/logrotate:1.4
    restart: always
    environment:
      LOGROTATE_PATTERN: '/omni/log/*.log'
      # Passed through as logrotate directives: rotate at 100M, compress.
      LOGROTATE_OPTIONS: |-
        size 100M
        compress
    volumes:
      - ${DATA_ROOT}/log/resolver-cache:/omni/log

  # Metrics sidecar: configured with the /metrics URLs of nucleus-api and
  # nucleus-log-processor and published on METRICS_PORT.
  utl-monpx:
    image: ${REGISTRY}/utl-monpx:109.9
    restart: always
    ports:
      # NOTE(review): host ${METRICS_PORT} -> container 8080, on every host
      # interface by default. Nothing in this file shows whether the
      # endpoint requires authentication - limit who can reach it.
      - '${METRICS_PORT}:8080'
    environment:
      # Semicolon-separated list; all three targets are compose-internal
      # service names.
      OV_MONPX_SCRAPE_URLS: http://nucleus-api:9500/metrics;http://nucleus-api:3010/metrics;http://nucleus-log-processor:9500/metrics
      OV_DS_BLACKLIST_PATH: /omni/data/PathBlackList.json
    volumes:
      # Shared with nucleus-api and nucleus-lft.
      - ${DATA_ROOT}/data:/omni/data

  #####################
  # Discovery Service 
  #####################

  # Discovery service: the other services register with it using the shared
  # registration token.
  nucleus-discovery:
    image: ${REGISTRY}/nucleus-discovery:1.0.5
    restart: always
    tty: true
    ports:
      # Host ${DISCOVERY_PORT} -> container 3333.
      - '${DISCOVERY_PORT}:3333'
    environment:
      # Path of the mounted token file, not the token itself, so the token
      # stays out of the container's environment.
      SERVICE_TOKEN: /service/secrets/SERVICE_TOKEN
    volumes:
      # Secrets: the registration token file named in the .env file.
      # NOTE(review): mounted read-write; `:ro` would prevent the container
      # from changing the host copy - confirm the image only reads it.
      - ${DISCOVERY_REGISTRATION_TOKEN}:/service/secrets/SERVICE_TOKEN

  #########################
  # Authentication Service
  #########################

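  # Authentication service. Publishes the auth endpoint (container port
  # 3100) and the login form (container port 3180), and is seeded with the
  # built-in accounts listed in CREDENTIAL_USERS.
  nucleus-auth:
    image: ${REGISTRY}/nucleus-auth:1.0.2
    restart: always
    tty: true
    ports:
      - '${AUTH_PORT}:3100'
      - '${AUTH_LOGIN_FORM_PORT}:3180'
    environment:
      # Built from AUTH_LOGIN_FORM_PORT, the host port published above, so
      # the advertised login URL keeps working when that port is changed in
      # the .env file (a literal 3180 would not).
      # NOTE(review): plain http as written; credentials entered in the
      # login form presumably cross the network unencrypted unless TLS is
      # terminated in front of this port.
      SERVICE_LOGIN_URL: http://${EXTERNAL_IP_OR_HOST}:${AUTH_LOGIN_FORM_PORT}
      SERVICE_DISCOVERY_HOST: ${EXTERNAL_IP_OR_HOST}
      SERVICE_DISCOVERY_PORT: ${DISCOVERY_PORT}
      # NOTE(review): units are not stated here; 360 and 10080 would be
      # 6 hours and 7 days if these are minutes - confirm.
      SERVICE_ACCESS_TOKEN_DURATION: 360
      SERVICE_REFRESH_TOKEN_DURATION: 10080
      # Paths of the files mounted under `volumes:`; the key material itself
      # is not placed in the environment.
      SERVICE_PRIVATE_KEY: /service/secrets/SERVICE_PRIVATE_KEY
      SERVICE_PUBLIC_KEY: /service/secrets/SERVICE_PUBLIC_KEY
      SERVICE_SALT: /service/secrets/SERVICE_SALT
      SERVICE_DISCOVERY_TOKEN: /service/secrets/SERVICE_DISCOVERY_TOKEN
      # NOTE(review): debug-level logging on the authentication service.
      # Check what it records about logins and tokens, and lower the level
      # once the deployment is verified (accepted level names are not shown
      # in this file).
      SERVICE_LOG_LEVEL: DEBUG
      USE_MICROSOFT_SSO: 0
      CREDENTIAL_AUTO_REGISTER: "False"
      CREDENTIAL_UI_VISIBLE: "True"
      # Registration record: host/port under which this service is
      # advertised (transport type "sows").
      SERVICE_DEPLOYMENTS: |
        reg:
          - name: external
            transport:
              type: sows
              params:
                host: ${EXTERNAL_IP_OR_HOST}
                port: ${AUTH_PORT}
      # Seed accounts, as JSON. MASTER_PASSWORD and SERVICE_PASSWORD are
      # substituted into the JSON strings as plain text, so a `"` or `\` in
      # either password produces invalid or altered JSON.
      # NOTE(review): unlike the keys, salt and token, both passwords end up
      # in this container's environment and are visible through
      # `docker inspect`. The three service accounts share one password and
      # are created with "admin": true alongside "readonly": true.
      CREDENTIAL_USERS: |
        [
          {
            "username": "omniverse",
            "password": "${MASTER_PASSWORD}",
            "profile": { "admin": true }
          },
          {
            "username": "tags_service",
            "password": "${SERVICE_PASSWORD}",
            "profile": { "admin": true, "readonly": true }
          },
          {
            "username": "thumbnails_service",
            "password": "${SERVICE_PASSWORD}",
            "profile": { "admin": true, "readonly": true }
          },
          {
            "username": "search_service",
            "password": "${SERVICE_PASSWORD}",
            "profile": { "admin": true, "readonly": true }
          }
        ]
    volumes:
      # Accounts database (the .env file refers to it as
      # ${DATA_ROOT}/local-accounts-db/).
      - ${DATA_ROOT}/local-accounts-db:/service/data

      # Secrets. This is the only service that receives the private key.
      # NOTE(review): all four files are mounted read-write; `:ro` would
      # keep the container from altering the host copies - confirm the
      # image only reads them.
      - ${AUTH_ROOT_OF_TRUST_PRI}:/service/secrets/SERVICE_PRIVATE_KEY
      - ${AUTH_ROOT_OF_TRUST_PUB}:/service/secrets/SERVICE_PUBLIC_KEY
      - ${PWD_SALT}:/service/secrets/SERVICE_SALT
      - ${DISCOVERY_REGISTRATION_TOKEN}:/service/secrets/SERVICE_DISCOVERY_TOKEN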

  #####################
  # Web
  #####################
 
  # Web UI. Receives no secrets or volumes; configured through feature
  # flags only.
  nucleus-web-ui:
    image: ${REGISTRY}/nucleus-web-ui:2.2.8
    restart: always
    tty: true
    ports:
      # Host ${WEB_PORT} -> container 80. NOTE(review): no TLS is configured
      # in this file; put a TLS-terminating proxy in front if the UI is
      # reached across an untrusted network.
      - '${WEB_PORT}:80'
    environment:
      OV_DEFAULT_SERVER: ${EXTERNAL_IP_OR_HOST}
      OV_DEBUG: "False"
      # The flags are quoted so they reach the container as the strings
      # "True" / "False".
      USE_PASSWORDS: "True"
      SUPPORTS_SNAPSHOTS: "True"
      SUPPORTS_SEARCH: "True"
      SUPPORTS_TOOL_MANAGEMENT: "False"
      SUPPORTS_USER_MANAGEMENT: "True"
      SUPPORTS_ASSET_CONVERTER: "False"
      SUPPORTS_MOUNTS: "True"
      SUPPORTS_TAGS: "True"

  #####################
  # Additional Services
  #####################

  # Search service. Logs in to the API as the built-in search_service
  # account.
  nucleus-search:
    image: ${REGISTRY}/nucleus-search:2.0.3
    restart: always
    tty: true
    ports:
      # Host ${SEARCH_PORT} -> container 3400 (SERVICE_PORT below).
      - '${SEARCH_PORT}:3400'
    environment:
      # The backend is addressed through the externally published host and
      # API port, not through the compose service name.
      SERVICE_BACKEND_HOST: ${EXTERNAL_IP_OR_HOST}
      SERVICE_BACKEND_PORT: ${API_PORT}
      SERVICE_BACKEND_USER: search_service
      # NOTE(review): the shared service password is passed as an
      # environment variable and is visible through `docker inspect`.
      SERVICE_BACKEND_PASSWORD: ${SERVICE_PASSWORD}
      # Listen on all interfaces inside the container.
      SERVICE_HOST: 0.0.0.0
      SERVICE_PORT: 3400
      # Path of the mounted token file, not the token itself.
      SERVICE_DISCOVERY_TOKEN: /service/secrets/SERVICE_DISCOVERY_TOKEN
      # Registration record: host/port under which this service is
      # advertised.
      SERVICE_DEPLOYMENTS: |
        reg:
          - name: external
            transport:
              type: sows
              params:
                host: ${EXTERNAL_IP_OR_HOST}
                port: ${SEARCH_PORT}
      # Workaround (WAR); the original note says a fix is expected in an
      # upcoming version.
      SERVICE_DEPLOYMENTS_FILE: search/configs/deployments.default.yaml
    volumes:
      # Secrets: discovery registration token.
      - ${DISCOVERY_REGISTRATION_TOKEN}:/service/secrets/SERVICE_DISCOVERY_TOKEN

  # Snapshot service. Unlike search, thumbnails and tagging, it is given no
  # account password - only the discovery token.
  nucleus-snapshots:
    image: ${REGISTRY}/nucleus-snapshots:2.0.3
    restart: always
    tty: true
    ports:
      # Host ${SNAPSHOTS_PORT} -> container 3120.
      - '${SNAPSHOTS_PORT}:3120'
    environment:
      SERVICE_BACKEND_HOST: ${EXTERNAL_IP_OR_HOST}
      # Path of the mounted token file, not the token itself.
      SERVICE_DISCOVERY_TOKEN: /service/secrets/SERVICE_DISCOVERY_TOKEN
      # Registration record: host/port under which this service is
      # advertised.
      SERVICE_DEPLOYMENTS: |
        reg:
          - name: external
            transport:
              type: sows
              params:
                host: ${EXTERNAL_IP_OR_HOST}
                port: ${SNAPSHOTS_PORT}
    volumes:
      # Secrets: discovery registration token.
      - ${DISCOVERY_REGISTRATION_TOKEN}:/service/secrets/SERVICE_DISCOVERY_TOKEN

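  # Thumbnail service. Logs in as the built-in thumbnails_service account;
  # no `ports:` entry, so nothing is published on the host.
  nucleus-thumbnails:
    image: ${REGISTRY}/nucleus-thumbnails:1.3.0
    restart: always
    environment:
      # Quoted so that every YAML loader reads the string "Y"; YAML 1.1
      # counts a bare Y among its boolean spellings.
      ACCEPT_EULA: 'Y'
      OV_SERVER: ${EXTERNAL_IP_OR_HOST}
      OV_USERNAME: thumbnails_service
      # NOTE(review): the shared service password is passed as an
      # environment variable and is visible through `docker inspect`.
      OV_PASSWORD: ${SERVICE_PASSWORD}
      OV_MEMORY_RESERVE: 256
      OV_MEMORY_LIMIT: 4096
      OV_CPU_RESERVE: 0.25
      OV_CPU_LIMIT: 1
      OV_STACK_PROMETHEUS_PORT: 2001
      # Listen on all interfaces inside the container.
      OV_SERVICE_BIND_HOST: 0.0.0.0
      # Left without a value on purpose: Compose then takes OV_HOST_NAME
      # from the environment `docker-compose` itself runs in, if it is set
      # there.
      OV_HOST_NAME:
      OV_INSTANCE_NAME: ${INSTANCE_NAME}
      OV_LOGFILE: /omni/log/create_thumbnails.log
    volumes:
      - ${DATA_ROOT}/log/thumbnails:/omni/log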

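  # Tagging service. Logs in as the built-in tags_service account and
  # registers with discovery using the mounted token file.
  nucleus-tagging:
    image: ${REGISTRY}/nucleus-tagging:2.0.7
    restart: always
    ports:
      # Host ${TAGGING_PORT} -> container 3020 (OV_SERVICE_BIND_PORT below).
      - '${TAGGING_PORT}:3020'
    environment:
      # Quoted so that every YAML loader reads the string "Y"; YAML 1.1
      # counts a bare Y among its boolean spellings.
      ACCEPT_EULA: 'Y'
      OV_SERVER: ${EXTERNAL_IP_OR_HOST}
      # Listen on all interfaces inside the container.
      OV_SERVICE_BIND_HOST: 0.0.0.0
      OV_SERVICE_BIND_PORT: 3020
      OV_STACK_SERVICE_PORT: 3020

      OV_USERNAME: tags_service
      # NOTE(review): the shared service password is passed as an
      # environment variable and is visible through `docker inspect`.
      OV_PASSWORD: ${SERVICE_PASSWORD}
      # NOTE(review): this points at /omni/temp, while the volume list
      # mounts ${DATA_ROOT}/tmp/tagging at /omni/tmp. If the two were meant
      # to be the same directory, SQLite temp files land in the container's
      # own filesystem instead of on the volume - confirm against the image.
      SQLITE_TMPDIR: /omni/temp

      OV_MEMORY_RESERVE: 256
      OV_MEMORY_LIMIT: 2048
      OV_CPU_RESERVE: 0.25
      OV_CPU_LIMIT: 2
      OV_REGENERATE_DB: 0

      OV_UPDATE_TAG_FORMAT_1_0: 0
      OV_STACK_PROMETHEUS_PORT: 2000

      OV_INSTANCE_NAME: ${INSTANCE_NAME}
      OV_LOGFILE: /omni/log/tagging_service.log
      # Path of the mounted token file, not the token itself.
      OV_SERVICE_DISCOVERY_TOKEN_FILE: /omni/keys/discovery_token
      # Registration record: host/port under which this service is
      # advertised.
      OV_SERVICE_DEPLOYMENTS: |
        reg:
          - name: external
            transport:
              type: sows
              params:
                host: ${EXTERNAL_IP_OR_HOST}
                port: ${TAGGING_PORT}
    volumes:
      - ${DATA_ROOT}/tags-db:/omni/data
      - ${DATA_ROOT}/log/tagging:/omni/log
      - ${DATA_ROOT}/tmp/tagging:/omni/tmp
      # Secrets: discovery registration token.
      - ${DISCOVERY_REGISTRATION_TOKEN}:/omni/keys/discovery_token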

  # Log rotation sidecar for the tagging service's log directory.
  # NOTE(review): the image is named without ${REGISTRY} and pinned by tag
  # rather than by digest.
  tagging-logrotate:
    image: graffic/logrotate:1.4
    restart: always
    volumes:
      # Same host directory that nucleus-tagging mounts at /omni/log.
      - ${DATA_ROOT}/log/tagging:/omni/log
    environment:
      LOGROTATE_PATTERN: '/omni/log/*.log'
      # Passed through as logrotate directives: rotate at 100M, compress.
      LOGROTATE_OPTIONS: |-
        size 100M
        compress

# Default network that all services above join; its subnet is taken from
# CONTAINER_SUBNET in the .env file.
networks:
  default:
    ipam:
      config:
        - subnet: '${CONTAINER_SUBNET}'