Skip to content

Commit 7c821e9

Browse files
authored
Product guide updates including added section outlining volume mount … (#16)
* Product guide updates including added section outlining volume mount usage as a debug tool, updates related to podman transition, and removal of the nginx container. Revision history list has also been updated. * Fixed cleanup command * Addressed comments and a few other identified tweaks.
1 parent 0c206cb commit 7c821e9

3 files changed

Lines changed: 136 additions & 28 deletions

File tree

product-guide/docinfo.xml.in

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
</orgname>
77
</author>
88
<copyright>
9-
<year>2023-2024</year>
9+
<year>2023-2025</year>
1010
<holder>The Johns Hopkins University Applied Physics Laboratory LLC</holder>
1111
</copyright>
1212
<legalnotice>
@@ -46,4 +46,11 @@ subcontract 1658085.
4646
Updates for ANMS v1.1.0
4747
</revdescription>
4848
</revision>
49+
<revision>
50+
<revnumber>B</revnumber>
51+
<date>31 July 2025</date>
52+
<revdescription>
53+
Updates for ANMS v2.0
54+
</revdescription>
55+
</revision>
4956
</revhistory>

product-guide/manual.adoc

Lines changed: 120 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -118,7 +118,7 @@ The network protocol used for inter-container communication and for BP convergen
118118
|DOC-005446
119119

120120
|ANMS User Guide[[anms-user-guide,ANMS User Guide]]
121-
|DOC-005443 rev A
121+
|DOC-005443 rev B
122122

123123
|===
124124

@@ -134,8 +134,8 @@ The network protocol used for inter-container communication and for BP convergen
134134
|Installing Bolt[[puppet-bolt]]
135135
|https://www.puppet.com/docs/bolt/latest/bolt_installing.html#install-bolt-on-rhel[puppet-bolt]
136136

137-
|Using SELinux[[rhel8-selinux]]
138-
|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/pdf/using_selinux/red_hat_enterprise_linux-8-using_selinux-en-us.pdf[rhel8-selinux]
137+
|Using SELinux[[rhel9-selinux]]
138+
|https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/pdf/using_selinux/red_hat_enterprise_linux-9-using_selinux-en-us.pdf[rhel9-selinux]
139139

140140
|ANMS Source[[anms-source]]
141141
|https://github.com/NASA-AMMOS/anms[anms-source]
@@ -155,7 +155,7 @@ Although some of the subsystems have a preferred start-up order (to ensure initi
155155

156156
=== ANMS Components
157157

158-
The subsystems of the ANMS (all containers) are illustrated as gray blocks within the "ANMS Instance" group in the diagram of <<fig-anms-components-protocol>>.
158+
The subsystems (containers) of the ANMS are illustrated as gray blocks within the "ANMS Instance" group in the diagram of <<fig-anms-components-protocol>>.
159159
The entire ANMS instance is made to be run on a single host, with future plans to allow installing in a more distributed environment.
160160
Currently the ANMS provides security at the boundary of the instance but not between comtainers (see <<sec-security>> for details), which would be required for a distributed installation.
161161

@@ -197,6 +197,10 @@ Specific procedures for performing an installation using a local Puppet apply ar
197197
Conditions for installing the ANMS are a host with packages identified in <<target-host-packages>>, at least 7{nbsp}GiB of filesystem space for container image storage, and additional space for long-term data warehouse storage.
198198
The total amount of storage needed depends on the mission use of reports, specifically the average size and rate of reported data.
199199

200+
NOTE: Usage of podman is recommended. Docker should continue to function as a drop-in replacement, however only podman deployments will be directly supported by the ANMS team.
201+
202+
NOTE: It is recommended to use docker-compose (which is fully compatible with podman). docker-compose is a distinct package from Docker, while podman-compose is a fully compatible alternative. Older versions of compose were called directly (ie: `docker-compose`), while current versions are invoked as a subcommand (ie: `docker compose` or `podman compose`).
203+
200204
[#target-host-packages]
201205
.Target host packages
202206
[%header,width=75%,cols=2*]
@@ -205,10 +209,10 @@ The total amount of storage needed depends on the mission use of reports, specif
205209
|Version Minimum
206210

207211
|podman
208-
|5.2
212+
|5.2+
209213

210-
|podman-compose
211-
|1.0
214+
|docker-compose (preferred) OR podman-compose.
215+
|2.29+ OR 5.3+
212216

213217
|systemd
214218
|252
@@ -228,8 +232,9 @@ In any case, deployment and configuration of CAM itself is outside the scope of
228232
[#sec-deployment-camemu]
229233
==== Using a CAM Gateway Emulator
230234

231-
To allow the ANMS to be tested in environments where a CAM Server is unavailable or too burdensome to set up, the ANMS can be built with an emulator of the CAM Gateway which uses static accounts, credentials, and access controls.
232-
The environment `AUTHNZ_EMU=demo` during a build (see <<sec-proc-build>>) enables the CAM Gateway emulator behavior.
235+
To allow the ANMS to be tested in environments where a CAM Server is unavailable or too burdensome to set up, the ANMS can be built with an emulator of the CAM Gateway which uses static accounts, credentials, and access controls. This is now known as the "demo" configuration.
236+
237+
Auth mode is determined by the environment variable `AUTHNZ_EMU` during build (see <<sec-proc-build>>). Set `AUTHNZ_EMU=cam-gateway` to utilize the CAM Server, or `AUTHNZ_EMU=demo` to utilize the CAM Gateway emulation (a basic authentication demo configuration).
233238

234239
CAUTION: The CAM Gateway emulator is for demonstration only and must not be present in a production installation.
235240

@@ -254,6 +259,7 @@ The CAM Gateway reverse proxy for authentication, authorization, and auditing \(
254259
This container uses the external `ammos-tls` volume for TLS configuration (see <<sec-proc-install-tls>>).
255260
This provides HTTP routing access is to `anms-ui`, `anms-core`, and `grafana` containers.
256261
Exposes TCP port 443 for HTTPS and 80 for HTTP, both mapped to the same host port numbers.
262+
This container can be remapped to use the cam-gateway or demo (basic http auth) configuration.
257263
`anms-core`::
258264
The ANMS backend REST services.
259265
Exposes TCP port 5555 for HTTP.
@@ -295,7 +301,7 @@ An intermediate service to bookkeep transcoding requests from the ANMS to the AR
295301
[#sec-host-files]
296302
=== Filesystem
297303

298-
Because the ANMS is deployed as a Podman Compose configuration, the only primary files present on the host are to configure a compose project, its use as a system service, and the system firewall.
304+
Because the ANMS is deployed as a Compose configuration, the only primary files present on the host are to configure the containerized project, its use as a system service, and the system firewall.
299305

300306
The principal directories and files used by ANMS are:
301307

@@ -458,6 +464,8 @@ This chapter includes specific procedures related to managing an ANMS production
458464

459465
The ANMS source is composed of a top-level repository `anms` and a number of submodule repositories; all of them are required for building the ANMS.
460466

467+
Before beginning, ensure that either Docker or Podman (preferred) is installed and functional on your system along with docker-compose. A hello-world image can be run to verify functionality, ie: `docker run --rm hello-world` or `podman run --rm hello-world`. Compose can be verified with `podman compose ps` - If compose is not properly installed it will report 'unrecognized command'
468+
461469
. The top-level checkout can be done with:
462470
+
463471
----
@@ -469,19 +477,24 @@ git clone --recursive --branch <TAGNAME> https://github.com/NASA-AMMOS/anms.git
469477
git checkout <TAGNAME>
470478
git submodule update --init --recursive
471479
----
472-
. The container image building is then executed with:
480+
. If running rootful containers (not recommended. Podman defaults to rootless), it may be necessary to add the local user to the `docker` access group with the following. :
473481
+
474482
----
475-
export DOCKER_IMAGE_PREFIX=<REPOURL>
476-
export DOCKER_IMAGE_TAG=latest
477-
./build.sh buildonly
483+
sudo usermod -a -G docker ${USER}
478484
----
485+
. Update `.env` file as needed. Fields that may need to be updated include `DOCKER_IMAGE_PREFIX` and for rootless podman the port mappings for AUTHNZ may need to be uncommented to avoid permissions issues
486+
. Build images using either: (Note: The podman-build-args flag is required for healthchecks to function under podman).
487+
+
488+
----
489+
docker compose -f docker-compose.yml -f testenv-compose.yml build
490+
podman compose --podman-build-args='--format docker' -f docker-compose.yml -f testenv-compose.yml build
491+
----
492+
479493
+
480-
which by default uses the current top-level branch name as the tag for all container images.
481494

482495
[NOTE]
483496
====
484-
To build an ANMS that uses an emulator for the CAM Gateway (which means that the ANMS will not require a CAM server), have the following environment set in the build step above:
497+
To build an ANMS that uses an emulator for the CAM Gateway (which means that the ANMS will not require a CAM server), have the following environment set in the build step above. (Note: The default value that uses the CAM Gateway is `cam-gateay`):
485498
----
486499
export AUTHNZ_EMU=demo
487500
----
@@ -546,12 +559,13 @@ The PEM-encoded CA bundle containing at least the CA chain used to sign the serv
546559

547560
=== Upgrading
548561

549-
Because the ANMS is deployed as a Docker Compose configuration with associated environment variables and container images, an upgrade involves updating the compose configuration and restarting affected containers.
562+
Because the ANMS is deployed as a series of containers managed by compose with associated environment variables and configuration, an upgrade involves rebuilding and restarting affected containers.
550563

551564
An upgrade can be performed using the same procedure as <<sec-proc-install>>, where Puppet will make any required changes for the upgrade and restart services and containers as necessary.
552565
Individual ANMS releases may identify pre-upgrade or post-upgrade steps in their specific Release Description Document (RDD).
553566

554-
=== Resetting Docker State
567+
[#sec-reset-system]
568+
=== Resetting Container State
555569

556570
[WARNING]
557571
The following will reset all database state, including user profiles, ADM configuration, and all historical report data.
@@ -560,9 +574,21 @@ This should only be used for test hosts or after performing a full Postgres DB b
560574
To force containers and volumes (containing long-term database files) to be cleared, a maintainer can run the following from the host.
561575

562576
```
563-
docker stop $(docker ps -q); docker rm $(docker ps -a -q); docker volume rm $(docker volume ls -q)
577+
podman stop --all
578+
podman system prune --all --volumes
564579
```
565580

581+
To verify artifacts have been removed you may use the following. The prune command (or object-specific prune command) may need to be reissued if not all relevant artifacts have been cleared.
582+
583+
```
584+
podman image ls
585+
podman container ls
586+
podman volume ls
587+
podman network ls
588+
```
589+
590+
TIP: In some cases, issues may arise due to system cache files on the host system not being cleared (a potential issue with select podman versions). It is recommended to restart the host system after clearing objects to ensure a clean start.
591+
566592
After clearing containers and volumes, the normal `apply_local` step of <<sec-proc-install>> should be performed to re-install and start the containers.
567593

568594

@@ -613,7 +639,7 @@ podman compose -p anms logs [service-name]
613639
[#sec-proc-mon-selinux]
614640
==== SELinux Audit Events
615641

616-
The procedures in this section are a summary of more detail provided in Chapter 5 of the RedHat <<rhel8-selinux>> document.
642+
The procedures in this section are a summary of more detail provided in Chapter 5 of the RedHat <<rhel9-selinux>> document.
617643

618644
By default, the `setroubleshootd` service is running, which intercepts SELinux audit events
619645

@@ -781,7 +807,6 @@ See <<sec-proc-mon-selinux>> for details on observing the audit log events.
781807

782808
CAUTION: The SELinux permissive mode is for troubleshooting only and must not be present in a production installation.
783809

784-
785810
==== Operations
786811

787812
This section covers issues that can occur after successful installation (see <<sec-proc-install>>) and checkout (see <<sec-checkout>>) of the ANMS.
@@ -790,12 +815,14 @@ This section covers issues that can occur after successful installation (see <<s
790815

791816
If the Grafana panels in the `Monitor` tab displays `Connection was reset` errors, the Grafana container may not have started successfully.
792817

793-
Restart the container with `docker-compose up grafana` (run from within the `anms/` folder).
818+
Restart the container with `podman compose up grafana` (run from within the `anms/` folder).
794819

795820
If restarting the container does not resolve the problem, and the Grafana startup
796821
contains errors related to only having read-only access to the database, permissions on
797822
various files in the source code will need to be updated for Grafana to run.
798823

824+
The following permissions example is for typical rootful Docker systems. Rootless podman may require different permissions.
825+
799826
For both the `docker_data/grafana_vol/` folder and the `docker_data/grafana_vol/grafana.db`
800827
file, change the group to `docker` and the permissions to `777`:
801828

@@ -806,14 +833,14 @@ $ sudo chmod 777 docker_data/grafana_vol
806833
$ sudo chmod 777 docker_data/grafana_vol/grafana.db
807834
```
808835

809-
After changing these permissions, run `docker-compose up grafana` again, and the Grafana
836+
After changing these permissions, run `podman compose up grafana` again, and the Grafana
810837
container should start sucessfully.
811838

812839
===== Agent Registration Issues on ANMS Startup
813840

814841
If an Agent is not present in the `Agents` tab on start up, it is likely due to an error in one of the ION containers and their connection to the underlying database.
815842

816-
To resolve the issue, restart the ION containers using `docker-compose restart n1 n2`.
843+
To resolve the issue, restart the ION containers using `podman compose restart n1 n2`.
817844

818845
===== New Agent Registration Issues
819846

@@ -846,8 +873,7 @@ With ANMS running, go to `localhost:8080` and log in to the database with:
846873
===== ANMS-UI is not visible at hostname:9030
847874

848875
This error may indicate that the anms-ui docker is experiencing issues receiving HTTP requests.
849-
This is most likely related to the `host` or `bind address` specified in `anms-ui/server/shared/config.py`,
850-
or an environment variable that overrides this.
876+
This is most likely related to the `host` or `bind address` specified in `anms-ui/server/shared/config.py`, an environment variable that overrides this, or a firewall issue.
851877

852878
===== ANMS-UI is not visible at hostname
853879

@@ -858,6 +884,74 @@ Check the status of the `authnz` container in the compose services list.
858884
It may be necessary to restart the container using:
859885
`sudo podman compose -p anms restart authnz`.
860886

887+
Port numbers can be overridden through environment variables (see .env file). Check that ports are mapped to the expected ports and are not being blocked by your system's firewall (if applicable).
888+
889+
When running rootless podman the container may fail to start if the user does not have permission to bind on the configured port(s). Users typically cannot bind to low numbered ports, including 80 (http) and 443 (https). If this is the issue, try to set AUTHNZ_PORT and AUTHNZ_HTTPS_PORT to higher values and test at the specified port (ie: In .env set AUTHNZ_PORT=9080 and test at http://hostname:9080).
890+
891+
Check that the authnz container is running with `podman compose ps`.
892+
893+
Logs can be viewed with `podman compose logs authnz` to identify potential issues.
894+
895+
896+
===== Other container startup issues
897+
898+
Following an upgrade or failed installation step, it is possible for the system to be in an inconsistent state resulting in containers failing to start, initialize properly, or using outdated caches.
899+
900+
As a first debug step, it is recmmended to fully restart the host system and all containers. If that fails to resolve the issue, backup any existing data and proceed with a full reset of your installation files. See <<sec-reset-system>> for details and ensure you restart the host system prior to rebuilding.
901+
902+
==== Advanced
903+
904+
[#sec-volume-mount-tip]
905+
===== Override Configuration Files with Volume Mounts
906+
907+
It is sometimes necessary to override configuration files or scripts built into the container environment. Volume mounts can be used override select files or directories without rebuilding containers.
908+
909+
For example, to override the ION NM Manager configuration file add the following to the `volumes section of `ion-manager` in `docker-compose.yml`. Adjust the source file to any relative or absolute path desired. For this change to take effect, you must restart all containers with `podman compose down` and then restart with `podman compose up`. Simply restarting the affected contaner may not refresh changes made to the compose file.
910+
911+
```
912+
- ./ion/configs/simple-2-node/mgr.rc:/etc/ion.rc
913+
```
914+
915+
This approach can also be used to override sample agent configurations (see agent-compose.yml), extend authentication settings in the selected auth container, or for developers to quickly test changes.
916+
917+
===== General Networking Issues
918+
919+
If services cannot be accessed from remote machines, verify that it is not being blocked by your system's firewall.
920+
921+
In rare cases, it may be useful to utilize Wireshark or Tshark to verify network traffic within the containers, particularly if debugging NM agents within the container network. The following is a quick guide to installing and running these tools within the container if you do not have the ability to view activity from the host system. This example is for the ion-manager container, but can be adapted to any.
922+
923+
To temporarily install in the ion-manager container run `podman compose exec ion-manager yum install tshark`. Alternatively, modify the ion/Dockerfile to permanently add it to your installation and rebuild. It can then be run with `podman compose exec ion-manager tshark -i any`, with tshark arguments modified as needed.
924+
925+
To use the GUI wireshark, install with `podman compose exec ion-manager yum install wireshark`. To easily run, create a file `novnc-compose.yml` with the definition below. Start it with `podman compose -f novnc-compose.yml up`. From the shell run `podman compose exec ion-manager bash` followed by `DISPLAY=novnc:0.0 wireshark` to launch wireshark in the VNC session acessible from http://hostname:9081
926+
927+
```
928+
# noVNC provides browser access to network to aide debugging.
929+
# This container is NOT intended for production usage.
930+
931+
networks:
932+
# This network is created by docker-compose.yml
933+
default:
934+
name: ${DOCKER_CTR_PREFIX}anms
935+
external: true
936+
937+
services:
938+
novnc:
939+
image: chrome-novnc
940+
build:
941+
dockerfile: novnc.Dockerfile
942+
environment:
943+
# Adjust to your screen size
944+
- DISPLAY_WIDTH=1920
945+
- DISPLAY_HEIGHT=1080
946+
- RUN_XTERM=yes
947+
ports:
948+
- "9081:8080"
949+
```
950+
951+
See <<sec-volume-mount-tip>> for an example of volume mounting a local directory for easier saving of captures for later analysis. In this case, you may wish to mount a directory instead of a single file, such as `- ./logs:/logs` and append to the tshark command `-w /logs/log.pcap`
952+
953+
954+
861955

862956
[#sec-contact]
863957
=== Contacting or Contributing

user-guide/docinfo.xml.in

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@
66
</orgname>
77
</author>
88
<copyright>
9-
<year>2023-2024</year>
9+
<year>2023-2025</year>
1010
<holder>The Johns Hopkins University Applied Physics Laboratory LLC</holder>
1111
</copyright>
1212
<legalnotice>
@@ -46,4 +46,11 @@ subcontract 1658085.
4646
Updates for ANMS v1.1.0
4747
</revdescription>
4848
</revision>
49+
<revision>
50+
<revnumber>B</revnumber>
51+
<date>31 July 2025</date>
52+
<revdescription>
53+
Updates for ANMS v2.0
54+
</revdescription>
55+
</revision>
4956
</revhistory>

0 commit comments

Comments
 (0)