Installation (AEN 4.1.2)
========================

.. raw:: html

    <div class="section" id="overview">
    <h2>Overview<a class="headerlink" href="#overview" title="Permalink to this headline">¶</a></h2>
    <p>This installation procedure covers the steps needed to install
    a basic Anaconda Enterprise Notebooks (AEN) system comprised of a
    front-end Server, one or more Gateways, and one or more Compute Nodes.</p>
    <p>If you have any questions about installation instructions,
    please contact your sales representative or Priority
    Support team.</p>
    </div>
    <div class="section" id="components">
    <h2>Components<a class="headerlink" href="#components" title="Permalink to this headline">¶</a></h2>
    <p>The AEN platform consists of three main service groups:
    <em>AEN Server</em>, <em>AEN Gateway</em>, and <em>AEN Compute</em>.
    These services can be either be distributed
    across multiple servers (recommended), or run on a single machine.</p>
    <div class="section" id="server">
    <h3>Server<a class="headerlink" href="#server" title="Permalink to this headline">¶</a></h3>
    <p>The <em>Server</em> component is the administrative front-end to the system.
    This is where users login to the system, where user accounts are stored,
    where admins can manage the system, and interfacing with the database.</p>
    <p>The Server is the main entry point for all users. It handles setting up
    projects and ensuring users are sent to the correct <em>Data Center</em> for a
    given <em>Project</em>.</p>
    <p>Anaconda Enterprise Notebooks uses <em>MongoDB</em> to store internal data.
    This is typically run on the same host as the Server but
    can also be deployed on a separate host.</p>
    <p>The Server uses <em>NGINX</em> to handle the user-facing web interface.
    NGINX acts as a request proxy. The actual Server web-process runs on
    a high numbered port listening only on <code class="docutils literal"><span class="pre">localhost</span></code>, and NGINX
    forwards requests there. The NGINX server is also responsible for
    static content.</p>
    </div>
    <div class="section" id="gateway">
    <h3>Gateway<a class="headerlink" href="#gateway" title="Permalink to this headline">¶</a></h3>
    <p>The <em>Gateway</em> is a reverse proxy that authenticates
    users and automatically directs them to the proper AEN Compute
    machine for their project.</p>
    <p>The Gateway provides a single access point to a set of <em>Compute
    Nodes</em>, and acts as a <em>proxy service</em> to manage authorization and
    mapping of URLs and ports to services that are running on Compute
    Nodes, thus providing a consistent uniform interface for the user.</p>
    <p>Generally you need one Gateway for each physical location in
    your organization using AEN for firewall reasons.</p>
    <p>Users will not notice the Gateway as it automatically routes
    requests to the proper Compute Node.</p>
    </div>
    <div class="section" id="compute-nodes">
    <h3>Compute Nodes<a class="headerlink" href="#compute-nodes" title="Permalink to this headline">¶</a></h3>
    <p>Compute Nodes are where <em>Apps</em> (such as Jupyter Notebook
    and Workbench) actually run. These are also the hosts that a user would
    see in a <em>terminal session</em> or if they used <em>SSH</em> to access the node. It
    is where all user-visible programs run. Each Project is associated
    with one or more Compute Nodes, and these in turn are part of a single
    Data Center. Compute Nodes need only be reachable by the AEN Gateway,
    so they can be completely isolated by a firewall.</p>
    </div>
    <div class="section" id="component-organization">
    <h3>Component organization<a class="headerlink" href="#component-organization" title="Permalink to this headline">¶</a></h3>
    <a class="reference internal image-reference" href="../../../_images/ae-notebooks/4.1.2/install/components.png"><img alt="../../../_images/ae-notebooks/4.1.2/install/components.png" class="align-center" src="../../../_images/ae-notebooks/4.1.2/install/components.png" style="width: 816.0px; height: 1056.0px;" /></a>
    <p><img alt="image1" src="../../../_images/ae-notebooks/4.1.2/install/network-diagram.png" /></p>
    <p>Organizationally, each Anaconda Enterprise Notebooks installation has
    exactly one Server instance. One or more Gateway instances can be configured
    and each Compute Node can only connect to one Gateway. The collection of
    Compute Nodes served by a single Gateway will be referred to as a <em>Data Center</em>.
    New Data Centers can be added to the AEN installation at any time.</p>
    <p>For example, a Anaconda Enterprise Notebooks deployment with two
    Data Centers, where one Gateway had a cluster of 20 physical computers,
    and the second Gateway had 30 virtual machines would have the
    following complement of services installed and running:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="mi">1</span>  <span class="n">AEN</span> <span class="n">Server</span> <span class="n">instance</span>
    <span class="mi">2</span>  <span class="n">AEN</span> <span class="n">Gateway</span> <span class="n">instances</span>
    <span class="mi">50</span> <span class="n">AEN</span> <span class="n">Compute</span> <span class="n">instances</span> <span class="p">(</span><span class="mi">20</span> <span class="o">+</span> <span class="mi">30</span><span class="p">)</span>
    </pre></div>
    </div>
    <p>Anaconda Enterprise Notebooks users interact with the system
    predominantly through Projects, a set of <em>conda environments</em>, Jupyter Notebooks,
    and other Apps that can be accessed by a <em>Team</em> of users.</p>
    <p>Projects are associated with a single Data Center within the AEN environment.
    The team of users includes one <em>Owner</em>, which is the user that created the Project.</p>
    <p>Since Anaconda Enterprise Notebooks is web-based, it uses configurable HTTP
    ports on the Server.</p>
    </div>
    </div>
    <div class="section" id="installers">
    <h2>Installers<a class="headerlink" href="#installers" title="Permalink to this headline">¶</a></h2>
    <p>The Anaconda Enterprise Notebooks installers are available to paid
    customers only. If you are interested in a demonstration of Anaconda
    Enterprise Notebooks, please <a class="reference external" href="https://www.continuum.io/contact-us">contact
    us</a>.</p>
    <div class="section" id="distributed-install">
    <h3>Distributed install<a class="headerlink" href="#distributed-install" title="Permalink to this headline">¶</a></h3>
    <p>In a distributed install the Server and Gateway run on separate
    hosts.</p>
    </div>
    <div class="section" id="single-box-install">
    <h3>Single box install<a class="headerlink" href="#single-box-install" title="Permalink to this headline">¶</a></h3>
    <p>Both the Server and the Gateway need separate external ports since
    they are independent services that are running on the same host in the
    <em>single-box</em> installation.</p>
    </div>
    </div>
    <div class="section" id="installation-requirements">
    <h2>Installation requirements<a class="headerlink" href="#installation-requirements" title="Permalink to this headline">¶</a></h2>
    <p>Ensure you have the proper hardware and software resources before
    installing AEN.</p>
    <div class="section" id="hardware-requirements">
    <h3>Hardware requirements<a class="headerlink" href="#hardware-requirements" title="Permalink to this headline">¶</a></h3>
    <p>See <a class="reference internal" href="../../../anaconda-enterprise/system-requirements.html"><span class="doc">System Requirements</span></a> for all Anaconda Enterprise hardware
    requirements.</p>
    <p>NOTE: We recommend putting ``/opt/wakari`` and ``/projects`` on the same
    filesystem. If the project and conda env directories are on separate
    filesystems then more disk space will be required on compute nodes and
    performance will be worse.</p>
    </div>
    <div class="section" id="software-requirements">
    <h3>Software requirements<a class="headerlink" href="#software-requirements" title="Permalink to this headline">¶</a></h3>
    <ul class="simple">
    <li>Red Hat/CentOS versions 6.5 to 7.2 on all nodes (Other Linux distros are supported,
    but this installation document assumes Red Hat or CentOS.)</li>
    <li>Linux home directories are required since Jupyter looks in $HOME for profiles and extensions.</li>
    <li><strong>/opt/wakari:</strong> Ability to install here and at least 10 GB of storage.</li>
    <li><strong>/projects:</strong> Size depends on number and size of projects. At least
    20 GB of storage.</li>
    </ul>
    <div class="section" id="linux-system-accounts-required">
    <h4>Linux system accounts required<a class="headerlink" href="#linux-system-accounts-required" title="Permalink to this headline">¶</a></h4>
    <p>Some Linux system accounts (UIDs) are added to the system during installation.
    If your organization requires special actions, here is the list of UIDs:</p>
    <ul class="simple">
    <li><strong>mongod</strong> (Red Hat) or <strong>mongodb</strong> (Ubuntu/Debian): Created by the RPM or deb package</li>
    <li><strong>elasticsearch</strong>: Created by RPM or deb package</li>
    <li><strong>nginx</strong>: Created by RPM or deb package</li>
    <li><strong>AEN_SRVC_ACCT</strong>: Created during installation of Anaconda Enterprise Notebooks, and defaults to &#8220;wakari&#8221;</li>
    <li><strong>ANON_USER</strong>: An account such as <code class="docutils literal"><span class="pre">public</span></code> or <code class="docutils literal"><span class="pre">anonymous</span></code> on the Compute Node
    If this user is not found, <code class="docutils literal"><span class="pre">AEN_SRVC_ACCT</span></code> will try to create it, and if this
    fails, projects will fail to start.</li>
    <li><strong>ACL</strong>: These directories need the filesystem mounted with Posix ACL (Access Control List) support
    (Posix.1e). Check with <code class="docutils literal"><span class="pre">mount</span></code> and <code class="docutils literal"><span class="pre">tune2fs</span> <span class="pre">-l</span> <span class="pre">/path/to/filesystem</span> <span class="pre">|</span> <span class="pre">grep</span> <span class="pre">options</span></code></li>
    </ul>
    </div>
    <div class="section" id="additional-software-requirements">
    <h4>Additional software requirements<a class="headerlink" href="#additional-software-requirements" title="Permalink to this headline">¶</a></h4>
    <div class="section" id="aen-server">
    <h5>AEN Server<a class="headerlink" href="#aen-server" title="Permalink to this headline">¶</a></h5>
    <ul class="simple">
    <li>Mongo Version: &gt;= 2.6.8 and &lt; 3.0</li>
    <li>NGINX version: &gt;= 1.6.2</li>
    <li>ElasticSearch: &gt;= 1.7.2</li>
    <li>Oracle JRE 7 or 8</li>
    <li>bzip2</li>
    </ul>
    </div>
    <div class="section" id="aen-gateway">
    <h5>AEN Gateway<a class="headerlink" href="#aen-gateway" title="Permalink to this headline">¶</a></h5>
    <p>No additional software prerequisites.</p>
    </div>
    <div class="section" id="aen-compute-node">
    <h5>AEN Compute Node<a class="headerlink" href="#aen-compute-node" title="Permalink to this headline">¶</a></h5>
    <ul class="simple">
    <li>git</li>
    <li>bzip2</li>
    <li>bash (Red Hat default) or zsh</li>
    <li>X Window System</li>
    </ul>
    <p>Note: If you don&#8217;t want to install the whole X Window System,
    you still need to install the following packages for R
    plotting support:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">sudo</span> <span class="n">yum</span> <span class="n">install</span> <span class="n">libXrender</span> <span class="n">libXext</span> <span class="n">libXdmcp</span> <span class="n">libSM</span> <span class="n">libICE</span> <span class="n">libXt</span> \
    <span class="n">dejavu</span><span class="o">-</span><span class="n">sans</span><span class="o">-</span><span class="n">fonts</span> <span class="n">dejavu</span><span class="o">-</span><span class="n">serif</span><span class="o">-</span><span class="n">fonts</span> <span class="n">dejavu</span><span class="o">-</span><span class="n">fonts</span><span class="o">-</span><span class="n">common</span> \
    <span class="n">fontpackages</span><span class="o">-</span><span class="n">filesystem</span>
    </pre></div>
    </div>
    </div>
    </div>
    <div class="section" id="security-requirements">
    <h4>Security requirements<a class="headerlink" href="#security-requirements" title="Permalink to this headline">¶</a></h4>
    <ul class="simple">
    <li>Root or sudo access</li>
    <li>SELinux in Permissive or Disabled mode</li>
    </ul>
    <p>One way to change SELinux to either permissive or disabled mode is
    to edit the /etc/sysconfig/selinux file and set SELINUX parameters
    value to either disable or permissive.
    Edit the following file using either root or sudo access:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">sysconfig</span><span class="o">/</span><span class="n">selinux</span>
    </pre></div>
    </div>
    <p>Edit the following and reboot for changes to take effect:</p>
    <div class="highlight-default"><div class="highlight"><pre><span></span><span class="c1"># This file controls the state of SELinux on the system.</span>
    <span class="c1"># SELINUX= can take one of these three values:</span>
    <span class="c1">#     enforcing - SELinux security policy is enforced.</span>
    <span class="c1">#     permissive - SELinux prints warnings instead of enforcing.</span>
    <span class="c1">#     disabled - No SELinux policy is loaded.</span>

    <span class="n">SELINUX</span><span class="o">=</span><span class="n">enforcing</span>

    <span class="c1"># SELINUXTYPE= can take one of these two values:</span>
        <span class="c1">#     targeted - Targeted processes are protected,</span>
        <span class="c1">#     mls - Multi Level Security protection.</span>

    <span class="n">SELINUXTYPE</span><span class="o">=</span><span class="n">targeted</span>
    </pre></div>
    </div>
    <p>Verify changes with <code class="docutils literal"><span class="pre">getenforce</span></code>.</p>
    </div>
    <div class="section" id="network-tcp-requirements">
    <h4>Network/TCP requirements<a class="headerlink" href="#network-tcp-requirements" title="Permalink to this headline">¶</a></h4>
    <p>Note that all port numbers are configurable, but defaults are shown below.</p>
    <table border="1" class="docutils">
    <colgroup>
    <col width="13%" />
    <col width="6%" />
    <col width="17%" />
    <col width="23%" />
    <col width="12%" />
    <col width="17%" />
    <col width="12%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">Direction</th>
    <th class="head">Type</th>
    <th class="head">Default Port</th>
    <th class="head">Protocol</th>
    <th class="head">Optional</th>
    <th class="head">Configurable</th>
    <th class="head">Comments</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>Inbound</td>
    <td>TCP</td>
    <td>80</td>
    <td>HTTP or HTTPS</td>
    <td>No</td>
    <td>Yes</td>
    <td>Server</td>
    </tr>
    <tr class="row-odd"><td>Inbound</td>
    <td>TCP</td>
    <td>8089</td>
    <td>HTTP or HTTPS</td>
    <td>No</td>
    <td>Yes</td>
    <td>Gateway</td>
    </tr>
    <tr class="row-even"><td>Inbound</td>
    <td>TCP</td>
    <td>5002</td>
    <td>HTTP</td>
    <td>No</td>
    <td>Yes</td>
    <td>Compute</td>
    </tr>
    </tbody>
    </table>
    </div>
    <div class="section" id="other-requirements">
    <h4>Other requirements<a class="headerlink" href="#other-requirements" title="Permalink to this headline">¶</a></h4>
    <p>Assuming the above requirements are met, there are no additional
    dependencies necessary for AEN.</p>
    <p>Note: While not a requirement for running the software, these
    instructions use <cite>curl</cite> or <cite>wget</cite> to download packages used in the install process.
    You may use other appropriate means to put the needed files into the
    installation directory.</p>
    </div>
    </div>
    </div>

Install Steps
-------------

Carry out the procedures linked from the table below to perform a 
complete install of all Anaconda Enterprise Notebooks components. 

.. toctree::
   :maxdepth: 1

   install-prep
   install-server
   install-gateway
   install-compute
   
The following optional install procedures may need to be performed, 
depending on how you set up your Data Center:
   
.. toctree::
   :maxdepth: 1
   
   option-config
   customization
   ldap
   ssl
   sso
   
Additional post-install information:
   
.. toctree::
   :maxdepth: 1
   
   installation_update
   uninstall
   release
