Concepts (AEN 4.1.3)
====================

.. raw:: html

    <div class="contents local topic" id="contents">
    <ul class="simple">
    <li><a class="reference internal" href="#system-overview" id="id1">System overview</a></li>
    <li><a class="reference internal" href="#server-node" id="id2">Server node</a></li>
    <li><a class="reference internal" href="#gateway-node" id="id3">Gateway node</a></li>
    <li><a class="reference internal" href="#compute-node-s" id="id4">Compute node(s)</a></li>
    <li><a class="reference internal" href="#supervisor-and-supervisord" id="id5">Supervisor and supervisord</a></li>
    <li><a class="reference internal" href="#anaconda-environments" id="id6">Anaconda environments</a></li>
    <li><a class="reference internal" href="#projects-and-permissions" id="id7">Projects and permissions</a></li>
    </ul>
    </div>
    <div class="section" id="system-overview">
    <span id="admin-concept-sys-overview"></span><h2><a class="toc-backref" href="#id1">System overview</a><a class="headerlink" href="#system-overview" title="Permalink to this headline">¶</a></h2>
    <p>The Anaconda Enterprise Notebooks platform consists of 3 main
    service groups: AEN server, AEN gateway and AEN compute, which
    are called &#8220;nodes&#8221;:</p>
    <ul class="simple">
    <li><a class="reference internal" href="#admin-concept-server"><span class="std std-ref">Server node</span></a>&#8212;The administrative
    front-end to the system where users log in, user accounts are
    stored, and administrators manage the system.</li>
    <li><a class="reference internal" href="#admin-concept-gateway"><span class="std std-ref">Gateway node(s)</span></a>&#8212;A reverse proxy
    that authenticates users and directs them to the proper compute
    node for their project. Users will not notice this node after
    installation as it automatically routes them.</li>
    <li><a class="reference internal" href="#admin-concept-compute"><span class="std std-ref">Compute nodes</span></a>&#8212;Where projects
    are stored and run.</li>
    </ul>
    <div class="figure align-center">
    <a class="reference internal image-reference" href="../../../_images/ae-notebooks/4.1.3/aen-install-components.png"><img alt="../../../_images/ae-notebooks/4.1.3/aen-install-components.png" src="../../../_images/ae-notebooks/4.1.3/aen-install-components.png" style="width: 816.0px; height: 1056.0px;" /></a>
    </div>
    <p>These services can be run on a single machine or distributed
    across multiple servers.</p>
    <div class="figure">
    <a class="reference internal image-reference" href="../../../_images/ae-notebooks/4.1.3/aen-install-network-diagram.png"><img alt="../../../_images/ae-notebooks/4.1.3/aen-install-network-diagram.png" src="../../../_images/ae-notebooks/4.1.3/aen-install-network-diagram.png" style="width: 50%;" /></a>
    </div>
    <p>Organizationally, each AEN installation has exactly 1 server
    instance and 1 or more gateway instances. Each compute node can
    only be connected to a single gateway. The collection of
    compute nodes served by a single gateway is called a <strong>data
    center</strong>. You can add data centers to the AEN installation at any
    time.</p>
    <p>EXAMPLE: An AEN deployment with 2 data centers, where 1 gateway
    has a cluster of 20 physical computers, and the second gateway
    has 30 virtual machines, must have the following services
    installed and running:</p>
    <ul class="simple">
    <li>1  AEN server instance</li>
    <li>2  AEN gateway instances</li>
    <li>50 AEN compute instances (20 + 30)</li>
    </ul>
    <p>Nodes must be configured and maintained separately.</p>
    </div>
    <div class="section" id="server-node">
    <span id="admin-concept-server"></span><h2><a class="toc-backref" href="#id2">Server node</a><a class="headerlink" href="#server-node" title="Permalink to this headline">¶</a></h2>
    <p>The server node handles login, user accounts, administration, and
    project creation and management, and it interfaces with the
    database. It is the main entry point to AEN for all users. The
    server node handles project setup and ensures that users are sent
    to the correct project data center.</p>
    <p>Since AEN is web-based, it uses the standard HTTP port 80 or
    HTTPS port 443 on the server.</p>
    <p>AEN uses MongoDB for its internal data persistence. MongoDB
    typically runs on the same host as the server but can also be
    <a class="reference internal" href="install/config/config-remote-mongodb.html"><span class="doc">installed</span></a> on a
    separate host.</p>
    <p>Server nodes use NGINX to handle the user-facing AEN web
    interface. NGINX acts as a request proxy for the actual server
    web-process which runs on a high numbered port that only listens
    on localhost. NGINX is also responsible for static content.</p>
    <p>The server is installed in the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server</span></code>
    directory.</p>
    <div class="section" id="server-processes">
    <span id="admin-concept-server-processes"></span><h3>Server processes<a class="headerlink" href="#server-processes" title="Permalink to this headline">¶</a></h3>
    <p>When you <a class="reference internal" href="sys-mgmt/manage-services.html#check-server-process-status"><span class="std std-ref">view the status of server processes</span></a>, you may see the processes
    explained below.</p>
    <table border="1" class="docutils">
    <colgroup>
    <col width="19%" />
    <col width="81%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">supervisord</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Manages <code class="docutils literal"><span class="pre">wakari-worker</span></code> and multiple <code class="docutils literal"><span class="pre">wk-server</span></code> processes.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/supervisord.conf</span></code></td>
    </tr>
    <tr class="row-odd"><td>log</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/var/log/supervisord.log</span></code></td>
    </tr>
    <tr class="row-even"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-server</span></code></td>
    </tr>
    <tr class="row-odd"><td>ports</td>
    <td>none</td>
    </tr>
    </tbody>
    </table>
    <table border="1" class="docutils">
    <colgroup>
    <col width="21%" />
    <col width="79%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">wk-server</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Handles user interaction and passes jobs on to the
    wakari gateway. Access to it is managed by NGINX.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>command</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/bin/wk-server</span></code></td>
    </tr>
    <tr class="row-odd"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/wakari/</span></code></td>
    </tr>
    <tr class="row-even"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-server</span></code></td>
    </tr>
    <tr class="row-odd"><td>logs</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/var/log/wakari/server.log</span></code></td>
    </tr>
    <tr class="row-even"><td>ports</td>
    <td>Not used in versions after 4.1.2 *</td>
    </tr>
    </tbody>
    </table>
    <p>* AEN 4.1.2 and earlier use port 5000. This port is used only on localhost.
    Later versions of AEN use Unix sockets instead. The Unix socket path is:
    <code class="docutils literal"><span class="pre">unix:/tmp/wakari-server.sock</span></code></p>
    <table border="1" class="docutils">
    <colgroup>
    <col width="21%" />
    <col width="79%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">wakari-worker</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Asynchronously executes tasks from <code class="docutils literal"><span class="pre">wk-server</span></code>.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>logs</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/var/log/wakari/worker.log</span></code></td>
    </tr>
    <tr class="row-odd"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-server</span></code></td>
    </tr>
    </tbody>
    </table>
    <table border="1" class="docutils">
    <colgroup>
    <col width="19%" />
    <col width="81%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">nginx</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Serves static files and acts as a proxy for all other requests,
    which are passed to the wk-server process. *</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td>nginx</td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/etc/nginx/nginx.conf</span></code>
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-server/etc/conf.d/www.enterprise.conf</span></code></td>
    </tr>
    <tr class="row-odd"><td>logs</td>
    <td><code class="docutils literal"><span class="pre">/var/log/nginx/woc.log</span></code> <code class="docutils literal"><span class="pre">/var/log/nginx/woc-error.log</span></code></td>
    </tr>
    <tr class="row-even"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">nginx</span> <span class="pre">status</span></code></td>
    </tr>
    <tr class="row-odd"><td>port</td>
    <td>80</td>
    </tr>
    </tbody>
    </table>
    <p>* In AEN 4.1.2 and earlier the wk-server process runs on port 5000 on
    localhost only. In later versions of AEN the wk-server process uses the Unix
    socket path <code class="docutils literal"><span class="pre">unix:/tmp/wakari-server.sock</span></code>.</p>
    <p>NGINX runs at least two processes:</p>
    <ul class="simple">
    <li>Master process running as root user.</li>
    <li>Worker processes running as nginx user.</li>
    </ul>
    </div>
    </div>
    <div class="section" id="gateway-node">
    <span id="admin-concept-gateway"></span><h2><a class="toc-backref" href="#id3">Gateway node</a><a class="headerlink" href="#gateway-node" title="Permalink to this headline">¶</a></h2>
    <p>The gateway node serves as an access point for a given group of
    compute nodes. It acts as a proxy service and manages the
    authorization and mapping of URLs and ports to services that are
    running on those nodes. The gateway nodes provide a consistent,
    uniform interface for the user.</p>
    <p>NOTE: The gateway may also be referred to as a data center
    because it serves as the proxy for a collection of compute nodes.</p>
    <p>You can put a gateway in each data center in a tiered scale-out
    fashion.</p>
    <p>AEN gateway is installed in the <code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway</span></code>
    directory.</p>
    <div class="section" id="gateway-processes">
    <span id="admin-concept-gateway-processes"></span><h3>Gateway processes<a class="headerlink" href="#gateway-processes" title="Permalink to this headline">¶</a></h3>
    <p>When you <a class="reference internal" href="sys-mgmt/manage-services.html#check-gateway-process-status"><span class="std std-ref">view the status of gateway processes</span></a>, you may see the processes
    explained below.</p>
    <table border="1" class="docutils">
    <colgroup>
    <col width="21%" />
    <col width="79%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">supervisord</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Manages the <code class="docutils literal"><span class="pre">wk-gateway</span></code> process.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway/etc/supervisord.conf</span></code></td>
    </tr>
    <tr class="row-odd"><td>log</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway/var/log/supervisord.log</span></code></td>
    </tr>
    <tr class="row-even"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-gateway</span></code></td>
    </tr>
    <tr class="row-odd"><td>ports</td>
    <td>none</td>
    </tr>
    </tbody>
    </table>
    <table border="1" class="docutils">
    <colgroup>
    <col width="18%" />
    <col width="82%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">wakari-gateway</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Passes requests from the AEN Server to the Compute nodes.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway/etc/wakari/wk-gateway-config.json</span></code></td>
    </tr>
    <tr class="row-odd"><td>logs</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway/var/log/wakari/gateway.application.log</span></code>
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-gateway/var/log/wakari/gateway.log</span></code></td>
    </tr>
    <tr class="row-even"><td>working dir</td>
    <td><code class="docutils literal"><span class="pre">/</span></code> (root)</td>
    </tr>
    <tr class="row-odd"><td>port</td>
    <td>8089 (webcache)</td>
    </tr>
    </tbody>
    </table>
    </div>
    </div>
    <div class="section" id="compute-node-s">
    <span id="admin-concept-compute"></span><h2><a class="toc-backref" href="#id4">Compute node(s)</a><a class="headerlink" href="#compute-node-s" title="Permalink to this headline">¶</a></h2>
    <p>Compute nodes are where applications such as Jupyter
    Notebook and Workbench actually run. They are also the hosts
    that a user sees when using the Terminal app or when using SSH
    to access a node. Compute nodes contain all user-visible
    programs.</p>
    <p>Compute nodes only need to communicate with a gateway, so they
    can be completely isolated by a firewall.</p>
    <p>Each project is associated with one or more compute nodes that
    are part of a single data center.</p>
    <p>AEN compute nodes are installed in the
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute</span></code> directory.</p>
    <p>Each compute node in the AEN system requires a compute launcher
    service to mediate access to the server and gateway.</p>
    <div class="section" id="compute-processes">
    <span id="admin-concept-compute-processes"></span><h3>Compute processes<a class="headerlink" href="#compute-processes" title="Permalink to this headline">¶</a></h3>
    <p>When you <a class="reference internal" href="sys-mgmt/manage-services.html#check-compute-process-status"><span class="std std-ref">view the status of compute processes</span></a>, you may see the processes
    explained below.</p>
    <table border="1" class="docutils">
    <colgroup>
    <col width="21%" />
    <col width="79%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">supervisord</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Manages the <code class="docutils literal"><span class="pre">wk-compute</span></code> process.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/supervisord.conf</span></code></td>
    </tr>
    <tr class="row-odd"><td>log</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/var/log/supervisord.log</span></code></td>
    </tr>
    <tr class="row-even"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-compute</span></code></td>
    </tr>
    <tr class="row-odd"><td>working dir</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc</span></code></td>
    </tr>
    <tr class="row-even"><td>ports</td>
    <td>none</td>
    </tr>
    </tbody>
    </table>
    <table border="1" class="docutils">
    <colgroup>
    <col width="16%" />
    <col width="84%" />
    </colgroup>
    <thead valign="bottom">
    <tr class="row-odd"><th class="head">wk-compute</th>
    <th class="head">details</th>
    </tr>
    </thead>
    <tbody valign="top">
    <tr class="row-even"><td>description</td>
    <td>Launches compute processes.</td>
    </tr>
    <tr class="row-odd"><td>user</td>
    <td><code class="docutils literal"><span class="pre">wakari</span></code></td>
    </tr>
    <tr class="row-even"><td>configuration</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/wk-compute-launcher-config.json</span></code>
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/etc/wakari/scripts/config.json</span></code></td>
    </tr>
    <tr class="row-odd"><td>logs</td>
    <td><code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/var/log/wakari/compute-launcher.application.log</span></code>
    <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/var/log/wakari/compute-launcher.log</span></code></td>
    </tr>
    <tr class="row-even"><td>working dir</td>
    <td><code class="docutils literal"><span class="pre">/</span></code> (root)</td>
    </tr>
    <tr class="row-odd"><td>control</td>
    <td><code class="docutils literal"><span class="pre">service</span> <span class="pre">wakari-compute</span></code></td>
    </tr>
    <tr class="row-even"><td>port</td>
    <td>5002 (rfe)</td>
    </tr>
    </tbody>
    </table>
    <p>The wk-compute process loads each of the following configuration
    files, in this order:</p>
    <ul class="simple">
    <li><code class="docutils literal"><span class="pre">/etc/wakari/config.json</span></code>.</li>
    <li><code class="docutils literal"><span class="pre">/etc/wakari/compute-launcher-config.json</span></code>.</li>
    <li><code class="docutils literal"><span class="pre">./compute-launcher-config.json</span></code>.</li>
    <li>Any configuration file specified by the <code class="docutils literal"><span class="pre">-c</span></code> option.</li>
    </ul>
    <p>If an option is specified in multiple files, the last one
    encountered takes precedence.</p>
    </div>
    </div>
    <div class="section" id="supervisor-and-supervisord">
    <span id="admin-concept-supervisord"></span><h2><a class="toc-backref" href="#id5">Supervisor and supervisord</a><a class="headerlink" href="#supervisor-and-supervisord" title="Permalink to this headline">¶</a></h2>
    <p>AEN uses a process control system called &#8220;Supervisor&#8221; to run its
    services. Supervisor is run by the AEN Service Account user,
    usually wakari or aen_admin.</p>
    <p>The Supervisor daemon process is called &#8220;supervisord&#8221;. It runs
    in the background and should rarely need to be restarted.</p>
    </div>
    <div class="section" id="anaconda-environments">
    <span id="admin-concept-environments"></span><h2><a class="toc-backref" href="#id6">Anaconda environments</a><a class="headerlink" href="#anaconda-environments" title="Permalink to this headline">¶</a></h2>
    <p>Each project has an associated conda environment containing the
    packages needed for that project. When a project is first
    started, AEN clones a default environment with the name &#8220;default&#8221;
    into the project directory.</p>
    <p>For more information about environments, see
    <a class="reference internal" href="../user-guide/adv-tasks/work-with-environments.html"><span class="doc">Working with environments</span></a>.</p>
    </div>
    <div class="section" id="projects-and-permissions">
    <span id="admin-concept-projects-permissions"></span><h2><a class="toc-backref" href="#id7">Projects and permissions</a><a class="headerlink" href="#projects-and-permissions" title="Permalink to this headline">¶</a></h2>
    <p>AEN users interact with the system predominantly through
    <a class="reference internal" href="../user-guide/concepts.html#user-concept-projects"><span class="std std-ref">projects</span></a>.</p>
    <p>Projects are associated with a single data center within the
    AEN environment. Each project's team of users includes one owner,
    who is the user that created the project.</p>
    <p>Projects live in the <code class="docutils literal"><span class="pre">projectRoot</span></code> folder on the compute
    node&#8212;by default, <code class="docutils literal"><span class="pre">/projects</span></code>.</p>
    <p>The project directory is created the first time a project is
    started. The <code class="docutils literal"><span class="pre">start-project</span></code> script clones it
    from <code class="docutils literal"><span class="pre">/opt/wakari/wakari-compute/lib/node_modules/wakari-compute-launcher/skeleton</span></code>.</p>
    <p>Project directory permissions are:</p>
    <div class="highlight-bash"><div class="highlight"><pre><span></span>owner: rwx, user who created the project
    group: rwx, group of the owner
    other: --x, to allow access to the Public folder
    ACL: rwx for any other team members
    </pre></div>
    </div>
    <p>Files and subdirectories within the project directory have the
    same permissions as the project directory, except:</p>
    <ul class="simple">
    <li>The public folder and everything in it are open to anyone.</li>
    <li>Any files hardlinked into the root anaconda
    environment&#8212;<code class="docutils literal"><span class="pre">/opt/wakari/anaconda</span></code>&#8212;are owned by the
    root or wakari users.</li>
    </ul>
    <p>Project file and directory permissions are maintained by the
    <code class="docutils literal"><span class="pre">start-project</span></code> script. All files and directories in the
    project will have their permissions set when the project is
    started, except for files owned by root or the AEN_SRVC_ACCT
    user&#8212;by default, wakari or aen_admin.</p>
    <p>The permissions of files owned by root or the AEN_SRVC_ACCT
    user are left unchanged so that the permissions settings of any
    linked files in the <code class="docutils literal"><span class="pre">/opt/wakari/anaconda</span></code> directory are not altered.</p>
    <p>CAUTION: Do not start a project as the AEN_SRVC_ACCT user.
    The permissions system does not correctly manage project files
    owned by this user.</p>
    </div>
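
An audit of the project directory permissions described under "Projects and permissions", as an added example that is not part of the AEN documentation or code base. It checks the documented ``owner rwx / group rwx / other --x`` mode (0771), reports entries outside the public folder that others can read or write, and reports entries owned by accounts that ``start-project`` does not manage. The folder name ``public``, the sample tree and the function names are assumptions; the ACL entries for team members are not checked.

```python
import os
import stat
from pathlib import Path

EXPECTED_DIR_MODE = 0o771  # owner rwx, group rwx, other --x, as documented above


def audit_project(project_dir, unmanaged_uids=frozenset({0}), public_name="public"):
    """Return (path, finding) pairs for entries that break the documented layout.

    unmanaged_uids: uids whose files start-project leaves alone (root by
    default; add the AEN service account uid). public_name is an assumed name.
    """
    root = Path(project_dir)
    findings = []
    mode = stat.S_IMODE(root.lstat().st_mode)
    if mode != EXPECTED_DIR_MODE:
        findings.append((str(root), f"project dir mode is {mode:04o}, expected 0771"))
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root and public_name in dirnames:
            dirnames.remove(public_name)  # the public folder is open by design
        for name in sorted(dirnames + filenames):
            path = Path(dirpath) / name
            st = path.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if st.st_uid in unmanaged_uids:
                findings.append((str(path), "unmanaged owner: permissions are not reset at project start"))
            elif st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                findings.append((str(path), f"readable or writable by others ({stat.S_IMODE(st.st_mode):04o})"))
    return findings


def build_sample_project(base):
    """Constructed sample tree: one compliant file, one exposed file, a public folder."""
    proj = Path(base) / "demo-project"
    (proj / "public").mkdir(parents=True)
    (proj / "notes.ipynb").write_text("{}")
    (proj / "leak.csv").write_text("a,b\n")
    (proj / "public" / "index.txt").write_text("shared")
    os.chmod(proj, 0o771)
    os.chmod(proj / "notes.ipynb", 0o660)
    os.chmod(proj / "leak.csv", 0o664)  # readable by others outside public
    os.chmod(proj / "public", 0o775)
    os.chmod(proj / "public" / "index.txt", 0o664)
    return proj


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for path, finding in audit_project(build_sample_project(tmp), frozenset()):
            print(path, "->", finding)
```

On a compute node, pass a directory under ``/projects`` and the uid of the AEN service account in ``unmanaged_uids``.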
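
The wk-compute configuration load order listed under "Compute processes" means the value in the first file is not necessarily the one in effect. The following added example (not AEN code) merges the files in the documented order and records which file supplied each option and which earlier value it replaced. It assumes a shallow merge of top-level keys and that missing files are skipped; ``projectRoot`` is the setting named on this page, while ``exampleOption``, the sample files and the function names are made up for illustration.

```python
import json
import tempfile
from pathlib import Path


def load_order(etc_dir="/etc/wakari", cwd=".", dash_c=None):
    """Candidate files in the order the page lists; dash_c is the -c argument."""
    paths = [
        Path(etc_dir) / "config.json",
        Path(etc_dir) / "compute-launcher-config.json",
        Path(cwd) / "compute-launcher-config.json",
    ]
    if dash_c is not None:
        paths.append(Path(dash_c))
    return paths


def effective_config(paths):
    """Merge files in order; the last file to set an option wins.

    Returns (config, provenance, overrides), where provenance maps each
    option to the file that supplied it and overrides lists
    (option, earlier_file, later_file) for every replaced value.
    """
    config, provenance, overrides = {}, {}, []
    for path in paths:
        if not path.is_file():
            continue  # assumption: a file that does not exist is skipped
        data = json.loads(path.read_text())
        if not isinstance(data, dict):
            raise ValueError(f"{path}: top level must be a JSON object")
        for key, value in data.items():
            if key in config and config[key] != value:
                overrides.append((key, provenance[key], str(path)))
            config[key] = value
            provenance[key] = str(path)
    return config, provenance, overrides


def demo():
    """Constructed files in a temp dir standing in for /etc/wakari and the cwd."""
    with tempfile.TemporaryDirectory() as tmp:
        etc, cwd, extra = Path(tmp, "etc"), Path(tmp, "cwd"), Path(tmp, "extra.json")
        etc.mkdir()
        cwd.mkdir()
        (etc / "config.json").write_text(
            json.dumps({"projectRoot": "/projects", "exampleOption": 1}))
        (cwd / "compute-launcher-config.json").write_text(
            json.dumps({"projectRoot": "/srv/other"}))
        extra.write_text(json.dumps({"exampleOption": 2}))
        config, _, overrides = effective_config(load_order(etc, cwd, extra))
        return config, [(k, Path(a).name, Path(b).name) for k, a, b in overrides]


if __name__ == "__main__":
    config, overrides = demo()
    print(config)
    for key, earlier, later in overrides:
        print(f"{key}: value from {earlier} replaced by {later}")
```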
