Snowstorm server
Deployment diagram
We recommend installing SNOMED-related software on a separate machine.
Minimal
The minimal configuration consists of Snowstorm storage (Elastic) and Snowstorm server (green box on the deployment diagram).
The minimal deployment is required to support operations with SNOMED in the TermX installation or during development.
With SNOMED browser
An additional SNOMED browser (like the official browser) may be installed in your environment to provide an additional view of SNOMED concepts (blue box on the deployment diagram).
See the “snomed-browser” component in the docker-compose.yml. We recommend using the image of the SNOMED browser from docker.kodality.com/snomedct-browser:latest.
The web server should also be configured to provide access to the Snowstorm API and SNOMED Browser.
Ensure that the /snowstorm/, /snomed-ct/ and /snowstorm/snomed-ct/ locations are configured in the web server.
Public and secure access
If you want to provide public access, you should separate the Snowstorm installations.
We recommend installing a separate Snowstorm server in read-only mode that will be publicly available.
Use the --snowstorm.rest-api.readonly=true parameter to activate read-only mode.
The private Snowstorm server should be secured and accessible from the internal DMZ.
Use the --spring.security.user.name=USER and --spring.security.user.password=PWD parameters to secure the private Snowstorm instance.
Daily build
According to the design of the SNOMED browser, Daily build mode is enabled if the URL contains the -dailybuild suffix. For example, if the Snowstorm URL is snowstorm.mysite.org, then daily build will be automatically enabled on the site snowstorm-dailybuild.mysite.org.
You can decide whether you need two browsers: one for the public environment without daily build and another for the private environment with daily build.
Review the latest docker-compose file from IHTSDO.
Create your own docker-compose.yml
version: '2.1'
services:
  elasticsearch:
    restart: unless-stopped
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.1
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      # Elasticsearch authentication is disabled; port 9200 is published on loopback only (see ports)
      - xpack.security.enabled=false
      - node.name=snowstorm
      - cluster.name=snowstorm-cluster
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
    volumes:
      - /opt/snomed/data:/usr/share/elasticsearch/data
    networks:
      elastic:
        aliases:
          - es
    healthcheck:
      test: ["CMD", "curl", "-f", "http://elasticsearch:9200"]
      interval: 1s
      timeout: 1s
      retries: 60
    ports:
      - 127.0.0.1:9200:9200
    mem_reservation: 4g
  snowstorm:
    restart: unless-stopped
    image: snomedinternational/snowstorm:latest
    container_name: snowstorm
    depends_on:
      elasticsearch:
        condition: service_healthy
    entrypoint: java -Xms2g -Xmx4g --add-opens java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --elasticsearch.urls=http://elasticsearch:9200
    # network aliases are declared under the network name (mapping form)
    networks:
      elastic:
        aliases:
          - snowstorm
    ports:
      - 8080:8080
networks:
  elastic:
We recommend protecting Snowstorm endpoints with a username and password, as shown in the next block. The secured Snowstorm instance and the TermX server should be installed in the same DMZ.
    entrypoint: java -Xms2g -Xmx4g -jar snowstorm.jar --elasticsearch.urls=http://elasticsearch:9200 --spring.security.user.name=termx-appuser --spring.security.user.password=termx-userpwd
You can also set up an additional Snowstorm instance for open access.
  snowstorm_public:
    restart: unless-stopped
    image: snomedinternational/snowstorm:latest
    container_name: snowstorm-public
    # a single depends_on key: YAML does not allow the key to be repeated
    depends_on:
      elasticsearch:
        condition: service_healthy
      snowstorm:
        condition: service_started
    entrypoint: java -Xms2g -Xmx2g --add-opens java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --elasticsearch.urls=http://elasticsearch:9200 --snowstorm.rest-api.readonly=true
    networks:
      - elastic
    ports:
      - 8082:8080
If an external volume is used, Elasticsearch requires additional permissions:
chown -R 1000:1000 /opt/snomed/data/
You can also install a public SNOMED Browser:
  browser:
    restart: unless-stopped
    image: docker.kodality.com/snomedct-browser:latest
    container_name: browser
    # depends_on takes the service name (snowstorm_public), not the container name
    depends_on:
      - snowstorm_public
    environment:
      - API_HOST=http://snowstorm-public:8080/
      - TERMX_URL=https://termx.kodality.dev/
    networks:
      - elastic
    ports:
      - 9000:80
where API_HOST is the URL of the public Snowstorm server and TERMX_URL is the URL of the TermX installation used for redirects to the translation component.
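The access rules from "Public and secure access" can be checked against the compose file before the containers are started. The script below is an added example, not part of the original page or of the Snowstorm or TermX projects: it flags a Snowstorm service that is neither read-only nor given spring.security.user credentials, and an Elasticsearch service with security disabled whose port is published beyond 127.0.0.1. It assumes two-space YAML indentation; the function names audit_compose and sample_compose are hypothetical and the sample file is constructed.

```shell
# Added example (not from the page): audit a docker-compose.yml against the
# page's access rules. Assumes two-space YAML indentation.
audit_compose() {
  awk '
    function flush() {
      if (svc == "") return
      if (snow && !ro && !(user && pass)) {
        print svc ": writable Snowstorm without spring.security.user credentials"; bad++
      }
      if (es_open && exposed) {
        print svc ": Elasticsearch security disabled, port published beyond 127.0.0.1"; bad++
      }
    }
    /^[A-Za-z]/ { flush(); svc = ""; in_services = ($1 == "services:"); next }
    in_services && /^  [A-Za-z0-9_.-]+: *$/ {   # a service name under services:
      flush(); svc = $1; sub(/:$/, "", svc)
      snow = ro = user = pass = es_open = exposed = in_ports = 0
      next
    }
    svc == "" { next }
    /^    [a-z_]+:/ { in_ports = ($1 == "ports:") }   # per-service key
    in_ports && /^      - / && $2 !~ /^"?127\.0\.0\.1:/ { exposed = 1 }
    /SnowstormApplication|snowstorm\.jar/     { snow = 1 }
    /--snowstorm\.rest-api\.readonly=true/    { ro = 1 }
    /--spring\.security\.user\.name=[^ ]/     { user = 1 }
    /--spring\.security\.user\.password=[^ ]/ { pass = 1 }
    /xpack\.security\.enabled=false/          { es_open = 1 }
    END { flush(); exit (bad > 0) }             # non-zero exit when anything is flagged
  ' "${1:--}"                                   # file argument, or stdin when omitted
}

# Constructed sample input with one deliberate mistake per rule.
sample_compose() {
  cat <<'EOF'
services:
  elasticsearch:
    environment:
      - xpack.security.enabled=false
    ports:
      - 9200:9200
  snowstorm:
    entrypoint: java -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --elasticsearch.urls=http://elasticsearch:9200
  snowstorm_public:
    entrypoint: java -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --snowstorm.rest-api.readonly=true
EOF
}

sample_compose | audit_compose || echo "fix the findings before docker-compose up"
```

Run it as `audit_compose docker-compose.yml`; the non-zero exit status lets a deployment script stop before the containers are started.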
Build and run containers
docker-compose pull && docker-compose up -d
The web server implements basic authentication for the Snowstorm service.
Example configuration for the private Snowstorm instance:
server {
    server_name snowstorm.kodality.dev;
    auth_basic "Authenticate yourself!";
    auth_basic_user_file /etc/nginx/.htpasswd; # user-password credentials
    client_max_body_size 6G; # allow huge file uploads, like the initial Snomed International release
    # max-age=0 clears any stored HSTS policy for this host in the browser
    add_header Strict-Transport-Security "max-age=0";
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme; # for https in Swagger
        proxy_pass http://localhost:8080/;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate .../fullchain.pem; # managed by Certbot
    ssl_certificate_key .../privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = snowstorm.kodality.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name snowstorm.kodality.dev;
    listen 80;
    return 404; # managed by Certbot
}
The basic credentials file was created with the htpasswd tool.
To change a password, use htpasswd /etc/nginx/.htpasswd username
where ‘username’ is replaced with the actual value.
Example configuration for the public Snowstorm instance:
server {
    server_name snowstorm-public.kodality.dev;
    client_max_body_size 2G;
    add_header Strict-Transport-Security "max-age=0";
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snowstorm/snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-browser/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:9000/;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/snowstorm-public.kodality.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/snowstorm-public.kodality.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Example configuration for the Daily build Snowstorm instance:
server {
    server_name snowstorm-public-dailybuild.kodality.dev;
    client_max_body_size 2G;
    add_header Strict-Transport-Security "max-age=0";
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snowstorm/snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-browser/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:9000/;
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/snowstorm-public-dailybuild.kodality.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/snowstorm-public-dailybuild.kodality.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
Snowstorm Server can also be installed with a Helm chart.
NB! This is not an official chart. It’s made only for testing purposes.