Snowstorm server

Deployment diagram

We recommend installing SNOMED-related software on a separate machine.

Minimal

The minimal configuration consists of Snowstorm storage (Elastic) and Snowstorm server (green box on the deployment diagram).
This is the minimal deployment required to support operations with SNOMED in a TermX installation or during development.

With SNOMED browser

An additional SNOMED browser (like the official browser) may be installed in your environment to provide an additional view of SNOMED concepts (blue box on the deployment diagram).

See “snomed-browser” component in the docker-compose.yml. We recommend using the image of the SNOMED browser from docker.kodality.com/snomedct-browser:latest.
The web server should also be configured to provide access to the Snowstorm API and the SNOMED browser.
Ensure that /snowstorm/, /snomed-ct/ and /snowstorm/snomed-ct/ locations are configured in the web server.

Public and secure access

If you want to provide public access, you should run separate Snowstorm installations.
We recommend installing a separate Snowstorm server in read-only mode that will be publicly available.

Use the --snowstorm.rest-api.readonly=true parameter to activate read-only mode.

The private Snowstorm server should be secured and accessible from the internal DMZ.

Use the --spring.security.user.name=USER and --spring.security.user.password=PWD parameters to secure the private Snowstorm instance.

Daily build

By design, the SNOMED browser enables Daily build mode when the URL contains the -dailybuild suffix. For example, if the Snowstorm URL is snowstorm.mysite.org, then daily build will be automatically enabled on the site snowstorm-dailybuild.mysite.org.
You can decide whether you need 2 browsers: one for the public environment without daily build and another for the private environment with daily build.

Review the latest docker-compose file from IHTSDO.
Create your own docker-compose.yml:

version: '2.1'
services:
  elasticsearch:
    restart: unless-stopped
    image: docker.elastic.co/elasticsearch/elasticsearch:8.11.1
    container_name: elasticsearch
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false
      - node.name=snowstorm
      - cluster.name=snowstorm-cluster
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
    volumes:
      - /opt/snomed/data:/usr/share/elasticsearch/data
    networks:
      elastic:
        aliases:
          - es
    healthcheck:
      test: ["CMD", "curl", "-f", "http://elasticsearch:9200"]
      interval: 1s
      timeout: 1s
      retries: 60
    ports:
      - 127.0.0.1:9200:9200
    mem_reservation: 4g

  snowstorm:
    restart: unless-stopped
    image: snomedinternational/snowstorm:latest
    container_name: snowstorm
    depends_on:
      elasticsearch:
        condition: service_healthy
    entrypoint: java -Xms2g -Xmx4g --add-opens java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --elasticsearch.urls=http://elasticsearch:9200
    networks:
      elastic:
        aliases:
          - snowstorm
    ports:
      - 8080:8080

networks:
  elastic:

We recommend protecting Snowstorm endpoints with a username and password, as shown in the next block. The secured Snowstorm instance and the TermX server should be installed in the same DMZ.

    entrypoint: java -Xms2g -Xmx4g -jar snowstorm.jar --elasticsearch.urls=http://elasticsearch:9200  --spring.security.user.name=termx-appuser --spring.security.user.password=termx-userpwd

You can also set up an additional Snowstorm instance for open access.

  snowstorm_public:
    restart: unless-stopped
    image: snomedinternational/snowstorm:latest
    container_name: snowstorm-public
    # a single depends_on key: duplicate keys are invalid YAML
    depends_on:
      elasticsearch:
        condition: service_healthy
      snowstorm:
        condition: service_started
    entrypoint: java -Xms2g -Xmx2g --add-opens java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED -cp @/app/jib-classpath-file org.snomed.snowstorm.SnowstormApplication --elasticsearch.urls=http://elasticsearch:9200 --snowstorm.rest-api.readonly=true
    networks:
      - elastic
    ports:
      - 8082:8080
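
The access model described above (a read-only public instance, a password-protected private instance, and Elasticsearch with security disabled kept on loopback) can be checked against a compose file before the containers are started. The following Python check is an added example, not part of the original page or of Snowstorm: it reports every service whose port is published beyond 127.0.0.1 without one of those protections, such as an 8080:8080 mapping that listens on all host interfaces and so lets clients reach Snowstorm directly instead of through the authenticating web server. The function names, the line-based reader and the condensed sample compose text are assumptions made for illustration.

```python
import re

# Constructed sample, condensed from the compose fragments on this page.
SAMPLE = """\
services:
  elasticsearch:
    environment:
      - xpack.security.enabled=false
    ports:
      - 127.0.0.1:9200:9200
  snowstorm:
    entrypoint: java -jar snowstorm.jar --elasticsearch.urls=http://elasticsearch:9200
    ports:
      - 8080:8080
  snowstorm_public:
    entrypoint: java -jar snowstorm.jar --snowstorm.rest-api.readonly=true
    ports:
      - 8082:8080
"""

def parse_services(text):
    """Line-based reader (not a YAML parser): service name -> its stripped lines."""
    services, current, inside = {}, None, False
    for line in text.splitlines():
        if re.match(r"\S", line):                      # top-level key
            inside = line.startswith("services:")
        elif inside and (m := re.match(r"  ([\w.-]+):\s*$", line)):
            current = services.setdefault(m.group(1), [])
        elif inside and current is not None and line.strip():
            current.append(line.strip())
    return services

def audit(text):
    """Return (service, problem) pairs for ports published beyond loopback."""
    flags = ("--snowstorm.rest-api.readonly=true", "--spring.security.user.password=")
    findings = []
    for name, lines in parse_services(text).items():
        ports = [l[2:].strip("\"'") for l in lines if re.match(r"- [\"']?[\d.:]+[\"']?$", l)]
        exposed = [p for p in ports if not p.startswith("127.0.0.1:")]
        if not exposed:
            continue
        if "- xpack.security.enabled=false" in lines:
            findings.append((name, f"Elasticsearch security disabled, published as {exposed[0]}"))
        entry = next((l for l in lines if l.startswith("entrypoint:")), "")
        if re.search(r"SnowstormApplication|snowstorm\.jar", entry) and not any(f in entry for f in flags):
            findings.append((name, f"writable, no credentials, published as {exposed[0]}"))
    return findings

if __name__ == "__main__": print(audit(SAMPLE))
```

On the sample, only the private snowstorm service is reported; binding its port to 127.0.0.1 or adding the credential parameters clears the finding.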

When an external volume is used, Elasticsearch requires additional permissions on the data directory:

chown -R 1000:1000 /opt/snomed/data/

You can also install a public SNOMED browser:

  browser:
    restart: unless-stopped
    image: docker.kodality.com/snomedct-browser:latest
    container_name: browser
    depends_on:
      - snowstorm_public  # depends_on takes the service name, not the container_name
    environment:
      - API_HOST=http://snowstorm-public:8080/
      - TERMX_URL=https://termx.kodality.dev/
    networks:
      - elastic
    ports:
      - 9000:80

Here API_HOST is the URL of the public Snowstorm server, and TERMX_URL is the URL of the TermX installation, used to redirect to the translation component.

Build and run containers

docker-compose pull && docker-compose up -d

The configuration below implements basic authentication for the Snowstorm service.

Example configuration for the private Snowstorm instance:

server {
    server_name snowstorm.kodality.dev;

    auth_basic           "Authenticate yourself!";
    auth_basic_user_file /etc/nginx/.htpasswd; #user-password credentials
    client_max_body_size 6G; # allow huge file uploads, like the initial Snomed International release

    add_header Strict-Transport-Security "max-age=0"; # max-age=0 tells browsers to drop any stored HSTS policy for this host
    
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # for https in Swagger
        proxy_pass http://localhost:8080/;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate .../fullchain.pem; # managed by Certbot
    ssl_certificate_key .../privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = snowstorm.kodality.dev) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name snowstorm.kodality.dev;
    listen 80;
    return 404; # managed by Certbot
}

The basic credentials file is created with the htpasswd tool.

To change a password, run htpasswd /etc/nginx/.htpasswd username, replacing ‘username’ with the actual user name.

Example configuration for the public Snowstorm instance:

server {
    server_name snowstorm-public.kodality.dev;

    client_max_body_size 2G;

    add_header Strict-Transport-Security "max-age=0";

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snowstorm/snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-browser/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:9000/;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/snowstorm-public.kodality.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/snowstorm-public.kodality.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Example configuration for the Daily build Snowstorm instance:

server {
    server_name snowstorm-public-dailybuild.kodality.dev;

    client_max_body_size 2G;

    add_header Strict-Transport-Security "max-age=0";

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snowstorm/snomed-ct/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8082/;
    }
    location /snomed-browser/ {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:9000/;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/snowstorm-public-dailybuild.kodality.dev/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/snowstorm-public-dailybuild.kodality.dev/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

Snowstorm server can also be installed using a Helm chart.

NB! This is not an official chart. It’s made only for testing purposes.


Page last modified: Mar 5 2024 at 07:13 AM.