Docker Compose-based production installation

This installation requires a separately available PostgreSQL database and is intended for the production deployment of Governor. If you prefer an easier option to install Governor for evaluation and demonstration purposes, use the demo setup instead.

Prerequisites

  1. Docker must be available on the production server.

  2. A PostgreSQL server (version 13 or later) must be available to hold the Governor database. An empty database should be created before installing Governor, and the login credentials for this database should be known.

  3. Download and unzip governor-compose-prod.zip. This file contains the recommended setup for the backend (JVM-based) and frontend (nginx-based) Docker containers.

Setting up Docker Compose

Setting up the access to the Governor database

Modify the following lines in the docker-compose file:

- SPRING_DATASOURCE_URL=jdbc:postgresql://host.docker.internal:5432/governor (1)
- SPRING_DATASOURCE_USERNAME=apiuser (2)
- SPRING_DATASOURCE_PASSWORD=apipassword (3)
  1. Modify the JDBC URL to point to your PostgreSQL database for Governor. If the database runs on the same host as the Governor Docker containers, host.docker.internal can be used as the host name.

  2. Set the correct user name for the Governor database.

  3. Set the correct password for the Governor database.

For RHEL with SELinux enabled only

Allow ports 389 (ldap) and 80 (frontend http) to be used under the SELinux subsystem:

sudo semanage port -a -t http_port_t -p tcp 80
echo "net.ipv4.ip_unprivileged_port_start=80" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Configuring environment variables

JWT_SECRET

Generate a JWT secret to serve as the signing key for authentication. Follow these steps based on your operating system:

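  • Mac/Linux

openssl rand -base64 256 | tr -d '\n'

  • Windows (PowerShell)

# Draw the 256 key bytes from the system CSPRNG rather than Get-Random
$bytes = New-Object byte[] 256; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes); [Convert]::ToBase64String($bytes)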

After generating the key, replace [your jwt secret] in the docker-compose.yml file with the newly generated secret key.

ADMIN_EMAIL and ADMIN_DEFAULT_PASSWORD

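Generate an admin password:

  • Mac/Linux

openssl rand -hex 20

  • Windows (PowerShell)

# 20 bytes from the system CSPRNG, hex-encoded like the openssl command above
$bytes = New-Object byte[] 20; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes); -join ($bytes | ForEach-Object { $_.ToString('x2') })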

Replace [your admin email] and [your default admin password] in the docker-compose.yml with credentials for a seed admin user.

SYNTHESIZED_LICENSE

Insert your Synthesized license key into the docker-compose.yml file by replacing [your synthesized key].
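
Once the database credentials and the variables above are filled in, it is worth confirming that no template value survived the edit before the containers are started. The following preflight check is an added example, not part of the Governor distribution; the function name check_compose_secrets, the finding labels and the list-form "- NAME=value" layout it parses are assumptions based on the lines shown on this page.

```shell
#!/bin/sh
# Added example: preflight check for the edited docker-compose.yml.
# Assumes list-form entries ("- NAME=value") as shown on this page.
# Prints one finding per line and returns 1 if anything was found.
check_compose_secrets() {
    file=$1
    status=0
    # Skip commented-out lines such as the optional volumes block.
    active=$(grep -v '^[[:space:]]*#' "$file" || true)

    # 1. Template placeholders that were never replaced.
    left=$(printf '%s\n' "$active" | grep -o '\[your [^]]*]' | sort -u)
    if [ -n "$left" ]; then
        printf '%s\n' "$left" | sed 's/^/PLACEHOLDER /'
        status=1
    fi

    # 2. The sample database password from the documentation is still set.
    if printf '%s\n' "$active" |
        grep -q 'SPRING_DATASOURCE_PASSWORD=apipassword[[:space:]]*$'; then
        echo 'SAMPLE_DB_PASSWORD'
        status=1
    fi

    # 3. Compose treats a single "$" as variable interpolation, so a literal
    #    dollar sign inside a secret has to be written as "$$".
    for var in SPRING_DATASOURCE_PASSWORD JWT_SECRET ADMIN_DEFAULT_PASSWORD; do
        value=$(printf '%s\n' "$active" |
            sed -n "s/^[[:space:]]*-[[:space:]]*$var=//p" | head -n 1)
        case $(printf '%s' "$value" | sed 's/\$\$//g') in
            *'$'*) echo "UNESCAPED_DOLLAR $var"; status=1 ;;
        esac
    done

    # 4. The file now holds secrets: group and others get no access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo 'FILE_ACCESSIBLE_BY_OTHERS'
        status=1
    fi
    return "$status"
}

# Usage: sh preflight.sh docker-compose.yml
[ "$#" -eq 0 ] || check_compose_secrets "$1"
```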

(Optional) Setting up volumes for logs and RocksDB

In most scenarios, it makes sense to keep logs and RocksDB storage on the host’s filesystem, not on Docker’s internal filesystem.

In order to do so, uncomment the following lines in the docker-compose.yml:

    # volumes:
      # - [your path to rocksdb]:/app/rocksdb
      # - [your path to logs]:/app/logs
  1. Replace [your path to rocksdb] with the path where you would like to store RocksDB data.

  2. Replace [your path to logs] with the path where you would like to store application logs.

The free disk space required on the partitions containing RocksDB and logs depends heavily on your usage scenarios; we recommend that at least 100Gb be available for production usage.

Running

Use the detached mode of docker compose to run the Governor containers in production:

docker compose up --detach

The Governor UI will be available at http://localhost:80. Use the username and password specified as ADMIN_EMAIL and ADMIN_DEFAULT_PASSWORD to log in.

Use the docker compose ps command to make sure that the backend and frontend services are both running and in a healthy state. The most common source of problems is connectivity to the database. Verify that the database connection URL, username and password are correct. If the problem persists, check the backend logs (docker compose logs backend) for details.

Setting up TLS termination

Governor requires the https:// protocol to run successfully from any address other than localhost. If you want to set up a domain name for Governor, you have to set up TLS termination as well.

The simplest way to do so is to install nginx and provide domain certificates.

  • Set up nginx.

  • Create a file named after your domain in /etc/nginx/sites-available with the following content:

server {
    listen 443 ssl;
    server_name [domain name];

    ssl_certificate [path-to-your-certificate]/fullchain.pem;
    ssl_certificate_key [path-to-your-certificate]/privkey.pem;

    location / {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
  • In this file

    • [domain name] is the domain name for your website, e.g. governor.example.com.

    • [path-to-your-certificate] is the folder where website certificates are stored.

  • Create a symlink with nginx configuration from /etc/nginx/sites-available to /etc/nginx/sites-enabled

  • Execute nginx -s reload.

You may also be interested in automatic creation and renewal of your domain certificates with Certbot. In this case, refer to the relevant documentation.