VIP local setup - fli-iam/shanoir-ng GitHub Wiki
This page explains how to set up VIP in a local environment and how to connect the VIP instance to the local Shanoir. Please pay careful attention to ALL lines in this document.
The idea is to add the management of the VIP Docker container to the Shanoir docker-compose.yml.
Make sure these changes are not pushed to the develop branch.
Create the following files; you can add all of them to the .gitignore:
- Create a new /docker-compose/Dockerfile called /docker-compose/Dockerfile.vip
- Create a new /docker-compose.yml called docker-compose-vip.yml and copy the docker-compose.yml into it.
- Create a directory /docker-compose/vip
For the Dockerfile.vip, copy:
Dockerfile.vip
```dockerfile
################ VIP ###############################################################
FROM viplatform/vip-portal AS vip
# Entrypoint script and VIP configuration files from /docker-compose/vip
COPY --link --chmod=0777 vip/entrypoint /usr/bin/
COPY --link vip/vip-oidc.json /vip/.vip/vip-oidc.json
COPY --link vip/vip.conf /vip/.vip/vip.conf
# Rename the default group directory g1 to local and create its sub-directories
RUN mv /vip/storage/workflows/SharedData/groups/g1 /vip/storage/workflows/SharedData/groups/local
RUN mkdir /vip/storage/workflows/SharedData/groups/local/boutiques && mkdir /vip/storage/workflows/SharedData/groups/local/inputs
# The entrypoint starts as root (update-ca-trust) and then switches to the vip user
USER root
ENTRYPOINT ["/usr/bin/entrypoint"]
```
For the /docker-compose/vip directory, create:
- A file named vip-oidc.json, and fill it with:
vip-oidc.json
```json
{
  "servers": [
    {
      "url": "https://shanoir-ng-nginx/auth/realms/shanoir-ng"
    }
  ]
}
```
vip.conf
```properties
# This is a template for the vip.conf file. This should be changed for any new vip installation
host.url = https://localhost
dev = True
# Admin information
admin.first.name = admin
admin.last.name = test
admin.email = [email protected]
admin.institution =
admin.phone =
admin.pass = admin
# VIP internal config
simulation.max.beginner = 1
simulation.max.platfrom = 35
account.undesiredEmailDomains =
account.undesiredCountries =
last.publication.update = 6
ssh.publickey = TOCHANGE
# Gatelab Application config
appletGatelab.classes = GateLab
appletGatelabTest.classes = GateLab Test
# SAML config
#saml.trustedcertificate.ISSUERTOCHANGE = PATH_TO_CERT
#saml.accounttype = TOCHANGE
# Boutiques config for import and publication
boutiques.upload.repository = /tmp/boutiques-cache
boutiques.application.rootFolder = /vip/Support (group)/Applications
boutiques.application.requirements =
publication.system-command = bosh publish --no-int $FILE
# External Storage : Girder
girder.token.duration-in-days = 1.0
# VO config
vo.name = biomed
vo.root = /workflows/SharedData
# Grida / DFC config
execution.input.local-files = True
grida.server.host = localhost
grida.server.port = 9006
datamanager.path = /vip/grida
datamanager.users.home = /workflows/SharedData/users
datamanager.users.home.alternative =
datamanager.groups.home = /workflows/SharedData/groups
datamanager.groups.home.alternative =
# MyProxy config
myproxy.host = localhost
myproxy.port = 9999
myproxy.user =
myproxy.pass =
myproxy.lifetime = 86400
myproxy.min.hours = 0
myproxy.enabled = false
# Mail config
sma.enabled = False
sma.host = localhost
sma.port = 8084
# Simulation runtime information
workflows.directory = /workflows
workflows.db.host = localhost
moteurlite.enabled = True
moteur.rest.enabled = true
moteur.rest.password = pass
# Truststore file
truststore.file = not_existing_and_non_null_path_required_here
truststore.password = changeit
# Other Config (seems unused)
cas.url = DEPRECATED
apache.host = localhost
apache.ssl.port = 80
# Error cases
# EGI OIDC client
oidc.egi.client_id=TOCHANGE
oidc.egi.client_secret=TOCHANGE
oidc.egi.redirect_uri=https://localhost/login/oauth2/code/egi
oidc.egi.authorization_uri=https://aai.egi.eu/oidc/authorize
oidc.egi.token_uri=https://aai.egi.eu/oidc/token
oidc.egi.user_info_uri=https://aai.egi.eu/oidc/userinfo
oidc.egi.jwk_set_uri=https://aai.egi.eu/oidc/jwk
keycloak.active = True
cors.autorized-domains=https://shanoir-ng-nginx
# General info stuff
carmin.platform.name=VIP-dev
carmin.platform.description= Virtual Imaging Platform - Developer instance
carmin.platform.supported_transfer_protocols=HTTPS
carmin.platform.supported_modules=PROCESSING,DATA
carmin.platform.default_limit_list_execution=500
carmin.platform.unsupported_methods=playExecution
carmin.platform.supported_API_Version=0.3
[email protected]
carmin.platform.error_codes_and_message=
# Authentication stuff
carmin.authentication.apikey.header.name=apikey
carmin.authentication.apikey.generate_new_key_on_each_authentication=false
# DATA stuff
carmin.data.path.download=/path
carmin.data.mime_type.directory=text/directory
carmin.data.mime_type.default=application/octet-stream
carmin.data.download.retry=2
carmin.data.download.timeout=45
carmin.data.max_size=15000000
# Pipeline stuff
carmin.processing.pipelines.whitelist=
# Shanoir exception on API to create account
shanoir.host.ip=127.0.0.1
```
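The vip.conf template above carries default credentials, a `dev` flag and `TOCHANGE` placeholders that only make sense on a local instance. The check below is an added example, not part of the Shanoir or VIP code: it parses a vip.conf and reports which keys still hold such values, without printing the values themselves. The function names (`parse_conf`, `audit`) and the rule list are assumptions derived from the values shown on this page.

```python
# Constructed sample: a few lines copied from the template on this page.
SAMPLE_CONF = """\
dev = True
admin.pass = admin
ssh.publickey = TOCHANGE
moteur.rest.password = pass
truststore.password = changeit
oidc.egi.client_secret=TOCHANGE
#saml.accounttype = TOCHANGE
keycloak.active = True
"""

# Assumption: rule list derived from the template values shown on this page.
WEAK_VALUES = {
    "admin.pass": {"admin"},
    "moteur.rest.password": {"pass"},
    "truststore.password": {"changeit"},
}
DEV_FLAGS = {"dev"}


def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return sorted (key, reason) findings; values are never echoed."""
    findings = []
    for key, value in conf.items():
        if "TOCHANGE" in value:
            findings.append((key, "placeholder not replaced"))
        elif value in WEAK_VALUES.get(key, ()):
            findings.append((key, "template default credential"))
        elif key in DEV_FLAGS and value.lower() == "true":
            findings.append((key, "dev flag set"))
    return sorted(findings)


if __name__ == "__main__":
    for key, reason in audit(parse_conf(SAMPLE_CONF)):
        print(f"{key}: {reason}")
```

To check a real file, pass its contents to `parse_conf`, for example `audit(parse_conf(open("docker-compose/vip/vip.conf").read()))`.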
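entrypoint
```bash
#!/bin/bash
# Wait until the Shanoir nginx certificate is available in the shared volume
until [ -f /usr/share/pki/ca-trust-source/anchors/shanoir-ng-nginx.crt ]; do
    echo "Volume not ready yet..."
    sleep 2
done
# Add the certificate to the system trust store, then boot VIP as the vip user
update-ca-trust
exec su vip -c 'TINI_SUBREAPER=TRUE /usr/bin/tini -- sh -c "./vipdocker.sh boot"'
```
For the docker-compose-vip.yml, first modify the datasets microservice by replacing: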
- VIP_URL_SCHEME
- VIP_URL_HOST
- VIP_CLIENT_SECRET
With:
- VIP_URL_SCHEME=http
- VIP_URL_HOST=vip:8080
- VIP_CLIENT_SECRET=jH6XDA5L5cC2znVaQYrp25A2IIOIaYxM (only if you have one, visible in the keycloak local -> shanoir-ng realms -> clients -> service-account -> credentials -> secret)
Then add "vip:" in the "volumes:" part at the bottom to create a permanent vip volume, then add:
docker-compose-vip.yml
```yaml
  vip:
    container_name: "vip"
    build:
      context: docker-compose
      dockerfile: Dockerfile.vip
      target: vip
    volumes:
      - [path/to/some/work/directories]/VIP/vipvolume/outputs:/vip/storage/outputs
      - [path/to/some/work/directories]/VIP/vipvolume/boutiques:/vip/storage/workflows/SharedData/groups/local/boutiques
      - certificate-share-data:/usr/share/pki/ca-trust-source/anchors:ro
      - vip:/vip # Use the named volume
    stdin_open: true
    tty: true
    networks:
      - shanoir_ng_network
    ports:
      - "8021:8080"
      - "8022:443"
```
To finish, a few things to configure in Keycloak:
- Create a role called 'Service' in keycloak -> shanoir-ng-realms -> realm roles
- Ensure that in keycloak -> shanoir-ng-realms -> clients -> service-account -> Service account roles -> service-account-service-account -> email = [email protected].
- Give the 'Service' role to service-account-service-account by following the path: keycloak -> shanoir-ng-realms -> clients -> service-account -> Service account roles -> service-account-service-account -> role mapping
Now that your VIP container is running, you have to configure it. You can find an additional doc from VIP here.
- Open a bash shell in the VIP container with "docker exec -it vip bash"
- Connect to the VIP DB with "./mariadb/bin/mariadb vip" from /vip.
- Modify the only user present in the VIPUsers table to match your Shanoir information (the mail address must be synchronized). Your initial password is "admin"; feel free to change it.
- Run these commands:
SQL commands
```sql
-- Declare the local Shanoir instance as an external platform
INSERT INTO VIPExternalPlatforms
  (identifier, type, description, url, upload_url, keycloak_client_id, refresh_token_url)
VALUES
  ('local', 'SHANOIR', 'Shanoir local',
   'https://shanoir-ng-nginx/shanoir-ng/datasets/carmin-data/path', 'https://shanoir-ng-nginx/shanoir-ng/import/carmin-data/', 'shanoir-uploader',
   'https://shanoir-ng-nginx/auth/realms/shanoir-ng/protocol/openid-connect/token');
-- Create the VIP user
INSERT INTO VIPUsers
  (email, next_email, pass, first_name, last_name, institution, code, confirmed, folder, session, registration, last_login, level, country_code, max_simulations, termsUse, lastUpdatePublications, failed_authentications, account_locked, apikey)
VALUES
  ('[email protected]', NULL, '21232f297a57a5a743894a0e4a801fc3', 'vip', 'piv', 'inria', '1b72bee1-daae-4667-8651-78a611b2393c', 1, 'vip_piv', '969c7203-61ad-4e07-a73d-1481da86b572', '2026-02-11 13:35:02', '2026-02-11 13:35:02', 'Administrator', 'fr', 1, '2026-02-11 13:35:02', '2026-02-11 13:35:02', 0, 0, NULL);
-- Add the user to the group as Admin
INSERT INTO VIPUsersGroups
  (email, groupname, role)
VALUES
  ('[email protected]','g1','Admin');
```
All you need is a boutique.json file, which describes the pre- and post-operations to perform for a pipeline (input/output management, command to launch, etc.).
Here is a fake one, which does not run any real process but simulates an execution from Shanoir's point of view:
boutique.json
```json
{
  "name": "Fake-SIMS",
  "tool-version": "1",
  "author": "Shanoir",
  "description": "Sleep 30",
  "command-line": "echo '--------------ls -l ../------------' && echo [INPUT] && sleep 30 && cp -r /vip/storage/outputs output_folder && tar -cvzf [OUTPUT_FILE] output_folder",
  "schema-version": "0.5",
  "inputs": [
    {
      "id": "dicom_archive",
      "name": "Dicom Archive",
      "type": "File",
      "description": "Dicom ZIP including json listing",
      "value-key": "[INPUT]"
    }
  ],
  "output-files": [
    {
      "description": "Tarball containing outputs.",
      "id": "outarchive",
      "name": "Output archive",
      "path-template": "tarball_output.tgz",
      "value-key": "[OUTPUT_FILE]"
    }
  ]
}
```
Now, you have to import it into the VIP environment:
- Open the 'File transfer' window (at the bottom)
- Move to a 'relevant' path
- Import the boutique.json
- Open the application importer
Then:
- Use it in the application importer
- Import it
- Once the pipeline is loaded, click on the 'Create application' button at the left of the screen
Finally, you have to allow your user to use it:
- Go back to the home page, and click on the "application" menu at the right of the application importer
- Edit the newly imported pipeline
- Select the group your account is part of
And that's it: you now have access to it from Shanoir!