
Kubernetes

To deploy Seer Box as a distributed application on Kubernetes, a set of Pods and Services must be defined, together with the volumes the system needs for data persistence. Passwords and other tokens should be stored as Secrets rather than written into the manifests. The specifications below describe a minimal configuration for each required component.

Required third-party components

Seer Box requires a PostgreSQL database and a RabbitMQ broker to be reachable at startup.

PostgreSQL

sbx-postgresql.yml
# -------------------
# PostgreSQL Database
# -------------------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-postgresql
  labels:
    app: sbx-postgresql
spec:
  restartPolicy: Always
  containers:
    # -- PostgreSQL --
    - name: postgresql
      image: "docker.io/postgres:15"
      imagePullPolicy: IfNotPresent
      ports:
        - containerPort: 5432
          protocol: TCP
          name: psql-pod
      volumeMounts:
        - name: postgresql-db
          mountPath: /var/lib/postgresql/data/
      securityContext:
        seLinuxOptions:
          type: container_runtime_t
      env:
        - name: POSTGRES_DB
          value: "seer_box"
        - name: POSTGRES_USER
          value: "seer_box"
        - name: POSTGRES_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-database-password
              key: password
  # The backing storage is left to the deployer: the postgresql-db volume mounted
  # above must be declared here, or the Pod is rejected at admission. The claim
  # name below is a placeholder to replace with a persistent volume of your own.
  volumes:
    - name: postgresql-db
      persistentVolumeClaim:
        claimName: {POSTGRESQL_PVC}
---
apiVersion: v1
kind: Service
metadata:
  name: sbx-postgresql
spec:
  selector:
    app: sbx-postgresql
  clusterIP: None
  ports:
    - name: psql-svc
      port: 5432
      protocol: TCP
      targetPort: psql-pod

RabbitMQ

sbx-rabbitmq.yml
# -----------------------
# RabbitMQ message broker
# -----------------------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-rabbitmq
  labels:
    app: sbx-rabbitmq
spec:
  restartPolicy: Always
  containers:
    # -- RabbitMQ --
    - name: rabbitmq
      image: "docker.io/rabbitmq:3"
      imagePullPolicy: IfNotPresent
      ports:
        # AMQP port
        - containerPort: 5672
          protocol: TCP
          name: amqp-std-pod
        # TLS-encrypted AMQP port (not published by the Service below)
        - containerPort: 5671
          protocol: TCP
          name: amqp-tls-pod
      env:
        - name: RABBITMQ_DEFAULT_USER
          value: "seer_box"
        - name: RABBITMQ_DEFAULT_PASS
          valueFrom:
            secretKeyRef:
              name: sbx-queue-password
              key: password
---
apiVersion: v1
kind: Service
metadata:
  name: sbx-rabbitmq
spec:
  selector:
    app: sbx-rabbitmq
  clusterIP: None
  ports:
    - name: amqp-std
      port: 5672
      protocol: TCP
      targetPort: amqp-std-pod

Seer Box

Deployment Notes

Info: Each Seer Box Engine and Seer Box Sentinel instance requires the user to accept the End User License Agreement described in this documentation. To accept its terms, the SBX_ACCEPT_EULA environment variable must be set explicitly to YES; the sample pod definitions below ship with NO so that acceptance is a deliberate step.

System Integrity

To preserve the integrity of the deployment, keep the following properties of the specifications below:

  • Refer to each image by its full SHA-256 digest rather than by tag, using the digests recorded for the officially released images at quay.io/pluribus_one, and replace the {HASH} placeholder in the pod definitions below accordingly. A tag can be moved to different content at any time, while a digest identifies one immutable image and the pull fails if the content does not match it;

  • Mount file systems read-only where possible, keeping the readOnlyRootFilesystem option set to true.

Together these ensure that the image running in production is byte-for-byte the one that was released and that its root file system cannot be modified at run time.

Volumes

The sbx-opt volume mounted by the Engine, Sentinel and Reporter pods must be readable and writable by all three containers and must refer to the same storage. The sample definitions leave the backing storage to the deployer: in each of the three pods the volumes entry for sbx-opt must point at the same persistent storage (for example one PersistentVolumeClaim), and if the pods can be scheduled on different nodes the underlying volume must support the ReadWriteMany access mode.

Secrets

The following Secrets must be created before the pods are started, each holding a single key named password; a container whose environment references a Secret that does not exist is not started:

  • sbx-database-password
  • sbx-queue-password
  • sbx-internal-auth-key
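
One way to create the three Secrets, as an added example that is not part of the Seer Box documentation: each Secret carries the single password key the manifests reference, and the values are 256-bit random strings drawn from /dev/urandom. The Secret names are the ones listed above; the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate the Seer Box Secrets with random passwords.
#   gen_password                -> 64 hex characters (32 random bytes)
#   secret_manifest NAME VALUE  -> prints a v1 Secret whose data.password is base64(VALUE)
#   sbx_secrets_manifest        -> prints all three Secrets, separated by "---"

gen_password() {
  # Hex output avoids any shell-quoting surprises in the generated value.
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

secret_manifest() {
  # "base64 -w0" is GNU-only, so strip the line wrapping portably instead.
  enc=$(printf '%s' "$2" | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  password: %s\n---\n' "$1" "$enc"
}

sbx_secrets_manifest() {
  for name in sbx-database-password sbx-queue-password sbx-internal-auth-key; do
    secret_manifest "$name" "$(gen_password)"
  done
}

# Usage (pipe straight to the API server so the plaintext never lands in a file):
#   sbx_secrets_manifest | kubectl apply -f -
```

Piping the output into kubectl apply -f - keeps the passwords out of files and shell history. A Secret's data is only base64-encoded, not encrypted: anyone allowed to get Secrets in the namespace can read these values, so restrict that RBAC verb and enable encryption at rest for Secrets in etcd.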

Once these requirements are ready, Seer Box pods can be created using the following sample definitions.

Engine

sbx-engine.yml
# --------------
# Seer Box Engine
# --------------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-engine
  labels:
    app: sbx-engine
spec:
  restartPolicy: Always
  containers:
    # -- SeerBox Engine --
    - name: engine
      image: quay.io/pluribus_one/seer_box_engine@sha256:{HASH}
      imagePullPolicy: IfNotPresent
      ports:
        # UDP traffic source
        - containerPort: 20050
          protocol: UDP
          name: engine-udp-pod
        # TCP traffic source
        - containerPort: 20050
          protocol: TCP
          name: engine-tcp-pod
        # Internal API port
        - containerPort: 4000
          protocol: TCP
          name: engine-api-pod
      volumeMounts:
        - name: sbx-opt
          readOnly: false
          mountPath: /opt/seer_box/
      securityContext:
        runAsGroup: 53380
        runAsUser: 53380
        seLinuxOptions:
          type: container_runtime_t
        readOnlyRootFilesystem: true
      env:
        # Must be set to "YES" to accept the EULA (see Deployment Notes)
        - name: SBX_ACCEPT_EULA
          value: "NO"
        - name: SBX_INTERNAL_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: sbx-internal-auth-key
              key: password
        - name: SBX_DATABASE_HOSTNAME
          value: "sbx-postgresql"
        - name: SBX_QUEUE_HOSTNAME
          value: "sbx-rabbitmq"
        - name: SBX_SERVER_WEB_URL_HOST
          value: "localhost"
        - name: SBX_DATABASE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-database-password
              key: password
        - name: SBX_QUEUE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-queue-password
              key: password
  # Shared read-write storage (see "Volumes"): the Sentinel and Reporter pods
  # must mount the same storage. The claim name is a placeholder to replace.
  volumes:
    - name: sbx-opt
      persistentVolumeClaim:
        claimName: {SBX_OPT_PVC}
---
apiVersion: v1
kind: Service
metadata:
  name: sbx-engine
spec:
  selector:
    app: sbx-engine
  type: NodePort
  ports:
    # UDP traffic source
    - port: 20050
      nodePort: 30050
      protocol: UDP
      name: engine-udp-svc
      targetPort: engine-udp-pod
    # TCP traffic source
    - port: 20050
      nodePort: 30050
      protocol: TCP
      name: engine-tcp-svc
      targetPort: engine-tcp-pod
    # Internal API port. On a NodePort Service every listed port, this one
    # included, is also published on a node port (allocated at random when not
    # set); restrict it with a NetworkPolicy or move it to a separate ClusterIP
    # Service if it must stay cluster-internal.
    - port: 4000
      protocol: TCP
      name: engine-api-svc
      targetPort: engine-api-pod

Sentinel

sbx-sentinel.yml
# ----------------
# SeerBox Sentinel
# ----------------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-sentinel
  labels:
    app: sbx-sentinel
spec:
  restartPolicy: Always
  containers:
    # -- SeerBox Sentinel --
    - name: sentinel
      image: quay.io/pluribus_one/seer_box_sentinel@sha256:{HASH}
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: sbx-opt
          readOnly: false
          mountPath: /opt/seer_box/
      securityContext:
        runAsGroup: 53380
        runAsUser: 53380
        seLinuxOptions:
          type: container_runtime_t
        readOnlyRootFilesystem: true
      # hostPort binds 2050 directly on the node running the Pod, so at most
      # one Sentinel can be scheduled per node
      ports:
        - containerPort: 2050
          hostPort: 2050
          protocol: UDP
          name: snt-udp-pod
        - containerPort: 2050
          hostPort: 2050
          protocol: TCP
          name: snt-tcp-pod
      env:
        # Must be set to "YES" to accept the EULA (see Deployment Notes)
        - name: SBX_ACCEPT_EULA
          value: "NO"
        - name: SBX_NAME
          value: "SeerBox_Sentinel"
        - name: SBX_LISTEN_ADDRESS
          value: "0.0.0.0"
        - name: SBX_PROTOCOL
          value: "UDP"
        - name: SBX_INPUT_FORMAT
          value: "ncsa_extended_log"
        # Cluster DNS name of the sbx-engine Service; adjust the namespace if
        # Seer Box is not deployed in "default"
        - name: SBX_ENGINE_HOST
          value: "sbx-engine.default.svc.cluster.local"
        - name: SBX_INTERNAL_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: sbx-internal-auth-key
              key: password
        - name: SBX_TRAFFIC_COLLECTOR_HOST
          value: "sbx-rabbitmq"
        - name: SBX_TRAFFIC_COLLECTOR_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-queue-password
              key: password
  # Shared read-write storage (see "Volumes"): must be the same storage the
  # Engine and Reporter pods mount. The claim name is a placeholder to replace.
  volumes:
    - name: sbx-opt
      persistentVolumeClaim:
        claimName: {SBX_OPT_PVC}
---
apiVersion: v1
kind: Service
metadata:
  name: sbx-sentinel
spec:
  selector:
    app: sbx-sentinel
  clusterIP: None
  ports:
    # UDP traffic source
    - port: 2050
      protocol: UDP
      name: snt-udp-svc
      targetPort: snt-udp-pod
    # TCP traffic source
    - port: 2050
      protocol: TCP
      name: snt-tcp-svc
      targetPort: snt-tcp-pod

GUI

sbx-gui.yml
# -----------
# SeerBox GUI
# -----------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-gui
  labels:
    app: sbx-gui
spec:
  restartPolicy: Always
  containers:
    # -- SeerBox GUI --
    - name: gui
      image: quay.io/pluribus_one/seer_box_gui@sha256:{HASH}
      imagePullPolicy: IfNotPresent
      ports:
        # HTTP server
        - containerPort: 80
          protocol: TCP
          name: gui-http-pod
      # With a read-only root file system nginx still needs writable paths for
      # its vhost configuration, cache and runtime (PID/socket) files; the
      # emptyDir volumes below provide them
      volumeMounts:
        - name: vhosts
          mountPath: /etc/nginx/conf.d/
        - name: nginx-cache
          mountPath: /var/cache/nginx/
        - name: sys-run
          mountPath: /run/
      securityContext:
        seLinuxOptions:
          type: container_runtime_t
        readOnlyRootFilesystem: true
      env:
        # IP of the cluster DNS Service (kube-dns/CoreDNS); 10.96.0.10 is the
        # usual default, verify with: kubectl -n kube-system get svc kube-dns
        - name: SBX_DNS_RESOLVER
          value: "10.96.0.10"
        # Cluster DNS name of the sbx-engine Service; adjust the namespace if
        # Seer Box is not deployed in "default"
        - name: SBX_API_HOST
          value: "sbx-engine.default.svc.cluster.local"
        - name: SBX_API_PORT
          value: "4000"
  volumes:
    - name: vhosts
      emptyDir: {}
    - name: nginx-cache
      emptyDir: {}
    - name: sys-run
      emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: sbx-gui
spec:
  type: NodePort
  selector:
    app: sbx-gui
  ports:
    # HTTP server, published on node port 30035 (see System Initialization)
    - port: 53380
      nodePort: 30035
      protocol: TCP
      name: gui-http-svc
      targetPort: gui-http-pod

Reporter

sbx-reporter.yml
# ----------------
# SeerBox Reporter
# ----------------
apiVersion: v1
kind: Pod
metadata:
  name: sbx-reporter
  labels:
    app: sbx-reporter
spec:
  restartPolicy: Always
  containers:
    # -- SeerBox Reporter --
    - name: reporter
      image: quay.io/pluribus_one/seer_box_reporter@sha256:{HASH}
      imagePullPolicy: IfNotPresent
      volumeMounts:
        - name: sbx-opt
          readOnly: false
          mountPath: /opt/seer_box/
        # Scratch paths the reporter writes to while the root file system is read-only
        - name: cache
          mountPath: /home/seer-box/.cache/
        - name: pki
          mountPath: /home/seer-box/.pki/
        - name: locales
          mountPath: /home/seer-box/.config/kaleido/bin/locales/
        - name: tmp
          mountPath: /tmp/
      securityContext:
        runAsGroup: 53380
        runAsUser: 53380
        seLinuxOptions:
          type: container_runtime_t
        readOnlyRootFilesystem: true
      env:
        - name: SBX_DATABASE_HOSTNAME
          value: "sbx-postgresql"
        - name: SBX_QUEUE_HOSTNAME
          value: "sbx-rabbitmq"
        - name: SBX_DATABASE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-database-password
              key: password
        - name: SBX_QUEUE_PASSWORD
          valueFrom:
            secretKeyRef:
              name: sbx-queue-password
              key: password
  volumes:
    # Shared read-write storage (see "Volumes"): must be the same storage the
    # Engine and Sentinel pods mount. The claim name is a placeholder to replace.
    - name: sbx-opt
      persistentVolumeClaim:
        claimName: {SBX_OPT_PVC}
    - name: cache
      emptyDir: {}
    - name: pki
      emptyDir: {}
    - name: locales
      emptyDir: {}
    - name: tmp
      emptyDir: {}

System Initialization

Once the services have finished starting up, the graphical user interface is served over plain HTTP by the sbx-gui Service on the node port selected in its definition (30035 in the sample above).

Info: Expose the web interface only behind a reverse proxy that terminates TLS and, where possible, restrict access to a limited set of source IP addresses. In any case it must be treated as an internal service and never be exposed publicly.

The default credentials for the administration user are:

  • Username: admin
  • Password: SeerBox_4dm1n

Info: Change the default password immediately after the first login.

License

Following the first login, the user interface will ask for the License Key provided by Pluribus One in order to activate the software.

You can request a free license at the following link: https://license.seerbox.it