Docker Stack -- api and db domain name

Hello,

Currently, I am trying to set up lamp.yml file under Deploying the LAMP Platform/LAMP Platform/Docker Stack.

**Docker Stack:** `lamp.yml`

**You MUST replace the following configuration variables in your copy of this file:**

1. `32_BIT_ENCRYPTION_KEY_HERE` See above.
2. `DB_PASSSWORD_HERE` See above.
3. `YOUR_PUSH_KEY_HERE` → **[Please contact us to enable push notifications.](mailto:team@digitalpsych.org)**
4. `api.example.com` Your LAMP Platform API Server domain shared with others to use.
5. `db.example.com` Your internal database management domain.

I am following the instructions in https://docs.lamp.digital to set up mindLamp server on AWS, and I am not sure what the api.example.com and db.example.com would be in our case.

Our host name (DNS) set in Route 53 is:

mindlamp.itpmclean.org

Then would it be simply:

api.mindlamp.itpmclean.org

and

db.mindlamp.itpmclean.org?

Can someone help with this part?

Thank you,
Yoon

Hi Yoon,

This is a very good question (and one I think we have not seen before). Without knowing your exact setup I think you will be fine to use those subdomains. However, if you encounter any bugs or issues, please keep us updated.

Best,
Luke

Hi Luke,

Thank you for the reply!

I am following the instructions exactly as described in the documentation (https://docs.lamp.digital/) with AWS. I was unsure if these domain names (api & db) are specified somewhere (or if there is a separate process where I have to set them somewhere in AWS) or if I just have to come up with them. I will proceed as I suggested above, but please let me know if you know otherwise. Thanks!

Best,
Yoon

Hi Yoon,

That makes sense - if you are following the documentation you should be okay. I think the only thing to make sure of is that you are replacing api.example.com with your new subdomain address wherever it appears in your yaml file, and the same for your db.

Best,
Luke

Hello, I am still having trouble setting up the lamp.yml file (as instructed in: Deploying the LAMP Platform | LAMP Platform). The instructions in this doc do not tell you how to set or retrieve the api and database domain names. I have tried using the hostname, but I failed to pass the test (Testing the LAMP Platform | LAMP Platform). Can someone please help?

Hi Yoon,

I am sorry you are having difficulties setting up the LAMP platform, but thank you for reaching out and making us aware of the issues you are facing. To help us, would you be able to let us know at what testing step you are encountering issues?

Also, I realize that my earlier comment may have been unclear - to clarify, were you able to try using api.mindlamp.itpmclean.org as your api address, replacing api.example.com? If that doesn’t work, you may be able to use api.itpmclean.org instead. Similarly, could you try using db.mindlamp.itpmclean.org (or db.itpmclean.org)?

I hope this helps, but of course please let us know if it does not.

Best,
Luke

Hi Luke,

Thank you for the message.

This is what my `lamp.yml` file looks like. I censored out the password keys.

[ec2-user@mindlamp ~]$ cat lamp.yml
version: '3.7'
services:
  server:
    image: ghcr.io/bidmcdigitalpsychiatry/lamp-server:2021
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:3000 || exit 1
    environment:
      HTTPS: 'off'
      ROOT_KEY: 'xxxxx'
      CDB: 'http://admin:xxxxx@database:5984/'
      PUSH_API_GATEWAY: 'https://app-gateway.lamp.digital/'
      PUSH_API_KEY: 'xxxxx'
      DASHBOARD_URL: 'dashboard.lamp.digital'
      REDIS_HOST: 'redis://cache:6379/0'
      NATS_SERVER: 'message_queue:4222'
    networks:
      - default
      - public
    logging:
      options:
        max-size: "10m"
        max-file: "3"
    deploy:
      mode: replicated
      update_config:
        order: start-first
        failure_action: rollback
      labels:
        traefik.enable: 'true'
        traefik.docker.network: 'public'
        traefik.http.routers.lamp_server.entryPoints: 'websecure'
        traefik.http.routers.lamp_server.rule: 'Host(`api.mindlamp.itpmclean.org`)'
        traefik.http.routers.lamp_server.tls.certresolver: 'default'
        traefik.http.services.lamp_server.loadbalancer.server.port: 3000
      placement:
        constraints:
          - node.role == manager
  database:
    image: apache/couchdb:3.1.1
    healthcheck:
      test: curl --fail --silent http://localhost:5984/_up || exit 1
    environment:
      COUCHDB_USER: 'admin'
      COUCHDB_PASSWORD: 'xxxx'
    volumes:
      - /data/couchdb:/opt/couchdb/data
    networks:
      - public
    deploy:
      mode: replicated
      update_config:
        order: stop-first
        failure_action: rollback
      labels:
        traefik.enable: 'true'
        traefik.http.routers.lamp_database.entryPoints: 'websecure'
        traefik.http.routers.lamp_database.rule: 'Host(`db.mindlamp.itpmclean.org`)'
        traefik.http.routers.lamp_database.tls.certresolver: 'default'
        traefik.http.services.lamp_database.loadbalancer.server.port: 5984
      placement:
        constraints:
          - node.role == manager
  cache:
    image: redis:6.0.8-alpine
    healthcheck:
      test: redis-cli ping
    deploy:
      mode: replicated
      update_config:
        order: stop-first
        failure_action: rollback
      placement:
        constraints:
          - node.role == manager
  message_queue:
    image: nats:2.1.9-alpine3.12
    healthcheck:
      test: wget --no-verbose --tries=1 --spider http://localhost:8222/varz || exit 1
    deploy:
      mode: replicated
      update_config:
        order: start-first
        failure_action: rollback
      placement:
        constraints:
          - node.role == manager
networks:
  public:
    external: true

then I ran (as instructed in https://docs.lamp.digital/deploy/deploying):

[ec2-user@mindlamp ~]$ docker stack deploy --compose-file lamp.yml lamp
Updating service lamp_database (id: 1ivnxbhrsntdf8vezmlpvpeqg)
Updating service lamp_cache (id: 9dmdqnrkph3tr6gr52m5564ce)
Updating service lamp_message_queue (id: kixmrlky41hakqc98a281npgm)
Updating service lamp_server (id: sukigeu0ic7lyx59on5xrzjir)

Next, to test this, I tried (Testing the LAMP Platform | LAMP Platform)

# passcode censored
[ec2-user@mindlamp ~]$ curl -k https://admin:xxxxx@db.mindlamp.itpmclean.org/
curl: (6) Could not resolve host: db.mindlamp.itpmclean.org

[ec2-user@mindlamp ~]$ curl -k https://api.mindlamp.itpmclean.org/
curl: (6) Could not resolve host: api.mindlamp.itpmclean.org

I tried the subdomain name pairs below by replacing api.example.com and db.example.com accordingly, as you suggested, but none of them seem to work.

`api.mindlamp.itpmclean.org`
`api.itpmclean.org`
`db.mindlamp.itpmclean.org`
`db.itpmclean.org`

What is puzzling to me is that I did not set these db and api domain names in AWS prior to running the lamp.yml file, as they are not instructed in the documentation. The only domain name I set in AWS Route 53 is the hostname, which is described in the documentation. So I am wondering if I have to set api and db domain names somewhere in AWS prior to setting up the lamp.yml file. If so, I need some guidance on how to do that.

To provide you with more information regarding setting the DNS name in AWS Route 53:

[ec2-user@mindlamp ~]$ hostnamectl
   Static hostname: mindlamp.itpmclean.org

Screenshot of my AWS Route 53 DNS host page.

I hope I am describing the problem clearly. Thank you Luke for looking into this!

Best,
Yoon

Hi Yoon,

Thank you for your clear descriptions and screenshots - these will be very helpful as we work on getting you set up. I think I have a better idea of (at least one of) the problems you are facing, and it is exactly what you pointed out yourself. Under normal conditions, when you set up routing in AWS per the lamp documentation, you would add an extra rule routing traffic going to *.itpmclean.org (in your case) to your ec2 node - this would direct all incoming traffic that ended in itpmclean.org to your node (* is a wildcard). You can see this in step 2 on this page: Deploying the LAMP Platform | LAMP Platform.

In this case, however, you are using other subdomains, like studies.itpmclean.org, so we’ll avoid doing that - but this means that the incoming traffic is not being rerouted correctly. You could get around this in a simple manner by provisioning another domain name, but I don’t think that will be necessary here.

To start, can you please add routing for api.mindlamp.itpmclean.org or api.itpmclean.org (whichever you are using in your LAMP yaml) to your Route 53 records? The value/traffic target should be the same ec2 instance you are using for mindlamp.itpmclean.org. Then do the same for your db domain.

Once you’ve done that, please verify your docker containers are still running if possible, then try the testing steps again. Hopefully this should, at the least, let you get farther in the testing process. Of course, if it does not, please let me know and we can keep working on this.

Best,

Luke

Hi Luke,

I didn’t realize I had to define the routing with the wildcard (*) - I missed that detail. Thank you for catching that.

I followed along your suggestion and added routing for api.mindlamp.itpmclean.org and db.mindlamp.itpmclean.org in our Route 53 records and set the target with our Public IPv4 DNS, which is the same for mindlamp.itpmclean.org.

So I ran the test again on my own terminal and now I am getting a different error message.

yochung@YC-MBPro$ curl -k https://api.mindlamp.itpmclean.org/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.mindlamp.itpmclean.org:443 

This is what you see if I add the verbose flag.

yochung@YC-MBPro:$ curl -k https://api.mindlamp.itpmclean.org/ -v
*   Trying 18.191.199.106:443...
* TCP_NODELAY set
* Connected to api.mindlamp.itpmclean.org (18.191.199.106) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /opt/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.mindlamp.itpmclean.org:443 
* Closing connection 0

I get the same error message for `db.mindlamp.itpmclean.org`.

The screenshot below is the description of our security group. As instructed, HTTPS: TCP 443 is set to anywhere.

Do you know what kind of response I should be getting to see if this is working?

Another detail is that I didn’t set up the Cloud Mesh Router (traefik.yml) because the documentation says this step is optional.

Best,
Yoon

Hi Yoon,

Well, the good news is that the error changing means we have made progress!

This error (I believe) shouldn’t be due to LAMP itself - it looks like you are able to connect to LAMP. Instead, this appears to be some sort of security issue. Unfortunately, there are a few reasons you could be encountering this error, and it is difficult to determine which one you are facing. One that seems possible given your circumstances is a firewall or other network interference. The easiest way to confirm this would be to try the curl command again from another machine, such as a personal computer not connected to (for example) hospital wifi, but instead to your home wifi.

I will continue looking for other options, but please let me know if you have any success trying this.

Best,
Luke

Hi Luke,

I didn’t have any luck when I tried to curl using my home wifi. I get the same message as before.

yochung@YC-MBPro:$ curl -k https://api.mindlamp.itpmclean.org/ -v
*   Trying 18.191.199.106:443...
* TCP_NODELAY set
* Connection failed
* connect to 18.191.199.106 port 443 failed: Operation timed out
* Failed to connect to api.mindlamp.itpmclean.org port 443: Operation timed out
* Closing connection 0

Perhaps the docker container is not working? Do you know how to check? I don’t know how to check the status other than with these two commands from the EC2 instance we have:

[ec2-user@mindlamp ~]$  docker node ls
ID                            HOSTNAME                 STATUS    AVAILABILITY   MANAGER STATUS   ENGINE VERSION
nrwc5viiydmdhenvh8h6ongsx *   mindlamp.itpmclean.org   Ready     Active         Leader           20.10.7
[ec2-user@mindlamp ~]$ docker service ls
ID             NAME                  MODE         REPLICAS   IMAGE                                             PORTS
9dmdqnrkph3t   lamp_cache            replicated   1/1        redis:6.0.8-alpine                                
1ivnxbhrsntd   lamp_database         replicated   1/1        apache/couchdb:3.1.1                              
kixmrlky41ha   lamp_message_queue    replicated   1/1        nats:2.1.9-alpine3.12                             
sukigeu0ic7l   lamp_server           replicated   1/1        ghcr.io/bidmcdigitalpsychiatry/lamp-server:2021   
p3owvr8ouv0v   portainer_agent       global       1/1        portainer/agent:latest                            
ye38w8kuhx0o   portainer_portainer   replicated   1/1        portainer/portainer-ce:latest                     *:8000->8000/tcp, *:9000->9000/tcp
y17m8u1ev5xk   router_traefik        replicated   1/1        traefik:latest                                    *:80->80/tcp, *:443->443/tcp

Do you have some suggestions on where to check next?

Best,
Yoon

Hi Luke,

With the help of an AWS Solutions Architect, we went through the mindlamp doc together and tried configuring the security group settings slightly differently.

We set the source for TCP port 80 and 443 to ::/0

We also attached an Elastic IP and assigned it in the Route 53 records, and now we see a different output than before when we performed a curl test (see below). Is this an output you expect?

yochung@yc-mbpro:$ curl -k https://admin:<redacted>@db.mindlamp.itpmclean.org/ -v
* Trying 3.140.157.30:443...
* TCP_NODELAY set
* Connected to db.mindlamp.itpmclean.org (3.140.157.30) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /opt/anaconda3/ssl/cacert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to db.mindlamp.itpmclean.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to db.mindlamp.itpmclean.org:443
yochung@yc-mbpro:$ curl -k https://api.mindlamp.itpmclean.org/ -v
* Trying 18.191.199.106:443...
* TCP_NODELAY set
* Connected to api.mindlamp.itpmclean.org (18.191.199.106) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /opt/anaconda3/ssl/cacert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):

I went ahead and tried the next step, "Generate your server administrator password", but ran into this error.

yochung@YC-MBPro:$ curl -k https://api.mindlamp.itpmclean.org/researcher -H 'Authorization: Basic admin:admin' -v
* Trying 3.140.157.30:443...
* TCP_NODELAY set
* Connected to api.mindlamp.itpmclean.org (3.140.157.30) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /opt/anaconda3/ssl/cacert.pem
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.mindlamp.itpmclean.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.mindlamp.itpmclean.org:443

Any idea what kind of problems we are running into? Would it be easier, with less room for error, to deploy via CloudFormation instead (Deploying via CloudFormation | LAMP Platform)?

Thank you,
Yoon

@yochung I suspect that Traefik may not be configured correctly. Can you share your Traefik configuration? You should not expose the LAMP-server directly to the outside world, and Traefik is supposed to manage the SSL certificate process automatically.
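The thread above walks through three distinct failures that curl reports almost identically: a name that does not resolve (curl exit 6), a port that never answers (connection timed out), and a TLS handshake that the server aborts (SSL_ERROR_SYSCALL, curl exit 35). The script below is an added example, not code from the LAMP project or from anyone in this thread. It assumes the hostnames live in Traefik Host() router labels the way lamp.yml above does, and that it runs on a Linux host (such as the EC2 node) with getent, openssl, timeout and curl available; the function and file names are mine. It checks each layer in order and stops at the first failing one, so each error maps to the thing to fix: the Route 53 record, the security group or Elastic IP, or the Traefik TLS entrypoint and certresolver. It also reports who issued the served certificate, which `curl -k` hides, so you can tell whether Traefik has obtained a real certificate or is still serving its self-signed fallback.

```shell
#!/bin/sh
# Added diagnostic helper for a Traefik/Swarm deployment like the lamp.yml above.
# Not part of the LAMP project. Stages, in the order the thread hit them:
#   DNS (curl 6) -> TCP (timed out) -> TLS handshake (curl 35) -> HTTP request.

# Pull every hostname out of the Traefik Host(`...`) router labels in a stack file.
stack_hosts() {
  sed -n 's/.*Host(`\([^`]*\)`).*/\1/p' "$1" | sort -u
}

# Translate a curl exit code into the layer that failed ("tag: what to check").
# The codes are curl's documented exit codes.
curl_stage() {
  case "$1" in
    0)    echo "ok: HTTPS request succeeded" ;;
    6)    echo "dns: name does not resolve; add the A record (or a wildcard) in Route 53" ;;
    7|28) echo "tcp: port unreachable; check security group, Elastic IP and published port" ;;
    35)   echo "tls: handshake aborted; the TLS terminator (Traefik) is not serving this host" ;;
    60)   echo "cert: served certificate is not trusted; the ACME certresolver has not issued yet" ;;
    *)    echo "other: curl exit code $1" ;;
  esac
}

# Probe one hostname through all stages; returns non-zero at the first failure.
lamp_probe() {
  host="$1"; port="${2:-443}"
  printf '== %s:%s\n' "$host" "$port"

  # 1. DNS: the first error in the thread (curl exit 6).
  addrs=$(getent ahosts "$host" 2>/dev/null | awk '{print $1}' | sort -u | tr '\n' ' ')
  if [ -z "$addrs" ]; then
    echo "FAIL dns: $host has no address record"; return 1
  fi
  echo "ok   dns: $host -> $addrs"

  # 2+3. TCP and TLS: s_client prints CONNECTED once the socket is open, then the
  # handshake result. A handshake that never completes is what curl shows as
  # SSL_ERROR_SYSCALL. timeout keeps a silently dropped SYN from hanging the probe.
  out=$(timeout 15 openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1)
  if ! printf '%s\n' "$out" | grep -q '^CONNECTED'; then
    echo "FAIL tcp: cannot open $host:$port (security group, firewall, or nothing listening)"; return 1
  fi
  echo "ok   tcp: socket opened"
  if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo "FAIL tls: handshake did not complete; is Traefik listening on :$port with a Host rule for $host?"; return 1
  fi
  issuer=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
  echo "ok   tls: handshake completed, issuer: ${issuer:-unknown}"
  case "$out" in
    *"TRAEFIK DEFAULT CERT"*)
      echo "WARN cert: Traefik served its self-signed fallback; the ACME certresolver has not issued for $host" ;;
  esac

  # 4. HTTP: the request the documentation's curl test actually makes (no -k, so an
  # untrusted certificate surfaces as exit 60 instead of being hidden).
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 "https://$host/"); rc=$?
  echo "http: status ${code:-000} ($(curl_stage "$rc"))"
  [ "$rc" -eq 0 ]
}

# Usage: sh lamp_probe.sh lamp.yml   (probes every Host() found in the stack file)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
  for h in $(stack_hosts "$1"); do lamp_probe "$h"; done
fi

# With no arguments, show the label parser on a constructed two-line sample (no network).
if [ -z "${1:-}" ]; then
  sample=$(mktemp)
  printf '%s\n' "  traefik.http.routers.lamp_server.rule: 'Host(\`api.example.com\`)'" \
                "  traefik.http.routers.lamp_database.rule: 'Host(\`db.example.com\`)'" > "$sample"
  echo "hosts found in constructed sample: $(stack_hosts "$sample" | tr '\n' ' ')"
  rm -f "$sample"
fi
```

Run it once on the EC2 node and once from a laptop on a different network: if DNS and TCP pass on the node but TCP fails from outside, the problem is the security group or the address in Route 53; if both reach the TLS stage and fail there, the router_traefik service is answering on 443 but not completing a handshake for that Host rule, which is the configuration the last reply asks about.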