Deploy QPR ProcessAnalyzer from Container: Difference between revisions

For deploying to a container platform, QPR ProcessAnalyzer is available as a container image having QPR ProcessAnalyzer Server for linux-x64 platform. The entire container volume doesn't need to be persistent but it's enough to map specific files to the container volume (explained below).

Container image content

In addition to the QPR ProcessAnalyzer Server, the following components are included in the container image:

• ODBC driver for SQL Server
• ODBC driver for Snowflake

Note that the SAP libraries for extracting data from SAP are not included.

The container does not require any superuser permissions and it runs under the user account pa.

Container parametrization

Application settings

The following configuration files are provider to the container using mapped volumes:

• appsettings.json should be mapped in the container volume to a file /pa/appsettings.json
• log4net.config should be mapped in the container volume to a file /pa/log4net.config

Instead of mapping the entire file, environment variables can be used to define the settings in the appsettings.json file. If both methods are applied, the environment variables override values set in appsettings.json file.

When using environment variables, the variable names for the hierarchical keys in the appsettings.json file are defined using the double underscore as separator, e.g., the LogFilePath setting in the Application section is defined as Application__LogFilePath (see a full example below in the examples section).

It's also possible to override settings in the PA_CONFIGURATION table using the environment variables. Setting names in the PA_CONFIGURATION table are converted into environment variable name using the snake case (underscores between words) in uppercase prefixed with QPRPA_, e.g., the SqlServerConnectionString setting is defined as QPRPA_SQL_SERVER_CONNECTION_STRING.

Database for configuration data

The connection string to the configuration database is a mandatory setting to start up QPR ProcessAnalyzer. See information about databases used by QPR ProcessAnalyzer.

• Database can be initialized using the initializedb.sql script provided in the installation package (instructions).
• Migrating the configuration database will be done automatically during the container startup. The migration is done if the QPR ProcessAnalyzer version uses a newer database schema than the current database.
• By default, the container image has the option CreateDatabase enabled, so it will attempt to initialize the database if it's not done.

Notes:

• Container image supports only the SQL Server authentication mode.
• To automatically update an existing database user must have the db_owner permissions to the database.
• To automatically create the configuration database, the user must have the dbcreator server role.

Snowflake user private key

For QPR ProcessAnalyzer to authenticate to Snowflake using the key-pair authentication (https://docs.snowflake.com/en/user-guide/key-pair-auth), the private key file needs to be mapped to the container volume. The mapping can be done for example using a Kubernetes secret. The location of the private key file needs to be speficied in the PRIV_KEY_FILE parameter in the Snowflake connection string.

Log writing

QPR ProcessAnalyzer Server writes log which can be stored to following targets:

• Store the log to a file in the container volume. The file can be mapped to any external storage system (see examples below).
• Write to stdout and stderr streams that can be listened to store the logs.
• Push logs to an OpenTelemetry endpoint.

Key storage for session cookies encryption

To make it possible to reuse session cookies after container restart, the session cookies encryption key must be saved in an external storage. The external storage should be mapped to /home/pa/.aspnet/DataProtection-Keys directory in the container.

CA certificates

CA certificates can be mapped to the directory /usr/local/share/ca-certificates (containing *.crt files in the PEM format). This default path can be changed by assigning value for the environment variable SSL_CERT_DIR.

HTTPS connection to UI

HTTPS connections can be terminated before the container (e.g., in a load-balancer). Alternatively, the container image supports passing HTTPS traffic to the container. Then, the certificate and key files need to be provided to the container via volume.

Following environment variables must be set to configure HTTPS:

• HTTPS_PORT: Port for listening for HTTPS connections.
• Kestrel_Certificates_Default_Path: Path to the .pem, .crt or .pfx file.
• Kestrel_Certificates_Default_Password: Passphrase for the certificate key.
• Kestrel_Certificates_Default_KeyPath: Path to .key file if Kestrel_Certificates_Default_Path contains path to .pem or .crt file.

Running in Docker

This section provides example commands to run the QPR ProcessAnalyzer container in Docker.

Minimal configuration where only the SQL Server database in the PA_CONFIGURATION table must be configured:

docker run -d -p 5000:5000 --restart unless-stopped \
  -e Application__SqlDatabaseConnectionString="Server=dbserver.host;DataBase=QPR_PA;Uid=user;PWD=password" \
  azure-repo/pa/server

This example additionally overrides the DefaultDataSource and SqlServerConnectionString settings in the PA_CONFIGURATION table, and provides a volume for storing logs:

docker run -d -p 5000:5000 --restart unless-stopped \
  -e Application__SqlDatabaseConnectionString="Server=dbserver.host;DataBase=QPR_PA;Uid=user;PWD=password" \
  -e QPRPA_DEFAULT_DATA_SOURCE=SqlServer \
  -e QPRPA_SQL_SERVER_CONNECTION_STRING="Server=dbserver.host;DataBase=QPR_PA_DATA;Uid=user;PWD=password" \
  -e Application__LogFilePath=/tmp/logs/pa/pa-server.log \
  -v /pa-logs:/tmp/logs/pa \
  azure-repo/pa/server

Provide the entire configuration in the appsettings.json by mapping is from an external file:

docker run -d -p 5000:5000 --restart unless-stopped \
  -v /pa/config/appsettings.json:/pa/appsettings.json \
  -v /pa/logs:/tmp/logs/pa \
  azure-repo/pa/server

This example maps the Snowflake private key to the container volume:

docker run -d -p 5000:5000 --restart unless-stopped \
  -e Application__SqlDatabaseConnectionString="Server=dbserver.host;DataBase=QPR_PA;Uid=user;PWD=password" \
  -e QPRPA_DEFAULT_DATA_SOURCE=SqlServer \
  -e QPRPA_SNOWFLAKE_CONNECTION_STRING="Driver={SnowflakeDSIIDriver};***;PRIV_KEY_FILE=/run/secrets/snowflake_private_key" \
  -v /private.key:/run/secrets/snowflake_private_key \
  azure-repo/pa/server

Running in Kubernetes

This section provides example Kubernetes configurations to run QPR ProcessAnalyzer container in Kubernetes.

UI endpoint:

apiVersion: v1
kind: Service
metadata:
  name: qprpa-server
  labels:
    app: qprpa-server
spec:
  type: ClusterIP
  ports:
    - port: 5000
      targetPort: qprpa-server-port
  selector:
    app: qprpa-server

The following example is the server deployment. Connection strings are provided via a secret containing following variables:

• Application__SqlDatabaseConnectionString="Server=dbserver.host;DataBase=QPR_PA;Uid=user;PWD=password"
• QPRPA_SQL_SERVER_CONNECTION_STRING="Server=dbserver.host;DataBase=QPR_PA_DATA;Uid=user;PWD=password"

apiVersion: apps/v1
kind: Deployment
metadata:
  name: qprpa-server
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: qprpa-server
  template:
    metadata:
      labels:
        app: qprpa-server
    spec:
      containers:
      - name: qprpa-server
        image: "azure-repo/pa/server"
        imagePullPolicy: "Always"
        ports:
        - containerPort: 5000
          name: qprpa-server-port
        envFrom:
        - secretRef:
            name: pa-secrets
        env:
        - name: QPRPA_DEFAULT_DATA_SOURCE
          value: "SqlServer"
        resources:
          requests:
            memory: "2Gi"
            cpu: "500m"
          limits:
            memory: "8Gi"
            cpu: "8000m"