- Create a THREDDS AWS Nexrad VM on Jetstream
- Create a THREDDS VM on Jetstream
- Clone the science-gateway Repository
- Build the AWS Nexrad TDS Docker Container
- Start TDS With Docker and docker-compose
- TDS Configuration
- TDS log Directories
- SSL Certificate
- Ports 80, 443 and 8443
- docker-compose.yml
- Start the TDS
- Navigate to the TDS
- Blocking IPs That Are Filling up the Cache
Create an m1.large
VM with the Jetstream OpenStack API. Work with Unidata system administrator staff to have this VM's IP address resolve to tds-nexrad.scigw.unidata.ucar.edu
We will be making heavy use of the Unidata/science-gateway
git repository.
git clone https://github.com/Unidata/science-gateway ~/science-gateway
From the ~/science-gateway/vms/thredds-aws
directory:
docker build -t unidata/thredds-docker:<5-version> .
With the help of Docker and docker-compose
, starting a VM with the TDS should be fairly easy. There are a few directories you will need to map from outside to within the container. See here to install Docker and docker-compose.
mkdir -p ~/tdsconfig/
wget http://unidata-tds.s3.amazonaws.com/tdsConfig/awsL2/config.zip -O ~/tdsconfig/config.zip
unzip ~/tdsconfig/config.zip -d ~/tdsconfig/
In order to not have the TDS fill up with data, the cache has to be periodically cleared. Edit the ~/tdsconfig/threddsConfig.xml
and add:
<DiskCache>
<alwaysUse>true</alwaysUse>
<scour>1 hour</scour>
<maxSize>1 Gb</maxSize>
</DiskCache>
Edit the ~/tdsconfig/threddsConfig.xml
to supply contact and host institution by filling out the contact
and hostInstitution
XML elements. For example:
<contact>
<name>THREDDS Support</name>
<organization>Unidata</organization>
<email>support-thredds@unidata.ucar.edu</email>
</contact>
<hostInstitution>
<name>Unidata</name>
<webSite>http://www.unidata.ucar.edu/</webSite>
<logoUrl>https://ral.ucar.edu/sites/default/files/public/images/project/Unidata_logo_vertical_400x400_alpha.png</logoUrl>
<logoAltText>Unidata</logoAltText>
</hostInstitution>
You will need Apache Tomcat and TDS log directories:
mkdir -p /logs/tds-tomcat/
mkdir -p /logs/tds/
In the ~/science-gateway/vms/thredds-aws/files/
directory, generate a self-signed certificate with openssl
(or better yet, obtain a real certificate from a certificate authority).
openssl req -new -newkey rsa:4096 -days 3650 -nodes -x509 -subj \
"/C=US/ST=Colorado/L=Boulder/O=Unidata/CN=jetstream.unidata.ucar.edu" \
-keyout ~/science-gateway/vms/thredds-aws/files/ssl.key \
-out ~/science-gateway/vms/thredds-aws/files/ssl.crt
Open port 80
on the THREDDS VM via OpenStack. Port 80
requests will be forwarded to 8080
inside the THEREDDS Docker container. In addition, open ports 443
and 8443
for SSL and communication from the TDM.
Based on the directory set we have defined, the docker-compose.yml
file that looks like:
###
# THREDDS
###
version: '3'
services:
thredds-production:
image: unidata/thredds-docker:5.5-SNAPSHOT
container_name: thredds
restart: always
ports:
- "80:8080"
- "443:8443"
- "8443:8443"
volumes:
- /logs/tds-tomcat/:/usr/local/tomcat/logs/
- /logs/tds/:/usr/local/tomcat/content/thredds/logs/
# ssl certs, keys not in version control, see readme.md
- ./files/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml
- ./files/tdsCat.css:/usr/local/tomcat/webapps/thredds/tdsCat.css
- ./files/folder.gif:/usr/local/tomcat/webapps/thredds/folder.gif
- ./files/index.jsp:/usr/local/tomcat/webapps/ROOT/index.jsp
# HTTPS
- ./files/keystore.jks:/usr/local/tomcat/conf/keystore.jks
- ./files/server.xml:/usr/local/tomcat/conf/server.xml
- ./files/web.xml:/usr/local/tomcat/conf/web.xml
# AWS TDS Nexrad server
- ~/tdsconfig/:/usr/local/tomcat/content/thredds/
- ~/files/credentials:/usr/local/tomcat/.aws/credentials
env_file:
- "compose${THREDDS_COMPOSE_ENV_LOCAL}.env"
You can provide additional THREDDS parameterization via the compose.env
file referenced in the docker-compose.yml
file.
### THREDDS related environment variables
# TDS Content root
# Paremeterization of the TDS_CONTENT_ROOT_PATH is probably not needed here
# since paremeterization can already achieved through the docker-compose.yml but
# here it is anyway
TDS_CONTENT_ROOT_PATH=/usr/local/tomcat/content
# The minimum and maximum Java heap space memory to be allocated to the TDS
THREDDS_XMX_SIZE=4G
THREDDS_XMS_SIZE=4G
# See https://github.com/Unidata/tomcat-docker#configurable-tomcat-uid-and-gid
TOMCAT_USER_ID=1000
TOMCAT_GROUP_ID=1000
Once you have done the work of setting up THREDDS related directories in the way you like,
docker-compose up -d
to start the TDS
In a web browser, navigate to https://tds-nexrad.scigw.unidata.ucar.edu/thredds/catalog.html to see if is running.
You will sometimes find that data scraper bots are overloading the TDS Radar server which leads to the cache filling up the disk. One way to mitigate this is to block IPs via iptables
. To find the offending IP ranges, navigate to the /logs/tds-tomcat
looking for user agents like "spider", "oc4", etc. in the Tomcat access logs.
grep -i -h -E "oc4|rain|spider" access* | awk '{print $1}' | sort | uniq | awk -F "." '{print $1 "." $2}' | sort -n | uniq
Work with Unidata system administration staff to block the IP ranges with something like the snippet below. Note that the rule is being inserted into the DOCKER-USER
chain with the -I
option which is important to get iptables
to work with the THREDDS Docker container.
sudo iptables -I DOCKER-USER -s xx.xxx.0.0/16 -j DROP
# etc.
To see how these rules take affect you can:
sudo iptables -L DOCKER-USER -n -v
which will yield something like:
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
22404 1344K DROP all -- * * xx.22.0.0/16 0.0.0.0/0
134K 8044K DROP all -- * * xx.128.0.0/16 0.0.0.0/0
270K 16M DROP all -- * * xx.249.0.0/16 0.0.0.0/0
265K 16M DROP all -- * * xx.225.0.0/16 0.0.0.0/0
30892 1606K DROP all -- * * xx.199.0.0/16 0.0.0.0/0
60216 3613K DROP all -- * * xx.204.182.0/24 0.0.0.0/0
50M 107G RETURN all -- * * 0.0.0.0/0 0.0.0.0/0