Wyden can be configured to run on Docker containers. The Algotrader-launch project contains a pre-configured docker-compose.yml file that will run 5 containers:
- Algotrader (Wyden application)
- MySQL
- InfluxDB
- Keycloak
- Grafana
When running Wyden (AlgoTrader) on Docker, all necessary AT configurations like license key, starter class, security settings, etc. can be populated through the algotrader container environment variables provided in the docker-compose.yml file. Thus, this way it is not possible to override those in Configuration UI, it's especially important in case of security settings.
For further details regarding Wyden (AlgoTrader) container environment variables please find the Wyden container section in our Reference Guide: Docker containers
Requirements:
- Docker version 20.10+
- Docker-compose version 1.27+
Steps to run Wyden on Docker containers:
1. Login to the Docker registry
Open the terminal window and log into the Docker Repository with the username and password provided when licensing Wyden:
docker login docker.wyden.io
2. Adjust your docker-compose.yml file
Below is a good example:
version: "3.9"
networks:
net:
services:
algotrader:
image: docker.wyden.io/algotrader/algotrader:6.5.1
environment:
VM_ARGUMENTS: -Dkeygen.id=
-Dflyway.url=jdbc:mysql://mysql:3306?useSSL=false&allowPublicKeyRetrieval=true
-DdataSource.url=jdbc:mysql://mysql:3306/algotrader?useSSL=false&allowPublicKeyRetrieval=true
-Dssl.enabled=true
-Djetty.host=0.0.0.0 -Djetty.https.port=443 -DactiveMQ.wss.port=61613
-Djetty.password=null -Djetty.user=null
-Dssl.keystore=file:///usr/local/algotrader/keystore/identity.jks
-Dsecurity.enabled=true
-Dsystem.useContainerRestart=true
DATABASE_HOST: "mysql"
DATABASE_PORT: "3306"
DATABASE_NAME: "algotrader"
DATABASE_USER: "root"
DATABASE_PASSWORD: "password"
INFLUXDB_HOST: "influxdb"
depends_on:
mysql:
condition: service_healthy
influxdb:
condition: service_healthy
keycloak:
condition: service_healthy
ports:
- 443:443 # REST API/UI
- 61613:61613 # WebSocket
- 9880:9880 # FIX API
volumes:
- ./configurationOverrides:/usr/local/algotrader/configurationOverrides
- /path/to/the/html5-keycloak.json:/usr/local/algotrader/conf/html5/keycloak.json
- /path/to/the/keycloak.json:/usr/local/algotrader/conf/keycloak.json
- /path/to/the/identity.jks:/usr/local/algotrader/keystore/identity.jks
- grafanaconfig:/usr/local/algotrader/conf/grafana
networks:
- net
mysql:
image: mysql/mysql-server:8.0.23
command: --default-authentication-plugin=mysql_native_password
environment:
MYSQL_ROOT_PASSWORD: password
MYSQL_DATABASE: algotrader
MYSQL_ROOT_HOST: "%"
ports:
- 3306:3306
volumes:
- mysqldb:/var/lib/mysql
networks:
- net
influxdb:
image: influxdb:1.8.10
volumes:
- /var/lib/influxdb
environment:
INFLUXDB_HTTP_FLUX_ENABLED: "true"
INFLUXDB_HTTP_ENABLED: "true"
ports:
- 8086:8086
networks:
- net
healthcheck:
test: "curl -f http://localhost:8086/ping"
interval: 15s
timeout: 15s
retries: 10
start_period: 180s
keycloak:
image: docker.wyden.io/keycloak:10.0.2-AT1-3
environment:
DB_VENDOR: h2
KEYCLOAK_FRONTEND_URL: "https://client.url.com:8444/auth"
CLIENT_KEYCLOAK_USER: mysuperuser
CLIENT_KEYCLOAK_PASSWORD: mysuperpassword
ALGOTRADER_URL: "https://client.url.com"
volumes:
- keycloakdb:/opt/jboss/keycloak/standalone/data/
- /path/to/the/tls.key:/etc/x509/https/tls.key
- /path/to/the/tls.crt:/etc/x509/https/tls.crt
networks:
- net
ports:
- 8444:8444
init-grafana:
image: joshkeegan/zip:latest
volumes:
- grafanaconfig:/data
- grafanashared:/data_shared
entrypoint: ["/bin/sh","-c"]
command:
- cp -R /data/* /data_shared
depends_on:
algotrader:
condition: service_healthy
grafana:
image: grafana/grafana:8.3.3
environment:
GF_AUTH_ANONYMOUS_ENABLED: "true"
GF_SERVER_PROTOCOL: "https"
GF_SERVER_CERT_FILE: "/var/lib/grafana/ssl/grafana.crt"
GF_SERVER_CERT_KEY: "/var/lib/grafana/ssl/grafana.key"
GF_SECURITY_ALLOW_EMBEDDING: "true"
GF_PATHS_CONFIG: "/etc/grafana/custom.ini"
ports:
- 3000:3000
networks:
- net
volumes:
- /path/to/the/tls.crt:/var/lib/grafana/ssl/grafana.crt
- /path/to/the/tls.key:/var/lib/grafana/ssl/grafana.key
- grafanashared:/etc/grafana
depends_on:
init-grafana:
condition: service_completed_successfully
algotrader:
condition: service_healthy
volumes:
mysqldb:
influxdb:
keycloakdb:
grafanaconfig:
grafanashared:
where
/path/to/the/tls.crt, /path/to/the/tls.key - path to the TLS certificate and key to use in Wyden, Keycloak, and Grafana correspondingly. Required to issue them if there is a need to access the dashboard from outside(client.url.com).
/path/to/the/identity.jks - path to JAVA key storage created from TLS certificate and key. Instructions on how to generate such a key can be found at https://www.ibm.com/support/pages/how-generate-jks-keystore-existing-private-key. Please keep in mind, that passwords for the Key store and a private TLS key can be provided using ssl.keystorePassword and ssl.keyPassword of Application configuration (may be specified in the VM_ARGUMENTS)
/path/to/the/html5-keycloak.json - Required for Keycloak configuration. It contains the following information:
{
"auth-server-url": "https://client.url.com:8444/auth",
"realm": "algotrader",
"resource": "algotrader-dashboard"
}
/path/to/the/keycloak.json- Required for Keyckloak configuration. It contains the following information:
{
"realm": "algotrader",
"auth-server-url": "https://client.url.com:8444/auth/",
"ssl-required": "external",
"resource": "algotrader-server",
"verify-token-audience": true,
"credentials": {
"secret": "7dc3cf93-f2a4-48e9-b6a4-873fadc83391"
},
"confidential-port": 0
}
3. Run Server Starter
Now when everything is configured, executing the following command in the folder containing docker-compose.yml will create and run the containers:
docker-compose up -d
After a few seconds Wyden will start:
To look at logs:
docker logs -f launch_algotrader_1
More detailed information about server starter configuration can be found in our documentation: Server Starter
4. Open Wyden Web UI
After that, Wyden Web UI can be accessed by the following address:
https://client.url.com
More detailed information regarding Docker-based installation can be found in our documentation: Docker-based installation
FAQ
Where API keys are stored?
They are stored in the configurationOverrides mounted directory in the config-overrides.json file which can be encrypted (link to the documentation)
How to start the application if I have self-signed TLS?
To be able to start the application with self-signed TLS, adjust the docker-compose
version: "3.9"
networks:
net:
services:
algotrader:
...
volumes:
...
- /path/to/the/tls.crt:
keycloak:
...
user: root
entrypoint: ["/bin/bash","-c"]
command: ["update-ca-trust && /opt/jboss/startup.sh -b 0.0.0.0"]
volumes:
...
- /path/to/the/tls.crt:/etc/pki/ca-trust/source/anchors/https/tls.crt
With such a setup, Keycloak and Algotrader services will import certificates in the internal trusted CA, so it will be valid for both applications.
Why Keycloak TLS is using my certificate and key?
Make sure both files are mounted in the /etc/x509/https/tls.crt and /etc/x509/https/tls.key correspondingly.
Keycloak is designed in a way to expect those files in a certain location and can not be configured in a custom way.
Why is Keycloak throwing an error to connect?
In case you observe a connection error similar to the one you see below, or any other
Make sure that
- the keystore (identity.jks) mounted to the application contains the fullchain
- if the certificate is self-signed or uses a custom CA, it is imported into the container truststore, mentioned above
- check there are no firewall rules that block access from the Keycloak container to the Application (algotrader) container
- check that the same request passes from the inside of Keycloak container, using cURL
Comments
0 comments
Please sign in to leave a comment.