.. _interactivetools: Galaxy InteractiveTools ======================= Galaxy Interactive Tools allows launching a container-backed Galaxy Tool and enabling a Galaxy User to gain access to content inside in real-time. How Galaxy InteractiveTools work -------------------------------- A InteractiveTool is defined in the same familiar way as standard Galaxy Tools, but are specified with ``tool_type="interactive"``, and providing additional entry point information: .. code-block:: xml 80 **Note** that name, port, and url are each able to be templated from the InteractiveTool's parameter dictionary. Some important benefits of using Galaxy InteractiveTools -------------------------------------------------------- - You can have and access **any number of InteractiveTools at a time** (admin configurable) - If you accidentally close the **InteractiveTool browser window**, you can **regain access** by selecting from a **list of active InteractiveTools** - A single **InteractiveTool** can **grant access** to **multiple running applications, servers, and interfaces** - **InteractiveTools** can be **added to** Galaxy **Workflows** - **InteractiveTools** are **bonafide Galaxy Tools**; just specify **tool_type as "interactive"** and list the ports you want to expose - **InteractiveTools** can be **added** to and **installed from the ToolShed**. - **R Shiny apps**, **Javascript-based VNC** access to desktop environments, **genome-browsers-in-a-box**, **interactive notebook environments**, etc, are all possible with **InteractiveTools** - **InteractiveTools** typically run as software (e.g. Docker) containers in an isolated environment Server-side configuration of Galaxy InteractiveTools ---------------------------------------------------- Basic configuration ^^^^^^^^^^^^^^^^^^^ For production deployments and additional considerations please see the `Galaxy Interactive Tools Tutorial `__. The ``galaxy.yml`` file will need to be populated as seen in ``config/galaxy.yml.interactivetools``. Galaxy InteractiveTool routing by default relies on wildcard subdomain routes and a proxy server that forwards requests to a running container. For users who manage their own DNS, you can set the appropriate A records to redirect ``*.interactivetool.yourdomain``. ``gravity`` will automatically start the needed proxy server. The following configuration is only recommended for local testing, as users will directly connect to the InteractiveTool Proxy. In a production setup an upstream proxy should route requests to the proxy via the ``*.interactivetool.yourdomain`` subdomain, or use path-based proxying for interactive tools that support it (``requires_domain=False``, see below for more details). Set these values in ``galaxy.yml``: .. code-block:: yaml gravity: gx_it_proxy: enable: true port: 4002 #handlers: # handler: # processes: 3 # pools: # - job-handlers # - workflow-schedulers galaxy: interactivetools_enable: true interactivetools_map: database/interactivetools_map.sqlite # outputs_to_working_directory will provide you with a better level of isolation. It is highly recommended to set # this parameter with InteractiveTools. outputs_to_working_directory: true # `galaxy_infrastructure_url` needs to be reachable from IT containers. # For local development you can map arbitrary hostnames. See `job_conf.yml.interactivetools` # for an example. # In the local development case you should use the `http` protocol (e.g http://localhost:8080) to access # your Galaxy, so saving notebooks doesn't fail due to invalid certificates. galaxy_infrastructure_url: http://localhost:8080 # Do not set the following 2 options if you are using an upstream proxy server like nginx interactivetools_upstream_proxy: false interactivetools_proxy_host: localhost:4002 The ``gx-it-proxy`` config relates to an important service in the InteractiveTool infrastructure: the InteractiveTool proxy. ``gx-it-proxy`` runs as a separate process listening at port 4002 (by default). HTTP requests are decoded based on the URL and headers, then somewhat massaged, and finally forwarded to the correct entry point port of the target InteractiveTool. .. note:: A previous config option ``interactivetools_shorten_url`` was removed in commit `#73100de `_ since similar functionality is now default behavior. Setting ``interactivetools_shorten_url`` to ``true`` shortened long interactive tool URLs (then default) from e.g. ``8c24e5aaae1db3a3-d0fc9f05229e40259142c4d8b5829797.interactivetoolentrypoint.interactivetool.mygalaxy.org`` down to ``8c24e5aaae1db3a3-d0fc9f0522.interactivetool.mygalaxy.org`` Now, all interactive tool URLs are similarly short, e.g. ``24q1dbzrknq1v-1a1p13jnahscj.ep.interactivetool.mygalaxy.org`` Note that the previous ``.interactivetoolentrypoint`` part has been shortened down to ``.ep``, but this is now always included. For this reason, URLs are now up to ``3`` character longer than was previously the case when ``interactivetools_shorten_url`` was set to ``true``. For deployments that require URLs to be shorter than a specific limit (for example ``63`` characters for some kubernetes setups), this slight ``3`` character increase could cause the URLs to break the limit. If so, please adjust the ``interactivetools_prefix`` config (default value: ``interactivetool``) to counter this. You will also need to enable a docker destination in the job_conf.xml file. An example ``job_conf.yml`` file as seen in ``config/job_conf.yml.interactivetools``: .. code-block:: yaml ## A sample job config for InteractiveTools using local runner. ## runners: local: load: galaxy.jobs.runners.local:LocalJobRunner workers: 4 # Uncomment if dynamic handlers are defined in "gravity:handlers" section in galaxy.yml # #handling: # assign: # - db-skip-locked execution: default: docker_dispatch environments: local: runner: local docker_local: runner: local docker_enabled: true #docker_volumes: $defaults,/mnt/galaxyData/libraries:ro,/mnt/galaxyData/indices:ro #docker_volumes_from: parent_container_name #docker_memory: 24G #docker_sudo: false #docker_sudo_cmd: /usr/bin/sudo -extra_param #docker_net: bridge #docker_auto_rm: true #docker_set_user: $UID docker_set_user: # InteractiveTools do need real hostnames or URLs to work - simply specifying IPs will not work. # If you develop interactive tools on your 'localhost' and don't have a proper domain name # you need to tell all Docker containers a hostname where Galaxy is running. # This can be done via the add-host parameter during the `docker run` command. # 'localhost' here is an arbitrary hostname that matches the IP address of your # Galaxy host. Make sure this hostname ('localhost') is also set in your galaxy.yml file, e.g. # `galaxy_infrastructure_url: http://localhost:8080`. #docker_run_extra_arguments: add-host localhost:host-gateway #docker_cmd: /usr/local/custom_docker/docker #docker_host: #docker_container_id_override: busybox:ubuntu-14.04 #docker_default_container_id: busybox:ubuntu-14.04 #require_container: true #container_monitor: true #container_monitor_result: file #container_monitor_command: python /path/to/galaxy/lib/galaxy_ext/container_monitor/monitor.py #container_monitor_get_ip_method: null #container_resolvers_config_file: null #container_resolvers: docker_dispatch: runner: dynamic type: docker_dispatch docker_destination_id: docker_local default_destination_id: local The Galaxy currently contains a sizable collection of **InteractiveTools** directly in the code base. To be enabled, they need to be commented in or added to the ``config/tool_conf.xml``: .. code-block:: xml A InteractiveTool is defined in the same familiar way as standard Galaxy Tools, but are specified with ``tool_type="interactive"``, and providing additional entry point information: .. code-block:: xml 80 **Note** that name, port, and url are each able to be templated from the InteractiveTool's parameter dictionary. Path-based InteractiveTools ^^^^^^^^^^^^^^^^^^^^^^^^^^^ As will become clear in the NGINX tutorial below, the default configuration of InteractiveTools in a production setting gives rise to some complications - in particular the need to set up a wildcard DNS entry and procuring a wildcard SSL certificate. This is necessary to support unique URLs for InteractiveTool instances using only the domain part of the URL, e.g. ``https://24q1dbzrknq1v-1a1p13jnahscj.ep.interactivetool.myserver.net/``. Wildcard SSL certificates are less convenient than regular certificates and are inherently less safe and thus prohibited at many institutions. Hence, path-based interactive tools was implemented as an alternative way to configure InteractiveTools. Path-based URLs to InteractiveTools look something like this: ``https://myserver.net/interactivetool/ep/24q1dbzrknq1v/1a1p13jnahscj/``. To enable path-based InteractiveTools, set ``requires_domain="False"`` in the relevant ``entry_point`` tag in the tool XML: .. code-block:: xml 80 Path-based InteractiveTools are somewhat more difficult to configure than domain-based ITs. This is due to the fact that the web server within an InteractiveTool container now must serve the contents under a path prefix. There are two main ways this can be solved: 1. Relative links. If the web server embedded in the InteractiveTool only serves HTML pages with relative links then the contents can be served at any level in the path hierarchy. The InteractiveTool proxy then strips away the "path prefix" or "entry point path" part of the URL (e.g. ``interactivetool/ep/24q1dbzrknq1v/1a1p13jnahscj/``) from forwarded HTTP requests so that the InteractiveTool web server operates like if it was served at the top level (directly under ``/``). Since all links are relative, the web browser will automatically handle merging of the path prefix with the relative path appended by the InteractiveTool. This setup is the default setup provided by the tool XML example above, but to be more explicit one can also set ``requires_path_in_url="False"`` in the ``entry_point`` tag. As the web service operates with relative links it does not need to know the entry point path under which it is served. 2. Absolute links. Unfortunately many relevant services are implemented with absolute links, i.e. starting at the top-level ``/``. For such InteractiveTools to work with path-based URLs the contained web server needs to be configured with the path prefix/entry point path under which the content should be served. Two issues then needs to be considered: a. How to inject the path prefix into the InteractiveTool at run-time? Two injection mechanisms are provided, injecting the path prefix as an environment variable or as an HTTP header. i. Injecting the path prefix as an environment variable: .. code-block:: xml 80 mytool Here, the entry point is attached a ``label="mytool"`` attribute. This label is then used by the ``entry_point_path_for_label`` injection mechanism to identify the entry point whose path shall be injected into the environment variable, here ``EP_PATH``. This environment variable must then be mobilized in the InteractiveTool tool XML to properly configure the contained web server, such as in the ``command`` tag of the JupyTool InteractiveTool: .. code-block:: xml If we follow the same entry point path example as above, the ``PROXY_PREFIX`` variable will in this case be set to the value ``interactivetool/ep/24q1dbzrknq1v/1a1p13jnahscj/ipython``. This variable is further parsed by the Jupyter Notebook software as a configuration of the path prefix under which the contents will be served. ii. Injecting the path prefix as an HTTP header: .. code-block:: xml 80 Here, the InteractiveTool proxy service is informed to inject the path prefix as a HTTP header, e.g. ``X-My-Header="interactivetool/ep/24q1dbzrknq1v/1a1p13jnahscj/`` in the proxied requests to the InteractiveTool server. b. Does the InteractiveTool service require that the full path is provided in the URL? When ``requires_path_in_url="True"`` in the ``entry_point`` tag, the InteractiveTool proxy service forwards the HTTP requests with the full path intact. Both values of ``requires_path_in_url`` can be combined with both injection mechanisms, leading two four configuration variants for path-based InteractiveTools. Choosing the correct one depends on the implementation of the web server contained in the InteractiveTool and can be a bit tricky to get correct. In some cases, none of these options will work. One solution can then be to configure another highly customized proxy web server within the InteractiveTool, e.g. using NGINX. NGINX proxy server configuration (in production) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If you want to use nginx as an proxy server upstream of a Galaxy installation (in a production setting), you can use the following server section to route domain-based requests to the InteractiveTool proxy: .. code-block:: nginx server { # Listen on port 443 listen *:443 ssl; # Match all requests for the interactive tools subdomain server_name *.interactivetool.localhost; # Route all domain-based interactive tool requests to the InteractiveTool proxy application location / { proxy_redirect off; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://localhost:4002; } } Note that this nginx example uses https, so you need to have a wildcard certificate for your domain, and you need to adjust ``galaxy_infrastructure_url`` as appropriate. You should also set up nginx to route path-based InteractiveTool URLs to the InteractiveTool proxy. Path-based InteractiveTool URLs will only be created for tools that have defined ``requires_domain=False`` in the tool XML file (which signals that the web server running on the container are configured to operate at a subpath under the main Galaxy installation). Hence, no wildcard DNS configuration or wildcard SSL certificates are needed for path-based interactive tools. To support path-based interactive tools through nginx proxy, add the following to the main Galaxy "server" section (serving port 443): .. code-block:: nginx # Route all path-based interactive tool requests to the InteractiveTool proxy application location ~* ^/(interactivetool/.+)$ { proxy_redirect off; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://localhost:4002; } This example config works for default values of ``interactivetools_base_path`` and ``interactivetools_prefix`` as defined in ``galaxy.yml``. For other values, you will need to adjust the location patterns accordingly. In both nginx config examples, you might want to replace localhost with your server domain (or possibly ``127.0.0.1``), depending on your server setup. Job runner configuration in production ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ InteractiveTools have been enabled for the Condor, Slurm, Pulsar and Kuberneters job runner. A destination configuration for Condor may look like this: .. code-block:: xml condor: runner: condor docker_enabled: true docker_sudo: false **Note on resource consumption:** Keep in mind that Distributed Resource Management (DRM) / cluster systems may have a maximum runtime configured for jobs. From the Galaxy point of view, such a container could run as long as the user desires, this may not be advisable and an admin may want to restrict the runtime of InteractiveTools *(and jobs in general)*. However, if the job is killed by the DRM, the user is not informed beforehand and data in the container could be discarded.