1 of 4

How to Install Oz Software

Terms and Definitions

Term

Description

APM

Analyses per minute. Please note:

Analysis is a request for Quality (Liveness) or Biometry analysis using a single media.
A single analysis with multiple media counts as separate analyses in terms of APM.
Multiple analysis types on single media (two media for Biometry) count as separate analyses in terms of APM.

PoC

Proof of Concept

Node

A Node is a worker machine. Can be either a virtual or a physical machine.

High availability

K8s

Kubernetes

StorageClass

RWX

ReadWriteMany

Components' Description

Oz API components:

APP is the API front app that receives REST requests, performs preprocessing, and creates tasks for other API components.
Celery is the asynchronous task queue. API has 6 celery queues:
- Celery-default processes system-wide tasks.
- Celery-maintenance processes maintenance tasks.
- Celery-tfss processes analysis tasks.
- Celery-resolution checks for completion of all nested analyses within a folder and changes folder status.
- Celery-preview_convert creates a video preview for media.
- Celery-beat is a CronJob for managing maintenance celery tasks.
- Celery-Flower is a Celery metrics collector.
- Celery-regula (optional) processes document analysis tasks.
Redis is a message broker and result backend for Celery.
RabbitMQ (optional) can be used as a message broker for Celery instead of Redis.
Nginx serves static media files for external HTTP(s) requests.
O2N (optional) processes the Blacklist analysis.
Statistic (optional) provides statistics' collection for Web UI.
Web UI provides the web interface.

BIO-Updater checks for models updates and downloads new models.

Oz BIO (TFSS) runs TensorFlow with AI models and makes decisions for incoming media.

The BIO-Updater and BIO components require access to the following external resources:

Deployment Scenarios

The deployment scenario depends on the workload you expect.

Small Business or PoC

Medium Load

High

Use cases

Testing/Development purposes
Small installations with low number of APM

Typical usage with moderate load

High load with HA and autoscaling
Usage with cloud provider

Environment

Docker

Kubernetes

Partially

Yes

Pros

Requires a minimal amount of computing resources
Low complexity, so no high-qualified engineers are needed on-site
Easy to manage and support

Partially supports HA
Can be scaled up to support higher workload

HA and autoscaling
Observability and manageability
Allows high workload and can be scaled up

Cons

Suitable only for low loads, no high APM
No scaling and high-availability

API HA requires precise balancing
Higher staff qualification requirements

High staff qualification requirements
Additional infrastructure requirements

External resource requirements

PostgreSQL

For Kubernetes deployments:
- K8s v1.25+
- ingress-nginx
- clusterIssuer
- kube-metrics
- Prometheus
- clusterAutoscaler
PostgreSQL

Autoscaling is implemented on the basis of ClusterAutoscaler and must be supported by your infrastructure.

Small business or PoC

Please find the installation guide here: Docker.

Type of containerization: Docker,
Type of installation: Docker compose,
Autoscaling/HA: none.

Requirements

Software

Docker 19.03+,
Podman 4.4+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Basic knowledge of Linux and Docker.

Deployment

Single node.

Resources:

1 node,
16 CPU/32 RAM.

Two nodes.

Resources:

2 nodes,
16 CPU/32 RAM for the first node; 8 CPU/16 RAM for the second node.

Medium Load

Please find the installation guide here: Docker.

Type of containerization: Docker/Podman,
Type of installation: Docker compose,
Autoscaling/HA: manual scaling; HA is partially supported.

Requirements

Computational resources

Depending on load, you can change the number of nodes. However, for 5+ nodes, we recommend that you proceed to the High Load section.

From 2 to 4 Docker nodes (see schemes):
- 2 Nodes:
  - 24 CPU/32 RAM per node.
- 3 Nodes:
  - 16 CPU/24 RAM per node.
- 4 Nodes:
  - 8 CPU/16 RAM for two nodes (each),
  - 16 CPU/24 RAM for two nodes (each).

We recommend using external self-managed PostgreSQL database and NFS share.

Software

Docker 19.03+,
Podman 4.4+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Advanced knowledge of Linux, Docker, and Postgres.

Deployment

2 nodes:

3 nodes:

4 nodes:

High Load

Please find the installation guide here: Kubernetes.

Type of containerization: Type of containerization: Docker containers with Kubernetes orchestration,
Type of installation: Helm charts,
Autoscaling/HA: supports autoscaling; HA for most components.

Requirements

Computational resources

3-4 nodes. Depending on load, you can change the number of nodes.

16 CPU/32 RAM Nodes for the BIO pods,
8+ CPU/16+ RAM Nodes for all other workload.

We recommend using external self-managed PostgreSQL database.

Requires RWX (ReadWriteMany) StorageClass or NFS share.

Software

Docker 19.03+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Advanced knowledge of Linux, Docker, Kubernetes, and Postgres.

Deployment Scheme

Docker

Hardware and Software Requirements

To launch the services, you'll require:

CPU: 16 cores,
RAM: 32 GB,
Disk: 100 GB, SSD,
Linux-compatible OS,
Docker 19.03+ (or Podman 4.4+),
Docker Compose 1.27+ (or podman-compose 1.2.0+, if you use Podman).

Distribution Package Contents

The package you get consists of the following directories and files:

Installation

Installing TFSS and the API on the Same Host

Put the license file in ./configs/tfss/license.key.
Unzip the file that contains models into the ./data/tfss/models directory.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.

Set the initial passwords and values:

Configuration

configs\api\config.py
- Line 15: 'PORT' is the same port as set in line 2 of configs\nginx\default.conf. Needed to set URLs to serve static via nginx.
- Line 21: 'HOST' is the same name as set in docker-compose for oz-api-nginx container. Needed to set URLs to serve static via nginx.
- Line 24-28: 'DB_*' are parameters for connecting to PostgreSQL database. Must refer to oz-api-pg name and parameters, that are set in configs\init\init-db.sh, configs\postgres\init.sql
- Line 33-34: 'TFSS' must refer to oz-tfss container name and port, that are set in the docker-compose.yaml oz-tfss start command.
- Line 36: Regula. Currently, we support only external Regula.
- Line 54-57: Redis connection. Change password or Redis container name and port, corresponding to lines 2 and 4 of configs\redis\redis.conf.
- Line 69: Celery workers' healthcheck list. Remove Celery workers from list, if you have disabled them in docker-compose.yaml.
- Line 141: O2N. Change o2n name and port, corresponding to docker-compose.yaml.
configs\init\init-*.sh
- VARS section of each file (Lines 4-9) must refer to PostgreSQL names, ports in docker-compose, parameters in config.py and sets up user and database that are created during startup.
nginx\default.conf
- Line 2: Listen port. Must be set corresponding to the docker-compose oz-api-nginx port parameter and config.py
- Lines 27, 43, 48: Service names in redirect. oz-api, oz-statistic. Change if container names are changed in docker-compose.yaml
configs\pg-o2n\init.sql
- Username, database name, password that are pre-created in database.
- Username in lines 1, 9.
- Password in line 1.
- DB name in lines 8, 16.
configs\postgres\init.sql
- Username, database name, password that are pre-created in database.
- Username in lines 1, 9.
- Password in line 1.
- DB name in lines 8, 16.
configs\redis\redis.conf
- Line 2: password for security. Refers to config.py.
- Line 4: port. Refers to config.py.
data\tfss
- Must have 'models' folder with models.
configs\webui\aquireToken.sh
- Line 3-6: API parameters. Web UI should point to the oz-api-nginx container. Set name and port same as in oz-api-nginx.
- Line 5-6: login and password must be the same as in configs\init\init-user.sh (if you have created another user manually, you can also use other credentials)
configs\o2n\config.env
- Lines 6-10: pg-o2n parameters. Must be the same as listed in init-o2n.sh and pg-o2n\init.sql.
- Line 12: password for superuser in PostgreSQL for O2N.
- Lines 14-16: service parameters for superuser in PostgreSQL.
- Lines 24-29: database parameters. Must be the same as listed in configs\postgres\init.sql.
- Line 38: 'APP_ENV' User 'local' for http, 'https' for https.
- Line 51-57: mail parameters. Set up for 'send password to email' option.

For this configuration, run all services on a single host:

We recommend using PostgreSQL as a container only for testing purposes. For the production deployment, it is recommended to use a standalone database.

Installing TFSS and the API on Separate Hosts

TFSS Host

Create a directory and unzip the distribution package into it. The package contains Docker Compose manifests and directories with the configuration files required for operation.
Put the license file in ./configs/tfss/license.key.
Unzip the file that contains models into the ./data/tfss/models directory.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.
For this configuration, run TFSS service on a separate host:

API Host

Create a directory and unzip the distribution package into it. The package contains Docker Compose manifests and directories with the configuration files required for operation.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.

For this configuration, run all services on a single host:

Kubernetes

To install Oz product via Kubernetes, consider using Helm charts.

Oz API and related components: Helm chart.
- API 5.2: version 0.11.x,
- API 5.3 (regulatory update for Kazakhstan): 0.12.x.
Web SDK: Helm chart. Please note: the version of the chart is not tied to the Web SDK version.

Database Creation

For testing purposes, the database installed and created automatically by the chart is sufficient. However, for production, we strongly recommend using a separate, self-managed database.

Chart Deployment

API and Web SDK charts require RWX SC.

Example of creating SC using AWS EFS

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc-api
provisioner: efs.csi.aws.com
allowVolumeExpansion: true
#Use Retain if you are going to use PVC for static, or your static will be deleted on chart uninstall
reclaimPolicy: Retain 
mountOptions:
  - tls
  - iam
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-____________
  directoryPerms: "770"
  uid: "1000"
  gid: "1000"
  basePath: ""

To deploy in Kubernetes, download the chart version you require and adjust the values.yaml file. This file specifies parameters for deployment of Oz products.

API

This example is based on the 0.11.28 chart version.

Adjust the values.yaml file, setting the following mandatory parameters before deployment:

ozDockerHubCreds: you'll receive them from Oz Engineer.
UserParams:
- URLs:
  - apiURL: URL for API. May be internal, if you use Web SDK only. For Mobile SDKs, should be public. Please refer to this article for more information.
- DB: must be set, if you use an external PostgreSQL server. For details, please check Database Creation.
  - use_chart_postgres: false by default. Enables internal PostgreSQL server (not recommended for production).
  - postgresUser: same as <<USERNAME>>.
  - postgresHost: the hostname of your PostgreSQL server.
  - postgresDB: same as <<DB_NAME>>.
  - postgresUserPassword: same as <<PASSWORD>>.
  - postgresPort: 5432 by default.
  - o2nDB:
    use_chart_o2nDB: false by default. Enables internal PostgreSQL server (not recommended for production).
    startinit: true by default. Enables database init scripts. Set to false after chart is deployed.
    creds:
    postgresHost: the hostname of your PostgreSQL server with O2N database.
    postgresPort: 5432 by default.
    postgresDB: same as <<O2N_DB_NAME>>.
    postgresUser: same as <<O2N_USERNAME>>.
    postgresUserPassword: Same as <<O2N_PASSWORD>>.
- Creds:
  - apiAdminLogin: login for new (default) user for API. Will be created on the first run.
  - apiAdminPass: password for the default user.
  - webUILocalAdminLogin: local Admin for Web UI. Should differ from apiAdminLogin.
  - webUILocalAdminPass: password for webUILocalAdminLogin.
- BIO:
  - licenseKey: you'll receive it from Oz Engineer / Sales.
  - clientToken: you'll receive it from Oz Engineer.
- pvc:
  - api:
    static:
    storageClassName: RWX StorageClass.
    size: Expected size for PV.
Params:
- Global:
  - startinits: false by default. Set to true on the first run, then, after successful deployment, change back to false.

To adjust API behavior, you might want to change other parameters. Please refer to comments in the values.yaml file.

TFSS (BIO)

BIO is a part of the API chart. The BIO pods require separate nodes for each pod. To ensure BIO resides on dedicated nodes, you can use affinity and tolerations.

The BIO behavior can be customized via Params -> global -> affinity in values.yaml.

The default parameters are listed below:

# We recommend using separate nodes for API and BIO pods,
# and separate node for each BIO pod.
 ## Default affinity is:
 ## Try to start API pods on nodes with "oz:api" label, BIO pods on nodes with "oz:bio" label
affinity: 
  API:
  # You may add additional keys, or comment the whole section to disable affinity
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: oz
            operator: In
            values:
            - api
    # nodeName: "myNode" #Node name can be changed. Uncomment to use

    # nodeSelector: ##NodeSelector can be changed. Uncomment to use
    #   oz: api

    # fill tolerations according to node taints, uncomment to use
    #tolerations:
    #- key: nodegroup
    #  operator: Equal
    #  value: api
    #  effect: NoSchedule

  BIO:
  # You may add additional keys, or comment the whole section to disable affinity
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: oz
            operator: In
            values:
            - bio

    # nodeName: "myNode" ## Node name can be changed. Uncomment to use.

    # nodeSelector: ## NodeSelector can be changed. Uncomment to use.
    #   oz: bio

    # fill tolerations according to node taints, uncomment to use.
    #tolerations:
    #- key: nodegroup
    #  operator: Equal
    #  value: bio
    #  effect: NoSchedule

The example of chart deployment via Helm:

helm install oz-api https://chartmuseum.infra.ozforensics.ai/charts/oz-k8s-0.11.28.tgz --namespace oz-api --values custom-api-values.yaml

Web SDK

Installation of Web SDK requires API pre-installed. Except specific cases, Web SDK cannot work without API.

For proper deployment, Web SDK requires an API service account. Pre-create a user for Web SDK with the CLIENT type and is_service flag set. Please refer to User Roles for more details.

This example is based on the 1.5.1+onPremise chart version.

Adjust the values.yaml file, setting the following mandatory parameters before deployment:

ozDockerHubCreds: you'll receive them from Oz Engineer.
UserParams:
- URLs:
  - apiURL: API URL. Can be an internal API URL.
  - webSDKURL: WebSDK url that will be used for public access.
- Creds:
  - AdminLogin: login of the user that should be pre-created in API. Do not use the default admin login.
  - AdminPass: password of the pre-created user.
PVC:
- persistentStorage: false be default. Set to true if you use more than 1 Web SDK pod.
- storageClassName: RWX StorageClass.
Params:
- websdk:
  - license: should contain your Web SDK license. You'll receive it from Oz Engineer / Sales.

# Format:
# Remark: Indentations are critical for yaml.
    license: |-
      {
          "payload_b64": "",
          "signature": "",
          "enc_public_key": ""
      }

To adjust API behavior, you might want to change other parameters. Please refer to comments in the values.yaml file.

The example of chart deployment via Helm:

helm install oz-websdk https://chartmuseum.infra.ozforensics.ai/charts/oz-k8s-sdk-1.5.1+onPremise.tgz --namespace oz-websdk --values custom-websdk-values.yaml

Making API methods Accessible from the Internet: Security Recommendations

By default, all API methods are published without restrictions, that may possess security threats. For accessing API methods from Internet, we recommend enabling limitations on WAF, border L7 balancer, etc.

If you use Web SDK only, you don't need to publish API methods on the Internet.

API

The information below is relevant for Oz API 5.2.

For Oz API with Mobile SDK, make sure these methods are accessible from the Internet:

You may need to extend this list depending on how Oz API has been integrated into your infrastructure.

Web SDK

For Web SDK, make sure these methods are accessible from the Internet. Your Web SDK URL is the Web Adapter URL you have received from us.

How to Install Oz Software

Terms and Definitions

Term

Description

APM

Analyses per minute. Please note:

Analysis is a request for Quality (Liveness) or Biometry analysis using a single media.
A single analysis with multiple media counts as separate analyses in terms of APM.
Multiple analysis types on single media (two media for Biometry) count as separate analyses in terms of APM.

PoC

Proof of Concept

Node

A Node is a worker machine. Can be either a virtual or a physical machine.

High availability

K8s

Kubernetes

StorageClass

RWX

ReadWriteMany

Components' Description

Oz API components:

APP is the API front app that receives REST requests, performs preprocessing, and creates tasks for other API components.
Celery is the asynchronous task queue. API has 6 celery queues:
- Celery-default processes system-wide tasks.
- Celery-maintenance processes maintenance tasks.
- Celery-tfss processes analysis tasks.
- Celery-resolution checks for completion of all nested analyses within a folder and changes folder status.
- Celery-preview_convert creates a video preview for media.
- Celery-beat is a CronJob for managing maintenance celery tasks.
- Celery-Flower is a Celery metrics collector.
- Celery-regula (optional) processes document analysis tasks.
Redis is a message broker and result backend for Celery.
RabbitMQ (optional) can be used as a message broker for Celery instead of Redis.
Nginx serves static media files for external HTTP(s) requests.
O2N (optional) processes the Blacklist analysis.
Statistic (optional) provides statistics' collection for Web UI.
Web UI provides the web interface.

BIO-Updater checks for models updates and downloads new models.

Oz BIO (TFSS) runs TensorFlow with AI models and makes decisions for incoming media.

The BIO-Updater and BIO components require access to the following external resources:

Deployment Scenarios

The deployment scenario depends on the workload you expect.

Small Business or PoC

Medium Load

High

Use cases

Testing/Development purposes
Small installations with low number of APM

Typical usage with moderate load

High load with HA and autoscaling
Usage with cloud provider

~ APM
~ analyses per month

~ APM
analyses per month

APM
analyses per month

Environment

Docker

Kubernetes

Partially

Yes

Pros

Requires a minimal amount of computing resources
Low complexity, so no high-qualified engineers are needed on-site
Easy to manage and support

Partially supports HA
Can be scaled up to support higher workload

HA and autoscaling
Observability and manageability
Allows high workload and can be scaled up

Cons

Suitable only for low loads, no high APM
No scaling and high-availability

API HA requires precise balancing
Higher staff qualification requirements

High staff qualification requirements
Additional infrastructure requirements

External resource requirements

PostgreSQL

For Kubernetes deployments:
- K8s v1.25+
- ingress-nginx
- clusterIssuer
- kube-metrics
- Prometheus
- clusterAutoscaler
PostgreSQL

Autoscaling is implemented on the basis of ClusterAutoscaler and must be supported by your infrastructure.

Small business or PoC

Please find the installation guide here: Docker.

Type of containerization: Docker,
Type of installation: Docker compose,
Autoscaling/HA: none.

Requirements

Software

Docker 19.03+,
Podman 4.4+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Basic knowledge of Linux and Docker.

Deployment

Single node.

Resources:

1 node,
16 CPU/32 RAM.

Two nodes.

Resources:

2 nodes,
16 CPU/32 RAM for the first node; 8 CPU/16 RAM for the second node.

Medium Load

Please find the installation guide here: Docker.

Type of containerization: Docker/Podman,
Type of installation: Docker compose,
Autoscaling/HA: manual scaling; HA is partially supported.

Requirements

Computational resources

Depending on load, you can change the number of nodes. However, for 5+ nodes, we recommend that you proceed to the High Load section.

From 2 to 4 Docker nodes (see schemes):
- 2 Nodes:
  - 24 CPU/32 RAM per node.
- 3 Nodes:
  - 16 CPU/24 RAM per node.
- 4 Nodes:
  - 8 CPU/16 RAM for two nodes (each),
  - 16 CPU/24 RAM for two nodes (each).

We recommend using external self-managed PostgreSQL database and NFS share.

Software

Docker 19.03+,
Podman 4.4+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Advanced knowledge of Linux, Docker, and Postgres.

Deployment

2 nodes:

3 nodes:

4 nodes:

High Load

Please find the installation guide here: Kubernetes.

Type of containerization: Type of containerization: Docker containers with Kubernetes orchestration,
Type of installation: Helm charts,
Autoscaling/HA: supports autoscaling; HA for most components.

Requirements

Computational resources

3-4 nodes. Depending on load, you can change the number of nodes.

16 CPU/32 RAM Nodes for the BIO pods,
8+ CPU/16+ RAM Nodes for all other workload.

We recommend using external self-managed PostgreSQL database.

Requires RWX (ReadWriteMany) StorageClass or NFS share.

Software

Docker 19.03+,
Python 3.4+.

Storage

Depends on image quality and required archive depth.
May be count as: [average image size] * 2 * [analyses per day] * [archive depth in days].

Staff qualification:

Advanced knowledge of Linux, Docker, Kubernetes, and Postgres.

Deployment Scheme

Docker

Hardware and Software Requirements

To launch the services, you'll require:

CPU: 16 cores,
RAM: 32 GB,
Disk: 100 GB, SSD,
Linux-compatible OS,
Docker 19.03+ (or Podman 4.4+),
Docker Compose 1.27+ (or podman-compose 1.2.0+, if you use Podman).

Distribution Package Contents

The package you get consists of the following directories and files:

Installation

Installing TFSS and the API on the Same Host

Put the license file in ./configs/tfss/license.key.
Unzip the file that contains models into the ./data/tfss/models directory.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.

docker compose --env-file configs/config.env -f docker-compose-all.yml

Set the initial passwords and values:

Configuration

configs\api\config.py
- Line 15: 'PORT' is the same port as set in line 2 of configs\nginx\default.conf. Needed to set URLs to serve static via nginx.
- Line 21: 'HOST' is the same name as set in docker-compose for oz-api-nginx container. Needed to set URLs to serve static via nginx.
- Line 24-28: 'DB_*' are parameters for connecting to PostgreSQL database. Must refer to oz-api-pg name and parameters, that are set in configs\init\init-db.sh, configs\postgres\init.sql
- Line 33-34: 'TFSS' must refer to oz-tfss container name and port, that are set in the docker-compose.yaml oz-tfss start command.
- Line 36: Regula. Currently, we support only external Regula.
- Line 54-57: Redis connection. Change password or Redis container name and port, corresponding to lines 2 and 4 of configs\redis\redis.conf.
- Line 69: Celery workers' healthcheck list. Remove Celery workers from list, if you have disabled them in docker-compose.yaml.
- Line 141: O2N. Change o2n name and port, corresponding to docker-compose.yaml.
configs\init\init-*.sh
- VARS section of each file (Lines 4-9) must refer to PostgreSQL names, ports in docker-compose, parameters in config.py and sets up user and database that are created during startup.
nginx\default.conf
- Line 2: Listen port. Must be set corresponding to the docker-compose oz-api-nginx port parameter and config.py
- Lines 27, 43, 48: Service names in redirect. oz-api, oz-statistic. Change if container names are changed in docker-compose.yaml
configs\pg-o2n\init.sql
- Username, database name, password that are pre-created in database.
- Username in lines 1, 9.
- Password in line 1.
- DB name in lines 8, 16.
configs\postgres\init.sql
- Username, database name, password that are pre-created in database.
- Username in lines 1, 9.
- Password in line 1.
- DB name in lines 8, 16.
configs\redis\redis.conf
- Line 2: password for security. Refers to config.py.
- Line 4: port. Refers to config.py.
data\tfss
- Must have 'models' folder with models.
configs\webui\aquireToken.sh
- Line 3-6: API parameters. Web UI should point to the oz-api-nginx container. Set name and port same as in oz-api-nginx.
- Line 5-6: login and password must be the same as in configs\init\init-user.sh (if you have created another user manually, you can also use other credentials)
configs\o2n\config.env
- Lines 6-10: pg-o2n parameters. Must be the same as listed in init-o2n.sh and pg-o2n\init.sql.
- Line 12: password for superuser in PostgreSQL for O2N.
- Lines 14-16: service parameters for superuser in PostgreSQL.
- Lines 24-29: database parameters. Must be the same as listed in configs\postgres\init.sql.
- Line 38: 'APP_ENV' User 'local' for http, 'https' for https.
- Line 51-57: mail parameters. Set up for 'send password to email' option.

For this configuration, run all services on a single host:

docker compose --env-file configs/config.env -f docker-compose-all.yml up -d

We recommend using PostgreSQL as a container only for testing purposes. For the production deployment, it is recommended to use a standalone database.

Installing TFSS and the API on Separate Hosts

TFSS Host

Create a directory and unzip the distribution package into it. The package contains Docker Compose manifests and directories with the configuration files required for operation.
Put the license file in ./configs/tfss/license.key.
Unzip the file that contains models into the ./data/tfss/models directory.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.
```
./pre-checker-bio.sh
```
For this configuration, run TFSS service on a separate host:

docker compose --env-file configs/config.env -f docker-compose-bio.yml up -d

API Host

Create a directory and unzip the distribution package into it. The package contains Docker Compose manifests and directories with the configuration files required for operation.
Before starting system configuration, we recommend running the host readiness check scripts. Navigate to the checkers directory and run the pre-checker-all.sh script.

./pre-checker-bio.sh

Set the initial passwords and values as described in .
For this configuration, run all services on a single host:

docker compose --env-file configs/config.env -f docker-compose-api.yml up -d

Kubernetes

To install Oz product via Kubernetes, consider using Helm charts.

Oz API and related components: Helm chart.
- API 5.2: version 0.11.x,
- API 5.3 (regulatory update for Kazakhstan): 0.12.x.
Web SDK: Helm chart. Please note: the version of the chart is not tied to the Web SDK version.

Database Creation

For testing purposes, the database installed and created automatically by the chart is sufficient. However, for production, we strongly recommend using a separate, self-managed database.

Chart Deployment

API and Web SDK charts require RWX SC.

Example of creating SC using AWS EFS

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: efs-sc-api
provisioner: efs.csi.aws.com
allowVolumeExpansion: true
#Use Retain if you are going to use PVC for static, or your static will be deleted on chart uninstall
reclaimPolicy: Retain 
mountOptions:
  - tls
  - iam
parameters:
  provisioningMode: efs-ap
  fileSystemId: fs-____________
  directoryPerms: "770"
  uid: "1000"
  gid: "1000"
  basePath: ""

To deploy in Kubernetes, download the chart version you require and adjust the values.yaml file. This file specifies parameters for deployment of Oz products.

API

This example is based on the 0.11.28 chart version.

Adjust the values.yaml file, setting the following mandatory parameters before deployment:

ozDockerHubCreds: you'll receive them from Oz Engineer.
UserParams:
- URLs:
  - apiURL: URL for API. May be internal, if you use Web SDK only. For Mobile SDKs, should be public. Please refer to this article for more information.
- DB: must be set, if you use an external PostgreSQL server. For details, please check Database Creation.
  - use_chart_postgres: false by default. Enables internal PostgreSQL server (not recommended for production).
  - postgresUser: same as <<USERNAME>>.
  - postgresHost: the hostname of your PostgreSQL server.
  - postgresDB: same as <<DB_NAME>>.
  - postgresUserPassword: same as <<PASSWORD>>.
  - postgresPort: 5432 by default.
  - o2nDB:
    use_chart_o2nDB: false by default. Enables internal PostgreSQL server (not recommended for production).
    startinit: true by default. Enables database init scripts. Set to false after chart is deployed.
    creds:
    postgresHost: the hostname of your PostgreSQL server with O2N database.
    postgresPort: 5432 by default.
    postgresDB: same as <<O2N_DB_NAME>>.
    postgresUser: same as <<O2N_USERNAME>>.
    postgresUserPassword: Same as <<O2N_PASSWORD>>.
- Creds:
  - apiAdminLogin: login for new (default) user for API. Will be created on the first run.
  - apiAdminPass: password for the default user.
  - webUILocalAdminLogin: local Admin for Web UI. Should differ from apiAdminLogin.
  - webUILocalAdminPass: password for webUILocalAdminLogin.
- BIO:
  - licenseKey: you'll receive it from Oz Engineer / Sales.
  - clientToken: you'll receive it from Oz Engineer.
- pvc:
  - api:
    static:
    storageClassName: RWX StorageClass.
    size: Expected size for PV.
Params:
- Global:
  - startinits: false by default. Set to true on the first run, then, after successful deployment, change back to false.

To adjust API behavior, you might want to change other parameters. Please refer to comments in the values.yaml file.

TFSS (BIO)

BIO is a part of the API chart. The BIO pods require separate nodes for each pod. To ensure BIO resides on dedicated nodes, you can use affinity and tolerations.

The BIO behavior can be customized via Params -> global -> affinity in values.yaml.

The default parameters are listed below:

# We recommend using separate nodes for API and BIO pods,
# and separate node for each BIO pod.
 ## Default affinity is:
 ## Try to start API pods on nodes with "oz:api" label, BIO pods on nodes with "oz:bio" label
affinity: 
  API:
  # You may add additional keys, or comment the whole section to disable affinity
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: oz
            operator: In
            values:
            - api
    # nodeName: "myNode" #Node name can be changed. Uncomment to use

    # nodeSelector: ##NodeSelector can be changed. Uncomment to use
    #   oz: api

    # fill tolerations according to node taints, uncomment to use
    #tolerations:
    #- key: nodegroup
    #  operator: Equal
    #  value: api
    #  effect: NoSchedule

  BIO:
  # You may add additional keys, or comment the whole section to disable affinity
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 1
        preference:
          matchExpressions:
          - key: oz
            operator: In
            values:
            - bio

    # nodeName: "myNode" ## Node name can be changed. Uncomment to use.

    # nodeSelector: ## NodeSelector can be changed. Uncomment to use.
    #   oz: bio

    # fill tolerations according to node taints, uncomment to use.
    #tolerations:
    #- key: nodegroup
    #  operator: Equal
    #  value: bio
    #  effect: NoSchedule

The example of chart deployment via Helm:

helm install oz-api https://chartmuseum.infra.ozforensics.ai/charts/oz-k8s-0.11.28.tgz --namespace oz-api --values custom-api-values.yaml

Web SDK

Installation of Web SDK requires API pre-installed. Except specific cases, Web SDK cannot work without API.

For proper deployment, Web SDK requires an API service account. Pre-create a user for Web SDK with the CLIENT type and is_service flag set. Please refer to User Roles for more details.

This example is based on the 1.5.1+onPremise chart version.

Adjust the values.yaml file, setting the following mandatory parameters before deployment:

ozDockerHubCreds: you'll receive them from Oz Engineer.
UserParams:
- URLs:
  - apiURL: API URL. Can be an internal API URL.
  - webSDKURL: WebSDK url that will be used for public access.
- Creds:
  - AdminLogin: login of the user that should be pre-created in API. Do not use the default admin login.
  - AdminPass: password of the pre-created user.
PVC:
- persistentStorage: false be default. Set to true if you use more than 1 Web SDK pod.
- storageClassName: RWX StorageClass.
Params:
- websdk:
  - license: should contain your Web SDK license. You'll receive it from Oz Engineer / Sales.

# Format:
# Remark: Indentations are critical for yaml.
    license: |-
      {
          "payload_b64": "",
          "signature": "",
          "enc_public_key": ""
      }

To adjust API behavior, you might want to change other parameters. Please refer to comments in the values.yaml file.

The example of chart deployment via Helm:

helm install oz-websdk https://chartmuseum.infra.ozforensics.ai/charts/oz-k8s-sdk-1.5.1+onPremise.tgz --namespace oz-websdk --values custom-websdk-values.yaml