Architecture

The diagram below shows the physical infrastructure of Domino 4.

Domino runs in a Kubernetes cluster with a standard set of three master nodes, a set of worker nodes dedicated to hosting Domino platform services, and a set of worker nodes dedicated to hosting compute workloads. Outside the cluster is a durable blob storage system, and a load balancer that regulates connections from users.

_images/logical-safe-harbor.png



Overview

The Domino application hosts two major workloads:

  1. Domino Platform

    These components provide user interfaces, the Domino API server, orchestration, metadata and supporting services.

  2. Domino Compute

    This is where users’ data science, engineering, and machine learning workflows are executed.

All workloads in the Domino application run as containerized processes orchestrated by Kubernetes, the industry-standard container orchestration system. Kubernetes was originally developed and open-sourced by Google and has broad community and vendor support, including managed offerings from all major cloud providers.

Typically, Domino customers will provision and manage their own Kubernetes cluster into which they install Domino. Domino offers professional services for customers who require assistance provisioning a cluster. Please talk to your account executive for more information about these options.




Services

Domino services are best understood when arranged into logical layers based on function and communication. A description of the functionality provided by each layer follows.

_images/safe-harbor-3-layers.png

Client layer

The client layer contains the Frontend pods that are the targets of a network load balancer. Domino users can access Domino’s core features by connecting to the Frontends via:

  • Web browser, in which case the Frontend serves the Domino application
  • HTTPS request to the Domino API, which the Frontend routes to the API server
  • Domino CLI, which uses the API

The Frontends run on platform nodes.

Service layer

The service layer contains the Domino API server, the Dispatcher, the Keycloak authentication service, and the metadata services that Domino uses to provide reproducibility and collaboration features: MongoDB stores application object metadata, Git manages code and file versioning, Elasticsearch powers in-app search, and the Docker registry stores the images used by Domino Environments. Project data, logs, and backups are written to the durable blob storage outside the cluster.

All of these services run on platform nodes.

The service layer also contains the dedicated master nodes for the Kubernetes cluster.

Execution layer

The execution layer is where Domino launches and manages the ephemeral pods that run user workloads. These may host Jobs, Model APIs, Apps, Workspaces, and Docker image builds.

These run on compute nodes.
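The platform/compute split described above is enforced by the Kubernetes scheduler rather than by Domino itself: platform pods are pinned to platform nodes and user pods to compute nodes through node labels, and platform nodes are usually tainted so that a pod without a matching toleration cannot land on them. The following is an added example (not Domino's own code) that re-implements the two scheduling predicates involved, nodeSelector label matching and taint/toleration matching, over a constructed two-node cluster, so you can check a set of pod specs for ones that could reach a platform node. The label key, node names and pod specs are assumptions for illustration.

```python
"""Scheduling-isolation check for the platform/compute node split.

Added example, not Domino's own code. Re-implements the Kubernetes
nodeSelector and taint/toleration predicates over constructed data.
"""

POOL_LABEL = "example.com/node-pool"  # assumed label key, not Domino's


def toleration_matches(tol, taint):
    """Kubernetes semantics: effect must match (empty effect matches any);
    operator Exists needs only the key (empty key matches any key);
    operator Equal (the default) also needs the value to match."""
    if tol.get("effect", "") not in ("", taint["effect"]):
        return False
    if tol.get("operator", "Equal") == "Exists":
        return tol.get("key", "") in ("", taint["key"])
    return tol.get("key") == taint["key"] and tol.get("value", "") == taint.get("value", "")


def schedulable_nodes(pod, nodes):
    """Names of nodes on which the scheduler could place the pod."""
    placeable = []
    for node in nodes:
        selector = pod.get("nodeSelector", {})
        if any(node["labels"].get(k) != v for k, v in selector.items()):
            continue  # nodeSelector does not match this node's labels
        blocking = [t for t in node.get("taints", []) if t["effect"] == "NoSchedule"]
        tolerations = pod.get("tolerations", [])
        if any(not any(toleration_matches(tol, t) for tol in tolerations) for t in blocking):
            continue  # an untolerated NoSchedule taint keeps the pod off
        placeable.append(node["name"])
    return placeable


def pods_reaching_platform(pods, nodes):
    """Pods (typically user workloads) that could land on a platform node."""
    platform = {n["name"] for n in nodes if n["labels"].get(POOL_LABEL) == "platform"}
    return [p["name"] for p in pods if platform & set(schedulable_nodes(p, nodes))]


# Constructed cluster: platform nodes carry a NoSchedule taint, compute nodes do not.
NODES = [
    {"name": "platform-0", "labels": {POOL_LABEL: "platform"},
     "taints": [{"key": POOL_LABEL, "value": "platform", "effect": "NoSchedule"}]},
    {"name": "compute-0", "labels": {POOL_LABEL: "compute"}, "taints": []},
]

# Constructed pod specs (only the scheduling-relevant fields).
PLATFORM_TOLERATION = {"key": POOL_LABEL, "operator": "Equal",
                       "value": "platform", "effect": "NoSchedule"}
API_SERVER = {"name": "api-server", "nodeSelector": {POOL_LABEL: "platform"},
              "tolerations": [PLATFORM_TOLERATION]}
USER_JOB = {"name": "run-42", "nodeSelector": {POOL_LABEL: "compute"}}
UNPINNED_JOB = {"name": "run-43"}  # no selector: the taint alone keeps it off platform nodes
ESCAPING_JOB = {"name": "run-44",  # a user-supplied toleration defeats the taint
                "tolerations": [{"key": POOL_LABEL, "operator": "Exists"}]}

if __name__ == "__main__":
    for pod in (API_SERVER, USER_JOB, UNPINNED_JOB, ESCAPING_JOB):
        print(pod["name"], "->", schedulable_nodes(pod, NODES))
    print("user pods that can reach platform nodes:",
          pods_reaching_platform([USER_JOB, UNPINNED_JOB, ESCAPING_JOB], NODES))
```

The `run-44` case is the caveat worth keeping in mind: labels and taints stop accidental co-scheduling, but any principal who can submit an arbitrary pod spec can add a toleration and land on a platform node. The isolation therefore depends on the Dispatcher being the only thing that writes compute pod specs, with Kubernetes RBAC (and admission policy, where available) keeping users from creating pods directly.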




Software

The Domino platform runs or depends on the following software components.

Application services

The following primary application services run on platform nodes in the Domino Kubernetes cluster.

  • nginx

    nginx is an open source HTTP and reverse proxy server. Domino uses nginx to serve the Domino web application and as a reverse proxy that routes requests to internal services.


  • Domino API server

    The Domino API server exposes the Domino API and handles REST API requests from the web application and from user clients such as the Domino CLI.

  • Domino dispatcher

    The Domino dispatcher handles orchestration of workloads on compute nodes. The dispatcher launches new compute pods, connects results telemetry back to the Domino application, and monitors the health of running workloads.

  • Keycloak

    Keycloak is an enterprise-grade open source authentication service. Domino uses Keycloak to store user identities and properties, and optionally for identity brokering or identity federation to SSO systems and identity providers.

    Keycloak supports the following protocols for brokering to external providers:

    • SAML v2.0
    • OpenID Connect v1.0
    • OAuth v2.0

    and LDAP(S) for federating users from a directory.


Supporting services

These metadata, communication, and processing services run on platform nodes.

  • MongoDB

    MongoDB is an open source document database. Domino uses MongoDB to store Domino entities, like projects, users, and organizations. Domino stores the structure of these entities in MongoDB, but underlying data is stored separately in encrypted blob storage.


  • Git

    Git is a free and open source distributed version control system. Domino uses Git internally for revisioning projects and files. Domino Executors also run Git clients, and they can interact with user-controlled external repositories to access code or data.


  • Elasticsearch

    Elasticsearch is a distributed, RESTful search and analytics engine. Domino uses Elasticsearch to power user searches for Domino objects like projects, files, and models. Domino also uses Elasticsearch for logging.


  • Docker registry

    The Docker registry is an application used to store and distribute Docker images. Domino uses its registry to store images for Domino environments and Model APIs. These images are built to user specifications by compute nodes.


  • Fluentd

    Fluentd is an open source application that unifies and processes logging and telemetry data. Domino uses Fluentd to aggregate logs and forward data to durable storage.


  • Redis

    Redis is an open source in-memory data structure store. Domino uses Redis to cache logs in memory for streaming back to users through the web application.


  • RabbitMQ

    RabbitMQ is an open source message broker. Domino uses RabbitMQ as an event bus to asynchronously distribute event messages between Domino services.


  • Postgres

    Postgres is an open source relational database system. Domino uses Postgres as a storage system for Keycloak data on user identities and attributes.





User accounts

Domino uses Keycloak to manage user accounts. Keycloak supports the following modes of authentication to Domino.

Local accounts

When using local accounts, anyone with network access to the Domino application may create a Domino account: network reachability is the only gate on signup. Users supply a username, password, and email address on the signup page to create a Domino-managed account. Domino administrators can track, manage, and deactivate these accounts through the application. Multi-factor authentication and password requirements for these accounts are configured in Keycloak.

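Because local-account signup is gated only by network reachability, the Keycloak realm settings are where the controls this page mentions (self-registration, password requirements, lockout, multi-factor enrolment) actually live. The following is an added example, not Domino's or Keycloak's code, that audits a realm export for those settings and produces a corrected copy. The field names (`registrationAllowed`, `bruteForceProtected`, `sslRequired`, `passwordPolicy`, `requiredActions`) are those of Keycloak's realm representation as produced by a realm export; the sample realm, the realm name and the thresholds are constructed assumptions.

```python
"""Audit a Keycloak realm export for local-account controls.

Added example, not Domino's or Keycloak's code. Field names follow
Keycloak's realm representation; the sample realm is constructed.
"""
import json
import re

# Constructed realm export with the settings a freshly created realm has.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "example",               # assumed realm name
    "registrationAllowed": True,      # "User registration" switch
    "bruteForceProtected": False,     # login lockout
    "sslRequired": "external",        # none | external | all
    "passwordPolicy": "",             # e.g. "length(12) and digits(1)"
    "requiredActions": [
        {"alias": "CONFIGURE_TOTP", "enabled": True, "defaultAction": False},
        {"alias": "UPDATE_PASSWORD", "enabled": True, "defaultAction": False},
    ],
})

POLICY_TERM = re.compile(r"(\w+)(?:\((.*?)\))?")


def parse_password_policy(policy):
    """'length(12) and digits(1) and notUsername()' -> {'length': '12', 'digits': '1', 'notUsername': ''}"""
    parsed = {}
    for term in filter(None, (t.strip() for t in policy.split(" and "))):
        m = POLICY_TERM.fullmatch(term)
        if m:
            parsed[m.group(1)] = m.group(2) or ""
    return parsed


def audit_realm(realm, min_length=12):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if realm.get("registrationAllowed"):
        findings.append("registrationAllowed: anyone who can reach the login page can self-register")
    if not realm.get("bruteForceProtected"):
        findings.append("bruteForceProtected off: no lockout after repeated failed logins")
    if realm.get("sslRequired") == "none":
        findings.append("sslRequired=none: credentials may be sent in clear text")
    policy = parse_password_policy(realm.get("passwordPolicy") or "")
    if int(policy.get("length") or 0) < min_length:
        findings.append(f"passwordPolicy: minimum length below {min_length}")
    totp = next((a for a in realm.get("requiredActions", [])
                 if a.get("alias") == "CONFIGURE_TOTP"), None)
    if not (totp and totp.get("enabled") and totp.get("defaultAction")):
        findings.append("CONFIGURE_TOTP is not a default required action: new users are not forced to enrol in OTP")
    return findings


def hardened_copy(realm, min_length=12):
    """Return a copy of the realm with the audited settings corrected.
    The policy string is an assumed baseline, not a Domino recommendation."""
    fixed = json.loads(json.dumps(realm))
    fixed["registrationAllowed"] = False
    fixed["bruteForceProtected"] = True
    fixed["passwordPolicy"] = (f"length({min_length}) and upperCase(1) and lowerCase(1) "
                               "and digits(1) and notUsername()")
    actions = fixed.setdefault("requiredActions", [])
    totp = next((a for a in actions if a.get("alias") == "CONFIGURE_TOTP"), None)
    if totp is None:
        totp = {"alias": "CONFIGURE_TOTP"}
        actions.append(totp)
    totp.update(enabled=True, defaultAction=True)
    return fixed


if __name__ == "__main__":
    realm = json.loads(SAMPLE_REALM_JSON)
    for finding in audit_realm(realm):
        print("FINDING:", finding)
    print("after hardening:", audit_realm(hardened_copy(realm)) or "no findings")
```

Two caveats on the OTP check: making `CONFIGURE_TOTP` a default action only forces enrolment for users created afterwards, so existing local accounts need the required action set on each user (or an authentication flow that requires OTP); and once identity federation is enabled, as described below, password requirements are those of the external directory, not of the Keycloak policy.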

Identity federation

Keycloak can be configured to integrate with an Active Directory (AD) or LDAP(S) identity provider (IdP). When identity federation is enabled, local account creation is disabled and Keycloak will authenticate users against identities in the external IdP and retrieve configurable properties about those users for Domino usernames and email addresses.


Identity brokering

Keycloak can be configured to broker authentication between Domino and an external authentication or SSO system. When identity brokering is enabled, Domino redirects users in the authentication flow to a SAML, OAuth, or OIDC service for authentication. Following authentication in the external service, the user is routed back to Domino with an assertion or token containing user properties, from which Keycloak derives the Domino identity.
