The diagram below shows the physical infrastructure of Domino 4.
Domino runs in a Kubernetes cluster with a standard set of three master nodes, a set of worker nodes dedicated to hosting Domino platform services, and a set of worker nodes dedicated to hosting compute workloads. Outside the cluster is a durable blob storage system, and a load balancer that regulates connections from users.
The Domino application hosts two major workloads:
These components provide user interfaces, the Domino API server, orchestration, metadata and supporting services.
This is where users’ data science, engineering, and machine learning workflows are executed.
All workloads in the Domino application run as containerized processes, orchestrated by Kubernetes. Kubernetes is an industry-standard container orchestration system. Kubernetes was launched by Google and has broad community and vendor support, including managed offerings from all major cloud providers.
Typically, Domino customers will provision and manage their own Kubernetes cluster into which they install Domino. Domino offers professional services for customers who require assistance provisioning a cluster. Please talk to your account executive for more information about these options.
Domino services are best understood when arranged into logical layers based on function and communication. A description of the functionality provided by each layer follows.
The client layer contains the Frontend pods that are the targets of a network load balancer. Domino users can access Domino’s core features by connecting to the Frontends via:
- Web browser, in which case the Frontend serves the Domino application
- HTTPS request to the Domino API, which the Frontend routes to the API server
- Domino CLI, which uses the API
The Frontends run on platform nodes.
The service layer contains the Domino API server, Dispatcher, Keycloak authentication service, and the metadata services that Domino uses to provide reproducibility and collaboration features. MongoDB stores application object metadata, Git manages code and file versioning, Elasticsearch powers in-app search, and the Docker registry is used by Domino Environments. Project data, logs, and backups are written to durable blob storage.
All of these services run on platform nodes.
The service layer also contains the dedicated master nodes for the Kubernetes cluster.
The execution layer is where Domino will launch and manage ephemeral pods that run user workloads. These may host Jobs, Model APIs, Apps, Workspaces, and Docker image builds.
These run on compute nodes.
The Domino platform runs or depends on the following software components.
The following primary application services run on platform nodes in the Domino Kubernetes cluster.
nginx is an open source HTTP and reverse proxy server. Domino uses NGINX to serve the Domino web application and as a reverse proxy to route requests to internal services.
Domino API server
The Domino application exposes the Domino API and handles REST API requests from the web application and user clients.
The Domino dispatcher handles orchestration of workloads on compute nodes. The dispatcher launches new compute pods, connects results telemetry back to the Domino application, and monitors the health of running workloads.
Keycloak is an enterprise-grade open source authentication service. Domino uses Keycloak to store user identities and properties, and optionally for identity brokering or identity federation to SSO systems and identity providers.
Keycloak supports the following protocols:
- SAML v2.0
- OpenID Connect v1.0
- OAuth v2.0
These metadata, communication, and processing services run on platform nodes.
MongoDB is an open source document database. Domino uses MongoDB to store Domino entities, like projects, users, and organizations. Domino stores the structure of these entities in MongoDB, but underlying data is stored separately in encrypted blob storage.
Git is a free and open source distributed version control system. Domino uses Git internally for revisioning projects and files. Domino Executors also run Git clients, and they can interact with user-controlled external repositories to access code or data.
Elasticsearch is a distributed, RESTful search and analytics engine. Domino uses Elasticsearch to power user searches for Domino objects like projects, files, and models. Domino also uses Elasticsearch for logging.
The Docker registry is an application used to store and distribute Docker images. Domino uses its registry to store images for Domino environments and Model APIs. These images are built to user specifications by compute nodes.
Fluentd is an open source application that unifies and processes logging and telemetry data. Domino uses Fluentd to aggregate logs and forward data to durable storage.
Redis is an open source data structure cache. Domino uses Redis to cache logs in-memory for streaming back to users through the web application.
RabbitMQ is an open source message broker. Domino uses RabbitMQ as an event bus to asynchronously distribute event messages between Domino services.
Postgres is an open source relational database system. Domino uses Postgres as a storage system for Keycloak data on user identities and attributes.
Domino uses Keycloak to manage user accounts. Keycloak supports the following modes of authentication to Domino.
When using local accounts, anyone with network access to the Domino application may create a Domino account. Users supply a username, password, and email address on the signup page to create a Domino-managed account. Domino administrators can track, manage, and deactivate these accounts through the application. Domino can be configured with multi-factor authentication and password requirements through Keycloak.
Keycloak can be configured to integrate with an Active Directory (AD) or LDAP(S) identity provider (IdP). When identity federation is enabled, local account creation is disabled and Keycloak will authenticate users against identities in the external IdP and retrieve configurable properties about those users for Domino usernames and email addresses.
Keycloak can be configured to broker authentication between Domino and an external authentication or SSO system. When identity brokering is enabled, Domino will redirect users in the authentication flow to a SAML, OAuth, or OIDC service for authentication. Following authentication in the external service, the user is routed back to Domino with a token containing user properties.
A service mesh provides a transparent and language-independent way to flexibly and easily automate application network functions, such as: traffic routing, load balancing, observability, and encryption. Domino can optionally deploy or integrate with Istio, an open source service mesh. We require Istio 1.7.2+. Istio is required to implement intra-cluster encryption in transit.