The following diagram shows the physical infrastructure of Domino.
Domino runs in a Kubernetes cluster with a standard set of three master nodes, a set of worker nodes dedicated to hosting Domino platform services, and a set of worker nodes dedicated to hosting compute workloads. Outside the cluster is a durable blob storage system, and a load balancer that regulates connections from users.
The Domino application hosts the following major workloads:
- Platform services: these components provide user interfaces, the Domino API server, orchestration, metadata and supporting services.
- Compute workloads: this is where users' data science, engineering, and machine learning workflows are executed.
All workloads in the Domino application run as containerized processes, orchestrated by Kubernetes. Kubernetes is an industry-standard container orchestration system. Kubernetes was launched by Google and has broad community and vendor support, including managed offerings from all major cloud providers.
Typically, you will provision and manage your own Kubernetes cluster into which you will install Domino. Domino can advise on best practices for creating and managing Kubernetes clusters. Contact your account executive for more information about deployment options.
Domino services are best understood when arranged into logical layers based on function and communication. A description of the functionality provided by each layer follows.
The client layer contains the Frontend pods that are the targets of a network load balancer. Domino users can access Domino's core features by connecting to the Frontends through:
- a web browser, in which case the Frontend serves the Domino web application
- HTTPS requests to the Domino API, which the Frontend routes to the API server
- the Domino CLI, which uses the API
The Frontends run on platform nodes.
The service layer contains the Domino API server, Dispatcher, Keycloak authentication service, and the metadata services that Domino uses to provide reproducibility and collaboration features.
MongoDB stores application object metadata, Git manages code and file versioning, Elasticsearch powers in-app search, and the Docker registry is used by Domino Environments. Project data, logs, and backups are written to durable blob storage.
All these services run on platform nodes.
The service layer also contains the dedicated master nodes for the Kubernetes cluster.
The Domino platform runs or depends on the following software components.
The following primary application services run on platform nodes in the Domino Kubernetes cluster.
NGINX is an open source HTTP and reverse proxy server. Domino uses NGINX to serve the Domino web application and as a reverse proxy to route requests to internal services.
Learn more about NGINX.
Domino API server
The Domino API server exposes the Domino API and handles REST API requests from the web application and user clients (including the Domino CLI).
The Domino dispatcher handles orchestration of workloads on compute nodes. The dispatcher launches new compute pods, connects results telemetry back to the Domino application, and monitors the health of running workloads.
Keycloak is an enterprise-grade open source authentication service. Domino uses Keycloak to store user identities and properties, and optionally for identity brokering or identity federation to SSO systems and identity providers.
Keycloak supports the following protocols:
OpenID Connect v1.0
Learn more about Keycloak.
Metadata, communication, and processing services run on platform nodes.
MongoDB is an open source document database. Domino uses MongoDB to store Domino entities, like projects, users, and organizations. Domino stores the structure of these entities in MongoDB, but underlying data is stored separately in encrypted blob storage.
Learn more about MongoDB.
Git is a free and open source distributed version control system. Domino uses Git internally for revisioning projects and files. Domino Executors also run Git clients, and they can interact with user-controlled external repositories to access code or data.
Learn more about Git.
Elasticsearch is a distributed, RESTful search and analytics engine. Domino uses Elasticsearch to power user searches for Domino objects like projects, files, and models. Domino also uses Elasticsearch for logging.
Learn more about Elasticsearch.
The Docker registry is an application used to store and distribute Docker images. Domino uses its registry to store images for Domino environments and Model APIs. These images are built to user specifications by compute nodes.
Learn more about Docker registry.
Fluentd is an open source application that unifies and processes logging and telemetry data. Domino uses Fluentd to aggregate logs and forward data to durable storage.
Learn more about Fluentd.
Redis is an open source data structure cache. Domino uses Redis to cache logs in-memory for streaming back to users through the web application.
Learn more about Redis.
RabbitMQ is an open source message broker. Domino uses RabbitMQ as an event bus to asynchronously distribute event messages between Domino services.
Learn more about RabbitMQ.
Postgres is an open source relational database system. Domino uses Postgres as a storage system for Keycloak data on user identities and attributes.
Learn more about Postgres.
Domino uses Keycloak to manage user accounts. Keycloak supports the following modes of authentication to Domino.
When using local accounts, anyone with network access to the Domino application can create a Domino account. Users supply a username, password, and email address on the signup page to create a Domino-managed account. You can track, manage, and deactivate these accounts through the application. Domino can be configured with multi-factor authentication and password requirements through Keycloak.
Learn more about Keycloak administration.
Keycloak can be configured to integrate with an Active Directory (AD) or LDAP(S) identity provider (IdP). When identity federation is enabled, local account creation is disabled and Keycloak will authenticate users against identities in the external IdP and retrieve configurable properties about those users for Domino usernames and email addresses.
Learn more about Keycloak identity federation.
Keycloak can be configured to broker authentication between Domino and an external authentication or SSO system. When identity brokering is enabled, Domino will redirect users in the authentication flow to a SAML, OAuth, or OIDC service for authentication. Following authentication in the external service, the user is routed back to Domino with a token containing user properties.
Learn more about Keycloak identity brokering.
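The three authentication modes above map onto a handful of realm settings in Keycloak, and the one that matters most operationally is the first: with local accounts enabled, anyone who can reach the login page can self-register. The following Python script is an added example, not Domino's or Keycloak's own code. It audits a Keycloak realm export (the JSON that the admin console exports or the admin REST API returns as a RealmRepresentation) for self-registration, password policy, brute-force protection, a default OTP requirement, and which of the three modes is in effect. The field names used (registrationAllowed, bruteForceProtected, passwordPolicy, sslRequired, requiredActions, identityProviders, and the org.keycloak.storage.UserStorageProvider component list) are those of recent Keycloak exports and should be checked against your version; the realm contents are constructed for the example.

```python
"""Audit a Keycloak realm export for the authentication settings Domino relies on.

Added example (not Domino's or Keycloak's code). Field names follow the
RealmRepresentation produced by a Keycloak realm export; verify them against
the Keycloak version you run.
"""
from typing import Any, Dict, List

# Constructed sample export: local accounts with self-registration left open,
# no password policy, no brute-force protection, OTP not required.
SAMPLE_REALM: Dict[str, Any] = {
    "realm": "DominoRealm",              # placeholder realm name
    "enabled": True,
    "sslRequired": "external",
    "registrationAllowed": True,
    "bruteForceProtected": False,
    "passwordPolicy": "",
    "requiredActions": [
        {"alias": "CONFIGURE_TOTP", "enabled": True, "defaultAction": False},
        {"alias": "UPDATE_PASSWORD", "enabled": True, "defaultAction": False},
    ],
    "identityProviders": [],             # no SAML/OIDC brokering configured
    "components": {},                    # no LDAP/AD user federation configured
}

# The same realm after hardening through the Keycloak admin console.
HARDENED_REALM: Dict[str, Any] = {
    **SAMPLE_REALM,
    "registrationAllowed": False,
    "bruteForceProtected": True,
    "passwordPolicy": "length(12) and digits(1) and upperCase(1) and notUsername",
    "requiredActions": [
        {"alias": "CONFIGURE_TOTP", "enabled": True, "defaultAction": True},
        {"alias": "UPDATE_PASSWORD", "enabled": True, "defaultAction": False},
    ],
}


def uses_identity_federation(realm: Dict[str, Any]) -> bool:
    """True if an LDAP/AD user-storage provider is configured (identity federation)."""
    providers = realm.get("components", {}).get(
        "org.keycloak.storage.UserStorageProvider", [])
    return any(p.get("providerId") == "ldap" for p in providers)


def uses_identity_brokering(realm: Dict[str, Any]) -> bool:
    """True if at least one external IdP (SAML/OIDC/OAuth) is configured as a broker."""
    return bool(realm.get("identityProviders"))


def auth_mode(realm: Dict[str, Any]) -> str:
    """Name the authentication mode the realm is effectively using."""
    modes = []
    if uses_identity_federation(realm):
        modes.append("identity federation")
    if uses_identity_brokering(realm):
        modes.append("identity brokering")
    return " + ".join(modes) if modes else "local accounts"


def audit_realm(realm: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting found."""
    findings: List[str] = []
    federated = uses_identity_federation(realm)
    brokered = uses_identity_brokering(realm)

    # Self-registration only matters when accounts are Domino/Keycloak-managed.
    if realm.get("registrationAllowed") and not federated:
        findings.append("self-registration enabled: anyone with network access "
                        "to the login page can create an account")
    if realm.get("sslRequired") == "none":
        findings.append("sslRequired=none: credentials may be sent over plain HTTP")
    if not realm.get("passwordPolicy") and not federated:
        findings.append("no password policy: local accounts accept any password")
    if not realm.get("bruteForceProtected"):
        findings.append("brute-force detection disabled for the realm")

    # Multi-factor: CONFIGURE_TOTP as a default required action forces OTP
    # enrolment for local users; with brokering the external IdP owns MFA.
    otp_default = any(a.get("alias") == "CONFIGURE_TOTP" and a.get("defaultAction")
                      for a in realm.get("requiredActions", []))
    if not otp_default and not brokered:
        findings.append("OTP is not a default required action: no MFA for local users")
    return findings


if __name__ == "__main__":
    for name, realm in (("sample", SAMPLE_REALM), ("hardened", HARDENED_REALM)):
        print(f"{name}: mode={auth_mode(realm)}")
        for finding in audit_realm(realm) or ["no findings"]:
            print("  -", finding)
```

Running the script prints four findings for the constructed realm and none for the hardened copy. In a real deployment, export the realm from the Keycloak admin console (or fetch it with the admin REST API) and pass the parsed JSON to audit_realm; when identity federation or brokering is in use, the password and MFA checks move to the external IdP, which is why the script skips them in those modes.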
A service mesh provides a transparent and language-independent way to automate application network functions such as traffic routing, load balancing, observability, and encryption. Domino can optionally deploy or integrate with Istio, an open source service mesh. We require Istio 1.7.2+. Istio is required to implement intra-cluster encryption in transit.
Learn more about Istio.
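Istio provides the intra-cluster encryption mentioned above through mutual TLS between sidecars, and whether a given Domino service actually gets it depends on the PeerAuthentication policy that wins for that workload: a workload-specific policy (one with a selector) overrides a namespace-wide one, which overrides the mesh-wide policy in Istio's root namespace, and a port entry under portLevelMtls overrides the workload policy for that port. The following Python script is an added example, not Domino's or Istio's code: it resolves the effective mTLS mode for a workload from a set of PeerAuthentication manifests following those documented precedence rules, so a reviewer can spot namespaces or ports that were left PERMISSIVE. The root namespace is assumed to be istio-system, the namespace names domino-platform and domino-compute and the workload labels are placeholders, and the manifests are constructed for the example rather than taken from a real cluster.

```python
"""Resolve the effective Istio mTLS mode per workload from PeerAuthentication policies.

Added example (not Domino's or Istio's code). Precedence follows Istio's
documented rules: port-level > workload-specific > namespace-wide > mesh-wide;
with no policy at all Istio defaults to PERMISSIVE. Root namespace and the
namespace/label names below are assumptions for the example.
"""
from typing import Dict, List, Optional, Tuple

ROOT_NAMESPACE = "istio-system"  # assumption: Istio's default root namespace

# Constructed sample policies, embedded as dicts so the script runs offline.
POLICIES: List[Dict] = [
    {   # mesh-wide default: strict mTLS for every sidecar-injected workload
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "default", "namespace": ROOT_NAMESPACE},
        "spec": {"mtls": {"mode": "STRICT"}},
    },
    {   # namespace-wide override that silently weakens the compute namespace
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "default", "namespace": "domino-compute"},
        "spec": {"mtls": {"mode": "PERMISSIVE"}},
    },
    {   # workload-specific policy with one port carved out as PERMISSIVE
        "apiVersion": "security.istio.io/v1beta1",
        "kind": "PeerAuthentication",
        "metadata": {"name": "dispatcher", "namespace": "domino-platform"},
        "spec": {
            "selector": {"matchLabels": {"app": "dispatcher"}},
            "mtls": {"mode": "STRICT"},
            "portLevelMtls": {"9090": {"mode": "PERMISSIVE"}},
        },
    },
]

# Constructed inventory of (namespace, pod labels) to evaluate.
SAMPLE_WORKLOADS: List[Tuple[str, Dict[str, str]]] = [
    ("domino-platform", {"app": "dispatcher"}),
    ("domino-platform", {"app": "nginx"}),
    ("domino-compute", {"app": "run"}),
]


def effective_mode(namespace: str, labels: Dict[str, str],
                   port: Optional[int] = None,
                   policies: List[Dict] = POLICIES) -> str:
    """Return the mTLS mode Istio applies to this workload (optionally for one port)."""
    workload = ns_wide = mesh_wide = None
    for policy in policies:
        meta, spec = policy["metadata"], policy.get("spec", {})
        selector = spec.get("selector", {}).get("matchLabels")
        if selector:
            # Workload-specific: must be in the same namespace and match every label.
            if meta["namespace"] == namespace and all(
                    labels.get(k) == v for k, v in selector.items()):
                workload = spec
        elif meta["namespace"] == namespace:
            ns_wide = spec
        elif meta["namespace"] == ROOT_NAMESPACE:
            mesh_wide = spec

    # Port-level settings exist only on workload-specific policies.
    if port is not None and workload is not None:
        port_mode = workload.get("portLevelMtls", {}).get(str(port), {}).get("mode")
        if port_mode and port_mode != "UNSET":
            return port_mode

    # Walk down the precedence chain; UNSET inherits from the next level.
    for spec in (workload, ns_wide, mesh_wide):
        if spec is None:
            continue
        mode = spec.get("mtls", {}).get("mode", "UNSET")
        if mode != "UNSET":
            return mode
    return "PERMISSIVE"  # Istio's behaviour when no policy applies


def weak_workloads(workloads: List[Tuple[str, Dict[str, str]]],
                   policies: List[Dict] = POLICIES) -> List[Tuple[str, Dict[str, str]]]:
    """Return the workloads whose effective mode is anything other than STRICT."""
    return [(ns, labels) for ns, labels in workloads
            if effective_mode(ns, labels, policies=policies) != "STRICT"]


if __name__ == "__main__":
    for ns, labels in SAMPLE_WORKLOADS:
        print(f"{ns}/{labels}: {effective_mode(ns, labels)}")
    print("dispatcher port 9090:", effective_mode("domino-platform", {"app": "dispatcher"}, port=9090))
    print("not STRICT:", weak_workloads(SAMPLE_WORKLOADS))
```

Against the constructed policies the dispatcher and the NGINX frontend resolve to STRICT, the compute namespace resolves to PERMISSIVE because of its namespace-wide override, and the dispatcher's port 9090 is PERMISSIVE despite the workload policy. To run this against a real cluster, feed it the output of listing PeerAuthentication resources across all namespaces and the pods' namespace/label pairs; a non-empty weak_workloads result is the list of services for which Istio is not yet enforcing encryption in transit.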