---
alias: operation-guide-messtackcomponents
tags:
  - containerized environments
description: "This document details the container-based Critical Manufacturing MES stack, including its components and configurations for network routing and authentication"
---

# Customer Environment MES Stack

This page lists all the containers that run inside the Critical Manufacturing MES stack, with an explanation of each container's purpose and its specific configurations.

!!! info

    There can be multiple environments deployed for any infrastructure belonging to a single customer, each with its own URL.

```mermaid
graph LR
    subgraph Infrastructure Agent
        Squid[Edge Squid Proxy]
    end
    subgraph Customer Environment
        Env[Environment Manager]
        UI[UI]
        Host[Host]
        Help[Help]
        Grafana[Grafana]
        SecurityPortal[Security Portal]
        Traefik[Traefik]
        TraefikForwardAuth[Traefik Forward Auth]
        Bus[MessageBus]
        DiscoveryService[Discovery Service]
        SQL[SQL Server]
        ConnectIoTManager[Connect IoT Manager]
        Rasa[Rasa]
        RasaActions[Rasa Actions]
        LBOGenerator[LBO Generator]
        MESScheduler[MES Scheduler]
    end
    subgraph DataPlatform
        direction RL
        ClickHouse[ClickHouse]
        Kafka[Kafka]
        RabbitMQ[RabbitMQ]
        S3[S3]
        DataManager[Data Manager]
        EPFAMAT[EPF Alarm Management Action Trigger]
        EPFAMERH[EPF Alarm Management Event Rule Handler]
        EPFMEH[EPF Alarm Management MES Event Handler]
        MLAgent[ML Platform Agent]
        MLPlatformTraining[ML Platform Training]
        Redis[Redis]
    end
    Traefik --> TraefikForwardAuth
    TraefikForwardAuth --> Traefik
    Traefik --> UI
    Traefik --> Host
    Traefik --> Help
    Traefik --> Grafana
    Traefik --> SecurityPortal
    Traefik --> Bus
    Traefik --> DataPlatform
    Traefik --> ConnectIoTManager
    Traefik --> Rasa
    Traefik --> RasaActions
    Traefik --> DiscoveryService
    Traefik --> LBOGenerator
    Traefik --> MESScheduler
    Host -.-> SQL
    SQL -.-> Env
    Host -.-> Env
    UI -.-> Env
    Help -.-> Env
    Grafana -.-> Env
    SecurityPortal -.-> Env
    Bus -.-> Env
    DataPlatform -.-> Env
    ConnectIoTManager -.-> Env
    Rasa -.-> Env
    RasaActions -.-> Env
    DiscoveryService -.-> Env
    LBOGenerator -.-> Env
    MESScheduler -.-> Env
    Env ---> Squid
    classDef mermaid_title color:#000, fill:#fafafa, stroke:#fafafa, stroke-width:0x, font-size:100%, font-weight:200;
    classDef mermaid_start color:#000, fill:#fafafa, stroke:#fafafa, color:#fafafa, stroke-width:0x, font-size:100%, visibility: hidden;
    classDef mermaid_businessdata color:#000, fill:#65CDE8, stroke:#65CDE8, stroke-width:0px, font-size:100%;
    classDef mermaid_nonbusinessdata color:#000, fill:#B7DEE8, stroke:#B7DEE8, stroke-width:0px, font-size:100%;
    classDef mermaid_entity color:#000, fill:#FB9F53, stroke:#FB9F53, stroke-width:0px, font-size:100%;
    classDef mermaid_entitylinked color:#000, fill:#FCD5B5, stroke:#FCD5B5, stroke-width:0px, font-size:100%;
    classDef mermaid_context color:#000, fill:#B9CDE5, stroke:#B9CDE5, stroke-width:0px, font-size:100%;
    classDef mermaid_optional color:#000, fill:#B7DEE8, stroke:#65CDE8, stroke-width:1px, font-size:100%, stroke-dasharray: 5 5;
    classDef mermaid_state color:#000, fill:#d7e4bd, stroke:#000, stroke-width:1px, font-size:100%, font-weight:300;
    class Squid,UI,Host,Help,SecurityPortal,ConnectIoTManager,Bus,Grafana,DiscoveryService,Rasa,RasaActions,LBOGenerator,MESScheduler mermaid_businessdata
    class Env,Traefik,TraefikForwardAuth mermaid_entitylinked
    class User mermaid_context
    class ClickHouse,Kafka,RabbitMQ,S3,DataManager,EPFAMAT,EPFAMERH,EPFMEH,MLAgent,MLPlatformTraining,Redis,ReplicateEvents,ReplicateIDs,ReplicateTableSchemas mermaid_nonbusinessdata
    class SQL mermaid_optional
    click Traefik "#traefik"
    click TraefikForwardAuth "#traefik-forward-auth"
    click Bus "#mesmessage-bus"
    click Host "#mes-host"
    click Env "#environment-manager"
    click SecurityPortal "#security-portal"
    click UI "#mes-gui"
    click Help "#mes-documentation"
    click HelpReference "#mes-documentation-reference"
    click Grafana "#grafana"
    click SQL "#sql-server"
    click ClickHouse "#clickhouse"
    click Kafka "#kafka"
    click RabbitMQ "#rabbitmq"
    click S3 "#s3"
    click ConnectIoTManager "#connect-iot-manager"
    click DataManager "#data-manager"
    click DiscoveryService "#discovery-service"
    click EPFAMAT "#epf-alarm-management-action-trigger"
    click EPFAMERH "#epf-alarm-management-event-rule-handler"
    click EPFMEH "#epf-alarm-management-mes-event-handler"
    click MLAgent "#ml-platform-agent"
    click MLPlatformTraining "#ml-platform-training"
    click Rasa "#rasa"
    click RasaActions "#rasa-actions"
    click Redis "#redis"
    click ReplicateEvents "#replicate-events"
    click ReplicateIDs "#replicate-ids"
    click ReplicateTableSchemas "#replicate-table-schemas"
```

## Core Components

### Traefik

Manages incoming network traffic, acting as a reverse proxy by forwarding requests to services based on routing rules. For more information, see .

Each MES environment includes a Traefik instance that is entirely responsible for that same stack. A top-level Ingress Controller is required in order to route incoming traffic to the appropriate MES stack's Traefik. Security must be dealt with at this first level, such as handling certificate validations and ensuring secure connections.

!!! note

    Currently, a Traefik instance is shipped together with the Infrastructure Agent, which is configured to act as the Ingress Controller for all the MES stacks running in the same container orchestrator cluster. For more information, see [Infrastructure Agent](https://portal.criticalmanufacturing.com/Help/devops-center/infrastructure-agent/).

!!! warning

    If you're setting up your own ingress controller, the Infrastructure Agent's Traefik should **not** be deployed.

    If your custom ingress controller is **Traefik**, you must define an entrypoint named `web-secure`, for example:

    ```yaml
    spec:
      containers:
        - args:
            - --entrypoints.web-secure.address=:8443
    ```

    This is required because our MES stack references `web-secure` in `traefik.ingress.kubernetes.io/router.entrypoints`. If the entrypoint is missing or named differently, HTTPS traffic will fail.

!!! warning "Deprecation warning"

    The **Infrastructure Agent's Traefik is deprecated** starting from Infrastructure Agent 11.1, and will be removed when MES 12.0 is released.

Example:

* `http:///` - the Traefik instance inside the MES stack sends this request to the proper container inside the MES stack for `domain_one` that handles the `/` path, which in this case is the `UI`.
* `http:///api` - the Traefik instance inside the MES stack sends this request to the proper container inside the MES stack for `domain_one` that handles the `api` path, which in this case is the `host`.
* `http:///help` - the Traefik instance inside the MES stack sends this request to the proper container inside the MES stack for `domain_two` that handles the `help` path, which in this case is the Documentation Portal.

```mermaid
graph LR
    subgraph Agent
        Traefik[Traefik]
    end
    subgraph mes_instance_two
        Traefik3[Traefik]
        ui3["UI"]
        api3["Host"]
        help3["Documentation Portal"]
    end
    subgraph mes_instance_one
        Traefik2[Traefik]
        ui2["UI"]
        api2["Host"]
        help2["Documentation Portal"]
    end
    Traefik --->|https://mes_instance_one.domain.local/|Traefik2
    Traefik --->|https://mes_instance_one.domain.local/api|Traefik2
    Traefik --->|https://mes_instance_two.domain.local/help|Traefik3
    Traefik2 -.->|/|ui2
    Traefik2 -.->|/api|api2
    Traefik3 -.->|/help|help3
    classDef mermaid_title color:#000, fill:#fafafa, stroke:#fafafa, stroke-width:0x, font-size:100%, font-weight:200;
    classDef mermaid_start color:#000, fill:#fafafa, stroke:#fafafa, color:#fafafa, stroke-width:0x, font-size:100%, visibility: hidden;
    classDef mermaid_businessdata color:#000, fill:#65CDE8, stroke:#65CDE8, stroke-width:0px, font-size:100%;
    classDef mermaid_nonbusinessdata color:#000, fill:#B7DEE8, stroke:#B7DEE8, stroke-width:0px, font-size:100%;
    classDef mermaid_entity color:#000, fill:#FB9F53, stroke:#FB9F53, stroke-width:0px, font-size:100%;
    classDef mermaid_entitylinked color:#000, fill:#FCD5B5, stroke:#FCD5B5, stroke-width:0px, font-size:100%;
    classDef mermaid_context color:#000, fill:#B9CDE5, stroke:#B9CDE5, stroke-width:0px, font-size:100%;
    classDef mermaid_optional color:#000, fill:#B7DEE8, stroke:#65CDE8, stroke-width:1px, font-size:100%, stroke-dasharray: 5 5;
    classDef mermaid_state color:#000, fill:#d7e4bd, stroke:#000, stroke-width:1px, font-size:100%, font-weight:300;
    class Traefik,Traefik2,Traefik3 mermaid_entity
    class api2,api3,help2,help3,ui2,ui3 mermaid_businessdata
```

!!! info

    These rules, and the configuration of which addresses are mapped to which internal containers, are defined in Traefik Ingress Routes and Middlewares (for Kubernetes) and in the Traefik configuration file (for Docker Swarm). Both can be accessed through any container orchestrator management tool.

### Traefik Forward Auth

Provides support for authentication through the Critical Manufacturing Security Portal, equivalent to an IIS module that is installed and running in traditional installations. Every request that Traefik receives is passed to Traefik Forward Auth to ascertain whether that request has valid authentication.

Relevant folders in container volumes:

| Path        | Description                 |
| ----------- | --------------------------- |
| `/opt/app/` | Main application directory. |

Table: Traefik Forward Auth relevant folders for containerized environments

### Environment Manager

The Environment Manager oversees the entire MES stack and acts as the primary information point on which all other containers depend. It performs operations like those of the installation setup application of traditional environments, with added functionality: all containers have the same entrypoint (a small piece of executable code) which, every time the stack is started, queries the Environment Manager container to see whether the system is installed and running and whether there are any customization packages that need to be installed for any specific container.
When the Environment Manager responds to the queries from all other containers to indicate that the system has been installed, the other containers can safely run.

!!! note

    Currently, the Environment Manager uses the Edge Squid Proxy from the Infrastructure Agent as a pure proxy to interact with the Customer Portal's DevOps Center.

!!! warning "Deprecation warning"

    The **Infrastructure Agent's Squid is deprecated** starting from Infrastructure Agent 11.1, and will be removed when MES 12.0 is released.

```mermaid
sequenceDiagram
    Container in MES Stack->>Environment Manager: Is MES installed?
    activate Environment Manager
    Environment Manager-->>Container in MES Stack: Not yet, checking
    Environment Manager-->>Container in MES Stack: Yes, it is, you can run safely
    deactivate Environment Manager
    activate Container in MES Stack
    Container in MES Stack->>+Environment Manager: Are there any custom components I should know about?
    deactivate Container in MES Stack
    Environment Manager-->>Container in MES Stack: Yes, here they are
    activate Environment Manager
    Container in MES Stack->>Environment Manager: Ok, installing before running the main application
    deactivate Environment Manager
```

Customization packages are usually stored in one of the volumes bound by the Environment Manager and are accessible through it.

Relevant folders in container volumes:

| Path             | Description |
| ---------------- | ----------- |
| `/opt/app/`      | Main application directory. |
| `/opt/packages/` | Custom packages location. |
| `/opt/backups/`  | Database backup location before a clean installation. |
| `/var/log/cmf/`  | If the volume type selected for logs is 'None', applications will not log to a file, and therefore, this location will be empty. Otherwise, the location will be shared with several containers, with each container having its own separate folder inside it. |

Table: Environment Manager relevant folders for containerized environments

### Security Portal

A multi-tenant application that acts as an identity management system. For more information, see [Security Portal](../security/security-portal/index.md).

Relevant folders in container volumes:

| Path    | Description                 |
| ------- | --------------------------- |
| `/app/` | Main application directory. |

Table: Critical Manufacturing MES Security Portal relevant folders for containerized environments

### MES Host

The set of services that operate the core of Critical Manufacturing MES services and orchestration, exposing a public API for external access.

Relevant folders in container volumes:

| Path             | Description |
| ---------------- | ----------- |
| `/opt/app/`      | Main application directory (includes Host config file and customization libraries). |
| `/opt/document/` | Document storage location. |
| `/var/log/cmf/`  | Logging location, shared with several containers, where each container will have its own separate folder inside this one. |

Table: Critical Manufacturing MES Host relevant folders for containerized environments

### MES GUI

Web server used as the main visual entrypoint for the Critical Manufacturing MES.

Relevant folders in container volumes:

| Path    | Description                 |
| ------- | --------------------------- |
| `/app/` | Main application directory. |

Table: Critical Manufacturing MES GUI relevant folders for containerized environments

### MES Documentation

Complete set of user documentation for Critical Manufacturing MES, including this very page.
Relevant folders in container volumes:

| Path            | Description |
| --------------- | ----------- |
| `/app/`         | Main application directory. |
| `/var/log/cmf/` | Logging location, shared with several containers, where each container will have its own separate folder inside this one. |

Table: Critical Manufacturing MES Documentation relevant folders for containerized environments

### MES Reference Documentation

Reference documentation for Critical Manufacturing MES, including API documentation and Design System.

Relevant folders in container volumes:

| Path            | Description |
| --------------- | ----------- |
| `/app/`         | Main application directory. |
| `/var/log/cmf/` | Logging location, shared with several containers, where each container will have its own separate folder inside this one. |

Table: Critical Manufacturing MES Reference Documentation relevant folders for containerized environments

### MES Message Bus

A high-performance publish and subscribe message bus. For more information, see [Message Bus](../../application-administration/messagebus.md).

Relevant folders in container volumes:

| Path                                   | Description |
| -------------------------------------- | ----------- |
| `/app/`                                | Main application directory. |
| `/var/log/cmf/`                        | Logging location, shared with several containers, where each container will have its own separate folder inside this one. |
| `/var/opt/app/token_rsa_publickey.pem` | Authentication Secret. |

Table: Critical Manufacturing MES Message Bus relevant folders for containerized environments

### Grafana

Visualization framework that allows you to query and visualize metrics from the Critical Manufacturing MES through widgets and dashboards.
Relevant folders in container volumes:

| Path                | Description                            |
| ------------------- | -------------------------------------- |
| `/var/lib/grafana/` | Shared directory for the Grafana host. |

Table: Grafana relevant folders for containerized environments

### SQL Server

Installed optionally through DevOps Center, this container holds an instance of SQL Server that can be used only with the Online database. It is lacking:

* Reports
* ODS database
* DWH database
* Analysis Services

!!! info

    This container is the only one that can be configured to have an open port for the outside world. This port is used to access the database through SQL Server Management Studio, which can access the server through the name: `machine_name,[port]`.

!!! warning

    Be aware that the character separator between machine name and port is a comma (`,`) and not the traditional colon (`:`).

Relevant folders in container volumes:

| Path                   | Description |
| ---------------------- | ----------- |
| `/app/`                | Main application directory. |
| `/opt/backups/`        | Database backup location before a clean installation (shared with Environment Manager). |
| `/var/opt/mssql/data/` | MSSQL Data files. |

Table: SQL Server relevant folders for containerized environments

### Discovery Service

The Discovery Service is a key component of highly-available infrastructures commonly used to improve the performance and availability of web sites, applications, databases and other services by distributing the workload across multiple servers. For more information, see [Discovery Service](../discovery-service/index.md).

Relevant folders in container volumes:

| Path                                   | Description                 |
| -------------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation`     | Main application directory. |
| `/var/opt/app/token_rsa_publickey.pem` | Authentication token        |

Table: Discovery Services relevant folders for containerized environments

### Rasa

From [Rasa](https://rasa.com/): *Rasa Open Source is an open source conversational AI platform that allows you to understand and hold conversations, and connect to messaging channels and third party systems through a set of APIs. It supplies the building blocks for creating virtual (digital) assistants or chatbots.*

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Rasa relevant folders for containerized environments

### Rasa Actions

From [Rasa](https://rasa.com/): *When a Rasa assistant calls a custom action, it sends a request to the action server. Rasa only knows about whatever events and responses come back in the request response; it's up to the action server to call the correct code based on the action name that Rasa provides.*

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Rasa Actions relevant folders for containerized environments

### Connect IoT Manager

:lock: Connect IoT

The Connect IoT Manager is responsible for the entire Automation component processes lifecycle.

Relevant folders in container volumes:

| Path               | Description                 |
| ------------------ | --------------------------- |
| `/opt/connectiot/` | Main application directory. |

Table: Connect IoT Manager relevant folders for containerized environments

### LBO Generator

:lock: LBO Generator

The service responsible for generating and serving LBOs.

| Path                     | Description                      |
| ------------------------ | -------------------------------- |
| `/opt/app`               | Main application directory.      |
| `/opt/lbogen/output`     | Intermediate artifacts location. |
| `/opt/lbogen/assemblies` | Host assemblies location.        |
| `/opt/lbogen/lbos`       | LBOs directory.                  |

Table: LBO Generator relevant folders for containerized environments

### MES Scheduler

:lock: MES Scheduler

The service responsible for MES Scheduling operations.

## Data Platform

### ClickHouse

:lock: Data Platform

From [ClickHouse](https://clickhouse.com/clickhouse): *ClickHouse is a column-oriented database that enables its users to generate powerful analytics, using SQL queries, in real-time.*

Relevant folders in container volumes:

| Path                          | Description                                        |
| ----------------------------- | -------------------------------------------------- |
| `/var/lib/clickhouse/`        | Main client application directory.                 |
| `/var/log/clickhouse-server/` | Main application directory for the server section. |

Table: ClickHouse relevant folders for containerized environments

### Kafka

:lock: Data Platform

From [Apache Kafka](https://kafka.apache.org/): *Apache Kafka is an open-source distributed event streaming platform used by thousands of companies for high-performance data pipelines, streaming analytics, data integration, and mission-critical applications.*

This is the first instance of Kafka for streaming operations.

Relevant folders in container volumes:

| Path                  | Description       |
| --------------------- | ----------------- |
| `/var/lib/kafka/data` | Application data. |

Table: Kafka relevant folders for containerized environments

### RabbitMQ

:lock: Data Platform

From [RabbitMQ](https://www.rabbitmq.com//): *RabbitMQ is a reliable and mature messaging and streaming broker.*

Relevant folders in container volumes:

| Path                       | Description       |
| -------------------------- | ----------------- |
| `/var/lib/rabbitmq/mnesia` | Application data. |
| `/var/log/rabbitmq`        | Log folder.       |

Table: RabbitMQ relevant folders for containerized environments

### S3

:lock: Data Platform

From [MinIO](https://min.io/): *MinIO is an object storage system. It is an API compatible with the Amazon S3 cloud storage service, capable of working with unstructured data such as photos, videos, log files, backups, and container images.*

Relevant folders in container volumes:

| Path                  | Description       |
| --------------------- | ----------------- |
| `/bitnami/minio/data` | Application data. |

Table: S3 relevant folders for containerized environments

### Data Manager

:lock: Data Platform

The Data Manager acts as the manager of all Data Stores. A Data Store is a physical data repository, typically a database of a certain technology that is abstracted by a Data Store Driver. Data Sets (structured tabular grids of rows (records) and columns (fields)) are written to and read from a Data Store. For internally managed Data Sets, the system takes care of the schema creation, space provisioning and overall data set management (e.g., purging).

The Data Manager provides central access to Data in the platform, enabling data security and also exposing the Data via an OData interface or by using the Grafana interface.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Data Manager relevant folders for containerized environments

### EPF Alarm Management Action Trigger

:lock: Data Platform

Listens to Kafka topics from Event Rules and executes the associated actions.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: EPF Alarm Management Action Trigger relevant folders for containerized environments

### EPF Alarm Management Event Rule Handler

:lock: Data Platform

Receives an EventRule to be executed and instantiates a new **Notification** based on the properties defined in the EventRule. Alternatively, if the EventRule defines a **Rule**, it should be executed instead of creating a notification. This allows for almost infinite extensibility options. All inputs received by the TriggerNotification API should be passed as inputs to the executed rule.

More information on [Notification](../../../userguide/business-data/notification/index.md) and [Rule](../../../userguide/administration/rule/index.md).

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: EPF Alarm Management Event Rule Handler relevant folders for containerized environments

### EPF Alarm Management MES Event Handler

:lock: Data Platform

Generates MES events in order to replicate data to an ODS database. It has a mechanism that watches for new Service History IDs in the Online Database, gathers all data that has been updated or inserted in that transaction, and publishes an MES Event to a specific topic in Kafka.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: EPF Alarm Management MES Event Handler relevant folders for containerized environments

### ML Platform Agent

:lock: Data Platform

Interacts with the application, providing values extracted from trained models.

Relevant folders in container volumes:

| Path         | Description                 |
| ------------ | --------------------------- |
| `/app/agent` | Main application directory. |

Table: ML Platform Agent relevant folders for containerized environments

### ML Platform Training

:lock: Data Platform

Performs model training from events gathered by the Data Platform.

Relevant folders in container volumes:

| Path            | Description                                                 |
| --------------- | ----------------------------------------------------------- |
| `/app/agent`    | Main application directory.                                 |
| `/app/export`   | Main export directory.                                      |
| `/app/training` | Main directory where training data is gathered and adapted. |

Table: ML Platform Training relevant folders for containerized environments

### Redis

:lock: Data Platform

From [Redis](https://redis.io/): *The open source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker.*

Relevant folders in container volumes:

| Path    | Description       |
| ------- | ----------------- |
| `/data` | Main data folder. |

Table: Redis relevant folders for containerized environments

### Replicate Events

:lock: Data Platform

Listens to operation IDs on messages with Kafka topics sent by the Replicate IDs application, matching the retrieved IDs with the ones in the database to check for changes. When changes are found, it retrieves the information and produces a JSON document which is then sent through a Kafka topic.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Replicate Events relevant folders for containerized environments

### Replicate IDs

:lock: Data Platform

Checks the main database for all generated IDs, takes them and broadcasts them in a Kafka topic.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Replicate IDs relevant folders for containerized environments

### Replicate Table Schemas

:lock: Data Platform

Sends all table structures to Redis.

Relevant folders in container volumes:

| Path                               | Description                 |
| ---------------------------------- | --------------------------- |
| `/var/opt/envmanager/installation` | Main application directory. |

Table: Replicate Table Schemas relevant folders for containerized environments
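
Referring back to the `web-secure` entrypoint requirement in the Traefik section, the following is an added example (not part of the Critical Manufacturing documentation or product) of a pre-deployment check that a custom Traefik ingress controller defines every entrypoint the MES ingress annotations reference. The manifests are constructed samples shaped like `kubectl get ... -o json` output; the ingress name `mes-ui`, the ports and the function names are assumptions.

```python
import re

REQUIRED = "web-secure"  # entrypoint name the MES stack references (from the page)
ANNOTATION = "traefik.ingress.kubernetes.io/router.entrypoints"  # from the page
# Flag spelling is matched case-insensitively; the entrypoint name itself is kept as written.
FLAG = re.compile(r"^--entrypoints\.([^.=]+)\.address=(.*)$", re.IGNORECASE)


def defined_entrypoints(workload):
    """Map entrypoint name -> address from the Traefik container args.

    Accepts a Deployment/DaemonSet (spec.template.spec) or a bare Pod (spec).
    """
    spec = workload.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)
    found = {}
    for container in pod_spec.get("containers", []):
        for arg in container.get("args") or []:
            match = FLAG.match(arg)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def referenced_entrypoints(ingress):
    """Entrypoint names listed (comma-separated) in the router annotation."""
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    value = annotations.get(ANNOTATION, "")
    return [name.strip() for name in value.split(",") if name.strip()]


def _squash(name):
    # Used only to spot near-misses such as "websecure" vs "web-secure".
    return re.sub(r"[-_]", "", name).lower()


def check(workload, ingresses):
    """Return a list of findings; an empty list means the names line up."""
    defined = defined_entrypoints(workload)
    findings = []
    if REQUIRED not in defined:
        near = [n for n in defined if _squash(n) == _squash(REQUIRED)]
        hint = f" (found similarly named {near[0]!r}; the name must match exactly)" if near else ""
        findings.append(f"entrypoint {REQUIRED!r} is not defined{hint}")
    for ingress in ingresses:
        name = ingress.get("metadata", {}).get("name", "<unnamed>")
        for ref in referenced_entrypoints(ingress):
            if ref not in defined:
                findings.append(f"ingress {name!r} references undefined entrypoint {ref!r}")
    return findings


# Constructed sample manifests (names and ports are illustrative).
MISNAMED = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "traefik", "args": [
        "--entrypoints.web.address=:8000",
        "--entrypoints.websecure.address=:8443",  # close, but not the required name
    ]}]}}}}
CORRECT = {"kind": "Deployment", "spec": {"template": {"spec": {"containers": [
    {"name": "traefik", "args": ["--entrypoints.web-secure.address=:8443"]}]}}}}
MES_INGRESS = {"kind": "Ingress", "metadata": {
    "name": "mes-ui", "annotations": {ANNOTATION: "web-secure"}}}

if __name__ == "__main__":
    for label, workload in (("misnamed", MISNAMED), ("correct", CORRECT)):
        problems = check(workload, [MES_INGRESS])
        print(label, "->", problems or "OK")
```
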