VisionHub system requirements and deployment

This article outlines the hardware requirements, architecture and deployment of the arivis VisionHub system.

Server Requirements (Central Server)

  • Windows Server 2012/2016/2019

  • Fast access to image storage (gigabit ethernet) or local hard drives for images

  • 2 GB installation space

  • Optional: 200 GB to x TB fast hard disk for local caching

  • 32 GB main memory

  • 8 Core CPU

  • For analysis workflows, we propose providing extra servers to launch parallel analysis workers (Windows Server 2012/2016/2019, x Core CPU, 32 GB RAM, fast access to image storage)

  • For server-side rendering, we propose providing a high-performance graphics card or a cluster of servers with high-performance graphics cards

Client Requirements

  • VisionHub WebApp Dashboard access is OS-independent: a fully featured UI in the web browser of your choice (Firefox, Chrome, Edge, Safari, etc.; performance and experience may vary on mobile platforms)

Server-side Rendering Requirements

arivis is a certified NVIDIA Elite Solution Provider. The renderer is based on the NVIDIA OptiX 7 ray-tracing engine (https://developer.nvidia.com/optix). It is therefore necessary to have an NVIDIA graphics card with the most-current driver installed.

Minimal

  • NVIDIA P4000 8GB (tested) or above

  • NVIDIA GeForce 10xx (8GB)

Recommended

  • NVIDIA GV100 64GB (tested)

  • NVIDIA QUADRO RTX 5000 or above

  • NVIDIA 20xx (10GB)

  • For large surface visualizations, we recommend using RTX hardware. RTX hardware drastically improves the performance of surface rendering. However, it doesn’t influence the volume rendering.

Known Issues

  • We use the NVIDIA hardware encoder for real-time video encoding. On a consumer graphics card and even on a professional graphics card the number of concurrently used encoders is limited.

arivis recommends ACQUIFER® HIVE™ Solutions for Big Data

Why HIVE?

  • Designed for the pragmatic, biology-focused scientist, the HIVE platform boosts productivity in microscopy facilities and screening labs.
  • HIVE is a high speed centralized data repository that removes the need to constantly move or duplicate data sets in processing and analysis workflows.
  • Its modular design integrates high speed processing, visualization, remote access, project management, flexibility, data security, scalability and ease of use in one unit.
  • It saves time, space, costs and administrator workload.
  • More details available at the ACQUIFER HIVE website.  
  • Tested and certified by arivis for ideal VisionHub compatibility and performance out-of-the-box.

Architecture and Components

VisionHub Architecture

Deployment Example (parallel analysis)

VisionHub Components

  • Launcher — configuration, setup and launching of VisionHub components (Node.js, pm2, services, PowerShell/batch)
  • Proxy-Server — configurable HTTP/S port mapping for VisionHub components; in default installations only the Api-Server is proxied (Node.js, node-http-proxy)
  • Api-Server — manages VisionHub entities (datasets, pipelines, workflows, users) and data flow; facilitates authorization and authentication (Node.js, IBM LoopBack; database support: In-Memory, PostgreSQL, MSSQL)
  • Webapp-Client — HTML interface to VisionHub servers/Api-Server; includes Interactive Viewer, configurable components/theming (TypeScript, NuxtJS, VueJS)
  • Interactive Viewer — provides HTML UI to explore image data, comes with 2D (Tile-Server) and 3D (Render-Server) viewers, color/channel control (TypeScript, VueJS)
  • Tile-Server — provides access to image tiles for supported file formats, provides histogram calculation, applies color/channel transformations (Node.js, C++, arivis imageCore, Windows, (Linux only for sis))
  • Object-Server — manages access to arivis ObjectsCore .objects files, used by Interactive-Viewer (create manual annotations) and Analysis-Worker (automatic result objects) (Node.js, C++, arivis ObjectsCore, Windows)
  • Render-Server — CUDA-based renderer that provides high-quality 4D rendering; uses websockets to provide an H.264 video stream and receive control commands from the Interactive-Viewer 3D controls (Node.js, CUDA, OptiX, arivis RenderCore, C++, websockets, Windows)
  • Watcher/Filepoller — monitors the file system and automatically registers files to VisionHub, highly configurable (Node.js)
  • Analysis-Worker — executes arivis AnalysisPipelines (arivis AnalysisCore, C++, Windows)
  • Import-Worker — handles dataset import tasks (arivis ImportCore, Windows)

Deployment Information

VisionHub is based on a service architecture that allows flexible packaging and rollout scenarios (see architecture deployment examples).

As not all VisionHub components can be fully restricted in their memory and processor usage, we propose using dedicated servers for the VisionHub installation. Deployment on dedicated servers prevents competition for resources (processing or otherwise) with other non-arivis solutions.

If analysis or render workers are involved, we propose using additional dedicated servers (ideally for each worker). This ensures that worker load does not interfere with the interactive user experience of the VisionHub frontend.

We propose using VMs to set up the dedicated machines for an installation, as they allow easy adjustment of performance parameters even after installation.

Security Aspects

Authentication and Authorization

The VisionHub Api-Server manages users and all authentication/authorization tasks. All client communication is handled by the Api-Server and forwarded to sub-systems (Tile-Server, Objects-Server, etc.) only after successful authentication and authorization. All client communication is hidden behind a proxy component that takes care of HTTP/S communication to external clients. VisionHub users are required to log in via the WebApp-Client. A JWT session cookie is used to allow secure communication between WebApp-Client/Interactive Viewer and Api-Server.

The API-Server utilizes a configurable role-based model (default roles: admin, manager, user) to manage users. External authentication authorities (LDAP, AD, OAuth2) can be integrated.

For authorization, the API-Server combines:

  • RBAC/permission authorization: configurable application/user rights that are not bound to a specific entity (e.g. userXX/roleYY is allowed to upload/register files), and

  • entity-specific ACLs (e.g. userXX/roleYY is allowed to view dataset ZZ)

The WebApp-Client provides a permission UI for each authorizable entity to define its ACLs.
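The two authorization layers described above, as an added sketch that is not VisionHub or arivis code. The data model, the function names, the permission strings and the deny-by-default rule with no implicit bypass are assumptions for illustration; the page does not document how the Api-Server evaluates the layers.

```javascript
// Added illustration, not VisionHub code. All names and data are constructed.

// Layer 1 (RBAC): application-wide permissions per role, not bound to an entity.
const ROLE_PERMISSIONS = new Map([
  ['admin', new Set(['file.register', 'user.manage'])],
  ['manager', new Set(['file.register'])],
  ['user', new Set()],
]);

// Layer 2 (entity ACLs): grants on one entity to "user:<id>" or "role:<name>".
const ENTITY_ACLS = new Map([
  ['dataset:ZZ', [
    { principal: 'role:manager', actions: ['view', 'edit'] },
    { principal: 'user:alice', actions: ['view'] },
  ]],
]);

// Principals a subject may act as: itself plus each of its roles.
function principalsOf(subject) {
  return new Set([`user:${subject.id}`, ...subject.roles.map((r) => `role:${r}`)]);
}

// Entity-independent check, e.g. "may this user register files?"
// Maps (not plain objects) keep unknown role names from matching prototype keys.
function hasPermission(subject, permission) {
  return subject.roles.some((r) => ROLE_PERMISSIONS.get(r)?.has(permission) === true);
}

// Entity-specific check, e.g. "may this user view dataset ZZ?"
function hasEntityAccess(subject, entity, action) {
  const principals = principalsOf(subject);
  const acl = ENTITY_ACLS.get(entity) ?? []; // no ACL on the entity means no access
  return acl.some((e) => principals.has(e.principal) && e.actions.includes(action));
}

// Single decision point: a request that names an entity is decided by that
// entity's ACL only; any other request is decided by role permissions only.
function authorize(subject, request) {
  if (!subject || !Array.isArray(subject.roles) || !request?.action) return false;
  return request.entity
    ? hasEntityAccess(subject, request.entity, request.action)
    : hasPermission(subject, request.action);
}

// Constructed sample subjects.
const alice = { id: 'alice', roles: ['user'] };
const bob = { id: 'bob', roles: ['manager'] };
console.log(authorize(alice, { action: 'view', entity: 'dataset:ZZ' })); // user-level ACL grant
console.log(authorize(bob, { action: 'file.register' }));                // role permission
```

Keeping both checks behind one `authorize` function makes it harder for a new route to skip a layer, and an entity without an ACL entry is inaccessible rather than open.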

Web Application Security

arivis ensures that all of VisionHub’s publicly available routes pass the current OWASP Top 10 security risks checklist.