Azure Cloud Installs - Anyone using

Working with a team to see if we can do an Azure Install of DHIS2. I haven’t found any references or successful installations, so if you have one, or have links to more information we would be interested.

We are focusing on Azure since that is our primary cloud foundation and experience, as well as grants and non-profit pricing that we utilize. I’ve worked on basic cloud projects for a couple of years, but I’m a beginner when it comes to DHIS2. I have a local DHIS2 server running on a VM that I used to become familiar with the basic install process.

In the absence of instructions for Azure, below is where I’ve started, although I don’t have a working install yet. We are working through the process to see if one can be set up, and then sharing the steps out to others that might be interested. I have found the installation information on AWS, but the process is a little different for what we are trying to do. You can use the information below as a starting point and share any lessons learned as you go if you’d like to help. If we are successful, I’ll publish the steps here for others to use and improve upon.

Thought Process:

We could work from a VM with either an included PostgreSQL DB, or link to an Azure PostgreSQL DB. Preference is to keep the two separate, and have a very lightweight app service for the application. Ideally we would be able to use a Linux App Service which is small and light, but so far I have not had any success.

Basic Steps and what we are using:

Creating an “App Service + DB” which allows you to create a separate container for the App, and a database server in Azure. Starting with this allows you to do the majority of software setup, environment variables, and networking/firewall requirements as part of their Quickstart Template. At that point it should just be setting up the DHIS2 application on the App Service.

First, we created a Resource Group to hold all the resources that are created. Keeping them in one place, and only using the group for our DHIS2 Instance makes it much easier for changes and updates. Also to give permissions to other groups that may need access to the Infrastructure portion of the install.

When setting up the App Service + DB, the following selections are made:

  • Subscription:
  • Resource Group:
  • Region:
  • Name: will be accessed by .azurewebsites.net
  • Runtime Stack: Java 11
  • Java web server stack: Apache Tomcat 9.0
  • DB Engine: PostgreSQL - Flexible Server
  • Server name:
  • Database name:
  • Hosting: for practice testing

Will take several minutes to provision, but will create an App Server, DB Server, Virtual Networks/DNS. It will also create firewall rules to limit access to resources from the public, except for the App server which will be public facing by default.

To deploy the WAR file to the server, using the Azure CLI, type the following command:

az webapp deploy --resource-group <resource-group> --name <app-name> --src-url <URL to the .WAR file release you want to install> --type war

I used https://releases.dhis2.org/2.38/dhis2-stable-latest.war as my URL above. Make sure to include the “--type war” command at the end.

This command will download the .WAR file and place it in the correct location for Tomcat on the app service.

In the App Service, Configuration, it creates several ENV variables that can be used within the container. These include DBSERVER, DBNAME, DBPASS among others. I also added a DHIS2_HOME variable with the link to the location for the config files.

Last, I used Kudu SSH to go into the container and create the DHIS2_HOME folder as well as the dhis.conf file. You can use the ENV variables within the dhis.conf file to build the connection string. Make sure to only save things in the /home directory. That is persistent between moves and reboots. Changing files anywhere else may not persist. Also, make sure to restart the container when making changes so that they will take effect.

All of this got me two things.

  1. Accessing the App URL the first time I had a blank screen for awhile. But it ended up with a Tomcat 404 error eventually. This was similar to the behavior of an initial install locally, except that it ended at the login screen instead.
  2. Subsequent visits went straight to 404.

Still reviewing logs on both the app service and the DB server, but no clues so far.

Questions:

  1. The instructions talk about not running as root, but in these types of containers that is usually how they run them. Is there a particular security reason within DHIS2 itself that I wouldn’t want to do that?
  2. Is the startup.sh necessary? It looks like it starts Tomcat with DHIS2, but again in this case, I think the app service does that when it starts, especially using the “az deploy” cmd. Is there another reason why it would need a separate startup.sh? It is possible to run a script as part of the startup process of the service if needed.

Thanks in advance. I just wanted to put this out there to see if we could come up with a way to deploy DHIS2 on Azure in a quick, lightweight reproducible way.

Ken

1 Like
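
The dhis.conf step from the post above, as an added example that is not part of the original thread or of the DHIS2 project: a POSIX shell function that renders the file from the App Service environment variables, refuses locations outside /home, and keeps the file owner-only because it holds the database password. DBSERVER, DBNAME and DBPASS are named in the post; DBUSER, PERSIST_ROOT, port 5432, the function name, and the `sslmode=require` JDBC option (which assumes the database server accepts TLS) are assumptions.

```shell
#!/bin/sh
# Added example: write dhis.conf from App Service environment variables.
# DBSERVER, DBNAME and DBPASS are named in the post; DBUSER, PERSIST_ROOT and
# the function name are assumptions made for this sketch.

render_dhis_conf() {
    home_dir="$1"                    # the value you set for DHIS2_HOME
    root="${PERSIST_ROOT:-/home}"    # the post: only /home persists

    # Refuse paths outside the persistent root, including ".." tricks.
    case "$home_dir" in
        *..*) echo "DHIS2_HOME must not contain '..'" >&2; return 2 ;;
        "$root"/*) ;;
        *) echo "DHIS2_HOME must be under $root" >&2; return 2 ;;
    esac

    # Fail early, naming the missing variable without printing any value.
    for var in DBSERVER DBNAME DBUSER DBPASS; do
        eval "val=\${$var:-}"
        [ -n "$val" ] || { echo "missing env var: $var" >&2; return 3; }
    done

    # Subshell with umask 077: directory and file are owner-only from the
    # moment they exist, so the password is never briefly world-readable.
    # sslmode=require (assumption: server accepts TLS) forbids plaintext.
    (
        umask 077
        mkdir -p "$home_dir" || exit 4
        cat > "$home_dir/dhis.conf" <<EOF
connection.dialect = org.hibernate.dialect.PostgreSQLDialect
connection.driver_class = org.postgresql.Driver
connection.url = jdbc:postgresql://${DBSERVER}:5432/${DBNAME}?sslmode=require
connection.username = ${DBUSER}
connection.password = ${DBPASS}
connection.schema = update
EOF
    ) || return 4

    # Explicit mode in case the file already existed with looser permissions.
    chmod 600 "$home_dir/dhis.conf"
}

# Example call (commented out so sourcing the file has no side effects):
# render_dhis_conf "$DHIS2_HOME"
```

Values are expanded by the shell at render time, so the result does not depend on dhis.conf itself resolving environment variables; a password containing a backslash would still need escaping for the Java properties format.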

You might be able to connect (or tag in the post) with some people in the community who have posted about using Azure before. Yes, most are asking for support but probably have things to share and have learned a lot since their last post. Check out this search query: Search results for 'azure' - DHIS2 Community

I got one response from @netroms which answers this question: “you don’t want tomcat to run as root in case it gets hacked, since if it runs as root the attacker can get root privileges.”

The rest requires someone with experience in Azure or would require having a look at the logs for an expert to make a judgement. Thank you for the detailed post and I hope you will make progress with this asap. :+1:

Thanks @Gassim. Most of the Azure discussions seemed to be related more towards OpenID/authentication type questions. I did use @UniMatrix post on connecting to a remote PostgreSQL DB on Azure for some hints as well.

I have to do some more studying on Tomcat on the app services. Since by default that is how the container is set up, and most of their Tomcat applications are run, in that particular configuration, it seems locked down. Services and apps are pretty limited on those containers so there is very little footprint to cause issues, but definitely noted. Not sure it even allows creation of another user.

For the startup.sh file on normal installs, does it do anything other than “turn on” the Tomcat server with DHIS2? I think that in the case of an app service it runs whenever someone visits the URL, but I wasn’t sure if there was something else running in the background by starting that script.

I have a few different things to try and will see what I come up with on these. Will update as I have more news!

Thanks again!
Ken

1 Like

We deploy our instances mostly on Azure Linux VMs, we have them containerized as per these instructions by @bobj https://github.com/bobjolliffe/dhis2-tools-ng

It does look like you got the installation right as per your deployment, you might want to check if inbound/outbound traffic is configured correctly on the VM. Previously, I deployed an instance, that runs fine as per the logs but on the browser, nothing showed - I later figured out that this was a firewall issue, and got that fixed by configuring the network inbound/outbound traffic rules on Azure.

Thanks,
Mike

2 Likes

Hi @mykbitz, thank you.

For this Azure setup, they will be containers for both the App and the DB running directly on their App Service infrastructure. If I’m reading it correctly, this article is running a VM and then running the containers on the VM. I’ll look through it; I may be able to use some of the configuration to work on this as well, which will help.

The good thing about their App Service + DB offering is that for the most part it configures the networking/firewall and may just need tweaks. Right now I'm just tracing the traffic to make sure I have the DB configuration first since I’m thinking that’s where I may be getting stuck.

Will definitely update steps once I get there, and if I can template/script it out that would be even better!

Thank you again for pointing me to some additional resources!!

Ken

2 Likes

Thanks @ken.richards, the App Service + DB method sounds interesting. Could we have a Zoom/Teams call on this? I am interested in learning from you, and we could possibly resolve the challenge you got as well.

Thanks, Mike

2 Likes

Mike, Definitely would be interested. I’ll send you a DM with more info.

Ken

1 Like

Hi @ken.richards did you get through with this?

1 Like

Hi @Motloheloa_Maieane, we haven’t yet. I did talk to a couple of other members, and it looks like we were on the right track, but still weren’t able to track the specific error or configuration that was causing the problem. Still working on it though. Will definitely post an update if we get it figured out.

Ken

1 Like