The configuration of an MSE application is written in a TOML file.
The mse.toml file located in the current directory is used with the mse cloud deploy subcommand; you can specify another TOML file with the --path argument if needed.
```toml
name = "test"
python_application = "app:app"
healthcheck_endpoint = "/"
tests_cmd = "pytest"
tests_requirements = [
    "intel-sgx-ra>=1.0.1,<1.1",
    "pytest==7.2.0",
]

[cloud]
code = "my_project/code"
tests = "my_project/tests"
docker = "ghcr.io/cosmian/mse-flask:20230710125733"
project = "my_project"
hardware = "4g-eu-001"
```
| Key | Required | Type | Description |
|---|---|---|---|
| name | ✔️ | string | Name of the application. It must be unique per project |
| tests_cmd | ✔️ | string | The command to run to test the application (used by |
| tests_requirements | ✔️ | list of string | The requirements to install before testing the application. (used by |
| code | ✔️ | string | Relative path to the application code folder |
| tests | ✔️ | string | Relative path to the application tests folder |
| docker | ✔️ | string | URL of the MSE Docker image to run. It can be a local image for local tests, but it must be a remote URL when deploying. See the section below |
| project | ✔️ | string | Project name to regroup applications for payment |
| hardware | ✔️ | string | Name of the hardware booked to spawn your application |
| | | | Expiration date before the application shuts down (RFC 3339 format) |
| secrets | | string | A file path (absolute or relative to the configuration file) containing secrets needed by your application to run. See this page for more details. |
Two applications from the same project with the same name cannot be running at the same time.
You can list your booked hardware or buy new ones in the Cosmian Console. Hardware is bought for a given project and can’t be transferred to another project. By default, you own one and only one free hardware called 4g-eu-001 (this amount cannot be changed for free hardware).
Let’s assume you own N hardwares called: 2g-eu-001. You can deploy N applications on that specific hardware configuration. If you need to deploy more applications, you need to buy new hardware.
As soon as a new hardware is bought, you are charged for one month. If you drop the hardware before the end of the month, it is immediately unusable without pro rata payback: you get a credit instead. In the event of non-payment of a monthly invoice, you will receive 3 reminder emails. After 7 days, if the invoice remains unpaid, all your hardware subscriptions are cancelled and all your applications are stopped.
Expiration date of the application
The expiration date is tied to the self-signed certificate. When the expiration date is reached, the application is not available anymore.
If the hardware is 4g-eu-001 (aka free hardware) then the expiration date of the app will be forced to 4 hours.
In case the SSL certificate is provided by the application owner, the expiration date of the app should be lower than the expiration date of the certificate.
expiration_date is specified in the configuration file, the expiration date of the application is the expiration date of the certificate.
Otherwise, the expiration date is set to 1 year (except for
The docker parameter defines which Docker image will run in the MSE node. Cosmian offers several Docker images (use the tag with the most recent date):
- mse-flask: containing flask dependencies.
- mse-pytorch: containing flask and machine learning dependencies using pytorch.
- mse-tensorflow: containing flask and machine learning dependencies using tensorflow.
- mse-ds: containing flask and data science dependencies.
- mse-fastapi: containing fastapi dependencies.
- mse-nlp: containing natural language processing dependencies.
You can test that your code runs properly inside this Docker image using mse cloud test.
If you need to install other dependencies, you can create a new Docker by forking mse-docker-flask.
This Docker image will be allowed to start in an MSE architecture after a review by a Cosmian member. To do so, please contact [email protected] and provide your Dockerfile and the link to your docker image.
Note that the requirements.txt from your source code directory will still be read when the docker runs. We strongly recommend putting all your requirements into the docker and removing the requirements.txt from your source code.
Useful if you want to use your own custom domain name. For more information, see scenarii.
| Key | Required | Type | Description |
|---|---|---|---|
| domain_name | ✔️ | string | Custom domain name of your application. Should also be in CN and Subject Alternative Name of the certificate |
| private_key | ✔️ | string | A file path (absolute or relative to the configuration file) containing the private key of the SSL connection (PEM format) |
| certificate | ✔️ | string | A file path (absolute or relative to the configuration file) containing the full certification chain of the SSL connection (PEM format) |
LetsEncrypt is supported and recommended to get a certificate for your custom domain. Be aware that the expiration date is set to 3 months for all LetsEncrypt certificates: to run a long-life application you should probably use another certificate authority.
Here is the procedure to generate the certificate with LetsEncrypt (e.g. example.domain.com).
- In your DNS provider interface, register a CNAME field example.domain.com to the Cosmian proxy proxy.mse.cosmian.com. This registration must be effective before running mse cloud deploy.
To generate a certificate, the DNS-01 challenge will be used. With
```console
$ sudo certbot certonly -d example.domain.com --manual --preferred-challenges dns -m [email protected] --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for example.domain.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.example.domain.com.

with the following value:

M1XAAAAAAAAAAAAAAAAAAAAAAAAAAA5Yo

[...]

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.domain.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.domain.com/privkey.pem
This certificate expires on 2023-03-07.
These files will be updated when the certificate renews.

[...]
```
A TXT record should be registered under a given name in your DNS provider interface. After doing that, the certificate will be generated. Delete this record at the end of the process.
- Read the two PEM files and create your own ssl section in the MSE configuration file. You are now ready to deploy your app using: mse cloud deploy.
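Before deploying, the two PEM files can be checked against the constraints stated above: domain_name in the CN and Subject Alternative Name, a private key that belongs to the certificate, and an application lifetime shorter than the certificate's. The script below is an added example, not part of the MSE documentation or tooling; the function name check_mse_ssl and the lifetime argument in seconds are assumptions, and it relies only on the openssl command line.

```bash
#!/usr/bin/env bash
# Added example, not part of the MSE documentation. The function name and the
# lifetime argument (planned application lifetime in seconds) are assumptions.

# check_mse_ssl DOMAIN FULLCHAIN_PEM PRIVKEY_PEM [APP_LIFETIME_SECONDS]
# Returns 0 only if every check passes; failures are reported on stderr.
check_mse_ssl() {
    local domain="$1" cert="$2" key="$3" lifetime="${4:-0}"
    local rc=0 cn cert_pub key_pub

    # openssl x509 reads the first certificate of the chain file: the leaf.
    # 1a. domain_name must match the certificate's DNS names (openssl falls
    #     back to the CN only when the certificate carries no DNS SAN).
    if ! openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
            | grep -q 'does match'; then
        echo "FAIL: $domain is not matched by the names in $cert" >&2; rc=1
    fi

    # 1b. domain_name must also be the certificate's CN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline 2>/dev/null \
            | awk -F' = ' '/commonName/ {print $2; exit}') || cn=""
    if [ "$cn" != "$domain" ]; then
        echo "FAIL: CN is '$cn', expected '$domain'" >&2; rc=1
    fi

    # 2. private_key must be the key certified by the leaf certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2; rc=1
    fi

    # 3. The certificate must still be valid when the application expires.
    if ! openssl x509 -in "$cert" -noout -checkend "$lifetime" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $lifetime seconds" >&2; rc=1
    fi

    return "$rc"
}

# Run the checks when the script is called with arguments, e.g.:
#   ./check_ssl.sh example.domain.com fullchain.pem privkey.pem 2592000
if [ "$#" -ge 3 ]; then
    check_mse_ssl "$@"
fi
```

With a LetsEncrypt certificate the last check fails for any lifetime beyond roughly 90 days, which is the 3-month limit mentioned above.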