GCP prerequisites
This page describes the infrastructure and other prerequisites for deploying Tower on Google Cloud Platform (GCP).
Tower container images
Nextflow Tower is distributed as a collection of Docker containers available through the Seqera Labs container registry cr.seqera.io. Contact support to get your container access credentials. Once you have received your credentials, log in to the registry using these steps:
- Retrieve the username and password you received from Seqera Labs support.
- Run the following Docker command to authenticate to the registry (using the username and password values copied in step 1):

      docker login -u '<USERNAME>' -p '<PASSWORD>' cr.seqera.io

- Pull the Nextflow Tower container images with the following commands:

      docker pull {{ images.tower_be_image }}
      docker pull {{ images.tower_fe_image }}

The Seqera Labs container registry cr.seqera.io is the default Tower container image registry from version 22.4. Use of the AWS, Azure, and Google Cloud Tower image registries in existing installations is still supported but will be deprecated for new installations starting June 2023. See here for steps to use the Seqera Labs private GCP Artifact Registry.
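The `-p` flag in step 2 places the password in shell history and in the process list of the machine where it is typed. The function below is an added example, not part of the Tower documentation: it logs in to cr.seqera.io with Docker's `--password-stdin` option, reading the password from a file that only its owner can access. The name `registry_login` and the credential file are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Tower documentation.
# registry_login and the credential file are hypothetical names.

# Usage: registry_login <USERNAME> <FILE_CONTAINING_PASSWORD>
registry_login() {
  user=$1
  secret_file=$2
  registry=cr.seqera.io

  if [ ! -f "$secret_file" ] || [ ! -r "$secret_file" ]; then
    echo "registry_login: cannot read $secret_file" >&2
    return 2
  fi

  # Refuse a credential file that group or others can read or write.
  loose=$(find "$secret_file" -prune \
    \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)
  if [ -n "$loose" ]; then
    echo "registry_login: $secret_file is open to group/others (chmod 600 it)" >&2
    return 3
  fi

  # The password travels on stdin, so it never appears in argv or history.
  docker login -u "$user" --password-stdin "$registry" < "$secret_file"
}
```

Delete the credential file once the login has succeeded if the VM is shared.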
Mandatory prerequisites
SMTP server
If you do not have an email server, Google Cloud provides several ways to send emails:
- Google Workspace:
- Third-party services from the Google Cloud marketplace, including:
Work with your IT team to select the best solution for your organization.
MySQL database
An external database (i.e. external to your Docker Compose or Kubernetes deployment) is highly recommended for production deployments. If you don't have your own database service, you can use Google CloudSQL.
If you decide to use an external database, you must create a MySQL user and database manually. See Configuration for more details.
VM instance (Docker Compose)
A Google Compute Engine (GCE) instance is required to deploy Tower via Docker Compose. See the detailed instructions to provision a VM instance for this purpose.
GKE cluster (Kubernetes)
A Google Kubernetes Engine (GKE) cluster is required to deploy Tower via Kubernetes. See the GKE documentation to provision your own cluster.
GKE Autopilot is not currently supported by Tower due to a privilege issue with the Redis deployment. However, you can achieve most of the same behavior with a Standard cluster by enabling autoscaling and node auto-provisioning.
Optional prerequisites
SSL certificate
An SSL certificate is required for your Tower instance to handle HTTPS traffic.
From Tower 22.1.1, HTTP-only implementations must set the TOWER_ENABLE_UNSAFE_MODE=true environment variable in the Tower hosting infrastructure to enable user login.
Public IP address
A public IP address can be reserved for the Tower ingress to keep the IP address constant across restarts. If you do not reserve an IP address, the ingress will create one for you automatically, but it will be different every time you deploy the ingress. See the detailed instructions to reserve a public IP address.
- Browse to VPC network → External IP addresses and select Reserve Static Address.
- Assign a name (e.g., tower-ip). This name will be used later to configure the ingress.
- Select the region where your GKE cluster is deployed.
- Select Reserve.
Detailed instructions
This section provides step-by-step instructions for some commonly used GCP services for Tower deployment. See the GCP documentation for up-to-date instructions and contact GCP support if you have any issues with provisioning GCP resources.
Google CloudSQL
- Browse to Cloud SQL and select Create Instance.
- Select MySQL (you may need to enable the API).
- Change to Single zone availability, unless there is a need for high availability.
- Update the Region and Zone to match the location of your Tower deployment.
- Expand Show configuration options and update the Machine type and Storage settings. The recommended machine type and disk size depend on the number of parallel pipelines you expect to run. In this guide, we use the Standard machine type with 1 vCPU, and 20 GB SSD storage.
- Expand Connections, disable Public IP, and enable Private IP.
- Select the Network (usually default). You may need to set up a Private services access connection for this VPC if you have not done so already. Enable the API and select Use an automatically allocated IP range. Select Continue, then Create Connection.
- Select Create Instance.
- Once the database has been created, select the instance, then Databases. Create a new database named tower.
- Note the Private IP address of the instance as it must be supplied to the TOWER_DB_URL environment variable.
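A pre-flight check for two settings this page names, TOWER_ENABLE_UNSAFE_MODE (SSL certificate section) and TOWER_DB_URL (last step above), written as an added example that is not part of the Tower documentation. It assumes an env file of KEY=VALUE lines and a TOWER_DB_URL of the JDBC form jdbc:mysql://HOST:PORT/tower; the function names are hypothetical, and the RFC 1918 test is a heuristic for "Private IP".

```shell
#!/bin/sh
# Added example, not part of the Tower documentation.
# Assumption: TOWER_DB_URL has the JDBC form jdbc:mysql://HOST[:PORT]/DB.

# Succeeds only for a dotted-decimal RFC 1918 address.
is_private_ipv4() {
  case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  case "$1.$2" in
    10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
  esac
  return 1
}

# Print one finding per line for env file $1; return 1 if anything was found.
check_tower_env() {
  rc=0
  unsafe=$(sed -n 's/^TOWER_ENABLE_UNSAFE_MODE=//p' "$1" | tail -n 1 | tr -d "\"' \r")
  db_url=$(sed -n 's/^TOWER_DB_URL=//p' "$1" | tail -n 1 | tr -d "\"' \r")
  if [ "$unsafe" = "true" ]; then
    echo "UNSAFE_MODE: TOWER_ENABLE_UNSAFE_MODE=true, logins travel over plain HTTP"
    rc=1
  fi
  if [ -n "$db_url" ]; then
    host=${db_url#*://}      # drop the jdbc:mysql:// scheme
    host=${host%%[:/?]*}     # drop port, path and query
    if ! is_private_ipv4 "$host"; then
      echo "DB_HOST: $host is not an RFC 1918 address, check Cloud SQL Private IP"
      rc=1
    fi
  fi
  return "$rc"
}

# Constructed sample input, not a real deployment.
sample=$(mktemp)
printf '%s\n' 'TOWER_ENABLE_UNSAFE_MODE=true' \
  'TOWER_DB_URL=jdbc:mysql://203.0.113.10:3306/tower' > "$sample"
check_tower_env "$sample" || echo "review the findings above before deploying"
rm -f "$sample"
```

A database host given as a DNS name is also reported, since the script cannot tell where the name resolves.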
Google Compute Engine
- From the Navigation menu of the Google Cloud console, select Compute Engine to create a new VM instance. Select the machine name, region/zone, and machine type. In this example we have used an e2-standard-2 instance (2 vCPUs, 8 GB memory). We recommend using the container-optimized OS for the VM.
- Enable HTTP traffic. By default, the frontend is exposed on port 8000, so you will need to add a firewall rule to the underlying VPC network to allow port 8000 (after VM creation).
- Connect to the machine using SSH. If you run into issues with SSH, or would like to set up IAP SSH, refer to the documentation for TCP forward to IAP.
- Install Docker if it is not already installed.
- Test Docker by running the Docker Compose image. If Docker does not have sufficient permissions, use these steps to run it without root, or use sudo.

      # test docker compose
      docker run docker/compose:1.24.0 version
      # check that docker/compose image was pulled
      docker images

- Create an alias for docker-compose:

      # the alias runs Compose in a container that reaches the host Docker daemon through the mounted socket
      echo alias docker-compose="'"'docker run --rm \
      -v /var/run/docker.sock:/var/run/docker.sock \
      -v "$PWD:$PWD" \
      -w="$PWD" \
      docker/compose:1.24.0'"'" >> ~/.bashrc
      # reload the file the alias was appended to
      source ~/.bashrc

- Configure gcloud and Docker as described in Tower container images.