SAS Open Model Manager 1.2 has just been released, so what do you need to know?

• SAS Open Model Manager enables data scientists and developers to register, deploy and monitor open source models in a consistent and rigorous manner.
• Using SAS Open Model Manager, you can import, manage, and evaluate open-source analytical models in a common model repository.
• SAS Open Model Manager is delivered as a singular, portable image that can be deployed in a Docker Community Edition (Docker CE) or Docker Enterprise Edition (Docker EE) Linux environment.
• SAS Open Model Manager 1.2 is based on SAS Viya 3.5, but does not require a full SAS Viya installation.

Let’s have a quick look at the architecture and deployment, and the key considerations that you need to understand.

SAS Open Model Manager is a new offering that runs on Docker. With this release (February 2020) it is only supported on Docker CE or Docker EE, this initial release does not support running on Kubernetes. So, what are the system requirements?

What you need to run SAS Open Model Manager – system requirements

The following is a summary of the system requirements:

• Runs on Docker version 17.05.0 or later
• Both Docker Community Edition (CE) and Docker Enterprise Edition (EE) on Linux are supported
• SAS Open Model Manager is built on top of a CentOS 7 distribution for Docker
• Docker host resource requirements (minimum):
  • 4 cores (vCPUs)
  • 48 – 64GB RAM
  • 32GB disk space
    • Assumes data is not stored in the file system inside the running container.
    • SAS recommends mounting an external storage volume for logs and data.
• The use of a private Docker registry is supported
• SAS Open Model Manager only supports host authentication to secure the user interface:
  • LDAP is used for user authentication
  • The container includes support for the Linux System Security Services Daemon (SSSD)
• SAS Open Model Manager requires home directories. Each user must log on with an account that has a home directory.

Note, SAS Open Model Manager 1.2 is only supported on Docker, it is not supported running on a Kubernetes platform or on a managed container service such as AWS Elastic Container Service (ECS).

Architecture overview

The SAS Open Model Manager container includes the SAS Open Model Manager web application, an SMP CAS server, the SAS Micro Analytic Service and a subset of the SAS Viya servers and microservices. This is illustrated in the Figure 1.

Figure 1. SAS Open Model Manager architecture overview
Select any image to see a larger version.
Mobile users: To view the images, select the "Full" version at the bottom of the page.

In the diagram you can see the input files that are used when launching an instance of SAS Open Model Manager and the script that is used to start the container (run_docker_container). The start script and the input files must all be in the same directory, a working directory.

The default implementation is to use the container storage, but persistent storage external to the container can and should be used, especially for home directories and user data. Unless you are truly experimenting and are not worried about losing your work after killing the container. The persistent storage is depicted as the ‘/my_data’ mount in the figure.

As part of launching a container a set of volumes are created for your SAS Viya environment, using the naming format <volume>-<container_name>. The following volumes are created:

• casdata
• caspermstore
• consul
• postgres
• sasmmastore
• sasmmsresources

For my testing I created a container called ‘myOMM’, then using Portainer to manage my docker environment you can see the volumes that were created. This is illustrated below.

Note, each SAS Open Model Manager container that is launched must have a unique name and has its own set of storage volumes. By default, these storage volumes are under the /var/lib/docker/volumes/ path.

SAS Open Model Manager does not include SAS Environment Manager, so additional customization and configuration is performed using the sas-admin command-line interface. For example, while you can specify the initial user (administrator) in the sitedefault.yml file, to add additional users to the administrators group you use the sas-admin CLI. You would also use the CLI to create CASlib definitions.

You can download the SAS Administration Command Line Interface (CLI).

Authentication and security

As previously stated, host authentication is required to access SAS Open Model Manager. To support this the System Security Services Daemon (SSSD) layer is included in the container. To enable the SSSD configuration you must provide a ‘sssd.conf’ file and any required certificate to connect to Active Directory or LDAP. The default configuration assumes that the certificate file is named ‘sssd.cert’.

You must also include the ‘ldap_tls_cacert = /etc/sssd/sssd.cert’ statement in the sssd.conf file. This statement is commented out in the sample file on GitHub.

It is also possible to enable TLS security for the web application, this is called running in ‘TLS mode’. To enable TLS mode, you must provide a CA Certificate and an associated Public Key file, and use the ‘--TLS’ flag when you launch the container.

The CA certificate must be named ‘casigned.crt’ and the public key file must be named ‘servertls.key’.

To recap, all the input files must be located within the working directory and named as shown.

Getting started - deployment steps

Once you have your software order you can use the following steps to pull the image from SAS and launch a container instance of SAS Open Model Manager. I used a folder called ‘/working’ as my workspace.

Step 1 – Extracting the license files and certificates

To extract the license files and certificates you must unzip the SAS_Viya_deployment_data.zip file. The zip file is provided in the Software Order Email (SOE) when you place an order for SAS Open Model Manager.

$ unzip ~/working/SAS_Viya_deployment_data.zip

Then copy the license files to the working directory, these are in the ‘licenses’ directory that was created by the unzip step.

$ cd ~/working/licenses
$ cp SASViyaV0300_order-number_Linux_x86-64.tx ~/working/
$ cp SASViyaV0300_order-number_site-number_Linux_x86-64.jwt ~/working/

The highlighted text is unique to each order.

Step 2 – Configure Docker to use the SAS certificates

The first step is to create the ‘ses.sas.download’ directory.

$ sudo mkdir -p /etc/docker/certs.d/ses.sas.download

Now you need to copy the required files from the SAS_Viya_deployment_data.zip file into this directory. Using the following commands.

$ cd ~/working
$ sudo cp -v $(pwd)/ca-certificates/SAS_CA_Certificate.pem /etc/docker/certs.d/ses.sas.download/ca.crt
$ sudo cp -v $(pwd)/entitlement-certificates/entitlement_certificate.pem /etc/docker/certs.d/ses.sas.download/client.cert
$ sudo cp -v $(pwd)/entitlement-certificates/entitlement_certificate.pem /etc/docker/certs.d/ses.sas.download/client.key

Step 3 – Pulling the image for SAS Open Model Manager

To pull the image for SAS Open Model Manager we need to first obtain the image name. You do this using the SAS Mirror Manager for SAS Viya 3.5 software, which is available from SAS Support.

You can copy the image name into a text file for later use, using the following command.

$ ./mirrormgr list remote docker tags --deployment-data ~/working/SAS_Viya_deployment_data.zip --latest | tee ~/working/image_name.txt

The output is written to the text file and echoed to the terminal, in this case the image name is.

ses.sas.download/modmgrsta-145-x64_redhat_linux_7-docker/sas-open-modelmanager:1.2.17-20200207.1581118212423

Now that you have the image name, you can pull the image.

$ docker pull $(cat ~/working/image_name.txt)

Step 4 – Starting a container instance

There are a number of sample files available on GitHub.

At a minimum you need the following configured for your environment:

• sitedefault.yml
• sssd.conf and you may need a sssd.cert file
• The script to launch the container, this is called ‘run_docker_container’.

As described above, if you are enabling TLS security then you will also need the CA certificate and a public key.

To get the sample files downloaded into your working folder, a few quick Linux commands can make short work of it.

BASE=~/working
CONTENT="https://raw.githubusercontent.com/sassoftware/open-model-manager-resources/master/runOpenMM"
curl -s -o "$BASE/#1" "$CONTENT/{sssd_sample.conf,run_docker_container,sitedefault_sample.yml}"

Now with these files downloaded and configured for your environment you can start an instance of SAS Open Model Manager. Let’s assume that you want to start a container instance called ‘myOMM’ and will use port 8080 to access the container, then you would use the following command.

$ ./run_docker_container --container-name myOMM --image $(cat ~/working/image_name.txt) --order <SAS order number> --http-port 8080

You will see that the run_docker_container command will set the required permissions and ownership on the input files. This is shown in the screenshot below.

This leads to the following deployment.

Figure 2. Deployment overview

If you wanted to enable TLS mode using port 8443 you would add the following parameters on the start command, but remember you also need the CA certificate and public key files.

run_docker_container --container-name myOMM --image $(cat ~/working/image_name.txt)
--order <SAS order number> --http-port 8080 --https-port 8443 --tls

Step 5 – Login and start using SAS Open Model Manager

Once your container instance has started you can login to SAS Open Model Manager. For my testing, my docker server had 12 vCPUs with 64GB of memory. The startup time will be dependent on the resources (size) of your Docker host, the number of docker containers that you have running and whether you are limiting the resources for the SAS Open Model Manager container instance. 

The easiest way to determine when SAS Open Model Manager is ready for you to login is to monitor the log file. Using Portainer you can watch for the startup complete message, as shown below.

To access SAS Open Model Manager you use the Docker host name and the port that you specified, in this case post 8080.

http://<host_server>:8080/SASModelManager

To login to SAS Open Model Manager you can use the administrator user that you specified in the sitedefault.yml file, or any of the users that were cached from your LDAP or Active Directory.

One of the requirements is for each user to have a home directory, the good news is, this is automatically created (assuming you have a valid sssd configuration) on first login to SAS Open Model Manager.

The screenshot below (Figure 3) is from my initial login to SAS Open Model Manager.

Figure 3. SAS Open Model Manager user interface

At this point you could use the SAS Open Model Manager 1.2: Quick Start Tutorial to validate your deployment, or just to get started.

Conclusion

SAS Open Model Manager is a new offering from SAS that runs on Docker. The key points to remember are:

• All the input files and the start script must be in the same directory.
• The run script can be renamed but the input files must be named as described above.
• The container name and ports being used must be unique.
• You need a SAS order with a valid license to be able to download and use the software.

Finally, I have created a short video to take you through the deployment: Get Up and Running with Open Model Manager 1.2.

I hope this is useful and thanks for reading.

References

• SAS Open Model Manager 1.2 for Containers: Deployment Guide
• SAS Open Model Manager 1.2: User’s Guide
• SAS Open Model Manager 1.2: Quick Start Tutorial
• GitHub resources