Technical introduction to Convier

Convier runs as a Docker container entirely within your organization’s environment, e.g. as an App Service or Virtual Machine in Azure, or on-prem using providers like VMware or Citrix. No data leaves your network, and Convier does not store or copy any data: all data is fetched from your existing databases and services on demand. Convier also does not need a database; configuration is stored locally. Convier runs in your existing Azure tenant/organization.

Installation patterns

The preferred way to install Convier is as an App Service or Virtual Machine that can be accessed directly from employee laptops and from within the company intranet.

For user authentication, the preferred method is single sign-on with OIDC, for example Microsoft 365 / Azure AD. Convier can run with an embedded OIDC provider for user authentication and authorization, but that is not recommended.

Convier has three different release tracks with different update intervals:

  • docker.convier.com/convier:release
  • docker.convier.com/convier:stable-staging
  • docker.convier.com/convier:stable

System requirements

Convier is designed to run with minimal resources within a Docker container. It consists of a server component, and a browser web app that is provided to users by the server.

Server

Hardware

The primary requirement is a physical or virtual machine capable of running Docker. A Linux host is preferred, but not required. The Docker container will use storage mounted on the hardware, or a provided database, to persist configuration. No customer data is stored within Convier.

Convier does not need a database server. Configuration is stored locally.

Resources:

The estimated total resources required are listed below. The actual requirements will depend on the intensity of use and the amount of data being processed.

Concurrent users    RAM    CPU cores    Disk space
1 - 2               4      2            4
2 - 10              8      4            8
11 - 30             16     8            16
31 - 50             20     16           24

Client:

Requirements for the hardware (e.g. laptop) that users use to access the Convier web application.

  • High screen resolution is recommended (minimum 1920 x 1080)
  • A modern Internet browser
  • At least two CPU cores
  • 4GB of RAM

The web browser must allow cookies in order for Convier to maintain user sessions.

Security Architecture

A high-level overview of the application architecture with required connection points:

Inbound

  • The user needs to be able to access the URL of the Convier server running within the organization’s environment, either directly or through a VDI like Citrix

Outbound

  • An OIDC provider like Azure AD for user authentication and authorization (if none is available, we can provide one)
  • The Convier private Docker registry to download software updates (currently https://docker.convier.com)
  • Database connections to relevant data warehouses
  • HTTP connections to relevant APIs
  • (Optional) Database connection(s) to store application configuration and/or audit logs

Installation

Installation in Azure (preferred)

See Running as an App Service in Azure

Manual Installation

Make sure you have Docker installed (https://www.docker.com/), and optionally the docker-compose plugin.

Log in to the Convier Docker registry

docker login docker.convier.com

You will be asked for credentials. Get in touch with us if you don’t have these.

Run

docker run -p "0.0.0.0:80:14445" \
  -v "$(pwd)/data/app:/opt/convier/data" \
  -e JDBC_CONNECTION_STRING='jdbc:sqlite:/opt/convier/data/internal.db' \
  docker.convier.com/convier:stable

With docker-compose.yml

version: '2'

services:
  convier:
    image: docker.convier.com/convier:stable
    container_name: convier
    restart: always

    ports:
      - "0.0.0.0:80:14445"

    volumes:
      - ./data/app:/opt/convier/data

    environment:
      - JDBC_CONNECTION_STRING=jdbc:sqlite:/opt/convier/data/internal.db

Then run:

docker compose up -d

Check logs:

docker compose logs -f convier

Upgrade

docker compose pull && docker compose up -d

Audit logging

See Logging and Auditing

Backup

As Convier stores no data, only the configuration database needs to be backed up. When running an App Service with a persisted home folder, this backup is by default performed automatically.
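For the manual Docker installation above, one way to back up the configuration directory is sketched below. This is an added example, not Convier's own tooling: it assumes the `./data/app` host directory and `internal.db` file from the commands above, and the function name `backup_convier_config` and the archive naming are hypothetical.

```shell
#!/bin/sh
# Added example: archive the Convier configuration directory from the manual
# installation (host path ./data/app, mounted at /opt/convier/data).
# backup_convier_config and the archive naming are hypothetical.
# Stop the container first (docker compose stop convier) so the SQLite file
# is not being written while it is copied.

backup_convier_config() {
    src=$1      # host directory holding internal.db, e.g. ./data/app
    dest=$2     # directory that receives the archives

    [ -f "$src/internal.db" ] || { echo "no internal.db in $src" >&2; return 1; }

    (
        # Archives may hold test data and configuration: owner-only access.
        umask 077
        mkdir -p "$dest" || exit 1
        stamp=$(date -u +%Y%m%dT%H%M%SZ)
        archive="$dest/convier-config-$stamp.tar.gz"

        # -C keeps paths in the archive relative to the data directory.
        tar -czf "$archive" -C "$src" . || exit 1

        # Verify the archive is readable and really contains the database.
        tar -tzf "$archive" | grep 'internal\.db$' >/dev/null \
            || { rm -f "$archive"; exit 1; }

        # Record a checksum (GNU sha256sum) so a restore can detect corruption.
        sha256sum "$archive" > "$archive.sha256" || exit 1
        printf '%s\n' "$archive"
    )
}

# Example: backup_convier_config ./data/app /var/backups/convier
```

The function prints the path of the archive it wrote; `sha256sum -c` on the accompanying `.sha256` file checks it before a restore.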

Data Privacy

Convier stores no customer data, which limits the privacy challenges. The configuration database may contain customer data used for testing purposes, but this can be avoided, e.g. by testing on synthetic data in a User Acceptance Testing environment. The contents of this configuration are stored with AES-256 encryption, where the symmetric key is provided to the application as an environment variable/secret.

Permissions

Within the Convier application, each user is assigned two different roles: one for the application as a whole, and one for each project. The roles are determined by the authentication provider, for example Azure AD.

Instance-level roles:

  • MANAGE
  • AUDIT
  • READ

Users with the instance-level role MANAGE can add external data sources (limited by firewall settings) and also track high-level application usage. By default, only the MANAGE role can create new projects.

The AUDIT instance role can query the internal audit log database, if enabled.

Project-level roles

  • OWN
  • MANAGE
  • READ

The READ role is only able to access data and make individual configuration changes that cannot be shared with others without approval. Users with this role cannot add external data source connections. The MANAGE project role is able to share configuration changes with others, and is usually reserved for Convier personnel and customer subject matter experts. The OWN project role can do the same as the MANAGE project role, but can also assign project roles to others.