Installing Zoe

If you are looking for the five-minutes install procedure, just for testing, check the test install section, below.

When installing Zoe for production you should, first of all, look at the following requirements and take a decision about each of them:

  • Container back-end: Kubernetes or DockerEngine
  • Shared filesystem: we have deployments on NFS and CephFS, but anything similar should work
  • Network: how your users will connect to the containers
  • Authentication back-end: how your users will authenticate to Zoe (LDAP or text file)
  • How to manage Zoe Applications (ZApps)
  • ZApp output logs: see Zoe logs and service output

After, you can start the installation, as outlined in the manual install section.

Choosing the container back-end

At this time Zoe supports three back-ends:

  • DockerEngine: uses one or more Docker Engines. It is simple to install and to scale.
  • Kubernetes: the most complex to setup, we suggest using it only if you already have (or need) a Kubernetes setup for running other software.
  • Legacy Docker Swarm (deprecated): simple to install, additional features like SSL, high-availability and dynamic host discovery can be added as needed. Please note that Zoe does not support the new Swarm Mode of Docker Engine as the API is too limited.


The DockerEngine back-end uses one or more nodes with Docker Engine installed and configured to listen to network requests.

The Docker Engines must be configured to enable multi host networking.

This sample config file, usually found in /etc/docker/daemon.conf may help to get you started:

   "dns": [""],
   "dns-search": [""],
   "tlsverify": true,
   "tlscacert": "/mnt/certs/cacert.pem"
   "tlscert": "/mnt/certs/cert.pem",
   "tlskey": "/mnt/certs/key.pem",
   "hosts": ["tcp://", "unix:///var/run/docker.sock"]

Once you have your docker hosts up and running, to tell the back-end which nodes are available and how to connect to them, you need to create a file with this format:

use_tls: no
tls_cert: /mnt/cephfs/admin/cert-authority/container-router/cert.pem
tls_key: /mnt/cephfs/admin/cert-authority/container-router/key.pem
tls_ca: /mnt/cephfs/admin/cert-authority/ca.pem

address: localhost:2375

use_tls: yes

use_tls: yes
labels: gpu,ssd

This sample configuration describes three hosts. The DEFAULT section contains items that are common to all hosts, in any case these entries can be overwritten in the host definition.

Host foo does not use TLS (from the default config item), Zoe needs to connect to localhost on port 2375 to talk to it and users connecting to containers running on this host need to use the address to connect. This external_address will be used by Zoe to generate links in the web interface.

Host bar uses TLS and host baz has also two labels that can be matched when starting services with the corresponding label. Labels are comma separated.

You tell Zoe the location of this file using the backend-docker-config-file option in zoe.conf.


See Kubernetes backend for Zoe for configuration details.

Shared filesystem

Users need to put data and binaries in a place accessible by Zoe and need to be able to access the results and the logs generated by running ZApp.

Zoe uses the concept of workspaces: each user has a private directory that is attached to all the containers of each ZApp belonging to her in a well-known location. This filesystem can be accessed by a special gateway container spawned by the administrator (see gateway containers) or by other methods (direct mount on user machines, webdav, web file managers).

Zoe implements a “directory” back-end for workspaces. Container back-ends may implement more volume technologies: Zoe is not involved, it needs only the information on how to attach the user volume to the container, so the effort required to support new volume types should be minimal.

At Eurecom we use CephFS, but we know of successful Zoe deployments based on NFS.


Most of the ZApps expose a number of interfaces (web, REST and others) to the user. Zoe configures the active back-end to expose these ports, but does not perform any additional action to configure routing or DNS to make the ports accessible. Keeping in mind that the back-end network configuration is outside Zoe’s competence area, here there is non-exhaustive list of the possible configurations:

Authentication back-end

Zoe has a simple user model: users are authenticated against an external source of truth, that assigns also one of three roles:

  • guest: cannot access the API (and the command-line tools) and can run one execution at a time
  • user: can use the API and has no limits on executions
  • admin: can operate on executions belonging to other users, can delete records of past executions

Zoe supports two authentication back-ends:

  • LDAP and LDAP+SASL (auth-type=ldap ot auth-type=ldapsasl)
  • Text file (auth-type=text)

As most of Zoe, the authentication back-end is pluggable and others can be easily implemented.


Plain LDAP or LDAP+SASL GSSAPI are available.

In Zoe configuration you need to specify the following options:

  • ldap-server-uri
  • ldap-bind-user
  • ldap-bind-password
  • ldap-base-dn
  • ldap-admin-gid
  • ldap-user-gid
  • ldap-guest-gid
  • ldap-group-name

Text file

For testing and for simple deployments with a few users, a CSV text file can be used.

Its format is:


The file location can be specified in the zoe.conf file and it needs to be readable only be the Zoe processes.

Managing Zoe applications

At the very base, ZApps are composed of a container image and a JSON description. The container image can be stored on the Docker nodes, in a local private registry, or in a public one, accessible via the Internet.

Zoe does not provide a way to automatically build images, push them to a local registry, or pull them to the hosts when needed. At Eurecom we provide an automated environment based on GItLab’s CI features: users are able to customize their applications (JSON and Dockerfiles) by working on git repositories. Images are rebuilt and pushed on commit and JSON files are generated and copied to the ZApp shop directory. You can check out how we do it here:

The ZApp Shop

The Zoe web interface provides a ZApp shop to showcase available ZApps and have a friendly and easy way for users to list and access ZApps.

The shop is managed locally. It looks for ZApps in a configured directory (option zapp-shop-path). Each ZApp must live in its own directory, that must contain:

  • manifest.json : a JSON file that describes the contents of the ZApp
  • a logo that is displayed on the web interface
  • one or more text files in markdown format with ZApp information and documentation
  • one or more JSON Zoe application descriptions

The manifest.json file gather all this information together for the ZApp Shop interface. Its format is as follows:

    "version": 1,
    "zapps": [
            "category": "TensorFlow",
            "name": "Google TensorFlow notebook",
            "description": "tf-google.json",
            "readable_descr": "",
            "parameters": []
            "category": "TensorFlow",
            "name": "Google TensorFlow batch",
            "description": "tf-google.json",
            "readable_descr": "",
            "parameters": [
                    "kind": "command",
                    "name": "tf-jupyter",
                    "readable_name": "Command",
                    "description": "The Python script to run, relative to the workspace directory",
                    "type": "string",
                    "default": "./my-tf-app/"
            "guest_access": true
  • version : a internal version, used by Zoe to recognize the manifest format. For now only 1 is supported.
  • zapps : a list of ZApps that have to be shown in the shop

For each ZApp:

  • category : the category this ZApp belongs to, it is used to group ZApps in the web interfaces. There are no pre-defined categories and you are free to put anything you want in here
  • name : the human-readable name
  • description : the name of the json file with the Zoe description
  • readable_descr : the name of the markdown file containing user documentation for the ZApp
  • parameters : a list of parameters the user can set to tune the ZApp before starting it
  • guest_access (optional) : if true the ZApp is visible to guest users, default is false


Parameters are values of the JSON description that are modified at run time.

  • kind : the kind of parameter, it can be command or environment
  • name : the machine-friendly name of the parameter
  • readable_name : the human-friendly name of the parameter
  • description : an helpful description
  • type : string or integer, used for basic for validation
  • default : the default value
  • max : if type is integer, this is required and is the maximum value the user can set
  • min : if type is integer, this is required and is the minimum value the user can set
  • step : if type is integer, this is required and is the step for moving between values

Parameters can be of two kinds:

  • environment : the parameter is passed as an environment variable. The name of the environment variable is stored in the name field. The JSON description is modified by setting the user-defined value in the environment variable with the corresponding name. All services that have the variable defined are modified.
  • command : the service named name has its start-up command changed to the user-defined value

By default users with the user and admin roles have access also to resource parameters via the web interface. They can set the amount of memory and cores to reserve before starting their execution. The configuration option no-user-edit-limits-web can be used to disable access to this feature.

To get started, in the contrib/zapp-shop-sample/ directory there is a sample of the structure needed for a working zapp-shop, including some data science related ZApps. Copy it as-is in your ZApp shop directory to have some Zapps to play with.

Example of distributed environment

For running heavier workloads and distributed applications, you need a real container cluster. In this example we will use the DockerEngine back-end, as it is simpler to setup than Kubernetes.


  • One or more Docker Engines
  • Zoe
  • NFS (or another distributed filesystem like CephFS)
  • A Postgresql server


  • One node running Zoe. Depending on how your users will access the workspaces you may want to add gateway containers for SSH and/or SOCKS proxies on this node.
  • At least one worker node with a Docker Engine
  • A file server running NFS: depending on the workload it can be co-located with Zoe
  • A Postgresql server, again it can be colocated depending on your expected load

To configure container networking, we suggest the standard Docker multi-host networking.

In this configuration Zoe expects the network filesystem to be mounted in the same location on all worker nodes. This location is specified in the workspace-base-path Zoe configuration item. Zoe will create a directory under it named as deployment-name by default or workspace-deployment-path if specified. Under it a new directory will be created for each user accessing Zoe.

Stand-alone environment for development and testing

A simple deployment for development and testing is possible with just:

  • A Docker Engine
  • Zoe

In the root of the repository you can find a docker-compose.yml file that should help get you started.

You will need to create a /etc/zoe directory containing the docker.conf file that lists the Docker engine nodes available to Zoe.

API Managers

To provide TLS termination, authentication, load balancing, metrics, and other services to the Zoe API, you can use an API manager in front of the Zoe API. For example: