Blog

Tips for IBM Cloud and running IBM FHIR Server

Here are my tips/setup for the IBM FHIR. I hope they help you as you setup your environment.

Create a variable to prefix the environment resources and the resource-group name.

The following generates a date that is 14 days in the future, and is in lower case, it’s best to lower case everything in the following case:

EXPIRY_DATE=$(date -j -v +14d +%Y-%b-%d |tr '[:upper:]' '[:lower:]')
echo ${EXPIRY_DATE}

The output is like the following:

2022-mar-07

Install the plugins

When deploying the IBM FHIR Server, you’ll need a few additional plugins than the IBM Cloud default: cloud-object-storage, kubernetes-service, container-registry, cloud-database, event-streams and the infrastructure-service.

ibmcloud plugin repo-plugins -r "IBM Cloud"
ibmcloud plugin install cloud-object-storage -f
ibmcloud plugin install container-service -f
ibmcloud plugin install container-registry -f
ibmcloud plugin install cloud-databases -f
ibmcloud plugin install event-streams -f
ibmcloud plugin install infrastructure-service -f

API_KEY=$(cat cloudpak.json | jq -r .apiKey)
ibmcloud login --apikey ${API_KEY} -r us-east

As a first step, you can check to see if there are any exisiting resources in the account:

# List the Current Databases
ibmcloud cdb ls --json

# List the Open Shift Cluster
ibmcloud oc cluster ls --json

# List the Open Shift Cluster or the Event Streams
ibmcloud resource service-instances

Check to see if you have an existing resource-group, if no group exists, create one.

if ! ibmcloud resource group cloudpak-testing-${EXPIRY_DATE}
then
    ibmcloud resource group-create 'cloudpak-testing'-${EXPIRY_DATE}
fi

Create a Cloud Object Storage Instance, if it does not exist.

if ! ibmcloud resource service-instance cloudpak-testing-cos-${EXPIRY_DATE}
then
    ibmcloud resource service-instance-create \
        cloudpak-testing-cos-${EXPIRY_DATE} \
        cloud-object-storage standard global \
    -g 'cloudpak-testing'-${EXPIRY_DATE}
    CRN=$(ibmcloud resource service-instance \
        cloudpak-testing-cos-${EXPIRY_DATE} \
        --output JSON | jq -r '.[].crn')
    ibmcloud cos config crn --crn "${CRN}"
    ibmcloud cos create-bucket --bucket \
        "fhir-cloudpak-testing-${EXPIRY_DATE}"
    ibmcloud resource service-key-create \
        test-user-hmac Writer --instance-id "${CRN}" \
        --parameters '{"HMAC":true}'
    ibmcloud resource service-key-create test-user-iam Writer \
        --instance-id "${CRN}" --parameters '{"HMAC":false}'
fi

Note, this creates an IAM and HMAC login user. The IBM FHIR Server team prefers the HMAC as it enables the use of presigned urls.

Create an Event Streams instance, if it does not exist.

if ! ibmcloud resource service-instance cloudpak-testing-es-${EXPIRY_DATE}
then
    ibmcloud resource service-instance-create \
        cloudpak-testing-es-${EXPIRY_DATE} messagehub standard \
        us-east -g 'cloudpak-testing'-${EXPIRY_DATE}
    ibmcloud resource service-key-create service_manager Manager \
        --instance-name cloudpak-testing-es-${EXPIRY_DATE}
    ibmcloud es init -i cloudpak-testing-es-${EXPIRY_DATE}
    ibmcloud es topic-create --name FHIR_AUDIT --partitions 3
    ibmcloud es topic-create --name FHIR_NOTIFICATIONS --partitions 3
fi

Create a Db2 Instance, if it does not exist.

if ! ibmcloud resource service-instance cloudpak-testing-db2-${EXPIRY_DATE}
then
    ibmcloud resource service-instance-create \
        cloudpak-testing-db2-${EXPIRY_DATE} \
        dashdb-for-transactions standard us-east \
        -g 'cloudpak-testing'-${EXPIRY_DATE} -p '{
            "datacenter": "us-south:washington d.c",
            "high_availability": "no",
            "key_protect_instance": "none",
            "key_protect_key": "none",
            "oracle_compatibility": "no",
            "service-endpoints": "public-and-private"
        }'
fi

Note, there are some manual steps to complete the db2 setup.

Create a postgres instance

if ! ibmcloud resource service-instance cloudpak-testing-postgres-${EXPIRY_DATE}
then
    ibmcloud resource service-instance-create \
        cloudpak-testing-postgres-${EXPIRY_DATE} \
        databases-for-postgresql standard us-east \
        -g 'cloudpak-testing'-${EXPIRY_DATE} \
        -p '{"service-endpoints": "public-and-private"}'
fi

Note, there are some manual steps to complete the postgres setup.

Create the OpenShift Cluster. The CRN is from the prior creation of the COS instance.

if [ $(ibmcloud oc cluster ls --provider vpc-gen2 --output json \
        | jq -r .[].name | grep -c cloudpak-testing) = 0 ]
then
    VPC_ID=$(ibmcloud ks vpcs --provider vpc-gen2 --output json \
                | jq -r .[].id)
    SUBNET_ID=$(ibmcloud ks subnets --provider vpc-gen2 \
        --vpc-id ${VPC_ID} --zone us-east-1 --output json \
            | jq -r '.[].id')
    ibmcloud oc cluster create vpc-gen2 \
        --name cloudpak-${EXPIRY_DATE} --flavor bx2.4x16 \
        --version 4.6_openshift \
        --cos-instance ${CRN} \
        --service-subnet 172.21.0.0/16 --pod-subnet 172.17.64.0/18 \
        --workers 3 --zone us-east-1 --vpc-id=${VPC_ID} \
        --subnet-id ${SUBNET_ID}
fi

Once the postgres instance is up, you can create users – fhiradmin and fhirserver:

PG_PASSWORD="$(openssl rand -base64 21| base64 | sed 's|=||g' )>"
echo "Postgres: " ${PG_PASSWORD}
ibmcloud cdb deployment-user-create \
    cloudpak-testing-postgres-${EXPIRY_DATE} fhiradmin 
ibmcloud cdb deployment-user-create \
    cloudpak-testing-postgres-${EXPIRY_DATE} fhirserver
ibmcloud resource service-key-create service_manager \
    --instance-name cloudpak-testing-postgres-${EXPIRY_DATE}
ibmcloud resource service-keys \
    --instance-name cloudpak-testing-postgres-${EXPIRY_DATE} \
    --output json

Using psql, create a fhirserver user for the db:

psql "host=********.databases.appdomain.cloud port=30794 dbname=ibmclouddb user=admin sslmode=verify-full"
    PGPASSWORD=******

Note, if you don’t have psql in your path, use brew install postgres to get it.

Login with the password from the json PGPASSWORD
Run the following SQL to create the fhirserver user.

CREATE USER fhirserver WITH LOGIN encrypted password '*****CHANGE*******';
GRANT CONNECT ON DATABASE ibmclouddb TO fhirserver;

Check the postgres configuration, and save locally:

ibmcloud cdb deployment-connections \
    cloudpak-testing-postgres-${EXPIRY_DATE} --json

Setup the necessary max_connections and max_prepared_transactions for postgres

ibmcloud cdb deployment-configuration \
    cloudpak-testing-postgres-${EXPIRY_DATE} \
    '{"max_connections": 150}'
sleep 2m
ibmcloud cdb deployment-configuration \
    cloudpak-testing-postgres-${EXPIRY_DATE} \ 
    '{"max_prepared_transactions": 150}'

Create the db2 service-key

ibmcloud resource service-key-create service_manager \
    Manager --instance-name cloudpak-testing-db2-${EXPIRY_DATE}

Your environment is ready to run the IBM offering for IBM FHIR Server along with the supporting resources.

2022-02-21

Recipe: Getting started with the IBM FHIR Server and Terminology

The IBM FHIR Server Terminology module fhir-term provides a FHIR terminology service provider interface (SPI) and a default implementation that implements terminology services using CodeSystem, ValueSet, and ConceptMap resources that have been made available through the FHIR registry module fhir-registry.

This document outlines a small test environment to setup Cassandra and ElasticSearch to run the Terminology and run a simple test.

Recipe

Clone the IBM FHIR Server repository and switch to the cloned repository.

git clone https://github.com/IBM/FHIR.git && cd $(basename $_ .git)

Setup the examples

mvn clean install -f fhir-examples -DskipTests

Edit line 68 – term/fhir-term-graph/pom.xml, change provided to compile

<dependency>
            <groupId>org.janusgraph</groupId>
            <artifactId>janusgraph-cql</artifactId>
            <scope>compile</scope>

Edit line 174 – term/fhir-term-graph/pom.xml, change provided to compile

        <dependency>
            <groupId>org.janusgraph</groupId>
            <artifactId>janusgraph-es</artifactId>
            <scope>compile</scope>
        </dependency>

Setup the fhir projects

mvn clean install -f fhir-parent -DskipTests

Build the IBM FHIR Server

export WORKSPACE=$(pwd)
export BUILD_ID=4.11.0-SNAPSHOT
docker logout
nerdctl build fhir-install -t ibmcom/ibm-fhir-server:graph

You’ll see:

Successfully built 196dd54732a4
Successfully tagged ibmcom/ibm-fhir-server:latest

Build the Graph Terminology Loader

pushd
cd ${WORKSPACE}/fhir-install/src/main/docker/ibm-fhir-term-graph-loader/
mkdir -p target/
cp ${WORKSPACE}/term/fhir-term-graph-loader/target/fhir-term-graph-loader-*-cli.jar target/
cp ${WORKSPACE}/LICENSE target/
nerdctl build --build-arg FHIR_VERSION=${BUILD_ID} -t ibmcom/ibm-fhir-term-loader:latest .
popd

Download the janusgraph-cassandra-elasticsearch.properties

curl -o janusgraph-cassandra-elasticsearch.properties -L \
    https://raw.githubusercontent.com/IBM/FHIR/main/term/fhir-term-graph-loader/src/test/resources/conf/janusgraph-cassandra-elasticsearch.properties

Download the fhir-server-config.json

curl -o fhir-server-config.json -L \
    https://gist.githubusercontent.com/prb112/c08613e6e21e77b92cfc0ea19c56f081/raw/a9e17bb2924b59de14bd04aa9fbbcc8ff38afb10/fhir-server-config-term.json

Download the docker-compose.yml

curl -o docker-compose.yml -L \
    https://gist.githubusercontent.com/prb112/1461e66d28767ba169843bded4b0aad8/raw/a4ed5b59fd8eb430745c173536dc5ab304186c7a/docker-compose.yml

Startup the cassandra container

nerdctl compose up cassandra

Check the logs until you see:

fhir-cassandra |INFO  [main] 2022-02-19 00:36:18,884 CassandraDaemon.java:780 - Startup complete

Startup the elasticsearch container

nerdctl compose up elasticsearch -d

Check the logs for "Yellow to Green"

Cluster health status changed from [YELLOW] to [GREEN]

Start the IBM FHIR Server

nerdctl compose up fhir-server -d

Check the logs for smarter planet

fhir-server_1 |[2/19/22, 0:40:09:547 UTC] 00000026 FeatureManage A   CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 27.170 seconds.

You should also see the schema created:

fhir-server |[2/19/22, 1:20:11:487 UTC] 00000027 FHIRTermGraph I   Creating schema...
fhir-server |[2/19/22, 1:20:13:840 UTC] 00000027 FHIRTermGraph I   
fhir-server |------------------------------------------------------------------------------------------------
fhir-server |Vertex Label Name              | Partitioned | Static                                             |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |CodeSystem                     | false       | false                                              |
fhir-server |Concept                        | false       | false                                              |
fhir-server |Designation                    | false       | false                                              |
fhir-server |Property_                      | false       | false                                              |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |Edge Label Name                | Directed    | Unidirected | Multiplicity                         |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |isa                            | true        | false       | MULTI                                |
fhir-server |concept                        | true        | false       | MULTI                                |
fhir-server |designation                    | true        | false       | MULTI                                |
fhir-server |property_                      | true        | false       | MULTI                                |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |Property Key Name              | Cardinality | Data Type                                          |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |valueCode                      | SINGLE      | class java.lang.String                             |
fhir-server |display                        | SINGLE      | class java.lang.String                             |
fhir-server |version                        | SINGLE      | class java.lang.String                             |
fhir-server |code                           | SINGLE      | class java.lang.String                             |
fhir-server |codeLowerCase                  | SINGLE      | class java.lang.String                             |
fhir-server |url                            | SINGLE      | class java.lang.String                             |
fhir-server |value                          | SINGLE      | class java.lang.String                             |
fhir-server |valueBoolean                   | SINGLE      | class java.lang.Boolean                            |
fhir-server |valueDateTimeLong              | SINGLE      | class java.lang.Long                               |
fhir-server |valueDecimal                   | SINGLE      | class java.lang.Double                             |
fhir-server |valueInteger                   | SINGLE      | class java.lang.Integer                            |
fhir-server |valueString                    | SINGLE      | class java.lang.String                             |
fhir-server |count                          | SINGLE      | class java.lang.Integer                            |
fhir-server |group                          | SINGLE      | class java.lang.String                             |
fhir-server |language                       | SINGLE      | class java.lang.String                             |
fhir-server |system                         | SINGLE      | class java.lang.String                             |
fhir-server |use                            | SINGLE      | class java.lang.String                             |
fhir-server |valueDateTime                  | SINGLE      | class java.lang.String                             |
fhir-server |valueDecimalString             | SINGLE      | class java.lang.String                             |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |Graph Index (Vertex)           | Type        | Unique    | Backing        | Key:           Status |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |byUrl                          | Composite   | false     | internalindex  | url:          ENABLED |
fhir-server |byCode                         | Composite   | false     | internalindex  | code:         ENABLED |
fhir-server |byCodeLowerCase                | Composite   | false     | internalindex  | codeLowerCase:    ENABLED |
fhir-server |byDisplay                      | Composite   | false     | internalindex  | display:      ENABLED |
fhir-server |byUrlAndVersion                | Composite   | false     | internalindex  | url:          ENABLED |
fhir-server |                               |             |           |                | version:      ENABLED |
fhir-server |byValue                        | Composite   | false     | internalindex  | value:        ENABLED |
fhir-server |byValueBoolean                 | Composite   | false     | internalindex  | valueBoolean:    ENABLED |
fhir-server |byValueCode                    | Composite   | false     | internalindex  | valueCode:    ENABLED |
fhir-server |byValueDateTimeLong            | Composite   | false     | internalindex  | valueDateTimeLong:    ENABLED |
fhir-server |byValueDecimal                 | Composite   | false     | internalindex  | valueDecimal:    ENABLED |
fhir-server |byValueInteger                 | Composite   | false     | internalindex  | valueInteger:    ENABLED |
fhir-server |byValueString                  | Composite   | false     | internalindex  | valueString:    ENABLED |
fhir-server |vertices                       | Mixed       | false     | search         | display:      ENABLED |
fhir-server |                               |             |           |                | value:        ENABLED |
fhir-server |                               |             |           |                | valueCode:    ENABLED |
fhir-server |                               |             |           |                | valueString:    ENABLED |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |Graph Index (Edge)             | Type        | Unique    | Backing        | Key:           Status |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |Relation Index (VCI)           | Type        | Direction | Sort Key       | Order    |     Status |
fhir-server |---------------------------------------------------------------------------------------------------
fhir-server |
fhir-server |[2/19/22, 1:20:15:061 UTC] 00000071 Clock         I com.datastax.oss.driver.internal.core.time.Clock getInstance Using native clock for microsecond precision
fhir-server |[2/19/22, 1:20:15:132 UTC] 00000027 ExecutorServi I org.janusgraph.diskstorage.configuration.ExecutorServiceBuilder buildFixedExecutorService Initiated fixed thread pool of size 10
fhir-server |[2/19/22, 1:20:15:197 UTC] 00000027 UniqueInstanc I org.janusgraph.graphdb.idmanagement.UniqueInstanceIdRetriever getOrGenerateUniqueInstanceId Generated unique-instance-id=0a04031316-fhir2
fhir-server |[2/19/22, 1:20:15:256 UTC] 00000084 Clock         I com.datastax.oss.driver.internal.core.time.Clock getInstance Using native clock for microsecond precision
fhir-server |[2/19/22, 1:20:15:331 UTC] 00000027 ExecutorServi I org.janusgraph.diskstorage.configuration.ExecutorServiceBuilder buildFixedExecutorService Initiated fixed thread pool of size 10
fhir-server |[2/19/22, 1:20:15:332 UTC] 00000027 Backend       I org.janusgraph.diskstorage.Backend getIndexes Configuring index [search]
fhir-server |[2/19/22, 1:20:15:373 UTC] 00000027 ExecutorServi I org.janusgraph.diskstorage.configuration.ExecutorServiceBuilder buildFixedExecutorService Initiated fixed thread pool of size 4
fhir-server |[2/19/22, 1:20:15:541 UTC] 00000027 KCVSLog       I org.janusgraph.diskstorage.log.kcvs.KCVSLog$MessagePuller initializeTimepoint Loaded unidentified ReadMarker start time 2022-02-19T01:20:15.541046Z into org.janusgraph.diskstorage.log.kcvs.KCVSLog$MessagePuller@2c491de4

Check the Capabilities endpoint, it should respond with a wealth of input

curl --request GET \
  --url https://localhost:9443/fhir-server/api/v4/metadata \
  --header 'Content-Type: application/fhir+json' \
  --header 'X-FHIR-TENANT-ID: default' \
  -k -o /dev/null -I

Copy over the Jar file term/fhir-term-graph-loader/target/fhir-term-graph-loader-4.11.0-SNAPSHOT-cli.jar
Loading the Data for your specific use-case.

CodeSystem

java -jar fhir-term-graph-loader-4.11.0-SNAPSHOT-cli.jar -config ./janusgraph-cassandra-elasticsearch.properties -file CodeSystem.json

Also -url

Snomed

java -jar fhir-term-graph-loader-4.11.0-SNAPSHOT-cli.jar -config ./janusgraph-cassandra-elasticsearch.properties \
    -base snomed/ \
    -concept concept.cpt \
    -relation relation.rt \
    -desc desc.file \
    -lang lang.file

UMLS

java -jar fhir-term-graph-loader-4.11.0-SNAPSHOT-cli.jar -config ./janusgraph-cassandra-elasticsearch.properties

I don’t actually execute these commands in this blog as it is licensed content.

Execute the queries for the terminology system.

There are some ancillary tasks you should do when done:

A. Shutdown the Containers when you are done.

nerdctl compose down

B. List current moby images.

nerdctl images

2022-02-18

Recipe: Setting up IBM FHIR Server and Azure in Development

The IBM FHIR Server has support for exporting and importing Bulk Data using extended operations for Bulk Data $import, $export and $bulkdata-status, which are implemented as Java Maven projects. The IBM FHIR Server uses JSR252 JavaBatch jobs running in the Open Liberty Java Batch Framework to enable access to Large Volumes of HL7 FHIR data.

This blog is a follow on to Recipe: IBM FHIR Server – Using Bulk Data with the Azure Blob Service, and provides a docker-compose file that works with the Azure emulator called Azurite.

Typically, you can run the container locally:

docker run -p 10000:10000 -v /local/path/to/azurite:/data mcr.microsoft.com/azure-storage/azurite \
    azurite-blob --blobHost 0.0.0.0 --blobPort 10000

Recipe

1. Pull the image

$docker pull mcr.microsoft.com/azure-storage/azurite

Using default tag: latest
latest: Pulling from azure-storage/azurite
396c31837116: Pull complete 
9e7b0c9574dd: Pull complete 
ec07c04a8d4c: Pull complete 
c1eb01e62785: Pull complete 
2cbc599970e9: Pull complete 
a0ee56369073: Pull complete 
ad1956587082: Pull complete 
29652032eab7: Pull complete 
Digest: sha256:4d40e97bf9345c9e321f4b8cf722dc4615d5d6080fd2953844be288a13eadb59
Status: Downloaded newer image for mcr.microsoft.com/azure-storage/azurite:latest
mcr.microsoft.com/azure-storage/azurite:latest

2. Download the docker-compose.yml and put it in a working folder

3. Download the fhir-server-config.json and put it in the same working folder

4. Create a folder azurite in the working folder.

5. The file layout should look like the following:

6. Startup the Docker Compose

nerdctl --address /var/run/docker/containerd/containerd.sock compose up

You can then upload data, and use the Azurite emulator, the key is:

"storageProviders": {
     "default" : {
     "type": "azure-blob",
     "bucketName": "fhirbulkdata",
     "auth" : {
          "type": "connection",
          "connection": "DefaultEndpointsProtocol=http;AccountName=account1;AccountKey=key1;BlobEndpoint=http://azure-blob:10000/account1;"
     },
     "disableOperationOutcomes": true,
     "duplicationCheck": false, 
     "validateResources": false, 
     "create": false
     }
}

Reference

2022-02-18

Recipe: Streaming the FHIR Audit from the IBM FHIR Server with Go

The IBM FHIR Server supports audit events for FHIR interactions (CREATE-READ-UPDATE-DELETE-SEARCH-EXTENDED_OPERATION) in Cloud Auditing Data Federation (CADF) and HL7 FHIR AuditEvent and pushing the events to an Apache Kafka backend. You can read more about it in another post I made.

This recipe shows how to stream the data with Go-Kafka in a small lightweight library and decode the BASE64 content embedded in CADF.

Let’s spin up an IBM FHIR Server with fhir-audit and how to stream and decode the important content.

Recipe

Log in to the IBM Cloud Console
Click Create Resource

3. Search for Event Streams, and click on Event Streams

4. Choose your Location. I chose us-south. Pick the data center that is closest or co-located with your IBM FHIR Server.

5. Select the Standard plan. A typical bundle which represents a patient history, such as Antonia30_Acosta403.json, include hundreds of resources which correspond to many messages sent over the topic when processed as a Bundle batch. For a Bundle transaction, you get only one notification message.

6. Click I Accept

7. Click Create. You are redirected to the EventStreams resource that is created.

8. Click Service Credentials

9. Click New Credentials

10. Click Add

11. Copy the Service Credentials and paste it locally (on the right hand-side)

12. Click on Topics

13. Click Create Topic

14. Enter Topic Name – FHIR_AUDIT

15. Click Next

16. Select the default number of partitions

17. Click Next

18. Select Message Retention – 1 Day

19. Click Create Topic

With the IBM EventStreams Kafka Topic setup, it’s now time to connect the IBM FHIR Server and the FHIR Audit module to Kafka.

20. Download the fhir-server-config.json

curl -L https://raw.githubusercontent.com/IBM/FHIR/main/fhir-server-webapp/src/main/liberty/config/config/default/fhir-server-config-audit-environment.json -o fhir-server-config-audit-environment.json

The file contains a setting for loading the properties from the Environment (e.g. Operation System variables) and some basic settings:

        "audit": {
            "serviceClassName" : "com.ibm.fhir.audit.impl.KafkaService",
            "serviceProperties" : {
                "auditTopic": "FHIR_AUDIT",
                "geoCity": "Dallas",
                "geoState": "TX",
                "geoCounty": "US"
            }
        }

21. Download the docker image

docker pull ibmcom/ibm-fhir-server:latest

22. Convert the copied Service Credentials into a file – ibm-creds.json

23. Make the JSON a single line

cat ibm-creds.json | tr -d '\n'

The output is:

{  "api_key": "credentialapikey",  "apikey": "credentialapikey",  "iam_apikey_description": "Auto-generated for key 01ba3165-85d9-410b-ad1a-1111",  "iam_apikey_name": "Service credentials-1",  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/11111::serviceid:ServiceId-864b549f-ff90-4b24-84f2-1111",  "instance_id": "6b00cc8c-26ec-4c42-a1e8-f4da5b9f71e7",  "kafka_admin_url": "https://admin.eventstreams.cloud.ibm.com",  "kafka_brokers_sasl": [    "broker-3.eventstreams.cloud.ibm.com:9093",    "broker-5.eventstreams.cloud.ibm.com:9093",    "broker-1.eventstreams.cloud.ibm.com:9093",    "broker-2.eventstreams.cloud.ibm.com:9093",    "broker-4.eventstreams.cloud.ibm.com:9093",    "broker-0.eventstreams.cloud.ibm.com:9093"  ],  "kafka_http_url": "https://admin.eventstreams.cloud.ibm.com",  "password": "credentialapikey",  "user": "token"}

24. Export ES_CONFIG

export ES_CONFIG='{  "api_key": "credentialapikey",  "apikey": "credentialapikey",  "iam_apikey_description": "Auto-generated for key 01ba3165-85d9-410b-ad1a-1111",  "iam_apikey_name": "Service credentials-1",  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/11111::serviceid:ServiceId-864b549f-ff90-4b24-84f2-1111",  "instance_id": "6b00cc8c-26ec-4c42-a1e8-f4da5b9f71e7",  "kafka_admin_url": "https://admin.eventstreams.cloud.ibm.com",  "kafka_brokers_sasl": [    "broker-3.eventstreams.cloud.ibm.com:9093",    "broker-5.eventstreams.cloud.ibm.com:9093",    "broker-1.eventstreams.cloud.ibm.com:9093",    "broker-2.eventstreams.cloud.ibm.com:9093",    "broker-4.eventstreams.cloud.ibm.com:9093",    "broker-0.eventstreams.cloud.ibm.com:9093"  ],  "kafka_http_url": "https://admin.eventstreams.cloud.ibm.com",  "password": "credentialapikey",  "user": "token"}'

Note the single quotes surround the above.

25. Start up the IBM FHIR Server with the EventStreams credentials and fhir-server-config.json we just downloaded.

docker run --rm -d -p 9443:9443 -e BOOTSTRAP_DB=true \
    -v $(pwd)/fhir-server-config-audit-environment.json:/config/config/default/fhir-server-config.json \
    -e EVENT_STREAMS_AUDIT_BINDING="${ES_CONFIG}" ibmcom/ibm-fhir-server

You see the container id output 60a5f1cae6d677d80772f1736db1be74836a8a4845fcccc81286b7c557bc2d86.

26. Check that the applications are started using the container id.

$ docker logs 60a | grep -i started
[4/21/21, 20:55:58:449 UTC] 00000001 FrameworkMana I   CWWKE0002I: The kernel started after 1.43 seconds
[4/21/21, 20:55:58:464 UTC] 0000002a FeatureManage I   CWWKF0007I: Feature update started.
[4/21/21, 20:56:01:328 UTC] 00000030 AppMessageHel A   CWWKZ0001I: Application fhir-openapi started in 1.588 seconds.
[4/21/21, 20:56:03:141 UTC] 00000031 AppMessageHel A   CWWKZ0001I: Application fhir-bulkdata-webapp started in 3.402 seconds.
[4/21/21, 20:56:07:824 UTC] 0000002d AppMessageHel A   CWWKZ0001I: Application fhir-server-webapp started in 7.871 seconds.
[4/21/21, 20:56:07:868 UTC] 0000002a TCPPort       I   CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host *  (IPv4) port 9443.
[4/21/21, 20:56:07:880 UTC] 0000002a FeatureManage A   CWWKF0011I: The defaultServer server is ready to run a smarter planet. The defaultServer server started in 10.885 seconds.

27. Download the Sample Data

curl -L https://raw.githubusercontent.com/IBM/FHIR/main/fhir-server-test/src/test/resources/testdata/everything-operation/Antonia30_Acosta403.json -o Antonia30_Acosta403.json

28. Load the Sample Data bundle to the IBM FHIR Server

curl -k --location --request POST 'https://localhost:9443/fhir-server/api/v4' \
--header 'Content-Type: application/fhir+json' \
-u "fhiruser:change-password" \
--data-binary  "@Antonia30_Acosta403.json" -o response.json

29. Scan the response.json for any status that is not "status": "201". For example, the status is in the family of User Request Error or Server Side Error.

30. Clone the repository fhir-kafka-go

31. Clone the repository

git clone https://github.com/prb112/fhir-kafka-go.git

32. Build the Go guild

go build

33. Run the fhir-kakfka-go library

./fhir-kafka-go $(cat ibm-creds.json | jq -r '.kafka_brokers_sasl | join(",")') "token" $(cat ibm-creds.json | jq -r '.password') FHIR_AUDIT

You’ll see the following output:

2022/02/18 12:53:02 The audit details are:  t${
    "request_unique_id": "8b7ebb8f-3b48-4633-92d3-4e1d423a3aa2",
    "action": "C",
    "start_time": "2022-02-18 17:52:22.444",
    "end_time": "2022-02-18 17:52:22.525",
    "api_parameters": {
        "request": "/fhir-server/api/v4/Patient",
        "request_status": 201
    },
    "data": {
        "resource_type": "Patient",
        "id": "17f0df6a5b6-1d8db4d7-5042-4742-a951-6c3a3d08ee34",
        "version_id": "1"
    },
    "event_type": "fhir-create",
    "description": "FHIR Create request",
    "location": "172.17.0.1/_gateway"
}

This tool uses Go-Kafka and a few extra tools to process Kafka Messages and help tail the messages.

I hope this works for you, it’s great to work with Go and Kafka.

2022-02-18

A Reliable CVE Dependency Check: How-To

dependency-check is a standalone maven plugin which checks for vulnerable dependencies. It’s hosted on GitHub. I switched to it from the victims-db, which no longer looks like it is updated. I had to carefully analyze the output, it was very helpful finding one issue where we had an unintended include.

Build

export TAG=4.10.2
git checkout ${TAG}
mvn clean install -f fhir-examples -DskipTests
mvn clean install -f fhir-parent -DskipTests
mvn org.owasp:dependency-check-maven:check -f fhir-parent/ -l output-${TAG}.log
grep -e 'vulnerabilities' -e CVE- output-${TAG}.log  > summary-${TAG}.log

Output Note, this is some what cleaned up.

fhir-term-graph:
ant-1.7.0.jar (pkg:maven/org.apache.ant/ant@1.7.0, cpe:2.3:a:apache:ant:1.7.0:*:*:*:*:*:*:*) : CVE-2020-1945
cassandra-driver-core-3.11.0.jar (pkg:maven/com.datastax.cassandra/cassandra-driver-core@3.11.0, cpe:2.3:a:apache:cassandra:3.11.0:*:*:*:*:*:*:*) : CVE-2018-8016, CVE-2020-13946, CVE-2020-17516
gremlin-core-3.5.1.jar (pkg:maven/org.apache.tinkerpop/gremlin-core@3.5.1, cpe:2.3:a:apache:tinkerpop:3.5.1:*:*:*:*:*:*:*) : CVE-2021-37136, CVE-2021-37137

2022-01-20

Bulk Data: Using the SMART-on-FHIR Bulk Data Client to test $export

I recently attended the HL7 FHIR Connectathon 29. For those that are not familiar with Connectathons, I think they are fairly unique events featuring standards enthusiasts, vendors and implementors doing hands-on standards development (FHIR) and testing. As an attendee I picked one of the tracks – bulk data.

This blog is part of a series on Bulk Data Setup and Testing based on my experience at HL7 FHIR Connectathon 29.

The SMART-on-FHIR team has built a node application to call Bulk Data $export and facilitate the calls to get a bearer token.

Clone the Bulk Data Client repository

/git/wffh/2023$ git clone -b main-pb --single-branch \
    https://github.com/prb112/bulk-data-client.git && \
    cd $(basename $_ .git)
Cloning into 'bulk-data-client'...
remote: Enumerating objects: 343, done.
remote: Counting objects: 100% (343/343), done.
remote: Compressing objects: 100% (188/188), done.
remote: Total 343 (delta 220), reused 261 (delta 146), pack-reused 0
Receiving objects: 100% (343/343), 407.93 KiB | 3.32 MiB/s, done.
Resolving deltas: 100% (220/220), done.
/git/wffh/2023/bulk-data-client$

Note I added a changes to support the IBM FHIR Server.

Install nvm

$ brew install nvm
Running `brew update --preinstall`...
==> Auto-updated Homebrew!
Updated 3 taps (homebrew/core, homebrew/cask and minio/stable).
==> New Formulae
cwb3                                                      erofs-utils                                               netmask                                                   scalingo                                                  zk
==> Updated Formulae
Updated 390 formulae.

...

nvm 0.35.3 is already installed but outdated (so it will be upgraded).
==> Downloading https://ghcr.io/v2/homebrew/core/nvm/manifests/0.39.1_1
######################################################################## 100.0%
==> Downloading https://ghcr.io/v2/homebrew/core/nvm/blobs/sha256:6e14c8a2bf94212545c1ebac9a722df168c318d0e8af2fc75b729a07fea54efe
==> Downloading from https://pkg-containers.githubusercontent.com/ghcr1/blobs/sha256:6e14c8a2bf94212545c1ebac9a722df168c318d0e8af2fc75b729a07fea54efe?se=2022-01-13T21%3A30%3A00Z&sig=52CYOAyuxabqLNYih9%2BjMQtHLFrN%2FVyHXf%2FgPuBgi6w%3D&sp=r&spr=https&sr=b&sv=2019-12-12
######################################################################## 100.0%
==> Upgrading nvm
  0.35.3 -> 0.39.1_1

==> Pouring nvm--0.39.1_1.all.bottle.tar.gz
...

Bash completion has been installed to:
  /usr/local/etc/bash_completion.d
==> Summary
🍺  /usr/local/Cellar/nvm/0.39.1_1: 9 files, 184.1KB
==> Running `brew cleanup nvm`...
Disable this behaviour by setting HOMEBREW_NO_INSTALL_CLEANUP.
Hide these hints with HOMEBREW_NO_ENV_HINTS (see `man brew`).
Removing: /usr/local/Cellar/nvm/0.35.3... (7 files, 149.9KB)

Switch to Node 16

$ nvm use 16
Now using node v16.13.0 (npm v8.1.2)

Install Node 16

$ nvm install
Found '/git/wffh/2023/bulk-data-client/.nvmrc' with version <16>
Downloading and installing node v16.13.2...
Downloading https://nodejs.org/dist/v16.13.2/node-v16.13.2-darwin-x64.tar.xz...
############################################################## 100.0%
Computing checksum with sha256sum
Checksums matched!
Now using node v16.13.2 (npm v8.1.2)

Create the binaries

$ npm run clean && npm run build

> bulk-data-client@1.0.0 clean
> rm -rf ./built


> bulk-data-client@1.0.0 build
> tsc

Create the config/ibm-fhir-server.js – update the fhirUrl, tokenUrl and privateKey. I used the RS384 Key.

Run the application

$ AUTO_RETRY_TRANSIENT_ERRORS=1 SHOW_ERRORS=1 node . --config config/ibm-fhir-server.js  --_type=Patient
Kick-off started
Got new access token
Kick-off completed
Bulk Data export started
Bulk Data export completed in 10 seconds
Export manifest:  {
  transactionTime: '2022-01-14T20:56:31.553Z',
  request: 'https://bulk.cluster1-blue-x123456.containers.appdomain.cloud/fhir-server/api/v4/Patient/$export?_type=Patient',
  requiresAccessToken: false,
  output: [
    {
      type: 'Patient',
      url: 'https://x123456.cloud-object-storage.appdomain.cloud/x123456/f1wSMD84-3eRVNTUlyIwctWtNxA33Odz14KiQctry-U/Patient_1.ndjson?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=x123456%2F20220114%2Fus-east%2Fs3%2Faws4_request&X-Amz-Date=20220114T205641Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=abcdefgh',
      count: 2
    }
  ],
  error: []
}

Downloading exported files: ▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 100%
          Downloaded Files: 1 of 1
            FHIR Resources: 2
               Attachments: 0
           Downloaded Size: 6.3 kB

Download completed in 0 seconds
Do you want to signal the server that this export can be removed? [Y/n]n

If you need to debug, you’ll see all the outputs:

NODE_DEBUG=* AUTO_RETRY_TRANSIENT_ERRORS=1 SHOW_ERRORS=1 node . \
   --config config/ibm-fhir-server.js

The files are downloaded to a local directory, and you can check the data. cat downloads/1.Patient.ndjson

{"resourceType":"Patient","id":"17e44643c84-7618d4fe-e1d3-48e5-8a66-923bd4780c17","meta":{"versionId":"1","lastUpdated":"2022-01-10T14:28:46.854836Z"},"text":{"status":"generated","div":"<div xmlns=\"http://www.w3.org/1999/xhtml\">Generated by <a href=\"https://github.com/synthetichealth/synthea\">Synthea</a>.Version identifier: master-branch-latest-2-g8e7e92c\n .   Person seed: 7105486291024734541  Population seed: 0</div>"},"extension":[{"url":"http://hl7.org/fhir/StructureDefinition/patient-mothersMaidenName","valueString":"Graciela518 Badillo851"},{"url":"http://hl7.org/fhir/StructureDefinition/patient-birthPlace","valueAddress":{"city":"Caguas","state":"Puerto Rico","country":"PR"}},{"url":"http://synthetichealth.github.io/synthea/disability-adjusted-life-years","valueDecimal":1.6165934938317164},{"url":"http://synthetichealth.github.io/synthea/quality-adjusted-life-years","valueDecimal":47.383406506168285},{"url":"http://hl7.org/fhir/us/core/StructureDefinition/us-core-birthsex","valueCode":"F"},{"url":"http://hl7.org/fhir/us/core/StructureDefinition/us-core-birthsex","valueCode":"M"}],"identifier":[{"system":"https://github.com/synthetichealth/synthea","value":"bd958c64-56b6-f206-b03d-8f4b8a417215"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"MR","display":"Medical Record Number"}],"text":"Medical Record Number"},"system":"http://hospital.smarthealthit.org","value":"bd958c64-56b6-f206-b03d-8f4b8a417215"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"SS","display":"Social Security Number"}],"text":"Social Security Number"},"system":"http://hl7.org/fhir/sid/us-ssn","value":"999-93-6090"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"DL","display":"Driver's License"}],"text":"Driver's License"},"system":"urn:oid:2.16.840.1.113883.4.3.25","value":"S99913499"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"PPN","display":"Passport Number"}],"text":"Passport Number"},"system":"http://standardhealthrecord.org/fhir/StructureDefinition/passportNumber","value":"X26583229X"}],"name":[{"use":"official","family":"Acosta403","given":["Antonia30"],"prefix":["Mrs."]},{"use":"maiden","family":"Armenta418","given":["Antonia30"],"prefix":["Mrs."]}],"telecom":[{"system":"phone","value":"555-457-3489","use":"home"}],"gender":"female","birthDate":"1970-09-06","address":[{"extension":[{"extension":[{"url":"latitude","valueDecimal":41.6497330022825},{"url":"longitude","valueDecimal":-71.17511064024423}],"url":"http://hl7.org/fhir/StructureDefinition/geolocation"}],"line":["635 Littel Esplanade Suite 65"],"city":"Fall River","state":"Massachusetts","postalCode":"02790","country":"US"}],"maritalStatus":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v3-MaritalStatus","code":"M","display":"M"}],"text":"M"},"multipleBirthBoolean":false,"communication":[{"language":{"coding":[{"system":"urn:ietf:bcp:47","code":"es","display":"Spanish"}],"text":"Spanish"}}]}
{"resourceType":"Patient","id":"17e4f2f3dca-67724e2c-3991-4ac1-b6f9-51fc30209894","meta":{"versionId":"1","lastUpdated":"2022-01-12T16:46:43.149786Z"},"text":{"status":"generated","div":"<div xmlns=\"http://www.w3.org/1999/xhtml\">Generated by <a href=\"https://github.com/synthetichealth/synthea\">Synthea</a>.Version identifier: v2.4.0-404-ge7ce2295\n .   Person seed: -8292973307042192125  Population seed: 0</div>"},"extension":[{"extension":[{"url":"ombCategory","valueCoding":{"system":"urn:oid:2.16.840.1.113883.6.238","code":"2135-2","display":"Other"}},{"url":"text","valueString":"Other"}],"url":"http://hl7.org/fhir/us/core/StructureDefinition/us-core-race"},{"extension":[{"url":"ombCategory","valueCoding":{"system":"urn:oid:2.16.840.1.113883.6.238","code":"2186-5","display":"Not Hispanic or Latino"}},{"url":"text","valueString":"Not Hispanic or Latino"}],"url":"http://hl7.org/fhir/us/core/StructureDefinition/us-core-ethnicity"},{"url":"http://hl7.org/fhir/StructureDefinition/patient-mothersMaidenName","valueString":"Isabel214 Reséndez908"},{"url":"http://hl7.org/fhir/us/core/StructureDefinition/us-core-birthsex","valueCode":"M"},{"url":"http://hl7.org/fhir/StructureDefinition/patient-birthPlace","valueAddress":{"city":"La Paz","state":"Baja California","country":"MX"}},{"url":"http://synthetichealth.github.io/synthea/disability-adjusted-life-years","valueDecimal":0.13213216767824654},{"url":"http://synthetichealth.github.io/synthea/quality-adjusted-life-years","valueDecimal":34.86786783232176}],"identifier":[{"system":"https://github.com/synthetichealth/synthea","value":"d171d808-1f31-4ad3-aba5-e03a2fa921c7"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"MR","display":"Medical Record Number"}],"text":"Medical Record Number"},"system":"http://hospital.smarthealthit.org","value":"d171d808-1f31-4ad3-aba5-e03a2fa921c7"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"SS","display":"Social Security Number"}],"text":"Social Security Number"},"system":"http://hl7.org/fhir/sid/us-ssn","value":"999-83-6585"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"DL","display":"Driver's License"}],"text":"Driver's License"},"system":"urn:oid:2.16.840.1.113883.4.3.25","value":"S99914532"},{"type":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v2-0203","code":"PPN","display":"Passport Number"}],"text":"Passport Number"},"system":"http://standardhealthrecord.org/fhir/StructureDefinition/passportNumber","value":"X18544570X"}],"name":[{"use":"official","family":"Hurtado459","given":["Marco Antonio298"],"prefix":["Mr."]}],"telecom":[{"system":"phone","value":"555-185-5373","use":"home"}],"gender":"male","birthDate":"1983-04-03","address":[{"extension":[{"extension":[{"url":"latitude","valueDecimal":42.49384661818001},{"url":"longitude","valueDecimal":-70.92858466579901}],"url":"http://hl7.org/fhir/StructureDefinition/geolocation"}],"line":["552 Rippin Port"],"city":"Revere","state":"Massachusetts","postalCode":"02151","country":"US"}],"maritalStatus":{"coding":[{"system":"http://terminology.hl7.org/CodeSystem/v3-MaritalStatus","code":"M","display":"M"}],"text":"M"},"multipleBirthBoolean":false,"communication":[{"language":{"coding":[{"system":"urn:ietf:bcp:47","code":"es","display":"Spanish"}],"text":"Spanish"}}]}

As you can see the bulk-data-client is a handy tool to test Bulk Data with $export with SMART Backend Services Authorization.

We opened a few issues with the bulk data client team:

And one we’re watching:

Provides token even if requiresAccessToken is false #2

We opened an Pull Request #1 to address 1,2,4.

2022-01-14

IBM FHIR Server: Getting Started Links
The IBM FHIR Server supports FHIR R4 and is at version 4.10.2.

The conformance page outlines the features and capabilities of the main build link. The user’s guide outlines the features and configurations link. The module catalog outlines the features link.

The IBM FHIR Server is delivered in three ways.
1. A Modular Application
- Jars published to Maven Central
- Search for Jars at https://mvnrepository.com/artifact/com.ibm.fhir
- Javadocs
1. Docker
- DockerHub: ibmcom/ibm-fhir-server
  
  OpenLiberty OpenJ9 Application that runs the FHIR Server webapp.
- DockerHub: ibmcom/ibm-fhir-schematool
  
  SchemaTool used to deploy the IBM FHIR Server’s Operational Datastore to Postgres, Db2
- DockerHub: ibmcom/ibm-fhir-bucket-tool
  
  reindexing and synthetic loading tool
- DockerHub: ibmcom/ibm-fhir-term-loader
  
  Loads terminology
1. A Helm Chart to Install a Working Environment
- ArtifactHub: The IBM FHIR Server Helm Chart
If you have more specifics, we can work on diving into the features.
2022-01-11
USING THE IBM FHIR SERVER WITH HELM

This article walks folks through the process of using the IBM FHIR Server’s helm chart with Docker Desktop Kubernetes and getting it up and running.

The series of steps to use IBM FHIR Server and Helm Download

2022-01-06

Help… run nsenter

Per Enqueue Zero, Nsenter is a utility enters the namespaces of one or more other processes and then executes the specified program. In other words, we jump to the inner side of the namespace.

Search for the namespace, by searching for S+, and then using the PID to target the namespace, and run the local tools in the namespace. This is very helpful where the docker container does not contain the necessary tools by default.

[root@localhost ~]# ps aux | grep 'S+'
gdm         1203  0.0  0.0   6084  1064 tty1     S+    2021   0:00 dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart
root       24439  0.0  0.0   4420   632 pts/0    S+    2021   0:00 tail -f /database/config/db2inst1/sqllib/db2dump/DIAG0000/db2diag.log
root      922523  0.0  0.0 221568   776 pts/0    S+   14:07   0:00 grep --color=auto S+
[root@localhost ~]# nsenter --target 24439 --mount --uts  --net --pid ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0  12100  2416 pts/0    Ss+   2021   0:01 /bin/bash /var/db2_setup/lib/setup_db2_instance.sh
root       14738  0.0  0.0 111996  5688 ?        Ss    2021  33:46 /usr/bin/python /usr/bin/supervisord -c /etc/supervisord.conf
root       14741  0.0  0.0   4420   632 pts/0    S+    2021   0:00 tail -f /database/config/db2inst1/sqllib/db2dump/DIAG0000/db2diag.log
root       14742  0.0  0.0  95724 12332 ?        S     2021   5:59 /opt/ibm/db2/V11.5/bin/db2fmcd
root       14743  0.0  0.0 112952  5696 ?        S     2021   0:00 /usr/sbin/sshd -D
root       65263  0.0  0.0 1313568 8708 ?        Sl    2021   0:06 db2wdog 0 [db2inst1]
db2inst1   65265  0.1  0.1 3716884 30216 ?       Sl    2021  88:11 db2sysc 0
root       65271  0.0  0.0 1316348 3548 ?        S     2021   0:00 db2ckpwd 0
root       65272  0.0  0.0 1316348 3548 ?        S     2021   0:00 db2ckpwd 0
root       65273  0.0  0.0 1316348 3544 ?        S     2021   0:00 db2ckpwd 0
db2inst1   65275  0.0  0.0 723620  7448 ?        S     2021   0:00 db2vend (PD Vendor Process - 1) 0
db2inst1   65283  0.0  0.1 961132 23452 ?        Sl    2021  16:42 db2acd 0 ,0,0,0,1,0,0,00000000,0,0,0000000000000000,0000000000000000,00000000,00000
db2fenc1   66416  0.0  0.1 650952 20416 ?        Sl    2021   0:01 db2fmp ( ,1,0,0,0,0,0,00000000,0,0,0000000000000000,0000000000000000,00000000,00000
db2fenc1   70651  0.0  0.1 424932 19852 ?        Sl    2021   0:00 db2fmp ( ,0,0,0,0,0,0,00000000,0,0,0000000000000000,0000000000000000,00000000,00000
db2fenc1 2274960  0.0  0.1 424932 19872 ?        Sl    2021   0:00 db2fmp ( ,0,0,0,0,0,0,00000000,0,0,0000000000000000,0000000000000000,00000000,00000
root     4113980  0.0  0.0  11704  2660 ?        S    19:05   0:00 bash -c /var/db2_setup/lib/backup_cfg.sh >> /tmp/backup_cfg.out 2>&1
root     4113981  0.0  0.0  11704  2816 ?        S    19:05   0:00 /bin/bash /var/db2_setup/lib/backup_cfg.sh
root     4114110  0.0  0.0   4380   736 ?        S    19:05   0:00 sleep 2m
root     4114269  0.1  0.0  12100  3072 ?        S    19:07   0:00 /bin/bash /var/db2_setup/lib/fix_etc_host.sh
root     4114285  0.0  0.0   4380   716 ?        S    19:07   0:00 sleep 10
root     4114290  0.0  0.0  53348  3856 pts/0    R+   19:07   0:00 ps aux
[root@localhost ~]#

2022-01-04

Never accept the defaults: Lessons Learned using OpenJ9 in a Container
Never accept the defaults: Lessons Learned using OpenJ9 in a Container

Eclipse OpenJ9 is an efficient virtual machine with a small-dynamic footprint that is used for many cloud applications. Many applications use the OpenJ9 to run their applications, such as the Apache OpenWhisk, IBM FHIR Server and Open Liberty.

I learned a few things about running Java applications with the OpenJ9 VM in Docker:
1. Eclipse OpenJ9 knows about modern applications
2. Tweak Your Settings
3. Review your Settings
1.   Eclipse OpenJ9 knows about modern applications

The Eclipse OpenJ9 team smartly realized many Java applications are in a container or namespace or virtual machine which has a runtime determined memory allocation. For instance, Kubernetes may scale the memory available to a Java Container from 4G to 8G. As such, the OpenJ9 VM automatically adjust the minimum and maximum heap sizes based on the available memory in the container.

There are plenty of nobs to tweak. Further, the Eclipse team has some compelling research on performance and places to look to tweak my application.

2.   Tweak your settings

I scanned through the JVM -XX Options and found -XX:InitialRAMPercentage / -XX:MaxRAMPercentage. These options combined with -XX:[+|-]UseContainerSupport

, the default, enable the VM to allocate a fraction of the available memory to the JVM. I tried this with a Docker container assigned 2GB Memory.

-XX:InitialRAMPercentage=50.00
-XX:MaxRAMPercentage=90.00

3.   Review and Test Your Settings

I turned on the -verbose:gc setting, and started my VM and ran some load.

I waited for a steady state and checked my available memory, and saw the 469M free of 858M total.

<gc-end id=”443″ type=”scavenge” contextid=”439″ durationms=”57.408″ usertimems=”223.188″ systemtimems=”0.172″ stalltimems=”4.439″ timestamp=”2021-12-20T18:00:43.360″ activeThreads=”4″>
<mem-info id=”444″ free=”469525144″ total=”858914816″ percent=”54″>
<mem type=”nursery” free=”269655128″ total=”468451328″ percent=”57″>
<mem type=”allocate” free=”269655128″ total=”349700096″ percent=”77″ />
<mem type=”survivor” free=”0″ total=”118751232″ percent=”0″ /> </mem>
<mem type=”tenure” free=”199870016″ total=”390463488″ percent=”51″ macro-fragmented=”99381968″>
<mem type=”soa” free=”180346432″ total=”370939904″ percent=”48″ />
<mem type=”loa” free=”19523584″ total=”19523584″ percent=”100″ /> </mem>

I tweaked the memory based on the Garbage Collection log and used the tools as mentioned in the OpenJ9 docs. You can also see some more of the enhancements for Containers that OpenJ9 has added.

Go forth, tweak the settings for the container and best wishes. Please comment if I can help.
2021-12-20

Blog

Recipe

Recipe

Reference

1. Eclipse OpenJ9 knows about modern applications

2. Tweak your settings

3. Review and Test Your Settings