Deployment with Podman
Chatbotaurus uses Podman exclusively (not Docker) for containerisation. This guide covers the complete deployment of the infrastructure.
Prerequisites
- Podman Desktop 5.7+ or Podman CLI 4.x+
- 32 GB RAM minimum (VPS1 Core)
- 400 GB NVMe minimum
Networks
Chatbotaurus uses two isolated Podman networks:
```bash
# Core network (main services)
podman network create --subnet 172.28.0.0/16 chatbotaurus-network
# MGaaS network (deployed business services)
podman network create --subnet 172.29.0.0/16 mgaas-network
```
| Network | Subnet | Usage |
|---|---|---|
| chatbotaurus-network | 172.28.0.0/16 | Core services (PostgreSQL, Ollama, Keycloak, etc.) |
| mgaas-network | 172.29.0.0/16 | Deployed business services (Odoo, n8n, Matomo, etc.) |
Deploying the Core Services
```bash
# Deploy the 23 core services
podman kube play --network chatbotaurus-network kubernetes/podman-local/00-core-pods.yaml
# Check the pods
podman pod ps
```
Core Services (VPS1)
| Service | Container | IP (suffix in chatbotaurus-network) | Port |
|---|---|---|---|
| PostgreSQL TimescaleDB | chatbotaurus-postgres | .35 | 5432 |
| Qdrant (vectors) | chatbotaurus-qdrant | .36 | 6333 |
| Valkey (cache) | chatbotaurus-valkey | .37 | 6379 |
| Vault (secrets) | chatbotaurus-vault | .38 | 8200 |
| Ollama (LLM) | chatbotaurus-ollama | .47 | 11434 |
| Keycloak (SSO) | chatbotaurus-keycloak | .60 | 8080 |
| Traefik (reverse proxy) | chatbotaurus-traefik | dyn | 80/443 |
| Backend x2 | chatbotaurus-backend-1/2 | .61/.62 | 3000 |
| Frontend x2 | chatbotaurus-frontend-1/2 | .73/.74 | 3001 |
| Forgejo (Git) | chatbotaurus-forgejo-dev | .51 | 3000 |
Deploying the MGaaS Services
```bash
# Deploy the business services (dev mode)
podman kube play --network mgaas-network kubernetes/podman-local/01-mgaas-pods.yaml
# Or full VPS mode (38 services)
podman kube play --network mgaas-network kubernetes/podman-local/01-mgaas-pods-vps.yaml
```
Building the Images
The images are built directly on the VPS (not locally):
```bash
# Backend
podman build -t localhost/chatbotaurus-backend:staging \
  -f packages/server/Containerfile .
# Frontend
podman build -t localhost/chatbotaurus-frontend:staging \
  -f packages/new-ui/Containerfile .
```
Ollama Models
Once Ollama is up, pull the models:
```bash
podman exec chatbotaurus-ollama ollama pull qwen3:8b
podman exec chatbotaurus-ollama ollama pull tomng/nanbeige4.1:3b
podman exec chatbotaurus-ollama ollama pull qwen3-embedding:0.6b
# Check the installed models
podman exec chatbotaurus-ollama ollama list
```
Security Scan (Trivy)
Before every deployment, scan the images:
```powershell
.\scripts\scan-images-trivy.ps1 -SeverityThreshold HIGH
```
- CRITICAL = deployment blocked
- SBOM generated in SPDX JSON format
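The same gating policy applied to a Trivy JSON report, as an added example (it is not the project's scan-images-trivy.ps1); the report layout, the SchemaVersion check and the sample findings are assumptions:

```python
"""Deployment gate over a Trivy JSON report.

Added example, not the project's scan-images-trivy.ps1. It assumes the layout
written by `trivy image --format json`: a top-level SchemaVersion and
Results[].Vulnerabilities[] entries carrying Severity, VulnerabilityID,
PkgName and FixedVersion.
"""
import json
import sys
from typing import Any

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def evaluate_scan(report: dict[str, Any], threshold: str = "HIGH") -> dict[str, Any]:
    """Collect findings at or above `threshold`; any CRITICAL blocks the deployment.

    A report without SchemaVersion is treated as a failed or truncated scan and
    blocks as well, so a broken scanner run can never wave an image through.
    """
    if not isinstance(report, dict) or "SchemaVersion" not in report:
        return {"blocked": True, "reason": "malformed report", "findings": []}
    min_rank = SEVERITY_RANK[threshold.upper()]
    findings = []
    for result in report.get("Results") or []:  # key may be absent on a clean image
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(sev, 0) >= min_rank:
                findings.append({"id": vuln.get("VulnerabilityID"), "pkg": vuln.get("PkgName"),
                                 "severity": sev, "fixed": vuln.get("FixedVersion") or None,
                                 "target": result.get("Target")})
    blocked = any(f["severity"] == "CRITICAL" for f in findings)
    return {"blocked": blocked, "reason": "CRITICAL findings" if blocked else "", "findings": findings}


# Constructed sample in Trivy's layout (IDs are placeholders, not real CVEs).
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "localhost/chatbotaurus-backend:staging",
    "Results": [
        {"Target": "localhost/chatbotaurus-backend:staging (debian 12)", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample", "Severity": "CRITICAL", "FixedVersion": "1.2.3"},
            {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother", "Severity": "MEDIUM", "FixedVersion": ""}]},
        {"Target": "Node.js", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "example-npm-pkg", "Severity": "HIGH", "FixedVersion": "2.0.0"}]},
    ],
}

if __name__ == "__main__":  # usage: python trivy_gate.py report.json [THRESHOLD]
    with open(sys.argv[1]) as fh:
        verdict = evaluate_scan(json.load(fh), sys.argv[2] if len(sys.argv) > 2 else "HIGH")
    for f in verdict["findings"]:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} fixed={f['fixed']} ({f['target']})")
    sys.exit(1 if verdict["blocked"] else 0)  # the non-zero exit is what the pipeline gates on
```

Wire the non-zero exit status into the deployment step so that `podman kube play` is never reached when the gate blocks.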
Resource Constraints
| Resource | Limit | Alert |
|---|---|---|
| Total RAM VPS1 | < 24 GB | > 20 GB |
| CPU | < 85% | > 70% |
| RAM Ollama | 16 Gi | - |
| RAM Backend (per instance) | 2 Gi | - |
| RAM Frontend (per instance) | 512 Mi | - |
Useful Commands
```bash
# List all containers
podman ps -a
# Logs of a container
podman logs -f chatbotaurus-backend-1
# Restart a container
podman restart chatbotaurus-backend-1
# Inspect a container
podman inspect chatbotaurus-backend-1
# Resource statistics
podman stats --no-stream
```
Important Notes
- All containers are rootful (`sudo podman`)
- DNS fix required: `--dns 153.92.2.6` on every container (aardvark-dns is broken)
- Traefik uses direct IPs (not container names) in its dynamic configuration
- Vault re-seals on restart: plan for auto-unseal
- Ollama: `num_ctx:2048` is mandatory (not 4096, otherwise OOM)