Spotfire® Enterprise Runtime for R - Server Edition Installation and Administration

Limiting exposure of your deployment

The TERR service is installed on a Spotfire Server node running under Linux or Windows. The Linux installation provides the option of running the TERR service in a containerization platform.

When you install the TERR service and run the TERR engine, you can take steps to protect the server deployment, to minimize the risk of unauthorized access, and to minimize the possibility of malicious acts.

Statistical engines such as TERR provide functions to access data and packages on the internet. Additionally, they have functions that access the host computer system, such as those for executing system commands, and those for reading and writing files. By their very design, these languages can expose computer systems to risk from bad actors, unless the deployer takes steps to secure the environments in which they run. We strongly recommend reviewing and implementing the practices described here.

Note: The TERR service installed on a Spotfire Server node running under Windows does not have a containerized installation available.

Restricting user access

  • Run the TERR service using an account that limits network access to required external data sources and services only. (Note that taking this step can limit the availability of data and package updates.)
  • Always run the node manager containing the TERR service as a non-root user. (That is, not as root or under an Administrative account.)
  • If you are running a system where other servers have access to computers running the TERR service, disable passwordless access between the server and other servers.

Configuring for tighter engine control

  • Preserve the default settings for using the TERR service in restricted mode with the property terr.restricted.execution.mode: TRUE. Note that this property is set to TRUE by default. See Safeguarding your environment for more information.
  • If your deployment is on a Linux server, then the default configuration for the TERR service is to use containers (the property use.engine.containers: TRUE). Running the TERR service with containers enabled prevents the engines from having access to the host system. See Containerized Service for more information.
    Note: Docker is available under separate software license terms and is not part of the Spotfire Server or the TERR service. As such, Docker is not within the scope of your license for Spotfire Server or the TERR service. Docker is not supported, maintained, or warranted in any way by Cloud Software Group, Inc. Download and use of Docker is solely at your own discretion and subject to license terms applicable to Docker.
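The following audit sketch is an added example, not part of the product or its documentation. It checks a properties text for the two settings named above and for a root-owned process. The function names, the assumption that the file uses Java-style `key: value` or `key = value` lines, and the sample input are all constructed for illustration.

```python
import os

# Defaults stated on this page: both properties are TRUE unless overridden.
DEFAULTS = {
    "terr.restricted.execution.mode": "TRUE",
    "use.engine.containers": "TRUE",
}

def parse_properties(text):
    """Parse key/value lines; accepts ':' or '=' separators (assumed format)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        # Split on whichever separator appears first in the line.
        idx = min((i for i in (line.find(":"), line.find("=")) if i != -1), default=-1)
        if idx == -1:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit(text, platform="linux", euid=None):
    """Return a list of findings for a TERR service properties text."""
    props = {**DEFAULTS, **parse_properties(text)}
    findings = []
    if props["terr.restricted.execution.mode"].upper() != "TRUE":
        findings.append("restricted execution mode is disabled")
    # Windows has no containerized installation, so only Linux is checked.
    if platform == "linux" and props["use.engine.containers"].upper() != "TRUE":
        findings.append("engine containers are disabled; engines can reach the host")
    if euid is None and hasattr(os, "geteuid"):
        euid = os.geteuid()
    if euid == 0:
        findings.append("process is running as root")
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# TERR service settings (constructed)
terr.restricted.execution.mode: FALSE
use.engine.containers = false
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, platform="linux", euid=1000):
        print("FINDING:", finding)
```

Run it under the same account that runs the node manager so that the root check reflects the real service identity.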