Server Configuration
This reference describes all server-related configuration options for the ros2_medkit gateway.
Quick Start
The gateway can be configured via:
Command line:
--ros-args -p server.port:=9000Launch files:
parameters=[{'server.port': 9000}]YAML file: See
src/ros2_medkit_gateway/config/gateway_params.yaml
Network Settings
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
string |
|
Host to bind the REST server. Use |
|
int |
|
Port for REST API. Valid range: 1024-65535. |
Example:
# Expose on all interfaces (Docker/network)
ros2 run ros2_medkit_gateway gateway_node --ros-args \
-p server.host:=0.0.0.0 \
-p server.port:=8080
TLS/HTTPS Configuration
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable HTTPS using OpenSSL. |
|
string |
|
Path to PEM-encoded certificate file. |
|
string |
|
Path to PEM-encoded private key file. Restrict permissions (chmod 600). |
|
string |
|
Path to CA certificate file (reserved for mutual TLS). |
|
string |
|
Minimum TLS version: |
Example:
ros2_medkit_gateway:
ros__parameters:
server:
tls:
enabled: true
cert_file: "/etc/ros2_medkit/certs/cert.pem"
key_file: "/etc/ros2_medkit/certs/key.pem"
min_version: "1.2"
See Configuring HTTPS/TLS for a complete HTTPS setup tutorial.
CORS Configuration
Cross-Origin Resource Sharing (CORS) settings for browser-based clients.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
list |
|
List of allowed origins. Use |
|
list |
|
Allowed HTTP methods. |
|
list |
|
Allowed headers in requests. |
|
bool |
|
Allow credentials (cookies, auth headers). |
|
int |
|
Preflight response cache duration (24 hours). |
Example for development with ros2_medkit_web_ui:
ros2_medkit_gateway:
ros__parameters:
cors:
allowed_origins: ["http://localhost:5173"]
allowed_methods: ["GET", "PUT", "POST", "DELETE", "OPTIONS"]
allowed_headers: ["Content-Type", "Accept", "Authorization"]
allow_credentials: true
Data Access Settings
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
int |
|
Max concurrent topic samples. Higher values use more resources. Range: 1-50. |
|
float |
|
Timeout for sampling topics with active publishers. Range: 0.1-30.0. |
Note
The defaults listed above match the recommended gateway configuration in
src/ros2_medkit_gateway/config/gateway_params.yaml. If these parameters are
not provided at all, the DataAccessManager fallback defaults are
max_parallel_topic_samples = 10 and topic_sample_timeout_sec = 1.0.
Fault Manager Integration
Configure how the gateway connects to the fault manager services and event topic.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
string |
|
Optional namespace prefix for fault manager service and event topic resolution.
Examples: |
|
float |
|
Timeout for fault manager service calls such as |
When fault_manager.namespace is set, the gateway also subscribes to the matching
fault event topic (for example /robot1/fault_manager/events instead of the default
/fault_manager/events).
Example:
ros2_medkit_gateway:
ros__parameters:
fault_manager:
namespace: "robot1"
service_timeout_sec: 5.0
Logging Configuration
Configure the in-memory log buffer that collects /rosout messages.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
int |
|
Maximum log entries retained per node. Valid range: 1-100000 (values outside this range are clamped with a warning). |
Example:
ros2_medkit_gateway:
ros__parameters:
logs:
buffer_size: 500
A LogProvider plugin can replace the default /rosout backend.
See Plugin System for details.
Performance Tuning
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
int |
|
Cache refresh interval. How often to discover ROS 2 nodes. Range: 100-60000 (0.1s-60s). |
Lower values provide faster updates but increase CPU usage.
Bulk Data Storage
Configure file-based bulk data storage for uploads (calibration files, firmware, etc.).
The rosbags category is always available via the Fault Manager and does not need
configuration.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
string |
|
Base directory for uploaded files. Each entity gets a subdirectory. |
|
int |
|
Maximum upload file size in bytes (default: 100 MB). Set to 0 for unlimited. |
|
string[] |
|
Allowed bulk data categories for upload/download (e.g., |
Example:
ros2_medkit_gateway:
ros__parameters:
bulk_data:
storage_dir: "/var/ros2_medkit/bulk_data"
max_upload_size: 52428800 # 50 MB
categories: ["calibration", "firmware", "logs"]
Note
The rosbags category is always available through the Fault Manager and cannot be
used for uploads or deletes. It is automatically included in the category list.
Note
The gateway uses native rclcpp APIs for all ROS 2 interactions - no ROS 2 CLI dependencies. Topic discovery, sampling, publishing, service calls, and action operations are implemented in pure C++ using ros2_medkit_serialization.
SSE (Server-Sent Events)
Configure limits for SSE-based streaming (fault events and cyclic subscriptions).
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
int |
|
Maximum number of concurrent SSE connections (fault stream, cyclic subscription streams, and trigger event streams combined). |
|
int |
|
Maximum number of active cyclic subscriptions across all entities. Returns HTTP 503 when this limit is reached. |
|
int |
|
Maximum allowed subscription duration in seconds. Requests exceeding this are rejected with HTTP 400. |
Example:
ros2_medkit_gateway:
ros__parameters:
sse:
max_clients: 10
max_subscriptions: 100
max_duration_sec: 3600
Triggers
Configure condition-based push notifications for resource changes.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable/disable the trigger subsystem. When disabled, trigger endpoints return HTTP 501. |
|
int |
|
Maximum number of concurrent triggers across all entities. Returns HTTP 503 when this limit is reached. |
|
string |
|
Behavior on gateway restart for persistent triggers. |
|
string |
|
Path to SQLite database for persistent trigger storage. When empty (default), triggers are stored in-memory only and lost on restart. |
Example:
ros2_medkit_gateway:
ros__parameters:
triggers:
enabled: true
max_triggers: 1000
on_restart_behavior: "restore"
storage:
path: "/var/lib/ros2_medkit/triggers.db"
Rate Limiting
Token-bucket-based rate limiting for API requests. Disabled by default.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable rate limiting. |
|
int |
|
Maximum RPM across all clients combined. |
|
int |
|
Maximum RPM per client IP. |
|
string[] |
|
Per-endpoint overrides as |
|
int |
|
How often to scan and remove idle client tracking entries (seconds). |
|
int |
|
Remove client entries idle longer than this (seconds). |
Example:
ros2_medkit_gateway:
ros__parameters:
rate_limiting:
enabled: true
global_requests_per_minute: 600
client_requests_per_minute: 60
endpoint_limits: ["/api/v1/*/operations/*:10"]
See REST API Reference for rate limiting response headers and 429 behavior.
Authentication
JWT-based authentication with Role-Based Access Control (RBAC). Disabled by default for local development.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable/disable JWT authentication. |
|
string |
|
JWT signing secret. For HS256: the shared secret string. For RS256: path to the private key file (PEM format). |
|
string |
|
Path to public key file for RS256. Required for RS256, optional for HS256. |
|
string |
|
JWT signing algorithm: |
|
int |
|
Access token validity period in seconds (1 hour). |
|
int |
|
Refresh token validity period in seconds (24 hours). Must be >= |
|
string |
|
When to require authentication: |
|
string |
|
JWT issuer claim ( |
|
string[] |
|
Pre-configured clients as |
Note
RBAC roles and their permissions:
viewer - Read-only access (GET on areas, components, data, faults)
operator - Viewer + trigger operations, acknowledge faults, publish data
configurator - Operator + modify/reset configurations
admin - Full access including auth management
Danger
The example below uses placeholder secrets for illustration only.
In production, generate secrets with openssl rand -base64 32 and
never commit them to configuration files. Use environment variable
substitution or a secrets manager.
Example:
ros2_medkit_gateway:
ros__parameters:
auth:
enabled: true
jwt_secret: "CHANGE-ME-use-openssl-rand-base64-32"
jwt_algorithm: "HS256"
require_auth_for: "write"
token_expiry_seconds: 3600
clients: ["admin:REPLACE_WITH_STRONG_SECRET:admin", "viewer:REPLACE_WITH_STRONG_SECRET:viewer"]
See Configuring Authentication for a complete setup tutorial.
Plugin Framework
Extend the gateway with custom plugins loaded from shared libraries (.so).
Plugins can implement provider interfaces (e.g., UpdateProvider, IntrospectionProvider)
that are automatically detected and wired into the gateway’s subsystem managers.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
string[] |
|
List of plugin names to load. Each plugin requires a corresponding |
|
string |
(required) |
Absolute path to the plugin |
Plugin loading lifecycle:
Shared library is loaded via
dlopenwithRTLD_NOW | RTLD_LOCALAPI version is checked (must match gateway headers)
create_plugin()factory is called to instantiate the pluginProvider interfaces are queried via
extern "C"functionsconfigure()is called with per-plugin configset_context()passes the gateway context to the pluginregister_routes()allows the plugin to add custom REST endpoints
Error isolation: if a plugin throws during any lifecycle call, it is disabled without crashing the gateway. Other plugins continue to operate normally.
Example:
ros2_medkit_gateway:
ros__parameters:
plugins: ["my_ota_plugin"]
plugins.my_ota_plugin.path: "/opt/ros2_medkit/lib/libmy_ota_plugin.so"
Software Updates
Configure the software updates system. Updates are disabled by default.
When enabled, a plugin implementing UpdateProvider is required to provide
the backend functionality (see Plugin Framework above).
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable/disable software updates endpoints. When disabled, |
Example:
ros2_medkit_gateway:
ros__parameters:
plugins: ["my_update_plugin"]
plugins.my_update_plugin.path: "/opt/ros2_medkit/lib/libmy_update_plugin.so"
updates:
enabled: true
Complete Example
ros2_medkit_gateway:
ros__parameters:
server:
host: "0.0.0.0"
port: 8080
tls:
enabled: false
refresh_interval_ms: 5000
max_parallel_topic_samples: 30
topic_sample_timeout_sec: 3.0
cors:
allowed_origins: ["http://localhost:5173", "https://dashboard.example.com"]
allowed_methods: ["GET", "PUT", "POST", "DELETE", "OPTIONS"]
allowed_headers: ["Content-Type", "Accept", "Authorization"]
allow_credentials: true
max_age_seconds: 86400
bulk_data:
storage_dir: "/var/ros2_medkit/bulk_data"
max_upload_size: 104857600
categories: ["calibration", "firmware"]
sse:
max_clients: 10
max_subscriptions: 100
max_duration_sec: 3600
triggers:
enabled: true
max_triggers: 1000
on_restart_behavior: "reset"
logs:
buffer_size: 200
plugins: ["my_ota_plugin"]
plugins.my_ota_plugin.path: "/opt/ros2_medkit/lib/libmy_ota_plugin.so"
updates:
enabled: true
auth:
enabled: true
jwt_secret: "CHANGE-ME-use-openssl-rand-base64-32"
jwt_algorithm: "HS256"
require_auth_for: "write"
clients: ["admin:REPLACE_WITH_STRONG_SECRET:admin"]
rate_limiting:
enabled: false
scripts:
scripts_dir: "/var/ros2_medkit/scripts"
allow_uploads: true
max_concurrent_executions: 5
API Documentation
Configure the self-describing OpenAPI capability description endpoint.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable/disable |
Build option: ENABLE_SWAGGER_UI
Set -DENABLE_SWAGGER_UI=ON during CMake configure to embed Swagger UI assets
in the gateway binary. This provides an interactive API browser at
/api/v1/swagger-ui. Requires network access to download assets from unpkg.com
during configure. Disabled by default.
Example:
ros2_medkit_gateway:
ros__parameters:
docs:
enabled: true
Scripts
Diagnostic scripts: upload, manage, and execute scripts on entities. Set
scripts.scripts_dir to a directory path to enable the feature. When left
empty, all script endpoints return HTTP 501.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
string |
|
Directory for storing uploaded scripts. Empty string disables the feature. |
|
bool |
|
Allow uploading scripts via HTTP. Set to |
|
int |
|
Maximum uploaded script file size in megabytes. |
|
int |
|
Maximum number of scripts executing concurrently. |
|
int |
|
Default timeout per execution in seconds (5 minutes). |
|
int |
|
Maximum number of completed executions to keep in memory. Oldest completed entries are evicted when this limit is exceeded. |
Example:
ros2_medkit_gateway:
ros__parameters:
scripts:
scripts_dir: "/var/ros2_medkit/scripts"
allow_uploads: true
max_file_size_mb: 10
max_concurrent_executions: 5
default_timeout_sec: 300
Locking
SOVD resource locking (ISO 17978-3, Section 7.17). Clients acquire locks on components and apps to prevent concurrent modification.
Parameter |
Type |
Default |
Description |
|---|---|---|---|
|
bool |
|
Enable the LockManager and lock endpoints |
|
int |
|
Maximum lock TTL in seconds |
|
int |
|
Seconds between expired lock cleanup sweeps |
|
[string] |
|
Collections requiring a lock on components (empty = no requirement) |
|
bool |
|
Whether component locks can be broken |
|
[string] |
|
Collections requiring a lock on apps (empty = no requirement) |
|
bool |
|
Whether app locks can be broken |
Per-entity overrides are configured in the manifest lock: section.
See Manifest Schema Reference and Locking API.
See Also
Configuring Authentication - JWT authentication setup
Configuring HTTPS/TLS - HTTPS configuration
Discovery Options Reference - Discovery and entity mapping options