Runbook — Self-Hosting CVAT for the Inter-Rater Study (P1)
Goal: stand up a private, local CVAT instance so ≥2 annotators can label the validation subset and we can compute inter-rater κ — without sending intraoperative video to any third party.
Decision context: CVAT chosen over Encord (see validation-plan P1). This runbook covers the self-hosted Community Edition (free, best privacy story). If annotators are remote and can’t share a local network, fall back to CVAT Online Team (~$23/user/mo) and skip this.
Skill level: comfortable with a terminal. No coding. ~1–2 hours first time.
1. Hardware
The CVAT server is light; disk is the only spec to size deliberately (surgical video is large). The annotators’ laptops matter more than the server because the UI is browser-side.
| Role | Spec | Notes |
|---|---|---|
| Server box | 4 CPU cores, 8–16 GB RAM | Min is 2 cores / 4 GB; any modern desktop/Mac Mini/spare laptop clears this |
| Server disk | 256 GB–1 TB free | CVAT stores uploaded video + an extracted frame cache. Size to the video you host |
| GPU | none | Only needed for AI auto-annotation, which we don’t use for manual κ work |
| Annotator laptops | 16 GB RAM, recent Chrome | Bounding-box-on-video is memory-hungry client-side |
Disk-saving move: for P1, upload only the 3–5 cases / ~60 min being double-annotated, not all 16 cases. That drops the footprint to tens of GB — almost anything works as the server.
Where to run it: a machine on the lab/OR network that annotators can reach. Keep it local-only (not exposed to the public internet) — that’s the easy and IRB-clean configuration.
2. Prerequisites (install once)
- Docker Engine 20.10+ and the Docker Compose v2 plugin.
- Linux (Ubuntu): follow Docker’s official apt install (adds Docker’s GPG key + repo, installs
docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin). - macOS / Windows: install Docker Desktop (bundles Compose).
- Linux (Ubuntu): follow Docker’s official apt install (adds Docker’s GPG key + repo, installs
- Git (to clone the CVAT source).
- Confirm both work:
docker --version docker compose version git --version
3. Install CVAT
# 1. Get the full source (not just the compose file)
git clone https://github.com/cvat-ai/cvat
cd cvat
# 2. (local-only default) CVAT_HOST stays localhost — fine if annotators
# use this same machine. For other machines on the LAN, set the server's
# LAN IP instead:
export CVAT_HOST=<server-LAN-IP> # e.g. 192.168.1.50 ; skip for localhost-only
# 3. Start it
docker compose up -d
# 4. Create the admin account
docker exec -it cvat_server bash -ic 'python3 ~/manage.py createsuperuser'Then open http://localhost:8080 (or http://<server-LAN-IP>:8080 from another machine on the network) in Chrome and log in.
Do not open port 8080 to the internet. Keep access on the local network only. If remote access is genuinely required, that’s the harder HTTPS/TLS/firewall path — get technical help or use CVAT Online instead.
4. Set up the annotation work
- Create a user account for each annotator (Admin panel → users), so contributions are attributable for the audit trail.
- Create a Project = “FESS Inter-Rater Validation”. Load the label set by importing
specs/cvat-labels.jsoninto the project’s Raw labels editor (one paste — no hand-typing). It encodes the annotation-protocol exactly: 9 instrument rectangle labels with anactivecheckbox + 4 event tags. The annotation-protocol is the standard κ is measured against. - Create a Task per case/clip, upload the video. For an honest inter-rater study, have each annotator label independently — either duplicate tasks per annotator, or assign separate Jobs, so they don’t see each other’s boxes.
- Export annotations (COCO / CVAT XML) → feed into the κ / IoU / ICC computation (the
data:statistical-analysisskill can do this).
5. Ongoing upkeep (light)
- Backups — CVAT keeps everything in Docker volumes (
cvat_db,cvat_data,cvat_keys,cvat_logs,cvat_inmem_db,cvat_cache_db). Back upcvat_db(annotations) +cvat_data(media) regularly. This is your ground truth — don’t lose it. - Upgrades —
docker compose pull && docker compose up -dperiodically; check the CVAT upgrade guide before major version jumps. - Stop / start —
docker compose down(keeps data) /docker compose up -d.
6. Privacy / IRB notes
- Local-only deployment means OR video never leaves infrastructure you control — aligns with the grant’s “privacy by design” framing.
- Confirm the server box’s disk encryption + access controls meet your IRB / data-use terms before uploading patient video.
Decision: self-hosted vs CVAT Online
| Self-host (this runbook) | CVAT Online Team | |
|---|---|---|
| Cost | $0 + a machine | ~$23/user/mo annual |
| Setup | 1–2 hrs, terminal | instant |
| Privacy | best (you control it) | data on CVAT’s cloud |
| Best when | annotators share a LAN | annotators are remote |
Rule of thumb: can all annotators work on one machine / one local network? → self-host. Scattered/remote? → CVAT Online.
Links
- validation-plan — P1 inter-rater study this supports
- detection-ontology — the label set CVAT projects use
- FESS Cases Clean Dataset — source cases to upload (validation subset)
- CVAT install docs: https://docs.cvat.ai/docs/administration/community/basics/installation/