Tungsten Dashboard

Install and Configure HAProxy

The Tungsten Cluster Manager listens on port 8090 for API calls, so the HAProxy listener ports are chosen to avoid conflicting with it.

Behavior Change

Behavior Change since 1.0.11-2.

The default listener port for HAProxy is 8201, changed from 8091 to prevent port conflicts with Prometheus exporters when installed on a Tungsten v7+ cluster node.

There must be one frontend per cluster, so the first cluster is assigned the default listener port number 8201.

In the examples below, we assign frontend port 8201 to the composite global, frontend port 8202 to the cluster east and frontend port 8203 to the cluster west.

It is imperative that there be one backend per cluster containing all nodes in that cluster. In the case of a composite, the backend should contain all nodes from all member clusters.

In the examples below, backend east contains member nodes db1-3, backend west contains nodes db4-6, and backend global contains nodes db1-6.

note

See haproxy.cfg in the examples/ directory for a more complete sample config to be used locally on a web server or jump host.

Install and Prepare HAProxy

Install and prepare the HAProxy deployment:

shell> sudo -i
shell> yum install haproxy
shell> cd /etc/haproxy/
shell> cp haproxy.cfg haproxy.cfg.orig

Generate the Frontend and Backend Definitions

Generate the custom frontend and backend definitions for HAProxy from the /etc/tungsten/tungsten.ini file.

important

The following will only work on a host where Tungsten Clustering is installed and a valid /etc/tungsten/tungsten.ini file exists.

Create cluster-specific HAProxy entries - for example, perform this command on a single database node per cluster:

shell> tpm generate-haproxy-for-api --port 8201 >> haproxy/haproxy.cfg

Modify the HAProxy Configuration File

Edit /etc/haproxy/haproxy.cfg and define the global options, defaults, frontend listeners, backend services and associated hosts using the provided defaults below and the output from above:

shell> vim /etc/haproxy/haproxy.cfg
global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon

# turn on stats unix socket
stats socket /var/lib/haproxy/stats

defaults
mode tcp
log global
option tcplog
option dontlognull
option redispatch
retries 3
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
maxconn 3000

frontend world
bind *:8201
default_backend global

frontend east
bind *:8202
default_backend east

frontend west
bind *:8203
default_backend west

# composite backend: the name must match default_backend in frontend world
backend global
balance roundrobin
server db1 db1.yourdomain.com:8090 check
server db2 db2.yourdomain.com:8090 check
server db3 db3.yourdomain.com:8090 check
server db4 db4.yourdomain.com:8090 check
server db5 db5.yourdomain.com:8090 check
server db6 db6.yourdomain.com:8090 check

backend east
balance roundrobin
server db1 db1.yourdomain.com:8090 check
server db2 db2.yourdomain.com:8090 check
server db3 db3.yourdomain.com:8090 check

backend west
balance roundrobin
server db4 db4.yourdomain.com:8090 check
server db5 db5.yourdomain.com:8090 check
server db6 db6.yourdomain.com:8090 check
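
A pre-restart check for the layout rules above: every frontend's default_backend must exist, no listener may reuse a port or the Manager's port 8090, and the composite backend must hold every member node. This is an added example, not part of the Tungsten tooling; the function names `parse` and `lint` and the sample config are constructed for illustration.

```python
import re

MANAGER_PORT = 8090  # Tungsten Manager API port, as stated on this page

def parse(cfg):
    """Return ({frontend: {ports, backend}}, {backend: set of server addresses})."""
    fes, bes, cur = {}, {}, None
    for line in cfg.splitlines():
        w = line.split("#", 1)[0].split() + ["", "", ""]  # pad so w[0..2] exist
        if w[0] in ("global", "defaults", "listen"):
            cur = None  # sections this check does not inspect
        elif w[0] == "frontend":
            cur = fes.setdefault(w[1], {"ports": [], "backend": None})
        elif w[0] == "backend":
            cur = bes.setdefault(w[1], set())
        elif isinstance(cur, dict) and w[0] == "bind":
            cur["ports"] += [int(p) for p in re.findall(r":(\d+)(?:,|$)", w[1])]
        elif isinstance(cur, dict) and w[0] == "default_backend":
            cur["backend"] = w[1]
        elif isinstance(cur, set) and w[0] == "server":
            cur.add(w[2])
    return fes, bes

def lint(cfg, composite=None, members=()):
    """List violations of the frontend/backend layout rules described above."""
    fes, bes = parse(cfg)
    problems, used = [], {MANAGER_PORT: "the Manager API"}
    for name, fe in fes.items():
        if fe["backend"] not in bes:
            problems.append(f"frontend {name}: backend {fe['backend']} is undefined")
        for port in fe["ports"]:
            if port in used:
                problems.append(f"frontend {name}: port {port} taken by {used[port]}")
            used.setdefault(port, f"frontend {name}")
    if composite is not None:  # composite backend must hold every member node
        want = set().union(*(bes.get(m, set()) for m in members))
        for addr in sorted(want - bes.get(composite, set())):
            problems.append(f"backend {composite}: missing server {addr}")
    return problems

# Constructed sample: default_backend names no backend, composite lacks db2.
SAMPLE = """frontend world
    bind *:8201
    default_backend global
backend world
    server db1 db1.yourdomain.com:8090 check
backend east
    server db1 db1.yourdomain.com:8090 check
    server db2 db2.yourdomain.com:8090 check"""
```

HAProxy's own `haproxy -c -f /etc/haproxy/haproxy.cfg` validates syntax; this check covers the cluster layout rules, for example `lint(open("/etc/haproxy/haproxy.cfg").read(), composite="global", members=("east", "west"))`.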

Ensure HAProxy Starts at Boot

Configure start at boot:

shell> sudo chkconfig haproxy on
~OR~
shell> sudo systemctl enable haproxy

Restart HAProxy

Restart the HAProxy service:

shell> sudo service haproxy restart
~OR~
shell> sudo systemctl restart haproxy

Verify HAProxy Started

Verify that HAProxy has started properly:

shell> sudo service haproxy status
~OR~
shell> sudo systemctl status haproxy

shell> echo "show stat" | sudo socat stdio /var/lib/haproxy/stats
shell> telnet localhost 8201
shell> telnet localhost 8202
shell> telnet localhost 8203

Configure SELinux for HAProxy

warning

There are additional steps to take when SELinux is enabled.

To check if SELinux is enabled:

shell> getenforce
shell> sestatus

These are example extra steps to take if SELinux is enabled:

shell> sudo setsebool -P httpd_can_network_connect 1
shell> sudo setsebool -P haproxy_connect_any 1
shell> sudo systemctl restart haproxy

Check /var/log/audit/audit.log for any denied messages that mention haproxy.

Here are two example commands to help troubleshoot SELinux and HAProxy:

shell> ausearch -m avc -c haproxy
shell> grep haproxy /var/log/audit/audit.log

For more information about HAProxy, please visit http://www.haproxy.org