The Tungsten Cluster Manager listens on port 8090 for API calls, so we configure the HAProxy listener ports so that they do not conflict with it.
As of v1.0.11-2, the default listener port for HAProxy is 8201, changed from 8091 to prevent port conflicts with Prometheus exporters when installed on a Tungsten v7+ cluster node.
There must be one frontend per cluster, so the first cluster is assigned the default listener port number 8201.
In the examples below, we assign frontend port 8201 to the composite global, frontend port 8202 to the cluster east and frontend port 8203 to the cluster west.
It is imperative that there be one backend per cluster containing all nodes in that cluster. In the case of a composite, the backend should contain all nodes from all member clusters.
In the examples below, backend east contains member nodes db1-3, backend west contains nodes db4-6 and backend global contains nodes db1-6.
NOTE: See haproxy.cfg in the examples/ directory for a more complete sample config to be used locally on a web server or jump host.
Install and prepare the HAProxy deployment:
shell> sudo -i
shell> yum install haproxy
shell> cd /etc/haproxy/
shell> cp haproxy.cfg haproxy.cfg.orig
Generate the custom frontend and backend definitions for HAProxy from the /etc/tungsten/tungsten.ini file.
The following will only work on a host where Tungsten Clustering is installed and a valid /etc/tungsten/tungsten.ini file exists.
Create cluster-specific HAProxy entries. For example, perform this command on a single database node per cluster:
shell> tpm generate-haproxy-for-api --port 8201 >> haproxy/haproxy.cfg
Edit /etc/haproxy/haproxy.cfg and define the global options, defaults, frontend listeners, backend services and associated hosts using the provided defaults below and the output from above:
shell> vim /etc/haproxy/haproxy.cfg
global
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option redispatch
    retries 3
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s
    maxconn 3000

# One frontend per cluster; listener ports start at 8201 to stay clear of the Manager API port 8090
frontend world
    bind *:8201
    default_backend global

frontend east
    bind *:8202
    default_backend east

frontend west
    bind *:8203
    default_backend west

# Composite backend: all nodes from all member clusters.
# The name must match the default_backend of the frontend on port 8201.
backend global
    balance roundrobin
    server db1 db1.yourdomain.com:8090 check
    server db2 db2.yourdomain.com:8090 check
    server db3 db3.yourdomain.com:8090 check
    server db4 db4.yourdomain.com:8090 check
    server db5 db5.yourdomain.com:8090 check
    server db6 db6.yourdomain.com:8090 check

backend east
    balance roundrobin
    server db1 db1.yourdomain.com:8090 check
    server db2 db2.yourdomain.com:8090 check
    server db3 db3.yourdomain.com:8090 check

backend west
    balance roundrobin
    server db4 db4.yourdomain.com:8090 check
    server db5 db5.yourdomain.com:8090 check
    server db6 db6.yourdomain.com:8090 check
Configure start at boot:
shell> sudo chkconfig haproxy on
~OR~
shell> sudo systemctl enable haproxy
Restart the HAProxy service:
shell> sudo service haproxy restart
~OR~
shell> sudo systemctl restart haproxy
Verify that HAProxy has started properly:
shell> sudo service haproxy status
~OR~
shell> sudo systemctl status haproxy
shell> sudo socat stdio /var/lib/haproxy/stats | grep -i stat
shell> telnet localhost 8201
shell> telnet localhost 8202
shell> telnet localhost 8203
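A pre-restart check of the layout rules stated above (frontend ports that are unique and avoid the Manager's port 8090, every default_backend defined, composite backend equal to the union of its member clusters), as an added example that is not part of the original page or of the Tungsten tooling. The function names, the SAMPLE config and its example.com hostnames are assumptions constructed for illustration.

```python
MANAGER_API_PORT = 8090  # Tungsten Cluster Manager API port, per the page
def parse(text):
    """Map (section kind, section name) -> list of directive word lists."""
    out, cur = {}, None
    for line in text.splitlines():
        w = line.split("#", 1)[0].split()
        if w and w[0] in ("global", "defaults", "listen", "frontend", "backend"):
            cur = out.setdefault((w[0], w[1] if len(w) > 1 else ""), [])
        elif w and cur is not None:
            cur.append(w)
    return out

def check(text, composite, members):
    """Return a list of problems; an empty list means the layout is consistent."""
    cfg = parse(text)
    servers = {name: {w[2] for w in d if w[0] == "server" and len(w) > 2}
               for (kind, name), d in cfg.items() if kind == "backend"}
    problems, seen = [], {}
    for (kind, fe), d in cfg.items():
        for w in (d if kind == "frontend" else []):
            if w[0] == "default_backend" and w[-1] not in servers:
                problems.append(f"frontend {fe}: default_backend {w[-1]} is undefined")
            port = w[1].rpartition(":")[2] if w[0] == "bind" and len(w) > 1 else ""
            if port == str(MANAGER_API_PORT):
                problems.append(f"frontend {fe}: port {port} is the Manager API port")
            if port and port in seen:
                problems.append(f"frontend {fe}: port {port} already bound by {seen[port]}")
            seen.setdefault(port, fe)
    union = set().union(*(servers.get(m, set()) for m in members))
    if servers.get(composite, set()) != union:
        problems.append(f"backend {composite}: servers are not the union of {members}")
    return problems

# Constructed sample with three deliberate mistakes; hostnames are placeholders.
SAMPLE = """
frontend world
  bind *:8201
  default_backend global
frontend east
  bind *:8201
  default_backend eats
backend global
  server db1 db1.example.com:8090 check
backend east
  server db1 db1.example.com:8090 check
backend west
  server db4 db4.example.com:8090 check"""
if __name__ == "__main__":
    print("\n".join(check(SAMPLE, "global", ["east", "west"])))
```

HAProxy's own `haproxy -c -f /etc/haproxy/haproxy.cfg` validates syntax; this check covers the cluster layout rules that HAProxy has no knowledge of.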
There are additional steps to take when SELinux is enabled.
To check if SELinux is enabled:
shell> getenforce
shell> sestatus
These are example extra steps to take if SELinux is enabled:
shell> sudo setsebool -P httpd_can_network_connect 1
shell> sudo setsebool -P haproxy_connect_any 1
shell> sudo systemctl restart haproxy
Be sure to check the audit.log for any denied messages containing haproxy.
Here are two example commands to help troubleshoot SELinux and HAProxy:
shell> ausearch -m avc -c haproxy
shell> grep haproxy /var/log/audit/audit.log
For more information about HAProxy, please visit http://www.haproxy.org