Chapter 9. Install and Configure HAProxy

The Tungsten Cluster Manager listens on port 8090 for API calls, so the HAProxy listener ports are configured to avoid conflicting with it.

As of v1.0.11-2, the default listener port for HAProxy is 8201, changed from 8091 to prevent port conflicts with Prometheus exporters when installed on a Tungsten v7+ cluster node.

There must be one frontend per cluster, so the first cluster is assigned the default listener port number 8201.

In the examples below, we assign frontend port 8201 to the composite global, frontend port 8202 to the cluster east and frontend port 8203 to the cluster west.

It is imperative that there be one backend per cluster containing all nodes in that cluster. In the case of a composite, the backend should contain all nodes from all member clusters.

In the examples below, backend east contains member nodes db1-3, backend west contains nodes db4-6 and backend global contains nodes db1-6.

NOTE: See haproxy.cfg in the examples/ directory for a more complete sample config to be used locally on a web server or jump host.

9.1. Install and Prepare HAProxy

Install and prepare the HAProxy deployment:

shell> sudo -i
shell> yum install haproxy
shell> cd /etc/haproxy/
shell> cp haproxy.cfg haproxy.cfg.orig

9.2. Generate the Frontend and Backend Definitions

Generate the custom frontend and backend definitions for HAProxy from the /etc/tungsten/tungsten.ini file.

Important

The following will only work on a host where Tungsten Clustering is installed and a valid /etc/tungsten/tungsten.ini file exists.

Create cluster-specific HAProxy entries - for example, perform this command on a single database node per cluster:

shell> tpm generate-haproxy-for-api --port 8201 >> haproxy/haproxy.cfg

9.3. Modify the HAProxy Configuration File

Edit /etc/haproxy/haproxy.cfg and define the global options, defaults, frontend listeners, backend services and associated hosts using the provided defaults below and the output from above:

shell> vim /etc/haproxy/haproxy.cfg

global
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option                  redispatch
    retries                 3
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout check           10s
    maxconn                 3000

frontend world
    bind *:8201
    default_backend             global

frontend east
    bind *:8202
    default_backend             east

frontend west
    bind *:8203
    default_backend             west

backend global
    balance     roundrobin
    server  db1 db1.yourdomain.com:8090 check
    server  db2 db2.yourdomain.com:8090 check
    server  db3 db3.yourdomain.com:8090 check
    server  db4 db4.yourdomain.com:8090 check
    server  db5 db5.yourdomain.com:8090 check
    server  db6 db6.yourdomain.com:8090 check

backend east
    balance     roundrobin
    server  db1 db1.yourdomain.com:8090 check
    server  db2 db2.yourdomain.com:8090 check
    server  db3 db3.yourdomain.com:8090 check

backend west
    balance     roundrobin
    server  db4 db4.yourdomain.com:8090 check
    server  db5 db5.yourdomain.com:8090 check
    server  db6 db6.yourdomain.com:8090 check
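
The rules this chapter states for the configuration (each frontend's default_backend must name a defined backend, no listener may use the Manager API port 8090, and backend servers point at port 8090) can be checked before restarting HAProxy. The following is an added example, not part of the original documentation or of Tungsten; the function name lint_haproxy_cfg and the sample input are assumptions made for illustration. It also reports frontends bound to all interfaces, since the sample config is meant for local use on a web server or jump host.

```python
MANAGER_API_PORT = "8090"  # Tungsten Cluster Manager API port named in this chapter
# Constructed sample input with deliberate mistakes; not a real deployment.
SAMPLE_CFG = """\
frontend world
    bind *:8201
    default_backend global
frontend east
    bind 127.0.0.1:8090
    default_backend east
backend world
    server db1 db1.yourdomain.com:8090 check
backend east
    server db1 db1.yourdomain.com:8091 check
"""

def lint_haproxy_cfg(text):
    """Return findings (strings) for the frontend/backend rules in this chapter."""
    frontends, backends, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if words and words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = None  # new section; only named frontends/backends are tracked
            if words[0] == "frontend" and len(words) > 1:
                current = frontends.setdefault(words[1], {"binds": [], "backend": None})
            elif words[0] == "backend" and len(words) > 1:
                current = backends.setdefault(words[1], {"servers": []})
        elif current is not None and len(words) > 1:
            if words[0] == "bind" and "binds" in current:
                current["binds"].append(words[1])
            elif words[0] == "default_backend" and "binds" in current:
                current["backend"] = words[1]
            elif words[0] == "server" and "servers" in current and len(words) > 2:
                current["servers"].append((words[1], words[2]))
    findings = []
    for name, fe in frontends.items():
        if fe["backend"] not in backends:
            findings.append(f"frontend {name}: default_backend {fe['backend']} is not defined")
        for bind in fe["binds"]:
            addr, sep, port = bind.rpartition(":")
            if port == MANAGER_API_PORT:
                findings.append(f"frontend {name}: port {port} conflicts with the Manager API")
            if sep and addr in ("*", "", "0.0.0.0"):
                findings.append(f"frontend {name}: {bind} listens on all interfaces")
    for name, be in backends.items():
        for srv, addr in be["servers"]:
            if addr.rpartition(":")[2] != MANAGER_API_PORT:
                findings.append(f"backend {name}: server {srv} is not on port {MANAGER_API_PORT}")
    return findings
```

To check a real file, pass the contents of /etc/haproxy/haproxy.cfg to lint_haproxy_cfg and review each finding; an empty list means none of these rules was violated.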

9.4. Ensure HAProxy Starts at Boot

Configure start at boot:

shell> sudo chkconfig haproxy on
~OR~
shell> sudo systemctl enable haproxy

9.5. Restart HAProxy

Restart the HAProxy service:

shell> sudo service haproxy restart
~OR~
shell> sudo systemctl restart haproxy

9.6. Verify HAProxy Started

Verify that HAProxy has started properly:

shell> sudo service haproxy status
~OR~
shell> sudo systemctl status haproxy

shell> echo "show stat" | sudo socat stdio /var/lib/haproxy/stats
shell> telnet localhost 8201
shell> telnet localhost 8202
shell> telnet localhost 8203

9.7. Configure SELinux for HAProxy

Warning

There are additional steps to take when SELinux is enabled.

To check if SELinux is enabled:

shell> getenforce
shell> sestatus

These are example extra steps to take if SELinux is enabled:

shell> sudo setsebool -P httpd_can_network_connect 1
shell> sudo setsebool -P haproxy_connect_any 1
shell> sudo systemctl restart haproxy

Be sure to check audit.log for any denied messages containing haproxy.

Here are two example commands to help troubleshoot SELinux and HAProxy:

shell> ausearch -m avc -c haproxy
shell> grep haproxy /var/log/audit/audit.log

For more information about HAProxy, please visit http://www.haproxy.org