Re: The gap between ``Total'' and ``LbTot'' in stats page

2009-03-17 Thread Sun Yijiang
Backend servers were down about 2 hours during the 37 hour up time.  Session
limits have been reached for frontend and all backend servers.  Retr 138,
Redis 0 for Backend.

2009/3/17 John Lauro 

>  Mine don’t appear to have that much difference.  Are any of the servers
> down, or maybe reaching their session limits?  What’s your retr and redis
> look like?
>
>
>
> *From:* Sun Yijiang [mailto:sunyiji...@gmail.com]
> *Sent:* Tuesday, March 17, 2009 3:18 AM
> *To:* kuan...@mail.51.com
> *Cc:* haproxy@formilux.org
> *Subject:* Re: The gap between ``Total'' and ``LbTot'' in stats page
>
>
>
> Yeah, that's clear, thanks.  I just wonder why ``LbTot'' is much smaller
> than ``Total''.
>
> 2009/3/17 FinalBSD 
>
> check it here: http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
>
> 30. lbtot: total number of times a server was selected
>
>
>
>  On Tue, Mar 17, 2009 at 1:56 PM, Sun Yijiang 
> wrote:
>
> Hi you guys,
>
> I noticed that there's a huge gap between ``Total'' and ``LbTot'' numbers
> in the stats page.  LbTot is only about 25% of Total sessions for backend
> server.  Is this the normal case?  What do they mean exactly?  I've read the
> source code for a while but could not find a clear answer.
>
> Thanks in advance.
>
>
> Steve


Re: Multiple Proxies

2009-03-17 Thread Guillaume Bourque

Jan-Frode Myklebust wrote:

> On 2009-03-17, John Lauro  wrote:
>> You need to explain a little more, as I am not understanding something.
>> Perhaps what you mean by VIP?
>
> Virtual IP address. With heartbeat, one normally has one statically defined
> ip-address on the frontend interface on each server, and then additionally
> one or more VIPs that can be moved between servers.
>
> Server1 has static IP on eth0 and the VIP eth0:1
> Server2 has static IP on eth0
>
> If server1 fails, server2 takes over eth0:1.
>
>> If they share the same single VIP at the same time, then why would you use
>> round-robin DNS?  Round-robin is for multiple IP addresses...?
>
> I use one VIP on each server, and use round robin DNS to distribute the
> load over all the servers. If one of the servers goes down / is taken down
> for maintenance, I move its VIP to the other server.
>
>> Also, if you do a virtual IP like Microsoft Windows does for their multicast
>> load balancing, that is just plain nasty to your network infrastructure if
>> you have more than those servers on the same subnet and IMHO really doesn't
>> scale well...

It's true that Micro$oft uses a lot of bandwidth, but keepalived and
heartbeat don't!  They generate a low traffic impact.  You can also
specify the frequency of the multicast, which can be 1 / sec if you want.

Also, if you're worried about multicast, you can specify on which NIC the
multicast will happen. What we usually do is connect a cross cable
between server1 and server2 on a separate NIC, and we tell keepalived
to use that separate NIC for cluster traffic (the traffic that tells
which servers are up, not the actual web traffic).

Cheers.

> That doesn't sound like what we do, no.
>
>> If you meant a different VIP instead of one bound to each server, I could
>> understand that.  However, 50% of the clients will feel the hit when first
>> connecting if a server is down.
>
> Not when the VIP moves over to the server that's still up, which is what
> heartbeat does for me.
>
>   -jf


  



--
Guillaume Bourque, B.Sc.,
consultant, free technology infrastructures!
514 576-7638
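
The layout discussed in this thread (one VIP per server, round-robin DNS across both VIPs, cluster traffic on a dedicated crossover NIC, one advert per second) could look like this with keepalived on server1. This is an added example, not a configuration posted by anyone in the thread; the addresses (192.0.2.0/24 documentation range), the eth1 crossover interface, the router ids, the priorities and the password placeholder are assumptions.

```conf
# keepalived.conf on server1 (constructed example; all values are assumptions)

# Exit status 0 while an haproxy process exists; a failing check puts the
# instances that track it into FAULT state so the peer takes their VIP.
vrrp_script chk_haproxy {
    script "/usr/bin/killall -0 haproxy"
    interval 2
    fall 2
    rise 2
}

# VIP A: normally held by server1
vrrp_instance VIP_A {
    state MASTER
    # VRRP adverts travel over the crossover link, not the public NIC
    interface eth1
    virtual_router_id 51
    # server2 uses 100 for this instance
    priority 150
    # one advert per second
    advert_int 1
    authentication {
        auth_type PASS
        # placeholder; PASS is sent in clear text, keep it on the private link
        auth_pass CHANGEME
    }
    virtual_ipaddress {
        # address that clients reach, bound on the frontend interface
        192.0.2.10/24 dev eth0
    }
    track_script {
        chk_haproxy
    }
}

# VIP B: normally held by server2, server1 is its backup
vrrp_instance VIP_B {
    state BACKUP
    interface eth1
    virtual_router_id 52
    # server2 uses 150 for this instance
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGEME
    }
    virtual_ipaddress {
        192.0.2.11/24 dev eth0
    }
    track_script {
        chk_haproxy
    }
}
```

server2 carries the same file with the states and priorities of the two instances swapped, and DNS publishes both 192.0.2.10 and 192.0.2.11 for the service name. If the crossover link is the only path for adverts and it fails, both nodes will claim both VIPs, so that link needs monitoring of its own.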




selinux policy for haproxy

2009-03-17 Thread Jan-Frode Myklebust
Here's an selinux policy for haproxy. The patch is built and lightly
tested with haproxy-1.3.15.7-1.fc10.i386 on Fedora9, and haproxy-1.2.18
on RHEL5. 

Please apply :-)


   -jf
From 68f90b363e04404541e93e2aa25305381856dc8f Mon Sep 17 00:00:00 2001
From: Jan-Frode Myklebust 
Date: Tue, 17 Mar 2009 21:08:21 +0100
Subject: [PATCH] Added a SElinux policy for haproxy.

---
 contrib/selinux/README |   18 ++
 contrib/selinux/haproxy.fc |6 
 contrib/selinux/haproxy.if |2 +
 contrib/selinux/haproxy.te |   55 
 4 files changed, 81 insertions(+), 0 deletions(-)
 create mode 100644 contrib/selinux/README
 create mode 100644 contrib/selinux/haproxy.fc
 create mode 100644 contrib/selinux/haproxy.if
 create mode 100644 contrib/selinux/haproxy.te

diff --git a/contrib/selinux/README b/contrib/selinux/README
new file mode 100644
index 000..7ad924d
--- /dev/null
+++ b/contrib/selinux/README
@@ -0,0 +1,18 @@
+This directory includes an selinux policy for haproxy. It assumes
+the following file locations:
+
+   /usr/sbin/haproxy   -- binary
+   /etc/haproxy/haproxy\.cfg   -- configuration
+   /var/run/haproxy\.pid   -- pid-file
+   /var/run/haproxy\.sock(.*)  -- stats socket
+   /var/empty/haproxy  -- chroot dir
+
+To build and load it on RHEL5 you'll need the "selinux-policy-devel" package,
+and from within this directory run:
+
+   make -f /usr/share/selinux/devel/Makefile
+   sudo semodule -i haproxy.pp
+   restorecon /usr/sbin/haproxy /etc/haproxy/haproxy.cfg 
/var/run/haproxy.pid /var/run/haproxy.sock*
+
+
+Feedback to Jan-Frode Myklebust  is much appreciated,
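Review bot: The restorecon line in the README relabels the binary, config, pid file and socket but leaves out /var/empty/haproxy, even though the chroot dir is listed among the assumed locations; either add it (with a matching haproxy.fc entry) or state that it keeps its default label. The same line is shown without sudo while the semodule line above it uses sudo, and the pid and socket paths only exist once haproxy has been started, which is worth saying. The build instructions mention RHEL5 only, and the closing sentence ends in a comma.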
diff --git a/contrib/selinux/haproxy.fc b/contrib/selinux/haproxy.fc
new file mode 100644
index 000..63a0828
--- /dev/null
+++ b/contrib/selinux/haproxy.fc
@@ -0,0 +1,6 @@
+# haproxy labeling policy
+# file: haproxy.fc
+/usr/sbin/haproxy   -- gen_context(system_u:object_r:haproxy_exec_t, 
s0)
+/etc/haproxy/haproxy\.cfg   -- gen_context(system_u:object_r:haproxy_conf_t, 
s0)
+/var/run/haproxy\.pid   -- 
gen_context(system_u:object_r:haproxy_var_run_t, s0)
+/var/run/haproxy\.sock(.*)  -- 
gen_context(system_u:object_r:haproxy_var_run_t, s0)
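Review bot: The stats socket entry in haproxy.fc uses the `--` file-type specifier, which matches regular files only, so `/var/run/haproxy\.sock(.*)` will not match the socket itself when restorecon is run; that line should use `-s`. The README lists /var/empty/haproxy as the chroot dir, but no context entry for it appears here, so the README and the labeling file should be brought in line.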
diff --git a/contrib/selinux/haproxy.if b/contrib/selinux/haproxy.if
new file mode 100644
index 000..236ad38
--- /dev/null
+++ b/contrib/selinux/haproxy.if
@@ -0,0 +1,2 @@
+## selinux policy module for haproxy
+
diff --git a/contrib/selinux/haproxy.te b/contrib/selinux/haproxy.te
new file mode 100644
index 000..024c02a
--- /dev/null
+++ b/contrib/selinux/haproxy.te
@@ -0,0 +1,55 @@
+policy_module(haproxy,1.0.0) 
+
+
+#
+# Declarations
+#
+
+type haproxy_t;
+type haproxy_exec_t;
+type haproxy_port_t;
+init_daemon_domain(haproxy_t, haproxy_exec_t)
+
+type haproxy_var_run_t;
+files_pid_file(haproxy_var_run_t)
+
+type haproxy_conf_t;
+files_config_file(haproxy_conf_t)
+
+
+#
+# Local policy
+#
+
+# Configuration files - read
+allow haproxy_t haproxy_conf_t : dir list_dir_perms;
+allow haproxy_t haproxy_conf_t : file read_file_perms;
+allow haproxy_t haproxy_conf_t : lnk_file read_file_perms;
+
+# PID and socket file - create, read, and write
+files_pid_filetrans(haproxy_t, haproxy_var_run_t, { file sock_file })
+allow haproxy_t haproxy_var_run_t:file manage_file_perms;
+allow haproxy_t haproxy_var_run_t:sock_file { create rename link setattr 
unlink };
+
+allow haproxy_t self : tcp_socket create_stream_socket_perms;
+allow haproxy_t self: udp_socket create_socket_perms;
+allow haproxy_t self: capability { setgid setuid sys_chroot sys_resource kill 
};
+allow haproxy_t self: process { setrlimit signal };
+
+
+logging_send_syslog_msg(haproxy_t)
+
+corenet_tcp_bind_all_ports(haproxy_t)
+corenet_tcp_connect_all_ports(haproxy_t)
+corenet_tcp_bind_all_nodes(haproxy_t)
+corenet_tcp_sendrecv_all_ports(haproxy_t)
+corenet_tcp_recvfrom_unlabeled(haproxy_t)
+
+# use shared libraries
+libs_use_ld_so(haproxy_t)
+libs_use_shared_libs(haproxy_t)
+
+# Read /etc/localtime:
+miscfiles_read_localization(haproxy_t)
+# Read /etc/passwd and more.
+files_read_etc_files(haproxy_t)
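Review bot: `type haproxy_port_t;` is declared in the Declarations section but never referenced, while `corenet_tcp_bind_all_ports` and `corenet_tcp_connect_all_ports` let haproxy_t bind and connect to every TCP port, which gives up most of the confinement a port type would provide. Either drop the unused type or make it a real port type and bind to it, and narrow the connect rule to the port types the backends actually use. The `capability` line also grants `kill` and the `udp_socket` line has no matching corenet UDP rules; a comment on why each is needed would help the next reader.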
-- 
1.6.0.6

From f35efb3db3082e70bca4864e3a7fce94217dafed Mon Sep 17 00:00:00 2001
From: Jan-Frode Myklebust 
Date: Tue, 17 Mar 2009 21:22:12 +0100
Subject: [PATCH] Some additional allows needed on RHEL5.

---
 contrib/selinux/haproxy.te |   11 +++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/contrib/selinux/haproxy.te b/contrib/selinux/haproxy.te
index 024c02a..ef94f3f 100644
--- a/contrib/selinux/haproxy.te
+++ b/contrib/selinux/haproxy.te
@@ -53,3 +53,14 @@ libs_use_shared_libs(haproxy_t)
 miscfiles_read_localization(haproxy_t)
 # Read /etc/passwd and more.
 files_read_etc_files(haproxy_t)
+
+# RHEL5 specific:
+require {
+   type unlabeled_t;
+   type haproxy_t;
+   class packet send;
+   
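Review bot: The require block names `type haproxy_t;`, which haproxy.te already declares itself in its Declarations section, so it does not need to be required again; only `unlabeled_t` and the `packet` class come from outside this module. The block is commented as RHEL5 specific but is added unconditionally, so it is compiled in on Fedora as well; say so in the comment or make it conditional. The rest of this hunk is cut off in this copy, so the rule that uses `packet send` cannot be reviewed here.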

Re: Multiple Proxies

2009-03-17 Thread Jan-Frode Myklebust
On 2009-03-17, John Lauro  wrote:
> You need to explain a little more, as I am not understanding something.
> Perhaps what you mean by VIP?

Virtual IP address. With heartbeat, one normally has one statically defined
ip-address on the frontend interface on each server, and then additionally
one or more VIPs that can be moved between servers.

Server1 has static IP on eth0 and the VIP eth0:1
Server2 has static IP on eth0

If server1 fails, server2 takes over eth0:1.

>
> If they share the same single VIP at the same time, then why would you use
> round-robin DNS?  Round-robin is for multiple IP addresses...?

I use one VIP on each server, and use round robin DNS to distribute the
load over all the servers. If one of the servers goes down / is taken down
for maintenance, I move its VIP to the other server.

>
> Also, if you do a virtual IP like Microsoft Windows does for their multicast
> load balancing, that is just plain nasty to your network infrastructure if
> you have more than those servers on the same subnet and IMHO really doesn't
> scale well...

That doesn't sound like what we do, no.

>
> If you meant a different VIP instead of one bound to each server, I could
> understand that.  However, 50% of the clients will feel the hit when first
> connecting if a server is down.

Not when the VIP moves over to the server that's still up, which is what
heartbeat does for me.


  -jf




RE: Multiple Proxies

2009-03-17 Thread John Lauro
You need to explain a little more, as I am not understanding something.
Perhaps what you mean by VIP?

If they share the same single VIP at the same time, then why would you use
round-robin DNS?  Round-robin is for multiple IP addresses...?

Also, if you do a virtual IP like Microsoft Windows does for their multicast
load balancing, that is just plain nasty to your network infrastructure if
you have more than those servers on the same subnet and IMHO really doesn't
scale well...


If you meant a different VIP instead of one bound to each server, I could
understand that.  However, 50% of the clients will feel the hit when first
connecting if a server is down.



> -Original Message-
> From: news [mailto:n...@ger.gmane.org] On Behalf Of Jan-Frode Myklebust
> Sent: Tuesday, March 17, 2009 2:53 PM
> To: haproxy@formilux.org
> Subject: Re: Multiple Proxies
> 
> I would use one VIP bound to each server, and use round-robin DNS to
> distribute the load over them. And with cookies for pinning it
> shouldn't
> matter to the clients which VIP it reaches.
> 
> 
>-jf





Re: Multiple Proxies

2009-03-17 Thread Jan-Frode Myklebust
On 2009-03-17, Joseph Hardeman  wrote:
>
> John is right, the way to do this is to use either heartbeat or 
> keepalive and fail over a VIP to a secondary machine in case the first 
> has issues.  Make sure your haproxy files are identical and then test 
> the failover. 

I would use one VIP bound to each server, and use round-robin DNS to
distribute the load over them. And with cookies for pinning it shouldn't
matter to the clients which VIP it reaches.


   -jf




Re: Multiple Proxies

2009-03-17 Thread Joseph Hardeman

Scott,

John is right, the way to do this is to use either heartbeat or 
keepalive and fail over a VIP to a secondary machine in case the first 
has issues.  Make sure your haproxy files are identical and then test 
the failover. 

We use heartbeat for one of our clients and so far any time I have had 
to either fail it over or it failed over on its own, we only lost 1 - 2 
packets.


If your web servers require the visitors to be pinned to that system for 
application reasons, make sure you have cookies set up in haproxy so that 
when it fails over, the secondary haproxy server knows where to send the 
visitor.


Joe

John Lauro wrote:


Not built into Haproxy, but you can use heartbeat or keepalived along 
with haproxy for IP takeover on a pair of physical boxes (or VMs).


 


*From:* Scott Pinhorne [mailto:scott.pinho...@voxit.co.uk]
*Sent:* Tuesday, March 17, 2009 10:52 AM
*To:* haproxy@formilux.org
*Subject:* Multiple Proxies

 


Hi All

 

I am using haproxy to load balance/failover on a  couple of my dev 
HTTP servers and it works really well.


I would like to introduce hardware redundancy for the haproxy server, 
is this possible with the software?


 


Best Regards

Scott Pinhorne

 


Tel: 0845 862 0371

 




http://www.voxit.co.uk

 





RE: Multiple Proxies

2009-03-17 Thread John Lauro
Not built into Haproxy, but you can use heartbeat or keepalived along with
haproxy for IP takeover on a pair of physical boxes (or VMs).

 

From: Scott Pinhorne [mailto:scott.pinho...@voxit.co.uk] 
Sent: Tuesday, March 17, 2009 10:52 AM
To: haproxy@formilux.org
Subject: Multiple Proxies

 

Hi All

 

I am using haproxy to load balance/failover on a  couple of my dev HTTP
servers and it works really well.

I would like to introduce hardware redundancy for the haproxy server, is
this possible with the software?

 

Best Regards

Scott Pinhorne

 

Tel: 0845 862 0371

 


http://www.voxit.co.uk

 


Multiple Proxies

2009-03-17 Thread Scott Pinhorne
Hi All

 

I am using haproxy to load balance/failover on a  couple of my dev HTTP
servers and it works really well.

I would like to introduce hardware redundancy for the haproxy server, is
this possible with the software?

 

Best Regards

Scott Pinhorne

 

Tel: 0845 862 0371

 

 

 

http://www.voxit.co.uk  

 


RE: The gap between ``Total'' and ``LbTot'' in stats page

2009-03-17 Thread John Lauro
Mine don't appear to have that much difference.  Are any of the servers
down, or maybe reaching their session limits?  What's your retr and redis
look like?

 

From: Sun Yijiang [mailto:sunyiji...@gmail.com] 
Sent: Tuesday, March 17, 2009 3:18 AM
To: kuan...@mail.51.com
Cc: haproxy@formilux.org
Subject: Re: The gap between ``Total'' and ``LbTot'' in stats page

 

Yeah, that's clear, thanks.  I just wonder why ``LbTot'' is much smaller
than ``Total''.

2009/3/17 FinalBSD 

check it here: http://haproxy.1wt.eu/download/1.3/doc/configuration.txt

30. lbtot: total number of times a server was selected





On Tue, Mar 17, 2009 at 1:56 PM, Sun Yijiang  wrote:

Hi you guys,

I noticed that there's a huge gap between ``Total'' and ``LbTot'' numbers in
the stats page.  LbTot is only about 25% of Total sessions for backend
server.  Is this the normal case?  What do they mean exactly?  I've read the
source code for a while but could not find a clear answer.

Thanks in advance.


Steve

 

 



Re: The gap between ``Total'' and ``LbTot'' in stats page

2009-03-17 Thread Sun Yijiang
Yeah, that's clear, thanks.  I just wonder why ``LbTot'' is much smaller
than ``Total''.

2009/3/17 FinalBSD 

> check it here: http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
>
> 30. lbtot: total number of times a server was selected
>
>
>
>
> On Tue, Mar 17, 2009 at 1:56 PM, Sun Yijiang  wrote:
>
>> Hi you guys,
>>
>> I noticed that there's a huge gap between ``Total'' and ``LbTot'' numbers
>> in the stats page.  LbTot is only about 25% of Total sessions for backend
>> server.  Is this the normal case?  What do they mean exactly?  I've read the
>> source code for a while but could not find a clear answer.
>>
>> Thanks in advance.
>>
>>
>> Steve
>>
>>
>