21 Feb
2019
21 Feb
'19
1:19 p.m.
Hi all,
I’m exploring the idea of using two VPSs on different hosts to implement some sort of
failover mechanism. Is anyone here doing something similar, or have any recommendations?
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
21 Feb
21 Feb
1:41 p.m.
Without some additional information it is nearly impossible to comment
on your request.
Fail over is invariably highly application specific.
To make load ballancing (active active) or actual fail over (primary and
backup) function at a network level you need far more support from the
hosting provider and their networking infrastructure, than a standard
VPS deal, but it is doable.
Check out Linux HA for tools, strategy's and STONITH.
http://www.linux-ha.org/wiki/Main_Page
Other than that it is all down to your application.
Cheers
kirbs
On 21/02/2019 13:19, Chris Smith via users wrote:
Hi all,
I’m exploring the idea of using two VPSs on different hosts to implement some sort of
failover mechanism. Is anyone here doing something similar, or have any recommendations?
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2:08 p.m.
Hi Chris,
On Thu, Feb 21, 2019 at 01:19:14PM +0000, Chris Smith via users wrote:
I’m exploring the idea of using two VPSs on different
hosts to
implement some sort of failover mechanism. Is anyone here doing
something similar, or have any recommendations?
I do it myself but I'm not aware of any customers doing it.
All solutions in this space are going to require paying for multiple
VPSes, and I guess that is the major turn-off for people.
As a customer you cannot yet by yourself programmatically float an IP
address between two different VPSes, but it's what I do with the auid of
a script. I have asked in the past if any customers wanted to explore
that, in which case I would be able to turn that into a service.
Probably for free given that you need to pay for an extra VPS and at
least one extra IP.
A lot of this depends on what the very vague and high level term
"failover" means to you.
As one example architecture, I have two VMs each of which runs haproxy.
The haproxy fronts various different TCP services such as some web
sites, spamd, entropy service etc. There are multiple backend VMs
running each service.
Clients talk to the haproxy IP. The haproxy health-checks backends and
decides where to proxy the client connection to.
There is also a keepalived on each haproxy host which in the event of
the live haproxy host becoming unavailable moves the floating IPs to the
other haproxy host. By this means it is possible for me to take some of
the backend VMs out of service without clients noticing (connected
clients will reconnect, however).
So, downsides here:
- Added complexity, although once you understand them haproxy and
keepalived are pretty simple sturdy pieces of software
- Have to pay for an extra VM sitting around doing nothing until it's
needed. How much is the continuity worth it to you though? I mean,
minimal BitFolk VM, £6.49+VAT/mo., arguably in many contects I could
charge more than that for writing this email… 😀
- It's all at BitFolk. You survive death of a BitFolk host, but a lot of
disruptions affect entire colo provider / site.
Maybe that's excessive work / expenditure for the level of resilience
you desire though. An essential first step is deciding what it is you
want to achieve.
The main reason I put floating IPs in front of customer-visible services
is because if I don't then customers will see errors and problems when I
do maintenance work either on the services themselves or when I reboot a
whole BitFolk server. In truth I think that a half hour unavailability
of spamd, apt-cacher, entropy etc is bearable but I know I will get
complaints and queries about it and so they have floating IPs just so I
don't have to deal with that.
BitFolk's resolvers are a different matter. They can't be unavailable
for half an hour, or even minutes really. At the moment there's four of
them and they live behind a Pacemaker cluster that always ensures that
two of them are available, again by use of floating IPs. This is very
complex and in hindsight I wish I had not done this. keepalived probably
would have sufficed. This cluster needs replacing due to its constiuent
VMs being obsolete OS versions and its next incarnation most likely will
not be a full Pacemaker cluster.
Maybe you are only trying to beat the catastrophic failure of a piece of
BitFolk's hardware.
In such a case, we try to limit the downtime to a handful of hours. We
have spare hardware, we hope that we could just have someone insert the
storage into a spare's chassis and boot the server again. It becomes
trickier if we think of a case where both the SSDs are destroyed. In
that case your data is gone; we can boot the OS but after many hours all
you would get is a clean VPS account.
In terms of resilience then, "have backups" is a really good second
step, as you can put your stuff back on BitFolk or any of the other
virtual machine hosting providers.
Beyond that, maybe you are thinking that if there were some sort of
storage snapshot you could at least boot your single VM on a different
piece of hardware pretty quickly resulting in only minutes of downtime
without having to pay for any extra VMs or doing anything particularly
complicated.
There currently is no such facility for this at BitFolk though it
doesn't seem that hard to do. I can even probably implement migration
with only a suspend/resore while storage deltas are transferred
(typically <10 secs pause). The main issue about that from my point of
view is, I still need to reserve storage and memory for you on another
host. The only thing saved from my point of view is CPU, and we're not
short of CPU. So how can I make that service available without charging
almost the same as an extra VPS?
People using cloud providers often solve these problems by spinning up
new guests as and when needed. BitFolk is not a cloud provider and
pivoting into that space is probably not something that can happen any
time soon, if ever, so unfortunately exploration of solutions in that
direction will be limited.
Most VM-as-cheap-colo-style providers like BitFolk do not offer live
migration and migration-in-event-of-failure products, probably because
of it costing almost the same as two VMs to begin with. Many more do
offer IPs that you can float about between your VMs programmatically
and/or by API. The latter sounds a lot more appealing to me than the
former, but who knows, maybe it could be a way for BitFolk to
differentiate itself in the marketplace. Something that is sorely
needed.
As I say, knowing your requirements is going to be a bare minimum for
you to make progress here regardless of what provider you use, but alsdo
on a personal level I would be interested to hear what your goals and
requirements are.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
3:33 p.m.
On 21 Feb 2019, at 14:08, Andy Smith
<andy(a)bitfolk.com> wrote:
Hi Chris,
On Thu, Feb 21, 2019 at 01:19:14PM +0000, Chris Smith via users wrote:
I understand that, and it really isn’t a concern for me — I can just pass that cost on.
I’m exploring the idea of using two VPSs on
different hosts to
implement some sort of failover mechanism. Is anyone here doing
something similar, or have any recommendations?
I do it myself but I'm not aware of any customers doing it.
All solutions in this space are going to require paying for multiple
VPSes, and I guess that is the major turn-off for people. A lot of this depends on what the very vague and high
level term
"failover" means to you.
I provide a small number of web-based services to clients; it’s not my bread-and-butter,
but simply a small part of the other services that I provide, and my clients usually
expect some form of SLA. I don’t mean ‘five nines availability’ or any of that guff, but
simply ‘If something happens, how soon can you fix it?’ — it’s about managing
expectations. Now, I’m a one-man band, and I do spend time out of the office, so the
honest answer is ‘within one week’, which often draws worried looks.
We are blessed with good service from BitFolk and problems, when rarely they occur, are
usually things like the networking has failed (this hasn’t happened for a very long time
now, though) and are usually resolved by rebooting the VPS. What I’m looking for is an
automated way to maintain service in the face of the more usual problems — to hold the
fort until I can deal with it. I’d like to be able to say to my clients something more
comforting, like ‘most issues will be resolved within 48 hours’, which is a lot more
palatable.
You mention using haproxy internally and I wonder if that is a service that you could
extend to us — we provide you with a list of VPSs that provide a particular service and
your haproxy manages it for us?
As an addition/alternative to that, is it possible to extend the existing monitoring
services to be able to automatically shutdown and restart the VPS under certain
conditions?
Regards,
Chris
10:41 p.m.
In a previous life we ran a pair of HA load ballancers, serial connected
heartbeat and with STONITH, in a Primary Backup config, as a front end
to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The published
IP/s on the load ballancers were virtual or floating and moved between
the two.
It gave us a lot of flexibility to adjust the load balancing parameters
sometimes pressing the same in to service for fail-over of a back-end
service, or dropping back end services out of the list for maintenance
or reloads. When you do this though it kills any TCP sessions and it is
up to the client to re-establish these but the load ballancers just
point them at a different service when the re-connect happened. The
state was lost though and each re-connect was a new application session.
For web servers or squid proxys this does not matter much though
Basically if the backend services were load balanced of that front end
then when one failed at least some service was maintained via what
remained and we could drop the failed one out of the load balancing list
once we spotted it (Nagios monitoring). There is no reason why this
could not be scripted. Monit as such was not available to us at that
point in time.
This might be a useful as a paid for service, to offer as an ISP offered
service, but is overkill for a single request from a customer.
Alternatively if virtual/floating IP's were available there is no reason
that you could not run a similar setup on your pair of VPS with STONITH
running on the same pair that ran the services, a direct heartbeat
interconnect on a Private-LAN/VLAN or some such if a dedicated heartbeat
serial link was not available and run them as a primary/backup pair.
But as suggested earlier your provider would need to be offering those
extra things (heartbeat link, and virtual/floating IP).
You would of course need to keep the contents of the servers
sufficiently synced in readiness for fail-over taking place, and it all
would have to reside at the same provider.
If you tried anything like this across different providers (unlikely to
be possible with floating/virtual IP's) there is a very real risk that
network congestion could mess with your heartbeat link with unforeseen
results and loss of service.
Heartbeat and STONITH are part (or were last I looked) of the linked
Linux HA bunch. Last I looked at these though it was a long while ago. YMMV
Cheers
Kirbs
On 21/02/2019 14:08, Andy Smith wrote:
Hi Chris,
On Thu, Feb 21, 2019 at 01:19:14PM +0000, Chris Smith via users wrote:
--
admins(a)sheffieldhackspace.org.uk
www.sheffieldhackspace.org.uk
I’m exploring the idea of using two VPSs on
different hosts to
implement some sort of failover mechanism. Is anyone here doing
something similar, or have any recommendations?
I do it myself but I'm not
aware of any customers doing it.
All solutions in this space are going to require paying for multiple
VPSes, and I guess that is the major turn-off for people.
As a customer you cannot yet by yourself programmatically float an IP
address between two different VPSes, but it's what I do with the auid of
a script. I have asked in the past if any customers wanted to explore
that, in which case I would be able to turn that into a service.
Probably for free given that you need to pay for an extra VPS and at
least one extra IP.
A lot of this depends on what the very vague and high level term
"failover" means to you.
As one example architecture, I have two VMs each of which runs haproxy.
The haproxy fronts various different TCP services such as some web
sites, spamd, entropy service etc. There are multiple backend VMs
running each service.
Clients talk to the haproxy IP. The haproxy health-checks backends and
decides where to proxy the client connection to.
There is also a keepalived on each haproxy host which in the event of
the live haproxy host becoming unavailable moves the floating IPs to the
other haproxy host. By this means it is possible for me to take some of
the backend VMs out of service without clients noticing (connected
clients will reconnect, however).
So, downsides here:
- Added complexity, although once you understand them haproxy and
keepalived are pretty simple sturdy pieces of software
- Have to pay for an extra VM sitting around doing nothing until it's
needed. How much is the continuity worth it to you though? I mean,
minimal BitFolk VM, £6.49+VAT/mo., arguably in many contects I could
charge more than that for writing this email… 😀
- It's all at BitFolk. You survive death of a BitFolk host, but a lot of
disruptions affect entire colo provider / site.
Maybe that's excessive work / expenditure for the level of resilience
you desire though. An essential first step is deciding what it is you
want to achieve.
The main reason I put floating IPs in front of customer-visible services
is because if I don't then customers will see errors and problems when I
do maintenance work either on the services themselves or when I reboot a
whole BitFolk server. In truth I think that a half hour unavailability
of spamd, apt-cacher, entropy etc is bearable but I know I will get
complaints and queries about it and so they have floating IPs just so I
don't have to deal with that.
BitFolk's resolvers are a different matter. They can't be unavailable
for half an hour, or even minutes really. At the moment there's four of
them and they live behind a Pacemaker cluster that always ensures that
two of them are available, again by use of floating IPs. This is very
complex and in hindsight I wish I had not done this. keepalived probably
would have sufficed. This cluster needs replacing due to its constiuent
VMs being obsolete OS versions and its next incarnation most likely will
not be a full Pacemaker cluster.
Maybe you are only trying to beat the catastrophic failure of a piece of
BitFolk's hardware.
In such a case, we try to limit the downtime to a handful of hours. We
have spare hardware, we hope that we could just have someone insert the
storage into a spare's chassis and boot the server again. It becomes
trickier if we think of a case where both the SSDs are destroyed. In
that case your data is gone; we can boot the OS but after many hours all
you would get is a clean VPS account.
In terms of resilience then, "have backups" is a really good second
step, as you can put your stuff back on BitFolk or any of the other
virtual machine hosting providers.
Beyond that, maybe you are thinking that if there were some sort of
storage snapshot you could at least boot your single VM on a different
piece of hardware pretty quickly resulting in only minutes of downtime
without having to pay for any extra VMs or doing anything particularly
complicated.
There currently is no such facility for this at BitFolk though it
doesn't seem that hard to do. I can even probably implement migration
with only a suspend/resore while storage deltas are transferred
(typically <10 secs pause). The main issue about that from my point of
view is, I still need to reserve storage and memory for you on another
host. The only thing saved from my point of view is CPU, and we're not
short of CPU. So how can I make that service available without charging
almost the same as an extra VPS?
People using cloud providers often solve these problems by spinning up
new guests as and when needed. BitFolk is not a cloud provider and
pivoting into that space is probably not something that can happen any
time soon, if ever, so unfortunately exploration of solutions in that
direction will be limited.
Most VM-as-cheap-colo-style providers like BitFolk do not offer live
migration and migration-in-event-of-failure products, probably because
of it costing almost the same as two VMs to begin with. Many more do
offer IPs that you can float about between your VMs programmatically
and/or by API. The latter sounds a lot more appealing to me than the
former, but who knows, maybe it could be a way for BitFolk to
differentiate itself in the marketplace. Something that is sorely
needed.
As I say, knowing your requirements is going to be a bare minimum for
you to make progress here regardless of what provider you use, but alsdo
on a personal level I would be interested to hear what your goals and
requirements are.
Cheers,
Andy
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users 
22 Feb
22 Feb
2:02 a.m.
On 2019-02-21 14:41, admins wrote:
In a previous life we ran a pair of HA load
ballancers, serial
connected heartbeat and with STONITH, in a Primary Backup config, as a
front end to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The
published IP/s on the load ballancers were virtual or floating and
moved between the two.
It gave us a lot of flexibility to adjust the load balancing
parameters sometimes pressing the same in to service for fail-over of
a back-end service, or dropping back end services out of the list for
maintenance or reloads. When you do this though it kills any TCP
sessions and it is up to the client to re-establish these but the load
ballancers just point them at a different service when the re-connect
happened. The state was lost though and each re-connect was a new
application session. For web servers or squid proxys this does not
matter much though
<snip other stuff>
It's 2019 and I wouldn't wish the product formerly known as "Linux HA"
on my worst enemy. Maybe that's overstating it a teeny bit, but it's not
that far from the truth. Heartbeat/Pacemaker/Corosync/STONITH are
horrible to configure and use, and are likely to lead to lower
availability when used inexpertly, which is very easy to achieve.
keepalived/LVS is a simpler and superior way to manage services which
require (or can manage with just) TCP load balancing and/or failover,
and it can even share TCP connection state so connections aren't
interrupted when handing over between redundant load balancers. It's
just Linux kernel plus a bit of user-space, so fast and robust. It has
been around since the days of Linux 2.4, but for some reason seems less
well-known than the linux-ha abominations. It can even do MAC-based
forwarding to hosts (on the same subnet or via a tunnel), so you can
handle high-bandwidth traffic flows without carrying the majority
server-to-client traffic through the load balancer.
At a pinch it can also run scripts on state change, but at that point
the OP needs to understand exactly what they're doing to achieve
resilient service because again it's not necessarily straightforward to
get what you want to happen automatically without bad things happening
that you didn't expect or plan for (see "automatic database failover").
For HTTP it often doesn't matter though, as people have already said.
haproxy is inaptly named, other than the fact that individual instances
tend to be very reliable, but it sits well for HTTP load-balancing on
top of LVS if for some reason plain connections with TCP are not enough.
People seem to love to stack haproxy/nginx/Apache/etc. reverse HTTP
proxies for some reason.
Ant
9:11 a.m.
I certainly don’t need anything as complex as all that. I’m not dealing with anything
mission-critical as such and I don’t need it to work seamlessly to the user either, I just
need it to be automated. The more I think about this, the more I realise that all I need
is an automated way to detect a problem and reboot the server. Ideally, this would happen
from an external VPS or other system being able to poke Xen (in case the server cannot
restart itself) and ideally this would be tied in to the existing BitFolk monitoring
services (if possible) to avoid re-inventing the wheel.
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
On 22 Feb 2019, at 02:02, Anthony Newman via users
<users(a)lists.bitfolk.com> wrote:
On 2019-02-21 14:41, admins wrote:
In a previous life we ran a pair of HA load
ballancers, serial connected heartbeat and with STONITH, in a Primary Backup config, as a
front end to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The published IP/s on the load
ballancers were virtual or floating and moved between the two.
It gave us a lot of flexibility to adjust the load balancing parameters sometimes
pressing the same in to service for fail-over of a back-end service, or dropping back end
services out of the list for maintenance or reloads. When you do this though it kills any
TCP sessions and it is up to the client to re-establish these but the load ballancers just
point them at a different service when the re-connect happened. The state was lost though
and each re-connect was a new application session. For web servers or squid proxys this
does not matter much though
<snip other stuff>
It's 2019 and I wouldn't wish the product formerly known as "Linux HA"
on my worst enemy. Maybe that's overstating it a teeny bit, but it's not that far
from the truth. Heartbeat/Pacemaker/Corosync/STONITH are horrible to configure and use,
and are likely to lead to lower availability when used inexpertly, which is very easy to
achieve.
keepalived/LVS is a simpler and superior way to manage services which require (or can
manage with just) TCP load balancing and/or failover, and it can even share TCP connection
state so connections aren't interrupted when handing over between redundant load
balancers. It's just Linux kernel plus a bit of user-space, so fast and robust. It has
been around since the days of Linux 2.4, but for some reason seems less well-known than
the linux-ha abominations. It can even do MAC-based forwarding to hosts (on the same
subnet or via a tunnel), so you can handle high-bandwidth traffic flows without carrying
the majority server-to-client traffic through the load balancer.
At a pinch it can also run scripts on state change, but at that point the OP needs to
understand exactly what they're doing to achieve resilient service because again
it's not necessarily straightforward to get what you want to happen automatically
without bad things happening that you didn't expect or plan for (see "automatic
database failover").
For HTTP it often doesn't matter though, as people have already said. haproxy is
inaptly named, other than the fact that individual instances tend to be very reliable, but
it sits well for HTTP load-balancing on top of LVS if for some reason plain connections
with TCP are not enough. People seem to love to stack haproxy/nginx/Apache/etc. reverse
HTTP proxies for some reason.
Ant
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users 
9:17 a.m.
On 22.02.2019 10:11, Chris Smith via users wrote:
I certainly don’t need anything as complex as all
that. I’m not dealing with anything mission-critical as such and I don’t need it to work
seamlessly to the user either, I just need it to be automated. The more I think about
this, the more I realise that all I need is an automated way to detect a problem and
reboot the server. Ideally, this would happen from an external VPS or other system being
able to poke Xen (in case the server cannot restart itself) and ideally this would be tied
in to the existing BitFolk monitoring services (if possible) to avoid re-inventing the
wheel.
Have you considered watchdog? If likely problems would be detectable
from the VM then watchdog can run custom tests and trigger reboot or
attemt to fix things.
- OM
2:09 p.m.
If all you want to do is monitor the functionality of a service and
restart the service, or service and its dependents (rebooting the full
box is often not necessary and much quicker). You could do much worse
then look into Monit.
It is already in the repo's too.
Kirbs
On 22/02/2019 09:11, Chris Smith via users wrote:
I certainly don’t need anything as complex as all
that. I’m not dealing with anything mission-critical as such and I don’t need it to work
seamlessly to the user either, I just need it to be automated. The more I think about
this, the more I realise that all I need is an automated way to detect a problem and
reboot the server. Ideally, this would happen from an external VPS or other system being
able to poke Xen (in case the server cannot restart itself) and ideally this would be tied
in to the existing BitFolk monitoring services (if possible) to avoid re-inventing the
wheel.
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
On 22 Feb 2019, at 02:02, Anthony Newman via
users <users(a)lists.bitfolk.com> wrote:
On 2019-02-21 14:41, admins wrote:
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users In a previous life we ran a pair of HA load
ballancers, serial connected heartbeat and with STONITH, in a Primary Backup config, as a
front end to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The published IP/s on the load
ballancers were virtual or floating and moved between the two.
It gave us a lot of flexibility to adjust the load balancing parameters sometimes
pressing the same in to service for fail-over of a back-end service, or dropping back end
services out of the list for maintenance or reloads. When you do this though it kills any
TCP sessions and it is up to the client to re-establish these but the load ballancers just
point them at a different service when the re-connect happened. The state was lost though
and each re-connect was a new application session. For web servers or squid proxys this
does not matter much though
<snip other stuff>
It's 2019 and I wouldn't wish the product formerly known as "Linux HA"
on my worst enemy. Maybe that's overstating it a teeny bit, but it's not that far
from the truth. Heartbeat/Pacemaker/Corosync/STONITH are horrible to configure and use,
and are likely to lead to lower availability when used inexpertly, which is very easy to
achieve.
keepalived/LVS is a simpler and superior way to manage services which require (or can
manage with just) TCP load balancing and/or failover, and it can even share TCP connection
state so connections aren't interrupted when handing over between redundant load
balancers. It's just Linux kernel plus a bit of user-space, so fast and robust. It has
been around since the days of Linux 2.4, but for some reason seems less well-known than
the linux-ha abominations. It can even do MAC-based forwarding to hosts (on the same
subnet or via a tunnel), so you can handle high-bandwidth traffic flows without carrying
the majority server-to-client traffic through the load balancer.
At a pinch it can also run scripts on state change, but at that point the OP needs to
understand exactly what they're doing to achieve resilient service because again
it's not necessarily straightforward to get what you want to happen automatically
without bad things happening that you didn't expect or plan for (see "automatic
database failover").
For HTTP it often doesn't matter though, as people have already said. haproxy is
inaptly named, other than the fact that individual instances tend to be very reliable, but
it sits well for HTTP load-balancing on top of LVS if for some reason plain connections
with TCP are not enough. People seem to love to stack haproxy/nginx/Apache/etc. reverse
HTTP proxies for some reason.
Ant
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
2:12 p.m.
Checkout the manual particularly the section on connection tests.
https://mmonit.com/monit/documentation/monit.html
Kirbs
On 22/02/2019 14:09, admins wrote:
If all you want to do is monitor the functionality of
a service and
restart the service, or service and its dependents (rebooting the full
box is often not necessary and much quicker). You could do much worse
then look into Monit.
It is already in the repo's too.
Kirbs
On 22/02/2019 09:11, Chris Smith via users wrote:
I certainly don’t need anything as complex as all
that. I’m not
dealing with anything mission-critical as such and I don’t need it to
work seamlessly to the user either, I just need it to be automated.
The more I think about this, the more I realise that all I need is an
automated way to detect a problem and reboot the server. Ideally,
this would happen from an external VPS or other system being able to
poke Xen (in case the server cannot restart itself) and ideally this
would be tied in to the existing BitFolk monitoring services (if
possible) to avoid re-inventing the wheel.
Regards,
Chris
—
Chris Smith <space.dandy(a)icloud.com>
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users On 22 Feb 2019, at 02:02, Anthony Newman via
users
<users(a)lists.bitfolk.com> wrote:
On 2019-02-21 14:41, admins wrote:
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users In a previous life we ran a pair of HA load
ballancers, serial
connected heartbeat and with STONITH, in a Primary Backup config,
as a front end to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The
published IP/s on the load ballancers were virtual or floating and
moved between the two.
It gave us a lot of flexibility to adjust the load balancing
parameters sometimes pressing the same in to service for fail-over
of a back-end service, or dropping back end services out of the
list for maintenance or reloads. When you do this though it kills
any TCP sessions and it is up to the client to re-establish these
but the load ballancers just point them at a different service when
the re-connect happened. The state was lost though and each
re-connect was a new application session. For web servers or squid
proxys this does not matter much though
<snip other stuff>
It's 2019 and I wouldn't wish the product formerly known as "Linux
HA" on my worst enemy. Maybe that's overstating it a teeny bit, but
it's not that far from the truth.
Heartbeat/Pacemaker/Corosync/STONITH are horrible to configure and
use, and are likely to lead to lower availability when used
inexpertly, which is very easy to achieve.
keepalived/LVS is a simpler and superior way to manage services
which require (or can manage with just) TCP load balancing and/or
failover, and it can even share TCP connection state so connections
aren't interrupted when handing over between redundant load
balancers. It's just Linux kernel plus a bit of user-space, so fast
and robust. It has been around since the days of Linux 2.4, but for
some reason seems less well-known than the linux-ha abominations. It
can even do MAC-based forwarding to hosts (on the same subnet or via
a tunnel), so you can handle high-bandwidth traffic flows without
carrying the majority server-to-client traffic through the load
balancer.
At a pinch it can also run scripts on state change, but at that
point the OP needs to understand exactly what they're doing to
achieve resilient service because again it's not necessarily
straightforward to get what you want to happen automatically without
bad things happening that you didn't expect or plan for (see
"automatic database failover").
For HTTP it often doesn't matter though, as people have already
said. haproxy is inaptly named, other than the fact that individual
instances tend to be very reliable, but it sits well for HTTP
load-balancing on top of LVS if for some reason plain connections
with TCP are not enough. People seem to love to stack
haproxy/nginx/Apache/etc. reverse HTTP proxies for some reason.
Ant
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users 
9:25 a.m.
Hi Ant,
On Fri, 22 Feb 2019 at 02:02, Anthony Newman via users
<users(a)lists.bitfolk.com> wrote:
On 2019-02-21 14:41, admins wrote:
Just a nitpick here: Heartbeat is now obsolete, and was an entirely
different beast to Pacemaker and Corosync. My vague memory is that it
was also drastically simpler to configure.
I agree with you on the other point so far, but ...
In a previous life we ran a pair of HA load
ballancers, serial
connected heartbeat and with STONITH, in a Primary Backup config, as a
front end to a whole bunch of ISP type services.
Then had these point to the services (multiples thereof). The
published IP/s on the load ballancers were virtual or floating and
moved between the two.
It gave us a lot of flexibility to adjust the load balancing
parameters sometimes pressing the same in to service for fail-over of
a back-end service, or dropping back end services out of the list for
maintenance or reloads. When you do this though it kills any TCP
sessions and it is up to the client to re-establish these but the load
ballancers just point them at a different service when the re-connect
happened. The state was lost though and each re-connect was a new
application session. For web servers or squid proxys this does not
matter much though
<snip other stuff>
It's 2019 and I wouldn't wish the product formerly known as "Linux HA"
on my worst enemy. Maybe that's overstating it a teeny bit, but it's not
that far from the truth. Heartbeat/Pacemaker/Corosync/STONITH are
horrible to configure and use, and are likely to lead to lower
availability when used inexpertly, which is very easy to achieve. keepalived/LVS is a simpler and superior way to manage
services which
require (or can manage with just) TCP load balancing and/or failover,
This innocent-looking clause hides a myriad of scenarios which
keepalived/LVS cannot handle. I suspect you already know that, and
most likely it's not relevant to Chris' original question, but maybe
it's not clear for all readers.
Essentially this is an apples to oranges (or at least pears) comparison.
In its full generality, HA is *really* hard, and the complexity of
Pacemaker stems from that. Having said that, it certainly does have
usability problems. I personally know the original author, current
maintainer, and several of the core team of developers, and I think
it's fair to say they are all aware of this. We discussed it quite a
bit at the last Clusterlabs Summit in 2017 after I explicitly called
it out in my presentation:
https://aspiers.github.io/clusterlabs-summit-2017-openstack-ha/#/general-qu…
(press N and P to navigate, M for a menu)
and there is some ongoing work to address it, although unfortunately
pressures from paying customers generally force the majority of the
investment into other areas, so it's more of a marathon than a sprint.
and it can even share TCP connection state so
connections aren't
interrupted when handing over between redundant load balancers. It's
just Linux kernel plus a bit of user-space, so fast and robust. It has
been around since the days of Linux 2.4, but for some reason seems less
well-known than the linux-ha abominations. It can even do MAC-based
forwarding to hosts (on the same subnet or via a tunnel), so you can
handle high-bandwidth traffic flows without carrying the majority
server-to-client traffic through the load balancer.
At a pinch it can also run scripts on state change, but at that point
the OP needs to understand exactly what they're doing to achieve
resilient service because again it's not necessarily straightforward to
get what you want to happen automatically without bad things happening
that you didn't expect or plan for (see "automatic database failover").
Right. Again this hides a multitude of sins. For many stateful
scenarios, STONITH is a hard requirement for correct (safe) behaviour
without risking data corruption. Yes, automatic database failover is
a classic example, so again I doubt I'm saying anything you don't
already know, but maybe worth clarifying for other readers. In these
scenarios keepalived simply cannot achieve what is required.
2129
days inactive
2130
days old
10 comments
6 participants
participants (6)
-
Adam Spiers -
admins -
Andy Smith -
Anthony Newman -
Chris Smith -
Ole-Morten Duesund