zenload balancer administration guide

Upload: pbramesh5724

Post on 12-Oct-2015

42 views

Category:

Documents


2 download

DESCRIPTION

ISP Load Balancing Software Guide

TRANSCRIPT

  • zenlo adbalancer.o rg http://www.zenloadbalancer.org/web/index.php?page=zen-load-balancer-administration-guide

    Zen Load Balancer Administration GuideCreated on December 2011 - Documentation Version v01

    Table of contents:

    1. OVERVIEW2. BASIC CONCEPTS3. ZEN INSTALLATION3.1 DOWNLOAD THE INSTALL ISO IMAGE3.2 UPDATES3.3 INSTALLATION PROCESS4. ACCESS TO THE ZEN WEB ADMINISTRATION PANEL5. ZEN WEB ADMINISTRATION PANEL SECTIONS5.1 MANAGE::GLOBAL VIEW SECTION5.2 MANAGE::FARMS SECTION5.2.1 EDIT FARM GLOBAL PARAMETERS5.2.1.1 TCP/UDP PROFILE OPTIONS5.2.1.2 HTTP/HTTPS PROFILE OPTIONS5.2.2 EDIT FARM REAL SERVERS5.2.2.1 TCP/UDP PROFILE5.2.2.2 HTTP/HTTPS PROFILE5.2.3 VIEW STATUS FARM ACTION5.3 MANAGE::CERTIFICATES SECTION5.3.1 ADDING A NEW CERTIFICATE5.4 MONITORING::GRAPHS SECTION5.5 MONITORING::LOGS SECTION5.6 SETTINGS::SERVER SECTION5.7 SETTINGS::INTERFACES SECTION5.8 SETTINGS::CLUSTER SECTION5.9 SETTINGS::CHANGE PASSWORD SECTION5.10 SETTINGS::BACKUP SECTION6. FARM GUARDIAN USAGE6.1 PHILOSOFY6.2 CONFIGURATION7. LICENSE

    1. OVERVIEW

    Zen Load Balancer is an Open Source Load Balancer Appliance Project that provides a f ull set of tools torun and manage a complete load balancer solution which includes: f arm and server def init ion, networking,clustering, monitoring, secure certif icates management, logs, conf ig backups, etc.

    2. BASIC CONCEPTS

    Farm is a set of servers that of f er the same service over a single one entry point def ined with an IPaddress and a port, which is commonly called virtual service. The main f arm work is to deliver the clientvirtual service connection to the real backend service and back. Meanwhile, the f arm def init ion establishesthe delivery policies to every real server.

    Backend is a server that of f ers the real service over a f arm def init ion and it process all the real datarequested by the client.

  • Client is called to the IP address that connects to the virtual service of the init ial connection that usually auser requests. The client IP address that opens a new connection on the virtual service side is used tocommunicate with the user. The same client could generate several (layer 4) connections to the virtualservice, and an IP client address could be generated by several users.

    Application Session is a layer 7 concept which tries to identif y the requests of a single user althoughseveral clients shares the same IP client address.

    Real IP is a physical IP address over a layer 4 network conf iguration which is assigned to a server or NIC.

    Virtual IP is a f loating IP address over a layer 4 network conf iguration which is used to be the entry point ofa virtual service def ined by a f arm that is ready to deliver connections between redundant load balancingnodes.

    3. ZEN INSTALLATION

    3.1 DOWNLOAD THE INSTALL ISO IMAGE

    The load balance appliance installer is able to be downloaded f rom the of f icial website that could be usedto:

    Burn an installer CD-ROM to install under a physical machineRecord on an USB device to install on a physical machine with usb boot supportInstall on a virtual machine through a virtualization sof tware

    Usually you'll be able to download the latest stable version or the latest release candidate testing version,depending of your f eature needs. They'll be available f rom the download section ofhttp://www.zenloadbalancer.com.

    3.2 UPDATES

    Zen Load Balancer is under continuous development with new f eatures, improves and bug f ixes, so there isa very easy way to upgrade your ZenLB to a newer version through a simple procedure.

    To maintain updated your ZenLB installation, be sure you've the f ollowing line into the /etc/apt/sources.listconf ig f ile:

    For v1 version: deb http://zenloadbalancer.sourceforge.net/apt/x86 v1/

    For v2 version: deb http://zenloadbalancer.sourceforge.net/apt/x86 v2/

    Then update the apt database with the root user:

  • Check the last version on our of f icial repository:

    And compare it with your ZenLB installed version:

    If the last of f icial version is greater than your installation, you'll be able to upgrade your ZenLB through thecommand below:

    If would be necessary you can f orce the reinstallation through the f ollowing command:

    The process will ask you "install the package without verification", select [y].

    Then the process will ask if you want to rewrite the global.conf f ile, you've to select the def ault value [N].

    Finally it 's recommended to restart Zen Load Balancer service at your convenience.

    To upgrade f rom v1 to v2 you've to f ollow all these explained steps and additionally you've to delete theRRD databases of monitoring to be automatically regenerated with the new structure.rm -rf /usr/local/zenloadbalancer/app/zenrrd/rrd/*3.3 INSTALLATION PROCESS

    Conf igure your physical or virtual x86 machine to boot f rom your iso/cd/usb Zen Load Balancer installer.Then a splash is going to be loaded to start the install process.

  • Select "Install" option and continue.

    Zen Load Balancer is distributed under a standard ISO f ormat built on top of the common GNU/DebianLinux stable distribution. If you're f amiliar with this distribution then you should have no problems installingZenLB. Select your language, location and keyboard map.

  • Later the installer is going to detect the hardware components and load additional sof tware components.Just wait a f ew seconds. Now the installation process will conf igure the network interf ace, you must set upa static IP address that it 's going to be used in the startup to access to the Zen web administration panel.Other conf ig data like netmask, gateway and dns will be requested.

  • Set up a hostname f or the load balancer.

    Set up the domain name f or your organization.

  • Introduce the root system password and repeat to validate. This password will be used when you accessover a console or ssh to the Zen Load Balancer system.

    Set your t imezone, once Zen LB is installed the local t ime will be syncronized every hour with ntp.pool.orgservers.

  • Conf igure your partit ion disk, if you haven't experience with Linux environment you can select Guide useentire disk and automatically the system will be installed with a conf iguration by def ault. Experimentedusers could select their custom installation. It would be interesting to know that a special disk space is notneeded to work with Zen Load Balancer, although minimal recommended is 1 GB of f ree space f or thewhole operating system. On this example we select the option by def ault.

    If you've got more than one disk on your machine, you can select one of them here to be installed.

  • The partit ion table can be modif ied through the f ollowing menu.

    Finish and continue.

  • Select Yes to apply the changes and continue.

    Now you've to wait some seconds while the system is installed on your disk with your customconf iguration.

  • Now you've your brand new ZenLB installation and f inally it 's necessary to restart the system.

    On the boot process is shown your management IP address conf igured and the system started.

  • Remember that the conf igured root password on the installation process would be needed to enter to thesystem on the server via ssh or console.

    4. ACCESS TO THE ZEN WEB ADMINISTRATION PANEL

    Once the Zen Load Balancer distro is installed into your server, you've to access through the secure URLshown below:

    https://:444

    The f irst t ime you enter to the administration panel, you've to accept the secure certif icate of ZenLB andthen a login window will appear.

    The def ault credentials to get into the Zen web administration panel are the f ollowing:

    User name: adminPassword: admin

    These credentials could be changed through the Settings::Change Password section.

    5. ZEN WEB ADMINISTRATION PANEL SECTIONS

    The menu bar is distributed by the sections of Manage, Monitoring, Settings and About.

    5.1 MANAGE::GLOBAL VIEW SECTION

  • The Global View section is used to know the actual instant state of the system, like a photo system status.

    Under this section you'll be able to analyse the f arms state, memory, cpu consumption, establishedconnections and the % of established connections f rom the total system connections consumed by everyf arm.

    The Global Farms Inf ormation table summarizes the f arm status you'll be able to control the f arms statuswith a simple view, which of them are on UP status, how many resources are using and which is on DOWNstatus.

    With this table you can analyse:

    o The % of cpu usage by the f arms

    o The % of memory usage by the f arms

    o The number of "Total connections on system" shows the concurrent connections that is used by the f armcompared with the total connections established on the system.

    The Memory table shows the global memory status measured in Megabytes.

    MemTotal: It 's the total ram memory on the system.

    MemFree: It 's the total f ree memory not cached by the system.

    MemUsed: It 's the memory used by the system.

    Buffers: It 's the memory used by the buf f ers.

    Cached: It 's the total memory cached by the system.

    SwapTotal: It 's the total swap memory reserved.

    SwapFree: It 's the total f ree memory not used by swap, on optimal systems it should be the same thatSwapTotal.

    SwapUsed: It 's the swap used memory by the system, on optimal systems should be 0.

  • The Load table shows the system load:

    The Network Traf f ic Interf aces table shows the traf f ic used by the system since last t ime that it wasswitched on:

    5.2 MANAGE::FARMS SECTION

    Under the Farms section you'll be able to access to the main conf iguration panel of virtual services.

    Through the Add New Farm icon, you can def ine a new f arm with the next properties:

    Farm Description Name: It 's an identif ication f or the f arm and could be used to def ine a description of thevirtual service to be provided.

    Profile: Def ine the level of the sNAT load balancing method. You could choose one of the next types:

    TCP: It 's a simple load balancing that deliver traf f ic in raw TCP data. The basic mechanism is about open 2sockets f or every connection, one to the client and other to the real server, and then deliver the raw databetween them. The selection of this method could be adecuated f or protocols like SMTP, RDP, IMAP, LDAP,

  • SSH, etc.

    UDP: It 's a simple load balancing that deliver traf f ic in raw UDP data. The basic mechanism is about open 2sockets f or every connection, one to the client and other to the real server, and then deliver the raw databetween them. The selection of this method could be adecuated f or protocols like DNS, NTP, TFTP,BOOTP, SNMP, etc.

    HTTP: It 's an advanced only HTTP layer 7 load balancing (or Application Delivery Controller) with proxyspecial properties. This method is adecuated f or web services (web application servers included) and allapplication protocols based on HTTP protocol like WebDav, RDP over HTTP, ICA over HTTP, etc.

    HTTPS: It 's an advanced only HTTPS layer 7 load balancing (or Application Delivery Controller) combinatedwith SSL wrapper acceleration. In this case, the communication between the client and the load balancer issecure through HTTPS, meanwhile the communication between the load balancer and the real server isclear through HTTP.

    Virtual IP: The list shows all the IP addresses available in the system network conf iguration to be used toconf igure a virtual service f or a f arm. This IP would be the bind address where the virtual service will belisten on f or client requests. If the cluster service is enabled then the physical IP address of the clusternodes and the management web GUI IP address aren't listed.

    Virtual Port: This f ield has to be a port number available on the system, where the virtual service will belisten in.

    It 's not possible to def ine two f arms through the same virtual IP and port.

    To f inalize the process adding a new f arm press the Save button.

    Once the new f arm is created, it will be shown under the Farms Table with the basic data about the virtualservice: the virtual IP, the virtual Port, the f arm connections, PID, status, prof ile and actions.

    The connections data is collected f rom the system netstat.

    The Pending Conns are calculated with the SYN requests that are pending to be processed in the systemf or this f arm.

    The Established Conns are calculated with the ESTABLISHED requests that are processing currently.

  • The Closed Conns are calculated with the CLOSE WAIT connections that have been processed in thesystem.

    The status f ield shows the state of the f arm system process with a green dot if the f arm is up and a reddot if the f arm is down.

    The actions available f or a running f arm are:

    Stop Farm: The selected f arm will be stopped, and the virtual service will be disabled. Once the f armis stopped, it will not be started at the boot up process of the load balancer. The status f ield will beshown with a red dot and the PID will be disappeared. A conf irmation window will be shown.

    Edit Farm: You've to select this action to edit the f arm properties and the def init ion of the realservers f or the current f arm. The properties to be conf igured depends on the load balancing prof ileselected f or the current virtual service.

    Delete Farm: This action disables the current f arm and removes the virtual service. A conf irmationwindow will be shown.

    View Farm Status: This action shows a complete backend status, pending connections, establishedconnections and closed connections of every real server, the clients and the properties f or everybackend.

    5.2.1 EDIT FARM GLOBAL PARAMETERS

    In this panel you'll be able to set the parameters f or improving your f arms perf ormance and the basicf unctionalit ies of your virtual service. The properties of the Edit Farm Action depends on the prof ile typethat we've selected while the f arm was created.

    The common parameters f or all f arm prof iles are the f ollowing:

    Farm's name. It 's the identif ication f ield and a description f or the virtual service. To change this item you'veto modif y the name f ield and press the Modif y button. The load balancing service will be restartedautomatically af ter applying this operation. Be sure the new f arm name is available, if not, an error messagewill appear.

    Backend response t imeout. It 's the max seconds that the real server has to respond f or a request. If the

  • backend response is too late, then the server will be marked as blacklisted. The change of this parameter isapplied online f or TCP and UDP prof iles. To be applied f or HTTP and HTTPS, the f arm needs to berestarted manually through the restart icon .

    Frecuency to check resurrected backends. This value in seconds is the period to get out ablacklisted real server and checks if is alive. Note that the backend willnot be in up status until the f irst successf ul connection is done. Thechange of this parameter is applied online f or TCP and UDP prof iles.To be applied f or HTTP and HTTPS, the f arm needs to be restartedmanually through the restart icon .

    Farm Virtual IP and Virtual Port. These are the virtual IP address and virtual port in which the virtualservice f or the f arm will be bind and listening in the loadbalancer system. To make changes in these f ields, be surethe new virtual ip and virtual port are not in use. To apply thechanges the f arm service will be restarted automatically f orTCP and UDP prof iles. To be applied f or HTTP and HTTPS, the f arm needs to be restarted manuallythrough the restart icon .

    5.2.1.1 TCP/UDP PROFILE OPTIONS

  • The specif ic parameters f or a simple TCP or UDP f arm are the f ollowing:

    Load Balance Algorithm. This f ield shows the dif f erent load balancing algorithms that are possible to beconf igured f or the current f arm. Four algorithms are available. Selecting an unappropiate algorithm f or yourservice inf rastructure could cause a lot of processor consumption over the load balancer. To apply thechanges check the Modif y Button and the new algorithm will be applied on line without restarting the f arm.

    Here you've a brief explanation about the available algorithms f or TCP and UDP prof iles.

  • Round Robin equal sharing. An equal balance of traf f ic to all active real servers. For every incomingconnection the balancer assigns the next round robin real server to deliver the request.

    Hash sticky client. The Farm will create a hash string f or each IP client and send each connection f rom thathash to the same real server. A hash table is created with the real servers and the requests are assignedthrough the f ollowing algorithm:

    index = cli % nServers

    Where index is the index of the real server hash table, cli is the integer representation of the IP addressand the nServers is the number of real servers available. This algorithm is a way to create persistencethrough the IP address, but it s more powerf ul if youve a variety of subnets clients accessing to yourservice (f or example, an international service).

    Weight connection linear dispatching by weight. Balance connections depending on the weight value, youhave to edit this value f or each real server. The requests are delivered through an algorithm to calculate theload of every server using the actual connections to them, and then to apply a linear weight assignation.

    Priority connections to the highest priority available. Balance all connections to the same highest priorityserver. If this server is down, the connections switch to the next highest server. With this algorithm you canbuild an Active-Pasive cluster service with several real servers.

    Enable client ip address persistence through memory. For every algorithm a persistence by ip addressclient could be conf igured. With this option enabled all the clients with the same ip address will beconnected to the same server. A new incoming connection is delivered to the selected server by thealgorithm and stored in the memory table. The next t imes the client will be connected is delivered to thissame server. This behaviour provides a basic persistency by ip address. To apply the changes you've topress the Modif y Button and will be modif ied on line on the load balancer service. This option is notavailable f or UDP f arms.

    Max number of clients memorized in the farm.This values have only sense if you enable theclient ip persistence. The client f ield is about themax number of clients that will be possible tomemorize and the time value is the max time oflif e f or this clients to be memorized (the max client age). To change these values you've to press theModif y Button and then the f arm service will be restarted automatically. This option is not available f or UDPf arms.

    Max number of simultaneous connections for the virtual IP. It 's the max value of establishedconnections and active clients that the virtual service will be able to manage. For UDP f arms this valueindicates the max pending packets to be processed by the virtual service. To change this f ield the f arm willbe restarted automatically.

    Max number of real ip servers. It 's the max number of real servers that the f arm will be able to haveconf igured. To change this value the f arm service will be restarted automatically.

    Add X-Forwarded-For header to http requests.

  • This option enables the HTTP header X-Forwarded-For to provide to the real server the ip client address.To change this f eature will be applied online. Bydef ault is disabled. This option is not available f orUDP f arms.

    Use farmguardian to check backend servers.Checking this box will enable a more advanced monitoringstate f or backends and totally personalized f or your ourscripts. When a problem is detected by f armguardianautomatically disables the real server and will be markedas blacklisted. This is an independent service so you've not to restart the f arm service. To get more detailsabout this service, please read the FarmGuardian section. This option is not available f or UDP f arms.

    5.2.1.2 HTTP/HTTPS PROFILE OPTIONS

    The vast majority of parameters you'll be able to conf igure in a HTTP/HTTPS f arm, needs a manual restartof the f arm service, so a TIP message will be appear to alert at the administrator that there are globalparameters or backend changes that needs to restart the service through the icon bef ore be applied.The system administrator is able to modif y whatever parameters are needed and then restart thef arm service to apply all them at the same time.

    Note that in the HTTP/HTTPS f arms prof ile, the HTTP header X-Forwarded-For is included by def ault with

  • the IP client address data.

    By contrast with the TCP or UDP f arms prof ile, the HTTP/HTTPS prof ile use a weight algorithm implicit ly.

    The specif ic parameters f or advanced HTTP or HTTPS f arm are the f ollowing:

    Persistence session. This parameter def ines how the f arm service is going to manage the client sessionand what HTTP connection f ield has to be controlled to maintain saf e client sessions. When a type ofpersistence session is selected a persistence session TTL will appear.

    No persistence. The f arm service won't control theclient sessions and the HTTP or HTTPS requestswill be f ree delivered to real servers.

    IP client address. The IP client address will beused to maintain the client sessions through thereal servers.

    BASIC basic authentication. The HTTP basicauthentication header will be used to control theclient sessions. For example, when a web pagerequest a basic authentication to the client a HTTP header will contain a string like the f ollowing:

    HTTP/1.1 401 Authorization RequiredServer: HTTPd/1.0Date: Sat, 27 Nov 2011 10:18:15 GMTWWW-Authenticate: Basic realm="Secure Area"Content-Type: text/htmlContent-Length: 31

    Then the client answer with the header:

    GET /private/index.html HTTP/1.1Host: localhostAuthorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

    This basic authentication string is used like an ID f or the session to identif y the client session.

    URL a request parameter. When the session ID is sent through a GET parameter with the URL will bepossible to use this option indicating the parameter name associated with the client session ID. Forexample, a client request like " http://www.example.com/index.php?sid=3a5ebc944f41daa6f849f730f1 " hasbe conf igured as shown below:

  • To conf igure the URL session persistence, you've to select this option in the Persistence Session f ield andthen press the Modif y Button. Later, two new f ields will be shown:

    Persistence session time to limit (TTL). This value indicates the max time of lif e f or an inactive client session(max session age).

    Persistence session identifier. This f ield is the URL parameter name that will be analyzed by the f arm serviceand will manage the client session.

    Af ter conf iguring this items and pressed the Modif y Button, it 's needed to restart the f arm service toapply the changes.

    PARM a URI parameter. Another way to identif y a client session is done through a URI parameter. This isa f ield separated by a semicolon like the f ollowing " http://www.example.com/private.php;EFD4Y7 "

    To conf igure this kind of persistence is suf f icient toselect the PARM option and press the Modif y Button.Finally, to apply the changes will be necessary torestart the f arm service.

    COOKIE a certain cookie. Also, you'll be able to selecta http cookie variable to maintain the client sessionthrough the COOKIE option. A cookie has to becreated by the programmer into the webpage to identif y the client session, f or example:

    GET /spec.html HTTP/1.1Host: www.example.orgCookie: sessionidexample=75HRSd4356SDBfrte

    With this specif ication, the f ollowing conf iguration will be needed:

    Af ter conf iguring this items and pressed the Modif y Button on all of them, it 's needed to restart thef arm service to apply the changes.

    HEADER a certain request header. A custom f ield of the HTTP header could be used to identif y the clientsession. For example:

  • GET /index.html HTTP/1.1Host: www.example.orgX-sess: 75HRSd4356SDBfrte

    With this specif ication, the f ollowing conf iguration will be needed:

    Af ter conf iguring this items and pressed the Modif y Button on all of them, it 's needed to restart the f armservice to apply the changes.

    HTTP verbs accepted. This f ield indicates the operations that will be permitted to the HTTP clientrequests. If a not permitted verb is requested an error will be shown to the client.

    Standard HTTP request. Accept only standard HTTPrequests (GET, POST, HEAD).

    + extended HTTP request. Additionally allow extendedHTTP requests (PUT, DELETE).

    + standard WebDAV verbs. Additionally allow standardWebDAV verbs (LOCK, UNLOCK, PROPFIND,PROPPATCH, SEARCH, MKCOL, MOVE, COPY,OPTIONS, TRACE, MKACTIVITY, CHECKOUT, MERGE,REPORT).

    + MS extensions WebDAV verbs. Additionally allow MS extensions WebDAV verbs (SUBSCRIBE,UNSUBSCRIBE, NOTIFY, BPROPFIND, BPROPPATCH, POLL, BMOVE, BCOPY, BDELETE, CONNECT).

    + MS RPC extensions verbs. Additionally allow MS RPC extensions verbs (RPC_IN_DATA, RPC_OUT_DATA).

    To apply any of these options, press the Modif y Button and restart the f arm service.

    HTTPS Certif icate. The SSL certif icate is only available f or HTTPS f arms, where a list of certif icates willbe shown to be selected f or the current f arm. This list could be modif ied under the Manage::Certificatessection.

    To apply this conf iguration press the Modif y Buttonand restart the f arm service.

    Personalized error messages. Through thepersonalized error messages, the f arm service is ableto answer a custom message of your site when a webcode error is detected f rom the real servers. A personalized HTML page will be shown.

  • To apply the changes press the Modif y Button and restart the f arm service.

    5.2.2 EDIT FARM REAL SERVERS

    Once a new f arm is created, you've to include the servers with the real services to deliver the inputconnections.

    Under the Edit real IP servers table conf iguration you'll be able to include the conf iguration backends f orevery backend and their specif ic parameters.

    The common properties to be entered f or a real backend are the f ollowing:

    Server. It 's an automatic ID established to be an index f or the real server. The system administrator can'tchange this value.

    Address. It 's the IP address of the real service.

    Port. It 's the port of the real server in which the real service is listening on.

    5.2.2.1 TCP/UDP PROFILE

    With a TCP or UDP f arm, you'll be able to conf igure the f ollowing properties:

    Max connections. It 's the max number of concurrent connections that the current real server will be able toreceive. This value must be less than the Max clients of the Global Parameters.

  • Weight . It 's the weight value f or the current real server which is only usef ul if the Weight Algorithm isenabled. More weight value indicates more connections delivered to the current backend.

    Priority. It 's the priority value f or the current real server which is only usef ul if the Priority Algorithm isenabled. The priority value accepted is between 1 and 9, less value indicates more priority to the currentreal server.

    With the Save Real Server button you'll apply the new conf iguration, or you'll be able to cancel theprocess through the button. A message with the result will be displayed.

    Once the real server conf iguration is entered, you'll be able to edit the conf ig throught the Editbutton or delete the conf iguration with the Delete Real Server button.

    The server index is usef ul to identif y the real server conf iguration f or the current f arm.

    The changes of the real servers conf iguration f or the TCP and UDP prof iles are applied online, and arestart action isn't needed.

    5.2.2.2 HTTP/HTTPS PROFILE

    With a HTTP or HTTPS f arm, you'll be able to conf igure the f ollowing properties:

    Timeout . It 's the specif ic value of t imeout f or a backend to response. This value override the globaltimeout f arm parameter f or the current backend.

    Weight . It 's the weight value f or the current real server. By def ault a value of 5 is established.

  • With the Save Real Server button you'll apply the new conf iguration, or you'll be able to cancel theprocess.

    For the HTTP/HTTPS f arm prof ile a message with the result will be displayed and a restart action willbe requested to the administrator to the changes take ef f ect. To apply the new conf iguration youhave to restart the f arm through the restart button .

    The TIP message will not disappear until the f arm is restarted.

    Once the real server conf iguration is entered, you'll be able to edit the conf ig throught the Editbutton or delete the conf iguration with the Delete Real Server button.

    The server index is usef ul to identif y the real server conf iguration f or the current f arm.

    The changes of the real servers conf iguration f or the HTTP and HTTPS prof iles needs a manual f armrestart.

    5.2.3 VIEW STATUS FARM ACTION

    This action shows the actual state of backends, clients and connections that are being delivered f rom thevirtual service to the real servers.

  • The Real Server Status table shows the state of every backend:

    Server. It 's the backend identif ication number.

    Address. It 's the real server IP address.

    Port . It 's the port number where the real service of the current real server is listening on.

    Status. A red dot means that the current real server is down or blacklisted, meanwhile a green dot meansthat the backend is online and delivering connections.

    Pending Conns. This is the number of pending connections in the system that are on SYN state f or thecurrent backend, indepently of f arm service.

    Established Conns. This is the number of established connections in the system that are onESTABLISHED state f or the current backend, indepently of f arm service.

    Closed Conns. This is the number of closed connections in the system that are on TIME_WAIT state f orthe current backend, indepently of f arm service.

    Clients. It 's the number of clients (unique IP addresses) that are associated with the current backendserver. This is only available f or TCP f arms.

    Sessions. It 's the number of HTTP client sessions that are associated with the current backend server.This is only available f or HTTP and HTTPS f arms.

    Weight . It 's the weight value established f or every backend.

    Priority. It 's the priority value established f or every backend server. This option is only available f or TCPand UDP f arms.

    To analyze with details the clients, sessions and connections to the backends, you've to expand the Clientsessions status or Active connections tables to show all this inf ormation pressing the Maximize button.

    Note that f or very high load f arms showing this table could slowdown the machine and could be shown a

  • very large table.

    5.3 MANAGE::CERTIFICATES SECTION

    The Certif icates inventory table is used to manage the SSL certif icates to be used f or the HTTPS prof ilef arms.

    All the certif icates has to be generated a PEM f ile extension to be valid f or HTTPS f arms. By def ault azencert.pem certif icate is possible to be used and is not able to be deleted.

    The uploaded certif icate f ile must contain a PEM-encoded certif icate, optionally a certif icate chain f rom aknown Certif icate Authority to your server certif icate and a PEM-encoded private key (not passwordprotected).

    5.3.1 ADDING A NEW CERTIFICATE

    To upload a custom certif icate it 's necessary to press the button Upload Certif icate to be used f orSSL wrapper.

    A new window is shown to upload a custom certif icate through the Browse... button on your localcomputer.

    To upload the new certif icate f ile it 's needed to press the Upload button. Automatically, the new f ile will be

  • accessible f or the balancer.

    Then we're able to select the certif ied uploaded to be used f or the HTTPS f arms.

    5.4 MONITORING::GRAPHS SECTION

    This section is usef ul to monitorize the internal loadbalancer system to detect problems through theparameters of CPU usage, swap memory, ram memory,all conf igured nework interf aces, load and hard diskstorage.

    All the graphs that are shown in the f irst page are the daily progress value of every parameter. Also, you'llbe able to access to the weekly, mothly and yearly history through the button.

    5.5 MONITORING::LOGS SECTION

    This section is used to access to the system logs. To display the logs you've to select one of the log f ilesand then establish the number of tailed lines to be shown pressing the See logs button.

    The f iles are associated to the f ollowing services:

    ucarp.log. Log f ile f or cluster service.

    zenlatency.log. Log f ile f or latency service launcher of ucarp service.

    zeninotify.log. Log f ile f or conf ig replication service.

  • mini_https.log. Log f ile f or the web gui http service.

    zenloadbalancer.log. Log f ile f or the global zen load balancer actions service through the web GUI.

    farmguardian.log. Log f ile f or f armguardian advanced monitoring service.

    5.6 SETTINGS::SERVER SECTION

    This section provides some global parameters f or the load balancer server system.

    The meaning of these parameters are the f ollowing:

    Time out execution Zen GUI CGIs. The Zen GUI web administration panel has been implemented in perlCGI, so this is the time limit to execute the cgi. If the page execution exceed this t imeout, the process willbe killed.

    NTP server. Time server to syncronize the date-time of the system.

    Rsync replication parameters. These are the parameters to syncronize the conf ig data of the clusterreplication. Do not change this settings if you dont know what are you doing.

    Physical interface where is running the GUI service . This is the interf ace where the web panel service

  • will be bind to. It 's saf e to keep the All interfaces enabled. To apply the changes it 's needed to restart theGUI service.

    DNS servers. This is the /etc/resolv.conf f ile content to apply the DNS servers f or the system.

    APT repository. This is the /etc/apt/sources.list f ile content to apply the APT repositories f or the system.These apt servers have to be appropiately updated when a system upgrading is needed.

    5.7 SETTINGS::INTERFACES SECTION

    This section is the main network conf iguration panel f or Zen Load Balancer, where will be shown thenetwork interf aces table f or physical, virtual and vlan interf aces, and the def ault gateway conf igurationf ield.

    At the Interf aces Table will appear all the physical network interf aces installed in the system af ter theZenLB installation. The meaning of every table f ields are the f ollowing:

    Name . It 's the name of the current interf ace and will be unique. The virtual interf aces will be identif icated bya colon ":" character within the interf ace name, meanwhile the vlan is identif icated by a dot "." characterwithin the interf ace name which will be the vlan tag.

    Addr. It 's the IP address in ipv4 f ormat f or the current network interf ace.

    HWAddr. It 's the MAC physical address f or the current network interf ace. Note that the virtual and vlannetwork interf aces have the same MAC address of its parent physical interf ace.

    Netmask. It 's the netmask of the network interf ace, which def ines the subnet of the network f or thecurrent interf ace.

    Gateway. It 's the gateway f or the current network interf ace. ZenLB could work with independent routetables f or every physical or vlan network interf aces. Virtual interf aces always inherit the gateway f rom theparent physical or vlan interf ace.

    Status. A green dot means the interf ace is UP and running, meanwhile a red dot means an interf ace isDOWN. Sometimes a disconnect icon will be shown when the interf ace is UP but it hasn't link.

    Actions. The action icons are used to apply changes to the current network interf ace. Applying a certainaction could af f ect to one or more network interf aces.

    Down interface. Disables the current interf ace.

  • Up interface. Enable the current interf ace.

    Edit interface. Change the current network interf ace conf iguration.

    To apply the changes press the Save & Up! Button.

    Add virtual interface. Adds a new virtual interf ace inherited f rom the current network interf ace.

    Creating a new virtual interf ace will appear a f ield with a colon ":" character that will be used toestablish an identif ication f or the virtual interf ace. The IP address has to be under the same subnet thatthe parent interf ace.

    To apply the changes you have to press the Save button. Press the Cancel button to reject thechanges.

    Add vlan interface. Adds a new vlan interf ace inherited f rom the current network interf ace.

    Creating a new vlan interf ace will appears a f ield with a dot "." character that will be used to establishan identif ication f or the vlan interf ace. The IP address could be dif f erent of the parent interf ace.

    To apply the changes you have to press the Save button. Press the Cancel button to reject thechanges.

    Delete interface. This action disables and delete the current interf ace if it 's possible.

  • Some actions are locked. This icon means that some actions are locked and disabled temporarily.Some reasons to this behaviour are the f ollowing:

    GUI service is bind to a certain interface. In this case, a home icon is shown and some actions aredisabled to be saf e f rom bad conf igurations that could produce an unaccessible zen web GUI.

    To restablish the actions, you've to go to the Settings::Server section and bind the GUI service over allinterf aces, and f inally restart the GUI service.

    Cluster configuration. In this case, the cluster has been conf igured and the interf aces conf iguration is onlyenabled when the cluster is disabled.

    Finally a def ault gateway f or the system could be established through the Def atul gateway table.

    To change this f ield, you've to press the edit button and enter the gateway address and interf ace.

    To apply the new conf iguration press the Save button or Cancel to reject the changes.

    To remove the def ault gateway press the Delete Button.

    5.8 SETTINGS::CLUSTER SECTION

    On this section you can conf igure the cluster service and check the cluster service status. During thecluster process conf iguration you don't have to access to the second node, as the conf iguration willbe replicated automatically.

  • Cluster status. It 's a global view of cluster elements, you can reload the check here

    Virtual IP for Cluster, or create new virtual here . Select a virtual ip that will be used f or the clusterservice, if you didn't conf igure one, please go to Settings::Interface and conf igure one, this virtual interf aceis only needed to be conf igured on the f irst node that you are conf iguring the cluster service.

    Local hostname and Remote Hostname . Once a virtual interf ace is selected the hostnames and IPaddress inf ormation about the cluster nodes are needed.

    Press the Save button to save the changes. At this point, it 's needed that the physical IP f or both nodesare conf igured over the same physical interf ace that the "virtual IP Cluster" on the last step (f or example,eth0).

    Remote Hostname root password. Enter the second node root password, this inf ormation won't bememorized, it 's only needed to conf igure the RSA comunication over the both nodes.

    Once the Configure RSA Connection between nodes is pressed the communication process is executed andif everything is right you'll see messages as shown below.

  • Pressing the Test RSA connection button will check that the RSA communication f rom the current node tothe remote node is working f ine.

    A message like the f ollowing will appear if everything is right.

    Select the cluster type . Through this combo you can choose the behaviour of the cluster service.

    --Disable cluster on all hosts--:The cluster service will be stopped and disabled on both nodes. Only use thisoption if you need to stop the cluster service to make changes or disable the cluster service.

    node1 master and node2 backup automatic failback: If node1 is detected as down the node2 will take overthe load balancing service. When node1 is restored the service will automatically switch back to node1. Youshould choose this option when node1 is a more powerf ul server than node2.

    node1 or node2 can be masters: anyone can be master, there is no automatic f ailback when one node isrecovered. If you have two very similar servers f or node1 and node2 that can both handle the f ull load ofyour traf f ic then you can use this option.

    To connect two Zen Load Balancer servers over cross over cable f or cluster communication you have tocheck this option:

    Now press to save the changes.

    The cluster service is going to start on both nodes and at the end of theprocess these messages will appear.

  • Processes are going to be launched on background to conf igure the cluster, at this point you can press theref resh icon to update the cluster status view.

    If the cluster is conf igured and working f ine you can see a similar view like this:

    On this view will be shown the cluster services and the status that we describe on the next lines:

    Zen latency. Is a launcher of UCARP service, this service has to be running on both cluster nodes, andcheck that the communication between nodes is OK.

    Cluster IP. This IP is UP only on the master node and conf igured but DOWN on the backup node.

  • Zen inotify. This service has to be running only on the master node and will send to the backup node allthe conf iguration and changes of networking and f arms.

    Over the cluster conf igured view you can:

    Reload the check for testing that the cluster service are working like a charm.

    Force cluster sync from master to backup. This manual f orce is usef ul af ter acluster service recovery.

    Test the RSA connection . Verif y that the RSA connection between nodes isworking f ine that it 's needed f or syncronization over zen inotif yservice.

    Force failover. Switch the cluster service node. It 's usef ul if youneed to do some maintenance tasks on the master server or to test the clusterservice. For node1 master and node2 backup automatic failback cluster type will beswitched f or only 30 seconds, af ter that, the cluster service will be switched backto node1.

    Once the cluster service is conf igured you'll be able to change the cluster type but theservice could produce some outages.

    Over the web GUI is easy to identif y which is the cluster role f or both nodes. On theupper side of the webpage will show this message f or the master node:

    And f or the backup node:

    Once the cluster service is running on both nodes you only have to connect tomaster node to apply changes f or f arms and interf aces, which will beautomatically conf igured and replicated to the backup node.

    5.9 SETTINGS::CHANGE PASSWORD SECTION

    In this section you'll be able to change the web admin user password.

    It 's necessary to insert the current password and a repeated new password. Pressing the Change buttonwill change the admin web password. Optionally you'll be able to sync the admin password with the rootsystem password through the Change & Sync with root password button.

    5.10 SETTINGS::BACKUP SECTION

    With the Backup option you can save the conf igurations on the ZenLB server and download to your local

  • computer.

    On this panel you can create, restore, upload and download backup f iles.

    The Description name f ield will be the identif ication f or the backup f ile to be generated pressing the CreateBackup button. Please, do not include blank spaces.

    The new backup f ile generated will be listed on the Backup f iles table:

    The actions to be applied are the f ollowing:

    : Through this icon you can download the selected f ile.

    : Through this icon you can delete the selected backup f ile.

    : Through this icon you can apply this backup. The conf ig f iles will be rewritten if exists.

    : Through this icon you can upload a backup f ile. It 's usef ul if you've created a backup anddownloaded it f or security reasons. If you press this icon a window will be shown:

  • Pressing the Browse... button you'll be able to navigate through your local f iles to select your backup f ile tobe uploaded. It is important to know that the f ile need to f ollow the next pattern:

    backup-description.tar.gz

    If you modif y the pattern, then the f ile isn't going to be listed on the Settings::Backup section.

    6. FARM GUARDIAN USAGE

    6.1 PHILOSOPHY

    By def ault Zen Load balancer checks the tcp backends port status, but sometimes this check its notenough to conclude that the backend status is working f ine. To solve this problem Zen Load Balancerimplement a way to execute an advanced and personalized backends checks called Farm Guardian.

    With this advanced monitoring application you can develope your own personalized scripts or use someavailable scripts under the /usr/local/zenloadbalancer/app/libexec/ directory.

    Farm Guardian checks the execution error output f rom the selected script ($? = 0 when there isn't error f orthe backend and $? 0 when there is an error f or the backend).

    All scripts used by Farm Gardian have to accept two minimal input arguments, HOST and PORT(HOST=backend ip, PORT= port backend).

    Farm Guardian connects to your f arm and will list the backends and ports. Then the selected script will berunned f or each server replacing the HOST and PORT token string by each backend and port conf igured onyour f arm.

    6.2 CONFIGURATION

    At the moment, Farm Guardian is only implemented f or TCP prof ile:

    To enable the Farm Guardian monitoring check the box Use FarmGuardian to check Backend Servers andestablish the time period of checks:

    Now select a def ault script under the path/usr/local/zenloadbalancer/app/libexec or includeyour own script on that directory:

    Farm Guardian connects to the f arm to obtain the backend list and execute this script f or each of them.Reading the output of the execution through the $? variable we could determine that if the web content ona real server doesn't contain the string It works, the current backend will be marked as blacklisted.

  • It 's recomended to read the help page of check_http script to understand this example.

    You can activate the execution logs f or Farm Guardian checking the Active logs checkbox.

    7. LICENSE

    This documentation has been created by the Zen Load Balancer Developers Team f orthe Zen Load Balancer GNU/GPL Project.

    This documentation is licensed under the terms of the GNU Free Documentation License.

    This programm is licensed under the terms of the GNU General Public License.

    Zen Load Balancer Administration Guide