Hello,

I'm starting to think about a way to set up an active/active HAProxy.

As of 1.5, HAProxy can share its connection table, which is a really
appreciated feature :)

I've thought of different ways to implement such a setup:

* RR DNS on two VRRP interfaces (BP is really shared between boxes);
  conntrackd also permits sharing TCP states between boxes that will
  also run iptables. I see no trivial race condition in this setup
  between in and out network stateful protocols.
* cluster iptables module to load balance between the 2 HAProxy boxes
  on the VIP and conntrackd. This setup exhibits two main problems:
        - network load is not really shared between the boxes, it's the
          intended behaviour of the setup;
        - HA is not really the primary goal of the iptables cluster module
          by default; some kind of script should be made or a really big
          hammer like pacemaker must be used to handle HAProxy or box failure
          (not really a big pb);
        - a race condition might be triggered (depends on the cluster
          module configuration, with ARP and the ARP cache; that might happen
          under very high load, but I expect very high load). But the
          configuration that will trigger the race condition is unlikely to
          happen; I can't use load balancing at the layer 2 level.
  CARP with load balancing on *BSD and pfsync exhibits the same issue on
  network load: packets go to the two boxes, which is not really what I
  want.

You might ask why I want this kind of setup: it's because of the
network load on the LB tiers, and I can't change the network topology or
network element setup, and the backend application network protocols are
not stateless at all (but hopefully not opening very long TCP sessions).

For now, the RR DNS solution with VRRP sounds the best, but maybe I missed
some other tricks that can be done at the OS network layer (I even thought
of playing with the VIP timer announcement at layer 2; it might work but is
very hackish without a hand on the switch).

Has anyone already tried to put HAProxy in active/active mode (with
firewalling)?

Cheers.

-- 
Jérôme Benoit aka fraggle
La Météo du Net - http://grenouille.com
OpenPGP Key ID : 9FE9161D
Key fingerprint : 9CA4 0249 AF57 A35B 34B3 AC15 FAA0 CB50 9FE9 161D
