Balancing OpenLDAP

2009-01-19 Thread Jordi Espasa Clofent

Hi all,

Obviously, HAproxy can work fine in front of an LDAP farm (using tcp
balancing). I've read about the 'leastconn' balance algorithm and it seems
good for this goal. However, haproxy only knows if an LDAP server is up
by checking the availability of the tcp port.


Is it possible to check the LDAP service directly using some LDAP command
(layer 7) through HAproxy?


--
Thanks,
Jordi Espasa Clofent



Re: Balancing OpenLDAP

2009-01-19 Thread Brian Gupta
> Is it possible to check the LDAP service directly using some LDAP command
> (layer 7) through HAproxy?

Jordi's question got me thinking. Does haproxy support externally
scripted healthchecks? If not, this would be useful for implementing a
variety of healthchecks that aren't built into haproxy.

Cheers,
Brian
-- 
- Brian Gupta

New York City user groups calendar:
http://nyc.brandorr.com/



Re: Balancing OpenLDAP

2009-01-19 Thread Willy Tarreau
On Mon, Jan 19, 2009 at 10:16:46PM +0100, Jordi Espasa wrote:
> > Jordi's question got me thinking. Does haproxy support externally
> > scripted healthchecks? If not, this would be useful for implementing a
> > variety of healthchecks that aren't built into haproxy.
>
> Yes. It would be a very cool feature.

No it does not. Yes it would be cool, but it's somewhat incompatible
with chroot. The possible long-term solutions include:

  - shared library support, in order to load external plugins,
    including complex health-check plugins;

  - performing the checks in an independent process. That would
    be very nice since it would allow better support for
    multi-process usage.

Another solution would be to state that chroot is incompatible
with external scripts, and let the user make a choice. Maybe we
can try to think about the required parameters for an external
script, and see how that could be implemented. We might even
reuse some parts of what I had developed for Keepalived (VRRP
tracking scripts). It was quite advanced (cache of last result,
etc...), and keepalived's and haproxy's architectures are quite
similar.

Now, speaking about the LDAP checks, I was about to implement
one in the past due to a customer's need, and finally let go
because the customer was not interested due to some aspects
which were not covered (detection of end of replication). So
right now there's no LDAP check.

Regards,
willy




Re: HAProxy: listening port set up and performance

2009-01-19 Thread Willy Tarreau
Hi,

On Mon, Jan 19, 2009 at 06:11:13PM -0800, Hsin, Chih-fan wrote:
> Hi, I am new to HAProxy and have questions about the configuration and
> performance.
>
> I downloaded HAProxy 1.3.15.7 from
> http://haproxy.1wt.eu/ to /home/user/Tool
> Unpacked it by tar xopf name.tar.gz.tar
> Run make TARGET=linux26
>
> 1) Apache HTTP testing
> Servers webA (192.168.5.4) and webB (192.168.5.5) have Apache server
> started.
> Client (192.168.5.1) sends http requests to webA (192.168.5.4:80) and
> webB (192.168.5.5:80), and can get valid http response (default Apache
> response).
>  [client] - [webA],[webB]
>
> Now, the HAProxy does not have Apache server and has IP address
> 192.168.5.3.
> At HAProxy, run ./haproxy -f ./haproxy1.cfg.  The haproxy1.cfg is below
> [client] - [HAProxy] - [webA],[webB].
> Client sends http request to HAProxy via IE web browsing to
> http://192.168.5.3. However, the client cannot get web response.


By this, do you mean that no response ever comes back, or that you get
an error ?

> Client sends http request to HAProxy via multiple IE web browsing to
> http://192.168.5.3:80. Then it works.

Are you sure that your apache machines don't block access from haproxy ?
Also, do you have any form of virtual hosting on those machines, which
would refuse requests with a Host: field with a wrong IP address in it ?

> haproxy1.cfg file
> listen webfarm 192.168.5.3:80    - How do I decide the correct
> port number to make http://192.168.5.3 work?

This is the correct form.


>     mode http
>     balance roundrobin
>     cookie SERVERID insert indirect
>     stats enable
>     server webA 192.168.5.4:80 cookie A check
>     server webB 192.168.5.5:80 cookie B check

I see that you have not configured timeouts. This is bad (though it
should not cause you the problem you're seeing). Please add the
following lines to the section above :

timeout client 30s
timeout server 30s
timeout connect 5s

Also, you should log, you would see in the logs what is wrong.
For this, please add the following line :

log 127.0.0.1 local0

Then ensure that your syslogd listens to the UDP socket (syslogd -r),
and check the log files (you will see one line added when you start
haproxy, then one line per request).

> 2) TCP testing (using Iperf)
> Servers webA (192.168.5.4) and webB (192.168.5.5) run Iperf TCP sink to
> listen to port 5001
> Client runs 2 Iperf TCP connections and send traffic to 192.168.5.3:80
> At HAProxy, run ./haproxy -f ./haproxy2.cfg
> haproxy2.cfg
> listen webfarm 192.168.5.3:80
>     mode tcp
>     balance roundrobin
>     stats enable
>     server webA 192.168.5.4:5001
>     server webB 192.168.5.5:5001
> I can achieve 36Mbps each under the following scenario.
> [client]   - 36Mbps - [webA]
> |-36Mbps - [webB]

36 Mbps ??? You definitely have something wrong in your setup !
This is the bandwidth you could expect from a saturated 100 Mbps
HUB at maximal collision rate !!! Please check that all your
connections are made to a switch and not a hub, and that all
your hosts have negotiated full duplex (with ethtool).

> However, when I use HAProxy, I can only achieve 18Mbps each.  The
> utilization of HAProxy machine is low.
> [client]  - [HAProxy] -  18Mbps - [webA]
> |  18Mbps - [webB]
> Is this normal? Is there any way to improve it?

No it's not normal, but expected from the bad numbers above.
If you are using a hub which is saturated, then making the
traffic pass twice over it will halve the per-host bandwidth.

Right now, it does not make sense to use a hub for network
testing, not even a 100 Mbps switch. Gigabit switches are
very cheap, you can find a 5-port gig switch for less than
$50, it could save you a lot of time spent troubleshooting
connectivity issues.

Regards,
Willy