Nice. I just tried Jan's suggestion of using the exact same line (including the pbkdf2 hash) in the [admins] section of local.ini on all my nodes and disabled sticky load balancing in haproxy and the admin session now appears to persist across all nodes!
I'm going to try to figure out a good way to automate this setup via docker-compose and will then update my examples. Thanks for the help!

On Sun, May 14, 2017 at 2:52 PM Robert Samuel Newson <[email protected]> wrote:

> As Jan says, and as my SO reply says, this is fixable.
>
> You absolutely do not need sticky load balancer routing for this (I can state definitely that Cloudant uses round-robin haproxy in their lb tier).
>
> Since the salt is the likely issue here and only applies to admins (as user hashes are in the distributed _users database), I recommend you not use admin credentials for regular database access, reserve those for the operations that require admin powers.
>
> B.
>
> > On 14 May 2017, at 18:55, Geoffrey Cox <[email protected]> wrote:
> >
> > Thanks Robert, but in my testing, I found that you need to use cookie based routing, i.e. sticky sessions, in order for the session to persist when you are using haproxy. This is even when you set the secret to be the same on all nodes.
> >
> > My working solution with cookie-based routing can be found at
> > https://github.com/redgeoff/couchdb-docker/blob/production-multi-node/README.md#run-cluster-via-docker-compose-wip
> >
> > On Sun, May 14, 2017, 09:50 Robert Samuel Newson <[email protected]> wrote:
> >
> >> A session cookie acquired on one node is recognised by any other node if you follow the instructions below (these are in the docs and _cluster_setup does this too).
> >>
> >> You need to ensure each node has the same secret in couch_httpd_auth. It's randomized at startup if not set, so set it to something (large, random) before starting couchdb.
> >>
> >> For _admin_ users, you also need to ensure you set the same hashed version in the .ini file as the salt value is part of the cookie state (so that cookies are invalidated when passwords change).
> >>
> >> Basically, anything in the .ini file needs synchronising between the nodes externally. By hand, but more likely using chef / puppet, etc.
> >>
> >> Cloudant, for example, generates default.ini from a template which sets a cluster-wide couch_httpd_auth secret and the [admins] section.
> >>
> >> B.
> >>
> >>> On 14 May 2017, at 02:43, Geoffrey Cox <[email protected]> wrote:
> >>>
> >>> Hi!
> >>>
> >>> Anyone have any ideas on this? http://stackoverflow.com/q/43958527/2831606
> >>>
> >>> Thanks!
> >>>
> >>> Geoff
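
The synchronisation requirement discussed in this thread can be checked before a cluster goes behind a round-robin balancer. The following is an added example, not part of the original thread or of CouchDB itself: it compares the `[couch_httpd_auth]` secret and the `[admins]` hash lines across nodes and reports any drift. The node names, secrets, and hash values are constructed sample data, and `load` and `find_drift` are hypothetical helper names.

```python
import configparser

# Constructed sample local.ini contents (not from the thread).
HASH_A = "-pbkdf2-6f1c0e0a9d,5a17c3e1b2d4,10"   # derived key, salt, iterations
OK_INI = f"[couch_httpd_auth]\nsecret = s3cr3t-shared\n[admins]\nadmin = {HASH_A}\n"
NODES = {
    "node1": OK_INI,
    "node2": OK_INI,
    # Same password hashed separately: different salt, so cookies will not carry over.
    "node3": "[couch_httpd_auth]\nsecret = s3cr3t-shared\n"
             "[admins]\nadmin = -pbkdf2-91ab44c07e,77f0e2a9c1b3,10\n",
    # No secret (randomized at startup) and a plaintext password (hashed with
    # a fresh random salt when the node starts).
    "node4": "[admins]\nadmin = hunter2\n",
}

def load(text):
    """Return (secret or None, {admin_user: stored_value}) for one ini file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    secret = cp.get("couch_httpd_auth", "secret", fallback=None)
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    return secret, admins

def find_drift(nodes):
    """Compare every node against the first node (by name); list problems."""
    parsed = {name: load(text) for name, text in nodes.items()}
    ref_secret, ref_admins = parsed[sorted(parsed)[0]]
    problems = []
    for name in sorted(parsed):
        secret, admins = parsed[name]
        if secret is None:
            problems.append((name, "secret-unset"))
        elif secret != ref_secret:
            problems.append((name, "secret-differs"))
        for user, value in sorted(admins.items()):
            if not value.startswith(("-pbkdf2-", "-hashed-")):
                problems.append((name, f"admin-plaintext:{user}"))
            elif value != ref_admins.get(user):
                problems.append((name, f"admin-hash-differs:{user}"))
        for user in sorted(set(ref_admins) - set(admins)):
            problems.append((name, f"admin-missing:{user}"))
    return problems

if __name__ == "__main__":
    for node, issue in find_drift(NODES):
        print(f"{node}: {issue}")
```
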
