cosign-discuss at umich.edu
general discussion of cosign development and deployment
 
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: replication behind load balancer


On Mar 23, 2005, at 4:58 PM, David Alexander wrote:


I added the opposite blade's IP address to the /etc/hosts file on each blade. Now, communication between cosignd processes is not crossing the load balancer, so I think I am just dealing with cosign configuration issues at this point.

The documentation is a little thin on replication. What should the consign.conf file contain on each host? Now that I can use the host names of the individual blades, I created client certs for 'cosign11' and 'cosign12'. I have tried various permutations in the cosign.conf file, but I still get the error "f_starttls: No access for cosign1[12]" in the log file. I get a "CHILD xxxxx talking to itself" error in the other host's log file. I was also getting a "cosign[12] is not a daemon" error at some point.

Can someone tell me more about these errors?


I think from your setup, cosign11 and cosign12 ( or whatever the cert names are that the daemon is using ) need to both be permitted as cgis. The "talking to itself" bit is basically so we can use a multiple A record like weblogin.umich.edu ( which contains a.umich.edu, b.umich.edu, and c.umich.edu ), and when we get the individual host records a only replicates to b and c, not itself. That's what the daemon flag/command is for ( f_daemon ).

In pusherhosts() ( in pusher.c ) we call gethostbyname() which I believe is aware of /etc/hosts.

The "%s is not a daemon" message comes from the CN of the host trying to do the replication ( aka the replicator ) not being listed as a cgi in the cosign.conf of the replicatee. The No access message is probably the same thing.

Since you have 2 hosts with 2 separate IPs, at least for testing purposes I'd just start with this do this:

host A:

cosign.conf:

cgi a.weblogin.ohio.edu ( just needs itself, and this is the CN for the cert A is running with, not domain name )

%/usr/local/sbin/cosignd -h b.weblogin.ohio.edu

( you also want to run monster the same way - %/usr/local/sbin/monster -h b.weblogin.ohio.edu )


and on host B you should also have "a.weblogin.ohio.edu" permitted in cosign.conf, and just the regular
% /usr/local/sbin/cosignd ( and /usr/local/sbin/monster, too ).

So A should replicate to B, one way. And only A would also house the CGI.

Once that's up and happy, you can do the exact same thing on B, so now permit A and B both as CGIs on each cosign.conf, and have A do % cosignd -h b.weblogin.ohio.edu and B do % cosignd -h a.weblogin.ohio.edu

I can see why this might need a bit more documentation. :) We're working on a few small tweaks for 1.8.1 release, so I'll try and add something to that or just put it up on the website.

Also, as a side note, I'm not sure fail over in the clients will work right if both cosign servers are behind a load balancer. I haven't drawn it all out yet, but the basic idea behind client fail over is that the filters ask every weblogin server they are aware of ( A, B, and C ) based on the lookup they did at startup. If they are talking to a load balancer that only had 1 IP/name, they might only get A when in fact B happen to have the most up-to-date information. Like I said, I haven't really thought about this though, so I might be wrong, too.

In any case, let us know if the above suggestions help with replication and/or what else we can do to help.

-Johanna