yahoo-eng-team team mailing list archive

[Bug 1649164] [NEW] Layer 4 load balancing & SSL termination

 

Public bug reported:

With current charms, SSL is terminated on each service by Apache, and as
a result HA services are configured to perform layer2 checks and
failover only. SSL termination should be handled by a load balancer, so
that layer4 checks and load balancing/HA can be used. A tool such as
haproxy could perform this task, and would be more efficient as we would
have fewer services doing the busy-work of encrypting and decrypting
traffic.

As the connection is encrypted all the way to the endpoint, there is no
opportunity for tools such as haproxy to be used as part of the high
availability configuration to check the response code of certain HTTP
endpoints, for example - keystone, cinder, glance, swift, ceph radosgw
or horizon services, as a means to determine endpoint health. Currently,
only port connectability is considered. This means that potentially, the
configured virtual IP and LVS configuration could be directing traffic
to a failed endpoint.

I would like to request, as a feature request, that the current high
availability solution is revised to address these shortcomings.

** Affects: hacluster (Juju Charms Collection)
     Importance: Undecided
         Status: New

** Also affects: horizon
   Importance: Undecided
       Status: New

** No longer affects: horizon

** Package changed: keystone (Juju Charms Collection) => hacluster (Juju
Charms Collection)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1649164

Title:
  Layer 4 load balancing & SSL termination

Status in hacluster package in Juju Charms Collection:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/charms/+source/hacluster/+bug/1649164/+subscriptions