Page 1: Title

Intent-driven, fully automated deployment of anycasted load balancers with HAProxy and Python

DENOG 11

Maximilian Wilhelm

1 / 24

Page 2: Agenda

Agenda

1. Who's who
2. Context
3. The past
4. The Idea
5. The now
6. Q & A

Page 3: Who's who

Who's who

Maximilian Wilhelm
- Networker
- OpenSource Hacker
- Fanboy of (Debian) Linux and ifupdown2

Occupation:
- By day: Senior Infrastructure Architect, Uni Paderborn
- By night: Infrastructure Archmage, Freifunk Hochstift
- In between: Freelance Solution Architect for hire

Contact: @[email protected]

Page 4: Context

Context

Page 5: Context

Context

Paderborn University
- 20,000 students
- 2,500 employees

Lots of central IT services
- IDM (LDAP, Kerberos, AD, …)
- Mail (SMTP, IMAP, PMX, Mailman, Exchange)
- An awful lot of websites
- eLearning things (Moodle, PAUL, …)
- SharePoint
- File services
- The Internet...

Page 6: The Past

The Past


Page 8: The Past

The Past

Cisco Nexus based L2 fabric
- VLANs for service / backend networks

2x F5 Viprion 2400 LBs
- Router / default gateway for all service networks
- Prefixes for VIPs statically routed to VRRP IP
- Prefixes for backend networks statically routed to VRRP IP
- No ACLs between service networks
- Out-of-everything end of 2018

Manually configured
- Even monitoring


Page 10: The Idea

The Idea

Page 11: The big picture

The big picture

Page 12: The idea

The idea

A service as central config element
- Can be balanced by
  - Anycast
  - HAProxy
- If balanced
  - Service VIPs announced via BGP
  - Should be Active/Active
- Monitoring configured automatically
  - Checks for frontends / VIPs as well as backends
- Config of webserver(s) generated
  - Should additionally allow
    - H/A clusters
    - Caching layer for web stuff
- Subnets of service nodes should be routed by DC routers
  - with ACLs

Page 13: What was in the cards?

What was in the cards?

Working DC network setup
- All VLANs everywhere
- BGP capable DC routers

Heavy automation for Linux boxes
- bcfg2
  - Written in Python
  - Easily extendable
  - Config generators for Icinga2
  - Basic Apache2 templating

People not afraid of automation
- On the contrary

Page 14: Now what IS a service

Now what IS a service

- Has an FQDN
  - resolves to IP and/or Legacy-IP addresses
- Has a proto and service
  - proto derived from service, if possible
  - e.g. tcp/http or tcp/80
- Is provided by hosts of $bcfg2_group
  - e.g. kdc-production
- May be anycasted
- May be balanced
  - And the LBs anycasted
- May be a web thing
  - With special http config
  - e.g. template, redirects and stuff
- May have special monitoring config

Page 15: What does it look like?

What does it look like?

mwilhelm@kili:/bcfg2/etc/services/imt/infrastructure/anycasted$ cat kerberos-kdc.srv
anycast: True
status: produktiv
name: kerberos-kdc
fqdn: kerberos.srv.imt.uni-paderborn.de
service: kerberos
bcfg2_srv_group: kdc-slave
monitoring:
  virtual_bcfg2_groups:
    - kdc
    - imt-master

Page 16: Well OK, it has a defaulting mechanism, too

Well OK, it has a defaulting mechanism, too

mwilhelm@kili:/bcfg2/etc/services/imt/infrastructure/anycasted$ cat defaults.yaml
anycast: True
status: produktiv

mwilhelm@kili:/bcfg2/etc/services/imt/infrastructure/anycasted$ cat kerberos-kdc.srv
name: kerberos-kdc
fqdn: kerberos.srv.imt.uni-paderborn.de
service: kerberos
bcfg2_srv_group: kdc-slave
monitoring:
  virtual_bcfg2_groups:
    - kdc
    - imt-master

Page 17: The Now

The Now


Page 19: Lessons learned

Lessons learned

Bad NIC firmware is bad

BGP timeouts are long
- Recovery times are bad when L2 is a black hole
- BFD will solve this

HAProxy configuration is complex
- Lots of switches have effect on other switches
- No way to ask HAProxy what config options are active

Page 20: The good

The good

Backends with support for Proxy Protocol
- Apache2
- Cyrus IMAP
- Dovecot
- Exim
- Nginx
- Postfix
- Varnish
- ...

Page 21: The bad

The bad

OpenLDAP
- No support for Proxy Protocol
- Has to be DNATed by HAProxy when slapd should see client IPs
- Therefore LDAP backends have to be routed by HAProxy

Exchange
- Funny problems with timeouts (solved)
- Funny problems with Outlook for Mac clients

SharePoint
- Funny problems when you don't use tcp mode for some vHosts
- I want this hour of my life back
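An added example, not the bcfg2 generator from the talk, that ties slides 14 to 16 and 20/21 together: it merges a .srv body over defaults.yaml, derives proto and port from the service name the way slide 14 describes (explicit protos/port keys win, "tcp/http" and "tcp/80" are accepted, otherwise /etc/services is consulted), and renders an HAProxy listen section for the group's hosts, with send-proxy for backends that speak the Proxy Protocol and HAProxy's transparent source mode for a backend that does not (the OpenLDAP case, which is why such backends must be routed via HAProxy). The file contents are embedded as Python dicts constructed to mirror the slides instead of being parsed from YAML; GROUP_HOSTS, FALLBACK_PORTS, the function names and the two rendering flags are assumptions, and binding to the FQDN assumes it resolves to the service VIP.

```python
"""Service definitions (defaults.yaml + *.srv) -> HAProxy config.  Added example."""
import socket

# Constructed stand-ins for the files shown on the slides; a real generator would
# read them with a YAML parser.  The keys are the ones used in the .srv files.
DEFAULTS = {"anycast": True, "status": "produktiv"}

SERVICE_FILES = {
    "kerberos-kdc.srv": {
        "name": "kerberos-kdc",
        "fqdn": "kerberos.srv.imt.uni-paderborn.de",
        "service": "kerberos",
        "bcfg2_srv_group": "kdc-slave",
    },
    "proxy.srv": {
        "name": "proxy",
        "fqdn": "proxy.srv.imt.uni-paderborn.de",
        "service": "proxy",
        "protos": "tcp",
        "port": 3128,
        "bcfg2_srv_group": "proxy-server-produktiv",
    },
}

# Constructed (not on the slides): the hosts bcfg2 has in each srv group.
GROUP_HOSTS = {
    "kdc-slave": ["kdc-1.example.invalid", "kdc-2.example.invalid"],
    "proxy-server-produktiv": ["proxy-1.example.invalid"],
}

# Constructed fallback for hosts without /etc/services.
FALLBACK_PORTS = {"http": 80, "https": 443, "kerberos": 88, "ldap": 389, "imap": 143}

REQUIRED_KEYS = ("name", "fqdn", "service")


def derive_proto_port(svc):
    """'service' may be a name ('kerberos'), 'tcp/http' or 'tcp/80';
    explicit 'protos' / 'port' keys win over anything derived."""
    spec = str(svc["service"])
    protos = svc.get("protos", "tcp")
    if "/" in spec:
        protos, spec = spec.split("/", 1)
    if isinstance(protos, str):
        protos = [protos]
    if "port" in svc:
        return protos, int(svc["port"])
    if spec.isdigit():
        return protos, int(spec)
    try:
        return protos, socket.getservbyname(spec, protos[0])
    except OSError:
        if spec in FALLBACK_PORTS:
            return protos, FALLBACK_PORTS[spec]
        raise ValueError(f"{svc['name']}: cannot derive a port for service {spec!r}")


def load_services(defaults, files):
    """Merge each .srv body over the defaults, validate it, derive proto and port."""
    services = {}
    for fname, body in files.items():
        svc = {**defaults, **body}
        missing = [k for k in REQUIRED_KEYS if k not in svc]
        if missing:
            raise ValueError(f"{fname}: missing keys {missing}")
        svc["protos"], svc["port"] = derive_proto_port(svc)
        if svc["name"] in services:
            raise ValueError(f"{fname}: duplicate service name {svc['name']!r}")
        services[svc["name"]] = svc
    return services


def render_haproxy(svc, hosts, proxy_protocol=False, transparent=False):
    """One 'listen' section: the VIP frontend plus the backend hosts of the group.

    proxy_protocol=True  backend speaks the PROXY protocol (Apache, Dovecot, ...): send-proxy
    transparent=True     backend does not (OpenLDAP): keep the client IP as source address,
                         which only works when the backend's return path is routed via HAProxy
    """
    if "tcp" not in svc["protos"]:
        raise ValueError(f"{svc['name']}: HAProxy only balances TCP")
    lines = [
        f"listen {svc['name']}",
        f"    bind {svc['fqdn']}:{svc['port']}",  # assumes the FQDN resolves to the VIP
        "    mode tcp",
        "    balance roundrobin",
    ]
    if transparent:
        lines.append("    source 0.0.0.0 usesrc clientip")
    suffix = " send-proxy" if proxy_protocol else ""
    for host in hosts:
        lines.append(f"    server {host} {host}:{svc['port']} check{suffix}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for svc in load_services(DEFAULTS, SERVICE_FILES).values():
        print(render_haproxy(svc, GROUP_HOSTS[svc["bcfg2_srv_group"]]))
```

A missing required key or a duplicate service name aborts the whole run rather than producing a half-rendered config, which is what you want from a generator that is the single source of truth for both the balancers and the monitoring.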

Page 22: Bonus level: Packet filter configuration

Bonus level: Packet filter configuration

- We know what ports a service is using
- We know where (backend, frontend)
- Let's generate netfilter rules
- Limiting access to source prefixes just came on top
- Specifying additional_ports, too

mwilhelm@kili:/bcfg2/etc/services/imt/infrastructure/anycasted$ cat proxy.srv
name: proxy
fqdn: proxy.srv.imt.uni-paderborn.de
service: proxy
protos: tcp
port: 3128
bcfg2_srv_group: proxy-server-produktiv
acl:
  allow_from:
    - imt_thinclients
    - imt_fw_mgmt
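The packet-filter generation from this slide, worked through as an added example (not the talk's code): it expands the named prefix lists in acl.allow_from, adds additional_ports to the service port, emits one nftables rule per protocol and address family for the service nodes, and refuses an unknown prefix-list name instead of guessing, so a typo in an ACL can neither silently open nor silently close a port. PREFIX_LISTS and the kerberos protos/port are constructed sample data; the function names, the nft table layout and its default-drop input policy are assumptions.

```python
"""Service definitions -> nftables input rules.  Added example."""
import ipaddress

# Constructed stand-in for the site's named prefix lists referenced by acl.allow_from.
PREFIX_LISTS = {
    "imt_thinclients": ["10.131.0.0/16", "2001:db8:131::/48"],
    "imt_fw_mgmt": ["10.199.7.0/24"],
}

# Service definitions as a loader would hand them over: proxy.srv from the slide,
# kerberos-kdc with constructed protos/port.  additional_ports is the key named on the slide.
SERVICES = [
    {"name": "proxy", "protos": ["tcp"], "port": 3128,
     "acl": {"allow_from": ["imt_thinclients", "imt_fw_mgmt"]}},
    {"name": "kerberos-kdc", "protos": ["tcp", "udp"], "port": 88},
]


def resolve_prefixes(names, prefix_lists):
    """Expand prefix-list names into sorted, de-duplicated IPv4 and IPv6 networks.
    An unknown name is an error: a typo must not change what the ACL permits."""
    v4, v6 = set(), set()
    for name in names:
        if name not in prefix_lists:
            raise KeyError(f"unknown prefix list {name!r}")
        for cidr in prefix_lists[name]:
            net = ipaddress.ip_network(cidr, strict=True)  # host bits set -> ValueError
            (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def nft_set(items):
    """Render an anonymous nft set, e.g. '{ 3128, 3129 }'."""
    return "{ " + ", ".join(str(i) for i in items) + " }"


def service_rules(svc, prefix_lists):
    """Input rules for the hosts providing one service: port(s) x proto(s) x family."""
    name = svc["name"]
    ports = sorted({int(svc["port"]), *map(int, svc.get("additional_ports", []))})
    protos = svc.get("protos", ["tcp"])
    if isinstance(protos, str):
        protos = [protos]
    acl = svc.get("acl")
    if acl is not None and not acl.get("allow_from"):
        return []  # an acl block that allows nothing: no rule, the default policy drops
    rules = []
    for proto in protos:
        match = f'{proto} dport {nft_set(ports)} accept comment "svc:{name}"'
        if acl is None:
            rules.append(match)  # no acl at all: reachable from anywhere (both families)
            continue
        v4, v6 = resolve_prefixes(acl["allow_from"], prefix_lists)
        if v4:
            rules.append(f"ip saddr {nft_set(v4)} {match}")
        if v6:
            rules.append(f"ip6 saddr {nft_set(v6)} {match}")
    return rules


def render_ruleset(services, prefix_lists):
    """A complete inet table with a default-drop input chain (layout is an assumption)."""
    lines = [
        "table inet services {",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
        "        iif lo accept",
    ]
    for svc in services:
        lines.extend("        " + rule for rule in service_rules(svc, prefix_lists))
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ruleset(SERVICES, PREFIX_LISTS))
```

Generating the family-specific saddr rules from one prefix list keeps the IPv4 and "Legacy IP" views of a service in sync, which is where hand-maintained filters usually drift apart first.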

Page 23: Further Reading

Further Reading

BGP / networking basics
https://myfirst.network

Anycast with Cisco Nexus 7000 and Debian Linux
https://blog.sdn.clinic/2018/02/anycasted-services-with-debian-bird-anycast-healthchecker-and-cisco-nexus-7000/

Anycast all the things
https://www.slideshare.net/BarbarossaTM/anycast-all-the-things

Page 24: Questions?

Questions?