Lab 2.6 - Install OKD Cluster - Configure HAProxy and Rsyslog

1. Install packages

# Install the load balancer and the syslog daemon that will receive its logs.
dnf -y install haproxy rsyslog

2. Configure HAProxy

# Keep the stock configuration for reference, then write the new one (below).
# After saving, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax
# before the restart in step 6.
mv /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.bak
vim /etc/haproxy/haproxy.cfg
...
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # Send log lines to the local syslog daemon (rsyslog, step 3) on
    # facility local2. rsyslog's imudp input must be enabled for these
    # to arrive, and /etc/rsyslog.d/haproxy.conf routes local2 to a file.
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    # NOTE(review): no `mode`, `user` or `level` is set on this socket, so
    # who can use it depends only on the socket file's default permissions.
    # The runtime API can change server state (e.g. take a backend server
    # out of rotation), so confirm that only the intended local users can
    # reach it.
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    # (every frontend below is plain TCP pass-through, so these only matter
    # if TLS termination is added later)
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Every frontend/backend below overrides this with `mode tcp`, so the
    # HTTP-only options here (httplog, http-server-close, forwardfor) are
    # not in effect for this cluster's traffic.
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
# Kubernetes API: bound to the api. name only, TCP pass-through (TLS is
# terminated by the control-plane nodes, not here).
frontend openshift-api-server
    bind api.openshift.podX.io:6443
    default_backend openshift-api-server
    mode tcp
    option tcplog
# Machine config server: serves Ignition to nodes; bound to the api-int.
# name, which should resolve only on the cluster-internal network.
frontend machine-config-server
    bind api-int.openshift.podX.io:22623
    default_backend machine-config-server
    mode tcp
    option tcplog
# Ingress: `*` binds every address on this host, unlike the two API
# frontends above, which bind a specific name.
frontend ingress-http
    bind *:80
    default_backend ingress-http
    mode tcp
    option tcplog
frontend ingress-https
    bind *:443
    default_backend ingress-https
    mode tcp
    option tcplog

#---------------------------------------------------------------------
# static backend for serving up API, MCS, HTTP and HTTPS
#---------------------------------------------------------------------
# `balance source` hashes the client IP to pick a server, so a given
# client keeps hitting the same node while the server set is unchanged.
# `check` enables health checks; in tcp mode with no httpchk option this
# is a plain TCP connect, so a node that accepts connections but is not
# serving the API correctly still looks healthy.
# NOTE(review): the bootstrap entries are normally removed once cluster
# bootstrap completes; that step is not shown on this page.
backend openshift-api-server
    balance source
    mode tcp
    server bootstrap.openshift.podX.io 10.6X.6X.4:6443 check
    server master1.openshift.podX.io 10.6X.6X.5:6443 check
    server master2.openshift.podX.io 10.6X.6X.6:6443 check
    server master3.openshift.podX.io 10.6X.6X.7:6443 check
backend machine-config-server
    balance source
    mode tcp
    server bootstrap.openshift.podX.io 10.6X.6X.4:22623 check
    server master1.openshift.podX.io 10.6X.6X.5:22623 check
    server master2.openshift.podX.io 10.6X.6X.6:22623 check
    server master3.openshift.podX.io 10.6X.6X.7:22623 check
# Application ingress goes to the worker nodes only.
backend ingress-http
    balance source
    mode tcp
    server worker1.openshift.podX.io 10.6X.6X.8:80 check
    server worker2.openshift.podX.io 10.6X.6X.9:80 check
backend ingress-https
    balance source
    mode tcp
    server worker1.openshift.podX.io 10.6X.6X.8:443 check
    server worker2.openshift.podX.io 10.6X.6X.9:443 check
...

3. Enable HAProxy logging. Uncomment the two lines below (remove the leading `#`)

# Enable the UDP syslog input that HAProxy's `log 127.0.0.1 local2` relies on
# (the two lines below are presumably present but commented out in the stock file).
vim /etc/rsyslog.conf
...
module(load="imudp") # needs to be done just once
# NOTE(review): with no address= parameter this input listens on every
# address. HAProxy only sends to 127.0.0.1 (haproxy.cfg `log` line), so
# address="127.0.0.1" would confine the listener to loopback. Step 8 does
# not open 514/udp in firewalld, so it is not reachable from outside as
# long as that stays true.
input(type="imudp" port="514")
...

# Drop-in file so HAProxy's messages get their own log file (see below).
vim /etc/rsyslog.d/haproxy.conf
...
# Add this line: route the local2 facility (set by `log 127.0.0.1 local2`
# in haproxy.cfg) to a dedicated file.
local2.*    /var/log/haproxy.log
...

4. Set the SELinux boolean that allows HAProxy to connect to any port

# Persistently (-P) allow the haproxy_t domain to connect to any TCP port;
# presumably needed because the backends use 6443 and 22623, which the default
# policy does not permit. A narrower alternative is to label only those ports
# (semanage port -a -t http_port_t -p tcp <port>) instead of any-port connect.
setsebool -P haproxy_connect_any on

5. Allow HAProxy to bind to a non-local IP address

# Add the sysctl shown below. Editing the file alone does not apply it:
# run `sysctl --system` (or reboot) afterwards; this page does not show that step.
vim /etc/sysctl.d/99-sysctl.conf
...
# Add this line: let HAProxy bind to addresses not configured on this host,
# presumably because the api./api-int. names in haproxy.cfg may resolve to a
# shared or floating IP. Confirm it is needed for your topology; otherwise
# leave it at the default of 0.
net.ipv4.ip_nonlocal_bind=1
...

6. Enable and restart haproxy

# Enable HAProxy at boot, restart it to load the new haproxy.cfg, then show
# its state (status exits non-zero when the unit is not active, which is the
# cue to check the config and /var/log/haproxy.log).
for action in enable restart status; do
  systemctl "$action" haproxy
done

7. Enable and restart rsyslog

# Enable rsyslog at boot, restart it to pick up the imudp input and the
# haproxy.conf drop-in, then show its state.
for action in enable restart status; do
  systemctl "$action" rsyslog
done

8. Open the HAProxy ports in firewalld

# Open the ingress services and the two API ports as permanent rules in the
# default zone, then reload so they take effect. 514/udp (rsyslog imudp) is
# not opened here and should stay closed: HAProxy logs to 127.0.0.1 only.
# 22623 serves Ignition to nodes; if the default zone faces an untrusted
# network, consider adding it to a zone that covers only the node network.
for svc in http https; do
  firewall-cmd --permanent --add-service "$svc"
done
for port in 6443/tcp 22623/tcp; do
  firewall-cmd --permanent --add-port "$port"
done
firewall-cmd --reload
