OpenAM: Multi-guest test environment with VirtualBox

Last week I posted some notes on the basic installation done for the initial OpenAM install chapter that I was writing. Looking at the work Steve is doing for session management, I decided that a single instance would not be enough. Luckily I have 8 GB RAM on this laptop. Using VirtualBox, CentOS, and HAProxy, I now have a host-only network of 3 systems, 2 for OpenAM, 1 for the load balancer (and probably a test application at some point).


I have configured 3 guests in VirtualBox, each based on CentOS 6, with host-only networking and no DHCP.

$ cat /etc/redhat-release
CentOS Linux release 6.0 (Final)

Root user: root:password

Normal user: mark:password

Set up name resolution in /etc/hosts on each guest and on the host. Networking is static, with the host as the gateway. Here’s the hosts file excerpt:

$ cat /etc/hosts
...
192.168.56.1     host
192.168.56.2     openam.example.com
192.168.56.3     openam-bis.example.com
192.168.56.4     lb.example.com

Installed Java 6 (/path/to/jdk1.6).

$ cat .bash_profile
...
# User specific environment and startup programs

PATH=.:/path/to/jdk1.6/bin:$PATH:$HOME/bin

export PATH

JAVA_HOME=/path/to/jdk1.6
export JAVA_HOME
JRE_HOME=$JAVA_HOME/jre
export JRE_HOME

Installed Apache Tomcat 7 (/path/to/tomcat) on each host. Then configured Tomcat to start at boot time and stop at shutdown (chkconfig --add tomcat).

$ cat /etc/init.d/tomcat
#!/bin/sh
#
# tomcat
#
# chkconfig: 345 95 5
# description: Manage Tomcat web application container
CATALINA_HOME="/path/to/tomcat"
export CATALINA_HOME
JAVA_HOME=/path/to/jdk1.6
export JAVA_HOME
JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
export JAVA_OPTS

cd ${CATALINA_HOME}

# Determine what action should be performed on the server
case "${1}" in
start)
  /bin/su mark -c "${CATALINA_HOME}/bin/startup.sh"
  exit ${?}
  ;;
stop)
  /bin/su mark -c "${CATALINA_HOME}/bin/shutdown.sh"
  exit ${?}
  ;;
*)
  echo "Usage:  $0 { start | stop }"
  exit 1
  ;;
esac

On the system with HAProxy and only 1024 MB memory, removed the following lines from /etc/init.d/tomcat:

JAVA_OPTS="-Xmx1024m -XX:MaxPermSize=256m"
export JAVA_OPTS

Installed OpenDJ on both openam.example.com and openam-bis.example.com in /path/to/OpenDJ, and enabled OpenDJ to start at boot time (chkconfig --add opendj).

$ cat /etc/init.d/opendj
#!/bin/sh
#
# CDDL HEADER START
#
# The contents of this file are subject to the terms of the
# Common Development and Distribution License, Version 1.0 only
# (the "License").  You may not use this file except in compliance
# with the License.
#
# You can obtain a copy of the license at
# https://OpenDS.dev.java.net/OpenDS.LICENSE.
# See the License for the specific language governing permissions
# and limitations under the License.
#
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at
# trunk/opends/resource/legal-notices/OpenDS.LICENSE.  If applicable,
# add the following below this CDDL HEADER, with the fields enclosed
# by brackets "[]" replaced with your own identifying information:
#      Portions Copyright [yyyy] [name of copyright owner]
#
# CDDL HEADER END
# chkconfig: 345 95 5
# description: Control the OpenDJ Directory Server

# Set the path to the OpenDJ instance to manage
INSTALL_ROOT="/path/to/OpenDJ"
export INSTALL_ROOT

cd ${INSTALL_ROOT}

# Determine what action should be performed on the server
case "${1}" in
start)
  /bin/su mark -c "${INSTALL_ROOT}/bin/start-ds --quiet"
  exit ${?}
  ;;
stop)
  /bin/su mark -c "${INSTALL_ROOT}/bin/stop-ds --quiet"
  exit ${?}
  ;;
restart)
  /bin/su mark -c "${INSTALL_ROOT}/bin/stop-ds --restart --quiet"
  exit ${?}
  ;;
*)
  echo "Usage:  $0 { start | stop | restart }"
  exit 1
  ;;
esac

OpenDJ listens on 1389 (LDAP), 1636 (LDAPS), 4444 (Admin), 8989 (Repl) on each host. Contains Example.com data from http://mcraig.org/ldif/Example.ldif.

Fixed up iptables for all the ports needed.

# /etc/init.d/iptables stop
# vi /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Jul 13 10:42:56 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1233:104093]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8989 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9989 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul 13 10:42:56 2011
# /etc/init.d/iptables start

Installed OpenAM as a web app in Tomcat. (cp openam/deployable-war/opensso.war /path/to/tomcat/webapps/openam.war)

  • amadmin:password
  • policy agents pwd:secret12
  • Embedded config directory 1689 (JMX), 2389 (LDAP), 5444 (Admin), 9989 (Repl)
  • Site “Example Site” + load balancer URL “http://lb.example.com:8080/openam”
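
A check one could run against the iptables listing above, added here as an example and not part of the original post: it lists the TCP ports the rules accept from any source and compares them with the ports the post documents for each guest. The per-role port lists, and the idea that the same ruleset is reused on lb.example.com, are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): compare the ports a guest is
# documented to need with the ports its iptables ruleset opens to any source.

# INPUT rules as they appear in the post's /etc/sysconfig/iptables listing.
RULES='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8989 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9989 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Port numbers come from the post; the per-role grouping is an assumption.
OPENAM_PORTS="22 8080 1389 1636 4444 8989 1689 2389 5444 9989"
LB_PORTS="22 8080"

# stdin: iptables-save text. stdout: TCP ports accepted with no -s/--source match.
open_ports() {
    awk '$1 == "-A" && $2 == "INPUT" {
        port = ""; scoped = 0; accept = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-s" || $i == "--source") scoped = 1
            if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
        }
        if (accept && port != "" && !scoped) print port
    }' | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# $1: needed ports, $2: opened ports. Prints the needed ports no rule opens.
not_opened() {
    for p in $1; do case " $2 " in *" $p "*) ;; *) printf '%s ' "$p" ;; esac; done | sed 's/ $//'
}

# $1: needed ports, $2: opened ports. Prints the opened ports the role does not need.
not_needed() { not_opened "$2" "$1"; }

OPENED=$(printf '%s\n' "$RULES" | open_ports)
echo "opened to any source: $OPENED"
echo "openam guests, documented but not opened: $(not_opened "$OPENAM_PORTS" "$OPENED")"
echo "lb guest, opened but not needed: $(not_needed "$LB_PORTS" "$OPENED")"
```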

On the lb.example.com guest, installed HAProxy.

# ls /etc/haproxy/
haproxy  haproxy.conf
# /etc/haproxy/haproxy -v
HA-Proxy version 1.4.15 2011/04/08
Copyright 2000-2010 Willy Tarreau 

# cat /etc/haproxy/haproxy.conf
global
     daemon
     user nobody
     group nobody

defaults
     mode     http
     timeout connect 5000ms
     timeout client     50000ms
     timeout server     50000ms

frontend http-in
     bind *:8080
     default_backend     servers

backend servers
     #appsession amlbcookie len 20 timeout 3h request-learn
     balance roundrobin
     cookie SERVERID insert nocache
     server openam.example.com 192.168.56.2:8080 check cookie 1
     server openam-bis.example.com 192.168.56.3:8080 check cookie 2

The parts of the backend servers section that are not self-explanatory:

  • cookie SERVERID insert nocache
    IIRC adds a cookie to help HAProxy direct client traffic to the same backend server where possible.
  • server fqdn ip:port check cookie value
    IIRC tells HAProxy to check the server accepts HTTP requests and assigns the cookie the specified value.
  • The appsession line is what Sam thought should be sufficient instead of the cookie line and extra server parameters to know how to balance requests.

I’m not sure this configuration actually works as expected, yet. I only know that it seems to work at least a bit.

Configured HAProxy to start at boot time (chkconfig --add haproxy):

# cat /etc/init.d/haproxy
#!/bin/sh
#
# haproxy
#
# chkconfig: 345 95 5
# description: Manage HAProxy service
#
# Inspired by http://mattiasgeniar.be/downloads/haproxy/haproxy.init.
#
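# Source the init function library, which provides success() used by reload
. /etc/rc.d/init.d/functions

HAPROXY="/etc/haproxy/haproxy"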
export HAPROXY

checkconfig() {
     ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
     if [ $? -ne 0 ]; then
          echo "Errors found in configuration file."
          return 1
     fi
     return 0
}

start() {
     ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
     if [ $? -ne 0 ]; then
          echo "Errors found in configuration file."
          return 1
     fi

     echo -n "Starting HAProxy..."
     ${HAPROXY} -D -f /etc/haproxy/haproxy.conf -p /var/run/haproxy.pid

     RETVAL=$?
     echo
     [ $RETVAL -eq 0 ] && touch /var/lock/subsys/haproxy
     return $RETVAL
}

stop() {
     echo -n "Shutting down HAProxy..."
     kill $(cat /var/run/haproxy.pid)

     RETVAL=$?
     echo
     [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/haproxy
     [ $RETVAL -eq 0 ] && rm -f /var/run/haproxy.pid
     return $RETVAL
}

restart() {
     ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
     if [ $? -ne 0 ]; then
          echo "Errors found in configuration file."
          return 1
     fi

     stop
     start
}

check() {
     ${HAPROXY} -c -q -V -f /etc/haproxy/haproxy.conf
}

reload() {
     ${HAPROXY} -c -q -f /etc/haproxy/haproxy.conf
     if [ $? -ne 0 ]; then
          echo "Errors found in configuration file."
          return 1
     fi

     echo -n "Reloading HAProxy config: "
     ${HAPROXY} -f /etc/haproxy/haproxy.conf -p /var/run/haproxy.pid -sf $(cat /var/run/haproxy.pid)

     success $"Reloading HAProxy config: "
     echo
}

# Possible parameters
case "$1" in
     start)
          start
     ;;
     stop)
          stop
     ;;
     restart)
          restart
     ;;
     reload)
          reload
     ;;
     checkconfig)
          check
     ;;
     *)
          echo "Usage: haproxy {start|stop|restart|reload|checkconfig}"
          exit 1
     ;;
esac

# Propagate the status of the action that ran instead of always reporting success
exit $?

Hope to provide more news as I start to test Steve’s new session management feature.
