On Wed, 16 Jan 2008, Colin Farrow wrote:
> Does anyone have any experience, comments or otherwise on using
> Linux-HA/heartbeat software in an active/passive configuration to
> provide some measure of resilience to server failure of an IdP service?

Well, for what it's worth we are doing exactly this, and it seems to
basically work.

As currently configured, heartbeat is managing the service IP address,
Apache and Tomcat. It appears that Tomcat takes a while to get its
clockwork going after start-up so there is a rather longer loss of service
following a manual transition than I would like. Elsewhere we have plain
Apache and Squid managed by heartbeat and manual transitions are
sufficiently fast that we are happy to do them at any time to suit our
own convenience. It may be that in the Shib case I could run Apache and
Tomcat all the time on both servers and just use Heartbeat to manage the
service IP address, but I haven't tried.

My other concern is that, since I'm not running any of the shib-HA stuff,
there is state stored on the active Shib server that isn't replicated on
the backup. Because of this, a service transition will at least be
problematic for transactions in progress (e.g. if an authentication
assertion is issued by one server and the corresponding attribute query
arrives on the other). So far this hasn't caused any (observed or
reported) problems, but I expect it could and will.

Of course in the case of an automatic transition caused by the failure of
the live server there is bound to be some loss of service, but at least
you'll have a replacement service up and running a lot faster than if
manual intervention is required.

Frankly the main gain we've seen with heartbeat is the ability to take
servers down in sequence for patching or maintenance with minimal loss of
service. Of course there are ways of achieving this other than using
heartbeat. Genuine failures that require an automatic transition are very
rare.

Jon.
--
Jon Warbrick
Web/News Development, Computing Service, University of Cambridge