From 154c74ff2f04f07ba4bdeb3cb96758aa811b50a0 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Wed, 27 Mar 2019 08:00:00 -0400 Subject: [PATCH] New production info --- ee/ucp/interlock/deploy/production.md | 109 ++++++++++++++++++-------- 1 file changed, 75 insertions(+), 34 deletions(-) diff --git a/ee/ucp/interlock/deploy/production.md b/ee/ucp/interlock/deploy/production.md index 228701b1ae..d2a1736aee 100644 --- a/ee/ucp/interlock/deploy/production.md +++ b/ee/ucp/interlock/deploy/production.md @@ -5,15 +5,31 @@ description: Learn how to configure the layer 7 routing solution for a productio keywords: routing, proxy --- -The layer 7 solution that ships out of the box with UCP is highly available +# Deploying to production +This section includes documentation on configuring Interlock +for a production environment. If you have not yet deployed Interlock, refer to [Deploying Interlock](index.md) because this information builds upon the basic deployment. This topic does not cover infrastructure deployment - +it assumes you have a vanilla Swarm cluster (`docker init` and `docker swarm join` from the nodes). +Refer to the [Swarm](https://docs.docker.com/engine/swarm/) documentation if you need help +getting a Swarm cluster deployed. + +The layer 7 solution that ships with UCP is highly available and fault tolerant. It is also designed to work independently of how many nodes you're managing with UCP. ![production deployment](../../images/interlock-deploy-production-1.svg) -For a production-grade deployment, you should tune the default deployment to +For a production-grade deployment, you need to perform the following actions: + +1. Pick two nodes that are going to be dedicated to run the proxy service. +2. Apply labels to those nodes, so that you can constrain the proxy service to +only run on nodes with those labels. +3. Update the `ucp-interlock` service to deploy proxies using that constraint. +4. Configure your load balancer to only route traffic to the dedicated nodes. + +## Select dedicated nodes +Tuning the default deployment to have two nodes dedicated for running the two replicas of the -`ucp-interlock-proxy` service. This ensures: +`ucp-interlock-proxy` service ensures: * The proxy services have dedicated resources to handle user requests. You can configure these nodes with higher performance network interfaces. @@ -22,45 +38,54 @@ deployment secure. * The proxy service is running on two nodes. If one node fails, layer 7 routing continues working. -To achieve this you need to: - -1. Enable layer 7 routing. [Learn how](index.md). -2. Pick two nodes that are going to be dedicated to run the proxy service. -3. Apply labels to those nodes, so that you can constrain the proxy service to -only run on nodes with those labels. -4. Update the `ucp-interlock` service to deploy proxies using that constraint. -5. Configure your load balancer to route traffic to the dedicated nodes only. - -## Apply labels to nodes - -In this example, we chose node-5 and node-6 to be dedicated just for running -the proxy service. To apply labels to those nodes run: +## Apply node labels +Configure the selected nodes as load balancer worker nodes ( for example, `lb-00` and `lb-01`) with node labels in order to pin the Interlock Proxy service. After you log in to one of the Swarm managers, run the following commands to add node labels +to the dedicated ingress workers: ```bash -docker node update --label-add nodetype=loadbalancer +$> docker node update --label-add nodetype=loadbalancer lb-00 +lb-00 +$> docker node update --label-add nodetype=loadbalancer lb-01 +lb-01 ``` -To make sure the label was successfully applied, run: +You can inspect each node to ensure the labels were successfully added: -{% raw %} ```bash -docker node inspect --format '{{ index .Spec.Labels "nodetype" }}' +$> docker node inspect -f '{{ .Spec.Labels }}' lb-00 +map[nodetype:loadbalancer] +$> docker node inspect -f '{{ .Spec.Labels }}' lb-01 +map[nodetype:loadbalancer] ``` -{% endraw %} The command should print "loadbalancer". -## Configure the ucp-interlock service - +## Update proxy service Now that your nodes are labelled, you need to update the `ucp-interlock-proxy` -service configuration to deploy the proxy service with the correct constraints. - -Add a constraint to the `ucp-interlock-proxy` service to update the running service: +service configuration to deploy the proxy service with the correct constraints (constrained to those +workers). From a manager, add a constraint to the `ucp-interlock-proxy` service to update the running service: ```bash -docker service update \ +$> docker service update --replicas=2 \ --constraint-add node.labels.nodetype==loadbalancer \ - ucp-interlock-proxy + --stop-signal SIGQUIT \ + --stop-grace-period=5s \ + $(docker service ls -f 'label=type=com.docker.interlock.core.proxy' -q) +``` + +This updates the proxy service to have two (2) replicas and ensure they are constrained to +the workers with the label `nodetype==loadbalancer` as well as configure the stop signal for the tasks +to be a `SIGQUIT` with a grace period of five (5) seconds. This will ensure that Nginx uses a graceful shutdown +before exiting to ensure the client request is finished. + +Inspect the service to ensure the replicas have started on the desired nodes: + +```bash +$> docker service ps $(docker service ls -f 'label=type=com.docker.interlock.core.proxy' -q) +ID NAME IMAGE NODE DESIRED STATE CURRENT STATE ERROR PORTS +o21esdruwu30 interlock-proxy.1 nginx:alpine lb-01 Running Preparing 3 seconds ago +n8yed2gp36o6 \_ interlock-proxy.1 nginx:alpine mgr-01 Shutdown Shutdown less than a second ago +aubpjc4cnw79 interlock-proxy.2 nginx:alpine lb-00 Running Preparing 3 seconds ago ``` Then add the constraint to the `ProxyConstraints` array in the `interlock-proxy` service @@ -72,18 +97,34 @@ configuration so it takes effect if Interlock is restored from backup: ProxyConstraints = ["node.labels.com.docker.ucp.orchestrator.swarm==true", "node.platform.os==linux", "node.labels.nodetype==loadbalancer"] ``` -[Learn how to configure ucp-interlock](configure.md). +[Learn how to configure ucp-interlock](../config/index.md). -Once reconfigured you can check if the proxy service is running on the dedicated nodes: +Once reconfigured, you can check if the proxy service is running on the dedicated nodes: ```bash docker service ps ucp-interlock-proxy ``` -## Configure your load balancer +## Configure load balancer +Update the settings in the upstream load balancer (ELB, F5, etc) with the +addresses of the dedicated ingress workers. This directs all traffic to these nodes. -Once the proxy service is running on dedicated nodes, configure your upstream -load balancer with the domain names or IP addresses of those nodes. +You have now configured Interlock for a dedicated ingress production environment. Refer to the [configuration information](../config/tuning.md) if you want to continue tuning. -This makes sure all traffic is directed to these nodes. +## Production deployment configuration example +The following example shows the configuration of an eight (8) node Swarm cluster. There are three (3) managers +and five (5) workers. Two of the workers are configured with node labels to be dedicated +ingress cluster load balancer nodes. These will receive all application traffic. +There is also an upstream load balancer (such as an Elastic Load Balancer or F5). The upstream +load balancers will be statically configured for the two load balancer worker nodes. +This configuration has several benefits. The management plane is both isolated and redundant. +No application traffic hits the managers and application ingress traffic can be routed +to the dedicated nodes. These nodes can be configured with higher performance network interfaces +to provide more bandwidth for the user services. + +![Interlock 2.0 Production Deployment](../../images/interlock_production_deploy.png) + +## Next steps +- [Configuring Interlock](../config/index.md) +- [Deploying applications](../usage.index.md)