The guide below is a concrete step-by-step summary of the general guide: https://github.com/nordic-institute/X-Road/blob/master/doc/Manuals/LoadBalancing/ig-xlb_x-road_external_load_balancer_installation_guide.md

[Image: load_balancing_state_replication.png, the master-slave cluster diagram from the NIIS guide]



MASTER (some of the commands also have to be run on the SLAVE; unless stated otherwise, every command is a MASTER command):

  1. Install the X-Road security server packages using the normal installation procedure or use an existing standalone node. (Recommended: install the X-Road software on the SLAVE as well; it does not need to be initialised.)
  2. Stop the xroad services.
    1. service xroad-* stop
  3. Create a separate PostgreSQL instance for the serverconf database (see section 4, Database replication setup, of the GitHub manual linked above for details):

    1. Create replication keys for every node:

      # one CA for the cluster plus one certificate per node; the CN of each node certificate
      # is the PostgreSQL user name that the cert rule in pg_hba.conf maps it to
      openssl req -new -x509 -days 7300 -nodes -sha256 -out ca.crt -keyout ca.key -subj '/O=cluster/CN=CA'
      openssl req -new -nodes -days 7300 -keyout server.key -out server.csr -subj "/O=cluster/CN=master"
      openssl req -new -nodes -days 7300 -keyout server_slave1.key -out server_slave1.csr -subj "/O=cluster/CN=slave1"
      openssl x509 -req -in server.csr -CAcreateserial -CA ca.crt -CAkey ca.key -days 7300 -out server.crt
      openssl x509 -req -in server_slave1.csr -CAcreateserial -CA ca.crt -CAkey ca.key -days 7300 -out server_slave1.crt
      CODE
    2. On all nodes:

      sudo mkdir -p -m 0755 /etc/xroad/postgresql; sudo chmod o+x /etc/xroad
      CODE
    3. Copy ca.crt server.crt server.key to /etc/xroad/postgresql/

      # on the master
      cp ca.crt server.crt server.key /etc/xroad/postgresql/
      # from the master to each slave node (only the CA certificate and that node's own key pair; ca.key stays off the nodes):
      scp ca.crt server_slave1.crt server_slave1.key domain-user@slave-ss-server:/tmp/
      # on the slave (remove the copies from /tmp afterwards):
      cd /tmp; cp ca.crt server_slave1.crt server_slave1.key /etc/xroad/postgresql/
      # on all machines
      sudo chown postgres:postgres /etc/xroad/postgresql/*; sudo chmod 400 /etc/xroad/postgresql/*
      CODE
    4. On the master machine:

      # create a second cluster named serverconf on port 5433, next to the default one on 5432:
      sudo -u postgres pg_createcluster -p 5433 10 serverconf
      
      # change the following lines in the file:
      vi /etc/postgresql/10/serverconf/postgresql.conf
      
      ssl = on
      ssl_ca_file = '/etc/xroad/postgresql/ca.crt'
      ssl_cert_file = '/etc/xroad/postgresql/server.crt'
      ssl_key_file = '/etc/xroad/postgresql/server.key'
      
      listen_addresses = '*' 
      wal_level = replica
      max_wal_senders = 4
      wal_keep_segments = 10
      
      
      # vi /etc/postgresql/10/serverconf/pg_hba.conf
      # add this line at the end: replication connections only over TLS, authenticated by client
      # certificate (the certificate CN must equal a database user that is a member of role slavenode),
      # and only from the same subnet as the master
      hostssl replication +slavenode samenet cert
      
      # start the new separate serverconf instance and create the roles in it; the slave logs in
      # with its certificate only (CN slave1 -> user slave1 via the cert rule above), the serverconf
      # user needs the password that is in /etc/xroad/db.properties:
      systemctl start postgresql@10-serverconf
      sudo -u postgres psql -p 5433 -c "CREATE ROLE slavenode NOLOGIN"
      sudo -u postgres psql -p 5433 -c "CREATE USER slave1 REPLICATION PASSWORD NULL IN ROLE slavenode"
      sudo -u postgres psql -p 5433 -c "CREATE USER serverconf PASSWORD '<password from /etc/xroad/db.properties>'"
      # copy the existing serverconf database into the new instance and rename the old one on 5432:
      sudo -u postgres pg_dump -C serverconf | sudo -u postgres psql -p 5433 -f -
      sudo -u postgres psql -p 5432 -c "ALTER DATABASE serverconf RENAME TO serverconf_old"
      CODE
    5. On the SLAVE:

      # run these commands (the pg_basebackup command is one long line): the freshly created data
      # directory is emptied and replaced by a base backup taken from the master over TLS,
      # authenticated with the slave's client certificate
      sudo -u postgres pg_createcluster -p 5433 10 serverconf
      cd /var/lib/postgresql/10/serverconf/ && rm -rf ./*
      sudo -u postgres PGSSLMODE=verify-ca PGSSLROOTCERT=/etc/xroad/postgresql/ca.crt PGSSLCERT=/etc/xroad/postgresql/server_slave1.crt PGSSLKEY=/etc/xroad/postgresql/server_slave1.key pg_basebackup -h master-ss-server-IP-or-hostname -p 5433 -U slave1 -D .
      
      # put the following lines into the file (the standby verifies the master's certificate against the cluster CA and presents its own)
      vi /var/lib/postgresql/10/serverconf/recovery.conf
      
      standby_mode = 'on'
      primary_conninfo = 'host=master-ss-server-IP-or-hostname port=5433 user=slave1 sslmode=verify-ca sslcert=/etc/xroad/postgresql/server_slave1.crt sslkey=/etc/xroad/postgresql/server_slave1.key sslrootcert=/etc/xroad/postgresql/ca.crt'
      trigger_file = '/var/lib/xroad/postgresql.trigger'
      
      # set the file ownership and permissions:
      chown postgres:postgres recovery.conf; chmod 0600 recovery.conf
      
      # change the following lines in the file:
      vi /etc/postgresql/10/serverconf/postgresql.conf
      
      listen_addresses = 'localhost'
      ssl = on
      ssl_ca_file = '/etc/xroad/postgresql/ca.crt'
      ssl_cert_file = '/etc/xroad/postgresql/server_slave1.crt'
      ssl_key_file = '/etc/xroad/postgresql/server_slave1.key'
      # no need to send WAL logs
      wal_level = minimal
      max_wal_senders = 0
      # wal_keep_segments = 0
      
      hot_standby = on
      hot_standby_feedback = on
      
      # start the new instance
      systemctl start postgresql@10-serverconf
      CODE
  4. Change /etc/xroad/db.properties to point to the separate database instance (MASTER):
    1. vi /etc/xroad/db.properties
    2. serverconf.hibernate.connection.url : Change the url port number from 5432 to 5433
  5. If you are using an already configured server as the master, the existing configuration was replicated to the slaves in step 3. Otherwise, proceed to configure the master server: install the configuration anchor, set up basic information, create authentication and signing keys and so on. See the security server installation guide [IG-SS] for help with the basic setup.
  6. Set up the configuration file replication:

    # MASTER: the account the slaves log in as; it is in group xroad so that it can read /etc/xroad
    adduser --system --shell /bin/bash --ingroup xroad xroad-slave
    sudo mkdir -m 755 -p /home/xroad-slave/.ssh && sudo touch /home/xroad-slave/.ssh/authorized_keys
    
    # On the SLAVE, generate the key pair as the xroad user (it ends up in /var/lib/xroad/.ssh/):
    su xroad
    ssh-keygen
    less ~/.ssh/id_rsa.pub
    
    # On the MASTER:
    vi /home/xroad-slave/.ssh/authorized_keys
    # paste the contents of the SLAVE's id_rsa.pub into the opened file
    
    # On the SLAVE (still as the xroad user):
    # connect to the master host using ssh and accept the host key.
    ssh -i /var/lib/xroad/.ssh/id_rsa xroad-slave@master-ss-server-IP-or-hostname
    exit
    exit   # back to root
    
    # On the SLAVE, put the lines below into the file (fill in the correct master server address)
    vi /etc/systemd/system/xroad-sync.service
    
    [Unit]
    Description=X-Road Sync Task
    After=network.target
    Before=xroad-proxy.service
    Before=xroad-signer.service
    Before=xroad-confclient.service
    Before=xroad-jetty.service
    [Service]
    User=xroad
    Group=xroad
    Type=oneshot
    Environment=XROAD_USER=xroad-slave
    Environment=MASTER=master-ss-server-IP-or-hostname
    ExecStartPre=/usr/bin/test ! -f /var/tmp/xroad/sync-disabled
    ExecStart=/usr/bin/rsync -e "ssh -o ConnectTimeout=5 " -aqz --timeout=10 --delete-delay --exclude db.properties --exclude "/conf.d/node.ini" --exclude "*.tmp" --exclude "/postgresql" --exclude "/nginx" --exclude "/globalconf" --exclude "/jetty" --delay-updates --log-file=/var/log/xroad/slave-sync.log ${XROAD_USER}@${MASTER}:/etc/xroad/ /etc/xroad/
    [Install]
    WantedBy=multi-user.target
    WantedBy=xroad-proxy.service
    
    # On the SLAVE, do the same with the file
    vi /etc/systemd/system/xroad-sync.timer
    
    [Unit]
    Description=Sync X-Road configuration
    [Timer]
    OnBootSec=60
    OnUnitActiveSec=60
    [Install]
    WantedBy=timers.target
    
    # On the SLAVE, enable and start the periodic sync:
    systemctl enable xroad-sync.timer xroad-sync.service
    systemctl start xroad-sync.timer
    
    # On the SLAVE, create the file /etc/logrotate.d/xroad-slave-sync with the following content:
    vi /etc/logrotate.d/xroad-slave-sync
    
    /var/log/xroad/slave-sync.log {
    	daily
    	rotate 7
    	missingok
    	compress
    	su xroad xroad
    	nocreate
    }
    CODE
  7. Configure the node type as master in /etc/xroad/conf.d/node.ini (MASTER)

    # create the file /etc/xroad/conf.d/node.ini with the content:
    [node]
    type=master
    
    # set the file ownership
    chown xroad:xroad /etc/xroad/conf.d/node.ini
    CODE
  8. Disable support for client-side pooled connections (HTTP connection persistence) in /etc/xroad/conf.d/local.ini

    # vi /etc/xroad/conf.d/local.ini
    [proxy]
    server-support-clients-pooled-connections=false
    CODE
  9. Configure the op-monitor service to run on one machine of the cluster or on a separate machine (https://www.x-tee.ee/docs/live/xroad/ug-ss_x-road_6_security_server_user_guide.html#1524-installing-an-external-operational-monitoring-daemon)

    # vi /etc/xroad/conf.d/local.ini
    [op-monitor]
    host = <master host address>
    CODE
  10. Start the X-Road services.
    1. service xroad-* start
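As an added example (not from the NIIS manual or from X-Road itself), a pre-flight script that checks the settings made in step 3 on either node. On the master it verifies that postgresql.conf ships WAL over TLS, that pg_hba.conf contains the cert-authenticated hostssl replication rule and no replication rule that accepts cleartext (hostnossl) or unauthenticated (trust) access, and that the key files are mode 400 with no ca.key present on the node. On the slave it verifies that recovery.conf connects with sslmode=verify-ca and a client certificate, and that the standby listens only locally and runs no WAL senders. Paths default to the PostgreSQL 10 layout used above; the environment variable names are this script's own. One caveat: verify-ca validates the chain but not the host name, which is what the page uses; verify-full would be stricter but only works if the master certificate's CN or SAN equals the host value in primary_conninfo.

```shell
#!/bin/sh
# Pre-flight checks for the serverconf replication set up in step 3.
# Added example for this page; not part of X-Road or the NIIS manual.
# Paths default to the PostgreSQL 10 layout used on this page; the env
# variable names (PGCONF, PGHBA, RECOVERY, CERTDIR) are this script's own.

PGCONF="${PGCONF:-/etc/postgresql/10/serverconf/postgresql.conf}"
PGHBA="${PGHBA:-/etc/postgresql/10/serverconf/pg_hba.conf}"
RECOVERY="${RECOVERY:-/var/lib/postgresql/10/serverconf/recovery.conf}"
CERTDIR="${CERTDIR:-/etc/xroad/postgresql}"

# conf_value FILE KEY: effective value of KEY (last uncommented assignment
# wins, as in PostgreSQL), trailing comment and surrounding quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed "s/[[:space:]]*#.*//; s/^'//; s/'[[:space:]]*\$//" | tail -n 1
}

# expect_setting FILE KEY WANTED: 0 if KEY's effective value equals WANTED
expect_setting() {
    got=$(conf_value "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL: $2 is '${got:-<unset>}' in $1, expected '$3'" >&2
    return 1
}

# Master: must serve TLS with the cluster CA and be allowed to ship WAL.
check_master_conf() {
    f="${1:-$PGCONF}"; rc=0
    expect_setting "$f" ssl on || rc=1
    expect_setting "$f" wal_level replica || rc=1
    senders=$(conf_value "$f" max_wal_senders)
    [ "${senders:-0}" -ge 1 ] 2>/dev/null \
        || { echo "FAIL: max_wal_senders must be >= 1 in $f" >&2; rc=1; }
    for k in ssl_ca_file ssl_cert_file ssl_key_file; do
        [ -n "$(conf_value "$f" "$k")" ] || { echo "FAIL: $k not set in $f" >&2; rc=1; }
    done
    return $rc
}

# Slave: read-only hot standby, local connections only, no WAL senders.
check_slave_conf() {
    f="${1:-$PGCONF}"; rc=0
    expect_setting "$f" ssl on || rc=1
    expect_setting "$f" hot_standby on || rc=1
    expect_setting "$f" listen_addresses localhost || rc=1
    expect_setting "$f" max_wal_senders 0 || rc=1
    return $rc
}

# pg_hba.conf: the guide's rule must be present (TLS only, client cert, CN mapped
# to a member of role slavenode, same subnet) and no replication rule may accept
# cleartext (hostnossl) or unauthenticated (trust) access.
check_hba() {
    f="${1:-$PGHBA}"; rc=0
    rules=$(sed 's/#.*//' "$f" | awk '$2 == "replication"')
    echo "$rules" | grep -Eq '^hostssl[[:space:]]+replication[[:space:]]+\+slavenode[[:space:]]+samenet[[:space:]]+cert' \
        || { echo "FAIL: cert-authenticated hostssl replication rule missing in $f" >&2; rc=1; }
    if echo "$rules" | grep -E '(^hostnossl|[[:space:]]trust([[:space:]]|$))' >&2; then
        echo "FAIL: weak replication rule(s) above in $f" >&2; rc=1
    fi
    return $rc
}

# Private keys readable by their owner only (chmod 400); the CA's private key
# must not be on a node at all, it is only needed to sign the CSRs.
check_cert_perms() {
    d="${1:-$CERTDIR}"; rc=0
    for f in "$d"/*.key; do
        [ -e "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            -r--------) ;;
            *) echo "FAIL: $f has mode $mode, expected -r-------- (chmod 400)" >&2; rc=1 ;;
        esac
    done
    [ ! -e "$d/ca.key" ] || { echo "FAIL: $d/ca.key present; keep the CA key off the nodes" >&2; rc=1; }
    return $rc
}

# recovery.conf: verify the master against the cluster CA and authenticate
# with the slave's own client certificate.
check_recovery() {
    f="${1:-$RECOVERY}"; rc=0
    expect_setting "$f" standby_mode on || rc=1
    conn=$(conf_value "$f" primary_conninfo)
    for opt in sslmode=verify-ca sslcert= sslkey= sslrootcert=; do
        case "$conn" in
            *"$opt"*) ;;
            *) echo "FAIL: primary_conninfo lacks $opt in $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: sh check_replication.sh master | slave
case "${1:-}" in
    master) rc=0; check_master_conf || rc=1; check_hba || rc=1; check_cert_perms || rc=1; exit $rc ;;
    slave)  rc=0; check_slave_conf || rc=1; check_recovery || rc=1; check_cert_perms || rc=1; exit $rc ;;
esac
```

Run it as root with `master` on the master and `slave` on each slave before starting the X-Road services; every FAIL line names the file and the setting that deviates from step 3.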


SLAVE part, in addition to what was done above:

  1. Install security server packages using the normal installation procedure.
  2. Stop the xroad services.
    1. service xroad-* stop
  3. Create a separate PostgreSQL instance for the serverconf database (already done above)
  4. Change /etc/xroad/db.properties to point to the separate database instance and change the password to match the one defined in the master database

    # vi /etc/xroad/db.properties
    serverconf.hibernate.connection.url : change the url port number from 5432 to 5433
    serverconf.hibernate.connection.password: change to match the master db's password (see the same file on the master machine).
    CODE
  5. Set up SSH between the master and the slave (already done)

  6. Set up state synchronization using rsync+ssh (mostly done, but in addition):

    # initial one-off sync of /etc/xroad from the master, using the xroad user's key:
    rsync -e "ssh -i /var/lib/xroad/.ssh/id_rsa" -avz --delete --exclude db.properties --exclude "/postgresql" --exclude "/conf.d/node.ini" --exclude "/nginx" xroad-slave@master-ss-server-IP-or-hostname:/etc/xroad/ /etc/xroad/
    
    # if you get the error "rsync: opendir "/etc/xroad/signer" failed: Permission denied (13)", the sending side
    # (the master) does not let group xroad, and thus xroad-slave, read the directory; on the master:
    chmod 750 /etc/xroad/signer/
    CODE
  7. Configure the node type as slave in /etc/xroad/conf.d/node.ini

    # vi /etc/xroad/conf.d/node.ini
    [node]
    type=slave
    
    # muuda õigused
    chown xroad:xroad /etc/xroad/conf.d/node.ini
    CODE
  8. Start the X-Road services.

    1. service xroad-* start
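As an added example (not from X-Road or the NIIS manual), a check script for a finished slave node covering the points that steps 4, 6 and 7 depend on: node.ini says slave, db.properties points serverconf at port 5433, the rsync in xroad-sync.service still excludes db.properties, /conf.d/node.ini and /postgresql (so the master's copies are never pulled over the slave's own files), and the sync log contains no rsync errors such as the signer directory permission error from step 6. Paths default to those used above; the environment variable names and the sample log lines in the test are constructed for illustration.

```shell
#!/bin/sh
# Post-setup checks for a slave node's config sync (steps 4, 6 and 7).
# Added example for this page; not part of X-Road or the NIIS manual.
# Defaults are the paths used above; the env variable names are this script's own.

NODE_INI="${NODE_INI:-/etc/xroad/conf.d/node.ini}"
DB_PROPS="${DB_PROPS:-/etc/xroad/db.properties}"
SYNC_UNIT="${SYNC_UNIT:-/etc/systemd/system/xroad-sync.service}"
SYNC_LOG="${SYNC_LOG:-/var/log/xroad/slave-sync.log}"

# ini_value FILE SECTION KEY: value of KEY inside [SECTION], or nothing
ini_value() {
    awk -v s="[$2]" -v k="$3" '
        /^[ \t]*\[/ { h = $0; gsub(/[ \t]/, "", h); insec = (h == s); next }
        insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# prop_value FILE KEY: value of KEY in a Java .properties file (dots in KEY escaped)
prop_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# node.ini must say slave: a node that believes it is the master would try to
# write to its read-only standby database instead of following the master.
check_node_type() {
    got=$(ini_value "${1:-$NODE_INI}" node type)
    [ "$got" = "${2:-slave}" ] && return 0
    echo "FAIL: node type is '${got:-<unset>}', expected '${2:-slave}'" >&2
    return 1
}

# db.properties must point serverconf at the separate instance on port 5433.
check_db_port() {
    url=$(prop_value "${1:-$DB_PROPS}" serverconf.hibernate.connection.url)
    port=$(printf '%s' "$url" | sed -n 's#^jdbc:postgresql://[^/:]*:\([0-9]*\)/.*#\1#p')
    [ "$port" = 5433 ] && return 0
    echo "FAIL: serverconf url '$url' does not use port 5433" >&2
    return 1
}

# The rsync in the unit must leave the slave's own db.properties, node.ini and
# postgresql directory alone; without these excludes the master's copies would
# land on the slave at the next sync and the slave would restart as a master.
check_unit_excludes() {
    f="${1:-$SYNC_UNIT}"; rc=0
    exec_line=$(sed -n 's/^ExecStart=//p' "$f")
    for pat in db.properties /conf.d/node.ini /postgresql; do
        case "$exec_line" in
            *"--exclude $pat"*|*"--exclude \"$pat\""*) ;;
            *) echo "FAIL: --exclude $pat missing from ExecStart in $f" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Print rsync errors from the sync log (for example the opendir "/etc/xroad/signer"
# Permission denied case mentioned on this page); returns 1 if any were found.
sync_log_errors() {
    f="${1:-$SYNC_LOG}"
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    if grep -E 'rsync(: | error:)' "$f"; then
        return 1
    fi
    return 0
}

# Usage: sh check_slave_sync.sh check
case "${1:-}" in
    check) rc=0; check_node_type || rc=1; check_db_port || rc=1
           check_unit_excludes || rc=1; sync_log_errors || rc=1; exit $rc ;;
esac
```

Run it on the slave after the first timer run; a non-zero exit with FAIL lines means the node would not behave as a slave, and any printed rsync line is an error the timer-driven sync hit.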


PS!
If the hostname of the master or the slave machine changes, new ssh keys have to be generated for the xroad-slave user, otherwise the rsync inside xroad-sync.service no longer works (a manual rsync with ssh -i keeps working). A likely reason is the host key check: the unit's ssh runs non-interactively and does not know the master's host key under the new name, so first repeat the step 6 connection as the xroad user and accept the host key before regenerating anything.
The hostname change also has to be applied in /var/lib/postgresql/10/serverconf/recovery.conf.