
ZEN LOAD BALANCER ADMINISTRATION GUIDE
Created on December 2011 - Documentation Version v01
Table of Contents
1 Overview
2 Basic Concepts
3 Zen Installation
3.1 Download the install ISO image
3.2 Updates
3.3 Installation Process
4 Access to the Zen Web Administration Panel
5 Zen Web Administration Panel Sections
5.1 Manage::Global View Section
5.2 Manage::Farms Section
5.2.1 Edit Farm Global Parameters
5.2.1.1 TCP/UDP Profile Options
5.2.1.2 HTTP/HTTPS Profile Options
5.2.2 Edit Farm Real Servers
5.2.2.1 TCP/UDP Profile
5.2.2.2 HTTP/HTTPS Profile
5.2.3 View Status Farm Action
5.3 Manage::Certificates Section
5.3.1 Adding a new Certificate
5.4 Monitoring::Graphs Section
5.5 Monitoring::Logs Section
5.6 Settings::Server Section
5.7 Settings::Interfaces Section
5.8 Settings::Cluster Section
5.9 Settings::Change Password Section
5.10 Settings::Backup Section
6 Farm Guardian Usage
6.1 Philosophy
6.2 Configuration
7 License
1 Overview
Zen Load Balancer is an Open Source Load Balancer Appliance Project that provides a full set of tools to run and manage a complete load balancer solution which includes: farm and server definition, networking, clustering, monitoring, secure certificates management, logs, config backups, etc.
2 Basic Concepts
Farm is a set of servers that offer the same service over a single entry point defined with an IP address and a port, which is commonly called virtual service. The main farm work is to deliver the client virtual service connection to the real backend service and back. Meanwhile the farm definition establishes the delivery policies to every real server.
Backend is a server that offers the real service over a farm definition and it processes all the real data requested by the client.
Client is the IP address that connects to the virtual service, for the initial connection that a user usually requests. The client IP address that opens a new connection on the virtual service side is used to communicate with the user. The same client could generate several (layer 4) connections to the virtual service and an IP client address could be generated by several users.
Application Session is a layer 7 concept which tries to identify the requests of a single user although several clients share the same IP client address.
Real IP is a physical IP address over a layer 4 network configuration which is assigned to a server or NIC.
Virtual IP is a floating IP address over a layer 4 network configuration which is used as the entry point of a virtual service defined by a farm that is ready to deliver connections between redundant load balancing nodes.
3 Zen Installation
3.1 Download the install ISO image
The load balancer appliance installer can be downloaded from the official website and could be used to:
Burn an installer CD-ROM to install on a physical machine
Record on a USB device to install on a physical machine with usb boot support
Install on a virtual machine through virtualization software
Usually you'll be able to download the latest stable version or the latest release candidate testing version, depending on your feature needs. They'll be available from the download section of http://www.zenloadbalancer.com.
3.2 Updates
Zen Load Balancer is under continuous development with new features, improvements and bug fixes, so there is a very easy way to upgrade your ZenLB to a newer version through a simple procedure.
To keep your ZenLB installation updated, be sure you have the following line in the /etc/apt/sources.list config file:
For v1 version:
deb http://zenloadbalancer.sourceforge.net/apt/x86 v1/
For v2 version:
deb http://zenloadbalancer.sourceforge.net/apt/x86 v2/
Then update the apt database with the root user:
Check the last version on our official repository:
And compare it with your ZenLB installed version:
If the last official version is greater than your installation, you'll be able to upgrade your ZenLB through the command below:
If necessary, you can force the reinstallation through the following command:
The process will ask you "install the package without verification", select "Y".
Then the process will ask if you want to rewrite the global.conf file, you have to select the default value "N".
Finally it's recommended to restart Zen Load Balancer service at your convenience.
To upgrade from v1 to v2 you have to follow all these explained steps and additionally you have to delete the RRD databases of monitoring so that they are automatically regenerated with the new structure.
rm -rf /usr/local/zenloadbalancer/app/zenrrd/rrd/*
3.3 Installation Process
Configure your physical or virtual x86 machine to boot from your iso/cd/usb Zen Load Balancer installer. Then a splash screen is going to be loaded to start the install process.
Select "Install" option and continue.
Zen Load Balancer is distributed under a standard ISO format built on top of the common GNU/Debian Linux stable distribution. If you're familiar with this distribution then you should have no problems installing ZenLB.
Select your language, location and keyboard map.
Later the installer is going to detect the hardware components and load additional software components. Just wait a few seconds.
Now the installation process will configure the network interface. You must set up a static IP address that is going to be used at startup to access the Zen web administration panel. Other config data like netmask, gateway and dns will be requested.
Set up a hostname for the load balancer.
Set up the domain name for your organization.
Introduce the root system password and repeat to validate. This password will be used when you access over a console or ssh to the Zen Load Balancer system.
Set your timezone. Once Zen LB is installed the local time will be synchronized every hour with ntp.pool.org servers.
Configure your partition disk. If you haven't experience with Linux environment you can select "Guided - use entire disk" and automatically the system will be installed with a configuration by default.
Experienced users could select their custom installation. Note that no special disk space is needed to work with Zen Load Balancer, although the minimal recommended is $ GB of free space for the whole operating system. In this example we select the option by default.
If you've got more than one disk on your machine, you can select one of them here to be installed.
The partition table can be modified through the following menu.
Finish and continue.
Select Yes to apply the changes and continue.
Now you have to wait some seconds while the system is installed on your disk with your custom configuration.
Now you have your brand new ZenLB installation and finally it's necessary to restart the system.
During the boot process your configured management IP address is shown and the system is started.
Remember that the root password configured during the installation process will be needed to enter the system on the server via ssh or console.
4 Access to the Zen Web Administration Panel
Once the Zen Load Balancer distro is installed on your server, you have to access it through the secure URL shown below:
https://<zenlb_ip_address>:444
The first time you enter the administration panel, you have to accept the secure certificate of ZenLB and then a login window will appear.
The default credentials to get into the Zen web administration panel are the following:
User name: admin
Password: admin
These credentials could be changed through the Settings::Change Password section.
5 Zen Web Administration Panel Sections
The menu bar is distributed by the sections of Manage, Monitoring, Settings and About.
5.1 Manage::Global View Section
The Global View section is used to know the actual instant state of the system, like a photo of the system status.
Under this section you'll be able to analyse the farms state, memory, cpu consumption, established connections and the % of established connections from the total system connections consumed by every farm.
The Global Farms Information table summarizes the farm status. You'll be able to control the farms status with a simple view: which of them are on UP status, how many resources they are using and which are on DOWN status.
With this table you can analyse:
The % of cpu usage by the farms
The % of memory usage by the farms
The number of "Total connections on system" shows the concurrent connections that are used by the farm compared with the total connections established on the system.
The Memory table shows the global memory status measured in Megabytes.
MemTotal: It's the total ram memory on the system.
MemFree: It's the total free memory not cached by the system.
MemUsed: It's the memory used by the system.
Buffers: It's the memory used by the buffers.
Cached: It's the total memory cached by the system.
SwapTotal: It's the total swap memory reserved.
SwapFree: It's the total free memory not used by swap, on optimal systems it should be the same as SwapTotal.
SwapUsed: It's the swap memory used by the system, on optimal systems it should be 0.
The Load table shows the system load:
The Network Traffic Interfaces table shows the traffic used by the system since the last time that it was switched on:
5.2 Manage::Farms Section
Under the Farms section you'll be able to access the main configuration panel of virtual services.
Through the Add New Farm icon, you can define a new farm with the next properties:
Farm Description Name: It's an identification for the farm and could be used to define a description of the virtual service to be provided.
Profile: Define the level of the sNAT load balancing method. You could choose one of the next types:
TCP: It's a simple load balancing that delivers traffic in raw TCP data. The basic mechanism is to open 2 sockets for every connection, one to the client and the other to the real server, and then deliver the raw data between them. This method is adequate for protocols like SMTP, RDP, IMAP, LDAP, SSH, etc.
UDP: It's a simple load balancing that delivers traffic in raw UDP data. The basic mechanism is to open 2 sockets for every connection, one to the client and the other to the real server, and then deliver the raw data between them. This method is adequate for protocols like DNS, NTP, TFTP, BOOTP, SNMP, etc.
HTTP: It's an advanced only HTTP layer 7 load balancing (or Application Delivery Controller) with proxy special properties. This method is adequate for web services (web application servers included) and all application protocols based on HTTP protocol like WebDav, RDP over HTTP, ICA over HTTP, etc.
HTTPS: It's an advanced only HTTPS layer 7 load balancing (or Application Delivery Controller) combined with SSL wrapper acceleration. In this case, the communication between the client and the load balancer is secure through HTTPS, meanwhile the communication between the load balancer and the real server is clear through HTTP.
Virtual IP: The list shows all the IP addresses available in the system network configuration to be used to configure a virtual service for a farm. This IP would be the bind address where the virtual service will be listening for client requests. If the cluster service is enabled then the physical IP address of the cluster nodes and the management web GUI IP address aren't listed.
Virtual Port: This field has to be a port number available on the system, where the virtual service will be listening.
It's not possible to define two farms through the same virtual IP and port.
To finalize the process of adding a new farm press the Save button.
Once the new farm is created, it will be shown under the Farms Table with the basic data about the virtual service: the virtual IP, the virtual Port, the farm connections, PID, status, profile and actions.
The connections data is collected from the system netstat.
The Pending Conns are calculated with the SYN requests that are pending to be processed in the system for this farm.
The Established Conns are calculated with the ESTABLISHED requests that are processing currently.
The Closed Conns are calculated with the CLOSE WAIT connections that have been processed in the system.
The status field shows the state of the farm system process with a green dot if the farm is up and a red dot if the farm is down.
The actions available for a running farm are:
Stop Farm: The selected farm will be stopped, and the virtual service will be disabled. Once the farm is stopped, it will not be started at the boot up process of the load balancer. The status field will be shown with a red dot and the PID will disappear. A confirmation window will be shown.
Edit Farm: You have to select this action to edit the farm properties and the definition of the real servers for the current farm. The properties to be configured depend on the load balancing profile selected for the current virtual service.
Delete Farm: This action disables the current farm and removes the virtual service. A confirmation window will be shown.
View Farm Status: This action shows a complete backend status, pending connections, established connections and closed connections of every real server, the clients and the properties for every backend.
5.2.1 Edit Farm Global Parameters
In this panel you'll be able to set the parameters for improving your farm's performance and the basic functionalities of your virtual service. The properties of the Edit Farm Action depend on the profile type that was selected when the farm was created.
The common parameters for all farm profiles are the following:
Farm's name. It's the identification field and a description for the virtual service. To change this item you have to modify the name field and press the Modify button. The load balancing service will be restarted automatically after applying this operation. Be sure the new farm name is available, if not, an error message will appear.
Backend response timeout. It's the max seconds that the real server has to respond to a request. If the backend response is too late, then the server will be marked as blacklisted. The change of this parameter is applied online for TCP and UDP profiles. To be applied for HTTP and HTTPS, the farm needs to be restarted manually through the restart icon.
Frequency to check resurrected backends. This value in seconds is the period after which a blacklisted real server is taken out of the blacklist and checked to see if it is alive. Note that the backend will not be in up status until the first successful connection is done. The change of this parameter is applied online for TCP and UDP profiles. To be applied for HTTP and HTTPS, the farm needs to be restarted manually through the restart icon.
Farm Virtual IP and Virtual Port. These are the virtual IP address and virtual port on which the virtual service for the farm will be bound and listening in the load balancer system. To make changes in these fields, be sure the new virtual ip and virtual port are not in use. To apply the changes the farm service will be restarted automatically for TCP and UDP profiles. To be applied for HTTP and HTTPS, the farm needs to be restarted manually through the restart icon.
5.2.1.1 TCP/UDP Profile Options
The specific parameters for a simple TCP or UDP farm are the following:
Load Balance Algorithm. This field shows the different load balancing algorithms that can be configured for the current farm. Four algorithms are available. Selecting an inappropriate algorithm for your service infrastructure could cause a lot of processor consumption on the load balancer. To apply the changes press the Modify Button and the new algorithm will be applied online without restarting the farm.
Here you have a brief explanation about the available algorithms for TCP and UDP profiles.
Round Robin: equal sharing. An equal balance of traffic to all active real servers. For every incoming connection the balancer assigns the next round robin real server to deliver the request.
Hash: sticky client. The Farm will create a hash string for each IP client and send each connection from that hash to the same real server. A hash table is created with the real servers and the requests are assigned through the following algorithm:
index = cli % nServers
Where 'index' is the index of the real server hash table, 'cli' is the integer representation of the IP address and 'nServers' is the number of real servers available. This algorithm is a way to create persistence through the IP address, but it's more powerful if you have a variety of subnets clients accessing your service (for example, an international service).
Weight: connection linear dispatching by weight. Balance connections depending on the weight value, you have to edit this value for each real server. The requests are delivered through an algorithm to calculate the load of every server using the actual connections to them, and then to apply a linear weight assignation.
Priority: connections to the highest priority available. Balance all connections to the same highest priority server. If this server is down, the connections switch to the next highest server. With this algorithm you can build an Active-Passive cluster service with several real servers.
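The hash rule above, worked through as an added Python example (not code from Zen Load Balancer): it applies index = cli % nServers to constructed client addresses and shows two consequences of the formula, the spread across real servers and how many clients change server when nServers drops from 4 to 3. The function names and sample addresses are assumptions made for the illustration.

```python
import ipaddress
from collections import Counter


def pick_backend(client_ip: str, n_servers: int) -> int:
    """index = cli % nServers, where cli is the client IPv4 address as an integer."""
    if n_servers < 1:
        raise ValueError("the farm has no available real servers")
    cli = int(ipaddress.IPv4Address(client_ip))
    return cli % n_servers


def distribution(clients, n_servers):
    """Number of clients that land on each real server index."""
    counts = Counter(pick_backend(ip, n_servers) for ip in clients)
    return [counts[i] for i in range(n_servers)]


def remapped_fraction(clients, before, after):
    """Share of clients whose real server changes when nServers changes."""
    moved = sum(
        1 for ip in clients
        if pick_backend(ip, before) != pick_backend(ip, after)
    )
    return moved / len(clients)


# Constructed sample clients taken from the documentation address ranges.
MIXED = [f"192.0.2.{h}" for h in range(1, 61)] + \
        [f"198.51.100.{h}" for h in range(1, 61)]

# Constructed skewed population: every host address is a multiple of 4,
# so with 4 real servers every client hashes to the same index.
STRIDED = [f"203.0.113.{h}" for h in range(4, 244, 4)]

if __name__ == "__main__":
    print("mixed clients, 4 servers  :", distribution(MIXED, 4))
    print("strided clients, 4 servers:", distribution(STRIDED, 4))
    # Assumption: nServers shrinks when a real server stops being available,
    # which changes the modulus and therefore the client-to-server mapping.
    print("moved when 4 -> 3 servers :", remapped_fraction(MIXED, 4, 3))
```

Because the modulus is the number of available real servers, a backend going down moves most clients to a different server, which matters for any service that keeps per-client state on the backend.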
Enable client ip address persistence through memory. For every algorithm a persistence by client ip address could be configured. With this option enabled all the clients with the same ip address will be connected to the same server. A new incoming connection is delivered to the server selected by the algorithm and stored in the memory table. The next time the client connects, it is delivered to this same server. This behaviour provides a basic persistence by ip address. To apply the changes you have to press the Modify Button and it will be modified online on the load balancer service. This option is not available for UDP farms.
Max number of clients memorized in the farm. These values only make sense if you enable the client ip persistence. The client field is the max number of clients that will be possible to memorize and the time value is the max time of life for these clients to be memorized (the max client age). To change these values you have to press the Modify Button and then the farm service will be restarted automatically. This option is not available for UDP farms.
Max number of simultaneous connections for the virtual IP. It's the max value of established connections and active clients that the virtual service will be able to manage. For UDP farms this value indicates the max pending packets to be processed by the virtual service. To change this field the farm will be restarted automatically.
Max number of real ip servers. It's the max number of real servers that the farm will be able to have configured. To change this value the farm service will be restarted automatically.
Add X-Forwarded-For header to http requests. This option enables the HTTP header X-Forwarded-For to provide the ip client address to the real server. A change of this feature is applied online. By default it is disabled. This option is not available for UDP farms.
Use farmguardian to check backend servers. Checking this box will enable a more advanced monitoring state for backends, totally personalized with your own scripts. When a problem is detected by farmguardian, it automatically disables the real server and it will be marked as blacklisted. This is an independent service so you don't have to restart the farm service. To get more details about this service, please read the FarmGuardian section. This option is not available for UDP farms.
5.2.1.2 HTTP/HTTPS Profile Options
The vast majority of parameters you'll be able to configure in a HTTP/HTTPS farm need a manual restart of the farm service, so a TIP message will appear to alert the administrator that there are global parameters or backend changes that need a restart of the service through the icon before being applied. The system administrator is able to modify whatever parameters are needed and then restart the farm service to apply all of them at the same time.
Note that in the HTTP/HTTPS farms profile, the HTTP header X-Forwarded-For is included by default with the IP client address data.
By contrast with the TCP or UDP farms profile, the HTTP/HTTPS profile uses a weight algorithm implicitly.
The specific parameters for advanced HTTP or HTTPS farm are the following:
Persistence session. This parameter defines how the farm service is going to manage the client session and what HTTP connection field has to be controlled to maintain safe client sessions. When a type of persistence session is selected a persistence session TTL will appear.
No persistence. The farm service won't control the client sessions and the HTTP or HTTPS requests will be freely delivered to real servers.
IP: client address. The IP client address will be used to maintain the client sessions through the real servers.
BASIC: basic authentication. The HTTP basic authentication header will be used to control the client sessions. For example, when a web page requests a basic authentication from the client, a HTTP header will contain a string like the following:
HTTP/1.1 401 Authorization Required
Server: HTTPd/1.0
Date: Sat, 27 Nov 2011 10:18:15 GMT
WWW-Authenticate: Basic realm="Secure Area"
Content-Type: text/html
Content-Length: 311
Then the client answers with the header:
GET /private/index.html HTTP/1.1
Host: localhost
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
This basic authentication string is used like an ID for the session to identify the client session.
URL: a request parameter. When the session ID is sent through a GET parameter with the URL, it will be possible to use this option indicating the parameter name associated with the client session ID. For example, a client request like "http://www.example.com/index.php?sid=3a5ebc944f41daa6f849f730f1" has to be configured as shown below:
To configure the URL session persistence you have to select this option in the Persistence Session field and then press the Modify Button. Later, two new fields will be shown:
Persistence session time to limit (TTL). This value indicates the max time of life for an inactive client session (max session age).
Persistence session identifier. This field is the URL parameter name that will be analyzed by the farm service and will manage the client session.
After configuring these items and pressing the Modify Button, it's needed to restart the farm service to apply the changes.
PARM: a URI parameter. Another way to identify a client session is done through a URI parameter. This is a field separated by a semicolon like the following:
http://www.example.com/private.php;EFD4Y7
To configure this kind of persistence it is sufficient to select the PARM option and press the Modify Button. Finally, to apply the changes it will be necessary to restart the farm service.
COOKIE: a certain cookie. Also, you'll be able to select a http cookie variable to maintain the client session through the COOKIE option. A cookie has to be created by the programmer in the webpage to identify the client session, for example:
GET /spec.html HTTP/1.1
Host: www.example.org
Cookie: sessionidexample=75HRSd4356SDBfrte
With this specification, the following configuration will be needed:
After configuring these items and pressing the Modify Button on all of them, it's needed to restart the farm service to apply the changes.
HEADER: a certain request header. A custom field of the HTTP header could be used to identify the client session. For example:
GET /index.html HTTP/1.1
Host: www.example.org
X-sess: 75HRSd4356SDBfrte
With this specification, the following configuration will be needed:
After configuring these items and pressing the Modify Button on all of them, it's needed to restart the farm service to apply the changes.
HTTP verbs accepted. This field indicates the operations that will be permitted to the HTTP client requests. If a not permitted verb is requested an error will be shown to the client.
Standard HTTP request. Accept only standard HTTP requests (GET, POST, HEAD).
+ extended HTTP request. Additionally allow extended HTTP requests (PUT, DELETE).
+ standard WebDAV verbs. Additionally allow standard WebDAV verbs (LOCK, UNLOCK, PROPFIND, PROPPATCH, SEARCH, MKCOL, MOVE, COPY, OPTIONS, TRACE, MKACTIVITY, CHECKOUT, MERGE, REPORT).
+ MS extensions WebDAV verbs. Additionally allow MS extensions WebDAV verbs (SUBSCRIBE, UNSUBSCRIBE, NOTIFY, BPROPFIND, BPROPPATCH, POLL, BMOVE, BCOPY, BDELETE, CONNECT).
+ MS RPC extensions verbs. Additionally allow MS RPC extensions verbs (RPC_IN_DATA, RPC_OUT_DATA).
To apply any of these options, press the Modify Button and restart the farm service.
HTTPS Certificate. The SSL certificate is only available for HTTPS farms, where a list of certificates will be shown to be selected for the current farm. This list could be modified under the Manage::Certificates section.
To apply this configuration press the Modify Button and restart the farm service.
Personalized error messages. Through the personalized error messages, the farm service is able to answer with a custom message of your site when a web code error is detected from the real servers. A personalized HTML page will be shown.
To apply the changes press the Modify Button and restart the farm service.
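The persistence session types described earlier in this section (IP, BASIC, URL, PARM, COOKIE, HEADER) can be compared on the sample requests from the text. The Python code below is an added example, not the farm service's own code; the function names and the way each identifier is extracted are assumptions. It also shows that in BASIC mode the persistence key is the base64 form of the client's user name and password.

```python
import base64
from urllib.parse import parse_qs, urlsplit


def _request(*lines):
    """Build a raw HTTP request head from its lines."""
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_head(raw):
    """Return (method, target, headers) with header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def session_key(raw, mode, ident=None, client_ip=None):
    """Value that identifies the client session for one persistence mode.

    mode is one of NONE, IP, BASIC, URL, PARM, COOKIE, HEADER; ident is the
    persistence session identifier (parameter, cookie or header name).
    Returns None when the request carries no usable identifier.
    """
    _method, target, headers = parse_head(raw)
    url = urlsplit(target)
    if mode == "NONE":
        return None
    if mode == "IP":
        return client_ip
    if mode == "BASIC":
        scheme, _, cred = headers.get("authorization", "").partition(" ")
        return cred.strip() if scheme.lower() == "basic" and cred.strip() else None
    if mode == "URL":
        values = parse_qs(url.query).get(ident)
        return values[0] if values else None
    if mode == "PARM":
        _, sep, parm = url.path.partition(";")
        return parm if sep and parm else None
    if mode == "COOKIE":
        for part in headers.get("cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == ident:
                return value
        return None
    if mode == "HEADER":
        return headers.get((ident or "").lower())
    raise ValueError("unknown persistence mode: %r" % mode)


def basic_credentials(key):
    """Decode a BASIC persistence key back into (user, password)."""
    user, _, password = base64.b64decode(key).decode("utf-8").partition(":")
    return user, password


# Requests rebuilt from the samples shown in this section.
REQ_BASIC = _request("GET /private/index.html HTTP/1.1", "Host: localhost",
                     "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")
REQ_URL = _request("GET /index.php?sid=3a5ebc944f41daa6f849f730f1 HTTP/1.1",
                   "Host: www.example.com")
REQ_PARM = _request("GET /private.php;EFD4Y7 HTTP/1.1", "Host: www.example.com")
REQ_COOKIE = _request("GET /spec.html HTTP/1.1", "Host: www.example.org",
                      "Cookie: sessionidexample=75HRSd4356SDBfrte")
REQ_HEADER = _request("GET /index.html HTTP/1.1", "Host: www.example.org",
                      "X-sess: 75HRSd4356SDBfrte")

if __name__ == "__main__":
    key = session_key(REQ_BASIC, "BASIC")
    print("BASIC :", key, "->", basic_credentials(key))
    print("URL   :", session_key(REQ_URL, "URL", "sid"))
    print("PARM  :", session_key(REQ_PARM, "PARM"))
    print("COOKIE:", session_key(REQ_COOKIE, "COOKIE", "sessionidexample"))
    print("HEADER:", session_key(REQ_HEADER, "HEADER", "X-sess"))
```

Since the BASIC key decodes directly to credentials, any log or status view that records session identifiers holds passwords in that mode, and on an HTTPS farm the same header travels in clear HTTP between the load balancer and the real server.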
5.2.2 Edit Farm Real Servers
Once a new farm is created, you have to include the servers with the real services to deliver the input connections.
Under the Edit real IP servers table configuration you'll be able to include the configuration for every backend and their specific parameters.
The common properties to be entered for a real backend are the following:
Server. It's an automatic ID established to be an index for the real server. The system administrator
can't change this value.
Address. It's the IP address of the real service.
Port. It's the port of the real server in which the real service is listening on.
5.2.2.1 TCP/UDP Profile
With a TCP or UDP farm, you'll be able to configure the following properties:
Max connections. It's the max number of concurrent connections that the current real server will be able to receive. This value must be less than the Max clients of the Global Parameters.
Weight. It's the weight value for the current real server which is only useful if the Weight Algorithm is enabled. More weight value indicates more connections delivered to the current backend.
Priority. It's the priority value for the current real server which is only useful if the Priority Algorithm is enabled. The priority value accepted is between ' and (, less value indicates more priority to the current real server.
With the Save Real Server button you'll apply the new configuration, or you'll be able to cancel the process through the button. A message with the result will be displayed.
Once the real server configuration is entered, you'll be able to edit the config through the Edit button or delete the configuration with the Delete Real Server button.
The server index is useful to identify the real server configuration for the current farm.
The changes of the real servers configuration for the TCP and UDP profiles are applied online, and a restart action isn't needed.
5.2.2.2 HTTP/HTTPS Profile
With a HTTP or HTTPS farm, you'll be able to configure the following properties:
Timeout. It's the specific value of timeout for a backend to respond. This value overrides the global timeout farm parameter for the current backend.
Weight. It's the weight value for the current real server. By default a value of * is established.
With the Save Real Server button you'll apply the new configuration, or you'll be able to cancel the process.
For the HTTP/HTTPS farm profile a message with the result will be displayed and a restart action will be requested from the administrator for the changes to take effect. To apply the new configuration you have to restart the farm through the restart button.
The TIP message will not disappear until the farm is restarted.
Once the real server configuration is entered, you'll be able to edit the config through the Edit button or delete the configuration with the Delete Real Server button.
The server index is useful to identify the real server configuration for the current farm.
The changes of the real servers configuration for the HTTP and HTTPS profiles need a manual farm restart.
5.2.3 View Status Farm Action
This action shows the actual state of backends, clients and connections that are being delivered from the virtual service to the real servers.
The Real Server Status table shows the state of every backend:
Server. It's the backend identification number.
Address. It's the real server IP address.
Port. It's the port number where the real service of the current real server is listening on.
Status. A red dot means that the current real server is down or blacklisted, meanwhile a green dot means that the backend is online and delivering connections.
Pending Conns. This is the number of pending connections in the system that are on SYN state for the current backend, independently of farm service.
Established Conns. This is the number of established connections in the system that are on ESTABLISHED state for the current backend, independently of farm service.
Closed Conns. This is the number of closed connections in the system that are on TIME_WAIT state for the current backend, independently of farm service.
Clients. It's the number of clients (unique IP addresses) that are associated with the current backend server. This is only available for TCP farms.
Sessions. It's the number of HTTP client sessions that are associated with the current backend server. This is only available for HTTP and HTTPS farms.
Weight. It's the weight value established for every backend.
Priority. It's the priority value established for every backend server. This option is only available for HTTP and HTTPS farms.
To analyze in detail the clients, sessions and connections to the backends, you have to expand the Client sessions status or Active connections tables to show all this information by pressing the Maximize button.
Note that for very high load farms showing this table could slow down the machine and a very large table could be shown.
5.3 Manage::Certificates Section
The Certificates inventory table is used to manage the SSL certificates to be used for the HTTPS profile farms.
All the certificates have to be generated with a PEM file extension to be valid for HTTPS farms. By default a zencert.pem certificate is available to be used and cannot be deleted.
5.3.1 Adding a new Certificate
To upload a custom certificate to be used for the SSL wrapper it's necessary to press the Upload Certificate button.
A new window is shown to upload a custom certificate through the Browse... button on your local computer.
To upload the new certificate file you need to press the Upload button. Automatically, the new file will be accessible for the balancer.
Then we're able to select the uploaded certificate to be used for the HTTPS farms.
5.4 Monitoring::Graphs Section
This section is useful to monitor the internal load balancer system to detect problems through the parameters of CPU usage, swap memory, ram memory, all configured network interfaces, load and hard disk storage.
All the graphs that are shown in the first page are the daily progress value of every parameter. Also, you'll be able to access the weekly, monthly and yearly history through the button.
5.5 Monitoring::Logs Section
This section is used to access the system logs. To display the logs you have to select one of the log files and then establish the number of tailed lines to be shown by pressing the See logs button.
The files are associated to the following services:
ucarp.log. Log file for cluster service.
zenlatency.log. Log file for latency service launcher of ucarp service.
zeninotify.log. Log file for config replication service.
mini_https.log. Log file for the web gui http service.
zenloadbalancer.log. Log file for the global zen load balancer actions service through the web GUI.
farmguardian.log. Log file for farmguardian advanced monitoring service.
5.6 Settings::Server Section
This section provides some global parameters for the load balancer server system.
The meaning of these parameters is the following:
Time out execution Zen GUI CGIs. The Zen GUI web administration panel has been implemented
in Perl CGI, so this is the time limit to execute the CGI. If the page execution exceeds this timeout, the
process will be killed.
NTP server. Time server to synchronize the date/time of the system.
Rsync replication parameters. These are the parameters to synchronize the config data of the cluster
replication. Do not change these settings if you don't know what you are doing.
Physical interface where is running the GUI service. This is the interface the web panel
service will be bound to. It's safe to keep All interfaces enabled. To apply the changes, the GUI service
has to be restarted.
DNS servers. This is the /etc/resolv.conf file content to apply the DNS servers for the system.
APT repository. This is the /etc/apt/sources.list file content to apply the APT repositories for the
system. These APT servers have to be appropriately updated when a system upgrade is needed.
5.7 Settings::Interfaces Section
This section is the main network configuration panel for Zen Load Balancer. It shows the
network interfaces table for physical, virtual and vlan interfaces, and the default gateway configuration
field.
The Interfaces Table lists all the physical network interfaces installed in the system after the
ZenLB installation. The meaning of the table fields is the following:
Name. It's the name of the current interface and will be unique. Virtual interfaces are
identified by a colon ":" character within the interface name, while vlan interfaces are identified
by a dot "." character within the interface name, which will be the vlan tag.
Addr. It's the IP address in IPv4 format for the current network interface.
HWAddr. It's the MAC physical address for the current network interface. Note that the virtual and
vlan network interfaces have the same MAC address as their parent physical interface.
Netmask. It's the netmask of the network interface, which defines the subnet of the network for the
current interface.
Gateway. It's the gateway for the current network interface. ZenLB can work with independent
route tables for every physical or vlan network interface. Virtual interfaces always inherit the
gateway from the parent physical or vlan interface.
Status. A green dot means the interface is UP and running, while a red dot means the interface is
DOWN. Sometimes a disconnect icon will be shown when the interface is UP but has no link.
Actions. The action icons are used to apply changes to the current network interface. Applying a
certain action could affect one or more network interfaces.
Down interface. Disables the current interface.
Up interface. Enables the current interface.
Edit interface. Change the current network interface configuration.
To apply the changes press the Save & Up! Button.
Add virtual interface. Adds a new virtual interface inherited from the current network
interface.
When creating a new virtual interface, a field with a colon ":" character will appear that is used to
establish an identification for the virtual interface. The IP address has to be under the same subnet
as the parent interface.
To apply the changes you have to press the Save button. Press the Cancel button to reject
the changes.
Add vlan interface. Adds a new vlan interface inherited from the current network interface.
When creating a new vlan interface, a field with a dot "." character will appear that is used to
establish an identification for the vlan interface. The IP address can be different from that of the parent
interface.
To apply the changes you have to press the Save button. Press the Cancel button to reject
the changes.
Delete interface. This action disables and deletes the current interface if possible.
Some actions are locked. This icon means that some actions are locked and disabled
temporarily. Some reasons for this behaviour are the following:
GUI service is bound to a certain interface. In this case, a home icon is shown and some actions
are disabled to protect against bad configurations that could make the Zen web
GUI inaccessible.
To re-enable the actions, you have to go to the Settings::Server section and bind the GUI service
over all interfaces, and finally restart the GUI service.
Cluster configuration. In this case, the cluster has been configured and the interfaces
configuration is only enabled when the cluster is disabled.
Finally, a default gateway for the system can be established through the Default gateway table.
To change this field, you have to press the edit button and enter the gateway address and interface.
To apply the new configuration press the Save button, or Cancel to reject the changes.
To remove the default gateway press the Delete button.
5.8 Settings::Cluster Section
On this section you can configure the cluster service and check the cluster service status. During the
cluster configuration process you don't have to access the second node, as the configuration will be
replicated automatically.
Cluster status. It's a global view of cluster elements; you can reload the check here.
Virtual IP for Cluster, or create new virtual here. Select a virtual IP that will be used for the
cluster service. If you didn't configure one, please go to Settings::Interface and configure one. This
virtual interface only needs to be configured on the first node on which you are configuring the cluster
service.
Local hostname and Remote Hostname. Once a virtual interface is selected, the hostnames and IP
address information about the cluster nodes are needed.
Press the Save button to save the changes. At this point, the physical IPs of both nodes need to
be configured over the same physical interface as the "virtual IP Cluster" from the last step (for
example, eth0).
Remote Hostname root password. Enter the second node root password. This information won't be
memorized; it's only needed to configure the RSA communication between both nodes.
Once the Configure RSA Connection between nodes button is pressed, the communication process is
executed and, if everything is right, you'll see messages as shown below.
Pressing the Test RSA connection button will check that the RSA communication from the current
node to the remote node is working fine.
A message like the following will appear if everything is right.
Select the cluster type. Through this combo you can choose the behaviour of the cluster service.
--Disable cluster on all hosts--: The cluster service will be stopped and disabled on both nodes.
Only use this option if you need to stop the cluster service to make changes or disable the cluster
service.
node1 master and node2 backup automatic failback: If node1 is detected as down, node2 will
take over the load balancing service. When node1 is restored, the service will automatically switch
back to node1. You should choose this option when node1 is a more powerful server than node2.
node1 or node2 can be masters: Either node can be master; there is no automatic failback when one
node is recovered. If you have two very similar servers for node1 and node2 that can both handle
the full load of your traffic, then you can use this option.
To connect two Zen Load Balancer servers over a crossover cable for cluster communication you have
to check this option:
Now press to save the changes.
The cluster service is going to start on both nodes, and at the end of the process these messages will
appear.
Processes are going to be launched in the background to configure the cluster. At this point you can press
the refresh icon to update the cluster status view.
If the cluster is configured and working fine you will see a view similar to this:
This view shows the cluster services and their status, which are described in the next lines:
Zen latency. It is a launcher of the UCARP service. This service has to be running on both cluster nodes,
and checks that the communication between nodes is OK.
Cluster IP. This IP is UP only on the master node and configured but DOWN on the backup node.
Zen inotify. This service has to be running only on the master node and will send to the backup node
all the configuration and changes of networking and farms.
Over the cluster configured view you can:
Reload the check for testing that the cluster services are working like a charm.
Force cluster sync from master to backup. This manual force is useful after a cluster service
recovery.
Test the RSA connection. Verify that the RSA connection between nodes is working fine, which is
needed for synchronization over the zen inotify service.
Force failover. Switch the cluster service node. It's useful if you need to do some maintenance tasks
on the master server or to test the cluster service. For the node1 master and node2 backup automatic
failback cluster type, it will be switched for only ,- seconds; after that, the cluster service will be
switched back to node1.
Once the cluster service is configured you'll be able to change the cluster type, but the service could
produce some outages.
In the web GUI it is easy to identify the cluster role of both nodes. The upper side of the
webpage will show this message for the master node:
And for the backup node:
Once the cluster service is running on both nodes you only have to connect to the master node to apply
changes for farms and interfaces, which will be automatically configured and replicated to the backup
node.
5.9 Settings::Change Password Section
In this section you'll be able to change the web admin user password.
It's necessary to insert the current password and a repeated new password. Pressing the Change button
will change the admin web password. Optionally you'll be able to sync the admin password with the root
system password through the Change & Sync with root password button.
5.10 Settings::Backup
With the Backup option you can save the configurations on the ZenLB server and download them to your
local computer.
On this panel you can create, restore, upload and download backup files.
The Description name field will be the identification for the backup file to be generated by pressing the
Create Backup button. Please do not include blank spaces.
The new backup file generated will be listed on the Backup files table:
The actions to be applied are the following:
Through this icon you can download the selected file.
Through this icon you can delete the selected backup file.
Through this icon you can apply this backup. The config files will be rewritten if they exist.
Through this icon you can upload a backup file. It's useful if you've created a backup and
downloaded it for security reasons. If you press this icon a window will be shown:
Pressing the Browse... button you'll be able to navigate through your local files to select your backup file
to be uploaded. It is important to know that the file needs to follow the next pattern:
backup-description.tar.gz
If you modify the pattern, then the file isn't going to be listed on the Settings::Backup section.
6 Farm Guardian Usage
6.1 Philosophy
By default Zen Load balancer checks the TCP backends port status, but sometimes this check is not
enough to conclude that the backend is working fine. To solve this problem Zen Load Balancer
implements a way to execute advanced and personalized backend checks called Farm Guardian.
With this advanced monitoring application you can develop your own personalized scripts or use some
available scripts under the /usr/local/zenloadbalancer/app/libexec/ directory.
Farm Guardian checks the execution error output from the selected script ($? equal to 0 when there is no
error for the backend and $? different from 0 when there is an error for the backend).
All scripts used by Farm Guardian have to accept at least two input arguments, HOST and PORT
(HOST = backend IP, PORT = backend port).
Farm Guardian connects to your farm and lists the backends and ports. Then the selected script will
be run for each server, replacing the HOST and PORT token strings with each backend and port
configured on your farm.
6.2 Configuration
At the moment, Farm Guardian is only implemented for the TCP profile.
To enable the Farm Guardian monitoring, check the box Use FarmGuardian to check Backend Servers
and establish the time period of checks.
Now select a default script under the path /usr/local/zenloadbalancer/app/libexec or include your own
script in that directory.
Farm Guardian connects to the farm to obtain the backend list and executes this script for each of them.
Reading the output of the execution through the $? variable, we can determine that if the web content
on a real server doesn't contain the string It works, the current backend will be marked as blacklisted.
It's recommended to read the help page of the check_http script to understand this example.
You can activate the execution logs for Farm Guardian by checking the Active logs checkbox.
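A custom check that follows the contract described in section 6 (HOST and PORT as arguments, exit status 0 for a healthy backend), as an added example that is not part of the original guide or of Zen Load Balancer. The script name check_marker.sh, the EXPECTED and TIMEOUT variables, the specific non-zero codes and the availability of curl on the appliance are assumptions.

```shell
#!/bin/sh
# Added example: a custom Farm Guardian check (hypothetical name check_marker.sh).
# Called as: check_marker.sh HOST PORT
# Exit status 0 = backend healthy, non-zero = backend failed.
# Assumption: curl is installed on the load balancer.

EXPECTED="${EXPECTED:-It works}"   # string the page body must contain
TIMEOUT="${TIMEOUT:-5}"            # seconds before the check gives up

# Accept only a plain IPv4 address or hostname and a valid TCP port, so a
# malformed backend entry is never passed on to the fetch command.
valid_target() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ]
}

# Fetch the page body; kept in its own function so it can be replaced.
fetch_page() {
    curl --silent --fail --max-time "$TIMEOUT" "http://$1:$2/"
}

# Distinct non-zero codes (chosen for this example) make the log easier to read.
fg_check() {
    valid_target "$1" "$2" || return 3          # bad HOST or PORT argument
    body=$(fetch_page "$1" "$2") || return 2    # no answer or HTTP error
    printf '%s' "$body" | grep -qF -- "$EXPECTED" || return 1  # string missing
    return 0
}

# Run the check only when the script is called with HOST and PORT.
if [ "$#" -ge 2 ]; then
    fg_check "$1" "$2"
    exit $?
fi
```

The timeout keeps a hung backend from stalling the check past the configured check period.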
7 License
This documentation has been created by the Zen Load Balancer Developers Team for the Zen Load
Balancer GNU/GPL Project.
This documentation is licensed under the terms of the GNU Free Documentation License.
This program is licensed under the terms of the GNU General Public License.
