24.6. Clustered JBoss EAP 6
24.6.1. About Clustered Instances
Two configuration files are provided for clustered standalone instances: standalone-ec2-ha.xml and standalone-mod_cluster-ec2-ha.xml. Each of these configuration files provides clustering without the use of multicast, because Amazon EC2 does not support multicast. This is done by using TCP unicast for cluster communications and S3_PING as the discovery protocol. The standalone-mod_cluster-ec2-ha.xml configuration also provides easy registration with mod_cluster proxies.
The domain-ec2.xml configuration file provides two profiles for use in clustered managed domains: ec2-ha and mod_cluster-ec2-ha.
24.6.2. About Virtual Private Clouds
24.6.3. Create a Virtual Private Cloud (VPC)
This topic covers the steps required to create a Virtual Private Cloud, using a database external to the VPC as an example. Your security policies may require connection to the database to be encrypted. Please refer to Amazon's RDS FAQ for details about encrypting the database connections.
Important
- Go to the VPC tab in the AWS console.
- Subscribe to the service if needed.
- Click on "Create new VPC".
- Choose a VPC with one public and one private subnet.
- Set the public subnet to be 10.0.0.0/24.
- Set the private subnet to be 10.0.1.0/24.
- Go to Elastic IPs.
- Create an elastic IP for use by the mod_cluster proxy/NAT instance.
- Go to Security groups and create a security group to allow all traffic in and out.
- Go to Network ACLs.
- Create an ACL to allow all traffic in and out.
- Create an ACL to allow all traffic out and traffic in on only TCP ports 22, 8009, 8080, 8443, 9443, 9990 and 16163.
The Virtual Private Cloud has been successfully created.
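To check that a network ACL actually enforces the port list above rather than merely containing it, here is an added example (not from the original guide) that models AWS network ACL first-match evaluation over constructed entries; the entry dictionaries, entry() and audit_inbound() are this example's own helpers, not an AWS API.

```python
# Inbound TCP ports that the restrictive network ACL in the procedure admits.
CLUSTER_INBOUND_TCP = {22, 8009, 8080, 8443, 9443, 9990, 16163}

def nacl_verdict(entries, port, protocol="tcp"):
    """AWS network ACL semantics: entries are evaluated in ascending rule-number
    order, the first match wins, and an implicit final rule denies everything."""
    for e in sorted(entries, key=lambda e: e["rule"]):
        low, high = e["ports"]
        if e["protocol"] in (protocol, "all") and low <= port <= high:
            return e["action"]
    return "deny"

def audit_inbound(entries, allowlist=CLUSTER_INBOUND_TCP):
    """Compare what the inbound entries actually admit with the allowlist. Returns
    (ports open that should be closed, allowlisted ports that are blocked)."""
    inbound = [e for e in entries if e["direction"] == "inbound"]
    open_ports = {p for p in range(1, 65536) if nacl_verdict(inbound, p) == "allow"}
    return open_ports - allowlist, allowlist - open_ports

def entry(rule, direction, protocol, low, high, action):
    """Constructed entry shape for this example (not the AWS API's)."""
    return {"rule": rule, "direction": direction, "protocol": protocol,
            "ports": (low, high), "action": action}

# Constructed ACL in the shape the procedure describes: all traffic out, traffic
# in only on the listed TCP ports, and an explicit catch-all deny last.
RESTRICTIVE_ACL = [
    entry(100 + i, "inbound", "tcp", p, p, "allow")
    for i, p in enumerate(sorted(CLUSTER_INBOUND_TCP))
] + [
    entry(32767, "inbound", "all", 0, 65535, "deny"),
    entry(100, "outbound", "all", 0, 65535, "allow"),
]

# Constructed drift: a broad allow at a low rule number, and a deny for port 22
# that sorts before the matching allow and therefore shadows it.
DRIFTED_ACL = RESTRICTIVE_ACL + [
    entry(50, "inbound", "tcp", 8000, 9999, "allow"),
    entry(90, "inbound", "tcp", 22, 22, "deny"),
]

if __name__ == "__main__":
    for name, acl in (("restrictive", RESTRICTIVE_ACL), ("drifted", DRIFTED_ACL)):
        extra, blocked = audit_inbound(acl)
        print(f"{name}: {len(extra)} unexpectedly open ports; blocked allowlisted ports: {sorted(blocked)}")
```

Network ACLs are stateless, so return traffic on ephemeral ports is subject to the same first-match evaluation; this check models only the explicit inbound entries.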
24.6.4. Launch an Apache HTTP Server Instance to Serve as a mod_cluster Proxy and a NAT Instance for the VPC
This topic covers the steps required to launch an Apache HTTP server instance to serve as a mod_cluster proxy and a NAT instance for the Virtual Private Cloud.
Prerequisites
Procedure 24.8. Launch an Apache HTTP server Instance to Serve as a mod_cluster proxy and a NAT Instance for the VPC
- Create an elastic IP for this instance.
- Select an AMI.
- Go to Security Group and allow all traffic (use Red Hat Enterprise Linux's built-in firewall capabilities to restrict access if desired).
- Select "running" in the public subnet of the VPC.
- Select a static IP (e.g. 10.0.0.4).
- Put the following in the User Data: field:
    JBOSSCONF=disabled

    cat > $USER_SCRIPT << "EOS"
    # Turn this instance into a router for the private subnet: enable forwarding
    # and disable reverse-path filtering so NAT traffic is not dropped
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    # Accept mod_cluster (MCPM) traffic on 7654 only from the private subnet and HTTP on 80;
    # forward private-subnet traffic and masquerade it behind this instance's address
    iptables -I INPUT 4 -s 10.0.1.0/24 -p tcp --dport 7654 -j ACCEPT
    iptables -I INPUT 4 -p tcp --dport 80 -j ACCEPT
    iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -I FORWARD -s 10.0.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 ! -s 10.0.0.4 -j MASQUERADE

    # balancer module incompatible with mod_cluster
    sed -i -e 's/LoadModule proxy_balancer_module/#\0/' /etc/httpd/conf/httpd.conf

    cat > /etc/httpd/conf.d/mod_cluster.conf << "EOF"
    #LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule slotmem_module modules/mod_slotmem.so
    LoadModule manager_module modules/mod_manager.so
    LoadModule proxy_cluster_module modules/mod_proxy_cluster.so
    LoadModule advertise_module modules/mod_advertise.so

    Listen 7654

    # workaround JBPAPP-4557
    MemManagerFile /var/cache/mod_proxy/manager

    <VirtualHost *:7654>
      # Manager console reachable only from the proxy host itself
      <Location /mod_cluster-manager>
        SetHandler mod_cluster-manager
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
      </Location>

      # MCPM registrations accepted only from the VPC address space and localhost
      <Location />
        Order deny,allow
        Deny from all
        Allow from 10.
        Allow from 127.0.0.1
      </Location>

      KeepAliveTimeout 60
      MaxKeepAliveRequests 0

      ManagerBalancerName mycluster
      ServerAdvertise Off
      EnableMCPMReceive
    </VirtualHost>
    EOF

    echo "`hostname | sed -e 's/ip-//' -e 'y/-/./'` `hostname`" >> /etc/hosts

    semanage port -a -t http_port_t -p tcp 7654 #add port in the apache port list for the below to work
    setsebool -P httpd_can_network_relay 1 #for mod_proxy_cluster to work
    chcon -t httpd_config_t -u system_u /etc/httpd/conf.d/mod_cluster.conf

    #### Uncomment the following line when launching a managed domain ####
    # setsebool -P httpd_can_network_connect 1

    service httpd start
    EOS
- Disable the Amazon EC2 cloud source/destination checking for this instance so it can act as a router.
- Right-click on the running Apache HTTP server instance and choose "Change Source/Dest check".
- Click on Yes, Disable.
- Assign the elastic IP to this instance.
The Apache HTTP server instance has been launched successfully.
24.6.5. Configure the VPC Private Subnet Default Route
This topic covers the steps required to configure the VPC private subnet default route. JBoss EAP 6 cluster nodes will run in the private subnet of the VPC, but cluster nodes require Internet access for S3 connectivity. A default route needs to be set to go through the NAT instance.
Procedure 24.9. Configure the VPC Private Subnet Default Route
- Navigate to the Apache HTTP server instance in the Amazon AWS console.
- Navigate to the .
- Click on the routing table used by the private subnet.
- In the field for a new route enter 0.0.0.0/0.
- Click on "Select a target".
- Select "Enter Instance ID".
- Choose the ID of the running Apache HTTP server instance.
The default route has been successfully configured for the VPC subnet.
24.6.6. About Identity and Access Management (IAM)
24.6.7. Configure IAM Setup
This topic covers the configuration steps required for setting up IAM for clustered JBoss EAP 6 instances. The S3_PING protocol uses an S3 bucket to discover other cluster members. JGroups version 3.0.x requires Amazon AWS account access and secret keys to authenticate against the S3 service.
S3_PING protocol used by JGroups). The IAM user and S3 bucket used for S3 discovery must be different from the IAM user and S3 bucket used for clustering.
Procedure 24.10. Configure IAM Setup
- Go to the IAM tab in the AWS console.
- Click on users.
- Select Create New Users.
- Choose a name, and ensure the Generate an access key for each User option is checked.
- Select Download credentials, and save them in a secure location.
- Close the window.
- Click on the newly created user.
- Make note of the User ARN value. This value is required to set up the S3 bucket, documented in Section 24.6.9, “Configure S3 Bucket Setup”.
The IAM user account has been successfully created.
24.6.8. About the S3 Bucket
24.6.9. Configure S3 Bucket Setup
This topic covers the steps required to configure a new S3 bucket.
Prerequisites
Procedure 24.11. Configure S3 Bucket Setup
- Open the S3 tab in the AWS console.
- Click on Create Bucket.
- Choose a name for the bucket and click.
Note
Bucket names are unique across the entire S3 namespace; names cannot be reused.
- Right click on the new bucket and select Properties.
- Click Add bucket policy in the permissions tab.
- Click New policy to open the policy creation wizard.
- Copy the following content into the new policy, replacing arn:aws:iam::055555555555:user/jbosscluster with the value defined in Section 24.6.7, “Configure IAM Setup”. Change both instances of clusterbucket123 to the name of the bucket defined in step 3 of this procedure.

    {
      "Version": "2008-10-17",
      "Id": "Policy1312228794320",
      "Statement": [
        {
          "Sid": "Stmt1312228781799",
          "Effect": "Allow",
          "Principal": {
            "AWS": [
              "arn:aws:iam::055555555555:user/jbosscluster"
            ]
          },
          "Action": [
            "s3:ListBucketVersions",
            "s3:GetObjectVersion",
            "s3:ListBucket",
            "s3:PutBucketVersioning",
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:ListBucketMultipartUploads",
            "s3:ListMultipartUploadParts",
            "s3:PutObject",
            "s3:GetBucketVersioning"
          ],
          "Resource": [
            "arn:aws:s3:::clusterbucket123/*",
            "arn:aws:s3:::clusterbucket123"
          ]
        }
      ]
    }
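As an added check (not part of the original guide), the following Python validates a bucket policy of the shape above against the S3_PING IAM user, the bucket and the exact action list, reporting any principal, action or resource that is broader; page_policy() and check_bucket_policy() are this example's own helpers, and the account id is the page's placeholder.

```python
import json

# Values from the procedure above; the account id is the page's placeholder.
PRINCIPAL_ARN = "arn:aws:iam::055555555555:user/jbosscluster"
BUCKET_NAME = "clusterbucket123"
# The S3 actions the procedure's policy grants; anything broader is reported.
S3_PING_ACTIONS = {
    "s3:ListBucketVersions", "s3:GetObjectVersion", "s3:ListBucket", "s3:PutBucketVersioning",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:GetObject", "s3:ListBucketMultipartUploads",
    "s3:ListMultipartUploadParts", "s3:PutObject", "s3:GetBucketVersioning",
}

def _as_list(value):
    """IAM allows Principal, Action and Resource to be a string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def page_policy(principal=PRINCIPAL_ARN, actions=None, resources=None):
    """The procedure's bucket policy as JSON; keyword arguments build loosened variants."""
    return json.dumps({
        "Version": "2008-10-17", "Id": "Policy1312228794320",
        "Statement": [{
            "Sid": "Stmt1312228781799", "Effect": "Allow",
            "Principal": {"AWS": _as_list(principal)},
            "Action": actions or sorted(S3_PING_ACTIONS),
            "Resource": resources or [f"arn:aws:s3:::{BUCKET_NAME}/*", f"arn:aws:s3:::{BUCKET_NAME}"],
        }]})

def check_bucket_policy(policy_json, bucket=BUCKET_NAME, principal=PRINCIPAL_ARN):
    """Report every Allow statement naming a principal other than the S3_PING IAM user,
    an action outside the S3_PING set, or a resource outside the bucket. Empty = as expected."""
    findings = []
    bucket_arns = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        raw = stmt.get("Principal", {})
        principals = _as_list(raw) if isinstance(raw, str) else _as_list(raw.get("AWS"))
        for p in principals:
            if p == "*":
                findings.append(f"{sid}: Principal '*' grants anonymous access")
            elif p != principal:
                findings.append(f"{sid}: unexpected principal {p}")
        for action in _as_list(stmt.get("Action")):
            if action not in S3_PING_ACTIONS:
                findings.append(f"{sid}: action {action} is broader than S3_PING needs")
        for res in _as_list(stmt.get("Resource")):
            if res not in bucket_arns:
                findings.append(f"{sid}: resource {res} is outside bucket {bucket}")
    return findings
```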
A new S3 bucket has been created, and configured successfully.