I finally switched back to Linux after a long hiatus. Things have gotten so much better with Ubuntu since I last checked out 7.04. My college at work turned me to VirtualBox hosting Windows and the seamless integration mode they have, so I decided to give it a try tonight.

I did get a very odd error when trying to install right when it was expanding windows files. I searched for a long time trying to find the answer and I tried many different disk images and burnt images that I knew just had to work.

c:\windows\winsxs is corrupt 0x80070570

In short the solution to this was to go into VirtualBox settings for the VM and change the storage to be 100% IDE based and not use the RAID driver that comes with it. It seems the SATA controller it provides to the windows installer is busted. If you remove it from your system configuration, and instead attach your virtual hard drive to the IDE controller, your installation will actually work.

Been toying around with horizontal scaling in Amazon EC2 for distributed searches. In short, I was looking for an effective software load balancer and came across HAProxy and Pound. Both a very nice software based load balancers.

HAProxy Software Load Balancer

HAProxy is a bit more bare metal as it targets a very specific set of scenarios focused on TCPIP more than HTTP. You can use cookie based injection with HAProxy to do round robin and stick users to a specific server. However, you can not do this if your site is running SSL traffic. HAProxy can not decrypt the SSL traffic. This is more of the authors dead-fast belief that SSL should not be terminated because of CPU load on the load balancer preventing scaling as you would need to scale the load balancers at some point (we’re talking millions of requests, facebook style).

Pound Software Load Balancer

Pound is a bit more specific to HTTP/Web scenarios. It functions as a 100% Layer-7 load balancer as it does full HTTP(S) integration and has full access to the HTTP stack. What this means is that you can do some fancy routing based on cookies, url regex, and do this with SSL termination. You can combine the two and have Pound decrypt the traffic and forward to HAProxy but your setting up a scaling issue if you do.

Overview

In the above context diagram we can see that we should have a firewall (software and/or hardware based) to only allow port 80 and 443. We use pound proxy (see below reference) to decrypt the SSL traffic and then pass the request on to HAProxy. HAProxy then inspects/injects the server cookie ID used for sticking somebody to a particular server and then proceeds to do round robin.

Note that the above assumes all servers/appdomain are up. HAProxy will detect if a server is down and redirect any new clients / old clients from the current domain to a different domain (sometimes causing a session loss event, but not much you can do about that). If you are performing an upgrade and would like to “bleed” users off the box that you want to recycle see the below article as HAProxy can support this as well.

Basic HAProxy Configuration

Below is an example configuration that shows a sharepoint farm (using NTLM) a aspnet_farm (using asp.net forms/basic) and a tomcat farm.

# /etc/haproxy.cfg
global
        user haproxy
        group haproxy

defaults
        mode http
        option forwardfor
        option redispatch
        retries 3
        maxconn 2000
        contimeout 5000
        clitimeout 50000
        srvtimeout 50000

backend sharepoint_farm
        balance roundrobin
        option redispatch
        cookie SERVERID insert nocache indirect
        server myServer1 192.168.1.1:80 cookie sharepoint01 check
        server myServer2 192.168.1.2:80 cookie sharepoint02 check
        server myServer3 192.168.1.3:80 cookie sharepoint03 check

backend aspnet_farm
        balance roundrobin
        option redispatch
        cookie ASP.NET_SessionId prefix
        option httpclose
        option forwardfor
        server myServer1 192.168.1.3:80 cookie aspnet01 check

backend tomcat_farm
        balance roundrobin
        option redispatch
        option httpclose
        cookie SERVERID insert nocache indirect
        server farmsvr1 192.168.1.4:8080 cookie tomcat01 check
        stats uri /stats
        stats realm haproxy
        stats auth admin:P@ss0wrd
        stats scope .
        stats scope aspnet_farm
        stats scope sharepoint_farm

frontend httpid
        bind *:80
        acl is_sharepoint_farm hdr_end(host) -i sharepoint.itcontoso.com
        acl is_aspnet_farm hdr_end(host) -i aspnet.itcontoso.com
        use_backend sharepoint_farm if is_sharepoint_farm
        use_backend aspnet_farm if is_aspnet_farm
        default_backend tomcat_farm

Now what is really nice about HAProxy is that we can have a zero-downtime restart/deploy of all servers. For a detailed guide you can see the below article. How I miss Linux sometimes…

Zero-Downtime Restarts with HAProxy

SSL Termination with Pound + HAProxy

One of the things that might cause a problem is if you need to insert cookie but are running 443. If this is the case and you really have no other alternative (risk vs. reward, total cost of ownership, etc) than you can configure HAProxy + Pount to deliver SSL Termination and then forward calls down to the web-servers as HTTP and the SSL decrypt/crypt happens on the load balancer. This can increase CPU, but last checked some Intel Celeron CPUs can handle 700+ transactions per second with this configuration.

We can test this by generating a self-signed certificate…

# install ssl
sudo apt-get install openssl

# create self signed cert
cd /etc/ssl
sudo openssl req -x509 -newkey rsa:1024 -keyout local.server.pem -out local.server.pem -days 365 -nodes

And then updating the /etc/pound/pound.cfg to include an SSL terminator:

ListenHTTPS
  Address 192.168.1.4
  Port    443
  Cert    "/etc/ssl/local.server.pem"
End

Full Layer-7 Load Balancer Scenarios

One of the huge benefits we get by having a layer-7 load balancer is that we can perform intelligent routing and have it be seamless to our applications.

Examples

• Load balance all png, jpg, gif requests to a specific server(s).
• Load balance all mov, avi, mkv requests to a specific server(s).
• Load balance users in South East US IP range to southeast.yoursite.com
• Load balance users by ranking (gold customers, silver, bronze)

Additional Resources

Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

Linux install and configure pound reverse proxy for Apache http / https web server

Pound Configuration Information

In the previous post we got the bare minimum SOLR install up and running with apache, tomcat, and SOLR with multicore/multiindex. So you should be able to navigate to http://localhost/ we should be seeing the manage your cores screen.

All is well with this but we need to modify our default install a bit to more represent a real world multi-core setup.

Download SOLR Example

The schemas provided by the SOLR distribution are rather basic and do not include field types commonly found in production deployments. To simplify this I created a new template that you can use to get a jump-start. It includes;

• Settings: A more robust schema.xml that includes field types such as text_ws, string, int, decimal, and ignore.
• Performance: A solr core exists [see: distrib] that simply provides distributed search via a requestHandler that auto injects the shards parameter on any search request.
• Performance: The solrconfg.xml of each has a more aggressive caching mechanism in place to provide better scalability as well as some further options to enhance performance out of the box (etag, cache control headers, etc).
• Security: Disabled remote streaming.

You can download the example here.

How to issue multi-core/multi-index queries

To issue a multi-core query by hand we can use a url template like below:

http://localhost/core1/select/?q=solr&shards=localhost/core01,localhost/core02

You will notice the use of the shards parameter. This allows us to query multiple cores (indexes) simultaneously. This proves invaluable as you horizontally scale your search as shards can be on different pcs all together. In our case, however, we are simply using it to query across indexes in a search on the same PC, but you don’t have to do it like this.

Distributed Search Scenarios

From the above we can explore two scenarios for deployment depending on the needs of our search architecture and current scale. Scenarios differ only in their physical deployment so moving from scenario 1 to scenario 2 is as painless as it can get. Note: The reasons for moving to a distributed platform usually revolve around bottlenecks at the IO level either IO is too slow, or size of index is too large (>1 million)

As the size of our indexes grow we may move a shard to a different server to get the benefit of higher IO. However, keep in mind, this will increase CPU on the core servers respectively. We might also consider still keeping 1-2 search servers in place and as IO becomes an issue mount new drives to take care of the load. I would strongly recommend SSD drives for any search server as 99% of the time you are concerned with how fast your “gets” are and not your “sets”.

Benefits

• Easier to maintain
• Allows migration to multi-server solutions
• Allows higher up-time through multi-cores

Potential Drawbacks

• Scalability at start is diminished

Alternate Considerations

• Consider scenario 2 when you need massive scalability.
• Consider a replicated index with multiple hosts.

Benefits

• Massive horizontal scale

Potential Drawbacks

• The increased scale can be hard to manage
• Effective performance tuning is required
• More testing to establish best configuration

Alternate Considerations

• Reconsider scenario 1 if IO is the main bottleneck, instead of scaling horizontal with physical servers, mount different RAID configurations

Additional Resources

Scaling up Large Scale Search from 500,000 volumes to 5 Million volumes and beyond

SOLR Performance Benchmark Single index vs Multiple (Multicore)

Multicore admin commands for SOLR