Subordinate WildFly Host Controller Post-Install Configuration: Difference between revisions

From NovaOrdis Knowledge Base
Latest revision as of 03:56, 5 April 2017


Overview

This procedure is part of WildFly Unzip Installation. Once completed, return to WildFly Unzip Installation to continue the post-install procedure.

For more details on subordinate host controllers, see:

Subordinate Host Controller

Prerequisites


The domain controller must be fully configured and up and running when configuring subordinated host controllers, since we need to interact with the domain controller during the subordinated host controller installation (create users, etc.)

host.xml Host Name

A subordinate host controller uses its host name as username when authenticating against the Management Realm of the domain controller, so the host name it is configured with is important. The host name can be hardcoded in host.xml or specified as a system property. For more details see:

host.xml host name

Specify the Master Domain Controller

Modify $JBOSS_HOME/domain/configuration/host.xml as follows:

    ...
    <domain-controller>
       <remote host="1.2.3.4" port="${jboss.domain.master.port:9999}" security-realm="ManagementRealm"/>
    </domain-controller>
    ...

Note that the management functionality can be exposed over 9999 (native) or 9990 (http).

It is possible to expose the master domain controller address externally as 'jboss.domain.master.address' system property. In this case, you'd have to add the following to domain.conf:

HOST_CONTROLLER_JAVA_OPTS="${HOST_CONTROLLER_JAVA_OPTS} -Djboss.domain.master.address=1.2.3.4"

However, this is NOT a good idea. If we go through a domain controller failover, promotion and unpromotion, the IP address will be written into the host.xml file directly, so the 'jboss.domain.master.address' property will lose its usefulness and the setup will suddenly become confusing: we would be using a system property while also having the address hardcoded in the file.

For more details on jboss.domain.master.address see:

jboss.domain.master.address

Connection Failure Symptoms

In $JBOSS_HOME/domain/log/host-controller.log:

22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010951: Could not connect to master in 11 attempts within 30000 ms
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS016581: No domain controller discovery options remain.
22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect

The Host Controller's Management Interface

A subordinate host controller does not need to expose its management interface.

Specify the Backup Domain Controllers

WildFly High Availability Domain Controller

Configure the Host Controller Identity

Host controller identity is explained here:

Subordinated Host Controller Identity

Add a Domain Controller Management Realm User

Add a Management Realm user on the domain controller. The user name should be the subordinated host controller host name as specified in <host name="..."> of the subordinated host controller's host.xml. The procedure must be executed on the domain controller, and it is described here:

Adding a User to the Management Realm

Use the password value specified there for the Configure Server Identity Secret step.

Domain Controller High Availability and Security

In order to create an "equivalent" domain controller, you could configure the users corresponding to the hosts on the primary, and then just copy the relevant content of mgmt-users.properties to the backup controllers. The passwords and their corresponding "secret" values will stay the same.

Configure Server Identity Secret

Manual Procedure

Calculate the secret's value by base64-encoding the clear-text password with openssl:

echo -n "password-in-clear" | openssl enc -base64

Then copy the resulting string as the secret's "value" attribute in a <server-identities> element in host.xml of the subordinate host controller:

<host ...>
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                ...
                </authorization>
                <server-identities>
                    <secret value="YXAwMm11MTIzIQ=="/>
                </server-identities>
            </security-realm>
            ...
        </security-realms>
        ...
    </management>
    ...
</host>
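The following is an added example, not part of the original wiki page, that automates the manual procedure above and adds the check a practitioner wants before restarting the host controller: it derives the secret exactly as the openssl command does (base64 of the password, no trailing newline), reads the secret value back out of a host.xml, and confirms it decodes to the password that was registered on the domain controller. It also builds the line add-user writes to mgmt-users.properties (username=HEX(MD5(username:realm:password))) so the host name / user pairing can be compared on the domain controller side. Function names, the sample host.xml and the password "password-in-clear" are constructed for the example; the realm name ManagementRealm is the one the page uses. Because the secret is only base64, not encryption, host.xml must be readable only by the account that runs the host controller.

```shell
#!/bin/sh
# Added example (not from the original wiki page): derive and verify the
# <secret value="..."/> of a subordinate host controller.

# Base64-encode the password the way "echo -n ... | openssl enc -base64" does.
# printf avoids the trailing newline a plain "echo" would add; encoding that
# newline yields a different secret and a JBAS010942 authentication failure.
# -A keeps the output on one line even for long passwords.
compute_secret() {
    printf '%s' "$1" | openssl enc -base64 -A
}

# Extract the first <secret value="..."/> attribute from a host.xml.
extract_secret() {
    sed -n 's/.*<secret value="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 if the secret configured in host.xml decodes to the given password.
secret_matches() {
    hostxml=$1
    password=$2
    configured=$(extract_secret "$hostxml")
    [ -n "$configured" ] || return 1
    decoded=$(printf '%s' "$configured" | openssl enc -base64 -d -A)
    [ "$decoded" = "$password" ]
}

# The line add-user writes to mgmt-users.properties on the domain controller:
# username=HEX(MD5("username:realm:password")). The user name must equal the
# <host name="..."> of the subordinate; the realm is ManagementRealm here.
mgmt_users_line() {
    user=$1
    realm=$2
    password=$3
    hash=$(printf '%s' "$user:$realm:$password" | openssl dgst -md5 | awk '{print $NF}')
    printf '%s=%s\n' "$user" "$hash"
}

# Constructed sample host.xml fragment (hypothetical, not a real deployment)
# carrying the secret for "password-in-clear".
write_sample_hostxml() {
    cat > "$1" <<'EOF'
<host name="n1">
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                <server-identities>
                    <secret value="cGFzc3dvcmQtaW4tY2xlYXI="/>
                </server-identities>
            </security-realm>
        </security-realms>
    </management>
</host>
EOF
}

# Stand-alone demonstration on the constructed sample.
sample=$(mktemp)
write_sample_hostxml "$sample"
printf 'secret for host.xml:        %s\n' "$(compute_secret 'password-in-clear')"
printf 'mgmt-users.properties line: %s\n' "$(mgmt_users_line n1 ManagementRealm 'password-in-clear')"
if secret_matches "$sample" 'password-in-clear'; then
    echo "host.xml secret matches the registered password"
else
    echo "host.xml secret does NOT match; expect JBAS010942 on startup"
fi
rm -f "$sample"
```

Run it against a real file by pointing secret_matches at $JBOSS_HOME/domain/configuration/host.xml; a mismatch found here is the same condition that produces the authentication failure shown in the next section, caught before a restart.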

CLI Procedure

Add Subordinate Host Controller Server Identity Secret Value with CLI

Symptoms of Failure to Authenticate with the Domain Controller

22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.

Registration Success

In the domain controller's log:

21:43:39,412 INFO  [org.jboss.as.domain] (Host Controller Service Threads - 34) JBAS010918: Registered remote slave host "n1", JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21)
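The three log excerpts above (connection failure, authentication failure, successful registration) are the signals an operator triages after starting a subordinate host controller. As an added example, not part of the original page, the script below classifies a host-controller.log or domain controller log by those message ids, so "the domain controller is unreachable" is distinguished from "the domain controller was reached but rejected the host's identity", and pulls out the endpoint the host controller actually tried and the host name the domain controller registered. The sample logs are constructed from the lines quoted on this page; function names are the example's own. The message ids are the JBoss EAP 6.4 / AS 7.x ones shown on the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): triage subordinate host
# controller startup by the JBAS message ids quoted on the page.

# Constructed sample logs, assembled from the lines quoted on the page.
write_sample_logs() {
    dir=$1
    cat > "$dir/unreachable.log" <<'EOF'
22:36:16,823 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.net.ConnectException: JBAS012174: Could not connect to remote://10.155.78.202:9999. The connection failed
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010951: Could not connect to master in 11 attempts within 30000 ms
22:36:16,828 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS016581: No domain controller discovery options remain.
22:36:16,829 ERROR [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010901: Could not connect to master. Aborting. Error was: java.lang.IllegalStateException: JBAS016519: Tried all domain controller discovery option(s) but unable to connect
EOF
    cat > "$dir/authfail.log" <<'EOF'
22:40:23,855 WARN  [org.jboss.as.host.controller] (Controller Boot Thread) JBAS010900: Could not connect to remote domain controller at remote://10.155.78.202:9999 -- java.lang.IllegalStateException: JBAS010942: Unable to connect due to authentication failure.
EOF
    cat > "$dir/dc.log" <<'EOF'
21:43:39,412 INFO  [org.jboss.as.domain] (Host Controller Service Threads - 34) JBAS010918: Registered remote slave host "n1", JBoss EAP 6.4.0.GA (AS 7.5.0.Final-redhat-21)
EOF
}

# Prints one of: auth-failure | unreachable | registered | unknown.
# Authentication failure is tested first: the TCP connection succeeded, so the
# fix is the server-identity secret or the ManagementRealm user, not the
# network or the <remote host=...> address.
classify_hc_log() {
    if grep -q 'JBAS010942' "$1"; then
        echo auth-failure
    elif grep -Eq 'JBAS010901|JBAS010951' "$1"; then
        echo unreachable
    elif grep -q 'JBAS010918' "$1"; then
        echo registered
    else
        echo unknown
    fi
}

# The domain controller endpoint the host controller actually tried; compare it
# with <remote host="..." port="..."/> in host.xml and with any
# -Djboss.domain.master.address passed on the command line.
dc_endpoint_from_log() {
    sed -n 's/.*JBAS010900: Could not connect to remote domain controller at \(remote:\/\/[^ ]*\) --.*/\1/p' "$1" | head -n 1
}

# The host name the domain controller registered; it must equal the
# ManagementRealm user created for this host and its <host name="...">.
registered_host_from_log() {
    sed -n 's/.*JBAS010918: Registered remote slave host "\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Stand-alone demonstration on the constructed samples.
logs=$(mktemp -d)
write_sample_logs "$logs"
for f in unreachable authfail dc; do
    printf '%-12s -> %s\n' "$f" "$(classify_hc_log "$logs/$f.log")"
done
printf 'tried endpoint:  %s\n' "$(dc_endpoint_from_log "$logs/unreachable.log")"
printf 'registered host: %s\n' "$(registered_host_from_log "$logs/dc.log")"
rm -rf "$logs"
```

On a real installation, point classify_hc_log at $JBOSS_HOME/domain/log/host-controller.log on the subordinate and at the domain controller's log; an auth-failure result sends you back to the server identity secret and the Management Realm user, an unreachable result to the <domain-controller> address and port.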

Configure the Servers that are Running on this Host

Update host.xml accordingly: specify the server names and their association with a server group defined in domain.xml.

Example:

<servers>
    <server name="app1" group="web-apps" auto-start="true">
        ...
    </server>
</servers>

Configure the Network Interface Server Nodes Use to Deliver Business Content

Server nodes exist to process requests, and they must be able to receive those requests and return responses over a network interface that is publicly accessible. More details on how to configure this are available here:

jboss.bind.address for Host Controllers

Since EAP 7, "jboss.bind.address.private" must also be configured:

jboss.bind.address.private for Host Controllers

Optionally Remove domain.xml

You could remove domain.xml to eliminate confusion, but only if you don't plan to run this host controller as a backup domain controller. If you plan to run this host controller as a backup domain controller, domain.xml has to be in place or the promotion procedure will fail (alternatively, you could set JBOSS_DOMAIN_CONFIG=domain.cached-remote.xml in jboss-host-controller, but this is an undocumented procedure and I am not sure how stable/safe it is).