A Helion Stackato cluster is made of a number of Helion Stackato VM instances linked together, each taking on a particular role for the platform. Each Helion Stackato VM contains all of software necessary to take on any role, and boots by default as a "micro cloud" with enough roles enabled to function as a self-contained system.
After designating one of the instances as a "Core" node, other nodes are connected and are given roles in the cluster, distributing the computational tasks of the platform as best suits the particular deployment.
A Helion Stackato node can take on one or more of the following roles:
The command line tool used to configure Helion Stackato servers is called kato. You can see a list of the available roles at the command line by running the kato info command.
Setup of cluster nodes is done using the kato node setup core and kato node attach sub-commands.
The kato info command will show:
kato role addIn a Helion Stackato cluster, one node is dedicated as the core node. This node will have a controller, primary, base, and router role but can also include additional roles.
Boot a Helion Stackato VM and set up the core node as described below, then add the other nodes and assign roles.
A static IP address is necessary to provide a consistent network interface for other nodes to connect to. This address is called the MBUS IP. If your IaaS or cloud orchestration software provide IP addresses which persist indefinitely and are not reset on reboot you may not have to set this explicitly.
Take note of the internal IP address of the core node. It will be required when configuring additional nodes in the following steps, so that they can attach to the core node.
Make sure that the IP address of its eth0 interface is registering
the correct address, which may not be the case if you have set a static
IP and not yet rebooted or restarted networking. To check the IP
address, run:
$ ifconfig eth0
If necessary, set the static IP address:
$ kato op static_ip
Note
If the IP address of the core node changes, you must reconfigure the cluster to use the new MBUS IP address. Run kato node migrate (or kato op static_ip) on the core node, then kato node attach on all other cluster nodes.
Next, set the fully qualified hostname of the core node. This is required so that the internal configuration of Helion Stackato matches the DNS record created for this system.
To set the hostname, run:
$ kato node rename hostname.example.com
Tip
To restart the router roles on the core node at a later time,
add --no-restart to the command.
This hostname will become the basename of the "API endpoint" address
used by clients (for example, https://api.hostname.example.com).
Note
If you are building a cluster with multiple Routers separate from the core node, the load balancer or gateway router must take on the API endpoint address. Consult the Load Balancer and Multiple Routers section below.
A wildcard DNS record is necessary to resolve not only the API endpoint, but all applications which will subsequently be deployed on the PaaS. Create a wildcard DNS record for the Core node (or Load Balancer/Router).
On the core node, execute the following command:
$ kato node setup core api.hostname.example.com
This sets up the core node with just the implicit controller, primary, and router roles. The router role is required on this node even if there are other routers in the cluster and the node is not exposed to the internet.
If you intend to set up the rest of the cluster immediately, you would carry on to enable those roles you ultimately intend to run on the Core node. For example, to set up a core node with the controller, primary, router, and dea roles:
$ kato node setup core api.hostname.example.com
$ kato role add dea
Then proceed to configure the other VMs by attaching them to the Core node and assigning their particular roles. Register Helion Stackato and add the license key before adding nodes to the cluster.
Adding nodes to the cluster involves attaching the new VMs to the Core node's IP address using the kato node attach command. This command will check that the new node has a version number compatible with the core node before attaching it.
Roles can be added (or removed) on the new node after attaching using
the kato role command, but it is
generally preferable to enable roles during the kato attach step
using the -e (enable) option as described below for each of the node
types.
Note
Setup and maintenance operations can be simplified if Passwordless SSH Authentication has been set up between the Core node and the other nodes in the cluster.
In smaller clusters, the Router enabled with the core node should be sufficient, and the core node can function as the gateway. To attach a node enabling just the router role:
$ kato node attach -e router <CORE_IP>
If a Router-only node is the gateway to Helion Stackato, the public DNS entry for the API endpoint must point to that node. For larger clusters requiring multiple gateway Routers, see the Load Balancer and Multiple Routers section below.
Data services can share a single node (small clusters) or run on separate nodes (recommended for production clusters). To set up all available data services on a single node and attach it to the core node, run the following command on the data services node:
$ kato node attach -e data-services <CORE_IP>
Note
The Harbor port service needs a publicly routable IP and exposed port range if you want to provide externally accessible TCP and UDP ports for user applications. See the Harbor Requirements & Setup documentation for details.
Nodes which stage application code and run application containers are called Droplet Execution Agents (DEAs). Once the controller node is running, you can begin to add some of these nodes with the kato node attach command. To turn a generic Helion Stackato VM into a DEA and connect it to the core node:
$ kato node attach -e dea <CORE_IP>
Continue this process until you have added all the desired DEA nodes. You will be prompted to enter the password for the core node during the attach process. You can avoid this prompt by configuring passwordless authentication from the DEA node to the core node before attaching:
$ ssh-copy-id stackato@<CORE_IP>
Important
A Helion Stackato cluster cannot have only Windows DEA nodes. At least
one node with the Linux DEA role is required.
Add the dea role to any Linux node. To determine the roles assigned
to each node, run the kato info or kato node list command.
Any stackato commands related to Linux containers (such as stackato
ssh or stackato scp) will not work on a WinDEA node.
Establish a Remote Desktop (RDP) connection to a Microsoft Windows Server 2012 R2 VM.
Note
Ensure that the VM has a public-facing IP address and inbound rules for TCP port 3389 and UDP port 3389.
To avoid configuring security configuration, use PowerShell to download the Stackato Windows Package archive with the following command:
> Invoke-WebRequest http://downloads.stackato.com/windea/latest/ -OutFile cf-stackato-windows.zip
Decompress the archive into a convenient directory and run helion-windows.exe.
Important
If you use any account with administrative privileges other than the default Administrator account,
you must right-click helion-windows.exe, click Run as administrator, and then click Yes on
the User Account Control dialog box.
Read and accept the license agreement.
In the PowerShell window, run the following command using the private IP of your core node, for example:
> Install-StackatoComponents -redisHost 10.0.0.9
At the end of the process, the following message is displayed:
[OK] Node attached to cluster.
You can view the operational cluster nodes by navigating to the Helion Stackato web console and clicking
Admin > Cluster or by running the kato node list and kato status commands after you ssh
into your core node.
Important
After you finish configuring your WinDEA node, remove its RDP ports and public-facing IP address.
Note
To allow developers to push application code to a WinDEA, remember to install the win2012r2 stack and the .NET Buildpack.
To verify that all the cluster nodes are configured as expected, run the following command on the core node:
$ kato status --all
Use the kato node remove to remove a node from the cluster. Run the following command on the core node:
$ kato node remove <NODE_IP>
Once cluster nodes are connected to the core node, roles can be enabled or disabled using the Cluster Admin interface in the Management Console.
This is a configuration (not actually a cluster) which you would not generally deploy in production, but it helps to illustrate the role architecture in Helion Stackato. A node in this configuration will function much like a micro cloud, but can be used as the starting point for building a cluster later.
All that is required here is to enable all roles except for mdns (not used in a clustered or cloud-hosted environment):
$ kato node setup core api.hostname.example.com
$ kato role add --all-but mdns
This is the smallest viable cluster deployment, but it lacks the fault tolerance of larger configurations:
This configuration can support more users and applications than a single node, but the failure of any single node will impact hosted applications.
A typical small Helion Stackato cluster deployment might look like this:
In this configuration, fault tolerance (and limited scalability) is introduced in the pool of DEA nodes. If any single DEA node fails, application instances will be automatically redeployed to the remaining DEA nodes with little or no application down time.
A larger cluster requires more separation and duplication of roles for scalability and fault tolerance. For example:
In this configuration:
The Helion Stackato micro cloud runs with the following ports exposed:
| Port | Type | Service |
|---|---|---|
| 22 | tcp | ssh |
| 25 | tcp | smtp |
| 80 | tcp | http |
| 111 | tcp | portmapper |
| 111 | udp | portmapper |
| 443 | tcp | https |
| 3306 | tcp | mysql |
| 5432 | tcp | postgresql |
| 5678 | tcp | DEA directory server |
| 8181 | tcp | upload server |
| 9001 | tcp | supervisord |
On a production cluster, or a micro cloud running on a cloud hosting provider, only ports 22 (SSH), 80 (HTTPS) and 443 (HTTPS) need to be exposed externally (for example, for the Router / core node).
Within the cluster (behind the firewall), it is advisable to allow communication between the cluster nodes on all ports. This can be done safely by using the security group / security policy tools provided by your hypervisor.
If you wish to restrict ports between some nodes (for example, if you do not have the option to use security groups), the following summary describes which ports are used by which components. Source nodes initiate the communication, Destination nodes need to listen on the specified port.
| Port Range | Type | Source | Destination | Required by |
|---|---|---|---|---|
| 22 | tcp | all nodes | all nodes | ssh/scp/sshfs |
| 4222 | tcp | all nodes | controller | NATS |
| 3306 | tcp | dea,controller | mysql nodes | MySQL |
| 4567 | tcp | router | controller | AOK (auth) |
| 4568 | tcp | controller | all nodes | upgrades (sentinel) |
| 5432 | tcp | dea,controller | postgresql nodes | PostgreSQL |
| 5454 | tcp | all nodes | controller | redis |
| 6464 | tcp | all nodes | all nodes | applog (redis) |
| 7000 - 7999 | tcp | all nodes | all nodes | kato log tail |
| 7474 | tcp | all nodes | all nodes | config (redis) |
| 8181 | tcp | dea,router | controller | upload server |
| 9001 | tcp | controller | all nodes | supervisord |
| 9022 | tcp | dea | controller | droplets |
| 9022 | tcp | controller | dea | droplets |
| 9025 | tcp | controller | router | stackato-rest |
| 9026 | tcp | router | controller | stackato-rest |
| 41000 - 61000 | tcp,udp | dea,controller | service nodes | service gateways |
| 41000 - 61000 | tcp,udp | router | dea | router,harbor |
Each node can be internally firewalled using iptables to apply the above rules.
Comments:
kato log tail command.stackato
ssh feature to your users (recommended), define a distinct security
group for the public-facing Cloud Controller node that is the same as
a generic Helion Stackato group, but has the additional policy of allowing
SSH (Port 22) from hosts external to the cluster.In addition to the ports listed above for service nodes and gateways, several service nodes assign a port for each individual user-requested service instance. These ranges should be kept open between DEA nodes and their respective service nodes. The default ranges are:
Note
You can check the currently configured port range for each service
with kato config (for example, kato config get redis_node port_range).
For security reasons, Docker application containers restrict access to
hosts on the eth0 subnet. By default, only ports and hosts for built-in
services and components (for example, service instances bound to an application)
are explicitly allowed.
To configure a cluster for host and port access, you must determine the
IP address of each DEA node using the kato node list command and then ssh
to each DEA node. For example:
$ ssh -i myClusterPublicKey stackato@198.51.100.0
The following commands display the current configuration:
fence docker/allowed_subnet_ips: Display a list of all allowed IP addresses. For example:
$ kato config get fence docker/allowed_subnet_ips
- 192.51.100.0
- 192.51.100.1
- 192.51.100.2
fence docker/allowed_host_ports: Display a list of all allowed ports. For example:
$ kato config get fence docker/allowed_host_ports
- 80
- 443
- 8123
- 3306
- 6379
The following commands modify the current configuration:
fence docker/allowed_subnet_ips <ip-address:port>: Delete an IP address from the allowed_subnet_ips list. For example:
$ kato config pop fence docker/allowed_subnet_ips 192.0.2.24:6379
Note
You can open a port for an individual IP address or an IP CIDR block. Port settings apply only to the specified individual IP address.
fence docker/allowed_host_ports <port>: Delete a port from the allowed_host_ports list. For example:
$ kato config pop fence docker/allowed_host_ports 6379
The following settings allow or restrict access from application containers:
fence docker/allowed_host_ports: If applications need access to
custom services on a specific port, but the IP address changes or is
not known ahead of time, add the port to this list. For example:
$ kato config push fence docker/allowed_host_ports 25
Warning
Because this action opens the port to all IP addresses, do not perform it on production systems.
fence docker/allowed_subnet_ips: If the specific IP address for
a service is static and known, add the IP address with or without
the port specification. For example:
$ kato config push fence docker/allowed_subnet_ips 198.51.100.0
$ kato config push fence docker/allowed_subnet_ips 198.51.100.1:9001
fence docker/block_network_ips: To explicitly block access to a
specific IP address (internal or external):
$ kato config push fence docker/block_network_ips 203.0.113.0
To apply these changes to new application containers, and to restart the applications that have already been deployed, restart the DEA role.
Warning
Two additional settings are exposed in kato config but in most cases
should not be modified:
fence docker/exposed_container_ports: Container ports to be accessed over the subnet (internal services).fence docker/network_interface: The docker bridge interface.To enable port forwarding for user applications, you must configure the optional Harbor TCP/UDP port service on a node with a public network interface. The security group or firewall settings for this node should make the configured port range publicly-accessible. For complete configuration instructions, see Harbor Setup.
Helion Stackato upgrades, patches, and the staging of user applications require the download of packages from external sources. This is most often done over HTTP (port 80) or HTTPS (port 443).
If a UTM (unified threat management) device or other network gateway software is inspecting traffic between the Helion Stackato nodes and upstream package repositories, then user application staging, patching, and upgrades can fail because of timeouts or dropped packets.
Gateway devices and software should be configured to whitelist the upstream sources listed in the Proxy Settings for Upgrades as well as any package repositories or download sources required by buildpacks.
If packet inspection of all inbound traffic is a requirement in your
network, consider setting up offline buildpacks and internal package repository mirrors (for example,
nexus, debmirror, or rubygems-mirror).
To improve performance, you can have a Helion Stackato cluster run multiple controller nodes on separate VMs. To do this, all controller nodes must share the following two important directories on a high-availability filesystem server:
/home/stackato/stackato/data
/var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads
Warning
These directories are not empty.
You must copy the contents of these directories into the new, shared directories after creating symlinks.
Note
You may use any appropriate type of filesystem, storage server,
and network mount. However, when following the recommended workflow
that uses sshfs ensure that the following options are set
idmap=userreconnectallow_otherCreate a shared filesystem on a Network Attached Storage device.
Stop the controller process on the core node:
$ kato stop controller
Perform the following actions on the core node and each additional controller node, for example:
Create a mount point and give the stackato user ownership of the mount point:
$ sudo mkdir /mnt/controller
$ sudo chown stackato:stackato /mnt/controller
Allow non-root users to specify mount options:
$ sudo sed -i "s/#user_allow_other/user_allow_other/" /etc/fuse.conf
Add the stackato user to the fuse group and change the user's current group to fuse:
$ sudo addgroup stackato fuse
$ newgrp fuse
Mount the shared filesystem on the mount point (only on secondary controllers):
$ sshfs -o idmap=user -o reconnect -o allow_other -o ServerAliveInterval=15 \
stackato@10.0.0.3:/mnt/controller /mnt/controller
To mount the directory automatically when the system boots, add the mount
point to /etc/fstab on the secondary controllers so that the mount
point is restored when the system reboots. Copy the public SSH key of
the secondary controllers to the core node with ssh-copy-id
<CORE_NODE_IP> to allow sshfs to mount the filesystem without a
password.
The line should look something like the following:
sshfs#stackato@10.0.0.3:/mnt/controller /mnt/controller fuse IdentityFile=/home/stackato/.ssh/id_rsa,_netdev,delay_connect,idmap=user,reconnect,allow_other,ServerAliveInterval=15 0 0
Set aside the original /home/stackato/stackato/data directory
and create a symlink from this directory to the mount point:
$ mv /home/stackato/stackato/data /home/stackato/stackato/data.old
$ ln -s /mnt/controller /home/stackato/stackato/data
Move the original /var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads directory and
and create a symlink from this directory to the mount point:
$ mv /var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads \
/var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads.old
$ ln -s /mnt/controller /var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads
Copy the controller data and the droplets on the core node into the shared directory:
$ cp -r /home/stackato/stackato/data.old/* \
/var/stackato/data/cloud_controller_ng/tmp/staged_droplet_uploads.old/* /mnt/controller
Start the controller process:
$ kato start controller
To enable only the controller process, run the following command on the additional controller nodes:
$ kato node attach -e controller <CORE_IP>
Note
Although the router role must be enabled on the core node, it is
not required for the additional controller nodes.
For large-scale deployments that require multiple router nodes, you must configure a load balancer that will distribute connections between the routers.
You can configure a single load balancer to work with multiple router nodes in your Helion Stackato cluster. For the load balancer to work correctly, it must be able to communicate with the router nodes in the cluster.
Perform the following steps on each router node:
ssh into the node.
Rename the node using the kato node rename command.
Important
Each router node must have the same API endpoint.
Attach the node as a router to the core node:
$ kato node attach --enable router <core-ip>
(Optional) Set the HTTP and HTTPS proxies for applications <server-config-application-proxy>.
For more information, see Router Role.
You can configure load balancers to either terminate SSL connections or to pass them through to the routers. These configurations require different router settings.
If the load balancer terminates SSL:
Use HTTP or HTTPS listeners or ensure that the load balancer adds X-Headers.
In the router configuration, set prevent_x_spoofing to false.
Backends (connections to router nodes) should forward using HTTP.
Note
Using HTTPS is possible, but this requires chaining your certificates on the router nodes.
If the load balancer does not terminate SSL:
prevent_x_spoofing to true.Though most users will prefer to use a hardware load balancer or elastic load balancing service provided by the cloud hosting provider, a Helion Stackato VM can be configured to take on this role.
The kato node setup load_balancer command retrieves IP addresses of every router in the cluster and configures an nginx process to distribute load (via round-robin) among a pool of Routers and handle SSL termination.
For example, to setup a cluster with a Helion Stackato Load Balancer and multiple Routers:
The Load Balancer is the primary point of entry to the cluster. It must have a public-facing IP address and take on the primary hostname for the system as configured in DNS. Run the following on Load Balancer node:
$ kato node rename hostname.example.com
The core node will need to temporarily take on the API endpoint hostname of the Helion Stackato system (the same name as the Load Balancer above). Run the following on the core node:
$ kato node rename hostname.example.com
If it is not already configured as the core node, do so now:
$ kato node setup core api.hostname.example.com
The kato node rename command above is being used to set internal Helion Stackato
parameters, but all hosts on a network should ultimately have unique
hostnames. After setup, rename the core node manually by editing
/etc/hostname and /etc/hosts, then sudo service hostname restart.
As with the core node, you will need to run kato node rename on each
router with the same API endpoint hostname. Run the following on each
Router:
$ kato node rename hostname.example.com
Then enable the 'router' role and attach the node to the cluster:
$ kato node attach -e router <MBUS_IP>
As above, rename each host manually after configuration to give them
unique hostnames. The MBUS_IP is the network interface of the Core
node (usually eth0).
Note
A Helion Stackato node configured as a Load Balancer cannot have any other roles enabled.
Attach the Helion Stackato VM to the core node:
$ kato node attach <MBUS_IP>
To set up the node as a Load Balancer automatically:
$ kato node setup load_balancer --force
This command fetches the IP addresses of all configured routers in the cluster.
To set up the Load Balancer manually, specify the IP addresses of the Router nodes. For example:
$ kato node setup load_balancer 10.5.31.140 10.5.31.145
The Helion Stackato load balancer terminates SSL connections. SSL certificates must be set up and maintained on this node, and the backend router nodes in order for application SSO and AOK to work correctly.
See the Using your own SSL certificate and CA Certificate Chaining sections for Helion Stackato Load Balancer instructions.