A10 AX2000 Load Balancer Review
Posted by Sam
We've been using a Kemp load balancer for a bit over a year now. At the time we purchased the Kemp we weren't pushing that much traffic and the Kemp was an OK replacement for the Cisco LocalDirector that it replaced. However, our needs grew more quickly than we expected and the Kemp just couldn't keep up. When it was only pushing L4 traffic it was fine, but once we started pushing L7 traffic it just couldn't keep up. The CPU would spike to 100% and the load balancer would stop passing traffic until it caught its breath. Usually only a few seconds but that's a lifetime for a website. The Kemp had other things that I didn't really like once I dug deeper. For example there was no way to set up a second server to only get traffic when the primary went down. You could set the weighting really high but it was still hacky. The interface also had its quirks. Sometimes you could set a label on a VIP and sometimes you couldn't. I didn't feel confident that another Kemp would serve us well with our increased requirements. So I started researching other load balancers.
I'd never heard of A10 until I read this article on selective source NATing. I prefer to use the load balancer as the gateway in what's often called routed mode. This works great for everything except being able to hit the VIP on the same subnet. Selective source NATing lets me use routed mode, keep the client IP addresses and still be able to hit the VIP locally. This is really useful when you have one site that needs to call another site or for monitoring. You can hit the VIP and keep the benefits of load balancing the servers.
Another thing I like about the A10 is that they don't have licensing fees. Once you own the box you own all of the features that the software has. F5 and most of the other big vendors charge you a licensing fee to "unlock" additional features. They also don't require a license key like the Kemp does.
So far the A10 has been extremely fast. It's a quad CPU box and I've never seen the dedicated data CPUs rise above 2-3%. The A10 has other features that you'd expect such as caching, compression and SSL offloading. I'm not too concerned with any of those features yet, but so far the A10 nails the basics. I expect to be able to use caching and compression without any CPU congestion.
There are a couple of nitpicks with the A10 such as the web interface could use some usability tweaks and a quick start guide would be nice. Also, looking through the aFlex rules it looks like you can't override which server traffic goes to if you are using server persistence. I understand the logic but it's very possible that you might want to offload static files to a very fast web server while serving dynamic content from an app server for example. If I'm reading the aFlex guide correctly this isn't possible.
A couple of features I'd like to see are the ability to limit traffic based on bandwidth. This can be done through the firewall but it would be nice if it was integrated into the load balancer. The other thing I'd like to see are combined bandwidth and connections graphs. The A10 shows one graph per VIP. It would be really nice to see one graph with all the VIPs so you could see all the traffic with one graph instead of switching among perhaps a dozen or more individual graphs. This can be accomplished with something that monitors the A10 via SNMP but it would be nice to have it in the web interface. And last on my wish list would be some sort of application firewall. This might be possible with aFlex rules but writing a decent set of rules from scratch would be a pretty big task. At least a basic set of rules would be helpful (assuming the aFlex rules would work for that).
All in all I'm pretty happy with the A10. It's solid and fast. A few more features and nothing in its price range could touch the A10. If you have any specific questions feel free to leave them in the comments.
Tags: loadbalancer
Installing RMagick on Solaris
Posted by Sam
It seems that installing RMagick is a pain on any OS but recently installing on Solaris seemed a bit impossible. Previously we were using ImageMagick 5.2.9 and an older version of RMagick. We've recently switched from Blastwave to OpenCSW to get our Solaris package fix. With that came a new version of ImageMagick and new problems. Turns out ImageMagick from OpenCSW was compiled using OpenMP but support for that isn't in the current version of GCC that OpenCSW has. Here are the steps I took to install RMagick. There might be a simpler way but this worked for me.
wget http://rubyforge.org/frs/download.php/51093/rmagick-2.9.1.gem
gem unpack rmagick-2.9.1.gem
Change line #139 rmagick-2.9.1/ext/RMagick/extconf.rb to: $CFLAGS = ENV["CFLAGS"].to_s + " -I/opt/csw/include/ImageMagick"
cd rmagick-2.9.1
gem build rmagick.gemspec
gem install rmagick-2.9.1.gem
Automating Windows Tasks with Capistrano
Posted by Sam
It seems that I've been getting more and more work but my group is still me and one other guy. And the crazy thing is we just keep getting our work done. It seems no matter how much work we get we just keep finding ways to get it done. A big part of this is because of Ruby on Rails and to a lesser extent Solaris.
I discovered Ruby on Rails about 4 years ago and I haven't looked back since. You might be wondering what Ruby on Rails has to do with automating Windows tasks. Well that's a good question. Rails is about getting things done and not repeating yourself. There are two types of programmers and system admins. Those that automate and those that don't. If you find yourself doing the same thing more than twice then you should be finding a way to automate it. The Rails community has been driving this since the very beginning and because of this dogged determination to automate and streamline programming and processes several tools have been created to handle this. One of those tools is Capistrano. Capistrano is a great way to run remote tasks on one or a hundred servers. It's relatively easy to use and once you've written your scripts you will save a mountain of time.
Capistrano wasn't written with deploying to Windows servers in mind and that's fine. It's open source. You can either create your own tool or make it work for your environment. Fortunately, making it work in Windows is actually quite easy. Basically you need an SSH server and a Unix shell installed on your Windows server. Both tasks can be handled easily by installing copSSH. CopSSH installs OpenSSH and BASH along with several other GNU tools. This is enough for you to start writing Capistrano tasks. In a future post I'll show how to automate some common (for me) Windows tasks like creating sites in IIS and creating domain names.
Tags: windows capistrano
GZip IIS logs in four lines of ruby
Posted by Sam
I've been running IIS web servers for about 8 years now. I have to say that I'm not a big fan. It's more of a hassle to move and automate, especially compared to Apache. One of the things I haven't taken time to really take care of until now is managing the logs in an automated fashion. I decided it was time to take 5 minutes to handle this repetitive task. So I took a couple of minutes and installed Ruby 1.8.6 on the web servers and wrote the four line script to find and gzip all IIS log files excluding today's. Hopefully you find it useful.
# Name of today's log file (exYYMMDD.log), which is skipped
ignore_file = Time.now.strftime 'ex%y%m%d.log'
Dir.glob 'C:/logs/**/*.log' do |f|
  # Pass the path as its own argument so no shell ever parses the file name
  system 'c:/scripts/gzip.exe', '-9', f unless f.include? ignore_file
end
Nagios plugin for Apache
Posted by Sam
I've been using Nagios for years and for monitoring it's been great. The biggest problem is that there has never been a decent graphing solution that wasn't a giant pain in the butt. Thankfully that's no longer the case. I recently stumbled across pnp and it's been perfect. Good enough in fact that I've stopped looking for a replacement.
Since Phusion will now compile on Solaris I've switched from LiteSpeed back to Apache. Since going back to Apache I decided to dust off an old Nagios script I had for monitoring Apache's processes. It's pretty basic but it works with pnp to graph how busy your Apache servers are. Here's the script.
#!/opt/csw/bin/python
import http.client, re, sys, getopt

# Nagios return codes
OK = 0
Warning = 1
Critical = 2
Unknown = 3

# Variables
hostname = ''
warningThreshold = -1
criticalThreshold = -1

def getUsers(hostname):
    # Fetch the mod_status page and pull out the "N requests currently" count
    con = http.client.HTTPConnection(hostname)
    con.request("GET", "/server-status")
    res = con.getresponse()
    results = res.read().decode('utf-8', 'replace')
    con.close()
    match = re.search(r"\d+ requests currently", results)
    if match:
        newmatch = re.search(r"\d+", match.group())
        if newmatch:
            return int(newmatch.group())
        else:
            return -1
    else:
        return -1

def showUsage():
    print(sys.argv[0] + ' -h -H hostname -w warning -c critical')
    # Exit as Unknown so a misconfigured check never reports OK
    sys.exit(Unknown)

# Get command line options
try:
    optlist, args = getopt.getopt(sys.argv[1:], 'hH:w:c:')
except getopt.GetoptError:
    showUsage()

for o, a in optlist:
    if o == '-h':
        showUsage()
    if o == '-H':
        hostname = a
    if o == '-c':
        criticalThreshold = int(a)
    if o == '-w':
        warningThreshold = int(a)

# Validate command line options
if criticalThreshold == -1:
    print('critical threshold was not set')
    showUsage()
if warningThreshold == -1:
    print('warning threshold was not set')
    showUsage()
if hostname == '':
    print('hostname was not set')
    showUsage()

# Any connection or HTTP failure is reported as Unknown
try:
    currentUsers = getUsers(hostname)
except Exception:
    print('Unknown')
    sys.exit(Unknown)

# The text after the | is performance data, which pnp graphs
if currentUsers >= criticalThreshold:
    print('Critical: ' + str(currentUsers) + ' users|current_users=' + str(currentUsers))
    sys.exit(Critical)
elif currentUsers >= warningThreshold:
    print('Warning: ' + str(currentUsers) + ' users|current_users=' + str(currentUsers))
    sys.exit(Warning)
elif currentUsers >= 0:
    print('OK: ' + str(currentUsers) + ' users|current_users=' + str(currentUsers))
    sys.exit(OK)
else:
    print('Unknown')
    sys.exit(Unknown)
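The script above scrapes the HTML status page. As an added example (not part of the original post), the same check can read mod_status's machine-readable output from /server-status?auto, fall back to Unknown when the response holds no worker counts, and put the thresholds into the performance data. The function names and the sample response are constructed for illustration.

```python
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Constructed sample of mod_status machine-readable output (/server-status?auto).
SAMPLE = """\
Total Accesses: 18342
Total kBytes: 90211
Uptime: 86400
BusyWorkers: 7
IdleWorkers: 13
Scoreboard: W_K_W_R_W_K_W_______............
"""

def parse_status_auto(body):
    """Return the 'Key: value' lines of a ?auto response as a dict of strings."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_workers(body, warn, crit):
    """Map the busy-worker count to a Nagios (exit_code, output_line) pair."""
    fields = parse_status_auto(body)
    try:
        busy = int(fields["BusyWorkers"])
        idle = int(fields["IdleWorkers"])
    except (KeyError, ValueError):
        # An error page, a redirect or the HTML status page lands here.
        return UNKNOWN, "UNKNOWN: no worker counts in server-status output"
    # Each scoreboard character is one slot; '.' is an open slot with no process.
    slots = len(fields.get("Scoreboard", "")) or busy + idle
    if busy >= crit:
        code, label = CRITICAL, "CRITICAL"
    elif busy >= warn:
        code, label = WARNING, "WARNING"
    else:
        code, label = OK, "OK"
    # Perfdata format: label=value;warn;crit;min;max
    perf = "busy_workers=%d;%d;%d;0;%d idle_workers=%d;;;0;%d" % (
        busy, warn, crit, slots, idle, slots)
    return code, "%s: %d busy, %d idle workers|%s" % (label, busy, idle, perf)

if __name__ == "__main__":
    print(check_workers(SAMPLE, warn=20, crit=28)[1])
```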