2011-07-22

Firewalls using iptables

Since some clouds like Rackspace do not offer a service similar to Amazon's EC2 Security Groups for firewall purposes, there is now built-in support for using iptables to control port permissions.  For all Linux servers, iptables are enabled by default and are used to configure a local firewall with the following ports opened: 22 (SSH), 80 (HTTP), and 443 (HTTPS).  To disable the firewall set the 'Firewall' input to 'disabled' and run the 'sys_firewall::default' Chef recipe. To manually open or close a port use the 'sys_firewall::setup_rule' Chef recipe.   For services that require additional ports to be opened/closed, set the inputs appropriately and run the recipes as boot or decommission scripts.  Refer to RightScale's public 'app' and 'db' cookbooks for Chef recipe examples of how to leverage the 'sys_firewall' Chef cookbook for opening and closing specific ports.

Reconvergence

To help enforce system and deployment consistency the 'sys::do_reconverge_list_enable' Chef recipe can schedule cron jobs to periodically run recipes associated with the ServerTemplate.  By default, the period is every 15 minutes – with a random starting offset (to distribute runs being performed by multiple systems).  Use the 'Reconverge List' input to add a space-separated list of recipes to run. Clear or ignore this input if you wish to disable re-converge at launch time.

Chef Cookbooks

RightScale has three main cookbook repositories at github.com:

• https://github.com/rightscale/cookbooks_public - RightScale's publicly available cookbook repository
• https://github.com/rightscale/cookbooks_premium - RightScale's premium cookbook repository that's reserved for pay editions of RightScale.
• https://github.com/rightscale/cookbooks - Subset of the Opscode cookbooks repository that only contains the cookbooks on which the RightScale cookbooks depend.

Load Balancer (Chef) - Alpha

Description: Chef-based ServerTemplate that configures a Load Balancer and Apache server. It creates an entry vhost (http or https) and forwards requests to port 8000 of all the web application servers.  Servers launched with this ServerTemplate will automatically be labeled with a machine tag that will be used to identify it as a load balancer.  (e.g. "loadbalancer:lb=<applistener_name>" where the <applistener_name> value defines the listener pool (or vhost) for which they load balance.)  Machine tags are used to connect/disconnect the load balancers with the application servers instead of using the less secure 11H1 technique where a locally stored SSH Key is used to update the load balancer's configurations files.  Connections are made using remote script invocation over RightNet.  A freshly launched LB will attach all active application servers in the deployment that are tagged with the "loadbalancer:app=<applistener_name>" tag of the same listener pool. Conversely, a freshly launched application server will request connections to each of the load balancers in the listener pool so that it's automatically attached during the boot phase (using a remote recipe call sent to each load balancer). 

Note: It's a premium ServerTemplate that's reserved for pay editions of RightScale and requires access to use the premium 'lb_haproxy' cookbook

Supported Compute Clouds: Amazon Web Services EC2, Rackspace, CloudStack, Eucalyptus

MultiCloud Marketplace Link: http://www.rightscale.com/library/se...ef-Alpha/22197

Ancestor:  N/A

Supported OS: CentOS 5.4, RightLink v5.6

Additional Documentation (if any): 

• Supports tag-based connections with Application Servers
• The alpha version is specifically designed to work "PHP App Server (Chef) - Alpha" ServerTemplate. 
• Installs Apache 2.2.3 (CentOS) and HAProxy 1.3.

PHP App Server (Chef) - Alpha

Description: Chef-based ServerTemplate that configures a PHP application server with Apache.  Servers launched with this ServerTemplate will automatically be labeled with a machine tag that will be used to identify it as an application server.  (e.g. "appserver:active=true")  Tags are used to connect the application server to the load balancers as well as to the database server.  A database server will use the tag to update its port permissions so that it accepts requests from application servers with the appropriate tag.  Machine tags are used to connect/disconnect the application servers with the load balancers instead of using the less secure 11H1 technique where a locally stored SSH Key is used to update the load balancer's configurations files.  The recipes that are used to make the appropriate connections are found in the public "app" cookbook.   Reconvergence is used to update the firewall port permissions on an application server so that it will accept requests from the load balancers.

Supported Compute Clouds: Amazon Web Services EC2; Rackspace, CloudStack, Eucalyptus

MultiCloud Marketplace Link:  http://www.rightscale.com/library/se...ef-Alpha/22199

Ancestor:  N/A

Supported OS: CentOS 5.4, RightLink v5.6

Additional Documentation (if any): 

• Supports tag-based connections with Load Balancers
• Installs Apache 2.2.3 (CentOS) and PHP 5.3.6.
• The 'php/modules_list' defined by the 'PHP module packages' input contains an array of package names of PHP modules to install on the server at boot time. Since packages are used from the IUS repository, package names must be prepended with the 'php53u' prefix. The input type should also be set to "Array" in the dropdown menu.

Database Manager for MySQL 5.1 (Chef) - Alpha

Description: For more information, see the Database Manager with MySQL 5.1 (Chef) Alpha setup guide. Configures a single MySQL 5.1 database server. Support for multiple clouds, using either instance-based storage or attachable volumes. Instance-based snapshot backups are automatically uploaded to your choice of remote object storage (Amazon S3 or Rackspace Cloud Files). It also includes iptables management for clouds that do not have firewall services.  Servers launched with this ServerTemplate will automatically be labeled with a machine tag that will be used to identify it as a database server.  (e.g. "database:active=true")  Application servers will use the tag to identify active database servers.  Firewall port management recipes located in the "db_mysql" cookbook are used to make the connections between the database and application servers.  Reconvergence is used on the database servers to periodically check for new application servers and open up firewall ports for them.

For more information, see the Database Manager with MySQL 5.1 (Chef) Alpha setup guide. 

Supported Compute Clouds: Amazon Web Services EC2, Rackspace

MultiCloud Marketplace Link:  http://www.rightscale.com/library/se...ySQL-5-1/22192

Ancestor:  N/A

Supported OS: CentOS 5.4, RightLink v5.6

Additional Documentation (if any): 

• Supports LVM snapshots backed by S3, Cloudfiles or Volumes (as available) for a production-quality backup solution on any cloud. (ac-20315)
• The appropriate escape_string calls were added in order to sanitize the SQL credentials. (tr-3829)
• Two definitions were created for authors writing recipes which want to customize monitoring. These definitions encapsulate the logic for adding collectd plugins or processes to monitor. (tr-3828)
• Volume support for EC2 only.  
• Master-Slave data replication is currently not supported 

Base ServerTemplate for Linux (Chef) - Beta

Description: Simple "Hello World" Chef-based ServerTemplate.

• Basic set of scripts for a RightLink-based server with monitoring, alerts, etc.
• MultiCloud Images that reference the latest supported images.
• Basic set of alerts for monitoring.
• Examples of system required input variables.

Supported Compute Clouds: Amazon Web Services EC2, Rackspace, CloudStack, Eucalyptus

MultiCloud Marketplace Link:  http://www.rightscale.com/library/se...r-Linux-/22195

Ancestor:  N/A

Supported OS: Windows Server 2008 R2 SP1; Windows Server 2003 R2 SP2; Windows Server 2008 SP2

Additional Documentation (if any):

• N/A

V5 Images