Home > ServerTemplates > Infinity > Supplemental > Deployment Prerequisites (Linux)

Deployment Prerequisites (Linux)

Objective

To complete the necessary prerequisite steps before building a deployment with the Chef-based ServerTemplates.

Table of Contents

Overview

The following steps should be performed before you attempt to build a multi-tier deployment.

Steps

Create a Deployment

It's recommended that you create a new deployment (Manage > Deployments) for each new project or reference architecture that you're going to build because you do not want to accidentally inherit any unknown configuration settings.

See Create a New Deployment. (Requires 'actor' user role privileges.)

Tip: It's recommended that you create a bookmark to the deployment's Servers tab for quick navigation back to the deployment at any time.

Create Cloud-specific Resources

Prerequisites: Requires 'actor' user role privileges in the RightScale account to create SSH Keys and Elastic IPs, and 'security_manager' privileges to create/modify security groups.

Each cloud infrastructure is unique and requires different resources in order to launch a server in their cloud. Depending on the type of cloud infrastructure that you're going to use to launch servers, you will find it useful to create some of the required cloud-specific resources beforehand so that you can select them in the "Add Server Wizard" when you add servers into a deployment. Some cloud resources are also region-specific. For example, you cannot launch an EC2 instance in the 'us-east' region with a 'us-west' security group. 

SSH Key

If the cloud does not require the use an SSH Key, you can ignore this step. 

SSH Keys are used for authentication purposes to create SSH console sessions for root level access to the instance. Although you are required to associate an SSH Key to a server before you can launch it, the private key material is no longer required if managed SSH (Server Login Control) is enabled for the account (Settings > Account Settings > SSH). By default, Server Login Control is enabled at the account level, where a user's own unique RSA key pair (Settings > User Settings > SSH) is used for authentication purposes for establishing SSH console sessions on all RightLink-enabled instances.

You can either use an existing SSH Key or create a new one.

Security Groups

If the cloud does not support Security Groups, you can ignore this step. 

Security groups are firewall settings that apply to instances within a cloud at the infrastructure layer. Security groups are typically used to control ingress communication (i.e. inbound communication to an instance over a particular port and protocol) however, some clouds support the use of security groups to also control egress communication (i.e. outbound requests from the instance). Once you create a security group you can create different firewall rules that control the level of access to instances launched with that particular security group(s). Firewall rules are enforced at the cloud (infrastructure) level using IP-based or Group-based permissions.

If you are building this deployment for demonstration and testing purposes, you can simply create a single security group for all servers in your deployment. 

The steps for creating a single security group are different depending on the type of account and cloud that you are using.

  1. For a Unified Cluster Platform (UCP) RightScale account (e.g. us-3.rightscale.com), follow the cloud-specific instructions below. ​
  2. For a Legacy Platform RightScale account (e.g. my.rightscale.com), follow the cloud-specific instructions below. 

Once you are successful setting up your first multi-tier deployment you can set up more secure firewall permissions that would be more realistic for production environments. See Configuring multiple Security Groups for a multi-tiered Deployment.

Remappable Public IP Addresses

Some clouds support the use of public IP addresses that you can associate with a server at launch time or remap to another running server, as necessary for lifecycle management scenarios. It's recommended that you use this service, if available for front-end load balancer or web servers that are designed to be public facing. If you're using dedicated HAProxy load balancer servers, you should create/reserve one IP address for each load balancer server. Typically, you will have two HAProxy load balancer servers for high-availability and failover purposes. If you are using a cloud's load balancing service such as Amazon Elastic Load Balancers (ELB) or Rackspace Cloud Load Balancers (CLB) you cannot assign remappable IP addresses. In such cases, skip this step.

Create DNS Records

In a typical 3-tier architecture setup, DNS A records are used to create fully qualified domain names (FQDNs) that map to a particular server or tier of servers. The diagram below shows a typical example of a 3-tier website architecture.

In this type of architecure, the application servers and any "slave" database servers locate the "master" database server by using Master-DB's FQDN (e.g. db-master.example.com), which points to the Master-DB's private IP address. Similarly, front-end web traffic can be routed to a FQDN (e.g. www.example.com) where each load balancer server has a DNS record for that FQDN so that incoming requests are routed to one of the load balancer servers. Since the IP address of an instance in the cloud is often dynamically assigned at launch time, you are required to use a DNS provider that supports dynamic DNS (i.e. the ability to dynamically update the IP address of an A record) for the Master-DB server (at a minimum). You can also use the same DNS provider for creating FQDNs for the load balancer servers. However, since they do not require the use of dynamic DNS, any DNS provider can be used.

TTLs

When you create the DNS records, it's important to set appropriate TTLs to ensure that servers will not stay connected to an old IP address that is no longer assigned to a functional server. For example, the DNS record that points to the "master" database server should have a low TTL to ensure that the application servers will connect to the correct server within a reasonable amount of time. It's strongly recommended that you use a TTL of 60 seconds for the DNS record that points to the "master" database server. If you are also creating DNS records for the front-end load balancer servers, you can use a more conservative TTL than the database tier. (e.g. 1800 seconds)

Note: If you are using Rackspace's Cloud DNS service, you must use a TTL of 300 seconds because that is the lowest allowable TTL. Be sure to change the 'Database DNS TTL Limit' input from 60 (default) to 300.

diag-3tier_ga-v4.png

 

You will need to create DNS records for the following servers:

  • Each Load Balancer Server or Load Balancing service (e.g. Amazon Elastic Load Balancer, Rackspace Cloud Load Balancer, etc.)
  • Master Database Server
  • Slave Database Server (optional)

 

RightScale's ServerTemplates contain scripts that support one of the following DNS providers. Create an account with one of the DNS providers below and set up the A records accordingly.

Create Credentials

Prerequisites: Requires 'designer' user role privileges in the RightScale account to create a new credential.

Important!
Only the user who created the credential and any 'admin' users will be able to view and modify an existing credential. 

Credentials are a way of passing sensitive information to a script (as an input) in a discrete manner without making the actual value visible in the Dashboard. As a best practice, many of the ServerTemplates published by RightScale are preconfigured to use certain credentials. It's recommended that you create these common credentials in your own account. If they already exist and apply to a different deployment, you might want to create a new set of credentials to avoid any conflicts. In such cases, it's helpful to use a common prefix to group the credentials together. (e.g. APP1_DBADMIN_USER)

If you try to launch a server where one of the inputs references a credential that does not exist in the RightScale account, you will receive an error message and will not be able to launch the server. Therefore, it's best to create any required credentials before you configure and launch a server. Depending on your cloud provider and backup storage selections, you may want to create additional credentials.

At a minimum, create the following credentials. See Create a New Credential for more information.

Common Credentials for a 3-Tier Linux Architecture

If you are going through a 3-tier tutorial you should create the following credentials with your own values or you can use the example values, if desired.

  • DBADMIN_USER - Username of a database user with administrator privileges. Use this credential for the "Database Admin Username" input.
    • 3 Tier Tutorial: admindb
  • DBADMIN_PASSWORD - Password for DBADMIN_USER. Use this credential for the "Database Admin Password" input.
    • 3 Tier Tutorial: a1234
       
  • DBAPPLICATION_USER - User name of a database user with user-level privileges. Use this credential for the "Database Application Username" input. Note: For PostgreSQL databases, the username cannot start with a number.
    • 3 Tier Tutorial: johnsmith
  • DBAPPLICATION_PASSWORD - Password for DBAPPLICATION_USER. Use this credential for the "Database Application Password" input.
    • 3 Tier Tutorial: 1234z
       
  • DBREPLICATION_USER - Username of a database user with replication permissions on the server. Use this credential for the "Database Replication Username" input.
    • 3 Tier Tutorial: dbrpl
  • DBREPLICATION_PASSWORD - Password for DBREPLICATION_USER. Use this credential for the "Database Replication Password" input.
    • 3 Tier Tutorial: ic6789
       
  • DNS_USER* - Username that's used to log into your DNS provider and update DNS records. It's commonly used to update the A record with the private IP address of the "master" database server. Use this credential for the "DNS User" input.
  • DNS_PASSWORD* - Password for DNS_USER. Use this credential for the "DNS Password" input.

If you use Amazon Route 53 or Rackspace Cloud DNS as your DNS provider, you do not need to set up separate DNS user name and password credentials because your cloud credentials are used for authentication purposes. 

Remote Object Storage (ROS)

ServerTemplates published by RightScale have built-in support for several remote object storage (ROS) solutions. Valid cloud credentials are required to retrieve "private" files from an ROS container, create a new container, or store files in a container (such as a binary database backup files).

Set up your desired ROS service(s) and create the recommended user-defined credentials, which you will use when you define inputs for your deployments.

Software Repositories

Source Control Management (SVN, GitHub, FTP, rsync)

If you are using a source control management (SCM) system to host your application code, you will need to create the appropriate credentials to retrieve your source code from the specified repository.

  • GIT_SSH_KEY - A valid SSH Key for accessing a private repository hosted on GitHub.com. Use this credential for the "Account credential" input. 
     
  • SVN_USERNAME - The SVN username that has access to the specified repository. Use this credential for the "Account name" input.
  • SVN_PASSWORD - Password for SVN_USERNAME. Use this credential for the "Account credential" input.

 

  • FTP_USERNAME - The username that you use to log into the FTP server to access your software repository. Use this credential for the "Account name" input.
  • FTP_PASSWORD - Password for FTP_USERNAME. Use this credential for the "Account credential" input.

 

You can also download application source code from rsync sources.

  • RSYNC_USERNAME - The username to log into the remote host. Use this credential for the "Account name" input.
  • RSYNC_SSH_KEY - If the remote host supports SSH key authentication, create an SSH Key for rsyncing data between servers. Use this credential for the "Account credential" input.

Secure Sockets Layer (SSL)

Load Balancer

If you are using SSL to support HTTPS access, you should create credentials for any of the following values that apply. See How do I create an SSL certificate for my web server?

  • LB_STATUS_USERNAME - Optional user name to require in order to log in to the HAProxy status report page.
  • LB_STATUS_PASSWORD - Optional password corresponding to LB_STATUS_USERNAME.
  • SSL_CERTIFICATE - Contents of the X.509/PEM-format SSL server certificate used for enabling HTTPS communications.
  • SSL_CERTIFICATE_CHAIN - The certificate authority (CA) certificate chain associated with the server certificate used to set up HTTPS communications.
  • SSL_CERTIFICATE_KEY - The SSL server certificate's private key, in PEM format.
  • SSL_PASSPHRASE - If required by an SSL certificate, you must provide the passphrase so Apache can start.
Database

If you are using the public network to connect to the master database server, it's recommended that you use SSL to encrypt the data being transfered between the master database server and the associated slave and/or application servers. Note: SSL is currently only supported in the Database Manager for MySQL 5.1/5.5 ServerTemplates.

  • MYSQL_SSL_CERT - The name of your CA SSL Certificate.
  • MYSQL_SSL_MASTER_CERT - The name of your Master SSL Certificate.
  • MYSQL_SSL_MASTER_KEY - The name of your Master SSL Key.
  • MYSQL_SSL_SLAVE_CERT - The name of your Slave SSL Certificate.
  • MYSQL_SSL_SLAVE_KEY - The name of your Slave SSL Key.
You must to post a comment.
Last Modified
08:14, 6 Feb 2014

Page Rating

Was this article helpful?

Tags


Announcements

UCP Migration

Glossary | 用語용어 Site Map | Site Help Community Corporate Site Get Support Dashboard Login
Doc Feedback Product Feedback Resources MultiCloud Marketplace Forums

Dashboard Status


© 2006-2014 RightScale, Inc. All rights reserved.
RightScale is a registered trademark of RightScale, Inc. All other products and services may be trademarks or servicemarks of their respective owners.