Smart ID Digital Access component supports distributed mode to enable high availability and failover that provides powerful flexibility and scalability. With this mode, Digital Access component will switch to a redundant service once the primary one has stopped working. Thereby, not only one but several redundant services are supported. Using high availability enables systems to meet high service-level agreement (SLA) requirements.
This article describes the setup of high availability for two Digital Access components with docker swarm and running services. See also High availability architecture for Digital Access component.
- Manager node is the node that hosts the administration service.
- Worker node is a node that hosts other services, not running the administration service.
The following prerequisites apply:
- The following ports shall be open to traffic to and from each Docker host participating on an overlay network:
- TCP port 2377 for cluster management communications
- TCP and UDP port 7946 for communication among nodes
- UDP port 4789 for overlay network traffic
- For more details refer to: https://docs.docker.com/network/overlay/
- Keep a note of IP addresses of nodes where access point is running.
Get token and stop services - manager node
- SSH to the node running administration service, that is, the manager node.
Get the cluster join token by running this command. This token will be used for joining worker nodes to the manager node.
Output of the command will be like:
Stop the running services.
Join as worker nodes
Do these steps on all worker nodes. SSH to the worker node(s). Stop the running services. Get the node ID. Remove the labels. if you are using PostgreSQL as database then remove label using this command (not to run on PostgreSQL node): Remove the node from the current swarm. Join to manager swarm using the command output from "Get cluster join token" above. On success, the output will be: This node joined a swarm as a worker.
Do these steps on all worker nodes.
SSH to the worker node(s).
Stop the running services.
Get the node ID.
Remove the labels.
if you are using PostgreSQL as database then remove label using this command (not to run on PostgreSQL node):
Remove the node from the current swarm.
Join to manager swarm using the command output from "Get cluster join token" above.
On success, the output will be: This node joined a swarm as a worker.
Remove labels at manager node
- SSH to manager node.
Remove label for all services which are not required on this node.
Edit configuration files
Navigate to the docker-compose folder and edit these files:
For each service, add one section in the docker-compose.yml file.
For example, if you want to deploy two policy services on two nodes you will have two configuration blocks as shown in the example below.
Change the values for the following keys:
- Service name
For each service add network configuration in the network.yml file. For example, if you want to deploy two policy services on two nodes you will have two blocks of configuration as shown below.
Change the value of:
- Service name: Service name should be identical to what is mentioned in docker-compose.yml
Also make sure all the listeners that are used for access point Load balance are exposed on network.yml.
Add one line for each service in this file also.
For example, if you have two policy services with name policy1 and policy2, you will have two lines for each service.
At manager node
Verify if all nodes are part of cluster by running this command.
Identify nodes ID, master and worker where the service will be distributed.
Output from this command:
IP address will help to identify the Digital Access node
Add new labels for each service which you want to run in worker nodes. In this example, we have used “2” as postfix for each service name. You can choose any name based on your requirement, but make sure they are in accordance with what we have defined in constraint section in the docker-compose.yml file.
Use these commands to add label for each service:
Deploy your stack using this command. To run the command your working directory should be docker-compose.
docker stack deployis the command to deploy services as stack.
- compose file flag is used to provide the file name of base docker-compose file.
- -c is short for –compose-file flag. It is used to provide override files for docker -compose.
- <your da stack name> is the name of the stack. You can change it based on requirements.
In Digital Access Admin
- Log in to Digital Access Admin and change the internal host and port for each added service according to the docker-compose.yml and network.yml files.
- Go to Manage System > Distribution Services and
- select the checkbox “Listen on all Interfaces” in case of the ports that are to be exposed
- also select the checkbox “Distribute key files automatically”.
- Go to Manage System >Access Points and provide the IP address instead of the service name. Also enable the "Listen on all Interfaces" option.
Do final steps
Make sure all services are stopped, else remove stack using this command.
- In worker node, edit service Local Configuration file, and provide values for:
<core> <id>6</id> </core>
<attribute name="mHost" type="string" value="policy1"/>
<attribute name="mId" type="integer" value="6"/>
Copy the keys from manager node to worker node services.
For access point: copy only shared key.
For all services enabled in worker node: copy internal and shared keys.
Restart services using these commands.
For Database connection issue, enter this command.
Check connection in Digital Access Admin for IP and password provided.
This article is valid for Digital Access 6.0.5/Smart ID 21.04 and later.