2 files changed, 626 insertions, 0 deletions
diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
index 1b04c40..74ff1dd 100644
--- a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
+++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
@@ -420,4 +420,630 @@ node0.1048576kB = 3 </programlisting>
      </note>
    </section>
  </section>
+  <section id="high_availability_ig">
+    <title>Installing the Enea uCPE Manager in High Availability Mode</title>
+    <para>The following describes the setup needed for running the Enea uCPE
+    Manager in High Availabilty (HA) mode, with a MariaDB database cluster.
+    The desired setup is depicted in the following diagram:</para>
+    <figure>
+      <title>The High Availability setup</title>
+      <mediaobject>
+        <imageobject>
+          <imagedata align="center" contentwidth="600"
+                     fileref="images/high_av_setup.png" />
+        </imageobject>
+      </mediaobject>
+    </figure>
+    <section id="ha_reqs">
+      <title>Requirements for High Availability</title>
+      
+      <para>The following hardware is needed for deploying the base configuration:</para>
+      <itemizedlist>
+        <listitem>
+          <para>Machines running the Enea uCPE Manager and MariaDB:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>4 CPU cores</para>
+            </listitem>
+            <listitem>
+              <para>12 - 16 GB memory</para>
+            </listitem>
+            <listitem>
+              <para>256 - 512 GB hard disk</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+        <listitem>
+          <para>Machines running only MariaDB:</para>
+          <itemizedlist spacing="compact">
+            <listitem>
+              <para>2 CPU cores</para>
+            </listitem>
+            <listitem>
+              <para>8 GB memory</para>
+            </listitem>
+            <listitem>
+              <para>256 - 512 GB hard disk</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+        <listitem>
+          <para>The Enea uCPE Manager machines should run CentOS 7, this is
+          the only currently supported version.</para>
+        </listitem>
+        <listitem>
+          <para>All machines should be on the same subnet. For geographically
+          distributed servers, a VPN can be used.</para>
+        </listitem>
+        <listitem>
+          <para>All VCPE devices will typically connect to the external IP
+          (WAN) address (exported by the Big-IP firewall).</para>
+        </listitem>
+        <listitem>
+          <para>WAN traffic will be HTTPS, whereas internal communication will
+          be through HTTP.</para>
+        </listitem>
+        <listitem>
+          <para>External clients (browsers using the GUI as well as clients
+          using the REST API) will connect to the external (WAN)
+          address.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
+    <section id="firewall_rules">
+      <title>Firewall Rules</title>
+      <para>The following firewall configuration is needed:</para>
+      <orderedlist>
+        <listitem>
+          <para>Disable <literal>SELINUX</literal> on all database servers by
+          editing <literal>/etc/sysconfig/selinux</literal> and changing the
+          following:</para>
+          <programlisting>SELINUX=disabled
+SELINUXTYPE=targeted</programlisting>
+        </listitem>
+        <listitem>
+          <para>Reboot the server:</para>
+          <programlisting>[root@localhost ~]# sudo shutdown -r now</programlisting>
+        </listitem>
+      </orderedlist>
+      <para>The following ports should be opened in the local firewall (not
+      Big-IP), for each Enea uCPE Manager machine:</para>
+      <table>
+        <title>Ports for Enea uCPE Manager Machines</title>
+        <tgroup cols="2">
+          <colspec align="left" />
+          <thead>
+            <row>
+              <entry align="center">Port (Protocol)</entry>
+              <entry align="center">Usage</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>80 (TCP)</entry>
+              <entry>HTTP (used by Big-IP firewall)</entry>
+            </row>
+            <row>
+              <entry>443 (TCP)</entry>
+              <entry>HTTPS</entry>
+            </row>
+            <row>
+              <entry>54327 (UDP)</entry>
+              <entry>Cluster multicasting (Hazelcast)</entry>
+            </row>
+            <row>
+              <entry>5701 - 5708 (TCP)</entry>
+              <entry>Hazelcast communications</entry>
+            </row>
+            <row>
+              <entry>4334 (TCP)</entry>
+              <entry>NETCONF call-home</entry>
+            </row>
+            <row>
+              <entry>7000 - 7009 (TCP)</entry>
+              <entry>Reverse SSH connection pool</entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+      <para>For each MariaDB machine, the following firewall configuration is needed:</para>
+      <table>
+        <title>Ports for MariaDB Machines</title>
+        <tgroup cols="2">
+          <colspec align="left" />
+          <thead>
+            <row>
+              <entry align="center">Port (Protocol)</entry>
+              <entry align="center">Usage</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>3306 (TCP)</entry>
+              <entry>Client connections</entry>
+            </row>
+            <row>
+              <entry>4567 (UDP/TCP)</entry>
+              <entry>Galera cluster replication with multicasting</entry>
+            </row>
+            <row>
+              <entry>4568 (TCP)</entry>
+              <entry>Incremental state transfer</entry>
+            </row>
+            <row>
+              <entry>4444 (TCP)</entry>
+              <entry>State snapshot transfer</entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+      <para>The following ports should be accessible externally and translated
+      to the Virtual IP side as shown below (by the Big-IP firewall):</para>
+      <table>
+        <title>Ports for Virtual IP</title>
+        <tgroup cols="3">
+          <colspec align="left" />
+          <thead>
+            <row>
+              <entry align="center">External Port (Protocol)</entry>
+              <entry align="center">Usage</entry>
+              <entry align="center">Local Port (Protocol)</entry>
+            </row>
+          </thead>
+          <tbody>
+            <row>
+              <entry>443 (TCP)</entry>
+              <entry>HTTPS to/back HTTP</entry>
+              <entry>80 (TCP)</entry>
+            </row>
+            <row>
+              <entry>4334 (TCP)</entry>
+              <entry>NETCONF call-home</entry>
+              <entry>4334 (TCP)</entry>
+            </row>
+            <row>
+              <entry>7000 - 7009 (TCP)</entry>
+              <entry>Reverse SSH connection pool</entry>
+              <entry>7000 - 7009 (TCP)</entry>
+            </row>
+          </tbody>
+        </tgroup>
+      </table>
+    </section>
+    <section id="ha_installation">
+      <title>Installing High Availability</title>
+      <para>The Enea uCPE Manager can be installed in High Availability mode with 
+      a MariaDB database cluster by performing the following steps. The mandatory 
+      Java configuration is also detailed.</para>
+      <section id="ha_mariadb">
+        <title>Installing and configuring the MariaDB cluster</title>
+        <para>Install the latest MariaDB packages on all servers.</para>
+        <note>
+          <para>The setup was tested using MariaDB 10.5.8, built for CentOS
+          7.</para>
+        </note>
+        <para><emphasis role="bold">How to install MariaDB</emphasis></para>
+        <orderedlist>
+          <listitem>
+            <para>Make sure the following packages are installed:</para>
+            <programlisting>MariaDB-compat-10.5.8-1.el7.centos.x86_64
+MariaDB-common-10.5.8-1.el7.centos.x86_64
+MariaDB-server-10.5.8-1.el7.centos.x86_64
+MariaDB-client-10.5.8-1.el7.centos.x86_64
+galera-4-26.4.6-1.el7.centos.x86_64</programlisting>
+            <para>These provide the MariaDB server, client and the Galera
+            <literal>wsrep</literal> provider library.</para>
+          </listitem>
+          <listitem>
+            <para>Copy the <literal>wsrep</literal> template:</para>
+            <programlisting>[root@localhost ~]# cp /usr/share/mysql/wsrep.cnf /etc/my.cnf.d</programlisting>
+          </listitem>
+          <listitem>
+            <para>Change the following configuration:</para>
+            <programlisting># Full path to wsrep provider library or 'none'
+wsrep_provider=/usr/lib64/galera-4/libgalera_smm.so
+# Provider specific configuration options
+#wsrep_provider_options=
+# Logical cluster name. Should be the same for all nodes.
+wsrep_cluster_name="ucpemanager"
+# Group communication system handle
+wsrep_cluster_address="gcomm://192.168.10.11,192.168.10.12,..,192.168.10.16"
+# Human-readable node name (non-unique). Hostname by default.
+wsrep_node_name=Node1  
+# current node's name. set node name for each server in the cluster
+# Base replication &lt;address|hostname&gt;[:port] of the node.
+# The values supplied will be used as defaults for state transfer receiving,
+# listening ports and so on. Default: address of the first network interface.
+wsrep_node_address=192.168.10.11 
+#current node's interface IP . must be set for each node in the cluster</programlisting>
+            <note>
+              <para>Steps 2 and 3 must be performed for each MariaDB node in
+              the cluster.</para>
+            </note>
+          </listitem>
+          <listitem>
+            <para>Bootstrap the first node in the cluster (identified by
+            <literal>Node1</literal> for example), by running:</para>
+            <programlisting>[root@localhost ~]# galera_new_cluster</programlisting>
+            <para>This script passes the
+            <literal>--wsrep-new-cluster</literal> to
+            <literal>mysqld</literal> which tells the node that there is no
+            pre-existing cluster to connect to. The node will create a new
+            UUID to identify the new cluster.</para>
+            <note>
+              <para>Do not execute this script when connecting to an existing
+              cluster. It will create a new UUID to identify the cluster
+              again, and the node won't reconnect to the old cluster.</para>
+            </note>
+          </listitem>
+          <listitem>
+            <para>Go to <literal>Node1</literal> and start the service:</para>
+            <programlisting>[root@localhost ~]# systemctl start mariadb</programlisting>
+            <para>Subsequently, start the service on the other servers.</para>
+          </listitem>
+          <listitem>
+            <para>Verify that the nodes have entered the cluster:</para>
+            <programlisting>[root@localhost ~]# mysql --host=localhost --user=root -p
+MariaDB [(none)]&gt; show status like 'wsrep_cluster_conf_%';
+-----------------------+-------+
+| Variable_name         | Value |
+-----------------------+-------+
+| wsrep_cluster_conf_id | 3     |
+-----------------------+-------+
+1 row in set (0.001 sec)</programlisting>
+          </listitem>
+          <listitem>
+            <para>Run the initial configuration script (only once, on one of
+            the machines in the cluster):</para>
+            <programlisting>[root@localhost ~]# mysql_secure_installation
+Switch to unix_socket authentication [Y/n] Y
+Enabled successfully!
+Reloading privilege tables..
+ ... Success!
+…
+Change the root password? [Y/n] Y
+New password: 
+Re-enter new password: 
+Password updated successfully!
+Reloading privilege tables..
+ ... Success!
+…
+Remove anonymous users? [Y/n] Y
+ ... Success!
+…
+Disallow root login remotely? [Y/n] Y
+ ... Success!
+…
+Remove test database and access to it? [Y/n] Y (optional)
+ - Dropping test database...
+ ... Success!
+ - Removing privileges on test database...
+ ... Success!
+Reload privilege tables now? [Y/n] Y
+ ... Success!
+Cleaning up...
+All done!  If you've completed all of the above steps, your MariaDB
+installation should now be secure.
+Thanks for using MariaDB!</programlisting>
+          </listitem>
+          <listitem>
+            <para>Create the initial database and grant access to it:</para>
+            <programlisting>[root@localhost application]# mysql --host=localhost --user=root -p
+MariaDB [(none)]&gt; CREATE DATABASE ucpemanager CHARACTER SET='utf8' \
+COLLATE='utf8_bin';
+Query OK, 1 row affected (0.004 sec)
+MariaDB [(none)]&gt; GRANT ALL PRIVILEGES ON ucpemanager.* \
+TO 'enea'@'%' IDENTIFIED BY 'somepassword' WITH GRANT OPTION;</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
+      <section id="ha_java_sdk_install">
+        <title>Installing the Java SDK</title>
+        <para>The following steps describe the installation of Java 11 SDK on
+        the CentOS 7 machines that will run the Enea uCPE Manager
+        installation:</para>
+        <orderedlist>
+          <listitem>
+            <para>Install the following packages:</para>
+            <programlisting>java-11-openjdk-devel-11.0.10.0.9-0.el7_9.x86_64
+java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64</programlisting>
+          </listitem>
+          <listitem>
+            <para>Check that java points to the current JRE:</para>
+            <programlisting>root@localhost ~]# java -version
+openjdk version "11.0.10" 2021-01-19 LTS
+OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
+OpenJDK 64-Bit Server VM 18.9 (build 11.0.10+9-LTS, mixed mode, sharing)</programlisting>
+            <para>If it doesn't, then check the alternatives, and make sure
+            that java points to the JDK11 installation:</para>
+            <programlisting>[root@localhost ~]# alternatives --config java</programlisting>
+          </listitem>
+          <listitem>
+            <para>Set the <literal>JAVA_HOME</literal> environment variable
+            and update paths:</para>
+            <programlisting>export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))
+export PATH=$PATH:$JAVA_HOME/bin
+export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar</programlisting>
+            <para>As an alternative, the variables can be written into the
+            <filename>.bashrc</filename> file, so that they load every time a
+            console is opened. To enable these settings for all users, add the
+            variables to <literal>/etc/environment</literal>.</para>
+          </listitem>
+          <listitem>
+            <para>The <literal>JAVA_HOME</literal> variable should point
+            to:</para>
+            <programlisting>[root@localhost ~]# echo $JAVA_HOME
+/usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64</programlisting>
+          </listitem>
+        </orderedlist>
+      </section>
+      <section id="ha_ucpe_mg">
+        <title>Installing the Enea uCPE Manager in High Availabilty
+        mode</title>
+        <para>These steps must be taken on each of the CentOS 7 machines that
+        will host the Enea uCPE Manager.</para>
+        <para>As the root user, go to the distribution folder of the Enea uCPE
+        Manager, and run:</para>
+        <programlisting>[root@localhost distro]#./install.sh /opt/ \
+Enea_NFV_Access_uCPEManager_2.3.0-build23.tar.gz
+This will install uCPEManager into /opt/ucpemanager folder.
+Select the following options, while asked by the installation script:
+Are you using the embedded PostgreSQL database? [Y/N]: N
+External database selected, getting user information ...
+Press 1 for PostgreSQL, 2 for MariaDB, 3 for SQL Server, 4 for Oracle and 5 \
+for MySQL: 2
+Specify database server name(s) or IP Address(es): \
+192.168.10.11,192.168.10.12,…,192.168.10.16 *(see note)
+Specify database ID (or name) [ucpemanager]: 
+Specify database server port [3306]: 
+Specify database user name [root]: enea
+Specify database password [root]: somepassword
+Specify database startup thread pool size [1]: 
+Creating database configuration file \
+/opt//ucpemanager/application/config/databaseConfig.xml ...
+Done .
+…
+Installing ucpemanager service ..
+Specify service username [ucpemanager]: 
+Specify service password [ucpemanager]: somepassword
+…
+Specify the IP address of the local interface: 192.168.10.11
+Is this server part of a cluster? [Y/N]: Y
+Specify the name of the cluster [ucpemanager]: 
+Specify the shared (virtual) cluster IP address: 192.168.10.10
+Specify the netmask for the cluster IP address [255.255.255.0]: 
+HA Configuration files modified successfully.
+Configuration complete.</programlisting>
+        <note>
+          <para>For each Enea uCPE Manager installation, place the local
+          interface IP first in the list of IPs. This will optimize database
+          communication, since the Enea uCPE Manager uses the list of IPs
+          sequentially, therefore using the internal loopback interface for
+          communicating with the database.</para>
+        </note>
+        <para>Once the servers are up and running, log into the <emphasis
+        role="bold">Primary</emphasis> and go to <emphasis
+        role="bold">System</emphasis> and select <emphasis role="bold">Cluster
+        View</emphasis>. The list of Enea uCPE Managers should be displayed,
+        with one listed as Primary and the rest as Backup.</para>
+      </section>
+    </section>
+    <section id="ha_upgrade">
+      <title>Upgrading a High Availability Deployment</title>
+      <para>Upgrading a High Availabilty deployment is a highly complex,
+      multi-step process that requires care to ensure both consistency and
+      high-availability. Some steps need to be done manually.</para>
+      <orderedlist>
+        <listitem>
+          <para>We start with the assumption that
+          <literal>ucpeManager-1</literal>is the "PRIMARY" server.</para>
+        </listitem>
+        <listitem>
+          <para>Shut down database services on one side of the network, for
+          example: MariaDB-4, MariaDB-5 and MariaDB-6.</para>
+        </listitem>
+        <listitem>
+          <para>Disconnect the network interfaces towards the VPN for machines
+          MariaDB-4, MariaDB-5 and MariaDB-6. This will prevent any attempts
+          at failover/synchronization.</para>
+        </listitem>
+        <listitem>
+          <para>Run the upgrade process on <literal>ucpeManager-3</literal>
+          and <literal>ucpeManager-4</literal>. This will upgrade the service
+          to the current release. Once the upgrade process completes, shutdown
+          the Enea uCPE Manager service on both machines.</para>
+        </listitem>
+        <listitem>
+          <para>Disconnect the <literal>ucpeManager-2</literal> machine from
+          the network (which will take MariaDB-2 offline as well). At this
+          point, only the "PRIMARY" server is running, this is the start of
+          the interval when we are susceptible to single-server
+          failure.</para>
+        </listitem>
+        <listitem>
+          <para>Shutdown the MariaDB-2 process and run the Enea uCPE Manager
+          upgrade process on <literal>ucpeManager-2</literal>. This will
+          upgrade the service to the current release. Once the upgrade process
+          completes, shutdown the uCPE Manager service on the machine.</para>
+        </listitem>
+        <listitem>
+          <para>Reconnect the network interfaces towards the VPN for MariaDB-4
+          (<literal>ucpeManager-3</literal>), MariaDB-5
+          (<literal>ucpeManager-4</literal>) and MariaDB-6
+          (<literal>ucpeManager-2</literal>). Restart database services on
+          MariaDB-2, MariaDB-4, MariaDB-5 and MariaDB-6. This will allow
+          database services on all machines to synchronize, any data that has
+          been modified during the upgrade process will be made
+          consistent.</para>
+        </listitem>
+        <listitem>
+          <para>Shutdown the "Primary" server
+          (<literal>ucpeManager-1</literal>). At this point, the service is no
+          longer available.</para>
+        </listitem>
+        <listitem>
+          <para>Start the Enea uCPE Manager services on
+          <literal>ucpeManager-2</literal>. This machine will come up as the
+          new "PRIMARY" with the upgraded software. As part of the startup
+          process, it will upgrade the database and perform any other
+          upgrade-related functionality.</para>
+        </listitem>
+        <listitem>
+          <para>At this point (once startup completes), service is available.
+          However, we are still susceptible to single-server failure.</para>
+        </listitem>
+        <listitem>
+          <para>Start the Enea uCPE Manager services on
+          <literal>ucpeManager-3</literal> and
+          <literal>ucpeManager-4</literal>. At this point, we are in
+          highly-available mode.</para>
+        </listitem>
+        <listitem>
+          <para>Upgrade the Enea uCPE Manager on
+          <literal>ucpeManager-1</literal> (the one that has been shut down).
+          Once that upgrade is complete and the service restarts, the entire
+          setup has been upgraded to the new version.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
 </chapter>
 \ No newline at end of file
diff --git a/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png b/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png
new file mode 100644
index 0000000..e2edd67
--- /dev/null
+++ b/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png
Binary files differ

diff --git a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml index 1b04c40..74ff1dd 100644 --- a/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml +++ b/doc/book-enea-nfv-access-getting-started/doc/advanced_configurations.xml
@@ -420,4 +420,630 @@ node0.1048576kB = 3 </programlisting>
420	</note>	420	</note>
421	</section>	421	</section>
422	</section>	422	</section>
		423
		424	<section id="high_availability_ig">
		425	<title>Installing the Enea uCPE Manager in High Availability Mode</title>
		426
		427	<para>The following describes the setup needed for running the Enea uCPE
		428	Manager in High Availabilty (HA) mode, with a MariaDB database cluster.
		429	The desired setup is depicted in the following diagram:</para>
		430
		431	<figure>
		432	<title>The High Availability setup</title>
		433
		434	<mediaobject>
		435	<imageobject>
		436	<imagedata align="center" contentwidth="600"
		437	fileref="images/high_av_setup.png" />
		438	</imageobject>
		439	</mediaobject>
		440	</figure>
		441
		442	<section id="ha_reqs">
		443	<title>Requirements for High Availability</title>
		444
		445	<para>The following hardware is needed for deploying the base configuration:</para>
		446
		447	<itemizedlist>
		448	<listitem>
		449	<para>Machines running the Enea uCPE Manager and MariaDB:</para>
		450
		451	<itemizedlist spacing="compact">
		452	<listitem>
		453	<para>4 CPU cores</para>
		454	</listitem>
		455
		456	<listitem>
		457	<para>12 - 16 GB memory</para>
		458	</listitem>
		459
		460	<listitem>
		461	<para>256 - 512 GB hard disk</para>
		462	</listitem>
		463	</itemizedlist>
		464	</listitem>
		465
		466	<listitem>
		467	<para>Machines running only MariaDB:</para>
		468
		469	<itemizedlist spacing="compact">
		470	<listitem>
		471	<para>2 CPU cores</para>
		472	</listitem>
		473
		474	<listitem>
		475	<para>8 GB memory</para>
		476	</listitem>
		477
		478	<listitem>
		479	<para>256 - 512 GB hard disk</para>
		480	</listitem>
		481	</itemizedlist>
		482	</listitem>
		483
		484	<listitem>
		485	<para>The Enea uCPE Manager machines should run CentOS 7, this is
		486	the only currently supported version.</para>
		487	</listitem>
		488
		489	<listitem>
		490	<para>All machines should be on the same subnet. For geographically
		491	distributed servers, a VPN can be used.</para>
		492	</listitem>
		493
		494	<listitem>
		495	<para>All VCPE devices will typically connect to the external IP
		496	(WAN) address (exported by the Big-IP firewall).</para>
		497	</listitem>
		498
		499	<listitem>
		500	<para>WAN traffic will be HTTPS, whereas internal communication will
		501	be through HTTP.</para>
		502	</listitem>
		503
		504	<listitem>
		505	<para>External clients (browsers using the GUI as well as clients
		506	using the REST API) will connect to the external (WAN)
		507	address.</para>
		508	</listitem>
		509	</itemizedlist>
		510	</section>
		511
		512	<section id="firewall_rules">
		513	<title>Firewall Rules</title>
		514
		515	<para>The following firewall configuration is needed:</para>
		516
		517	<orderedlist>
		518	<listitem>
		519	<para>Disable <literal>SELINUX</literal> on all database servers by
		520	editing <literal>/etc/sysconfig/selinux</literal> and changing the
		521	following:</para>
		522
		523	<programlisting>SELINUX=disabled
		524	SELINUXTYPE=targeted</programlisting>
		525	</listitem>
		526
		527	<listitem>
		528	<para>Reboot the server:</para>
		529
		530	<programlisting>[root@localhost ~]# sudo shutdown -r now</programlisting>
		531	</listitem>
		532	</orderedlist>
		533
		534	<para>The following ports should be opened in the local firewall (not
		535	Big-IP), for each Enea uCPE Manager machine:</para>
		536
		537	<table>
		538	<title>Ports for Enea uCPE Manager Machines</title>
		539
		540	<tgroup cols="2">
		541	<colspec align="left" />
		542
		543	<thead>
		544	<row>
		545	<entry align="center">Port (Protocol)</entry>
		546
		547	<entry align="center">Usage</entry>
		548	</row>
		549	</thead>
		550
		551	<tbody>
		552	<row>
		553	<entry>80 (TCP)</entry>
		554
		555	<entry>HTTP (used by Big-IP firewall)</entry>
		556	</row>
		557
		558	<row>
		559	<entry>443 (TCP)</entry>
		560
		561	<entry>HTTPS</entry>
		562	</row>
		563
		564	<row>
		565	<entry>54327 (UDP)</entry>
		566
		567	<entry>Cluster multicasting (Hazelcast)</entry>
		568	</row>
		569
		570	<row>
		571	<entry>5701 - 5708 (TCP)</entry>
		572
		573	<entry>Hazelcast communications</entry>
		574	</row>
		575
		576	<row>
		577	<entry>4334 (TCP)</entry>
		578
		579	<entry>NETCONF call-home</entry>
		580	</row>
		581
		582	<row>
		583	<entry>7000 - 7009 (TCP)</entry>
		584
		585	<entry>Reverse SSH connection pool</entry>
		586	</row>
		587	</tbody>
		588	</tgroup>
		589	</table>
		590
		591	<para>For each MariaDB machine, the following firewall configuration is needed:</para>
		592
		593	<table>
		594	<title>Ports for MariaDB Machines</title>
		595
		596	<tgroup cols="2">
		597	<colspec align="left" />
		598
		599	<thead>
		600	<row>
		601	<entry align="center">Port (Protocol)</entry>
		602
		603	<entry align="center">Usage</entry>
		604	</row>
		605	</thead>
		606
		607	<tbody>
		608	<row>
		609	<entry>3306 (TCP)</entry>
		610
		611	<entry>Client connections</entry>
		612	</row>
		613
		614	<row>
		615	<entry>4567 (UDP/TCP)</entry>
		616
		617	<entry>Galera cluster replication with multicasting</entry>
		618	</row>
		619
		620	<row>
		621	<entry>4568 (TCP)</entry>
		622
		623	<entry>Incremental state transfer</entry>
		624	</row>
		625
		626	<row>
		627	<entry>4444 (TCP)</entry>
		628
		629	<entry>State snapshot transfer</entry>
		630	</row>
		631	</tbody>
		632	</tgroup>
		633	</table>
		634
		635	<para>The following ports should be accessible externally and translated
		636	to the Virtual IP side as shown below (by the Big-IP firewall):</para>
		637
		638	<table>
		639	<title>Ports for Virtual IP</title>
		640
		641	<tgroup cols="3">
		642	<colspec align="left" />
		643
		644	<thead>
		645	<row>
		646	<entry align="center">External Port (Protocol)</entry>
		647
		648	<entry align="center">Usage</entry>
		649
		650	<entry align="center">Local Port (Protocol)</entry>
		651	</row>
		652	</thead>
		653
		654	<tbody>
		655	<row>
		656	<entry>443 (TCP)</entry>
		657
		658	<entry>HTTPS to/back HTTP</entry>
		659
		660	<entry>80 (TCP)</entry>
		661	</row>
		662
		663	<row>
		664	<entry>4334 (TCP)</entry>
		665
		666	<entry>NETCONF call-home</entry>
		667
		668	<entry>4334 (TCP)</entry>
		669	</row>
		670
		671	<row>
		672	<entry>7000 - 7009 (TCP)</entry>
		673
		674	<entry>Reverse SSH connection pool</entry>
		675
		676	<entry>7000 - 7009 (TCP)</entry>
		677	</row>
		678	</tbody>
		679	</tgroup>
		680	</table>
		681	</section>
		682
		683	<section id="ha_installation">
		684	<title>Installing High Availability</title>
		685
		686	<para>The Enea uCPE Manager can be installed in High Availability mode with
		687	a MariaDB database cluster by performing the following steps. The mandatory
		688	Java configuration is also detailed.</para>
		689
		690	<section id="ha_mariadb">
		691	<title>Installing and configuring the MariaDB cluster</title>
		692
		693	<para>Install the latest MariaDB packages on all servers.</para>
		694
		695	<note>
		696	<para>The setup was tested using MariaDB 10.5.8, built for CentOS
		697	7.</para>
		698	</note>
		699
		700	<para><emphasis role="bold">How to install MariaDB</emphasis></para>
		701
		702	<orderedlist>
		703	<listitem>
		704	<para>Make sure the following packages are installed:</para>
		705
		706	<programlisting>MariaDB-compat-10.5.8-1.el7.centos.x86_64
		707	MariaDB-common-10.5.8-1.el7.centos.x86_64
		708	MariaDB-server-10.5.8-1.el7.centos.x86_64
		709	MariaDB-client-10.5.8-1.el7.centos.x86_64
		710	galera-4-26.4.6-1.el7.centos.x86_64</programlisting>
		711
		712	<para>These provide the MariaDB server, client and the Galera
		713	<literal>wsrep</literal> provider library.</para>
		714	</listitem>
		715
		716	<listitem>
		717	<para>Copy the <literal>wsrep</literal> template:</para>
		718
		719	<programlisting>[root@localhost ~]# cp /usr/share/mysql/wsrep.cnf /etc/my.cnf.d</programlisting>
		720	</listitem>
		721
		722	<listitem>
		723	<para>Change the following configuration:</para>
		724
		725	<programlisting># Full path to wsrep provider library or 'none'
		726	wsrep_provider=/usr/lib64/galera-4/libgalera_smm.so
		727
		728	# Provider specific configuration options
		729	#wsrep_provider_options=
		730
		731	# Logical cluster name. Should be the same for all nodes.
		732	wsrep_cluster_name="ucpemanager"
		733
		734	# Group communication system handle
		735	wsrep_cluster_address="gcomm://192.168.10.11,192.168.10.12,..,192.168.10.16"
		736
		737	# Human-readable node name (non-unique). Hostname by default.
		738	wsrep_node_name=Node1
		739	# current node's name. set node name for each server in the cluster
		740
		741	# Base replication <address\|hostname>[:port] of the node.
		742	# The values supplied will be used as defaults for state transfer receiving,
		743	# listening ports and so on. Default: address of the first network interface.
		744	wsrep_node_address=192.168.10.11
		745	#current node's interface IP . must be set for each node in the cluster</programlisting>
		746
		747	<note>
		748	<para>Steps 2 and 3 must be performed for each MariaDB node in
		749	the cluster.</para>
		750	</note>
		751	</listitem>
		752
		753	<listitem>
		754	<para>Bootstrap the first node in the cluster (identified by
		755	<literal>Node1</literal> for example), by running:</para>
		756
		757	<programlisting>[root@localhost ~]# galera_new_cluster</programlisting>
		758
		759	<para>This script passes the
		760	<literal>--wsrep-new-cluster</literal> to
		761	<literal>mysqld</literal> which tells the node that there is no
		762	pre-existing cluster to connect to. The node will create a new
		763	UUID to identify the new cluster.</para>
		764
		765	<note>
		766	<para>Do not execute this script when connecting to an existing
		767	cluster. It will create a new UUID to identify the cluster
		768	again, and the node won't reconnect to the old cluster.</para>
		769	</note>
		770	</listitem>
		771
		772	<listitem>
		773	<para>Go to <literal>Node1</literal> and start the service:</para>
		774
		775	<programlisting>[root@localhost ~]# systemctl start mariadb</programlisting>
		776
		777	<para>Subsequently, start the service on the other servers.</para>
		778	</listitem>
		779
		780	<listitem>
		781	<para>Verify that the nodes have entered the cluster:</para>
		782
		783	<programlisting>[root@localhost ~]# mysql --host=localhost --user=root -p
		784	MariaDB [(none)]> show status like 'wsrep_cluster_conf_%';
		785	+-----------------------+-------+
		786	\| Variable_name \| Value \|
		787	+-----------------------+-------+
		788	\| wsrep_cluster_conf_id \| 3 \|
		789	+-----------------------+-------+
		790	1 row in set (0.001 sec)</programlisting>
		791	</listitem>
		792
		793	<listitem>
		794	<para>Run the initial configuration script (only once, on one of
		795	the machines in the cluster):</para>
		796
		797	<programlisting>[root@localhost ~]# mysql_secure_installation
		798
		799	Switch to unix_socket authentication [Y/n] Y
		800	Enabled successfully!
		801	Reloading privilege tables..
		802	... Success!
		803	…
		804	Change the root password? [Y/n] Y
		805	New password:
		806	Re-enter new password:
		807	Password updated successfully!
		808	Reloading privilege tables..
		809	... Success!
		810	…
		811	Remove anonymous users? [Y/n] Y
		812	... Success!
		813	…
		814	Disallow root login remotely? [Y/n] Y
		815	... Success!
		816	…
		817	Remove test database and access to it? [Y/n] Y (optional)
		818	- Dropping test database...
		819	... Success!
		820	- Removing privileges on test database...
		821	... Success!
		822	Reload privilege tables now? [Y/n] Y
		823	... Success!
		824
		825	Cleaning up...
		826
		827	All done! If you've completed all of the above steps, your MariaDB
		828	installation should now be secure.
		829
		830	Thanks for using MariaDB!</programlisting>
		831	</listitem>
		832
		833	<listitem>
		834	<para>Create the initial database and grant access to it:</para>
		835
		836	<programlisting>[root@localhost application]# mysql --host=localhost --user=root -p
		837	MariaDB [(none)]> CREATE DATABASE ucpemanager CHARACTER SET='utf8' \
		838	COLLATE='utf8_bin';
		839	Query OK, 1 row affected (0.004 sec)
		840
		841	MariaDB [(none)]> GRANT ALL PRIVILEGES ON ucpemanager.* \
		842	TO 'enea'@'%' IDENTIFIED BY 'somepassword' WITH GRANT OPTION;</programlisting>
		843	</listitem>
		844	</orderedlist>
		845	</section>
		846
		847	<section id="ha_java_sdk_install">
		848	<title>Installing the Java SDK</title>
		849
		850	<para>The following steps describe the installation of Java 11 SDK on
		851	the CentOS 7 machines that will run the Enea uCPE Manager
		852	installation:</para>
		853
		854	<orderedlist>
		855	<listitem>
		856	<para>Install the following packages:</para>
		857
		858	<programlisting>java-11-openjdk-devel-11.0.10.0.9-0.el7_9.x86_64
		859	java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64</programlisting>
		860	</listitem>
		861
		862	<listitem>
		863	<para>Check that java points to the current JRE:</para>
		864
		865	<programlisting>root@localhost ~]# java -version
		866	openjdk version "11.0.10" 2021-01-19 LTS
		867	OpenJDK Runtime Environment 18.9 (build 11.0.10+9-LTS)
		868	OpenJDK 64-Bit Server VM 18.9 (build 11.0.10+9-LTS, mixed mode, sharing)</programlisting>
		869
		870	<para>If it doesn't, then check the alternatives, and make sure
		871	that java points to the JDK11 installation:</para>
		872
		873	<programlisting>[root@localhost ~]# alternatives --config java</programlisting>
		874	</listitem>
		875
		876	<listitem>
		877	<para>Set the <literal>JAVA_HOME</literal> environment variable
		878	and update paths:</para>
		879
		880	<programlisting>export JAVA_HOME=$(dirname $(dirname $(readlink $(readlink $(which javac)))))
		881	export PATH=$PATH:$JAVA_HOME/bin
		882	export CLASSPATH=.:$JAVA_HOME/jre/lib:$JAVA_HOME/lib:$JAVA_HOME/lib/tools.jar</programlisting>
		883
		884	<para>As an alternative, the variables can be written into the
		885	<filename>.bashrc</filename> file, so that they load every time a
		886	console is opened. To enable these settings for all users, add the
		887	variables to <literal>/etc/environment</literal>.</para>
		888	</listitem>
		889
		890	<listitem>
		891	<para>The <literal>JAVA_HOME</literal> variable should point
		892	to:</para>
		893
		894	<programlisting>[root@localhost ~]# echo $JAVA_HOME
		895	/usr/lib/jvm/java-11-openjdk-11.0.10.0.9-0.el7_9.x86_64</programlisting>
		896	</listitem>
		897	</orderedlist>
		898	</section>
		899
		900	<section id="ha_ucpe_mg">
		901	<title>Installing the Enea uCPE Manager in High Availabilty
		902	mode</title>
		903
		904	<para>These steps must be taken on each of the CentOS 7 machines that
		905	will host the Enea uCPE Manager.</para>
		906
		907	<para>As the root user, go to the distribution folder of the Enea uCPE
		908	Manager, and run:</para>
		909
		910	<programlisting>[root@localhost distro]#./install.sh /opt/ \
		911	Enea_NFV_Access_uCPEManager_2.3.0-build23.tar.gz
		912	This will install uCPEManager into /opt/ucpemanager folder.
		913	Select the following options, while asked by the installation script:
		914	Are you using the embedded PostgreSQL database? [Y/N]: N
		915	External database selected, getting user information ...
		916	Press 1 for PostgreSQL, 2 for MariaDB, 3 for SQL Server, 4 for Oracle and 5 \
		917	for MySQL: 2
		918	Specify database server name(s) or IP Address(es): \
		919	192.168.10.11,192.168.10.12,…,192.168.10.16 *(see note)
		920	Specify database ID (or name) [ucpemanager]:
		921	Specify database server port [3306]:
		922	Specify database user name [root]: enea
		923	Specify database password [root]: somepassword
		924	Specify database startup thread pool size [1]:
		925	Creating database configuration file \
		926	/opt//ucpemanager/application/config/databaseConfig.xml ...
		927	Done .
		928	…
		929	Installing ucpemanager service ..
		930	Specify service username [ucpemanager]:
		931	Specify service password [ucpemanager]: somepassword
		932	…
		933	Specify the IP address of the local interface: 192.168.10.11
		934	Is this server part of a cluster? [Y/N]: Y
		935	Specify the name of the cluster [ucpemanager]:
		936	Specify the shared (virtual) cluster IP address: 192.168.10.10
		937	Specify the netmask for the cluster IP address [255.255.255.0]:
		938	HA Configuration files modified successfully.
		939	Configuration complete.</programlisting>
		940
		941	<note>
		942	<para>For each Enea uCPE Manager installation, place the local
		943	interface IP first in the list of IPs. This will optimize database
		944	communication, since the Enea uCPE Manager uses the list of IPs
		945	sequentially, therefore using the internal loopback interface for
		946	communicating with the database.</para>
		947	</note>
		948
		949	<para>Once the servers are up and running, log into the <emphasis
		950	role="bold">Primary</emphasis> and go to <emphasis
		951	role="bold">System</emphasis> and select <emphasis role="bold">Cluster
		952	View</emphasis>. The list of Enea uCPE Managers should be displayed,
		953	with one listed as Primary and the rest as Backup.</para>
		954	</section>
		955	</section>
		956
		957	<section id="ha_upgrade">
		958	<title>Upgrading a High Availability Deployment</title>
		959
		960	<para>Upgrading a High Availabilty deployment is a highly complex,
		961	multi-step process that requires care to ensure both consistency and
		962	high-availability. Some steps need to be done manually.</para>
		963
		964	<orderedlist>
		965	<listitem>
		966	<para>We start with the assumption that
		967	<literal>ucpeManager-1</literal>is the "PRIMARY" server.</para>
		968	</listitem>
		969
		970	<listitem>
		971	<para>Shut down database services on one side of the network, for
		972	example: MariaDB-4, MariaDB-5 and MariaDB-6.</para>
		973	</listitem>
		974
		975	<listitem>
		976	<para>Disconnect the network interfaces towards the VPN for machines
		977	MariaDB-4, MariaDB-5 and MariaDB-6. This will prevent any attempts
		978	at failover/synchronization.</para>
		979	</listitem>
		980
		981	<listitem>
		982	<para>Run the upgrade process on <literal>ucpeManager-3</literal>
		983	and <literal>ucpeManager-4</literal>. This will upgrade the service
		984	to the current release. Once the upgrade process completes, shutdown
		985	the Enea uCPE Manager service on both machines.</para>
		986	</listitem>
		987
		988	<listitem>
		989	<para>Disconnect the <literal>ucpeManager-2</literal> machine from
		990	the network (which will take MariaDB-2 offline as well). At this
		991	point, only the "PRIMARY" server is running, this is the start of
		992	the interval when we are susceptible to single-server
		993	failure.</para>
		994	</listitem>
		995
		996	<listitem>
		997	<para>Shutdown the MariaDB-2 process and run the Enea uCPE Manager
		998	upgrade process on <literal>ucpeManager-2</literal>. This will
		999	upgrade the service to the current release. Once the upgrade process
		1000	completes, shutdown the uCPE Manager service on the machine.</para>
		1001	</listitem>
		1002
		1003	<listitem>
		1004	<para>Reconnect the network interfaces towards the VPN for MariaDB-4
		1005	(<literal>ucpeManager-3</literal>), MariaDB-5
		1006	(<literal>ucpeManager-4</literal>) and MariaDB-6
		1007	(<literal>ucpeManager-2</literal>). Restart database services on
		1008	MariaDB-2, MariaDB-4, MariaDB-5 and MariaDB-6. This will allow
		1009	database services on all machines to synchronize, any data that has
		1010	been modified during the upgrade process will be made
		1011	consistent.</para>
		1012	</listitem>
		1013
		1014	<listitem>
		1015	<para>Shutdown the "Primary" server
		1016	(<literal>ucpeManager-1</literal>). At this point, the service is no
		1017	longer available.</para>
		1018	</listitem>
		1019
		1020	<listitem>
		1021	<para>Start the Enea uCPE Manager services on
		1022	<literal>ucpeManager-2</literal>. This machine will come up as the
		1023	new "PRIMARY" with the upgraded software. As part of the startup
		1024	process, it will upgrade the database and perform any other
		1025	upgrade-related functionality.</para>
		1026	</listitem>
		1027
		1028	<listitem>
		1029	<para>At this point (once startup completes), service is available.
		1030	However, we are still susceptible to single-server failure.</para>
		1031	</listitem>
		1032
		1033	<listitem>
		1034	<para>Start the Enea uCPE Manager services on
		1035	<literal>ucpeManager-3</literal> and
		1036	<literal>ucpeManager-4</literal>. At this point, we are in
		1037	highly-available mode.</para>
		1038	</listitem>
		1039
		1040	<listitem>
		1041	<para>Upgrade the Enea uCPE Manager on
		1042	<literal>ucpeManager-1</literal> (the one that has been shut down).
		1043	Once that upgrade is complete and the service restarts, the entire
		1044	setup has been upgraded to the new version.</para>
		1045	</listitem>
		1046	</orderedlist>
		1047	</section>
		1048	</section>
423	</chapter> \ No newline at end of file	1049	</chapter> \ No newline at end of file


diff --git a/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png b/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png new file mode 100644 index 0000000..e2edd67 --- /dev/null +++ b/doc/book-enea-nfv-access-getting-started/doc/images/high_av_setup.png
Binary files differ