Arbab Nazar arbabnazar

Session Management in an Autoscaling Environment

Problem Statement

User sessions in J2EE and LAMP stacks have traditionally been handled in memory by the application server handling the user request. Because of that, load balancers have been configured to use sticky sessions. By sticky sessions we mean that once the user has visited the site, they will be assigned an app server and will return to that server for subsequent requests. The load balancers typically handle that by referencing the users session cookie.

Elastic cloud environments differ from traditional server configurations in that they have a variable number of servers based on traffic loads whereas traditional configurations had a fixed number of servers. When traffic volumes decline it is necessary to vaporize servers. In doing so, we would lose user sessions (essentially forcing a logout) unless we come up with a new strategy for session management.

A new approach

After much research, it is clear that the best

SSH forward local port to remote AWS RDS instance

The scenario:

We have connectivity to remote server (EC2 instance) REMOTE_EC2_HOST over SSH.
Connectivity to AWS RDS MySQL instance RDS.ENDPOINT.rds.amazonaws.com from remote server only (due to security group/firewall settings).

# forward requests from 127.0.0.1:6400 -> RDS.ENDPOINT.rds.amazonaws.com:3306
# add [-f] switch to background ssh process
$ ssh -vvvN \
	-L 6400:RDS.ENDPOINT.rds.amazonaws.com:3306 \

An Ansible summary

Patterns

all (or *)
hostname: foo.example.com
groupname: webservers
or: webservers:dbserver
exclude: webserver:!phoenix
intersection: webservers:&staging

	#!/usr/bin/env python
	"""Determine if the instances in an autoscaling group are InService in its ELBs
	attached to that group.
	"""

	import sys
	import boto.ec2.elb
	import boto.ec2.autoscale
	import argparse

	# The various ${var.foo} come from variables.tf

	# Specify the provider and access details
	provider "aws" {
	region = "${var.aws_region}"
	access_key = "${var.aws_access_key}"
	secret_key = "${var.aws_secret_key}"
	}

	- name: ensure github.com is a known host
	lineinfile:
	dest: /root/.ssh/known_hosts
	create: yes
	state: present
	line: "{{ lookup('pipe', 'ssh-keyscan -t rsa github.com') }}"
	regexp: "^github\\.com"

	---
	# Patches openssl problem and restarts needed services
	- name: Apply common configration to all nodes
	hosts: all
	sudo: yes
	# Uncomment to apply update one server at a time
	# serial: 1
	tasks:

	- name: "Install packages and update cache"

	# Idempotent way to build a /etc/hosts file with Ansible using your Ansible hosts inventory for a source.
	# Will include all hosts the playbook is run on.
	# Inspired from http://xmeblog.blogspot.com/2013/06/ansible-dynamicaly-update-etchosts.html

	- name: "Build hosts file"
	lineinfile: dest=/etc/hosts regexp='.*{{ item }}$' line="{{ hostvars[item].ansible_default_ipv4.address }} {{item}}" state=present
	when: hostvars[item].ansible_default_ipv4.address is defined
	with_items: groups['all']

	---
	#
	# Setup mysvchere in this environment
	#
	- name: Add the mysvchere user
	user: name=mysvchere comment="My company mysvchere" system=yes shell="/bin/bash"

	- name: Install mysvchere certificates
	copy: src=server_crt.pem dest=/etc/ssl/certs/{{ mysvchere_hostname }}.crt mode=0644 owner=root group=root