Cloud License Server Proxy

Note

Topics covered in this page require you to have administrator/root access to your machine(s) to install/deploy software.

Overview

When using Usage-Based Licensing with a Cloud License Server, it is normally required that all Deadline Worker machines have access to the internet. However, this is not always possible for security reasons. The recommended alternative is to set up a Cloud License Server Proxy on a single machine that does have internet access, and have the Deadline Workers point to it instead.

This documentation will go through the steps of installing and configuring a Cloud License Server Proxy using HAProxy on an Ubuntu 14.04 machine. Note that this can be a physical or virtual machine. While there are probably many ways to set up a Cloud License Server Proxy, this is the solution we have tested and confirmed to work.

Please contact Thinkbox Support if you need help setting up the Cloud License Server Proxy.

Installing HAProxy

Ubuntu

On Ubuntu, to ensure you are using the latest version of HAProxy, you need to download and build it from source before installing.

You must first install the required packages on your Ubuntu 14.04 machine:

>>> sudo -s
>>> apt-get install build-essential libssl-dev

After those packages have finished installing, download HAProxy 1.6 and extract the HAProxy tarball to a temporary location. Then open a Terminal, change directories to the extracted HAProxy folder, and compile HAProxy:

>>> make TARGET=linux2628 USE_OPENSSL=1

After compiling HAProxy, you can install it:

>>> make install

CentOS/RedHat

On CentOS 6/RedHat, we can use the EPEL repository RPM:

>>> sudo -s
>>> wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
>>> rpm -ivh epel-release-6-8.noarch.rpm
>>> yum install haproxy

SSL Certificate

Before you can start using HAProxy, you need to generate an SSL certificate for HAProxy’s internal listener. This can either be signed by a trusted certificate authority, or it can be self-signed. To generate a self-signed CA and certificate, you can follow these instructions.

First, download our ssl_gen.py script and place it in a temporary directory. Then open a Terminal, change directories to the folder that you placed ssl_gen.py in, and run the following commands:

>>> python ssl_gen.py --ca --cert-org "Company Name" --cert-ou "Department Name"
>>> python ssl_gen.py --server --cert-name "haproxy-01"

Now change directories to the newly created keys folder, and concatenate the server certificate and key into one pem file:

>>> cat haproxy-01.crt haproxy-01.key > haproxy-01.pem

Configuring HAProxy

The next step is to configure HAProxy to use your SSL certificate and forward traffic to the Cloud License Server. First, create a folder named /etc/haproxy, and then copy the keys folder that you created above to /etc/haproxy/keys.

Now create an HAProxy configuration file at /etc/haproxy/haproxy.cfg with the following contents. Note that the following lines in the frontend incoming_https section below need to be updated:

  • In the bind line, change the haproxy-01.pem certificate name to reference the certificate you created above.
  • In the reqrep line, replace the haproxy-01 host name with the DNS name or IP address of the HAProxy server (the same host that you created the certificate for).

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        ca-base /etc/haproxy/keys
        crt-base /etc/haproxy/keys
        tune.ssl.default-dh-param 1024

defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client 3600000
        timeout server 3600000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend incoming_https
        bind *:443 ssl crt haproxy-01.pem ca-file ca.crt
        reqrep "Host: haproxy-01" "Host: thinkbox.compliance.flexnetoperations.com"
        option tcplog
        mode tcp
        default_backend fno

backend fno
        mode tcp
        option ssl-hello-chk
        server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify none
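The following pre-flight check is an added example, not part of the Deadline documentation or of HAProxy: it reads a haproxy.cfg laid out as above and verifies that the concatenated server pem and the CA certificate it references exist under crt-base/ca-base and contain the expected PEM blocks. It assumes the file layout from this page (the config path is passed as an argument so any copy can be checked).

```shell
#!/bin/sh
# Pre-flight check for the HAProxy license proxy config shown above (added example).
# Assumes the page's layout: keys live under the ca-base/crt-base directories
# named in the global section, and the frontend bind line names crt and ca-file.

# pem_has_cert_and_key FILE -> 0 if FILE holds both a certificate and a private key block
pem_has_cert_and_key() {
    [ -r "$1" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1" || return 1
    return 0
}

# cfg_value CFG KEYWORD -> first value following KEYWORD (e.g. crt-base) in CFG
cfg_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# bind_option CFG OPTION -> value after OPTION (crt or ca-file) on the first bind line
bind_option() {
    awk -v o="$2" '$1 == "bind" { for (i = 1; i <= NF; i++) if ($i == o) { print $(i+1); exit } }' "$1"
}

# check_proxy_config CFG -> 0 if the cert/key files CFG references exist and are well formed
check_proxy_config() {
    cfg="$1"
    pem="$(cfg_value "$cfg" crt-base)/$(bind_option "$cfg" crt)"
    ca="$(cfg_value "$cfg" ca-base)/$(bind_option "$cfg" ca-file)"
    pem_has_cert_and_key "$pem" || { echo "bad or missing server pem: $pem" >&2; return 1; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$ca" 2>/dev/null \
        || { echo "missing CA certificate: $ca" >&2; return 1; }
    # "verify none" means the proxy does not validate the Cloud License Server's
    # certificate; flag it so the choice is a deliberate one.
    grep -q 'verify none' "$cfg" \
        && echo "warning: backend TLS certificate verification is disabled (verify none)" >&2
    return 0
}
```

The warning is there because `verify none` on the backend server line disables validation of the Cloud License Server's certificate, so the proxy would not notice a spoofed upstream; raising `tune.ssl.default-dh-param` from 1024 to 2048 is also current guidance for the frontend listener.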

Now create an init script at /etc/init.d/haproxy with the following contents:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          haproxy
# Required-Start:    $local_fs $network $remote_fs
# Required-Stop:     $local_fs $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
# Description:       This file should be used to start and stop haproxy.
### END INIT INFO

# Author: Arnaud Cornet <acornet@debian.org>

PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIDFILE=/var/run/haproxy.pid
CONFIG=/etc/haproxy/haproxy.cfg
HAPROXY=/usr/local/sbin/haproxy
EXTRAOPTS=
# Set to 1 here so "service haproxy start" actually starts the daemon;
# /etc/default/haproxy, if present, still overrides this value.
ENABLED=1

test -x $HAPROXY || exit 0

if [ -e /etc/default/haproxy ]; then
        . /etc/default/haproxy
fi

test -f "$CONFIG" || exit 0
test "$ENABLED" != "0" || exit 0

[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions

clean()
{
    if [ -e "$tmp" ];then
        rm -f "$tmp"
    fi
}

trap clean EXIT

check_haproxy_config()
{
        $HAPROXY -c -f "$CONFIG" >/dev/null
        if [ $? -eq 1 ]; then
                log_end_msg 1
                exit 1
        fi
}

haproxy_start()
{
        check_haproxy_config

        start-stop-daemon --quiet --oknodo --start --pidfile "$PIDFILE" \
                --exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
                $EXTRAOPTS || return 2
        return 0
}

haproxy_stop()
{
        tmp=$(tempfile -s .haproxy.init)

        if [ ! -f $PIDFILE ] ; then
                # This is a success according to LSB
                return 0
        fi

        ret=0
        for pid in $(cat $PIDFILE); do
                echo $pid > "$tmp"
                start-stop-daemon --quiet --oknodo --stop \
                        --retry 5 --pidfile "$tmp" --exec $HAPROXY || ret=$?
        done

        [ $ret -eq 0 ] && rm -f $PIDFILE

        return $ret
}

haproxy_reload()
{
        check_haproxy_config

        $HAPROXY -f "$CONFIG" -p $PIDFILE -D $EXTRAOPTS -sf $(cat $PIDFILE) \
                || return 2
        return 0
}

haproxy_status()
{
        if [ ! -f $PIDFILE ] ; then
                # program not running
                return 3
        fi

        for pid in $(cat $PIDFILE) ; do
                if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
                        # program running, bogus pidfile
                        return 1
                fi
        done

        return 0
}


case "$1" in
start)
        log_daemon_msg "Starting haproxy" "haproxy"
        haproxy_start
        ret=$?
        case "$ret" in
        0)
                log_end_msg 0
                ;;
        1)
                log_end_msg 1
                echo "pid file '$PIDFILE' found, haproxy not started."
                ;;
        2)
                log_end_msg 1
                ;;
        esac
        exit $ret
        ;;
stop)
        log_daemon_msg "Stopping haproxy" "haproxy"
        haproxy_stop
        ret=$?
        case "$ret" in
        0|1)
                log_end_msg 0
                ;;
        2)
                log_end_msg 1
                ;;
        esac
        exit $ret
        ;;
reload|force-reload)
        log_daemon_msg "Reloading haproxy" "haproxy"
        haproxy_reload
        ret=$?
        case "$ret" in
        0|1)
                log_end_msg 0
                ;;
        2)
                log_end_msg 1
                ;;
        esac
        exit $ret
        ;;
restart)
        log_daemon_msg "Restarting haproxy" "haproxy"
        haproxy_stop
        haproxy_start
        ret=$?
        case "$ret" in
        0)
                log_end_msg 0
                ;;
        1)
                log_end_msg 1
                ;;
        2)
                log_end_msg 1
                ;;
        esac
        exit $ret
        ;;
status)
        haproxy_status
        ret=$?
        case "$ret" in
        0)
                echo "haproxy is running."
                ;;
        1)
                echo "haproxy dead, but $PIDFILE exists."
                ;;
        *)
                echo "haproxy not running."
                ;;
        esac
        exit $ret
        ;;
*)
        echo "Usage: /etc/init.d/haproxy {start|stop|reload|restart|status}"
        exit 2
        ;;
esac

:

Running HAProxy

Now that HAProxy is configured, it’s almost ready to run. First, you need to restart rsyslog:

>>> service rsyslog restart

Next, add HAProxy to the default runlevels:

>>> update-rc.d haproxy defaults

or on CentOS/RedHat:

>>> chkconfig haproxy on

Finally, you can start HAProxy:

>>> service haproxy start

Network Access Requirements

There are a couple of network access requirements to allow the Deadline Workers to connect to the Proxy, and to allow the Proxy to connect to the Cloud License Server.

First, you must ensure that the render nodes that the Deadline Workers are running on can reach the Proxy on TCP port 443.

Second, you must ensure that the Proxy can reach thinkbox.compliance.flexnetoperations.com on TCP port 443. If you need help determining the IP address for thinkbox.compliance.flexnetoperations.com, you can do so by running the following command in a command prompt or terminal:

>>> nslookup thinkbox.compliance.flexnetoperations.com

Simply look in the “Address” field of the output. Note that the nslookup command is generally available on Windows, Mac OS X or Linux.

Configuring Deadline

Now that the Cloud License Server Proxy is running, you need to configure the Deadline Workers to point to it. The process is almost the same as if you were pointing to the Cloud License Server directly. The only difference is that instead of entering the URL to the Cloud License Server, you’ll be entering the URL to the Cloud License Server Proxy server. Note that you still enter an Activation Code as usual.

For example, let’s assume that the original URL was this:

https://thinkboxuat.compliance.flexnetoperations.com/instances/A1B2C3D4E5F6/request

If your Cloud License Server Proxy machine is called haproxy-01, you’ll enter in the following URL instead:

https://haproxy-01/instances/A1B2C3D4E5F6/request

Finally, if you used a self-signed CA certificate, you’ll need to import /etc/haproxy/keys/ca.crt as a trusted root certificate on any Deadline Worker machines that will be pulling licenses through the Cloud License Server Proxy. Once this is done, the Deadline Workers should be able to check out render time as if they were connected directly to the Cloud License Server.