Cloud License Server Proxy¶
Note
Topics covered in this page require you to have administrator/root access to your machine(s) to install/deploy software.
Overview¶
When using Usage-Based Licensing with a Cloud License Server, it is normally required that all Deadline Worker machines have access to the internet. However, this is not always possible due to security reasons. The recommended alternative is to set up a Cloud License Server Proxy on a single machine that does have internet access, and have the Deadline Workers point to it instead.
This documentation will go through the steps of installing and configuring a Cloud License Server Proxy using HAProxy on an Ubuntu machine. Note that this can be a physical or virtual machine. While there are probably many ways to set up a Cloud License Server Proxy, this is the solution we have tested and we can confirm it works.
Please contact Thinkbox Support if you need help setting up the Cloud License Server Proxy.
Installing HAProxy¶
Ubuntu¶
On Ubuntu, the HAProxy in the distribution repositories may be older than you want; to run a current release, download the source tarball from haproxy.org and build it before installing.
You must first install the build prerequisites on your Ubuntu machine (the OpenSSL headers package is libssl-dev):
>>> sudo -s
>>> apt-get install build-essential libssl-dev
After those packages have finished installing, extract the HAProxy tarball to a temporary location. Then open a Terminal, change directories to the extracted HAProxy folder, and compile HAProxy with OpenSSL support:
>>> make TARGET=linux2628 USE_OPENSSL=1
The linux2628 target is the one HAProxy 1.x uses for a modern Linux kernel; HAProxy 2.0 and later renamed it to linux-glibc, so check the INSTALL file in the tarball if make reports an unknown target.
After compiling HAProxy, you can install it (the binary goes to /usr/local/sbin/haproxy, which is the path the init script below expects):
>>> make install
CentOS/RedHat¶
On RHEL/CentOS 7, we can install the packaged HAProxy using the EPEL repository RPM:
>>> sudo -s
>>> wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
>>> rpm -ivh epel-release-latest-7.noarch.rpm
>>> yum install haproxy
The package installs the binary at /usr/sbin/haproxy, a default /etc/haproxy/haproxy.cfg and its own service definition, so on CentOS/RedHat you replace the configuration file as described in the Configuring HAProxy section but skip the hand-written init script (which points at /usr/local/sbin/haproxy, the location used by the Ubuntu source build).
SSL Certificate¶
Before you can start using HAProxy, you need to generate an SSL certificate for the listener that the Deadline Workers will connect to. This can either be signed by a trusted certificate authority, or it can be self-signed. To generate a self-signed CA and certificate, you can follow these instructions.
First, download our ssl_gen.py script and place it in a temporary directory. Then open a Terminal, change directories to the folder that you placed ssl_gen.py in, and run the following commands (the --cert-name value must be the DNS name the Workers will use to reach the proxy):
>>> python ssl_gen.py --ca --cert-org "Company Name" --cert-ou "Department Name"
>>> python ssl_gen.py --server --cert-name "haproxy-01"
Now change directories to the newly created keys folder, and concatenate the server certificate and key into one pem file. The pem name is the one the bind line of the HAProxy configuration will reference, and because it contains the private key it should be readable only by root (mode 600):
>>> cat haproxy-01.crt haproxy-01.key > haproxy-01.pem
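The same two steps done with plain openssl, as an added example that is not Thinkbox's ssl_gen.py script: it builds a private CA, issues a server certificate for the proxy host with a subjectAltName (current TLS clients ignore the CN and reject a certificate whose SAN does not cover the name or IP they connect to), bundles certificate and key the way HAProxy's crt option expects, and adds two checks: that the server certificate chains to the CA under the right name, and that the file you hand to the Workers contains only a CA certificate. The host name haproxy-01, the IP 10.0.0.5 and the organization strings are placeholders.

```sh
#!/bin/sh
# Added example, not Thinkbox's ssl_gen.py: private CA, server certificate for
# the proxy host, the cert+key bundle HAProxy loads, and two checks.
# haproxy-01 / 10.0.0.5 / "Company Name" / "Department Name" are placeholders.
set -eu

# gen_proxy_certs <outdir> <proxy dns name> [<proxy ip>]
gen_proxy_certs() {
    outdir=$1; host=$2; ip=${3:-}
    mkdir -p "$outdir"
    chmod 700 "$outdir"

    # 1. CA: key, then a self-signed certificate with explicit CA extensions.
    #    Going through a CSR and "x509 -req -extfile" works on OpenSSL 1.0,
    #    1.1 and 3.x alike (no -addext needed).
    openssl genrsa -out "$outdir/ca.key" 4096 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$outdir/ca.ext"
    openssl req -new -key "$outdir/ca.key" \
        -subj "/O=Company Name/OU=Department Name/CN=Cloud License Proxy CA" \
        -out "$outdir/ca.csr"
    openssl x509 -req -in "$outdir/ca.csr" -signkey "$outdir/ca.key" -sha256 -days 3650 \
        -extfile "$outdir/ca.ext" -out "$outdir/ca.crt" 2>/dev/null

    # 2. Server: key, CSR, signed by the CA. The subjectAltName must carry the
    #    DNS name (and the IP, if Workers will be pointed at one).
    san="DNS:$host"
    if [ -n "$ip" ]; then san="$san,IP:$ip"; fi
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$san" \
        > "$outdir/$host.ext"
    openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" -out "$outdir/$host.csr"
    openssl x509 -req -in "$outdir/$host.csr" -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" \
        -CAcreateserial -sha256 -days 825 -extfile "$outdir/$host.ext" \
        -out "$outdir/$host.crt" 2>/dev/null

    # 3. HAProxy's "crt" option wants certificate and key in one PEM. That file
    #    now holds a private key, so lock it and the raw keys down to root.
    cat "$outdir/$host.crt" "$outdir/$host.key" > "$outdir/$host.pem"
    chmod 600 "$outdir/$host.pem" "$outdir/$host.key" "$outdir/ca.key"
    rm -f "$outdir/ca.csr" "$outdir/ca.ext" "$outdir/$host.csr" "$outdir/$host.ext"
}

# verify_proxy_cert <outdir> <proxy dns name>: 0 if the server certificate
# chains to ca.crt and names the host in its SAN, which is what a Worker checks.
verify_proxy_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2"
}

# ca_safe_to_distribute <file>: 0 if the file is what Workers should import,
# a CA certificate and nothing else. A private key in the file you push to
# every render node would let any of them mint certificates for the proxy.
ca_safe_to_distribute() {
    ! grep -q 'PRIVATE KEY' "$1" &&
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage on the proxy host:
#   gen_proxy_certs /etc/haproxy/keys haproxy-01 10.0.0.5
#   verify_proxy_cert /etc/haproxy/keys haproxy-01 && ca_safe_to_distribute /etc/haproxy/keys/ca.crt
```

Run it as root so the resulting files end up owned by root; only ca.crt leaves the proxy host.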
Configuring HAProxy¶
The next step is to configure HAProxy to use your SSL certificate and forward traffic to the Cloud License Server. First, create a folder named /etc/haproxy, and then copy the keys folder that you created above to /etc/haproxy/keys. The .pem and .key files in it contain the proxy's private key; keep them owned by root and readable by no one else (mode 600). HAProxy reads them before it drops privileges, so the haproxy user does not need access. The configuration below also runs HAProxy as the haproxy user and group inside a chroot at /var/lib/haproxy and loads error pages from /etc/haproxy/errors. The CentOS/RedHat package creates the user, group and chroot directory; for the Ubuntu source build, create the haproxy system user and group yourself and create /var/lib/haproxy (owned by root, so the confined process cannot write into its own chroot). On either system make sure the seven errorfile paths exist (the HAProxy source tree ships them under examples/errorfiles), because HAProxy refuses to start when an errorfile it is told to load is missing, even in tcp mode.
Now create an HAProxy configuration file at /etc/haproxy/haproxy.cfg with the following contents. Two lines in the frontend incoming_https section need to be updated:
In the bind line, change the haproxy-01.pem certificate name to reference the certificate you created above.
In the reqrep line, replace the haproxy-01 host name with the DNS name or IP address of the HAProxy server (the same host that you created the certificate for). Note that reqrep is an HTTP-mode directive: with mode tcp, as used here, HAProxy ignores it and warns about that at startup, and HAProxy 2.1 removed the directive entirely (its replacement, http-request set-header, also requires mode http). Note also that the server line in the fno backend uses ssl verify none, so the proxy does not verify the Cloud License Server's certificate on its outbound connection and would accept an impostor on that path; on a proxy whose internet egress you do not fully control, use ssl verify required with a ca-file pointing at the system CA bundle instead.
global
    log /dev/log local0
    log /dev/log local1 notice
    # Drop privileges and confine the process. The haproxy user and group and
    # the /var/lib/haproxy directory must exist before startup.
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    # Relative crt and ca-file names below are resolved against these directories.
    ca-base /etc/haproxy/keys
    crt-base /etc/haproxy/keys
    # DH parameters for DHE cipher suites. 1024-bit is below the current
    # minimum; HAProxy itself warns and recommends at least 2048.
    tune.ssl.default-dh-param 2048
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 5000
    timeout client 3600000
    timeout server 3600000
    # These files are opened at startup even in tcp mode, so they must exist.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
frontend incoming_https
    # Terminate TLS from the Deadline Workers with the proxy's own certificate.
    # ca-file here is only used if client certificates are ever required
    # (verify required); it has no effect otherwise.
    bind *:443 ssl crt haproxy-01.pem ca-file ca.crt
    # Only effective in mode http; ignored in mode tcp and removed in HAProxy 2.1.
    reqrep "Host: haproxy-01" "Host: thinkbox.compliance.flexnetoperations.com"
    option tcplog
    mode tcp
    default_backend fno
backend fno
    mode tcp
    # Only used by health checks, and no server below enables them with "check".
    option ssl-hello-chk
    # Re-encrypt to the Cloud License Server. "verify none" skips certificate
    # verification on this leg, so any certificate presented is accepted.
    server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify none
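The same backend with the outbound leg verified, as an added example rather than part of the configuration tested above. It assumes the Debian/Ubuntu CA bundle path /etc/ssl/certs/ca-certificates.crt (CentOS/RedHat keeps it at /etc/pki/tls/certs/ca-bundle.crt) and the sni keyword, which needs HAProxy 1.6 or later; the global, defaults and frontend sections stay as they are.

```haproxy
# Added example: verified outbound connection instead of "ssl verify none".
# Only the backend changes.
backend fno
    mode tcp
    # verify required: refuse the connection unless the license server's
    # certificate chains to a CA in ca-file (system bundle; path is Debian/
    # Ubuntu's, use /etc/pki/tls/certs/ca-bundle.crt on CentOS/RedHat).
    # sni: send the server name in the TLS handshake so a hosted service on a
    # shared address returns the right certificate.
    # verifyhost: the name the presented certificate must match.
    server fno thinkbox.compliance.flexnetoperations.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(thinkbox.compliance.flexnetoperations.com) verifyhost thinkbox.compliance.flexnetoperations.com
```

With this in place a TLS interception device or a poisoned DNS answer on the proxy's internet path makes the backend connection fail instead of silently succeeding; that failure shows up in the HAProxy log as a server-side SSL handshake error, which is the behaviour you want from a box that holds your licence traffic.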
Now create an init script at /etc/init.d/haproxy with the following contents and make it executable. This is the Debian package's script, pointed at the source-built binary in /usr/local/sbin; on CentOS/RedHat the package installs its own service, so skip this step there. Note that the script exits silently, reporting success, unless ENABLED is set to a value other than 0, so either change the ENABLED=0 line below or create /etc/default/haproxy containing ENABLED=1 (the file the script sources, and the way the Debian package enables the service).
#!/bin/sh
### BEGIN INIT INFO
# Provides: haproxy
# Required-Start: $local_fs $network $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: fast and reliable load balancing reverse proxy
# Description: This file should be used to start and stop haproxy.
### END INIT INFO
# Author: Arnaud Cornet <acornet@debian.org>
PATH=/sbin:/usr/sbin:/bin:/usr/bin
PIDFILE=/var/run/haproxy.pid
CONFIG=/etc/haproxy/haproxy.cfg
HAPROXY=/usr/local/sbin/haproxy
EXTRAOPTS=
ENABLED=0
test -x $HAPROXY || exit 0
if [ -e /etc/default/haproxy ]; then
. /etc/default/haproxy
fi
test -f "$CONFIG" || exit 0
test "$ENABLED" != "0" || exit 0
[ -f /etc/default/rcS ] && . /etc/default/rcS
. /lib/lsb/init-functions
clean()
{
if [ -e "$tmp" ];then
rm -f "$tmp"
fi
}
trap clean EXIT
check_haproxy_config()
{
$HAPROXY -c -f "$CONFIG" >/dev/null
if [ $? -eq 1 ]; then
log_end_msg 1
exit 1
fi
}
haproxy_start()
{
check_haproxy_config
start-stop-daemon --quiet --oknodo --start --pidfile "$PIDFILE" \
--exec $HAPROXY -- -f "$CONFIG" -D -p "$PIDFILE" \
$EXTRAOPTS || return 2
return 0
}
haproxy_stop()
{
tmp=$(tempfile -s .haproxy.init)
if [ ! -f $PIDFILE ] ; then
# This is a success according to LSB
return 0
fi
ret=0
for pid in $(cat $PIDFILE); do
echo $pid > "$tmp"
start-stop-daemon --quiet --oknodo --stop \
--retry 5 --pidfile "$tmp" --exec $HAPROXY || ret=$?
done
[ $ret -eq 0 ] && rm -f $PIDFILE
return $ret
}
haproxy_reload()
{
check_haproxy_config
$HAPROXY -f "$CONFIG" -p $PIDFILE -D $EXTRAOPTS -sf $(cat $PIDFILE) \
|| return 2
return 0
}
haproxy_status()
{
if [ ! -f $PIDFILE ] ; then
# program not running
return 3
fi
for pid in $(cat $PIDFILE) ; do
if ! ps --no-headers p "$pid" | grep haproxy > /dev/null ; then
# program running, bogus pidfile
return 1
fi
done
return 0
}
case "$1" in
start)
log_daemon_msg "Starting haproxy" "haproxy"
haproxy_start
ret=$?
case "$ret" in
0)
log_end_msg 0
;;
1)
log_end_msg 1
echo "pid file '$PIDFILE' found, haproxy not started."
;;
2)
log_end_msg 1
;;
esac
exit $ret
;;
stop)
log_daemon_msg "Stopping haproxy" "haproxy"
haproxy_stop
ret=$?
case "$ret" in
0|1)
log_end_msg 0
;;
2)
log_end_msg 1
;;
esac
exit $ret
;;
reload|force-reload)
log_daemon_msg "Reloading haproxy" "haproxy"
haproxy_reload
ret=$?
case "$ret" in
0|1)
log_end_msg 0
;;
2)
log_end_msg 1
;;
esac
exit $ret
;;
restart)
log_daemon_msg "Restarting haproxy" "haproxy"
haproxy_stop
haproxy_start
ret=$?
case "$ret" in
0)
log_end_msg 0
;;
1)
log_end_msg 1
;;
2)
log_end_msg 1
;;
esac
exit $ret
;;
status)
haproxy_status
ret=$?
case "$ret" in
0)
echo "haproxy is running."
;;
1)
echo "haproxy dead, but $PIDFILE exists."
;;
*)
echo "haproxy not running."
;;
esac
exit $ret
;;
*)
echo "Usage: /etc/init.d/haproxy {start|stop|reload|restart|status}"
exit 2
;;
esac
:
Running HAProxy¶
Now that HAProxy is configured, it's almost ready to run. First, you need to restart rsyslog. Because HAProxy runs chrooted to /var/lib/haproxy, the /dev/log socket it logs to must exist inside that directory; the Debian package arranges this with a drop-in under /etc/rsyslog.d that adds a UNIX listen socket at /var/lib/haproxy/dev/log (rsyslog's AddUnixListenSocket directive), and restarting rsyslog creates the socket. Without it HAProxy still starts, but logs nothing.
>>> service rsyslog restart
Next, add HAProxy to the default runlevels on Ubuntu:
>>> update-rc.d haproxy defaults
or on CentOS/RedHat:
>>> chkconfig haproxy on
Finally, you can start HAProxy:
>>> service haproxy start
If the start reports success but nothing is listening on TCP port 443, the most likely cause is that ENABLED is still 0 in the init script and /etc/default/haproxy does not override it; the script then exits 0 without starting anything. A configuration error, on the other hand, is reported by the script's check_haproxy_config step before any start is attempted.
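A preflight check for the service set up above, as an added example that is not part of Thinkbox's instructions or the HAProxy project. It reads haproxy.cfg and the init script's defaults file and reports the conditions that make the start fail or, worse, report success without starting anything: a missing chroot directory, user or group, missing errorfiles, a certificate bundle that is missing or readable by others, a missing syslog socket inside the chroot, and ENABLED left at 0. The config and defaults paths are arguments; the ones in the usage line are the paths used on this page.

```sh
#!/bin/sh
# Added example, not part of the page's instructions or of HAProxy: preflight
# check for the hand-built HAProxy service. Reads haproxy.cfg and the init
# script's defaults file and prints one line per problem.

# preflight_haproxy <haproxy.cfg> [<defaults file>]
# Returns non-zero if anything would stop HAProxy from starting correctly.
# Warnings (logging only) are printed but do not change the result.
preflight_haproxy() {
    cfg=$1
    defaults=${2:-/etc/default/haproxy}
    rc=0

    if [ ! -r "$cfg" ]; then
        echo "error: cannot read $cfg"
        return 1
    fi

    # Global settings the checks depend on. awk's $1 skips indentation and a
    # comment line never equals a keyword.
    chroot_dir=$(awk '$1=="chroot"{print $2}' "$cfg")
    run_user=$(awk '$1=="user"{print $2}' "$cfg")
    run_group=$(awk '$1=="group"{print $2}' "$cfg")
    crt_base=$(awk '$1=="crt-base"{print $2}' "$cfg")

    # A chroot directory that does not exist is fatal at startup.
    if [ -n "$chroot_dir" ] && [ ! -d "$chroot_dir" ]; then
        echo "error: chroot directory $chroot_dir does not exist"
        rc=1
    fi

    # Logging to /dev/log from inside a chroot needs the socket inside it.
    if [ -n "$chroot_dir" ] && grep -q '^[[:space:]]*log[[:space:]]*/dev/log' "$cfg" \
       && [ ! -S "$chroot_dir/dev/log" ]; then
        echo "warning: no syslog socket at $chroot_dir/dev/log; HAProxy will log nothing"
    fi

    # The user and group to drop privileges to must exist; a source build
    # creates neither.
    if [ -n "$run_user" ] && ! id -u "$run_user" >/dev/null 2>&1; then
        echo "error: user $run_user does not exist"
        rc=1
    fi
    if [ -n "$run_group" ] && ! grep -q "^$run_group:" /etc/group; then
        echo "error: group $run_group does not exist"
        rc=1
    fi

    # Every errorfile is opened when the config is parsed, even in tcp mode.
    for f in $(awk '$1=="errorfile"{print $3}' "$cfg"); do
        if [ ! -r "$f" ]; then
            echo "error: errorfile $f is missing"
            rc=1
        fi
    done

    # Each "crt" on a bind line: resolve a relative name against crt-base,
    # require the file to exist and, since it holds the private key, be 0600.
    for crt in $(awk '{for (i = 1; i < NF; i++) if ($i == "crt") print $(i+1)}' "$cfg"); do
        case $crt in
            /*) path=$crt ;;
            *)  path=$crt_base/$crt ;;
        esac
        if [ ! -r "$path" ]; then
            echo "error: certificate $path is missing"
            rc=1
        elif [ "$(stat -c %a "$path")" != "600" ]; then
            echo "error: $path is mode $(stat -c %a "$path"), expected 600 (it contains the private key)"
            rc=1
        fi
    done

    # The Debian-style init script exits 0 without starting HAProxy unless
    # ENABLED is set to something other than 0 in the defaults file.
    if ! grep -q '^ENABLED=[^0]' "$defaults" 2>/dev/null; then
        echo "error: ENABLED=1 is not set in $defaults; the init script would exit without starting HAProxy"
        rc=1
    fi

    return $rc
}

# Usage on the proxy host, once the config and init script are in place:
#   preflight_haproxy /etc/haproxy/haproxy.cfg && haproxy -c -f /etc/haproxy/haproxy.cfg
```

Run it before the first start and after any change to the keys directory; HAProxy's own -c check catches syntax errors but not a world-readable key bundle or a disabled init script.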
Network Access Requirements¶
There are two network access requirements: the Deadline Workers must be able to connect to the Proxy, and the Proxy must be able to connect to the Cloud License Server.
First, ensure that the render nodes that the Deadline Workers are running on can reach the Proxy on TCP port 443. Nothing else on the Proxy needs to be reachable from the Workers for licensing.
Second, ensure that the Proxy can reach thinkbox.compliance.flexnetoperations.com on TCP port 443. If your egress firewall needs the IP address rather than the name, you can look it up by running the following command in a command prompt or terminal:
>>> nslookup thinkbox.compliance.flexnetoperations.com
Look in the "Address" field of the output. Because the Cloud License Server is a hosted service, the address it resolves to may change, so an egress rule pinned to a single IP can stop working later; prefer a name-based rule where your firewall supports it, and re-check the address if the Proxy suddenly fails to connect. The nslookup command is available on Windows, Mac OS X and Linux.
Configuring Deadline¶
Now that the Cloud License Server Proxy is running, you need to configure the Deadline Workers to point to it. The process is almost the same as if you were pointing to the Cloud License Server directly. The only difference is that instead of entering the URL to the Cloud License Server, you’ll be entering the URL to the Cloud License Server Proxy server. Note that you still enter an Activation Code as usual.
For example, let’s assume that the original URL was this:
https://thinkboxuat.compliance.flexnetoperations.com/instances/A1B2C3D4E5F6/request
If your Cloud License Server Proxy machine is called haproxy-01, you'll enter in the following URL instead (the host name must be the one the proxy's certificate was issued for; if the Workers are to use an IP address, the certificate must cover that IP):
https://haproxy-01/instances/A1B2C3D4E5F6/request
Finally, if you used a self-signed CA certificate, you'll need to import /etc/haproxy/keys/ca.crt as a trusted root certificate on any Deadline Worker machines that will be pulling licenses through the Cloud License Server Proxy. Distribute only ca.crt; the .pem and .key files in that folder contain the proxy's private key and must stay on the proxy. Also make sure the host in the backend server line of haproxy.cfg is the same host your original activation URL pointed at, since the proxy forwards every request there. Once this is done, the Deadline Workers should be able to check out render time as if they were connected directly to the Cloud License Server.