
Info

This article is valid for Digital Access 6.2 and later.

This article describes how to run Smart ID Digital Access component in distributed mode.

Distributed mode is used when the different functions of the Digital Access component are distributed across several virtual appliances. A typical case is enforcing access in one appliance (PEP, Policy Enforcement Point) and processing the authorization and authentication requests in another (PDP, Policy Decision Point). In this case you need two appliances: one that runs the access point and one that runs the other Digital Access component services.

Administration service limitations

There can be only one administration service in a node network. Nodes running other services must be connected to the administration service node. Once a service has successfully connected to an administration service, that service cannot easily be switched to another appliance's administration service.

Note
  • Manager node is the node that hosts the administration service.

  • Worker node is a node that hosts other services, not running the administration service.

  • Make sure that user ID 1003 and group ID 1003 are available (not already taken by another account) on each node.

Prerequisites

  • Two Digital Access appliances with the services installed and Docker Swarm available.

  • The following ports must be open to traffic to and from each Docker host participating in the overlay network:

    • TCP port 2377 for cluster management communications

    • TCP and UDP port 7946 for communication among nodes

    • UDP port 4789 for overlay network traffic

    Restrict these ports to the addresses of the other swarm nodes; they should not be reachable from untrusted networks. Note that overlay data traffic on UDP port 4789 is not encrypted unless the overlay network is created with --opt encrypted.

  • For more details refer to: https://docs.docker.com/network/overlay/

  • Keep a note of the IP addresses of the nodes where the access point is running.

Step-by-step instruction

Get token and stop services - manager node

Get cluster join token

  1. SSH to the node running the administration service, that is, the manager node.

  2. Get the cluster join token by running this command. The token is used to join worker nodes to the manager node. Treat it as a credential: any host that can reach TCP port 2377 on the manager and presents this token can join the swarm as a worker. If it is exposed, rotate it with sudo docker swarm join-token --rotate worker.

     Code Block
     sudo docker swarm join-token worker

The output of the command will be like:

Code Block
docker swarm join --token SWMTKN-1-5dxny21y4oslz87lqjzz4wj2wejy6vicjtqwq33mvqqni42ki2-1gvl9xiqcrlxuxoafesxampwq 192.168.253.139:2377

Stop services

Stop the running services:

Code Block
sudo docker stack rm <your da stack name>

Join as worker nodes

See Join as worker nodes in Set up high availability for Digital Access component.

At manager node

Remove labels, verify and identify nodes

  1. SSH to the manager node.

  2. Remove the label for every service that should no longer run on this node. In the PEP/PDP split described above, that is the access point label:

     Code Block
     sudo docker node update --label-rm da-access-point <nodeid>

  3. Verify that all nodes are part of the cluster:

     Code Block
     sudo docker node ls

  4. Identify the node IDs of the manager and of each worker to which a service will be distributed. The address in the status output maps a swarm node ID to a Digital Access appliance; compare it with the IP addresses noted in the prerequisites:

     Code Block
     sudo docker node inspect --format '{{ .Status }}' h9u7iiifi6sr85zyszu8xo54l

     Output: {ready  192.168.86.129} - the IP address identifies the DA node. Only distribute services to a node whose state is ready.

Update labels for each service

  1. Update the labels for each service that you want to run on worker nodes. <worker node ID> is the ID of the node on which the service will run:

     Code Block
     sudo docker node update --label-add da-policy-service=true <worker node ID>
     sudo docker node update --label-add da-access-point=true <worker node ID>

  2. Deploy your stack with this command. Run it from the docker-compose directory, that is, the directory that contains docker-compose.yml:

     Code Block
     sudo docker stack deploy --compose-file docker-compose.yml -c network.yml -c versiontag.yml <your da stack name>

Here:

  • docker stack deploy is the command that deploys the services as a stack.

  • --compose-file provides the file name of the base docker-compose file.

  • -c is short for --compose-file. It is used to provide override files for docker-compose; the files are merged in the order given, with later files overriding earlier ones.

  • <your da stack name> is the name of the stack. You can change it based on your requirements.
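The following script is an added example and is not part of the Digital Access documentation or product. It wraps the label and deploy commands from the steps above in a POSIX sh script that looks up the worker node by the access-point IP address noted in the prerequisites and refuses to label it unless the swarm reports it as ready, which is the check a practitioner would otherwise do by hand with docker node inspect. The node IDs, addresses and the stack name da in the sample node list are constructed for the example; the environment variables DA_APPLY, DA_WORKER_IP and DA_STACK are this example's own, not product settings.

```shell
#!/bin/sh
# Added example, not part of the Smart ID Digital Access documentation.
# Plans (and optionally applies) the label changes and stack deployment from
# the steps above, but refuses to label a worker that the swarm does not
# report as Ready. The decision logic only reads text, so it runs here against
# a constructed node list; set DA_APPLY=1 on the manager node to query the
# real swarm and execute the resulting docker commands.

# Constructed sample: one line per node in the shape produced by
#   docker node inspect --format '{{ .ID }} {{ .Status.State }} {{ .Status.Addr }}' <id>
# Node IDs and addresses are invented for this example.
SAMPLE_NODES='h9u7iiifi6sr85zyszu8xo54l ready 192.168.86.129
k2m7v1pq0zr3j5c8xw6tn4dya ready 192.168.86.130
q8c1nf3y7bz2m4rl6vk9ws5eh down 192.168.86.131'

# Print the node ID whose swarm address is $2, given "id state addr" lines in $1.
# Exit status: 0 found and Ready, 1 no such address, 2 found but not Ready.
ready_node_id_for_ip() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        $3 == ip { found = 1; if ($2 == "ready") { print $1; exit 0 }; exit 2 }
        END { if (!found) exit 1 }'
}

# Emit one `docker node update --label-add` per label for node $1.
plan_labels() {
    node=$1; shift
    for label in "$@"; do
        printf 'docker node update --label-add %s=true %s\n' "$label" "$node"
    done
}

# Emit the full command list for the PEP/PDP split: drop da-access-point from
# the manager, label the worker, redeploy the stack. Fails without emitting
# anything if the worker is missing or not Ready.
# $1 node list, $2 manager node ID, $3 worker address, $4 stack name
plan_distribution() {
    worker_id=$(ready_node_id_for_ip "$1" "$3") || {
        echo "node $3 is missing or not Ready; refusing to label it" >&2
        return 1
    }
    printf 'docker node update --label-rm da-access-point %s\n' "$2"
    plan_labels "$worker_id" da-policy-service da-access-point
    printf 'docker stack deploy --compose-file docker-compose.yml -c network.yml -c versiontag.yml %s\n' "$4"
}

if [ "${DA_APPLY:-0}" = 1 ]; then
    # Live mode (run on the manager node): DA_WORKER_IP is the access-point
    # appliance address noted in the prerequisites, DA_STACK the stack name.
    nodes=$(for id in $(sudo docker node ls -q); do
        sudo docker node inspect --format '{{ .ID }} {{ .Status.State }} {{ .Status.Addr }}' "$id"
    done)
    manager=$(sudo docker info --format '{{ .Swarm.NodeID }}')
    plan_distribution "$nodes" "$manager" "$DA_WORKER_IP" "$DA_STACK" | while read -r cmd; do
        echo "+ $cmd"
        sudo $cmd   # intentionally unquoted: split the planned command into its arguments
    done
else
    # Dry run on the constructed sample: worker 192.168.86.130 is Ready, so the
    # plan is printed; try 192.168.86.131 to see the refusal.
    plan_distribution "$SAMPLE_NODES" h9u7iiifi6sr85zyszu8xo54l 192.168.86.130 da
fi
```

Run without arguments to print the planned commands for the sample; on the manager node, DA_APPLY=1 DA_WORKER_IP=<access point IP> DA_STACK=<your da stack name> sh da-distribute.sh queries the swarm and executes the plan. Keeping the docker calls out of the decision functions is what makes the readiness check testable before it ever touches a live cluster.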


Additional information

Useful links