Security minded organisations have the option of deploying Foldr in a multi-appliance scenario where the central configuration database can be held on a non-internet facing appliance and one or more client access Foldr appliances can be deployed for handling user sessions.
To configure the mode an appliance is running is use the controls available within Infrastructure >> Configuration >> Appliance Mode.
Infrastructure / Database Appliance
To designate an appliance in this mode select ‘Provide database services to other appliances’. Enter the IP address of all other client access nodes, do not enter client access hostnames. Based upon the value(s) entered, the internal firewall on the appliance is automatically configured when the settings are applied.
Disabling Client Access (user sessions) on the Infrastructure / Database appliance
By default this setting is enabled, however it may desirable for an administrator to disallow user access to an appliance in Infrastructure mode.
Client Access Appliance
To designate an appliance in Client Access mode, select ‘Connect to another appliance for database services’. Enter the IP address of the infrastructure appliance in the field provided. Based upon the value entered, the internal firewall on the appliance is automatically configured when the settings are applied.
Creating an Infrastructure Cluster
Foldr v4 supports clustering the infrastructure role across any number of appliances from 2-20 instances. This may be desirable for environments that have the server resources available to create a scalable and highly available Foldr deployment.
The clustering technology used in Foldr v4 provides synchronous multi-master replication and as such any database changes made on one cluster node are immediately replicated to others in the cluster with no risk of data loss, even in the event of a cluster node going offline.
It is recommended to use a minimum of 3 nodes (infrastructure appliances) when creating a clustered environment to avoid a possible split-brain scenario. A 3 node cluster is able to support a single appliance failure and will continue to run without disruption from the 2 remaining appliances.
The steps to create a multi-node cluster are:
- Configure each appliance with a static IP address (or use reservations in DHCP to avoid possible IP configuration changes)
- Select ‘Provide database services to other appliances’ from Foldr Settings >> Infrastructure, entering the IP address of each cluster member in the Cluster tab. IMPORTANT – It is vital that you include the IP address of the appliance that you’re currently configuring on each.
- Once all cluster members have been configured and the changes saved. You should power down all but one cluster members. Once all cluster members are offline, reboot the remaining cluster member and wait for the system to complete the boot sequence.
- All other cluster members can now, one at a time, be powered on. It is recommended that you allow each system to complete the boot process (So the login screen is shown on the console) before powering on the next cluster member.
- If using satellite client access appliances to work with the infrastructure cluster, enter the IP address of each under TRUSTED SERVERS within Foldr Settings >> Infrastructure.
Checking Cluster Status
When the database cluster is operational you should be able to make changes on any cluster member or client access appliance (Add service account, install a licence, add shares, service accounts and so on) and all changes should be quickly reflected across all other members of the cluster.
You can check the size and health and of your cluster using the verbose information displayed on the Cluster tab. You should pay attention to the following three options in particular.
wsrep_cluster_size – This will display the number of nodes currently in the cluster (recommended minimum of 3) – Note that client access appliances do not count towards the total cluster size.
Checking Replication Health
wsrep_local_send_queue avg and wsrep_local_recv_queue_avg – In normal circumstances both values should remain at 0.0 (or very close to it). A higher value indicates replication throttling or network throughput issues.
Configuring Client Access Appliances with a Cluster For best performance and failover, it is recommended that you configure each client access appliance to use one cluster member for main database operations (read), another for database writes and select a third cluster member for failover.
Encryption Keys in an Infrastructure & Client Access deployment
IMPORTANT – When deploying Foldr v4 in multi-appliance design, the encryption key and hashing salt must match across all client access appliances.
You can reveal the encryption keys being used from Foldr Settings >> Infrastructure >> Keys and you will be prompted to supply the fadmin account password to reveal the current encryption key. To replace the key & salt, highlight the existing value from another appliance and copy/paste in the new desired value, finally click Save. Once the encryption key has been changed your session will be logged out and you will need to log back into Foldr Settings.