DevOps Braga #12 discussed infrastructural challenges at a fast-growing startup and solutions implemented by the DevOps team. The startup had storage issues with large VMs and a monolithic infrastructure across regions. The team rethought the infrastructure, moving to smaller VMs with horizontal scaling, SMB file sharing, and an HAProxy load balancer. They also discussed implementing containers to build a microservices-oriented pipeline with autonomous CI/CD environments for each team.

1. DevOps Braga #12:
Infrastructural challenges of a
fast-pace startup
Gustavo Balbino | Rui Matos - DevOps Team

2. Agenda
About Us
Storage Issues
Rethinking our Infrastructure
Load balancing Web Applications
Containers

3. Primeira Gráfica Online Portuguesa, líderes Ibéricos e no Brasil
• Founded in 2013
• 200 Employees
• Offices in 3 cities
• Braga
• Torres Vedras
• Lisboa
• Looking for +150 employees by the end 2019
• 21 countries
North America
Brazil
Europe
*GB
IE
FR
DE
IT
PL
CZ
NL
AT
SE
DK
BE
CH
NO
FI

4. 3 Stores
Brazil MexicoIberia
Each Store is (almost) independent in terms of infrastructure, virtual machines, database, etc…

5. 2019 Market Expansion
Iberia Europe
Mexico North America

6. 100% Cloud - Microsoft
Azure

7. Some numbers
40
VMs
19
DBs
90
Disks

8. Production Resources

9. Storage Issues

10. 2 Big Size VMs >= D8s v3
Azure Load Balancer
Windows VMs running IIS, SOFS e S2D
Scalable but at what cost?
Production Environment MX Aug/2018

11. Windows Server 2012 R2 Scale-Out File Server
• A set of clustered file servers that make
up a transparent failover file server
cluster
• SOFS is a fantastic way to deploy small
and affordable clustered storage
• The Concept of Storage Spaces
Direct (S2D)
• Fault Tolerance
• Performance
• Scaling Out and In

12. Rethinking our infrastructure

13. One role, one machine
HAProxy Load Balancer
Smaller size VMs
Horizontal & vertical scalability
Divide to conquer

14. 2 Smaller Virtual Machines
Faster Asynchronous replication every 30 seconds
Dedicated NICs for Replication
Scalable
SMB File Server with Storage Replica

15. Load Balancing Web Applications

16. Azure Load Balancer

17. Load balancing methods

18. What is HAProxy
• HAProxy (High Availability Proxy) , is a popular open source software TCP/HTTP
Load Balancer and proxying solution which can be run on Linux, Solaris and
FreeBSD.
• Its most common use is to improve the performance and reliability of a server
environment by distributing the workload across multiple servers (Web,
applications, databases).
• Some happy users;
 GitHub
 Reddit
 Instagram
 Stack Overflow
 Twitter
 Tumblr
 Vimeo
 YouPorn

19. Why HAProxy?
• Absolutely free and and widely supported
• Supports SPDY (obsolet) & HTTP/2
• Supports Traffic Encryption & SSL Termination
• Let's Encrypt ACME client integration
• Access to Integrated Server Monitoring Dashboard
• Several Load Balancing Algorithms/Configurations
• Easy to form a Active/Passive cluster configuration
• “Runtime API” for automation/integration
• Personalized error page

20. Active/Passive Health Check in a private
cloud

21. How to implement it in Azure?
PUBLIC IP ADDRESS AZURE LOAD BALANCER 2 VIRTUAL MACHINES

22. HAProxy & Keepalived Installation
sudo apt-get update
sudo apt-get -y upgrade
sudo apt-get install -y software-properties-common
sudo apt-get install -y haproxy keepalived
sudo apt-get install socat

23. Inbound NAT rules LB Azure
Inbound Custom port NAT for SSH - because you won’t have an addressable IP Address to operate your machines

24. Building an Active/Passive HAProxy in
Azure
Set during LB creation
Where you’ll declare HAProxy VM NIC
Simple check over port 80
HTTP & HTTPS

25. Before Keepalived MagicEnabling non local Virtual IP binding
sudo nano /etc/sysctl.conf
net.ipv4.ip_nonlocal_bind=1
fs.file-max = 10000000
fs.nr_open = 10000000
net.ipv4.tcp_mem = 786432 1697152 1945728
net.ipv4.tcp_rmem = 4096 4096 16777216
net.ipv4.tcp_wmem = 4096 4096 16777216
net.ipv4.ip_local_port_range = 1024 65000
sudo sysctl -p

26. Keepalived configuration MASTERglobal_defs {global_defs {
enable_script_security
script_user root
}
enable_script_security
script_user root
}
/etc/keepalived/keepalived.conf
vrrp_script chk_appsvc {
script /usr/local/sbin/keepalived-check.sh
interval 1
fall 2
rise 2
}
vrrp_instance VIP_1 {
advert_int 1
interface eth0
authentication {
auth_type PASS
auth_pass S0meTrickP4ss0rdY0uCantR3m3mb3R
}
virtual_router_id 51
virtual_ipaddress {
111.222.333.444
}
track_script {
chk_appsvc
}
notify /usr/local/sbin/keepalived-action.sh
notify_stop "/usr/local/sbin/keepalived-action.sh INSTANCE VIP_1 STOP"
state MASTER
priority 101
unicast_src_ip 10.255.1.51
unicast_peer {
10.255.1.52
}
}

27. Keepalived configuration SLAVEglobal_defs {global_defs {
enable_script_security
script_user root
}
enable_script_security
script_user root
}
/etc/keepalived/keepalived.conf
vrrp_script chk_appsvc {
script /usr/local/sbin/keepalived-check.sh
interval 1
fall 2
rise 2
}
vrrp_instance VIP_1 {
advert_int 1
interface eth0
authentication {
auth_type PASS
auth_pass S0meTrickP4ss0rdY0uCantR3m3mb3R
}
virtual_router_id 51
virtual_ipaddress {
111.222.333.444
}
track_script {
chk_appsvc
}
notify /usr/local/sbin/keepalived-action.sh
notify_stop "/usr/local/sbin/keepalived-action.sh INSTANCE VIP_1 STOP"
state SLAVE
priority 100
unicast_src_ip 10.255.1.52
unicast_peer {
10.255.1.51
}
}

28. Keepalived check script
#!/bin/bash
URL="http://localhost"
if [[ `curl -s -o/dev/null --connect-timeout 0.5 $URL; echo $?` -ne 0 ]]; then
exit 1
else
exit 0
fi
/usr/local/sbin/keepalived-check.sh

29. #!/bin/bash
TYPE=$1
NAME=$2
STATE=$3
modify_probe_status_http() {
STATUS=$1
LB_PROBE_PORT=80
LB_PROBE_DEV=eth0
if [[ $STATUS == "down" ]]; then
# Add firewall rule to block LB probe port
/sbin/iptables -A INPUT -p tcp --dport $LB_PROBE_PORT -j REJECT -i $LB_PROBE_DEV
elif [[ $STATUS == "up" ]]; then
# Remove all entries to block LB probe port
RC=0
while [[ $RC -eq 0 ]]; do
RC=`/sbin/iptables -D INPUT -p tcp --dport $LB_PROBE_PORT -j REJECT -i $LB_PROBE_DEV 2>/dev/null; echo $?`
done
else
echo "Unknown probe status"
fi
}
if [[ "$NAME" == "VIP_1" ]]; then
case $STATE in
"MASTER") modify_probe_status_http up
exit 0
;;
"BACKUP"|"STOP") modify_probe_status_http down
exit 0
;;
"FAULT") modify_probe_status_http down
exit 0
;;
*) echo "unknown state"
exit 1
;;
esac
else
echo "Nothing to do"
exit 0
fi
HAPROXY is DOWN
/sbin/iptables -A INPUT -p tcp --dport 80 -j REJECT -i eth0
HAPROXY is UP
/sbin/iptables -D INPUT -p tcp --dport 80 -j REJECT -i eth0
Keepalived action script
/usr/local/sbin/keepalived-action.sh

30. Keepalived in Action/Demo
Master HAProxy Slave HAProxy
Because Azure LB can reach port 80, IP is delivered to VM

31. In what ways can HAProxy help you?
• Protect you from DDoS;
• Prevent SQL Injection and abnormal user behavior;
• Segregate traffic, by URL, domain, user agent, IP ranges and many, many more;
• URL Redirect and request rewrites;
• Cache server for small objects;
• Centralized logging
• Compression

32. Containers

33. Production Microservices
Linux hosts
Docker containers – 4 already!
Scale ready infrastructure
One infrastructure per region

34. Deployment infrastructure

35. Where we are
Team City is our CI – It builds the software
Octopus is hosted as a tentacle on each machine, and deploys the software
A total of 50 steps on the build process and 66 on the deployment phase
The complete deployment process could take about 2 hours right now

36. New pipeline – Microservices oriented
Jenkins is just an orchestrator
Docker pipeline will build the container image and push to the registry
Ansible will deploy the container in the Linux hosts via SSH

37. New pipeline – Microservices oriented
A real DevOps environment
Run by the Teams!
Autonomous CI/CD environment

38. Q & A
gustavo.balbino@360imprimir.pt | https://www.linkedin.com/in/gustavo-lima-969890a9/
rui.matos@360imprimir.pt | https://www.linkedin.com/in/rui-matos/