This describes the devices we deploy in the [[ phacility_cluster | Phacility Cluster]], and some related things which aren't technically devices.
Device Classes
======
| Device Class | Pool Size | Description | Notes |
|---|---|---|---|
| admin | 1 | Admin Application Server | Serves `admin.phacility.com`. |
| alb | 1 | Admin Load Balancer | ELB for `admin.phacility.com`. |
| bastion | 1 | SSH Bastion Host | Bastion host for ops commands. |
| db | 1 | Database Server | Runs MySQL. |
| lb | 1 | Web Load Balancer | ELB for instances. |
| repo | 1 | Repository + Daemon Host | Terminates VCS HTTP/SSH traffic. |
| vault | 1 | SSH Load Balancer | Load balances VCS SSH requests. |
| web | 1 | Application Server | Terminates normal HTTP traffic. |
Storage Classes
=======
| Storage Class | Count | Notes |
|---|---|---|
| adata | 1 | Administrative server working storage. |
| bak | 1 | Stores backups. |
| data | 1 | Database server working storage. |
| store | 1 | Repository working storage. |
Service Classes
=======
| Service Class | Count | Notes |
|---|---|---|
| repox | 1 | Repository cluster service, may have multiple devices. |
| dbx | 1 | Database cluster service, may have multiple devices. |
Device: admin
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Internal | Operational SSH access. |
| 80 | Internal | Accepts requests from `alb` and `web` devices. |
These servers host `admin.phacility.com` and run the Instances application.
Instances in the cluster also make calls here to retrieve configuration.
Currently, a maximum of one `admin` device is supported, because some details about database credentials are assumed. Minor software changes are required to expand the size of this pool.
Device: alb
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 80 | Public Internet | Serves `http://admin.phacility.com`. |
| 443 | Public Internet | Serves `https://admin.phacility.com`. |
These are ELBs which sit in front of the `admin` pool and terminate SSL for public requests to the web UI.
Device: bastion
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Public Internet | Gatekeeper for operational access. |
For details on bastion hosts, see [[ phacility_cluster/bastion | Phacility Cluster Bastion]].
Device: db
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Internal | Operational SSH access. |
| 3306 | Internal | Provides MySQL services. |
These database servers run MySQL.
Device: lb
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 80 | Public Internet | Serves `phacility.com` wildcard DNS. |
| 443 | Public Internet | Serves `phacility.com` wildcard DNS. |
These are ELBs which sit in front of the `web` pool and terminate SSL for instance requests.
Device: repo
======
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Internal | Operational SSH access. |
| 80 | Internal | Serves Conduit requests from `web` hosts. |
| 2223 | Internal | Serves SSH requests from `web` hosts. |
These devices store and serve repositories, and run daemons.
Device: vault
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Public Internet | Serves `vault.phacility.com` over SSH, forwarding requests to the `web` tier. |
| 2222 | Internal | Operational SSH access. |
These devices are SSH load balancers. They're implemented as normal hosts running HAProxy instead of as ELBs because ELBs cannot forward inbound traffic on port 22.
Eventually, it would be nice to either merge these into the ELBs (if ELBs support forwarding port 22 in the future) or merge the ELBs into these (if we have some stronger reasoning for running our own load balancers).
The cost of having these machines in a separate class is twofold: the raw cost of more moving parts, and the need to serve SSH from `vault.phacility.com` (which we can direct here via DNS) instead of directly from instance domains. If we could merge the HTTP and SSH load balancing, we could accept both HTTP and SSH traffic on instance domains.
(We could serve SSH traffic on instance domains on a nonstandard port which the ELBs do support, but this seems worse to me than serving from a dedicated domain. We could also serve from both, so `instance@vault.phacility.com` and `instance@instance.phacility.com:2345` would both work.)
Device: web
=====
| Listening Port | Interface | Notes |
|---|---|---|
| 22 | Internal | Operational SSH access. |
| 80 | Internal | Serves HTTP application traffic from `lb` balancers. |
| 2223 | Internal | Serves SSH application traffic from `vault` balancers. |
These are standard application web servers.
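
The port tables above can double as a baseline for drift checks. The following is an added example, not part of Phacility's own tooling: it transcribes the tables into a hypothetical `EXPECTED` map and diffs it against `ss -ltn` output from a host (the sample output is constructed).

```python
# Added example: compare a host's listening TCP ports with the port tables on this page.
# EXPECTED is transcribed from the "Device:" tables; all names here are hypothetical.
EXPECTED = {
    "admin":   {22: "internal", 80: "internal"},
    "alb":     {80: "public", 443: "public"},
    "bastion": {22: "public"},
    "db":      {22: "internal", 3306: "internal"},
    "lb":      {80: "public", 443: "public"},
    "repo":    {22: "internal", 80: "internal", 2223: "internal"},
    "vault":   {22: "public", 2222: "internal"},
    "web":     {22: "internal", 80: "internal", 2223: "internal"},
}

def listening_ports(ss_output):
    """Parse `ss -ltn` output into the set of non-loopback listening ports."""
    ports = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # skips the header row and blank lines
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        if addr.startswith("127.") or addr == "::1":
            continue  # loopback-only listeners are not reachable from other hosts
        ports.add(int(port))
    return ports

def audit(device_class, ss_output):
    """Return (unexpected, missing) ports for a host of the given device class."""
    expected = set(EXPECTED[device_class])
    observed = listening_ports(ss_output)
    return sorted(observed - expected), sorted(expected - observed)

def public_ports():
    """Every (device class, port) pair the page documents as Internet-facing."""
    return sorted((dev, port) for dev, ports in EXPECTED.items()
                  for port, iface in ports.items() if iface == "public")

# Constructed sample: a `db` host with a stray listener on 8080.
SAMPLE_DB = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      151    0.0.0.0:3306       0.0.0.0:*
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
LISTEN 0      128    [::]:8080          [::]:*
"""

if __name__ == "__main__":
    print(audit("db", SAMPLE_DB))
    print(public_ports())
```

The `public_ports()` list is the set to reconcile against firewall or security group rules; anything Internet-reachable that is not on it contradicts the tables above.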