How to install more instances of privacyidea webservers with an existing percona cluster

Hi all, we need to install privacyidea in HA mode both frontend (privacyidea web servers) and DB servers.

The documentation only tells you to use the same secret, enckey, the same audit keys, the same pi_pepper and so on, but says nothing on the installation side.

What I did was:

I followed the installation for Ubuntu (we use 22.04 LTS), so:

  • added repository signature
  • added repository
  • installed privacyidea-apache2
    it installed everything it needed (also mysql-server), created all the keys and created the DB locally.

I used Ansible to do all the tasks; after that I configured pi.cfg to use an external Percona cluster (master-master), which gives access to both privacyidea servers.

I copied enckey, secret, audit keys and all the needed from the first privacyidea server to the second (all with ansible).

On the Percona cluster I created the DB manually:

CREATE DATABASE privacyidea;

then on the first server I executed

pi-manage createdb

and automatically all the tables were created on the percona cluster.

Is this enough to have privacyidea working, or does the automatic installation process perform other steps?

Can I remove mysql-server without problems when using an external Percona cluster?

I had to fix permissions to 0644 on pi.cfg and public.pem and 0600 on private.pem (Ansible used a different default). Did I miss something?

What else do I have to do now?

Because the web interface appears with the login/password prompt, but on the right side it shows in red "500 internal server error"; I attached the screenshot.

In the Apache log I have:

[Fri Mar 31 18:54:08.399379 2023] [wsgi:error] [pid 43781:tid 139995924543040] The configuration name is: production
[Fri Mar 31 18:54:08.399463 2023] [wsgi:error] [pid 43781:tid 139995924543040] Additional configuration will be read from the file /etc/privacyidea/pi.cfg
[Fri Mar 31 18:54:08.527076 2023] [wsgi:error] [pid 43781:tid 139995924543040] Using PI_LOGLEVEL and PI_LOGFILE.
[Fri Mar 31 18:54:08.527126 2023] [wsgi:error] [pid 43781:tid 139995924543040] Using PI_LOGLEVEL 20.
[Fri Mar 31 18:54:08.527141 2023] [wsgi:error] [pid 43781:tid 139995924543040] Using PI_LOGFILE /var/log/privacyidea/privacyidea.log.

[Fri Mar 31 19:14:13.583824 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083] mod_wsgi (pid=43781): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Fri Mar 31 19:14:13.585031 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083] Traceback (most recent call last):
[Fri Mar 31 19:14:13.585119 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/connections.py", line 732, in _read_bytes
[Fri Mar 31 19:14:13.585165 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     data = self._rfile.read(num_bytes)
[Fri Mar 31 19:14:13.585203 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/usr/lib/python3.10/socket.py", line 705, in readinto
[Fri Mar 31 19:14:13.585234 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     return self._sock.recv_into(b)
[Fri Mar 31 19:14:13.585276 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083] ConnectionResetError: [Errno 104] Connection reset by peer
[Fri Mar 31 19:14:13.585334 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]
[Fri Mar 31 19:14:13.585368 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083] During handling of the above exception, another exception occurred:
[Fri Mar 31 19:14:13.585397 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]
[Fri Mar 31 19:14:13.585442 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083] Traceback (most recent call last):
[Fri Mar 31 19:14:13.585533 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/sqlalchemy/engine/base.py", line 1276, in _execute_context
[Fri Mar 31 19:14:13.585575 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     self.dialect.do_execute(
[Fri Mar 31 19:14:13.585634 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/sqlalchemy/engine/default.py", line 608, in do_execute
[Fri Mar 31 19:14:13.585666 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     cursor.execute(statement, parameters)
[Fri Mar 31 19:14:13.585704 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/cursors.py", line 148, in execute
[Fri Mar 31 19:14:13.585737 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     result = self._query(query)
[Fri Mar 31 19:14:13.585771 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/cursors.py", line 310, in _query
[Fri Mar 31 19:14:13.585814 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     conn.query(q)
[Fri Mar 31 19:14:13.585873 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/connections.py", line 548, in query
[Fri Mar 31 19:14:13.585919 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     self._affected_rows = self._read_query_result(unbuffered=unbuffered)
[Fri Mar 31 19:14:13.585974 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/connections.py", line 775, in _read_query_result
[Fri Mar 31 19:14:13.586011 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     result.read()
[Fri Mar 31 19:14:13.586046 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/connections.py", line 1156, in read
[Fri Mar 31 19:14:13.586076 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     first_packet = self.connection._read_packet()
[Fri Mar 31 19:14:13.586113 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]   File "/opt/privacyidea/lib/python3.10/site-packages/pymysql/connections.py", line 692, in _read_packet
[Fri Mar 31 19:14:13.586144 2023] [wsgi:error] [pid 43781:tid 139995924543040] [remote XXX.XXX.XXX.XXX:50083]     packet_header = self._read_bytes(4)

and so on.

If I wanted to replicate the automatic installation process, which script or command sequence would I use?

Thanks for any help
Claudio

OK, I solved it: the Ansible template and copy module default permissions were wrong on the enckey and on the audit private and public keys.

Now it seems to work.

Thanks anyway
Claudio

I saw there are two pi variables

PI_NODE and PI_NODES

I filled them in for each privacyidea server with

PI_NODE='fqdn server'

while

PI_NODES=['fqdn server1', 'fqdn server2']

so I was expecting to see these two privacyidea nodes under the policy's privacyidea node selector, but nothing; I always see only localhost.

So my question is: what are they used for?

Thanks for any answer
Claudio

Solved: after an Apache restart the nodes are now listed.

I have a question,

in the audit log I would expect to see in the privacyidea server column the privacyidea node (so I know from which privacyidea node a user has been authenticated or has enrolled a new token and so on); instead I see the name of the "common name" webserver.

What I mean is: if my "common name" webserver is
privacyidea.example.org (this is the Load Balancer IP) and my privacyidea nodes are
privacyidea1.example.com and privacyidea2.example.org,
I would expect to see privacyidea1 or privacyidea2.example.com in the audit log depending on which privacyidea node I'm on (it is decided by the Load Balancer); instead I always see privacyidea.example.com.

Is it a bug? Or do I need to specify

PI_AUDIT_SERVERNAME

From what I read, it would be the same as PI_NODE if PI_AUDIT_SERVERNAME is not specified.

Let me know
Claudio

OK, I fixed it by setting PI_AUDIT_SERVERNAME to the privacyidea PI_NODE value, and now the privacyidea node name appears in the audit log instead of the "common name" webserver.

I suspect this is a bug.

I filed it here: privacyidea server in the audit log is wrong on privacyidea HA scenario · Issue #3589 · privacyidea/privacyidea · GitHub
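Two things in this thread bit the poster on each HA node: key files deployed by Ansible with the wrong permission bits, and a pi.cfg where PI_AUDIT_SERVERNAME was left unset so the audit log recorded the load balancer's name instead of the node. The following script is an added example, not code from the thread or from the privacyIDEA project; it builds a throwaway look-alike of /etc/privacyidea (with a constructed pi.cfg and placeholder key files, one of them deliberately too permissive), loads pi.cfg the way Flask does (it is plain Python), and reports both classes of problem before Apache is restarted. The expected mode for enckey (0600) and the placeholder host names are assumptions; the other modes are the ones the poster ended up with.

```python
import os
import stat
import tempfile
from pathlib import Path

# Expected permission bits. pi.cfg and public.pem world-readable (0644) and
# private.pem owner-only (0600) are the values from the thread; treating the
# enckey like the private key (0600) is an assumption.
EXPECTED_MODES = {
    "pi.cfg": 0o644,
    "public.pem": 0o644,
    "private.pem": 0o600,
    "enckey": 0o600,
}

# Constructed sample pi.cfg for one HA node (host names are placeholders).
# PI_AUDIT_SERVERNAME is intentionally missing, as in the original setup.
SAMPLE_PI_CFG = """
import logging
SQLALCHEMY_DATABASE_URI = 'mysql+pymysql://pi:SECRET@percona.example.invalid/privacyidea'
PI_ENCFILE = '/etc/privacyidea/enckey'
PI_AUDIT_KEY_PRIVATE = '/etc/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/etc/privacyidea/public.pem'
PI_NODE = 'privacyidea1.example.com'
PI_NODES = ['privacyidea1.example.com', 'privacyidea2.example.com']
PI_LOGLEVEL = logging.INFO
"""


def load_pi_cfg(path):
    """pi.cfg is Python: execute it in a fresh namespace and keep only the
    upper-case names, which is how Flask's from_pyfile() treats it."""
    ns = {}
    exec(compile(Path(path).read_text(), str(path), "exec"), ns)
    return {k: v for k, v in ns.items() if k.isupper()}


def check_ha_settings(cfg):
    """Return a list of problems with the node-related settings of one node."""
    problems = []
    node = cfg.get("PI_NODE")
    nodes = cfg.get("PI_NODES", [])
    if not node:
        problems.append("PI_NODE is not set")
    elif node not in nodes:
        problems.append(f"PI_NODE {node!r} is not listed in PI_NODES")
    if len(nodes) < 2:
        problems.append("PI_NODES lists fewer than two nodes; not an HA layout")
    if "PI_AUDIT_SERVERNAME" not in cfg:
        # The thread's fix: set it explicitly to the PI_NODE value so the audit
        # log names the node rather than the load balancer's common name.
        problems.append("PI_AUDIT_SERVERNAME is unset; set it to the PI_NODE value")
    elif cfg["PI_AUDIT_SERVERNAME"] != node:
        problems.append("PI_AUDIT_SERVERNAME differs from PI_NODE")
    if not str(cfg.get("SQLALCHEMY_DATABASE_URI", "")).startswith("mysql"):
        problems.append("SQLALCHEMY_DATABASE_URI does not point at a MySQL-compatible cluster")
    return problems


def check_file_modes(confdir):
    """Return {name: (actual_mode, expected_mode)} for files whose permission
    bits deviate from EXPECTED_MODES; a missing file is reported with None."""
    bad = {}
    for name, expected in EXPECTED_MODES.items():
        p = Path(confdir) / name
        if not p.exists():
            bad[name] = (None, expected)
            continue
        actual = stat.S_IMODE(p.stat().st_mode)
        if actual != expected:
            bad[name] = (actual, expected)
    return bad


def audit_confdir(confdir):
    """Run both checks against a configuration directory."""
    cfg = load_pi_cfg(Path(confdir) / "pi.cfg")
    return check_ha_settings(cfg), check_file_modes(confdir)


def build_demo_confdir():
    """Create a temporary /etc/privacyidea look-alike with placeholder key
    material; the enckey is left at 0644 to mimic a too-permissive default."""
    d = tempfile.mkdtemp(prefix="pi-ha-")
    (Path(d) / "pi.cfg").write_text(SAMPLE_PI_CFG)
    for name in ("public.pem", "private.pem", "enckey"):
        (Path(d) / name).write_bytes(b"placeholder key material\n")
    os.chmod(Path(d) / "pi.cfg", 0o644)
    os.chmod(Path(d) / "public.pem", 0o644)
    os.chmod(Path(d) / "private.pem", 0o600)
    os.chmod(Path(d) / "enckey", 0o644)  # deliberately wrong
    return d


if __name__ == "__main__":
    problems, bad_modes = audit_confdir(build_demo_confdir())
    for p in problems:
        print("config:", p)
    for name, (actual, expected) in bad_modes.items():
        shown = oct(actual) if actual is not None else "missing"
        print(f"mode: {name} is {shown}, expected {oct(expected)}")
```

Run it as root against the real directory by replacing build_demo_confdir() with "/etc/privacyidea" on each node; since every node must carry identical key material, the same mode expectations apply to all of them.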