CEEMS Load Balancer
Basic Usage
The CEEMS load balancer can be started with its core and web configuration files as follows:
ceems_lb --config.file=/path/to/core/config/file --web.config.file=/path/to/web/config/file
This will start the CEEMS load balancer at the default port 9030
, listening on all interfaces.
To change the default port and host, the --web.listen-address
CLI argument must be passed to
the binary:
ceems_lb --web.listen-address="localhost:8030"
All available command-line options are listed in the CEEMS LB CLI documentation.
The CEEMS LB supports both TSDB and Pyroscope backends and starts a load balancing server
for each of TSDB and Pyroscope when both backends are configured. To control the
address of each instance of CEEMS LB, --web.listen-address
can be repeated. The first
configured address will be used for TSDB and the second one for Pyroscope. For example, when
the CEEMS LB is launched as follows:
ceems_lb --web.listen-address="localhost:7030" --web.listen-address=":10030"
the TSDB load balancer will be reachable at localhost:7030
while the Pyroscope load
balancer will be available at localhost:10030
.
Access Control
The CEEMS load balancer is capable of providing basic access control for TSDB using the CEEMS API server. For this to work, the CEEMS load balancer configuration file must include configuration related to the CEEMS API server as discussed in the Configuration section. If the CEEMS load balancer has access to the data directory of the CEEMS API server, the load balancer will query the database directly to enforce access control.
If the data directory of the CEEMS API server is not accessible to the CEEMS load balancer, it is possible to configure the client configuration of the CEEMS API server in the CEEMS load balancer, and the load balancer will make API requests to the API server to determine the ownership details of a given compute unit before enforcing access control.
As described in the CEEMS API Server documentation, Grafana must be configured to send the user header in the requests to the data source for access control to work.
Using with Grafana
As discussed in the CEEMS Load Balancer section, it is possible for a single instance of the CEEMS load balancer to support multiple clusters at the same time. Let's take a sample CEEMS load balancer configuration file as follows:
ceems_lb:
strategy: round-robin
backends:
- id: slurm-one
tsdb_urls:
- http://slurm-one-tsdb-one:9090
- http://slurm-one-tsdb-two:9090
- id: slurm-two
tsdb_urls:
- http://slurm-two-tsdb-one:9090
- http://slurm-two-tsdb-two:9090
ceems_api_server:
data:
path: /var/lib/ceems
It is clear from the configuration that there are two different SLURM clusters, namely slurm-one
and slurm-two
. Each cluster has its own dedicated set of TSDB instances.
Conventionally, operators configure two different data sources on Grafana, one for each cluster. In the current case, the frontend load balancer of both clusters is the CEEMS load balancer, and it is a single instance. Then the question arises: How do we target the correct cluster when configuring the data source?
This is done using a custom header. When configuring the data source for cluster
slurm-one
, a custom header X-Ceems-Cluster-Id
must be configured to slurm-one
,
and a similar configuration must be done for slurm-two
. The CEEMS load balancer will look up
this custom header and load balance the traffic between the TSDB instances
of the correct target cluster.
Even if there is only one cluster, it is necessary to add the custom header to the TSDB Grafana data source configuration.
Thus, the difference in configuring the Prometheus data source on Grafana compared to vanilla Prometheus TSDB and CEEMS load balancer is the addition of this custom header in the data source configuration.
Admin Users
The CEEMS load balancer supports admin users with privileged access to TSDB. Users that are configured as admin users in the CEEMS API server will have admin privileges in the CEEMS load balancer as well. The CEEMS load balancer will allow admin users to query data of any compute unit. It is not possible to have admin privileges on the CEEMS load balancer without having admin privileges on the CEEMS API server.