26. 03. 2020 Alessandro Valentini NetEye

NetEye Voting-only Node

A common issue in cluster environment is the split brain condition. A split brain occurs when some nodes of the cluster are not able to communicate properly, but instead continue to work like two separate, distinct clusters leading to data or service inconsistency. To prevent this situation a common solution is to introduce the concept of a quorum: only the portion of the cluster which includes half+1 of the nodes can continue to work, while the other portion ceases operating, thus avoiding inconsistencies.

A NetEye cluster requires at least three nodes in order to guarantee resiliency against outages and to avoid downtime during maintenance. In a three nodes installation, the quorum is set to 2 and therefore it is possible to lose one node while still guaranteeing data integrity and NetEye availability.

NetEye clusters involve three main technologies:

  • DRBD provides clustered storage which synchronizes data between nodes, and mounts the partition on the node where the service is running
  • PCS is responsible for running services and moving them between nodes when necessary
  • Elasticsearch provides its own cluster solution and does not rely on PCS and DRBD technologies

Customers often consider three-node installations too expensive for several reasons:

  • Storage costs: all three nodes need to have the same amount of storage to synchronize DRBD resources and Elasticsearch data
  • RAM and CPU: all three nodes may run the same services and therefore they must have same computational power
  • License costs: it requires three full NetEye licenses

A voting-only node is a NetEye node which circumvents the limitations above. This type of node is a standard NetEye machine with several modifications aimed at reducing resource usage and therefore costs. As the name implies, the only purpose of a voting-only node is to provide a quorum for DRBD, PCS and Elasticsearch:

  • DRBD is set up in diskless mode: data are not synchronized on the voting-only node and minimum disk space is required.
  • The machine is configured as a PCS quorum device. A quorum device can join a PCS cluster providing quorum but the node cannot run resources.
  • Elasticsearch is configured as a voting-only master-eligible node: data will not be synchronized, machine-learning jobs cannot be run on it, and data will not be ingested. Elasticsearch is required only in NetEye SIEM clusters.

A voting-only node may run on a virtual machine with 4 vCPU, 8GB RAM and 60GB storage, thus reducing costs in comparison with a physical machine while maintaining cluster reliability.

Note that Elasticsearch as a voting-only master-eligible node is not available with the OSS license.

Alessandro Valentini

Alessandro Valentini

DevOps Engineer at Wuerth Phoenix
DevOps Engineer at Würth Phoenix

Author

Alessandro Valentini

DevOps Engineer at Würth Phoenix

Latest posts by Alessandro Valentini

16. 12. 2024 Development, DevOps
NetEye and RHUI Repositories
26. 07. 2024 DevOps
Bonding Configuration While Adding an OpenShift Node
14. 06. 2024 DevOps, NetEye
Automating the Full NetEye Release Procedure
24. 05. 2024 DevOps
OpenShift: How to Check and Reset Ceph Storage in Warning State
01. 12. 2023 Development, DevOps
How to Install Matomo on OpenShift
See All

Related Content

Tags: , ,

23. 12. 2024 APM, Development, Log-SIEM, NetEye

Continuous Profiling with NetEye – Elastic Universal Profiling

Elastic 8.16, which comes with NetEye 4.39, made Elastic Universal Profiling generally available for self-hosted installations. This means that NetEye SIEM installations will now be able to take advantage of the continuous profiling solution by Elastic. In this blogpost we'll Read More
20. 12. 2024 Atlassian, NetEye, Service Management

Managing Alerts with JSM: Focus on Incident Management (Part 2)

In the first part of this series, we explored how Jira Service Management (JSM) helps streamline Incident Management, aligning with ITIL v4 best practices. Incident Management aims to restore normal service operation as quickly as possible after a disruption, ensuring Read More
20. 12. 2024 Automation, Development, NetEye

When Less is More: NetEye Update and Upgrade Checkpoints

Hello everyone! Today, I'd like to briefly discuss an improvement to the update and upgrade procedures that we've started to adopt with NetEye 4.39! What we wanted to improve One aspect that made quite an impact was that whenever the Read More
19. 12. 2024 Automation, Development, NetEye

NetEye Install and Upgrades: Moving to a Parallel Architecture

Hello everyone! Today, I’d like to share an exciting improvement we’ve made to the installation and upgrade procedures in NetEye, introducing a faster and more efficient parallel architecture! Why Modernize the Installation and Upgrade Processes? At Würth Phoenix, we strive Read More
12. 12. 2024 Log Management, Log-SIEM

Sample osquery Investigations for a Security Incident

Note: This description of a security analyst's daily routine is fictitious. However, the osquery examples have been tested and can therefore be used as a template for your own research. 1. Alarm Detection Today started with a high-severity alarm from our Read More

Leave a Reply

Your email address will not be published. Required fields are marked *

Search by technology

Contact

Contact us
Serviceportal

Archive