[Bro] bro cluster in containers

Azoff, Justin S jazoff at illinois.edu
Thu May 31 14:35:25 PDT 2018


> On May 31, 2018, at 2:06 PM, Poore, Jeffrey S <jeffrey.s.poore at bankofamerica.com> wrote:
> 
> Has anyone implemented a bro cluster in containers?

I've been meaning to try to build this out using k8s, just haven't had time.

> The reason I ask is that we are looking to build a cluster on top of Mesos / DC/OS so that we can have high availability as we are processing tons of traffic, and it is just easier to deploy things on top of it if we do it in containers.

To really be useful you also need to automate the configuration of the tapagg layer.

> I understand how to do most of it, but the configuration so that the cluster master knows about all the other instances is kind of my sticking point.

Right now it would break because of how this is written:

event Cluster::hello(name: string, id: string) &priority=10
    {
    if ( name !in nodes )
        {
        Reporter::error(fmt("Got Cluster::hello msg from unexpected node: %s", name));
        return;
        }

    local n = nodes[name];

    if ( n?$id )
        {
        if ( n$id != id )
            Reporter::error(fmt("Got Cluster::hello msg from duplicate node:%s",
                                name));
        }
    else
        event Cluster::node_up(name, id);

    n$id = id;
    Cluster::log(fmt("got hello from %s (%s)", name, id));

    if ( n$node_type == WORKER )
        {
        add active_worker_ids[id];
        worker_count = |active_worker_ids|;
        }
    }

but I'm sure you could have a variation of that function that doesn't care if the node is unexpected.


> Is there a way to utilize a tool like zookeeper so that it can dynamically manage the instances in case one of them crashes and then gets spun up on a different host?

k8s and mesos should just do that for you, but what environment are you running in where that would be useful?

The deployment I was thinking of would involve a k8s operator to manage the Arista, so as a cluster is created or scaled up and down it would automatically manage the tool port etherchannel groups for me. Without that it wouldn't be useful at all.

-- 
Justin Azoff



