HA Docker Swarm Setup for Tomcat with Keepalived + Traefik

This guide provides a step-by-step implementation for a highly available Tomcat cluster in Docker Swarm, using Keepalived for VIP failover and Traefik for load balancing and SSL termination. It includes session replication and health checks.
1. Prerequisites
3+ nodes (1 manager minimum, 3 recommended for HA).
Static IPs for nodes.
Domain name (e.g., tomcat.yourdomain.com) pointing to the VIP.
2. Install Keepalived & Docker
2.1. On All Manager Nodes
# Ubuntu/Debian
sudo apt update && sudo apt install -y keepalived docker.io
# CentOS/RHEL
sudo yum install -y keepalived docker-ce
sudo systemctl enable --now docker
2.2. Enable Non-Local VIP Binding
Add to /etc/sysctl.conf:
echo "net.ipv4.ip_nonlocal_bind = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
3. Configure Keepalived VIP
3.1. Master Node (/etc/keepalived/keepalived.conf)
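# Define the check before the vrrp_instance that references it.
vrrp_script chk_traefik {
    script "/etc/keepalived/healthcheck.sh"
    interval 2
    weight 50
}
vrrp_instance VI_1 {
    state MASTER
    interface ens192 # Replace with your network interface
    virtual_router_id 51
    priority 255
    advert_int 1
    authentication {
        auth_type PASS
        # Must be identical on all nodes. Keepalived uses only the first
        # 8 characters, and PASS authentication is sent in cleartext.
        auth_pass your_secure_password
    }
    virtual_ipaddress {
        192.168.0.99/24 # Shared VIP
    }
    track_script {
        chk_traefik
    }
}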
3.2. Backup Nodes
Use the same config but set:
state BACKUP
priority 254 # Lower priority for backups
3.3. Health Check Script
Create /etc/keepalived/healthcheck.sh to validate Traefik:
#!/bin/bash
if curl -s http://127.0.0.1:8080/ping | grep -q "OK"; then
    exit 0
else
    exit 1
fi
Make executable:
sudo chmod +x /etc/keepalived/healthcheck.sh
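Keepalived executes the health check script on every interval, and keepalived.conf contains auth_pass, so both files should be owned by root and closed to other users. The check below is an added example, not part of the original guide; the function names and the 0600/0755 limits are assumptions chosen for illustration, and it assumes GNU stat (Linux).

```bash
# Added example: audit ownership and modes of the files Keepalived trusts.
# Usage on a node (as root):
#   audit_keepalived /etc/keepalived/keepalived.conf /etc/keepalived/healthcheck.sh

# mode_ok FILE MAX_MODE UID
# Succeeds only if FILE exists, is owned by UID, and carries no permission
# bits beyond MAX_MODE (octal). Findings are written to stderr.
mode_ok() {
    local file=$1 max=$2 uid=$3 mode owner
    [ -f "$file" ] || { echo "MISSING $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%u' "$file")
    if [ "$owner" != "$uid" ]; then
        echo "OWNER   $file belongs to uid $owner, expected $uid" >&2
        return 1
    fi
    # Any bit present in the file mode but absent from the limit is excess.
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "MODE    $file is $mode, must not exceed $max" >&2
        return 1
    fi
}

# audit_keepalived CONF SCRIPT [UID]
# CONF holds auth_pass: readable and writable by the owner only (0600).
# SCRIPT is executed by keepalived: writable by the owner only (0755).
# UID defaults to 0 (root). Returns 0 when every check passes.
audit_keepalived() {
    local conf=$1 script=$2 uid=${3:-0} rc=0
    mode_ok "$conf" 600 "$uid" || rc=1
    mode_ok "$script" 755 "$uid" || rc=1
    # A script without the execute bit can never pass the track_script check.
    [ -x "$script" ] || { echo "NOEXEC  $script" >&2; rc=1; }
    return $rc
}
```

Keepalived's own enable_script_security option in global_defs refuses to run root scripts whose path is writable by a non-root user; this check is a complement that can be run from configuration management before a reload.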
4. Deploy Traefik with Docker Swarm
4.1. Create Overlay Network
docker network create --driver=overlay traefik-public
4.2. Deploy Traefik Stack (traefik-stack.yml)
version: "3.9"
services:
  traefik:
    image: traefik:v2.10
    command:
      - "--providers.docker.swarmMode=true"
      - "--providers.docker.exposedByDefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Enables /ping on the internal :8080 entrypoint, used by the Keepalived health check
      - "--ping=true"
      - "--certificatesresolvers.letsencrypt.acme.email=admin@yourdomain.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpChallenge.entrypoint=web"
    deploy:
      mode: global # Deploy on all manager nodes
      placement:
        constraints:
          - node.role == manager
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080" # Dashboard/ping entrypoint; restrict access with a firewall
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "traefik-certificates:/letsencrypt"
    networks:
      - traefik-public
volumes:
  traefik-certificates:
networks:
  traefik-public:
    external: true
Deploy:
docker stack deploy -c traefik-stack.yml traefik
5. Deploy Tomcat with Session Replication
5.1. Custom Tomcat Dockerfile
Create Dockerfile:
FROM tomcat:9.0-jdk11
COPY conf/server.xml /usr/local/tomcat/conf/server.xml
5.2. Deploy Tomcat Stack (tomcat-stack.yml)
version: "3.9"
services:
  tomcat:
    image: custom-tomcat:latest # Built from the Dockerfile above
    deploy:
      replicas: 3
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.tomcat.rule=Host(`tomcat.yourdomain.com`)"
        - "traefik.http.routers.tomcat.entrypoints=websecure"
        - "traefik.http.routers.tomcat.tls.certresolver=letsencrypt"
        # Swarm gives Traefik no port information, so the backend port must be set explicitly
        - "traefik.http.services.tomcat.loadbalancer.server.port=8080"
    environment:
      - DNS_MEMBERSHIP_SERVICE_NAME=tomcat-cluster
    networks:
      - traefik-public
networks:
  traefik-public:
    external: true
Deploy:
docker stack deploy -c tomcat-stack.yml tomcat
6. Verify Setup
6.1. Test HTTPS Access
curl -I https://tomcat.yourdomain.com
6.2. Check Session Replication
- Access https://tomcat.yourdomain.com in a browser.
- Log in or perform an action to create a session.
- Stop one Tomcat replica:
docker service scale tomcat_tomcat=2
- Refresh the page – the session should persist.
6.3. Simulate Node Failure
Stop Docker on the master node:
sudo systemctl stop docker
Verify VIP migrates to a backup node:
ip addr show dev ens192 | grep "192.168.0.99"
Troubleshooting
- Session not replicating: Ensure server.xml clustering config matches across replicas.
- VIP not failing over: Check Keepalived logs (journalctl -u keepalived).
- Traefik not routing: Verify service labels and overlay network.
This setup ensures high availability for Tomcat applications with automatic SSL, load balancing, and session replication.