Lokacin da Linux conntrack ba abokinka bane

Bibiyar haɗin kai ("conntrack") shine ainihin fasalin tarin sadarwar kwaya ta Linux. Yana ba kernel damar ci gaba da bin diddigin duk hanyoyin haɗin yanar gizo na ma'ana ko gudana kuma ta haka ne za a gano duk fakitin da ke tattare da kowace kwarara ta yadda za a iya sarrafa su tare a jere.

Conntrack shine muhimmin fasalin kernel wanda ake amfani dashi a wasu lokuta na asali:

• NAT ya dogara da bayanai daga conntrack don haka zai iya kula da duk fakiti daga rafi ɗaya daidai. Misali, lokacin da kwafsa ya shiga sabis na Kubernetes, kube-proxy load balancer yana amfani da NAT don jagorantar zirga-zirga zuwa takamaiman kwafsa a cikin tari. Conntrack ya rubuta cewa don haɗin da aka bayar, duk fakitin zuwa sabis na IP dole ne a aika su zuwa kwas ɗin guda ɗaya, kuma fakitin da kwaf ɗin baya ya dawo dole ne a mayar da su NAT zuwa kwaf ɗin da buƙatun ya fito.
• Wuraren bangon wuta na jaha kamar Calico sun dogara da bayanai daga hanyar haɗin kai zuwa jerin abubuwan da ke ba da amsa "amsa". Wannan yana ba ku damar rubuta manufofin hanyar sadarwa da ke cewa "ba da damar kwafsa ta haɗi zuwa kowane adireshin IP mai nisa" ba tare da rubuta wata manufa don ba da izinin zirga-zirgar amsa ba. (Ba tare da wannan ba, dole ne ku ƙara ƙarancin aminci "ba da izinin fakiti zuwa kwafsa daga kowace doka ta IP".)

Bugu da ƙari, conntrack yawanci yana haɓaka aikin tsarin (ta rage yawan amfani da CPU da latency) tunda fakitin farko a cikin rafi kawai.
dole ne ya bi ta cikin dukkan tarin cibiyar sadarwa don sanin abin da za a yi da shi. Duba post"Kwatanta hanyoyin kube-proxy"don ganin misalin yadda yake aiki.

Duk da haka, conntrack yana da iyakokinsa ...

To a ina aka yi duk ba daidai ba?

Teburin ma'amala yana da matsakaicin girman daidaitacce, kuma idan ya cika, yawanci ana fara ƙi ko watsi da haɗin gwiwa. Akwai isasshen sarari kyauta a cikin tebur don sarrafa zirga-zirgar yawancin aikace-aikacen, kuma wannan ba zai taɓa zama matsala ba. Duk da haka, akwai ƴan al'amuran da za ku so kuyi la'akari da yin amfani da tebur conntrack:

• Mafi bayyananniyar lamarin shine idan uwar garken naka tana ɗaukar adadi mai yawa na haɗin haɗin kai a lokaci guda. Misali, idan an saita tebur ɗin ku don shigarwar 128k, amma kuna da> 128k haɗin haɗin gwiwa, tabbas za ku shiga matsala!
• Halin da ba shi da ɗan ƙaranci: idan uwar garken ku yana aiwatar da babban adadin haɗin gwiwa a sakan daya. Ko da haɗin gwiwar ba su daɗe ba, Linux yana ci gaba da kula da su na ɗan lokaci (120s ta tsohuwa). Misali, idan an saita tebur ɗin ku don shigarwar 128k kuma kuna ƙoƙarin sarrafa haɗin 1100 a sakan daya, za su wuce girman tebur ɗin conntrack, ko da haɗin gwiwar ba su da ɗan gajeren lokaci (128k/120s = 1092 haɗin gwiwa/ s).

Akwai nau'ikan ƙa'idodi da yawa waɗanda suka faɗi cikin waɗannan nau'ikan. Bugu da ƙari, idan kuna da mugayen ƴan wasan kwaikwayo da yawa, za a iya amfani da cika tebirin conntrack na uwar garken ku tare da yawancin haɗin kai na rabin buɗewa a matsayin wani ɓangare na harin hana sabis (DOS). A lokuta biyu, conntrack na iya zama ƙayyadaddun ƙulli a cikin tsarin ku. A wasu lokuta, daidaita sigogin tebur na conntrack na iya isa don biyan buƙatunku - ta hanyar ƙara girman ko rage lokacin katsewa (amma idan kun yi kuskure, za ku shiga cikin matsala mai yawa). Don wasu lokuta zai zama dole a ƙetare hanya don mugun nufi.

Misali na gaske

Bari mu ba da takamaiman misali: babban mai ba da sabis na SaaS da muka yi aiki da shi yana da sabar sabar da yawa a kan runduna (ba injina ba), kowannensu yana sarrafa haɗin ɗan gajeren lokaci 50K+ a sakan daya.

Sun yi gwaji tare da tsarin daidaitawa, haɓaka girman tebur da rage lokacin bin diddigin, amma tsarin bai kasance abin dogaro ba, yawan amfani da RAM ya karu sosai, wanda shine matsala (a kan tsari na GBytes!), Kuma haɗin gwiwar sun kasance gajere har ma'amalar ba ta daɗe. ƙirƙira fa'idar aikinta na yau da kullun (rage yawan amfani da CPU ko latency fakiti).

Sun juya zuwa Calico a matsayin madadin. Manufofin cibiyar sadarwar Calico suna ba ku damar yin amfani da haɗin kai don wasu nau'ikan zirga-zirga (ta amfani da zaɓin manufar doNotTrack). Wannan ya ba su matakin aikin da suke buƙata, da ƙarin matakan tsaro da Calico ya samar.

Wane tsayin da za ku yi don wucewa ta hanyar sadarwa?

• Manufofin sadarwar kar-a-bi-bi-bi ya kamata gabaɗaya su kasance masu ma'ana. A cikin yanayin mai ba da SaaS: aikace-aikacen su sun gudana a cikin yankin da aka karewa don haka, ta amfani da manufofin cibiyar sadarwa, za su iya ba da izinin zirga-zirgar zirga-zirga daga wasu takamaiman aikace-aikacen da aka ba da izinin shiga cikin memcached.
• Manufar kada-waƙa ba ta la'akari da jagorancin haɗin gwiwa. Don haka, idan memcached uwar garken aka yi hacking, za ka iya a ka'idar ka yi kokarin haɗi zuwa kowane daga cikin memcached abokan ciniki, muddun yana amfani da daidai tushen tashar jiragen ruwa. Koyaya, idan kun fayyace ma'anar hanyar sadarwa daidai ga abokan cinikin ku da aka ɓoye, to waɗannan yunƙurin haɗin kai har yanzu za a ƙi su a gefen abokin ciniki.
• Ana amfani da manufar kada-waƙa akan kowane fakiti, sabanin manufofin al'ada, waɗanda ake amfani da su kawai ga fakitin farko a cikin kwarara. Wannan na iya ƙara yawan amfani da CPU a kowane fakiti saboda dole ne a yi amfani da manufofin don kowane fakiti. Amma don haɗin kai na ɗan gajeren lokaci, wannan kuɗin yana daidaitawa ta hanyar rage yawan amfani da albarkatu don sarrafa haɗin gwiwa. Misali, a cikin yanayin mai ba da SaaS, adadin fakiti don kowane haɗin kai ya kasance ƙanƙanta, don haka ƙarin amfani da CPU lokacin amfani da manufofin zuwa kowane fakiti ya cancanta.

Bari mu fara gwaji

Mun gudanar da gwajin a kan kwafsa guda tare da sabar da aka ɓoye da kuma rumbun kwamfutoci da yawa na abokin ciniki da ke gudana akan nodes masu nisa domin mu iya gudanar da babban adadin haɗin gwiwa a sakan daya. Sabar da ke da kwaf ɗin sabar uwar garke tana da muryoyi 8 da shigarwar 512k a cikin tebirin conntrack (daidaitaccen girman tebur na mai masaukin).
Mun auna bambancin aiki tsakanin: babu manufofin hanyar sadarwa; tare da manufofin Calico na yau da kullum; da Calico kada-waƙa manufofin.

Don gwajin farko, mun saita adadin haɗin kai zuwa 4.000 a cikin daƙiƙa guda, don haka za mu iya mai da hankali kan bambancin yawan amfani da CPU. Babu wani bambance-bambance masu mahimmanci tsakanin babu manufa da manufofin yau da kullun, amma kar a-ba-wa-ƙawa da karuwar yawan amfani da CPU da kusan 20%:

A gwaji na biyu, mun ƙaddamar da haɗin kai da yawa kamar yadda abokan cinikinmu za su iya ƙirƙira kuma mu auna matsakaicin adadin haɗin kai a cikin daƙiƙa guda wanda sabar mu da ke cike da keɓaɓɓu za ta iya ɗauka. Kamar yadda aka zata, shari'o'in "babu manufa" da "manufofin yau da kullun" duka sun kai iyakar haɗin gwiwa sama da 4,000 a sakan daya (512k/120s = 4,369 haɗi/s). Tare da manufar kada-waƙa, abokan cinikinmu sun aika da haɗin kai 60,000 a sakan daya ba tare da wata matsala ba. Mun tabbata za mu iya ƙara wannan lambar ta ƙara ƙarin abokan ciniki, amma muna jin waɗannan lambobin sun riga sun isa su kwatanta batun wannan labarin!

ƙarshe

Conntrack shine muhimmin fasalin kwaya. Yana yin aikinsa daidai. Ana amfani dashi sau da yawa ta hanyar mahimman abubuwan tsarin tsarin. Koyaya, a wasu takamaiman yanayi, cunkoson da aka samu saboda sabawa ya zarce fa'idodin da yake bayarwa. A cikin wannan yanayin, ana iya amfani da manufofin cibiyar sadarwar Calico don zaɓin musaki amfani da haɗin gwiwa yayin ƙara tsaro na cibiyar sadarwa. Ga duk sauran zirga-zirgar ababen hawa, haɗin gwiwa ya ci gaba da zama abokin ku!

Hakanan karanta wasu labarai akan shafinmu:

• Gina samfura masu ƙarfi don Nginx
• Gabatarwa zuwa Hashicorp Consul's Kubernetes izini
• Mahimman bayanai a cikin Kubernetes
• Ajiyayyen babban adadin ayyukan gidan yanar gizo daban-daban
• Telegram bot don Redmine. Yadda za a sauƙaƙa rayuwa don kanka da wasu

source: www.habr.com