Banana Pi R64 router - Debian, Wireguard, RKN

The Banana Pi R64 is a single-board computer similar to the Raspberry Pi, but with several Ethernet ports, which makes it possible to turn it into a router based on a general-purpose Linux distribution.


Yes, there is already OpenWrt, but it has its own problems, its own GUI and CLI; there is Mikrotik, but it also has its own GUI/CLI, and Wireguard does not work out of the box... In general, I want a router with flexible settings that still stays within the standard Linux you work with all the time.

In this article, by the names BPI, R64 and single-board I will mean the same thing: the Banana Pi R64 single-board computer itself.

Choosing an image. Booting from eMMC

The first skill you need to acquire when working with SBCs in general, and with the R64 in particular, is how to load an operating system onto it and how to interact with it, because the R64 has no port for a display (HDMI, for example). When everything falls over (Wifi, Ethernet, Bluetooth, USB and so on stop working), there is still UART, through which you can always see what went wrong and, if necessary, run a couple of commands from the console.

The procedure for connecting to the R64 via USB-UART:

  • run to the electronics shop for a USB-UART cable (PL2303, Serial-to-USB)
  • connect one end, USB, to the computer and the other, UART, to the R64, using three of the four wires, as in the photo below.
  • run sudo minicom in a terminal

After that, in most cases the single-board's console appears = success.
You can find more details here.


Next, the simplest way is to boot the OS from an SD card: download the image from the link and write it out:

unzip -p 2019-08-23-ubuntu-16.04-lite-preview-bpi-r64-sd-emmc.img.zip | pv | sudo dd of=/dev/mmcblk0 bs=10M status=noxfer

Insert the card into the R64's SD slot, power it on, and watch the built-in u-boot bootloader load first, followed by the standard Linux boot.

Another boot option uses the 64Gb flash already built into the R64, called eMMC. Following the instructions in the wiki, we copy the image to the device
/dev/mmcblk0 on the BPI, reboot, remove the SD card, power the BPI on and... it doesn't work. Don't bother flipping the Boot select switch back and forth either.

The thing is that, at least on the BPI, you need to set a special flag to be able to boot from the internal flash:

root@bpi-r64:~# ./mmc extcsd read /dev/mmcblk1 | grep 'PARTITION_CONFIG'
Boot configuration bytes [PARTITION_CONFIG: 0x00]
root@bpi-r64:~# ./mmc bootpart enable 1 1 /dev/mmcblk1
root@bpi-r64:~# ./mmc extcsd read /dev/mmcblk1 | grep 'PARTITION_CONFIG'
Boot configuration bytes [PARTITION_CONFIG: 0x48]

Next, you need to write the preloader into a special boot partition:

root@bpi-r64:~# echo 0 > /sys/block/mmcblk0boot0/force_ro 
root@bpi-r64:~# dd if=preloader_evb7622_64_foremmc.bin of=/dev/mmcblk0boot0
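As an added example (not from the article or the mmc-utils project), a small POSIX shell helper that decodes the PARTITION_CONFIG byte shown above (bits 5:3 select the boot partition, bit 6 is the boot ack, so 0x48 means "boot1 + ack"), re-runs the mmc-utils steps only when the flag is not already set, and re-locks force_ro after writing the preloader. It assumes mmc-utils is on PATH and that the device paths are the ones from the article.

```shell
#!/bin/sh
# Added example, not from the original article. Decodes the eMMC
# PARTITION_CONFIG byte (EXT_CSD 179) so you can confirm what
# `mmc bootpart enable 1 1` changed, and wraps the boot-enable and
# preloader steps so they are safe to re-run. Assumes mmc-utils.

# decode_partition_config 0x48  ->  "ack=1 boot=boot1"
decode_partition_config() {
    cfg=$(( $1 ))                 # arithmetic accepts 0x.. literals
    ack=$(( (cfg >> 6) & 1 ))     # bit 6: BOOT_ACK
    sel=$(( (cfg >> 3) & 7 ))     # bits 5:3: BOOT_PARTITION_ENABLE
    case $sel in
        0) name=none ;;
        1) name=boot1 ;;
        2) name=boot2 ;;
        7) name=user ;;
        *) name=reserved ;;
    esac
    printf 'ack=%d boot=%s\n' "$ack" "$name"
}

# Pull the hex value out of `mmc extcsd read` output given on stdin.
parse_partition_config() {
    sed -n 's/.*PARTITION_CONFIG: \(0x[0-9A-Fa-f]*\)].*/\1/p'
}

# enable_boot1 /dev/mmcblk1: set boot partition 1 + ack only if unset.
enable_boot1() {
    dev=$1
    cur=$(mmc extcsd read "$dev" | parse_partition_config)
    if [ "$(decode_partition_config "$cur")" = "ack=1 boot=boot1" ]; then
        echo "$dev: already $cur, nothing to do"
        return 0
    fi
    mmc bootpart enable 1 1 "$dev"
    decode_partition_config "$(mmc extcsd read "$dev" | parse_partition_config)"
}

# write_preloader FILE: unlock boot0, write, then lock it again so a
# later stray dd cannot clobber the preloader (re-locking is this
# example's addition; the article leaves the partition writable).
write_preloader() {
    echo 0 > /sys/block/mmcblk0boot0/force_ro
    dd if="$1" of=/dev/mmcblk0boot0 && sync
    echo 1 > /sys/block/mmcblk0boot0/force_ro
}
```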

The R64 manufacturer (China) published this binary here. What it does is unknown (there is no source code), but nothing works without it.

In general, after that the images started booting from eMMC. If you want to dig into it and build images from scratch, then in both cases (SD/eMMC) you need to write several more files (the SD card preloader, ATF, u-boot) just to get the kernel loaded. This area is still evolving, but for us the main thing is that it works, and that's fine.

Now that I have booting from eMMC working, frankly, I don't use it; the SD card is enough. But I spent a lot of time getting it to work, so let it stay in the article.

Choosing an OS. Armbian

The first application task was bringing up a VPN, naturally Wireguard. It immediately turned out that on the kernel side it was not built in and there were no headers. I rebuilt the kernel and, out of habit from x86, built the kernel module with DKMS. However, the build speed of even small utilities on arm64 was an unpleasant surprise. Then another kernel module was needed, and so on. In the end it turned out that everything kernel-related is better built on a warm x86 laptop and then moved to the R64 by a simple copy, reboot and test.

User space is another matter. If you choose Debian, everything for the arm64 architecture is already on packages.debian.org and nothing needs to be rebuilt.

So as not to reinvent the wheel, I ported Armbian to the BPI R64.
Or rather, this: the user-space part is Armbian, and the kernel is taken from Frank-A's repository. The latest image can be downloaded here.

All development of the R64 software side happens on the forum. Generally speaking, the manufacturer itself is focused on developing the router for OpenWrt, but thanks to the work of the developer Frank from Germany, all the good stuff quickly ends up in the kernel for Debian. Surprisingly, Frank is active in every forum thread.

Organizing the workspace: wires

Separately, I want to tell you how, during development/testing, to place an SBC (not only a BPI) on the desk so that you don't have to run an Ethernet cable to it from the Internet source across the whole room/office. The thing is, on the one hand you need to give the device Internet, but on the other hand everything on that device can break, Wifi first of all.

At first I decided to buy a cheap USB-Wifi "dongle", plug it into the only USB port on the BPI and forget about wires. For that I bought an inexpensive TP-LINK TL-WN725N USB 2.0, but it soon became clear that it wouldn't fly: for the dongle to work you need a kernel driver, which of course isn't there (I later built the required RTL8XXXU driver, but it is still useless). And for a while the Ethernet cable spoiled the look of the room.

In the end I managed to get rid of the cable with the help of a Tenda MW3 (Wifi mesh system): I simply put one cube under the desk and connected the BPI to its last LAN port with a one-meter Ethernet cable. Success.

Wireguard, RKN, Bird

One of the things I want to use the Banana Pi for is unhindered access to sites blocked by RKN, in particular so that Telegram calls and Slack work. Articles on this topic have already been published on Habr: one, two, three.

I deployed exactly this solution using Ansible: link.

The VPS is assumed to be running Ubuntu 18.04. I verified that it works with two hosting providers in Europe: Amazon and Digital Ocean.

So, we install the Armbian described above on the R64; it is reachable via ssh under the name hm-bananapi-1 and has Internet access. We deploy the Ansible scripts, i.e. the automation, and run the installation itself on the R64:

# dependencies for Debian-based distributions
$ sudo apt install --no-install-recommends python3-pip python3-setuptools python3-wheel git
$ which pip3
/usr/bin/pip3

# ansible with pybook, scripting in Python
$ pip3 install https://github.com/muravjov/ansible/archive/ansible-2.10.0.dev0-pybook2019.tar.gz

$ export PATH=~/.local/bin:$PATH
$ which ansible-playbook
/home/sa/.local/bin/ansible-playbook

$ git clone https://github.com/muravjov/ansible-bpi-r64.git
$ cd ansible-bpi-r64

$ git submodule update --init

# make sure hm-bananapi-1 is reachable
$ ssh hm-bananapi-1 which python3
/usr/bin/python3

# the installation itself
$ ansible-playbook ./router.py -l hm-bananapi-1

Next, you need to deploy our VPN to the VPS like this:

ansible-playbook ./router.py -l current-vpn

Here the argument is always current-vpn, and the real name of the VPS is set in a variable (in this case paris-vpn-aws-t2-micro-1):

$ grep current_vpn group_vars/all 
current_vpn: paris-vpn-aws-t2-micro-1
#current_vpn: frankfurt-vpn-d0-starter-1

Yes, before all these steps you need to create the secrets (in particular the Wireguard keys) in the ./secrets folder; the directory should look like this.

Ansible automation in Python

You may have noticed that instead of being in YAML format, the ansible tasks are written in Python scripts. For comparison, here is how to start the bird daemon in the usual way:

- name: start bird
  systemd:
    name: bird
    state: started
    enabled: yes

and how to do the same via Python:

with mapping:
    append("name", "start bird")
    with mapping("systemd"):
        append("name",  "bird")
        append("state", "started")
        append("enabled", "yes")

Writing ansible tasks in Python lets you reuse code and, in general, opens up all the possibilities of a general-purpose language. For example, installing bird on the R64 and on the VPS:

install_bird("router/bird.conf.j2")
install_bird("vpn/bird.conf.j2")

see the code of the install_bird() function.

This feature, called pybook, is implemented here. There is no documentation for pybook yet, but I will fix that later.

What others think about it at the moment.

Monitoring. Prometheus

Bottom line: telegram works, linkedin and pornhub too, and overall the user experience is fine. But anything can break, including Chinese hardware.

Kernel updates can also be interesting: for example, I wanted to update the kernel 5.4 => 5.6, since Wireguard is there out of the box and no patches are needed... On 5.4 the kernel came up, the tunnel to the VPS pinged, but bird could not connect, failing with "BGP Error"... "Rolled back in horror" (c) to 5.6; the migration to 5.4 was postponed to the TODO.

Therefore, in addition to installing the router and the VPS, I added monitoring (on x86 Ubuntu 18.04), installed on a separate host, with the following components:

  • prometheus, alertmanager, blackbox_exporter - all in docker
  • alerts are sent to a telegram channel using the metalmatze/alertmanager-bot bot - also in docker.
  • tor for the bot, so that the bot can report the situation when there is Internet but telegram still does not work and the bot itself cannot connect.
  • application alerts: NodeVPNTroubles (no ping to the VPS), BirdVPNTroubles (no Bird session), AntifilterDownloadTroubles (error downloading the blocked IP addresses), SiteTroubles (the unfortunate telegram is unavailable)
  • system alerts, for example HostGrowingDiskReadLatency (a cheap SD card becoming unreadable)

Example of installing the monitoring:

ansible-playbook ./monitoring.py -l monitoring-preprod

Auto-discovery for Prometheus is configured in the /etc/prometheus/auto_http folder; for example, here is how a host is added to monitoring (hosts are not monitored by default):

bash << 'EOF'
HOSTNAME=hm-bananapi-1
IP_ADDRESS=`ssh -G $HOSTNAME | awk '/^hostname / { print $2 }'`

ssh monitoring-preprod sudo sponge /etc/prometheus/auto_http/$HOSTNAME.json << EOF2
[
  {
    "targets": ["$IP_ADDRESS:9100"],
    "labels": {
      "env": "prod",
      "hostname": "$HOSTNAME"
    }
  }
]
EOF2
EOF

TODO: 2 providers, 2 BPIs, anycast failover

On top of everything else, I plan to connect two providers so that the Internet keeps working even if a provider has network problems, or someone forgot to pay the Internet bill, and so on, and other human factors.

The best user experience on the topic of Multi-wan is described here for the Mwan3 system under OpenWrt. That solution is rich in functionality, but setting up and operating it for general Multi-wan is quite a hassle. Just one example: if you arrive at some sites from two IP addresses at once, they may not like it and stop working => "the Internet doesn't work".

Given this experience, I decided that multihoming is not a priority yet, just failover. Although it seems that in recent Linux versions everything should work with a single command like:

ip route add default \
    nexthop via 192.168.1.1 weight 10 \
    nexthop via 192.168.2.1 weight 5

So, to avoid a single point of failure, we take 2 BPIs, connect each to one provider, connect them to each other and set up dynamic routing between them via bird/OSPF.

Then we announce the same IP address from each of them whenever the service is available (Internet, DNS). That is, we don't set the default route ourselves, but via bird. I peeked at the solution here.

This project has not been implemented yet; the coronavirus played a dirty trick here (not everything has arrived from Aliexpress; another online shop, Layta, promised delivery within a week, but more than a month has passed; the second provider did not manage to run the cable before the quarantine and only got as far as drilling a hole in the wall for it).

How to order the R64

The board itself is in the official SinoVoip shop.
It is also worth ordering right away:

  • a power supply + specify the EU or US plug standard
  • cooling: heatsinks/fans, since both the CPU and the power chip get hot
  • a wifi antenna, for example

There is a nuance: the delivery price in the official shop has been odd for some time. Manager Judy Huang assured me there was no mistake and that you could choose ePacket for $5, but I saw that for Russia there was only EMS for > $33. Unpleasant, but not critical. Moreover, if you choose any other country for delivery (I went through all the continents), delivery comes to ~$5. Russophobes?.. But then I found out that for France the delivery price is also ~$30, and I calmed down.

As a result, Judy suggested placing the order without paying for it (hint: keep little money on the card so it is not charged automatically); write to her and she will lower the delivery price. Success.

Issues

Not everything works perfectly yet.

Performance

Ansible=Python tasks run slowly, even no-op ones, 20-30 seconds; an order of magnitude longer than on an x86 laptop. Moreover, at first they run quickly, ~3 seconds, and then slow down sharply. This may be due to CPU heating (throttling). Go code also takes a long time to run:

# fetching metrics for prometheus from node_exporter, written in Go
$ time curl -s http://172.30.1.1:9100/metrics > /dev/null

real    0m6,118s
user    0m0,005s
sys     0m0,009s

# however the temperature is 51 degrees, not that much
sa@bananapir64:~$ cat /sys/devices/virtual/thermal/thermal_zone0/temp
51700

Wifi

Wifi works, but on Armbian it stops after about a day, logging:

sa@bananapir64:~$ dmesg | grep -E 'mt7622_wmac.*timeout'
[470303.802539] mt7622_wmac 18000000.wmac: Message 38 (seq 3) timeout
[470314.042508] mt7622_wmac 18000000.wmac: Message 50 (seq 4) timeout
...

Only a reboot helps. Need to keep debugging.

Ethernet

Ethernet works, but after ~64 hours packets (DHCP) from the R64 stop arriving.
Restarting the interface helps:

ifdown br0; sleep 30; ifup br0

The driver is new and has not yet been accepted into the kernel; I hope Landen Chao from China will finish it.

source: www.habr.com
