What do you do if one server's capacity is not enough to process all requests, and the software vendor does not provide load balancing? There are many options, from buying a load balancer to limiting the number of requests. Which one is right has to be decided case by case, taking the existing conditions into account. In this article we describe what you can do if your budget is limited and you have a spare server.
As the system in which the load on one of the servers had to be reduced, we chose the DLP (data leak prevention) system from InfoWatch. A distinctive feature of the implementation was placing the balancer function on one of the "production" servers.
One of the problems we ran into was the inability to use Source NAT (SNAT). Why this was needed and how the problem was solved is explained below.
So, the logical diagram of the existing system initially looked like this:
ICAP traffic, SMTP and events from user computers were processed on the Traffic Monitor (TM) server. The database server easily coped with the load after events had been processed on the TM, but the load on the TM itself was heavy. This was evident from the message queue building up on the Device Monitor (DM) server, and from the CPU and memory load on the TM.
At first glance, if we add another TM server to this scheme, either ICAP or DM could be moved to it, but we decided not to use this approach, since it reduces fault tolerance.
Description of the solution
While searching for a suitable solution, we settled on freely distributed software
What we wanted to achieve (reducing the load on the TM while keeping the current level of fault tolerance) was supposed to work according to the following scheme:
When checking the functionality, it turned out that the custom RedHat build installed on the servers does not support SNAT. In our case we had planned to use SNAT to make sure that incoming packets and the responses to them are sent from the same IP address; otherwise we would get the following picture:
This is unacceptable. For example, a proxy server that has sent packets to the Virtual IP (VIP) address will expect the response from the VIP, but in this case it will come from IP2 for sessions sent to the backup. A solution was found: create one more routing table on the backup and connect the two TM servers with a separate network, as shown below:
Configuration
We will implement a scheme of two servers with the ICAP, SMTP and TCP 9100 services and a load balancer installed on one of them.
We have two RHEL6 servers from which the standard repositories and some packages have been removed.
Services that we need to balance:
• ICAP – tcp 1344;
• SMTP – tcp 25.
Service for delivering traffic from the DM – tcp 9100.
First, we need to plan the network.
Virtual IP address (VIP):
• IP: 10.20.20.105.
Server TM6_1:
• External IP: 10.20.20.101;
• Internal IP: 192.168.1.101.
Server TM6_2:
• External IP: 10.20.20.102;
• Internal IP: 192.168.1.102.
Then we enable IP forwarding on both TM servers. How to do this on RedHat has been described
We decide which of the servers will be the master and which will be the backup. Let the master be TM6_1 and the backup be TM6_2.
On the backup we create a new routing table, balancer, and the routing rules:
[root@tm6_2 ~]# echo 101 balancer >> /etc/iproute2/rt_tables
[root@tm6_2 ~]# ip rule add from 192.168.1.102 table balancer
[root@tm6_2 ~]# ip route add default via 192.168.1.101 table balancer
The commands above stay in effect until the system is rebooted. To make sure the routes are kept after a reboot, you can put them in /etc/rc.d/rc.local, but it is better to use the configuration file /etc/sysconfig/network-scripts/route-eth1 (note: a different syntax is used there).
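One way to make the table, rule and route above survive a reboot, as an added example that is not part of the original article. On RHEL 6 the network scripts pass each line of route-eth1 to `ip route add` and each line of rule-eth1 to `ip rule add`, so the files hold only the arguments; the function names and the optional root-directory argument (for a dry run in a scratch directory) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: persist the backup node's (TM6_2) policy routing.
# Addresses and the table id are the article's; ensure_line,
# persist_balancer_routes and the root-directory argument are hypothetical.
TABLE_ID=101
TABLE_NAME=balancer
BACKUP_INTERNAL_IP=192.168.1.102   # TM6_2 internal address
MASTER_INTERNAL_IP=192.168.1.101   # TM6_1 internal address, used as gateway
INTERNAL_IF=eth1                   # interface implied by route-eth1

# Append line "$2" to file "$1" unless it is already there verbatim.
# A plain 'echo >>' adds a duplicate every time the step is repeated,
# and overwriting the file would drop routes that are already defined.
ensure_line() {
    touch "$1" && { grep -qxF -- "$2" "$1" || echo "$2" >> "$1"; }
}

persist_balancer_routes() {
    root="${1:-}"                  # empty = live system, else a scratch dir
    rt_tables="$root/etc/iproute2/rt_tables"
    scripts="$root/etc/sysconfig/network-scripts"
    mkdir -p "$(dirname "$rt_tables")" "$scripts" || return 1

    # Name the table once.
    ensure_line "$rt_tables" "$TABLE_ID $TABLE_NAME" || return 1
    # rule-<if>: arguments of 'ip rule add', one rule per line.
    ensure_line "$scripts/rule-$INTERNAL_IF" \
        "from $BACKUP_INTERNAL_IP table $TABLE_NAME" || return 1
    # route-<if>: arguments of 'ip route add', one route per line.
    ensure_line "$scripts/route-$INTERNAL_IF" \
        "default via $MASTER_INTERNAL_IP table $TABLE_NAME" || return 1
}
```

Calling `persist_balancer_routes /tmp/preview` writes the three files under a scratch directory for inspection; calling it without an argument as root on TM6_2 writes them in place.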
Install keepalived on both TM servers. We used rpmfind.net as the source of the package:
[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/keepalived-1.2.13-5.el6_6.x86_64.rpm
In the keepalived settings we designate one of the servers as the master and the other as the backup. Then we set the VIP and the services to be load-balanced. The configuration file is usually located here: /etc/keepalived/keepalived.conf.
Settings for the TM1 server
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    lvs_sync_daemon_inteface eth0
    virtual_router_id 51
    priority 151
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}
virtual_server 10.20.20.105 1344 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
virtual_server 10.20.20.105 25 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
virtual_server 10.20.20.105 9100 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
Settings for the TM2 server
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    lvs_sync_daemon_inteface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}
We install LVS, which will balance the traffic, on the master. It makes no sense to install a balancer on the second server, since we have only two servers in the configuration.
[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/ipvsadm-1.26-4.el6.x86_64.rpm
The balancer will be managed by keepalived, which we have already configured.
To complete the picture, let's add keepalived to autostart on both servers:
[root@tm6_1 ~]# chkconfig keepalived on
Conclusion
Checking the result
Let's start keepalived on both servers:
service keepalived start
Checking the availability of the VRRP virtual address
Let's make sure that the VIP is on the master:
And that there is no VIP on the backup:
Using the ping command, we check that the VIP is reachable:
Now you can shut down the master and run the ping command again.
The result should stay the same, and on the backup we will see the VIP:
Checking service balancing
Take SMTP as an example. Let's open two connections to 10.20.20.105 at the same time:
telnet 10.20.20.105 25
On the master we should see that both connections are active and are attached to different servers:
[root@tm6_1 ~]# watch ipvsadm -Ln
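The same check as a script rather than by eye, as an added example that is not from the original article: keepalived drops a real server from the LVS table when its TCP_CHECK fails, so a monitoring job can confirm that both TM servers are still in the pool of each virtual service. The helper name check_pool and the sample table are assumptions; the sample is constructed in the layout `ipvsadm -Ln` prints, not captured from the article's servers.

```shell
#!/bin/sh
# Added example: verify that every expected real server is present in the
# LVS pool of one virtual service. check_pool is a hypothetical helper.
# usage: ipvsadm -Ln | check_pool VIP:PORT REAL:PORT [REAL:PORT ...]
# Prints one status line per expected real server and returns 1 if any
# of them is missing from the table or carries weight 0.
check_pool() {
    vs="$1"; shift
    awk -v vs="$vs" -v want="$*" '
        BEGIN { n = split(want, expect, " ") }
        # A virtual-service header opens a new section of the table.
        $1 ~ /^(TCP|UDP|FWM)$/ { in_vs = ($2 == vs); next }
        # Real-server rows: -> addr:port Forward Weight ActiveConn InActConn
        in_vs && $1 == "->" && $2 ~ /^[0-9]/ {
            weight[$2] = $4; active[$2] = $5
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                rs = expect[i]
                if (!(rs in weight))      { print rs, "MISSING"; bad = 1 }
                else if (weight[rs] == 0) { print rs, "WEIGHT0"; bad = 1 }
                else print rs, "OK", "active=" active[rs]
            }
            exit bad
        }'
}

# Constructed sample: two SMTP sessions, one per real server, and an ICAP
# service from which 192.168.1.102 has been removed by a failed check.
sample_ipvsadm() {
cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.20.20.105:25 wrr
  -> 192.168.1.101:25             Masq    1      1          0
  -> 192.168.1.102:25             Masq    1      1          0
TCP  10.20.20.105:1344 wrr
  -> 192.168.1.101:1344           Masq    1      0          0
EOF
}
```

On the master, pipe the live table in: `ipvsadm -Ln | check_pool 10.20.20.105:25 192.168.1.101:25 192.168.1.102:25`.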
Thus, we implemented a fault-tolerant configuration of the TM services by installing a balancer on one of the TM servers. For our system this halved the load on the TM, which made it possible to solve the problem of the lack of scaling by means of the system itself.
In most cases this solution is implemented quickly and at no additional cost, but sometimes there are a number of limitations and difficulties in the configuration, for example when balancing UDP traffic.
source: www.habr.com