ProHoster > Блог > Gudanarwa > Ƙwallon Ƙwallon Ƙwallon Ƙwallon Ƙwararru

Ƙwallon Ƙwallon Ƙwallon Ƙwallon Ƙwararru

Ba zai zama kuskure ba a ce mafi kyawun maza
sami farin ciki ta wurin wahala.
Ludwig van Beethoven

Ƙwallon Ƙwallon Ƙwallon Ƙwallon Ƙwararru

Ni Sergey, Ina aiki a Yandex.Money a cikin ƙungiyar bincike na wasan kwaikwayo. Ina so in gaya muku farkon labarin game da hanyarmu ta amfani da ƙungiyar makaɗa - yadda muka zaɓi kayan kida da abin da muka la'akari. Duk abubuwan da suka faru daga labarin suna faruwa a ainihin lokacin, don haka ku, masu karatu masu ƙauna, kuna bin ci gaban yanayin kusan rayuwa.

Me yasa muke buƙatar madugu a ƙungiyarmu?

Wanene madugu? Daga fr. diriger - don sarrafa, kai tsaye, jagoranci - a cikin duniyar kiɗa - wannan mutum ne wanda shine jagoran ilmantarwa da wasan kwaikwayo na tarin kiɗa. A cikin yanayinmu, wannan wurin yana mamaye tsarin kade-kade da tsarin sarrafa kansa.

Matsayinsu bai bambanta da matsayin madugu a cikin kiɗa ba - ana buƙatar su don taimakawa ƙungiyar, jagora da tsara wasanta.

A matsayinka na mai mulki, ƙungiya tana da ƙayyadaddun damar aiki-bari mu kira su sabobin-wanda suke aiwatar da ayyukan su.

Hanyar samun da sarrafa waɗannan sabar ta bambanta. Misalai kaɗan:

  • Ƙungiyar ta yi buƙata, alal misali, zuwa ƙungiyar ayyuka, don samar musu da albarkatu tare da wasu sigogi.
  • Ƙungiyar ayyukan tana ba su adadin da ake buƙata - gajimare ko ƙarfe mara ƙarfi - kuma suna ɗaukar nauyin kula da su cikin yanayin da ya dace bisa ga SLA. Ƙungiyoyin ayyuka kuma suna aiwatar da saitin.
  • Ƙungiyar tana karɓar gajimare ko albarkatun ƙarfe maras tushe daga ƙungiyar ayyuka, kuma tana daidaita shi da kanta.
  • Ƙungiyar da kanta tana "sayan" albarkatun kuma tana kula da / saita su gaba ɗaya.

Ƙungiyarmu tana amfani da sabobin da ke buƙatar tallafi - sabunta OS, shigar da sabbin fakiti, da sauransu.

A gare mu, mun raba su zuwa manyan nau'i biyu:

  • kungiyar tanka,
  • ƙungiyar sabis.

Ƙungiyar tanki ta ƙunshi runduna tare da Yandex.Tank.

Ƙungiyar sabis ɗin ta haɗa da duk abin da ke da alaƙa da kiyayewa - waɗannan ayyuka ne daban-daban don ba da tallafi don sake zagayowar saki, samar da rahotanni na atomatik, da dai sauransu.

A wani lokaci, duk wannan ya zama rashin jin daɗi don sarrafawa da hannu, kuma mun yi tunani game da sarrafa kayan aiki gaba ɗaya, farawa daga sabobin "loading" da ƙarewa tare da haɓakawa, saki da ƙaddamar da sabis na ciki.

Me yasa ake buƙatar madugu, ko da ƙungiyar makaɗa da kanta za ta iya yin wasa?

Da farko, mun ƙware mai yiwuwa kuma muka fara “zuba” sabbin sabar ƙarfe ɗin mu don mu rage dogaro ga masu gudanar da tsarin - kowa ya sami nasara a nan, muna samun sabbin ƙwarewa da sauƙaƙe masu gudanar da wasu ayyukan waɗanda koyaushe suna da isasshen ba tare da mu ba. . Muna ƙoƙari don haɓaka fiye da ƙwarewarmu da yancin kai gwargwadon iko.

A cikin kamfani, an daidaita aiki tare da Ansible kuma an tsara shi na dogon lokaci, don haka cikin sauƙin haɗa maganin mu cikin wannan tsari.

A halin yanzu, wurin tafki ya ƙunshi ayyuka masu yiwuwa guda uku:

  • rawar farko ta shigar da OS,
  • na biyu yana gudanar da saitunan asali don mai watsa shiri, izini LDAP, misali,
  • kuma na uku yana shigar da Yandex.Tank da abubuwan dogaro a cikin akwati na docker.

Bari mu ci gaba zuwa ayyukan da muke amfani da su a cikin ƙungiyar.

Don ayyukanmu, muna amfani da Kotlin da Python daidai, da ɗan ƙaramin Golang. Don haɓaka haɓakawa da tura ayyukanmu, mun yanke shawarar tattara su a cikin kwantena na Docker. Wannan yana ba ku 'yancin zaɓin yaren shirye-shirye kuma a lokaci guda yana daidaita tsarin isarwa iri ɗaya don aikace-aikacenku.

Ƙananan bayanin kula game da iPV6 a cikin Docker

Wasu ayyukan da muke hulɗa da su suna samuwa ta hanyar ipv6 kawai, don haka dole ne mu gano yadda ake yin ipv6 don kwantena.

Dangane da takaddun ipv6 akan gidan yanar gizon Docker na hukuma, ana kunna ipv6 ta ƙara sigogi zuwa daemon.json:

{
  "ipv6": true,
  "fixed-cidr-v6": "2001:db8:1::/64"
}

A wannan yanayin, dole ne mai bada sabis ya ba da ipv6 subnet, wanda zaku yi rajista a ciki fixed-cidr-v6.
Koyaya, mun zaɓi wani zaɓi - ipv6 NAT, kuma ga dalilin:

  • Yanzu docker ba zai iya amfani ba kawai tare da iPV6.
  • Samun adireshi mai daidaitawa na duniya a cikin kowane akwati yana nufin cewa duk tashar jiragen ruwa (har ma waɗanda ba a buga ba) ana fallasa su ga kowa da kowa sai dai idan an ƙara tacewa.
  • mai amfani da wakili don buga tashar jiragen ruwa, iptables kawai don ipv4.

IPv6 NAT da kwandon docker, wanda kanta ke sarrafa dokoki a cikin ip6tables kuma yana gyara su lokacin ƙara sabon akwati.

Domin wannan maganin ya yi aiki daidai, ya zama dole a yi wasu magudi. Tabbatar farawa ip6table_nat akan tsarin. Kasancewar na'urar da aka sanya akan tsarin baya bada garantin cewa za'a loda tsarin a cikin kernel a farawa. Mun ci karo da wannan lokacin da muka sami wannan kuskure yayin gudanar da akwati tare da NAT akan sabon masauki:

2019/01/22 14:59:54 running [/sbin/ip6tables -t filter -N DOCKER --wait]: exit status 3: modprobe: can't change directory to '/lib/modules': No such file or directory
ip6tables v1.6.2: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)

An warware matsalar bayan ƙara farawa zuwa rawar da za a iya amfani da ita ta amfani da tsarin modprobe da loda shi a farawa OS ta amfani da lineinfile:

- name: Add ip6table_nat module
 modprobe:
   name: ip6table_nat
   state: present
- name: Add ip6table_nat to boot
 lineinfile:
   path: /etc/modules
   line: 'ip6table_nat'

Af, akwai mai kyau a kan cibiya labarin, wanda a takaice kuma a bayyane yake bayyana fa'ida da rashin amfani daya ko wata hanya don gudanar da iPV6 a cikin docker.

Amma mu koma ga tambayar da aka yi mana tun farko:
Me yasa ake buƙatar madugu, ko da ƙungiyar makaɗa da kanta za ta iya yin wasa?

Yanzu kowa yana tunanin yadda za mu yi wasa a ƙungiyarmu:

  • an ƙirƙiri tsarin sabar “zuba”,
  • haɓakawa da ƙaddamar da ayyuka sun haɗu.

Tambaya mai ma'ana ta taso: yadda ake turawa, sabuntawa, da sarrafa ayyukanmu a cikin kwantena na Docker da inganci kuma ta atomatik kamar yadda zai yiwu?

Duk da cewa kowane memba na ƙungiyar makaɗa ya san ɓangarensa, yana iya yin rudani kuma ya kauce wa ainihin ra'ayin. Anan mun kai ga ƙarshe cewa idan babu madugu ƙungiyar makaɗar mu ba za ta sake yin nazari da kyau da kuma wasa tare ba. Mai gudanarwa yana da alhakin duk sigogi na aikin, yana tabbatar da cewa komai yana haɗuwa da lokaci guda da yanayi.

Yadda za a sami shugaba mai kyau tare da ƙaramin jari?

Taken ƙungiyar kade-kade ya bunƙasa sosai a kasuwa. Amma da farko, bari mu yi magana game da kayan aikin taimako waɗanda za su iya taimaka wa mai gudanarwa.

Karamin - tsarin da ke ba da manyan ayyuka guda biyu:

  • gano sabis,
  • ma'ajiyar ƙimar maɓalli mai rarraba.

A cikin ƙungiyar makaɗar mu, Consul ne zai ɗauki alhakin yin rijistar sabis da adana tsarin su. Akwai zaɓuɓɓukan rajista guda biyu:

  • Mai aiki shine lokacin da sabis ɗin yayi rijista da kansa ta amfani da HTTP API;
  • M - dole ne a yi rajistar sabis ɗin da hannu.

Vault wurin ajiya ne wanda ke daidaitawa da haɓaka amintaccen ma'ajiya da sarrafa sirrin - kalmomin shiga, takaddun shaida.
Ga fa'idodin da za mu samu ta amfani da wannan kayan aikin:

  • Cibiya guda ɗaya don ƙirƙira da adana sirri da sarrafa tsarin rayuwarsu ta amfani da HTTP API.
  • Injin Sirri na Transit - ɓoyewa da ɓoye bayanan ba tare da adana shi ba. Ikon aika bayanai cikin rufaffen tsari akan hanyoyin sadarwa marasa tsaro.
  • Manufofin isa ga waɗanda suke da sauƙin daidaitawa.
  • Audit na samun sirrin sirri.
  • Ikon ƙirƙirar CA naku (Hukumar Takaddun shaida) don gudanar da takaddun sa hannu a cikin kayan aikin ku.

Idan aka yi la'akari da duk abubuwan da muke buƙata, zaɓuɓɓuka biyu sun dace da matsayin jagora - Kubernetes da Nomad.

Kubernetes

An riga an rubuta labarai da littattafai nawa game da shi (a nan irin wannan, alal misali), akwai rahotanni da zan rubuta a taƙaice - wannan mai girbi ne na duniya wanda zai iya yin kusan komai. Farashin wannan shine kafawa da kiyaye gungu akan Kubernetes ba koyaushe bane mai sauƙi.

Nomad

Kayan aiki daga HashiCorp, wani kamfani da aka sani da consul da vault da aka ambata a sama.

Mun sami Nomad yana da sauƙin shigarwa da daidaitawa fiye da Kubernetes. Fayil ɗin binary ɗaya yana aiki a duka uwar garken da yanayin abokin ciniki. A lokaci guda, Nomad ya ƙunshi duk jerin ayyukan da muke son warwarewa: sarrafa tari, mai tsara saurin sauri, tallafin multidatacenter. Bugu da ƙari, lokacin amfani da ofishin jakadanci da vault, muna samun ƙarin haɗin kai don tsara ayyukanmu.

Abin da ke gudana a halin yanzu:

  • shirye-shiryen sabobin don tura Consul,
  • Za a shigar da tsarin cluster nomad a cikin Consul, tare da taimakon wanda za a tura makiyaya ta atomatik,
  • A layi daya, za mu shigar da vault don adana sirri.

Tambaya ga masu sauraro: shin yana da daraja hayar madugu don irin waɗannan ayyuka ko ƙungiyar makaɗa tana yin kyau ba tare da shi ba? Faɗa mana a cikin sharhin menene ra'ayin ku game da wannan.

Biyan kuɗi zuwa shafinmu kuma ku kasance tare da mu - ba da daɗewa ba za mu gaya muku abin da ya faru a ƙarshe da kuma ko mun tsara ƙungiyar nomad yadda muke so.

Zo mu ji dadi hira ta telegram, Inda za ku iya ko da yaushe neman shawara, taimaka abokan aiki da kuma kawai hira game da yawan aiki bincike da sauransu.

source: www.habr.com

Sayi amintaccen masauki don shafuka tare da kariyar DDoS, sabar VPS VDS 🔥 Sayi ingantaccen masaukin yanar gizo tare da kariyar DDoS, sabar VPS VDS | ProHoster