Ba da dadewa ba na fuskanci wani sabon aikin da ba a saba gani ba na kafa hanyar tafiya don MetalLB. Komai zai yi kyau, saboda... Yawancin lokaci MetalLB ba ya buƙatar ƙarin ayyuka, amma a cikin yanayinmu muna da babban gungu mai ƙayyadaddun tsari mai sauƙi na hanyar sadarwa.
A cikin wannan labarin zan gaya muku yadda ake saita tushen tushen tushe da tushen manufofin don hanyar sadarwar waje na tarin ku.
Ba zan yi cikakken bayani game da shigarwa da daidaitawa MetalLB ba, tunda na ɗauka kun riga kun sami gogewa. Ina ba da shawarar a tafi kai tsaye zuwa ga ma'ana, wato kafa hanyar zirga-zirga. Don haka muna da shari'o'i hudu:
Hali 1: Lokacin da ba a buƙatar saiti
Bari mu dubi wani lamari mai sauƙi.
Ba a buƙatar ƙarin saitin hanyar zirga-zirga lokacin da adiresoshin da MetalLB suka bayar suna cikin rukunin yanar gizo iri ɗaya da adiresoshin nodes ɗin ku.
Misali, kuna da subnet 192.168.1.0/24, yana da na'ura mai ba da hanya tsakanin hanyoyin sadarwa 192.168.1.1, kuma nodes ɗin ku suna karɓar adireshi: 192.168.1.10-30, to don MetalLB zaka iya daidaita kewayon 192.168.1.100-120 kuma tabbatar da cewa za su yi aiki ba tare da wani ƙarin tsari ba.
Me yasa haka? Saboda nodes ɗinku sun riga sun tsara hanyoyin:
# ip route
default via 192.168.1.1 dev eth0 onlink
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10Kuma adiresoshin daga kewayon iri ɗaya za su sake amfani da su ba tare da ƙarin ayyuka ba.
Hali na 2: Lokacin da ake buƙatar ƙarin keɓancewa
Ya kamata ku saita ƙarin hanyoyi a duk lokacin da nodes ɗinku ba su da ingantaccen adireshin IP ko hanya zuwa rukunin yanar gizo wanda MetalLB ke ba da adireshin.
Zan yi bayani dalla-dalla. Duk lokacin da MetalLB ya fitar da adireshi, ana iya kwatanta shi da aiki mai sauƙi kamar:
ip addr add 10.9.8.7/32 dev loKula da:
- a) An sanya adireshin tare da prefix
/32wato, ba za a ƙara wata hanya kai tsaye zuwa gidan yanar gizon ta ba (adireshi ne kawai) - b) Adireshin yana haɗe zuwa kowane ƙirar kumburi (misali loopback). Yana da daraja ambaton anan fasalulluka na tarin hanyar sadarwar Linux. Ko da wane nau'in haɗin da kuka ƙara adireshin zuwa, kernel koyaushe zai aiwatar da buƙatun arp kuma ya aika da martani ga kowane ɗayansu, ana ɗaukar wannan ɗabi'ar daidai kuma, haka ma, ana amfani da shi sosai a cikin irin wannan yanayi mai ƙarfi kamar Kubernetes.
Ana iya daidaita wannan ɗabi'a, alal misali ta hanyar ba da ƙarfi mai ƙarfi:
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announceA wannan yanayin, za a aika da martanin arp ne kawai idan mahaɗin yana ƙunshe da takamaiman adireshin IP. Ana buƙatar wannan saitin idan kuna shirin amfani da MetalLB kuma kube-proxy ɗinku yana gudana a yanayin IPVS.
Koyaya, MetalLB baya amfani da kernel don aiwatar da buƙatun arp, amma yana yin shi da kansa a cikin sarari mai amfani, don haka wannan zaɓin ba zai shafi aikin MetalLB ba.
Mu koma kan aikinmu. Idan hanyar adiresoshin da aka bayar ba su wanzu akan nodes ɗinku, ƙara ta gaba zuwa duk nodes:
ip route add 10.9.8.0/24 dev eth1Shari'a ta 3: Lokacin da kuke buƙatar tuƙin tushen tushen
Kuna buƙatar saita hanyar tuntuɓar tushe lokacin da kuka karɓi fakiti ta hanyar ƙofa ta daban, ba wacce aka saita ta hanyar tsohuwa ba, don haka fakitin amsa ya kamata su bi ta kofa ɗaya.
Misali, kuna da subnet iri ɗaya 192.168.1.0/24 sadaukar da nodes ɗin ku, amma kuna son fitar da adiresoshin waje ta amfani da MetalLB. Bari mu ɗauka cewa kuna da adireshi da yawa daga rukunin yanar gizo 1.2.3.0/24 yana cikin VLAN 100 kuma kuna son amfani da su don samun damar ayyukan Kubernetes a waje.
Lokacin tuntuɓar 1.2.3.4 za ku yi buƙatu daga wani gidan yanar gizo na daban fiye da 1.2.3.0/24 kuma jira amsa. Kumburi wanda a halin yanzu shine jagoran adireshin da MetalLB ya fitar 1.2.3.4, zai karɓi fakitin daga na'ura mai ba da hanya tsakanin hanyoyin sadarwa 1.2.3.1, amma amsar a gare shi dole ne ya bi hanya guda, ta hanyar 1.2.3.1.
Tunda kumburinmu ya riga yana da ingantaccen ƙofa 192.168.1.1, to ta hanyar tsohuwa amsa za ta je masa, ba zuwa ba 1.2.3.1, ta inda muka karbi kunshin.
Yadda za a bi da wannan yanayin?
A wannan yanayin, kuna buƙatar shirya duk nodes ɗinku ta hanyar da suke shirye don yin hidimar adiresoshin waje ba tare da ƙarin tsari ba. Wato, don misalin da ke sama, kuna buƙatar ƙirƙirar ƙirar VLAN akan kumburi a gaba:
ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 upSannan ƙara hanyoyi:
ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100Da fatan za a lura cewa muna ƙara hanyoyi zuwa tebur na daban 100 zai ƙunshi hanyoyi biyu ne kawai waɗanda suka wajaba don aika fakitin amsa ta hanyar ƙofar 1.2.3.1, located a bayan dubawa eth0.100.
Yanzu muna buƙatar ƙara ƙa'ida mai sauƙi:
ip rule add from 1.2.3.0/24 lookup 100wanda a bayyane yake cewa: idan adireshin tushen fakitin yana ciki 1.2.3.0/24, to kuna buƙatar amfani da tebur mai tuƙi 100. A ciki mun riga mun bayyana hanyar da za ta tura shi 1.2.3.1
Case na 4: Lokacin da kuke buƙatar tsarin tushen siyasa
Cibiyar sadarwa topology iri ɗaya ce da a cikin misali na baya, amma bari mu ce kuna son samun damar shiga adiresoshin tafkin waje. 1.2.3.0/24 daga kwas ɗin ku:
Babban mahimmancin shine lokacin shiga kowane adireshi a ciki 1.2.3.0/24, fakitin amsa ya buga kumburi kuma yana da adireshin tushe a cikin kewayon 1.2.3.0/24 za a aika da biyayya ga eth0.100, amma muna son Kubernetes ya tura shi zuwa kwaf ɗin mu na farko, wanda ya haifar da buƙatun asali.
Magance wannan matsala ya zama mai wahala, amma ya zama mai yiwuwa godiya ga tsarin da ya dogara da manufofin:
Don ƙarin fahimtar tsarin, ga netfilter toshe zane:
Don farawa, kamar yadda yake a cikin misalin da ya gabata, bari mu ƙirƙiri ƙarin tebur mai tuƙi:
ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100Yanzu bari mu ƙara wasu 'yan dokoki zuwa iptables:
iptables -t mangle -A PREROUTING -i eth0.100 -j CONNMARK --set-mark 0x100
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --save-markWaɗannan ƙa'idodin za su yi alamar haɗin haɗin gwiwa mai shigowa zuwa dubawa eth0.100, yiwa duk fakiti alama tare da alamar 0x100, martanin da ke cikin haɗin kai ɗaya kuma za a yi masa alama da alama iri ɗaya.
Yanzu za mu iya ƙara ƙa'idar hanya:
ip rule add from 1.2.3.0/24 fwmark 0x100 lookup 100Wato duk fakiti masu adireshin tushe 1.2.3.0/24 da tag 0x100 dole ne a rinjayi ta amfani da tebur 100.
Don haka, sauran fakitin da aka karɓa akan wani keɓancewa ba su ƙarƙashin wannan ka'ida, wanda zai ba da damar sarrafa su ta amfani da daidaitattun kayan aikin Kubernetes.
Akwai kuma wani abu guda, a cikin Linux akwai abin da ake kira reverse path filter, wanda ke lalatar da duka abu; yana yin bincike mai sauƙi: ga duk fakiti masu shigowa, yana canza adireshin tushen fakiti tare da adireshin mai aikawa kuma yana bincika ko fakitin na iya barin ta hanyar haɗin da aka karɓa akan shi, idan ba haka ba, zai tace shi.
Matsalar ita ce a cikin yanayinmu ba zai yi aiki daidai ba, amma za mu iya kashe shi:
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0.100/rp_filterLura cewa umarni na farko yana sarrafa halin duniya na rp_filter; idan ba a kashe shi ba, umarni na biyu ba zai yi tasiri ba. Koyaya, sauran hanyoyin sadarwa za su kasance tare da kunna rp_filter.
Don kada a iyakance aikin tacewa gaba ɗaya, zamu iya amfani da aiwatar da rp_filter don netfilter. Yin amfani da rpfilter azaman iptables module, zaku iya saita ƙa'idodi masu sassauƙa, misali:
iptables -t raw -A PREROUTING -i eth0.100 -d 1.2.3.0/24 -j RETURN
iptables -t raw -A PREROUTING -i eth0.100 -m rpfilter --invert -j DROPkunna rp_filter akan mahaɗin eth0.100 ga duk adireshi sai dai 1.2.3.0/24.
source: www.habr.com