A thriller about setting up servers without miracles, with Configuration Management

New Year is approaching. Children all over the country have already sent their letters to Santa Claus or made gifts for themselves, and the main fulfiller of their wishes, one of the large retailers, is getting ready for the apotheosis of sales. In December the load on its data center grows many times over. So the company decided to upgrade the data center and put several dozen new servers into operation in place of equipment that had reached the end of its service life. Here the fairy tale against a backdrop of swirling snowflakes ends, and the thriller begins.

The hardware arrived on site a few months before the sales peak. The operations team, of course, knows what to configure on a server and how, in order to bring it into production. But we wanted to automate this and remove the human factor. On top of that, the servers were being replaced right before the migration of the SAP systems that are critical to the company.

Commissioning the new servers was tied to a hard deadline. Moving it meant putting both the delivery of a million gifts and the migration of the systems at risk. Even a joint team of Father Frost and Santa Claus could not have moved the date: the SAP inventory management system can be migrated only once a year. From December 31 to January 1 the retailer's huge warehouses, with a total area of 20 football fields, stop working for 15 hours. And that is the only window for moving the system. There was no room for error in preparing the servers.

Let me make one thing clear: my story describes the tools and the configuration management process that our team uses.

The configuration management stack consists of several levels. The key element is the CMS (configuration management system). In industrial operation, the absence of any one of these levels would inevitably lead to unpleasant "miracles".

Managing the OS installation

The first level is a system that manages the installation of operating systems on physical and virtual servers. It produces a basic, uniform OS and removes the human factor from that step.

With this system we obtained standard server instances with an OS ready for further automation. During the "casting" they received a minimal set of local users and public SSH keys, plus an identical OS configuration. From that point we could be sure that the servers were manageable through the CMS and that there were no surprises "underneath", at the OS level.

The "maximum" task for an installation management system is to configure servers all the way from the BIOS/firmware level up to the OS. Much here depends on the hardware and on the configuration tasks at hand. For heterogeneous hardware it is worth looking at the Redfish API. If all the hardware comes from a single vendor, it is usually easier to use the vendor's ready-made management tools (for example, HP iLO Amplifier, Dell OpenManage, and so on).

To install the OS on physical servers we used the well-known Cobbler; the installation procedure was agreed with the operations team. When a new server is added to the infrastructure, the engineer binds the server's MAC address to the required profile in Cobbler. On its first network boot the server receives a temporary address and a fresh OS. It is then moved to its target VLAN/IP address and continues to operate there. Yes, switching VLANs takes time and requires coordination, but it gives extra protection against conflicts with servers already in production.

We create virtual servers from prepared templates using HashiCorp Packer. The reason is the same: to prevent human error while installing the OS. But, unlike with physical servers, Packer removes the need for PXE, network booting and VLAN switching. This made creating virtual servers simpler and easier.

Fig. 1. Managing the installation of operating systems.

Managing secrets

Every configuration management system contains data that must be hidden from ordinary users but is required to prepare systems: passwords for local users and service accounts, certificates, various API tokens, and so on. They are commonly called "secrets".

If you do not decide from the very beginning where and how secrets will be stored, then, depending on how strict the information security requirements are, the storage methods are likely to be the following:

  • directly in the configuration management code or in files in the repository;
  • in dedicated configuration management tooling (for example, Ansible Vault);
  • in CI/CD systems (Jenkins/TeamCity/GitLab/etc.) or in configuration management systems (Ansible Tower/Ansible AWX);
  • secrets may also be delivered "by hand": for example, they are placed in a special location and then picked up by the configuration management system;
  • various combinations of the above.

Each method has its drawbacks. The main one is the absence of access policies for secrets: it is impossible, or at least hard, to determine who can use a given secret. Another drawback is the lack of access auditing and of a complete lifecycle. How do you quickly replace, say, a key that is written into the code and lives on a number of systems?
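One cheap guard against the first storage method in the list above, secrets pasted straight into the repository, is a scanner that runs in CI before code review and fails the pipeline when a secret-bearing key holds a literal value. The script below is an added example written for this article, not the author's or Jet Infosystems' tooling. Its rules (which key names count as secret-bearing, which values count as placeholders) and both sample files are assumptions constructed for the example; it treats a value as safe when it is an Ansible Vault blob or a Jinja expression, such as a lookup into HashiCorp Vault, and flags everything else.

```python
"""Flag secrets committed in the clear in configuration-management code.

Added example for this article, not the author's tooling. The rules below
(which key names carry secrets, which values are placeholders) are assumptions
of the example; the two sample files are constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

SECRET_KEY = re.compile(
    r"^\s*(?:-\s+)?(?P<key>[\w.]*(?:password|passwd|secret|token|api_key|private_key)[\w.]*)"
    r"\s*:\s*(?P<value>\S.*?)\s*$",
    re.IGNORECASE,
)
PLACEHOLDERS = {"", "~", "null", "changeme", "change_me"}


def is_literal_secret(value: str) -> bool:
    """True when the value is a real secret written into the repository."""
    v = value.strip()
    if v.startswith("!vault") or "$ANSIBLE_VAULT;" in v:
        return False          # encrypted with Ansible Vault
    if "{{" in v and "}}" in v:
        return False          # variable or lookup, e.g. into HashiCorp Vault
    if v.strip("\"'").lower() in PLACEHOLDERS:
        return False          # empty or obvious placeholder
    return True


def scan_text(text: str, path: str = "<inline>") -> list[tuple[str, int, str]]:
    """Return (path, line number, key) for every hard-coded secret in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SECRET_KEY.match(line)
        if m and is_literal_secret(m.group("value")):
            findings.append((path, lineno, m.group("key")))
    return findings


def scan_tree(root: str) -> list[tuple[str, int, str]]:
    """Scan every YAML file under `root`; meant to run in CI before code review."""
    findings = []
    for p in sorted(Path(root).rglob("*.y*ml")):
        findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings


# Constructed group_vars/all.yml: one secret in the clear among safe forms.
SAMPLE_GROUP_VARS = """\
# constructed group_vars/all.yml
db_user: app
db_password: Sup3rS3cret!
api_token: "{{ lookup('community.hashi_vault.hashi_vault', 'secret=secret/data/app:token') }}"
ldap_bind_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          38393539333135363964616233373438
admin_password: ""
"""

# Constructed tasks file: a hash derived from a vaulted variable is fine,
# a hash pasted straight into the repository is not (the hash is made up).
SAMPLE_TASKS = """\
# constructed roles/db/tasks/users.yml
- name: Create application user
  ansible.builtin.user:
    name: app
    password: "{{ db_password | password_hash('sha512') }}"
- name: Create legacy service account
  ansible.builtin.user:
    name: svc_report
    password: $6$rounds=656000$abcdefgh$0123456789abcdef
"""

if __name__ == "__main__":
    import sys
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else (
        scan_text(SAMPLE_GROUP_VARS, "group_vars/all.yml")
        + scan_text(SAMPLE_TASKS, "roles/db/tasks/users.yml"))
    for path, lineno, key in hits:
        print(f"{path}:{lineno}: hard-coded secret under key '{key}'")
    sys.exit(1 if hits else 0)
```

Run it as `python scan_secrets.py path/to/repo` in the CI job that precedes review; a non-zero exit blocks the merge. The key-name list will produce false positives (a `password_file` path, for instance), which is the right trade-off for a gate that a reviewer can waive consciously, and it says nothing about secrets under unusual key names, so it complements rather than replaces moving secrets out of the repository.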

We use HashiCorp Vault as a centralized secret store. It lets us:

  • store secrets securely. They are encrypted at rest, so even someone who obtains the Vault storage backend (for example, by restoring a backup) cannot read the secrets in it, as long as the unseal key shares or the auto-unseal key do not leak along with it;
  • define access policies for secrets. Users and applications see only the secrets "assigned" to them;
  • audit access to secrets. Every operation on a secret is recorded in the Vault audit log;
  • organize a complete "lifecycle" for working with secrets. They can be created, revoked, given an expiry time, and so on;
  • integrate easily with other systems that need access to secrets;
  • and also use end-to-end encryption, one-time passwords for OS and database access, certificates issued by certificate authorities, and so on.

Now let us move on to the centralized authentication and authorization system. You can do without one, but managing users across many interconnected systems is far from trivial. We set up authentication and authorization through an LDAP service. Otherwise Vault would have to be configured continuously and would have to store credentials and tokens for every user, and adding or removing a user would turn into the quest "Did I create/delete this account everywhere?"

We added another level to our stack: secret management and centralized authentication/authorization:

Fig. 2. Secrets management.

Configuration management

We have reached the key element, the CMS itself. In our case it is a combination of Ansible and Red Hat Ansible AWX.

Instead of Ansible one could use Chef, Puppet or SaltStack. We chose Ansible for several reasons.

  • First, versatility. The set of ready-made modules for managing things is impressive, and if it is not enough, you can look on GitHub and Galaxy.
  • Second, there is no need to install and maintain agents on the managed equipment, to prove that they do not interfere with the workload, or to verify that they carry no "bookmarks" (implanted backdoors).
  • Third, Ansible has a low barrier to entry. A competent engineer will write a working playbook on the first day of working with the product.

But Ansible alone was not enough for us in a production environment. Without more, plenty of problems arise with restricting access and auditing what administrators do. How do you restrict access? After all, each department needs to manage (read: run Ansible playbooks against) "its own" servers. How do you allow only certain employees to run specific playbooks? And how do you track who launched a playbook without creating a pile of local accounts on the servers and on the hosts that run Ansible?

The lion's share of these problems is solved by Red Hat Ansible Tower, or by its open-source upstream, Ansible AWX. That is why we prefer it for our customers.

One more touch completes the picture of our CMS. Ansible playbooks must be kept in a version control system. We have GitLab CE.

So the configurations themselves are managed by the combination Ansible/Ansible AWX/GitLab (see Fig. 3). Naturally, AWX and GitLab are integrated with the single authentication system, and the Ansible playbooks are integrated with HashiCorp Vault. Configurations reach production only through Ansible AWX, where all the "rules of the game" are set: who configures what, where the CMS takes its configuration management code from, and so on.

Fig. 3. Configuration management.

Testing

Our configuration is expressed as code. That forces us to play by the same rules as software developers. We needed to organize the development, continuous testing, delivery and application of configuration code to production servers.

If this is not done right away, the roles written for the configuration either stop being maintained and updated, or stop being run in production. The cure for this ailment is well known, and it proved itself on this project:

  • every role is covered by unit tests;
  • the tests run on every change to the code that manages the configurations;
  • changes to the configuration management code reach production only after all tests pass and the code has been reviewed.

Code development and configuration management became calmer and more predictable. To organize continuous testing we used the GitLab CI/CD toolkit and Ansible Molecule.

Whenever the configuration management code changes, GitLab CI/CD invokes Molecule, which:

  • checks the code syntax,
  • spins up a Docker container,
  • applies the changed code to that container,
  • checks the role for idempotency and runs the tests written for this code (the granularity here is one Ansible role, see Fig. 4).

We deliver configurations to production through Ansible AWX. Operations engineers apply configuration changes from pre-prepared templates. AWX itself "requests" the current version of the code from the master branch in GitLab every time it is used. This rules out applying untested or outdated code in production. Naturally, code lands in the master branch only after testing, review and approval.

Fig. 4. Automated role testing in GitLab CI/CD.

There are also problems that come with operating production systems. In real life it is very hard to change configuration exclusively through CMS code. Emergencies arise in which an engineer has to change the configuration "here and now", without waiting for the code change, testing, approval and so on.

As a result of such manual changes, inconsistencies appear in the configuration of equipment of the same type (for example, the sysctl settings differ between the nodes of an HA cluster), or the actual configuration of the equipment differs from the one described in the CMS code.

So, in addition to continuous testing, we check production for configuration inconsistencies. We chose the simplest option: running the CMS configuration code in "dry run" mode, that is, without making any changes but reporting every discrepancy between the planned and the actual configuration. We implemented this by periodically running all Ansible playbooks against the production servers with the "--check" option (adding "--diff" also shows what exactly would change). As usual, Ansible AWX is responsible for launching the playbooks and keeping them up to date (see Fig. 5):

Fig. 5. Checking for configuration inconsistencies in Ansible AWX.

After the check, AWX sends the inconsistency report to the administrators. They study the problematic configuration and then fix it by adjusting the playbooks. This is how we keep the configuration of the production environment and the CMS constantly up to date and in sync, and it removes the unpleasant "miracles" that happen when CMS code is applied to "production" servers.
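The report described above can be produced mechanically from what the "dry run" emits. The script below is an added example for this article, not the author's or AWX's code. It assumes the scheduled check job ran the playbooks with the JSON stdout callback (`ANSIBLE_STDOUT_CALLBACK=ansible.posix.json ansible-playbook --check --diff site.yml`; the callback is named plain `json` on Ansible 2.9 and earlier) and saved the output; the hosts, task names and the JSON itself are constructed for the example. It keeps apart the three outcomes a drift job must never blur: in sync, drifted, and not checked at all because a host failed or was unreachable.

```python
"""Turn `ansible-playbook --check --diff` JSON output into a drift report.
Added example for this article, not the author's or AWX's code. Assumes the
JSON stdout callback, so each task result carries `changed` and `diff`.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample of the callback output: two HA database nodes whose
# sysctl files drifted apart, plus a node the job could not reach.
SAMPLE_CHECK_OUTPUT = r'''
{
  "plays": [{
    "play": {"name": "Baseline for database nodes"},
    "tasks": [{
      "task": {"name": "Pin vm.swappiness in /etc/sysctl.d/90-db.conf"},
      "hosts": {
        "db01": {"changed": false},
        "db02": {"changed": true,
                 "diff": {"before_header": "/etc/sysctl.d/90-db.conf",
                          "after_header": "/etc/sysctl.d/90-db.conf",
                          "before": "vm.swappiness = 60\n",
                          "after": "vm.swappiness = 10\n"}},
        "db03": {"unreachable": true, "msg": "Failed to connect to the host via ssh"}
      }
    }]
  }],
  "stats": {
    "db01": {"ok": 1, "changed": 0, "failures": 0, "unreachable": 0},
    "db02": {"ok": 1, "changed": 1, "failures": 0, "unreachable": 0},
    "db03": {"ok": 0, "changed": 0, "failures": 0, "unreachable": 1}
  }
}
'''


@dataclass(frozen=True)
class Drift:
    host: str
    task: str
    live: str   # what is on the server now (diff "before")
    code: str   # what the CMS code describes (diff "after")


def _flatten_diff(diff) -> tuple[str, str]:
    """Modules return `diff` as a dict or a list of dicts; join before/after."""
    if diff is None:
        return "", ""
    if isinstance(diff, dict):
        diff = [diff]
    before = "".join(str(d.get("before", "")) for d in diff)
    after = "".join(str(d.get("after", "")) for d in diff)
    return before.strip(), after.strip()


def parse_check_output(raw: str) -> list[Drift]:
    """One Drift per (host, task) reported as changed. In check mode nothing is
    applied, so 'changed' means the host differs from the code: that is drift."""
    drifts = []
    for play in json.loads(raw).get("plays", []):
        for task in play.get("tasks", []):
            name = task["task"]["name"]
            for host, result in task.get("hosts", {}).items():
                if result.get("changed"):
                    live, code = _flatten_diff(result.get("diff"))
                    drifts.append(Drift(host, name, live, code))
    return drifts


def unchecked_hosts(raw: str) -> list[str]:
    """Failed or unreachable hosts got no verdict; never confuse that with 'in sync'."""
    stats = json.loads(raw).get("stats", {})
    return sorted(h for h, s in stats.items() if s.get("failures") or s.get("unreachable"))


def exit_code(drifts: list[Drift], unchecked: list[str]) -> int:
    """0 = in sync, 1 = drift found, 2 = at least one host could not be checked."""
    if unchecked:
        return 2
    return 1 if drifts else 0


def render_report(drifts: list[Drift], unchecked: list[str]) -> str:
    lines = [f"{d.host}: DRIFT in '{d.task}'\n    live: {d.live!r}\n    code: {d.code!r}"
             for d in drifts]
    lines += [f"{h}: NOT CHECKED (failed or unreachable)" for h in unchecked]
    return "\n".join(lines) or "all hosts match the CMS code"


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHECK_OUTPUT
    found, missing = parse_check_output(raw), unchecked_hosts(raw)
    print(render_report(found, missing))
    sys.exit(exit_code(found, missing))
```

The exit code is what makes this usable as a scheduled job: 0 lets the schedule stay quiet, 1 raises the drift report for the administrators, and 2 flags that part of the estate was not assessed at all, which is the case that a naive "no changed tasks means no drift" check silently misses.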

We now have a complete testing stack made up of Ansible AWX/GitLab/Molecule (Fig. 6).

Fig. 6. Testing.

Complicated? I won't argue. But this configuration management stack became the answer to many questions about automating server configuration. The retailer's standard servers now always have a strictly defined configuration. The CMS, unlike an engineer, will not forget to add the required settings, create the users and perform the dozens or hundreds of other required steps.

There is no "secret knowledge" left in the configuration of servers and environments today. Every necessary detail is captured in the playbooks. No more improvisation and vague instructions like: "Install it the way you usually install Oracle, but you need to set a couple of sysctl parameters and add users with the required UIDs. Ask the ops guys, they know."

Being able to detect configuration inconsistencies and fix them in a calm, planned way brings peace of mind. Without a configuration management system it usually looks different: problems pile up until one day they "go off" in production. Then there is a post-mortem, configurations are checked and fixed, and the cycle repeats.

And of course, we cut the time to bring a server into service from several days to hours.

Well, on New Year's Eve itself, while the children were happily unwrapping gifts and the adults were making wishes as the chimes struck, our engineers migrated the SAP system to the new servers. Even Santa Claus would say that the best miracles are the well-prepared ones.

P.S. Our team often runs into customers who want to solve configuration management as simply as possible. Ideally as if by magic, with a single tool. In real life it is more complicated (yes, the silver bullets have not been delivered yet): you have to build a whole process out of tools that the customer's team finds convenient.

Author: Sergey Artemov, architect, DevOps solutions department, Jet Infosystems

Source: www.hab.com
