Setting up a Nomad cluster using Consul and integrating it with Gitlab

Introduction

Recently the popularity of Kubernetes has been growing rapidly, with more and more projects adopting it. I wanted to touch on an orchestrator such as Nomad: it suits projects that already use other HashiCorp solutions, for example Vault and Consul, and whose infrastructure is not itself complex. This material contains instructions for installing Nomad, joining two nodes into a cluster, and integrating Nomad with Gitlab.


Test bench

A few words about the test bench: three virtual servers are used, each with 2 CPU, 4 GB RAM and a 50 GB SSD, joined to a common local network. Their names and IP addresses:

  1. nomad-livelinux-01: 172.30.0.5
  2. nomad-livelinux-02: 172.30.0.10
  3. consul-livelinux-01: 172.30.0.15

Installing Nomad and Consul. Creating a Nomad cluster

Let's start with the basic installation. Although the setup is simple, I will describe it for the sake of completeness: it was essentially put together from drafts and notes for quick reference when needed.

Before we get to practice, let's discuss the theory, because at this stage it is important to understand the structure we are building.

We have two Nomad nodes and want to join them into a cluster; in the future we will also want automatic cluster scaling, and for that we need Consul. With this tool, clustering and adding new nodes becomes a very simple task: a newly created Nomad node connects to the Consul agent and then joins the existing Nomad cluster. So first we will install the Consul server, configure basic HTTP authentication for the web panel (it has no authentication by default and can be reached at an external address), then the Consul agents themselves on the Nomad servers, and only after that will we move on to Nomad.

Installing HashiCorp software is very simple: essentially, we move the binary file to the bin directory, write the tool's configuration file, and create its service file.

Download the Consul binary and unpack it into the user's home directory:

root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/

Now we have a ready Consul binary for further configuration.

To work with Consul we need to create a unique gossip encryption key using the keygen command:

root@consul-livelinux-01:~# consul keygen

Let's move on to configuring Consul, creating the /etc/consul.d/ directory with the following structure:

/etc/consul.d/
├── bootstrap
│   └── config.json

The bootstrap directory will contain the config.json configuration file, in which we set the Consul settings. Its contents:

{
  "bootstrap": true,
  "server": true,
  "datacenter": "dc1",
  "data_dir": "/var/consul",
  "encrypt": "your-key",
  "log_level": "INFO",
  "enable_syslog": true,
  "start_join": ["172.30.0.15"]
}

Let's look at the main directives and their meanings separately:

  • bootstrap: true. We enable automatic addition of new nodes when they connect. Note that we do not specify the exact number of expected nodes here.
  • server: true. Enable server mode. Consul on this virtual machine will act as the only server and master for now; the Nomad VMs will be clients.
  • datacenter: dc1. Specify the name of the datacenter in which the cluster is created. It must be identical on clients and servers.
  • encrypt: your-key. The key, which must also be unique and match on all clients and servers. Generated with the consul keygen command.
  • start_join. In this list we specify the IP addresses to which the connection will be made. For now we leave only our own address.

At this point we can run consul from the command line:

root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui

This is a good way to debug now, but for obvious reasons you cannot use this method permanently. Let's create a service file to manage Consul via systemd:

root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service

Contents of the consul.service file:

[Unit]
Description=Consul Startup process
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui' 
TimeoutStartSec=0
 
[Install]
WantedBy=default.target

Start Consul via systemctl:

root@consul-livelinux-01:~# systemctl start consul

Let's check: our service should be running, and by executing the consul members command we should see our server:

root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux    172.30.0.15:8301  alive   server  1.5.0  2         dc1  <all>

Next step: install Nginx and set up proxying and HTTP authentication. We install nginx via the package manager and in the /etc/nginx/sites-enabled directory we create the consul.conf configuration file with the following contents:

upstream consul-auth {
    server localhost:8500;
}

server {

    server_name consul.domain.name;
    
    location / {
      proxy_pass http://consul-auth;
      proxy_set_header Host $host;
      auth_basic_user_file /etc/nginx/.htpasswd;
      auth_basic "Password-protected Area";
    }
}

Don't forget to create the .htpasswd file and generate a username and password for it. This is needed so that the web panel is not available to everyone who knows our domain. However, when setting up Gitlab we will have to drop this, otherwise we will not be able to deploy our application to Nomad. In my project both Gitlab and Nomad are only on the internal (grey) network, so there is no such problem here.

On the remaining two servers we install Consul agents following these instructions. We repeat the steps with the binary:

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/

By analogy with the previous server, we create the /etc/consul.d directory for the configuration file with the following structure:

/etc/consul.d/
├── client
│   └── config.json

Contents of the config.json file (bind_addr is the local address of this VM and start_join the remote address of the Consul server; JSON does not allow comments, so these notes stay outside the file):

{
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01",
    "server": false,
    "encrypt": "your-private-key",
    "domain": "livelinux",
    "addresses": {
      "dns": "127.0.0.1",
      "https": "0.0.0.0",
      "grpc": "127.0.0.1",
      "http": "127.0.0.1"
    },
    "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
    "ports": {
      "dns": 53
    }
}

Save the changes and move on to the service file; its contents:

/etc/systemd/system/consul.service:

[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

We start consul on the server. Now, after startup, we should see the configured node in consul members. This means it has successfully joined the cluster as a client. Repeat the same on the second server, and then we can begin installing and configuring Nomad.

A more detailed installation of Nomad is described in its official documentation. There are two traditional installation methods: downloading the binary and building from source. I will choose the first.

Note: the project is developing very quickly and new releases come out often. A new version may well be released by the time this article is finished. Therefore, before following along, I recommend checking the current version of Nomad and downloading that one.
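As an added check, not part of the original article, the following script parses the table that consul members prints and reports whether each node of the bench has joined and is alive; the table inside it is constructed sample output, and the node names are those of the bench.

```shell
# Added example, not from the original article: verify that every node of
# the bench has joined Consul and is alive, by parsing "consul members".
# SAMPLE_MEMBERS is constructed output; in real use set it with
#   MEMBERS="$(consul members)" and pass that instead.

SAMPLE_MEMBERS='Node                 Address            Status  Type    Build  Protocol  DC   Segment
consul-livelinux-01  172.30.0.15:8301   alive   server  1.5.0  2         dc1  <all>
nomad-livelinux-01   172.30.0.5:8301    alive   client  1.5.0  2         dc1  <default>
nomad-livelinux-02   172.30.0.10:8301   left    client  1.5.0  2         dc1  <default>'

# check_members "<members table>" node1 node2 ...
# Prints one line per expected node; returns the number of nodes that are
# missing from the table or not in the "alive" state (0 = cluster complete).
check_members() {
    table=$1
    shift
    failures=0
    for node in "$@"; do
        # column 1 is the node name, column 3 its serf status
        status=$(printf '%s\n' "$table" | awk -v n="$node" 'NR > 1 && $1 == n { print $3 }')
        case "$status" in
            alive) echo "ok       $node" ;;
            "")    echo "MISSING  $node"; failures=$((failures + 1)) ;;
            *)     echo "$status     $node"; failures=$((failures + 1)) ;;
        esac
    done
    return "$failures"
}

# alive_servers "<members table>": number of alive members of type "server".
# The bench runs exactly one Consul server, so any other value needs a look.
alive_servers() {
    printf '%s\n' "$1" | awk 'NR > 1 && $3 == "alive" && $4 == "server" { c++ } END { print c + 0 }'
}

check_members "$SAMPLE_MEMBERS" consul-livelinux-01 nomad-livelinux-01 nomad-livelinux-02 \
    || echo "cluster incomplete: $? node(s) not alive"
echo "alive servers: $(alive_servers "$SAMPLE_MEMBERS")"
```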

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d

After unpacking the archive we get a Nomad binary of about 65 MB, which we move to /usr/local/bin.

Let's create a data directory for Nomad and edit its service file (most likely it does not exist yet):

root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service

Paste the following lines into it:

[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity

[Install]
WantedBy=multi-user.target

However, we are in no hurry to start nomad: we have not created its configuration files yet:

root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl

The final directory structure will be as follows:

/etc/nomad.d/
├── nomad.hcl
└── server.hcl

The nomad.hcl file should contain the following configuration:

datacenter = "dc1"
data_dir = "/opt/nomad"

Contents of the server.hcl file:

server {
  enabled = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1" 

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}

Don't forget to change the configuration file on the second server as well: there you will need to change the value of the http directive in the advertise block.

The last thing at this stage is to configure Nginx for proxying and set up HTTP authentication. Contents of the nomad.conf file:

upstream nomad-auth {
    server 172.30.0.5:4646;
}

server {

    server_name nomad.domain.name;

    location / {
      proxy_pass http://nomad-auth;
      proxy_set_header Host $host;
      auth_basic_user_file /etc/nginx/.htpasswd;
      auth_basic "Password-protected Area";
    }
}

Now we can reach the web panel from the external network. Connect and go to the servers page:

Figure 1. List of servers in the Nomad cluster

Both servers are shown in the panel; we will see the same in the output of the nomad node status command:

Figure 2. Output of the nomad node status command

What about Consul? Let's take a look. Go to the Consul control panel, to the nodes page:

Figure 3. List of nodes in the Consul cluster

Now we have a working Nomad cooperating with Consul. In the final stage we come to the most interesting part: setting up delivery of Docker containers from Gitlab to Nomad, and also talking about some of its other distinctive features.

Creating a Gitlab Runner

To deploy docker images to Nomad we will use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of HashiCorp applications: each of them is a single binary). Upload it to the runner's directory. Let's create a simple Dockerfile for it with the following contents:


FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad

In the same project we create .gitlab-ci.yml:

variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name
 

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

As a result we will have a ready image of the Nomad runner in the Gitlab Registry; now we can go directly to the project repository, create a Pipeline and configure the Nomad job.

Project setup

Let's start with the job file for Nomad. My project in this article will be quite primitive: it will consist of a single task. The contents of .gitlab-ci will be as follows:

variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}


deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual
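The deploy stage above renders the job with envsubst and then gates nomad run on the exit code of nomad plan. As an added example, not code from the original article, the following script expresses those two steps as shell functions that can be run without a cluster; fake_nomad_plan is a constructed stand-in for nomad plan, and the job template line is constructed from the job file used in this project.

```shell
# Added example, not from the original article: the deploy stage's two
# steps (substitute the commit SHA into project.nomad, then gate
# "nomad run" on the exit code of "nomad plan") as plain shell functions.
# fake_nomad_plan is a constructed stand-in for "nomad plan": it exits
# with whatever code FAKE_PLAN_RC holds.

# render_job "<template text>" <sha>: substitute only ${CI_COMMIT_SHORT_SHA},
# like envsubst '${CI_COMMIT_SHORT_SHA}' in the pipeline, using sed so it
# also works where gettext is absent. The SHA is hex, so it never contains
# the "/" delimiter used by sed.
render_job() {
    printf '%s\n' "$1" | sed "s/\${CI_COMMIT_SHORT_SHA}/$2/g"
}

# plan_gate <exit code of nomad plan>. Nomad documents these codes:
#   0   no allocations would change
#   1   allocations would be created, destroyed or updated
#   255 error (invalid job, unreachable cluster, ...)
# Returns 0 when the pipeline may continue to "nomad run", 1 otherwise,
# which is what `nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255;
# else echo "success"; fi` in .gitlab-ci.yml encodes.
plan_gate() {
    case "$1" in
        0)   echo "plan: no changes, run would be a no-op"; return 0 ;;
        1)   echo "plan: changes pending, continuing to run"; return 0 ;;
        255) echo "plan: error, aborting deploy" >&2; return 1 ;;
        *)   echo "plan: unexpected exit code $1, aborting" >&2; return 1 ;;
    esac
}

# Constructed stand-in for "nomad plan job.nomad".
fake_nomad_plan() { return "${FAKE_PLAN_RC:-1}"; }

# deploy "<template text>" <sha>: render, plan, and only then (in a real
# pipeline) "nomad run job.nomad". Returns 0 on a deployable plan.
deploy() {
    job=$(render_job "$1" "$2")
    rc=0
    fake_nomad_plan "$job" || rc=$?
    plan_gate "$rc" || return 1
    echo "would run: nomad run job.nomad (image tag $2)"
}

# Constructed line in the shape of the job file's image directive.
TEMPLATE='image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"'
FAKE_PLAN_RC=1
deploy "$TEMPLATE" a1b2c3d
```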

Here the deploy is started manually, but you can configure it to run on changes to the project directory. The pipeline consists of two stages: building the image and deploying it to Nomad. In the first stage we build the docker image and push it to our Registry; in the second we launch our job in Nomad. The project.nomad job file that the deploy stage renders into job.nomad:

job "monitoring-status" {
    datacenters = ["dc1"]
    migrate {
        max_parallel = 3
        health_check = "checks"
        min_healthy_time = "15s"
        healthy_deadline = "5m"
    }

    group "zhadan.ltd" {
        count = 1
        update {
            max_parallel      = 1
            min_healthy_time  = "30s"
            healthy_deadline  = "5m"
            progress_deadline = "10m"
            auto_revert       = true
        }
        task "service-monitoring" {
            driver = "docker"

            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
                port_map {
                    http = 8000
                }
            }
            resources {
                network {
                    port "http" {}
                }
            }
        }
    }
}

Note that I have a private registry, and to pull the docker image successfully I need to log in to it. The best solution in this case is to put the login and password in Vault and then integrate it with Nomad. Nomad supports Vault natively. But first, in Vault itself, we need to install the policies required by Nomad; you can download them:

# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L

# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl

# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

Now, having created the necessary policies, we add the Vault integration to the job block in the job.nomad file:

vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token = "token"
}

I use token authentication and register the token directly here; there is also the option of passing the token as a variable when starting the agent:

$ VAULT_TOKEN=<token> nomad agent -config /path/to/config

Now we can use the keys from Vault. The principle is simple: in the Nomad job we create a file that will hold the values of the variables, for example:

template {
  data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
  destination = "secrets/service-name.env"
  env = true
}
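As an added check, not part of the original article, the following script flags literal credentials left in a Nomad job file, such as the password in the auth block of the job above and the token in the vault block, which is exactly what moving them into the Vault template avoids; both job excerpts inside it are constructed.

```shell
# Added example, not from the original article: a pre-deploy lint that
# reports literal credentials in a Nomad job file (the auth { password }
# and vault { token } values the Vault template replaces). Both excerpts
# below are constructed in the shape of the article's job.nomad.

SAMPLE_JOB='job "monitoring-status" {
  config {
    auth {
      username = "gitlab_user"
      password = "gitlab_password"
    }
  }
  vault {
    enabled = true
    token = "s.constructedtoken"
  }
}'

# Same job after the change: secret values come from the template, so the
# only quoted literals left are the Vault path and the env file name.
SAMPLE_JOB_FIXED='job "monitoring-status" {
  template {
    data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
    destination = "secrets/service-name.env"
    env = true
  }
}'

# lint_job_secrets "<job text>": prints "<line>: <key>" for every
# password/token/secret_id key assigned a non-empty quoted literal. Lines
# like REGISTRY_PASSWORD="{{ ... }}" inside a template body are not
# "key = value" assignments and are skipped. Returns the number of findings.
lint_job_secrets() {
    findings=$(printf '%s\n' "$1" | awk '
        $1 ~ /^(password|token|secret_id)$/ && $2 == "=" && $3 ~ /^"[^"]+"$/ { printf "%d: %s\n", NR, $1 }')
    [ -n "$findings" ] && printf '%s\n' "$findings"
    count=$(printf '%s\n' "$findings" | grep -c . || true)
    return "$count"
}

lint_job_secrets "$SAMPLE_JOB" || echo "$? literal credential(s) found, move them to Vault"
lint_job_secrets "$SAMPLE_JOB_FIXED" && echo "fixed job: clean"
```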

With this simple approach you can set up delivery of containers to the Nomad cluster and work with it going forward. I will say that to some extent I have sympathy for Nomad: it is better suited to small projects, where Kubernetes can introduce extra complexity and will not realise its full potential. Besides, Nomad is great for beginners: it is easy to install and configure. However, when testing on some projects I ran into problems with its early versions: many basic functions are simply missing or do not work correctly. Nevertheless, I believe Nomad will continue to develop and in the future will gain the functions everyone needs.

Author: Ilya Andreev, edited by Alexey Zhadan and the Live Linux team


Source: www.habr.com
