Network automation. A case from someone's life

Hi Habr!

In this article we want to talk about automating network infrastructure. We will present a working diagram of a network that runs in a small but very proud company. Any resemblance to real network equipment is coincidental. We will look at an incident that occurred in this network, one that could have stopped the business for a long time and caused serious financial losses. The solution to this incident fits the idea of "network infrastructure automation" very well. Using automation tools, we will show how a complex problem can be solved in a short time, and we will consider why such problems should be solved this way and not otherwise (through the console).

Disclaimer

Our main automation tools are Ansible (as the automation tool) and Git (as the repository for Ansible playbooks). We want to say up front that this is not an introductory article in which we discuss the logic of Ansible or Git and explain the basics (for example, what roles/tasks/modules, inventory files and variables are in Ansible, or what happens when you enter the git push or git commit commands). This is not a story about how you can practise Ansible by configuring NTP or SMTP on your equipment. It is a story about how you can solve a network problem quickly and, preferably, without errors. It also helps to have a good understanding of how a network works, in particular what the TCP/IP protocol stack, OSPF and BGP are. We will also leave the choice of Ansible and Git outside the scope of the article. If you still need to choose a specific solution, we strongly recommend reading the book "Network Programmability and Automation. Skills for the Next-Generation Network Engineer" by Jason Edelman, Scott S. Lowe, and Matt Oswalt.

Now to the point.

Problem statement

Let's imagine a situation: it is 3 o'clock in the morning, you are fast asleep and dreaming. The phone rings. The technical director is calling:

- Yes?
- ###, ####, #####, the firewall cluster has gone down and will not come back up!!!
You rub your eyes, trying to understand what is happening and to imagine how this could have happened. Over the phone you can hear the director tearing the hair from his head, and he asks you to call back because the general is calling him on the second line.

Half an hour later you have collected the first details from the duty shift, and everyone who could be woken up has been woken up. In the end the technical director was not lying; everything is exactly as he said: the primary firewall cluster has gone down, and no basic measures bring it back. None of the services the company provides are working.

Pick a cause to your taste; everyone will remember something different. For example, after a night-time update with no heavy load, everything worked fine and everyone went to bed happy. Then traffic started to flow, and the interfaces began to overflow because of a bug in the network card driver.

Jackie Chan can describe the situation well.


Thank you, Jackie.

Not a very pleasant situation, is it?

Let's leave our network bro alone with his sad thoughts for a while.

Let's discuss how events will develop from here.

We propose the following order of presentation:

  1. We look at the network diagram and see how it works;
  2. We describe how to move settings from one router to another using Ansible;
  3. We talk about automating the IT infrastructure as a whole.

Network diagram and description

Diagram

[Figure: logical diagram of the network]

Let's consider the logical diagram of our organization. We will not name specific equipment manufacturers; for the purposes of this article it does not matter (the attentive reader will guess what kind of equipment is used). This is one of the nice advantages of working with Ansible: when configuring, we do not care what kind of equipment it is. Just for understanding, this is equipment from well-known vendors such as Cisco, Juniper, Check Point, Fortinet, Palo Alto... you can substitute your own choice.

There are two main tasks for moving traffic:

  1. Ensure the publication of our services, which are the company's business;
  2. Provide connectivity with branches, a remote data center and third-party organizations (partners and clients), as well as branch access to the Internet through the central office.

Let's start with the basic elements:

  1. Two border routers (BRD-01, BRD-02);
  2. Firewall cluster (FW-CLUSTER);
  3. Core switch (L3-CORE);
  4. A router that will serve as the lifeline (while solving the problem, we will move the network settings from FW-CLUSTER to EMERGENCY) (EMERGENCY);
  5. Switches for managing the network infrastructure (L2-MGMT);
  6. Virtual machine with Git and Ansible (VM-AUTOMATION);
  7. A node for testing and developing playbooks for Ansible (Pona-Aunoa).

The network is configured with the OSPF dynamic routing protocol with the following areas:

  • Area 0 – the area containing the routers responsible for moving traffic in the EXCHANGE zone;
  • Area 1 – the area containing the routers responsible for the operation of the company's services;
  • Area 2 – the area containing the routers responsible for routing management traffic;
  • Area N – the areas of the branch networks.

On each border router a virtual router (VRF-INTERNET) is created, on which eBGP full view is brought up with the assigned AS. iBGP is configured between the VRFs. The company has a pool of public ("white") addresses that are announced on these VRF-INTERNET instances. Some of the public addresses are routed directly to FW-CLUSTER (the addresses on which the company's services run), and some are routed through the EXCHANGE zone (internal company services that need external IP addresses, and external NAT addresses for the offices). Traffic then goes to virtual routers created on L3-CORE with public and private ("gray") addresses (security zones).

The Management network uses dedicated switches and is a dedicated network. The management network is also divided into security zones.
The EMERGENCY router duplicates FW-CLUSTER. All interfaces on it are disabled except those that face the management network.

Automation and its description

We have worked out how the network operates. Now let's look at what we need to do to move traffic from FW-CLUSTER to EMERGENCY:

  1. We disable the interfaces on the core switch (L3-CORE) that connect it to FW-CLUSTER;
  2. We disable the interfaces on the L2-MGMT core switch that connect it to FW-CLUSTER;
  3. We configure the EMERGENCY router (by default, all interfaces on it are disabled, except those connected to L2-MGMT):

  • We enable the interfaces on EMERGENCY;
  • We configure the external IP address (for NAT) that was on FW-Cluster;
  • We generate gARP requests so that the MAC addresses in the L3-CORE ARP tables change from FW-Cluster to EMERGENCY;
  • We set the default route as a static route to BRD-01, BRD-02;
  • We create the NAT rules;
  • We bring up OSPF Area 1 on EMERGENCY;
  • We bring up OSPF Area 2 on EMERGENCY;
  • We change the cost of the routes in Area 1 to 10;
  • We change the cost of the default route in Area 1 to 10;
  • We change the IP addresses associated with L2-MGMT (to those that were on FW-CLUSTER);
  • We generate gARP requests so that the MAC addresses in the L2-MGMT ARP tables change from FW-CLUSTER to EMERGENCY.

Once again, let's return to the original statement of the problem. Three o'clock in the morning, enormous stress, and a mistake at any stage can lead to new problems. Ready to type commands through the CLI? Yes? Fine, but at least go and wash your face, drink some coffee and gather your strength.
Bruce, please help the guys.


Well, we keep improving our automation.
Below is a diagram of how the playbook works, in Ansible terms. This diagram reflects what we described just above; it is simply a specific implementation in Ansible.
[Figure: how the playbook works, in Ansible terms]

At this stage we have understood what needs to be done, developed a playbook and run the tests, and now we are ready to launch it.

One more small lyrical digression. The ease of the narrative should not mislead you. Writing the playbooks was not as simple and quick as it might seem. Testing took a long time: a virtual test bench was built, the solution was tested many times, and about 100 tests were carried out.

We launch... There is a feeling that everything is happening very slowly, that there is a mistake somewhere, that something will not work in the end. It feels like jumping with a parachute when the parachute does not want to open right away... this is normal.

Next, we read the result of the operations performed by the Ansible playbook (the IP addresses have been replaced for reasons of secrecy):

[xxx@emergency ansible]$ ansible-playbook -i /etc/ansible/inventories/prod_inventory.ini /etc/ansible/playbooks/emergency_on.yml 

PLAY [------->Emergency on VCF] ********************************************************

TASK [vcf_junos_emergency_on : Disable PROD interfaces to FW-CLUSTER] *********************
changed: [vcf]

PLAY [------->Emergency on MGMT-CORE] ************************************************

TASK [mgmt_junos_emergency_on : Disable MGMT interfaces to FW-CLUSTER] ******************
changed: [m9-03-sw-03-mgmt-core]

PLAY [------->Emergency on] ****************************************************

TASK [mk_routeros_emergency_on : Enable EXT-INTERNET interface] **************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Generate gARP for EXT-INTERNET interface] ****************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Enable static default route to EXT-INTERNET] ****************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change NAT rule to EXT-INTERNET interface] ****************
changed: [m9-04-r-04] => (item=12)
changed: [m9-04-r-04] => (item=14)
changed: [m9-04-r-04] => (item=15)
changed: [m9-04-r-04] => (item=16)
changed: [m9-04-r-04] => (item=17)

TASK [mk_routeros_emergency_on : Enable OSPF Area 1 PROD] ******************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Enable OSPF Area 2 MGMT] *****************************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change OSPF Area 1 interfaces costs to 10] *****************
changed: [m9-04-r-04] => (item=VLAN-1001)
changed: [m9-04-r-04] => (item=VLAN-1002)
changed: [m9-04-r-04] => (item=VLAN-1003)
changed: [m9-04-r-04] => (item=VLAN-1004)
changed: [m9-04-r-04] => (item=VLAN-1005)
changed: [m9-04-r-04] => (item=VLAN-1006)
changed: [m9-04-r-04] => (item=VLAN-1007)
changed: [m9-04-r-04] => (item=VLAN-1008)
changed: [m9-04-r-04] => (item=VLAN-1009)
changed: [m9-04-r-04] => (item=VLAN-1010)
changed: [m9-04-r-04] => (item=VLAN-1011)
changed: [m9-04-r-04] => (item=VLAN-1012)
changed: [m9-04-r-04] => (item=VLAN-1013)
changed: [m9-04-r-04] => (item=VLAN-1100)

TASK [mk_routeros_emergency_on : Change OSPF area1 default cost for to 10] ******************
changed: [m9-04-r-04]

TASK [mk_routeros_emergency_on : Change MGMT interfaces ip addresses] ********************
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n.254', u'name': u'VLAN-803'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+1.254', u'name': u'VLAN-805'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+2.254', u'name': u'VLAN-807'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+3.254', u'name': u'VLAN-809'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+4.254', u'name': u'VLAN-820'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+5.254', u'name': u'VLAN-822'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+6.254', u'name': u'VLAN-823'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+7.254', u'name': u'VLAN-824'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+8.254', u'name': u'VLAN-850'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+9.254', u'name': u'VLAN-851'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+10.254', u'name': u'VLAN-852'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+11.254', u'name': u'VLAN-853'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+12.254', u'name': u'VLAN-870'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+13.254', u'name': u'VLAN-898'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+14.254', u'name': u'VLAN-899'})

TASK [mk_routeros_emergency_on : Generate gARPs for MGMT interfaces] *********************
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n.254', u'name': u'VLAN-803'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+1.254', u'name': u'VLAN-805'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+2.254', u'name': u'VLAN-807'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+3.254', u'name': u'VLAN-809'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+4.254', u'name': u'VLAN-820'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+5.254', u'name': u'VLAN-822'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+6.254', u'name': u'VLAN-823'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+7.254', u'name': u'VLAN-824'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+8.254', u'name': u'VLAN-850'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+9.254', u'name': u'VLAN-851'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+10.254', u'name': u'VLAN-852'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+11.254', u'name': u'VLAN-853'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+12.254', u'name': u'VLAN-870'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+13.254', u'name': u'VLAN-898'})
changed: [m9-04-r-04] => (item={u'ip': u'х.х.n+14.254', u'name': u'VLAN-899'})

PLAY RECAP ************************************************************************

Done!

Actually, not quite: don't forget about the convergence of the dynamic routing protocols and the loading of a large number of routes into the FIB. We cannot influence this in any way. We wait. It worked. Now it is done.
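One way to check a run like the one above mechanically, as an added example that is not the authors' code: a small Python parser for the default ansible-playbook output that confirms the failover steps ran in the required order and that no step failed or was skipped. The function names, the selection of steps in EXPECTED_ORDER and the failing sample are assumptions made for this illustration.

```python
import re

# Order the failover depends on; task names copied from the run output above.
EXPECTED_ORDER = [
    "Disable PROD interfaces to FW-CLUSTER",
    "Disable MGMT interfaces to FW-CLUSTER",
    "Enable EXT-INTERNET interface",
    "Generate gARP for EXT-INTERNET interface",
    "Enable OSPF Area 1 PROD",
    "Enable OSPF Area 2 MGMT",
    "Change MGMT interfaces ip addresses",
    "Generate gARPs for MGMT interfaces",
]
TASK_RE = re.compile(r"^TASK \[(?:.+? : )?(?P<name>.+?)\]")
RESULT_RE = re.compile(r"^(?P<status>ok|changed|skipping|failed|fatal): \[(?P<host>[^\]]+)\]")

def parse_run(text):
    """Return [(task_name, [(status, host), ...]), ...] in execution order."""
    tasks = []
    for line in text.splitlines():
        if m := TASK_RE.match(line):
            tasks.append((m.group("name"), []))
        elif (m := RESULT_RE.match(line)) and tasks:
            tasks[-1][1].append((m.group("status"), m.group("host")))
    return tasks

def audit(text, expected=EXPECTED_ORDER):
    """List missing or out-of-order steps and every result that is not ok/changed."""
    tasks = parse_run(text)
    names = [name for name, _ in tasks]
    problems, last = [], -1
    for want in expected:
        if want not in names:
            problems.append(f"missing: {want}")
        elif names.index(want) < last:
            problems.append(f"out of order: {want}")
        else:
            last = names.index(want)
    for name, results in tasks:
        # A skipped step counts as a problem: in a failover every step must apply.
        problems += [f"{s} on {h}: {name}" for s, h in results if s not in ("ok", "changed")]
    return problems

# Constructed sample in the same format: the second step fails and the run stops.
SAMPLE_BAD = """\
TASK [vcf_junos_emergency_on : Disable PROD interfaces to FW-CLUSTER] ***
changed: [vcf]
TASK [mgmt_junos_emergency_on : Disable MGMT interfaces to FW-CLUSTER] ***
fatal: [m9-03-sw-03-mgmt-core]: FAILED! => {"msg": "constructed error"}
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BAD)))
```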

Meanwhile, in the village of Vilabajo (which does not want to automate network configuration) they are still washing the dishes. Bruce (a different one, admittedly, but no less cool) is trying to work out how much more manual reconfiguration of the equipment lies ahead.


I would also like to dwell on one important point. How do we put everything back? After some time, we bring our FW-CLUSTER back to life. It is the primary equipment, not the backup, and the network should run on it.

Can you feel the network engineers starting to heat up? The technical director will hear a thousand arguments why this should not be done and why it can be done later. Unfortunately, this is how a network ends up running on a bundle of patches, fragments and remnants of its former luxury. The result is a patchwork quilt. Our task in general, not in this particular situation but in principle, as IT specialists, is to bring the operation of the network to the beautiful English word "consistency", which is very multifaceted and can be translated as: coherence, consistency, logic, connectedness, systematicity, comparability, cohesion. It is all about that. Only in this state is the network manageable: we clearly understand what works and how, we clearly understand what needs to be changed if necessary, and we clearly know where to look if problems arise. And only in a network like this can you pull off tricks like the ones described above.

In fact, another playbook was also prepared, which returned the settings to their original state. The logic of its operation is the same (it is important to remember that the order of the tasks matters a great deal); so as not to lengthen an already long article, we decided not to publish a listing of that playbook run. After carrying out such exercises you will feel much calmer and more confident about the future; in addition, any crutches you have piled up there will reveal themselves immediately.

Anyone can write to us and receive the sources of all the code we wrote, together with all the playbooks. Contacts are in the profile.

Conclusions

In our opinion, the set of processes that can be automated has not yet crystallized. Based on what we have encountered and on what our Western colleagues are discussing, the following topics are visible at the moment:

  • Device provisioning;
  • Data collection;
  • Reporting;
  • Troubleshooting;
  • Compliance.

If there is interest, we can continue the discussion on one of these topics.

I would also like to say a little about automation. What it should be, in our understanding:

  • The system must live without a person, while being improved by a person. The system should not depend on a person;
  • Operation must be expert work. There is no class of specialists performing routine tasks. There are experts who have automated the whole routine and solve only complex problems;
  • Standard tasks are done automatically "at the push of a button", without wasting resources. The result of such tasks is always predictable and understandable.

And what these points should lead to:

  • Transparency of the IT infrastructure (fewer risks in operation, modernization and implementation; less downtime per year);
  • The ability to plan IT resources (a capacity planning system: you can see how much is consumed and how many resources are needed in a single system, rather than through letters and visits to senior departments);
  • The ability to reduce the number of IT staff.

Authors of the article: Alexander Chelovekov (CCIE RS, CCIE SP) and Pavel Kirillov. We are interested in discussing and debating solutions on the topic of IT infrastructure automation.


Source: will.com
