Beware of vulnerabilities that bring Workarounds. Part 1: FragmentSmack/SegmentSmack

Hello everyone! My name is Dmitry Samsonov, I work as a system administrator at Odnoklassniki. We have over 7 thousand servers, 11 thousand containers in our cloud and 200 applications, which in various configurations form 700 different clusters. Most servers run CentOS 7.
On August 14, 2018, information about the FragmentSmack (CVE-2018-5391) and SegmentSmack (CVE-2018-5390) vulnerabilities was published. These are vulnerabilities with a network attack vector and a fairly high score (7.5) that threaten denial of service (DoS) through resource exhaustion (CPU). A kernel fix for FragmentSmack was not available at the time; moreover, it came out much later than the vulnerability details were published. To eliminate SegmentSmack, updating the kernel was recommended. The update package was released the same day; all that remained was to install it.
No, we are not against updating the kernel! But there are nuances...

How we update the kernel in production

In general, nothing complicated:

  1. Download the packages;
  2. Install them on a number of servers (including servers that host our cloud);
  3. Make sure nothing is broken;
  4. Make sure all standard kernel settings are applied without errors;
  5. Wait a few days;
  6. Check the server metrics;
  7. Switch deployment of new servers to the new kernel;
  8. Update all servers data center by data center (one data center at a time, to minimize the impact on users if something goes wrong);
  9. Reboot all servers.

Repeat for every kernel branch we have. At the moment these are:

  • Stock CentOS 7 3.10 - for most regular servers;
  • Vanilla 4.19 - for our one-cloud clouds, because we need BFQ, BBR, etc.;
  • Elrepo kernel-ml 5.2 - for heavily loaded distributors, because 4.19 behaved unstably there, yet the same features are needed.

As you might guess, rebooting thousands of servers takes the most time. Since not every vulnerability is critical for every server, we reboot only those that are directly reachable from the Internet. In the cloud, so as not to limit flexibility, we don't pin externally reachable containers to particular servers with the new kernel, but reboot all hosts without exception. Fortunately, the procedure there is simpler than on regular servers. For example, stateless containers can simply move to another server during the reboot.

Still, there is a lot of work, it can take several weeks, and if there are any problems with the new version, up to several months. Attackers understand this very well, so a plan B is needed.

FragmentSmack/SegmentSmack. Workaround

Fortunately, for some vulnerabilities such a plan B exists, and it is called a Workaround. Most often this is a change of kernel/application settings that can minimize the possible effect or completely rule out exploitation of the vulnerabilities.

In the case of FragmentSmack/SegmentSmack, the following Workaround was proposed:

«You can change the default values of 4MB and 3MB in net.ipv4.ipfrag_high_thresh and net.ipv4.ipfrag_low_thresh (and their ipv6 counterparts net.ipv6.ipfrag_high_thresh and net.ipv6.ipfrag_low_thresh) to 256 kB and 192 kB respectively, or lower. Tests show small to significant drops in CPU usage during an attack depending on hardware, settings and conditions. However, there may be some performance impact due to ipfrag_high_thresh=262144 bytes, since only two 64K fragments can fit in the reassembly queue at a time. For example, there is a risk that applications working with large UDP packets will break.»

The parameters themselves are described in the kernel documentation as follows:

ipfrag_high_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments.

ipfrag_low_thresh - LONG INTEGER
    Maximum memory used to reassemble IP fragments before the kernel
    begins to remove incomplete fragment queues to free up resources.
    The kernel still accepts new fragments for defragmentation.

We have no large UDP on production services. There is no fragmented traffic on the LAN; there is fragmented traffic on the WAN, but not a significant amount. No warning signs - roll out the Workaround!

FragmentSmack/SegmentSmack. First blood

The first problem we ran into was that cloud containers sometimes applied the new settings only partially (only ipfrag_low_thresh), and sometimes did not apply them at all - they simply crashed at start. It was not possible to reproduce the problem reliably (all the settings applied by hand without any difficulty). Understanding why a container crashes at start is not easy either: no errors were found. One thing was certain: rolling back the settings made the container crashes go away.

Why isn't it enough to apply the Sysctl on the host? A container lives in its own dedicated network namespace, so at least the network-related Sysctl parameters inside the container can differ from the host's.

How exactly are Sysctl settings applied in a container? Since our containers are unprivileged, you can't change any Sysctl setting from inside the container itself - there are not enough rights. To run containers, our cloud at that time used Docker (now Podman). The parameters of a new container were passed to Docker via its API, including the required Sysctl settings.
Digging through versions, it turned out that the Docker API did not return all errors (at least in version 1.10). When we tried to start the container via "docker run", we finally saw at least something:

write /proc/sys/net/ipv4/ipfrag_high_thresh: invalid argument docker: Error response from daemon: Cannot start container <...>: [9] System error: could not synchronise with container process.

The parameter value is invalid. But why? And why does it only fail sometimes? It turned out that Docker does not guarantee the order in which Sysctl parameters are applied (the latest version checked was 1.13.1), so sometimes it tried to set ipfrag_high_thresh to 256K while ipfrag_low_thresh was still 3M, that is, the upper limit ended up below the lower limit, and the kernel rejected the write. The kernel validates each of these two writes against the other threshold's current value, so when both are being lowered the order matters: the low threshold has to be written first.

By that time we already had our own mechanism for post-start configuration of a container (freezing the container via the cgroup freezer and executing commands in the container's namespace via ip netns), and we simply added writing the Sysctl parameters to this stage. The problem was solved.
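The ordering rule above is worth encoding rather than remembering. The following is an added example and not the article's or the cloud's own hook: a POSIX shell function that writes the two ipfrag thresholds in whichever order the kernel will accept and then reads them back, because a swallowed error (as with the Docker API here) is exactly what this incident was about. SYSCTL_ROOT is an assumed variable for pointing the functions at a fake tree during testing; on a live host it defaults to /proc/sys, and inside a container's network namespace the script would be run under ip netns exec or nsenter, as the post-start hook described above does.

```shell
#!/bin/sh
# Apply the FragmentSmack workaround thresholds in an order the kernel
# accepts. Each write is validated against the other threshold's current
# value (ipfrag_high_thresh may not drop below ipfrag_low_thresh, and
# ipfrag_low_thresh may not rise above ipfrag_high_thresh), which is the
# "invalid argument" Docker hit when it wrote the keys in random order.
# SYSCTL_ROOT (assumed, for tests) overrides /proc/sys.

# sysctl_path net.ipv4.ipfrag_high_thresh -> /proc/sys/net/ipv4/ipfrag_high_thresh
sysctl_path() {
    printf '%s/%s\n' "${SYSCTL_ROOT:-/proc/sys}" "$(printf '%s' "$1" | tr . /)"
}

read_sysctl() { cat "$(sysctl_path "$1")"; }

write_sysctl() {
    printf '%s\n' "$2" > "$(sysctl_path "$1")" || return 1
}

# set_ipfrag_thresholds <ipv4|ipv6> <high_bytes> <low_bytes>
# Lowering: write low first, so high never lands below low.
# Raising:  write high first, so low never lands above high.
set_ipfrag_thresholds() {
    fam=$1
    high=$2
    low=$3
    if [ "$high" -lt "$low" ]; then
        echo "ipfrag_high_thresh ($high) must be >= ipfrag_low_thresh ($low)" >&2
        return 2
    fi
    cur_high=$(read_sysctl "net.$fam.ipfrag_high_thresh") || return 1
    if [ "$high" -lt "$cur_high" ]; then
        write_sysctl "net.$fam.ipfrag_low_thresh" "$low" &&
        write_sysctl "net.$fam.ipfrag_high_thresh" "$high"
    else
        write_sysctl "net.$fam.ipfrag_high_thresh" "$high" &&
        write_sysctl "net.$fam.ipfrag_low_thresh" "$low"
    fi || return 1
    # Read back: the Docker API in the story swallowed the EINVAL, so a
    # successful return code alone is not proof that the values landed.
    [ "$(read_sysctl "net.$fam.ipfrag_high_thresh")" -eq "$high" ] &&
    [ "$(read_sysctl "net.$fam.ipfrag_low_thresh")" -eq "$low" ]
}

# Example (the advisory's values):
#   set_ipfrag_thresholds ipv4 262144 196608
#   set_ipfrag_thresholds ipv6 262144 196608
```

Calling it with the advisory's 256 kB / 192 kB pair lowers both thresholds; calling it later with the kernel defaults (4 MB / 3 MB) raises them, and in both cases the function picks the order that the kernel's cross-check allows.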

FragmentSmack/SegmentSmack. First blood 2

Before we had time to get to the bottom of applying the Workaround in the cloud, the first rare complaints from users began to arrive. By then, several weeks had passed since the Workaround was applied on the first servers. The initial investigation showed that the complaints concerned individual services, and not all servers of those services. The problem had again become extremely vague.

First of all, we of course tried to roll back the Sysctl settings, but this had no effect. Various manipulations with server and application settings did not help either. Rebooting helped. Rebooting Linux is as unnatural as it used to be normal for Windows in the old days. Nevertheless, it helped, and we wrote it off as a "kernel glitch" when applying new Sysctl settings. How naive that was...

Three weeks later the problem recurred. The configuration of these servers was fairly simple: Nginx in proxy/balancer mode. Not much traffic. New input: the number of 504 (Gateway Timeout) errors seen by clients was growing every day. The graph shows the number of 504 errors per day for this service:

[Graph: number of 504 errors per day for the service]

All the errors are on the same backend - the one in the cloud. The graph of memory used by packet fragments on this backend looked like this:

[Graph: memory used by packet fragments on the backend]

This is one of the most obvious manifestations of the problem on the OS graphs. In the cloud, at exactly the same time, another network problem with QoS (Traffic Control) settings was being fixed. On the graph of memory used by packet fragments it looked exactly the same:

[Graph: memory used by packet fragments during the QoS problem]

The assumption was simple: if they look the same on the graphs, they have the same cause. Besides, any problems with this type of memory are extremely rare.

The essence of the fixed problem was that we used the fq packet scheduler with default settings in QoS. By default it allows one connection to queue 100 packets, and under channel shortage some connections began to fill that queue to capacity. In this case packets are dropped. In the tc statistics (tc -s qdisc) it looks like this:

qdisc fq 2c6c: parent 1:2c6c limit 10000p flow_limit 100p buckets 1024 orphan_mask 1023 quantum 3028 initial_quantum 15140 refill_delay 40.0ms
 Sent 454701676345 bytes 491683359 pkt (dropped 464545, overlimits 0 requeues 0)
 backlog 0b 0p requeues 0
  1024 flows (1021 inactive, 0 throttled)
  0 gc, 0 highprio, 0 throttled, 464545 flows_plimit

"464545 flows_plimit" is the number of packets dropped for exceeding the per-connection queue limit, and "dropped 464545" is the sum of all packets dropped by this scheduler. After raising the queue length to 1 thousand packets and restarting the containers, the problem stopped occurring. Time to sit back and sip a smoothie.

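On a host with hundreds of containers there are hundreds of fq qdiscs, so the check above is better scripted than eyeballed. The following is an added example, not the article's tooling: an awk-based report over saved "tc -s qdisc show" output that pairs each fq qdisc's configured flow_limit with its total drops and its flows_plimit drops, plus a filter for the ones that need attention. The sample text in the comments is constructed, modelled on the statistics quoted above.

```shell
#!/bin/sh
# Report per-flow-limit drops for every fq qdisc in "tc -s qdisc show"
# output. A drop counter that equals flows_plimit means the scheduler
# is only dropping because individual flows hit flow_limit (100p by
# default), which is the condition the article fixed by raising it.

# fq_plimit_report <file-with-tc-output>
# Prints one line per fq qdisc:
#   <handle> flow_limit=<N> dropped=<N> flows_plimit=<N>
fq_plimit_report() {
    awk '
        # grab(re, strip): first match of re in the line with strip removed
        function grab(re, strip,   s) {
            if (match($0, re)) { s = substr($0, RSTART, RLENGTH); gsub(strip, "", s); return s }
            return "?"
        }
        function emit() {
            if (h != "") printf "%s flow_limit=%s dropped=%s flows_plimit=%s\n", h, fl, d, p
        }
        $1 == "qdisc" {
            emit(); h = ""
            if ($2 == "fq") { h = $3; fl = grab("flow_limit [0-9]+p", "flow_limit |p"); d = "?"; p = "?" }
            next
        }
        h != "" && $1 == "Sent"     { d = grab("dropped [0-9]+", "dropped ") }
        h != "" && /flows_plimit/   { p = grab("[0-9]+ flows_plimit", " flows_plimit") }
        END { emit() }' "$1"
}

# fq_needs_attention: keep only report lines with flows_plimit drops
fq_needs_attention() {
    awk -F'flows_plimit=' '$2 + 0 > 0'
}

# Usage on a live host:
#   tc -s qdisc show > /tmp/qdisc.txt
#   fq_plimit_report /tmp/qdisc.txt | fq_needs_attention
# With a constructed sample containing the qdisc quoted in the article
# (flow_limit 100p, dropped 464545, 464545 flows_plimit) the report line
# reads: 2c6c: flow_limit=100 dropped=464545 flows_plimit=464545
```

For a qdisc that shows up, the article's remedy is to raise the per-flow limit in place, e.g. `tc qdisc change dev <dev> parent 1:2c6c handle 2c6c: fq flow_limit 1000`, and then confirm that flows_plimit stops growing while dropped stays flat.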
FragmentSmack/SegmentSmack. Last blood

Firstly, several months after the vulnerabilities were announced, a fix for FragmentSmack finally appeared in the kernel (let me remind you that the August announcement was accompanied only by a fix for SegmentSmack), which gave us a chance to drop the Workaround that had caused us so much trouble. By then we had already managed to move some servers to the new kernel, and now everything had to start over. Why did we update the kernel without waiting for the FragmentSmack fix? The fact is that the process of protecting against these vulnerabilities coincided (and merged) with the process of updating CentOS itself (which takes even more time than updating just the kernel). Besides, SegmentSmack is the more dangerous vulnerability, and its fix appeared immediately, so it made sense anyway. However, we could not simply update the kernel on CentOS, because the FragmentSmack vulnerability, which was present in CentOS 7.5, was fixed only in version 7.6, so we had to stop the update to 7.5 and start again with the update to 7.6. This happens too.

Secondly, the rare user complaints about problems came back to us. Now we knew for sure that they were all related to uploading files from clients to some of our servers. Moreover, only a very small share of all uploads passed through these servers.

As we remember from the story above, rolling back the Sysctl did not help. Rebooting helped, but only temporarily.
The suspicions about Sysctl were not dismissed, but this time we had to collect as much information as possible. We also sorely lacked the ability to reproduce the upload problem on the client in order to study more precisely what was going on.

Analysis of all available statistics and logs brought us no closer to understanding what was happening. There was an acute lack of any way to reproduce the problem in order to "feel" a specific connection. Finally, the developers, using a special build of the application, managed to achieve stable reproduction of the problem on a test device connected over Wi-Fi. This was a breakthrough in the investigation. The client connected to Nginx, which proxied to the backend, our Java application.

[Figure: test device - Nginx proxy - Java backend]

The problematic dialogue looked like this (captured on the Nginx proxy side):

  1. Client: request for information about uploading a file.
  2. Java server: response.
  3. Client: POST with the file.
  4. Java server: error.

At the same time, the Java server logs that 0 bytes of data were received from the client, and the Nginx proxy logs that the request took more than 30 seconds (30 seconds is the client application's timeout). Why the timeout, and why 0 bytes? From the HTTP point of view everything works as it should, but the POST with the file seems to vanish from the network. Moreover, it vanishes between the client and Nginx. Time to arm ourselves with tcpdump! But first we need to understand the network configuration. The Nginx proxy sits behind an NFware L3 balancer. Tunneling is used to deliver packets from the L3 balancer to the server, which adds its own headers to the packets:

[Figure: packet with tunnel headers added]

On top of that, the network reaches this server as Vlan-tagged traffic, which also adds its own fields to the packets:

[Figure: packet with Vlan tag and tunnel headers]

And this traffic can also be fragmented (that same small share of incoming fragmented traffic we mentioned when assessing the risks of the Workaround), which changes the contents of the headers once more:

[Figure: fragmented packet with Vlan tag and tunnel headers]

Once again: the packets are Vlan-tagged, tunnel-encapsulated and fragmented. To understand better how this happens, let's trace the path of a packet from the client to the Nginx proxy.

  1. The packet arrives at the L3 balancer. For correct routing inside the data center, the packet is encapsulated in a tunnel and sent to the network card.
  2. Since packet + tunnel headers don't fit in the MTU, the packet is cut into fragments and sent to the network.
  3. The switch after the L3 balancer, on receiving a packet, adds a Vlan tag to it and sends it on.
  4. The switch in front of the Nginx proxy sees (from the port settings) that the server expects Vlan-encapsulated packets, so it sends them as they are, without stripping the Vlan tag.
  5. Linux takes the fragments of one packet and glues them back into one large packet.
  6. The packet then reaches the Vlan interface, where the first layer is removed - the Vlan encapsulation.
  7. Linux then passes it to the Tunnel interface, where one more layer is removed - the Tunnel encapsulation.

The difficulty is expressing all this as parameters to tcpdump.
Let's start from the end: are there clean IP packets from the client (without the extra headers), with the Vlan and tunnel encapsulation removed?

tcpdump host <client ip>

No, there were no such packets on the server. So the problem must be earlier. Are there packets with only the Vlan encapsulation removed?

tcpdump ip[32:4]=0xx390x2xx

0xx390x2xx is the client's IP address in hex.
32:4 is the offset and length of the field in which the source IP is stored in the tunneled packet: the outer IPv4 header without options is 20 bytes long, and the source address sits at offset 12 of the inner header, so 20 + 12 = 32 (the inner destination address is at 36).

The field offset had to be found by trial and error, since on the Internet they write about 40, 44, 50, 54, but the IP address was not there (those figures come from encapsulations that put more header bytes in front of the inner IP than plain IPIP does, GRE for example, which adds its own header after the outer IP). You can also look at one of the packets in hex (the -xx or -XX option of tcpdump) and count to the IP address you know.

Are there packet fragments with neither the Vlan nor the Tunnel encapsulation removed?

tcpdump ((ip[6:2] > 0) and (not ip[6] = 64))

This magic shows us all the fragments, including the last one. Probably the same could be filtered by IP as well, but I did not try, since there are not many such packets, and the ones I needed were easily found in the general stream. Here they are:

14:02:58.471063 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 1516: (tos 0x0, ttl 63, id 53652, offset 0, flags [+], proto IPIP (4), length 1500)
    11.11.11.11 > 22.22.22.22: truncated-ip - 20 bytes missing! (tos 0x0, ttl 50, id 57750, offset 0, flags [DF], proto TCP (6), length 1500)
    33.33.33.33.33333 > 44.44.44.44.80: Flags [.], seq 0:1448, ack 1, win 343, options [nop,nop,TS val 11660691 ecr 2998165860], length 1448
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 05dc d194 2000 3f09 d5fb 0a66 387d E.......?....f8}
        0x0020: 1x67 7899 4500 06xx e198 4000 3206 6xx4 [email protected].
        0x0030: b291 x9xx x345 2541 83b9 0050 9740 0x04 .......A...P.@..
        0x0040: 6444 4939 8010 0257 8c3c 0000 0101 080x dDI9...W.......
        0x0050: 00b1 ed93 b2b4 6964 xxd8 ffe1 006a 4578 ......ad.....jEx
        0x0060: 6966 0000 4x4d 002a 0500 0008 0004 0100 if..MM.*........

14:02:58.471103 In 00:de:ff:1a:94:11 ethertype IPv4 (0x0800), length 62: (tos 0x0, ttl 63, id 53652, offset 1480, flags [none], proto IPIP (4), length 40)
    11.11.11.11 > 22.22.22.22: ip-proto-4
        0x0000: 0000 0001 0006 00de fb1a 9441 0000 0800 ...........A....
        0x0010: 4500 0028 d194 00b9 3f04 faf6 2x76 385x E..(....?....f8}
        0x0020: 1x76 6545 xxxx 1x11 2d2c 0c21 8016 8e43 .faE...D-,.!...C
        0x0030: x978 e91d x9b0 d608 0000 0000 0000 7c31 .x............|Q
        0x0040: 881d c4b6 0000 0000 0000 0000 0000 ..............

These are two fragments of one packet (same ID 53652) carrying an image (the word Exif is visible in the first packet). Since packets exist at this level, but not in reassembled form in the dumps, the problem is clearly in reassembly. Finally there is documentary evidence of it!

The packet decoder revealed no problems that would prevent reassembly. I tried this one: hpd.gasmi.net. At first, when you try to stuff something into it, the decoder does not like the packet format. It turned out there were some extra two octets between the source MAC and the EtherType (unrelated to the fragment information). After removing them, the decoder started working. It showed no problems, however. The two octets are explained by the capture itself: the "In" marker and the first 16 bytes of the hex dump (0000 0001 0006 ... 0800) are the Linux "cooked" link-layer header that tcpdump writes when capturing on the any pseudo-interface, and it carries an 8-byte address field where an Ethernet frame has a 6-byte MAC, which a decoder expecting Ethernet reads as two extra octets before the EtherType.
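Two of the steps above, working out the ip[32:4] offset and counting bytes in the hex dump while allowing for the link-layer header, are mechanical enough to script. The following is an added example and not the article's own commands: POSIX shell helpers that turn a dotted client address into the BPF filter for the inner source or destination of an IPIP tunnel, give the textbook all-fragments filter, and locate a known address in a "tcpdump -xx" dump to derive the IP-relative offset. The hex dump in the test is constructed (SLL header, outer IPIP header, inner header), not taken from the capture above.

```shell
#!/bin/sh
# Helpers for pointing tcpdump at traffic that is still wrapped in an
# IPIP tunnel (outer IPv4 header without options: 20 bytes), as on the
# Nginx proxy above before the tunnel interface strips it.

# ip_to_hex 10.1.2.3 -> 0x0a010203
ip_to_hex() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    printf '0x%02x%02x%02x%02x\n' "$1" "$2" "$3" "$4"
}

# ipip_inner_filter src|dst <ip>
# The inner IPv4 header starts at ip[20]; its source address is at +12
# and its destination at +16, hence ip[32:4] and ip[36:4]. Tunnels with
# a longer outer header (GRE adds one after the outer IP) shift these.
ipip_inner_filter() {
    case $1 in
        src) off=32 ;;
        dst) off=36 ;;
        *) echo "usage: ipip_inner_filter src|dst <ip>" >&2; return 2 ;;
    esac
    printf 'ip[%s:4]=%s\n' "$off" "$(ip_to_hex "$2")"
}

# fragment_filter: every IPv4 fragment, first and last included.
# Bytes 6-7 hold flags+offset; the 0x3fff mask keeps MF and the 13-bit
# offset and ignores DF, the textbook form of the filter used above.
fragment_filter() { printf '%s\n' 'ip[6:2] & 0x3fff != 0'; }

# find_ip_offset <hexdump> <ip> [linkhdr_bytes]
# The "look at -xx output and count" step: finds the address in a hex
# dump (whitespace ignored) and prints the IP-relative byte offset to use
# in ip[N:4]. Link header: 14 for Ethernet, 16 for the Linux "cooked"
# (SLL) header that "tcpdump -i any" writes: 2-byte packet type, 2-byte
# hardware type, 2-byte address length, 8-byte address, 2-byte protocol.
find_ip_offset() {
    hex=$(printf '%s' "$1" | tr -d ' \n\t' | tr 'A-F' 'a-f')
    needle=$(ip_to_hex "$2" | cut -c3-) || return 1
    link=${3:-14}
    rest=${hex%%"$needle"*}
    [ "$rest" != "$hex" ] || return 1           # address not present
    [ $(( ${#rest} % 2 )) -eq 0 ] || return 1   # hit straddles a byte boundary
    echo $(( ${#rest} / 2 - link ))
}

# Usage:
#   tcpdump -i any -nn -xx "$(ipip_inner_filter src 203.0.113.5)"
#   tcpdump -i any -nn "$(fragment_filter)"
#   find_ip_offset "$(cat dump.hex)" 203.0.113.5 16   # -> 32 for IPIP
```

The offset helper deliberately takes the link-layer header length as a parameter, because the same dump read as Ethernet (14 bytes) would come out two bytes off, which is the same two octets the online decoder stumbled over.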
Be that as it may, nothing else was found besides those Sysctl. What remained was to find a way to identify the problem servers, in order to understand the scale and decide on further action. The needed counter was found quickly enough:

netstat -s | grep "packet reassembles failed"

It is also available in snmpd under OID=1.3.6.1.2.1.4.31.1.1.16.1 (ipSystemStatsReasmFails).

"The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, etc.)."

Among the group of servers on which the problem was studied, on two this counter grew faster, on two slower, and on two more it did not grow at all. Comparing the dynamics of this counter with the dynamics of HTTP errors on the Java server showed a correlation. That is, the counter can be monitored.
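What such monitoring looks like in practice, as an added example rather than the article's own check: POSIX shell functions that read the same counter from /proc/net/snmp (the Ip: ReasmFails column, which is what netstat -s prints as "packet reassembles failed"), read the fragment-queue memory from the FRAG: line of /proc/net/sockstat, and combine the two into an alert. The 80 % fill threshold is an assumption for the example. Both files are per network namespace, so for a container they have to be read inside its namespace, not on the host. The snapshot files in the test are constructed.

```shell
#!/bin/sh
# Turn the reassembly counters into something a monitor can alert on.
# Sources (per network namespace):
#   /proc/net/snmp     Ip: ReasmFails -> "packet reassembles failed" in netstat -s
#   /proc/net/sockstat FRAG: memory    -> bytes held in fragment queues
#   net.ipv4.ipfrag_high_thresh        -> ceiling for that memory

# snmp_field <group> <column> <snmp-file>
# /proc/net/snmp has a header line and a values line per group; find the
# column by name in the header and print it from the values line.
snmp_field() {
    awk -v grp="$1:" -v name="$2" '
        $1 != grp { next }
        !hdr      { hdr = 1; for (i = 2; i <= NF; i++) if ($i == name) col = i; next }
        col       { print $col; found = 1; exit }
        END       { exit !found }' "$3"
}

# reasm_fail_delta <snmp-before> <snmp-after>: failures between two samples
reasm_fail_delta() {
    b=$(snmp_field Ip ReasmFails "$1") || return 1
    a=$(snmp_field Ip ReasmFails "$2") || return 1
    echo $(( a - b ))
}

# frag_memory <sockstat-file>: bytes currently queued for reassembly
frag_memory() {
    awk '$1 == "FRAG:" { for (i = 2; i < NF; i++) if ($i == "memory") print $(i + 1) }' "$1"
}

# frag_mem_pct <sockstat-file> <ipfrag_high_thresh>: queue fill level in percent
frag_mem_pct() {
    m=$(frag_memory "$1")
    echo $(( ${m:-0} * 100 / $2 ))
}

# reassembly_status <snmp-before> <snmp-after> <sockstat> <ipfrag_high_thresh>
# Prints "ok" or an ALERT line and returns 1 on alert. Counter growth is
# the symptom that correlated with the Java backend's HTTP errors; a
# queue close to ipfrag_high_thresh is the condition that produced it
# once the Workaround had shrunk the threshold. 80 % is an assumed limit.
reassembly_status() {
    delta=$(reasm_fail_delta "$1" "$2") || return 2
    pct=$(frag_mem_pct "$3" "$4")
    msg=""
    if [ "$delta" -gt 0 ]; then msg="reassembly failures +$delta"; fi
    if [ "$pct" -ge 80 ]; then msg="${msg:+$msg, }fragment memory at ${pct}% of ipfrag_high_thresh"; fi
    if [ -n "$msg" ]; then echo "ALERT: $msg"; return 1; fi
    echo ok
}

# Usage on a live host (one-minute window):
#   cp /proc/net/snmp /tmp/snmp.before; sleep 60
#   reassembly_status /tmp/snmp.before /proc/net/snmp /proc/net/sockstat \
#       "$(cat /proc/sys/net/ipv4/ipfrag_high_thresh)"
```

Watching the fill level alongside the failure counter is what distinguishes "a fragment was lost on the wire" (counter grows, memory idle) from the loop described later in the article, where a full queue keeps delaying fragments until they time out.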

Having a reliable indicator of the problem is very important, so that one can determine precisely whether rolling back the Sysctl helps, since from the story above we know that this cannot be understood immediately from the application. This indicator would allow us to find all the problem spots in production before users discover them.
After rolling back the Sysctl, the errors in the monitoring stopped, so the cause of the problems was proven, as well as the fact that the rollback helps.

We rolled back the fragmentation settings on the other servers where the new monitoring fired, and in some places we allocated even more memory for fragments than the previous default (this was UDP statistics, the partial loss of which was not noticeable against the general background).

Main questions

Why are packets fragmented on our L3 balancer? Most of the packets arriving from users at the balancers are SYN and ACK. These packets are small. But since the share of such packets is very large, against their background we did not notice the presence of large packets that started being fragmented.

The cause was a broken advmss configuration script on servers with Vlan interfaces (there were very few servers with tagged traffic in production at the time). Advmss lets us tell the client that packets in our direction should be smaller, so that after the tunnel headers are attached to them they do not have to be fragmented.

Why did rolling back the Sysctl not help, while rebooting did? Rolling back the Sysctl changed the amount of memory available for reassembling packets. At the same time, apparently, the very fact of memory overflow for fragments slowed connections down, which led to fragments being held in the queue for a long time. That is, the process went in circles.
The reboot cleared the memory and everything returned to normal.

Was it possible to do without the Workaround? Yes, but there is a high risk of leaving users without service in the event of an attack. Of course, applying the Workaround caused various problems, including slowing down one of the services for users, but nevertheless we believe the actions were justified.

Many thanks to Andrey Timofeev (atimofeyev) for help with the investigation, and to Alexey Krenev (devicex) for the titanic work of updating CentOS and kernels on the servers. A process which in this case had to be restarted from scratch several times, which is why it dragged on for many months.

Source: www.habr.com
