Consul + iptables = :3

In 2010, Wargaming had 50 servers and a simple network model: backend, frontend and firewall. The number of servers grew, and the model became more complex: staging, VLANs with ACLs, then VPNs with VRFs, VLANs with ACLs on L2, VRFs with ACLs on L3. Is your head spinning? It gets even more fun later.

When there were 16,000 servers, it became impossible to work without tears and a huge number of segments. So we came up with a different solution. We took the Netfilter stack, added Consul to it as a data source, and got a fast distributed firewall. It replaced the ACLs on the routers and serves as both the external and the internal firewall. To manage the tool dynamically, we developed the BEFW system, which is used everywhere: from controlling user access to the production network to isolating network segments from each other.

Ivan Agarkov will tell you how it all works and why you should take a closer look at this system. Ivan is the head of the infrastructure security team of the Maintenance department at the company's Minsk Development Center. He is a SELinux fan, loves Perl, and writes code. As head of the information security team, he constantly works with logs, backups and R&D to protect Wargaming from attackers and to make sure all the company's game servers keep running.

History

Before I tell you how we did it, let me tell you how we got there in the first place and why it was necessary. To do that, let's go back 9 years: 2010, World of Tanks has just appeared. Wargaming had about 50 servers.

[Image: company server growth chart]

We had a network model. For that time, it was optimal.

[Image: network model in 2010]

There are bad guys out front who want to break us, but there is a firewall. There is no firewall at the back, but there are only 50 servers there and we know them all. Everything works fine.

In 4 years the server fleet grew 100 times, to 5,000. The first isolated networks appeared: staging. They were not allowed into production, and things often ran there that could be dangerous.

[Image: network model in 2014]

By inertia we used the same pieces of hardware, and all the work was done on isolated VLANs: ACLs were written for the VLANs, allowing or denying particular kinds of connections.

In 2016 the number of servers reached 8,000. Wargaming absorbed other studios, and additional partner networks appeared. They seem to be ours, but not quite: a VLAN often does not work for partners, you have to use a VPN with VRFs, and isolation becomes more complicated. The mix of ACL-based isolation kept growing.

[Image: network model in 2016]

By early 2018 the machine fleet had grown to 16,000. There were 6 segments, and we did not even count the rest, including the closed ones where financial data was stored. Container networks (Kubernetes), DevOps and cloud networks connected via VPN, for example from IVS, appeared. There were a lot of rules, and it hurt.

[Image: network model and isolation methods in 2018]

For isolation we used: VLANs with ACLs on L2, VRFs with ACLs on L3, VPNs and much more. Too much.

Problems

Everyone has ACLs and VLANs. What is the problem? Harold, hiding the pain, will answer this question.

There were many problems, but five major ones.

  • Geometric growth in the price of new rules. Each new rule took longer to add than the previous one, because first you had to check whether such a rule already existed.
  • No firewall inside segments. Segments were somehow separated from each other, but inside them there were already not enough resources.
  • Rules took a long time to apply. Operators could write one local rule by hand in an hour. A global one took several days.
  • Difficulties auditing the rules. More precisely, it was not possible. The first rules were written back in 2010, and most of their authors no longer worked for the company.
  • Low level of infrastructure control. This was the main problem: we did not know well what was happening in our own environment.

This is what a network engineer looked like in 2018 on hearing: "We need another ACL."

Solutions

In early 2018 we decided to do something about it.

The price of integrations kept growing. The trigger was that the large data centers stopped supporting more VLANs and ACLs because the devices ran out of memory.

Solution: we removed the human factor and fully automated the provisioning of access.

New rules take a long time to apply. Solution: speed up the application of rules, distribute and parallelize it. This requires a distributed system so that the rules deliver themselves, without rsync or SFTP to a thousand systems.

No firewall inside segments. A firewall inside segments became necessary when different services appeared within the same network. Solution: use a firewall at the host level, that is, host-based firewalls. Almost everywhere we have Linux, and everywhere we have iptables, so this is not a problem.

Difficulties auditing the rules. Solution: keep all the rules in one place for review and management, so that we can audit everything.

Low level of infrastructure control. Solution: take an inventory of all services and of the access between them.

This is more a management process than a technical one. Sometimes we have 200-300 new releases a week, especially during promotions and holidays. And that is only for one of our DevOps teams. With that many releases it is impossible to see which ports, IPs and integrations are needed. So we needed specially trained service managers who asked the teams: "What is in there, and why did you release it?"

After everything we launched, a network engineer in 2019 started to look like this.

Consul

We decided to put everything we found with the help of the service managers into Consul, and to write the iptables rules from there.

How did we decide to do it?

  • Collect all services, networks and users.
  • Generate iptables rules from them.
  • Automate synchronization.
  • ....
  • PROFIT.

Consul is not a remote API; it can run on every node and write to iptables. All that remains is to come up with automatic controls that clean up unnecessary things, and most of the problems are solved! We will sort out the rest as we go.

Why Consul?

It has proven itself. In 2014-15 we used it as the backend for Vault, where we store passwords.

It does not lose data. In all the time we have used it, Consul has not lost data in a single incident. That is a huge plus for a firewall management system.

P2P connections speed up the distribution of changes. With P2P all changes arrive quickly; there is no need to wait for hours.

Convenient REST API. We also considered Apache ZooKeeper, but it has no REST API, so you have to bolt on crutches.

Works as a Key Vault (KV) and a Directory (Service Discovery). You can store services, catalogs and data centers at the same time. This is convenient not only for us but also for neighbouring teams, because when we build a global service, we think big.

Written in Go, which is part of the Wargaming stack. We love this language and have many Go developers.

Powerful ACL system. In Consul you can use ACLs to control who writes what. We guarantee that firewall rules will not overlap with anything else, so we will have no problems with this.

But Consul also has its drawbacks.

  • It does not scale within a data center unless you have the business version. It scales only by federation.
  • It depends heavily on network quality and server load. Consul will not work properly as a server on a busy machine if there are any delays in the network, for example uneven speed. This is due to the P2P connections and the update distribution model.
  • Availability is hard to monitor. The Consul status can say that everything is fine when it died long ago.

We solved most of these problems with Consul, which is why we chose it. The company has plans for an alternative backend, but we have learned to deal with the problems and live with Consul for now.

How Consul works

We install three to five servers per data center. One or two servers will not do: they cannot form a quorum and decide who is right and who is wrong when the data diverges. More than five makes no sense; performance drops.

Clients connect to the servers in any order: they are the same agents, only with the flag server = false.

After that, the clients receive a list of P2P connections and build connections among themselves.

At the global level we connect several data centers. They also connect over P2P and communicate.

When we want to get data from another data center, the request goes from server to server. This scheme is called the Serf protocol. The Serf protocol, like Consul, is developed by HashiCorp.

Some important facts about Consul

Consul has documentation describing how it works. I will give only selected facts that are worth knowing.

Consul servers elect a master from among the voters. Consul picks a master from the list of servers in each data center, and all requests go only to it, regardless of the number of servers. A master freezing does not cause a re-election. If no master has been elected, requests are not served by anyone.

Want horizontal scaling? Sorry, no.

A request to another data center goes from master to master, regardless of which server it arrived at. The elected master takes 100% of the load, apart from the load of forwarded requests. All servers in the data center hold a current copy of the data, but only one of them answers.

The only way to scale is to enable stale mode on the client.

In stale mode you can answer without a quorum. This is a mode in which we give up data consistency but read slightly faster than usual, and any server answers. Naturally, writes still go only through the master.

Consul does not replicate data between data centers. When a federation is assembled, each server has only its own data. For everything else it always turns to someone else.

Atomicity of operations is not guaranteed outside a transaction. Keep in mind that you are not the only one who can change things. If you want otherwise, do a transaction with a lock.

Blocking operations do not guarantee a lock. The request goes from master to master, not directly, so there is no guarantee that the lock will take effect when you lock, for example, in another data center.

ACLs also do not guarantee access (in many cases). An ACL may not work because it is stored in a single data center, the ACL data center (Primary DC). If that DC does not answer you, the ACL does not work.

One frozen master freezes the whole federation. For example, there are 10 data centers in the federation, one has a bad network, and one master fails. Everyone who talks to it goes round in circles: there is a request, there is no answer to it, the thread hangs. There is no way to predict when this will happen; in an hour or two the whole federation falls over. There is nothing you can do about it.

Status, quorum and elections are handled by a separate thread. Re-election will not happen, and the status will not show anything. You think you have a live Consul, you ask it, and nothing happens, there is no answer. At the same time, the status shows that everything is fine.

We ran into this problem and had to rebuild certain parts of the data centers to avoid it.

The business version, Consul Enterprise, does not have some of the disadvantages above. It has many useful functions: selecting voters, distribution, scaling. There is just one "but": the licensing scheme for a distributed system is very expensive.

Life hack: rm -rf /var/lib/consul is the cure for all agent diseases. If something is not working for you, just delete your data and download a fresh copy. Most likely, Consul will work.

BEFW

Now let's talk about what we added to Consul.

BEFW is an acronym for BackEndFireWall. I had to call the thing something when I created the repository to put the first test iptables rules in it. The name stuck.

Rule templates

The rules are written in iptables syntax.

  • -N BEFW
  • -P INPUT DROP
  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • -A INPUT -i lo -j ACCEPT
  • -A INPUT -j BEFW

Everything goes into the BEFW chain, except ESTABLISHED, RELATED and localhost. The template can be anything; this is just an example.

How is BEFW useful?

Services

We have a service; it always has a port and the node it runs on. From our node we can ask the local agent and find out that we have some kind of service. You can also set tags.

Any service that is running and registered in Consul turns into an iptables rule. We have SSH, so port 22 is open. The Bash script is simple: curl and iptables, nothing else is needed.

Clients

How do we open access not to everyone, but selectively? Add IP lists to the KV store under the service name.

For example, we want everyone on the 10.x network to be able to reach SSH_TCP_22. Add a small TTL field, and now we have temporary permissions, for example for a day.

Access

We connect services and clients: we have a service, and the KV store is ready for everyone. Now we grant access not to everyone, but selectively.

Groups

If we write out thousands of IPs for every access, we will get tired. Let's come up with groups: a separate subtree in KV. Let's call it Alias (or groups) and store the groups there on the same principle.

Let's connect them: now we can open SSH not point-to-point, but to a whole group or several groups. There is a TTL here too: you can add to a group and remove from a group temporarily.

Integration

Our problem is the human factor and automation. So far we have solved it like this.

We work with Puppet and move everything related to the system (the application code) into it. Puppetdb (a regular PostgreSQL) stores the list of services running there; they can be found by resource type. There you can find out who is being deployed where. We also have pull requests and merge requests for this.

We wrote befw-sync, a simple tool that transfers the data. First it goes to puppetdb, where an HTTP API is available: we ask what we have and what needs to be done. Then it makes requests to Consul.

Is it integrated? Yes: we wrote the rules and let them be accepted through Pull Requests. Need a port, or want to add a host to a group? Pull Request, review, and no more "find 200 other ACLs and try to do something with them."

Optimization

Pinging localhost with an empty chain takes 0.075 ms.

Let's add 10,000 addresses to this chain in iptables. As a result, the ping grows many times over: iptables is strictly linear, and processing each address takes time.

For a firewall into which we migrate thousands of ACLs we have a lot of rules, and this introduces latency. That is bad for game protocols.

But if we put the 10,000 addresses into an ipset, the ping even goes down.

The point is that the "O" (algorithmic complexity) of ipset is always 1, no matter how many entries there are. True, there is a limit: a set cannot hold more than 65535 entries. For now we live with this: you can combine them, extend them, or fold two ipsets into one.

Storage

The logical next iteration is to store the information about a service's clients in an ipset.

Now we have the same SSH, but instead of writing out 100 IPs at once we set the name of the ipset that is allowed to talk to it, followed by a DROP rule. It could be collapsed into a single rule, "whoever is not in here, DROP", but this form is clearer.

Now we have rules and sets. The main task is to create the set before writing the rule, because otherwise iptables will refuse to write the rule.
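As an added example (not BEFW's own code), here is a POSIX shell sketch of the rendering step described above: the KV entries for a service's clients, with an optional expiry and group aliases, become an ipset restore stream, and the service becomes a pair of rules in the BEFW chain behind the rules_allow and rules_deny sets. kv_get is a constructed stand-in for the curl call to the local agent; the key layout and the "cidr expires_at" value format are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for the local Consul agent, roughly
#   curl -s "http://127.0.0.1:8500/v1/kv/befw/$1?raw"
# Key layout and value format ("cidr expires_at"; 0 = no TTL; "@name" = alias) are assumed.
kv_get() {
  case "$1" in
    ipsets/SSH_TCP_22) printf '%s\n' '10.0.0.0/8 0' '172.16.5.9/32 1700000000' '@admins 0' ;;
    alias/admins)      printf '%s\n' '192.168.10.0/24' '192.168.11.7/32' ;;
    *) return 1 ;;
  esac
}

# emit_members SET: print "add SET cidr" for every non-empty line on stdin.
emit_members() {
  while read -r member; do
    [ -n "$member" ] && printf 'add %s %s\n' "$1" "$member"
  done
}

# render_ipset SET NOW: ipset restore stream for one service set.
# The set is created first, because iptables refuses a rule that names a missing set.
# Entries whose expiry has passed are skipped; "@group" entries are expanded from the alias subtree.
render_ipset() {
  set_name=$1 now=$2
  printf 'create %s hash:net\n' "$set_name"
  kv_get "ipsets/$set_name" | while read -r net expires; do
    [ -n "$net" ] || continue
    if [ "${expires:-0}" -ne 0 ] && [ "$expires" -le "$now" ]; then
      continue                      # expired, like a KV entry whose TTL has run out
    fi
    case "$net" in
      @*) kv_get "alias/${net#@}" | emit_members "$set_name" ;;
      *)  printf '%s\n' "$net"     | emit_members "$set_name" ;;
    esac
  done
}

# render_chain SERVICE...: rules for the BEFW chain, one per line, in iptables syntax.
# Service names follow the page's NAME_PROTO_PORT convention (e.g. SSH_TCP_22).
# rules_allow / rules_deny are matched first, so an emergency entry wins over everything;
# each service then gets "accept from its set" followed by an explicit DROP.
render_chain() {
  printf '%s\n' '-A BEFW -m set --match-set rules_allow src -j ACCEPT'
  printf '%s\n' '-A BEFW -m set --match-set rules_deny src -j DROP'
  for svc; do
    port=${svc##*_}
    rest=${svc%_*}
    proto=$(printf '%s' "${rest##*_}" | tr 'A-Z' 'a-z')
    printf '%s\n' "-A BEFW -p $proto --dport $port -m set --match-set $svc src -j ACCEPT"
    printf '%s\n' "-A BEFW -p $proto --dport $port -j DROP"
  done
}

# On a real host (after the -N BEFW template is in place) the streams would be applied as:
#   render_ipset SSH_TCP_22 "$(date +%s)" | ipset restore -exist
#   render_chain SSH_TCP_22 | while read -r rule; do iptables $rule; done
```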

General scheme

As a diagram, everything I have said looks like this.

We commit to Puppet, everything goes to the host, services here, ipsets there, and whoever is not registered there is not let in.

Allow & deny

To save the world quickly, or to cut someone off quickly, we put two ipsets at the beginning of all chains: rules_allow and rules_deny. How does it work?

For example, someone is loading our Web with bots. Previously you had to find their IP in the logs and take it to the network engineers so that they could find the source of the traffic and ban it. It looks different now.

We push it to Consul, wait 2.5 seconds, and it is done. Since Consul distributes quickly over P2P, it works everywhere, in any part of the world.

Once I somehow took down WOT completely because of a firewall mistake. rules_allow is our insurance against such cases. If we have made a mistake somewhere in the firewall and something is blocked somewhere, we can always push a notional 0.0.0.0/0 to open everything back up quickly. Later we fix everything by hand.

Other sets

You can add any other sets in the $IPSETS$ namespace.

What for? Sometimes someone needs an ipset, for example to emulate the shutdown of some part of the cluster. Anyone can bring any sets, name them, and they will be picked up from Consul. At the same time, the sets can either participate in iptables rules or act as a NOOP group: consistency is maintained by the daemon.

Users

Previously it was like this: a user connected to the network and received parameters through the domain. Before next-generation firewalls arrived, Cisco could not work out which user was where and which IP they had. Therefore access was granted only by the machine's hostname.

What did we do? We hooked into the moment the address is handed out. Usually that is dot1x, Wi-Fi or VPN, and all of it goes through RADIUS. For each user we create a group named after the login and put the IP into it with a TTL equal to its dhcp.lease; as soon as it expires, the rule disappears.

Now we can open access to services, like with other groups, by login. We removed the pain of hostnames changing, and took the burden off the network engineers because they no longer need Cisco for this. Now engineers register access to their own servers themselves.

Isolation

At the same time we began dismantling the isolation. The service managers took inventory, and we analysed all our networks. We split them into the same kind of groups, and on the servers that needed it the groups were added to, for example, deny. Now the same staging isolation lives in production's rules_deny, but not in production itself.

The scheme works quickly and simply: we remove all ACLs from the network devices, unload the hardware, and reduce the number of isolated VLANs.

Integrity control

Previously we had a special trigger that reported when someone changed a firewall rule by hand. I was writing a huge linter to check firewall rules, and it was hard. Integrity is now controlled by BEFW. It jealously makes sure that the rules it sets do not change. If someone changes the firewall rules, it changes everything back. "I quickly set up a proxy so I could work from home" is no longer an option.

BEFW controls the ipsets derived from the services and from the list in befw.conf, and the service rules in the BEFW chain. But it does not monitor other chains, other rules or other ipsets.

Crash protection

BEFW always stores the last known good state directly in the state.bin binary structure. If something goes wrong, it always rolls back to this state.bin.

This is insurance against unstable operation of Consul, when it did not deliver data or someone made a mistake and pushed rules that cannot be applied. To make sure we are not left without a firewall, BEFW rolls back to the latest state if an error occurs at any stage.

In critical situations this is a guarantee that we are left with a working firewall. We open all the gray networks in the hope that the admin will come and fix things. Someday I will put this into the configs, but for now we have three gray networks: 10/8, 172/12 and 192.168/16. Within our Consul, this is an important feature that helps us grow further.

Demo: during the talk, Ivan demonstrates BEFW's demo mode. It is more convenient to watch the demo on video. The demo source code is available on GitHub.

Pitfalls

I will tell you about the bugs we ran into.

ipset add set 0.0.0.0/0. What happens if you add 0.0.0.0/0 to an ipset? Will all IPs be added? Will access be open to the whole Internet?

No, we get an error that cost us two hours of downtime. Moreover, the bug has been unfixed since 2016; it sits in the RedHat Bugzilla under number #1297092, and we found it by accident, from a developer's report.

It is now a strict rule in BEFW that 0.0.0.0/0 turns into two addresses: 0.0.0.0/1 and 128.0.0.0/1.

ipset restore set < file. What does ipset do when you tell it restore? Do you think it works the same way as iptables? Will it restore the data?

Nothing of the kind: it merges, the old addresses do not go anywhere, and you do not cut off access.

We found this bug while testing isolation. Now there is a complex scheme there: instead of a plain restore, a create temp is performed, then restore flush temp and restore temp. At the end, swap, for atomicity: if you flush first and a packet arrives at that moment, it is dropped and something goes wrong. So there is a bit of black magic in there.
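The two ipset pitfalls above, as an added POSIX shell example (not BEFW's code): split_net applies the 0.0.0.0/0 rule, and render_swap builds the create temp / flush temp / fill / swap / destroy stream so the live set is never emptied while packets are flowing. The _tmp suffix and the hash:net set type are assumptions.

```shell
#!/bin/sh
# split_net NET: ipset refuses 0.0.0.0/0 (RedHat Bugzilla #1297092), so the page's rule
# is to emit the two /1 halves instead; every other network passes through unchanged.
split_net() {
  case "$1" in
    0.0.0.0/0) printf '%s\n' 0.0.0.0/1 128.0.0.0/1 ;;
    *)         printf '%s\n' "$1" ;;
  esac
}

# render_swap SET: reads the desired members (one CIDR per line) from stdin and emits a
# stream for `ipset restore -exist`. A plain restore only merges into the live set, so stale
# entries would survive; here the live set keeps serving packets while the temporary set is
# filled, and `swap` exchanges the two in one kernel operation. After the swap the _tmp
# name holds the old contents, so destroying it discards them.
render_swap() {
  live=$1 tmp="${1}_tmp"                      # "_tmp" suffix is an assumption
  printf 'create %s hash:net\n' "$live"       # swap needs an existing live set (-exist makes this a no-op)
  printf 'create %s hash:net\n' "$tmp"
  printf 'flush %s\n' "$tmp"                  # flush the temporary set, never the live one
  while read -r net; do
    [ -n "$net" ] || continue
    split_net "$net" | while read -r n; do printf 'add %s %s\n' "$tmp" "$n"; done
  done
  printf 'swap %s %s\n' "$tmp" "$live"
  printf 'destroy %s\n' "$tmp"
}

# On a real host: printf '%s\n' 10.0.0.0/8 0.0.0.0/0 | render_swap rules_allow | ipset restore -exist
```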

consul kv get -datacenter=other. As I said, we think we are requesting data, but we will get either data or an error. We can do this through the local Consul, but in that case both of them hang.

The local Consul client is a wrapper over the HTTP API. But it simply hangs and does not respond to Ctrl+C, or Ctrl+Z, or anything else, only to kill -9 from another console. We ran into this when we were building a large cluster. We do not have a solution yet; we are getting ready to fix this bug in Consul.

The Consul leader does not respond. Our master in the data center does not respond, and we think: "Maybe the re-election algorithm will kick in now?"

No, it will not, and monitoring will show nothing: Consul will say that there is a commit index, a leader has been found, everything is fine.

How do we deal with it? service consul restart in cron every hour. If you have 50 servers, no problem. When there are 16,000 of them, you will understand how it works.

Conclusion

As a result, we got the following benefits:

  • 100% coverage of all Linux machines.
  • Speed.
  • Full automation.
  • We freed the hardware and network engineers from slavery.
  • Almost limitless integration possibilities appeared: with Kubernetes, with Ansible, with Python.

Cons: Consul, which we now have to live with, and the very high cost of a mistake. For example, once at 6 pm (prime time in Russia) I was editing something in the network lists. We were just building isolation on BEFW at the time. I made a mistake somewhere, it seems I specified the wrong mask, and everything fell over in two seconds. Monitoring lit up, and the on-duty engineer came running: "Everything is down!" The head of the department went gray explaining to the business why this had happened.

The cost of a mistake is so high that we came up with our own complex prevention process. If you implement this on a large production site, do not give a Consul token to everyone. It will end badly.

Cost. I wrote the code alone in 400 hours. My team of 4 people spends 10 hours a month supporting everyone. Compared to the price of any next-generation firewall, it is free.

Plans. The long-term plan is to find an alternative transport to replace or complement Consul. Perhaps it will be Kafka or something similar. But in the coming years we will live on Consul.

Immediate plans: integration with Fail2ban, with monitoring, with nftables, possibly with other distributions; metrics, advanced monitoring, optimization. Kubernetes support is also somewhere in the plans, because we now have several clusters and the desire.

More from the plans:

  • detect anomalies in traffic;
  • network map management;
  • Kubernetes support;
  • build packages for all systems;
  • Web UI.

We are constantly working on extending the configuration, adding metrics and optimizing.

Join the project. The project turned out well, but unfortunately it is still a one-man project. Come to GitHub and try to do something: commit, test, suggest something, leave your review.

In the meantime we are preparing for Saint HighLoad++, which will take place on April 6 and 7 in St. Petersburg; submit a talk. Experienced speakers already know what to do, but for those just starting to speak we recommend at least trying. Taking part in the conference as a speaker has many advantages. You can read about them, for example, at the end of this article.

Source: www.habr.com
