When Linux conntrack is no longer your friend


Connection tracking ("conntrack") is a core feature of the Linux kernel's networking stack. It lets the kernel keep track of all logical network connections, or flows, and so identify all the packets that make up each flow so that they can be processed together consistently.

Conntrack is an important kernel feature that underpins several common use cases:

  • NAT relies on conntrack information so that it can treat all packets of the same flow in the same way. For example, when a pod accesses a Kubernetes service, the kube-proxy load balancer uses NAT to direct the traffic to a specific pod inside the cluster. Conntrack records that, for a given connection, all packets to the service IP must be sent to the same pod, and that packets returned by the backend pod must be NATed back to the pod the request came from.
  • Stateful firewalls such as Calico rely on conntrack information to whitelist "response" traffic. This lets you write a network policy that says "allow my pod to connect to any remote IP address" without writing a policy that explicitly allows the response traffic. (Without this, you would have to add the much less secure rule "allow packets to my pod from any IP".)

In addition, conntrack usually improves performance (by reducing CPU usage and packet latency), because only the first packet in a flow has to go through the entire network stack to work out what to do with it. See the post "Comparing kube-proxy modes" for an example of how this works.

However, conntrack has its limits...

So where does it all go wrong?

The conntrack table has a configurable maximum size, and when it fills up, connections usually start to be rejected or dropped. For most applications the table has enough room to handle the traffic, and this will never be a problem. However, there are a few scenarios in which the conntrack table needs some thought:

  • The most obvious case is a server that handles a very large number of simultaneously active connections. For example, if your conntrack table is configured for 128k entries but you have >128k simultaneous connections, you will certainly run into problems!
  • A slightly less obvious case is a server that handles a very large number of connections per second. Even when the connections are short-lived, Linux keeps tracking them for a while (120 s by default). For example, if your conntrack table is configured for 128k entries and you try to handle 1100 connections per second, you will exceed the size of the conntrack table even if the connections are very short-lived (128k / 120s = 1092 connections/s).

Several kinds of applications fall into these categories. In addition, if you face many malicious actors, filling your server's conntrack table with half-open connections can be used as part of a denial-of-service (DoS) attack. In both cases conntrack can become the bottleneck in your system. Sometimes tuning the conntrack table parameters is enough to meet your needs, by increasing its size or reducing the conntrack timeouts (but if you get the tuning wrong, you will run into serious trouble). In other cases you will need to bypass conntrack for the offending traffic.

A real-world example

Here is a concrete example: a large SaaS provider we worked with had several servers running on hosts (not virtual machines) that handled 50K+ short-lived connections per second.

They experimented with the conntrack configuration, increasing the table size and reducing the tracking timeouts, but the configuration was fragile, RAM usage grew significantly, which was a problem (on the order of GBytes!), and the connections were so short-lived that conntrack did not deliver its usual performance benefit (reduced CPU usage or packet latency).

They turned to Calico as an alternative. Calico network policies let you bypass conntrack for certain kinds of traffic (using the doNotTrack policy option). This gave them the level of performance they needed, plus the additional security that Calico provides.

What do you have to accept in order to bypass conntrack?

  • Do-not-track network policy generally has to be symmetric. In the SaaS provider's case, their applications ran inside a protected zone, so with network policy they could whitelist traffic from the other specific applications that were allowed to access memcached.
  • Do-not-track policy does not take the direction of a connection into account. So if a memcached server is compromised, it can attempt to connect to any of the memcached clients, as long as it uses the right port. However, if you have correctly defined network policy for your memcached clients, those connection attempts will still be rejected on the client side.
  • Do-not-track policy is applied to every packet, unlike normal policy, which is applied only to the first packet in a flow. This can increase the CPU cost per packet, since the policy has to be applied to each one. But for short-lived connections this cost is offset by the reduced resources spent on conntrack processing. For example, in the SaaS provider's case the number of packets in each connection was very small, so the extra CPU spent applying policy to every packet was justified.
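
The symmetric, direction-oblivious shape described in the list above, written out as a Calico policy for the server side. This is an added example, not taken from the original article or from the provider's configuration; the policy name, the `role` labels and port 11211 (memcached's default) are assumptions.

```yaml
# Added example: untracked (doNotTrack) Calico policy for the server hosts.
# Assumptions: the policy name, the "role" labels, and memcached listening
# on its default TCP port 11211. Calico applies doNotTrack rules to host
# endpoints, so the selectors must match HostEndpoint labels.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-server-untracked
spec:
  selector: "role == 'memcached-server'"
  # Evaluate these rules before connection tracking; packets they allow
  # create no conntrack entry.
  doNotTrack: true
  # Calico requires applyOnForward whenever doNotTrack is true.
  applyOnForward: true
  ingress:
    # Requests: approved clients -> server port.
    - action: Allow
      protocol: TCP
      source:
        selector: "role == 'memcached-client'"
      destination:
        ports: [11211]
  egress:
    # Replies: without conntrack state there is no "established" shortcut,
    # so return traffic needs its own rule, keyed on the server's source port.
    # This rule cannot tell a reply from a new outbound connection that uses
    # source port 11211, which is why the clients need their own policy.
    - action: Allow
      protocol: TCP
      source:
        ports: [11211]
      destination:
        selector: "role == 'memcached-client'"
```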

Let's put it to the test

We ran the test on a single pod with a memcached server and a number of memcached client pods running on remote nodes, so that we could drive a very large number of connections per second. The server hosting the memcached server pod had 8 cores and 512k entries in its conntrack table (the standard table size configured for the host).
We measured the difference in performance between: no network policy; normal Calico policy; and Calico do-not-track policy.

For the first test we set the number of connections to 4,000 per second so that we could focus on the difference in CPU usage. There was no significant difference between no policy and normal policy, but do-not-track policy reduced CPU usage by 20%.


For the second test we pushed as many connections as our clients could generate and measured the maximum number of connections per second that our memcached server could handle. As expected, the "no policy" and "normal policy" cases both hit the limit at just over 4,000 connections per second (512k / 120s = 4,369 connections/s). With do-not-track policy, our clients sent 60,000 connections per second without any problems. We are confident we could push this number higher by adding more clients, but we feel these numbers are already enough to illustrate the point of this article!


Conclusion

Conntrack is an important kernel feature. It does its job very well. It is often used by key system components. However, in some specific scenarios the overhead of conntrack outweighs the benefits it provides. In those scenarios, Calico network policies can be used to turn off the use of conntrack while increasing network security. For all other traffic, conntrack continues to be your friend!


Source: www.habr.com
