When Linux conntrack is no longer your friend

Connection tracking ("conntrack") is a core feature of the Linux kernel networking stack. It lets the kernel keep track of every logical network connection or flow, and therefore identify all the packets that belong to a given flow so that they can be handled together in a consistent way.

Conntrack is an important kernel feature that several basic scenarios depend on:

  • NAT relies on conntrack information so that it can treat all packets of the same flow identically. For example, when a pod accesses a Kubernetes service, the kube-proxy load balancer uses NAT to direct the traffic to a specific pod within the cluster. Conntrack records that, for a given connection, all packets to the service IP must be sent to the same pod, and that packets returned by the backend pod must be NATed back so that they appear to come from the service IP to the pod that made the request.
  • Stateful firewalls such as Calico rely on conntrack information to whitelist "response" traffic. This lets you write a network policy that says "allow my pod to connect to any remote IP address" without having to write a rule that explicitly allows the response traffic. (Without this, you would have to add the far less secure rule "allow packets to my pod from any IP".)

In addition, conntrack usually improves system performance (lower CPU usage and lower packet latency), because only the first packet of a flow has to traverse the whole network stack to decide what to do with it. See the post "Comparing kube-proxy modes" for an example of how this works.

However, conntrack has its limits...

So where does it go wrong?

The conntrack table has a configurable maximum size, and when it fills up, new connections are typically rejected or their packets dropped. For most applications there is more than enough free space in the table to handle their traffic, and this never becomes a problem. There are, however, a few scenarios in which you need to think about conntrack table usage:

  • The obvious case is a server that handles an extremely large number of simultaneously active connections. For example, if your conntrack table is sized for 128k entries but you have more than 128k concurrent connections, you will certainly run into trouble!
  • The less obvious case is a server that handles an extremely large number of new connections per second. Even when the connections are short-lived, Linux keeps tracking them for some time after they close (120 s by default). For example, if your conntrack table is sized for 128k entries and you try to handle 1,100 connections per second, you will exceed the table size even though each connection is very short-lived (128k / 120 s = 1,092 connections/s).

Several niche types of application fall into these categories. In addition, if you are facing many bad actors, filling your server's conntrack table with large numbers of half-open connections can be used as part of a denial of service (DoS) attack. In all these cases conntrack can become the limiting bottleneck of your system. In some cases, tuning the conntrack table parameters may be enough to meet your needs: increasing the table size or reducing the conntrack timeouts (but get it wrong and you will have a whole new set of problems). In other cases it is better to bypass conntrack for the offending traffic altogether.
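To put numbers on the two cases above, here is an added shell example (not code from the original post) that computes the steady-state connection rate a conntrack table can absorb from its size and the TIME_WAIT timeout, reports how full the table currently is, and counts the kernel's "table full, dropping packet" warnings in log output. The sysctl names under /proc/sys/net/netfilter are the real ones; the dmesg excerpt is constructed for the demo, and the fallback values are the article's 128k entries and 120 s.

```shell
#!/bin/sh
# Added example (not from the original post): size a conntrack table against a
# short-lived-connection workload and spot saturation from kernel log lines.

# Sustainable steady-state rate of short-lived connections: every connection
# occupies one entry for the whole timeout, so rate = entries / timeout.
# Integer division rounds down, which is the safe direction for capacity.
conntrack_sustainable_rate() {
    max_entries=$1
    timeout_s=$2
    echo $(( max_entries / timeout_s ))
}

# Table occupancy in whole percent.
conntrack_fill_percent() {
    count=$1
    max_entries=$2
    echo $(( count * 100 / max_entries ))
}

# Read a netfilter sysctl via /proc when the nf_conntrack module is loaded,
# otherwise fall back to the supplied default so the script runs anywhere.
read_sysctl_or() {
    path="/proc/sys/net/netfilter/$1"
    if [ -r "$path" ]; then cat "$path"; else echo "$2"; fi
}

# Count the kernel's "table full" warnings in log text read from stdin.
# grep -c exits 1 when nothing matches, so `|| true` keeps `set -e` happy.
count_table_full_drops() {
    n=$(grep -c 'nf_conntrack: table full, dropping packet' || true)
    echo "${n:-0}"
}

# Constructed dmesg excerpt (not captured from a real host) used for the demo.
SAMPLE_DMESG='[ 8812.104233] nf_conntrack: nf_conntrack: table full, dropping packet
[ 8812.104301] nf_conntrack: nf_conntrack: table full, dropping packet
[ 8813.000000] eth0: NIC Link is Up 10 Gbps'

# Report for this host, or for the article's 128k / 120 s figures when the
# conntrack sysctls are not present.
max=$(read_sysctl_or nf_conntrack_max 131072)
count=$(read_sysctl_or nf_conntrack_count 0)
tw=$(read_sysctl_or nf_conntrack_tcp_timeout_time_wait 120)
echo "table: $count/$max entries ($(conntrack_fill_percent "$count" "$max")% used)"
echo "TIME_WAIT timeout: ${tw}s -> about $(conntrack_sustainable_rate "$max" "$tw") new conn/s sustainable"
echo "table-full drops in sample log: $(printf '%s\n' "$SAMPLE_DMESG" | count_table_full_drops)"
```

With the defaults this prints about 1,092 conn/s for the 128k table; the 512k table used in the tests later in the post gives 4,369 conn/s. Pipe a real `dmesg` into `count_table_full_drops` to confirm that drops you are seeing come from conntrack rather than from the application.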

A real-world example

Here is a real example: a large SaaS provider we worked with ran a number of memcached servers on bare-metal hosts (not virtual machines), each handling 50K+ short-lived connections per second.

They experimented with the conntrack configuration, increasing the table size and reducing the tracking timeouts, but the configuration was fragile, the extra RAM usage was significant (on the order of GBytes!), and the timeouts had to be so short that conntrack no longer delivered its usual performance benefit (lower CPU usage and packet latency).

They turned to Calico as an alternative. Calico network policy lets you bypass conntrack for selected types of traffic (using the doNotTrack policy option). This gave them the level of performance they needed, together with the additional layer of security that Calico provides.

How far do you have to go to bypass conntrack?

  • Do-not-track network policy must be symmetric. In the SaaS provider's case, their applications ran inside a protected zone, so with network policy they could whitelist traffic from the other specific applications that were allowed to access memcached.
  • Do-not-track policy takes no account of the direction of a connection. So if the memcached server were compromised, it could try to connect to any of the memcached clients, as long as it used the right source port. However, if you have correctly defined network policy for your memcached clients, these connection attempts are still rejected on the client side.
  • Do-not-track policy is applied to every packet, unlike normal policy, which is applied only to the first packet of a flow. This can increase per-packet CPU usage, because the policy has to be evaluated for each packet. For short-lived connections, though, this cost is offset by the resources saved by not doing conntrack processing. In the SaaS provider's case, for example, the number of packets per connection was very small, so the extra CPU spent applying policy per packet was well worth it.
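Putting the three caveats together, here is an added example (not code from the original post or from the Calico project) of what such a policy pair looks like: an untracked GlobalNetworkPolicy for the memcached servers whose ingress and egress rules mirror each other, and an ordinary tracked policy for the clients that only lets them initiate connections. The labels role == 'memcached-server' and role == 'memcached-client', the policy names and the use of memcached's default TCP port 11211 are assumptions; the doNotTrack and applyOnForward fields and calicoctl's apply command are real.

```shell
#!/bin/sh
# Added example (not from the original post or the Calico project): render a
# symmetric do-not-track Calico policy for memcached plus a tracked client
# policy. Labels, policy names and port 11211 are assumptions for the demo.

# Server side. Because untracked rules see every packet and have no notion of
# a "reply", the egress rule is what lets the server's responses leave; it is
# keyed on the SOURCE port, the only thing tying it to the memcached service.
# doNotTrack requires applyOnForward: true.
render_server_policy() {
    server_sel=$1; client_sel=$2; port=$3
    cat <<EOF
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-server-untracked
spec:
  selector: ${server_sel}
  applyOnForward: true
  doNotTrack: true
  ingress:
    - action: Allow
      protocol: TCP
      source:
        selector: ${client_sel}
      destination:
        ports: [${port}]
  egress:
    - action: Allow
      protocol: TCP
      source:
        ports: [${port}]
      destination:
        selector: ${client_sel}
EOF
}

# Client side: a normal, tracked policy. Clients only initiate, so one egress
# rule is enough and conntrack lets the replies back in. Listing Ingress in
# types with no ingress rules means a compromised server dialling back to a
# client (possible, since the server's untracked rules ignore direction) is
# dropped at the client. Add ingress rules here if clients need other inbound.
render_client_policy() {
    client_sel=$1; server_sel=$2; port=$3
    cat <<EOF
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: memcached-client
spec:
  selector: ${client_sel}
  types: [Ingress, Egress]
  egress:
    - action: Allow
      protocol: TCP
      destination:
        selector: ${server_sel}
        ports: [${port}]
EOF
}

# Sanity check for an untracked manifest: it must be marked untracked and
# forward-applied, and the port must appear twice, once as the ingress
# destination and once as the egress source, i.e. both halves of the flow.
check_symmetric_untracked() {
    manifest=$1; port=$2
    printf '%s\n' "$manifest" | grep -q 'doNotTrack: true' || return 1
    printf '%s\n' "$manifest" | grep -q 'applyOnForward: true' || return 1
    n=$(printf '%s\n' "$manifest" | grep -c "ports: \[${port}\]" || true)
    [ "${n:-0}" -eq 2 ]
}

server=$(render_server_policy "role == 'memcached-server'" "role == 'memcached-client'" 11211)
check_symmetric_untracked "$server" 11211 || { echo "server policy is not symmetric" >&2; exit 1; }
printf '%s\n---\n' "$server"
render_client_policy "role == 'memcached-client'" "role == 'memcached-server'" 11211
```

Run it as `sh memcached-policy.sh | calicoctl apply -f -` to install both policies. If you later change the port or add a second service to the untracked policy, `check_symmetric_untracked` catches the common mistake of updating the ingress side and forgetting the matching egress rule, which would silently drop the server's replies.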

Let's run the tests

We ran the test with a single pod hosting a memcached server and many memcached client pods on remote nodes, so that we could drive a very large number of connections per second. The node hosting the memcached server pod had 8 cores and a conntrack table of 512k entries (the host's default configured table size).
We measured the performance difference between three setups: no network policy; normal Calico policy; and Calico do-not-track policy.

For the first test we fixed the connection rate at 4,000 per second so that we could focus on the difference in CPU usage. There was no significant difference between no policy and normal policy, but do-not-track increased CPU usage by about 20%:

In the second test we opened as many connections as our clients could generate and measured the maximum number of connections per second the memcached server could handle. As expected, the "no policy" and "normal policy" cases both hit a ceiling of just over 4,000 connections per second (512k / 120 s = 4,369 connections/s). With the do-not-track policy, our clients pushed 60,000 connections per second without any problems. We are confident we could raise this number further by adding more clients, but we feel these figures are already enough to illustrate the point of this article!

Conclusion

Conntrack is an important kernel feature. It does its job well, and key parts of the system depend on it. However, in certain specific scenarios the contention caused by conntrack outweighs the benefits it normally provides. In those scenarios, Calico network policy can be used to selectively bypass conntrack while at the same time strengthening network security. For all other traffic, conntrack remains your friend!

Source: www.habr.com