Setting up a Nomad cluster using Consul and integrating it with GitLab

Introduction

Recently the popularity of Kubernetes has been growing fast, and more and more projects are adopting it. I wanted to look at an orchestrator such as Nomad: it suits projects that already use other HashiCorp products, for example Vault and Consul, and whose infrastructure is not complicated. This article contains instructions for installing Nomad, joining two nodes into a cluster, and integrating Nomad with GitLab.


Test bench

A few words about the test bench: three virtual servers are used, each with 2 CPU, 4 GB RAM and a 50 GB SSD, connected to a common private network. Their names and IP addresses:

  1. nomad-livelinux-01: 172.30.0.5
  2. nomad-livelinux-02: 172.30.0.10
  3. consul-livelinux-01: 172.30.0.15

Installing Nomad and Consul. Building the Nomad cluster

Let's start with the installation. Although the setup is simple, I will describe it for the sake of completeness: it was put together from drafts and notes so that it can be found quickly when needed.

Before we get to the practical part, we will go over the theory, because at this stage it is important to understand the structure we are building.

We have two Nomad nodes and want to join them into a cluster; in the future we will also want automatic cluster scaling, and for that we need Consul. With this tool, clustering and adding a new node becomes a simple task: the newly created Nomad node connects to the Consul agent and then joins the existing Nomad cluster. So we will first install the Consul server, set up HTTP basic authentication for the web panel (it has no authentication by default and will be reachable on an external address), then the Consul agents themselves on the Nomad servers, and after that we will move on to Nomad.

Installing HashiCorp tools is simple: in essence, we move the binary to the bin directory, write the tool's configuration file, and create its service file.

Download the Consul binary and unpack it into the user's home directory:

root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/

Now we have a ready Consul binary for further configuration.

To work with Consul we need to create a unique key using the keygen command:

root@consul-livelinux-01:~# consul keygen

Let's continue with the Consul configuration, creating the /etc/consul.d/ directory with the following structure:

/etc/consul.d/
├── bootstrap
│   └── config.json

The bootstrap directory will contain the configuration file config.json, in which we put the Consul settings. Its contents:

{
  "bootstrap": true,
  "server": true,
  "datacenter": "dc1",
  "data_dir": "/var/consul",
  "encrypt": "your-key",
  "log_level": "INFO",
  "enable_syslog": true,
  "start_join": ["172.30.0.15"]
}

Let's look at the main directives and their meanings one by one:

  • bootstrap: true. We enable automatic addition of new nodes when they connect. Note that we do not specify the exact number of expected nodes here.
  • server: true. Enables server mode. Consul on this virtual machine will be the only server and leader for now; the Nomad VMs will be the clients.
  • datacenter: dc1. The name of the datacenter used to form the cluster. It must be the same on all clients and servers.
  • encrypt: your-key. The gossip encryption key, which must also be unique and identical on all clients and servers. It is generated with the consul keygen command.
  • start_join. In this list we specify the IP addresses the agent will join. For now we leave only our own address.

At this point we can run consul from the command line:

root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui

This is a good way to debug right now, but for obvious reasons you cannot run it this way all the time. Let's create a service file to manage Consul via systemd:

root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service

Contents of the consul.service file:

[Unit]
Description=Consul Startup process
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui' 
TimeoutStartSec=0
 
[Install]
WantedBy=default.target

Start Consul via systemctl:

root@consul-livelinux-01:~# systemctl start consul

Let's check: our service should be running, and by executing the consul members command we should see our server:

root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux    172.30.0.15:8301  alive   server  1.5.0  2         dc1  <all>

Next step: install Nginx and configure proxying and HTTP authentication. We install nginx via the package manager and in the /etc/nginx/sites-enabled directory create the configuration file consul.conf with the following contents:

upstream consul-auth {
    server localhost:8500;
}

server {
    server_name consul.domain.name;

    location / {
        proxy_pass http://consul-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}

Don't forget to create the .htpasswd file and add a username and password to it. This is required so that the web panel is not accessible to everyone who knows our domain. However, when configuring GitLab we will have to give this up, otherwise we will not be able to deploy our application to Nomad. In my project both GitLab and Nomad are only on the private (grey) network, so this is not a problem here.
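As an added example (not from the article), here is one way to create that file so the password never appears in shell history or in `ps` output and the hash file is not world-readable. It assumes openssl 1.1.1 or newer (for `passwd -6`), nginx on glibc (which accepts `$6$` crypt hashes through crypt(3)), and that the file path and user name are passed as arguments. The second function recomputes the hash with the stored salt, a quick way to confirm that a rotated password actually took effect.

```shell
#!/bin/sh
# Added example, not from the original article: create or update the
# .htpasswd file behind nginx's auth_basic with SHA-512 crypt hashes and
# permissions that keep it away from other local users.
# Assumptions: openssl >= 1.1.1 (for `passwd -6`), nginx on glibc so $6$
# hashes are accepted, file path and user name given as arguments.

# set_htpasswd_user FILE USER   (password on stdin)
# Reads the password from stdin so it never shows up in `ps` or shell
# history, hashes it, and replaces any existing line for USER atomically.
set_htpasswd_user() {
  file=$1 user=$2
  IFS= read -r password || return 1
  [ -n "$password" ] || { echo "empty password refused" >&2; return 1; }
  hash=$(printf '%s\n' "$password" | openssl passwd -6 -stdin) || return 1
  # mktemp creates the file 0600, so the hash is never world-readable,
  # not even for an instant before chmod.
  tmp=$(mktemp "$(dirname "$file")/.htpasswd.XXXXXX") || return 1
  if [ -f "$file" ]; then
    grep -v "^$user:" "$file" > "$tmp" || true   # grep exits 1 when nothing is kept
  fi
  printf '%s:%s\n' "$user" "$hash" >> "$tmp"
  mv "$tmp" "$file" && chmod 640 "$file"
}

# check_htpasswd_user FILE USER   (password on stdin)
# Recomputes the hash with the salt stored in FILE; succeeds only on a match.
# Only understands the $6$ hashes written by the function above.
check_htpasswd_user() {
  file=$1 user=$2
  IFS= read -r password || return 1
  stored=$(grep "^$user:" "$file" | cut -d: -f2)
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(printf '%s\n' "$password" | openssl passwd -6 -salt "$salt" -stdin)" = "$stored" ]
}

# Usage: printf '%s\n' "$PASSWORD" | sh htpasswd.sh /etc/nginx/.htpasswd alice
if [ "$#" -eq 2 ]; then
  set_htpasswd_user "$1" "$2"
fi
```

nginx only needs read access, so the file can stay owned by root with its group set to the group the nginx workers run as; mode 640 is enough.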

On the remaining two servers we install the Consul agents following the instructions below. We repeat the steps with the binary:

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/

By analogy with the previous server, we create the configuration directory /etc/consul.d with the following structure:

/etc/consul.d/
├── client
│   └── config.json

Contents of the config.json file (bind_addr is the local address of this VM and start_join holds the address of the Consul server; JSON allows no comments, so these notes cannot go into the file itself):

{
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01",
    "server": false,
    "encrypt": "your-private-key",
    "domain": "livelinux",
    "addresses": {
      "dns": "127.0.0.1",
      "https": "0.0.0.0",
      "grpc": "127.0.0.1",
      "http": "127.0.0.1"
    },
    "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
    "ports": {
      "dns": 53
    }
}

Save the changes and move on to the service file; its contents:

/etc/systemd/system/consul.service:

[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

We start consul on the server. After startup we should see the configured node in consul members, which means it has successfully joined the cluster as a client. Repeat the same on the second server, and after that we can begin installing and configuring Nomad.
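Both client nodes need a config.json that differs only in node_name and bind_addr while datacenter and the encrypt key stay identical, and a key mistyped on one node keeps that node out of the gossip pool. The following script is an added example, not part of the article: it renders the client configuration for each node of the test bench and rejects a gossip key that does not decode to 16, 24 or 32 bytes (the key sizes Consul accepts). It uses retry_join instead of the article's start_join so that an agent which boots before the server keeps retrying rather than failing once; the inventory, the output directory and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: render one Consul client
# config.json per Nomad node from a small inventory and check the gossip key.
# Assumptions: node names/addresses of the article's test bench, a key made by
# `consul keygen`, and an output directory given on the command line.

# Succeeds only if KEY is base64 for 16, 24 or 32 raw bytes, the gossip key
# sizes Consul accepts; anything else (truncated paste, wrong field) fails.
valid_gossip_key() {
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  case "$n" in
    16|24|32) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print the client configuration for one node.
# $1 node name, $2 the node's own address (bind_addr), $3 Consul server
# address, $4 gossip key, $5 datacenter (defaults to dc1, as in the article).
render_consul_client_config() {
  node=$1 bind=$2 server=$3 key=$4 dc=${5:-dc1}
  valid_gossip_key "$key" || { echo "bad gossip key for $node" >&2; return 1; }
  cat <<EOF
{
  "datacenter": "$dc",
  "data_dir": "/opt/consul",
  "log_level": "INFO",
  "node_name": "$node",
  "server": false,
  "encrypt": "$key",
  "addresses": {
    "http": "127.0.0.1",
    "dns": "127.0.0.1",
    "grpc": "127.0.0.1"
  },
  "bind_addr": "$bind",
  "retry_join": ["$server"],
  "ports": {
    "dns": 53
  }
}
EOF
}

# Constructed inventory: "node_name bind_addr" per line (the article's bench).
NODES="nomad-livelinux-01 172.30.0.5
nomad-livelinux-02 172.30.0.10"
CONSUL_SERVER=172.30.0.15

# Write OUTDIR/<node>/client/config.json for every node in NODES, mode 0600
# because the file carries the gossip key. Returns 1 on the first failure.
write_all_configs() {
  outdir=$1 key=$2
  while read -r node bind; do
    [ -n "$node" ] || continue
    mkdir -p "$outdir/$node/client" || return 1
    render_consul_client_config "$node" "$bind" "$CONSUL_SERVER" "$key" \
      > "$outdir/$node/client/config.json" || return 1
    chmod 600 "$outdir/$node/client/config.json"
  done <<EOF
$NODES
EOF
}

# Usage: sh render-consul-configs.sh <outdir> <gossip-key>
if [ "$#" -eq 2 ]; then
  write_all_configs "$1" "$2"
fi
```

Copy each OUTDIR/&lt;node&gt;/client/config.json to /etc/consul.d/client/config.json on the matching node. The files stay mode 0600 because anyone who can read one can join the gossip layer with that key.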

A more detailed description of installing Nomad is given in its official documentation. There are two traditional installation methods: downloading the binary and building from source. I will choose the first.

Note: the project is developing quickly and new releases come out often. A new version may well be released by the time this article is finished. So before following along, I recommend checking the current version of Nomad and downloading that one.

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d

After unpacking we get a Nomad binary of 65 MB, which must be moved to /usr/local/bin.

Let's create the data directory for Nomad and edit its service file (it may not exist yet):

root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service

Paste the following lines into it:

[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity

[Install]
WantedBy=multi-user.target

However, we are in no hurry to start nomad: we have not yet created its configuration files:

root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl

The final directory structure will look like this:

/etc/nomad.d/
├── nomad.hcl
└── server.hcl

The nomad.hcl file should contain the following settings:

datacenter = "dc1"
data_dir = "/opt/nomad"

Contents of the server.hcl file:

server {
  enabled = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1" 

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}

Don't forget to change the configuration file on the second server: there you will need to change the value of the http directive in the advertise block.

The last thing at this stage is to configure Nginx for proxying and set up HTTP authentication. Contents of the nomad.conf file:

upstream nomad-auth {
    server 172.30.0.5:4646;
}

server {
    server_name nomad.domain.name;

    location / {
        proxy_pass http://nomad-auth;
        proxy_set_header Host $host;
        auth_basic_user_file /etc/nginx/.htpasswd;
        auth_basic "Password-protected Area";
    }
}

Now we can reach the web panel over the external network. Connect and go to the servers page:

Figure 1. List of servers in the Nomad cluster

Both servers are shown in the panel; we will see the same thing in the output of the nomad node status command:

Figure 2. Output of the nomad node status command

What about Consul? Let's have a look. Go to the Consul control panel, to the nodes page:

Figure 3. List of nodes in the Consul cluster

Now we have Nomad working together with Consul. In the final part we come to the most interesting section: setting up the delivery of Docker containers from GitLab to Nomad, and also some of its other distinctive features.

Creating the GitLab Runner

To deploy Docker images to Nomad we will use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of HashiCorp applications: each of them is a single binary). Upload the binary to the runner directory. Let's create a simple Dockerfile for it with the following contents:


FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad

In the same project we create .gitlab-ci.yml:

variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

As a result we will have an image of the Nomad runner in the GitLab Registry; now we can go straight to the project repository, create the pipeline and configure the Nomad job.

Project setup

Let's start with the Nomad job file. My project in this article will be quite primitive: it will consist of a single task. The contents of .gitlab-ci will be as follows:

variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}


deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual

Here the deployment is triggered manually, but you can configure it to run on a change to the project's contents. The pipeline consists of two stages: building the image and deploying it to Nomad. In the first stage we build the Docker image and push it to our Registry, and in the second we launch our job in Nomad. The job file itself:

job "monitoring-status" {
    datacenters = ["dc1"]
    migrate {
        max_parallel = 3
        health_check = "checks"
        min_healthy_time = "15s"
        healthy_deadline = "5m"
    }

    group "zhadan.ltd" {
        count = 1
        update {
            max_parallel      = 1
            min_healthy_time  = "30s"
            healthy_deadline  = "5m"
            progress_deadline = "10m"
            auto_revert       = true
        }
        task "service-monitoring" {
            driver = "docker"

            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
                port_map {
                    http = 8000
                }
            }
            resources {
                network {
                    port "http" {}
                }
            }
        }
    }
}

Note that I have a private Registry, and to pull the Docker image successfully I need to log in to it. The best solution in this case is to put the login and password in Vault and then integrate it with Nomad. Nomad supports Vault natively. But first, let's load the required Nomad policies into Vault itself; they can be downloaded:

# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L

# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl

# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

Now, having created the required policies, we add the Vault integration to the job block in the job.nomad file:

vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token = "token"
}

I use token authentication and specify the token directly here; there is also the option of passing the token as an environment variable when starting the nomad agent:

$ VAULT_TOKEN=<token> nomad agent -config /path/to/config

Now we can use secrets from Vault. The principle is simple: in the Nomad job we create a file that stores the values of the variables, for example:

template {
  data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
  destination = "secrets/service-name.env"
  env = true
}

In this simple way you can set up the delivery of containers to the Nomad cluster and keep working with it afterwards. I will say that to some extent I sympathize with Nomad: it suits small projects better, where Kubernetes would add complexity without using its full potential. Moreover, Nomad is good for beginners: it is easy to install and configure. However, when testing it on some projects I run into problems with its early versions: many basic functions are missing or do not work correctly. Nevertheless, I believe Nomad will continue to develop and will in time gain the functions everyone needs.

Author: Ilya Andreev, edited by Alexey Zhadan and the Live Linux team


Source: www.habr.com
