Fine-tuning routing for MetalLB in L2 mode

Not long ago I was faced with a rather non-trivial task: configuring routing for MetalLB. Everything would be fine, but... usually MetalLB requires no additional actions, whereas in our case we have a fairly large cluster with a very simple network setup.

In this article I will show you how to configure source-based and policy-based routing for the external network of your cluster.

I won't go into detail about installing and configuring MetalLB, since I assume you already have experience with it. I suggest getting straight to the point, namely configuring routing. So we have four cases:

Case 1: When no configuration is required

Let's look at the simple case.


No additional routing configuration is needed when the addresses issued by MetalLB are in the same subnet as your nodes' addresses.

For example, you have the subnet 192.168.1.0/24 with router 192.168.1.1, and your nodes receive the addresses 192.168.1.10-30; then for MetalLB you can configure the range 192.168.1.100-120 and be sure it will work without any additional configuration.

Why is that? Because your nodes already have the routes configured:

# ip route
default via 192.168.1.1 dev eth0 onlink 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10

And addresses from the same range will use them as well, with no further action.

Case 2: When additional configuration is required


You have to configure additional routes whenever your nodes have neither an IP address nor a route configured into the subnet from which MetalLB issues addresses.

Let me explain briefly. Whenever MetalLB issues an address, it can be compared to a simple action like:

ip addr add 10.9.8.7/32 dev lo

Pay attention to:

  • a) The address is assigned with a /32 prefix, that is, no route to its subnet is added automatically (it is just an address)
  • b) The address is attached to some node interface (for example, loopback). It's worth mentioning a feature of the Linux network stack here: no matter which interface you add an address to, the kernel will always process ARP requests for it and send ARP replies on any of them. This behaviour is considered correct and, moreover, is widely used in a dynamic environment like Kubernetes.

This behaviour can be changed, for example by enabling strict ARP:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

In this case, ARP replies are sent only if the interface actually has that IP address. This setting is required if you plan to use MetalLB and your kube-proxy runs in IPVS mode.

However, MetalLB doesn't use the kernel to handle ARP requests, but does it itself in user space, so this option won't affect how MetalLB works.

Let's get back to our task. If the route for the issued addresses is missing on your nodes, add it in advance on all the nodes:

ip route add 10.9.8.0/24 dev eth1

Case 3: When you need source-based routing

You will need to configure source-based routing when you receive packets through a separate gateway, not the one configured by default, so the reply packets must also leave through that same gateway.

For example, you have the same subnet 192.168.1.0/24 dedicated to your nodes, but you want to issue external addresses using MetalLB. Let's say you have a number of addresses from the subnet 1.2.3.0/24 located in VLAN 100 and you want to use them to access Kubernetes services from outside.


When accessing 1.2.3.4, you send requests from a subnet other than 1.2.3.0/24 and wait for a reply. The node that currently owns the MetalLB-issued address 1.2.3.4 will receive the packet from router 1.2.3.1, but the reply must go back the same way, through 1.2.3.1.

Since our node already has the default gateway 192.168.1.1 configured, by default the reply will go to it, and not to 1.2.3.1, from which we received the packet.

How to handle this situation?

In this case, you need to prepare all your nodes so that they are ready to serve the external addresses without further configuration. That is, for the example above, you need to create a VLAN interface on the node in advance:

ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 up

And then add the routes:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Note that we add the routes to a separate routing table, 100; it will contain only the two routes needed to send the reply packet through gateway 1.2.3.1, which sits behind interface eth0.100.

Now we need to add a simple rule:

ip rule add from 1.2.3.0/24 lookup 100

which says explicitly: if the packet's source address is within 1.2.3.0/24, then routing table 100 must be used. In it we have already described the route that will send the packet to 1.2.3.1.

Case 4: When you need policy-based routing

The network topology is the same as in the previous example, but let's say you also want to be able to reach the external address pool 1.2.3.0/24 from your pods:


The peculiarity is that when you access any address within 1.2.3.0/24, the reply packet hits the node and, having a source address in the range 1.2.3.0/24, would obediently be sent out through eth0.100, whereas we want Kubernetes to forward it to our original pod, the one that made the request.

Solving this problem turned out to be tricky, but it became possible thanks to policy-based routing.

To better understand the process, here is a netfilter block diagram:

[Figure: netfilter block diagram]

First, as in the previous example, let's create an additional table:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Now let's add a few rules to iptables:

iptables -t mangle -A PREROUTING -i eth0.100 -j CONNMARK --set-mark 0x100
iptables -t mangle -A PREROUTING  -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

These rules mark connections that enter through interface eth0.100, tagging all their packets with 0x100; reply packets within the same connection receive the same mark.

Now we can add the routing rule:

ip rule add from 1.2.3.0/24 fwmark 0x100 lookup 100

That is, all packets with a source address in 1.2.3.0/24 and the mark 0x100 must be routed using table 100.

Packets received on other interfaces, however, do not fall under this rule, which allows them to be routed using the standard Kubernetes mechanisms.

One more thing: Linux has a so-called reverse path filter, which spoils the whole picture. It performs a simple check: for every incoming packet, it swaps the packet's source and destination addresses and checks whether the packet could leave through the same interface it arrived on; if not, the packet is dropped.

The problem is that in our case it doesn't work correctly, but we can disable it:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0.100/rp_filter

Please note that the first command controls the global behaviour of rp_filter; if it is not disabled, the second command will have no effect. The remaining interfaces, however, will keep rp_filter enabled.

So as not to disable the filter entirely, we can use the rp_filter implementation for netfilter. With rpfilter as an iptables module, you can configure quite flexible rules, for example:

iptables -t raw -A PREROUTING -i eth0.100 -d 1.2.3.0/24 -j RETURN
iptables -t raw -A PREROUTING -i eth0.100 -m rpfilter --invert -j DROP

This enables rp_filter on interface eth0.100 for all destination addresses except 1.2.3.0/24.
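The difference between the case 3 rule and the case 4 rule, and why strict rp_filter breaks case 4, can be checked without a lab. The following Python model is an added example, not code from the article: it simulates the routing policy database (tables main and 100 and the ip rule lines above), the CONNMARK marking and a strict reverse-path check for constructed packets; the pod subnet 10.244.1.0/24 on cni0, the client address 5.6.7.8 and the external host 1.2.3.9 are assumptions.

```python
import ipaddress

# Constructed model of one node after the article's setup (pod route on cni0 is assumed).
TABLES = {
    "main": [("192.168.1.0/24", "eth0", None), ("10.244.1.0/24", "cni0", None),
             ("0.0.0.0/0", "eth0", "192.168.1.1")],
    100: [("1.2.3.0/24", "eth0.100", None), ("0.0.0.0/0", "eth0.100", "1.2.3.1")],
}
RULES_CASE3 = [("1.2.3.0/24", None, 100)]   # ip rule add from 1.2.3.0/24 lookup 100
RULES_CASE4 = [("1.2.3.0/24", 0x100, 100)]  # ip rule add from 1.2.3.0/24 fwmark 0x100 lookup 100
CONNTRACK = {}  # connection -> mark, as the CONNMARK rules keep it

def lookup(table, dst):
    """Longest-prefix match in one table; returns (dev, gateway) or None."""
    ip, best = ipaddress.ip_address(dst), None
    for prefix, dev, gw in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best and best[1:]

def route(rules, src, dst, fwmark=0):
    """Walk the rules in order; a rule whose table has no route is skipped."""
    for from_net, mark, table in rules:
        if ipaddress.ip_address(src) in ipaddress.ip_network(from_net) \
                and (mark is None or mark == fwmark) and (hit := lookup(table, dst)):
            return hit
    return lookup("main", dst)  # the implicit last rule: lookup main

def prerouting(iif, src, dst):
    """mangle PREROUTING: mark on eth0.100, then restore the connection mark."""
    conn = frozenset((src, dst))     # one key for both directions (post-NAT addresses)
    if iif == "eth0.100":
        CONNTRACK[conn] = 0x100      # -i eth0.100 -j CONNMARK --set-mark 0x100
    return CONNTRACK.get(conn, 0)    # -j CONNMARK --restore-mark

def rp_filter_passes(rules, iif, src, dst):
    """Strict rp_filter: the reverse lookup (done with mark 0, as src_valid_mark=0) must exit via iif."""
    hit = route(rules, dst, src, fwmark=0)
    return hit is not None and hit[0] == iif

def demo(rules):
    """Egress of the reply to an external client of 1.2.3.4, and of the reply to a
    pod that queried host 1.2.3.9 (constructed; the host's reply enters on eth0)."""
    CONNTRACK.clear()
    prerouting("eth0.100", "5.6.7.8", "1.2.3.4")                         # client request
    to_client = route(rules, "1.2.3.4", "5.6.7.8", prerouting("cni0", "1.2.3.4", "5.6.7.8"))
    prerouting("cni0", "10.244.1.5", "1.2.3.9")                          # pod request
    to_pod = route(rules, "1.2.3.9", "10.244.1.5", prerouting("eth0", "1.2.3.9", "10.244.1.5"))
    return to_client, to_pod
```

demo(RULES_CASE3) sends the host's reply to the pod out through eth0.100, demo(RULES_CASE4) returns it to cni0, and rp_filter_passes(RULES_CASE4, ...) is False for the client's request because the kernel leaves the fwmark out of the reverse lookup unless the sysctl src_valid_mark is set to 1.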

Source: www.habr.com
