Setting up a Nomad cluster using Consul and integration with Gitlab

Introduction

Recently the popularity of Kubernetes has been growing rapidly: more and more projects are adopting it. I wanted to look at an orchestrator like Nomad: it suits projects that already use other HashiCorp solutions, for example Vault and Consul, as well as projects that are not themselves complex in terms of infrastructure. This material contains instructions for installing Nomad, joining two nodes into a cluster, and integrating Nomad with Gitlab.


Test bench

A few words about the test bench: three virtual servers with 2 CPU, 4 RAM, 50 Gb SSD, joined into a common local network. Their names and IP addresses:

  1. nomad-livelinux-01: 172.30.0.5
  2. nomad-livelinux-02: 172.30.0.10
  3. consul-livelinux-01: 172.30.0.15

Installing Nomad and Consul. Creating a Nomad cluster

Let's start with the basic installation. Although the setup was simple, I'll describe it for the sake of completeness: it was essentially put together from drafts and notes so that it could be looked up quickly when needed.

Before moving on to practice, we'll cover the theoretical part, because at this stage it is important to understand the future structure.

We have two Nomad nodes that we want to join into a cluster, and in the future we'll also need automatic cluster scaling; for this we need Consul. With this tool, clustering and adding new nodes becomes a very simple task: a newly created Nomad node connects to the local Consul agent and through it joins the existing Nomad cluster. So at the start we'll install the Consul server, set up basic http authorization for its web panel (by default it has no authorization and is reachable on the external address), and install Consul agents on the Nomad servers themselves, after which we'll move on to Nomad only.

Installing HashiCorp tools is very simple: essentially we just move the binary into the bin directory, set up the tool's configuration file and create its service file.

Download the Consul binary and unpack it into the user's home directory:

root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/

Now we have the Consul binary ready for further configuration.

To work with Consul we need to create a unique gossip encryption key using the keygen command:

root@consul-livelinux-01:~# consul keygen

Let's move on to the Consul configuration, creating the /etc/consul.d/ directory with the following structure:

/etc/consul.d/
├── bootstrap
│   └── config.json

The bootstrap directory will contain the configuration file config.json, in which we set the Consul options. Its contents:

{
"bootstrap": true,
"server": true,
"datacenter": "dc1",
"data_dir": "/var/consul",
"encrypt": "your-key",
"log_level": "INFO",
"enable_syslog": true,
"start_join": ["172.30.0.15"]
}

Let's look at the main directives and their meanings separately:

  • bootstrap: true. We enable automatic addition of new nodes when they connect. Note that we do not specify the exact number of expected nodes here.
  • server: true. Enables server mode. Consul on this VM will act as the only server for now; the Nomad VMs will be clients.
  • datacenter: dc1. The name of the datacenter for which the cluster is created. It must be identical on both clients and servers.
  • encrypt: your-key. The gossip encryption key, which must also be unique to this cluster and identical on all clients and servers. Generated with the consul keygen command.
  • start_join. The list of IP addresses the agent will connect to on startup. For now we leave only our own address here.

At this point we can start Consul from the command line:

root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui

This is a good way to debug for now; however, you won't be able to use this method permanently, for obvious reasons. Let's create a service file so that Consul is managed by systemd:

root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service

Contents of consul.service:

[Unit]
Description=Consul Startup process
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui' 
TimeoutStartSec=0
 
[Install]
WantedBy=default.target

Start Consul using systemctl:

root@consul-livelinux-01:~# systemctl start consul

Let's check: our service should be running, and by executing the consul members command we should see our server:

root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux    172.30.0.15:8301  alive   server  1.5.0  2         dc1  <all>

Next stage: installing Nginx and setting up proxying and http authorization. We install nginx via the package manager and in the /etc/nginx/sites-enabled directory create the configuration file consul.conf with the following content:

upstream consul-auth {
    server localhost:8500;
}

server {

    server_name consul.doman.name;
    
    location / {
      proxy_pass http://consul-auth;
      proxy_set_header Host $host;
      auth_basic_user_file /etc/nginx/.htpasswd;
      auth_basic "Password-protected Area";
    }
}

Don't forget to create the .htpasswd file and generate a username and password for it. This is needed so that the web panel is not available to anyone who knows our domain. However, when setting up Gitlab we'll have to drop this; otherwise we won't be able to deploy our application to Nomad. In my project both Gitlab and Nomad are on the gray (private) network, so there's no such problem here.

On the two remaining servers we install Consul agents according to the following instructions. We repeat the steps for the binary:

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/

Similarly to the previous server, we create the configuration directory /etc/consul.d with the following structure:

/etc/consul.d/
├── client
│   └── config.json

Contents of config.json; here bind_addr is the local address of the VM itself and start_join is the remote address of the Consul server:

{
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01",
    "server": false,
    "encrypt": "your-private-key",
    "domain": "livelinux",
    "addresses": {
      "dns": "127.0.0.1",
      "https": "0.0.0.0",
      "grpc": "127.0.0.1",
      "http": "127.0.0.1"
    },
    "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
    "ports": {
      "dns": 53
    }
}

Save the changes and move on to the service file, with the following contents:

/etc/systemd/system/consul.service:

[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

Start Consul on the server. After startup we should see the configured node in the output of consul members. This means it has successfully joined the cluster as a client. Repeat the same on the second server, after which we can begin installing and configuring Nomad.

The installation of Nomad is described in detail in its official documentation. There are two traditional installation methods: downloading the binary and building from source. We'll choose the first.

Note: the project is developing quickly and new updates are released frequently. A new version may well be released by the time this article is finished. Therefore, before following along, I recommend checking the current Nomad version and downloading that one.

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d

After unpacking we get a Nomad binary of 65 MB; it must be moved to /usr/local/bin.

Let's create the Nomad data directory and edit its service file (most likely it won't exist at first):

root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service

Paste the following lines into it:

[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity

[Install]
WantedBy=multi-user.target

However, we're in no hurry to start Nomad: we haven't created its configuration files yet:

root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl

The final directory structure will look like this:

/etc/nomad.d/
├── nomad.hcl
└── server.hcl

The nomad.hcl file should contain the following configuration:

datacenter = "dc1"
data_dir = "/opt/nomad"

Contents of server.hcl:

server {
  enabled = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1" 

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}

Don't forget to change the configuration file on the second server: there you need to change the value of the http directive in the advertise block to that server's own address.

The last thing at this stage is to configure Nginx for proxying and http authorization. Contents of nomad.conf:

upstream nomad-auth {
    server 172.30.0.5:4646;
}

server {

    server_name nomad.domain.name;

    location / {
      proxy_pass http://nomad-auth;
      proxy_set_header Host $host;
      auth_basic_user_file /etc/nginx/.htpasswd;
      auth_basic "Password-protected Area";
    }
}

Now we can access the web panel from the external network. Connect and go to the Servers page:

Figure 1. List of servers in the Nomad cluster

Both servers are successfully shown in the panel; we'll see the same thing in the output of the nomad node status command:

Figure 2. Output of the nomad node status command

What about Consul? Let's check. Go to the Consul control panel, the Nodes page:

Figure 3. List of nodes in the Consul cluster

Now we have Nomad ready and working together with Consul. In the final stage we get to the fun part: setting up the delivery of Docker containers from Gitlab to Nomad, and also discussing some of its other distinctive features.

Creating the Gitlab Runner

To deploy docker images to Nomad we'll use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of HashiCorp applications: each of them is just a single binary). Upload it to the runner's directory and create a simple Dockerfile with the following content:

FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad

In the same project we create a .gitlab-ci.yml:

variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name
 

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

As a result we get a Nomad runner image available in the Gitlab Registry; now we can go directly to the project repository, create a pipeline and configure the Nomad job.

Setting up the project

Let's start with the job file for Nomad. My project in this article will be quite primitive: it will consist of a single task. The contents of .gitlab-ci.yml will be as follows:

variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}


deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual

Here the deployment is triggered manually, but you can also configure it to run on changes to the project directory. The pipeline consists of two stages: building the image and deploying it to Nomad. In the first stage we build the docker image and push it to our Registry; in the second we launch our job in Nomad. The job file itself, project.nomad, which the deploy stage renders into job.nomad with envsubst:

job "monitoring-status" {
    datacenters = ["dc1"]
    migrate {
        max_parallel = 3
        health_check = "checks"
        min_healthy_time = "15s"
        healthy_deadline = "5m"
    }

    group "zhadan.ltd" {
        count = 1
        update {
            max_parallel      = 1
            min_healthy_time  = "30s"
            healthy_deadline  = "5m"
            progress_deadline = "10m"
            auto_revert       = true
        }
        task "service-monitoring" {
            driver = "docker"

            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
                port_map {
                    http = 8000
                }
            }
            resources {
                network {
                    port "http" {}
                }
            }
        }
    }
}
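The deploy stage above runs `nomad run` whatever `nomad plan` reported, and its `|| if [ $? -eq 255 ]` guard only singles out errors. Below is an added example, not code from the original article, of a deploy step that branches on all three documented `nomad plan` exit codes and hands the plan's check index to `nomad run -check-index`, so that a job someone else modified between plan and run is rejected rather than silently overwritten. It assumes job.nomad has already been rendered with envsubst and that the nomad binary and NOMAD_ADDR are available, as in the CI job.

```shell
#!/bin/sh
# Added example (not from the article): a deploy step for the pipeline above
# that branches on the three documented exit codes of `nomad plan`
#   0   no allocations would change  -> nothing to submit
#   1   allocations would change     -> submit with the plan's check index
#   255 plan failed                  -> fail the job
# and passes the check index to `nomad run -check-index`, so the run is
# rejected if the job was modified by someone else between plan and run.
# Assumes job.nomad has already been rendered with envsubst and that the
# nomad binary and NOMAD_ADDR are available, as in the CI job.

# Translate a `nomad plan` exit status into an action word.
plan_action() {
  case "$1" in
    0) echo skip ;;
    1) echo run ;;
    *) echo fail ;;
  esac
}

# Pull the check index out of the plan output, which contains a line like
# "nomad job run -check-index 17 job.nomad"; prints nothing if absent.
extract_check_index() {
  sed -n 's/.*-check-index \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Validate, plan and (only when needed) run one job file.
# Returns 0 on success or no-op, 2 on validation/plan failure.
deploy_job() {
  job="$1"
  nomad validate "$job" || return 2
  # Capture the plan text and its exit code without tripping `set -e`.
  if plan_out=$(nomad plan "$job"); then rc=0; else rc=$?; fi
  printf '%s\n' "$plan_out"
  case "$(plan_action "$rc")" in
    skip) echo "plan: no changes for $job, nothing to submit"; return 0 ;;
    fail) echo "plan: failed with exit code $rc" >&2; return 2 ;;
  esac
  idx=$(printf '%s\n' "$plan_out" | extract_check_index)
  if [ -n "$idx" ]; then
    nomad run -check-index "$idx" "$job"
  else
    nomad run "$job"
  fi
}

# Usage: ./deploy.sh job.nomad
if [ -n "${1:-}" ]; then
  deploy_job "$1"
fi
```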

Note that I have a private registry, and to pull the docker image successfully I need to log in to it. The best solution in this case is to put the login and password in Vault and then integrate it with Nomad. Nomad supports Vault natively. But first, let's install the policies Nomad needs in Vault itself; they can be downloaded:

# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L

# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl

# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

Now, having created the necessary policies, we add the Vault integration block to the job.nomad file:

vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token = "token"
}

I use token authorization and register the token directly here; there is also the option of passing the token as an environment variable when starting the Nomad agent:

$ VAULT_TOKEN=<token> nomad agent -config /path/to/config

Now we can use secrets from Vault. The principle is simple: in the Nomad job we declare a template that renders a file with the variable values; with env = true those values are also exported into the task's environment. For example:

template {
  data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
  destination = "secrets/service-name.env"
  env = true
}

In this simple way you can set up container delivery to the Nomad cluster and work with it going forward. I'll admit that to some extent I have a soft spot for Nomad: it is better suited to small projects, where Kubernetes could add unnecessary complexity and would not realize its full potential. Besides, Nomad is great for beginners: it is easy to install and configure. However, when testing it on some projects I run into problems with its early versions: many basic features simply don't exist or don't work correctly. Nevertheless, I believe Nomad will continue to develop and will in time gain the features everyone needs.

Author: Ilya Andreev, edited by Alexey Zhadan and the Live Linux team


Source: www.habr.com
