Ngo-2010 inkampani bekukho iiseva ezingama-50 kunye nemodeli elula yenethiwekhi: i-backend, i-frontend kunye ne-firewall. Inani leeseva lakhula, imodeli yaba nzima ngakumbi: i-staging, i-VLAN eyedwa kunye ne-ACLs, emva koko ii-VPNs ezine-VRFs, ii-VLAN ezine-ACL kwi-L2, ii-VRF ezine-ACL kwi-L3. Intloko iyajikeleza? Kuya kuba mnandi ngakumbi kamva.
Xa bekukho iiseva ezili-16, kwaba nzima ukusebenza ngaphandle kweenyembezi ngamacandelo amaninzi ahlukeneyo. Ngoko size nesinye isisombululo. Sithathe isitaki se-Netfilter, songeza i-Consul kuyo njengomthombo wedatha, kwaye safumana i-firewall esasazwa ngokukhawuleza. Bathatha indawo ye-ACLs kwii-router kwaye bazisebenzise njenge-firewall yangaphandle kunye nengaphakathi. Ukulawula isixhobo esinamandla, saphuhlisa inkqubo ye-BEFW, eyayisetyenziswa kuyo yonke indawo: ukusuka ekulawuleni ukufikelela komsebenzisi kuthungelwano lwemveliso ukuya kukwahlula amacandelo enethiwekhi omnye komnye.
Uya kukuxelela indlela esebenza ngayo yonke into kwaye kutheni ufanele uhlolisise le nkqubo. Ivan Agarkov () yintloko yeqela lokhuseleko lweziseko zophuhliso lwecandelo loLondolozo kwiziko lophuhliso lwenkampani yaseMinsk. U-Ivan ungumlandeli we-SELinux, uyamthanda uPerl, kwaye ubhala ikhowudi. Njengentloko yeqela lokhuseleko lolwazi, uhlala esebenza kunye nezigodo, i-backups kunye ne-R & D ukukhusela i-Wargaming kubaduni kunye nokuqinisekisa ukusebenza kwazo zonke iiseva zomdlalo kwinkampani.
Umlando
Ngaphambi kokuba ndikuxelele ukuba senze njani, ndiza kukuxelela ukuba sifike njani kule ndawo kwasekuqaleni kwaye kutheni ibifuneka. Ukwenza oku, makhe sibuyele emva kwiminyaka eli-9: 2010, iWorld of Tanks ibonakala nje. IWargaming yayineseva ezimalunga nama-50.
Itshathi yokukhula komncedisi wenkampani.
Sasinemodeli yenethiwekhi. Ngeli xesha yayilungile.
Imodeli yenethiwekhi kwi-2010.
Kukho abantu ababi ngaphambili abafuna ukusiqhekeza, kodwa ine-firewall. Akukho firewall kwi-backend, kodwa kukho iiseva ezingama-50 apho, siyabazi bonke. Yonke into isebenza kakuhle.
Kwiminyaka emi-4, i-server ye-server yanda ngamaxesha angama-100, ukuya kwi-5000. Iinethiwekhi zokuqala ezizimeleyo zavela - isiteji: azikwazanga ukuya kwimveliso, kwaye kwakusoloko kukho izinto eziqhuba apho ezinokuba yingozi.
Imodeli yenethiwekhi kwi-2014.
Nge-inertia, sasebenzisa iziqwenga ezifanayo ze-hardware, kwaye wonke umsebenzi wenziwa kwii-VLAN ezizimeleyo: ii-ACL zibhalwa kwiiVLAN, ezivumela okanye zikhanyele uhlobo oluthile loqhagamshelwano.
Kwi-2016, inani leeseva lifikelele kwi-8000 XNUMX. I-Wargaming ithathe ezinye ii-studios, kunye neenethiwekhi ezongezelelweyo ezihambelanayo zavela. Zibonakala ngathi zezethu, kodwa hayi kakhulu: I-VLAN ihlala ingasebenzi kumaqabane, kuya kufuneka usebenzise VPN ngeVRF, ukuzihlukanisa kuba nzima ngakumbi. Umxube we-ACL wokugquma wakhula.
Imodeli yenethiwekhi kwi-2016.
Ekuqaleni kwe-2018, iinqwelo zoomatshini zikhule zibe yi-16 000. Kwakukho amacandelo e-6, kwaye asizange sibale ezinye, kubandakanywa ezivaliweyo apho idatha yemali igcinwe khona. Iinethiwekhi ze-Container (Kubernetes), i-DevOps, iinethiwekhi zefu ezixhunyiwe nge-VPN, umzekelo, ukusuka kwi-IVS, zivele. Kwakukho imithetho emininzi - kwakubuhlungu.
Imodeli yenethiwekhi kunye neendlela zokuzihlukanisa kwi-2018.
Ukuzihlukanisa sisebenzise: I-VLAN ene-ACL kwi-L2, i-VRF ene-ACL kwi-L3, i-VPN kunye nokunye okuninzi. Kaninzi.
Iingxaki
Wonke umntu uhlala kunye ACL kunye VLAN. Yintoni engalunganga? Lo mbuzo uya kuphendulwa nguHarold, efihla intlungu.
Kwakukho iingxaki ezininzi, kodwa zazintlanu ezinkulu.
- Ukunyuka kwexabiso lejometri kwimithetho emitsha. Umgaqo ngamnye omtsha uthatha ixesha elide ukongeza kunomnye wangaphambili, kuba kwakuyimfuneko kuqala ukubona ukuba sele kukho umgaqo onjalo.
- Akukho firewall ngaphakathi kwisegmenti. Amacandelo ngandlela-thile ahlulwe omnye komnye, kwaye kwakungekho zixhobo zaneleyo ngaphakathi.
- Imithetho yayisetyenziswa ixesha elide. Abanini-zithuthi banokubhala umgaqo omnye wasekuhlaleni ngesandla kwiyure. Eyomhlaba yathatha iintsuku ezininzi.
- Ubunzima kunye nemithetho yophicotho. Ngokuchanekileyo, kwakungenakwenzeka. Imithetho yokuqala yabhalwa ngo-2010, kwaye uninzi lwababhali babo abasayisebenzelanga inkampani.
- Umgangatho ophantsi wolawulo lweziseko ezingundoqo. Le yeyona ngxaki iphambili - besingazi kakuhle ukuba kuqhubeka ntoni kwilizwe lethu.
Yile nto injineli yenethiwekhi eyayijongeka ngayo ngo-2018 xa yasivayo: "Ifuna enye i-ACL."
Izisombululo
Ekuqaleni kuka-2018, kwagqitywa ukuba kwenziwe into malunga nayo.
Ixabiso lokudibanisa lihlala likhula. Isiqalo yayikukuba amaziko amakhulu edatha ayeke ukuxhasa ii-VLAN ezizimeleyo kunye nee-ACLs kuba izixhobo zaphelelwa yimemori.
Isixazululo: sisuse into yomntu kwaye ngokuzenzekelayo ukunikezelwa kokufikelela kubuninzi.
Imigaqo emitsha ithatha ixesha elide ukuba isetyenziswe. Isisombululo: ukukhawulezisa ukusetyenziswa kwemithetho, yenza ukuba isasazwe kwaye ihambelane. Oku kufuna inkqubo esasazwayo ukuze imithetho iziswe ngokwazo, ngaphandle kwe-rsync okanye i-SFTP kwiinkqubo eziliwaka.
Akukho firewall ngaphakathi kwisegmenti. I-firewall ngaphakathi kwamacandelo yaqala ukuza kuthi xa iinkonzo ezahlukeneyo zivela ngaphakathi kwenethiwekhi efanayo. Isisombululo: sebenzisa i-firewall kwinqanaba lomkhosi - i-firewall esekelwe kumamkeli. Phantse yonke indawo esinayo iLinux, kwaye yonke indawo sinayo iptables, oku akuyongxaki.
Ubunzima kunye nemithetho yophicotho. Isisombululo: Gcina yonke imithetho kwindawo enye ukuze iphononongwe kunye nolawulo, ukuze sikwazi ukuphicotha yonke into.
Inqanaba eliphantsi lolawulo kwiziseko ezingundoqo. Isisombululo: thatha uluhlu lwazo zonke iinkonzo kunye nokufikelela phakathi kwazo.
Oku kungaphezulu kwenkqubo yolawulo kuneyobugcisa. Ngamanye amaxesha sinokukhutshwa okutsha kwe-200-300 ngeveki, ngakumbi ngexesha lokunyuswa kunye neeholide. Ngaphezu koko, oku kuphela kweqela elinye le-DevOps yethu. Ngokukhutshwa okuninzi, akunakwenzeka ukubona ukuba yeyiphi izibuko, ii-IPs, kunye nodibaniso olufunekayo. Ngoko ke, sasifuna abaphathi benkonzo abaqeqeshwe ngokukhethekileyo ababebuza amaqela oku: “Yintoni ekhoyo yaye kutheni niyizisa nje?”
Emva kwayo yonke into esiyiqalileyo, injineli yenethiwekhi ngo-2019 yaqala ukujongeka ngolu hlobo.
Umthengi
Sagqiba ekubeni siza kubeka yonke into esiyifumeneyo ngoncedo lwabaphathi benkonzo kwi-Consul kwaye ukusuka apho siza kubhala imithetho yeptables.
Sagqiba njani ukwenza oku?
- Siza kuqokelela zonke iinkonzo, uthungelwano kunye nabasebenzisi.
- Masenze imithetho ye-iptables esekwe kuyo.
- Sizenza ulawulo.
- ....
- INZUZO.
I-Consul ayikho i-API ekude, inokuqhuba kuyo yonke i-node kwaye ibhale kwiiptables. Ekuphela kwento eseleyo kukuza nolawulo oluzenzekelayo oluya kucoca izinto ezingeyomfuneko, kwaye uninzi lweengxaki ziya kusonjululwa! Okuseleyo siza kukulungisa njengoko sihamba.
Kutheni uConsul?
Uzibonakalise kakuhle. Ngo-2014-15, sasisebenzisa njenge-backend ye-Vault, apho sigcina khona amagama ayimfihlo.
Ayilahli data. Ngethuba lokusetyenziswa, i-Consul ayizange ilahlekelwe idatha ngexesha lengozi enye. Oku kukudibanisa okukhulu kwenkqubo yokulawula i-firewall.
Unxibelelwano lweP2P lukhawulezisa ukusasazeka kotshintsho. Nge-P2P, lonke utshintsho luza ngokukhawuleza, akukho mfuneko yokulinda iiyure.
Convenient REST API. Sikwathathele ingqalelo i-Apache ZooKeeper, kodwa ayinayo i-REST API, ke kuya kufuneka ufakele iintonga.
Isebenza njengazo zombini iVault engundoqo (KV) kunye noMlawuli (uFundo lweNkonzo). Ungagcina iinkonzo, iikhathalogu, kunye namaziko edatha kanye. Oku kulungele thina kuphela, kodwa namaqela angabamelwane, kuba xa kwakhiwa inkonzo yehlabathi, sicinga ukuba sikhulu.
Ibhalwe kwi-Go, eyinxalenye ye-Wargaming stack. Siyaluthanda olu lwimi, sinabaphuhlisi abaninzi beGo.
Inkqubo ye-ACL enamandla. Kwi-Consul, ungasebenzisa ii-ACLs ukulawula ukuba ngubani obhala ntoni. Siyaqinisekisa ukuba imithetho ye-firewall ayiyi kudibana nayo nayiphi na enye into kwaye asiyi kuba neengxaki ngale nto.
Kodwa i-Consul nayo ineentsilelo zayo.
- Ayinyuki kwiziko ledatha ngaphandle kokuba unenguqulelo yeshishini. Inokwandiswa kuphela yi-federation.
- Kuxhomekeke kakhulu kumgangatho wothungelwano kunye nomthwalo weseva. I-Consul ayiyi kusebenza ngokufanelekileyo njengomncedisi kumncedisi oxakekileyo ukuba kukho nayiphi na i-lags kwinethiwekhi, umzekelo, isantya esingalinganiyo. Oku kungenxa yoqhagamshelo lweP2P kunye nohlaziyo lweemodeli zokusasaza.
- Ubukho beengxaki zokubeka iliso. Kwimeko ye-Consul unokuthi yonke into ilungile, kodwa wafa kudala.
Sizisombulule uninzi lwezi ngxaki ngelixa sisebenzisa i-Consul, yiyo loo nto siyikhethileyo. Inkampani inezicwangciso zendlela engenye, kodwa siye safunda ukujongana neengxaki kwaye ngoku sihlala no-Consul.
Usebenza njani u-Consul
Siza kufaka iiseva ezintathu ukuya kwezintlanu kwiziko ledatha enemiqathango. Iseva enye okanye ezimbini aziyi kusebenza: abayi kukwazi ukuququzelela ikhoram kwaye bagqibe ukuba ngubani ochanekileyo kwaye ngubani ongalunganga xa idatha ingahambelani. Ngaphezu kwesihlanu akukho ngqiqo, imveliso iya kuhla.
Abaxhasi baqhagamshela kwiiseva nangayiphi na indlela: ii-arhente ezifanayo, kuphela ngeflegi server = false.
Emva koku, abathengi bafumana uluhlu loqhagamshelo lweP2P kunye nokwakha unxibelelwano phakathi kwabo.
Kwinqanaba lehlabathi, sidibanisa amaziko amaninzi edatha. Bakwadibanisa i-P2P kunye nokunxibelelana.
Xa sifuna ukubuyisela idatha ukusuka kwelinye iziko ledatha, isicelo sisuka kwiseva ukuya kwiseva. Olu cwangciso lubizwa ngokuba Iprotocol yeSerf. Iprotocol yeSerf, njengoConsul, iphuhliswa nguHashiCorp.
Ezinye iinyani ezibalulekileyo malunga noConsul
Umthunywa unamaxwebhu achaza indlela esebenza ngayo. Ndiza kunika iinyani ezikhethiweyo kuphela ezifanele ukuzazi.
Abancedisi bakhetha inkosi phakathi kwabavoti. I-Consul ikhetha inkosi kuluhlu lweeseva kwiziko ngalinye ledatha, kwaye zonke izicelo ziya kuyo kuphela, kungakhathaliseki ukuba inani lamaseva. Ukukhenkceza okukhulu akukhokelela kunyulo kwakhona. Ukuba inkosi ayikhethwanga, izicelo azinikwa mntu.
Ubufuna ukukala okuthe tye? Uxolo, hayi.
Isicelo kwelinye iziko ledatha sisuka kwinkosi ukuya kwinkosi, kungakhathaliseki ukuba yeyiphi iseva esifike kuyo. Inkosi ekhethiweyo ifumana i-100% yomthwalo, ngaphandle komthwalo kwizicelo eziya phambili. Zonke iiseva kwiziko ledatha zinekopi yangoku yedatha, kodwa inye kuphela ephendulayo.
Ekuphela kwendlela yokukala kukuvumela imo yakudala kumxhasi.
Kwimo yakudala, ungaphendula ngaphandle kwekhoram. Le yindlela esiyeka ngayo ukungaguquguquki kwedatha, kodwa sifunde ngokukhawuleza kunesiqhelo, kwaye nayiphi na iseva iyaphendula. Ngokwemvelo, ukurekhoda kuphela ngenkosi.
I-Consul ayikopi idatha phakathi kwamaziko edatha. Xa umanyano ludityanisiwe, umncedisi ngamnye uya kuba nedatha yakhe kuphela. Kwabanye, uhlala ephethukela komnye umntu.
Iatomicity yemisebenzi ayiqinisekiswanga ngaphandle kwentengiselwano. Khumbula ukuba ayinguwe wedwa onokutshintsha izinto. Ukuba ufuna ngokuhlukileyo, yenza intengiselwano ngesitshixo.
Ukuvala imisebenzi akuqinisekisi ukutshixa. Isicelo sisuka kwinkosi ukuya kwinkosi, kwaye kungekhona ngokuthe ngqo, ngoko akukho siqinisekiso sokuba ukuvinjelwa kuya kusebenza xa uvimba, umzekelo, kwelinye iziko ledatha.
I-ACL nayo ayikuqinisekisi ukufikelela (kwiimeko ezininzi). I-ACL ayinakusebenza ngenxa yokuba igcinwe kwiziko ledatha enye yentlangano - kwiziko ledatha le-ACL (Primary DC). Ukuba i-DC ayikuphenduli, i-ACL ayiyi kusebenza.
Inkosi enye enomkhenkce iya kubangela ukuba wonke umanyano lube ngumkhenkce. Ngokomzekelo, kukho amaziko eenkcukacha ze-10 kwi-federation, kwaye enye inenethiwekhi embi, kwaye enye inkosi iyasilela. Wonke umntu onxibelelana naye uya kukhenkceza kwisangqa: kukho isicelo, akukho mpendulo kuyo, intambo iqhwa. Akukho ndlela yokwazi ukuba oku kuya kwenzeka nini, kwiyure nje enye okanye ezimbini yonke imanyano iya kuwa. Akukho nto unokuyenza ngayo.
Ubume, ikhoram kunye nonyulo zisingathwa ngomsonto owahlukileyo. Ukunyulwa kwakhona akuyi kwenzeka, isimo asiyi kubonisa nto. Ucinga ukuba une-Consul ephilayo, uyabuza, kwaye akukho nto eyenzekayo - akukho mpendulo. Ngelo xesha, isimo sibonisa ukuba yonke into ilungile.
Siye sadibana nale ngxaki kwaye kuye kwafuneka ukuba sakhe ngokutsha iindawo ezithile zamaziko edatha ukuyinqanda.
Inguqulelo yeshishini ye-Consul Enterprise ayinazo ezinye zezingalunganga zingentla. Inemisebenzi emininzi eluncedo: ukukhetha abavoti, ukuhanjiswa, ukukala. Inye kuphela "kodwa" - inkqubo yelayisensi yenkqubo esasazwayo ibiza kakhulu.
Ukuqhawula ubomi: rm -rf /var/lib/consul - ukunyanga zonke izifo ze-arhente. Ukuba kukho into engasebenzi kuwe, cima nje idatha yakho kwaye ukhuphele idatha kwikopi. Ngokunokwenzeka, u-Consul uya kusebenza.
BEFW
Ngoku makhe sithethe malunga noko songeze kuConsul.
sisishunqulelo se BackEndFingqumboWzonke. Kwafuneka ndibize imveliso ngandlela thile xa ndidala indawo yokugcina ukuze ndibeke uvavanyo lokuqala oluzibophelela kuyo. Eli gama lihleli.
Iitemplates zomthetho
Imigaqo ibhalwe kwi-iptables syntax.
- -N BEFW
- -P INPUT DROP
- -IGALELO -m urhulumente—ilizwe ELUXHUMENE, LUSEKWEYO -j YAMKELA
- -IGALELO -i lo -j YAMKELA
- -IGALELO -j BEFW
Yonke into ingena kwi-BEFW chain, ngaphandle ESTABLISHED, RELATED kunye ne-localhost. Ithemplate ingaba nantoni na, lo ngumzekelo nje.
Iluncedo njani iBEFW?
Iinkonzo
Sinenkonzo, ihlala ine-port, i-node ehamba kuyo. Ukusuka kwindawo yethu, sinokubuza kwi-arhente kwaye sifumanise ukuba sinohlobo oluthile lwenkonzo. Ungakwazi nokubeka iithegi.
Nayiphi na inkonzo esebenzayo kwaye ibhaliswe ku-Consul ijika ibe ngumgaqo we-iptables. Sine-SSH - i-port evulekile 22. Iskripthi se-Bash silula: i-curl kunye ne-iptables, akukho nto enye efunekayo.
Abaxhasi
Indlela yokuvula ukufikelela kungekhona kumntu wonke, kodwa ngokukhetha? Yongeza uluhlu lwe-IP kugcino lwe-KV ngegama lenkonzo.
Umzekelo, sifuna wonke umntu okwinethiwekhi yeshumi akwazi ukufikelela kwinkonzo ye-SSH_TCP_22. Yongeza intsimi enye encinci ye-TTL? kwaye ngoku sineemvume zethutyana, umzekelo, usuku.
Ufikelelo
Sidibanisa iinkonzo kunye nabathengi: sinenkonzo, ukugcinwa kwe-KV kukulungele ngamnye. Ngoku sinikeza ukufikelela kungekhona kumntu wonke, kodwa ngokukhetha.
Amaqela
Ukuba sibhala amawaka e-IPs ukufikelela rhoqo ngexesha, siya kukhathala. Makhe size namaqela - iseti engaphantsi eyahlukileyo kwi-KV. Masiyibize ngo-Alias (okanye amaqela) kwaye sigcine amaqela apho ngokomgaqo ofanayo.
Masiqhagamshele: ngoku sinokuvula i-SSH hayi ngokukodwa i-P2P, kodwa yeqela lonke okanye amaqela amaninzi. Ngendlela efanayo, kukho i-TTL - unokongeza kwiqela kwaye ususe kwiqela okwethutyana.
Ukudityaniswa
Ingxaki yethu yinto yomntu kunye ne-automation. Ukuza kuthi ga ngoku siyisombulule ngolu hlobo.
Sisebenza kunye nePuppet, kwaye sidlulisela yonke into enxulumene nenkqubo (ikhowudi yesicelo) kubo. I-Puppetdb (i-PostgreSQL eqhelekileyo) igcina uluhlu lweenkonzo ezisebenza apho, zinokufunyanwa ngohlobo lomthombo. Apho unokufumanisa ukuba ngubani ofaka isicelo apho. Sikwanaso nesicelo sokutsalwa kunye nokudibanisa inkqubo yesicelo koku.
Sabhala i-befw-sync, isisombululo esilula esinceda ukudlulisa idatha. Okokuqala, i-sync cookies ifikelelwa yi-puppetdb. I-HTTP API iqwalaselwe apho: sicela ukuba zeziphi iinkonzo esinazo, yintoni ekufuneka yenziwe. Emva koko benza isicelo ku-Consul.
Ngaba kukho ukudibanisa? Ewe: bayibhalile irules bavumela iiPull Requests zamkelwe. Ngaba ufuna izibuko elithile okanye ukongeza umamkeli kwiqela elithile? Tsala isicelo, uphonononge- akusekho “Fumana ezinye ii-ACL ezingama-200 kwaye uzame ukwenza okuthile ngazo.”
Ukucwangcisa
I-pinging host host ngekhonkco lomgaqo elingenanto ithatha i-0,075 ms.
Masidibanise iidilesi ze-iptable ezili-10 kolu luhlu. Ngenxa yoko, i-ping iya kwandisa amaxesha e-000: iptables ihambelana ngokupheleleyo, ukucubungula idilesi nganye kuthatha ixesha elithile.
Kwi-firewall apho sifudukela amawaka e-ACLs, sinemithetho emininzi, kwaye oku kwazisa ukubambezeleka. Oku kubi kwiiprothokholi zokudlala.
Kodwa ukuba sibeka 10 iidilesi kwi-IPset I-ping iya kuncipha.
Ingongoma kukuba "O" (ubunzima be-algorithm) ye-ipset ihlala ilingana no-1, kungakhathaliseki ukuba mingaphi imigaqo. Enyanisweni, kukho umda - akukho mithetho engaphezulu kwe-65535. Okwangoku siphila nale nto: unokuzihlanganisa, ukwandise, wenze iipset ezimbini kwelinye.
Ukugcina
Ukuqhubela phambili okunengqiqo kwenkqubo yokuphindaphinda kukugcina ulwazi malunga nabaxhasi benkonzo kwi-ipset.
Ngoku sine-SSH efanayo, kwaye asibhali ii-IP ezili-100 kanye, kodwa sibeka igama le-ipset esifuna ukunxibelelana ngayo, kunye nomgaqo olandelayo. DROP. Inokuguqulwa ibe ngumgaqo omnye "Ngubani ongekho apha, DROP", kodwa icace ngakumbi.
Ngoku sinemigaqo kunye neeseti. Umsebenzi oyintloko kukwenza isethi ngaphambi kokubhala umgaqo, kuba ngaphandle koko iiptables aziyi kubhala umgaqo.
Isikimu ngokubanzi
Ngohlobo lomzobo, yonke into endiyithethileyo ibonakala ngolu hlobo.
Siyazibophelela kwiPuppet, yonke into ithunyelwa kumamkeli, iinkonzo apha, ipset apho, kwaye nabani na ongabhaliswanga apho akavumelekanga.
Vumela kwaye ukhanye
Ukusindisa umhlaba ngokukhawuleza okanye ukukhubaza umntu ngokukhawuleza, ekuqaleni kwawo onke amatyathanga senze iipset ezimbini: rules_allow и rules_deny. Ingaba isebenza kanjani?
Umzekelo, umntu wenza umthwalo kwiWebhu yethu nge-bots. Ngaphambili, kufuneka ufumane i-IP yakhe kwiilogi, uyithathe kwiinjineli zenethiwekhi, ukuze bafumane umthombo wetrafikhi kwaye bamvimbe. Kubonakala ngokwahlukileyo ngoku.
Siyithumela ku-Consul, linda imizuzwana ye-2,5, kwaye yenziwe. Ekubeni u-Consul usasaza ngokukhawuleza nge-P2P, isebenza kuyo yonke indawo, kuyo nayiphi na indawo yehlabathi.
Kanye ngandlel 'ithile ndiyeke ngokupheleleyo i-WOT ngenxa yempazamo nge-firewall. rules_allow - le yi-inshurensi yethu malunga namatyala anjalo. Ukuba senze impazamo kwindawo ethile nge-firewall, kukho into evaliweyo kwindawo ethile, sinokuhlala sithumela imiqathango 0.0/0ukucofa yonke into ngokukhawuleza. Kamva siza kulungisa yonke into ngesandla.
Ezinye iiseti
Unokongeza naziphi na ezinye iiseti esithubeni $IPSETS$.
Yantoni? Ngamanye amaxesha umntu ufuna ipset, umzekelo, ukulinganisa ukuvalwa kwenxalenye yeqela. Nabani na unokuzisa naziphi na iiseti, azibize, kwaye ziya kuthathwa ku-Consul. Ngexesha elifanayo, iisethi zinokuthi zithathe inxaxheba kwimithetho ye-iptables okanye zisebenze njengeqela NOOP: Ukuhambelana kuya kugcinwa yidaemon.
Abasebenzisi
Ngaphambili, kwakunje: umsebenzisi uqhagamshelwe kwinethiwekhi kwaye wafumana iiparamitha nge-domain. Ngaphambi kokufika kwee-firewall zesizukulwana esitsha, uCisco wayengazi ukuba aqonde njani apho umsebenzisi wayekhona kwaye apho i-IP yayikhona. Ke ngoko, ukufikelela kwavunywa kuphela ngegama lomamkeli womatshini.
Senze ntoni? Siye saxinga ngelo xesha sifumana idilesi. Ngokuqhelekileyo le yi-dot1x, i-Wi-Fi okanye i-VPN - yonke into ihamba nge-RADIUS. Kumsebenzisi ngamnye, senza iqela ngegama lomsebenzisi kwaye sibeke i-IP kuyo kunye ne-TTL elingana ne-dhcp.lease yayo - ngokukhawuleza ukuba iphelelwe, umgaqo uya kunyamalala.
Ngoku sinokuvula ukufikelela kwiinkonzo, njengamanye amaqela, ngegama lomsebenzisi. Siyisusile intlungu kumagama abamkeli xa betshintsha, kwaye siwukhuphele umthwalo kwiinjineli zenethiwekhi kuba azisayifuni iCisco. Ngoku iinjineli ngokwazo zibhalisa ukufikelela kwiiseva zazo.
Ukufakwa
Kwangaxeshanye, saqalisa ukuqhawula i-insulation. Abaphathi benkonzo bathatha uluhlu, kwaye sahlalutya zonke iinethiwekhi zethu. Masibahlule kumaqela afanayo, kwaye kwiiseva eziyimfuneko amaqela ongezwa, umzekelo, ukukhanyela. Ngoku ukwahlukaniswa kweqonga okufanayo kuphelela kwimithetho_ukuphika imveliso, kodwa hayi kwimveliso ngokwayo.
Iskimu sisebenza ngokukhawuleza kwaye ngokulula: sisusa zonke ii-ACLs kwiiseva, sikhuphe i-hardware, kwaye sinciphise inani le-VLAN ezizimeleyo.
Ukulawula ingqibelelo
Ngaphambili, besine-trigger ekhethekileyo echaza xa umntu etshintsha umthetho we-firewall ngesandla. Ndandibhala i-linter enkulu yokujonga imithetho ye-firewall, kwakunzima. Ingqibelelo ngoku ilawulwa yiBEFW. Ngenzondelelo uyaqinisekisa ukuba imithetho ayimiselayo ayitshintshi. Ukuba umntu utshintsha imithetho ye-firewall, iya kutshintsha yonke into. “Ndikhawuleze ndaseta i-proxy ukuze ndisebenze ndisekhaya”—azisekho iindlela ezinjalo.
I-BEFW ilawula i-ipset kwiinkonzo kunye noluhlu kwi-befw.conf, imithetho yeenkonzo kwi-BEFW chain. Kodwa ayijongi amanye amatyathanga kunye nemithetho kunye nezinye iipsets.
Ukhuseleko kwingozi
I-BEFW ihlala igcina imo yokugqibela eyaziwayo elungileyo ngokuthe ngqo kwi-state.bin binary structure. Ukuba kukho into engahambi kakuhle, isoloko iqengqeleka emva kule state.bin.
Le yi-inshurensi ngokuchasene nokusebenza kwe-Consul engazinzanga, xa ingazange ithumele idatha okanye umntu enze impazamo kwaye asebenzise imigaqo engenakusetyenziswa. Ukuqinisekisa ukuba asishiywanga ngaphandle komlilo, i-BEFW iya kuphinda ibuyele kwimeko yamva nje ukuba kukho impazamo nakweliphi na inqanaba.
Kwiimeko ezinzima, esi sisiqinisekiso sokuba siya kushiywa nge-firewall esebenzayo. Sivula zonke iinetwork ezingwevu ngethemba lokuba u admin uzofika ayilungise. Ngenye imini ndiza kubeka oku kuqwalaselo, kodwa ngoku sineenethiwekhi ezintathu ezingwevu: 10/8, 172/12 kunye ne-192.168/16. Kwi-Consul yethu, eli liphawu elibalulekileyo elisinceda ukuba siphuhlise ngakumbi.
Idemo: ngexesha lengxelo, u-Ivan ubonisa imo yedemo ye-BEFW. Kulula ukubukela umboniso . Ikhowudi yedemo yomthombo iyafumaneka .
ngenye into
Ndiza kukuxelela ngezinambuzane esiye sadibana nazo.
ipset yongeza iseti 0.0.0.0/0. Kwenzeka ntoni xa udibanisa 0.0.0.0/0 kwi ipset? Ngaba zonke ii-IPs ziya kongezwa? Ngaba i-Intanethi iya kufumaneka?
Hayi, siza kufumana ibug esixabisa iiyure ezimbini zexesha lokuphumla. Ngaphezu koko, i-bug ayizange isebenze ukususela ngo-2016, ifumaneka kwi-RedHat Bugzilla phantsi kwenombolo #1297092, kwaye siyifumene ngengozi-kwingxelo yomphuhlisi.
Ngoku ngumgaqo ongqongqo kwi-BEFW lowo 0.0.0.0/0 ijika ibe ziidilesi ezimbini: 0.0.0.0/1 и 128.0.0.0/1.
ipset buyisela iseti < ifayile. Ipset yenza ntoni xa uyixelela restore? Ngaba ucinga ukuba isebenza ngokufanayo neeptables? Ngaba iya kubuyisela idatha?
Akukho nto injalo-iyadibanisa, kwaye iidilesi ezindala aziyi ndawo, awuthinteli ukufikelela.
Sifumene ibug xa sivavanya ukubekwa wedwa. Ngoku kukho inkqubo entsonkothileyo - endaweni yokuba restore ibanjiwe create tempngoko restore flush temp и restore temp. Ekupheleni kokutshintshana: ngenxa ye-atomiki, kuba ukuba uyenza kuqala flush kwaye ngalo mzuzu kufika ipakethi ethile, iya kulahlwa kwaye kukho into engahambi kakuhle. Ke kukho umlingo omnyama apho.
consul kv fumana -datacenter=enye. Njengoko benditshilo, sicinga ukuba sicela idatha ethile, kodwa siya kufumana idatha okanye impazamo. Singakwenza oku nge-Consul ekuhlaleni, kodwa kule meko zombini ziya kuba ngumkhenkce.
Umxhasi we-Consul wasekhaya ngumsongelo phezu kwe-HTTP API. Kodwa ijinga nje kwaye ayiphenduli ku-Ctrl+C, okanye Ctrl+Z, okanye nantoni na, kuphela kill -9 kwi-console elandelayo. Sadibana noku xa sasisakha iqela elikhulu. Kodwa okwangoku asinaso isisombululo; silungiselela ukulungisa le mpazamo ku-Consul.
Inkokeli ye-Consul ayiphenduli. Inkosi yethu kwiziko ledatha ayiphenduli, sicinga ukuba: "Mhlawumbi i-algorithm yokukhetha kwakhona iya kusebenza ngoku?"
Hayi, ayiyi kusebenza, kwaye ukubeka iliso akuyi kubonisa nantoni na: I-Consul iya kuthetha ukuba kukho isalathisi sokuzibophezela, inkokeli ifunyenwe, yonke into ilungile.
Sihlangabezana njani nale nto? service consul restart kwi-cron ngeyure nganye. Ukuba unamaseva angama-50, akukho nto inkulu. Xa kukho i-16 kubo, uya kuyiqonda indlela esebenza ngayo.
isiphelo
Ngenxa yoko, sifumene ezi zibonelelo zilandelayo:
- 100% ukhuselo lwabo bonke oomatshini beLinux.
- Isantya.
- Ukuzenzekela.
- Sakhulula izixhobo zekhompyutha kunye neenjineli zenethiwekhi ebukhobokeni.
- Amathuba okudibanisa avele aphantse angenamda: kunye ne-Kubernetes, kunye ne-Ansible, kunye nePython.
Минусы: Consul, apho ngoku kufuneka siphile, kunye neendleko eziphezulu kakhulu zempazamo. Njengomzekelo, kanye nge-6 pm (ixesha eliphambili eRashiya) ndandihlela into ethile kwizintlu zenethiwekhi. Besisakha i-insulation eBEFW ngeloxesha. Ndenze impazamo kwenye indawo, kubonakala ngathi ndibonise imaski engalunganga, kodwa yonke into yawa kwimizuzwana emibini. Ukubekwa esweni kuyakhanyisa, umntu oxhasayo osemsebenzini uza ebaleka: “Sinayo yonke into!” Intloko yeli sebe ijike yangwevu ngethuba icacisela eli shishini isizathu sokuba kwenzeke oku.
Iindleko zempazamo ziphezulu kangangokuba size nenkqubo yethu yokuthintela enzima. Ukuba uphumeza oku kwindawo enkulu yokuvelisa, akudingeki ukuba unike ithokheni enkulu phezu kwe-Consul kuwo wonke umntu. Oku kuya kuphela kakubi.
Ixabiso. Ndabhala ikhowudi kwiiyure ezingama-400 kuphela. Iqela lam labantu aba-4 lichitha iiyure ezili-10 ngenyanga kwinkxaso yomntu wonke. Xa kuthelekiswa nexabiso layo nayiphi na i-firewall yesizukulwana esitsha, isimahla.
Izicwangciso. Isicwangciso sexesha elide kukufumana enye isithuthi esinokubuyisela okanye sincedisane no-Consul. Mhlawumbi iya kuba yiKafka okanye into efanayo. Kodwa kwiminyaka ezayo siya kuhlala kwiConsul.
Izicwangciso zangoku: ukudityaniswa kunye ne-Fail2ban, kunye nokubeka iliso, kunye ne-nftables, mhlawumbi kunye nolunye unikezelo, i-metrics, ukubeka iliso okuphambili, ukulungelelaniswa. Inkxaso ye-Kubernetes nayo iyindawo ethile kwizicwangciso, kuba ngoku sinamaqela amaninzi kunye nomnqweno.
Okunye kwizicwangciso:
- khangela izinto ezingaqhelekanga kwi-traffic;
- ulawulo lwemephu yenethiwekhi;
- Inkxaso yeKubernetes;
- ukudibanisa iipakethe kuzo zonke iinkqubo;
- Web-UI.
Sihlala sisebenza ekwandiseni ubumbeko, ukwandisa i-metrics kunye nokwenza ngcono.
Joyina iprojekthi. Iprojekthi iye yabonakala ipholile, kodwa, ngelishwa, iseyiprojekthi yomntu omnye. Yiza ku kwaye uzame ukwenza into: zibophelele, uvavanye, ucebise into ethile, nika uhlolo lwakho.
Okwangoku silungiselela , eya kwenzeka ngoAprili 6 no-7 eSt. Petersburg, kwaye simema abaphuhlisi beenkqubo zomthwalo ophezulu. . Izithethi ezinamava sele ziyayazi into emayenze, kodwa kwabo batsha ekuthetheni sicebisa ubuncinci . Ukuthatha inxaxheba kwinkomfa njengesithethi kuneengenelo ezininzi. Unokufunda ukuba yeyiphi, umzekelo, ekupheleni .
umthombo: www.habr.com