Ukuba isiseko sakho se-IT sikhula ngokukhawuleza, uya kuthi ngokukhawuleza okanye kamva ubhekane nokukhetha: ukunyusa ngomgca izibonelelo zoluntu ukuxhasa okanye ukuqala ukuzenzekelayo. Kude kube lixesha elithile, sasihlala kwiparadigm yokuqala, kwaye emva koko indlela ende eya kwi-Infrastructure-as-Code yaqala.
Ewe, i-NSPK ayiqali, kodwa imeko enjalo yalawula kwinkampani kwiminyaka yokuqala yobukho bayo, kwaye loo minyaka yayinomdla kakhulu. Igama lam ndingu , bendixhasa iziseko zeLinux ezineemfuno eziphezulu zokufumaneka ngaphezulu kweminyaka eyi-10. Wajoyina iqela le-NSPK ngoJanuwari 2016 kwaye, ngelishwa, akazange abone ukuqala kobukho benkampani, kodwa wafika kwinqanaba leenguqu ezinkulu.
Ngokubanzi, sinokuthi iqela lethu libonelela ngeemveliso ezi-2 zenkampani. Eyokuqala ziziseko zophuhliso. Imeyile kufuneka isebenze, i-DNS kufuneka isebenze, kwaye abalawuli besizinda kufuneka bakuvumele ukuba ungene kwiiseva ezingafanelekanga. Indawo ye-IT yenkampani inkulu! Ezi ziinkqubo ezibalulekileyo zeshishini & nobuthunywa, iimfuno zokufumaneka kwabanye ziyi-99,999. Imveliso yesibini ngabancedisi ngokwabo, ngokwasemzimbeni kunye nenyani. Ezikhoyo zifuna ukubekw’ esweni, yaye ezintsha zimele zisiwe rhoqo kubathengi abasuka kumasebe amaninzi. Kweli nqaku ndifuna ukugxila kwindlela esiphuhlise ngayo isiseko esinoxanduva lomjikelo wobomi bomncedisi.
Ukuqala kwendlela
Ekuqaleni kohambo lwethu, isitakhi setekhnoloji sasijongeka ngolu hlobo:
I-OS CentOS 7
I-FreeIPA Domain Controllers
Ukuzenzekela-Ansible(+Tower), Cobbler
Konke oku kwakubekwe kwimimandla ye-3, isasazwe kumaziko amaninzi edatha. Kwiziko ledatha enye kukho iinkqubo zeofisi kunye neendawo zokuvavanya, kwezinye kukho iPROD.
Ukudala iiseva ngexesha elinye kujongeka ngolu hlobo:
Kwi-template ye-VM, i-CentOS incinci kwaye ubuncinci obufunekayo bufana nechanekileyo /etc/resolv.conf, okunye kuza nge-Ansible.
I-CMDB-Excel.
Ukuba umncedisi wenyama, ngoko endaweni yokukopa umatshini wenyani, i-OS yafakwa kuyo kusetyenziswa i-Cobbler - iidilesi ze-MAC zomncedisi ekujoliswe kuzo zongezwa kwi-Cobbler config, umncedisi ufumana idilesi ye-IP nge-DHCP, kwaye emva koko i-OS. yongezwa.
Ekuqaleni siye sazama ukwenza uhlobo oluthile lolawulo loqwalaselo kwiCobbler. Kodwa ekuhambeni kwexesha, oku kwaqala ukuzisa iingxaki ngokuphatheka kolungelelwaniso kokubini kwamanye amaziko edatha kunye nekhowudi ye-Ansible yokulungiselela ii-VM.
Ngelo xesha, abaninzi bethu babona ukuba i-Ansible njengolwandiso olufanelekileyo lwe-Bash kwaye ayizange ikhuphe kuyilo usebenzisa iqokobhe kunye ne-sed. IBashsible iyonke. Oku ekugqibeleni kwakhokelela kwinto yokuba ukuba i-playbook ngesizathu esithile ayizange isebenze kumncedisi, kwakulula ukucima umncedisi, ukulungisa incwadi yokudlala kwaye uyiqhube kwakhona. Bekungekho ngokwesiseko luguqulelo lwezikripti, akukho ukuphatheka kolungelelwaniso.
Umzekelo, besifuna ukutshintsha uqwalaselo oluthile kuzo zonke iiseva:
- Sitshintsha uqwalaselo kwiiseva ezikhoyo kwicandelo elinengqiqo/iziko ledatha. Ngamanye amaxesha kungekhona ngosuku olunye - iimfuno zokufikeleleka kunye nomthetho wamanani amaninzi awuvumeli ukuba zonke iinguqu zisetyenziswe kanye. Kwaye ezinye iinguqu zinokonakalisa kwaye zifuna ukuqalisa kwakhona into - ukusuka kwiinkonzo ukuya kwi-OS ngokwayo.
- Ukulungisa kwi-Ansible
- Siyilungisa kwiCobbler
- Phinda amaxesha ka-N kwicandelo ngalinye elisengqiqweni/iziko ledatha
Ukuze zonke iinguqu zihambe kakuhle, kwakuyimfuneko ukuba kuthathelwe ingqalelo izinto ezininzi, kwaye utshintsho lwenzeka rhoqo.
- Ukuhlaziya ikhowudi esebenzayo, iifayile zoqwalaselo
- Ukutshintsha iindlela zokusebenza ezingcono zangaphakathi
- Utshintsho olusekelwe kwiziphumo zohlalutyo lweziganeko / iingozi
- Ukutshintsha imigangatho yokhuseleko, ngaphakathi nangaphandle. Umzekelo, i-PCI DSS ihlaziywa ngeemfuno ezintsha minyaka le
Ukukhula kweziseko zophuhliso kunye nesiqalo sohambo
Inani leeseva/imimandla esengqiqweni/amaziko edatha akhule, kunye nabo inani leempazamo kuqwalaselo. Ngexesha elithile, sifike kumacala amathathu apho ulawulo lolungelelwaniso kufuneka luphuhliswe:
- Ukuzenzekela. Impazamo yomntu ekusebenzeni ngokuphindaphindiweyo kufuneka igwenywe kangangoko kunokwenzeka.
- Ukuphindaphinda. Kulula kakhulu ukulawula iziseko zophuhliso xa kuqikelelwa. Ukucwangciswa kweeseva kunye nezixhobo zokulungiselela kwazo kufuneka zifane yonke indawo. Oku kubalulekile kumaqela emveliso - emva kovavanyo, isicelo kufuneka siqinisekiswe ukuba siphelela kwindawo yemveliso eqwalaselwe ngokufanayo kwimeko yovavanyo.
- Ukulula kunye nokungafihli ukwenza utshintsho kulawulo lolungelelwaniso.
Kuhlala ukongeza izixhobo ezimbalwa.
Sikhethe i-GitLab CE njengendawo yethu yokugcina ikhowudi, hayi kancinci kwiimodyuli zayo ezakhelwe ngaphakathi zeCI/CD.
Ivault yeemfihlo-iHashicorp Vault, incl. ye-API enkulu.
Ukuvavanywa kolungelelwaniso kunye neendima ezifanelekileyo - iMolecule + Testinfra. Uvavanyo luhamba ngokukhawuleza kakhulu ukuba uqhagamshela kwi-mitogen esebenzayo. Ngelo xesha, saqala ukubhala i-CMDB yethu kunye ne-orchestrator yokuthunyelwa ngokuzenzekelayo (kumfanekiso ongentla kweCobbler), kodwa eli libali elihluke ngokupheleleyo, apho umlingane wam kunye nomphuhlisi oyintloko wezi nkqubo baya kuxela kwixesha elizayo.
Ukhetho lwethu:
Imolekyuli + Testinfra
Ansible + Tower + AWX
Ilizwe leeSeva + DITNET (Uphuhliso lwalo)
I-Cobbler
Gitlab + GitLab imbaleki
I-Hashicorp Vault
Ngendlela, malunga neendima ezifanelekileyo. Ekuqaleni kwakukho enye kuphela, kodwa emva kwee-refactorings ezininzi kwakukho i-17. Ndincoma ngokuqinileyo ukuphula i-monolith kwiindima ezibuthathaka, ezinokuthi ziqaliswe ngokwahlukileyo; ukongeza, unokongeza iithegi. Sahlulahlula iindima ngokusebenza - inethiwekhi, ukugawulwa kwemithi, iipakethi, i-hardware, i-molecule njl. Ngokubanzi, silandele isicwangciso esingezantsi. Andinyanzelisi ukuba le yinyaniso yodwa, kodwa isisebenzele.
- Ukukopa iiseva "kumfanekiso wegolide" kubi!Eyona nto ingathandekiyo kukuba awuyazi kakuhle imeko yemifanekiso ngoku, kwaye zonke iinguqu ziya kuza kuyo yonke imifanekiso kuzo zonke iifama zokubona.
- Sebenzisa iifayile zoqwalaselo olusisiseko ubuncinci kwaye uvumelane namanye amasebe ukuba unoxanduva lweefayile zesistim eziphambili, umzekelo:
- Shiya /etc/sysctl.conf ingenanto, izicwangciso kufuneka zibe kwi/etc/sysctl.d/. Ukungagqibeki kwakho kwifayile enye, isiko losetyenziso kwenye.
- Sebenzisa iifayile ezingaphezulu ukuhlela iiyunithi zesistim.
- Template yonke imimiselo kwaye uzibandakanye ngokupheleleyo; ukuba kuyenzeka, akukho sed okanye izifaniso zayo kwiincwadi zokudlala.
- Ukuphinda kuqwalaselwe ikhowudi yenkqubo yolawulo:
- Yahlula imisebenzi ibe ngamaqumrhu anengqiqo kwaye uphinde ubhale i-monolith kwiindima
- Sebenzisa iilitha! Ansible-lint, yaml-lint, njl
- Guqula indlela yakho yokwenza! Akukho bashsible. Kuyimfuneko ukuchaza imeko yenkqubo
- Kuzo zonke iindima ze-Ansible kufuneka ubhale iimvavanyo kwi-molecule kwaye uvelise iingxelo kanye ngosuku.
- Kwimeko yethu, emva kokulungiselela iimvavanyo (apho kukho ngaphezu kwe-100), malunga nama-70000 amaphutha afunyenwe. Kwathatha iinyanga ezininzi ukuyilungisa.
Ukuphunyezwa kwethu
Ngoko ke, iindima ezithintekayo zazilungile, zifakwe itemplate kwaye zihlolwe ngamalitha. Kwaye neegits ziphakanyiswa kuyo yonke indawo. Kodwa umbuzo wokuhanjiswa kwekhowudi ethembekileyo kumacandelo ahlukeneyo ahlala evulekile. Sagqiba ekubeni singqamanise nezikripthi. Kubonakala ngathi:
Emva kokuba utshintsho lufikile, i-CI iqaliswe, iseva yokuvavanya yenziwa, iindima zikhutshwe, kwaye zivavanywe yi-molecule. Ukuba yonke into ilungile, ikhowudi iya kwisebe le-prod. Kodwa asisebenzisi ikhowudi entsha kwiiseva ezikhoyo kumatshini. Olu luhlobo lwesithinteli oluyimfuneko ekufumanekeni okuphezulu kweenkqubo zethu. Kwaye xa iziseko zophuhliso ziba zikhulu, umthetho wamanani amaninzi uya kudlala - nokuba uqinisekile ukuba utshintsho alunabungozi, kunokukhokelela kwimiphumo emibi.
Kukho neenketho ezininzi zokudala iiseva. Sigqibe kwelokuba sikhethe izikripthi zePython zesiko. Kwaye kwi-CI esebenzayo:
- name: create1.yml - Create a VM from a template
vmware_guest:
hostname: "{{datacenter}}".domain.ru
username: "{{ username_vc }}"
password: "{{ password_vc }}"
validate_certs: no
cluster: "{{cluster}}"
datacenter: "{{datacenter}}"
name: "{{ name }}"
state: poweredon
folder: "/{{folder}}"
template: "{{template}}"
customization:
hostname: "{{ name }}"
domain: domain.ru
dns_servers:
- "{{ ipa1_dns }}"
- "{{ ipa2_dns }}"
networks:
- name: "{{ network }}"
type: static
ip: "{{ip}}"
netmask: "{{netmask}}"
gateway: "{{gateway}}"
wake_on_lan: True
start_connected: True
allow_guest_control: True
wait_for_ip_address: yes
disk:
- size_gb: 1
type: thin
datastore: "{{datastore}}"
- size_gb: 20
type: thin
datastore: "{{datastore}}"Yile nto sifikile kuyo, inkqubo iyaqhubeka iphila kwaye iphuhlise.
- 17 Iindima ezifanelekileyo zokuseta umncedisi. Indima nganye yenzelwe ukusombulula umsebenzi onengqondo owahlukileyo (ukugawulwa kwemithi, ukuphicothwa, ukugunyazwa komsebenzisi, ukubeka iliso, njl.).
- Uvavanyo lwendima. Imolekyuli + TestInfra.
- Uphuhliso olulolwakho: CMDB + Orchestrator.
- Ixesha lokuyilwa kweseva yi ~ 30 imizuzu, iyazenzekela kwaye izimele ngokwenyani kumgca womsebenzi.
- Ilizwe elifanayo / ukubizwa kweziseko zophuhliso kuwo onke amacandelo - iincwadi zokudlala, iindawo zokugcina, izinto ezibonakalayo.
- Itshekhi yemihla ngemihla yobume beseva kunye nokuveliswa kweengxelo malunga nokungangqinelani nomgangatho.
Ndiyathemba ukuba ibali lam liya kuba luncedo kwabo basekuqaleni kohambo lwabo. Sesiphi isitakhi esizenzekelayo osisebenzisayo?
umthombo: www.habr.com