Proper configuration of MetalLB routing in L2 mode

Recently I was faced with a rather unusual task of setting up routing for MetalLB. Everything would be fine, but... Normally MetalLB does not require any additional actions, but in our case we have a fairly large cluster with a very simple network configuration.

In this article I will show you how to configure source-based and policy-based routing for the external network of your cluster.

I will not go into the details of installing and configuring MetalLB, because I assume you already have experience with it. I suggest going straight to the point, that is, setting up routing. So we have four cases:

Case 1: When no configuration is required

Let's consider the simplest case.


No additional routing configuration is required when the addresses issued by MetalLB are in the same subnet as the addresses of your nodes.

For example, you have the subnet 192.168.1.0/24 with the router 192.168.1.1, and your nodes receive the addresses 192.168.1.10-30; then in MetalLB you can specify the range 192.168.1.100-120 and be sure that these addresses will work without any additional configuration.

Why is that? Because your nodes already have the routes configured:

# ip route
default via 192.168.1.1 dev eth0 onlink 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10

And addresses from the same range will reuse these routes without any additional actions.

Case 2: When additional configuration is required


You will need to configure additional routes whenever your nodes have neither an IP address in, nor a route to, the subnet from which MetalLB issues addresses.

Let me explain in a bit more detail. Whenever MetalLB issues an address, it can be compared to a simple assignment like this:

ip addr add 10.9.8.7/32 dev lo

Pay attention to the following:

  • a) The address is assigned with a /32 prefix, that is, a route to its subnet will not be added automatically (it is just an address).
  • b) The address is attached to some node interface (for example, loopback). It is worth mentioning a peculiarity of the Linux network stack here: no matter which interface you add the address to, the kernel will always process ARP requests for it and send ARP replies on any of the interfaces. This behaviour is considered correct and, moreover, is widely relied upon in a dynamic environment such as Kubernetes.

This behaviour can be customized, for example by enabling strict ARP:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

In this case ARP replies will be sent only if the interface explicitly carries the specific IP address. This setting is required if you plan to use MetalLB and your kube-proxy works in IPVS mode.

However, MetalLB does not use the kernel to process ARP requests; it handles them itself in user space, so this option will not affect the operation of MetalLB.

Let's get back to our task. If the route to the issued addresses is absent on your nodes, add it in advance on all nodes:

ip route add 10.9.8.0/24 dev eth1

Case 3: When you need source-based routing

You will need to configure source-based routing when you receive packets through a separate gateway rather than the one configured by default, so that the reply packets also leave through that same gateway.

For example, you have the same subnet 192.168.1.0/24 allocated to your nodes, but you want to issue external addresses using MetalLB. Let's assume you have a range of addresses in the subnet 1.2.3.0/24, located in VLAN 100, and you want to use them to reach Kubernetes services from outside.


When contacting 1.2.3.4, you send requests from a subnet other than 1.2.3.0/24 and expect a reply. The node that currently owns the MetalLB-issued address 1.2.3.4 will receive the packet from the router 1.2.3.1, but its reply must go back the same way, through 1.2.3.1.

Since our node already has the default gateway 192.168.1.1 configured, by default the reply will go to it, and not to 1.2.3.1, from which we received the packet.

How do we deal with this situation?

In this case you need to prepare all your nodes so that they are ready to serve the external addresses without any further configuration. That is, for the example above, you need to create the VLAN interface on each node in advance:

ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 up

And add the routes:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Note that we add the routes to a separate routing table, 100; it will contain only the two routes needed to send the reply packet through the gateway 1.2.3.1, which sits behind the interface eth0.100.

Now we need to add a simple rule:

ip rule add from 1.2.3.0/24 lookup 100

which says explicitly: if the source address of a packet is within 1.2.3.0/24, then routing table 100 must be used. In that table we have already described the route that will send the packet through 1.2.3.1.

Case 4: When you need policy-based routing

The network topology is the same as in the previous example, but let's say you also want to be able to reach the addresses of the external pool 1.2.3.0/24 from your pods:


The peculiarity is that when any address in 1.2.3.0/24 is accessed, the reply packet arrives at the node with a source address in the range 1.2.3.0/24, so it will obediently be sent out through eth0.100, whereas we want Kubernetes to redirect it back to the pod that generated the original request.

Solving this problem turned out to be difficult, but it became possible thanks to policy-based routing.

To better understand the process, here is the netfilter block diagram:

[Figure: netfilter block diagram]

First, as in the previous example, let's create an additional routing table:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Now let's add a few rules to iptables:

iptables -t mangle -A PREROUTING -i eth0.100 -j CONNMARK --set-mark 0x100
iptables -t mangle -A PREROUTING  -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

These rules mark connections that arrive on the interface eth0.100, tagging all of their packets with the mark 0x100; replies within the same connection will also be tagged with the same mark.

Now we can add the routing rule:

ip rule add from 1.2.3.0/24 fwmark 0x100 lookup 100

That is, all packets with a source address in 1.2.3.0/24 and the mark 0x100 must be routed using table 100.

Thus, packets received on any other interface do not fall under this rule, which allows them to be routed by the standard Kubernetes means.

One more thing: Linux has a feature called reverse path filtering, which breaks everything here. It performs a simple check: for every incoming packet it swaps the source and destination addresses and checks whether the packet could leave through the same interface on which it was received; if not, the packet is dropped.

The problem is that in our case it will not work correctly, but we can disable it:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0.100/rp_filter

Note that the first command controls the global rp_filter behaviour; if it is not disabled, the second command will have no effect. The remaining interfaces, however, will keep rp_filter enabled.

So as not to disable the filter completely, we can use the netfilter implementation of rp_filter. Using rpfilter as an iptables module, you can configure quite flexible rules, for example:
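To see why case 4 needs the fwmark in the rule and why reverse path filtering then starts dropping the replies, here is an added simulation of the rule and table lookup described in cases 3 and 4 (example code, not part of the original article). The pod subnet 10.244.0.0/24, the CNI bridge cni0 and the reverse-path model are simplifying assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of one node from the article: eth0 in 192.168.1.0/24,
# eth0.100 in VLAN 100 serving the MetalLB pool 1.2.3.0/24, pods on cni0.
# The pod subnet and the cni0 bridge are assumptions, not from the article.
TABLES = {
    "main": [
        ("192.168.1.0/24", "eth0", None),
        ("10.244.0.0/24", "cni0", None),
        ("0.0.0.0/0", "eth0", "192.168.1.1"),
    ],
    100: [
        ("1.2.3.0/24", "eth0.100", None),
        ("0.0.0.0/0", "eth0.100", "1.2.3.1"),
    ],
}
# Policy rules as (source prefix, fwmark, table); None means "any".
RULES_CASE3 = [("1.2.3.0/24", None, 100)]   # ip rule add from 1.2.3.0/24 lookup 100
RULES_CASE4 = [("1.2.3.0/24", 0x100, 100)]  # ... fwmark 0x100 lookup 100

def route(dst, src, mark, rules):
    """Return (dev, gateway): the first matching rule selects a table
    (falling back to main), then longest-prefix match inside that table."""
    table = "main"
    for prefix, fwmark, tid in rules:
        if (prefix is None or ip_address(src) in ip_network(prefix)) and \
           (fwmark is None or fwmark == mark):
            table = tid
            break
    best = None
    for prefix, dev, via in TABLES[table]:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev, via)
    return (best[1], best[2]) if best else None

def rp_filter_passes(src, dst, iif, mark, rules):
    """Simplified strict reverse-path check: route the reversed packet and
    accept only if it would leave through the interface it arrived on."""
    reverse = route(dst=src, src=dst, mark=mark, rules=rules)
    return reverse is not None and reverse[0] == iif

if __name__ == "__main__":
    # Case 3: reply to an external client leaves via 1.2.3.1 on eth0.100.
    print(route("8.8.8.8", "1.2.3.4", 0, RULES_CASE3))
    # Case 4 without fwmark: the reply meant for a pod is also sent out eth0.100.
    print(route("10.244.0.5", "1.2.3.4", 0, RULES_CASE3))
    # Case 4 with fwmark: an unmarked reply reaches the pod via the main table.
    print(route("10.244.0.5", "1.2.3.4", 0, RULES_CASE4))
    # rp_filter drops a pool reply arriving on eth0.100 for a node-initiated flow.
    print(rp_filter_passes("1.2.3.4", "192.168.1.10", "eth0.100", 0, RULES_CASE4))
```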

iptables -t raw -A PREROUTING -i eth0.100 -d 1.2.3.0/24 -j RETURN
iptables -t raw -A PREROUTING -i eth0.100 -m rpfilter --invert -j DROP

which enables rp_filter on the interface eth0.100 for all destination addresses except 1.2.3.0/24.

umthombo: www.habr.com
