A thriller about configuring servers without miracles, with Configuration Management

New Year was approaching. Children all over the country had already sent their letters to Santa Claus or made gifts themselves, and their main executor, one of the largest retailers, was preparing for the apotheosis of sales. In December the load on its data center grows many times over. So the company decided to modernize the data center and put a number of new servers into operation in place of equipment reaching the end of its service life. Here the fairy tale against a backdrop of swirling snowflakes ends, and the thriller begins.

The equipment arrived on site several months before the peak of sales. The operations service, of course, knows how and what to configure on a server to bring it into production. But we needed to automate this and remove the human factor. On top of that, the servers were being replaced ahead of the migration of a set of SAP systems that were critically important for the company.

Commissioning of the new servers was rigidly tied to a deadline. Moving it would have meant putting at risk both the shipment of billions of gifts and the migration of the systems. Even a team that included Father Frost and Santa Claus could not have changed the date: the SAP warehouse management system can be migrated only once a year. From 31 December to 1 January, the retailer's huge warehouses, 20 football fields in total area, stop work for 15 hours. And this is the only window for moving the system. We had no room for error when commissioning the servers.

Let me be clear: my story reflects the tools and the configuration management process used by our team.

A complete configuration management system has several levels. The central component is the CMS itself. In industrial operation, the absence of any one of the levels will surely lead to unpleasant miracles.

OS installation management

The first level is the system that manages OS installation on physical and virtual servers. It creates the basic OS configuration, removing the human factor.

With this system we got standard server instances with an OS ready for further automation. During "provisioning" they received a minimal set of local users and public SSH keys, plus a consistent OS configuration. We can be sure that we manage the servers through the CMS and that there are no surprises "down below" at the OS level.

The "maximum" task of the installation management system is to configure servers automatically all the way from the BIOS/Firmware level to the OS. Much here depends on the hardware and on the setup tasks. For heterogeneous hardware you can consider the Redfish API. If all the hardware comes from a single vendor, it is often more convenient to use ready-made management tools (for example, HP iLO Amplifier, Dell OpenManage, etc.).

To install the OS on physical servers we used the well-known Cobbler, which defines a set of installation profiles agreed with the operations service. When adding a new server to the infrastructure, an engineer bound the server's MAC address to the required profile in Cobbler. On its first network boot the server received a temporary address and a fresh OS. It was then switched over to the target VLAN/IP of its working interface and continued its work there. Yes, switching the VLAN takes time and requires coordination, but it gives extra protection against accidentally installing a server into the production environment.
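The MAC-to-profile binding described above can itself be expressed as a playbook, so that the step lands in the same GitLab review flow as everything else. The example below is added here and is not code from the article or from Jet Infosystems; the Cobbler host name, the profile name, the MAC and IP addresses and the credential variables are constructed placeholders.

```yaml
# Added example (not from the article): register a new physical server in
# Cobbler from Ansible instead of by hand. All names and addresses are assumed.
- name: Bind a new server to an agreed Cobbler installation profile
  hosts: localhost
  gather_facts: false
  vars:
    # Assumed profile name; it must match one of the profiles agreed with operations.
    cobbler_profile: rhel7-base-x86_64
    new_server:
      name: srv-db-01
      mac: "52:54:00:aa:bb:01"     # constructed MAC address of the server's PXE NIC
      ip: 10.10.20.11              # address on the temporary installation network
  tasks:
    - name: Register the system and bind its MAC address to the profile
      community.general.cobbler_system:
        host: cobbler.example.internal      # assumed Cobbler server
        username: "{{ cobbler_user }}"
        password: "{{ cobbler_password }}"  # supplied from the secret store, never from Git
        name: "{{ new_server.name }}"
        properties:
          profile: "{{ cobbler_profile }}"
          netboot_enabled: true             # allow exactly one PXE installation
        interfaces:
          eth0:
            macaddress: "{{ new_server.mac }}"
            ipaddress: "{{ new_server.ip }}"
        sync: true                          # regenerate DHCP/TFTP config after the change
        state: present
      no_log: true                          # keep the Cobbler credentials out of job output
```

Because the binding is now a reviewed change, a typo in a MAC address is caught before a production machine is ever offered a boot image, and the temporary installation network described above remains the second line of defence.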

We created virtual servers from templates prepared with HashiCorp Packer. The reason was the same: to prevent human error when installing the OS. But, unlike with physical servers, Packer removes the need for PXE, network boot and VLAN switching. This made creating virtual servers easier and simpler.

Fig. 1. OS installation management.

Secrets management

Any configuration management system contains data that must be hidden from ordinary users but is needed to configure systems: passwords of local users and service accounts, certificate keys, various API tokens, etc. They are usually called "secrets".

If you did not decide from the outset where and how to store these secrets, then, depending on how strict the information security requirements are, the following storage options are possible:

  • directly in the configuration management code or in files in the repository;
  • in the specialized tools of the configuration management system (for example, Ansible Vault);
  • in CI/CD systems (Jenkins/TeamCity/GitLab/etc.) or in configuration management systems (Ansible Tower/Ansible AWX);
  • secrets can be passed "by hand": for example, they are placed in a certain location and then used by the configuration management system;
  • various combinations of the above.

Each approach has its drawbacks. The main one is the lack of access policies for secrets: it is impossible or difficult to determine who may use which secrets. Another drawback is the lack of auditing and of a full lifecycle. How do you quickly rotate, for example, a public key written into the code together with a number of systems that depend on it?

We used the HashiCorp Vault secret store. This allowed us to:

  • store secrets securely. They are encrypted, and even if someone gains access to the Vault database (for example, by restoring it from a backup), they will not be able to read the secrets stored there;
  • organize access policies for secrets. Users and applications can reach only the secrets "assigned" to them;
  • audit access to secrets. Any action involving secrets is recorded in the Vault audit log;
  • organize a full "lifecycle" of working with secrets. They can be created, revoked, given an expiration date, etc.;
  • integrate easily with other systems that need access to secrets;
  • and use end-to-end encryption, one-time passwords for the OS and databases, certificates from trusted certification authorities, etc.

Now let's move on to the system of centralized authentication and authorization. It would have been possible to do without it, but managing users across many interconnected systems is not trivial. We configured authentication and authorization through an LDAP service. Otherwise Vault would have to continuously issue and keep track of authentication tokens for users, and deleting or adding a user would turn into the question "Did I create/delete this user account everywhere?"
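The way a playbook consumes a secret from Vault without that secret ever entering the repository looks like this. This play is an added example, not code from the article or from Jet Infosystems; the Vault address, the KV mount and path, the AppRole credentials (taken from environment variables, which is how an AWX custom credential type can inject them) and the template name are all assumptions.

```yaml
# Added example (not from the article): fetch a database password from
# HashiCorp Vault at run time. Vault URL, secret path and the AppRole
# identity are assumed; ROLE_ID/SECRET_ID arrive via the job environment.
- name: Configure the application's database user without a secret in Git
  hosts: db_servers
  become: true
  vars:
    vault_addr: "https://vault.example.internal:8200"   # assumed Vault address
    # KV v2 mount "secret", path "apps/shop/db". Only an AppRole whose Vault
    # policy grants read on secret/data/apps/shop/* can resolve this lookup,
    # and every read shows up in the Vault audit log.
    db_secret: >-
      {{ lookup('community.hashi_vault.hashi_vault',
                'secret/data/apps/shop/db:password',
                url=vault_addr,
                auth_method='approle',
                role_id=lookup('env', 'VAULT_ROLE_ID'),
                secret_id=lookup('env', 'VAULT_SECRET_ID')) }}
  tasks:
    - name: Ensure the local service account exists with the password from Vault
      ansible.builtin.user:
        name: shopapp
        password: "{{ db_secret | password_hash('sha512') }}"
        update_password: always
      no_log: true          # never echo the hash or the secret into the job output

    - name: Render the application config (the template reads db_secret)
      ansible.builtin.template:
        src: shop.conf.j2   # assumed template shipped with the role
        dest: /etc/shop/shop.conf
        owner: shopapp
        group: shopapp
        mode: "0600"        # readable only by the service account
      no_log: true          # the rendered diff would contain the secret
```

Two details carry most of the value: the secret is looked up on every run, so rotating it in Vault is enough to rotate it everywhere the role is applied, and `no_log: true` keeps it out of the AWX job output that many people are allowed to read.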

Let's add one more level to our system: secrets management and centralized authentication/authorization:

Fig. 2. Secrets management.

Configuration management

We have reached the core: the CMS itself. In our case it is the combination of Ansible and Red Hat Ansible AWX.

Instead of Ansible, Chef, Puppet or SaltStack could have been used. We chose Ansible based on several criteria.

  • First, versatility. The set of ready-made management modules is impressive. And if it is not enough, you can look on GitHub and Galaxy.
  • Second, there is no need to install and support agents on the managed hardware, to prove that they do not interfere with the workload, or to prove the absence of "bookmarks" (hidden backdoors) in them.
  • Third, Ansible has a low entry threshold. A competent engineer will write a working playbook literally on the first day of working with the product.

But Ansible alone was not enough for us in a production environment. Otherwise many problems arise with access restriction and with auditing administrators' actions. How do you restrict access? After all, each department needed to manage (read: run Ansible playbooks on) "its own" set of servers. How do you allow only certain employees to run specific playbooks? Or how do you track who launched a playbook without setting up a pile of local logging on the servers and on the hosts that run Ansible?

The lion's share of such issues is solved by Red Hat Ansible Tower, or by its open-source upstream project Ansible AWX. That is why we chose it for the customer.

One more stroke in the picture of our CMS. Playbooks must be stored in a version control system. We have GitLab CE.

So configuration itself is managed by the combination Ansible/Ansible AWX/GitLab (see Fig. 3). Naturally, AWX and GitLab are integrated with the single authentication system, and the Ansible playbooks are integrated with HashiCorp Vault. Configuration reaches production only through Ansible AWX, where all the "rules of the game" are defined: who may configure what, where the CMS configuration management code is taken from, etc.

Fig. 3. Configuration management.

Test management

Our configuration is expressed as code. Therefore we are obliged to play by the same rules as software developers. We had to organize the processes of developing, continuously testing, delivering and deploying configuration code to production servers.

If this is not done right away, the roles written for configuration will either cease to be maintained and modified, or cease to be run in production. The cure for this pain is well known, and it proved itself in this project:

  • each role is covered by unit tests;
  • the tests run automatically on any change to the configuration management code;
  • changes to the configuration management code are released to production only after passing all tests and code review.

Code development and configuration management have become calmer and more predictable. To organize continuous testing we used the GitLab CI/CD toolkit, and we took Molecule as the test framework.

Whenever the configuration management code changes, GitLab CI/CD calls Molecule, which:

  • checks the code syntax,
  • spins up a Docker container,
  • applies the modified code to the created container,
  • checks the role for idempotency and runs the tests for this code (the granularity here is at the level of an Ansible role, see Fig. 4).
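The four steps above map onto two small files in a role repository: a Molecule scenario and a GitLab CI job that runs it. Both are added here as an example and are not the article's or Jet Infosystems' own files; the container image names, the registry and the branch name are assumed.

```yaml
# Added example (not from the article). Two files, shown as two YAML documents.
# Image names, registry and branch are assumed.

# --- molecule/default/molecule.yml, inside the role repository ---
---
driver:
  name: docker
platforms:
  - name: instance
    image: "registry.example.internal/ci/centos7-systemd"   # assumed test image
    command: /usr/sbin/init
    privileged: true            # only needed when the role manages systemd units
provisioner:
  name: ansible
verifier:
  name: ansible                 # tests live in molecule/default/verify.yml
scenario:
  # Explicit sequence for `molecule test`: syntax check, create the container,
  # converge (apply the role), re-run to prove idempotence, verify, destroy.
  test_sequence:
    - dependency
    - syntax
    - create
    - prepare
    - converge
    - idempotence
    - verify
    - destroy

# --- .gitlab-ci.yml, at the repository root ---
---
stages:
  - test

molecule:
  stage: test
  image: "registry.example.internal/ci/molecule:latest"   # assumed: molecule + docker client
  services:
    - docker:dind               # Docker daemon the driver talks to
  variables:
    DOCKER_HOST: tcp://docker:2375
    DOCKER_TLS_CERTDIR: ""
  script:
    - molecule test             # fails the pipeline on the first failing step
  rules:
    - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
    - if: '$CI_COMMIT_BRANCH == "master"'
```

The idempotence step is the one that matters most operationally: a role that reports changes on its second run against the same container will later produce noise in every drift check, so it is rejected before it can reach the master branch that AWX pulls from.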

We deliver configuration to production with Ansible AWX. Operations engineers make configuration changes through predefined templates. AWX itself "requests" the latest version of the code from the GitLab master branch each time a template is used. This way we rule out the use of untested or outdated code in production. Naturally, code gets into the master branch only after testing, review and approval.

Fig. 4. Automated testing of roles in GitLab CI/CD.

There is also a problem related to operating production systems. In real life it is very hard to make configuration changes exclusively through CMS code. Emergencies arise in which an engineer has to change a setting "here and now", without waiting for code edits, testing, approval and so on.

As a result of such manual changes, discrepancies appear in the configuration of identical devices (for example, sysctl settings end up different on the nodes of an HA cluster). Or the actual configuration of a device differs from the one defined in the CMS code.

Therefore, in addition to continuous testing, we check the production environments for configuration discrepancies. We chose the simplest option: run the CMS configuration code in "dry run" mode, that is, without applying changes, but with a report of every discrepancy between the planned and the actual configuration. We implement this by periodically running all the playbooks with the "--check" option against the production servers. As always, Ansible AWX is responsible for launching the playbooks and keeping them up to date (see Fig. 5):

Fig. 5. Checking configuration discrepancies in Ansible AWX.

After the check, AWX sends a discrepancy report to the administrators. They study the problematic configuration and then fix it with adjusted playbooks. This is how we keep the configuration in production and in the CMS always up to date and consistent. It eliminates unpleasant "miracles" when CMS code is applied to "production" servers.
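The AWX side of both the delivery path (a project that always pulls the reviewed master branch, and a run template that engineers launch) and the periodic "--check" drift job can be described with the awx.awx collection, so that "who may run what against which hosts" is versioned like everything else. This play is an added example and not the article's or Jet Infosystems' configuration; the organization, inventory, project URL, credential names, playbook name and schedule are assumptions.

```yaml
# Added example (not from the article): AWX project, run template, check-mode
# template and nightly schedule, all assumed names and values.
- name: Define the production deployment and the periodic drift check in AWX
  hosts: localhost
  gather_facts: false
  vars:
    org: Retail-Ops                       # assumed AWX organization
  tasks:
    - name: Project that always pulls the reviewed master branch from GitLab
      awx.awx.project:
        name: cms-playbooks
        organization: "{{ org }}"
        scm_type: git
        scm_url: "https://gitlab.example.internal/ops/cms-playbooks.git"  # assumed
        scm_branch: master
        scm_update_on_launch: true        # fresh checkout before every job
        scm_credential: gitlab-readonly   # assumed read-only deploy credential

    - name: Template operations engineers use to apply configuration
      awx.awx.job_template:
        name: "Apply DB server baseline"
        organization: "{{ org }}"
        job_type: run
        inventory: production             # assumed inventory name
        project: cms-playbooks
        playbook: db_baseline.yml         # assumed playbook in the project
        credentials:
          - prod-ssh-machine              # assumed machine credential
          - vault-approle                 # assumed custom credential with ROLE_ID/SECRET_ID
        ask_limit_on_launch: true         # the engineer may pick hosts, nothing else

    - name: Same playbook in check mode, which reports drift without changing anything
      awx.awx.job_template:
        name: "Drift check: DB server baseline"
        organization: "{{ org }}"
        job_type: check                   # equivalent of ansible-playbook --check
        diff_mode: true                   # include what would have changed
        inventory: production
        project: cms-playbooks
        playbook: db_baseline.yml
        credentials:
          - prod-ssh-machine
          - vault-approle

    - name: Run the drift check every night at 02:00 UTC
      awx.awx.schedule:
        name: "Nightly drift check: DB server baseline"
        unified_job_template: "Drift check: DB server baseline"
        rrule: "DTSTART:20191201T020000Z RRULE:FREQ=DAILY;INTERVAL=1"   # constructed start date
        state: present
```

One caveat when reading the resulting reports: a check-mode job only exercises modules that support check mode, and any task explicitly marked `check_mode: false` runs for real even inside the "dry run". Review a playbook for both before scheduling it against production, otherwise the drift report is either incomplete or not dry at all. The discrepancy report itself can be delivered by attaching an AWX notification template (e-mail, chat, webhook) to the check-mode template.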

Now we have an important test management level made up of Ansible AWX/GitLab/Molecule (Fig. 6).

Fig. 6. Test management.

Complicated? I won't argue. But this configuration management complex has become an exhaustive answer to many questions about automating server configuration. Now the retailer's standard servers always have a strictly defined configuration. The CMS, unlike an engineer, will not forget to add the necessary settings, create the users and make the dozens or hundreds of required adjustments.

Today there is no "secret knowledge" in the settings of servers and environments. Every required property is reflected in the playbooks. No more magic and vague instructions like: "Install it like a regular Oracle, but you have to specify a couple of sysctl settings and add users with the right UIDs. Ask the operations guys, they know."

The ability to see configuration discrepancies and fix them quickly gives peace of mind. Without a configuration management system this usually looks different. Problems accumulate until one day they "go off" in production. Then a debriefing is held, the configuration is checked and fixed. And the cycle repeats.

And yes, we cut the time to bring a server into service from several days to hours.

And on New Year's Eve itself, while children were joyfully unwrapping presents and adults were making wishes as the chimes struck, our engineers migrated the SAP system to the new servers. Even Santa Claus would say that the best miracles are the well-prepared ones.

P.S. Our team constantly runs into the fact that customers want to solve configuration management problems as simply as possible. Ideally, as if by magic, with a single tool. But in real life everything is more complicated (yes, the silver bullets still have not been delivered): you have to build a whole system out of tools that suit the customer's team.

Author: Sergey Artemov, architect of the DevOps Solutions department, Jet Infosystems

Source: www.habr.com
