Setting up a Nomad cluster using Consul and integrating it with Gitlab

Introduction

Recently, the popularity of Kubernetes has grown rapidly: more and more projects are implementing it. I want to touch on an orchestrator like Nomad: it is perfect for projects that already use other HashiCorp solutions, for example Vault and Consul, and that are not complex in terms of infrastructure. This article contains instructions for installing Nomad, joining two nodes into a cluster, and integrating Nomad with Gitlab.

Test stand

A little about the test bench: three virtual servers are used, each with 2 CPU, 4 RAM, 50 Gb SSD, joined in a common local network. Their names and IP addresses:

  1. nomad-livelinux-01: 172.30.0.5
  2. nomad-livelinux-02: 172.30.0.10
  3. consul-livelinux-01: 172.30.0.15

Installing Nomad and Consul. Creating a Nomad cluster

Let's start with the basic installation. Although the setup is simple, I will describe it for the sake of the article's completeness: it was essentially put together from drafts and notes for quick access when needed.

Before we start the practical part, we will discuss the theory, because at this stage it is important to understand the future structure.

We have two Nomad nodes and want to combine them into a cluster, and in the future we will also need automatic cluster scaling - for this we will need Consul. With this tool, clustering and adding new nodes becomes a very simple task: a newly created Nomad node connects to the Consul agent and then joins the existing Nomad cluster. Therefore, we will first install the Consul server, configure basic http authorization for the web panel (by default it has no authorization and can be reached at an external address), and install the Consul agents themselves on the Nomad servers, after which we will move on to Nomad itself.

Installing HashiCorp tools is very simple: essentially, we just move the binary into the bin directory, set up the tool's configuration file, and create its service file.

Download the Consul binary and unpack it in the user's home directory:

root@consul-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@consul-livelinux-01:~# mv consul /usr/local/bin/

Now we have a consul binary ready for further configuration.

To work with Consul, we need to generate a unique key using the keygen command:

root@consul-livelinux-01:~# consul keygen

Let's move on to configuring Consul by creating the directory /etc/consul.d/ with the following structure:

/etc/consul.d/
├── bootstrap
│   └── config.json

The bootstrap directory will contain the configuration file config.json, in which we set Consul's settings. Its contents:

{
"bootstrap": true,
"server": true,
"datacenter": "dc1",
"data_dir": "/var/consul",
"encrypt": "your-key",
"log_level": "INFO",
"enable_syslog": true,
"start_join": ["172.30.0.15"]
}

Let's look at the main directives and their meanings separately:

  • bootstrap: true. We enable automatic addition of new nodes when they connect. Note that we do not specify the exact number of expected nodes here.
  • server: true. Enables server mode. Consul on this virtual machine will act as the only server and master for now; the Nomad VMs will be clients.
  • datacenter: dc1. Specifies the name of the datacenter in which the cluster is created. It must be identical on clients and servers.
  • encrypt: your-key. The key, which must also be unique and must match on all clients and servers. It is generated with the consul keygen command.
  • start_join. In this list we specify the IP addresses to connect to. For now we leave only our own address.

At this point we can run consul from the command line:

root@consul-livelinux-01:~# /usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui

This is a good way to debug for now; however, you will not be able to use this method on an ongoing basis, for obvious reasons. Let's create a service file to manage Consul through systemd:

root@consul-livelinux-01:~# nano /etc/systemd/system/consul.service

Contents of the consul.service file:

[Unit]
Description=Consul Startup process
After=network.target
 
[Service]
Type=simple
ExecStart=/bin/bash -c '/usr/local/bin/consul agent -config-dir /etc/consul.d/bootstrap -ui' 
TimeoutStartSec=0
 
[Install]
WantedBy=default.target

Start Consul through systemctl:

root@consul-livelinux-01:~# systemctl start consul

Let's check: our service must be running, and by running the consul members command we should see our server:

root@consul-livelinux:/etc/consul.d# consul members
consul-livelinux    172.30.0.15:8301  alive   server  1.5.0  2         dc1  <all>

Next step: installing Nginx and setting up proxying and http authorization. We install nginx through the package manager, and in the /etc/nginx/sites-enabled directory we create the configuration file consul.conf with the following contents:

upstream consul-auth {
    server localhost:8500;
}

server {

    server_name consul.doman.name;
    
    location / {
      proxy_pass http://consul-auth;
      proxy_set_header Host $host;
      auth_basic_user_file /etc/nginx/.htpasswd;
      auth_basic "Password-protected Area";
    }
}

Don't forget to create the .htpasswd file and generate a username and password for it. This is needed so that the web panel is not available to everyone who knows our domain. However, when setting up Gitlab we will have to give this up - otherwise we will not be able to deploy our application to Nomad. In my project, both Gitlab and Nomad are only on the internal ("gray") network, so there is no such problem here.

On the remaining two servers we install Consul agents according to the following instructions. We repeat the steps with the binary:

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/consul/1.5.0/consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# unzip consul_1.5.0_linux_amd64.zip
root@nomad-livelinux-01:~# mv consul /usr/local/bin/

By analogy with the previous server, we create a directory for configuration files, /etc/consul.d, with the following structure:

/etc/consul.d/
├── client
│   └── config.json

Contents of the config.json file (bind_addr is the local address of the VM; start_join holds the remote address of the Consul server):

{
    "datacenter": "dc1",
    "data_dir": "/opt/consul",
    "log_level": "DEBUG",
    "node_name": "nomad-livelinux-01",
    "server": false,
    "encrypt": "your-private-key",
    "domain": "livelinux",
    "addresses": {
      "dns": "127.0.0.1",
      "https": "0.0.0.0",
      "grpc": "127.0.0.1",
      "http": "127.0.0.1"
    },
    "bind_addr": "172.30.0.5",
    "start_join": ["172.30.0.15"],
    "ports": {
      "dns": 53
    }
}

Save the changes and move on to the service file, whose contents are:

/etc/systemd/system/consul.service:

[Unit]
Description="HashiCorp Consul - A service mesh solution"
Documentation=https://www.consul.io/
Requires=network-online.target
After=network-online.target

[Service]
User=root
Group=root
ExecStart=/usr/local/bin/consul agent -config-dir=/etc/consul.d/client
ExecReload=/usr/local/bin/consul reload
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

We start consul on the server. Now, after starting, we should see the configured service in consul members. This means that it has successfully joined the cluster as a client. Repeat the same on the second server, after which we can begin installing and configuring Nomad.

The installation of Nomad is described in more detail in its official documentation. There are two traditional installation methods: downloading the binary and building from source. I will choose the first method.

Note: The project is developing rapidly and new updates are released frequently. A new version may well be released by the time this article is finished. Therefore, before reading, I recommend checking the current version of Nomad and downloading that one.

root@nomad-livelinux-01:~# wget https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# unzip nomad_0.9.1_linux_amd64.zip
root@nomad-livelinux-01:~# mv nomad /usr/local/bin/
root@nomad-livelinux-01:~# nomad -autocomplete-install
root@nomad-livelinux-01:~# complete -C /usr/local/bin/nomad nomad
root@nomad-livelinux-01:~# mkdir /etc/nomad.d

After unpacking, we get a Nomad binary weighing 65 MB - it must be moved to /usr/local/bin.
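
The Consul and Nomad download steps above unpack the zip without checking it. As an added example (not part of the original article), the function below checks a downloaded zip against the SHA256SUMS file HashiCorp publishes next to each release, e.g. https://releases.hashicorp.com/nomad/0.9.1/nomad_0.9.1_SHA256SUMS; the function names and the stand-in file used in demo are constructed for illustration.

```shell
#!/bin/sh
# verify_release <zip> <sums-file>
# Returns 0 only when the digest listed for exactly that file name matches the
# file on disk; 1 = digest mismatch, 2 = input file missing, 3 = no entry.
# The sums file is itself signed (.sig); checking that signature with the
# vendor's GPG key is a separate step not shown here.
verify_release() {
    zip=$1
    sums=$2
    name=$(basename "$zip")
    [ -f "$zip" ] && [ -f "$sums" ] || { echo "missing $zip or $sums" >&2; return 2; }

    # Lines look like "<64 hex digits>  <file name>". Compare the name exactly,
    # so foo.zip never picks up the entry for foo.zip.sig.
    expected=$(awk -v n="$name" '$2 == n { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "no entry for $name in $sums" >&2; return 3; }

    actual=$(sha256sum "$zip" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Constructed demo: a stand-in for the release zip, a sums file built from it,
# then the same file after tampering. Returns 0 when both behave as expected.
demo() {
    d=$(mktemp -d) || return 1
    f=nomad_0.9.1_linux_amd64.zip
    printf 'constructed stand-in for the release zip\n' > "$d/$f"
    ( cd "$d" && sha256sum "$f" > nomad_0.9.1_SHA256SUMS )
    verify_release "$d/$f" "$d/nomad_0.9.1_SHA256SUMS" || return 1
    printf 'tampered\n' >> "$d/$f"
    if verify_release "$d/$f" "$d/nomad_0.9.1_SHA256SUMS" 2>/dev/null; then
        rm -rf "$d"
        return 1
    fi
    rm -rf "$d"
}
```

On the servers this would run between wget and unzip, for example: verify_release nomad_0.9.1_linux_amd64.zip nomad_0.9.1_SHA256SUMS && unzip nomad_0.9.1_linux_amd64.zip.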

Let's create a data directory for Nomad and edit its service file (most likely it will not exist at first):

root@nomad-livelinux-01:~# mkdir --parents /opt/nomad
root@nomad-livelinux-01:~# nano /etc/systemd/system/nomad.service

Paste the following lines there:

[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target

[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity

[Install]
WantedBy=multi-user.target

However, we are in no hurry to start nomad - we have not yet created its configuration file:

root@nomad-livelinux-01:~# mkdir --parents /etc/nomad.d
root@nomad-livelinux-01:~# chmod 700 /etc/nomad.d
root@nomad-livelinux-01:~# nano /etc/nomad.d/nomad.hcl
root@nomad-livelinux-01:~# nano /etc/nomad.d/server.hcl

The final directory structure will be as follows:

/etc/nomad.d/
├── nomad.hcl
└── server.hcl

The nomad.hcl file should contain the following configuration:

datacenter = "dc1"
data_dir = "/opt/nomad"

Contents of the server.hcl file:

server {
  enabled = true
  bootstrap_expect = 1
}

consul {
  address             = "127.0.0.1:8500"
  server_service_name = "nomad"
  client_service_name = "nomad-client"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

bind_addr = "127.0.0.1" 

advertise {
  http = "172.30.0.5"
}

client {
  enabled = true
}

Don't forget to change the configuration file on the second server - there you will need to change the value of the http directive.

The last thing at this stage is to configure Nginx for proxying and set up http authorization. Contents of the nomad.conf file:

upstream nomad-auth {
        server 172.30.0.5:4646;
}

server {

        server_name nomad.domain.name;
        
        location / {
                proxy_pass http://nomad-auth;
                proxy_set_header Host $host;
                auth_basic_user_file /etc/nginx/.htpasswd;
                auth_basic "Password-protected Area";
        }
        
}

Now we can access the web panel over the external network. Connect and go to the servers page:

Figure 1. List of servers in the Nomad cluster

Both servers are displayed successfully in the panel; we will see the same thing in the output of the nomad node status command:

Figure 2. Output of the nomad node status command

What about Consul? Let's take a look. Go to the Consul control panel, to the nodes page:

Figure 3. List of nodes in the Consul cluster

We now have Nomad set up and working in conjunction with Consul. In the final stage we get to the fun part: setting up delivery of Docker containers from Gitlab to Nomad, and we will also talk about some of its other distinctive features.

Creating a Gitlab Runner

To deploy docker images to Nomad, we will use a separate runner with the Nomad binary inside (here, by the way, we can note another feature of Hashicorp applications - each of them is a single binary file). Put it in the runner's directory. Let's create a simple Dockerfile for it with the following content:


FROM alpine:3.9
RUN apk add --update --no-cache libc6-compat gettext
COPY nomad /usr/local/bin/nomad

In the same project we create .gitlab-ci.yml:

variables:
  DOCKER_IMAGE: nomad/nomad-deploy
  DOCKER_REGISTRY: registry.domain.name
 

stages:
  - build

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:latest
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}

As a result, we will have an image of the Nomad runner available in the Gitlab Registry; now we can go directly to the project repository, create a Pipeline and configure the Nomad job.

Project setup

Let's start with the job file for Nomad. My project in this article will be quite primitive: it will consist of a single task. The contents of .gitlab-ci will be as follows:

variables:
  NOMAD_ADDR: http://nomad.address.service:4646
  DOCKER_REGISTRY: registry.domain.name
  DOCKER_IMAGE: example/project

stages:
  - build
  - deploy

build:
  stage: build
  image: ${DOCKER_REGISTRY}/nomad-runner/alpine:3
  script:
    - tag=${DOCKER_REGISTRY}/${DOCKER_IMAGE}:${CI_COMMIT_SHORT_SHA}
    - docker build --pull -t ${tag} -f Dockerfile .
    - docker push ${tag}


deploy:
  stage: deploy
  image: registry.example.com/nomad/nomad-runner:latest
  script:
    - envsubst '${CI_COMMIT_SHORT_SHA}' < project.nomad > job.nomad
    - cat job.nomad
    - nomad validate job.nomad
    - nomad plan job.nomad || if [ $? -eq 255 ]; then exit 255; else echo "success"; fi
    - nomad run job.nomad
  environment:
    name: production
  allow_failure: false
  when: manual

Here the deployment is started manually, but you can configure it to run on changes to the contents of the project directory. The Pipeline consists of two stages: building the image and deploying it to nomad. In the first stage we build a docker image and push it to our Registry, and in the second we launch our job in Nomad.

job "monitoring-status" {
    datacenters = ["dc1"]
    migrate {
        max_parallel = 3
        health_check = "checks"
        min_healthy_time = "15s"
        healthy_deadline = "5m"
    }

    group "zhadan.ltd" {
        count = 1
        update {
            max_parallel      = 1
            min_healthy_time  = "30s"
            healthy_deadline  = "5m"
            progress_deadline = "10m"
            auto_revert       = true
        }
        task "service-monitoring" {
            driver = "docker"

            config {
                image = "registry.domain.name/example/project:${CI_COMMIT_SHORT_SHA}"
                force_pull = true
                auth {
                    username = "gitlab_user"
                    password = "gitlab_password"
                }
                port_map {
                    http = 8000
                }
            }
            resources {
                network {
                    port "http" {}
                }
            }
        }
    }
}

Please note that I have a private registry, and to pull a docker image successfully I need to log in to it. The best solution in this case is to put the login and password into Vault and then integrate it with Nomad. Nomad natively supports Vault. But first, let's install the necessary policies for Nomad in Vault itself; they can be downloaded:

# Download the policy and token role
$ curl https://nomadproject.io/data/vault/nomad-server-policy.hcl -O -s -L
$ curl https://nomadproject.io/data/vault/nomad-cluster-role.json -O -s -L

# Write the policy to Vault
$ vault policy write nomad-server nomad-server-policy.hcl

# Create the token role with Vault
$ vault write /auth/token/roles/nomad-cluster @nomad-cluster-role.json

Now, having created the necessary policies, we will add the integration with Vault in the task block of the job.nomad file:

vault {
  enabled = true
  address = "https://vault.domain.name:8200"
  token = "token"
}

I use token authorization and specify the token directly here; there is also the option of passing the token as a variable when starting the nomad agent:

$ VAULT_TOKEN=<token> nomad agent -config /path/to/config

Now we can use keys from Vault. The principle is simple: in the Nomad job we create a file that will store the values of the variables, for example:

template {
    data = <<EOH
{{ with secret "secrets/pipeline-keys" }}
REGISTRY_LOGIN="{{ .Data.REGISTRY_LOGIN }}"
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
{{ end }}
EOH
    destination = "secrets/service-name.env"
    env = true
}
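
The deploy stage shown earlier runs cat job.nomad, which writes the whole rendered job file, including the literal values in the auth and vault blocks, into the CI job log. The check below is an added example, not part of the original pipeline: it flags password/token assignments that are still quoted literals and prints the file only when none are found. The function names and sample file names are hypothetical, and the sample contents are constructed from the snippets in this article.

```shell
#!/bin/sh
# find_literal_secrets <job-file>
# Lists (value redacted) each password/token assignment whose value is a quoted
# literal; values built from ${...} or {{ ... }} pass.
# Exit status: 0 clean, 1 literals found, 2 file unreadable.
find_literal_secrets() {
    [ -r "$1" ] || return 2
    awk '
        /^[ \t]*(#|\/\/)/ { next }    # ignore comment lines
        {
            line = tolower($0)
            if (!match(line, /(password|token)[ \t]*=[ \t]*"[^"]*"/)) next
            val = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", val); sub(/"$/, "", val)
            if (val == "" || index(val, "${") || index(val, "{{")) next
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            printf "%d: %s = <redacted>\n", NR, key
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Gate for the deploy job: print the rendered file only when it is clean.
show_job_if_clean() {
    if hits=$(find_literal_secrets "$1"); then
        cat "$1"
    else
        printf 'refusing to print %s:\n%s\n' "$1" "$hits" >&2
        return 1
    fi
}

# Constructed samples: the literal auth/vault values shown in the article, and
# the template form that reads the value from Vault instead.
write_samples() {
    cat > "$1/literal.nomad" <<'EOF'
auth {
    username = "gitlab_user"
    password = "gitlab_password"
}
vault {
  token = "token"
}
EOF
    cat > "$1/templated.nomad" <<'EOF'
REGISTRY_PASSWORD="{{ .Data.REGISTRY_PASSWORD }}"
EOF
}
```

In the pipeline the bare cat job.nomad step would become show_job_if_clean job.nomad, so a job file with literal credentials fails the deploy stage before anything is printed or submitted.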

With this simple approach, you can set up delivery of containers to a Nomad cluster and work with it in the future. I will say that to some extent I sympathize with Nomad - it is better suited to small projects where Kubernetes could add extra complexity and would not realize its full potential. In addition, Nomad is perfect for beginners: it is easy to install and configure. However, when testing on some projects, I ran into a problem with its early versions - many basic functions are simply not there or do not work correctly. Nevertheless, I believe that Nomad will continue to develop and in the future will acquire the functions that everyone needs.

Author: Ilya Andreev, edited by Alexey Zhadan and the Live Linux team


Source: www.habr.com
