Consul + iptables = :3

In 2010 the Wargaming company had 50 servers and a simple network model: backend, frontend and firewall. The number of servers grew and the model became much more complex: staging, isolated VLANs with ACLs, then VPNs with VRFs, VLANs with ACLs on L2, VRFs with ACLs on L3. Is your head spinning already? It gets even more fun later.

When there were 16 000 servers, working without tears across so many different segments became impossible. So we came up with a different solution. We took the Netfilter stack, added Consul to it as a data source, and got a fast distributed firewall. It replaced the ACLs on the routers and served as both the external and the internal firewall. To manage the tool dynamically we developed the BEFW system, which came to be used everywhere: from controlling user access to the production network to isolating network segments from one another.

Ivan Agarkov (anmuor) will tell you how it all works and why you should take a close look at this system. Ivan heads the infrastructure security group of the Maintenance division at the company's Minsk development center. He is a SELinux fan, loves Perl, and writes code. As head of the information security group he constantly works with logs, backups and R&D to protect Wargaming from hackers and to keep all of the company's game servers running.

Historical background

Before I tell you how we did it, I will tell you how we got there in the first place and why it was needed. To do that, let's go back 9 years: it is 2010, World of Tanks has just appeared, and Wargaming has about 50 servers.

[Figure: company server growth chart]

We had a network model. For that time it was excellent.

[Figure: network model in 2010]

Out front there are bad guys who want to hack us, but there is a firewall. There is no firewall on the backend, but there are only 50 servers there and we know every one of them. Everything works fine.

In 4 years the server fleet grew 100 times, to 5000. The first isolated networks appeared: staging. They could not reach production, and things were often running there that could be dangerous.

[Figure: network model in 2014]

By inertia we used the same pieces of hardware, and all the work was done on isolated VLANs: ACLs were written on the VLANs to allow or deny a certain kind of connection.

In 2016 the number of servers reached 8000. Wargaming absorbed other studios, and additional partner networks appeared. They look like ours, but they are not: a VLAN usually does not work for partners, you have to use a VPN with VRF, and isolation becomes much harder. The mix of ACL isolation kept growing.

[Figure: network model in 2016]

At the beginning of 2018 the fleet of machines had grown to 16 000. There were 6 segments, and we did not even count the others, including closed ones where financial data is stored. Container networks (Kubernetes), DevOps, cloud networks connected via VPN, for example from IVS, all appeared. There were a great many rules. It hurt.

[Figure: network model and isolation methods in 2018]

For isolation we used: VLAN with ACL on L2, VRF with ACL on L3, VPN and much more. Too much.

Problems

Everyone lives with ACLs and VLANs. So what is wrong? Harold, hiding his pain, will answer this question.


There were many problems, but five of them were major.

  • Geometric growth in the cost of new rules. Each new rule took longer to add than the previous one, because first you had to find out whether such a rule already existed.
  • No firewalls inside segments. The segments were somehow separated from one another, but inside them there were no longer enough resources.
  • Rules took a long time to apply. Operators could write one local rule by hand in an hour. A global one took several days.
  • Difficulty auditing the rules. More precisely, it was impossible. The first rules were written back in 2010, and most of their authors no longer worked for the company.
  • Low level of control over the infrastructure. This was the main problem: we did not really know what was going on in our own world.

This is what a network engineer looked like in 2018 on hearing: "We need one more ACL."


Solutions

At the beginning of 2018 it was decided to do something about this.

The cost of integration keeps growing. The starting point was that the large data centers had stopped supporting isolated VLANs and ACLs because the devices were running out of memory.

Solution: we removed the human factor and fully automated the granting of access.

New rules take a long time to apply. Solution: speed up the application of rules, make it distributed and parallel. This requires a distributed system so that the rules deliver themselves, without rsync or SFTP to a thousand systems.

No firewalls inside segments. A firewall inside a segment became necessary for us when different services appeared on the same network. Solution: use a firewall at the host level: host-based firewalls. We have Linux almost everywhere, and iptables everywhere, so this is not a problem.

Difficulty auditing the rules. Solution: keep all rules in one place for review and management, so that we can audit everything.

Low level of control over the infrastructure. Solution: take an inventory of all services and of the access between them.

This is more an administrative process than a technical one. Sometimes we have 200-300 new releases a week, especially during promotions and holidays. Moreover, that is for just one of our DevOps teams. With so many releases it is impossible to see which ports, IPs and integrations are needed. So we needed specially trained service managers who asked the teams: "What is there anyway, and why did you bring it up?"

After everything we rolled out, a network engineer in 2019 started to look like this.


Consul

We decided that we would put everything we had found with the help of the service managers into Consul, and from there write the iptables rules.

How did we decide to do it?

  • We collect all services, networks and users.
  • We create iptables rules based on them.
  • We automate control.
  • ....
  • PROFIT.

Consul is not a remote API; it can run on every node and write to iptables. All that is left is to come up with automatic controls that clean up whatever is unnecessary, and most of the problems are solved! We will fix the rest as we go.

Why Consul?

It had proven itself. In 2014-15 we used it as the backend for Vault, where we keep passwords.

It does not lose data. Over the whole time we used it, Consul did not lose data in a single incident. That is a big plus for a firewall management system.

P2P connectivity speeds up the spread of changes. With P2P all changes arrive quickly; there is no need to wait for hours.

Convenient REST API. We also considered Apache ZooKeeper, but it has no REST API, so you would have to bolt on crutches.

Works as both a key-value store (KV) and a directory (service discovery). You can store services, catalogs and data centers at the same time. This is convenient not only for us but also for neighboring teams, because when we build a global service we think big.

Written in Go, which is part of the Wargaming stack. We love this language; we have many Go developers.

Powerful ACL system. In Consul you can use ACLs to control who writes what. We guarantee that the firewall rules will not overlap with anything else, and we have no problems with this.

But Consul also has its pitfalls.

  • It does not scale within a data center unless you have the enterprise version. It scales only by federation.
  • It depends heavily on network quality and server load. Consul will not work properly as a server on a busy machine if there are lags in the network, for example uneven speed. This is because of the P2P connectivity and the update propagation model.
  • Availability is hard to monitor. In its status Consul may say that everything is fine while it died long ago.

We solved most of these problems while using Consul, which is why we chose it. The company has plans for an alternative solution, but we have learned to deal with the problems and for now we live with Consul.

How Consul works

We install three to five servers in a hypothetical data center. One or two servers will not do: they cannot form a quorum and decide who is right and who is wrong when the data does not match. More than five makes no sense; performance will drop.


Clients connect to the servers in any order: they are the same agents, only with the flag server = false.


After that, the clients receive the list of P2P connections and build connections among themselves.


At the global level we connect several data centers. They also connect P2P and communicate.


When we want to fetch data from another data center, the request goes from server to server. This scheme is called the Serf protocol. The Serf protocol, like Consul, was developed by HashiCorp.

Some important facts about Consul

Consul has documentation describing how it works. I will give only selected facts that are worth knowing.

Consul servers elect a master among the voters. Consul elects a master from the list of servers in each data center, and all requests go only to it, regardless of the number of servers. A hung master does not trigger re-election. If no master is elected, nobody serves requests.

Do you want horizontal scaling? Sorry, no.

A request to another data center goes from master to master, regardless of which server it arrived at. The elected master gets 100% of the load, on top of the load of forwarding requests. All servers in the data center have an up-to-date copy of the data, but only one of them answers.

The only way to scale is to enable stale mode on the client.

In stale mode you can answer without a quorum. This is a mode in which we give up data consistency but read somewhat faster than usual, and any server answers. Naturally, writes still go only through the master.

Consul does not replicate data between data centers. When a federation is assembled, each server has only its own data. For everything else it always turns to someone else.

Atomicity of operations is not guaranteed outside a transaction. Remember that you are not the only one who can change things. If you want it otherwise, perform a transaction with a lock.

Blocking operations do not guarantee a lock. The request goes from master to master, not directly, so there is no guarantee that the lock will work when you lock, for example, in another data center.

ACLs do not guarantee access either (in many cases). An ACL may not work because it is stored in a single data center of the federation: the ACL data center (Primary DC). If that DC does not answer you, the ACL will not work.

One hung master hangs the whole federation. For example, there are 10 data centers in a federation, one has a bad network, and one master fails. Everyone who communicates with it gets stuck in a loop: there is a request, there is no response to it, the thread hangs. There is no way to know when this will happen; within an hour or two the whole federation falls over. There is nothing you can do about it.

Status, quorum and election are handled by a separate thread. Re-election will not happen, and the status will show nothing. You think you have a live Consul, you query it, and nothing happens: there is no answer. At the same time the status shows that everything is fine.

We ran into this problem and had to rebuild parts of our data centers to avoid it.

The enterprise version, Consul Enterprise, does not have some of the drawbacks above. It has many useful functions: choosing voters, distribution, scaling. There is only one "but": the licensing scheme for a distributed system is very expensive.

Life hack: rm -rf /var/lib/consul is the cure for all agent illnesses. If something does not work for you, just delete your data and pull it again from a replica. Most likely, Consul will then work.

BEFW

Now let's talk about what we added on top of Consul.

BEFW is an acronym for BAckEndFireWall. I had to name the product somehow when I created the repository to put the first tests in. The name stuck.

Rule templates

The rules are written in iptables syntax.

  • -N BEFW
  • -P INPUT DROP
  • -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • -A INPUT -i lo -j ACCEPT
  • -I INPUT -j BEFW

Everything goes into the BEFW chain, except ESTABLISHED, RELATED and localhost. The template can be anything; this is just an example.

How is BEFW useful?

Services

We have a service; it always has a port and the node it runs on. On our node we can query the local agent and find out that we have a certain kind of service. You can also put tags on it.


Any service that is running and registered with Consul turns into an iptables rule. We have SSH: open port 22. The Bash script is simple: curl and iptables, nothing else is needed.

Clients

How do you open access not to everyone, but selectively? Add a list of IPs to the KV storage under the service name.


For example, we want everyone on the tenth network to be able to reach the SSH_TCP_22 service. Add one small TTL field? And now we have temporary permissions, for example for a day.

Access

We connect services and clients: we have a service, and KV storage is prepared for each one. Now we grant access not to everyone, but selectively.


Groups

If we write out thousands of IPs for access every time, we will get tired. Let's come up with groups: a separate subset in KV. Let's call it Alias (or groups) and store groups there on the same principle.


Let's connect them: now we can open SSH not to individual addresses directly, but to a whole group or several groups. In the same way there is a TTL: you can add a member to a group, or remove it from the group, temporarily.


Integration

Our problem is the human factor and automation. So far we have solved it this way.


We work with Puppet, and we hand over to it everything related to the system (application code). Puppetdb (a regular PostgreSQL) stores the list of services running there; they can be found by resource type. From there you can find out who is applying what, and where. We also have a pull request and merge procedure for this.

We wrote befw-sync, a simple solution that helps transfer the data. First puppetdb is queried for the synchronization data. An HTTP API is set up there: we ask what services we have and what needs to be done. Then a request is made to Consul.

Is there integration? Yes: people wrote the rules and allowed pull requests to be accepted. Do you need a certain port, or to add a host to a certain group? Pull request, review, and no more "Find another 200 ACLs and try to do something with them."

Optimization

Pinging localhost with an empty rule chain takes 0.075 ms.


Let's add 10 000 iptables addresses to this chain. As a result the ping grows many times over: iptables is completely linear, and processing each address takes some time.


On a firewall to which we move thousands of ACLs we have a lot of rules, and this introduces latency. That is bad for game protocols.

But if we put those 10 000 addresses into an ipset, the ping even drops.


The point is that the "O" (algorithmic complexity) of an ipset is always 1, regardless of how many rules there are. True, there is a limit: there can be no more than 65535 entries. For now we live with it: you can combine, extend, or split one set into two ipsets.

Storage

The logical next step of this iteration is to store the information about a service's clients in an ipset.


Now we have the same SSH, but we do not write 100 IPs at a time; instead we set the name of the ipset the rule must match against, followed by a DROP rule. It could be turned into a single rule "whoever is not here, DROP", but this is clearer.

Now we have rules and sets. The main task is to create the set before writing the rule, because otherwise iptables will refuse to write the rule.

General scheme

In diagram form, everything I have described looks like this.


We commit to Puppet, everything is delivered to the host, the services here, the ipset there, and whoever is not registered there is not let in.

Allow and deny

To save the world quickly, or to cut someone off quickly, at the head of every chain we made two ipsets: rules_allow and rules_deny. How does it work?

For example, someone creates load on our web with bots. Previously you had to find their IP in the logs and take it to the network engineers, so that they could find the traffic source and block it. It looks different now.


We send it to Consul, wait 2.5 seconds, and it is done. Since Consul distributes quickly via P2P, it works everywhere, in any part of the world.

I once somehow stopped WOT completely by making a mistake with the firewall. rules_allow is our insurance against such cases. If we have made a mistake somewhere with the firewall and something is blocked somewhere, we can always send a conditional 0.0/0 to quickly open everything up again. Later we fix everything by hand.
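As an added example (not BEFW's own code, which lives on its GitHub), here is a small Go rule generator in the spirit of the scheme above: it expands groups, drops grants whose TTL has expired, emits every ipset before the rule that names it, puts rules_allow and rules_deny at the head of the BEFW chain, refreshes each service set through a scratch set and an ipset swap rather than a flush, and splits 0.0.0.0/0 into 0.0.0.0/1 and 128.0.0.0/1 as the pitfalls section requires. The Client and Service types and the "@group" alias notation are assumptions made for this example, not BEFW's real KV schema.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"time"
)

// Client is one KV entry: a CIDR or an "@group" alias, with the optional expiry
// that the TTL field gives to temporary grants (zero value: permanent).
type Client struct {
	Prefix  string
	Expires time.Time
}

// Service mirrors a service registered with the local Consul agent. The struct
// layout and the "@group" alias notation are assumptions made for this example.
type Service struct {
	Name, Proto string // ipset and rule name such as SSH_TCP_22; tcp or udp
	Port        int
	Clients     []Client
}

// ExpandClients expands aliases, drops expired entries, splits 0.0.0.0/0 into 0.0.0.0/1
// and 128.0.0.0/1 (the hard rule from the pitfalls section) and validates every CIDR.
func ExpandClients(clients []Client, groups map[string][]Client, now time.Time) ([]string, error) {
	seen, expanded := map[string]bool{}, map[string]bool{}
	queue := append([]Client(nil), clients...)
	for i := 0; i < len(queue); i++ { // the queue grows as group members are appended
		c := queue[i]
		if !c.Expires.IsZero() && !now.Before(c.Expires) {
			continue // TTL ran out: the grant simply disappears
		}
		if len(c.Prefix) > 1 && c.Prefix[0] == '@' {
			members, ok := groups[c.Prefix[1:]]
			if !ok {
				return nil, fmt.Errorf("unknown alias %s", c.Prefix)
			}
			if !expanded[c.Prefix] { // groups may nest; expand each one only once
				expanded[c.Prefix] = true
				queue = append(queue, members...)
			}
			continue
		}
		prefixes := []string{c.Prefix}
		if c.Prefix == "0.0.0.0/0" {
			prefixes = []string{"0.0.0.0/1", "128.0.0.0/1"}
		}
		for _, p := range prefixes {
			if _, _, err := net.ParseCIDR(p); err != nil {
				return nil, fmt.Errorf("bad client prefix %q", c.Prefix)
			}
			seen[p] = true
		}
	}
	out := make([]string, 0, len(seen))
	for p := range seen {
		out = append(out, p)
	}
	sort.Strings(out)
	return out, nil
}

// Build renders ipset commands and iptables rules in the order BEFW needs: every set exists
// before a rule names it, and each service set is filled in a scratch set, then swapped in.
func Build(services []Service, groups map[string][]Client, now time.Time) ([]string, []string, error) {
	sets := []string{"ipset -exist create rules_allow hash:net", "ipset -exist create rules_deny hash:net"}
	rules := []string{"-N BEFW", "-P INPUT DROP", "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT", "-A INPUT -i lo -j ACCEPT",
		"-I INPUT -j BEFW", "-A BEFW -m set --match-set rules_allow src -j ACCEPT", "-A BEFW -m set --match-set rules_deny src -j DROP"}
	for _, s := range services { // rules follow the order the services are given in
		prefixes, err := ExpandClients(s.Clients, groups, now)
		if err != nil {
			return nil, nil, fmt.Errorf("%s: %v", s.Name, err)
		}
		tmp := s.Name + "_tmp"
		sets = append(sets, "ipset -exist create "+s.Name+" hash:net", "ipset -exist create "+tmp+" hash:net", "ipset flush "+tmp)
		for _, p := range prefixes {
			sets = append(sets, "ipset add "+tmp+" "+p)
		}
		sets = append(sets, "ipset swap "+tmp+" "+s.Name, "ipset destroy "+tmp) // the live set is never flushed
		rules = append(rules, fmt.Sprintf("-A BEFW -p %s --dport %d -m set --match-set %s src -j ACCEPT", s.Proto, s.Port, s.Name))
	}
	return sets, append(rules, "-A BEFW -j DROP"), nil // whoever is not listed is dropped
}
```

Run the ipset lines first and only then feed the rules to iptables; that ordering is exactly the point the Storage section makes.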

Other sets

You can add any other sets in the $IPSETS$ space.


What for? Sometimes someone needs an ipset, for example to emulate shutting down part of a cluster. Anyone can bring any sets, name them, and they will be picked up from Consul. At the same time, the sets can either take part in iptables rules or act as a NOOP group: consistency is maintained by the daemon.

Users

Previously it was like this: a user connected to the network and received parameters through the domain. Before new-generation firewalls arrived, Cisco had no way of understanding where the user is and where the IP is. Therefore access was granted only by the hostname of the machine.

What did we do? We hooked in at the moment the address is obtained. Usually this is dot1x, Wi-Fi or VPN: everything goes through RADIUS. For each user we create a group named after the username and put the IP into it with a TTL equal to its dhcp.lease: as soon as the lease expires, the rule disappears.


Now we can open access to services, just as with other groups, by username. We removed the pain with hostnames that change, and we took the load off the network engineers because they no longer need Cisco for this. Now the engineers themselves register access to their servers.

Isolation

At the same time we started dismantling the isolation. The service managers took an inventory, and we analyzed all our networks. We split them into the same kind of groups, and on the servers that need it we add extra groups, for example deny. Now the same staging isolation ends up in production's rules_deny, but not in production itself.


The scheme works quickly and simply: we remove all ACLs from the servers, unload the hardware, and reduce the number of isolated VLANs.

Integrity control

Previously we had a special trigger that reported when someone changed a firewall rule by hand. I was writing a huge linter to check firewall rules; it was hard. Integrity is now controlled by BEFW. It zealously makes sure that the rules it creates do not change. If someone changes the firewall rules, it changes everything back. "I quickly set up a proxy so I could work from home": there are no such options anymore.

BEFW controls the ipsets derived from the services and from the list in befw.conf, and the service rules in the BEFW chain. But it does not watch other chains and rules, or other ipsets.

Crash protection

BEFW always saves the last known good state directly in the state.bin binary structure. If something goes wrong, it always rolls back to this state.bin.


This is insurance against unstable Consul behaviour, when it did not deliver the data, or someone made a mistake and pushed rules that cannot be applied. To make sure we are never left without a firewall, BEFW rolls back to the latest state if an error occurs at any stage.

In critical situations this is a guarantee that we will be left with a working firewall. We open all the gray networks in the hope that an admin will come and fix it. Someday I will move this into the configs, but for now we have three gray networks: 10/8, 172/12 and 192.168/16. Within our Consul this is an important feature that helps us keep developing.

Demo: during the talk, Ivan shows BEFW's demo mode. It is easier to watch the demo in the video. The demo source code is available on GitHub.

Pitfalls

I will tell you about the bugs we ran into.

ipset add set 0.0.0.0/0. What happens if you add 0.0.0.0/0 to an ipset? Will all IPs be added? Will internet access appear?

No, we get a bug that cost us two hours of downtime. What is more, the bug has been open since 2016, it sits in the RedHat Bugzilla under number #1297092, and we found it by accident, from an engineer's report.

BEFW now has a hard rule that 0.0.0.0/0 turns into two addresses: 0.0.0.0/1 and 128.0.0.0/1.

ipset restore set < file. What does ipset do if you tell it restore? Do you think it works the same way as iptables? Will it restore the data?

Nothing of the sort: it merges, and the old addresses do not go anywhere, so you do not block access.

We found this bug while testing isolation. Now there is a complex scheme: instead of restore it does create temp, then restore flush temp and restore temp, with a swap at the end. That is for atomicity, because if you do flush first and at that moment some packet arrives, it will be dropped and something will break. So there is a bit of black magic there.

consul kv get -datacenter=other. As I said, we think we are requesting some data, but we will get either the data or an error. We can do this locally via Consul, but in this case both will hang.

The local Consul client is a wrapper over the HTTP API. But it just hangs and does not respond to Ctrl+C, or Ctrl+Z, or anything, only to kill -9 from the next console. We ran into this while building a large cluster. We do not have a solution yet; we are preparing to fix this bug in Consul.

The Consul leader does not respond. Our master in the data center does not respond, and we think: "Maybe the re-election algorithm will kick in now?"

No, it will not kick in, and monitoring will show nothing: Consul will say that there is a commit index, a leader has been found, everything is fine.

How do we deal with this? service consul restart in cron every hour. If you have 50 servers, no big deal. When there are 16 000 of them, you will understand how it works.

Conclusion

As a result, we got the following advantages:

  • 100% coverage of all Linux machines.
  • Speed.
  • Automation.
  • We freed the hardware and the network engineers from slavery.
  • The integration possibilities turned out to be almost limitless: even with Kubernetes, even with Ansible, even with Python.

Downsides: Consul, which we now have to live with, and the very high cost of a mistake. As an example, once at 6 pm (prime time in Russia) I was editing something in the list of networks. We were building isolation in BEFW at the time. I made a mistake somewhere, it seems I specified the wrong mask, and everything went down within two seconds. Monitoring lights up, the support person on duty comes running: "We have everything down!" The head of the department went gray explaining to the business why this had happened.

The cost of a mistake is so high that we came up with our own complex prevention procedure. If you implement this on a large production site, you do not need to hand out the Consul master token to everyone. That will end badly.

Cost. I wrote the code over 400 hours on my own. My team of 4 people spends 10 hours a month supporting everyone. Compared with the price of any new-generation firewall, it is free.

Plans. The long-term plan is to find an alternative transport that will replace or complement Consul. Maybe it will be Kafka or something similar. But in the coming years we will live on Consul.

Immediate plans: integration with Fail2ban, with monitoring, with nftables, possibly with other distributions, metrics, advanced monitoring, optimization. Kubernetes support is also somewhere in the plans, because now we have several clusters and the desire.

More from the plans:

  • search for anomalies in traffic;
  • network map management;
  • Kubernetes support;
  • building packages for all distributions;
  • Web UI.

We are constantly working on expanding the configuration, adding metrics and optimizing.

Join the project. The project turned out to be cool, but, unfortunately, it is still a one-man project. Come to GitHub and try to do something: commit, test, suggest something, give your assessment.

In the meantime we are preparing Saint HighLoad++, which will take place on April 6 and 7 in St. Petersburg, and we invite developers of high-load systems to submit a talk. Experienced speakers already know what to do, but for those new to speaking we recommend at least giving it a try. Taking part in the conference as a speaker has a number of advantages. You can read about them, for example, at the end of this article.

Source: www.habr.com
