Ukulandelela uxhumo (“conntrack”) kuyisici esibalulekile se-Linux kernel networking stack. Ivumela i-kernel ukuthi ilandele konke ukuxhumana okunengqondo kwenethiwekhi noma ukugeleza futhi ngaleyo ndlela ihlonze wonke amaphakethe akha ukugeleza ngakunye ukuze akwazi ukucutshungulwa ndawonye ngokulandelana.
I-Contrack isici esibalulekile se-kernel esisetshenziswa kwezinye izimo eziyisisekelo:
- I-NAT incike olwazini oluvela ku-contrack ukuze iphathe wonke amaphakethe asuka emfudlaneni ofanayo ngokulinganayo. Isibonelo, uma i-pod ifinyelela isevisi ye-Kubernetes, isilinganisi somthwalo we-kube-proxy sisebenzisa i-NAT ukuqondisa ithrafikhi ku-pod ethile ngaphakathi kweqoqo. I-Conntrack irekhoda ukuthi ngoxhumo olunikeziwe, wonke amaphakethe kusevisi ye-IP kufanele athunyelwe ku-pod efanayo, nokuthi amaphakethe abuyiswe yi-backend pod kufanele abuyiselwe ku-pod isicelo esivela kuyo.
- Iziqhumane eziqinile ezifana ne-Calico zincike olwazini olusuka kusixhumanisi ukuya kuthrafikhi "yempendulo" egunyaziwe. Lokhu kukuvumela ukuthi ubhale inqubomgomo yenethiwekhi ethi "vumela i-pod yami ukuthi ixhume kunoma yiliphi ikheli le-IP elikude" ngaphandle kokuthi ubhale inqubomgomo ukuze uvumele ngokusobala ithrafikhi yokuphendula. (Ngaphandle kwalokhu, kuzodingeka wengeze okuvikeleke kancane kakhulu kokuthi "vumela amaphakethe ku-pod yami kunoma yimuphi umthetho we-IP".)
Ukwengeza, contrack ngokuvamile kuthuthukisa ukusebenza kwesistimu (ngokunciphisa ukusetshenziswa kwe-CPU nokubambezeleka kwephakethe) kusukela kuphela iphakethe lokuqala emfudlaneni.
kufanele idlule kuso sonke isitaki senethiwekhi ukuze unqume ukuthi wenzeni ngaso. Bona okuthunyelwe ""ukubona isibonelo sokuthi isebenza kanjani.
Kodwa-ke, i-contrack inemikhawulo yayo ...
Pho konakele kuphi?
Ithebula le-contrack linosayizi omkhulu olungisekayo, futhi uma ligcwala, ukuxhumana ngokuvamile kuqala ukwenqatshwa noma ukwehliswa. Kunesikhala esanele esanele etafuleni sokusingatha ithrafikhi yezinhlelo zokusebenza eziningi, futhi lokhu akusoze kwaba inkinga. Kodwa-ke, kunezimo ezimbalwa lapho ongase uthande ukucabangela ukusebenzisa ithebula le-conntrack:
- Icala elisobala kakhulu uma iseva yakho iphethe inombolo enkulu kakhulu yokuxhumana okusebenzayo ngesikhathi esisodwa. Isibonelo, uma ithebula lakho le-contrack lihlelelwe ukufakwa okungu-128k, kodwa une>128k yokuxhumana ngesikhathi esisodwa, uzongena enkingeni!
- Icala elingabonakali kancane: uma iseva yakho icubungula inombolo enkulu kakhulu yokuxhumana ngomzuzwana. Ngisho noma ukuxhumeka kuphila isikhashana, kuyaqhubeka nokugadwa yi-Linux isikhathi esithile (ama-120 ngokuzenzakalelayo). Isibonelo, uma ithebula lakho le-conntrack lihlelelwe okufakiwe okungu-128k futhi uzama ukuphatha ukuxhumana okungu-1100 ngomzuzwana, azodlula usayizi wethebula le-conntrack, noma ngabe ukuxhumana kuphila isikhathi esifushane kakhulu (128k/120s = 1092 uxhumano/ s).
Kunezinhlobo ezimbalwa ze-niche zezinhlelo zokusebenza eziwela kulezi zigaba. Ukwengeza, uma unabalingisi abaningi ababi, ukugcwalisa ithebula le-conntrack yeseva yakho ngoxhumo oluningi oluvuleke uhhafu kungasetshenziswa njengengxenye yokuhlasela kwe-denial of service (DOS). Kuzo zombili izimo, ukungena ngemvume kungaba umgoqo ohlelweni lwakho. Kwezinye izimo, ukulungisa imingcele yethebula le-contrack kungase kwanele ukuhlangabezana nezidingo zakho - ngokwandisa usayizi noma ukunciphisa isikhathi sokuvala (kodwa uma ukwenzisa kahle, uzongena enkingeni enkulu). Kwezinye izimo kuyodingeka ukuthi udlule umgwaqo ukuze uthole ithrafikhi enolaka.
Isibonelo sangempela
Ake sinikeze isibonelo esiqondile: umhlinzeki oyedwa omkhulu we-SaaS esisebenze naye ubenenombolo yamaseva agcinwe kwi-memcached kubabungazi (hhayi imishini ebonakalayo), ngayinye ecubungula ukuxhumeka kwesikhashana okungu-50K+ ngomzuzwana.
Bazame ukucushwa kwe-conntrack, ukwandisa osayizi betafula nokunciphisa isikhathi sokulandela umkhondo, kodwa ukucushwa kwakungathembeki, ukusetshenziswa kwe-RAM kwanda kakhulu, okwakuyinkinga (ngokuhlelwa kwe-GBytes!), Futhi ukuxhumeka bekukufushane kangangokuthi ukuphikisana akuzange kwenzeke. dala inzuzo yayo evamile yokusebenza (i-CPU encishisiwe yokusetshenziswa noma ukubambezeleka kwephakethe).
Baphendukela kuCalico njengenye indlela. Izinqubomgomo zenethiwekhi ye-Calico zikuvumela ukuthi ungasebenzisi i-contrack ezinhlotsheni ezithile zethrafikhi (usebenzisa inketho yenqubomgomo ye-doNotTrack). Lokhu kubanike izinga lokusebenza abalidingayo, kanye nezinga elingeziwe lokuphepha elinikezwe u-Calico.
Yiziphi ubude okufanele uhambe kuzo ukuze udlule i-contrack?
- Ungalandeli izinqubomgomo zenethiwekhi ngokuvamile kufanele zilingane. Endabeni yomhlinzeki we-SaaS: izicelo zabo zisebenza ngaphakathi kwendawo evikelekile ngakho-ke, zisebenzisa inqubomgomo yenethiwekhi, zingagunyaza ithrafikhi kwezinye izinhlelo zokusebenza ezivunyelwe ukufinyelela ku-memcached.
- Inqubomgomo yokungalandeleli ayibheki inkomba yokuxhumana. Ngakho-ke, uma iseva ye-memcache intshontshiwe, ungazama ukuxhuma kunoma yimaphi amaklayenti agcinwe kwi-memcache, inqobo nje uma isebenzisa imbobo yomthombo efanele. Kodwa-ke, uma uyichaze kahle inqubomgomo yenethiwekhi yamakhasimende akho agcinwe kwi-memcached, le mizamo yokuxhumana isazonqatshwa ngasohlangothini lweklayenti.
- Inqubomgomo yokungalandeleli isetshenziswa kuwo wonke amaphakethe, ngokuphambene nezinqubomgomo ezivamile, ezisetshenziswa kuphela ephaketheni lokuqala ekugelezeni. Lokhu kungakhuphula ukusetshenziswa kwe-CPU ngephakethe ngalinye ngoba kufanele kusetshenziswe inqubomgomo ephaketheni ngalinye. Kodwa ekuxhumekeni kwesikhathi esifushane, lezi zindleko zilinganiswa ngokuncishiswa kokusetshenziswa kwezinsiza ekucubunguleni ama-contrack. Isibonelo, endabeni yomhlinzeki we-SaaS, inani lamaphakethe okuxhumana ngakunye lalincane kakhulu, ngakho ukusetshenziswa okwengeziwe kwe-CPU lapho kusetshenziswa izinqubomgomo ephaketheni ngalinye kwakufaneleka.
Ake siqale ukuhlola
Siqhube uhlolo ku-pod eyodwa ngeseva e-memcached kanye namaphodi eklayenti e-memcached amaningi asebenza kumanodi akude ukuze sikwazi ukusebenzisa inombolo enkulu kakhulu yokuxhumana ngomzuzwana. Iseva ene-memcached server pod yayinama-cores angu-8 kanye nokufakiwe okungu-512k kuthebula le-conntrack (usayizi wethebula omisiwe ojwayelekile womsingathi).
Silinganise umehluko wokusebenza phakathi: akukho nqubomgomo yenethiwekhi; ngenqubomgomo evamile ye-Calico; kanye nenqubomgomo ye-Calico yokungalandeleli.
Esivivinyweni sokuqala, sibeka inombolo yokuxhumeka ku-4.000 ngomzuzwana, ukuze sikwazi ukugxila kumehluko ekusetshenzisweni kwe-CPU. Kwakungekho mehluko obalulekile phakathi kokungabikho kwenqubomgomo kanye nenqubomgomo evamile, kodwa ungalandeli ukhuphule ukusetshenziswa kwe-CPU cishe ngo-20%:
Esivivinyweni sesibili, sethule ukuxhumana okuningi ngendlela amakhasimende ethu akwazi ngayo ukukhiqiza futhi sikala inani eliphezulu lokuxhumeka ngesekhondi ngalinye elingaphathwa yiseva yethu ye-memcache. Njengoba bekulindelekile, amacala "akukho nqubomgomo" kanye "nenqubomgomo evamile" womabili afinyelele umkhawulo wokufinyelela wokuxhumana okungaphezu kuka-4,000 ngomzuzwana (512k / 120s = 4,369 uxhumano/s). Ngenqubomgomo yokungalandeleli, amakhasimende ethu athumele ukuxhumana okungu-60,000 ngomzuzwana ngaphandle kwezinkinga. Siyaqiniseka ukuthi singayikhulisa le nombolo ngokwengeza amakhasimende amaningi, kodwa sinomuzwa wokuthi lezi zinombolo sezivele zanele ukukhombisa iphuzu lalesi sihloko!
isiphetho
I-Contrack iyisici esibalulekile se-kernel. Wenza umsebenzi wakhe ngokuphelele. Ngokuvamile isetshenziswa izingxenye zesistimu ezibalulekile. Kodwa-ke, kwezinye izimo ezithile, ukuminyana ngenxa ye-contrack kudlula izinzuzo ezijwayelekile ezihlinzekayo. Kulesi simo, izinqubomgomo zenethiwekhi ye-Calico zingasetshenziswa ukukhubaza ngokukhetha ukusetshenziswa kwe-contrack ngenkathi kukhulisa ukuphepha kwenethiwekhi. Kuwo wonke amanye amathrafikhi, i-contrack iyaqhubeka nokuba umngane wakho!
Funda nezinye izindatshana kubhulogi yethu:
Source: www.habr.com