Banana Pi R64 router – Debian, Wireguard, RKN

The Banana Pi R64 is a single-board computer similar to the Raspberry Pi, but with several Ethernet ports, which makes it possible to turn it into a router based on a general-purpose Linux distribution.


Yes, there is already OpenWrt, but it has its own issues, its own GUI and CLI; there is Mikrotik, but it too has its own GUI/CLI, and Wireguard doesn't work there out of the box... In general, I want a router with flexible configuration that stays within the familiar Linux I work with every day.

In this article, the names BPI, R64 and single-board all mean the same thing: the Banana Pi R64 board itself.

Choosing an image. Booting from EMMC

The first skill you need when working with SBCs in general, and with the R64 in particular, is knowing how to load an operating system onto it and how to interact with it, because the R64 has no monitor port (HDMI, for example). When everything falls over and Wifi, Ethernet, Bluetooth, USB, etc. stop working, there is still the UART: through its interface you can always see what went wrong and run a few commands from the console if needed.

The procedure for connecting to the R64 via USB-UART:

  • go to a radio parts store for a USB-UART cable (PL2303, Serial-to-USB)
  • connect one end, USB, to the computer and the other, UART, to the R64, using three of the four wires, as in the picture below.
  • run sudo minicom in the computer's console

After this, in most cases the single-board's console appears = success.
More details can be found here.


Next, the easiest way to load the OS is onto an SD card: download the image via the link and write it:

unzip -p 2019-08-23-ubuntu-16.04-lite-preview-bpi-r64-sd-emmc.img.zip | pv | sudo dd of=/dev/mmcblk0 bs=10M status=noxfer

We insert the card into the R64's SD slot, power it on, and watch in the connected console as u-boot loads first, followed by regular Linux.

Another boot option is to use the 64Gb card already built into the R64, called eMMC. Following the instructions on the wiki, we copy the image to the
/dev/mmcblk0 device on the BPI, reboot, remove the SD card, power the BPI on and... it doesn't work. Don't bother flipping the Boot select switch back and forth.

The point is that on the BPI you at least need to set a special flag to be able to boot from the internal flash:

root@bpi-r64:~# ./mmc extcsd read /dev/mmcblk1 | grep 'PARTITION_CONFIG'
Boot configuration bytes [PARTITION_CONFIG: 0x00]
root@bpi-r64:~# ./mmc bootpart enable 1 1 /dev/mmcblk1
root@bpi-r64:~# ./mmc extcsd read /dev/mmcblk1 | grep 'PARTITION_CONFIG'
Boot configuration bytes [PARTITION_CONFIG: 0x48]

Next, you need to write the preloader to the special boot partition:

root@bpi-r64:~# echo 0 > /sys/block/mmcblk0boot0/force_ro 
root@bpi-r64:~# dd if=preloader_evb7622_64_foremmc.bin of=/dev/mmcblk0boot0

The R64 manufacturer (in China) posted this binary here. What it does is unknown (there is no source code), but it won't work without it.
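A check that the flag actually took, as an added example for this article rather than anything from the BPI wiki or mmc-utils: it parses the `mmc extcsd read` lines shown above and decodes the PARTITION_CONFIG byte (EXT_CSD byte 179) into the fields that `mmc bootpart enable 1 1` sets, so 0x48 reads as boot partition 1 with boot ack on. The sample console lines are constructed from the output above.

```python
import re

# Field layout of EXT_CSD byte 179 (PARTITION_CONFIG) from the JEDEC eMMC spec.
BOOT_ACK = 0x40                  # bit 6: send boot acknowledge
BOOT_PARTITION_ENABLE_SHIFT = 3  # bits 5:3: which partition is boot-enabled
BOOT_PARTITION_NAMES = {0: "boot disabled", 1: "boot partition 1",
                        2: "boot partition 2", 7: "user area"}
_LINE_RE = re.compile(r"PARTITION_CONFIG:\s*0x([0-9A-Fa-f]{2})")


def parse_partition_config(mmc_output):
    """Extract the PARTITION_CONFIG byte from `mmc extcsd read` output."""
    m = _LINE_RE.search(mmc_output)
    if not m:
        raise ValueError("PARTITION_CONFIG not found in mmc output")
    return int(m.group(1), 16)


def decode_partition_config(value):
    """Split the byte into the fields `mmc bootpart enable <part> <ack>` sets."""
    boot_sel = (value >> BOOT_PARTITION_ENABLE_SHIFT) & 0x7
    return {
        "boot_partition": BOOT_PARTITION_NAMES.get(boot_sel, "reserved (%d)" % boot_sel),
        "boot_ack": bool(value & BOOT_ACK),
        "partition_access": value & 0x7,  # bits 2:0, currently selected partition
    }


def emmc_boot_enabled(mmc_output, part=1):
    """True when the given boot partition is selected and boot ack is on,
    i.e. the state the article reaches after `mmc bootpart enable 1 1`."""
    f = decode_partition_config(parse_partition_config(mmc_output))
    return f["boot_partition"] == "boot partition %d" % part and f["boot_ack"]


# Constructed samples: the console lines before and after enabling the boot partition.
BEFORE = "Boot configuration bytes [PARTITION_CONFIG: 0x00]\n"
AFTER = "Boot configuration bytes [PARTITION_CONFIG: 0x48]\n"
```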

In general, after this, images start booting from eMMC. If you want to get to the bottom of it and create images from scratch, in both cases (SD/eMMC) you need to write several more files (the SD card preloader, ATF, u-boot) just to get the kernel to load. This topic is still evolving, but for us the main thing is that it works, and that is enough.

Now, about booting from eMMC: to be honest, I don't use it, the SD card is enough, but I spent a lot of time getting it to work, so let it stay in the article.

Choosing the operating system. Armbian

The first task for the build was to bring up a VPN, naturally Wireguard. It immediately turned out that on the kernel side it was not compiled in and there were no headers. I rebuilt the kernel and, out of habit from x86, built the kernel module via DKMS. However, the build speed of even small utilities on arm64 unpleasantly surprised me. Then another kernel module was needed, and so on. In general, it turns out that everything kernel-related is best built on a warm x86 laptop, then transferred to the R64 by simply copying, rebooting and testing.

Userspace is a different matter. Since I chose Debian, everything for the arm64 architecture is already on packages.debian.org and there is no need to rebuild anything.

So as not to reinvent yet another wheel, I ported Armbian to the BPI R64.
Or rather, this: the userspace part is Armbian, and the kernel is taken from the Frank-A repository. The latest image can be downloaded here.

All work on the R64 software is done on the forum. In general, the manufacturer itself is pushing to make the router known for OpenWrt, but thanks to the work of the German developer Frank, all features quickly end up in the Debian kernel. Surprisingly, Frank is active in every thread on the forum.

Organizing the workspace: wires

Separately, I want to tell you how, during development/testing, to place the SBC (not just the BPI) on the desk so that you don't have to run an Ethernet cable to it from the internet source across the whole room/office. The point is that, on the one hand, you need to provide the piece of hardware with Internet, but on the other hand, everything on that piece of hardware can fall over, and Wifi first of all.

At first, I decided to buy a cheap USB-Wifi "dongle", plug it into the only port on the BPI and forget about wires. For this I bought an inexpensive TP-LINK TL-WN725N USB 2.0, but it quickly became clear that it wouldn't fly: for the dongle to work you need a kernel driver, which of course wasn't there (later I built the required RTL8XXXU driver, but it still doesn't work). So the Ethernet cable spoiled the look of the room for a while.

In the end, I managed to get rid of the cable with the help of a Tenda MW3 (Wifi mesh system): I simply put one cube under the desk and connected the BPI to its LAN port with a one-metre Ethernet cable. Success.

Wireguard, RKN, Bird

One of the things I want to use the Banana PI for is free access to sites blocked by RKN, in particular so that Telegram and Slack calls work. Articles on this topic have already been posted on Habr: one, two, three.

I implemented this solution using Ansible: link.

The VPS is assumed to run Ubuntu 18.04. I tested it with two hosting providers in Europe: Amazon and Digital Ocean.

So, we have installed the above Armbian on the R64; it is reachable via ssh under the name hm-bananapi-1 and has Internet access. We deploy Ansible and the automation scripts step by step, then run the installation itself on the R64:

# dependencies for Debian-based distributions
$ sudo apt install --no-install-recommends python3-pip python3-setuptools python3-wheel git
$ which pip3
/usr/bin/pip3

# ansible with pybook, scripting in Python
$ pip3 install https://github.com/muravjov/ansible/archive/ansible-2.10.0.dev0-pybook2019.tar.gz

$ export PATH=~/.local/bin:$PATH
$ which ansible-playbook
/home/sa/.local/bin/ansible-playbook

$ git clone https://github.com/muravjov/ansible-bpi-r64.git
$ cd ansible-bpi-r64

$ git submodule update --init

# make sure hm-bananapi-1 is reachable
$ ssh hm-bananapi-1 which python3
/usr/bin/python3

# the installation itself
$ ansible-playbook ./router.py -l hm-bananapi-1

Next, you need to deploy our VPN to the VPS in the same way:

ansible-playbook ./router.py -l current-vpn

Here the argument is always current-vpn, and the actual VPS name is set by a variable (in this case paris-vpn-aws-t2-micro-1):

$ grep current_vpn group_vars/all 
current_vpn: paris-vpn-aws-t2-micro-1
#current_vpn: frankfurt-vpn-d0-starter-1

Oh yes, before all these operations you need to generate the secrets (in particular the Wireguard keys) in the ./secrets folder; the directory listing should look like this.

Ansible automation in Python

You may have noticed that instead of the YAML format, the Ansible commands are written as Python scripts. For comparison, here is how you would enable the bird daemon the usual way:

- name: start bird
  systemd:
    name: bird
    state: started
    enabled: yes

and here is how to do the same in Python:

with mapping:
    append("name", "start bird")
    with mapping("systemd"):
        append("name",  "bird")
        append("state", "started")
        append("enabled", "yes")

Writing commands in Python lets you reuse code, and in general opens up all the possibilities of a general-purpose language. For example, installing bird on the R64 and on the VPS:

install_bird("router/bird.conf.j2")
install_bird("vpn/bird.conf.j2")

see the code of the install_bird() function.
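To make the DSL concrete, here is a small re-implementation of the `with mapping:` / `append()` style, added for this article; it is not the pybook code from the linked repository, and the `template` task inside `install_bird()` and the `bird_tasks()` helper are my assumptions about what such a function does.

```python
_STACK = []  # containers (list or dict) currently being filled


class Mapping:
    """`with mapping:` appends a new dict to the enclosing list (one task);
    `with mapping("systemd"):` attaches it to the enclosing dict under key."""
    def __init__(self, key=None): self.key = key
    def __call__(self, key): return Mapping(key)

    def __enter__(self):
        d, parent = {}, _STACK[-1]
        if isinstance(parent, list):
            parent.append(d)
        else:
            parent[self.key] = d
        _STACK.append(d)
        return d

    def __exit__(self, *exc): _STACK.pop()


mapping = Mapping()


def append(key, value):
    """Set a scalar key in the mapping currently being built."""
    _STACK[-1][key] = value


def install_bird(template):
    """Reusable block: render the host's bird config, then enable the daemon.
    (The template task is an assumption; the article shows only the systemd task.)"""
    with mapping:
        append("name", "bird config from " + template)
        with mapping("template"):
            append("src", template)
            append("dest", "/etc/bird/bird.conf")
    with mapping:
        append("name", "start bird")
        with mapping("systemd"):
            append("name", "bird")
            append("state", "started")
            append("enabled", "yes")


def bird_tasks(template):
    """Task list for one host (router or VPS), built from its template path."""
    tasks = []
    _STACK.append(tasks)
    try:
        install_bird(template)
    finally:
        _STACK.pop()
    return tasks
```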

This feature, called pybook, is implemented here. There is no documentation for pybook yet, but I will fix that over time.

What do you think of this?

Monitoring. Prometheus

Bottom line: telegram works, linkedin and pornhub too; in general, the user experience is fine. But everything can break, including Chinese hardware.

Kernel updates can also be interesting: for example, I wanted to update the kernel 5.4 => 5.6, since Wireguard is there out of the box and there is no need to patch... No sooner said than done: I carefully carried the patches over from 5.4 to 5.6, the kernel booted, the tunnel to the VPS pinged, but bird couldn't connect, failing with "BGP Error"... "I rolled back in horror" (c) to 5.4; the move to 5.6 was postponed to the TODO list.

Therefore, in addition to installing the router and the VPS, I added monitoring (on x86 Ubuntu 18.04), installed on a separate host with the following components:

  • prometheus, alertmanager, blackbox_exporter - all in docker
  • notifications are sent to a telegram channel using the metalmatze/alertmanager-bot bot - also in Docker
  • tor for the bot, so that the bot can alert about situations where there is internet but Telegram still doesn't work and the bot itself can't connect
  • the alerts used: NodeVPNTroubles (no ping to the VPS), BirdVPNTroubles (no bird session), AntifilterDownloadTroubles (error loading the blocked IP addresses), SiteTroubles (the ill-fated telegram is unavailable)
  • system alerts, for example HostGrowingDiskReadLatency (the cheap SD card is not readable)

Example of setting up monitoring:

ansible-playbook ./monitoring.py -l monitoring-preprod

Prometheus auto-discovery is configured in the /etc/prometheus/auto_http folder; an example of adding a host to monitoring (hosts are not monitored by default):

bash << 'EOF'
HOSTNAME=hm-bananapi-1
IP_ADDRESS=`ssh -G $HOSTNAME | awk '/^hostname / { print $2 }'`

ssh monitoring-preprod sudo sponge /etc/prometheus/auto_http/$HOSTNAME.json << EOF2
[
  {
    "targets": ["$IP_ADDRESS:9100"],
    "labels": {
      "env": "prod",
      "hostname": "$HOSTNAME"
    }
  }
]
EOF2
EOF
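The same target file generated from Python, as an added example (not part of the article's Ansible repository): unlike the heredoc above, which interpolates $HOSTNAME and $IP_ADDRESS unescaped into both the file name and the JSON labels, it validates the hostname as RFC 1123 labels, parses the address with ipaddress (bracketing IPv6), and only then emits the JSON. `render()` and the constructed sample values are assumptions for this example.

```python
import ipaddress
import json
import re

AUTO_HTTP_DIR = "/etc/prometheus/auto_http"  # the file_sd directory used above
NODE_EXPORTER_PORT = 9100
# RFC 1123 host name: dot-separated labels of letters, digits and hyphens,
# so "../x", spaces and quotes never reach the file name or the JSON labels.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOSTNAME_RE = re.compile(r"^%s(\.%s)*$" % (_LABEL, _LABEL))


def target_entry(hostname, ip_address, env="prod"):
    """Build the file_sd target list for one host, or raise ValueError."""
    if not _HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname: %r" % hostname)
    ip = ipaddress.ip_address(ip_address)  # raises ValueError on junk input
    host = "[%s]" % ip if ip.version == 6 else str(ip)  # IPv6 needs brackets
    return [{"targets": ["%s:%d" % (host, NODE_EXPORTER_PORT)],
             "labels": {"env": env, "hostname": hostname}}]


def render(hostname, ip_address, env="prod"):
    """Destination path and JSON text, as the heredoc above writes them."""
    path = "%s/%s.json" % (AUTO_HTTP_DIR, hostname)
    return path, json.dumps(target_entry(hostname, ip_address, env), indent=2)
```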

TODO: 2 providers, 2 BPIs, anycast failover

On top of everything, I plan to connect to two providers so that the internet keeps working even if one provider has network problems, or someone forgot to pay for the internet, etc., and other human factors.

The most mature user experience on the multi-wan topic is described here, with the Mwan3 system under OpenWrt. That solution has rich functionality, but setting it up and using it for multi-wan in general is quite difficult. Just one example: if you come to some sites from two IP addresses at the same time, they may not like it and stop working => "the internet doesn't work".

Taking this experience into account, I decided that multihoming is not a priority for now, only failover. Although it seems that in recent versions of Linux everything should work with a single command like:

ip route add default \
    nexthop via 192.168.1.1 weight 10 \
    nexthop via 192.168.2.1 weight 5

So, to avoid a single point of failure, we take 2 BPIs, connect each to one provider, connect them to each other and set up dynamic routing between them via bird/OSPF.

Next, on each of them we announce the same IP address for a service if that service is available (Internet, DNS). That is, we will not set the default route ourselves, but via bird. I tested the solution here.

This functionality has not been implemented yet; the insidious coronavirus played a trick here (not everything has arrived from Aliexpress; another online store, Layta, promised delivery within a week, but more than a month has passed; the second provider did not have time to run the cable before the lockdown, and only managed to drill a hole in the wall for it).

How to order the R64

The board itself is in the official SinoVoip store.
It is also better to order straight away:

  • a power supply + specify the EU or US plug standard
  • cooling: heatsinks / fans; both the CPU and the switch chip get hot
  • a wifi antenna, for example

There is a nuance: the delivery price in the official store has been unreasonably high for some time. Manager Judy Huang assured me there was no mistake and that you can choose ePacket for $5, but I saw that for Russia there is only EMS at >$33. Unpleasant, but not critical. Moreover, if you choose any other delivery country (I went through all the continents), delivery costs ~$5. Russophobes?.. But then I found that for France the delivery price is also ~$30, and I calmed down.

In the end, Judy asked me to place the order but not pay (hint: keep little on the card so that the automatic payment doesn't go through); write to her and she will reduce the delivery charge to normal. Success.

Issues

Not everything works well yet.

Performance

Ansible=Python commands execute slowly, even empty ones, 20-30 seconds; an order of magnitude longer than on an x86 laptop. Moreover, at first they execute quickly, ~3 seconds, and then slow down sharply. This may be due to CPU heating (throttling). Go code also takes a long time to run:

# requesting prometheus metrics from node_exporter (written in Go)
$ time curl -s http://172.30.1.1:9100/metrics > /dev/null

real    0m6,118s
user    0m0,005s
sys     0m0,009s

# however the temperature is 51 degrees, not that much
sa@bananapir64:~$ cat /sys/devices/virtual/thermal/thermal_zone0/temp
51700

Wifi

Wifi works, but on Armbian it freezes after a day, logging:

sa@bananapir64:~$ dmesg | grep -E 'mt7622_wmac.*timeout'
[470303.802539] mt7622_wmac 18000000.wmac: Message 38 (seq 3) timeout
[470314.042508] mt7622_wmac 18000000.wmac: Message 50 (seq 4) timeout
...

Only a reboot helps. We need to keep digging.

Ethernet

Ethernet works, but after 64 hours packets (DHCP) from the R64 stop arriving.
Restarting the interface helps:

ifdown br0; sleep 30; ifup br0

The driver is new and has not yet been accepted into the kernel; I hope the Chinese developer Landen Chao will finish it.

Source: www.habr.com
