What should you do when the capacity of a single server is not enough to process all requests, and the software vendor does not provide load balancing? There are many options, from buying a load balancer to limiting the number of requests. Which one is right has to be decided case by case, taking the existing conditions into account. In this article we explain what you can do if your budget is limited and you have a spare server.
As the system where we needed to reduce the load on one of the servers, we chose the DLP (data leak prevention system) from InfoWatch. A distinctive feature of the implementation was that the balancing function was placed on one of the "combat" (production) servers.
One of the problems we ran into was the inability to use Source NAT (SNAT). Why it was needed and how the problem was solved is explained below.
So, initially the logical diagram of the existing system looked like this:
ICAP traffic, SMTP, and events from user computers were processed on the Traffic Monitor (TM) server. The database server easily coped with the load after events had been processed on TM, but the load on TM itself was heavy. This showed up as a message queue building on the Device Monitor (DM) server, and as CPU and memory load on TM.
At first glance, if we add another TM server to this scheme, either ICAP or DM could be switched over to it, but we decided not to use this approach because it reduces fault tolerance.
Solution description
In the process of searching for a suitable solution, we settled on freely distributed software
What we wanted to achieve (reduce the load on TM and keep the current level of fault tolerance) was supposed to work according to the following scheme:
During testing, it turned out that the custom RedHat build installed on the servers does not support SNAT. In our case, we had planned to use SNAT to ensure that incoming packets and the responses to them are sent from the same IP address; otherwise we would get the following picture:
This is unacceptable. For example, a proxy server that has sent packets to the Virtual IP (VIP) address will expect the response from the VIP, but in this case it will come from IP2 for the sessions sent to the backup. A solution was found: create another routing table on the backup and connect the two TM servers with a separate network, as shown below:
Settings
We will implement a scheme of two servers running the ICAP, SMTP and TCP 9100 services, with the load balancer installed on one of them.
We have two RHEL6 servers from which the standard repositories and some packages have been removed.
The services we need to balance:
• ICAP - tcp 1344;
• SMTP - tcp 25.
The service that transfers traffic from DM - tcp 9100.
First, we need to plan the network.
Virtual IP address (VIP):
• IP: 10.20.20.105.
Server TM6_1:
• External IP: 10.20.20.101;
• Internal IP: 192.168.1.101.
Server TM6_2:
• External IP: 10.20.20.102;
• Internal IP: 192.168.1.102.
Then we enable IP forwarding on both TM servers. How to do this is described at RedHat
We decide which server will be the master and which will be the backup. Let the master be TM6_1 and the backup be TM6_2.
On the backup we create a new routing table named balancer and the routing rules:
[root@tm6_2 ~]# echo 101 balancer >> /etc/iproute2/rt_tables
[root@tm6_2 ~]# ip rule add from 192.168.1.102 table balancer
[root@tm6_2 ~]# ip route add default via 192.168.1.101 table balancer
The commands above remain in effect only until the system is rebooted. To make sure the routes survive a reboot, you can put them in /etc/rc.d/rc.local, but it is better to use the configuration file /etc/sysconfig/network-scripts/route-eth1 (note: a different syntax is used there).
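A check for the backup's return path, as an added example that is not part of the original article: it confirms from `ip rule` and `ip route` output that replies sourced from the internal address leave through the balancer, which is what stands in for SNAT here. The function name, the `eth1` device and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Verifies the policy routing
# that replaces SNAT on the backup: replies sourced from the internal address
# must leave via the balancer so that clients see them coming from the VIP.

# check_return_path SRC GW TABLE RULES ROUTES
#   RULES  - output of `ip rule show`
#   ROUTES - output of `ip route show table TABLE`
# Returns 0 if both the rule and the default route are in place, 1 otherwise.
check_return_path() {
    src=$1; gw=$2; table=$3; rules=$4; routes=$5

    # Expect a line such as "32765: from 192.168.1.102 lookup balancer".
    if ! printf '%s\n' "$rules" | awk -v s="$src" -v t="$table" '
            $2 == "from" && $3 == s && $4 == "lookup" && $5 == t { ok = 1 }
            END { exit (ok ? 0 : 1) }'; then
        echo "missing rule: from $src lookup $table" >&2
        return 1
    fi

    # Expect a line such as "default via 192.168.1.101 dev eth1".
    if ! printf '%s\n' "$routes" | awk -v g="$gw" '
            $1 == "default" && $2 == "via" && $3 == g { ok = 1 }
            END { exit (ok ? 0 : 1) }'; then
        echo "table $table has no default route via $gw" >&2
        return 1
    fi
    return 0
}

# Constructed sample output for the TM6_2 setup described above.
SAMPLE_RULES='0: from all lookup local
32765: from 192.168.1.102 lookup balancer
32766: from all lookup main
32767: from all lookup default'
SAMPLE_ROUTES='default via 192.168.1.101 dev eth1'

check_return_path 192.168.1.102 192.168.1.101 balancer \
    "$SAMPLE_RULES" "$SAMPLE_ROUTES" && echo "return path OK"

# On the live backup:
#   check_return_path 192.168.1.102 192.168.1.101 balancer \
#       "$(ip rule show)" "$(ip route show table balancer)"
```

Running it after a reboot shows whether the persistent configuration was actually applied.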
We install keepalived on both TM servers. We used rpmfind.net as the source of the package:
[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/keepalived-1.2.13-5.el6_6.x86_64.rpm
In the keepalived settings we designate one of the servers as the master and the other as the backup. Then we set the VIP and the services to be load balanced. The configuration file is usually located here: /etc/keepalived/keepalived.conf.
Settings for the TM1 server
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    lvs_sync_daemon_interface eth0
    virtual_router_id 51
    priority 151
    advert_int 1
    authentication {
        # PASS sends auth_pass in cleartext in VRRP advertisements;
        # the value must be identical on both servers
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}
# ICAP
virtual_server 10.20.20.105 1344 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 1344 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 1344
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
# SMTP
virtual_server 10.20.20.105 25 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 25 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 25
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
# Traffic from DM
virtual_server 10.20.20.105 9100 {
    delay_loop 6
    lb_algo wrr
    lb_kind NAT
    protocol TCP
    real_server 192.168.1.101 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }
    real_server 192.168.1.102 9100 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
            connect_port 9100
            nb_get_retry 3
            delay_before_retry 3
        }
    }
}
Settings for the TM2 server
vrrp_sync_group VG1 {
    group {
        VI_1
    }
}
vrrp_instance VI_1 {
    state BACKUP
    interface eth0
    lvs_sync_daemon_interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        # must match the master's authentication block
        auth_type PASS
        auth_pass example
    }
    virtual_ipaddress {
        10.20.20.105
    }
}
On the master we install LVS, which will balance the traffic. There is no point in installing the balancer on the second server, since there are only two servers in the configuration.
[root@tm6_1 ~]# yum install https://rpmfind.net/linux/centos/6.10/os/x86_64/Packages/ipvsadm-1.26-4.el6.x86_64.rpm
The balancer will be managed by keepalived, which we have already configured.
To complete the picture, let's add keepalived to autostart on both servers:
[root@tm6_1 ~]# chkconfig keepalived on
Conclusion
Checking the results
Let's start keepalived on both servers:
service keepalived start
Checking the availability of the VRRP virtual address
Let's make sure the VIP is on the master:
And that there is no VIP on the backup:
Using the ping command, we check the availability of the VIP:
Now you can shut down the master and run the ping command again.
The result should stay the same, and on the backup we will see the VIP:
Checking service balancing
Let's take SMTP as an example. We open two connections to 10.20.20.105 at the same time:
telnet 10.20.20.105 25
On the master we should see that both connections are active and are attached to different servers:
[root@tm6_1 ~]# watch ipvsadm -Ln
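A scripted form of the same check, as an added example that is not part of the original article: it reads `ipvsadm -Ln` output and reports every virtual service that has fewer real servers than expected, which is how the table looks once a failed TCP_CHECK has removed one. The function name and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# lvs_short_services EXPECTED TABLE
#   TABLE - output of `ipvsadm -Ln`
# Prints each virtual service that has fewer than EXPECTED real servers with
# non-zero weight. Returns 0 when every service is complete, 1 otherwise.
lvs_short_services() {
    printf '%s\n' "$2" | awk -v want="$1" '
        function report() {
            if (vs != "" && n < want + 0) {
                print vs " has " n " real server(s)"
                bad = 1
            }
        }
        # Virtual service line: "TCP  10.20.20.105:25 wrr"
        $1 == "TCP" || $1 == "UDP" { report(); vs = $2; n = 0; next }
        # Real server line: "-> addr:port Forward Weight ActiveConn InActConn"
        $1 == "->" && $2 ~ /^[0-9]/ && $4 > 0 { n++ }
        END { report(); exit (bad ? 1 : 0) }'
}

# Constructed sample: both servers serve SMTP and ICAP, but TM6_2 has
# dropped out of the 9100 service (as after a failed TCP_CHECK).
SAMPLE_TABLE='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  10.20.20.105:25 wrr
  -> 192.168.1.101:25             Masq    1      1          0
  -> 192.168.1.102:25             Masq    1      1          0
TCP  10.20.20.105:1344 wrr
  -> 192.168.1.101:1344           Masq    1      0          0
  -> 192.168.1.102:1344           Masq    1      0          0
TCP  10.20.20.105:9100 wrr
  -> 192.168.1.101:9100           Masq    1      0          0'

lvs_short_services 2 "$SAMPLE_TABLE" || echo "balancing is degraded"

# On the live master: lvs_short_services 2 "$(ipvsadm -Ln)"
```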
Thus, we implemented a fault-tolerant configuration of the TM services by installing the balancer on one of the TM servers. For our system, this cut the load on TM in half, which made it possible to solve the problem of the system's own lack of horizontal scaling.
In most cases this solution is implemented quickly and at no additional cost, but sometimes there are a number of limitations and configuration difficulties, for example when balancing UDP traffic.
Source: www.habr.com