Uma ingqalasizinda yakho ye-IT ikhula ngokushesha kakhulu, maduze nje uzobhekana nokukhetha: ukhuphule izinsiza zabantu ukuze uyisekele noma uqale ukuzenzela. Kuze kube isikhathi esithile, siphila kupharadigm yokuqala, kwase kuqala indlela ende eya ku-Infrastructure-as-Code.
Yiqiniso, i-NSPK akuyona isiqalo, kodwa isimo esinjalo sabusa enkampanini eminyakeni yokuqala yokuba khona kwayo, futhi leyo yayiyiminyaka ethakazelisayo kakhulu. Igama lami ngu , bengilokhu ngisekela ingqalasizinda ye-Linux enezidingo zokutholakala okuphezulu iminyaka engaphezu kwe-10. Ujoyine ithimba le-NSPK ngoJanuwari 2016 futhi, ngeshwa, akazange abone ukuqala kokuba khona kwenkampani, kodwa wafika esigabeni sezinguquko ezinkulu.
Ngokuvamile, singasho ukuthi ithimba lethu lihlinzeka ngemikhiqizo emi-2 yenkampani. Okokuqala ingqalasizinda. Imeyili kufanele isebenze, i-DNS kufanele isebenze, futhi abalawuli besizinda kufanele bakuvumele ungene kumaseva okungafanele aphahlazeke. Isimo se-IT senkampani sikhulu! Lezi yizinhlelo ezibalulekile zebhizinisi nezemishini, izidingo zokutholakala kwabanye zingu-99,999. Umkhiqizo wesibili amaseva ngokwawo, ngokomzimba nangokoqobo. Ezikhona zidinga ukugadwa, futhi ezintsha kumelwe zilethwe njalo kumakhasimende avela eminyangweni eminingi. Kulesi sihloko ngifuna ukugxila endleleni esithuthukise ngayo ingqalasizinda enesibopho somjikelezo wempilo yeseva.
Qala kohambo
Ekuqaleni kohambo lwethu, isitaki sethu sobuchwepheshe besibukeka kanje:
I-OS CentOS 7
I-FreeIPA Domain Controllers
Okuzenzakalelayo - I-Ansible(+Tower), Cobbler
Konke lokhu bekutholakala ezizindeni ezi-3, kusabalale kuzo zonke izikhungo zedatha. Kwesinye isikhungo sedatha kunezinhlelo zamahhovisi nezingosi zokuhlola, kokunye kukhona i-PROD.
Ukudala amaseva ngesikhathi esisodwa kubukeke kanje:
Kuthempulethi ye-VM, i-CentOS incane futhi ubuncane obudingekayo bufana nelungile /etc/resolv.conf, okunye kuza nge-Ansible.
I-CMDB - Excel.
Uma iseva ingokomzimba, esikhundleni sokukopisha umshini we-virtual, i-OS yafakwa kuyo kusetshenziswa i-Cobbler - amakheli e-MAC weseva eqondiwe engezwa ku-Cobbler config, iseva ithola ikheli le-IP nge-DHCP, bese kuba i-OS. yengezwa.
Ekuqaleni saze sazama ukwenza uhlobo oluthile lokuphatha ukucushwa ku-Cobbler. Kodwa ngokuhamba kwesikhathi, lokhu kwaqala ukuletha izinkinga ngokuphatheka kokucushwa kwezinye izikhungo zedatha kanye nekhodi Ansible yokulungiselela ama-VM.
Ngaleso sikhathi, abaningi bethu babona i-Ansible njengesandiso esikahle se-Bash futhi ayizange yeqe imiklamo isebenzisa igobolondo ne-sed. Sekukonke Bashsible. Lokhu ekugcineni kwaholela eqinisweni lokuthi uma i-playbook ngesizathu esithile ingasebenzi kuseva, kwakulula ukususa iseva, ukulungisa incwadi yokudlala bese uyiqhuba futhi. Bekungekho ukuguqulelwa kwemibhalo, kungekho ukuphatheka kokucushwa.
Isibonelo, besifuna ukushintsha ezinye izilungiselelo kuwo wonke amaseva:
- Sishintsha ukumisa kumaseva akhona engxenyeni enengqondo/isikhungo sedatha. Ngezinye izikhathi hhayi ngosuku olulodwa - izidingo zokufinyelela kanye nomthetho wezinombolo ezinkulu azivumeli zonke izinguquko ukuba zisetshenziswe ngesikhathi esisodwa. Futhi ezinye izinguquko zingase zicekele phansi futhi zidinga ukuqala kabusha okuthile - kusuka kumasevisi kuye ku-OS ngokwayo.
- Ukuyilungisa ku-Ansible
- Siyilungisa ku-Cobbler
- Phinda izikhathi ezingu-N ngesegimenti ngayinye enengqondo/isikhungo sedatha
Ukuze zonke izinguquko zihambe kahle, kwakudingeka kucatshangelwe izici eziningi, futhi izinguquko zenzeka njalo.
- Ifaka kabusha ikhodi enengqondo, amafayela wokumisa
- Ukushintsha imikhuba emihle yangaphakathi
- Izinguquko ezisekelwe emiphumeleni yokuhlaziywa kwezigameko/izingozi
- Ukushintsha izindinganiso zokuphepha, ngaphakathi nangaphandle. Isibonelo, i-PCI DSS ibuyekezwa ngezimfuneko ezintsha minyaka yonke
Ukukhula kwengqalasizinda kanye nokuqala kohambo
Inani lamaseva/izizinda ezinengqondo/izikhungo zedatha lakhula, futhi kuzo inani lamaphutha ekucushweni. Ngesinye isikhathi, sifike ezindleleni ezintathu lapho ukuphathwa kokucushwa kudinga ukuthuthukiswa:
- Okuzenzakalelayo. Iphutha lomuntu ekusebenzeni okuphindaphindiwe kufanele kugwenywe ngangokunokwenzeka.
- Ukuphindaphinda. Kulula kakhulu ukuphatha ingqalasizinda uma kungenzeka. Ukumiswa kwamaseva namathuluzi okulungiselelwa kwawo kufanele kufane yonke indawo. Lokhu kubalulekile futhi emaqenjini omkhiqizo - ngemva kokuhlolwa, uhlelo lokusebenza kufanele luqinisekiswe ukuthi luzogcina lusendaweni yokukhiqiza elungiselelwe ngokufana nendawo yokuhlola.
- Ubulula nokukhanyela kokwenza izinguquko ekuphatheni ukucushwa.
Kusele ukungeza amathuluzi ambalwa.
Sikhethe i-GitLab CE njengendawo yethu yokugcina amakhodi, hhayi okungenani kumamojula ayo akhelwe ngaphakathi e-CI/CD.
I-Vault of Secrets - I-Hashicorp Vault, kuhl. ye-API enkulu.
Ukuhlola ukucushwa kanye nezindima ezifanele - I-Molecule+Testinfra. Ukuhlola kuhamba ngokushesha kakhulu uma uxhuma ku-mitogen esebenzayo. Ngesikhathi esifanayo, saqala ukubhala i-CMDB yethu kanye ne-orchestrator yokuthunyelwa okuzenzakalelayo (esithombeni esingenhla kwe-Cobbler), kodwa lena indaba ehluke ngokuphelele, lapho uzakwethu kanye nomthuthukisi oyinhloko walezi zinhlelo bazokutshela esikhathini esizayo.
Inketho yethu:
I-Molecule + Testinfra
I-Ansible + Tower + AWX
Umhlaba wamaseva + DITNET (Ukuthuthukiswa Kwakho)
Umkhandi
Umgijimi we-Gitlab + GitLab
I-Hashicorp Vault
Ngendlela, mayelana nezindima ezifanele. Ekuqaleni kwakukhona eyodwa kuphela, kodwa ngemva kokuhlelwa kabusha okuningana kwakukhona angu-17. Ngincoma ngokuqinile ukwephula i-monolith ibe yizindima ezingenamandla, ezingase zethulwe ngokuhlukana; ngaphezu kwalokho, ungangeza amathegi. Sihlukanise izindima ngokusebenza - inethiwekhi, ukugawula, amaphakheji, ihadiwe, i-molecule njll. Ngokuvamile, silandele isu elingezansi. Angigcizeleli ukuthi leli yiqiniso kuphela, kodwa lasisebenzela.
- Ukukopisha amaseva "esithombeni segolide" kubi!Ububi obuyinhloko ukuthi awazi kahle ukuthi izithombe zikusiphi isimo manje, nokuthi zonke izinguquko zizofika kuzo zonke izithombe kuwo wonke amapulazi e-virtualization.
- Sebenzisa amafayela okumisa okuzenzakalelayo okungenani futhi uvumelane neminye iminyango ukuthi unomthwalo wemfanelo wamafayela esistimu ayinhlokoisibonelo:
- Shiya /etc/sysctl.conf ingenalutho, izilungiselelo kufanele zibe ku-/etc/sysctl.d/. Okuzenzakalelayo kwakho kufayela elilodwa, inkambiso yohlelo lokusebenza kwelinye.
- Sebenzisa ukukhipha amafayela ukuze uhlele amayunithi e-systemd.
- Yenza isifanekiso konke ukucushwa futhi ukufake ngokuphelele; uma kungenzeka, akukho sed noma ama-analogue ayo ezincwadini zokudlala
- Ukwenza kabusha ikhodi yesistimu yokuphatha:
- Hlukanisa imisebenzi ibe izinhlangano ezinengqondo futhi ubhale kabusha i-monolith ibe izindima
- Sebenzisa ama-linters! I-Ansible-lint, yaml-lint, njll
- Shintsha indlela yakho yokwenza! Ayikho i-bashsible. Kuyadingeka ukuchaza isimo sohlelo
- Kuwo wonke ama-Ansible indima udinga ukubhala izivivinyo ku-molecule futhi ukhiqize imibiko kanye ngosuku.
- Esimweni sethu, ngemva kokulungiselela ukuhlolwa (okungaphezu kuka-100), amaphutha angaba ngu-70000 atholakala. Kwathatha izinyanga ezimbalwa ukuyilungisa.
Ukuqaliswa kwethu
Ngakho-ke, izindima ezithintekayo zase zilungile, zifakwe isifanekiso futhi zihlolwe ngama-linters. Futhi ngisho nama-gits aphakanyiswa yonke indawo. Kodwa umbuzo wokulethwa okuthembekile kwekhodi ezingxenyeni ezahlukene uhlale uvulekile. Sinqume ukuvumelanisa nemibhalo. Kubukeka sengathi:
Ngemuva kokufika koshintsho, kwethulwa i-CI, kwakhiwa iseva yokuhlola, izindima ziyakhishwa, futhi zihlolwe yi-molecule. Uma konke kulungile, ikhodi iya egatsheni le-prod. Kodwa asisebenzisi ikhodi entsha kumaseva akhona emshinini. Lolu uhlobo lwesivimbo oludingekayo ukuze kube nokutholakala okuphezulu kwamasistimu ethu. Futhi uma ingqalasizinda iba nkulu, umthetho wesibalo esikhulu uyangena - ngisho noma unesiqiniseko sokuthi uguquko alunangozi, lungaholela emiphumeleni ebuhlungu.
Kukhona futhi izinketho eziningi zokudala amaseva. Sigcine ngokukhetha imibhalo yangokwezifiso yePython. Futhi ku-CI kufanelekile:
- name: create1.yml - Create a VM from a template
vmware_guest:
hostname: "{{datacenter}}".domain.ru
username: "{{ username_vc }}"
password: "{{ password_vc }}"
validate_certs: no
cluster: "{{cluster}}"
datacenter: "{{datacenter}}"
name: "{{ name }}"
state: poweredon
folder: "/{{folder}}"
template: "{{template}}"
customization:
hostname: "{{ name }}"
domain: domain.ru
dns_servers:
- "{{ ipa1_dns }}"
- "{{ ipa2_dns }}"
networks:
- name: "{{ network }}"
type: static
ip: "{{ip}}"
netmask: "{{netmask}}"
gateway: "{{gateway}}"
wake_on_lan: True
start_connected: True
allow_guest_control: True
wait_for_ip_address: yes
disk:
- size_gb: 1
type: thin
datastore: "{{datastore}}"
- size_gb: 20
type: thin
datastore: "{{datastore}}"Yilokhu esifike kukho, uhlelo luyaqhubeka nokuphila futhi luthuthuke.
- 17 Izindima ezifanele zokusetha iseva. Indima ngayinye yakhelwe ukuxazulula umsebenzi onengqondo ohlukile (ukugawula, ukucwaninga, ukugunyazwa komsebenzisi, ukuqapha, njll.).
- Ukuhlolwa kwendima. I-Molecule + TestInfra.
- Ukuthuthukiswa Kwakho: CMDB + Orchestrator.
- Isikhathi sokudala iseva singamaminithi angu-30, kuyazenzakalela futhi kuzimele emgqeni womsebenzi.
- Isimo esifanayo/ukuthiwa kwengqalasizinda kuwo wonke amasegimenti - izincwadi zokudlala, amakhosombe, izakhi ze-virtualization.
- Ukuhlola kwansuku zonke kwesimo seseva ngokukhiqizwa kwemibiko ngokungahambisani nendinganiso.
Ngethemba ukuthi indaba yami izoba wusizo kulabo abasaqala uhambo lwabo. Isiphi isitaki esizenzakalelayo osisebenzisayo?
Source: www.habr.com