I-ProHoster > Π‘Π»ΠΎΠ³ > Ukuphatha > Ukulungisa umzila we-MetalLB kumodi ye-L2

Ukulungisa umzila we-MetalLB kumodi ye-L2

Ukulungisa umzila we-MetalLB kumodi ye-L2
Esikhathini esingeside esidlule bengibhekene nomsebenzi ongajwayelekile wokusetha umzila we-MetalLB. Konke kuzolunga, ngoba... Ngokuvamile i-MetalLB ayidingi izenzo ezengeziwe, kodwa esimweni sethu sineqoqo elikhulu elinokucushwa kwenethiwekhi okulula kakhulu.

Kulesi sihloko ngizokutshela ukuthi ungamisa kanjani umzila osuselwe kumthombo kanye nenqubomgomo yenethiwekhi yangaphandle yeqoqo lakho.

Ngeke ngingene ngemininingwane mayelana nokufaka nokulungisa i-MetalLB, njengoba ngicabanga ukuthi usuvele unokuhlangenwe nakho okuthile. Ngiphakamisa ukuthi ngiqonde ngqo ephuzwini, okungukuthi ukusetha umzila. Ngakho sinezimo ezine:

Icala 1: Uma kungekho ukucushwa okudingekayo

Ake sibheke icala elilula.

Ukulungisa umzila we-MetalLB kumodi ye-L2

Ukucushwa komzila okwengeziwe akudingekile uma amakheli akhishwe i-MetalLB aku-subnet efanayo namakheli ezindawo zakho.

Isibonelo, une-subnet 192.168.1.0/24, inomzila 192.168.1.1, futhi ama-node akho athola amakheli: 192.168.1.10-30, bese ku-MetalLB ungakwazi ukulungisa ububanzi 192.168.1.100-120 futhi uqiniseke ukuthi zizosebenza ngaphandle kokucushwa okwengeziwe.

Kungani kunjalo? Ngoba amanodi akho asenayo imizila elungisiwe:

# ip route
default via 192.168.1.1 dev eth0 onlink 
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10

Futhi amakheli asuka ebangeni elifanayo azophinda asetshenziswe ngaphandle kwanoma yiziphi izenzo ezengeziwe.

Icala 2: Uma ukwenza ngokwezifiso okwengeziwe kuyadingeka

Ukulungisa umzila we-MetalLB kumodi ye-L2

Kufanele ulungiselele imizila eyengeziwe noma nini lapho amanodi akho engenalo ikheli le-IP elimisiwe noma umzila oya ku-subnet i-MetalLB ekhipha amakheli ayo.

Ngizochaza ngokuningiliziwe okwengeziwe. Noma nini lapho i-MetalLB ikhipha ikheli, lingafaniswa nomsebenzi olula ofana nalo:

ip addr add 10.9.8.7/32 dev lo

Naka:

  • a) Ikheli linikezwe isiqalo /32 okungukuthi, umzila ngeke wengezwe ngokuzenzakalelayo ku-subnet yawo (ikheli nje)
  • b) Ikheli linamathiselwe kunoma iyiphi i-node interface (isibonelo i-loopback). Kufanelekile ukusho lapha izici zesitaki senethiwekhi ye-Linux. Noma ngabe ungeza kusiphi isixhumi esibonakalayo ikheli, i-kernel izohlala icubungula izicelo ze-arp futhi ithumele izimpendulo ze-arp kunoma iyiphi yazo, lokhu kuziphatha kuthathwa njengokulungile futhi, ngaphezu kwalokho, kusetshenziswa kabanzi endaweni eguquguqukayo njenge-Kubernetes.

Lokhu kuziphatha kungenziwa ngendlela oyifisayo, isibonelo ngokunika amandla i-arp eqinile:

echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce

Kulesi simo, izimpendulo ze-arp zizothunyelwa kuphela uma isixhumi esibonakalayo siqukethe ngokusobala ikheli le-IP elithile. Lesi silungiselelo siyadingeka uma uhlela ukusebenzisa i-MetalLB futhi i-kube-proxy yakho isebenza ngemodi ye-IPVS.

Nokho, i-MetalLB ayisebenzisi i-kernel ukucubungula izicelo ze-arp, kodwa izenzela yona ngokwayo endaweni yomsebenzisi, ngakho le nketho ngeke iphazamise ukusebenza kwe-MetalLB.

Asibuyele emsebenzini wethu. Uma umzila wamakheli akhishiwe ungekho kumanodi akho, wengeze kusengaphambili kuwo wonke ama-node:

ip route add 10.9.8.0/24 dev eth1

Icala 3: Uma udinga umzila osuselwe kumthombo

Uzodinga ukumisa umzila osuselwe kumthombo lapho uthola amaphakethe ngesango elihlukile, hhayi leli elilungiswe ngokuzenzakalela, ngakho-ke amaphakethe okuphendula kufanele adlule esangweni elifanayo.

Isibonelo, une-subnet efanayo 192.168.1.0/24 okunikezelwe kumanodi akho, kodwa ufuna ukukhipha amakheli angaphandle usebenzisa i-MetalLB. Ake sicabange ukuthi unamakheli amaningi avela ku-subnet 1.2.3.0/24 ezitholakala ku-VLAN 100 futhi ufuna ukuzisebenzisa ukuze ufinyelele izinsiza ze-Kubernetes ngaphandle.

Ukulungisa umzila we-MetalLB kumodi ye-L2

Uma uxhumana 1.2.3.4 uzobe wenza izicelo ezivela ku-subnet ehlukile kunaleyo 1.2.3.0/24 bese ulinda impendulo. Inodi okwamanje eyinhloko yekheli elikhishiwe le-MetalLB 1.2.3.4, izothola iphakethe kumzila 1.2.3.1, kodwa impendulo yakhe kufanele ihambe ngendlela efanayo, idlule 1.2.3.1.

Njengoba inodi yethu isivele inesango elimisiwe elimisiwe 192.168.1.1, bese ngokuzenzakalelayo impendulo izoya kuye, hhayi 1.2.3.1, esithole ngayo iphasela.

Indlela yokubhekana nalesi simo?

Kulesi simo, udinga ukulungiselela wonke ama-node akho ngendlela yokuthi alungele ukukhonza amakheli angaphandle ngaphandle kokucushwa okwengeziwe. Okusho ukuthi, ngesibonelo esingenhla, udinga ukudala isikhombimsebenzisi se-VLAN ku-node kusengaphambili:

ip link add link eth0 name eth0.100 type vlan id 100
ip link set eth0.100 up

Bese wengeza imizila:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Sicela uqaphele ukuthi sengeza imizila etafuleni elihlukile lomzila 100 izoqukatha imizila emibili kuphela edingekayo ukuze uthumele iphakethe lempendulo ngesango 1.2.3.1, etholakala ngemuva kwesixhumi esibonakalayo eth0.100.

Manje sidinga ukungeza umthetho olula:

ip rule add from 1.2.3.0/24 lookup 100

okusho ngokusobala: uma ikheli lomthombo wephakethe lingaphakathi 1.2.3.0/24, khona-ke udinga ukusebenzisa ithebula lomzila 100. Kuyo sesike sachaza indlela ezomdlulisa 1.2.3.1

Icala lesi-4: Uma udinga umzila osuselwe kunqubomgomo

I-topology yenethiwekhi iyafana naleyo esesibonelweni sangaphambilini, kodwa ake sithi ufuna ukwazi ukufinyelela amakheli angaphandle. 1.2.3.0/24 kusuka kumaphodi akho:

Ukulungisa umzila we-MetalLB kumodi ye-L2

Okukhethekile ukuthi uma ufinyelela noma yiliphi ikheli ku 1.2.3.0/24, iphakethe lempendulo lishaya inodi futhi linekheli lomthombo kububanzi 1.2.3.0/24 izothunyelwa ngokulalela eth0.100, kodwa sifuna i-Kubernetes iyiqondise kabusha ku-pod yethu yokuqala, ekhiqize isicelo sangempela.

Ukuxazulula le nkinga kube nzima, kodwa kube nokwenzeka ngenxa yomzila osuselwe kunqubomgomo:

Ukuze uthole ukuqonda okungcono kwenqubo, nawu umdwebo we-netfilter block:
Ukulungisa umzila we-MetalLB kumodi ye-L2

Okokuqala, njengasesibonelweni sangaphambilini, ake sakhe itafula lomzila elengeziwe:

ip route add 1.2.3.0/24 dev eth0.100 table 100
ip route add default via 1.2.3.1 table 100

Manje ake sengeze imithetho embalwa kuma-iptables:

iptables -t mangle -A PREROUTING -i eth0.100 -j CONNMARK --set-mark 0x100
iptables -t mangle -A PREROUTING  -j CONNMARK --restore-mark
iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j RETURN
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

Le mithetho izomaka ukuxhumana okungenayo kusixhumi esibonakalayo eth0.100, ukumaka wonke amaphakethe ngethegi 0x100, izimpendulo ngaphakathi koxhumano olufanayo nazo zizomakwa ngomaka ofanayo.

Manje singakwazi ukwengeza isimiso somzila:

ip rule add from 1.2.3.0/24 fwmark 0x100 lookup 100

Okusho ukuthi, wonke amaphakethe anekheli lomthombo 1.2.3.0/24 kanye nethegi 0x100 kufanele ihanjiswe ngokusebenzisa itafula 100.

Ngakho-ke, amanye amaphakethe atholwe kwesinye isixhumi esibonakalayo awekho ngaphansi kwalo mthetho, okuzowavumela ukuthi ahanjiswe kusetshenziswa amathuluzi ajwayelekile e-Kubernetes.

Π•ΡΡ‚ΡŒ Π΅Ρ‰Ρ‘ ΠΎΠ΄Π½ΠΎ Π½ΠΎ, Π² Linux сущСствуСт Ρ‚Π°ΠΊ Π½Π°Π·Ρ‹Π²Π°Π΅ΠΌΡ‹ΠΉ reverse path filter, ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ ΠΏΠΎΡ€Ρ‚ΠΈΡ‚ всю ΠΌΠ°Π»ΠΈΠ½Ρƒ осущСствляСт ΠΏΡ€ΠΎΡΡ‚ΡƒΡŽ ΠΏΡ€ΠΎΠ²Π΅Ρ€ΠΊΡƒ: для всСх входящих ΠΏΠ°ΠΊΠ΅Ρ‚ΠΎΠ² ΠΎΠ½ мСняСт адрСс источника ΠΏΠ°ΠΊΠ΅Ρ‚Π° с адрСсом отправитСля ΠΈ провСряСт ΠΌΠΎΠΆΠ΅Ρ‚-Π»ΠΈ ΠΏΠ°ΠΊΠ΅Ρ‚ ΡƒΠΉΡ‚ΠΈ Ρ‡Π΅Ρ€Π΅Π· Ρ‚ΠΎΡ‚-ΠΆΠ΅ интСрфСйс Π½Π° ΠΊΠΎΡ‚ΠΎΡ€Ρ‹ΠΉ Π±Ρ‹Π» ΠΏΠΎΠ»ΡƒΡ‡Π΅Π½, Ссли Π½Π΅Ρ‚, Ρ‚ΠΎ ΠΎΡ‚Ρ„ΠΈΠ»ΡŒΡ‚Ρ€ΠΎΠ²Ρ‹Π²Π΅Ρ‚ Π΅Π³ΠΎ.

Inkinga ukuthi esimweni sethu ngeke isebenze kahle, kodwa singayikhubaza:

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0.100/rp_filter

Sicela uqaphele ukuthi umyalo wokuqala ulawula ukuziphatha komhlaba wonke kwe-rp_filter; uma ingakhutshaziwe, umyalo wesibili ngeke ube nomthelela. Nokho, i-interface esele izohlala ine-rp_filter enikwe amandla.

Ukuze singakhawuleli ngokuphelele ukusebenza kwesihlungi, singasebenzisa ukufakwa kwe-rp_filter kusihlungi se-net. Usebenzisa i-rpfilter njengemojula ye-iptables, ungamisa imithetho evumelana nezimo impela, isibonelo:

iptables -t raw -A PREROUTING -i eth0.100 -d 1.2.3.0/24 -j RETURN
iptables -t raw -A PREROUTING -i eth0.100 -m rpfilter --invert -j DROP

vumela i-rp_filter kusixhumi esibonakalayo eth0.100 kuwo wonke amakheli ngaphandle 1.2.3.0/24.

Source: www.habr.com

Engeza amazwana