I-ProHoster > Блог > Ukuphatha > Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa

Kwase kusondele unyaka omusha. Izingane kulo lonke izwe zase zithumele kakade izincwadi kuSanta Claus noma zizenzele izipho, futhi umabi wazo oyinhloko, omunye wabathengisi abakhulu, wayelungiselela i-apotheosis yokuthengisa. NgoDisemba, umthwalo esikhungweni sayo sedatha ukhuphuka izikhathi eziningana. Ngakho-ke, inkampani yanquma ukwenza isikhungo sedatha sibe sesimanje futhi sisebenzise amaseva amasha ayishumi nambili esikhundleni semishini eyayifinyelela ekupheleni kwempilo yayo yesevisi. Lokhu kuphetha indaba ngokuphathelene nokwasemuva kwamakhekheba eqhwa aphephukayo, bese kuqala ubumnandi.

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Imishini yafika esizeni ezinyangeni ezimbalwa ngaphambi kwenani eliphakeme lokuthengisa. Isevisi yokusebenza, vele, iyazi ukuthi kanjani nokuthi yini okufanele ilungiswe kumaseva ukuze iwalethe endaweni yokukhiqiza. Kepha besidinga ukwenza lokhu ngokuzenzakalelayo futhi sisuse isici somuntu. Ngaphezu kwalokho, amaseva ashintshiwe ngaphambi kokufuduka kwesethi yezinhlelo ze-SAP ezazibalulekile enkampanini.

Ukukhishwa kwamaseva amasha kwakuboshelwe ngokuqinile kumnqamulajuqu. Futhi ukuyihambisa kwakusho ukubeka engcupheni kokubili ukuthunyelwa kwezipho eziyisigidigidi kanye nokufuduka kwezinhlelo. Ngisho nethimba elihlanganisa uFather Frost no-Santa Claus alikwazanga ukushintsha usuku - ungadlulisela uhlelo lwe-SAP lokuphathwa kwempahla kanye kuphela ngonyaka. Kusukela ngoDisemba 31 kuya kuJanuwari 1, izindawo zokugcina izimpahla ezinkulu zomthengisi, ezilingana nezinkundla zebhola ezingama-20, zimisa umsebenzi wazo amahora ayi-15. Futhi lesi ukuphela kwenkathi yesikhathi sokuhambisa uhlelo. Asizange sibe nendawo yephutha ngenkathi sethula amaseva.

Ake ngicacise: indaba yami ibonisa amathuluzi nenqubo yokuphatha yokumisa esetshenziswa ithimba lethu.

Inkimbinkimbi yokuphatha ukucushwa inamazinga amaningana. Ingxenye ebalulekile uhlelo lwe-CMS. Ekusebenzeni kwezimboni, ukungabi khona kwelinye lamazinga kungaholela ezimangalisweni ezingemnandi.

Ukuphathwa kokufakwa kwe-OS

Izinga lokuqala liwuhlelo lokuphatha ukufakwa kwezinhlelo zokusebenza kumaseva aphathekayo nangokoqobo. Idala ukucushwa okuyisisekelo kwe-OS, isusa isici somuntu.

Sisebenzisa le sistimu, sithole izimo zeseva ezijwayelekile ezine-OS elungele ukuqhubeka ngokuzenzakalela. Ngesikhathi "sokuthululwa" bathole isethi encane yabasebenzisi bendawo kanye nokhiye basesidlangalaleni be-SSH, kanye nokucushwa kwe-OS okungaguquki. Besingaqinisekiswa ukuthi sizophatha amaseva nge-CMS futhi besiqiniseka ukuthi azikho izimanga “ngezansi” ezingeni le-OS.

Umsebenzi "omkhulu" wohlelo lokuphatha ukufakwa wukumisa ngokuzenzakalelayo amaseva ukusuka kuzinga le-BIOS/Firmware kuya ku-OS. Okuningi lapha kuncike ezintweni zokusebenza nemisebenzi yokusetha. Ukuze uthole imishini ehlukahlukene, ungacabangela IREDFISH API. Uma yonke i-Hardware ivela kumthengisi oyedwa, ngakho-ke kuvame ukusebenziseka kalula ukusebenzisa amathuluzi okuphatha esenziwe ngomumo (isibonelo, i-HP ILO Amplifier, i-DELL OpenManage, njll.).

Ukufaka i-OS kumaseva aphathekayo, sisebenzise i-Cobbler eyaziwa kakhulu, echaza isethi yamaphrofayili wokufaka avunyelwene nensizakalo yokusebenza. Lapho engeza iseva entsha nengqalasizinda, unjiniyela ubophe ikheli le-MAC leseva kuphrofayela edingekayo ku-Cobbler. Lapho ivula inethiwekhi okokuqala ngqa, iseva ithole ikheli lesikhashana kanye ne-OS entsha. Yabe isidluliselwa ekhelini elihlosiwe le-VLAN/IP futhi waqhubeka nomsebenzi lapho. Yebo, ukushintsha i-VLAN kuthatha isikhathi futhi kudinga ukusebenzisana, kodwa kunikeza ukuvikeleka okwengeziwe ekufakweni ngephutha kweseva endaweni yokukhiqiza.

Sakhe amaseva abonakalayo asuselwa kuzifanekiso ezilungiselelwe kusetshenziswa i-HashiСorp Packer. Isizathu sasifana: ukuvimbela amaphutha abantu okungenzeka lapho ufaka i-OS. Kodwa, ngokungafani namaseva angokwenyama, i-Packer iqeda isidingo se-PXE, ukubhutha kwenethiwekhi, nezinguquko ze-VLAN. Lokhu kwenze kwaba lula futhi kwaba lula ukwakha amaseva abonakalayo.

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 1. Ukuphatha ukufakwa kwamasistimu okusebenza.

Ukuphatha izimfihlo

Noma iyiphi isistimu yokuphatha ukucushwa iqukethe idatha okufanele ifihlwe kubasebenzisi abajwayelekile, kodwa iyadingeka ukuze kulungiswe amasistimu. Lawa amagama ayimfihlo abasebenzisi basendaweni nama-akhawunti wesevisi, okhiye besitifiketi, amathokheni e-API ahlukahlukene, njll. Ngokuvamile abizwa ngokuthi “izimfihlo.”

Uma unganqumi kwasekuqaleni ukuthi lezi zimfihlo uzigcina kuphi futhi kanjani, ngakho-ke, ngokuya ngobunzima bezidingo zokuphepha kolwazi, izindlela ezilandelayo zokugcina kungenzeka:

  • ngokuqondile kukhodi yokulawula ukumisa noma kumafayela endaweni yokugcina;
  • kumathuluzi okuphatha okukhethekile (isibonelo, i-Ansible Vault);
  • ezinhlelweni ze-CI/CD (Jenkins/TeamCity/GitLab/etc.) noma ezinhlelweni zokuphatha zokumisa (Ansible Tower/Ansible AWX);
  • izimfihlo zingabuye zidluliselwe "ngesandla". Isibonelo, zibekwe endaweni ethile, bese zisetshenziswa izinhlelo zokuphatha ukucushwa;
  • inhlanganisela ehlukahlukene yalokhu okungenhla.

Indlela ngayinye inemibi yayo. Okuyinhloko ukuntuleka kwezinqubomgomo zokufinyelela ezimfihlo: akunakwenzeka noma kunzima ukucacisa ukuthi ubani ongasebenzisa izimfihlo ezithile. Okunye okubi wukuntuleka kokuhlolwa kokufinyelela kanye nomjikelezo wempilo ephelele. Indlela yokushintsha ngokushesha, isibonelo, ukhiye womphakathi obhalwe kukhodi kanye nezinhlelo eziningi ezihlobene?

Sisebenzise indawo yokugcina eyimfihlo i-HashiCorp Vault. Lokhu kusivumele:

  • gcina izimfihlo ziphephile. Zibethelwe, futhi ngisho noma othile ezuza ukufinyelela kusizindalwazi se-Vault (isibonelo, ngokuyibuyisela kukhophi yasenqolobaneni), ngeke akwazi ukufunda izimfihlo ezigcinwe lapho;
  • hlela izinqubomgomo zokufinyelela ezimfihlo. Izimfihlo kuphela “ezinikezwe” kubo ezitholakala kubasebenzisi nezinhlelo zokusebenza;
  • ukucwaningwa kokufinyelela ezimfihlo. Noma yiziphi izenzo ezinezimfihlo zirekhodwa kulogi yokuhlola ye-Vault;
  • hlela “umjikelezo wokuphila” ophelele wokusebenza nezimfihlo. Angadalwa, ahoxiswe, asethe idethi yokuphelelwa yisikhathi, njll.
  • kulula ukuhlanganisa nezinye izinhlelo ezidinga ukufinyelela ezimfihlo;
  • futhi usebenzise ukubethela kokuphela ukuya ekupheleni, amaphasiwedi esikhathi esisodwa we-OS kanye nesizindalwazi, izitifiketi zezikhungo ezigunyaziwe, njll.

Manje ake sidlulele ohlelweni olumaphakathi lokufakazela ubuqiniso nokugunyaza. Bekungenzeka ukwenza ngaphandle kwayo, kodwa ukuphatha abasebenzisi kumasistimu amaningi ahlobene akuyona into encane kakhulu. Silungiselele ukuqinisekiswa nokugunyazwa ngesevisi ye-LDAP. Uma kungenjalo, i-Vault kuzodingeka ikhiphe futhi ilandelele amathokheni okuqinisekisa kubasebenzisi. Futhi ukususa nokwengeza abasebenzisi kuzophenduka umbuzo othi "ingabe ngidale/ngasusa le akhawunti yomsebenzisi yonke indawo?"

Sengeza elinye izinga kusistimu yethu: ukuphathwa kwezimfihlo kanye nokuqinisekisa okumaphakathi/ukugunyazwa:

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 2. Ukuphathwa kwezimfihlo.

Ukuphathwa kokucushwa

Sifinyelele kumnyombo - uhlelo lwe-CMS. Esimweni sethu, lokhu kuyinhlanganisela ye-Ansible ne-Red Hat Ansible AWX.

Esikhundleni se-Ansible, Chef, Puppet, SaltStack ingasetshenziswa. Sikhethe i-Ansible ngokusekelwe kumibandela embalwa.

  • Okokuqala, kuwukuguquguquka. Isethi yamamojula enziwe ngomumo okulawula kuyahlaba umxhwele. Futhi uma ungenayo eyanele, ungasesha ku-GitHub ne-Galaxy.
  • Okwesibili, asikho isidingo sokufaka nokusekela ama-agent emishinini ephethwe, afakazele ukuthi awaphazamisi umthwalo, futhi aqinisekise ukungabikho "kwamabhukhimakhi".
  • Okwesithathu, i-Ansible inomgoqo ophansi wokungena. Unjiniyela onekhono uzobhala incwadi yokudlala esebenzayo ngokoqobo ngosuku lokuqala lokusebenza nomkhiqizo.

Kodwa i-Ansible iyodwa endaweni yokukhiqiza yayinganele ngathi. Uma kungenjalo, izinkinga eziningi zingavela ngokukhawulela ukufinyelela nokuhlola izenzo zabaphathi. Ungakukhawulela kanjani ukufinyelela? Phela, kwakudingeka ukuthi umnyango ngamunye uphathe (funda: sebenzisa i-playbook Ansible) isethi "yayo" yamaseva. Uzivumela kanjani izisebenzi ezithile kuphela ukuthi zisebenzise izincwadi zokudlala ezithize? Noma ulandelelwa kanjani ukuthi ubani oqalise incwadi yokudlala ngaphandle kokusetha ulwazi oluningi lwasendaweni kumaseva namathuluzi asebenzisa i-Ansible?

Ingxenye yengonyama yezindaba ezinjalo ixazululwa yi-Red Hat I-Ansible Tower, noma iphrojekthi yakhe ephezulu yomthombo ovulekile Inani eliphakeme kakhulu lama-AWX. Yingakho siyikhethele ikhasimende.

Nokuthinta okukodwa kusithombe sesistimu yethu ye-CMS. Ibhuku lokudlala elifanele kufanele ligcinwe ezinhlelweni zokuphatha inqolobane yekhodi. Sinayo I-GitLab CE.

Ngakho, ukucupha ngokwako kulawulwa yinhlanganisela ye-Ansible/Ansible AWX/GitLab (bona umdwebo 3). Yebo, i-AWX/GitLab ihlanganiswe nesistimu eyodwa yokuqinisekisa, futhi incwadi yokudlala ye-Ansible ihlanganiswe ne-HashiCorp Vault. Ukucushwa kungena endaweni yokukhiqiza kuphela nge-Ansible AWX, lapho kucaciswa khona yonke "imithetho yegeyimu": ubani ongalungisa ukuthi yini, angathola kuphi ikhodi yokuphatha yokucushwa ye-CMS, njll.

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 3. Ukuphathwa kokumisa.

Ukuphathwa kokuhlolwa

Ukucushwa kwethu kuvezwe ngekhodi. Ngakho-ke, siphoqeleka ukuthi sidlale ngemithetho efanayo nabathuthukisi be-software. Besidinga ukuhlela izinqubo zokuthuthukiswa, ukuhlola okuqhubekayo, ukulethwa kanye nokusetshenziswa kwekhodi yokumisa kumaseva okukhiqiza.

Uma lokhu kungenziwa ngokushesha, izindima ezibhalelwe ukulungiselelwa zizoyeka ukusekelwa nokushintshwa, noma ziyeke ukwethulwa ekukhiqizweni. Ikhambi lalobu buhlungu liyaziwa, futhi lizibonakalise kulo msebenzi:

  • indima ngayinye ihlanganiswa ukuhlolwa kweyunithi;
  • ukuhlola kwenziwa ngokuzenzakalelayo noma nini lapho kunoshintsho kukhodi ephethe izilungiselelo;
  • izinguquko kukhodi yokuphatha ukucushwa zikhishwa endaweni yokukhiqiza kuphela ngemva kokuphasa ngempumelelo zonke izivivinyo nokubuyekezwa kwekhodi.

Ukuthuthukiswa kwekhodi nokuphathwa kokumisa sekuzolile futhi kuyabikezelwa. Ukuze sihlele ukuhlola okuqhubekayo, sisebenzise ikhithi yamathuluzi ye-GitLab CI/CD, futhi sathatha I-Ansible molecule.

Noma nini lapho kuba noshintsho kukhodi yokuphatha yokucushwa, i-GitLab CI/CD ibiza i-Molecule:

  • ihlola i-syntax yekhodi,
  • iphakamisa isitsha se-Docker,
  • isebenzisa ikhodi eshintshiwe esitsheni esidaliwe,
  • ihlola indima yokungabi namandla futhi iqhube izivivinyo zale khodi (imbudumbudu lapha isezingeni lendima efanelekile, bheka u-Fig. 4).

Silethe ukucupha endaweni yokukhiqiza sisebenzisa i-Ansible AWX. Onjiniyela bokusebenza basebenzise izinguquko zokumisa ngezifanekiso ezichazwe ngaphambilini. I-AWX “icele” ngokuzimela inguqulo yakamuva yekhodi evela egatsheni eliyinhloko le-GitLab njalo uma isetshenziswa. Ngale ndlela sikukhiphele ngaphandle ukusetshenziswa kwekhodi engahloliwe noma ephelelwe yisikhathi endaweni yokukhiqiza. Ngokwemvelo, ikhodi yangena egatsheni eliyinhloko kuphela ngemva kokuhlolwa, ukubuyekezwa nokuvunyelwa.

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 4. Ukuhlola okuzenzakalelayo kwezindima ku-GitLab CI/CD.

Kuphinde kube nenkinga ehambisana nokusebenza kwezinhlelo zokukhiqiza. Empilweni yangempela, kunzima kakhulu ukwenza izinguquko zokumisa ngekhodi ye-CMS iyodwa. Izimo eziphuthumayo zivela lapho unjiniyela kufanele aguqule ukumisa "lapha futhi manje", ngaphandle kokulinda ukuhlelwa kwekhodi, ukuhlolwa, ukugunyazwa, njll.

Ngenxa yalokho, ngenxa yezinguquko ezenziwa ngesandla, ukungafani kuyavela ekucushweni kohlobo olufanayo lwemishini (isibonelo, izilungiselelo ze-sysctl zilungiswa ngendlela ehlukile kuma-HA Cluster node). Noma ukucushwa kwangempela kwemishini kuyahluka kunaleyo eshiwo kukhodi ye-CMS.

Ngakho-ke, ngaphezu kokuhlola okuqhubekayo, sihlola izindawo zokukhiqiza ukuze sithole ukungezwani kokucushwa. Sikhethe inketho elula: ukusebenzisa ikhodi yokumisa ye-CMS kumodi "yokugijima okomile", okungukuthi, ngaphandle kokusebenzisa izinguquko, kodwa ngesaziso sakho konke ukungqubuzana phakathi kokucushwa okuhleliwe nokwangempela. Sisebenzise lokhu ngokuqalisa ngezikhathi ezithile zonke izincwadi zokudlala ze-Ansible ngenketho ethi “—hlola” kumaseva okukhiqiza. Njengenjwayelo, i-Ansible AWX inesibopho sokwethula nokugcina incwadi yokudlala isesikhathini samanje (bona u-Fig. 5):

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 5. Ihlola ukungezwani kokucushwa ku-Ansible AWX.

Ngemva kokuhlola, i-AWX ithumela umbiko wokungafani kubalawuli. Bafunda ukucushwa okuyinkinga bese bekulungisa ngezincwadi zokudlala ezilungisiwe. Lena yindlela esigcina ngayo ukucushwa endaweni yokukhiqiza futhi i-CMS ihlala isesikhathini futhi ivumelaniswa. Lokhu kuqeda "izimangaliso" ezingajabulisi lapho kusetshenziswa ikhodi ye-CMS kumaseva "wokukhiqiza".

Manje sinesendlalelo esibalulekile sokuhlola esihlanganisa i-Ansible AWX/GitLab/Molecule (Umfanekiso 6).

Okujabulisayo mayelana nokusetha amaseva ngaphandle kwezimangaliso Ngokuphathwa Kokucushwa
Ilayisi. 6. Ukuphathwa kokuhlolwa.

Kunzima? Angiphikisani. Kodwa inkimbinkimbi enjalo yokuphathwa kokucushwa isiphenduke impendulo ebanzi emibuzweni eminingi ehlobene nokuzenzakalelayo kokucushwa kweseva. Manje amaseva ajwayelekile omthengisi ahlala enokucushwa okuchazwe ngokuqinile. I-CMS, ngokungafani nonjiniyela, ngeke ikhohlwe ukungeza izilungiselelo ezidingekayo, dala abasebenzisi futhi yenze inqwaba noma amakhulu ezilungiselelo ezidingekayo.

Alukho “ulwazi oluyimfihlo” kuzilungiselelo zamaseva nasezindaweni ezizungezile namuhla. Zonke izici ezidingekayo ziboniswa encwadini yokudlala. Akusekho ukuqamba kanye nemiyalelo engacacile: “Ifake njenge-Oracle evamile, kodwa udinga ukucacisa izilungiselelo ezimbalwa ze-sysctl futhi wengeze abasebenzisi nge-UID edingekayo. Buza abafana abasebenzayo, bayazi".

Ikhono lokubona ukungqubuzana kokucushwa nokukulungisa ngokuqhubekayo linikeza ukuthula kwengqondo. Ngaphandle kwesistimu yokuphatha ukucushwa, lokhu kuvame ukubukeka kuhlukile. Izinkinga zinqwabelana kuze kube usuku olulodwa "zidubula" ekukhiqizeni. Khona-ke i-debriefing iyenziwa, ukucupha kuyahlolwa futhi kulungiswe. Futhi umjikelezo uphinda futhi

Futhi kunjalo, sisheshise ukwethulwa kwamaseva kusukela ezinsukwini ezimbalwa kuya emahoreni.

Nokho, ngoNcibijane ngokwawo, lapho izingane zivula izipho ngenjabulo futhi abantu abadala benza izifiso njengoba kushaya ama-chimes, onjiniyela bethu bathuthela uhlelo lwe-SAP kumaseva amasha. Ngisho noSanta Claus uzothi izimangaliso ezinhle kakhulu yilezo ezilungiselelwe kahle.

PS Ithimba lethu livame ukuhlangana neqiniso lokuthi amakhasimende afuna ukuxazulula izinkinga zokuphatha ukucushwa kalula ngangokunokwenzeka. Ngokufanelekile, njengokungathi ngomlingo - ngethuluzi elilodwa. Kodwa empilweni yonke into iyinkimbinkimbi (yebo, izinhlamvu zesiliva azizange zilethwe futhi): kufanele udale yonke inqubo usebenzisa amathuluzi alungele ithimba lekhasimende.

Umbhali: USergey Artemov, umakhi womnyango Izixazululo ze-DevOps "Jet Infosystems"

Source: www.habr.com

Engeza amazwana