Gabatarwar
Muna ciki ya fara tura Istio azaman layin sabis. A ka'ida, komai yana da kyau, sai dai abu ɗaya: yana da tsada.
В Ga Istio yana cewa:
Tare da Istio 1.1, wakili yana cinye kusan 0,6 vCPUs (nau'i na zahiri) a cikin buƙatun 1000 a sakan daya.
Don yanki na farko a cikin layin sabis (proxies 2 a kowane gefen haɗin), za mu sami nau'ikan nau'ikan 1200 kawai don wakili, a ƙimar buƙatun miliyan ɗaya a sakan daya. Dangane da kalkuleta na farashi na Google, yana aiki kusan $40/month/core don daidaitawa n1-standard-64Wato wannan yanki kadai zai kashe mana fiye da dala dubu 50 a kowane wata kan buƙatun miliyan 1 a sakan daya.
Ivan Sim () jinkirin ragamar sabis a bara kuma yayi alƙawarin iri ɗaya don ƙwaƙwalwar ajiya da processor, amma bai yi aiki ba:
A bayyane yake, ƙimar-istio-test.yaml za ta ƙara yawan buƙatun CPU. Idan na yi lissafi na daidai, kuna buƙatar kusan 24 CPU cores don panel iko da 0,5 CPU ga kowane wakili. Bani da yawa haka. Zan maimaita gwaje-gwajen lokacin da aka ware mani ƙarin albarkatu.
Ina so in ga yadda aikin Istio yayi kama da wani buɗaɗɗen layin sabis na tushen: .
Shigar ragamar sabis
Da farko, na shigar da shi a cikin gungu :
$ supergloo init
installing supergloo version 0.3.12
using chart uri https://storage.googleapis.com/supergloo-helm/charts/supergloo-0.3.12.tgz
configmap/sidecar-injection-resources created
serviceaccount/supergloo created
serviceaccount/discovery created
serviceaccount/mesh-discovery created
clusterrole.rbac.authorization.k8s.io/discovery created
clusterrole.rbac.authorization.k8s.io/mesh-discovery created
clusterrolebinding.rbac.authorization.k8s.io/supergloo-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/discovery-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/mesh-discovery-role-binding created
deployment.extensions/supergloo created
deployment.extensions/discovery created
deployment.extensions/mesh-discovery created
install successful!Na yi amfani da SuperGloo saboda yana sa bootstrapping ragamar sabis ya fi sauƙi. Ba sai na yi yawa ba. Ba ma amfani da SuperGloo wajen samarwa, amma ya dace da irin wannan aikin. Dole ne in yi amfani da wasu umarni guda biyu don kowane layin sabis. Na yi amfani da gungu biyu don ware - ɗaya kowanne don Istio da Linkerd.
An gudanar da gwajin akan Injin Google Kubernetes. Na yi amfani da Kubernetes 1.12.7-gke.7 da tafkin nodes n1-standard-4 tare da sikelin kumburi ta atomatik (mafi ƙarancin 4, matsakaicin 16).
Sannan na shigar da meshes biyu na sabis daga layin umarni.
Farkon Haɗe:
$ supergloo install linkerd --name linkerd
+---------+--------------+---------+---------------------------+
| INSTALL | TYPE | STATUS | DETAILS |
+---------+--------------+---------+---------------------------+
| linkerd | Linkerd Mesh | Pending | enabled: true |
| | | | version: stable-2.3.0 |
| | | | namespace: linkerd |
| | | | mtls enabled: true |
| | | | auto inject enabled: true |
+---------+--------------+---------+---------------------------+Sai Istio:
$ supergloo install istio --name istio --installation-namespace istio-system --mtls=true --auto-inject=true
+---------+------------+---------+---------------------------+
| INSTALL | TYPE | STATUS | DETAILS |
+---------+------------+---------+---------------------------+
| istio | Istio Mesh | Pending | enabled: true |
| | | | version: 1.0.6 |
| | | | namespace: istio-system |
| | | | mtls enabled: true |
| | | | auto inject enabled: true |
| | | | grafana enabled: true |
| | | | prometheus enabled: true |
| | | | jaeger enabled: true |
+---------+------------+---------+---------------------------+Rikicin-madauki ya ɗauki 'yan mintoci kaɗan, sannan na'urorin sarrafa su sun daidaita.
(Lura: SuperGloo kawai yana goyan bayan Istio 1.0.x a yanzu. Na maimaita gwajin tare da Istio 1.1.3, amma ban lura da wani bambanci mai ban mamaki ba.)
Kafa Istio Aiki ta atomatik
Don sanya Istio shigar da wakilin motar gefen, muna amfani da injector na gefe - MutatingAdmissionWebhook. Ba za mu yi magana game da shi a cikin wannan labarin ba. Bari in faɗi cewa wannan mai sarrafawa ne wanda ke sa ido kan samun damar duk sabbin kwas ɗin kuma yana ƙara haɓakar motar gefe da initContainer, wanda ke da alhakin ayyuka. iptables.
Mu a Shopify mun rubuta namu mai sarrafa shiga don aiwatar da motocin gefe, amma don wannan ma'auni na yi amfani da mai sarrafawa wanda ya zo tare da Istio. Mai sarrafawa yana shigar da motocin gefe ta tsohuwa lokacin da akwai gajeriyar hanya a cikin filin suna istio-injection: enabled:
$ kubectl label namespace irs-client-dev istio-injection=enabled
namespace/irs-client-dev labeled
$ kubectl label namespace irs-server-dev istio-injection=enabled
namespace/irs-server-dev labeledƘirƙirar turawa ta atomatik Linkerd
Don saita haɗin haɗin gefe na Linkerd, muna amfani da annotations (Na ƙara su da hannu ta hanyar kubectl edit):
metadata:
annotations:
linkerd.io/inject: enabled$ k edit ns irs-server-dev
namespace/irs-server-dev edited
$ k get ns irs-server-dev -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
linkerd.io/inject: enabled
name: irs-server-dev
spec:
finalizers:
- kubernetes
status:
phase: ActiveIstio Fault Tolerance Simulator
Mun gina na'urar kwaikwayo ta haƙura da kuskure mai suna Istio don gwaji tare da zirga-zirga na musamman ga Shopify. Muna buƙatar kayan aiki don ƙirƙirar topology na al'ada wanda zai wakilci takamaiman yanki na jadawali na sabis ɗinmu, an daidaita shi da ƙarfi don ƙirƙira takamaiman kayan aiki.
Kayan aikin Shopify yana ƙarƙashin nauyi yayin siyar da walƙiya. A lokaci guda, Shopify . Manyan abokan ciniki wani lokaci suna yin gargaɗi game da shirin siyar da walƙiya. Wasu suna yi mana ba zato ba tsammani a kowane lokaci na dare ko rana.
Muna son na'urar kwaikwayo ta juriyarmu don yin ƙirar ayyukan aiki waɗanda suka dace da topologies da nauyin aiki waɗanda suka mamaye kayan aikin Shopify a baya. Babban manufar yin amfani da ragar sabis shine muna buƙatar dogaro da haƙuri da kuskure a matakin hanyar sadarwa, kuma yana da mahimmanci a gare mu cewa layin sabis ɗin ya iya jure lodin da a baya ya rushe sabis.
A tsakiyar na'urar kwaikwayo ta haƙura laifi ita ce kullin ma'aikaci, wanda ke aiki azaman kumburin ragar sabis. Za a iya daidaita kullin ma'aikaci a tsaye a farawa ko kuma ta hanyar REST API. Muna amfani da ƙayyadaddun tsari na nodes na ma'aikata don ƙirƙirar ayyukan aiki a cikin nau'i na gwaje-gwajen koma baya.
Ga misalin irin wannan tsari:
- Mun kaddamar da sabobin 10 kamar yadda
barsabis ɗin da ke mayar da martani200/OKbayan 100 ms. - Mun ƙaddamar da abokan ciniki 10 - kowanne yana aika buƙatun 100 a sakan daya zuwa
bar. - Kowane daƙiƙa 10 muna cire uwar garken 1 kuma muna saka idanu akan kurakurai
5xxa kan abokin ciniki.
A ƙarshen aikin, muna bincika rajistan ayyukan da awo da kuma duba ko gwajin ya wuce. Ta wannan hanyar muna koyo game da aikin ragar sabis ɗinmu kuma muna gudanar da gwajin koma baya don gwada tunaninmu game da haƙurin kuskure.
(Lura: Muna tunanin buɗe buɗaɗɗen na'urar na'urar haƙuri ta Istio, amma ba mu shirya yin hakan ba tukuna.)
Istio laifi haƙuri na'urar kwaikwayo don sabis mesh benchmark
Mun kafa nodes masu aiki da yawa na na'urar kwaikwayo:
irs-client-loadgen: Kwafi guda 3 waɗanda ke aika buƙatun 100 a kowane daƙiƙa gudairs-client.irs-client: 3 kwafi waɗanda suka karɓi buƙatar, jira 100ms kuma tura buƙatar zuwairs-server.irs-server: 3 kwafi wanda ya dawo200/OKbayan 100 ms.
Tare da wannan saitin, za mu iya auna daidaiton zirga-zirgar ababen hawa tsakanin makirufo 9. Sidecars in irs-client-loadgen и irs-server karbi buƙatun 100 a sakan daya, kuma irs-client - 200 (mai shigowa da masu fita).
Muna bin hanyar amfani da albarkatu ta hanyar saboda ba mu da gungun Prometheus.
Результаты
Panelsungiyoyin sarrafawa
Da farko, mun bincika yawan amfani da CPU.
Linkerd iko panel ~ 22 millicore
Istio iko panel: ~ 750 millicore
Ƙungiyar kula da Istio tana amfani da kusan Sau 35 ƙarin albarkatun CPUfiye da Linkerd. Tabbas, an shigar da komai ta tsohuwa, kuma istio-telemetry yana cinye albarkatu masu yawa a nan (ana iya kashe shi ta hanyar kashe wasu ayyuka). Idan muka cire wannan bangaren, har yanzu muna samun fiye da millicores 100, wato Sau 4 kenanfiye da Linkerd.
Sidecar wakili
Sai muka gwada amfani da wakili. Dole ne a sami alaƙar layi tare da adadin buƙatun, amma ga kowane motar gefen gefe akwai wasu sama da ke shafar lanƙwasa.
Linkerd: ~ 100 millicores don irs-abokin ciniki, ~ 50 millicores don irs-abokin ciniki-loadgen
Sakamakon yana da ma'ana, saboda wakili na abokin ciniki yana karɓar nau'ikan zirga-zirga sau biyu kamar na wakili na loadgen: ga kowane buƙatun mai fita daga loadgen, abokin ciniki yana da mai shigowa da mai fita ɗaya.
Istio / Manzo: ~ 155 millicores na irs-abokin ciniki, ~ 75 millicores don irs-abokin ciniki-loadgen
Muna ganin sakamako makamancin haka don motocin gefen Istio.
Amma gabaɗaya, Istio/Envoy proxies suna cinyewa kusan 50% ƙarin albarkatun CPUfiye da Linkerd.
Muna ganin makirci iri ɗaya a gefen uwar garken:
Linkerd: ~ 50 millicore don uwar garken irs
Istio/Manzo: ~ 80 millicore don uwar garken irs
A gefen uwar garken, sidecar Istio/Envoy yana cinyewa kusan 60% ƙarin albarkatun CPUfiye da Linkerd.
ƙarshe
Wakilin Wakilin Istio yana cinye 50+% fiye da CPU fiye da Linkerd akan aikin mu na kwaikwayi. Ƙungiyar sarrafawa ta Linkerd tana cinye albarkatun ƙasa da yawa fiye da Istio, musamman don ainihin abubuwan haɗin gwiwa.
Har yanzu muna tunanin yadda za a rage waɗannan farashin. Idan kuna da ra'ayoyi, don Allah raba!
source: www.habr.com