Intshayelelo
Singaphakathi
Π
Nge-Istio 1.1, i-proxy idla malunga ne-0,6 vCPUs (i-virtual cores) ngezicelo ze-1000 ngesekhondi.
Kummandla wokuqala kumnatha wenkonzo (ii-proxies ezi-2 kwicala ngalinye loqhagamshelo), siya kuba ne-1200 cores nje kwi-proxy, ngesantya sesigidi sezicelo ngesekhondi. Ngokwecalculator yeendleko zikaGoogle, isebenza malunga ne-40 yeedola / inyanga / isiseko soqwalaselo. n1-standard-64
, oko kukuthi, lo mmandla wodwa uya kusixabisa ngaphezu kwe-50 amawaka eedola ngenyanga ngezicelo ze-1 yezigidi ngomzuzwana.
UIvan Sim (
Kuyabonakala ukuba, ixabiso-istio-test.yaml liya kwandisa kakhulu izicelo ze-CPU. Ukuba ndiyenze imathematika yam ngokuchanekileyo, udinga malunga nama-24 e-CPU cores kwiphaneli yolawulo kunye ne-0,5 CPU kwiproksi nganye. Andinayo ingako. Ndiya kuziphinda iimvavanyo xa izibonelelo ezininzi zabelwe mna.
Bendifuna ukuzibonela ngokwam ukuba ifana njani intsebenzo ye-Istio kwenye i-mesh yenkonzo yomthombo ovulekileyo:
Ufakelo lomnatha wenkonzo
Okokuqala, ndiyifake kwiqela
$ supergloo init
installing supergloo version 0.3.12
using chart uri https://storage.googleapis.com/supergloo-helm/charts/supergloo-0.3.12.tgz
configmap/sidecar-injection-resources created
serviceaccount/supergloo created
serviceaccount/discovery created
serviceaccount/mesh-discovery created
clusterrole.rbac.authorization.k8s.io/discovery created
clusterrole.rbac.authorization.k8s.io/mesh-discovery created
clusterrolebinding.rbac.authorization.k8s.io/supergloo-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/discovery-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/mesh-discovery-role-binding created
deployment.extensions/supergloo created
deployment.extensions/discovery created
deployment.extensions/mesh-discovery created
install successful!
Ndisebenzise iSuperGloo kuba yenza i-bootstrapping ye-mesh yenkonzo ibe lula kakhulu. Kwakungeyomfuneko ukuba ndenze okuninzi. Asisebenzisi iSuperGloo kwimveliso, kodwa ilungele umsebenzi onjalo. Kwafuneka ndisebenzise ngokwenyani imiyalelo embalwa kumnatha wenkonzo nganye. Ndisebenzise amaqela amabini ukuba ndedwa - elinye lilinye kwi-Istio kunye ne-Linkerd.
Uvavanyo lwenziwe kwi-Google Kubernetes Engine. Ndisebenzise iKubernetes 1.12.7-gke.7
kunye nedama lamaqhuqhuva n1-standard-4
kunye ne-node scaling ngokuzenzekelayo (ubuncinci be-4, ubuninzi be-16).
Emva koko ndifake zombini iimeshes zenkonzo ukusuka kumgca womyalelo.
Okokuqala kudityaniswe:
$ supergloo install linkerd --name linkerd
+---------+--------------+---------+---------------------------+
| INSTALL | TYPE | STATUS | DETAILS |
+---------+--------------+---------+---------------------------+
| linkerd | Linkerd Mesh | Pending | enabled: true |
| | | | version: stable-2.3.0 |
| | | | namespace: linkerd |
| | | | mtls enabled: true |
| | | | auto inject enabled: true |
+---------+--------------+---------+---------------------------+
Emva koko Istio:
$ supergloo install istio --name istio --installation-namespace istio-system --mtls=true --auto-inject=true
+---------+------------+---------+---------------------------+
| INSTALL | TYPE | STATUS | DETAILS |
+---------+------------+---------+---------------------------+
| istio | Istio Mesh | Pending | enabled: true |
| | | | version: 1.0.6 |
| | | | namespace: istio-system |
| | | | mtls enabled: true |
| | | | auto inject enabled: true |
| | | | grafana enabled: true |
| | | | prometheus enabled: true |
| | | | jaeger enabled: true |
+---------+------------+---------+---------------------------+
I-crash-loop ithathe imizuzu embalwa, kwaye iipaneli zokulawula zizinzile.
(Qaphela: I-SuperGloo ixhasa kuphela i-Istio 1.0.x okwangoku. Ndiphindaphinde umfuniselo nge-Istio 1.1.3, kodwa andizange ndiqaphele nawuphi na umahluko obonakalayo.)
Ukumisela i-Istio Automatic Deployment
Ukwenza i-Istio ifakele i-sidecar uMthunywa, sisebenzisa i-injector ye-sidecar - MutatingAdmissionWebhook
. Asiyi kuthetha ngayo kweli nqaku. Manditsho nje ukuba lo ngumlawuli obeka esweni ukufikelela kuzo zonke iipod ezintsha kwaye wongeza ngamandla i-sidecar kunye ne-initContainer, enoxanduva lwemisebenzi. iptables
.
Thina kwa-Shopify sibhale umlawuli wethu wokufikelela ukuphumeza ii-sidecars, kodwa ngenxa yolu phawu ndisebenzise umlawuli oza kunye ne-Istio. Umlawuli ufaka iimoto ezisecaleni ngokungagqibekanga xa kukho indlela emfutshane kwindawo yamagama istio-injection: enabled
:
$ kubectl label namespace irs-client-dev istio-injection=enabled
namespace/irs-client-dev labeled
$ kubectl label namespace irs-server-dev istio-injection=enabled
namespace/irs-server-dev labeled
Ukumisela ukuthunyelwa kwe-Linkerd ngokuzenzekelayo
Ukuseta i-Linkerd sidecar embedding, sisebenzisa amanqakwana (ndiyongeze ngesandla nge kubectl edit
):
metadata:
annotations:
linkerd.io/inject: enabled
$ k edit ns irs-server-dev
namespace/irs-server-dev edited
$ k get ns irs-server-dev -o yaml
apiVersion: v1
kind: Namespace
metadata:
annotations:
linkerd.io/inject: enabled
name: irs-server-dev
spec:
finalizers:
- kubernetes
status:
phase: Active
I-Istio Fault Tolerance Simulator
Sakhe i-simulator yokunyamezela impazamo ebizwa ngokuba yi-Istio ukuze sivavanye itrafikhi ekhethekileyo kwi-Shopify. Sasidinga isixhobo sokudala i-topology yesiko esiya kubonisa inxalenye ethile yegrafu yenkonzo yethu, iqulunqwe ngamandla ukuba imodeli yomthwalo okhethekileyo womsebenzi.
Iziseko zophuhliso zikaShopify ziphantsi komthwalo onzima ngexesha lentengiso yeflash. Kwangaxeshanye, Shopify
Besifuna i-simulator yethu yokuqina ukuba imodeli yokuhamba komsebenzi ehambelana ne-topology kunye nomthwalo womsebenzi oye wongamela iziseko zoncedo zikaShopify kwixesha elidlulileyo. Injongo ephambili yokusebenzisa i-mesh yenkonzo kukuba sifuna ukuthembeka kunye nokunyamezela impazamo kwinqanaba lenethiwekhi, kwaye kubalulekile kuthi ukuba i-mesh yenkonzo ihlangabezane ngokufanelekileyo nemithwalo eyayiphazamisa iinkonzo ngaphambili.
Kwintliziyo ye-fault tolerance simulator yi-node yabasebenzi, esebenza njenge-mesh node yenkonzo. I-node yabasebenzi inokuqwalaselwa ngokwezibalo ekuqaleni okanye ngokuguquguqukayo nge-REST API. Sisebenzisa ukucwangciswa okuguquguqukayo kweenodi zabasebenzi ukudala ukuhamba komsebenzi ngendlela yovavanyo lokubuyisela.
Nanku umzekelo wenkqubo enjalo:
- Siphehlelela iiseva ezili-10 njenge
bar
inkonzo ebuyisela impendulo200/OK
emva kwe-100 ms. - Siqalisa abathengi 10 - ngamnye uthumela 100 izicelo ngomzuzwana ukuya
bar
. - Rhoqo kwimizuzwana eyi-10 sisusa iseva enye kwaye sibeke iliso kwiimpazamo
5xx
kumxhasi.
Ekupheleni kokuhamba komsebenzi, sihlola iilogi kunye neemetriki kwaye sikhangele ukuba uvavanyo luphumelele. Ngale ndlela sifunda malunga nokusebenza kwe-mesh yethu yenkonzo kwaye siqhuba uvavanyo lokubuyela umva ukuvavanya iingqikelelo zethu malunga nokunyamezela iimpazamo.
(Qaphela: Sicinga ngokuvula i-Istio fault tolerance simulator, kodwa asikakulungeli ukwenza oko okwangoku.)
Istio fault tolerance simulator yenkonzo inemesh benchmark
Siseta iindawo ezininzi zokusebenza zesifanisi:
irs-client-loadgen
: Iikopi ezi-3 ezithumela izicelo ezili-100 ngesekhondi nganyeirs-client
.irs-client
: Iikopi ezi-3 ezifumana isicelo, linda i-100ms kwaye uthumele isicelo kuirs-server
.irs-server
: Iikopi ezi-3 ezibuyayo200/OK
emva kwe-100 ms.
Ngolu lungelelwaniso, sinokulinganisa ukuhamba okuzinzile kwe-traffic phakathi kwe-9 endpoints. Sidecars ngaphakathi irs-client-loadgen
ΠΈ irs-server
ukufumana izicelo 100 ngomzuzwana, kwaye irs-client
β 200 (engenayo naphumayo).
Silandelela ukusetyenziswa kwemithombo
Iziphumo
Iiphaneli zokulawula
Okokuqala, sihlolisise ukusetyenziswa kwe-CPU.
Iphaneli yokulawula ye-Linkerd ~ 22 millicore
Iphaneli yokulawula ye-Istio: ~ 750 millicore
Iphaneli yolawulo ye-Istio isebenzisa malunga Amaxesha angama-35 ngaphezulu kwezixhobo ze-CPUngaphezu kwe-Linkerd. Ngokuqinisekileyo, yonke into ifakwe ngokungagqibekanga, kwaye i-istio-telemetry isebenzisa izixhobo ezininzi zeprosesa apha (inokukhutshazwa ngokukhubaza imisebenzi ethile). Ukuba sisusa eli candelo, sisafumana ngaphezulu kwe-100 millicores, oko kukuthi 4 amaxesha ngaphezulungaphezu kwe-Linkerd.
Ummeli wemoto esecaleni
Emva koko siye savavanya ukusetyenziswa kwe-proxy. Kufuneka kubekho ubudlelwane bomgca kunye nenani lezicelo, kodwa kwi-sidecar nganye kukho i-overhead ethile echaphazela ijika.
I-Linkerd: ~100 millicores ye-irs-client, ~50 millicores ye-irs-client-loadgen
Iziphumo zibukeka zinengqiqo, kuba umxhasi womxhasi ufumana i-traffic ephindwe kabini njenge-proxy ye-loadgen: kwisicelo ngasinye esiphumayo esivela kwi-loadgen, umxhasi unenye engenayo kunye nenye ephumayo.
Istio/Umthunywa: ~155 millicores ye-irs-client, ~75 millicores ye-irs-client-loadgen
Sibona iziphumo ezifanayo kwi-Istio sidecars.
Kodwa ngokubanzi, i-Istio/Envoy proxies idla malunga ne-50% yezibonelelo ze-CPU ngaphezulungaphezu kwe-Linkerd.
Sibona inkqubo efanayo kwicala lomncedisi:
I-Linkerd: ~ 50 millicore ye-irs-server
Istio/Umthunywa: ~80 millicore ye-irs-server
Kwicala lomncedisi, i-sidecar Istio / uMthunywa uyadla malunga ne-60% yezibonelelo ze-CPU ngaphezulungaphezu kwe-Linkerd.
isiphelo
Ummeli we-Istio utya i-50+% ye-CPU ngaphezulu kwe-Linkerd kumthwalo wethu wokulinganisa. Iphaneli yokulawula ye-Linkerd isebenzisa izixhobo ezingaphantsi kwe-Istio, ngakumbi kumacandelo angundoqo.
Sisacinga ngendlela yokunciphisa ezi ndleko. Ukuba unemibono, nceda wabelane!
umthombo: www.habr.com