How to do comparative analysis of traffic based on Istio

2025-04-08 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/01

This article shows how to do comparative analysis of traffic based on Istio, using traffic mirroring together with the Diffy comparison proxy.

Traffic mirroring

Traffic mirroring, also known as shadow traffic, is a powerful feature that lets you bring changes to production with as little risk as possible. Mirroring sends a copy of live traffic to a mirrored service. Mirrored traffic is handled outside the critical request path of the primary service.

In a non-production or test environment, trying to cover all possible combinations of test cases for a service is unrealistic. In some cases, the hand-written test cases may not match the use cases that actually occur in production. Ideally, live production cases and traffic can be used to help cover the functional areas that are missed in the test environment.

Once we can reliably mirror the traffic, we can start doing something valuable, such as using the request traffic comparison tool Diffy to compare the behavior of the traffic sent into the test cluster with the expected behavior in the production cluster. For example, we might want to compare the deviation between the actual result of a request and the expected result, or detect data corruption in the API protocol to check compatibility.

In addition, it is important to note:

When traffic is mirrored to a different service, this happens outside the critical path of the request.

Responses to mirrored traffic are ignored; the traffic is "fire and forget".

Traffic comparison

Here, a proxy can be inserted to coordinate this traffic and make interesting comparisons. Diffy is one such proxy tool. Diffy starts a proxy service (for example, listening on port 8880) and forwards each request to the addresses set by the user: the two existing services, primary and secondary (which run exactly the same code, to reduce noise interference), and the new service, candidate.

It can also detect noise in the results (such as timestamps, monotonically increasing counters, etc.) by first calling the two live service instances, and then ignore that part when comparing against the test service.

Diffy also provides a nice page for viewing call results and comparisons, with filtering based on certain characteristics. It also has a good administrative console for viewing metrics and statistics about the results of call comparisons.

Create a service for Istio traffic mirroring

In this task, you will first force all traffic to the v1 version of the service. Then, some of the traffic will be mirrored to the v2 version using rules.

First deploy two versions of the sample service.

The version 1 deployment uses the Docker image httpbin, which provides common HTTP request endpoints:

# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; newer clusters need apps/v1 plus spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mirrorservice-sample-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mirrorservice-sample
        version: v1
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: mirrorservice-sample
        command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:44134", "httpbin:app"]
        ports:
        - containerPort: 44134

Version 2 is deployed using a custom Docker image, and the corresponding Dockerfile is as follows:

FROM nginx:latest
COPY default.conf /etc/nginx/conf.d/
EXPOSE 80

The required nginx configuration file (default.conf):

server {
    listen 44134;
    server_name localhost;

    location / {
        proxy_pass http://httpbin-diffy.diffy:8880/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

The version 2 deployment is the traffic mirror target for Istio; after it receives the traffic, it forwards it to the Diffy proxy. Currently, the Diffy proxy is not used directly as the mirror target for Istio traffic, because there is a conflict between the Diffy proxy and the Envoy proxy and the traffic cannot be forwarded normally, so this deployment is needed as a relay.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: mirrorservice-sample-v2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: mirrorservice-sample
        version: v2
    spec:
      containers:
      - name: mirrorservice-sample
        image: registry.cn-beijing.aliyuncs.com/wangxining/mirrorservice:0.1
        imagePullPolicy: Always
        ports:
        - containerPort: 44134

The corresponding Kubernetes service:

apiVersion: v1
kind: Service
metadata:
  name: mirrorservice-sample
spec:
  type: ClusterIP
  ports:
  - name: http
    port: 44134
  selector:
    app: mirrorservice-sample

Create the Istio policy for traffic mirroring

By default, Kubernetes performs load balancing between the two versions of the service. Create the following traffic mirroring rule to send 100% of the traffic to v1, while specifying that the traffic is mirrored to v2. When traffic is mirrored, the request is sent to the mirrored service with -shadow appended to its Host/Authority header.

apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: mirrorservice-sample
spec:
  host: mirrorservice-sample
  subsets:
  - name: v1
    labels:
      version: v1
  - name: v2
    labels:
      version: v2
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: mirrorservice-sample
spec:
  hosts:
  - mirrorservice-sample
  http:
  - route:
    - destination:
        host: mirrorservice-sample
        subset: v1
      weight: 100
    #- destination:
    #    host: mirrorservice-sample
    #    subset: v2
    #  weight: 0
    mirror:
      host: mirrorservice-sample
      subset: v2

Build Diffy for request traffic comparison

Diffy can act as a proxy, intercept requests and send them to all running service instances, and find possible problems in each iteration by comparing the responses. Three kinds of code instances run behind Diffy:

Online stable version (primary): a node that runs the online stable version code

Online stable version backup (secondary): a second node that also runs the online stable version code, used to eliminate noise

Test version (candidate): the version about to be released, which is compared with the online environment code

In actual Diffy tests, you will find that most interfaces show differences because of noise in the responses, which may include:

Timestamps generated in the server response

Randomly generated numbers

Race conditions among system services

Diffy can remove this kind of noise in a certain way to ensure that the analysis results will not be affected.
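The noise-cancelling idea described above, as an added example that is not from the original article and is not Diffy's own code: fields that differ between primary and secondary (same code) are treated as noise, and only the remaining primary-versus-candidate differences are reported. The sample responses and the function names are constructed for illustration, and real Diffy aggregates over many requests rather than one.

```python
import json

def flatten(value, prefix=""):
    """Map every leaf of a JSON value to a path such as 'user.name' or 'roles[0]'."""
    if isinstance(value, dict) and value:
        leaves = {}
        for key, child in value.items():
            leaves.update(flatten(child, f"{prefix}.{key}" if prefix else key))
        return leaves
    if isinstance(value, list) and value:
        leaves = {}
        for index, child in enumerate(value):
            leaves.update(flatten(child, f"{prefix}[{index}]"))
        return leaves
    return {prefix: value}  # scalar or empty container

def diff_paths(left, right):
    """Paths whose values differ, or that exist on only one side."""
    a, b = flatten(left), flatten(right)
    missing = object()
    return {p for p in a.keys() | b.keys()
            if a.get(p, missing) != b.get(p, missing)}

def compare(primary, secondary, candidate):
    """Classify differences as noise or as candidate regressions."""
    noise = diff_paths(primary, secondary)   # identical code, so any diff is noise
    raw = diff_paths(primary, candidate)     # may contain noise and real changes
    return {"noise": sorted(noise), "regressions": sorted(raw - noise)}

# Constructed sample responses (not captured from a real service).
PRIMARY = json.loads('{"id": 42, "user": {"name": "alice", "roles": ["admin"]},'
                     ' "ts": 1712563200, "request_id": "a1"}')
SECONDARY = json.loads('{"id": 42, "user": {"name": "alice", "roles": ["admin"]},'
                       ' "ts": 1712563201, "request_id": "b2"}')
CANDIDATE = json.loads('{"id": "42", "user": {"name": "alice", "roles": ["admin", "audit"]},'
                       ' "ts": 1712563202, "request_id": "c3"}')

if __name__ == "__main__":
    print(json.dumps(compare(PRIMARY, SECONDARY, CANDIDATE), indent=2))
```

Here the timestamp and request id are filtered out as noise, while the type change of id and the extra role are reported as candidate differences.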

Create Diffy and sample service

Create the Diffy service with the following YAML:

apiVersion: v1
kind: Service
metadata:
  name: httpbin-diffy
  labels:
    app: httpbin-diffy
spec:
  ports:
  - name: http-proxy
    port: 8880
  - name: http-admin
    port: 8881
  - name: http-console
    port: 8888
  selector:
    app: httpbin-diffy
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: httpbin-diffy
    version: v2
  name: httpbin-diffy-v2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin-diffy
      version: v2
  template:
    metadata:
      labels:
        app: httpbin-diffy
        version: v2
    spec:
      containers:
      - image: lordofthejars/diffy:1.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          exec:
            command:
            - curl
            - localhost:8888
          initialDelaySeconds: 10
          periodSeconds: 60
          timeoutSeconds: 1
        name: httpbin-diffy
        args: ["-candidate=httpbin-candidate:8080", "-master.primary=httpbin-master:8080", "-master.secondary=httpbin-master:8080", "-service.protocol=http", "-serviceName=httpbin", "-proxy.port=:8880", "-admin.port=:8881", "-http.port=:8888", "-rootUrl='localhost:8888'"]
        ports:
        - containerPort: 8888
          name: http-console
          protocol: TCP
        - containerPort: 8880
          name: http-proxy
          protocol: TCP
        - containerPort: 8881
          name: http-admin
          protocol: TCP
        readinessProbe:
          exec:
            command:
            - curl
            - localhost:8888
          initialDelaySeconds: 10
          periodSeconds: 60
          timeoutSeconds: 1
        securityContext:
          privileged: false

Create the primary, secondary (the same as primary in the current example), and candidate services used by the example with the following YAML:

apiVersion: v1
kind: Service
metadata:
  name: httpbin-master
  labels:
    app: httpbin-master
spec:
  ports:
  - name: http
    port: 8080
  selector:
    app: httpbin
    version: v1
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin-candidate
  labels:
    app: httpbin-candidate
spec:
  ports:
  - name: http
    port: 8080
  selector:
    app: httpbin
    version: v2
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin-v1
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:8080", "httpbin:app"]
        ports:
        - containerPort: 8080
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: httpbin-v2
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: httpbin
        version: v2
    spec:
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        command: ["gunicorn", "--access-logfile", "-", "-b", "0.0.0.0:8080", "httpbin:app"]
        ports:
        - containerPort: 8080

Send traffic for mirroring verification

Start the sleep service so that you can use curl to provide the load:

Cat
