Layer 7 proxies like NGINX and HAProxy have been popular since the mid-2000s. The term “proxy” refers to their role as an intermediary for the traffic between an application client and an application server. The “layer 7” classification comes from the fact that these proxies take routing decisions based on URLs, IPs, TCP/UDP ports, cookies, or any information present in messages sent over a layer 7 (aka application layer) networking protocol like HTTP and gRPC. Modern applications use these proxies for a variety of needs including load balancing, security, and web acceleration.

从2000年代中期开始，像NGINX和HAProxy这样的第7层代理就很流行。 术语“代理”是指它们作为应用程序客户端和应用程序服务器之间的流量的中介。 “第7层”分类来自以下事实：这些代理根据URL，IP，TCP / UDP端口，Cookie或通过第7层(又称为应用程序层)网络协议(例如HTTP和HTTP )发送的消息中存在的任何信息做出路由决策。 gRPC。 现代应用程序将这些代理用于各种需求，包括负载平衡，安全性和Web加速。

什么是特使代理？ (What is Envoy Proxy?)

Envoy is a layer 7 proxy and communication bus designed for large modern service oriented architectures. Its home page has the following definition:

Envoy是第7层代理和通信总线，设计用于大型现代面向服务的体系结构。 其主页具有以下定义：

Originally built at Lyft, Envoy is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures. Built on the learnings of solutions such as NGINX, HAProxy, hardware load balancers, and cloud load balancers, Envoy runs alongside every application and abstracts the network by providing common features in a platform-agnostic manner. When all service traffic in an infrastructure flows via an Envoy mesh, it becomes easy to visualize problem areas via consistent observability, tune overall performance, and add substrate features in a single place.

Envoy最初是在Lyft上构建的，是为单个服务和应用程序而设计的高性能C ++分布式代理，以及为大型微服务“服务网格”体系结构而设计的通信总线和“通用数据平面”。 基于对NGINX，HAProxy，硬件负载平衡器和云负载平衡器等解决方案的学习，Envoy与每个应用程序一起运行，并通过与平台无关的方式提供通用功能来抽象化网络。 当基础设施中的所有服务流量都通过Envoy网格流动时，通过一致的可观察性，调整总体性能以及在单个位置添加基板功能，即可轻松可视化问题区域。

As the recently published Dropbox’s migration from NGINX to Envoy highlights, Envoy is rapidly becoming the default proxy for cloud native applications that need higher performance, observability, extensibility, security, building and testing, and last but not least, deep features (such as HTTP/2, gRPC, and egress proxying). It was the third CNCF project to reach the graduated status, following Kubernetes and Prometheus, and has gained widespread adoption in a relatively short period of time.

正如最近发布的Dropbox从NGINX到Envoy的迁移突出显示的那样，Envoy正在Swift成为云原生应用程序的默认代理，这些云原生应用程序需要更高的性能，可观察性，可扩展性，安全性，构建和测试，以及最后但并非最不重要的深度功能(例如HTTP) / 2，gRPC和出口代理)。 这是继Kubernetes和Prometheus之后的第三个获得毕业资格的 CNCF项目，并在较短的时间内得到了广泛的采用。

为什么使用Envoy的PostgreSQL过滤器？ (Why use Envoy’s PostgreSQL filter?)

Envoy supports configuration of multiple traffic listeners where each listener is composed of one or more filter chains. An individual filter chain is selected to process the incoming data based on the filter’s match criteria (which includes connection parameters such as destination port/IP, transport protocol name, source port/IP, and more). When a new connection is received on a listener, the matching filter chain is selected and instantiated. The filters then begin processing subsequent events. This generic listener architecture is used to perform the vast majority of different proxy tasks that Envoy is used for including rate limiting, TLS client authentication, HTTP connection management, raw TCP proxy, and more. One such task relevant to database deployments is the ability to instrument the wire protocol of popular databases such as MySQL, MongoDB, Kafka, and Amazon DynamoDB. PostgreSQL was missing from this list but the latest v1.15 release from July 2020 solved that problem by adding a PostgreSQL proxy filter. This filter is based on PostgreSQL frontend/backend protocol version 3.0, which was introduced in PostgreSQL 7.4.

Envoy支持配置多个流量侦听器，其中每个侦听器由一个或多个过滤器链组成。 根据过滤器的匹配条件 (包括连接参数，例如目标端口/ IP，传输协议名称，源端口/ IP等)，选择单个过滤器链来处理传入数据。 当在侦听器上收到新连接时，将选择并实例化匹配的过滤器链。 然后，筛选器开始处理后续事件。 这种通用的侦听器体系结构用于执行Envoy所使用的绝大多数不同的代理任务，包括速率限制，TLS客户端身份验证，HTTP连接管理，原始TCP代理等等。 与数据库部署相关的一项这样的任务是能够检测MySQL，MongoDB，Kafka和Amazon DynamoDB等流行数据库的有线协议。 该列表中缺少PostgreSQL，但是2020年7月发布的最新v1.15通过添加PostgreSQL代理过滤器解决了该问题。 此过滤器基于PostgreSQL前端/后端协议版本3.0 ，该版本在PostgreSQL 7.4中引入。

The main goal of the PostgreSQL filter is to capture runtime statistics while remaining completely transparent to the database server. There is no additional monitoring software to deploy or manage in order to collect these vital statistics! As listed in the official docs, the filter currently offers the following features:

PostgreSQL过滤器的主要目标是捕获运行时统计信息，同时对数据库服务器保持完全透明。 无需部署或管理其他监视软件即可收集这些重要统计信息！ 如官方文档中所列，该过滤器当前提供以下功能：

• Decode non SSL traffic, ignore SSL traffic
  解码非SSL流量，忽略SSL流量
• Decode session information
  解码会话信息
• Capture transaction information, including commits and rollbacks
  捕获事务信息，包括提交和回滚
• Expose counters for different types of statements (INSERTs, SELECTs, DELETEs, UPDATEs, etc.)
  公开不同类型的语句的计数器(INSERT，SELECT，DELETE，UPDATE等)
• Count frontend, backend, and unknown messages
  计算前端，后端和未知消息
• Identify errors and backend responses
  识别错误和后端响应

YugabyteDB is fully compatible with the PostgreSQL wire protocol and SQL syntax given that its SQL query layer is based on a fork of PostgreSQL 11.2’s query layer. As a result, YugabyteDB is able to leverage the PostgreSQL filter from Envoy without any modifications whatsoever. The rest of this post outlines the instructions to run the most basic YugabyteDB with Envoy setup (including the PostgreSQL & TCP filters) using Docker Compose. Official Envoy sandboxes use the same approach to test out different features and highlight sample configurations.

YugabyteDB完全兼容PostgreSQL有线协议和SQL语法，因为它SQL查询层基于PostgreSQL 11.2的查询层的分支。 结果，YugabyteDB能够利用Envoy的PostgreSQL过滤器而无需进行任何修改。 本文的其余部分概述了使用Docker Compose通过Envoy设置运行最基本的YugabyteDB(包括PostgreSQL和TCP过滤器)的说明。 官方Envoy沙箱使用相同的方法来测试不同的功能并突出显示示例配置。

YugabyteDB与Envoy一起行动 (YugabyteDB with Envoy in action)

安装Docker (Install Docker)

Ensure that you have docker and docker-compose installed on your local machine. Docker Desktop can be the simplest way to achieve this goal.

确保在本地计算机上安装了docker和docker-compose 。 Docker Desktop是实现此目标的最简单方法。

使用docker-compose创建“带有Envoy的YugabyteDB”堆栈 (Create the “YugabyteDB with Envoy” stack using docker-compose)

Create a working directory

创建一个工作目录

mkdir yugabyte-envoy

Create the envoy.yaml

创建envoy.yaml

Copy the following contents into a file named envoy.yaml.

将以下内容复制到名为envoy.yaml的文件中。

static_resources:
  listeners:
  - name: yb_listener
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 1999
    filter_chains:
    - filters:
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: ysql
      - name: envoy.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp_ysql
          cluster: yb_clusterclusters:
  - name: yb_cluster
    connect_timeout: 1s
    type: strict_dns
    load_assignment:
      cluster_name: yb_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: ysql
                port_value: 5433admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001

As we can see above, we have configured an Envoy listener on port 1999 that has a filter chain with two filters, namely PostgreSQL and TCP.

如上所示，我们在端口1999上配置了一个Envoy侦听器，该侦听器具有一个包含两个过滤器的过滤器链，即PostgreSQL和TCP。

Create the envoy dockerfile

创建特使dockerfile

Copy the following contents into a file named Dockerfile-proxy. When built and instantiated, we will have an envoyproxy container that will use the envoy.yaml configuration we created in the previous step.

将以下内容复制到名为Dockerfile-proxy的文件中。 构建并实例化后，我们将拥有一个envoyproxy容器，该容器将使用在上一步中创建的envoy.yaml配置。

FROM envoyproxy/envoy-dev:latest COPY ./envoy.yaml /etc/envoy.yaml 
RUN chmod go+r /etc/envoy.yaml CMD /usr/local/bin/envoy -c /etc/envoy.yaml -l debug

Create the yugabytedb dockerfile

创建yugabytedb dockerfile

Copy the following contents into a file named Dockerfile-yugabyte. When built and instantiated, we will have a single YugabyteDB container with the PostgreSQL-compatible YSQL API available on port 5433.

将以下内容复制到名为Dockerfile-yugabyte的文件中。 构建并实例化后，我们将在端口5433上使用单个YugabyteDB容器和兼容PostgreSQLYSQL API。

FROM yugabytedb/yugabyte:latest CMD ["/home/yugabyte/bin/yugabyted","start","--daemon=false"]

Create the docker-compose.yaml

创建docker-compose.yaml

Copy the following contents into a file named docker-compose.yaml.

将以下内容复制到名为docker-compose.yaml的文件中。

version: "3.7"
services:proxy:
    build:
      context: .
      dockerfile: Dockerfile-proxy
    networks:
      envoymesh:
        aliases:
          - envoy
    expose:
      - "1999"
      - "8001"
    ports:
      - "1999:1999"
      - "8001:8001"yugabyte:
    build:
      context: .
      dockerfile: Dockerfile-yugabyte
    networks:
      envoymesh:
        aliases:
          - ysql
    expose:
      - "5433"
    ports:
      - "5433:5433"networks:
  envoymesh:
    name: envoymesh

启动docker-compose堆栈 (Start the docker-compose stack)

docker-compose pull 
docker-compose up --build -d 
docker-compose ps

Output from the ps command is shown below.

ps命令的输出如下所示。

Name                      Command                     State    Ports                                              
---------------------------------------------------------------------------------
yugabyte_proxy_1      /docker-entrypoint.sh /bin ...   Up      ... 0.0.0.0:1999->1999/tcp, 0.0.0.0:8001->8001/tcp                                                                    
yugabyte_yugabyte_1   /home/yugabyte/bin/yugabyt ...   Up      ... 0.0.0.0:5433->5433/tcp, ...

As we can see, two containers have been spun up on a common envoymesh network.

如我们所见，两个容器已在一个通用的envoymesh网络上旋转。

1. yugabyte_yugabyte_1 is the YugabyteDB container that is ready to interact with PostgreSQL clients on port 5433.

1. yugabyte_yugabyte_1是YugabyteDB容器，可以在端口5433上与PostgreSQL客户端进行交互。

2. yugabyte_proxy_1 is the Envoy proxy container that is running the PostgreSQL proxy on the 1999 port. Requests to this port get automatically redirected to the port 5433 on the YugabyteDB container.

2. yugabyte_proxy_1是在1999端口上运行PostgreSQL代理的Envoy代理容器。 对此端口的请求将自动重定向到YugabyteDB容器上的端口5433。

通过使节监听器使用ysqlsh连接 (Connect using ysqlsh via the envoy listener)

We are now ready to connect to the YugabyteDB cluster using ysqlsh. However, instead of directly connecting to the 5433 port of the YugabyteDB container, we will connect to the Envoy proxy at the 1999 port.

现在，我们准备使用ysqlsh连接到YugabyteDB集群。 但是，我们将直接连接到1999端口的Envoy代理，而不是直接连接到YugabyteDB容器的5433端口。

docker run --rm -it --network envoymesh yugabytedb/yugabyte /home/yugabyte/bin/ysqlsh "sslmode=disable" -h envoy -p 1999

As highlighted in the Envoy docs, the current PostgreSQL filter decodes only non-SSL (aka unencrypted) traffic and ignores any SSL/encrypted traffic. The sslmode=disable option shown above is mandatory for Envoy to treat the PostgreSQL traffic as unencrypted even though the cluster has been set up without any encryption. Since this behavior is reproducible with both PostgreSQL 12 and 11.2 (Yugabyte SQL is based on a fork of this version), this is most likely a bug in the filter implementation.

如Envoy文档中突出显示的那样，当前的PostgreSQL过滤器仅解码非SSL(也称为未加密)流量，并忽略任何SSL /加密流量。 上面显示的sslmode=disable选项对于Envoy将PostgreSQL流量视为未加密是必不可少的，即使群集已设置为未加密也是如此。 由于此行为在PostgreSQL 12和11.2上均可以重现(Yugabyte SQL基于此版本的fork)，因此这很可能是过滤器实现中的错误。

运行基本的YSQL命令 (Run basic YSQL commands)

Let’s create a table.

让我们创建一个表。

CREATE TABLE links (
  id SERIAL PRIMARY KEY,
  url VARCHAR(255) NOT NULL,
  name VARCHAR(255) NOT NULL,
  description VARCHAR (255),
  last_update DATE
);

Now let us insert four rows into the table we created.

现在，让我们在创建的表中插入四行。

INSERT INTO links (url, name) VALUES('https://www.postgresqltutorial.com','PostgreSQL Tutorial'); INSERT INTO links (url, name) VALUES('https://www.oreilly.com','O''Reilly Media'); INSERT INTO links (url, name) VALUES('https://docs.yugabyte.com','YugabyteDB Docs'); INSERT INTO links (url, name) VALUES('https://blog.yugabyte.com','YugabyteDB Blog') RETURNING id;

We can now run a SELECT statement to get all the rows we inserted.

现在，我们可以运行SELECT语句来获取插入的所有行。

SELECT * FROM links;

We can also run a SELECT statement to get the count of rows we inserted.

我们还可以运行SELECT语句来获取插入的行数。

SELECT count(*) FROM links;

查看Envoy筛选器收集的YSQL统计信息 (Review YSQL statistics collected by Envoy’s filters)

Each of the two filters configured provide us with statistics relevant to the data they observe. All these statistics are available on the Envoy stats page http://localhost:8001/stats.

配置的两个过滤器中的每一个都向我们提供了与它们观察到的数据相关的统计信息。 所有这些统计信息都可以在Envoy stats页面http://localhost:8001/stats 。

Using the PostgreSQL filter

使用PostgreSQL过滤器

Since we gave the stats prefix as ysql, we see all the statistics with the overall prefix as postgres.ysql. The ones that we can easily verify based on the queries we executed in the ysqlsh session we created are highlighted in bold.

因为我们给stats前缀是ysql ，所以我们看到所有带有整体前缀的统计信息都是postgres.ysql 。 我们可以根据在创建的ysqlsh会话中执行的查询轻松验证的内容以粗体突出显示 。

postgres.ysql.errors: 0
postgres.ysql.errors_error: 0
postgres.ysql.errors_fatal: 0
postgres.ysql.errors_panic: 0
postgres.ysql.errors_unknown: 0
postgres.ysql.messages: 45
postgres.ysql.messages_backend: 37
postgres.ysql.messages_frontend: 8
postgres.ysql.messages_unknown: 0
postgres.ysql.notices: 0
postgres.ysql.notices_debug: 0
postgres.ysql.notices_info: 0
postgres.ysql.notices_log: 0
postgres.ysql.notices_notice: 0
postgres.ysql.notices_unknown: 0
postgres.ysql.notices_warning: 0postgres.ysql.sessions: 1
postgres.ysql.sessions_encrypted: 0postgres.ysql.sessions_unencrypted: 1postgres.ysql.statements: 7
postgres.ysql.statements_delete: 0
postgres.ysql.statements_insert: 4
postgres.ysql.statements_other: 1
postgres.ysql.statements_parse_error: 2
postgres.ysql.statements_parsed: 5postgres.ysql.statements_select: 2
postgres.ysql.statements_update: 0postgres.ysql.transactions: 7
postgres.ysql.transactions_commit: 7
postgres.ysql.transactions_rollback: 0

Using the TCP filter

使用TCP过滤器

The TCP statistics relevant to YSQL are available with the tcp.tcp_ysql prefix. As we can see, the statistics are at the network level including bytes transmitted and bytes received.

与YSQL相关的TCP统计信息带有tcp.tcp_ysql前缀。 如我们所见，统计信息是在网络级别上进行的，包括已发送字节和已接收字节。

tcp.tcp_ysql.downstream_cx_no_route: 0 tcp.tcp_ysql.downstream_cx_rx_bytes_buffered: 33 tcp.tcp_ysql.downstream_cx_rx_bytes_total: 693 tcp.tcp_ysql.downstream_cx_total: 1 tcp.tcp_ysql.downstream_cx_tx_bytes_buffered: 0 tcp.tcp_ysql.downstream_cx_tx_bytes_total: 991 tcp.tcp_ysql.downstream_flow_control_paused_reading_total: 0 tcp.tcp_ysql.downstream_flow_control_resumed_reading_total: 0 tcp.tcp_ysql.idle_timeout: 0 tcp.tcp_ysql.upstream_flush_active: 0 tcp.tcp_ysql.upstream_flush_total: 0

取出堆栈中的所有容器 (Remove all the containers in the stack)

We can remove the containers we have previously spun up using the command below.

我们可以使用以下命令删除之前旋转过的容器。

docker rm -f $(docker ps -aq)

摘要 (Summary)

The recently released PostgreSQL filter from Envoy Proxy makes it extremely easy for developers and operations engineers to collect SQL statistics from YSQL, YugabyteDB’s PostgreSQL-compatible fully-relational distributed SQL API. The filter runs inside the Envoy Proxy sidecar container and works by simply sniffing the network traffic in a manner that is completely transparent to the database server. As a result, developers and operations engineers can leverage the integration without deploying and managing any additional software.

Envoy Proxy最近发布的PostgreSQL过滤器使开发人员和运营工程师从YgabyteDB的PostgreSQL兼容的全关系分布式SQL API YSQL收集SQL统计信息变得非常容易。 该筛选器在Envoy代理sidecar容器内运行，并且通过以对数据库服务器完全透明的方式简单地嗅探网络流量来工作。 因此，开发人员和运营工程师可以利用集成而无需部署和管理任何其他软件。

We welcome all users to give the integration a try today and provide us feedback via GitHub and Slack.

我们欢迎所有用户立即尝试进行集成，并通过GitHub和Slack向我们提供反馈。

Originally published at https://blog.yugabyte.com on August 26, 2020.

最初于 2020年8月26日 发布在 https://blog.yugabyte.com 。