
PostgreSQL Network Filter for EnvoyProxy

OnGres
February 07, 2021


How do you monitor Postgres? What information can you get out of it, and to what degree does this information help to troubleshoot operational issues? What if you want or need to log all the queries? That may bring heavily trafficked databases down.

At OnGres we’re obsessed with improving PostgreSQL’s observability. So we worked together with Tetrate folks on an Envoy Network Filter extension for PostgreSQL, to provide and extend observability of the traffic in and out of a cluster infrastructure. This extension is public and open source. You can use it anywhere you use Envoy. It allows you to capture automated metrics and to debug network traffic. This talk will be a technical deep-dive into PostgreSQL’s protocol decoding and Envoy proxy filters, and will cover all the capabilities of the tool and its usage and deployment in any environment.

Envoy [1] is a high performance C++ distributed proxy designed for single services and applications, as well as a communication bus and “universal data plane” designed for large microservice “service mesh” architectures. Built on the learnings of solutions such as NGINX, HAProxy, hardware load balancers, and cloud load balancers, Envoy runs alongside every application and abstracts the network by providing common features in a platform-agnostic manner. When all service traffic in an infrastructure flows via an Envoy mesh, it becomes easy to visualize problem areas via consistent observability, tune overall performance, and add substrate features in a single place.

Envoy can be used to proxy connections to PostgreSQL instances. In this talk we’ll see how we improve PostgreSQL observability without impacting the performance of the database and without needing to install and/or configure a bunch of things like logs, pg_stat_statements, etc., using a Network Filter [2] for PostgreSQL that we developed. It decodes the frontend and backend protocol to transparently obtain metrics and metadata about the database’s operation.

Roadmap:
* [WIP] SSL termination and monitoring [3] [4]
* Integrate Postgres parser to improve dynamic metadata and per-query tracking
* Individual (per-query) tracking of query performance
* Traffic mirroring for Postgres major upgrade testing and validations

[1] https://www.envoyproxy.io/
[2] https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_protocols/postgres#arch-overview-postgres
[3] https://github.com/envoyproxy/envoy/issues/10942
[4] https://github.com/envoyproxy/envoy/issues/9577

Talk video: https://mirror.as35701.net/video.fosdem.org/2021/D.monitoring/postgresql_filter_envoy.webm


Transcript

  1. POSTGRES NETWORK FILTER FOR ENVOY PROXY
    POSTGRESQL NETWORK FILTER
    FOR ENVOY PROXY
    FABRÍZIO DE ROYES MELLO
    ÁLVARO HERNÁNDEZ

  2. `whoami`: Fabrízio de Royes Mello
    ● 25+ years in IT
    ● PostgreSQL Developer at OnGres
    ● PostgreSQL Contributor
    ● Brazilian Community Leader
    @fabriziomello

  3. `whoami`: Álvaro Hernández
    ● Founder & CEO, OnGres
    ● 20+ years Postgres user and DBA
    ● Mostly doing R&D to create new, innovative software on Postgres
    ● Frequent speaker at Postgres and database conferences
    ● Founder and President of the NPO Fundación PostgreSQL
    ● AWS Data Hero
    aht.es

  4. ENHANCING POSTGRES OBSERVABILITY

  5. Postgres monitoring
    ● No in-core integrated solution.
    ● Postgres provides catalog views with rich monitoring information.
    ● But that means running queries to gather monitoring data.
    ● E.g. Prometheus exporter: dozens/hundreds/... of queries per monitoring cycle.
    ● Postgres monitoring extensions:
      ○ may require restart -> downtime.
      ○ may require configuration / external binaries -> complexity.
    Can we do better?

  6. Postgres wire protocol (FeBe)
    ● Custom application-layer (layer 7) protocol over TCP. Well documented.
    ● Well structured and defined messages (no “generic message” for many things).
    ● Very stable (current v3 was introduced in 2003 with PG 7.4).
    ● Implemented by countless tools and drivers.
    ● Used also for non-Postgres databases (Yugabyte, CockroachDB, Crate.io, NoisePage, ...).

  7. FeBe protocol architecture (diagram)

  8. Idea: proxy and decode the protocol to get metrics!

  9. Advantages of metrics via proxying/decoding
    ● s/pull/push/
    ● Zero impact on the database. 100% transparent.
      ○ No performance impact.
      ○ No configuration required. No agents/tools to install.
    ● Can be deployed as a sidecar (e.g. via injection in K8s).
    ● May significantly increase the volume of metrics obtained.
    ● Opens the door for other added functionality.

  10. ENVOY PROXY POSTGRES FILTER

  11. Envoy extensibility: simple connection model
    (diagram; labels: Application (client), tcp_proxy)

  12. Envoy extensibility: filter chain
    (diagram; labels: Application (client), tcp_proxy, PostgreSQL)

  13. PostgreSQL Filter Architecture: metadata
    (diagram; labels: Application (client), tcp_proxy, PostgreSQL, RBAC, Metadata)

  14. How it all started
    https://github.com/envoyproxy/envoy/issues/9107

  15. An effort developed by a great Community
    ● Contributions from Tetrate, Envoy Maintainers, OnGres and others.
    ● Merged and released with Envoy 1.15.
    ● Led to 10 issues and new functionality being implemented in several other areas.
    ● New features to come in new releases!
    Help wanted!

  16. Postgres filter timeline
    ● November 2019: Issue #9107 created
    ● January 2020: First filter POC
    ● July 2020: Release 1.15.0, first version of postgres filter
    ● October 2020: Release 1.16.0, postgres filter metadata
    ● January 2021: Release 1.17.0, start_tls transport socket
    ● March 2021: Future Release 1.18.0, postgres SSL termination

  17. Metrics currently being exported
    Counters (metric / second):
    ● errors (error, fatal, panic, …)
    ● messages (frontend, backend)
    ● sessions (encrypted, unencrypted)
    ● statements (insert, update, delete, …)
    ● transactions (commit, rollback)
    ● notices (notice, log, warning, …)
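
The counter families on this slide can all be derived by watching the FeBe byte stream alone, which is the whole point of slides 8 and 9. The following Python decoder is an added example written for this page, not the Envoy filter's own C++ code: it parses the untyped startup messages (SSLRequest and StartupMessage), then the typed messages in both directions, and derives sessions, messages, statements, transactions, errors and notices from them. The exact counting rules (for instance taking the statement tag from the backend's CommandComplete rather than from the client's query text, so that only statements that actually completed are counted) are this example's own design, and the sample session at the bottom is constructed, not captured traffic.

```python
"""Toy FeBe (PostgreSQL frontend/backend protocol v3) decoder deriving the counter families
the Envoy Postgres filter exports. Added example, not Envoy code; counting rules are its own."""
import struct
from collections import Counter

SSL_REQUEST_CODE = 80877103   # (1234 << 16) | 5679, per the protocol documentation
PROTOCOL_V3 = 196608          # 3 << 16: StartupMessage for protocol version 3.0
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)
# Constructed StartupMessage: length 18 = 4 (length) + 4 (version) + "user\0app\0\0"
STARTUP = struct.pack("!II", 18, PROTOCOL_V3) + b"user\0app\0\0"


class FeBeMetrics:
    def __init__(self):
        self.counters = Counter()
        self.startup_done = False  # frontend messages have no type byte until startup completes
        self.ssl_pending = False   # an SSLRequest awaits the backend's one-byte answer
        self.encrypted = False     # after 'S' the proxy only sees TLS records

    def feed_frontend(self, data: bytes) -> None:   # client -> server bytes
        pos = 0
        while not self.encrypted and pos < len(data):
            if not self.startup_done:      # untyped message: int32 length, int32 code, ...
                length, code = struct.unpack_from("!II", data, pos)
                if code == SSL_REQUEST_CODE:
                    self.ssl_pending = True
                elif code == PROTOCOL_V3:
                    self.counters["sessions_unencrypted"] += 1
                    self.startup_done = True
                pos += length
                continue
            pos = self._next_typed(data, pos)[2]
            self.counters["messages_frontend"] += 1

    def feed_backend(self, data: bytes) -> None:    # server -> client bytes
        pos = 0
        if self.ssl_pending:               # one byte: 'S' = start TLS, 'N' = stay in cleartext
            self.ssl_pending = False
            if data[:1] == b"S":
                self.counters["sessions_encrypted"] += 1
                self.encrypted = True
            pos = 1
        while not self.encrypted and pos < len(data):
            kind, payload, pos = self._next_typed(data, pos)
            self.counters["messages_backend"] += 1
            if kind == "C":                # CommandComplete: tag names the finished statement
                self._command_complete(payload)
            elif kind == "E":              # ErrorResponse
                self._severity("errors", payload, ("error", "fatal", "panic"))
            elif kind == "N":              # NoticeResponse
                self._severity("notices", payload, ("warning", "notice", "log"))

    @staticmethod
    def _next_typed(data, pos):
        # Typed message: type byte, then int32 length that counts itself but not the type byte
        length, = struct.unpack_from("!I", data, pos + 1)
        end = pos + 1 + length
        return chr(data[pos]), data[pos + 5:end], end

    def _command_complete(self, payload):
        tag = payload.rstrip(b"\0").split(b" ")[0].decode().lower()
        if tag == "begin":
            self.counters["transactions"] += 1
        elif tag in ("commit", "rollback"):
            self.counters["transactions_" + tag] += 1
        else:
            known = tag in ("insert", "update", "delete", "select")
            self.counters["statements_" + (tag if known else "other")] += 1

    def _severity(self, family, payload, known):
        # Payload: repeated (field-type byte + NUL-terminated string), closed by one NUL
        fields = {chr(f[0]): f[1:].decode("utf-8", "replace") for f in payload.split(b"\0") if f}
        sev = fields.get("V", fields.get("S", "")).lower()  # 'V' is the non-localized severity
        self.counters[f"{family}_{sev if sev in known else 'other'}"] += 1


def typed(kind: str, payload: bytes) -> bytes:
    return kind.encode() + struct.pack("!I", len(payload) + 4) + payload


def sample_session() -> Counter:
    """Constructed exchange: TLS refused, BEGIN, INSERT, failing SELECT, ROLLBACK, stray ROLLBACK."""
    m = FeBeMetrics()
    m.feed_frontend(SSL_REQUEST)
    m.feed_backend(b"N")
    m.feed_frontend(STARTUP)
    m.feed_backend(typed("R", struct.pack("!I", 0)) + typed("Z", b"I"))
    err = b"SERROR\0VERROR\0C42P01\0Mrelation \"nope\" does not exist\0\0"
    warn = b"SWARNING\0VWARNING\0C25P01\0Mthere is no transaction in progress\0\0"
    exchange = [
        (b"BEGIN\0", typed("C", b"BEGIN\0") + typed("Z", b"T")),
        (b"INSERT INTO t VALUES (1)\0", typed("C", b"INSERT 0 1\0") + typed("Z", b"T")),
        (b"SELECT * FROM nope\0", typed("E", err) + typed("Z", b"E")),
        (b"ROLLBACK\0", typed("C", b"ROLLBACK\0") + typed("Z", b"I")),
        (b"ROLLBACK\0", typed("N", warn) + typed("C", b"ROLLBACK\0") + typed("Z", b"I")),
    ]
    for query, reply in exchange:
        m.feed_frontend(typed("Q", query))
        m.feed_backend(reply)
    return m.counters
```

Two behaviours matter for a proxy-side decoder and are visible here: the decoder stays in lock-step with the protocol state (untyped messages before startup, one-byte SSL answer, typed messages afterwards), and the moment the backend answers an SSLRequest with `S` it records `sessions_encrypted` and stops interpreting bytes, because from then on it would only see TLS records. That is exactly why the SSL offloading in the later slides matters: only a proxy that terminates TLS itself can keep decoding.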

  18. DEMO

  19. Expected result
    https://github.com/ongres/envoy-postgres-stats-example

  20. COMING TO ENVOY 1.18*: POSTGRES SSL OFFLOADING AND MONITORING

  21. Postgres SSL
    ● Doesn’t operate at the TCP level (layer 4), but rather at the application level (layer 7).
    ● Initial connection is unencrypted, then a request to “upgrade the connection to SSL” is performed. Similar to STARTTLS in SMTPS.
    ● Database connection costs are high. SSL database connection costs are very high.
    ● Use a connection pooler! Like PgBouncer! PgBouncer -> single threaded -> swamped under heavy SSL connection load.
    ● Turning SSL on/off or rotating certificates requires a database restart -> downtime.

  22. Offload Postgres SSL to Envoy!
    ● Avoids both Postgres and PgBouncer SSL performance problems.
    ● Allows monitoring of encrypted traffic!
    ● Turn on/off, rotate certificates without database impact.
    ● Programmatic management: use Envoy xDS APIs to manage certificates.
    StartTls infrastructure already released on 1.17. Postgres specific filter implementation coming on 1.18*.
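
The following Envoy listener configuration is an added example for this page, not a file from the deck, from StackGres or from the Envoy documentation; it ties together the filter-chain layout of slides 12 and 13 (postgres filter in front of tcp_proxy) with the SSL offloading this slide describes. The `terminate_ssl` field is the 1.18 feature the slide refers to, and it only works when the listener's transport socket is the `starttls` socket released in 1.17, since that is what lets the filter answer the client's SSLRequest and then switch the same connection to TLS. Listener and upstream ports, the cluster name and the certificate paths are assumptions.

```yaml
# Added example configuration (not from the deck): Envoy terminates Postgres SSL
# in front of a cleartext Postgres and exports the FeBe-derived counters.
# Ports, certificate paths and the cluster name are assumptions.
static_resources:
  listeners:
  - name: postgres_listener
    address:
      socket_address: { address: 0.0.0.0, port_value: 5432 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.postgres_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.postgres_proxy.v3alpha.PostgresProxy
          stat_prefix: postgres          # counters are rooted at postgres.postgres.<name>
          enable_sql_parsing: true       # parse statements into dynamic metadata (slide 13)
          terminate_ssl: true            # answer the client's SSLRequest here (Envoy 1.18 feature)
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: tcp
          cluster: postgres_upstream
      transport_socket:
        name: starttls                   # cleartext until the postgres filter switches it to TLS
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig
          tls_socket_config:
            common_tls_context:
              tls_certificates:
              - certificate_chain: { filename: /etc/envoy/tls/server.crt }   # assumed path
                private_key: { filename: /etc/envoy/tls/server.key }         # assumed path
  clusters:
  - name: postgres_upstream
    type: STATIC
    load_assignment:
      cluster_name: postgres_upstream
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: 127.0.0.1, port_value: 5433 }   # Postgres on loopback
admin:
  address:
    socket_address: { address: 127.0.0.1, port_value: 9901 }
```

With this in place the counters from slide 17 are readable from the admin endpoint (`curl -s 'http://127.0.0.1:9901/stats?filter=postgres'`), for encrypted sessions as well, because the filter now sees plaintext after the TLS handshake it performed itself. The hop from Envoy to Postgres is cleartext, which is why the upstream here is on loopback: keep it inside the host or pod, and remember that Postgres now sees every session as non-SSL, so `hostssl` rules in `pg_hba.conf` will no longer match and the access rules for that loopback source need to be written accordingly.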

  23. Architecture (diagram)

  24. SSL DEMO

  25. USE CASES: THE FUTURE OF ENVOY’S POSTGRES PLUGIN

  26. Envoy’s filter use-case: StackGres.io
    StackGres Architecture (diagram)

  27. Future plans
    ● Better SQL parsing
    ● Producing per-database statistics
    ● Routing based on query type
    ● Traffic drain
    ● OpenTelemetry integration
    Community:
    ● Envoy Slack: envoyproxy.slack.com
    ● PostgreSQL specific channel: #envoy-postgres
    ● PostgreSQL related issues: https://github.com/envoyproxy/envoy/labels/area%2Fpostgres

  28. References
    Original GitHub issue:
    https://github.com/envoyproxy/envoy/issues/9107
    First post about the Envoy Postgres Filter:
    https://www.cncf.io/blog/2020/08/13/envoy-1-15-introduces-a-new-postgres-extension-with-monitoring-support/
    Envoy documentation:
    https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/other_protocols/postgres
    https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/postgres_proxy_filter

  29. Questions?