hngopher.com

       [HN Gopher] Container-to-Container Communication
       ___________________________________________________________________
        
       Container-to-Container Communication
        
       Author : miketheman
       Score  : 28 points
       Date   : 2021-12-28 19:10 UTC (3 hours ago)
        
 (HTM) web link (www.miketheman.net)
 (TXT) w3m dump (www.miketheman.net)
        
       | Jhsto wrote:
       | Bit besides the point, but how many of you do still run nginx
       | inside container infrastructures? I've been having container
       | hosts behind a firewall without explicit WAN access for a long
       | time -- to expose public services, I offload the nginx tasks to
       | CloudFlare by running `cloudflared` tunnel. These "Argo" tunnels
       | are free to use, and essentially give you a managed nginx for
       | free. Nifty if you are using CloudFlare anyway.
        
         | akvadrako wrote:
         | Not nginx, but I run haproxy, which serves the reverse proxy
         | role.
         | 
         | I use it instead of Google's own ingress because it gives you
         | better control over load balancing and can react faster to
         | deployments.
        
       | Klasiaster wrote:
       | No talk about permissions, I think locking down access is also an
       | interesting aspect of Unix Domain Sockets compared to TCP
       | sockets.
        
         | Jhsto wrote:
         | As if the TCP is less secure? Not necessarily as the TCP
         | sockets here most likely live in a private network between the
         | two containers: you run `podman network create example` and
         | then `podman run --net=example whatever`. This creates an
         | internal network (e.g., 10.0.0.1/10) over which the pods
         | communicate. Only if you want to expose some port would you use
         | `-p` flag to expose it to host LAN, which you then redirect to
         | WAN.
        
       | snicker7 wrote:
       | Doesn't 700 requests per second for such a trivial service seem
       | kinda slow?
        
         | miketheman wrote:
         | It may, but this is considering the overhead incurred in the
         | local setup - calling the app through a Docker Desktop exposed
         | port. Running locally on macOS produces ~5000 TPS. The `ab`
         | parameters are also not using any sort of concurrency, and
         | perform requests sequentially. The test is not designed to
         | maximize TPS or saturate the resources, rather isolate
         | variables to perform the comparison.
        
         | lmeyerov wrote:
         | I didn't look too closely, but I'm wondering if this is
         | Python's GIL. So instead of nginx -> multiple ~independent
         | Python processes, each async handler is fighting for the lock,
         | even if running on a different core. So read as 700 queries /
         | core vs 700 queries / server. If so, in a slightly tweaked
         | Python server setup, that'd be 3K-12K/s per server. For
         | narrower benchmarking, keeping sequential, and doing container
         | 1 pinned to core 1 <-> container 2 pinned to core 2 might tell
         | an even clearer picture.
         | 
         | I did enjoy the work overall, incl Graviton comparison.
         | Likewise, OS X's painfully slow Docker impl has driven me to
         | Windows w/ WSL2 -> Ubuntu + nvidia-docker, which has been night
         | and day, so not as surprised that those numbers are weird.
        
         | fyrn- wrote:
         | Yeah, it's so slow that I'm wondering if they were actually
         | measuring TCP/unix socket overhead. I wouldn't expect to see a
         | difference at such a low frequency.
        
           | Tostino wrote:
           | Yeah, seems like there was some other bottleneck. Maybe
           | changing the IPC method makes the small difference we are
           | seeing, but we should be seeing orders of magnitude higher
           | TPS prior to caring about the IPC method.
        
       | astrea wrote:
       | The multiple layers of abstraction in this make this test sorta
       | moot. You have the AWS infra, the poor MacOS implementation of
       | Docker, the server architecture. Couldn't you have just had a
       | vanilla Ubuntu install and curl some dummy load n times and get
       | some statistics from that?
        
         | miketheman wrote:
         | Possibly - however the premise is that I'm running an
         | application on cloud infrastructure that I don't control -
         | which is common today. I tried to call that out in the post.
        
       | KaiserPro wrote:
       | Normally I'm all for people using tried and tested primitives for
       | things, however I think that in this case unix sockets are
       | probably not the right choice.
       | 
       | Firstly you are creating a hard dependency for having the two
       | services sharing a same box, with a shared file system (that's
       | difficult to coordinate and secure.) But also should you add a
       | new service that _also_ want to connect via unix socket, stuff
       | could get tricky to orchestrate.
       | 
       | But this also limits your ability to move stuff about, should you
       | need it.
       | 
       | Inside a container, I think its probably a perfectly legitimate
       | way to do IPC. Between containers, I suspect you are asking for
       | trouble.
        
         | akvadrako wrote:
         | Within a pod it seems pretty reasonable.
        
           | erulabs wrote:
           | Exactly, and this is where the concept of "Pod" really
           | shines. Sharing networking and filesystems between containers
           | is, from time to time, exactly the right strategy, as long as
           | it can be encapsulated.
        
       ___________________________________________________________________
       (page generated 2021-12-28 23:01 UTC)