Simplify and extend the function of service grid based on wasm and oras


Simplify and extend the function of service grid based on wasm and oras

Author Wang Xining, senior technical expert of Alibaba cloud
Source|Alibaba cloud native official account

This article will introduce how to use the oras client to push the wasm module with allowed media types to the ACR Registry (an OCI compatible Registry), and then deploy the wasm filter to the pod corresponding to the specified workload through the ASM controller. All steps in wasm filter deployment use declaration, that is, you can create a custom resource CRD to describe the deployment of wasm filter. Once the CRD is created, the ASM controller can load the wasm module into the corresponding envoy agent in the data plane layer, and create the corresponding istio envoyfilter custom resource in the control plane layer.

Introduction to envoy filter

First, review the implementation mechanism of envoyproxy. The core of envoy is an L3 / L4 network proxy and supports L7 proxy. By providing a pluggable filter chain mechanism, it allows developers to write filters to perform different tasks. For example, the commonly used HTTP connection manager converts raw bytes into HTTP level messages and events, and also handles the common functions of all HTTP connections and requests, including access log, tracing, etc.

Simplify and extend the function of service grid based on wasm and oras

As can be seen from the above figure, downstream is the client part that connects to envoy and sends requests and receives responses. The listener component is used to bind to the IP address / port and receive connections from downstream downstream. The ability to manage multiple users’ traffic can be enhanced by configuring multiple filters. It can be seen that after these filter chains are processed, the requests will be mapped to the corresponding cluster (the cluster here refers to a group of logically identical upstream hosts to which envoy is connected, which has nothing to do with the kubernetes cluster submitted below). The role of the cluster is to connect to a group of upstream node services and forward these requests using the associated load balancing policy.

According to different processing tasks, envoy filter is divided into three categories:

  • Listener filter: used to process metadata in L4 connection.
  • Network filter: used to process the original data in L4 connection.
  • HTTP filter: used to handle HTTP requests and responses in L7 connections.

In addition to these built-in filters, you can also develop custom filters. You can use native C + + compilation or build filters through wasm technology.

In addition, envoy provides a set of APIs, which is often called XDS API. Through these APIs, the control plane can dynamically configure the envoy agent.

Simplify and extend the function of service grid based on wasm and oras

As shown in the figure above, similar to inbound traffic, for outbound traffic, the listener requests to listen to network traffic at the configured address or port. Each listener will also define a set of filters in the data path and form a set of filter chains. Through such a set of filters, users can configure envoy to do specific tasks for outbound traffic, including data protocol processing, generating call statistics, executing RBAC permissions, etc.

Simplify and extend the function of service grid based on wasm and oras

In order to better understand these envy filters and filter chains, let’s take a look at a practical example. This is the first service productpage in istio’s official example bookinfo. Firstly, the invoke proxy in the productpage pod is configured with a listener listening to port 9080. Traffic requests entering port 9080 of this pod will be intercepted into this proxy, and then the requests will be processed through these filter chains. The details are as follows:

  • The first filter is envoy filters. network. metadata_ Exchange, as its name suggests, is mainly used to exchange metadata between filters.
  • The second filter: envy http_ connection_ Manager, which usually has the following HTTP specific filters, including:

    • envoy. filters. http. wasm/envoy. wasm. metadata_ Exchange (for metadata interaction)
    • Istio_ Authn filter (for authorization and authentication)
    • envoy. filters. http. CORS (filter for cross domain resource sharing)
    • envoy. filters. http. Fault (fault injection filter, which can be used to test the fault tolerance in the micro service architecture. Users can customize the error code to realize delay injection or terminate the request, and provide the ability of error handling in different failure scenarios, such as service failure, service overload, high service delay, etc. This is also a commonly used filter)
    • envoy. filters. http. wasm/envoy. wasm. stats、envoy. filters. http. Wasm / xxx wasmfilter (user-defined filter implemented by wasm)
    • envoy. filters. http. Router (realize HTTP forwarding, and this filter will be used in almost all HTTP scenarios)

Note: you can obtain configuration information by requesting this URL address: kubectl exec – it [productpage XXX] – C istio proxy curl localhost: 15000 / config_ dump

Add a new filter

Envoy community has provided several build in filters. For details, see:

In the service grid, these built-in filter capabilities can be enabled through the API.

If these built-in filters cannot meet the requirements, they can also be implemented through custom filters in the following two ways:

  • Static precompiling

    • Integrate other filters into envoy’s source code and compile a new version of envoy.
    • The disadvantage of this approach is that you need to maintain the envoy version and keep it synchronized with the official release.
    • Since envoy is implemented in C + +, the newly developed filter must also be implemented in C + +.
  • Dynamic runtime loading

    • The new filter is dynamically loaded into the envoy agent at run time.
    • In order to simplify the process of extending envoy, webassembly technology is introduced, which is an effective portable binary instruction format and provides an embedded and isolated execution environment.

Advantages and disadvantages of using wasm to extend envoy proxy

In practical application, it will be decided whether to use wasm to extend envoy filter according to the following advantages and disadvantages.


  • Agility: filters can be dynamically loaded into a running envoy process without stopping or recompiling.
  • Maintainability: envoy can expand its functions without changing its own basic code base.
  • Diversity: popular programming languages (such as C / C + + and rust) can be compiled into wasm, so developers can choose the programming language to implement the filter.
  • Reliability and isolation: the filter will be deployed in the VM sandbox, so it is isolated from the envoy process itself; Even when the wasm filter crashes due to a problem, it will not affect the envoy process.
  • Security: filters communicate with envoy agents through predefined APIs, so they can access and modify only a limited number of connection or request properties.


  • The performance is about 70% of the original statically compiled filter written in C + +.
  • Due to the need to start one or more wasm virtual machines, it will consume a certain amount of memory usage.
  • The WebAssembly ecosystem is still young。

Envoy wasm operation mechanism

As shown in the figure below, envy wasm operation mechanism includes the following steps:

Simplify and extend the function of service grid based on wasm and oras

  • Wasm binary code needs to be able to be loaded dynamically, whether through local file or XDS remote access.
  • Whether a wasm filter is allowed to be loaded requires consistency verification:
  • Once loaded, the wasm filter becomes a part of the filter chain. When a new request comes in, it first enters the native filter and then the proxy wasm extension controller.
  • The proxy wasm extension controller will call and execute the registered and verified wasm filters according to the configuration information defined in the filter chain.
  • Built in wasm runtime support: llvm based wavm ~ 20MB, and V8 ~ 10MB.
  • Event driven model.
  • Compatible with the calling mode of native filter.

As shown below, it is the configuration content of a wasm filter distributed to the envoy proxy side.

Simplify and extend the function of service grid based on wasm and oras

The above describes the envy filter and the way of wasm extension, which leads to the wasm filter mechanism, which will be the mainstream way in the future.

In a service grid system, how to manage the deployment and operation of wasm filter in an effective and simple way will be a problem that cloud products need to solve.

OPAs and wasm filter registry

In the cloud native ecosystem, how to manage an artifact file? I believe most people will think of the OCI specification standard and whether these wasm filters can be managed like docker images.

Oras project is used to solve this problem. Its full name is OCI registry as storage. Oras is the reference implementation of OCI artifacts project, which can significantly simplify the storage of any content in OCI registry.

Using oras API / SDK library, you can build custom tools to complete the following functions:

  • Push the web assembly module into the OCI registry.
  • Pull the web assembly module from the OCI registry.

The use of oras cli is similar to docker cli, as follows:

Simplify and extend the function of service grid based on wasm and oras

Taking Alibaba cloud container image service enterprise version ACR EE as an example, as an enterprise level cloud native application product management platform, it has provided the life cycle management of container image, helm chart and OCI compliant products. After opening, create a mirror warehouse and assign an address, which provides two ways: VPC and public network.

Log in using the oras login command line and execute the following commands:

Oras login — username = < login account > acree-1-registry cn-hangzhou. cr.aliyuncs. com

Push through the oras push command and execute the following commands:

oras push –manifest-config runtime-config.json:application/vnd.module.wasm.config.v1+json  example-filter.wasm:application/vnd.module.wasm.content.layer.v1+wasm

Note that for the parameter — manifest config, you can refer to the wasm artifact image specification.

After the wasm filter is pushed to the ACR EE registry, you can view the relevant information as follows:

Simplify and extend the function of service grid based on wasm and oras

Alibaba cloud service grid ASM architecture

How to use wasm technology in Alibaba cloud service grid ASM products? First, let’s understand the technical architecture of ASM products, as shown in the figure below. As the first fully managed istio compatible service grid product in the industry, ASM is positioned to focus on building a fully managed, secure, stable and easy-to-use service grid and support the unified governance of cross regional, multi cluster and multi cloud hybrid cloud services. The components of the control plane are hosted on the Alibaba cloud side and are decoupled and independent from the user cluster on the data side to reduce the complexity of users. Users only need to focus on the development and deployment of business applications. In the hosting mode, it maintains compatibility with istio, supports the declarative definition of flexible routing rules, and supports the unified traffic management of multiple kubernetes clusters.

Simplify and extend the function of service grid based on wasm and oras

As an important link connecting the upper application and the lower computing infrastructure, service grid ASM can be understood from three perspectives:

  • From the perspective of downward integration with infrastructure
  • From the perspective of service grid’s own capacity-building
  • From the perspective of upward support for application layer and integrated capability

From the perspective of capacity-building of service grid itself, ASM, as a managed service grid product, provides a flexible architecture, which can support different versions of customized istio control surface and data surface proxy agents.

  • On the trusteeship side, the core components of the control plane are transformed into trusteeship, and are responsible for the life cycle management of the whole control plane and data plane components. In terms of product capability, ASM has enhanced mesh Ca and security audit to improve the security of grid instances; The common problems in customer scenarios are formed into diagnostic rules, and users can run diagnostic analysis by themselves.
  • In addition to the construction of the core hosting side, ASM optimizes and integrates multiple Alibaba cloud products and services, such as xtrace, arms and log services in terms of observability; In the aspect of cross VPC network connection, CEN is integrated to realize the interconnection of multiple clusters; In terms of current limiting, AHAS’s current limiting service is integrated.
  • ASM also integrates and extends the community’s open source component capabilities, including OPA security engine support, spiffe / spire support, envoyfilter extension support, etc. Therefore, this part needs to provide a simple and effective way to help users easily expand these capabilities.

Using wasm in alicloud ASM

With the optimization of the new architecture, web assembly technology is introduced into service grid to solve the problem of agent expansion. In this way, ASM architecture becomes the mode of “managed high availability elastic control plane + extensible plug-in data plane”.

Alibaba cloud service grid ASM products provide support for web assembly (wasm) technology. Service grid users can deploy the extended wasm filter to the corresponding envoy agent in the data plane cluster through ASM. Through the asmfilterdeployment controller component, you can support the capabilities of dynamically loading plug-ins, easy to use, and hot update.

Simplify and extend the function of service grid based on wasm and oras

Through this filter extension mechanism, the functions of envoy can be easily extended and its application in service grid can be pushed to a new height.

Let’s look at how this capability is enabled in the ASM instance?

After deploying an ASM instance, the function is not enabled by default, and users need to take the initiative to enable it. For example, aliyun cli can be used as follows:

aliyun servicemesh UpdateMeshFeature  --ServiceMeshId=xxxxxx --WebAssemblyFilterEnabled=true

After this function is enabled, the ASM instance will deploy relevant components and perform the following tasks:

  • Deploy a daemon set (asmwasm controller) to the k8s cluster.
  • Asmwasm controller listens to a configmap, which stores the address of the wasm filter to be pulled, for example: acree-1-registry cn-hangzhou. cr.aliyuncs. com/*/sample:v0.1。
  • If authorization authentication is required, the asmwasm controller will obtain the corresponding secret value according to the defined pullsecret value.
  • Then, call the oras API to dynamically pull the wasm filter from the registry.
  • The asmwasm controller uses the hostpath method to mount the volume, so the pulled wasm filter will fall on the corresponding node.

After this function is enabled, how to deploy a wasm filter and mount it into the invoke proxy of the corresponding workload?

Simplify and extend the function of service grid based on wasm and oras

Alibaba cloud service grid ASM products provide a new CRD asmfilterdeployment and related controller components. This controller component will listen to the asmfilterdeployment resource object and do two things:

  • Create istio envoyfilter customer resource for the control surface and push it to the corresponding ASM control surface istiod.
  • Pull the corresponding wasm filter image from the OCI registry and mount it into the corresponding workload pod.

The following is an example of asmfilterdeployment Cr:

kind: ASMFilterDeployment
  name: details-v1-wasmfiltersample
    kind: Deployment
      app: details
      version: v1
    parameters: '{"name":"hello","value":"hello details"}'
    image: ''
      pullSecret: 'asmwasm-cache'
    rootID: 'my_root_id'
    id: 'details-v1-wasmfiltersample.default'

The generated istio envy filter resource is as follows:

Simplify and extend the function of service grid based on wasm and oras

Among them, envoy is defined in the match fragment Insert is defined in the filter and patch fragments of router_ Before operation, insert a wasm filter as follows:

Simplify and extend the function of service grid based on wasm and oras

After the workload definition of wasm filter is updated, the wasm filter file is mounted in the proxy container in the form of hostpath:

apiVersion: extensions/v1beta1
kind: Deployment

Confirm whether wasm filter is effective. Log in to the istio proxy container of productpage pod and execute the following command to send some traffic to the details service. In the response, you can see that the header of the filter is added to the response header.

kubectl exec -ti  deploy/productpage-v1 -c istio-proxy -- curl -v http://details:9080/details/123
*   Trying
* Connected to details ( port 9080 (#0)
> GET /details/123 HTTP/1.1
> Host: details:9080
> User-Agent: curl/7.58.0
> Accept: */*
< HTTP/1.1 200 OK
< resp-header-demo: added by our filter
* Connection #0 to host details left intact


During the development phase:

According to the following process, use the appropriate wasm SDK / programming language to create and compile a wasm binary file, and upload it to the OCI image warehouse by using oras cli.

Simplify and extend the function of service grid based on wasm and oras

During the deployment run phase:

First, confirm that the wasm support capability has been enabled in ASM, and then create an asmfilterdeployment custom resource. Note that this Cr is created in the apiserver corresponding to the ASM instance of the service grid. Once created, the corresponding CRD controller will monitor and synchronize the corresponding resources. On the one hand, an istio envoyfilter CR will be generated and sent to the control surface apiserver of the ASM instance. The user can check whether the generated istio envoyfilter CR meets the expectations.

Simplify and extend the function of service grid based on wasm and oras

On the other hand, confirm that the workload deployment changes take effect, including:

  • You can log in to the proxy container to check whether the wasm filter is successfully mounted.
  • Print relevant information by adjusting wasm log level.

As the first fully managed istio compatible service grid product in the industry, Alibaba cloud service grid (ASM) is a managed platform that uniformly manages micro service application traffic and is compatible with istio. It focuses on building a fully managed, secure, stable and easy-to-use service grid and supports the unified governance of cross regional multi cluster and multi cloud hybrid cloud services. Through the functions of flow control, grid observation and inter service communication security, service grid ASM can comprehensively simplify your service governance and provide unified management capabilities for services running on heterogeneous computing infrastructure. It is applicable to kubernetes clusters, serverless kubernetes clusters, ECS virtual machines and self built clusters.

Welcome toAlibaba cloud service grid ASM product official websiteExperience!

Introduction to the author

Wang Xining, senior technical expert of Alibaba cloud and technical director of ASM of Alibaba cloud service grid, focuses on kubernetes, service grid and other cloud native fields. Previously, he worked in IBM China Development Center and served as the chairman of the Patent Technology Review Committee. As an architect and major developer, he was responsible for or participated in a series of work in SOA middleware, cloud computing and other fields, and has more than 50 international technology patents in related fields. He has participated in technology sharing in many technical conferences, such as kubecon, archsummit, yunqi conference, etc. Write “analysis and practice of service grid technology” and publish several articles in multiple technical communities.

Recommended Today

Transaction management of mybatis

This article will talk about the transaction management mechanism of mybatis, which is based on mybatis 3.4.6 and mybatis spring 1.3.2. Knowledge points What is a transaction Transaction management supported by mybatis Mybatis transaction management implementation mechanism How is spring integrated What is a transaction Anyone who has studied SQL must know this concept. Transaction […]