From ddf3f17887f5d7017e700bd3a710165f40aa0b13 Mon Sep 17 00:00:00 2001 From: Artem Navoiev Date: Sat, 10 Apr 2021 19:52:33 +0300 Subject: [PATCH] update vmgateway.md (#1201) --- docs/vmgateway.md | 86 +++++++++++++++++++++++------------------------ 1 file changed, 43 insertions(+), 43 deletions(-) diff --git a/docs/vmgateway.md b/docs/vmgateway.md index f2da4e476..97e432c5f 100644 --- a/docs/vmgateway.md +++ b/docs/vmgateway.md @@ -7,23 +7,23 @@ sort: 8 vmgateway -`vmgateway` is a proxy for Victoria Metrics TSDB. It provides the following features: +`vmgateway` is a proxy for the Victoria Metrics Time Series Database (TSDB). It provides the following features: * Rate Limiter - * Based on cluster tenants' utilization supports multiple time interval limits for ingestion/retrieving metrics + * Based on cluster tenant's utilization, it supports multiple time interval limits for both the ingestion and retrieval of metrics * Token Access Control - * Supports additional per-label access control for Single and Cluster versions of Victoria Metrics TSDB - * Provides access by tenantID at Cluster version - * Allows to separate write/read/admin access to data + * Supports additional per-label access control for both the Single and Cluster versions of the Victoria Metrics TSDB + * Provides access by tenantID in the Cluster version + * Allows for separate write/read/admin access to data -`vmgateway` is included in an [enterprise package](https://victoriametrics.com/enterprise.html). +`vmgateway` is included in our [enterprise packages](https://victoriametrics.com/enterprise.html). ## Access Control vmgateway-ac -`vmgateway` supports jwt based authentication. With jwt payload can be configured access to specific tenant, labels, read/write. +`vmgateway` supports jwt based authentication. With jwt payload can be configured to give access to specific tenants and labels as well as to read/write. jwt token must be in following format: ```json @@ -43,15 +43,15 @@ jwt token must be in following format: } ``` Where: -- `exp` - required, expire time in unix_timestamp. If token expires, `vmgateway` rejects request. +- `exp` - required, expire time in unix_timestamp. If the token expires then `vmgateway` rejects the request. - `vm_access` - required, dict with claim info, minimum form: `{"vm_access": {"tenand_id": {}}` -- `tenant_id` - optional, make sense only for cluster mode, routes request to corresponding tenant. -- `extra_labels` - optional, key-value pairs for label filters - added to ingested or selected metrics. -- `mode` - optional, access mode for api - read, write, full. supported values: 0 - full (default value), 1 - read, 2 - write. +- `tenant_id` - optional, for cluster mode, routes requests to the corresponding tenant. +- `extra_labels` - optional, key-value pairs for label filters added to the ingested or selected metrics. +- `mode` - optional, access mode for api - read, write, or full. Supported values: 0 - full (default value), 1 - read, 2 - write. ## QuickStart -Start single version of Victoria Metrics +Start the single version of Victoria Metrics ```bash # single @@ -65,12 +65,12 @@ Start vmgateway ./bin/vmgateway -eula -enable.auth -read.url http://localhost:8428 --write.url http://localhost:8428 ``` -Retrieve data from database +Retrieve data from the database ```bash curl 'http://localhost:8431/api/v1/series/count' -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ2bV9hY2Nlc3MiOnsidGVuYW50X2lkIjp7fSwicm9sZSI6MX0sImV4cCI6MTkzOTM0NjIxMH0.5WUxEfdcV9hKo4CtQdtuZYOGpGXWwaqM9VuVivMMrVg' ``` - Request with incorrect token or with out token will be rejected: +A request with an incorrect token or without any token will be rejected: ```bash curl 'http://localhost:8431/api/v1/series/count' @@ -82,22 +82,22 @@ curl 'http://localhost:8431/api/v1/series/count' -H 'Authorization: Bearer incor vmgateway-rl - Limits incoming requests by given pre-configured limits. It supports read and write limiting by a tenant. +Limits incoming requests by given, pre-configured limits. It supports read and write limiting by tenant. - `vmgateway` needs datasource for rate limits queries. It can be single-node or cluster version of `victoria-metrics`. -It must have metrics scrapped from cluster, that you want to rate limit. +`vmgateway` needs a datasource for rate limit queries. It can be either single-node or cluster version of `victoria-metrics`. +The metrics that you want to rate limit must be scraped from the cluster. List of supported limit types: -- `queries` - count of api requests made at tenant to read api, such as `/api/v1/query`, `/api/v1/series` and others. -- `active_series` - count of current active series at given tenant. -- `new_series` - count of created series aka churn rate +- `queries` - count of api requests made at tenant to read the api, such as `/api/v1/query`, `/api/v1/series` and others. +- `active_series` - count of current active series at any given tenant. +- `new_series` - count of created series; aka churn rate - `rows_inserted` - count of inserted rows per tenant. List of supported time windows: - `minute` - `hour` -Limits can be specified per tenant or at global level, if you omit `project_id` and `account_id`. +Limits can be specified per tenant or at a global level if you omit `project_id` and `account_id`. Example of configuration file: @@ -118,7 +118,7 @@ limits: ## QuickStart - cluster version required for rate limiting. +cluster version of VictoriaMetrics is required for rate limiting. ```bash # start datasource for cluster metrics @@ -168,24 +168,24 @@ curl 'http://localhost:8431/api/v1/labels' -H 'Authorization: Bearer eyJhbGciOiJ ## Configuration -The shortlist of configuration flags is the following: -```bash +The shortlist of configuration flags include the following: +```console -clusterMode - enable it for cluster version + enable this for the cluster version -datasource.appendTypePrefix - Whether to add type prefix to -datasource.url based on the query type. Set to true if sending different query types to VMSelect URL. + Whether to add type prefix to -datasource.url based on the query type. Set to true if sending different query types to the VMSelect URL. -datasource.basicAuth.password string Optional basic auth password for -datasource.url -datasource.basicAuth.username string Optional basic auth username for -datasource.url -datasource.lookback duration - Lookback defines how far to look into past when evaluating queries. For example, if datasource.lookback=5m then param "time" with value now()-5m will be added to every query. + Lookback defines how far into the past to look when evaluating queries. For example, if the datasource.lookback=5m then param "time" with value now()-5m will be added to every query. -datasource.maxIdleConnections int - Defines the number of idle (keep-alive connections) to configured datasource.Consider to set this value equal to the value: groups_total * group.concurrency. Too low value may result into high number of sockets in TIME_WAIT state. (default 100) + Defines the number of idle (keep-alive connections) to each configured datasource. Consider setting this value equal to the value: groups_total * group.concurrency. Too low a value may result in a high number of sockets in TIME_WAIT state. (default 100) -datasource.queryStep duration queryStep defines how far a value can fallback to when evaluating queries. For example, if datasource.queryStep=15s then param "step" with value "15s" will be added to every query. -datasource.tlsCAFile string - Optional path to TLS CA file to use for verifying connections to -datasource.url. By default system CA is used + Optional path to TLS CA file to use for verifying connections to -datasource.url. By default, system CA is used -datasource.tlsCertFile string Optional path to client-side TLS certificate file to use when connecting to -datasource.url -datasource.tlsInsecureSkipVerify @@ -193,7 +193,7 @@ The shortlist of configuration flags is the following: -datasource.tlsKeyFile string Optional path to client-side TLS certificate key to use when connecting to -datasource.url -datasource.tlsServerName string - Optional TLS server name to use for connections to -datasource.url. By default the server name from -datasource.url is used + Optional TLS server name to use for connections to -datasource.url. By default, the server name from -datasource.url is used -datasource.url string Victoria Metrics or VMSelect url. Required parameter. E.g. http://127.0.0.1:8428 -enable.auth @@ -203,25 +203,25 @@ The shortlist of configuration flags is the following: -enableTCP6 Whether to enable IPv6 for listening and dialing. By default only IPv4 TCP and UDP is used -envflag.enable - Whether to enable reading flags from environment variables additionally to command line. Command line flag values have priority over values from environment vars. Flags are read only from command line if this flag isnt set + Whether to enable reading flags from environment variables additionally to command line. Command line flag values have priority over values from environment vars. Flags are read only from command line if this flag isn't set -envflag.prefix string Prefix for environment variables if -envflag.enable is set -eula - By specifying this flag you confirm that you have an enterprise license and accept the EULA https://victoriametrics.com/assets/VM_EULA.pdf + By specifying this flag, you confirm that you have an enterprise license and accept the EULA https://victoriametrics.com/assets/VM_EULA.pdf -fs.disableMmap - Whether to use pread() instead of mmap() for reading data files. By default mmap() is used for 64-bit arches and pread() is used for 32-bit arches, since they cannot read data files bigger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() + Whether to use pread() instead of mmap() for reading data files. By default, mmap() is used for 64-bit arches and pread() is used for 32-bit arches as they cannot read data files larger than 2^32 bytes in memory. mmap() is usually faster for reading small data chunks than pread() -http.connTimeout duration - Incoming http connections are closed after the configured timeout. This may help spreading incoming load among a cluster of services behind load balancer. Note that the real timeout may be bigger by up to 10% as a protection from Thundering herd problem (default 2m0s) + Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression - Disable compression of HTTP responses for saving CPU resources. By default compression is enabled to save network bandwidth + Disable compression of HTTP responses to save CPU resources. By default compression is enabled to save network bandwidth -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration - The maximum duration for graceful shutdown of HTTP server. Highly loaded server may require increased value for graceful shutdown (default 7s) + The maximum duration for a graceful shutdown of the HTTP server. A highly loaded server may require increased value for a graceful shutdown (default 7s) -http.pathPrefix string An optional prefix to add to all the paths handled by http server. For example, if '-http.pathPrefix=/foo/bar' is set, then all the http requests will be handled on '/foo/bar/*' paths. This may be useful for proxied requests. See https://www.robustperception.io/using-external-urls-and-proxies-with-prometheus -http.shutdownDelay duration - Optional delay before http server shutdown. During this dealy the servier returns non-OK responses from /health page, so load balancers can route new requests to other servers + Optional delay before http server shutdown. During this dealay, the servier returns non-OK responses from /health page, so load balancers can route new requests to other servers -httpAuth.password string Password for HTTP Basic Auth. The authentication is disabled if -httpAuth.username is empty -httpAuth.username string @@ -231,7 +231,7 @@ The shortlist of configuration flags is the following: -loggerDisableTimestamps Whether to disable writing timestamps in logs -loggerErrorsPerSecondLimit int - Per-second limit on the number of ERROR messages. If more than the given number of errors are emitted per second, then the remaining errors are suppressed. Zero value disables the rate limit + Per-second limit on the number of ERROR messages. If more than the given number of errors are emitted per second, the remaining errors are suppressed. Zero values disable the rate limit -loggerFormat string Format for logs. Possible values: default, json (default "default") -loggerLevel string @@ -241,12 +241,12 @@ The shortlist of configuration flags is the following: -loggerTimezone string Timezone to use for timestamps in logs. Timezone must be a valid IANA Time Zone. For example: America/New_York, Europe/Berlin, Etc/GMT+3 or Local (default "UTC") -loggerWarnsPerSecondLimit int - Per-second limit on the number of WARN messages. If more than the given number of warns are emitted per second, then the remaining warns are suppressed. Zero value disables the rate limit + Per-second limit on the number of WARN messages. If more than the given number of warns are emitted per second, then the remaining warns are suppressed. Zero values disable the rate limit -memory.allowedBytes size - Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to non-zero value. Too low value may increase cache miss rate, which usually results in higher CPU and disk IO usage. Too high value may evict too much data from OS page cache, which will result in higher disk IO usage + Allowed size of system memory VictoriaMetrics caches may occupy. This option overrides -memory.allowedPercent if set to a non-zero value. Too low a value may increase the cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache resulting in higher disk IO usage Supports the following optional suffixes for size values: KB, MB, GB, KiB, MiB, GiB (default 0) -memory.allowedPercent float - Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low value may increase cache miss rate, which usually results in higher CPU and disk IO usage. Too high value may evict too much data from OS page cache, which will result in higher disk IO usage (default 60) + Allowed percent of system memory VictoriaMetrics caches may occupy. See also -memory.allowedBytes. Too low a value may increase cache miss rate usually resulting in higher CPU and disk IO usage. Too high a value may evict too much data from OS page cache which will result in higher disk IO usage (default 60) -metricsAuthKey string Auth key for /metrics. It overrides httpAuth settings -pprofAuthKey string @@ -255,7 +255,7 @@ The shortlist of configuration flags is the following: path for configuration file -ratelimit.extraLabels array additional labels, that will be applied to fetchdata from datasource - Supports array of values separated by comma or specified via multiple flags. + Supports an array of values separated by comma or specified via multiple flags. -ratelimit.refreshInterval duration (default 5s) -read.url string @@ -263,7 +263,7 @@ The shortlist of configuration flags is the following: -tls Whether to enable TLS (aka HTTPS) for incoming requests. -tlsCertFile and -tlsKeyFile must be set if -tls is set -tlsCertFile string - Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs, since RSA certs are slow + Path to file with TLS certificate. Used only if -tls is set. Prefer ECDSA certs instead of RSA certs as RSA certs are slower -tlsKeyFile string Path to file with TLS key. Used only if -tls is set -version