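1 Log collection
https://github.com/iKubernetes/servicemesh_in_practise/tree/MageEdu_N66/Monitoring-and-Tracing # example code for logging and distributed tracing
1.1 accesslog-with-efk
Environment
7 Services:
front-envoy: Front Proxy, address 172.31.76.10
3 backend services, used only as upstream servers for testing
service_blue
service_red
service_green
3 logging services
elasticsearch, address 172.31.76.15, bound to port 9200 on the host
kibana, address 172.31.76.16, bound to port 5601 on the host
filebeat
Special requirements
The log file front-envoy-access.log under logs/envoy/ must be owned by the user envoy, which runs the envoy process inside the envoy container; its UID and GID default to 100 and 101 respectively. Otherwise, when the front-envoy process writes logs to this file, it fails with "Permission Denied."
chown 100:101 logs/envoy/front-envoy-access.log
Run and test
Start the services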
docker-compose up
Text logs
First send requests to Front-Envoy with a command like the following, so that access logs are generated continuously:
while true; do curl 172.31.76.10/service/colors; sleep 0.$RANDOM; done
Check whether an index generated by filebeat already exists:
curl 172.31.76.15:9200/_cat/indices
If the indices returned by the command include something like the following, filebeat has already created the corresponding index

Access Kibana
http://192.168.24.241:5601/
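1.2 monitoring # monitoring
Environment
10 Services:
front-envoy: Front Proxy, address 172.31.70.10
6 backend services
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; calls service_b and service_c;
service_b_envoy and service_b: correspond to the service_b cluster in Envoy;
service_c_envoy and service_c: correspond to the service_c cluster in Envoy;
1 statsd_exporter service
1 prometheus service
1 grafana service
Start the services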
docker-compose build
docker-compose up
Access test
Send requests to Front-Envoy; the command below issues requests at random intervals of less than 1 second:
while true; do curl 172.31.70.10; sleep 0.$RANDOM; done
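Grafana UI
1.3 monitoring-and-accesslog # monitoring combined with logging
Environment
10 Services:
front-envoy: Front Proxy, address 172.31.79.10
6 backend services
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; calls service_b and service_c;
service_b_envoy and service_b: correspond to the service_b cluster in Envoy;
service_c_envoy and service_c: correspond to the service_c cluster in Envoy;
3 services for Prometheus metrics monitoring
statsd_exporter
prometheus
grafana
3 services for EFK logging
elasticsearch
kibana
filebeat
Special requirements
The log file front-envoy-access.log under logs/envoy/ must be owned by the user envoy, which runs the envoy process inside the envoy container; its UID and GID default to 100 and 101 respectively. Otherwise, when the front-envoy process writes logs to this file, it fails with "Permission Denied."
chown 100:101 logs/envoy/*
Start the services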
docker-compose build
docker-compose up
Access test
Send requests to Front-Envoy; the command below issues requests at random intervals of less than 1 second:
while true; do curl 172.31.79.10; sleep 0.$RANDOM; done
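View Prometheus and Grafana
View Kibana
View the ES indices
2 Distributed tracing
2.1 zipkin-tracing-basics
Services:
Front-Proxy: front proxy, listening on port 8000/tcp
2 backend services
service1: receives requests from Front-Envoy and in turn calls service2
service2: receives requests from service1
Tracing service zipkin, listening on port 9411
Start the services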
docker-compose build
docker-compose up
Send a request to the proxy
curl -v 172.31.81.10:8000/trace/1
# The command returns a response similar to the following
* Trying 172.31.81.10:8000...
* TCP_NODELAY set
* Connected to 172.31.81.10 (172.31.81.10) port 8000 (#0)
> GET /trace/1 HTTP/1.1
> Host: 172.31.81.10:8000
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< content-length: 90
< server: envoy
< date: Wed, 03 Nov 2021 09:59:59 GMT
< x-envoy-upstream-service-time: 11
< x-b3-traceid: 103b7d704f28aafe
< x-request-id: 59960a6f-74fe-92f8-aba5-b4e7af7c249f
<
Hello from behind Envoy (service 1)! hostname: 7ec5c840997d resolvedhostname: 172.31.81.2
Repeat the request several times so that the tracing results are easier to follow in the UI later.
Access Zipkin
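Added example, not from the original page or its repository: the x-b3-traceid response header in the curl output above is the ID under which Zipkin stores the trace, and x-request-id identifies the same request to Envoy. The sketch below pulls both from a saved curl -v transcript, validates the trace ID, and builds the Zipkin v2 API URL for it; the function names and the localhost host name are assumptions.

```sh
#!/bin/sh
# Constructed sample: response headers from the curl output above, with the
# CRLF line endings that HTTP headers carry on the wire.
sample_transcript() {
  printf '%s\r\n' \
    '< HTTP/1.1 200 OK' \
    '< server: envoy' \
    '< x-envoy-upstream-service-time: 11' \
    '< x-b3-traceid: 103b7d704f28aafe' \
    '< x-request-id: 59960a6f-74fe-92f8-aba5-b4e7af7c249f' \
    '<'
}

# header_value NAME: print the first value of response header NAME
# (case-insensitive) from a curl -v transcript on stdin. Only "< " lines are
# read, so a header the client sent ("> ") is never taken for Envoy's.
header_value() {
  tr -d '\r' | awk -v want="$1" '
    /^< / && !found {
      line = substr($0, 3)
      i = index(line, ":")
      if (i == 0) next
      name = tolower(substr(line, 1, i - 1))
      val = substr(line, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      if (name == tolower(want)) { print val; found = 1 }
    }'
}

# valid_trace_id ID: a B3 trace ID is 16 or 32 lower-case hex characters.
# Checked before the value is placed in a URL, since it comes from the network.
valid_trace_id() {
  printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{16}|[0-9a-f]{32})$'
}

# zipkin_trace_url BASE: transcript on stdin -> Zipkin v2 API URL of its trace.
zipkin_trace_url() {
  id=$(header_value x-b3-traceid)
  valid_trace_id "$id" || { echo "no valid x-b3-traceid found" >&2; return 1; }
  printf '%s/api/v2/trace/%s\n' "${1%/}" "$id"
}

# Zipkin listens on 9411 in this lab; the host name is an assumption.
sample_transcript | zipkin_trace_url "http://localhost:9411"
sample_transcript | header_value x-request-id
```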
2.2 zipkin-tracing
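Environment
8 Services:
front-envoy: Front Proxy, address 172.31.85.10
6 backend services
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; calls service_b and service_c;
service_b_envoy and service_b: correspond to the service_b cluster in Envoy;
service_c_envoy and service_c: correspond to the service_c cluster in Envoy;
zipkin: Zipkin service
Start the services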
docker-compose build
docker-compose up
Access test
Send a request to Front-Envoy
curl -vv 172.31.85.10
* About to connect() to 172.31.85.10 port 80 (#0)
* Trying 172.31.85.10...
* Connected to 172.31.85.10 (172.31.85.10) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.85.10
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Sat, 13 Aug 2022 08:40:02 GMT
< content-length: 85
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 4
< server: envoy
< x-b3-traceid: c86a1e9192a64f39
< x-request-id: fb84155c-65ae-933c-a15f-24b87179eb4f
<
Calling Service B: Hello from service B.
Hello from service A.
Hello from service C.
* Connection #0 to host 172.31.85.10 left intact
2.3 jaeger-tracing
Environment
8 Services:
front-envoy: Front Proxy, address 172.31.88.10
6 backend services
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; calls service_b and service_c;
service_b_envoy and service_b: correspond to the service_b cluster in Envoy;
service_c_envoy and service_c: correspond to the service_c cluster in Envoy;
zipkin: Jaeger all-in-one service
Start the services
docker-compose build
docker-compose up
Access test
Send one request to Front-Envoy
curl -vv 172.31.88.10
* About to connect() to 172.31.88.10 port 80 (#0)
* Trying 172.31.88.10...
* Connected to 172.31.88.10 (172.31.88.10) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.88.10
> Accept: */*
>
< HTTP/1.1 200 OK
< date: Sat, 13 Aug 2022 08:44:34 GMT
< content-length: 85
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 8
< server: envoy
< x-b3-traceid: 70948d1d41a58074
< x-request-id: a9858fbb-2e6c-9acb-957c-a276e9b1d7b3
<
Calling Service B: Hello from service B.
Hello from service A.
Hello from service C.
* Connection #0 to host 172.31.88.10 left intact
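Jaeger records the trace for this request. Open port 16686 on the host in a browser to reach the Jaeger UI.
3 Security
https://github.com/iKubernetes/servicemesh_in_practise/tree/MageEdu_N66/Envoy-TLS # examples
3.1 https-https-proxy
Environment
5 Services:
envoy: Front Proxy, address 172.31.8.2, listening on port 8443
webserver01: the first backend service
webserver01-sidecar: Sidecar Proxy for the first backend service, address 172.31.8.11, listening on port 443
webserver02: the second backend service
webserver02-sidecar: Sidecar Proxy for the second backend service, address 172.31.8.12, listening on port 443
Run and test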
docker-compose up
Test
HTTPS request test
curl -k -v https://172.31.8.2:8443/
The sample output below shows the detailed exchange, which is printed because the curl command was run with the -v option.
* About to connect() to 172.31.8.2 port 8443 (#0)
* Trying 172.31.8.2...
* Connected to 172.31.8.2 (172.31.8.2) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.magedu.com
* start date: 5月 19 03:56:18 2021 GMT
* expire date: 5月 17 03:56:18 2031 GMT
* common name: www.magedu.com
* issuer: CN=www.magedu.com
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.8.2:8443
> Accept: */*
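Added example, not from the original page or its repository: with -k, curl completes the handshake without authenticating the server, and the output above shows a certificate whose subject and issuer are the same name. The sketch below reads a saved curl -v transcript and reports those two conditions plus the certificate lifetime; the function names and the 2-year threshold are assumptions.

```sh
#!/bin/sh
# Constructed sample: the TLS lines of the curl -k -v output shown above.
sample_tls_transcript() {
  cat <<'EOF'
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.magedu.com
* start date: 5月 19 03:56:18 2021 GMT
* expire date: 5月 17 03:56:18 2031 GMT
* common name: www.magedu.com
* issuer: CN=www.magedu.com
EOF
}

# tls_findings [MAX_YEARS]: read a curl -v transcript on stdin, print one
# finding per line. MAX_YEARS (default 2) is a policy threshold assumed here.
# The "skipping ..." text is what the NSS-backed curl above prints; other TLS
# backends word it differently.
tls_findings() {
  awk -v max="${1:-2}" '
    function value(s) { sub(/^\*[ \t]*[^:]*:[ \t]*/, "", s); return s }
    function year(s) {
      return match(s, /[0-9][0-9][0-9][0-9] GMT/) ? substr(s, RSTART, 4) + 0 : 0
    }
    /skipping SSL peer certificate verification/ { skipped = 1 }
    /^\*[ \t]*subject:/     { subject = value($0) }
    /^\*[ \t]*issuer:/      { issuer = value($0) }
    /^\*[ \t]*start date:/  { y_start = year($0) }
    /^\*[ \t]*expire date:/ { y_end = year($0) }
    END {
      # -k was used: the session is encrypted but the peer is unauthenticated
      if (skipped) print "verification-skipped"
      # subject == issuer: self-issued, so no CA vouches for the name
      if (subject != "" && subject == issuer) print "self-issued: " subject
      if (y_start && y_end && y_end - y_start > max) {
        print "validity-years: " (y_end - y_start)
      }
    }'
}

sample_tls_transcript | tls_findings
```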
Request the admin interface
curl http://172.31.8.2:9901/