Envoy: distributed tracing, log collection and mesh security

1 Log collection

https://github.com/iKubernetes/servicemesh_in_practise/tree/MageEdu_N66/Monitoring-and-Tracing #example code for logging and tracing

1.1 accesslog-with-efk

Environment

7 services:
front-envoy: the front proxy, address 172.31.76.10
3 backend services, used only as upstream servers for testing:
service_blue
service_red
service_green
3 logging services:
elasticsearch, address 172.31.76.15, port 9200 published on the host
kibana, address 172.31.76.16, port 5601 published on the host
filebeat

Special requirement

The owner of the log file front-envoy-access.log under logs/envoy/ must be changed to the user envoy, which runs the envoy process inside the envoy container; its UID and GID default to 100 and 101. Otherwise the front-envoy process gets "Permission Denied" when it writes its log to that file.
chown 100:101 logs/envoy/front-envoy-access.log

Run and test
Start the services

docker-compose up

Text logs

First send requests to the front Envoy with a loop like the following, so that access logs are generated continuously:

while true; do curl 172.31.76.10/service/colors; sleep 0.$RANDOM; done

Check whether filebeat has already created its index:

curl 172.31.76.15:9200/_cat/indices

If the returned index list contains an entry created by filebeat, the index exists (the original post shows a screenshot of the output).

Open Kibana:
http://192.168.24.241:5601/
(screenshot of the Kibana UI in the original post)

1.2 monitoring #monitoring

Environment

10 services:
front-envoy: the front proxy, address 172.31.70.10
6 backend services:
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; service_a calls service_b and service_c
service_b_envoy and service_b: correspond to the service_b cluster in Envoy
service_c_envoy and service_c: correspond to the service_c cluster in Envoy
1 statsd_exporter service
1 prometheus service
1 grafana service

Start the services

docker-compose build
docker-compose up

Access test

Send requests to the front Envoy; the command below sends a request after a random pause of less than one second:

while true; do curl 172.31.70.10; sleep 0.$RANDOM; done

Grafana dashboard (screenshot in the original post)

1.3 monitoring-and-accesslog #monitoring combined with access logging

Environment

10 services:
front-envoy: the front proxy, address 172.31.79.10
6 backend services:
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; service_a calls service_b and service_c
service_b_envoy and service_b: correspond to the service_b cluster in Envoy
service_c_envoy and service_c: correspond to the service_c cluster in Envoy
3 services for Prometheus metrics monitoring:
statsd_exporter
prometheus
grafana
3 services for EFK logging:
elasticsearch
kibana
filebeat

Special requirement

The owner of the log file front-envoy-access.log under logs/envoy/ must be changed to the user envoy, which runs the envoy process inside the envoy container; its UID and GID default to 100 and 101. Otherwise the front-envoy process gets "Permission Denied" when it writes its log to that file.
chown 100:101 logs/envoy/*

Start the services

docker-compose build
docker-compose up

Access test

Send requests to the front Envoy; the command below sends a request after a random pause of less than one second:

while true; do curl 172.31.79.10; sleep 0.$RANDOM; done

Prometheus and Grafana (screenshot in the original post)

Kibana (screenshot in the original post)

Elasticsearch indices (screenshot in the original post)

2 Distributed tracing

2.1 zipkin-tracing-basics

Services:

Front-Proxy: the front proxy, listening on port 8000/tcp
2 backend services:
service1: receives requests from the front Envoy and calls service2
service2: receives requests from service1
Tracing service zipkin, listening on port 9411

Start the services

docker-compose build
docker-compose up

Send a request through the proxy

curl -v 172.31.81.10:8000/trace/1

# the command receives a response similar to the following
*   Trying 172.31.81.10:8000...
* TCP_NODELAY set
* Connected to 172.31.81.10 (172.31.81.10) port 8000 (#0)
> GET /trace/1 HTTP/1.1
> Host: 172.31.81.10:8000
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-type: text/html; charset=utf-8
< content-length: 90
< server: envoy
< date: Wed, 03 Nov 2021 09:59:59 GMT
< x-envoy-upstream-service-time: 11
< x-b3-traceid: 103b7d704f28aafe
< x-request-id: 59960a6f-74fe-92f8-aba5-b4e7af7c249f
< 
Hello from behind Envoy (service 1)! hostname: 7ec5c840997d resolvedhostname: 172.31.81.2

Repeat the request several times so that there are traces to inspect later in the UI.
Zipkin UI (screenshot in the original post)

2.2 zipkin-tracing

Environment

8 services:
front-envoy: the front proxy, address 172.31.85.10
6 backend services:
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; service_a calls service_b and service_c
service_b_envoy and service_b: correspond to the service_b cluster in Envoy
service_c_envoy and service_c: correspond to the service_c cluster in Envoy
zipkin: the Zipkin service

Start the services

docker-compose build
docker-compose up

Access test

Send a request to the front Envoy:

curl -vv 172.31.85.10


* About to connect() to 172.31.85.10 port 80 (#0)
*   Trying 172.31.85.10...
* Connected to 172.31.85.10 (172.31.85.10) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.85.10
> Accept: */*
> 
< HTTP/1.1 200 OK
< date: Sat, 13 Aug 2022 08:40:02 GMT
< content-length: 85
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 4
< server: envoy
< x-b3-traceid: c86a1e9192a64f39
< x-request-id: fb84155c-65ae-933c-a15f-24b87179eb4f
< 
Calling Service B: Hello from service B.
Hello from service A.
Hello from service C.
* Connection #0 to host 172.31.85.10 left intact

Zipkin trace view (screenshot in the original post)

2.3 jaeger-tracing

Environment

8 services:
front-envoy: the front proxy, address 172.31.88.10
6 backend services:
service_a_envoy and service_a: correspond to the service_a cluster in Envoy; service_a calls service_b and service_c
service_b_envoy and service_b: correspond to the service_b cluster in Envoy
service_c_envoy and service_c: correspond to the service_c cluster in Envoy
zipkin: the Jaeger all-in-one service

Start the services

docker-compose build
docker-compose up

Access test

Send one request to the front Envoy:

curl -vv 172.31.88.10

* About to connect() to 172.31.88.10 port 80 (#0)
*   Trying 172.31.88.10...
* Connected to 172.31.88.10 (172.31.88.10) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.88.10
> Accept: */*
> 
< HTTP/1.1 200 OK
< date: Sat, 13 Aug 2022 08:44:34 GMT
< content-length: 85
< content-type: text/plain; charset=utf-8
< x-envoy-upstream-service-time: 8
< server: envoy
< x-b3-traceid: 70948d1d41a58074
< x-request-id: a9858fbb-2e6c-9acb-957c-a276e9b1d7b3
< 
Calling Service B: Hello from service B.
Hello from service A.
Hello from service C.
* Connection #0 to host 172.31.88.10 left intact

Jaeger records the trace for this request. Open port 16686 on the host in a browser to reach the Jaeger UI.

Jaeger UI (screenshots in the original post)
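An added example, not from the post or the lab repository, that serves the Zipkin labs in 2.1 and 2.2 as well as the Jaeger lab above: the x-b3-traceid and x-request-id returned by the front Envoy are the handles for correlating one request with its trace, so this Python snippet pulls them out of a curl -v transcript, checks that the B3 trace id has the expected shape (16 or 32 hex characters) and builds the Zipkin v2 API and Jaeger UI lookup links. It assumes the tracing backends are published on ports 9411 and 16686 of a host you pass in; 127.0.0.1 below is a placeholder, and the transcript is constructed from the header values shown above.

```python
import re
from typing import Dict

# Response-header lines in a `curl -v` transcript start with "< "; collect
# them into a dict keyed by the lower-cased header name.
def response_headers(transcript: str) -> Dict[str, str]:
    headers: Dict[str, str] = {}
    for line in transcript.splitlines():
        if line.startswith("< ") and ":" in line[2:]:
            name, _, value = line[2:].partition(":")
            headers[name.strip().lower()] = value.strip()
    return headers

# B3 trace ids are 64-bit (16 hex chars) or 128-bit (32 hex chars).
B3_TRACE_ID = re.compile(r"^(?:[0-9a-f]{16}|[0-9a-f]{32})$")

def trace_links(headers: Dict[str, str], host: str) -> Dict[str, str]:
    """Zipkin v2 API lookup and Jaeger UI link for the trace id in the
    response. `host` is where the lab publishes ports 9411 and 16686
    (assumption: passed in by the caller, not a value from the post)."""
    trace_id = headers.get("x-b3-traceid", "")
    if not B3_TRACE_ID.match(trace_id):
        raise ValueError("response carries no valid x-b3-traceid: %r" % trace_id)
    return {
        "request_id": headers.get("x-request-id", "-"),
        "zipkin_api": "http://%s:9411/api/v2/trace/%s" % (host, trace_id),
        "jaeger_ui": "http://%s:16686/trace/%s" % (host, trace_id),
    }

# Constructed transcript reusing the header values shown in the post above.
SAMPLE = """\
> GET / HTTP/1.1
> Host: 172.31.88.10
< HTTP/1.1 200 OK
< server: envoy
< x-envoy-upstream-service-time: 8
< x-b3-traceid: 70948d1d41a58074
< x-request-id: a9858fbb-2e6c-9acb-957c-a276e9b1d7b3
<
Calling Service B: Hello from service B.
"""

if __name__ == "__main__":
    print(trace_links(response_headers(SAMPLE), "127.0.0.1"))
```

A response without a valid x-b3-traceid raises instead of producing a broken link, which is the usual sign that tracing is not enabled on the listener or the request was not sampled.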

3 Security

https://github.com/iKubernetes/servicemesh_in_practise/tree/MageEdu_N66/Envoy-TLS #examples

3.1 https-https-proxy

Environment

5 services:
envoy: the front proxy, address 172.31.8.2, listening on port 8443
webserver01: the first backend service
webserver01-sidecar: the sidecar proxy of the first backend service, address 172.31.8.11, listening on port 443
webserver02: the second backend service
webserver02-sidecar: the sidecar proxy of the second backend service, address 172.31.8.12, listening on port 443

Run and test

docker-compose up

Test
HTTPS request test

curl -k -v https://172.31.8.2:8443/

The output below is the detailed exchange printed because curl was given the -v option. Note that -k makes curl skip verification of the server certificate, which is why the transcript reports "skipping SSL peer certificate verification" and accepts the self-signed certificate (subject and issuer are both CN=www.magedu.com).

* About to connect() to 172.31.8.2 port 8443 (#0)
*   Trying 172.31.8.2...
* Connected to 172.31.8.2 (172.31.8.2) port 8443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: CN=www.magedu.com
*       start date: 5月 19 03:56:18 2021 GMT
*       expire date: 5月 17 03:56:18 2031 GMT
*       common name: www.magedu.com
*       issuer: CN=www.magedu.com
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 172.31.8.2:8443
> Accept: */*

Request the admin interface
curl http://172.31.8.2:9901/

posted @ 2022-08-13 17:57 huningfei