Deploying Envoy
Common ways to deploy Envoy
Image-based deployment
- The Envoy project maintains Docker images for several platforms (for example amd64 and arm64); we can pull the image we need and run Envoy as a container. The images come in the following variants:
- envoy: a Docker image built on Ubuntu Bionic
- envoy-alpine and envoy-alpine-dev: Docker images built on Alpine
- envoy-debug and envoy-debug-dev: Ubuntu-based Docker images that include a debug environment
- envoy-windows and envoy-windows-dev: Docker images built on Windows 1809
Binary deployment
- The Get Envoy project maintains binary packages for several mainstream Linux distributions (for example Ubuntu, CentOS and RHEL); after configuring the corresponding repository, Envoy can be installed with the system package manager
- Ubuntu
- https://dl.bintray.com/tetrate/getenvoy-deb
- CentOS
- https://tetrate.bintray.com/getenvoy-rpm/centos/
- RHEL
- https://tetrate.bintray.com/getenvoy-rpm/rhel/
Deployment documentation
https://www.envoyproxy.io/docs/envoy/latest/start/install
Deploying Envoy
Deploying Envoy on Ubuntu
~# sudo apt update
~# sudo apt install apt-transport-https gnupg2 curl lsb-release
~# curl -sL 'https://deb.dl.getenvoy.io/public/gpg.8115BA8E629CC074.key' | sudo gpg --dearmor -o /usr/share/keyrings/getenvoy-keyring.gpg
Verify the keyring - this should yield "OK"
~# echo a077cb587a1b622e03aa4bf2f3689de14658a9497a9af2c427bba5f4cc3c4723 /usr/share/keyrings/getenvoy-keyring.gpg | sha256sum --check
~# echo "deb [arch=amd64 signed-by=/usr/share/keyrings/getenvoy-keyring.gpg] https://deb.dl.getenvoy.io/public/deb/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/getenvoy.list
~# sudo apt update
~# sudo apt install -y getenvoy-envoy
Deploying Envoy on CentOS
[root@node-01 ~]# sudo yum install yum-utils
[root@node-01 ~]# sudo rpm --import 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key'
[root@node-01 ~]# curl -sL 'https://rpm.dl.getenvoy.io/public/config.rpm.txt?distro=el&codename=7' > /tmp/tetrate-getenvoy-rpm-stable.repo
[root@node-01 ~]# sudo yum-config-manager --add-repo '/tmp/tetrate-getenvoy-rpm-stable.repo'
[root@node-01 ~]# sudo yum makecache --disablerepo='*' --enablerepo='tetrate-getenvoy-rpm-stable'
[root@node-01 ~]# sudo yum install getenvoy-envoy
Building and installing Envoy from source
Downloads: https://github.com/envoyproxy/envoy/releases
Official documentation: https://www.envoyproxy.io/docs/envoy/latest/start/building
Build documentation: https://github.com/envoyproxy/envoy/blob/2950cf0afd4bfe48a72d8c475262305c0e258ba1/bazel/README.md
The build process itself is omitted here
Docker-based deployment
Available Docker images
https://www.envoyproxy.io/docs/envoy/latest/start/install#pre-built-envoy-docker-images
| Docker image | Description | stable amd64 | stable arm64 | main amd64 | main arm64 |
|---|---|---|---|---|---|
| envoyproxy/envoy | Release binary with symbols stripped on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-contrib | Release contrib binary with symbols stripped on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-distroless | Release binary with symbols stripped on top of a distroless base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-windows | Release binary with symbols stripped on top of a Windows Server 1809 base. | v1.24-latest | | | |
| envoyproxy/envoy-debug | Release binary with debug symbols on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-contrib-debug | Release contrib binary with debug symbols on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-tools | Release tools on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| envoyproxy/envoy-dev | Release binary with symbols stripped on top of an Ubuntu 20.04 base. | | | latest | latest |
| envoyproxy/envoy-contrib-dev | Release contrib binary with symbols stripped on top of an Ubuntu 20.04 base. | | | latest | latest |
| envoyproxy/envoy-distroless-dev | Release binary with symbols stripped on top of a distroless base. | | | latest | latest |
| envoyproxy/envoy-debug-dev | Release binary with debug symbols on top of an Ubuntu 20.04 base. | | | latest | latest |
| envoyproxy/envoy-contrib-debug-dev | Release contrib binary with debug symbols on top of an Ubuntu 20.04 base. | | | latest | latest |
| envoyproxy/envoy-windows-dev | Release binary with symbols stripped on top of a Windows Server 1809 base. Includes build tools. | | | latest | |
| envoyproxy/envoy-tools-dev | Release tools on top of an Ubuntu 20.04 base. | | | latest | latest |
| envoyproxy/envoy-build-ubuntu | Build image which includes tools for building multi-arch Envoy and containers. | See Docker Hub | See Docker Hub | | |
Running with docker-compose
Prepare docker-compose.yaml
~# cat docker-compose.yaml
version: '3'
services:
  envoy:
    image: envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
    ports:
      - "10000:10000"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
    environment:
      - "ENVOY_UID=0"
Run Envoy
~# docker-compose up
Building an Envoy Docker image
Prepare the Dockerfile
~# cat Dockerfile
FROM envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
COPY envoy.yaml /etc/envoy/envoy.yaml
RUN chmod go+r /etc/envoy/envoy.yaml
Build the image
~# docker build -t envoy:v1 .
Test the image
~# docker run -d --name envoy -p 9901:9901 -p 10000:10000 envoy:v1
Starting Envoy
Check the Envoy version
envoy --version
Get help
envoy --help
Validate the configuration file syntax
envoy --mode validate -c /path/to/my-envoy-config.yaml
Running Envoy
- When starting Envoy, an initial configuration file must be given with the -c option to provide the bootstrap configuration; the v3 API requires this.
- envoy -c /path/to/envoy-demo.yaml --log-path logs/custom.log
- The bootstrap configuration is the starting point of Envoy's configuration: it carries Envoy's initial configuration and may include definitions of both static and dynamic resources;
- static resources (static_resources) are loaded directly at startup;
- dynamic resources (dynamic_resources) are fetched from the configured xDS services and generated from their responses;
- Usually, Listeners and Clusters are the foundation on which Envoy runs; both can be configured entirely statically, through a mix of static and dynamic sources, or entirely dynamically;
Example configuration file
https://www.envoyproxy.io/docs/envoy/latest/_downloads/92dcb9714fb6bc288d042029b34c0de4/envoy-demo.yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite_literal: www.envoyproxy.io
                  cluster: service_envoyproxy_io
  clusters:
  - name: service_envoyproxy_io
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: service_envoyproxy_io
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.envoyproxy.io
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: www.envoyproxy.io
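The demo above is fully static. The bullet list on bootstrap configuration also describes the mixed form, where the only static resource is the cluster through which Envoy reaches its xDS server and every listener and cluster is then delivered dynamically. The following bootstrap is an added example (not the notes' or the Envoy project's own file) of that form; the control-plane hostname xds.control-plane.internal, port 18000 and the CA path are assumptions.

```yaml
# Added example, not the notes' or Envoy's own; the hostname, port and CA path are assumed.
node:
  id: envoy-demo-1          # identity the xDS server uses to scope its answers
admin:
  address:
    socket_address:
      address: 127.0.0.1    # admin API on loopback only; it can dump and change state
      port_value: 9901
dynamic_resources:
  # Listeners and clusters come from the control plane over one ADS stream.
  ads_config:
    api_type: GRPC
    transport_api_version: V3
    grpc_services:
    - envoy_grpc:
        cluster_name: xds_cluster   # must be a static cluster defined below
  lds_config:
    resource_api_version: V3
    ads: {}
  cds_config:
    resource_api_version: V3
    ads: {}
static_resources:
  # Only static resource: the xDS server. It controls every listener and route, so verify its TLS cert.
  clusters:
  - name: xds_cluster
    type: STRICT_DNS
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}    # gRPC requires HTTP/2
    load_assignment:
      cluster_name: xds_cluster
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: xds.control-plane.internal
                port_value: 18000
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: xds.control-plane.internal
        common_tls_context:
          validation_context:
            trusted_ca:
              filename: /etc/envoy/certs/xds-ca.pem
```

envoy --mode validate accepts this file as written; at runtime Envoy serves nothing until the xDS server has delivered at least one listener.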
Frequently asked questions
Permission problems when running as a non-root user
By default the Envoy Docker image starts as root, but then switches to the envoy user that was created in the Docker entrypoint at build time.
Changing the uid or gid of the envoy user inside the container: the default uid and gid of the envoy user are 101. They can be set at runtime with the ENVOY_UID and ENVOY_GID environment variables.
To run the process as root inside the container, the UID can be set to 0, but doing so may weaken the security of the running container.
For example, this can be done on the Docker command line:
~# docker run -d --name envoy -e ENVOY_UID=777 -e ENVOY_GID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
Logging permissions inside the Envoy container
By default the Envoy image sends application logs to /dev/stdout and /dev/stderr, where they can be viewed in the container logs.
If application, admin or access logs are sent to a file instead, the envoy user needs permission to write to that file. This can be achieved either by setting the envoy UID accordingly or by making the file writable by the envoy user.
~# mkdir logs
~# chown 777 logs
~# docker run -d --name envoy -v $(pwd)/logs:/var/log -e ENVOY_UID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
Configuration and binary file permissions inside the Envoy container
The envoy user also needs permission to access any required configuration files in the container.
Any binaries referenced in the configuration should also be executable by the envoy user.
When running in an environment with a strict umask, it may be necessary to grant Envoy access by setting the ownership or permissions of those files.
One way to do this without changing any file permissions is to start the container with the host user's uid.
~# docker run -d --name envoy -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml -e ENVOY_UID=$(id -u) envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
Specifying the port Envoy listens on inside the container
~# docker run -d --name envoy -p 80:8000 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
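The docker-compose file in the section above runs Envoy with ENVOY_UID=0, which is exactly the setting these FAQ entries advise against. The following compose file is an added example (not the notes' or the Envoy project's own) that puts the weak form beside a corrected one applying the uid, log-directory and configuration-permission points from the FAQ; the uid/gid value 1000 is an assumption standing in for the host user.

```yaml
# Added example, not from the notes or the Envoy project; "1000" stands for the
# host user's uid/gid (use the values of `id -u` / `id -g`).
# The two services are alternatives; run only one of them (both publish 10000).
version: '3'
services:
  # Weak form, as in the compose file above: the whole container runs as uid 0
  # and the admin interface (9901, if envoy.yaml defines one) is published on
  # every host interface.
  envoy-as-root:
    image: envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
    ports:
      - "10000:10000"
      - "9901:9901"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
    environment:
      - "ENVOY_UID=0"

  # Corrected form: the entrypoint remaps the envoy user to the host uid/gid
  # that owns ./envoy.yaml and ./logs, so no chown/chmod is needed; the config
  # is mounted read-only and the admin port is reachable from the host only.
  envoy:
    image: envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
    ports:
      - "10000:10000"
      - "127.0.0.1:9901:9901"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml:ro
      - ./logs:/var/log
    environment:
      - "ENVOY_UID=1000"
      - "ENVOY_GID=1000"
    security_opt:
      - no-new-privileges:true   # the entrypoint still drops to the envoy user via setuid()
```

With the corrected service, `docker-compose exec envoy id` should report the mapped uid rather than 0, and ./logs needs no chown because the container writes to it as its owner.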