Common ways to deploy Envoy
Image-based deployment
- The Envoy project maintains Docker images for several platforms (for example amd64 and arm64); we can pull the image we need and run Envoy as a container. The images come in the following variants:
- envoy: Docker image built on Ubuntu Bionic
- envoy-alpine and envoy-alpine-dev: Docker images built on Alpine
- envoy-debug and envoy-debug-dev: Ubuntu-based Docker images that include a debug environment
- envoy-windows and envoy-windows-dev: Docker images built on Windows 1809
Binary deployment
- The Get Envoy project maintains binary packages for several mainstream Linux distributions (for example Ubuntu, CentOS and RHEL); once the corresponding repository is configured, Envoy can be installed with the system package manager
- Ubuntu
  - https://dl.bintray.com/tetrate/getenvoy-deb
- CentOS
  - https://tetrate.bintray.com/getenvoy-rpm/centos/
- RHEL
  - https://tetrate.bintray.com/getenvoy-rpm/rhel/
Deployment documentation
https://www.envoyproxy.io/docs/envoy/latest/start/install
Deploying Envoy
Deploying Envoy on Ubuntu
~# sudo apt update
~# sudo apt install apt-transport-https gnupg2 curl lsb-release
~# curl -sL 'https://deb.dl.getenvoy.io/public/gpg.8115BA8E629CC074.key' | sudo gpg --dearmor -o /usr/share/keyrings/getenvoy-keyring.gpg
Verify the keyring - this should yield "OK"
~# echo a077cb587a1b622e03aa4bf2f3689de14658a9497a9af2c427bba5f4cc3c4723 /usr/share/keyrings/getenvoy-keyring.gpg | sha256sum --check
~# echo "deb [arch=amd64 signed-by=/usr/share/keyrings/getenvoy-keyring.gpg] https://deb.dl.getenvoy.io/public/deb/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/getenvoy.list
~# sudo apt update
~# sudo apt install -y getenvoy-envoy
Deploying Envoy on CentOS
[root@node-01 ~]# sudo yum install yum-utils
[root@node-01 ~]# sudo rpm --import 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key'
[root@node-01 ~]# curl -sL 'https://rpm.dl.getenvoy.io/public/config.rpm.txt?distro=el&codename=7' > /tmp/tetrate-getenvoy-rpm-stable.repo
[root@node-01 ~]# sudo yum-config-manager --add-repo '/tmp/tetrate-getenvoy-rpm-stable.repo'
[root@node-01 ~]# sudo yum makecache --disablerepo='*' --enablerepo='tetrate-getenvoy-rpm-stable'
[root@node-01 ~]# sudo yum install getenvoy-envoy
Building and installing Envoy from source
Download: https://github.com/envoyproxy/envoy/releases
Official documentation: https://www.envoyproxy.io/docs/envoy/latest/start/building
Build documentation: https://github.com/envoyproxy/envoy/blob/2950cf0afd4bfe48a72d8c475262305c0e258ba1/bazel/README.md
The build process itself is omitted here
Docker deployment
Available Docker images
https://www.envoyproxy.io/docs/envoy/latest/start/install#pre-built-envoy-docker-images
| Description | stable amd64 | stable arm64 | main amd64 | main arm64 |
|---|---|---|---|---|
| Release binary with symbols stripped on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| Release contrib binary with symbols stripped on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| Release binary with symbols stripped on top of a distroless base. | v1.24-latest | v1.24-latest | | |
| Release binary with symbols stripped on top of a Windows Server 1809 base. | v1.24-latest | | | |
| Release binary with debug symbols on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| Release contrib binary with debug symbols on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| Release tools on top of an Ubuntu 20.04 base. | v1.24-latest | v1.24-latest | | |
| Release binary with symbols stripped on top of an Ubuntu 20.04 base. | | | latest | latest |
| Release contrib binary with symbols stripped on top of an Ubuntu 20.04 base. | | | latest | latest |
| Release binary with symbols stripped on top of a distroless base. | | | latest | latest |
| Release binary with debug symbols on top of an Ubuntu 20.04 base. | | | latest | latest |
| Release contrib binary with debug symbols on top of an Ubuntu 20.04 base. | | | latest | latest |
| Release binary with symbols stripped on top of a Windows Server 1809 base. Includes build tools. | | | latest | |
| Release tools on top of an Ubuntu 20.04 base. | | | latest | latest |
| Build image which includes tools for building multi-arch Envoy and containers. | | | See Docker Hub | See Docker Hub |
Running with docker-compose
Prepare docker-compose.yaml
~# cat docker-compose.yaml
version: '3'
services:
  envoy:
    image: envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
    ports:
    - "10000:10000"
    volumes:
    - ./envoy.yaml:/etc/envoy/envoy.yaml
    environment:
    - "ENVOY_UID=0"
Run Envoy
~# docker-compose up
Building an Envoy Docker image
Prepare the Dockerfile
~# cat Dockerfile
FROM envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
COPY envoy.yaml /etc/envoy/envoy.yaml
RUN chmod go+r /etc/envoy/envoy.yaml
Build the image
~# docker build -t envoy:v1 .
Test the image
~# docker run -d --name envoy -p 9901:9901 -p 10000:10000 envoy:v1
Starting Envoy
Check the Envoy version
envoy --version
Get help
envoy --help
Validate the configuration file syntax
envoy --mode validate -c /path/to/my-envoy-config.yaml
Run Envoy
- When starting Envoy, the -c option must be used to point it at an initial configuration file that supplies the bootstrap configuration; the v3 API requires this.
- envoy -c /path/to/envoy-demo.yaml --log-path logs/custom.log
- The bootstrap configuration is the base of Envoy's configuration; it carries Envoy's initial configuration and may include definitions of both static and dynamic resources:
  - static resources (static_resources) are loaded directly at startup;
  - dynamic resources (dynamic_resources) are fetched and generated through the configured xDS services.
- Typically, Listeners and Clusters are the foundation Envoy needs to run; both can be configured entirely statically, supplied as a mix of static and dynamic definitions, or configured entirely dynamically.
Configuration file example
https://www.envoyproxy.io/docs/envoy/latest/_downloads/92dcb9714fb6bc288d042029b34c0de4/envoy-demo.yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 10000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          access_log:
          - name: envoy.access_loggers.stdout
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.access_loggers.stream.v3.StdoutAccessLog
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  host_rewrite_literal: www.envoyproxy.io
                  cluster: service_envoyproxy_io
  clusters:
  - name: service_envoyproxy_io
    type: LOGICAL_DNS
    # Comment out the following line to test on v6 networks
    dns_lookup_family: V4_ONLY
    load_assignment:
      cluster_name: service_envoyproxy_io
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: www.envoyproxy.io
                port_value: 443
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: www.envoyproxy.io
Common issues
Permission problems when running as a non-root user
By default the envoy Docker image starts as the root user, but it then switches to the envoy user, which is created in the Docker entrypoint at build time.
Changing the uid or gid of the envoy user inside the container: the envoy user's default uid and gid are 101. They can be set at runtime with the ENVOY_UID and ENVOY_GID environment variables.
To run the process inside the container as root, the UID can be set to 0, but doing so may weaken the security of the running container.
For example, this can be done on the Docker command line:
~# docker run -d --name envoy -e ENVOY_UID=777 -e ENVOY_GID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
Logging permissions inside the Envoy container
By default the envoy image sends application logs to /dev/stdout and /dev/stderr, so they can be viewed in the container logs.
If application, admin or access logs are written to a file, the envoy user needs the necessary permissions to write to that file. This can be achieved by setting the envoy UID or by giving the envoy user write permission on the file.
~# mkdir logs
~# chown 777 logs
~# docker run -d --name envoy -v $(pwd)/logs:/var/log -e ENVOY_UID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
Configuration and binary file permissions inside the Envoy container
The envoy user also needs permission to access any required configuration files in the container.
Any binaries referenced in the configuration should also be executable by the envoy user.
If running in an environment with strict umask settings, you may need to grant envoy access by setting the ownership or permissions of the files.
One way to do this without changing any file permissions is to start the container with the host user's uid.
~# docker run -d --name envoy -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml -e ENVOY_UID=$(id -u) envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
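Added example (not from the page or the Envoy project): a Python pre-flight check that models the three issues above, ENVOY_UID=0, config readability and log-directory writability, with plain mode-bit arithmetic, so it runs without Docker. The default uid 101 is the one stated above; the file layout in demo() is constructed.

```python
import os
import stat
import tempfile

ENVOY_DEFAULT_UID = 101  # default uid and gid of the envoy user in the image (stated above)

def _passes(uid, gid, path, owner_bit, group_bit, other_bit):
    """Classic owner/group/other check of one permission bit for a process running
    as uid/gid. No root override on purpose: we model the unprivileged envoy user."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def preflight(uid, gid, config_path, log_dir=None):
    """Return findings for running the image with ENVOY_UID=uid and ENVOY_GID=gid;
    an empty list means all three checks passed."""
    findings = []
    if uid == 0:
        findings.append("ENVOY_UID=0: Envoy would run as root inside the container")
    if not _passes(uid, gid, config_path, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        findings.append(f"config {config_path} not readable by uid {uid}/gid {gid}: "
                        "chown it to that uid or chmod go+r it as the Dockerfile does")
    # Creating a log file needs both write and search (x) permission on the directory.
    if log_dir is not None and not (
            _passes(uid, gid, log_dir, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
            and _passes(uid, gid, log_dir, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
        findings.append(f"log dir {log_dir} not writable by uid {uid}/gid {gid}: "
                        f"chown {uid} {log_dir} before mounting it on /var/log")
    return findings

def demo():
    """Constructed scenario: an envoy.yaml with a strict 0600 mode and a 0755 logs
    directory, both owned by the current host user, checked for three uids."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = os.path.join(tmp, "envoy.yaml")
        with open(cfg, "w") as f:
            f.write("static_resources: {}\n")  # constructed stand-in for the real config
        os.chmod(cfg, 0o600)
        logs = os.path.join(tmp, "logs")
        os.mkdir(logs)
        os.chmod(logs, 0o755)  # mkdir's mode is masked by umask, so force it
        return {
            "as_default_envoy_user": preflight(ENVOY_DEFAULT_UID, ENVOY_DEFAULT_UID, cfg, logs),
            "as_root": preflight(0, 0, cfg, logs),
            "as_host_user": preflight(os.getuid(), os.getgid(), cfg, logs),
        }
```

Calling demo() shows why the page's last command passes ENVOY_UID=$(id -u): the host user's uid passes both file checks, while the image's default uid 101 fails them on files it does not own.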
Specifying the port Envoy listens on inside the container
~# docker run -d --name envoy -p 80:8000 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1