“eBPF 是我见过的 Linux 中最神奇的技术,没有之一,已成为 Linux 内核中顶级子模块,从 tcpdump 中用作网络包过滤的经典 cbpf,到成为通用 Linux 内核技术的 eBPF,已经完成华丽蜕变,为应用与神奇的内核打造了一座桥梁,在系统跟踪、观测、性能调优、安全和网络等领域发挥重要的角色。为 Service Mesh 打造了具备 API 感知和安全高效的容器网络方案 Cilium,其底层正是基于 eBPF 技术”
# yum install bcc -y Resolving Dependencies --> Running transaction check ---> Package bcc.x86_64 0:0.8.0-1.el7 will be updated --> Processing Dependency: bcc(x86-64) = 0.8.0-1.el7 for package: python-bcc-0.8.0-1.el7.x86_64 ---> Package bcc.x86_64 0:0.10.0-1.el7 will be an update --> Processing Dependency: bcc-tools = 0.10.0-1.el7 for package: bcc-0.10.0-1.el7.x86_64 --> Running transaction check ---> Package bcc-tools.x86_64 0:0.8.0-1.el7 will be updated ---> Package bcc-tools.x86_64 0:0.10.0-1.el7 will be an update ---> Package python-bcc.x86_64 0:0.8.0-1.el7 will be updated ---> Package python-bcc.x86_64 0:0.10.0-1.el7 will be an update --> Finished Dependency Resolution ...
positional arguments: duration duration of trace, in seconds
optional arguments: -h, --help show this help message and exit -p PID, --pid PID profile process with this PID only -L TID, --tid TID profile thread with this TID only -U, --user-stacks-only show stacks from user space only (no kernel space stacks) -K, --kernel-stacks-only show stacks from kernel space only (no user space stacks) -F FREQUENCY, --frequency FREQUENCY sample frequency, Hertz -c COUNT, --count COUNT sample period, number of events -d, --delimited insert delimiter between kernel/user stacks -a, --annotations add _[k] annotations to kernel frames -I, --include-idle include CPU idle stacks -f, --folded output folded format, one line per stack (for flame graphs) --stack-storage-size STACK_STORAGE_SIZE the number of unique stack traces that can be stored and displayed (default 16384) -C CPU, --cpu CPU cpu number to run profile on
examples: ./profile # profile stack traces at 49 Hertz until Ctrl-C ./profile -F 99 # profile stack traces at 99 Hertz ./profile -c 1000000 # profile stack traces every 1 in a million events ./profile 5 # profile at 49 Hertz for 5 seconds only ./profile -f 5 # output in folded format for flame graphs ./profile -p 185 # only profile process with PID 185 ./profile -L 185 # only profile thread with TID 185 ./profile -U # only show user space stacks (no kernel) ./profile -K # only show kernel space stacks (no user)
optional arguments: -h, --help show this help message and exit -T, --time include time column on output (HH:MM:SS) -t, --timestamp include timestamp on output (seconds) -w, --wide wide column output (fits IPv6 addresses) -s, --csv comma separated values output -p PID, --pid PID trace this PID only -L LOCALPORT, --localport LOCALPORT comma-separated list of local ports to trace. -D REMOTEPORT, --remoteport REMOTEPORT comma-separated list of remote ports to trace.
examples: ./tcplife # trace all TCP connect()s ./tcplife -t # include time column (HH:MM:SS) ./tcplife -w # wider colums (fit IPv6) ./tcplife -stT # csv output, with times & timestamps ./tcplife -p 181 # only trace PID 181 ./tcplife -L 80 # only trace local port 80 ./tcplife -L 80,81 # only trace local ports 80 and 81 ./tcplife -D 80 # only trace remote port 80
通过在机器上使用 tcplife 来获取的网络连接信息,我们可以看到包括了 PID、COMM、本地 IP 地址、本地端口、远程 IP 地址和远程端口,通过这些信息非常方便排查到连接到特定 IP 地址的程序,尤其是连接的过程非常短暂,通过 netstat 等其他工具不容易排查的场景。
如果我们想知道更加详细的 TCP 状态情况,那么 tcptracer 可展示更加详细的 TCP 状态,其中 C 代表 Connect X 表示关闭, A 代表 Accept。
1 2 3 4 5 6 7
# /usr/share/bcc/tools/tcptracer Tracing TCP established connections. Ctrl-C to end. T PID COMM IP SADDR DADDR SPORT DPORT C 21066 ilogtail 4 10.81.128.12 100.100.49.128 40906 80 X 21066 ilogtail 4 10.81.128.12 100.100.49.128 40906 80 C 21066 ilogtail 4 10.81.128.12 100.100.49.128 40908 80 X 21066 ilogtail 4 10.81.128.12 100.100.49.128 40908 80
# This may not work for 4.17 on x64, you need replace kprobe__sys_clone with kprobe____x64_sys_clone prog = """ int kprobe__sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; } """
b = BPF(text=prog, debug=0x04) b.trace_print()
运行程序前需要安装过 bcc 相关工具包,当运行正常的时候我们发现每当 sys_clone 系统调用时,运行的控制台上就会打印 “Hello, World!”,在打印文字前面还包含了调用程序的进程名称,进程 ID 等信息;
// SyncPod syncs the running pod into the desired pod by executing following steps: // // 1. Compute sandbox and container changes. // 2. Kill pod sandbox if necessary. // 3. Kill any containers that should not be running. // 4. Create sandbox if necessary. // 5. Create init containers. // 6. Create normal containers. func(m *kubeGenericRuntimeManager)SyncPod(pod *v1.Pod, _ v1.PodStatus, podStatus *kubecontainer.PodStatus, pullSecrets []v1.Secret, backOff *flowcontrol.Backoff)(result kubecontainer.PodSyncResult) { // Step 1: Compute sandbox and container changes.
// Step 2: Kill the pod if the sandbox has changed. if podContainerChanges.KillPod { // ... } else { // Step 3: kill any running containers in this pod which are not to keep. // ... }
// Keep terminated init containers fairly aggressively controlled // This is an optimization because container removals are typically handled // by container garbage collector. m.pruneInitContainersBeforeStart(pod, podStatus)
// We pass the value of the podIP down to generatePodSandboxConfig and // generateContainerConfig, which in turn passes it to various other // functions, in order to facilitate functionality that requires this // value (hosts file and downward API) and avoid races determining // the pod IP in cases where a container requires restart but the // podIP isn't in the status manager yet. // // We default to the IP in the passed-in pod status, and overwrite it if the // sandbox needs to be (re)started. podIP := "" if podStatus != nil { podIP = podStatus.IP }
// Step 4: Create a sandbox for the pod if necessary. // 创建使用 pause 镜像创建的 sandbox podSandboxID := podContainerChanges.SandboxID if podContainerChanges.CreateSandbox { // ... podSandboxID, msg, err = m.createPodSandbox(pod, podContainerChanges.Attempt) // 底层调用 m.runtimeService.RunPodSandbox(podSandboxConfig, runtimeHandler) glog.V(4).Infof("Created PodSandbox %q for pod %q", podSandboxID, format.Pod(pod))
// Get podSandboxConfig for containers to start. podSandboxConfig, err := m.generatePodSandboxConfig(pod, podContainerChanges.Attempt)
// Step 5: start the init container. 启动所有的 init container if container := podContainerChanges.NextInitContainerToStart; container != nil { // Start the next init container. glog.V(4).Infof("Creating init container %+v in pod %v", container, format.Pod(pod)) if msg, err := m.startContainer(podSandboxID, podSandboxConfig, container, pod, podStatus, pullSecrets, podIP, kubecontainer.ContainerTypeInit); err != nil { // ... }
// Successfully started the container; clear the entry in the failure glog.V(4).Infof("Completed init container %q for pod %q", container.Name, format.Pod(pod)) }
// Step 6: start containers in podContainerChanges.ContainersToStart. 启动 container for _, idx := range podContainerChanges.ContainersToStart { container := &pod.Spec.Containers[idx] // ...
glog.V(4).Infof("Creating container %+v in pod %v", container, format.Pod(pod)) if msg, err := m.startContainer(podSandboxID, podSandboxConfig, container, pod, podStatus, pullSecrets, podIP, kubecontainer.ContainerTypeRegular); err != nil { // ... } }
containerManager cm.ContainerManager // cgroup driver used by Docker runtime. cgroupDriver string checkpointManager checkpointmanager.CheckpointManager // caches the version of the runtime. // To be compatible with multiple docker versions, we need to perform // version checking for some operations. Use this cache to avoid querying // the docker daemon every time we need to do such checks. versionCache *cache.ObjectCache // startLocalStreamingServer indicates whether dockershim should start a // streaming server on localhost. startLocalStreamingServer bool }
RuntimeService 接口定义:
1 2 3 4 5 6 7 8 9 10 11 12 13
// RuntimeService interface should be implemented by a container runtime. // The methods should be thread-safe. type RuntimeService interface { RuntimeVersioner ContainerManager PodSandboxManager ContainerStatsManager
// UpdateRuntimeConfig updates runtime configuration if specified UpdateRuntimeConfig(runtimeConfig *runtimeapi.RuntimeConfig) error // Status returns the status of the runtime. Status() (*runtimeapi.RuntimeStatus, error) }
PodSandboxManager 接口定义:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
// PodSandboxManager contains methods for operating on PodSandboxes. The methods // are thread-safe. type PodSandboxManager interface { // RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure // the sandbox is in ready state. RunPodSandbox(config *runtimeapi.PodSandboxConfig, runtimeHandler string) (string, error) // StopPodSandbox stops the sandbox. If there are any running containers in the // sandbox, they should be force terminated. StopPodSandbox(podSandboxID string) error // RemovePodSandbox removes the sandbox. If there are running containers in the // sandbox, they should be forcibly removed. RemovePodSandbox(podSandboxID string) error // PodSandboxStatus returns the Status of the PodSandbox. PodSandboxStatus(podSandboxID string) (*runtimeapi.PodSandboxStatus, error) // ListPodSandbox returns a list of Sandbox. ListPodSandbox(filter *runtimeapi.PodSandboxFilter) ([]*runtimeapi.PodSandbox, error) // PortForward prepares a streaming endpoint to forward ports from a PodSandbox, and returns the address. PortForward(*runtimeapi.PortForwardRequest) (*runtimeapi.PortForwardResponse, error) }
// RunPodSandbox creates and starts a pod-level sandbox. Runtimes should ensure // the sandbox is in ready state. // For docker, PodSandbox is implemented by a container holding the network // namespace for the pod. // Note: docker doesn't use LogDirectory (yet). func(ds *dockerService)RunPodSandbox(ctx context.Context, r *runtimeapi.RunPodSandboxRequest)(*runtimeapi.RunPodSandboxResponse, error) { config := r.GetConfig()
// Step 1: Pull the image for the sandbox. image := defaultSandboxImage if err := ensureSandboxImageExists(ds.client, image); err != nil { }
// Step 4: Start the sandbox container. // Assume kubelet's garbage collector would remove the sandbox later, if // startContainer failed. err = ds.client.StartContainer(createResp.ID)
// 设置 DNS config // Do not invoke network plugins if in hostNetwork mode. if config.GetLinux().GetSecurityContext().GetNamespaceOptions().GetNetwork() == runtimeapi.NamespaceMode_NODE { return resp, nil }
// Step 5: Setup networking for the sandbox. // All pod networking is setup by a CNI plugin discovered at startup time. // This plugin assigns the pod ip, sets up routes inside the sandbox, // creates interfaces etc. In theory, its jurisdiction ends with pod // sandbox networking, but it might insert iptables rules or open ports // on the host as well, to satisfy parts of the pod spec that aren't // recognized by the CNI standard yet. cID := kubecontainer.BuildContainerID(runtimeName, createResp.ID) err = ds.network.SetUpPod(config.GetMetadata().Namespace, config.GetMetadata().Name, cID, config.Annotations) return resp, nil }
func(plugin *cniNetworkPlugin)SetUpPod(namespace string, name string, id kubecontainer.ContainerID, annotations map[string]string)error { netnsPath, err := plugin.host.GetNetNS(id.ID)
// Windows doesn't have loNetwork. It comes only with Linux if plugin.loNetwork != nil { if _, err = plugin.addToNetwork(plugin.loNetwork, name, namespace, id, netnsPath, annotations); err != nil { } } _, err = plugin.addToNetwork(plugin.getDefaultNetwork(), name, namespace, id, netnsPath, annotations)
// Plugin is an interface to network plugins for the kubelet type NetworkPlugin interface { // Init initializes the plugin. This will be called exactly once // before any other methods are called. Init(host Host, hairpinMode kubeletconfig.HairpinMode, nonMasqueradeCIDR string, mtu int) error
// Called on various events like: // NET_PLUGIN_EVENT_POD_CIDR_CHANGE Event(name string, details map[string]interface{})
// Name returns the plugin's name. This will be used when searching // for a plugin by name, e.g. Name() string
// Returns a set of NET_PLUGIN_CAPABILITY_* Capabilities() utilsets.Int
// SetUpPod is the method called after the infra container of // the pod has been created but before the other containers of the // pod are launched. SetUpPod(namespace string, name string, podSandboxID kubecontainer.ContainerID, annotations map[string]string) error
// TearDownPod is the method called before a pod's infra container will be deleted TearDownPod(namespace string, name string, podSandboxID kubecontainer.ContainerID) error
// GetPodNetworkStatus is the method called to obtain the ipv4 or ipv6 addresses of the container GetPodNetworkStatus(namespace string, name string, podSandboxID kubecontainer.ContainerID) (*PodNetworkStatus, error)
// Status returns error if the network plugin is in error state Status() error }
sort.Strings(files) for _, confFile := range files { var confList *libcni.NetworkConfigList if strings.HasSuffix(confFile, ".conflist") { confList, err = libcni.ConfListFromFile(confFile) } else { conf, err := libcni.ConfFromFile(confFile)
// Ensure the config has a "type" so we know what plugin to run. // Also catches the case where somebody put a conflist into a conf file. if conf.Network.Type == "" { glog.Warningf("Error loading CNI config file %s: no 'type'; perhaps this is a .conflist?", confFile) continue }
confList, err = libcni.ConfListFromConf(conf) if err != nil { glog.Warningf("Error converting CNI config file %s to list: %v", confFile, err) continue } } iflen(confList.Plugins) == 0 { glog.Warningf("CNI config list %s has no networks, skipping", confFile) continue }
// 启动 informer 监听 go c.PodInformer.Informer().Run(stopCh) c.InformerFactory.Start(stopCh)
// Wait for all caches to sync before scheduling. c.InformerFactory.WaitForCacheSync(stopCh) controller.WaitForCacheSync("scheduler", stopCh, c.PodInformer.Informer().HasSynced)
// Prepare a reusable run function. run := func(ctx context.Context) { sched.Run() // 主入口 <-ctx.Done() }
// ... run(ctx) return fmt.Errorf("finished without leader elect") }
k8s.io/kubernetes/pkg/scheduler/scheduler.go
1 2 3 4 5 6 7 8 9
// Run begins watching and scheduling. It waits for cache to be synced, then starts a goroutine and returns immediately. func(sched *Scheduler)Run() { if !sched.config.WaitForCacheSync() { return }
// 主入口函数 scheduleOne go wait.Until(sched.scheduleOne, 0, sched.config.StopEverything) }
// Set up leader election if enabled. var leaderElectionConfig *leaderelection.LeaderElectionConfig if c.ComponentConfig.LeaderElection.LeaderElect { leaderElectionConfig, err = makeLeaderElectionConfig(c.ComponentConfig.LeaderElection, leaderElectionClient, recorder) }
type completedConfig struct { *Config } // CompletedConfig same as Config, just to swap private object. type CompletedConfig struct { // Embed a private pointer that cannot be instantiated outside of this package. // 嵌入一个私有的指针,避免在包外初始化 *completedConfig }
// Config has all the context to run a Scheduler type Config struct { // config is the scheduler server's configuration object. ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration // 认证相关的 Authentication apiserver.AuthenticationInfo Authorization apiserver.AuthorizationInfo Client clientset.Interface // k8s client InformerFactory informers.SharedInformerFactory // infromer factory PodInformer coreinformers.PodInformer // pod informer EventClient v1core.EventsGetter Recorder record.EventRecorder Broadcaster record.EventBroadcaster // LeaderElection is optional. LeaderElection *leaderelection.LeaderElectionConfig }
// KubeSchedulerConfiguration configures a scheduler type KubeSchedulerConfiguration struct { metav1.TypeMeta
// SchedulerName is name of the scheduler, used to select which pods // will be processed by this scheduler, based on pod's "spec.SchedulerName". // 调度器的名字,用于用户选择不同的调度器 SchedulerName string // AlgorithmSource specifies the scheduler algorithm source. // 指定算法的来源 AlgorithmSource SchedulerAlgorithmSource // RequiredDuringScheduling affinity is not symmetric, but there is an implicit PreferredDuringScheduling affinity rule // corresponding to every RequiredDuringScheduling affinity rule. // HardPodAffinitySymmetricWeight represents the weight of implicit PreferredDuringScheduling affinity rule, in the range 0-100. HardPodAffinitySymmetricWeight int32
// LeaderElection defines the configuration of leader election client. LeaderElection KubeSchedulerLeaderElectionConfiguration
// ClientConnection specifies the kubeconfig file and client connection // settings for the proxy server to use when communicating with the apiserver. ClientConnection apimachineryconfig.ClientConnectionConfiguration // HealthzBindAddress is the IP address and port for the health check server to serve on, // defaulting to 0.0.0.0:10251 HealthzBindAddress string // MetricsBindAddress is the IP address and port for the metrics server to // serve on, defaulting to 0.0.0.0:10251. MetricsBindAddress string
// DisablePreemption disables the pod preemption feature. // 是否禁止强制调度 DisablePreemption bool
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver. func(c *Config)Complete()CompletedConfig { cc := completedConfig{c}
if c.InsecureServing != nil { c.InsecureServing.Name = "healthz" } if c.InsecureMetricsServing != nil { c.InsecureMetricsServing.Name = "metrics" }
return CompletedConfig{&cc} }
配置初始化-之 scheduler.Config
切换整体,回到 Run 函数的初始化函数 schedulerConfig, err := NewSchedulerConfig(c)
// NewSchedulerConfig creates the scheduler configuration. funcNewSchedulerConfig(s schedulerserverconfig.CompletedConfig)(*scheduler.Config, error) {
// Set up the configurator which can create schedulers from configs. // 创建 configurator,用于生成各种需要的 config // 返回 configFactory, 文件定义在 k8s.io/kubernetes/pkg/scheduler/factory/factory.go // NewConfigFactory() -> 初始化各种 informer,比较重要的是 PodInformer // unscheduled pod queue /* args.PodInformer.Informer().AddEventHandler( cache.FilteringResourceEventHandler{ FilterFunc: func(obj interface{}) bool { // 用于过滤 pod.Spec.NodeName 为空等条件 Pod switch t := obj.(type) { case *v1.Pod: return unassignedNonTerminatedPod(t) && responsibleForPod(t, args.SchedulerName) case cache.DeletedFinalStateUnknown: if pod, ok := t.Obj.(*v1.Pod); ok { return unassignedNonTerminatedPod(pod) && responsibleForPod(pod, args.SchedulerName) } runtime.HandleError(fmt.Errorf("unable to convert object %T to *v1.Pod in %T", obj, c)) return false default: runtime.HandleError(fmt.Errorf("unable to handle object in %T: %T", c, obj)) return false } }, Handler: cache.ResourceEventHandlerFuncs{ AddFunc: c.addPodToSchedulingQueue, UpdateFunc: c.updatePodInSchedulingQueue, DeleteFunc: c.deletePodFromSchedulingQueue, }, }, ) */ configurator := factory.NewConfigFactory(&factory.ConfigFactoryArgs{ SchedulerName: s.ComponentConfig.SchedulerName, Client: s.Client, NodeInformer: s.InformerFactory.Core().V1().Nodes(), PodInformer: s.PodInformer, PvInformer: s.InformerFactory.Core().V1().PersistentVolumes(), PvcInformer: s.InformerFactory.Core().V1().PersistentVolumeClaims(), ReplicationControllerInformer: s.InformerFactory.Core().V1().ReplicationControllers(), ReplicaSetInformer: s.InformerFactory.Apps().V1().ReplicaSets(), StatefulSetInformer: s.InformerFactory.Apps().V1().StatefulSets(), ServiceInformer: s.InformerFactory.Core().V1().Services(), PdbInformer: s.InformerFactory.Policy().V1beta1().PodDisruptionBudgets(), StorageClassInformer: storageClassInformer, HardPodAffinitySymmetricWeight: s.ComponentConfig.HardPodAffinitySymmetricWeight, EnableEquivalenceClassCache: utilfeature.DefaultFeatureGate.Enabled(features.EnableEquivalenceClassCache), DisablePreemption: s.ComponentConfig.DisablePreemption, PercentageOfNodesToScore: s.ComponentConfig.PercentageOfNodesToScore, BindTimeoutSeconds: *s.ComponentConfig.BindTimeoutSeconds, })
// https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/ source := s.ComponentConfig.AlgorithmSource // KubeSchedulerConfiguration` var config *scheduler.Config switch { // 创建调度算法有两种方式 Provider 和 用户指定的 Ploicy 文件(文件或Configmap) // --algorithm-provider string // DEPRECATED: the scheduling algorithm provider to use, one of: // ClusterAutoscalerProvider | DefaultProvider case source.Provider != nil: // Create the config from a named algorithm provider. // 使用前面创建的 configurator 创建命名的算法 provider 配置 // ClusterAutoscalerProvider | DefaultProvider sc, err := configurator.CreateFromProvider(*source.Provider) config = sc // --policy-config-file string //DEPRECATED: file with scheduler policy configuration. This file is used if policy ConfigMap is not provided or --use-legacy-policy-config=true
case source.Policy != nil: // Create the config from a user specified policy source. policy := &schedulerapi.Policy{} switch { case source.Policy.File != nil: // Use a policy serialized in a file. policyFile := source.Policy.File.Path data, err := ioutil.ReadFile(policyFile) err = runtime.DecodeInto(latestschedulerapi.Codec, []byte(data), policy)
// Creates a scheduler from a set of registered fit predicate keys and priority keys. func(c *configFactory)CreateFromKeys(predicateKeys, priorityKeys sets.String, extenders []algorithm.SchedulerExtender)(*scheduler.Config, error) { // ...
// scheduleOne does the entire scheduling workflow for a single pod. It is serialized on the scheduling algorithm's host fitting. func(sched *Scheduler)scheduleOne() { // 从队列中取出待调度的 Pod,最终调用的函数为 configFactory.getNextPod() pod := sched.config.NextPod() // 检查是否是被删除的,如果是则跳过 // Synchronously attempt to find a fit for the pod. start := time.Now() // 获取待调度 Pod 匹配的主机名 suggestedHost, err := sched.schedule(pod) // 见后续分析 if err != nil { // schedule() 可能因为没有满足调度的 Node 而失败,后续进行 preempt, if fitError, ok := err.(*core.FitError); ok { preemptionStartTime := time.Now() sched.preempt(pod, fitError) } return } // Tell the cache to assume that a pod now is running on a given node, even though it hasn't been bound yet. // This allows us to keep scheduling without waiting on binding to occur. assumedPod := pod.DeepCopy()
// 判断是否需要VolumeScheduling特性 // Assume volumes first before assuming the pod. If all volumes are completely bound, then allBound is true and binding will be skipped. Otherwise, binding of volumes is started after the pod is assumed, but before pod binding. This function modifies 'assumedPod' if volume binding is required. allBound, err := sched.assumeVolumes(assumedPod, suggestedHost) if err != nil { return }
// assume modifies `assumedPod` by setting NodeName=suggestedHost // Pod 对应的 NodeName 写上主机名,存入缓存 err = sched.assume(assumedPod, suggestedHost)
// bind the pod to its host asynchronously (we can do this b/c of the assumption step above). // 请求apiserver,异步处理最终的绑定,写入到etcd gofunc() { // Bind volumes first before Pod if !allBound { err = sched.bindVolumes(assumedPod) }
// Schedule tries to schedule the given pod to one of the nodes in the node list. // If it succeeds, it will return the name of the node. // If it fails, it will return a FitError error with reasons. func(g *genericScheduler)Schedule(pod *v1.Pod, nodeLister algorithm.NodeLister)(string, error) {
nodes, err := nodeLister.List()
// Used for all fit and priority funcs. err = g.cache.UpdateNodeNameToInfoMap(g.cachedNodeInfoMap)
// Filters the nodes to find the ones that fit based on the given predicate functions // Each node is passed through the predicate functions to determine if it is a fit func(g *genericScheduler)findNodesThatFit(pod *v1.Pod, nodes []*v1.Node)([]*v1.Node, FailedPredicateMap, error) { var filtered []*v1.Node failedPredicateMap := FailedPredicateMap{}
// Stops searching for more nodes once the configured number of feasible nodes // are found. workqueue.ParallelizeUntil(ctx, 16, int(allNodes), checkNode)
// podFitsOnNode checks whether a node given by NodeInfo satisfies the given predicate functions. // For given pod, podFitsOnNode will check if any equivalent pod exists and try to reuse its cached // predicate results as possible. // This function is called from two different places: Schedule and Preempt. // When it is called from Schedule, we want to test whether the pod is schedulable // on the node with all the existing pods on the node plus higher and equal priority // pods nominated to run on the node. // When it is called from Preempt, we should remove the victims of preemption and // add the nominated pods. Removal of the victims is done by SelectVictimsOnNode(). // It removes victims from meta and NodeInfo before calling this function. funcpodFitsOnNode( pod *v1.Pod, meta algorithm.PredicateMetadata, info *schedulercache.NodeInfo, predicateFuncs map[string]algorithm.FitPredicate, cache schedulercache.Cache, nodeCache *equivalence.NodeCache, queue SchedulingQueue, alwaysCheckAllPredicates bool, equivClass *equivalence.Class, )(bool, []algorithm.PredicateFailureReason, error) { var ( eCacheAvailable bool failedPredicates []algorithm.PredicateFailureReason )
podsAdded := false // We run predicates twice in some cases. If the node has greater or equal priority // nominated pods, we run them when those pods are added to meta and nodeInfo. // If all predicates succeed in this pass, we run them again when these // nominated pods are not added. This second pass is necessary because some // predicates such as inter-pod affinity may not pass without the nominated pods. // If there are no nominated pods for the node or if the first run of the // predicates fail, we don't run the second pass. // We consider only equal or higher priority pods in the first pass, because // those are the current "pod" must yield to them and not take a space opened // for running them. It is ok if the current "pod" take resources freed for // lower priority pods. // Requiring that the new pod is schedulable in both circumstances ensures that // we are making a conservative decision: predicates like resources and inter-pod // anti-affinity are more likely to fail when the nominated pods are treated // as running, while predicates like pod affinity are more likely to fail when // the nominated pods are treated as not running. We can't just assume the // nominated pods are running because they are not running right now and in fact, // they may end up getting scheduled to a different node. for i := 0; i < 2; i++ { metaToUse := meta nodeInfoToUse := info // 第一次调度,根据NominatedPods更新meta和nodeInfo信息,pod根据更新后的信息去预选 // 第二次调度,meta和nodeInfo信息不变,保证pod不完全依赖于NominatedPods(主要考虑到pod亲和性之类的) if i == 0 { podsAdded, metaToUse, nodeInfoToUse = addNominatedPods(pod, meta, info, queue) } elseif !podsAdded || len(failedPredicates) != 0 { break } // Bypass eCache if node has any nominated pods. // TODO(bsalamat): consider using eCache and adding proper eCache invalidations // when pods are nominated or their nominations change. eCacheAvailable = equivClass != nil && nodeCache != nil && !podsAdded for _, predicateKey := range predicates.Ordering() { var ( fit bool reasons []algorithm.PredicateFailureReason err error )
if !fit { // eCache is available and valid, and predicates result is unfit, record the fail reasons failedPredicates = append(failedPredicates, reasons...) // if alwaysCheckAllPredicates is false, short circuit all predicates when one predicate fails.
// PrioritizeNodes prioritizes the nodes by running the individual priority functions in parallel. // Each priority function is expected to set a score of 0-10 // 0 is the lowest priority score (least preferred node) and 10 is the highest // Each priority function can also have its own weight // The node scores returned by the priority function are multiplied by the weights to get weighted scores // All scores are finally combined (added) to get the total weighted scores of all nodes funcPrioritizeNodes( pod *v1.Pod, nodeNameToInfo map[string]*schedulercache.NodeInfo, meta interface{}, priorityConfigs []algorithm.PriorityConfig, nodes []*v1.Node, extenders []algorithm.SchedulerExtender, )(schedulerapi.HostPriorityList, error) { // If no priority configs are provided, then the EqualPriority function is applied // This is required to generate the priority list in the required format iflen(priorityConfigs) == 0 && len(extenders) == 0 { result := make(schedulerapi.HostPriorityList, 0, len(nodes)) for i := range nodes { hostPriority, err := EqualPriorityMap(pod, meta, nodeNameToInfo[nodes[i].Name]) if err != nil { returnnil, err } result = append(result, hostPriority) } return result, nil }
var ( mu = sync.Mutex{} wg = sync.WaitGroup{} errs []error )
for i, priorityConfig := range priorityConfigs { if priorityConfig.Function != nil { wg.Add(1) gofunc(index int, config algorithm.PriorityConfig) { defer wg.Done() var err error results[index], err = config.Function(pod, nodeNameToInfo, nodes) if err != nil { appendError(err) } }(i, priorityConfig) } else { results[i] = make(schedulerapi.HostPriorityList, len(nodes)) } }
processNode := func(index int) { nodeInfo := nodeNameToInfo[nodes[index].Name] var err error for i := range priorityConfigs { // 使用 map 函数计算过程数据 results[i][index], err = priorityConfigs[i].Map(pod, meta, nodeInfo) } } workqueue.Parallelize(16, len(nodes), processNode) for i, priorityConfig := range priorityConfigs { wg.Add(1) gofunc(index int, config algorithm.PriorityConfig) { // 使用 reduce 函数结算结果 if err := config.Reduce(pod, meta, nodeNameToInfo, results[index]); err != nil { appendError(err) } }(i, priorityConfig) } // Wait for all computations to be finished. wg.Wait() // Summarize all scores. result := make(schedulerapi.HostPriorityList, 0, len(nodes))
for i := range nodes { result = append(result, schedulerapi.HostPriority{Host: nodes[i].Name, Score: 0}) for j := range priorityConfigs { result[i].Score += results[j][i].Score * priorityConfigs[j].Weight } }
// 继续使用 extenders 来进行优选 iflen(extenders) != 0 && nodes != nil { combinedScores := make(map[string]int, len(nodeNameToInfo)) for _, extender := range extenders { wg.Add(1) gofunc(ext algorithm.SchedulerExtender) { defer wg.Done() prioritizedList, weight, err := ext.Prioritize(pod, nodes) if err != nil { // Prioritization errors from extender can be ignored, let k8s/other extenders determine the priorities return } mu.Lock() for i := range *prioritizedList { host, score := (*prioritizedList)[i].Host, (*prioritizedList)[i].Score combinedScores[host] += score * weight } mu.Unlock() }(extender) } // wait for all go routines to finish wg.Wait() for i := range result { result[i].Score += combinedScores[result[i].Host] } } return result, nil }
// IMPORTANT NOTES for predicate developers: // We are using cached predicate result for pods belonging to the same equivalence class. // So when implementing a new predicate, you are expected to check whether the result // of your predicate function can be affected by related API object change (ADD/DELETE/UPDATE). // If yes, you are expected to invalidate the cached predicate result for related API object change. // For example: // https://github.com/kubernetes/kubernetes/blob/36a218e/plugin/pkg/scheduler/factory/factory.go#L422
// Registers predicates and priorities that are not enabled by default, but user can pick when creating their // own set of priorities/predicates.
// PodFitsPorts has been replaced by PodFitsHostPorts for better user understanding. // For backwards compatibility with 1.0, PodFitsPorts is registered as well. factory.RegisterFitPredicate("PodFitsPorts", predicates.PodFitsHostPorts) // Fit is defined based on the absence of port conflicts. // This predicate is actually a default predicate, because it is invoked from // predicates.GeneralPredicates() factory.RegisterFitPredicate(predicates.PodFitsHostPortsPred, predicates.PodFitsHostPorts) // Fit is determined by resource availability. // This predicate is actually a default predicate, because it is invoked from // predicates.GeneralPredicates() factory.RegisterFitPredicate(predicates.PodFitsResourcesPred, predicates.PodFitsResources) // Fit is determined by the presence of the Host parameter and a string match // This predicate is actually a default predicate, because it is invoked from // predicates.GeneralPredicates() factory.RegisterFitPredicate(predicates.HostNamePred, predicates.PodFitsHost) // Fit is determined by node selector query. factory.RegisterFitPredicate(predicates.MatchNodeSelectorPred, predicates.PodMatchNodeSelector)
// ServiceSpreadingPriority is a priority config factory that spreads pods by minimizing // the number of pods (belonging to the same service) on the same node. // Register the factory so that it's available, but do not include it as part of the default priorities // Largely replaced by "SelectorSpreadPriority", but registered for backward compatibility with 1.0 factory.RegisterPriorityConfigFactory( "ServiceSpreadingPriority", factory.PriorityConfigFactory{ MapReduceFunction: func(args factory.PluginFactoryArgs)(algorithm.PriorityMapFunction, algorithm.PriorityReduceFunction) { return priorities.NewSelectorSpreadPriority(args.ServiceLister, algorithm.EmptyControllerLister{}, algorithm.EmptyReplicaSetLister{}, algorithm.EmptyStatefulSetLister{}) }, Weight: 1, }, ) // EqualPriority is a prioritizer function that gives an equal weight of one to all nodes // Register the priority function so that its available // but do not include it as part of the default priorities factory.RegisterPriorityFunction2("EqualPriority", core.EqualPriorityMap, nil, 1) // Optional, cluster-autoscaler friendly priority function - give used nodes higher priority. factory.RegisterPriorityFunction2("MostRequestedPriority", priorities.MostRequestedPriorityMap, nil, 1) factory.RegisterPriorityFunction2( "RequestedToCapacityRatioPriority", priorities.RequestedToCapacityRatioResourceAllocationPriorityDefault().PriorityMap, nil, 1) }
// IMPORTANT NOTE: this list contains the ordering of the predicates, if you develop a new predicate // it is mandatory to add its name to this list. // Otherwise it won't be processed, see generic_scheduler#podFitsOnNode(). // The order is based on the restrictiveness & complexity of predicates. // Design doc: https://github.com/kubernetes/community/blob/master/contributors/design-proposals/scheduling/predicates-ordering.md
funcdefaultPredicates()sets.String { return sets.NewString( // ... // Fit is determined by node conditions: not ready, // network unavailable or out of disk. factory.RegisterMandatoryFitPredicate(predicates.CheckNodeConditionPred, predicates.CheckNodeConditionPredicate), // 见下文函数分析
// CheckNodeConditionPredicate checks if a pod can be scheduled on a node reporting out of disk, // network unavailable and not ready condition. Only node conditions are accounted in this predicate. funcCheckNodeConditionPredicate(pod *v1.Pod, meta algorithm.PredicateMetadata, nodeInfo *schedulercache.NodeInfo)(bool, []algorithm.PredicateFailureReason, error) { reasons := []algorithm.PredicateFailureReason{}
// RegisterFitPredicate registers a fit predicate with the algorithm // registry. Returns the name with which the predicate was registered. funcRegisterFitPredicate(name string, predicate algorithm.FitPredicate)string { return RegisterFitPredicateFactory(name, func(PluginFactoryArgs)algorithm.FitPredicate { return predicate }) }
funcdefaultPriorities()sets.String { return sets.NewString( // spreads pods by minimizing the number of pods (belonging to the same service or replication controller) on the same node. factory.RegisterPriorityConfigFactory( "SelectorSpreadPriority", factory.PriorityConfigFactory{ MapReduceFunction: func(args factory.PluginFactoryArgs)(algorithm.PriorityMapFunction, algorithm.PriorityReduceFunction) { return priorities.NewSelectorSpreadPriority(args.ServiceLister, args.ControllerLister, args.ReplicaSetLister, args.StatefulSetLister) }, Weight: 1, }, ), // pods should be placed in the same topological domain (e.g. same node, same rack, same zone, same power domain, etc.) // as some other pods, or, conversely, should not be placed in the same topological domain as some other pods. factory.RegisterPriorityConfigFactory( "InterPodAffinityPriority", factory.PriorityConfigFactory{ Function: func(args factory.PluginFactoryArgs)algorithm.PriorityFunction { return priorities.NewInterPodAffinityPriority(args.NodeInfo, args.NodeLister, args.PodLister, args.HardPodAffinitySymmetricWeight) }, Weight: 1, }, ),
// Prioritize nodes by least requested utilization. factory.RegisterPriorityFunction2("LeastRequestedPriority", priorities.LeastRequestedPriorityMap, nil, 1),
// Prioritizes nodes to help achieve balanced resource usage factory.RegisterPriorityFunction2("BalancedResourceAllocation", priorities.BalancedResourceAllocationMap, nil, 1),
// Set this weight large enough to override all other priority functions. // TODO: Figure out a better way to do this, maybe at same time as fixing #24720. factory.RegisterPriorityFunction2("NodePreferAvoidPodsPriority", priorities.CalculateNodePreferAvoidPodsPriorityMap, nil, 10000),
// Prioritizes nodes that have labels matching NodeAffinity factory.RegisterPriorityFunction2("NodeAffinityPriority", priorities.CalculateNodeAffinityPriorityMap, priorities.CalculateNodeAffinityPriorityReduce, 1),
// Prioritizes nodes that marked with taint which pod can tolerate. factory.RegisterPriorityFunction2("TaintTolerationPriority", priorities.ComputeTaintTolerationPriorityMap, priorities.ComputeTaintTolerationPriorityReduce, 1),
// ImageLocalityPriority prioritizes nodes that have images requested by the pod present. factory.RegisterPriorityFunction2("ImageLocalityPriority", priorities.ImageLocalityPriorityMap, nil, 1), ) }
Available Commands: discovery Start Istio proxy discovery service help Help about any command request Makes an HTTP request to Pilot metrics/debug endpoint version Prints out build version information
# kubectl exec -ti istio-pilot-f9d78b7b9-fmhfb -n istio-system -c discovery -- /usr/local/bin/pilot-discovery discovery --help Defaulting container name to discovery.
Start Istio proxy discovery service
Usage: pilot-discovery discovery [flags]
Flags: -a, --appNamespace string Restrict the applications namespace the controller manages; if not set, controller watches all namespaces --cfConfig string Cloud Foundry config file --clusterRegistriesConfigMap string ConfigMap map for clusters config store --clusterRegistriesNamespace string Namespace for ConfigMap which stores clusters configs --configDir string Directory to watch for updates to config yaml files. If specified, the files will be used as the source of config, rather than a CRD client. --consulserverInterval duration Interval (in seconds) for polling the Consul service registry (default 2s) --consulserverURL string URL for the Consul server --disable-install-crds Disable discovery service from verifying the existence of CRDs at startup and then installing if not detected. It is recommended to be disablefor highly available setups. --discovery_cache Enable caching discovery service responses (default true) --domain string DNS domain suffix (default "cluster.local") --grpcAddr string Discovery service grpc address (default ":15010") -h, --helphelpfor discovery --httpAddr string Discovery service HTTP address (default ":8080") --kubeconfig string Use a Kubernetes configuration file instead of in-cluster configuration --meshConfig string File name for Istio mesh configuration. If not specified, a default mesh will be used. (default "/etc/istio/config/mesh") --monitoringAddr string HTTP address to use for the exposing pilot self-monitoring information (default ":9093") -n, --namespace string Select a namespace where the controller resides. If not set, uses ${POD_NAMESPACE} environment variable --plugins stringSlice comma separated list of networking plugins to enable (default [authn,authz,health,mixer,envoyfilter]) --profile Enable profiling via web interface host:port/debug/pprof (default true) --registries stringSlice Comma separated list of platform service registries to read from (choose one or more from {Kubernetes, Consul, CloudFoundry, Mock, Config}) (default [Kubernetes]) --resync duration Controller resync interval (default 1m0s) --secureGrpcAddr string Discovery service grpc address, with https (default ":15012") --webhookEndpoint string Webhook API endpoint (supports http://sockethost, and unix:///absolute/path/to/socket
// Create the stop channel for all of the servers. stop := make(chanstruct{})
// Create the server for the discovery service. discoveryServer, err := bootstrap.NewServer(serverArgs) if err != nil { return fmt.Errorf("failed to create discovery service: %v", err) }
// Start the server if err := discoveryServer.Start(stop); err != nil { return fmt.Errorf("failed to start discovery service: %v", err) }
// NewServer creates a new Server instance based on the provided arguments. funcNewServer(args PilotArgs)(*Server, error) { // ... s := &Server{ filewatcher: filewatcher.NewWatcher(), } // 省略错误处理 s.initKubeClient(&args) // 初始化到 k8s 集群的客户端 s.kubeClient s.initMesh(&args) // 初始化配置,并添加到 filewatcher 中, /etc/istio/config/mesh // 1.0.5 版本的 cmd 中未包括,应该是 1.1 中添加 // serverArgs.NetworksConfigFile, "networksConfig", "/etc/istio/config/meshNetworks" // 初始化配置,并加入到 filewatcher 中监听 s.initMeshNetworks(&args) // initMixerSan configures the mixerSAN configuration item. // The mesh must already have been configured. s.initMixerSan(&args) // creates the config controller in the pilotConfig. // 最终会创建一个 crd.NewController 实例 s.initConfigController(&args) /* 内部以 kube 为例,表明主要流程 controller, err := s.makeKubeConfigController(args) s.configController = controller s.addStartFunc(func(stop <-chan struct{}) error { go s.configController.Run(stop) // 1. 第一个启动的 configController }) */ // creates and initializes the service controllers s.initServiceControllers(&args) /* s.createK8sServiceControllers(serviceControllers, args) --> kube.NewController(s.kubeClient, args.Config.ControllerOptions) s.addStartFunc(func(stop <-chan struct{}) error { go s.ServiceController.Run(stop) // 2. 第二个启动的 ServiceController return nil }) */ // 初始化 DiscoveryService gRPC 服务器,后面详细讲解 // 添加2个 func 到 startFuncs 中 s.initDiscoveryService(&args) // initializes the configuration for the pilot monitoring server. // 添加1个 func 到 startFuncs 中 s.initMonitor(&args) // starts the secret controller to watch for remote // clusters and initialize the multicluster structures. // 主要指定了,连接到远程集群的配置和需要监控的 namespace,并启动一个 secret controller // 监视 istio/multiCluster=true 的 secret // --clusterRegistriesConfigMap ConfigMap map for clusters config store // --clusterRegistriesNamespace string Namespace for ConfigMap which stores clusters configs // 暂时不分析 s.initClusterRegistries(&args)
return s, nil }
// 将 NewServer 函数中初始化的函数依次启动起来 func(s *Server)Start(stop <-chanstruct{})error { // Now start all of the components. for _, fn := range s.startFuncs { fn(stop) } }
istio.io/api/mesh/v1alpha1/network.pb.go
其中 MeshNetworks 结构体和定义说明如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
// MeshNetworks (config map) provides information about the set of networks // inside a mesh and how to route to endpoints in each network. For example // // MeshNetworks(file/config map): // networks: // - network1: // - endpoints: // - fromRegistry: registry1 #must match secret name in kubernetes // - fromCidr: 192.168.100.0/22 #a VM network for example // gateways: // - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local // port: 15443 // locality: us-east-1a type MeshNetworks struct { // REQUIRED: The set of networks inside this mesh. Each network should // have a unique name and information about how to infer the endpoints in // the network as well as the gateways associated with the network. Networks map[string]*Network `protobuf:"bytes,1,rep,name=networks" json:"networks,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value"` }
// 初始化相关配置,并监视配置的变化情况 // ... // creates the config controller in the pilotConfig. // 最终会创建一个 crd.NewController 实例 s.initConfigController(&args) // s.makeKubeConfigController(args) // s.configController.Run(stop)
// creates and initializes the service controllers s.initServiceControllers(&args) // kube.NewController(s.kubeClient, args.Config.ControllerOptions) // go s.ServiceController.Run(stop) // 初始化 DiscoveryService gRPC 服务器,后面详细讲解 // 添加 2 个 func 到 startFuncs 中 s.initDiscoveryService(&args)
return s, nil }
ConfigController
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
// initConfigController creates the config controller in the pilotConfig. func(s *Server)initConfigController(args *PilotArgs)error { // k8s 方式下初始化 controller, err := s.makeKubeConfigController(args) s.configController = controller
// Defer starting the controller until after the service is created. s.addStartFunc(func(stop <-chanstruct{})error { go s.configController.Run(stop) returnnil })
//...
// Create the config store. s.istioConfigStore = model.MakeIstioStore(s.configController)
// NewController creates a new Kubernetes controller for CRDs // Use "" for namespace to listen for all namespace changes funcNewController(client *Client, options kube.ControllerOptions)model.ConfigStoreCache { log.Infof("CRD controller watching namespaces %q", options.WatchedNamespace)
// Queue requires a time duration for a retry delay after a handler error out := &controller{ client: client, queue: kube.NewQueue(1 * time.Second), kinds: make(map[string]cacheHandler), }
// add stores for CRD kinds for _, schema := range client.ConfigDescriptor() { out.addInformer(schema, options.WatchedNamespace, options.ResyncPeriod) }
return out }
对于 CRD 的监视,每一类资源需要启动一个单独的客户端连接,目前 CRD 的 Group 主要有 network/config/authentication/rbac 等;
1 2 3 4 5 6 7 8 9 10 11 12
// controller is a collection of synchronized resource watchers. // Caches are thread-safe type controller struct { client *Client // 每类资源一个连接 queue kube.Queue kinds map[string]cacheHandler }
type cacheHandler struct { informer cache.SharedIndexInformer handler *kube.ChainHandler }
1 2 3 4 5 6 7 8
// Client is a basic REST client for CRDs implementing config store type Client struct { // Map of apiVersion to restClient. clientset map[string]*restClient
// domainSuffix for the config metadata domainSuffix string }
// NewController creates a new Kubernetes controller // Created by bootstrap and multicluster (see secretcontroler). funcNewController(client kubernetes.Interface, options ControllerOptions) *Controller { log.Infof("Service controller watching namespace %q for services, endpoints, nodes and pods, refresh %s", options.WatchedNamespace, options.ResyncPeriod)
// Queue requires a time duration for a retry delay after a handler error out := &Controller{ domainSuffix: options.DomainSuffix, client: client, queue: NewQueue(1 * time.Second), ClusterID: options.ClusterID, XDSUpdater: options.XDSUpdater, servicesMap: make(map[model.Hostname]*model.Service), externalNameSvcInstanceMap: make(map[model.Hostname][]*model.ServiceInstance), }
// See https://github.com/lyft/envoy-api#apis for a description of the role of // ADS and how it is intended to be used by a management server. ADS requests // have the same structure as their singleton xDS counterparts, but can // multiplex many resource types on a single stream. The type_url in the // DiscoveryRequest/DiscoveryResponse provides sufficient information to recover // the multiplexed singleton APIs at the Envoy instance and management server. service AggregatedDiscoveryService { // This is a gRPC-only API. rpc StreamAggregatedResources(stream envoy.api.v2.DiscoveryRequest) returns (stream envoy.api.v2.DiscoveryResponse) { }
// A DiscoveryRequest requests a set of versioned resources of the same type for // a given Envoy node on some API. message DiscoveryRequest { // The version_info provided in the request messages will be the version_info // received with the most recent successfully processed response or empty on // the first request. It is expected that no new request is sent after a // response is received until the Envoy instance is ready to ACK/NACK the new // configuration. ACK/NACK takes place by returning the new API config version // as applied or the previous API config version respectively. Each type_url // (see below) has an independent version associated with it. string version_info = 1;
// The node making the request. core.Node node = 2;
// List of resources to subscribe to, e.g. list of cluster names or a route // configuration name. If this is empty, all resources for the API are // returned. LDS/CDS expect empty resource_names, since this is global // discovery for the Envoy instance. The LDS and CDS responses will then imply // a number of resources that need to be fetched via EDS/RDS, which will be // explicitly enumerated in resource_names. repeated string resource_names = 3;
// Type of the resource that is being requested, e.g. // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This is implicit // in requests made via singleton xDS APIs such as CDS, LDS, etc. but is // required for ADS. string type_url = 4;
// nonce corresponding to DiscoveryResponse being ACK/NACKed. See above // discussion on version_info and the DiscoveryResponse nonce comment. This // may be empty if no nonce is available, e.g. at startup or for non-stream // xDS implementations. string response_nonce = 5;
// This is populated when the previous :ref:`DiscoveryResponse <envoy_api_msg_DiscoveryResponse>` // failed to update configuration. The *message* field in *error_details* provides the Envoy // internal exception related to the failure. It is only intended for consumption during manual // debugging, the string provided is not guaranteed to be stable across Envoy versions. google.rpc.Status error_detail = 6; }
message DiscoveryResponse { // The version of the response data. string version_info = 1;
// The response resources. These resources are typed and depend on the API being called. repeated google.protobuf.Any resources = 2 [(gogoproto.nullable) = false];
// [#not-implemented-hide:] // Canary is used to support two Envoy command line flags: // // * --terminate-on-canary-transition-failure. When set, Envoy is able to // terminate if it detects that configuration is stuck at canary. Consider // this example sequence of updates: // - Management server applies a canary config successfully. // - Management server rolls back to a production config. // - Envoy rejects the new production config. // Since there is no sensible way to continue receiving configuration // updates, Envoy will then terminate and apply production config from a // clean slate. // * --dry-run-canary. When set, a canary response will never be applied, only // validated via a dry run. bool canary = 3;
// Type URL for resources. This must be consistent with the type_url in the // Any messages for resources if resources is non-empty. This effectively // identifies the xDS API when muxing over ADS. string type_url = 4;
// For gRPC based subscriptions, the nonce provides a way to explicitly ack a // specific DiscoveryResponse in a following DiscoveryRequest. Additional // messages may have been sent by Envoy to the management server for the // previous version on the stream prior to this DiscoveryResponse, that were // unprocessed at response send time. The nonce allows the management server // to ignore any further DiscoveryRequests for the previous version until a // DiscoveryRequest bearing the nonce. The nonce is optional and is not // required for non-stream based xDS implementations. string nonce = 5;
// [#not-implemented-hide:] // The control plane instance that sent the response. core.ControlPlane control_plane = 6; }
for { // Block until either a request is received or a push is triggered. select { case discReq, ok := <-reqChannel: err = s.initConnectionNode(discReq, con)
switch discReq.TypeUrl { case ClusterType: // ... // CDS REQ is the first request an envoy makes. This shows up // immediately after connect. It is followed by EDS REQ as // soon as the CDS push is returned. adsLog.Infof("ADS:CDS: REQ %v %s %v raw: %s", peerAddr, con.ConID, time.Since(t0), discReq.String()) con.CDSWatch = true err := s.pushCds(con, s.globalPushContext(), versionInfo()) case ListenerType: // ... adsLog.Debugf("ADS:LDS: REQ %s %v", con.ConID, peerAddr) con.LDSWatch = true err := s.pushLds(con, s.globalPushContext(), true, versionInfo())
// PushContext tracks the status of a push - metrics and errors. // Metrics are reset after a push - at the beginning all // values are zero, and when push completes the status is reset. // The struct is exposed in a debug endpoint - fields public to allow // easy serialization as json. type PushContext struct {
// privateServices are reachable within the same namespace. privateServicesByNamespace map[string][]*Service // publicServices are services reachable within the mesh. publicServices []*Service
// destination rules are of three types: // namespaceLocalDestRules: all public/private dest rules pertaining to a service defined in a given namespace // namespaceExportedDestRules: all public dest rules pertaining to a service defined in a namespace // allExportedDestRules: all (public) dest rules across all namespaces // We need the allExportedDestRules in addition to namespaceExportedDestRules because we select // the dest rule based on the most specific host match, and not just any destination rule namespaceLocalDestRules map[string]*processedDestRules namespaceExportedDestRules map[string]*processedDestRules allExportedDestRules *processedDestRules
// sidecars for each namespace sidecarsByNamespace map[string][]*SidecarScope ////////// END ////////
// The following data is either a global index or used in the inbound path. // Namespace specific views do not apply here.
// ServiceByHostname has all services, indexed by hostname. ServiceByHostname map[Hostname]*Service `json:"-"`
// AuthzPolicies stores the existing authorization policies in the cluster. Could be nil if there // are no authorization policies in the cluster. AuthzPolicies *AuthorizationPolicies `json:"-"`
// ServicePort2Name is used to keep track of service name and port mapping. // This is needed because ADS names use port numbers, while endpoints use // port names. The key is the service name. If a service or port are not found, // the endpoint needs to be re-evaluated later (eventual consistency) ServicePort2Name map[string]PortList `json:"-"`
initDone bool }
// InitContext will initialize the data structures used for code generation. // This should be called before starting the push, from the thread creating // the push context. func(ps *PushContext)InitContext(env *Environment)error { ps.Mutex.Lock() defer ps.Mutex.Unlock() if ps.initDone { returnnil } ps.Env = env var err error
// Caches list of services in the registry, and creates a map // of hostname to service -> ServicePort2Name map[string]PortList `json:"-"` ps.initServiceRegistry(env)
// Caches list of virtual services -> publicVirtualServices []Config ps.initVirtualServices(env)
// Split out of DestinationRule expensive conversions - once per push. // 最后保存到以下三个变量中: // * namespaceLocalDestRules map[string]*processedDestRules // * namespaceExportedDestRules map[string]*processedDestRules // * allExportedDestRules *processedDestRules ps.initDestinationRules(env)
// Get the ClusterRbacConfig -> AuthzPolicies *AuthorizationPolicies ps.initAuthorizationPolicies(env)
// Must be initialized in the end -> sidecarsByNamespace map[string][]*SidecarScope ps.InitSidecarScopes(env)
for { // Block until either a request is received or a push is triggered. select { case discReq, ok := <-reqChannel: // 主要是调用 `ParseServiceNodeWithMetadata` 函数, // 从 Req 的消息中获取到各种信息,并生产 `Proxy` 对象 // 当前 discReq.Node.Id 格式为 Type~IPAddress~ID~Domain err = s.initConnectionNode(discReq, con) switch discReq.TypeUrl { case ClusterType: // 如果已经发送过 CDS 数据后的响应消息的处理 if con.CDSWatch { // ... } // CDS REQ is the first request an envoy makes. This shows up // immediately after connect. It is followed by EDS REQ as // soon as the CDS push is returned. adsLog.Infof("ADS:CDS: REQ %v %s %v raw: %s", peerAddr, con.ConID, time.Since(t0), discReq.String()) con.CDSWatch = true err := s.pushCds(con, s.globalPushContext(), versionInfo()) if err != nil { return err }
Identifies a specific Envoy instance. The node identifier is presented to the management server, which may use this identifier to distinguish per Envoy configuration for serving.{ “id”: “…”, “cluster”: “…”, “metadata”: “{…}”, “locality”: “{…}”, “build_version”: “…” }
id (string) An opaque node identifier for the Envoy node. This also provides the local service node name. It should be set if any of the following features are used: statsd, CDS, and HTTP tracing, either in this message or via –service-node.
cluster (string) Defines the local service cluster name where Envoy is running. Though optional, it should be set if any of the following features are used: statsd, health check cluster verification, runtime override directory, user agent addition, HTTP global rate limiting, CDS, and HTTP tracing, either in this message or via –service-cluster.
metadata (Struct) Opaque metadata extending the node identifier. Envoy will pass this directly to the management server.
locality (core.Locality) Locality specifying where the Envoy instance is running.
build_version (string) This is motivated by informing a management server during canary which version of Envoy is being tested in a heterogeneous fleet. This will be set by Envoy in management server RPCs.
// Proxy contains information about an specific instance of a proxy (envoy sidecar, gateway, // etc). The Proxy is initialized when a sidecar connects to Pilot, and populated from // 'node' info in the protocol as well as data extracted from registries. // // In current Istio implementation nodes use a 4-parts '~' delimited ID. // Type~IPAddress~ID~Domain type Proxy struct { // ClusterID specifies the cluster where the proxy resides. // TODO: clarify if this is needed in the new 'network' model, likely needs to // be renamed to 'network' ClusterID string
// Type specifies the node type. First part of the ID. Type NodeType
// IPAddresses is the IP addresses of the proxy used to identify it and its // co-located service instances. Example: "10.60.1.6". In some cases, the host // where the poxy and service instances reside may have more than one IP address IPAddresses []string
// ID is the unique platform-specific sidecar proxy ID. For k8s it is the pod ID and // namespace. ID string
// Locality is the location of where Envoy proxy runs. Locality Locality
// DNSDomain defines the DNS domain suffix for short hostnames (e.g. // "default.svc.cluster.local") DNSDomain string
// TrustDomain defines the trust domain of the certificate TrustDomain string
// ConfigNamespace defines the namespace where this proxy resides // for the purposes of network scoping. // NOTE: DO NOT USE THIS FIELD TO CONSTRUCT DNS NAMES ConfigNamespace string
// Metadata key-value pairs extending the Node identifier Metadata map[string]string
// the sidecarScope associated with the proxy SidecarScope *SidecarScope }
// BuildClusters returns the list of clusters for the given proxy. This is the CDS output // For outbound: Cluster for each service/subset hostname or cidr with SNI set to service hostname // Cluster type based on resolution // For inbound (sidecar only): Cluster for each inbound endpoint port and for each service port func(configgen *ConfigGeneratorImpl)BuildClusters(env *model.Environment, proxy *model.Proxy, push *model.PushContext)([]*apiv2.Cluster, error) { clusters := make([]*apiv2.Cluster, 0)
switch proxy.Type { case model.SidecarProxy: // GetProxyServiceInstances returns service instances co-located with the proxy // 获取与 proxy 所在主机上的 service instance,包括 headless 服务 instances, err := env.GetProxyServiceInstances(proxy)
// Let ServiceDiscovery decide which IP and Port are used for management if // there are multiple IPs managementPorts := make([]*model.Port, 0) for _, ip := range proxy.IPAddresses { managementPorts = append(managementPorts, env.ManagementPorts(ip)...) } // 追加与 proxy ip 上 managementPorts 相关的 InboundClusters clusters = append(clusters, configgen.buildInboundClusters(env, proxy, push, instances, managementPorts)...)
default: // Gateways // ... }
// Add a blackhole and passthrough cluster for catching traffic to unresolved routes // DO NOT CALL PLUGINS for these two clusters. clusters = append(clusters, buildBlackHoleCluster()) clusters = append(clusters, buildDefaultPassthroughCluster())
临时的调试方法,挂载到了 9093 端口,但是是否保存 ads 相关的信息,还会受到 pilot 相关选项的限制,参见
istio.io/istio/pkg/features/pilot/pilot.go
1 2 3 4 5
> // DebugConfigs controls saving snapshots of configs for /debug/adsz. > // Defaults to false, can be enabled with PILOT_DEBUG_ADSZ_CONFIG=1 > // For larger clusters it can increase memory use and GC - useful for small tests. > DebugConfigs = os.Getenv("PILOT_DEBUG_ADSZ_CONFIG") == "1" >
// Environment provides an aggregate environmental API for Pilot type Environment struct { // Discovery interface for listing services and instances. ServiceDiscovery ServiceAccounts IstioConfigStore
// BuildClusters returns the list of clusters for the given proxy. This is the CDS output // For outbound: Cluster for each service/subset hostname or cidr with SNI set to service hostname // Cluster type based on resolution: For inbound (sidecar only): // Cluster for each inbound endpoint port and for each service port func(configgen *ConfigGeneratorImpl)BuildClusters(env *model.Environment, proxy *model.Proxy, push *model.PushContext)([]*apiv2.Cluster, error) { clusters := make([]*apiv2.Cluster, 0)
switch proxy.Type { case model.SidecarProxy: // 1. 获取 Proxy 所在 Pod 上的监听的服务名,在 k8s 中是通过 proxyIP 进行相关的 Pod 查找 // 主要用于生成 Inbound 相关的集群 // GetProxyServiceInstances returns the service instances that // co-located(in the same network namespace and security context) // with a given Proxy instances, err := env.GetProxyServiceInstances(proxy)
// Let ServiceDiscovery decide which IP and Port are used for management if // there are multiple IPs // managementPorts 主要是从 Pod 中获取 Liveness && Readiness probes 的端口 managementPorts := make([]*model.Port, 0) for _, ip := range proxy.IPAddresses { managementPorts = append(managementPorts, env.ManagementPorts(ip)...) } // clusters = append(clusters, configgen.buildInboundClusters(env, proxy, push, instances, managementPorts)...) // ... // Add a blackhole and passthrough cluster for catching traffic to unresolved routes // DO NOT CALL PLUGINS for these two clusters. // 添加 blackhole 和 passthrough cluster clusters = append(clusters, buildBlackHoleCluster()) clusters = append(clusters, buildDefaultPassthroughCluster()) }
// GetProxyServiceInstances returns service instances co-located with a given proxy func(c *Controller)GetProxyServiceInstances(proxy *model.Proxy)([]*model.ServiceInstance, error) { out := make([]*model.ServiceInstance, 0)
// There is only one IP for kube registry proxyIP := proxy.IPAddresses[0] proxyNamespace := ""
pod := c.pods.getPodByIP(proxyIP) if pod != nil { proxyNamespace = pod.Namespace // 1. find proxy service by label selector, // if not any, there may exist headless service // failover to 2 svcLister := listerv1.NewServiceLister(c.services.informer.GetIndexer()) if services, err := svcLister.GetPodServices(pod); err != nil && len(services) > 0 { for _, svc := range services { item, exists, err := c.endpoints.informer.GetStore().GetByKey(KeyFunc(svc.Namespace, svc.Name))
ep := *item.(*v1.Endpoints) out = append(out, c.getProxyServiceInstancesByEndpoint(ep, proxy)...) } return out, nil } }
// 2. Headless service endpointsForPodInSameNS := make([]*model.ServiceInstance, 0) endpointsForPodInDifferentNS := make([]*model.ServiceInstance, 0) for _, item := range c.endpoints.informer.GetStore().List() { ep := *item.(*v1.Endpoints) endpoints := &endpointsForPodInSameNS if ep.Namespace != proxyNamespace { endpoints = &endpointsForPodInDifferentNS }
// Put the endpointsForPodInSameNS in front of endpointsForPodInDifferentNS so that Pilot will // first use endpoints from endpointsForPodInSameNS. This makes sure if there are two endpoints // referring to the same IP/port, the one in endpointsForPodInSameNS will be used. (The other one // in endpointsForPodInDifferentNS will thus be rejected by Pilot). out = append(endpointsForPodInSameNS, endpointsForPodInDifferentNS...) iflen(out) == 0 { if c.Env != nil { c.Env.PushContext.Add(model.ProxyStatusNoService, proxy.ID, proxy, "") status := c.Env.PushContext } else {} } return out, nil }
buildOutboundClusters
查找出 proxy 可见的 Service 和 公开的 Service,设置成对应的 Cluster。
// push.Services(proxy) 会返回对于Proxy 可见的 PrivateService 和 PublicServices for _, service := range push.Services(proxy) { config := push.DestinationRule(proxy, service) for _, port := range service.Ports { if port.Protocol == model.ProtocolUDP { continue } inputParams.Service = service inputParams.Port = port
// ManagementPorts implements a service catalog operation // addr 为 proxy 的 IP 地址 func(c *Controller)ManagementPorts(addr string)model.PortList { pod := c.pods.getPodByIP(addr) if pod == nil { returnnil }
// convertProbesToPorts // convertProbesToPorts returns a PortList consisting of the ports where the // pod is configured to do Liveness and Readiness probes funcconvertProbesToPorts(t *v1.PodSpec)(model.PortList, error) { set := make(map[string]*model.Port) for _, container := range t.Containers { for _, probe := range []*v1.Probe{container.LivenessProbe, container.ReadinessProbe} {
p, err := convertProbePort(&container, &probe.Handler) if err != nil { errs = multierror.Append(errs, err) } elseif p != nil && set[p.Name] == nil { // Deduplicate along the way. We don't differentiate between HTTP vs TCP mgmt ports set[p.Name] = p } } }
mgmtPorts := make(model.PortList, 0, len(set)) for _, p := range set { mgmtPorts = append(mgmtPorts, p) } sort.Slice(mgmtPorts, func(i, j int)bool { return mgmtPorts[i].Port < mgmtPorts[j].Port })
// Plugin is called during the construction of a xdsapi.Listener which may alter the Listener in any // way. Examples include AuthenticationPlugin that sets up mTLS authentication on the inbound Listener // and outbound Cluster, the mixer plugin that sets up policy checks on the inbound listener, etc. type Plugin interface { // OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service. // Can be used to add additional filters on the outbound path. OnOutboundListener(in *InputParams, mutable *MutableObjects) error
// OnInboundListener is called whenever a new listener is added to the LDS output for a given service // Can be used to add additional filters. OnInboundListener(in *InputParams, mutable *MutableObjects) error
// OnOutboundCluster is called whenever a new cluster is added to the CDS output. // This is called once per push cycle, and not for every sidecar/gateway, except for gateways with non-standard // operating modes. OnOutboundCluster(in *InputParams, cluster *xdsapi.Cluster)
// OnInboundCluster is called whenever a new cluster is added to the CDS output. // Called for each sidecar OnInboundCluster(in *InputParams, cluster *xdsapi.Cluster)
// OnOutboundRouteConfiguration is called whenever a new set of virtual hosts (a set of virtual hosts with routes) is // added to RDS in the outbound path. OnOutboundRouteConfiguration(in *InputParams, routeConfiguration *xdsapi.RouteConfiguration)
// OnInboundRouteConfiguration is called whenever a new set of virtual hosts are added to the inbound path. OnInboundRouteConfiguration(in *InputParams, routeConfiguration *xdsapi.RouteConfiguration)
// OnInboundFilterChains is called whenever a plugin needs to setup the filter chains, including relevant filter chain // configuration, like FilterChainMatch and TLSContext. OnInboundFilterChains(in *InputParams) []FilterChain }
// call plugins,用于通知到相关的处理函数调用 for _, p := range configgen.Plugins { p.OnInboundCluster(pluginParams, localCluster) }
// When users specify circuit breakers, they need to be set on the receiver end // (server side) as well as client side, so that the server has enough capacity // (not the defaults) to handle the increased traffic volume
// DestinationRule returns a destination rule for a service name in a given domain. config := pluginParams.Push.DestinationRule(pluginParams.Node, instance.Service) if config != nil { destinationRule := config.Spec.(*networking.DestinationRule) if destinationRule.TrafficPolicy != nil { // only connection pool settings make sense on the inbound path. // upstream TLS settings/outlier detection/load balancer don't apply here. applyConnectionPool(pluginParams.Env, localCluster, destinationRule.TrafficPolicy.ConnectionPool, model.TrafficDirectionInbound) } } return localCluster }
// FIXME: there isn't a way to distinguish between unset values and zero values funcapplyConnectionPool(env *model.Environment, cluster *apiv2.Cluster, settings *networking.ConnectionPoolSettings, direction model.TrafficDirection) { threshold := GetDefaultCircuitBreakerThresholds(direction) if settings.Http != nil { if settings.Http.Http2MaxRequests > 0 { // Envoy only applies MaxRequests in HTTP/2 clusters threshold.MaxRequests = &types.UInt32Value{Value: uint32(settings.Http.Http2MaxRequests)} } if settings.Http.Http1MaxPendingRequests > 0 { // Envoy only applies MaxPendingRequests in HTTP/1.1 clusters threshold.MaxPendingRequests = &types.UInt32Value{Value: uint32(settings.Http.Http1MaxPendingRequests)} }
if settings.Http.MaxRequestsPerConnection > 0 { cluster.MaxRequestsPerConnection = &types.UInt32Value{Value: uint32(settings.Http.MaxRequestsPerConnection)} }
// FIXME: zero is a valid value if explicitly set, otherwise we want to use the default if settings.Http.MaxRetries > 0 { threshold.MaxRetries = &types.UInt32Value{Value: uint32(settings.Http.MaxRetries)} } }
if settings.Tcp != nil { if settings.Tcp.ConnectTimeout != nil { cluster.ConnectTimeout = util.GogoDurationToDuration(settings.Tcp.ConnectTimeout) }
if settings.Tcp.MaxConnections > 0 { threshold.MaxConnections = &types.UInt32Value{Value: uint32(settings.Tcp.MaxConnections)} }
// buildSidecarListeners produces a list of listeners for sidecar proxies func(configgen *ConfigGeneratorImpl)buildSidecarListeners(env *model.Environment, node *model.Proxy, push *model.PushContext)([]*xdsapi.Listener, error) {
// outbound 相关的 Listeners // buildSidecarOutboundListeners generates http and tcp listeners for // outbound connections from the proxy based on the sidecar scope associated with the proxy. // TODO(github.com/istio/pilot/issues/237) // // Sharing tcp_proxy and http_connection_manager filters on the same port for // different destination services doesn't work with Envoy (yet). When the // tcp_proxy filter's route matching fails for the http service the connection // is closed without falling back to the http_connection_manager. // // Temporary workaround is to add a listener for each service IP that requires // TCP routing // // Connections to the ports of non-load balanced services are directed to // the connection's original destination. This avoids costly queries of instance // IPs and ports, but requires that ports of non-load balanced service be unique. outbound := configgen.buildSidecarOutboundListeners(env, node, push, proxyInstances)
// Do not generate any management port listeners if the user has specified a SidecarScope object // with ingress listeners. Specifying the ingress listener implies that the user wants // to only have those specific listeners and nothing else, in the inbound path. generateManagementListeners := true
if mesh.OutboundTrafficPolicy.Mode == meshconfig.MeshConfig_OutboundTrafficPolicy_ALLOW_ANY { // We need a passthrough filter to fill in the filter stack for orig_dst listener tcpProxy = &tcp_proxy.TcpProxy{ StatPrefix: util.PassthroughCluster, ClusterSpecifier: &tcp_proxy.TcpProxy_Cluster{Cluster: util.PassthroughCluster}, } } var transparent *google_protobuf.BoolValue if node.GetInterceptionMode() == model.InterceptionTproxy { transparent = proto.BoolTrue }
// add an extra listener that binds to the port that is the recipient of the iptables redirect listeners = append(listeners, &xdsapi.Listener{ Name: VirtualListenerName, Address: util.BuildAddress(WildcardAddress, uint32(mesh.ProxyListenPort)), Transparent: transparent, UseOriginalDst: proto.BoolTrue, FilterChains: []listener.FilterChain{ { Filters: []listener.Filter{ { Name: xdsutil.TCPProxy, ConfigType: &listener.Filter_Config{ Config: util.MessageToStruct(tcpProxy), }, }, }, }, }, }) }
httpProxyPort := mesh.ProxyHttpPort if httpProxyPort == 0 && noneMode { // make sure http proxy is enabled for 'none' interception. httpProxyPort = int32(pilot.DefaultPortHTTPProxy) } // enable HTTP PROXY port if necessary; this will add an RDS route for this port if httpProxyPort > 0 { useRemoteAddress := false traceOperation := http_conn.EGRESS listenAddress := LocalhostAddress
opts := buildListenerOpts{ env: env, proxy: node, proxyInstances: proxyInstances, bind: listenAddress, port: int(httpProxyPort), filterChainOpts: []*filterChainOpts{{ httpOpts: &httpListenerOpts{ rds: RDSHttpProxy, useRemoteAddress: useRemoteAddress, direction: traceOperation, connectionManager: &http_conn.HttpConnectionManager{ HttpProtocolOptions: &core.Http1ProtocolOptions{ AllowAbsoluteUrl: proto.BoolTrue, }, }, }, }}, bindToPort: true, skipUserFilters: true, } l := buildListener(opts) // TODO: plugins for HTTP_PROXY mode, envoyfilter needs another listener match for SIDECAR_HTTP_PROXY // there is no mixer for http_proxy mutable := &plugin.MutableObjects{ Listener: l, FilterChains: []plugin.FilterChain{{}}, } pluginParams := &plugin.InputParams{ ListenerProtocol: plugin.ListenerProtocolHTTP, ListenerCategory: networking.EnvoyFilter_ListenerMatch_SIDECAR_OUTBOUND, Env: env, Node: node, ProxyInstances: proxyInstances, Push: push, } if err := buildCompleteFilterChain(pluginParams, mutable, opts); err != nil { log.Warna("buildSidecarListeners ", err.Error()) } else { listeners = append(listeners, l) } // TODO: need inbound listeners in HTTP_PROXY case, with dedicated ingress listener. }
// EdsCluster tracks eds-related info for monitored clusters. In practice it'll include // all clusters until we support on-demand cluster loading. type EdsCluster struct { // ... LoadAssignment *xdsapi.ClusterLoadAssignment // 记录当前 cluster 被那些 proxy 使用 // EdsClients keeps track of all nodes monitoring the cluster. EdsClients map[string]*XdsConnection `json:"-"` }
type ClusterLoadAssignment struct { // Name of the cluster. This will be the :ref:`service_name // <envoy_api_field_Cluster.EdsClusterConfig.service_name>` value if specified // in the cluster :ref:`EdsClusterConfig // <envoy_api_msg_Cluster.EdsClusterConfig>`. ClusterName string // List of endpoints to load balance to. Endpoints []endpoint.LocalityLbEndpoints // Map of named endpoints that can be referenced in LocalityLbEndpoints. NamedEndpoints map[string]*endpoint.Endpoint // Load balancing policy settings. Policy *ClusterLoadAssignment_Policy }
// 配置发生变化,如果有更新则出发增量更新 case pushEv := <-con.pushChannel: // It is called when config changes. // This is not optimized yet - we should detect what changed based on event and only // push resources that need to be pushed.
// TODO: possible race condition: if a config change happens while the envoy // was getting the initial config, between LDS and RDS, the push will miss the // monitored 'routes'. Same for CDS/EDS interval. // It is very tricky to handle due to the protocol - but the periodic push recovers // from it.
// pushEds is pushing EDS updates for a single connection. Called the first time // a client connects, for incremental updates and for full periodic updates. func(s *DiscoveryServer)pushEds(push *model.PushContext, con *XdsConnection, full bool, edsUpdatedServices map[string]*EndpointShards)error { loadAssignments := []*xdsapi.ClusterLoadAssignment{}
emptyClusters := 0 endpoints := 0
// 根据 conn 连接上发送过来的 clusters name 循环拉取相关的信息 for _, clusterName := range con.Clusters { _, _, hostname, _ := model.ParseSubsetKey(clusterName) if edsUpdatedServices != nil && edsUpdatedServices[string(hostname)] == nil { // Cluster was not updated, skip recomputing. continue }
// BuildHTTPRoutes produces a list of routes for the proxy func(configgen *ConfigGeneratorImpl)BuildHTTPRoutes(env *model.Environment, node *model.Proxy, push *model.PushContext, routeName string)(*xdsapi.RouteConfiguration, error) { proxyInstances, err := env.GetProxyServiceInstances(node)
// buildSidecarOutboundHTTPRouteConfig builds an outbound HTTP Route for sidecar. // Based on port, will determine all virtual hosts that listen on the port. func(configgen *ConfigGeneratorImpl)buildSidecarOutboundHTTPRouteConfig(env *model.Environment, node *model.Proxy, push *model.PushContext, proxyInstances []*model.ServiceInstance, routeName string) *xdsapi.RouteConfiguration {
var virtualServices []model.Config var services []*model.Service
// Get the list of services that correspond to this egressListener from the sidecarScope sidecarScope := node.SidecarScope // sidecarScope should never be nil if sidecarScope != nil && sidecarScope.Config != nil { // egress 相关的 } else { // 从默认的 meshGateway 中获取 meshGateway := map[string]bool{model.IstioMeshGateway: true} services = push.Services(node) virtualServices = push.VirtualServices(node, meshGateway) }
nameToServiceMap := make(map[model.Hostname]*model.Service) for _, svc := range services { if listenerPort == 0 { nameToServiceMap[svc.Hostname] = svc } else { if svcPort, exists := svc.Ports.GetByPort(listenerPort); exists {
// Collect all proxy labels for source match var proxyLabels model.LabelsCollection for _, w := range proxyInstances { proxyLabels = append(proxyLabels, w.Labels) }
// Get list of virtual services bound to the mesh gateway virtualHostWrappers := istio_route.BuildSidecarVirtualHostsFromConfigAndRegistry(node, push, nameToServiceMap, proxyLabels, virtualServices, listenerPort) vHostPortMap := make(map[int][]route.VirtualHost)
for _, virtualHostWrapper := range virtualHostWrappers { virtualHosts := make([]route.VirtualHost, 0, len(virtualHostWrapper.VirtualServiceHosts)+len(virtualHostWrapper.Services)) for _, host := range virtualHostWrapper.VirtualServiceHosts { virtualHosts = append(virtualHosts, route.VirtualHost{ Name: fmt.Sprintf("%s:%d", host, virtualHostWrapper.Port), Domains: []string{host, fmt.Sprintf("%s:%d", host, virtualHostWrapper.Port)}, Routes: virtualHostWrapper.Routes, }) }
Istio 1.1 代码中实现,参见 PR 10278,早期的版本实现是通过注解的方式来进行的,打在 service 上,注解如下:
1 2 3 4 5
> // ServiceConfigScopeAnnotation configs the scope the service visible to. > // "PUBLIC" which is the default, indicates it is reachable within the mesh > // "PRIVATE" indicates it is reachable within its namespace > ServiceConfigScopeAnnotation = "networking.istio.io/configScope" >
# obtained from debian ca-certs deb using fetch_cacerts.sh ADD ca-certificates.tgz / # All containers need a /tmp directory WORKDIR /tmp/ ADD istio_ca /usr/local/bin/istio_ca
Available Commands: help Help about any command probe Check the liveness or readiness of a locally-running server version Prints out build version information
Flags: --append-dns-names Append DNS names to the certificates for webhook services. (default true) --cert-chain string Path to the certificate chain file --citadel-storage-namespace string Namespace where the Citadel pod is running. Will not be used if explicit file or other storage mechanism is specified. (default "istio-system") --custom-dns-names string The list of account.namespace:customdns names, separated by comma. --enable-profiling Enabling profiling when monitoring Citadel. --grpc-host-identities string The list of hostnames for istio ca server, separated by comma. (default "istio-ca,istio-citadel") --grpc-hostname string DEPRECATED, use --grpc-host-identites. (default "istio-ca") --grpc-port int The port number for Citadel GRPC server. If unspecified, Citadel will not serve GRPC requests. (default 8060) -h, --helphelpfor istio_ca --key-size int Size of generated private key (default 2048) --kube-config string Specifies path to kubeconfig file. This must be specified when not running inside a Kubernetes pod. --listened-namespace string Select a namespace for the CA to listen to. If unspecified, Citadel tries to use the ${NAMESPACE} environment variable. If neither is set, Citadel listens to all namespaces. --liveness-probe-interval duration Interval of updating file for the liveness probe. --liveness-probe-path string Path to the file for the liveness probe. --log_as_json Whether to format output as JSON or in plain console-friendly format --log_caller string Comma-separated list of scopes forwhich to include caller information, scopes can be any of [default, model] --log_output_level string Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [default, model] and level can be one of [debug, info, warn, error, none] (default "default:info") --log_rotate string The path for the optional rotating log file --log_rotate_max_age int The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) --log_rotate_max_backups int The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) --log_rotate_max_size int The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) --log_stacktrace_level string Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [default, model] and level can be one of [debug, info, warn, error, none] (default "default:none") --log_target stringArray The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout]) --max-workload-cert-ttl duration The max TTL of issued workload certificates (default 2160h0m0s) --monitoring-port int The port number for monitoring Citadel. If unspecified, Citadel will disable monitoring. (default 9093) --org string Organization for the cert --probe-check-interval duration Interval of checking the liveness of the CA. (default 30s) --requested-ca-cert-ttl duration The requested TTL for the workload (default 8760h0m0s) --root-cert string Path to the root certificate file --self-signed-ca Indicates whether to use auto-generated self-signed CA certificate. When set to true, the '--signing-cert' and '--signing-key' options are ignored. --self-signed-ca-cert-ttl duration The TTL of self-signed CA root certificate (default 8760h0m0s) --self-signed-ca-org string The issuer organization used in self-signed CA certificate (default to k8s.cluster.local) (default "k8s.cluster.local") --sign-ca-certs Whether Citadel signs certificates for other CAs --signing-cert string Path to the CA signing certificate file --signing-key string Path to the CA signing key file --upstream-ca-address string The IP:port address of the upstream CA. When set, the CA will rely on the upstream Citadel to provision its own certificate. --workload-cert-grace-period-ratio float32 The workload certificate rotation grace period, as a ratio of the workload certificate TTL. (default 0.5) --workload-cert-min-grace-period duration The minimum workload certificate rotation grace period. (default 10m0s) --workload-cert-ttl duration The TTL of issued workload certificates (default 2160h0m0s)
Use "istio_ca [command] --help"for more information about a command.
funcrunCA() { //... // --listened-namespace 设置 CA 监控的 namespace,如果没有指定会从 ${NAMESPACE} 环境变量中获取,如果都没有设置,Citadel 则会监听全部的 namespace. if value, exists := os.LookupEnv(cmd.ListenedNamespaceKey); exists { // When -namespace is not set, try to read the namespace from environment variable. if opts.listenedNamespace == "" { opts.listenedNamespace = value } // Use environment variable for istioCaStorageNamespace if it exists opts.istioCaStorageNamespace = value }
// 验证命令行 verifyCommandLineOptions()
var webhooks map[string]controller.DNSNameEntry // 如果设置了添加 DNS 名字的后缀 if opts.appendDNSNames { webhooks = make(map[string]controller.DNSNameEntry) /* // ServiceAccount/DNS pair for generating DNS names in certificates. // TODO: move it to a configmap later when we have more services to support. webhookServiceAccounts = []string{ "istio-sidecar-injector-service-account", "istio-galley-service-account", } webhookServiceNames = []string{ "istio-sidecar-injector", "istio-galley", } */ for i, svcAccount := range webhookServiceAccounts { // istio-sidecar-injector-service-account // istio-galley-service-account webhooks[svcAccount] = controller.DNSNameEntry{ ServiceName: webhookServiceNames[i], Namespace: opts.istioCaStorageNamespace, // opts.istioCaStorageNamespace 运行的 namespace,默认为 istio-system } } // ...
// 创建连接到集群中的 client cs := createClientset() // 返回 ca.IstioCA,用于管理证书链和签新的证书 ca := createCA(cs.CoreV1()) // For workloads in K8s, we apply the configured workload cert TTL. // 1. 创建 NewSecretController 来完成对于 API Server 中的 ServiceAccount 和 Secret 的创建 sc, err := controller.NewSecretController(ca, opts.workloadCertTTL, opts.workloadCertGracePeriodRatio, opts.workloadCertMinGracePeriod, opts.dualUse, cs.CoreV1(), opts.signCACerts, opts.listenedNamespace, webhooks) if err != nil { fatalf("Failed to create secret controller: %v", err) }
// Run starts the SecretController until a value is sent to stopCh. func(sc *SecretController)Run(stopCh chanstruct{}) { go sc.scrtController.Run(stopCh)
// saAdded calls upsertSecret to update and insert secret // it throws error if the secret cache is not synchronized, but the secret exists in the system cache.WaitForCacheSync(stopCh, sc.scrtController.HasSynced)
// KubeServiceAccountsOnVMAnnotation is to specify the K8s service accounts that are allowed to run // this service on the VMs KubeServiceAccountsOnVMAnnotation = "alpha.istio.io/kubernetes-serviceaccounts" // CanonicalServiceAccountsAnnotation is to specify the non-Kubernetes service accounts that // are allowed to run this service. CanonicalServiceAccountsAnnotation = "alpha.istio.io/canonical-serviceaccounts"
结构体定义如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14
// ServiceController monitors the service definition changes in a namespace. If a // new service is added with "alpha.istio.io/kubernetes-serviceaccounts" or // "alpha.istio.io/canonical-serviceaccounts" annotations enabled, // the corresponding service account will be added to the identity registry // for whitelisting. type ServiceController struct { core corev1.CoreV1Interface
// identity registry object reg registry.Registry
// controller for service objects controller cache.Controller }
NewServiceAccountController: 监听 ServiceAccount 对象;对于获取到 sa 信息,生成相对应的 SpiffeID 保存到 Reg 注册表的映射关系中,当前 key 和 value 都是相同 c.reg.DeleteMapping(id, id);
// ServiceAccountController monitors service account definition changes in a namespace. // For each service account object, its SpiffeID is added to identity registry for // whitelisting purpose. type ServiceAccountController struct { core corev1.CoreV1Interface
// identity registry object reg registry.Registry
// controller for service objects controller cache.Controller }
// CreateCertificate handles an incoming certificate signing request (CSR). It does // authentication and authorization. Upon validated, signs a certificate that: // the SAN is the identity of the caller in authentication result. // the subject public key is the public key in the CSR. // the validity duration is the ValidityDuration in request, or default value if the given duration is invalid. // it is signed by the CA signing key. func(s *Server)CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest)( *pb.IstioCertificateResponse, error) { // 根据请求生成对应的证书 _, _, certChainBytes, rootCertBytes := s.ca.GetCAKeyCertBundle().GetAll() cert, signErr := s.ca.Sign( []byte(request.Csr), caller.Identities, time.Duration(request.ValidityDuration)*time.Second, false)
// HandleCSR handles an incoming certificate signing request (CSR). It does // proper validation (e.g. authentication) and upon validated, signs the CSR // and returns the resulting certificate. If not approved, reason for refusal // to sign is returned as part of the response object. // [TODO](myidpt): Deprecate this function. func(s *Server)HandleCSR(ctx context.Context, request *pb.CsrRequest)(*pb.CsrResponse, error) {
// Start periodically rotates the KeyCertBundle by interacting with the upstream CA. // It is a blocking function that should run as a go routine. Thread safe. func(c *KeyCertBundleRotator)Start(errCh chan<- error) { c.stoppedMutex.Lock() if !c.stopped { errCh <- fmt.Errorf("rotator already started") c.stoppedMutex.Unlock() return } c.stopped = false c.stoppedMutex.Unlock()
// Make sure we mark rotator stopped after this method finishes. deferfunc() { c.stoppedMutex.Lock() c.stopped = true c.stoppedMutex.Unlock() }()
for { certBytes, _, _, _ := c.keycert.GetAllPem() iflen(certBytes) != 0 { waitTime, ttlErr := c.certUtil.GetWaitTime(certBytes, time.Now()) if ttlErr != nil { log.Errorf("Error getting TTL from cert: %v. Rotate immediately.", ttlErr) } else { timer := time.NewTimer(waitTime) log.Infof("Will rotate key and cert in %v.", waitTime) select { case <-c.stopCh: return case <-timer.C: // Continue in the loop. } } } co, coErr := c.keycert.CertOptions() if coErr != nil { err := fmt.Errorf("failed to extact CertOptions from bundle: %v, abort auto rotation", coErr) log.Errora(err) errCh <- err return } certBytes, certChainBytes, privKeyBytes, rErr := c.retriever.Retrieve(co) if rErr != nil { err := fmt.Errorf("error retrieving the key and cert: %v, abort auto rotation", rErr) log.Errora(err) errCh <- err return } _, _, _, rootCertBytes := c.keycert.GetAllPem() if vErr := c.keycert.VerifyAndSetAll(certBytes, privKeyBytes, certChainBytes, rootCertBytes); vErr != nil { err := fmt.Errorf("cannot verify the retrieved key and cert: %v, abort auto rotation", vErr) log.Errora(err) errCh <- err return } log.Infof("Successfully retrieved new key and certs.") } }
# /usr/local/bin/pilot-agent --help Istio Pilot agent runs in the side car or gateway container and bootstraps envoy.
Usage: pilot-agent [command]
Available Commands: help Help about any command proxy Envoy proxy agent request Makes an HTTP request to the Envoy admin API version Prints out build version information
Flags: -h, --helphelpfor pilot-agent --log_as_json Whether to format output as JSON or in plain console-friendly format --log_caller string Comma-separated list of scopes forwhich to include caller information, scopes can be any of [default, model] --log_output_level string Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [default, model] and level can be one of [debug, info, warn, error, none] (default "default:info") --log_rotate string The path for the optional rotating log file --log_rotate_max_age int The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30) --log_rotate_max_backups int The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000) --log_rotate_max_size int The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600) --log_stacktrace_level string Comma-separated minimum per-scope logging level at which stack traces are captured, in the form of <scope>:<level>,<scope:level>,... where scope can be one of [default, model] and level can be one of [debug, info, warn, error, none] (default "default:none") --log_target stringArray The set of paths where to output the log. This can be any path as well as the special values stdout and stderr (default [stdout])
Use "pilot-agent [command] --help"for more information about a command.
Flags: --applicationPorts stringSlice Ports exposed by the application. Used to determine that Envoy is configured and ready to receive traffic. --availabilityZone string Availability zone --binaryPath string Path to the proxy binary (default "/usr/local/bin/envoy") --bootstrapv2 Use bootstrap v2 - DEPRECATED (default true) --concurrency int number of worker threads to run --configPath string Path to the generated configuration file directory (default "/etc/istio/proxy") --connectTimeout duration Connection timeout used by Envoy for supporting services (default 1s) --controlPlaneAuthPolicy string Control Plane Authentication Policy (default "NONE") --customConfigFile string Path to the custom configuration file --disableInternalTelemetry Disable internal telemetry --discoveryAddress string Address of the discovery service exposing xDS (e.g. istio-pilot:8080) (default "istio-pilot:15007") --discoveryRefreshDelay duration Polling interval for service discovery (used by EDS, CDS, LDS, but not RDS) (default 1s) --domain string DNS domain suffix. If not provided uses ${POD_NAMESPACE}.svc.cluster.local --drainDuration duration The time in seconds that Envoy will drain connections during a hot restart (default 2s) -h, --helphelpfor proxy --id string Proxy unique ID. If not provided uses ${POD_NAME}.${POD_NAMESPACE} from environment variables --ip string Proxy IP address. If not provided uses ${INSTANCE_IP} environment variable. --parentShutdownDuration duration The time in seconds that Envoy will wait before shutting down the parent process during a hot restart (default 3s) --proxyAdminPort uint16 Port on which Envoy should listen for administrative commands (default 15000) --proxyLogLevel string The log level used to start the Envoy proxy (choose from {trace, debug, info, warn, err, critical, off}) (default "warn") --serviceCluster string Service cluster (default "istio-proxy") --serviceregistry string Select the platform for service registry, options are {Kubernetes, Consul, CloudFoundry, Mock, Config} (default "Kubernetes") --statsdUdpAddress string IP Address and Port of a statsd UDP listener (e.g. 10.75.241.127:9125) --statusPort uint16 HTTP Port on which to serve pilot agent status. If zero, agent status will not be provided. --templateFile string Go template bootstrap config --zipkinAddress string Address of the Zipkin service (e.g. zipkin:9411)
type Agent interface { // ConfigCh returns the config channel used to send configuration updates. // Agent compares the current active configuration to the desired state and // initiates a restart if necessary. If the restart fails, the agent attempts // to retry with an exponential back-off. ConfigCh() chan<- interface{}
// Run starts the agent control loop and awaits for a signal on the input // channel to exit the loop. Run(ctx context.Context) }
// Proxy defines command interface for a proxy type Proxy interface { // Run command for a config, epoch, and abort channel Run(interface{}, int, <-chan error) error
// Cleanup command for an epoch Cleanup(int)
// Panic command is invoked with the desired config when all retries to // start the proxy fail just before the agent terminating Panic(interface{}) }
// Throttle processing up to smoothed 1 qps with bursts up to 10 qps. // High QPS is needed to process messages on all channels. rateLimiter := rate.NewLimiter(1, 10)
var reconcileTimer *time.Timer for { err := rateLimiter.Wait(ctx) if err != nil { a.terminate() return }
// maximum duration or duration till next restart var delay time.Duration = 1<<63 - 1 if a.retry.restart != nil { // 如果设置了下次重启的时间间隔,则 delay 设置为该值 delay = time.Until(*a.retry.restart) } // 停止原有的 reconcileTimer, 并设置成当前的 delay 值 if reconcileTimer != nil { reconcileTimer.Stop() } reconcileTimer = time.NewTimer(delay)
select { // 1. 如果相关的配置发生了变化,如果没有变化则忽略 case config := <-a.configCh: if !reflect.DeepEqual(a.desiredConfig, config) { log.Infof("Received new config, resetting budget") a.desiredConfig = config
// reset retry budget if and only if the desired config changes // 因为配置发生了变化,把下一次重启时间间隔设置为最大 a.retry.budget = a.retry.MaxRetries a.reconcile() } // 默认的重试策略值为 /* DefaultRetry = Retry{ MaxRetries: 10, InitialInterval: 200 * time.Millisecond, }*/ // 2. 如果 proxy-envoy 的状态发生了变化 case status := <-a.statusCh: // delete epoch record and update current config // avoid self-aborting on non-abort error delete(a.epochs, status.epoch) delete(a.abortCh, status.epoch) a.currentConfig = a.epochs[a.latestEpoch()]
// NOTE: due to Envoy hot restart race conditions, an error from the // process requires aggressive non-graceful restarts by killing all // existing proxy instances // Envoy热重启竞争条件,进程中的错误需要通过终止所有现有代理实例来进行积极的非正常重启 a.abortAll() } else { // 正常情况下的退出 log.Infof("Epoch %d exited normally", status.epoch) }
// cleanup for the epoch // 删除当前 epoch 对应的配置文件 a.proxy.Cleanup(status.epoch)
// check that the config is current if reflect.DeepEqual(a.desiredConfig, a.currentConfig) { log.Infof("Desired configuration is already applied") return }
// discover and increment the latest running epoch epoch := a.latestEpoch() + 1 // buffer aborts to prevent blocking on failing proxy abortCh := make(chan error, maxAborts) a.epochs[epoch] = a.desiredConfig a.abortCh[epoch] = abortCh a.currentConfig = a.desiredConfig // 最终的调用,会将相关相关结果放到 abortCh channel 中 go a.runWait(a.desiredConfig, epoch, abortCh) }
reconcile 设置相关参数后,最终启动一个新的 goroutine 来进行启动最终的程序
1 2 3 4 5 6
// runWait runs the start-up command as a go routine and waits for it to finish func(a *agent)runWait(config interface{}, epoch int, abortCh <-chan error) { log.Infof("Epoch %d starting", epoch) err := a.proxy.Run(config, epoch, abortCh) a.statusCh <- exitStatus{epoch: epoch, err: err} }
func(e *envoy)Run(config interface{}, epoch int, abort <-chan error)error { var fname string // Note: the cert checking still works, the generated file is updated if certs are changed. // We just don't save the generated file, but use a custom one instead. Pilot will keep // monitoring the certs and restart if the content of the certs changes. // 1. 如果指定了模板文件,则使用用户指定的,否则则使用默认的 iflen(e.config.CustomConfigFile) > 0 { // there is a custom configuration. Don't write our own config - but keep watching the certs. fname = e.config.CustomConfigFile } else { out, err := bootstrap.WriteBootstrap(&e.config, e.node, epoch, e.pilotSAN, e.opts, os.Environ(), e.nodeIPs) if err != nil { log.Errora("Failed to generate bootstrap config", err) os.Exit(1) // Prevent infinite loop attempting to write the file, let k8s/systemd report return err } fname = out }
// spin up a new Envoy process args := e.args(fname, epoch) log.Infof("Envoy command: %v", args)
// Set if the caller is monitoring envoy, for example in tests or if envoy runs in same // container with the app. if e.errChan != nil { // Caller passed a channel, will wait itself for termination gofunc() { e.errChan <- cmd.Wait() }() returnnil }
func(w *watcher)Run(ctx context.Context) { // kick start the proxy with partial state (in case there are no notifications coming) w.SendConfig() // 用于向 agent 发送相关的摘要值
// monitor certificates certDirs := make([]string, 0, len(w.certs)) for _, cert := range w.certs { certDirs = append(certDirs, cert.Directory) }
go watchCerts(ctx, certDirs, watchFileEvents, defaultMinDelay, w.SendConfig)
// watchCerts watches all certificate directories and calls the provided // `updateFunc` method when changes are detected. This method is blocking // so it should be run as a goroutine. // updateFunc will not be called more than one time per minDelay. funcwatchCerts(ctx context.Context, certsDirs []string, watchFileEventsFn watchFileEventsFn, minDelay time.Duration, updateFunc func()) { fw, err := fsnotify.NewWatcher() if err != nil { log.Warnf("failed to create a watcher for certificate files: %v", err) return } deferfunc() { if err := fw.Close(); err != nil { log.Warnf("closing watcher encounters an error %v", err) } }()
// watch all directories for _, d := range certsDirs { if err := fw.Watch(d); err != nil { log.Warnf("watching %s encounters an error %v", d, err) return } } watchFileEventsFn(ctx, fw.Event, minDelay, updateFunc) }
关于监听的相关证书,则来自于注入时从命名空间中 secret 中加载到 pod 中的文件,deployment文件如下:
]]>
<p>作者:<a href="https://blog.avinetworks.com/from-fragmented-microservices-ecosystem-to-service-mesh" target="_blank" rel="noopener">Manish C
Kubernetes DNS 入门指南http://www.cn18k.com/2018/10/25/k8s-dns/2018-10-25T03:00:00.000Z2018-10-25T03:00:00.000Z 正文
这里可能会出现竞争状况;如果 Envoy 在版本 X 上发布了资源提示更新请求,但在管理服务器处理该请求之前发送了新的版本号为 Y 的响应,针对 version_info 为 X 的版本,资源提示更新可能会被解释为拒绝 Y 。为避免这种情况,通过使用管理服务器提供的 nonce,Envoy 可用来保证每个 DiscoveryRequest 对应到相应的 DiscoveryResponse :
type Discoverer interface { Run(ctx context.Context, ch chan<- []*targetgroup.Group) }
Prometheus 支持了众多的 SD 发现机制,代码位于 discovery 目录下。
Group 的结构定义如下:
1 2 3 4 5 6 7 8 9 10 11
// Group is a set of targets with a common label set(production , test, staging etc.). type Group struct { // Targets is a list of targets identified by a label set. Each target is // uniquely identifiable in the group by its address label. Targets []model.LabelSet // Labels is a set of labels that is common across all targets in the group. Labels model.LabelSet
// Source is an identifier that describes a group of targets. Source string }
// ApplyConfig removes all running discovery providers and starts new ones using the provided config. func(m *Manager)ApplyConfig(cfg map[string]sd_config.ServiceDiscoveryConfig)error { m.mtx.Lock() defer m.mtx.Unlock()
m.cancelDiscoverers() // 对于配置文件组织管理 for name, scfg := range cfg { m.registerProviders(scfg, name) } // 全部启动 for _, prov := range m.providers { m.startProvider(m.ctx, prov) }
returnnil }
将每个 JobName 为 key 的结构进行注册管理
1 2 3 4 5 6 7 8
// provider 用于管理可能相同配置的不同 job 任务 // provider holds a Discoverer instance, its configuration and its subscribers. type provider struct { name string// "kubernetes_sd_configs/[0-n]" d Discoverer // 对应的 Discoverer subs []string// 配置相关情况下的,可能是不同的 JobName config interface{} // 对应的相关配置 }
Manager 结构如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
// Manager maintains a set of discovery providers and sends each update to a map channel. // Targets are grouped by the target set name. type Manager struct { logger log.Logger mtx sync.RWMutex ctx context.Context discoverCancel []context.CancelFunc
// Some Discoverers(eg. k8s) send only the updates for a given target group // so we use map[tg.Source]*targetgroup.Group to know which group to update. // poolkey: job_name + provider_n, 将事件放到各个 job 任务的队列中 targets map[poolKey]map[string]*targetgroup.Group // providers keeps track of SD providers. providers []*provider // The sync channels sends the updates in map[targetSetName] where targetSetName is the job value from the scrape config. // 经过聚合后,将需要更新的对象信息发送到 jobName 的队列中 syncCh chanmap[string][]*targetgroup.Group }
for { select { case <-ctx.Done(): return case tgs, ok := <-updates: if !ok { level.Debug(m.logger).Log("msg", "discoverer channel closed, sending the last update", "provider", p.name) select { case m.syncCh <- m.allGroups(): // Waiting until the receiver can accept the last update. level.Debug(m.logger).Log("msg", "discoverer exited", "provider", p.name) return case <-ctx.Done(): return }
} // s: job_name, provider: k8s/n // 针对可能的订阅者(包括相同配置的订阅者) 发送事件 for _, s := range p.subs { m.updateGroup(poolKey{setName: s, provider: p.name}, tgs) }
select { case triggerUpdate <- struct{}{}: default: } case <-ticker.C: // Some discoverers send updates too often so we throttle these with the ticker. select { case <-triggerUpdate: select { // m.allGroups() 按照 pkey.SetName (job_name 进行聚合) case m.syncCh <- m.allGroups(): default: level.Debug(m.logger).Log("msg", "discovery receiver's channel was full so will retry the next cycle", "provider", p.name) select { case triggerUpdate <- struct{}{}: default: } } default: } } } }
for _, tg := range tgs { if tg != nil { // Some Discoverers send nil target group so need to check for it to avoid panics. if _, ok := m.targets[poolKey]; !ok { m.targets[poolKey] = make(map[string]*targetgroup.Group) } // poolkey: job_name + provider_n, m.targets[poolKey][tg.Source] = tg } } }
int main(){ // ... { // Scrape manager. g.Add( func() error { // When the scrape manager receives a new targets list // it needs to read a valid config for each job. // It depends on the config being in sync with the discovery manager so // we wait until the config is fully loaded. <-reloadReady.C
err := scrapeManager.Run(discoveryManagerScrape.SyncCh()) level.Info(logger).Log("msg", "Scrape manager stopped") return err }, func(err error) { // Scrape manager needs to be stopped before closing the local TSDB // so that it doesn't try to write samples to a closed storage. level.Info(logger).Log("msg", "Stopping scrape manager...") scrapeManager.Stop() }, ) }
// Manager maintains a set of scrape pools and manages start/stop cycles // when receiving new target groups form the discovery manager. type Manager struct { logger log.Logger append Appendable graceShut chanstruct{}
// Run starts background processing to handle target updates and reload the scraping loops. func(m *Manager)Run(tsets <-chanmap[string][]*targetgroup.Group)error { for { select { case ts := <-tsets: m.reload(ts) case <-m.graceShut: returnnil } } }
// Sync converts target groups into actual scrape targets and synchronizes // the currently running scraper with the resulting set and returns all scraped and dropped targets. // 同步将目标组转换为实际的抓取目标,并将当前运行的抓取与结果集同步,并返回所有刮取和删除的目标。 func(sp *scrapePool)Sync(tgs []*targetgroup.Group)(tActive []*Target, tDropped []*Target) { start := time.Now()
var all []*Target sp.mtx.Lock() sp.droppedTargets = []*Target{} for _, tg := range tgs { // targetsFromGroup 函数通过相关配置完成转换 targets, err := targetsFromGroup(tg, sp.config)
for _, t := range targets { // 返回目标的标签,不是处理后的,不以 “__” 为前缀 if t.Labels().Len() > 0 { // 不存在以 “__" 为前缀匹配的标签 all = append(all, t) } elseif t.DiscoveredLabels().Len() > 0 { sp.droppedTargets = append(sp.droppedTargets, t) } } } sp.mtx.Unlock() sp.sync(all)
// Target refers to a singular HTTP or HTTPS endpoint. type Target struct { // Labels before any processing. discoveredLabels labels.Labels
// Any labels that are added to this target and its metrics. labels labels.Labels // Additional URL parmeters that are part of the target URL. params url.Values
// populateLabels builds a label set from the given label set and scrape configuration. // It returns a label set before relabeling was applied as the second return value. // Returns the original discovered label set found before relabelling was applied if the target is dropped during relabeling. // 函数根据给定的 labels 和 相关配置的选项,来进行 relabel 的处理,返回的第一个参数为匹配后的结果集,第二个参数返回应用之前的 labels, 如果第一个参数为空,则表示该目标被丢失,比如 action:drop funcpopulateLabels(lset labels.Labels, cfg *config.ScrapeConfig)(res, orig labels.Labels, err error) { // Copy labels into the labelset for the target if they are not set already. scrapeLabels := []labels.Label{ {Name: model.JobLabel, Value: cfg.JobName}, {Name: model.MetricsPathLabel, Value: cfg.MetricsPath}, {Name: model.SchemeLabel, Value: cfg.Scheme}, } lb := labels.NewBuilder(lset)
for _, l := range scrapeLabels { if lv := lset.Get(l.Name); lv == "" { lb.Set(l.Name, l.Value) } } // Encode scrape query parameters as labels. for k, v := range cfg.Params { iflen(v) > 0 { lb.Set(model.ParamLabelPrefix+k, v[0]) } }
// Check if the target was dropped. if lset == nil { returnnil, preRelabelLabels, nil } if v := lset.Get(model.AddressLabel); v == "" { returnnil, nil, fmt.Errorf("no address") }
lb = labels.NewBuilder(lset)
// addPort checks whether we should add a default port to the address. // If the address is not valid, we don't append a port either. addPort := func(s string)bool { // If we can split, a port exists and we don't have to add one. if _, _, err := net.SplitHostPort(s); err == nil { returnfalse } // If adding a port makes it valid, the previous error // was not due to an invalid address and we can append a port. _, _, err := net.SplitHostPort(s + ":1234") return err == nil } addr := lset.Get(model.AddressLabel) // If it's an address with no trailing port, infer it based on the used scheme. if addPort(addr) { // Addresses reaching this point are already wrapped in [] if necessary. switch lset.Get(model.SchemeLabel) { case"http", "": addr = addr + ":80" case"https": addr = addr + ":443" default: returnnil, nil, fmt.Errorf("invalid scheme: %q", cfg.Scheme) } lb.Set(model.AddressLabel, addr) }
// Meta labels are deleted after relabelling. Other internal labels propagate to // the target which decides whether they will be part of their label set. for _, l := range lset { if strings.HasPrefix(l.Name, model.MetaLabelPrefix) { lb.Del(l.Name) } }
// Default the instance label to the target address. if v := lset.Get(model.InstanceLabel); v == "" { lb.Set(model.InstanceLabel, addr) }
res = lb.Labels() for _, l := range res { // Check label values are valid, drop the target if not. if !model.LabelValue(l.Value).IsValid() { returnnil, nil, fmt.Errorf("invalid label value for %q: %q", l.Name, l.Value) } } return res, preRelabelLabels, nil }
// Builder creates a resolver that will be used to watch name resolution updates. type Builder interface { // Build creates a new resolver for the given target. // // gRPC dial calls Build synchronously, and fails if the returned error is // not nil. Build(target Target, cc ClientConn, opts BuildOption) (Resolver, error) // Scheme returns the scheme supported by this resolver. // Scheme is defined at https://github.com/grpc/grpc/blob/master/doc/naming.md. Scheme() string }
Resover 的接口定义如下:
1 2 3 4 5 6 7 8 9 10 11
// Resolver watches for the updates on the specified target. // Updates include address updates and service config updates. type Resolver interface { // ResolveNow will be called by gRPC to try to resolve the target name // again. It's just a hint, resolver can ignore this if it's not necessary. // // It could be called multiple times concurrently. ResolveNow(ResolveNowOption) // Close closes the resolver. Close() }
// NewBuilder creates a dnsBuilder which is used to factory DNS resolvers. funcNewBuilder()resolver.Builder { return &dnsBuilder{minFreq: defaultFreq} }
// dnsResolver watches for the name resolution update for a non-IP target. type dnsResolver struct { freq time.Duration backoff backoff.Exponential retryCount int host string port string ctx context.Context cancel context.CancelFunc cc resolver.ClientConn // rn 是一个 channel, 用于 ResolveNow() 调用的时候强制进行解析 // rn channel is used by ResolveNow() to force an immediate resolution of the target. rn chanstruct{} t *time.Timer // wg 用于等待 watcher 的 goroutine 结束,否则可能导致 data race // wg is used to enforce Close() to return after the watcher() goroutine has finished. // Otherwise, data race will be possible. [Race Example] in dns_resolver_test we // replace the real lookup functions with mocked ones to facilitate testing. // If Close() doesn't wait for watcher() goroutine finishes, race detector sometimes // will warns lookup (READ the lookup function pointers) inside watcher() goroutine // has data race with replaceNetFunc (WRITE the lookup function pointers). wg sync.WaitGroup disableServiceConfig bool }
// Build creates and starts a DNS resolver that watches the name resolution of the target. func(b *dnsBuilder)Build(target resolver.Target, cc resolver.ClientConn, opts resolver.BuildOption)(resolver.Resolver, error) { // ... host, port, err := parseTarget(target.Endpoint)
传入参数 cc resolver.ClientConn,ClientConn 包含 resolver 的回调,以通知 gRPCClientConn 的任何更新。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
// ClientConn contains the callbacks for resolver to notify any updates // to the gRPC ClientConn. // // This interface is to be implemented by gRPC. Users should not need a // brand new implementation of this interface. For the situations like // testing, the new implementation should embed this interface. This allows // gRPC to add new methods to this interface. type ClientConn interface { // NewAddress is called by resolver to notify ClientConn a new list // of resolved addresses. // The address list should be the complete list of resolved addresses. NewAddress(addresses []Address) // NewServiceConfig is called by resolver to notify ClientConn a new // service config. The service config should be provided as a json string. NewServiceConfig(serviceConfig string) }
func(d *dnsResolver)watcher() { defer d.wg.Done() // 设置一个 watcher 死循环,一直在监听 for { select { case <-d.ctx.Done(): // 如果被取消,通过 ctx,则直接结束 for 循环 return case <-d.t.C: // 定时器触发,第一次为0,所以直接通过 case <-d.rn: // rn 是一个 channel, 用于 ResolveNow() 调用的时候强制进行解析 // ResolveNow 的时候操作 ase d.rn <- struct{}{}: } // 开始异步进行解析 result, sc := d.lookup() // Next lookup should happen within an interval defined by d.freq. It may be // more often due to exponential retry on empty address list. iflen(result) == 0 { d.retryCount++ d.t.Reset(d.backoff.Backoff(d.retryCount)) } else { d.retryCount = 0 d.t.Reset(d.freq) } d.cc.NewServiceConfig(sc) // 回调进行通知 d.cc.NewAddress(result) // 回调进行通知 } }
通过 Close 函数的调用来达到停止 watcher 的效果:
1 2 3 4 5 6
// Close closes the dnsResolver. func(d *dnsResolver)Close() { d.cancel() d.wg.Wait() d.t.Stop() }
RR Balancer
Banlancer Builder 接口定义如下:
1 2 3 4 5 6 7 8
// Builder creates a balancer. type Builder interface { // Build creates a new balancer with the ClientConn. Build(cc ClientConn, opts BuildOptions) Balancer // Name returns the name of balancers built by this builder. // It will be used to pick balancers (for example in service config). Name() string }
// Balancer takes input from gRPC, manages SubConns, and collects and aggregates // the connectivity states. // // It also generates and updates the Picker used by gRPC to pick SubConns for RPCs. // // HandleSubConnectionStateChange, HandleResolvedAddrs and Close are guaranteed // to be called synchronously from the same goroutine. // There's no guarantee on picker.Pick, it may be called anytime. type Balancer interface { // HandleSubConnStateChange is called by gRPC when the connectivity state // of sc has changed. // Balancer is expected to aggregate all the state of SubConn and report // that back to gRPC. // Balancer should also generate and update Pickers when its internal state has // been changed by the new state. HandleSubConnStateChange(sc SubConn, state connectivity.State) // HandleResolvedAddrs is called by gRPC to send updated resolved addresses to // balancers. // Balancer can create new SubConn or remove SubConn with the addresses. // An empty address slice and a non-nil error will be passed if the resolver returns // non-nil error to gRPC. HandleResolvedAddrs([]resolver.Address, error) // Close closes the balancer. The balancer is not required to call // ClientConn.RemoveSubConn for its existing SubConns. Close() }
banlancer/base 中实现了大多数 banlancer 功能,不同选择算法的实现,基于 base 实现 pickBuilder 与 picker 接口即可。
base.NewBalancerBuilder 函数定义如下:
1 2 3 4 5 6 7 8 9
// Base 实现的函数 // NewBalancerBuilder returns a balancer builder. The balancers // built by this builder will use the picker builder to build pickers. funcNewBalancerBuilder(name string, pb PickerBuilder)balancer.Builder { return &baseBuilder{ name: name, pickerBuilder: pb, } }
// Name is the name of round_robin balancer. const Name = "round_robin"
// newBuilder creates a new roundrobin balancer builder. funcnewBuilder()balancer.Builder { return base.NewBalancerBuilder(Name, &rrPickerBuilder{}) }
funcinit() { balancer.Register(newBuilder()) }
PickerBuilder 接口定义如下:
1 2 3 4 5 6
// PickerBuilder creates balancer.Picker. type PickerBuilder interface { // Build takes a slice of ready SubConns, and returns a picker that will be // used by gRPC to pick a SubConn. Build(readySCs map[resolver.Address]balancer.SubConn) balancer.Picker }
type rrPicker struct { // subConns is the snapshot of the roundrobin balancer when this picker was // created. The slice is immutable. Each Get() will do a round robin // selection from it and return the selected SubConn. subConns []balancer.SubConn
$ cd$GOPATH/src/ && go install google.golang.org/grpc
$ go get -u github.com/golang/protobuf/{proto,protoc-gen-go}
# go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-grpc-gateway # go get -u github.com/grpc-ecosystem/grpc-gateway/protoc-gen-swagger $ go get -u github.com/golang/protobuf/protoc-gen-go
// Set up a connection to the server. conn, err := grpc.Dial(address, grpc.WithInsecure(), grpc.WithBalancerName()) if err != nil { log.Fatalf("did not connect: %v", err) } defer conn.Close() c := pb.NewGreeterClient(conn)
// Contact the server and print out its response. name := defaultName iflen(os.Args) > 1 { name = os.Args[1] }
// explicitly set our tracer to be the default tracer. opentracing.InitGlobalTracer(tracer) }
funcmain() {
// Logrus entry is used, allowing pre-definition of certain fields by the user. logrusLogger = logrus.New() logrusLogger.SetFormatter(&logrus.JSONFormatter{}) logrusEntry := logrus.NewEntry(logrusLogger) // Shared options for the logger, with a custom gRPC code to log level function.
// Shared options for the logger, with a custom duration to log field function. //opts := []grpc_logrus.Option{ //grpc_logrus.WithDurationField(func(duration time.Duration) (key string, value interface{}) { //return "grpc.time_ns", duration.Nanoseconds() //}), //}
// Make sure that log statements internal to gRPC library are logged using the logrus Logger as well. grpc_logrus.ReplaceGrpcLogger(logrusEntry)
lis, err := net.Listen("tcp", port) if err != nil { log.Fatalf("failed to listen: %v", err) }
// Create a server, make sure we put the grpc_ctxtags context before everything else. s := grpc.NewServer( grpc_middleware.WithUnaryServerChain( grpc_ctxtags.UnaryServerInterceptor(grpc_ctxtags.WithFieldExtractor(grpc_ctxtags.CodeGenRequestFieldExtractor)), grpc_logrus.UnaryServerInterceptor(logrusEntry, opts...), grpc_opentracing.UnaryServerInterceptor(), ), grpc_middleware.WithStreamServerChain( grpc_ctxtags.StreamServerInterceptor(grpc_ctxtags.WithFieldExtractor(grpc_ctxtags.CodeGenRequestFieldExtractor)), grpc_logrus.StreamServerInterceptor(logrusEntry, opts...), grpc_opentracing.StreamServerInterceptor(),
), )
// s := grpc.NewServer() pb.RegisterGreeterServer(s, &server{}) // Register reflection service on gRPC server. reflection.Register(s) if err := s.Serve(lis); err != nil { log.Fatalf("failed to serve: %v", err) } }
Kong is a cloud-native, fast, scalable, and distributed Microservice Abstraction Layer (also known as an API Gateway, API Middleware or in some cases Service Mesh). Made available as an open-source project in 2015, its core values are high performance and extensibility
Kong CE Features
Cloud-Native: Platform agnostic, Kong can run from bare metal to Kubernetes.
Dynamic Load Balancing: Load balance traffic across multiple upstream services.
Hash-based Load Balancing: Load balance with consistent hashing/sticky sessions.
Circuit-Breaker: Intelligent tracking of unhealthy upstream services.
Health Checks: Active and passive monitoring of your upstream services.
Service Discovery: Resolve SRV records in third-party DNS resolvers like Consul.
Serverless: Invoke and secure AWS Lambda or OpenWhisk functions directly from Kong.
WebSockets: Communicate to your upstream services via WebSockets.
OAuth2.0: Easily add OAuth2.0 authentication to your APIs.
Logging: Log requests and responses to your system over HTTP, TCP, UDP, or to disk.
Træfik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Træfik integrates with your existing infrastructure components (Docker, Swarm mode,Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS, …) and configures itself automatically and dynamically. Pointing Træfik at your orchestrator should be the onlyconfiguration step you need.
Traefik Features
Continuously updates its configuration (No restarts!)
Supports multiple load balancing algorithms
Provides HTTPS to your microservices by leveraging Let’s Encrypt (wildcard certificates support)
Ambassador is an open source Kubernetes-native API Gateway built on Envoy, designed for microservices. Ambassador essentially serves as an Envoy ingress controller, but with many more features.
Ambassador Features
Self-service configuration, via Kubernetes annotations
traefik server 启动成功后可以,会启动一个 dashboard 地址,可以通过地址访问 http://172.16.71.9:8080/dashboard/,其中 172.16.71.9 为启动的 IP 地址。
greeter_client 必须使用域名访问,如果使用 IP 地址访问,会导致证书不匹配的错误:
1 2 3
$ go run greeter_client/main.go 2018/08/29 10:01:56 could not greet: rpc error: code = Unavailable desc = all SubConns are in TransientFailure, latest connection error: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for backend.local, not localhost" exit status 1
// Dial with specific Transport (with credentials) conn, err := grpc.Dial("frontend.local:4443", grpc.WithTransportCredentials(credsClient)) if err != nil { log.Fatalf("did not connect: %v", err) }
language: go fprocess: ./handler welcome_message: | You have created a new function which uses Golang 1.9.7. To include third-party dependencies, use a vendoring tool like dep: dep documentation: https://github.com/golang/dep#installation
$ cat Dockerfile FROM golang:1.9.7-alpine3.7 as builder
RUN apk --no-cache add curl \ && echo"Pulling watchdog binary from Github." \ && curl -sSL https://github.com/openfaas/faas/releases/download/0.8.9/fwatchdog > /usr/bin/fwatchdog \ && chmod +x /usr/bin/fwatchdog \ && apk del curl --no-cache
WORKDIR /go/src/handler COPY . .
# Run a gofmt and exclude all vendored code. RUN test -z "$(gofmt -l $(find . -type f -name '*.go' -not -path "./vendor/*" -not -path "./function/vendor/*"))" || { echo"Run \"gofmt -s -w\" on your Golang code"; exit 1; }
RUN CGO_ENABLED=0 GOOS=linux \ go build --ldflags "-s -w" -a -installsuffix cgo -o handler . && \ go test $(go list ./... | grep -v /vendor/) -cover
FROM alpine:3.7 RUN apk --no-cache add ca-certificates
# Add non root user RUN addgroup -S app && adduser -S -g app app RUN mkdir -p /home/app
ADD https://github.com/openfaas/faas/releases/download/0.8.0/fwatchdog /usr/bin RUN chmod +x /usr/bin/fwatchdog
# Define your binary here ENV fprocess="/bin/cat"# 通过环境变量到处 watchdog 需要派生的子进程二进制
CMD ["fwatchdog"] # 必须将 watchdog 作为镜像运行的入口
对于 watchdog 的配置,主要是通过环境变量的方式进行,可以配置的值如下:
Option
Usage
fprocess
The process to invoke for each function call (function process). This must be a UNIX binary and accept input via STDIN and output via STDOUT
cgi_headers
HTTP headers from request are made available through environmental variables - Http_X_Served_Byetc. See section: Handling headers for more detail. Enabled by default
marshal_request
Instead of re-directing the raw HTTP body into your fprocess, it will first be marshalled into JSON. Use this if you need to work with HTTP headers and do not want to use environmental variables via the cgi_headers flag.
content_type
Force a specific Content-Type response for all responses
write_timeout
HTTP timeout for writing a response body from your function (in seconds)
read_timeout
HTTP timeout for reading the payload from the client caller (in seconds)
suppress_lock
The watchdog will attempt to write a lockfile to /tmp/ for swarm healthchecks - set this to true to disable behaviour.
exec_timeout
Hard timeout for process exec’d for each incoming request (in seconds). Disabled if set to 0
write_debug
Write all output, error messages, and additional information to the logs. Default is false
combine_output
True by default - combines stdout/stderr in function response, when set to false stderr is written to the container logs and stdout is used for function response
iflen(hasEnv.Getenv("functions_provider_url")) > 0 { var err error cfg.FunctionsProviderURL, err = url.Parse(hasEnv.Getenv("functions_provider_url")) if err != nil { log.Fatal("If functions_provider_url is provided, then it should be a valid URL.", err) } } // .... }
来源
From: 
