My new open source book, Istio and Envoy Insider, has just reached a milestone, so I want to introduce it.
Overview of this book
This book is called Istio & Envoy Insider. It is a book in progress, now in draft stage.
What this book is about
This book includes an Envoy source code deep dive, an in-depth analysis of Envoy fundamentals, and an analysis of Istio fundamentals. But it is not a traditional "deep dive into xyz source code" type of book. On the contrary, I have done my best not to paste source code directly into the book. Reading source code is a necessary step to grasp the details of an implementation, but browsing source code in a book is generally a very bad experience. So this book uses source code navigation diagrams to let readers understand the full picture of the implementation, rather than getting lost in fragmented source code snippets and forgetting the whole.
In this book, I’ve tried to think as systematically as possible from a design and implementation perspective:
- The design and implementation details of Envoy
- Why Istio is what it is
- The Truth Behind Those Magic Configurations: Linux + Envoy
- How traffic is intercepted to the Envoy using Linux’s netfilter technology.
- How istiod programs the Envoy to fulfill the traffic policies of the Service Mesh.
- What Istio might look like in the future
The book is just a collection of thoughts and notes after I’ve been researching and using Istio for a while. I’ve just been troubleshooting some Istio/Envoy related functionality and performance issues, and browsing and debugging some Istio/Envoy code.
While diving into Istio, I found that there is a lot of valuable information on the Internet. However, either it is written mainly from the user's point of view and does not talk about the implementation mechanism, or it does talk about the mechanism but the content lacks systematization and consistency.
What this book is not
This book is not a user's manual. It does not teach Istio from a user's point of view, it does not preach how powerful Istio is, and it does not teach how to use Istio; there are already too many excellent books, articles, and documents on that topic.
🤷 : Yet, another Istio User Guide?
🙅 : No!
Target Audience
This book focuses on the design and implementation mechanism of Istio/Envoy. It is assumed that the reader already has some experience in using Istio and is interested in further studying its implementation mechanism.
Book access address
About the Author
My name is Mark Zhu, a middle-aged programmer with little hair. I’m not an Istio expert, not even an Istio Committer, not even an employee of a major Internet company.
Why do I learn from others and write a book when my level is limited? Because of this sentence:
You don’t need to be great to get started, but you do need to get started to be great.
To make it easier for readers to follow the book's updates:
- Blog(English, RSS subscription supported): https://blog.mygraphql.com/en/
- Medium: Mark Zhu
- Blog(Chinese): https://blog.mygraphql.com/
Participate in writing
If you are also interested in writing this book, feel free to contact me.
Thanks to the fellow who opened Issues 🌻
- tanjunchen: lots of very good comments on the reading experience and typography.
Dedication 💞
First, to my dear parents, for showing me how to live a happy and productive life. To my dear wife and our amazing kid — thanks for all your love and patience.
Copyleft Disclaimer
If you reproduce or modify any text or image, please give credit to the original source.
Feedback
As this is an open source interactive book, feedback from readers is of course very important. If you find a mistake in the book, or have a better suggestion, you may want to submit an Issue: https://github.com/labilezhu/istio-insider/issues
Chinese version
There is a Chinese version: 中文版.
Catalog
- Istio Architecture
- Istio Overall Architecture
- Concepts of Service Mesh
- Concepts of service invocation relationships
- Upstream & Downstream
- Upstream Cluster & Downstream Cluster
- Inbound & Outbound
- Istio Ports and Components
- Listening on ports
- iptables
- Connections
- Miscellaneous Ops guide
- Packet captures
- Miraculous 127.0.0.6
- Ending words
- Istio Data Plane Architecture
- netfilter/iptables
- Inside Envoy
- Native Programmable Proxy
- Envoy Proxy Architecture - A little history
- Why C++?
- Envoy Proxy L1 architecture
- Envoy Configuration Example under Istio
- Experimental Environment
- Inbound Data Flow “Inference”
- Examining data flow with logs
- Outbound data stream “extrapolation”
- Checking the stream with bpftrace
- Envoy main process and concepts
- upstream/upstream
- Envoy Architecture
- Source code design
- Design Patterns and Jargon
- Subsystems
- Event-driven vs. threaded model
- General flow of HTTP Reverse Proxy
- Downstream TCP connection establishment
- Event Handling Abstraction Framework
- libevent Core Ideas
- Extended reading
- Listener
- Listener example
- Listener internal components
- Listener related components and startup sequence
- The proof process
- Network Filter
- Network Filter Chains
- Network Filter
- Network Filter Framework Design Concepts
- Network Filter object relationships
- Network Filter Framework Design Details
- Extended Reading
- http connection manager
- http filter abstract object definition
- http filter C++ class relationships
- Router
- Extended Reading
- HTTP/1.1 Stream (draft)
- Flow Control
- Some flow control terms
- TCP flow control implementation
- HTTP2 Flow Control Implementation
- Ref.
- Envoy request and response scheduling
- Request and Response Scheduling
- Related Components
- Related monitoring metrics
- Envoy request scheduling flow
- Request and Response Scheduling Timeline
- Summary
- HTTP Timeout setting(draft)
- Some interesting extended reading
- HTTP Connection Lifecycle Management
- Upstream/Downstream connection uncoupling
- Connection timeout related configuration parameters
- idle_timeout
- max_connection_duration
- max_requests_per_connection
- drain_timeout — for downstream only
- delayed_close_timeout — for downstream only
- Racing conditions after Envoy connection closure
- Racing conditions after an Envoy connection is closed
- Circuit Breaking(Draft)
- Ref.
- Istio and Envoy Metrics
- Overview of Istio and Envoy metrics
- Envoy Metrics
- Istio metrics
- Implementation of Envoy metrics (draft)
- Metrics on Envoy request and response timing lines
- Istio/Envoy Performance
- Articles from my blog
- Factors Affecting Performance — Design Capacity
- Benchmark
- Analyzing Istio Performance
- Disruptions and Recovery
- worker node disruptions
- Observability
- Ref
- Troubleshooting
- Decrypt and Dump TLS Traffic
- TLS key log feature
- Envoy Key Log configuration
- extensions.transport_sockets.tls.v3.TlsKeyLog
- Decryption Tools
- Key Log Format
- Ref
- TCP Proxy half-closed connection leak for 1 hour in some scenarios
- Base knowledge
- Conntrack base knowledge
- TCP
- Conntrack table
- Environment
- Testing POD
- TCP service pod
- enable conntrack’s invalid packet log on Testing POD
- skills
- nsenter network namespace
- socket leak & occupy on FIN_WAIT2
- 1. TCPProxy: connections ESTABLISHED
- 2. TCPProxy: upstream service active close connection
- 3. After 60s, the conntrack table CLOSE_WAIT entry times out
- 4. App closes the connection — the FIN does not reach the peer
- App outbound connection timed out because the App selected an ephemeral port that collides with an existing socket on the 15001 (outbound) listener
- Base knowledge
- TCP
- TCP Challenge ACK
- Conntrack table
- Environment
- Testing POD
- TCP service pod
- enable conntrack’s invalid packet log on Testing POD
- New connection timeout
- App build connection on the same ephemeral port
- Case 1: connect times out due to a colliding ephemeral port
- Case 2: connect on a colliding ephemeral port, but the sequence number happens to fall within the TCP window of the old connection
- Skills
- Developing Istio
- Istio Data Plane
- istio-proxy
- Debugging Envoy sidecar C++ code in an Istio mesh
- Introduction
- My motivation
- Architecture
- Environment Assumption
- Environment construction steps
- FAQ
- A more cloud-native flavor of remote debugging
- Debugging and observing the startup of the istio-proxy Envoy sidecar
- The Difficulty of initialization debugging
- Envoy’s startup attach method
- Appendices — some memos to myself
- Istio Control Plane
- Debug Istiod
- Reference list for getting started with Istio development
- Code Description
- Design documentations
- Development environment
- Istio project health dashboard
- discuss
- Participation in the development of Istio
- Workgroup