1. Installing Envoy on Ubuntu
~# sudo apt update
~# sudo apt install apt-transport-https gnupg2 curl lsb-release
~# curl -sL 'https://deb.dl.getenvoy.io/public/gpg.8115BA8E629CC074.key' | sudo gpg --dearmor -o /usr/share/keyrings/getenvoy-keyring.gpg
Verify the keyring - this should yield "OK"
~# echo a077cb587a1b622e03aa4bf2f3689de14658a9497a9af2c427bba5f4cc3c4723 /usr/share/keyrings/getenvoy-keyring.gpg | sha256sum --check
~# echo "deb [arch=amd64 signed-by=/usr/share/keyrings/getenvoy-keyring.gpg] https://deb.dl.getenvoy.io/public/deb/ubuntu $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/getenvoy.list
~# sudo apt update
~# sudo apt install -y getenvoy-envoy
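The keyring check above prints "OK" or "FAILED" but, typed step by step at a prompt, a failed check does not stop the next command from adding the repository. The following POSIX shell wrapper is an added example, not part of the original page: it turns the SHA-256 check into a gate, so the apt source line from the steps above is only written when the keyring matches the hash the page gives. The function names verify_keyring and add_getenvoy_repo, the optional LISTFILE argument and the use of GNU coreutils (sha256sum, cut) are assumptions of this example; the hash, repository URL and keyring path are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: gate the repository setup on the
# keyring hash instead of relying on a human reading "OK".
# Assumes GNU coreutils (sha256sum, cut). The hash is the one the page gives.

EXPECTED_KEYRING_SHA256=a077cb587a1b622e03aa4bf2f3689de14658a9497a9af2c427bba5f4cc3c4723

# verify_keyring FILE: return 0 only if FILE's SHA-256 equals
# $EXPECTED_KEYRING_SHA256. "sha256sum --check" at a prompt prints FAILED but
# the next command still runs; this wrapper makes the exit status the gate.
verify_keyring() {
    file=$1
    [ -f "$file" ] || { echo "keyring $file is missing" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$EXPECTED_KEYRING_SHA256" ]; then
        return 0
    fi
    echo "keyring hash mismatch for $file: got $actual" >&2
    return 1
}

# add_getenvoy_repo KEYRING CODENAME [LISTFILE]: write the apt source line the
# page uses, but only after the keyring verifies. LISTFILE defaults to the
# page's /etc/apt/sources.list.d/getenvoy.list (writing there needs root).
add_getenvoy_repo() {
    keyring=$1
    codename=$2
    listfile=${3:-/etc/apt/sources.list.d/getenvoy.list}
    verify_keyring "$keyring" || return 1
    printf 'deb [arch=amd64 signed-by=%s] https://deb.dl.getenvoy.io/public/deb/ubuntu %s main\n' \
        "$keyring" "$codename" > "$listfile"
}
```

After the curl | gpg --dearmor step, run (as root) `add_getenvoy_repo /usr/share/keyrings/getenvoy-keyring.gpg "$(lsb_release -cs)"` and continue with apt update only if it returns 0; a mismatch means the downloaded key is not the one you pinned, and the package signatures it would vouch for should not be trusted.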
2. Installing Envoy on CentOS
[root@node-01 ~]# sudo yum install yum-utils
[root@node-01 ~]# sudo rpm --import 'https://rpm.dl.getenvoy.io/public/gpg.CF716AF503183491.key'
[root@node-01 ~]# curl -sL 'https://rpm.dl.getenvoy.io/public/config.rpm.txt?distro=el&codename=7' > /tmp/tetrate-getenvoy-rpm-stable.repo
[root@node-01 ~]# sudo yum-config-manager --add-repo '/tmp/tetrate-getenvoy-rpm-stable.repo'
[root@node-01 ~]# sudo yum makecache --disablerepo='*' --enablerepo='tetrate-getenvoy-rpm-stable'
[root@node-01 ~]# sudo yum install getenvoy-envoy
3. Building and installing Envoy from source
Download: https://github.com/envoyproxy/envoy/releases
Official docs: https://www.envoyproxy.io/docs/envoy/latest/start/building
Build docs: https://github.com/envoyproxy/envoy/blob/2950cf0afd4bfe48a72d8c475262305c0e258ba1/bazel/README.md
The build steps are omitted here.
4. Running Envoy in Docker
4.1 Available Docker images
The image name column of this table is not preserved on this page; rows are identified by their description, and the tags are given per release line (stable, main) and architecture.

| Description | stable amd64 | stable arm64 | main amd64 | main arm64 |
|---|---|---|---|---|
| Release binary with symbols stripped on top of an Ubuntu Bionic base. | v1.21-latest | v1.21-latest | | |
| Release contrib binary with symbols stripped on top of an Ubuntu Bionic base. | v1.21-latest | v1.21-latest | | |
| Release binary with symbols stripped on top of a distroless base. | v1.21-latest | | | |
| Release binary with symbols stripped on top of a glibc alpine base. | v1.21-latest | | | |
| Release binary with symbols stripped on top of a Windows Server 1809 base. | v1.21-latest | | | |
| Release binary with debug symbols on top of an Ubuntu Bionic base. | v1.21-latest | v1.21-latest | | |
| Release contrib binary with debug symbols on top of an Ubuntu Bionic base. | v1.21-latest | v1.21-latest | | |
| Release binary with symbols stripped on top of an Ubuntu Bionic base. | | | latest | latest |
| Release contrib binary with symbols stripped on top of an Ubuntu Bionic base. | | | latest | latest |
| Release binary with symbols stripped on top of a distroless base. | | | latest | |
| Release binary with symbols stripped on top of a glibc alpine base. | | | latest | |
| Release binary with debug symbols on top of an Ubuntu Bionic base. | | | latest | latest |
| Release contrib binary with debug symbols on top of an Ubuntu Bionic base. | | | latest | latest |
| Release binary with symbols stripped on top of a Windows Server 1809 base. Includes build tools. | | | latest | |
| Build image which includes tools for building multi-arch Envoy and containers. | | | See Docker Hub | See Docker Hub |
4.2 Running with docker-compose
4.2.1 Prepare docker-compose.yaml
~# cat docker-compose.yaml
version: '3'
services:
  envoy:
    image: envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
    ports:
      - "10000:10000"
    volumes:
      - ./envoy.yaml:/etc/envoy/envoy.yaml
    environment:
      - "ENVOY_UID=0"
4.2.2 Run Envoy
~# docker-compose up
4.3 Building an Envoy Docker image
4.3.1 Prepare the Dockerfile
~# cat Dockerfile
FROM envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
COPY envoy.yaml /etc/envoy/envoy.yaml
RUN chmod go+r /etc/envoy/envoy.yaml
4.3.2 Build the image
~# docker build -t envoy:v1 .
4.3.3 Test the image
~# docker run -d --name envoy -p 9901:9901 -p 10000:10000 envoy:v1
5. Common problems
5.1 Permission problems when running as a non-root user
By default, the Envoy Docker image starts as root but then switches to the envoy user that is created in the Docker entrypoint at build time.
To change the uid or gid of the envoy user inside the container: the envoy user's default uid and gid are 101, and both can be set at run time with the ENVOY_UID and ENVOY_GID environment variables.
To run the process inside the container as root, you can set the UID to 0, but doing so may weaken the security of the running container.
For example, this can be done on the Docker command line:
~# docker run -d --name envoy -e ENVOY_UID=777 -e ENVOY_GID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
5.2 Logging permissions inside the Envoy container
By default, the Envoy image sends application logs to /dev/stdout and /dev/stderr, where they can be viewed in the container logs.
If you send application, admin or access logs to a file, the envoy user needs the permissions required to write to that file. This can be achieved by setting the ENVOY_UID, or by giving the envoy user write permission on the file.
~# mkdir logs
~# chown 777 logs
~# docker run -d --name envoy -v $(pwd)/logs:/var/log -e ENVOY_UID=777 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
5.3 Configuration and binary file permissions inside the Envoy container
The envoy user also needs permission to access any configuration files it requires inside the container.
Any binaries specified in the configuration should also be executable by the envoy user.
If running in an environment with a strict umask, you may need to grant Envoy access by setting the ownership or permissions of the files.
One way to do this without changing any file permissions is to start the container with the host user's uid.
~# docker run -d --name envoy -v $(pwd)/envoy.yaml:/etc/envoy/envoy.yaml -e ENVOY_UID=$(id -u) envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
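Sections 5.1 to 5.3 all come down to the same question: can the uid/gid the container will drop to actually read the mounted config and write the mounted log directory? When the answer is unknown, the usual shortcut is ENVOY_UID=0 (as the docker-compose file in 4.2 does), which 5.1 warns against. The following POSIX shell preflight check is an added example, not part of the original page: it evaluates the owner/group/other mode bits of the bind-mounted paths for a chosen uid/gid before docker run, so a non-root uid can be picked deliberately. The function names can_access and preflight, the use of GNU stat -c, and the sample paths are assumptions of this example; the default uid/gid 101 and the ENVOY_UID/ENVOY_GID variables are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: a preflight check for the
# bind-mounted files, so a non-root ENVOY_UID/ENVOY_GID can be chosen with
# confidence instead of falling back to ENVOY_UID=0.
# Assumes GNU stat (-c). Only classic owner/group/other mode bits are modelled
# (no ACLs), which is also all the envoy user inside the image is subject to.

# can_access UID GID PATH MODE: MODE is r, w or x. Returns 0 if a process with
# that uid/gid may access PATH according to the mode bits, 1 otherwise.
can_access() {
    uid=$1; gid=$2; path=$3; want=$4
    [ -e "$path" ] || return 1
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) echo "can_access: bad mode $want" >&2; return 2 ;;
    esac
    set -- $(stat -c '%u %g %a' "$path")
    f_uid=$1; f_gid=$2
    perms=$(printf '%04d' "$3")        # zero-pad so "0" becomes "0000"
    perms=${perms#"${perms%???}"}      # keep the last three octal digits
    owner=${perms%??}
    rest=${perms#?}
    group=${rest%?}
    other=${rest#?}
    if [ "$uid" -eq 0 ]; then
        # root bypasses r/w checks; execute still needs some x bit set
        [ "$want" != x ] && return 0
        [ $(( (owner | group | other) & 1 )) -ne 0 ]
        return
    fi
    if [ "$uid" -eq "$f_uid" ]; then digit=$owner
    elif [ "$gid" -eq "$f_gid" ]; then digit=$group
    else digit=$other
    fi
    [ $((digit & bit)) -ne 0 ]
}

# preflight UID GID CONFIG LOGDIR: check what sections 5.2 and 5.3 require,
# a readable config and a writable, searchable log directory. Prints each
# problem and returns 1 if any check fails, 0 if the uid/gid is usable.
preflight() {
    p_uid=$1; p_gid=$2; config=$3; logdir=$4; rc=0
    can_access "$p_uid" "$p_gid" "$config" r \
        || { echo "uid $p_uid/gid $p_gid cannot read $config" >&2; rc=1; }
    if can_access "$p_uid" "$p_gid" "$logdir" w && can_access "$p_uid" "$p_gid" "$logdir" x; then
        :
    else
        echo "uid $p_uid/gid $p_gid cannot write into $logdir" >&2; rc=1
    fi
    return $rc
}

# Usage against the page's defaults (envoy user 101:101) before docker run:
#   preflight 101 101 ./envoy.yaml ./logs && docker run -d --name envoy \
#     -v "$(pwd)/envoy.yaml:/etc/envoy/envoy.yaml" -v "$(pwd)/logs:/var/log" \
#     -e ENVOY_UID=101 -e ENVOY_GID=101 \
#     envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1
```

If preflight fails, the fix is on the host side (chown or chmod the specific file or directory, as in 5.2, or pass the host user's uid as in 5.3), not a switch to uid 0; the check models the container's view only in so far as the bind mount carries the host's ownership and mode bits through unchanged, which is the case for plain volume mounts.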
5.4 Specifying the port Envoy listens on inside the container
~# docker run -d --name envoy -p 80:8000 envoyproxy/envoy-dev:2950cf0afd4bfe48a72d8c475262305c0e258ba1