Author: jpuyy

  • shell: iterate over 0-f

    for i in `seq 0 15`
    do
    letter=$(printf '%#x' $i | sed -e 's/0x//g')
    echo $letter
    done
    
  • git-crypt

    gpg --list-secret-keys
    gpg --list-keys
    
    

    Export the secret key

    gpg --export-secret-keys YOUR_ID_HERE > private.key
    

    Import the secret key

    gpg --import private.key
    

    List the encrypted files

    git-crypt status

    Decrypt the whole repo

    git-crypt unlock
  • istio-pilot pod

    The istio-pilot pod contains two containers: discovery and istio-proxy

    The discovery container runs one process, pilot-discovery

    kubectl exec -it istio-pilot-8bdcc884d4-hj8k6 -n istio-system -c discovery -- /bin/bash
    

    The istio-proxy container runs two processes: pilot-agent and envoy

    kubectl exec -it istio-pilot-8bdcc884d4-hj8k6 -n istio-system -c istio-proxy -- /bin/bash
    ps aux | grep ''
    /usr/local/bin/pilot-agent proxy --domain istio-system.svc.cluster.local --serviceCluster istio-pilot --templateFile /etc/istio/proxy/envoy_pilot.yaml.tmpl --controlPlaneAuthPolicy MUTUAL_TLS --log_output_level=default:info
    # pilot-agent runs in sidecar mode
    
    
    
  • truncate a log file

    The file is too large: tens of GB

    ls -lhai newrelic_agent.log
    truncate -s 0 newrelic_agent.log
    ls -lhai newrelic_agent.log
    

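    The inode number and the file permissions are unchanged before and after truncation.
    After truncating, run tail -f newrelic_agent.log to check that the file is still being written normally.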

    How to empty (truncate) Log files in Linux
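
The check described above (same inode and permissions, writer still able to append), as an added shell example that is not from the original notes. The function names, the temporary file and fd 9 are assumptions, and `stat -c` is the GNU coreutils form.

```shell
#!/usr/bin/env bash
# Added example: truncate a log in place and verify the file identity is unchanged.

# Print "inode mode uid:gid" for a file (GNU stat).
file_identity() {
  stat -c '%i %a %u:%g' "$1"
}

# Truncate $1 to zero bytes; fail if inode, mode or owner changed.
truncate_in_place() {
  local f="$1" before after
  # Refuse symlinks and non-regular files: truncate follows symlinks.
  [ -f "$f" ] && [ ! -L "$f" ] || return 2
  before=$(file_identity "$f") || return 2
  truncate -s 0 "$f" || return 1
  after=$(file_identity "$f")
  [ "$before" = "$after" ]
}

# Constructed demo: a writer that holds the file open in append mode keeps
# writing to the same inode after truncation.
demo() {
  local dir log
  dir=$(mktemp -d) || return 1
  log="$dir/agent.log"
  ( umask 077; : > "$log" )
  exec 9>>"$log"              # long-lived appender, standing in for the agent
  echo "old line" >&9
  truncate_in_place "$log" || { exec 9>&-; rm -rf "$dir"; return 1; }
  echo "new line" >&9         # O_APPEND: lands at the new end of file (offset 0)
  exec 9>&-
  cat "$log"
  rm -rf "$dir"
}
```

A writer that opened the file without append mode would keep its old offset and leave a sparse hole at the start of the file, which is why the `tail -f` check after truncation matters.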

  • k8s: access the apiserver from inside a container

    kubectl exec -it cassandra-0 -n noah -- bash
    
    TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
    
    curl https://kubernetes.default.svc.cluster.local/api/v1/namespaces/noah/endpoints/cassandra --header "Authorization: Bearer $TOKEN" --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
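
To see which identity that mounted token presents to the apiserver, this added example (not from the original notes) decodes the claims of a service-account JWT without verifying its signature. The sample token is constructed, and the `default` service-account name and the helper function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example: inspect which identity a service-account token carries.

# Decode one base64url segment (JWTs use the URL-safe alphabet, no padding).
b64url_decode() {
  local s
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
    1) return 1 ;;            # not a valid base64 length
  esac
  printf '%s' "$s" | base64 -d
}

# Print the JSON claims (second dot-separated segment) of a JWT.
jwt_claims() {
  local payload
  case "$1" in *.*.*) ;; *) return 1 ;; esac
  payload=$(printf '%s' "$1" | cut -d. -f2)
  b64url_decode "$payload"
}

# Extract one top-level string claim without jq.
# Assumes compact JSON ("key":"value") and a key without regex characters.
jwt_claim() {
  jwt_claims "$1" | sed -n 's/.*"'"$2"'":"\([^"]*\)".*/\1/p'
}

# Constructed sample token: claims built here, signature is a placeholder.
b64url_encode() { base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample_token() {
  local h c
  h=$(printf '%s' '{"alg":"RS256","typ":"JWT"}' | b64url_encode)
  c=$(printf '%s' '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:noah:default"}' | b64url_encode)
  printf '%s.%s.%s' "$h" "$c" "c2lnbmF0dXJl"
}

# Inside a pod the real input would be:
#   jwt_claim "$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" sub
```

The `sub` claim has the form `system:serviceaccount:<namespace>:<name>`, which is the subject to look for in RoleBindings when reviewing what the pod is allowed to read.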
    
    
  • istio operations notes

    docker desktop

    Check the istio version

    istioctl version --remote
    client version: 1.5.1
    control plane version: 1.4.0
    data plane version: 1.4.0 (114 proxies)
    
    bin/istioctl manifest versions
    Operator version is 1.4.5.
    
    The following installation package versions are recommended for use with this version of the operator:
      1.4.3
    
    The following installation package versions are supported for upgrade by this version of the operator:
      >=1.3.3
       <1.6
    

    Proxy status

    istioctl proxy-status
    

    View the istio-proxy configuration

    kubectl -n istio-system exec istio-ingressgateway-7f648d44cf-dkdkp -c istio-proxy -- curl -s 127.0.0.1:15000/help
    admin commands are:
      /: Admin home page
      /certs: print certs on machine
      /clusters: upstream cluster status
      /config_dump: dump current Envoy configs (experimental)
      /contention: dump current Envoy mutex contention stats (if enabled)
      /cpuprofiler: enable/disable the CPU profiler
      /drain_listeners: drain listeners
      /healthcheck/fail: cause the server to fail health checks
      /healthcheck/ok: cause the server to pass health checks
      /heapprofiler: enable/disable the heap profiler
      /help: print out list of admin commands
      /hot_restart_version: print the hot restart compatibility version
      /listeners: print listener info
      /logging: query/change logging levels
      /memory: print current allocation/heap usage
      /quitquitquit: exit the server
      /ready: print server state, return 200 if LIVE, otherwise return 503
      /reset_counters: reset all counters to zero
      /runtime: print runtime values
      /runtime_modify: modify runtime values
      /server_info: print server version/status information
      /stats: print server stats
      /stats/prometheus: print server stats in prometheus format
      /stats/recentlookups: Show recent stat-name lookups
      /stats/recentlookups/clear: clear list of stat-name lookups and counter
      /stats/recentlookups/disable: disable recording of reset stat-name lookup names
      /stats/recentlookups/enable: enable recording of reset stat-name lookup names
    
    

    Open the dashboards

    istioctl dashboard --help
    Access to Istio web UIs
    
    Usage:
      istioctl dashboard [flags]
      istioctl dashboard [command]
    
    Aliases:
      dashboard, dash, d
    
    Available Commands:
      controlz    Open ControlZ web UI
      envoy       Open Envoy admin web UI
      grafana     Open Grafana web UI
      jaeger      Open Jaeger web UI
      kiali       Open Kiali web UI
      prometheus  Open Prometheus web UI
      zipkin      Open Zipkin web UI
    
    Flags:
      -h, --help   help for dashboard
    
    Global Flags:
          --context string            The name of the kubeconfig context to use
      -i, --istioNamespace string     Istio system namespace (default "istio-system")
      -c, --kubeconfig string         Kubernetes configuration file
          --log_output_level string   Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>,... where scope can be one of [ads, all, analysis, attributes, authn, cache, citadelclient, configmapcontroller, default, googleca, grpcAdapter, installer, mcp, model, patch, processing, rbac, resource, sds, secretfetcher, source, stsclient, tpath, translator, util, validation, vault] and level can be one of [debug, info, warn, error, fatal, none] (default "default:info,validation:error,processing:error,source:error,analysis:warn,installer:warn,translator:warn")
      -n, --namespace string          Config namespace
    
    Use "istioctl dashboard [command] --help" for more information about a command.
    

    View the proxy config (abbreviated pc): show the endpoints of a given service as held by the istio-proxy of the specified pod

    istioctl proxy-config endpoint servicefoo.app | grep servicebar
    

    Check authn

    istioctl authn tls-check istio-ingressgateway-7f837d44cf-f6vdm.istio-system
    
    
    

    Change the log level to debug

    curl -X POST 'http://localhost:15000/logging?level=debug'
    curl http://localhost:15000/server_info
    {
     "version": "07581234567ae48193a43ff6d86572968ae00e7/1.12.0/Clean/RELEASE/BoringSSL",
     "state": "LIVE",
     "hot_restart_version": "11.104",
     "command_line_options": {
      "base_id": "0",
      "concurrency": 8,
      "config_path": "/etc/istio/proxy/envoy-rev1.json",
      "config_yaml": "",
      "allow_unknown_static_fields": false,
      "reject_unknown_dynamic_fields": false,
      "admin_address_path": "",
      "local_address_ip_version": "v4",
      "log_level": "warning",
      "component_log_level": "misc:error",
      "log_format": "[Envoy (Epoch 1)] [%Y-%m-%d %T.%e][%t][%l][%n] %v",
      "log_path": "",
      "service_cluster": "istio-ingressgateway",
      "service_node": "router~10.74.24.9~istio-ingressgateway-7f123456cf-9qrvk.istio-system~istio-system.svc.cluster.local",
      "service_zone": "",
      "mode": "Serve",
      "max_stats": "0",
      "max_obj_name_len": "0",
      "disable_hot_restart": false,
      "enable_mutex_tracing": false,
      "restart_epoch": 1,
      "cpuset_threads": false,
      "file_flush_interval": "10s",
      "drain_time": "45s",
      "parent_shutdown_time": "60s"
     },
     "uptime_current_epoch": "275710s",
     "uptime_all_epochs": "815942s"
    }
    

    PodDisruptionBudget policy

    kubectl get PodDisruptionBudget -n istio-system
    NAME                           MIN AVAILABLE   MAX UNAVAILABLE   ALLOWED DISRUPTIONS   AGE
    ingressgateway                 1               N/A               1                     208d
    istio-citadel                  1               N/A               0                     208d
    istio-egressgateway            1               N/A               1                     208d
    istio-galley                   1               N/A               0                     208d
    istio-ingressgateway           1               N/A               1                     208d
    istio-metrics-ingressgateway   1               N/A               1                     208d
    istio-pilot                    1               N/A               1                     208d
    istio-policy                   1               N/A               1                     208d
    istio-sidecar-injector         1               N/A               0                     208d
    istio-telemetry                1               N/A               1                     208d
    

    istio certificate expiry

    root-cert.pem: ten years
    ca-cert.pem: two years