Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

connect: write envoy bootstrap debugging info #11975

Merged
merged 1 commit into from
Feb 18, 2022
Merged

connect: write envoy bootstrap debugging info #11975

merged 1 commit into from
Feb 18, 2022

Conversation

schmichael
Copy link
Member

When Consul Connect just works, it's wonderful. When it doesn't work it
can be exceeding difficult to debug: operators have to check task
events, Nomad logs, Consul logs, Consul APIs, and even then critical
information is missing.

Using Consul to generate a bootstrap config for Envoy is notoriously
difficult. Nomad doesn't even log stderr, so operators are left trying
to piece together what went wrong.

This patch attempts to provide maximal context which unfortunately
includes secrets. Secrets are always restricted to the secrets/
directory. This makes debugging a little harder, but allows operators
to know exactly what operation Nomad was trying to perform.

What's added:

  • stderr is sent to alloc/logs/envoy_bootstrap.stderr.0
  • the CLI is written to secrets/.envoy_bootstrap.cmd
  • the environment is written to secrets/.envoy_bootstrap.env as JSON

Accessing this information is unfortunately awkward:

nomad alloc exec -task connect-proxy-count-countdash b36a cat secrets/.envoy_bootstrap.env
nomad alloc exec -task connect-proxy-count-countdash b36a cat secrets/.envoy_bootstrap.cmd
nomad alloc fs b36a alloc/logs/envoy_bootstrap.stderr.0

The above assumes an alloc id that starts with b36a and a Connect
sidecar proxy for a service named count-countdash.

shoenig
shoenig reviewed Feb 2, 2022
View reviewed changes
client/allocrunner/taskrunner/envoy_bootstrap_hook.go Outdated
buf := bytes.NewBuffer(nil)
cmd.Stderr = buf
// Redirect stderr into another file for later debugging.
stderr, fileErr := os.OpenFile(bootstrapStderrPath, os.O_RDWR|os.O_CREATE, 0666)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

does this need to be 0666 and not 0644?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, changed it.

shoenig
shoenig approved these changes Feb 2, 2022
View reviewed changes
Copy link
Member

@shoenig shoenig left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM; just the one suggestion

@vercel vercel bot temporarily deployed to Preview – nomad February 18, 2022 19:58 Inactive
@schmichael
connect: write envoy bootstrap debugging info
d476780 
When Consul Connect just works, it's wonderful. When it doesn't work it
can be exceeding difficult to debug: operators have to check task
events, Nomad logs, Consul logs, Consul APIs, and even then critical
information is missing.

Using Consul to generate a bootstrap config for Envoy is notoriously
difficult. Nomad doesn't even log stderr, so operators are left trying
to piece together what went wrong.

This patch attempts to provide *maximal* context which unfortunately
includes secrets. **Secrets are always restricted to the secrets/
directory.** This makes debugging a little harder, but allows operators
to know exactly what operation Nomad was trying to perform.

What's added:

- stderr is sent to alloc/logs/envoy_bootstrap.stderr.0
- the CLI is written to secrets/.envoy_bootstrap.cmd
- the environment is written to secrets/.envoy_bootstrap.env as JSON

Accessing this information is unfortunately awkward:
```
nomad alloc exec -task connect-proxy-count-countdash b36a cat secrets/.envoy_bootstrap.env
nomad alloc exec -task connect-proxy-count-countdash b36a cat secrets/.envoy_bootstrap.cmd
nomad alloc fs b36a alloc/logs/envoy_bootstrap.stderr.0
```

The above assumes an alloc id that starts with `b36a` and a Connect
sidecar proxy for a service named `count-countdash`.

If the alloc is unable to start successfully, the debugging files are
only accessible from the host filesystem.
@vercel vercel bot temporarily deployed to Preview – nomad February 18, 2022 20:02 Inactive
@schmichael schmichael marked this pull request as ready for review February 18, 2022 20:04
@schmichael schmichael merged commit bdeea4b into main Feb 18, 2022
@schmichael schmichael deleted the f-connect-debugging branch February 18, 2022 21:56
@schmichael schmichael added this to the 1.3.0 milestone Feb 18, 2022
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 28, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@shoenig shoenig shoenig approved these changes

@jazzyfresh jazzyfresh Awaiting requested review from jazzyfresh

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.3.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@schmichael @shoenig