Istio Mixer 容器日志导致高磁盘 space 使用率
Istio Mixer container logs causing high disk space usage
我有一个支持 Istio 的 EKS 集群,我的节点经常 运行 磁盘不足 space。
计算整体磁盘使用率让我找到了 istio-mixer 容器,它有一个 日志文件 使用了超过 50GB 的磁盘space 正常运行时间仅 12 天:
[root@ip-some-ip containers]# pwd
/var/lib/docker/containers
[root@ip-some-ip containers]# du -schx .[!.]* * | sort -h | tail -n 10
66M 8bf5e8ee5a03096c589ad8f53b9e1a3d3088ca67b0064f3796e406f00336b532
73M 657eca261461d10c5b1b81ab3078d2058b931a357395903808b0145b617c1662
101M bb338296ff06ef42ae6177c8a88e63438c26c398a457dc3f5301ffcb4ef2682b
127M 21f2da86055ad76882730abf65d4465386bb85598f797f451e7ad66726243613
134M 9c2be24e8b9345659b6f208c9f2d4650bb1ece11e0c4b0793aa01fdfebadb44e
383M 5d5fdbe6813ddc3ff2f6eb96f62f8317bd73e24730e2f44ebc537367d9987142
419M 475f8dfc74c3df2bc95c47df56e37d1dfb9181fae9aa783dafabba8283023115
592M 9193c50e586e0c7ecaeb87cecd8be13714a5d6ccd6ea63557c034ef56b07772f
52G 9c6b3e4f26603471d0aa9b6a61b3da5a69001e6b9be34432ffa62d577738c149
54G total
[root@ip-192-168-228-194 containers]# du -hs 9c6b3e4*/*.log
52G 9c6b3e4f26603471d0aa9b6a61b3da5a69001e6b9be34432ffa62d577738c149-json.log
[root@ip-ip-some-ip containers]# docker ps -a | grep 9c6b3e4f2660
9c6b3e4f2660 d559bdcd7a88 "/usr/local/bin/mi..." 12 days ago Up 12 days k8s_mixer_istio-telemetry-6b5579595f-fvm5x_istio-system_6324c262-f3b5-11e8-b615-0eccb0bb4724_0
我的问题是:
- 这是预期的日志输出量吗?
- 可以降低混音器日志级别吗?如何?更改它会影响我的遥测指标吗?
- 有配置日志的方法"retention period"?
附加信息:
- Istio v1.0.2(使用官方 helm 图表部署;无自定义配置)
- k8s v1.10.11-eks
- 集群有大约 20 pods 运行 in Istio-enabled namespaces
Mixer 中日志级别的默认值为信息。并且您提供的日志确认您具有此设置。因此,日志中收集了大量冗余信息,并且可以降低某些来源的日志记录级别。
您可以通过两种方式更改它:
无需重启即可正常工作。
在您的日志中,您可以找到以下行:
2018-12-12T17:54:55.461261Z info ControlZ available at 192.168.87.249:9876
这意味着,在 9876 端口上的混合器容器中,您可以找到 Istio ControlZ web 界面。要从安装了 kubectl 的计算机访问它,您需要 运行 以下命令:
kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l istio=mixer,istio-mixer-type=telemetry -o jsonpath='{.items[0].metadata.name}') 9876:9876 &
之后,在您的浏览器中转到 link http://localhost:9876/scopez/,您将看到以下仪表板,您可以在其中更改日志级别:
将 --log_output_level 标志添加到 mixer 容器的 istio-telemetry 部署。
以下是混音器文档中对标志的描述:
--log_output_level string
Comma-separated minimum per-scope logging level of messages to output, in the form of :,:,... where scope can be one of [adapters, api, attributes, default, grpcAdapter, loadshedding] and level can be one of [debug, info, warn, error, none] (default "default:info")
请注意,对于 yaml 文件中的密钥 --log_output_level attributes:warn,api:error,您需要使用以下之一:
- 价值
- --log_output_level=attributes:warn,api:error或
- 值
- --log_output_level 和 - attributes:warn,api:error 在不同的行上
部署示例:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
annotations:
labels:
chart: mixer-1.0.4
istio: mixer
release: istio
name: istio-telemetry
namespace: istio-system
spec:
progressDeadlineSeconds: 600
replicas: 2
revisionHistoryLimit: 10
selector:
matchLabels:
app: telemetry
istio: mixer
istio-mixer-type: telemetry
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
sidecar.istio.io/inject: "false"
creationTimestamp: null
labels:
app: telemetry
istio: mixer
istio-mixer-type: telemetry
spec:
containers:
- args: #Flags for the Mixer process
- --address #Flag on two different lines
- unix:///sock/mixer.socket
- --configStoreURL=k8s:// #Flag with '='
- --configDefaultNamespace=istio-system
- --trace_zipkin_url=http://zipkin:9411/api/v1/spans
- --log_output_level=attributes:warn,api:error # <------ THIS LINE IS WHAT YOU ARE LOOKING FOR
env:
- name: GODEBUG
value: gctrace=2
image: docker.io/istio/mixer:1.0.4
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 3
httpGet:
path: /version
port: 9093
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
name: mixer
ports:
- containerPort: 9093
protocol: TCP
- containerPort: 42422
protocol: TCP
resources:
requests:
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /sock
name: uds-socket
- args:
- proxy
- --serviceCluster
- istio-telemetry
- --templateFile
- /etc/istio/proxy/envoy_telemetry.yaml.tmpl
- --controlPlaneAuthPolicy
- MUTUAL_TLS
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: INSTANCE_IP
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: status.podIP
image: docker.io/istio/proxyv2:1.0.4
imagePullPolicy: IfNotPresent
name: istio-proxy
ports:
- containerPort: 15090
name: http-envoy-prom
protocol: TCP
resources:
requests:
cpu: 10m
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/certs
name: istio-certs
readOnly: true
- mountPath: /sock
name: uds-socket
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccount: istio-mixer-service-account
serviceAccountName: istio-mixer-service-account
terminationGracePeriodSeconds: 30
volumes:
- name: istio-certs
secret:
defaultMode: 420
optional: true
secretName: istio.istio-mixer-service-account
- emptyDir: {}
name: uds-socket
此外,您可以使用以下标志为混合器进程配置日志轮换:
--log_rotate string The path for the optional rotating log file
--log_rotate_max_age int The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
--log_rotate_max_backups int The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
--log_rotate_max_size int The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
但是,我不可能生成大量这样的日志并测试它是如何工作的。
链接:
不幸的是,official documentation 不是很好,但也许它在某种程度上有所帮助。
作为奖励,here 是所有混音器服务器标志的列表。
这就是我解决问题的方法和一些对新 Istio 版本有用的信息。
Istio v1.0.2:
Stdio adapter 生成了大量日志:
The stdio adapter enables Istio to output logs and metrics to the
local machine. Logs and metrics can be directed to Mixer’s standard
output stream, standard error stream, or to any locally reachable
file.
在 Istio v1.0.2 中默认启用此适配器,将日志流式传输到 Mixer 容器 stderr。为了暂时解决这个问题,我 deleted the following rules:
kubectl delete rule stdio --namespace=istio-system
kubectl delete rule stdio-tcp --namespace=istio-system
删除这些规则不会影响 Prometheus 指标(由 another adapter 处理)。
Istio v1.1.0+:
在此版本中,Istio 将 mixer.adapters.stdio.enabled 引入 helm installation options, disabling the stdio adapter by default, and including the following comment:
# stdio is a debug adapter in istio-telemetry, it is not recommended
for production use.
在以下 PR 中进行了更改:
我有一个支持 Istio 的 EKS 集群,我的节点经常 运行 磁盘不足 space。
计算整体磁盘使用率让我找到了 istio-mixer 容器,它有一个 日志文件 使用了超过 50GB 的磁盘space 正常运行时间仅 12 天:
[root@ip-some-ip containers]# pwd
/var/lib/docker/containers
[root@ip-some-ip containers]# du -schx .[!.]* * | sort -h | tail -n 10
66M 8bf5e8ee5a03096c589ad8f53b9e1a3d3088ca67b0064f3796e406f00336b532
73M 657eca261461d10c5b1b81ab3078d2058b931a357395903808b0145b617c1662
101M bb338296ff06ef42ae6177c8a88e63438c26c398a457dc3f5301ffcb4ef2682b
127M 21f2da86055ad76882730abf65d4465386bb85598f797f451e7ad66726243613
134M 9c2be24e8b9345659b6f208c9f2d4650bb1ece11e0c4b0793aa01fdfebadb44e
383M 5d5fdbe6813ddc3ff2f6eb96f62f8317bd73e24730e2f44ebc537367d9987142
419M 475f8dfc74c3df2bc95c47df56e37d1dfb9181fae9aa783dafabba8283023115
592M 9193c50e586e0c7ecaeb87cecd8be13714a5d6ccd6ea63557c034ef56b07772f
52G 9c6b3e4f26603471d0aa9b6a61b3da5a69001e6b9be34432ffa62d577738c149
54G total
[root@ip-192-168-228-194 containers]# du -hs 9c6b3e4*/*.log
52G 9c6b3e4f26603471d0aa9b6a61b3da5a69001e6b9be34432ffa62d577738c149-json.log
[root@ip-ip-some-ip containers]# docker ps -a | grep 9c6b3e4f2660
9c6b3e4f2660 d559bdcd7a88 "/usr/local/bin/mi..." 12 days ago Up 12 days k8s_mixer_istio-telemetry-6b5579595f-fvm5x_istio-system_6324c262-f3b5-11e8-b615-0eccb0bb4724_0
我的问题是:
- 这是预期的日志输出量吗?
- 可以降低混音器日志级别吗?如何?更改它会影响我的遥测指标吗?
- 有配置日志的方法"retention period"?
附加信息:
- Istio v1.0.2(使用官方 helm 图表部署;无自定义配置)
- k8s v1.10.11-eks
- 集群有大约 20 pods 运行 in Istio-enabled namespaces
Mixer 中日志级别的默认值为信息。并且您提供的日志确认您具有此设置。因此,日志中收集了大量冗余信息,并且可以降低某些来源的日志记录级别。
您可以通过两种方式更改它:
无需重启即可正常工作。
在您的日志中,您可以找到以下行:
2018-12-12T17:54:55.461261Z info ControlZ available at 192.168.87.249:9876这意味着,在 9876 端口上的混合器容器中,您可以找到 Istio ControlZ web 界面。要从安装了
kubectl的计算机访问它,您需要 运行 以下命令:kubectl -n istio-system port-forward $(kubectl -n istio-system get pod -l istio=mixer,istio-mixer-type=telemetry -o jsonpath='{.items[0].metadata.name}') 9876:9876 &之后,在您的浏览器中转到 link http://localhost:9876/scopez/,您将看到以下仪表板,您可以在其中更改日志级别:
将
--log_output_level标志添加到mixer容器的istio-telemetry部署。以下是混音器文档中对标志的描述:
--log_output_level string
Comma-separated minimum per-scope logging level of messages to output, in the form of :,:,... where scope can be one of [adapters, api, attributes, default, grpcAdapter, loadshedding] and level can be one of [debug, info, warn, error, none] (default "default:info")请注意,对于 yaml 文件中的密钥
--log_output_level attributes:warn,api:error,您需要使用以下之一:- 价值
- --log_output_level=attributes:warn,api:error或 - 值
- --log_output_level和- attributes:warn,api:error在不同的行上
部署示例:
apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: labels: chart: mixer-1.0.4 istio: mixer release: istio name: istio-telemetry namespace: istio-system spec: progressDeadlineSeconds: 600 replicas: 2 revisionHistoryLimit: 10 selector: matchLabels: app: telemetry istio: mixer istio-mixer-type: telemetry strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: annotations: scheduler.alpha.kubernetes.io/critical-pod: "" sidecar.istio.io/inject: "false" creationTimestamp: null labels: app: telemetry istio: mixer istio-mixer-type: telemetry spec: containers: - args: #Flags for the Mixer process - --address #Flag on two different lines - unix:///sock/mixer.socket - --configStoreURL=k8s:// #Flag with '=' - --configDefaultNamespace=istio-system - --trace_zipkin_url=http://zipkin:9411/api/v1/spans - --log_output_level=attributes:warn,api:error # <------ THIS LINE IS WHAT YOU ARE LOOKING FOR env: - name: GODEBUG value: gctrace=2 image: docker.io/istio/mixer:1.0.4 imagePullPolicy: IfNotPresent livenessProbe: failureThreshold: 3 httpGet: path: /version port: 9093 scheme: HTTP initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 name: mixer ports: - containerPort: 9093 protocol: TCP - containerPort: 42422 protocol: TCP resources: requests: cpu: 10m terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /sock name: uds-socket - args: - proxy - --serviceCluster - istio-telemetry - --templateFile - /etc/istio/proxy/envoy_telemetry.yaml.tmpl - --controlPlaneAuthPolicy - MUTUAL_TLS env: - name: POD_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: apiVersion: v1 fieldPath: metadata.namespace - name: INSTANCE_IP valueFrom: fieldRef: apiVersion: v1 fieldPath: status.podIP image: docker.io/istio/proxyv2:1.0.4 imagePullPolicy: IfNotPresent name: istio-proxy ports: - containerPort: 15090 name: http-envoy-prom protocol: TCP resources: requests: cpu: 10m terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /etc/certs name: istio-certs readOnly: true - mountPath: /sock name: uds-socket dnsPolicy: ClusterFirst restartPolicy: Always schedulerName: default-scheduler securityContext: {} serviceAccount: istio-mixer-service-account serviceAccountName: istio-mixer-service-account terminationGracePeriodSeconds: 30 volumes: - name: istio-certs secret: defaultMode: 420 optional: true secretName: istio.istio-mixer-service-account - emptyDir: {} name: uds-socket- 价值
此外,您可以使用以下标志为混合器进程配置日志轮换:
--log_rotate string The path for the optional rotating log file
--log_rotate_max_age int The maximum age in days of a log file beyond which the file is rotated (0 indicates no limit) (default 30)
--log_rotate_max_backups int The maximum number of log file backups to keep before older files are deleted (0 indicates no limit) (default 1000)
--log_rotate_max_size int The maximum size in megabytes of a log file beyond which the file is rotated (default 104857600)
但是,我不可能生成大量这样的日志并测试它是如何工作的。
链接:
不幸的是,official documentation 不是很好,但也许它在某种程度上有所帮助。
作为奖励,here 是所有混音器服务器标志的列表。
这就是我解决问题的方法和一些对新 Istio 版本有用的信息。
Istio v1.0.2:
Stdio adapter 生成了大量日志:
The stdio adapter enables Istio to output logs and metrics to the local machine. Logs and metrics can be directed to Mixer’s standard output stream, standard error stream, or to any locally reachable file.
在 Istio v1.0.2 中默认启用此适配器,将日志流式传输到 Mixer 容器 stderr。为了暂时解决这个问题,我 deleted the following rules:
kubectl delete rule stdio --namespace=istio-system
kubectl delete rule stdio-tcp --namespace=istio-system
删除这些规则不会影响 Prometheus 指标(由 another adapter 处理)。
Istio v1.1.0+:
在此版本中,Istio 将 mixer.adapters.stdio.enabled 引入 helm installation options, disabling the stdio adapter by default, and including the following comment:
# stdio is a debug adapter in istio-telemetry, it is not recommended for production use.
在以下 PR 中进行了更改: