Docs for Unix Domain Sockets #10252
Merged
Docs for Unix Domain Sockets #10252
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
the
type/docs
|
🤔 This PR has changes in the |
markan
added
the
pr/no-changelog
thomashashi
reviewed
May 21, 2021
| @@ -117,6 +118,10 @@ registering a proxy instance. | |||
| Defaults to the port advertised by the service instance identified by | |||
| `destination_service_id` if it exists otherwise it may be empty in responses. | |||
|
|
|||
| - `local_service_socket_path` - The path of a unix domain socket to connect to the local application | |||
There was a problem hiding this comment.
Both unix and Unix are used — do we have a stylistic guide which recommends one over the other, for consistency?
|
I made one stylistic comment, otherwise looks good to me. I feel like an example of use would belong on the Learn website, maybe with a link in any relevant place from the consul.io docs. |
blake
requested changes
May 25, 2021
There was a problem hiding this comment.
Looks good! I made a few suggestions.
Also a couple of the code examples were in JSON, while others were in HCL. May I suggest using the Tabs component to add examples for both? For example:
<Tabs>
<Tab heading="HCL">
destination_name = "service-1"
local_bind_socket_path = "/tmp/socket_service_1"
</Tab>
<Tab heading="JSON">
{
"destination_name": "service-1",
"local_bind_socket_path": "/tmp/socket_service_1"
}
</Tab>
</Tabs>
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
Comment on lines
418
to
420
| Again, the socket_path and local_service_socket_path fields conflict | ||
| with address/port and local_service_address/local_service_port | ||
| configuration entries. |
There was a problem hiding this comment.
Suggested change
| Again, the socket_path and local_service_socket_path fields conflict | |
| with address/port and local_service_address/local_service_port | |
| configuration entries. | |
| Again, the `socket_path` and `local_service_socket_path` fields conflict | |
| with `address`/`port` and `local_service_address`/`local_service_port` | |
| configuration options. |
johncowen
added a commit
that referenced
this pull request
May 26, 2021
hc-github-team-consul-core
pushed a commit
that referenced
this pull request
May 26, 2021
markan
commented
May 27, 2021
| @@ -81,6 +81,7 @@ registering a proxy instance. | |||
| "destination_service_id": "redis1", | |||
| "local_service_address": "127.0.0.1", | |||
| "local_service_port": 9090, | |||
| "local_service_socket_path": "/tmp/redis.sock", | |||
There was a problem hiding this comment.
@hashicorp/consul-docs team. I've listed this option because 'this shows all the options available'. However it conflicts with local_service_address, so this actual example doesn't work. I think this could generate confusion, but I don't have a great idea how to handle this.
blake
reviewed
Jun 1, 2021
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
website/content/docs/connect/registration/service-registration.mdx
Outdated
Show resolved
Hide resolved
blake
approved these changes
Jun 4, 2021
|
|
||
| The mode field is optional, and if omitted will use the default mode | ||
| for Envoy. This is not applicable for abstract sockets. See | ||
| https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe |
There was a problem hiding this comment.
Suggested change
| https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe | |
| <https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe> |
Is this automatically rendered as a link on the site? If not, adding the angle brackets should do this in markdown.
There are a number of cases where a user might wish to either 1)
expose a service through a Unix Domain Socket in the filesystem
('downstream') or 2) connect to an upstream service by a local unix
domain socket (upstream).
As of Consul (1.10-beta2) we've added new syntax and support to configure
the Envoy proxy to support this
To connect to a service via local Unix Domain Socket instead of a
port, add local_bind_socket_path and optionally local_bind_socket_mode
to the upstream config for a service:
upstreams = [
{
destination_name = "service-1"
local_bind_socket_path = "/tmp/socket_service_1"
local_bind_socket_mode = "0700"
...
}
...
]
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1
The mode field is optional, and if omitted will use the default mode
for Envoy. This is not applicable for abstract sockets. See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe
for details
NOTE: These options conflict the local_bind_socket_port and
local_bind_socket_address options. We can bind to an port or we can
bind to a socket, but not both.
To expose a service listening on a Unix Domain socket to the service
mesh use either the 'socket_path' field in the service definition or the
'local_service_socket_path' field in the proxy definition. These
fields are analogous to the 'port' and 'service_port' fields in their
respective locations.
services {
name = "service-2"
socket_path = "/tmp/socket_service_2"
...
}
OR
proxy {
local_service_socket_path = "/tmp/socket_service_2"
...
}
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.
Again, the socket_path and local_service_socket_path fields conflict
with address/port and local_service_address/local_service_port
configuration entries.
Set up a simple service mesh with dummy services:
socat -d UNIX-LISTEN:/tmp/downstream.sock,fork UNIX-CONNECT:/tmp/upstream.sock
socat -v tcp-l:4444,fork exec:/bin/cat
services {
name = "sock_forwarder"
id = "sock_forwarder.1"
socket_path = "/tmp/downstream.sock"
connect {
sidecar_service {
proxy {
upstreams = [
{
destination_name = "echo-service"
local_bind_socket_path = "/tmp/upstream.sock"
config {
passive_health_check {
interval = "10s"
max_failures = 42
}
}
}
]
}
}
}
}
services {
name = "echo-service"
port = 4444
connect = { sidecar_service {} }
Kind = "ingress-gateway"
Name = "ingress-service"
Listeners = [
{
Port = 8080
Protocol = "tcp"
Services = [
{
Name = "sock_forwarder"
}
]
}
]
consul agent -dev -enable-script-checks -config-dir=./consul.d
consul connect envoy -sidecar-for sock_forwarder.1
consul connect envoy -sidecar-for echo-service -admin-bind localhost:19001
consul config write ingress-gateway.hcl
consul connect envoy -gateway=ingress -register -service ingress-service -address '{{ GetInterfaceIP "eth0" }}:8888' -admin-bind localhost:19002
netcat 127.0.0.1 4444
netcat 127.0.0.1 8080
Signed-off-by: Mark Anderson <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
….mdx Co-authored-by: Blake Covarrubias <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
Co-authored-by: Blake Covarrubias <[email protected]>
Signed-off-by: Mark Anderson <[email protected]>
|
🍒 If backport labels were added before merging, cherry-picking will start automatically. To retroactively trigger a backport after merging, add backport labels and re-run https://circleci.com/gh/hashicorp/consul/381445. |
|
🍒✅ Cherry pick of commit 1bf3dc5 onto |
hc-github-team-consul-core
pushed a commit
that referenced
this pull request
Jun 5, 2021
* Docs for Unix Domain Sockets
There are a number of cases where a user might wish to either 1)
expose a service through a Unix Domain Socket in the filesystem
('downstream') or 2) connect to an upstream service by a local unix
domain socket (upstream).
As of Consul (1.10-beta2) we've added new syntax and support to configure
the Envoy proxy to support this
To connect to a service via local Unix Domain Socket instead of a
port, add local_bind_socket_path and optionally local_bind_socket_mode
to the upstream config for a service:
upstreams = [
{
destination_name = "service-1"
local_bind_socket_path = "/tmp/socket_service_1"
local_bind_socket_mode = "0700"
...
}
...
]
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1
The mode field is optional, and if omitted will use the default mode
for Envoy. This is not applicable for abstract sockets. See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe
for details
NOTE: These options conflict the local_bind_socket_port and
local_bind_socket_address options. We can bind to an port or we can
bind to a socket, but not both.
To expose a service listening on a Unix Domain socket to the service
mesh use either the 'socket_path' field in the service definition or the
'local_service_socket_path' field in the proxy definition. These
fields are analogous to the 'port' and 'service_port' fields in their
respective locations.
services {
name = "service-2"
socket_path = "/tmp/socket_service_2"
...
}
OR
proxy {
local_service_socket_path = "/tmp/socket_service_2"
...
}
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.
Again, the socket_path and local_service_socket_path fields conflict
with address/port and local_service_address/local_service_port
configuration entries.
Set up a simple service mesh with dummy services:
socat -d UNIX-LISTEN:/tmp/downstream.sock,fork UNIX-CONNECT:/tmp/upstream.sock
socat -v tcp-l:4444,fork exec:/bin/cat
services {
name = "sock_forwarder"
id = "sock_forwarder.1"
socket_path = "/tmp/downstream.sock"
connect {
sidecar_service {
proxy {
upstreams = [
{
destination_name = "echo-service"
local_bind_socket_path = "/tmp/upstream.sock"
config {
passive_health_check {
interval = "10s"
max_failures = 42
}
}
}
]
}
}
}
}
services {
name = "echo-service"
port = 4444
connect = { sidecar_service {} }
Kind = "ingress-gateway"
Name = "ingress-service"
Listeners = [
{
Port = 8080
Protocol = "tcp"
Services = [
{
Name = "sock_forwarder"
}
]
}
]
consul agent -dev -enable-script-checks -config-dir=./consul.d
consul connect envoy -sidecar-for sock_forwarder.1
consul connect envoy -sidecar-for echo-service -admin-bind localhost:19001
consul config write ingress-gateway.hcl
consul connect envoy -gateway=ingress -register -service ingress-service -address '{{ GetInterfaceIP "eth0" }}:8888' -admin-bind localhost:19002
netcat 127.0.0.1 4444
netcat 127.0.0.1 8080
Signed-off-by: Mark Anderson <[email protected]>
* fixup Unix capitalization
Signed-off-by: Mark Anderson <[email protected]>
* Update website/content/docs/connect/registration/service-registration.mdx
Co-authored-by: Blake Covarrubias <[email protected]>
* Provide examples in hcl and json
Signed-off-by: Mark Anderson <[email protected]>
* Apply suggestions from code review
Co-authored-by: Blake Covarrubias <[email protected]>
* One more fixup for docs
Signed-off-by: Mark Anderson <[email protected]>
Co-authored-by: Blake Covarrubias <[email protected]>
|
🍒✅ Cherry pick of commit 1bf3dc5 onto |
hc-github-team-consul-core
pushed a commit
that referenced
this pull request
Jun 5, 2021
* Docs for Unix Domain Sockets
There are a number of cases where a user might wish to either 1)
expose a service through a Unix Domain Socket in the filesystem
('downstream') or 2) connect to an upstream service by a local unix
domain socket (upstream).
As of Consul (1.10-beta2) we've added new syntax and support to configure
the Envoy proxy to support this
To connect to a service via local Unix Domain Socket instead of a
port, add local_bind_socket_path and optionally local_bind_socket_mode
to the upstream config for a service:
upstreams = [
{
destination_name = "service-1"
local_bind_socket_path = "/tmp/socket_service_1"
local_bind_socket_mode = "0700"
...
}
...
]
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1
The mode field is optional, and if omitted will use the default mode
for Envoy. This is not applicable for abstract sockets. See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe
for details
NOTE: These options conflict the local_bind_socket_port and
local_bind_socket_address options. We can bind to an port or we can
bind to a socket, but not both.
To expose a service listening on a Unix Domain socket to the service
mesh use either the 'socket_path' field in the service definition or the
'local_service_socket_path' field in the proxy definition. These
fields are analogous to the 'port' and 'service_port' fields in their
respective locations.
services {
name = "service-2"
socket_path = "/tmp/socket_service_2"
...
}
OR
proxy {
local_service_socket_path = "/tmp/socket_service_2"
...
}
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.
Again, the socket_path and local_service_socket_path fields conflict
with address/port and local_service_address/local_service_port
configuration entries.
Set up a simple service mesh with dummy services:
socat -d UNIX-LISTEN:/tmp/downstream.sock,fork UNIX-CONNECT:/tmp/upstream.sock
socat -v tcp-l:4444,fork exec:/bin/cat
services {
name = "sock_forwarder"
id = "sock_forwarder.1"
socket_path = "/tmp/downstream.sock"
connect {
sidecar_service {
proxy {
upstreams = [
{
destination_name = "echo-service"
local_bind_socket_path = "/tmp/upstream.sock"
config {
passive_health_check {
interval = "10s"
max_failures = 42
}
}
}
]
}
}
}
}
services {
name = "echo-service"
port = 4444
connect = { sidecar_service {} }
Kind = "ingress-gateway"
Name = "ingress-service"
Listeners = [
{
Port = 8080
Protocol = "tcp"
Services = [
{
Name = "sock_forwarder"
}
]
}
]
consul agent -dev -enable-script-checks -config-dir=./consul.d
consul connect envoy -sidecar-for sock_forwarder.1
consul connect envoy -sidecar-for echo-service -admin-bind localhost:19001
consul config write ingress-gateway.hcl
consul connect envoy -gateway=ingress -register -service ingress-service -address '{{ GetInterfaceIP "eth0" }}:8888' -admin-bind localhost:19002
netcat 127.0.0.1 4444
netcat 127.0.0.1 8080
Signed-off-by: Mark Anderson <[email protected]>
* fixup Unix capitalization
Signed-off-by: Mark Anderson <[email protected]>
* Update website/content/docs/connect/registration/service-registration.mdx
Co-authored-by: Blake Covarrubias <[email protected]>
* Provide examples in hcl and json
Signed-off-by: Mark Anderson <[email protected]>
* Apply suggestions from code review
Co-authored-by: Blake Covarrubias <[email protected]>
* One more fixup for docs
Signed-off-by: Mark Anderson <[email protected]>
Co-authored-by: Blake Covarrubias <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a starting point for docs for the Unix Domain Sockets work
Most of the below writeup has been incorporated in the docs text, but a few issues remain:
There are a number of cases where a user might wish to either 1)
expose a service through a Unix Domain Socket in the filesystem
('downstream') or 2) connect to an upstream service by a local unix
domain socket (upstream).
As of Consul (1.10-beta2) we've added new syntax and support to configure
the Envoy proxy to support this
Upstream sockets:
To connect to a service via local Unix Domain Socket instead of a
port, add local_bind_socket_path and optionally local_bind_socket_mode
to the upstream config for a service:
This will cause Envoy to create a socket with the path and mode
provided, and connect that to service-1
The mode field is optional, and if omitted will use the default mode
for Envoy. This is not applicable for abstract sockets. See
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/address.proto#envoy-v3-api-msg-config-core-v3-pipe
for details
NOTE: These options conflict the local_bind_socket_port and
local_bind_socket_address options. We can bind to an port or we can
bind to a socket, but not both.
Downstream sockets:
To expose a service listening on a Unix Domain socket to the service
mesh use either the 'socket_path' field in the service definition or the
'local_service_socket_path' field in the proxy definition. These
fields are analogous to the 'port' and 'service_port' fields in their
respective locations.
OR
There is no mode field since the service is expected to create the
socket it is listening on, not the Envoy proxy.
Again, the socket_path and local_service_socket_path fields conflict
with address/port and local_service_address/local_service_port
configuration entries.
Example:
Set up a simple service mesh with dummy services:
FORWARDER
ECHO SERVICE
Define the sock_forwarder service (consul.d/sock_forwarder.hcl)
define the echo service (consul.d/echo_service.hcl)
define the ingress gateway (ingress_gateway.hcl)
Signed-off-by: Mark Anderson [email protected]