My new book - Istio & Envoy Insider

cover

My new open source book - Istio and Envoy Insider, has just reached a milestone. So I want to Introduce it.

Overview of this book

This book is called Istio & Envoy Insider. It is a book in progress, now in draft stage.

What this book is about

This book includes: Envoy source code deep dive, in-depth Envoy fundamentals analysis , Istio fundamentals analysis. But it’s not a traditional “deep dive xyz source code” type of book. on the contrary, I have done my best not to directly paste source code in the book. Reading source code is a necessary step to grasp the details of the implementation, but browsing source code in a book is generally a very bad experience. So, this book uses source code navigation diagrams to let readers understand the full picture of the implementation, rather than getting lost in the details of fragmented source code snippets and forgetting the whole picture.

In this book, I’ve tried to think as systematically as possible from a design and implementation perspective:

The design and implementation details of Envoy
Why Istio is what it is
The Truth Behind Those Magic Configurations: Linux + Envoy
- How traffic is intercepted to the Envoy using Linux’s netfilter technology.
- How istiod programs the Envoy to fulfill the traffic policies of the Service Mesh.
What Istio might look like in the future

The book is just a collection of thoughts and notes after I’ve been researching and using Istio for a while. I’ve just been troubleshooting some Istio/Envoy related functionality and performance issues, and browsing and debugging some Istio/Envoy code.

While diving into Istio. I found that there is a lot of valuable information on the Internet. However, either it is mainly from the user’s point of view, but does not talk about the implementation mechanism; or it does talk about the mechanism, but the content lacks systematization and consistency.

What this book is not

This book is not a user’s manual. It does not teach how to learn Istio from a user’s point of view, it does not preach how powerful Istio is, and it does not teach how to use Istio, there are too many excellent books, articles, and documents on this topic.

🤷 : Yet, another Istio User Guide?
🙅 : No!

Target Audience

This book focuses on the design and implementation mechanism of Istio/Envoy. It is assumed that the reader already has some experience in using Istio and is interested in further studying its implementation mechanism.

Book access address

https://istio-insider.mygraphql.com/en

About the Author

My name is Mark Zhu, a middle-aged programmer with little hair. I’m not an Istio expert, not even an Istio contributor, not even an employee of a major Internet company.

Why do I learn from others and write a book when my level is limited? Because of this sentence:

You don’t need to be great to get started, but you do need to get started to be great.

In order to facilitate readers to follow the book’s updates:

Blog(English, RSS subscription supported): https://blog.mygraphql.com/en/
Medium: Mark Zhu
Blog(Chinese): https://blog.mygraphql.com/

Participate in writing

If you are also interested in writing this book, feel free to contact me.

Thanks to the fellow who suggested the Issue 🌻

tanjunchen: lots of very good comments on the reading experience and typography.

Dedication 💞

First, to my dear parents, for showing me how to live a happy
and productive life. To my dear wife and our amazing kid - thanks for all your love and patience.

Copyleft Disclaimer

If you reproduce or modify any text or image, please give credit to the original source.

Feedback

As this is an open source interactive book, feedback from readers is of course very important. If you find a mistake in the book, or have a better suggestion, you may want to submit an Issue:
https://github.com/labilezhu/istio-insider/issues

Chinese version

There is a Chinese version: 中文版 .

Catalog

Interactive Book
Istio Architecture
- Istio Overall Architecture
  - Concepts of Service Mesh
    - Concepts of service invocation relationships
    - Upstream & Downstream
      - Upstream Cluster & Downstream Cluster
      - Inbound & Outbound
  - Istio Ports and Components
    - Listening on ports
    - iptables
    - Connections
    - Miscellaneous Ops guide
      - Packet captures
      - Miraculous 127.0.0.6
    - Ending words
  - Istio Data Plane Architecture
    - netfilter/iptables
Inside Envoy
- Native Programmable Proxy Envoy Proxy Architecture
  - A little history
    - Why C++?
  - Envoy Proxy L1 architecture
- Catalog
  - Envoy Configuration Example under Istio
    - Experimental Environment
    - Inbound Data Flow “Inference”
      - Examining data flow with logs
    - Outbound data stream “extrapolation”
    - Checking the stream with bpftrace
  - Envoy main process and concepts
  - upstream/upstream
  - Envoy Architecture
    - Source code design
      - Design Patterns and Jargon
      - Subsystems
    - Event-driven vs. threaded model
    - Listener
    - Network Filter
    - Network Filter Chains
    - Network Filter
    - Extended Reading
    - http connection manager
      - http filter abstract object definition
      - http filter C++ class relationships
    - Router
      - Extended Reading
    - HTTP/1.1 Stream (draft)
    - Flow Control
  - Envoy request and response scheduling
    - Request and Response Scheduling
    - Request and Response Scheduling Timeline
    - Summary
      - HTTP Timeout setting(draft)
    - Some interesting extended reading
  - HTTP Connection Lifecycle Management
    - Upstream/Downstream connection uncoupling
    - Connection timeout related configuration parameters
    - Racing conditions after Envoy connection closure
      - Racing conditions after an Envoy connection is closed
  - Circuit Breaking(Draft)
    - Ref.
  - Istio and Envoy Metrics
    - Overview of Istio and Envoy metrics
Istio/Envoy Performance
Disruptions and Recover
- worker node disruptions
Observability
- Ref
Troubleshooting
- Decrypt and Dump TLS Traffic
  - TLS key log feature
    - Envoy Key Log configuration
      - extensions.transport_sockets.tls.v3.TlsKeyLog
  - Decryption Tools
  - Key Log Format
  - Ref
- TCP Proxy half-closed connection leak for 1 hour in some scenarios
  - Base knowledge
  - Environment
  - socket leak & occupy on FIN_WAIT2
- App outbound connecting timed out because App selected a ephemeral port which collisions with the existing socket on 15001(outbound) listener
  - Base knowledge
    - TCP
      - TCP Challenge ACK
    - Conntrack table
  - Environment
  - New connection timeout
    - App build connection on the same ephemeral port
      - Case 1: connect timed out by collision ephemeral port
      - Case 2: connect by collision ephemeral port but seq-no happens to be in the TCP window of the old connection
  - Skills
Developing Istio
- Istio Data Plane
  - istio-proxy
    - Debugging Envoy sidecar C++ code in an Istio mesh
    - Debugging and observing the startup of the istio-proxy Envoy sidecar
- Istio Control Plane
  - Debug Istiod
  - Reference list for getting started with Istio development
  - Code Description
  - Design documentations
  - Development environment
  - Istio project health dashboard
  - discuss
  - Participation in the development of Istio
    - Workgroup

Appendix

Lab Environment
- Basic environment installation
  - Default namespace
  - Install istio
- Install tools
  - netshoot
  - httpbin
- Setup shell
  - istio gateway & node port
- List of lab environment
  - Simple layered lab environment
    - Installation process
      - fortio