Internal listener access logging in Envoy #50321

Open
howardjohn opened this issue Apr 8, 2024 · 6 comments
Labels
area/ambient Issues related to ambient mesh help wanted Indicates a PR/Issue that needs community help

Comments

@howardjohn
Member

When we use HBONE in Envoy, we get access logs showing unexpected info.

Without hbone:

[2024-04-08T20:53:05.142Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1648 0 0 "10.244.0.1" "curl/8.7.1" "d68f23d1-02a2-4999-8572-6f154573c74c" "172.18.0.101" "10.244.0.10:80" outbound|80||echo.default.svc.cluster.local 10.244.0.7:53060 10.244.0.7:8080 10.244.0.1:59040 - 

With hbone:

[2024-04-08T20:44:12.363Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1648 3 2 "10.244.0.1" "curl/8.7.1" "66dc2115-b7f5-45eb-96c2-2a2b221559f7" "172.18.0.101" "envoy://connect_originate/10.244.0.10:80" outbound|80||echo.default.svc.cluster.local envoy://internal_client_address/ 10.244.0.7:8080 10.244.0.1:27113 -

Probably we can tweak these to avoid exposing internals.

@howardjohn howardjohn added area/ambient Issues related to ambient mesh Ambient Beta Must have for Beta of Ambient Mesh labels Apr 8, 2024
@zirain
Member

zirain commented Apr 9, 2024

I recall Istio only printed listener access logs on 404 in the past?

@howardjohn
Member Author

This isn't about listener access logs, but for HBONE the destination endpoint is an internal listener instead of an IP.

@zirain
Member

zirain commented Apr 9, 2024

You can either change the hardcoded log format or just remove it (this option may make debugging difficult).

@howardjohn howardjohn added help wanted Indicates a PR/Issue that needs community help and removed Ambient Beta Must have for Beta of Ambient Mesh labels Apr 9, 2024
@howardjohn
Member Author

I think we want to log the real source and dest IP. This may just be changing the format to access some other info, but we might need to make changes in Envoy/istio-proxy to expose that info if it's not available (not sure what info we have).

@howardjohn
Member Author

There are two parts here:

  • Source IP is envoy://internal_client_address/. This I think requires us to either change Envoy core, or pass "real source ip" as metadata across the internal listener.
  • Destination IP is "envoy://connect_originate/10.244.0.10:80". This seems easier, since the original IP is known to be in EDS metadata and access logs can access it. However, we would want to do something like metadata.ip OR upstream_addr for the non-HBONE cases; I don't see how to do that in Envoy. %CEL(...) seemed promising but has a lot of bugs.

@zirain
Member

zirain commented Jun 24, 2024

envoy://connect_originate/10.244.0.10:80 is from %UPSTREAM_HOST%, which is related to https://github.com/envoyproxy/envoy/blob/main/source/common/network/address_impl.cc#L470.
envoy://internal_client_address/ is from %UPSTREAM_LOCAL_ADDRESS%, which is related to https://github.com/envoyproxy/envoy/blob/main/source/extensions/bootstrap/internal_listener/client_connection_factory.cc#L30
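
Until the proxy logs real addresses, a log consumer can normalize the two fields discussed in this thread on its side. The following is an added example, not code from this thread or from Istio/Envoy: it parses the two sample lines quoted in the issue, recovers the destination from the `envoy://connect_originate/` form of `%UPSTREAM_HOST%`, and marks `%UPSTREAM_LOCAL_ADDRESS%` as unknown when it is `envoy://internal_client_address/`. The field labels and the `hbone` flag are assumptions inferred from those two lines.

```python
import ipaddress
import shlex

# Labels for the text-format fields, in the order seen in the two lines quoted
# in the issue (assumption: inferred from those samples, not from Istio config).
FIELDS = ["request", "response_code", "response_flags", "response_code_details",
          "connection_termination_details", "upstream_transport_failure_reason",
          "bytes_received", "bytes_sent", "duration", "upstream_service_time",
          "x_forwarded_for", "user_agent", "request_id", "authority",
          "upstream_host", "upstream_cluster", "upstream_local_address",
          "downstream_local_address", "downstream_remote_address",
          "requested_server_name"]
CONNECT_ORIGINATE = "envoy://connect_originate/"      # seen in %UPSTREAM_HOST%
INTERNAL_CLIENT = "envoy://internal_client_address/"  # seen in %UPSTREAM_LOCAL_ADDRESS%

def parse_line(line):
    """Split one access log line into a dict keyed by FIELDS plus start_time."""
    start, _, rest = line.strip().partition("] ")
    rec = dict(zip(FIELDS, shlex.split(rest)))  # shlex keeps quoted fields whole
    rec["start_time"] = start.lstrip("[")
    return rec

def is_ip_port(value):
    """True only for ip:port, so arbitrary text after the prefix is not trusted."""
    host, _, port = value.rpartition(":")
    try:
        ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False
    return port.isdigit()

def normalize(rec):
    """Return a copy with internal-listener addresses rewritten or blanked."""
    out = dict(rec, hbone=False)
    host = rec.get("upstream_host", "")
    inner = host[len(CONNECT_ORIGINATE):]
    if host.startswith(CONNECT_ORIGINATE) and is_ip_port(inner):
        out["upstream_host"], out["hbone"] = inner, True
    if rec.get("upstream_local_address", "").startswith(INTERNAL_CLIENT):
        out["upstream_local_address"] = None  # real source is not in the line
    return out

# The two sample lines quoted in the issue (without hbone, with hbone).
PLAIN = '[2024-04-08T20:53:05.142Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1648 0 0 "10.244.0.1" "curl/8.7.1" "d68f23d1-02a2-4999-8572-6f154573c74c" "172.18.0.101" "10.244.0.10:80" outbound|80||echo.default.svc.cluster.local 10.244.0.7:53060 10.244.0.7:8080 10.244.0.1:59040 -'
HBONE = '[2024-04-08T20:44:12.363Z] "GET / HTTP/1.1" 200 - via_upstream - "-" 0 1648 3 2 "10.244.0.1" "curl/8.7.1" "66dc2115-b7f5-45eb-96c2-2a2b221559f7" "172.18.0.101" "envoy://connect_originate/10.244.0.10:80" outbound|80||echo.default.svc.cluster.local envoy://internal_client_address/ 10.244.0.7:8080 10.244.0.1:27113 -'

if __name__ == "__main__":
    for line in (PLAIN, HBONE):
        n = normalize(parse_line(line))
        print(n["hbone"], n["upstream_host"], n["upstream_local_address"])
```

The destination is recoverable from the log line alone; the upstream source address is not, which matches the thread's point that it needs a change in Envoy or metadata passed across the internal listener.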
