***: A host could not ping its gateway; the cause was that the gateway router had added the host to its blocked-device list.

Summary:

A WorkloadGroup is analogous to a Deployment; a WorkloadEntry is analogous to a Pod; liveness probes are not a concern of the service mesh; the WorkloadGroup must configure the application's readiness probe; mTLS; nc; the hard part is asking the question; installing nmap from source.

Key points:

  • On the VM, add routes to all nodes: route add -net 172.25.244.192/26 gw 192.168.31.211......; add the routes to all nodes permanently in the /etc/rc.d/rc.local startup configuration file; also set the process that provides the health check to run automatically:
# vim /etc/rc.d/rc.local 
nohup /home/forum-linux-amd64 > /dev/null 2>&1 &       // makes the WorkloadEntry health check report Healthy status "True"
nohup /home/cdatc/AirNet/bin/mnt  > /dev/null 2>&1 &   // starts the server process automatically
  • Hard-code the east-west gateway hostname into the VM's hosts file;
  • istio-eastwestgateway is a NodePort service: edit /etc/istio/envoy/sidecar.env (the same file as /var/lib/istio/envoy/sidecar.env) and /var/lib/istio/config/mesh, changing 15012 to the corresponding NodePort port number;
  • !!! Token expired: regenerating the VM configuration on the master node, copying the token contents over and retrying works; also, after rebooting the VM the directory /var/run/secrets/ is deleted automatically! Running systemctl stop istio before rebooting the VM deletes the directory just the same; cause still to be determined. The istio service runs, but the log reports errors:
#  tail /var/log/istio/istio.err.log /var/log/istio/istio.log -Fq -n 100
2024-01-22T02:27:16.482139Z     warn    Failed to create directory for ./var/run/secrets/workload-spiffe-uds/socket: mkdir var/run/secrets: permission denied
2024-01-22T02:27:16.482383Z     error   sds     SDS grpc server for workload proxies failed to set up UDS: failed to listen on unix socket "./var/run/secrets/workload-spiffe-uds/socket": listen unix ./var/run/secrets/workload-spiffe-uds/socket: bind: no such file or directory
# export CLUSTER="kubernetes"  CLUSTER_NETWORK=""  VM_NETWORK="" SERVICE_ACCOUNT="account-vm" WORK_DIR="/home/vm-airnet" VM_APP="airnet-mysql" VM_NAMESPACE="vm-airnet"
# istioctl x workload entry configure -f workloadgroup.yaml -o "${WORK_DIR}" --clusterID "${CLUSTER}" --autoregister --namespace vm-airnet --internalIP 192.168.31.222 --ingressService istio-eastwestgateway.istio-system.svc --ingressIP 192.168.31.212 --capture-dns
# scp istio-token root@192.168.31.222:/home/vm-airnet/      // tested: directly copying an istio-token from a few days ago also works, no need to regenerate it!
root@debian:/home/vm-airnet# cp istio-token /var/run/secrets/tokens/istio-token
root@debian:/home/vm-airnet# chown -R istio-proxy  /var/run/secrets 
root@debian:/home/vm-airnet# systemctl daemon-reload && systemctl restart istio
  • Before reinstalling istio-sidecar.deb, remove it with the -P option: dpkg -P istio-sidecar;
  • For the readinessProbe problem see item 1 below (the application's readiness probe must be configured in workloadgroup.yaml, because the control plane uses the workload's health status to decide whether traffic should be routed to it; when the application is unhealthy, the endpoint is removed from the data plane).
  • After changing SERVICE_ACCOUNT from "airnet-fdp1" to "airnet-fdp2", re-copying the configuration files makes the change take effect, but note that the following old files must be deleted first, otherwise authentication fails (possibly because cert-chain.pem still holds the old airnet-fdp1 account information).
ls /etc/certs
cert-chain.pem  key.pem  root-cert.pem

1. Handling the auto-generated WorkloadEntry whose Healthy status is "False": the cause was that the path in the Debian VM's /etc/istio/config/mesh did not match the one in workloadgroup.yaml; after editing the mesh file and regenerating the VM configuration it was OK.

# k -n vm-airnet get workloadentry airnet-mysql-192.168.31.222 -oyaml
   message: 'failed to get readiness stats: server.state is not yet updated: '
   status: "False"            ---------> status: "True"; it is also "False" when the server process is not started
   type: Healthy  
root@debian:/home# ./forum-linux-amd64 
Server is listening in port:8080
root@debian:/home/vm-airnet# nmap -Pn -p 8080 192.168.31.222
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-02 06:55 EST
Nmap scan report for debian (192.168.31.222)
Host is up (0.000093s latency).
PORT     STATE SERVICE
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
root@debian:/home/vm-airnet# more /etc/istio/config/mesh   
  readinessProbe:
    httpGet:
      path: /api/healthz
      port: 8080              ---------> the server process listening on port 8080 must be started: ./forum-linux-amd64  Server is listening in port:8080
root@k8s-master01 vm-airnet]# more workloadgroup.yaml 
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
spec:
  probe:
    httpGet:
      port: 8080
      path: /api/healthz
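As an added example (not from the original notes), a shell check that extracts the httpGet path and port from both files and flags the mismatch described in item 1; the file names and sample contents below are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: compare the HTTP readiness
# probe declared in workloadgroup.yaml with the one in the VM's
# /etc/istio/config/mesh. A difference between the two was the cause of
# the WorkloadEntry showing Healthy "False" in item 1.

# Print "path port" from the first httpGet block of a YAML file.
# Assumes the simple layout shown on this page (no general YAML parser).
probe_of() {
  awk '/httpGet:/ { on = 1; next }
       on && $1 == "path:" { path = $2 }
       on && $1 == "port:" { port = $2 }
       on && path != "" && port != "" { on = 0 }
       END { print path, port }' "$1"
}

# Return 0 when both files declare the same probe, 1 (with a message) otherwise.
probes_match() {
  wg=$(probe_of "$1")
  mesh=$(probe_of "$2")
  if [ "$wg" = "$mesh" ]; then
    echo "probe OK: $wg"
    return 0
  fi
  echo "probe MISMATCH: workloadgroup='$wg' mesh='$mesh'" >&2
  return 1
}

# Constructed sample files mirroring the page's WorkloadGroup and the mesh
# file before (wrong path) and after the fix.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/workloadgroup.yaml" <<'EOF'
apiVersion: networking.istio.io/v1alpha3
kind: WorkloadGroup
spec:
  probe:
    httpGet:
      port: 8080
      path: /api/healthz
EOF
printf '  readinessProbe:\n    httpGet:\n      path: /healthz\n      port: 8080\n' > "$TMP/mesh.bad"
printf '  readinessProbe:\n    httpGet:\n      path: /api/healthz\n      port: 8080\n' > "$TMP/mesh.good"

probes_match "$TMP/workloadgroup.yaml" "$TMP/mesh.bad" || echo "fix the mesh file, then regenerate the VM config"
probes_match "$TMP/workloadgroup.yaml" "$TMP/mesh.good"
```

On a real VM, run probes_match against workloadgroup.yaml and /etc/istio/config/mesh before regenerating the VM configuration.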

2. Testing traffic routing to the WorkloadEntry

[root@k8s-master01 vm-airnet]#  k -n vm-airnet exec -ti tool-97f9cfd66-4j9b2  -- curl -is forum.vm-airnet.svc:/api/users |grep HTTP
HTTP/1.1 200 OK
[root@k8s-master01 vm-airnet]# istioctl proxy-config endpoints deploy/webapp.vm-airnet |grep forum
172.27.14.210:8080     HEALTHY     OK                outbound|80||forum.bookinfo.svc.cluster.local
192.168.31.222:8080    HEALTHY     OK                outbound|80||forum.vm-airnet.svc.cluster.local
root@k8s-master01 vm-airnet]# curl -is -H "host: wepapp.atc.com" http://192.168.31.214:21932/api/healthz
HTTP/1.1 200 OK
content-length: 8
date: Tue, 02 Jan 2024 15:06:50 GMT
content-type: text/plain; charset=utf-8
x-envoy-upstream-service-time: 2
server: istio-envoy
Healthy!
[root@k8s-master01 vm-airnet]# curl -is -H "host: wepapp.atc.com" http://192.168.31.214:21932/api/users |grep HTTP
HTTP/1.1 200 OK
[root@k8s-master01 vm-airnet]#  k -n vm-airnet logs deploy/webapp -c istio-proxy |tail -2
[2024-01-02T15:12:24.240Z] "GET /api/users HTTP/1.1" 200 - via_upstream - "-" 0 5645 1596 1595 "172.17.125.0" "beegoServer" "92500293-a9db-4782-b216-b4bef3f55cff" "forum.vm-airnet:80" "192.168.31.222:8080" outbound|80||forum.vm-airnet.svc.cluster.local 172.19.199.177:48208 10.16.10.182:80 172.17.125.0:0 - default
[2024-01-02T15:12:24.237Z] "GET /api/users HTTP/1.1" 200 - via_upstream - "-" 0 3679 1601 1600 "172.17.125.0" "curl/7.29.0" "92500293-a9db-4782-b216-b4bef3f55cff" "wepapp.atc.com" "172.19.199.177:8080" inbound|8080|| 127.0.0.6:47767 172.19.199.177:8080 172.17.125.0:0 outbound_.80_._.webapp.vm-airnet.svc.cluster.local default
----> on the VM, quit # ./forum  --------> HTTP/1.1" 500
[root@k8s-master01 vm-airnet]# curl -is -H "host: wepapp.atc.com" http://192.168.31.214:21932/api/users |grep HTTP
HTTP/1.1 500 Internal Server Error
[root@k8s-master01 vm-airnet]#  k -n vm-airnet logs deploy/webapp -c istio-proxy |tail -2
[2024-01-02T15:14:04.528Z] "GET /api/users HTTP/1.1" 503 URX via_upstream - "-" 0 152 35 35 "172.17.125.0" "beegoServer" "f455292b-8c84-49a0-a45a-91400a049bf7" "forum.vm-airnet:80" "192.168.31.222:8080" outbound|80||forum.vm-airnet.svc.cluster.local 172.19.199.177:49066 10.16.10.182:80 172.17.125.0:0 - default
[2024-01-02T15:14:04.525Z] "GET /api/users HTTP/1.1" 500 - via_upstream - "-" 0 27 44 43 "172.17.125.0" "curl/7.29.0" "f455292b-8c84-49a0-a45a-91400a049bf7" "wepapp.atc.com" "172.19.199.177:8080" inbound|8080|| 127.0.0.6:41005 172.19.199.177:8080 172.17.125.0:0 outbound_.80_._.webapp.vm-airnet.svc.cluster.local default

3. Mutual TLS test

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system    # namespace-scoped policy for default; istio-system applies to all namespaces
spec:
  mtls:                      # peer authentication
    mode: STRICT             # strict mode; PERMISSIVE is the compatibility mode
-----> unreachable from the physical host, but reachable from a pod inside the mesh
root@debian:/home/vm-airnet# python3 -m http.server 7001
Serving HTTP on 0.0.0.0 port 7001 (http://0.0.0.0:7001/) ...    
[root@k8s-master01 vm-airnet]# curl -i 192.168.31.222:7001     ---> works in PERMISSIVE mode
curl: (56) Recv failure: Connection reset by peer  
(06:14 tool-97f9cfd66-4j9b2:/) curl -i forum.vm-airnet.svc:7001
HTTP/1.1 200 OK

4. nc test problem (the cause was the nc version: the nc version that exhibited the "specified port not recognized" problem must use the -p flag to select the listening port).

  • Ruled-out guess: when nc is used to listen on the VM (Debian), it listens on a different port (k8s-master01 behaves the same; X: could it be caused by Docker being installed?). It was unclear which software on the VM's operating system caused it, since k8s-node03 does not change the listening port.
  • The difficulty lies in asking the question, not in finding the answer: a stupid question only invites an equally stupid answer, whereas asking the right question opens up a whole new field of knowledge and brings other extremely important questions to the surface. nc -v -l 7001 ---> listening on [any] 41759; for this phenomenon, pose the question:
  • The stupid question: how did the specified port 7001 on this host turn into 41759 (misled by the way k8s Services expose ports), while the other hosts are normal? This led to two days spent troubleshooting environment inconsistencies;
  • The right question: the other hosts are normal, so why did the port specification not take effect on this host, with nc picking a random port [any] to listen on? Asked this way, troubleshooting becomes easy: the cause was the missing -p parameter, so the port argument did not take effect. This in turn opened a new area of knowledge and brought other important questions to the surface (the difference between the GNU and OpenBSD versions [now changed to the Nmap Public Source License (NPSL)]): because the nc versions differ, the other, normal hosts can specify the listening port without -p.
  • The GNU version of nc is linked at /usr/local/bin/netcat (The GNU Netcat -- Official homepage (sourceforge.net)); the OpenBSD version is /usr/bin/ncat (Ncat is the nmap project's rewrite of the traditional Netcat, i.e. the nc command, and is included in the nmap package. Ncat - Netcat for the 21st Century (nmap.org); Nmap Public Source License: the Annotated HTML Nmap Public Source License)
  • Without Ncat installed, nc is an alias of netcat, so typing nc on the command line == typing netcat; with Ncat installed, both nc and netcat become aliases of ncat (for the test the links had to be changed manually), so typing any of the three is the same, but there is a problem: nc is linked to netcat while man nc corresponds to Ncat 7.50
# readlink -f $(which nc)     // there are two possible results
/bin/nc.traditional: the default GNU base version, usually shipped with the system.
/bin/nc.openbsd: the OpenBSD version, much more powerful.
// whether GNU or OpenBSD, there are old and new releases; the main difference is in file transfer when stdin reaches EOF: old releases disconnect automatically, while newer gnu/openbsd ones keep the connection open
[root@k8s-master01 ~]# readlink -f $(which nc) 
/usr/local/bin/netcat   ---> GNU netcat 0.7.1
[root@k8s-master01 ~]# ll /usr/local/bin/nc
lrwxrwxrwx 1 root root 6 8月   1 12:23 /usr/local/bin/nc -> netcat   
[root@k8s-master01 ~]# man nc    ---> nc is linked to netcat but man nc corresponds to Ncat 7.50
OPTIONS SUMMARY
           Ncat 7.50 ( https://nmap.org/ncat )
[root@k8s-master02 ~]# readlink -f $(which nc) 
/usr/bin/ncat           ---> (OpenBSD)Ncat: Version 7.50 ( https://nmap.org/ncat )
[root@k8s-master02 ~]# ll /usr/bin/nc
lrwxrwxrwx. 1 root root 22 6月   1 2022 /usr/bin/nc -> /etc/alternatives/nmap
---> install from the Source RPM (includes Nmap, Zenmap, Ncat, and Nping)
bzip2 -cd nmap-7.94.tar.bz2 | tar xvf -
cd nmap-7.94
./configure
make
make install
[root@k8s-master02 nmap-7.94]# nmap -V
Nmap version 7.94 ( https://nmap.org )
[root@k8s-master02 nmap-7.94]# which nmap
/usr/local/bin/nmap
[root@k8s-master02 nmap-7.94]# ncat --version
Ncat: Version 7.94 ( https://nmap.org/ncat )
[root@k8s-master02 nmap-7.94]# which ncat
/usr/local/bin/ncat
[root@k8s-master02 nmap-7.94]# readlink -f $(which nc)
/usr/bin/ncat
  • Note: with the OpenBSD version of netcat, the listening port given after -l does not take the "-p" parameter, otherwise it complains about the syntax and shows the usage help; the manual says "-p source_port Specify the source port nc should use, subject to privilege restrictions and availability. Cannot be used together with -l.", i.e. "-l" and "-p" cannot be used together and the port number follows "-l" directly, written as: nc -l 8080; but under GNU netcat the -p parameter is required, otherwise the listening port specified after -l is not recognized and a random port [any] is chosen to listen on! (If this option is not specified, the OS will assign a random available port.)
[root@k8s-master01 ~]# man netcat
-p NUM
--local-port=NUM
  Selects the local port.  In listen and tunnel mode, it specifies which port to use for listening, while in connect mode it specifies the source port
  (the port from which originating the connection).
  If this option is not specified, the OS will assign a random available port.
---> the content below was not deleted; the actual cause was that -p was not used to specify the port
root@debian:/home/vm-airnet# nc -v -l 7001    // the port still changes even after systemctl stop docker.socket; systemctl stop istio
// -k (--keep-open  Accept multiple connections in listen mode): keep listening; when one connection ends, force nc to listen for another; must be used together with -l
//-n, --nodns     Do not resolve hostnames via DNS
// -t, --telnet     Answer Telnet negotiations; use telnet as the client for testing
7001: inverse host lookup failed: Unknown host   ---> reverse host lookup failed
listening on [any] 41759 ...
root@debian:~# lsof -Pni |grep nc
nc        5042        root    3u  IPv4 239462      0t0  TCP *:41759 (LISTEN)
root@debian:~# netstat -anutp |grep 7001
root@debian:~# netstat -anutp |grep 41759
tcp        0      0 0.0.0.0:41759           0.0.0.0:*               LISTEN      5042/nc
---- nc version on k8s-master01: netcat (The GNU Netcat) 0.7.1 ------- the option is two v's
[root@k8s-master01 vm-airnet]#  nc -lv 22222
Warning: Inverse name lookup failed for `0.0.86.206'
^CExiting.
[root@k8s-master01 vm-airnet]#  nc -lvv 22222     // two -v flags make it report more detail
Warning: Inverse name lookup failed for `0.0.86.206'
Listening on any address 43683
[root@k8s-master01 vm-airnet]#  nc -lvv -p  22222
Listening on any address 22222
----- nc version on k8s-master02: Ncat: Version 7.50 ( https://nmap.org/ncat ) ---
[root@k8s-master02 ~]#  nc -lv  7001
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::7001
Ncat: Listening on 0.0.0.0:7001
[root@k8s-master02 ~]#  nc -lv -p  7001
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Listening on :::7001
Ncat: Listening on 0.0.0.0:7001
---------- nc version on the Debian system: Versions: cannot be found --------------
Netcat was written by a guy we know as the Hobbit <hobbit@avian.org>
root@debian:/home/vm-airnet# apt-cache showpkg nc
Package: nc
Versions: 
Reverse Depends: 
  netdata-core,nc
root@debian:/home/vm-airnet#  nc -lv -p 7001
listening on [any] 7001 ...
root@debian:/home/vm-airnet#  nc -l -p 7001
root@debian:/home/vm-airnet#  nc -lv 7001
7001: inverse host lookup failed: Unknown host
listening on [any] 34505 ...
  • Tested on the Debian system: the change of nc's listening port is unrelated to Docker and the docker0 bridge; the listening port still changed (192.168.31.222.40513)
Remove the docker0 interface
#yum -y install bridge-utils
#ifconfig docker0 down      //ip link set dev docker0 down
#brctl delbr docker0
# apt purge docker-buildx-plugin  docker-ce-rootless-extras docker-compose-plugin docker-ce docker // removes docker0 along with it
# systemctl stop istio
#  nc -vl 43131
Warning: Inverse name lookup failed for `0.0.168.123'
# lsof -Pni |grep nc
nc        20848      root    3u  IPv4 481773740      0t0  TCP *:33631 (LISTEN)
root@debian:~#  nc -t  -lvn  6666
listening on [any] 40513 ...
root@debian:~# tcpdump -n -i ens192 port 40513
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:29:16.103423 IP 192.168.31.216.52868 > 192.168.31.222.40513: Flags [S], seq 1090472297, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
21:29:16.103482 IP 192.168.31.222.40513 > 192.168.31.216.52868: Flags [S.], seq 2028132961, ack 1090472298, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
  • ***: For netcat in listen mode, you should use the -p flag to select the listening port, e.g. nc -vvv -l -p 5349; without -p, it is as if no port parameter was given, so nc picks a port of its own.

nc test OK!!!

root@debian:/home/vm-airnet# nc -lv -p 7001
listening on [any] 7001 ...
127.0.0.6: inverse host lookup failed: Unknown host
connect to [192.168.31.222] from (UNKNOWN) [127.0.0.6] 56813
sent to vm
[root@k8s-master01 vm-airnet]#  k -n vm-airnet  exec -ti tool-97f9cfd66-4j9b2 -- nc  forum.vm-airnet.svc 7001
sent to vm
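As an added example (not from the original notes), a small shell helper that classifies the installed netcat from its banner and builds the correct listen arguments, so the -p lesson from section 4 does not depend on remembering which host has which nc. The banner strings for GNU netcat and Ncat come from this page; the nc.traditional and OpenBSD usage strings are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original notes: choose the right "listen on
# port N" syntax for whichever netcat the system's `nc` resolves to.
# GNU netcat and Hobbit's nc.traditional ignore a bare port after -l and
# need -p; OpenBSD nc and Ncat take the port right after -l and refuse -p.

# Classify a netcat from its version/usage banner text (first argument).
# Prints one of: gnu | traditional | ncat | openbsd | unknown.
# The GNU and Ncat strings are the outputs shown on this page; the
# nc.traditional and OpenBSD usage strings are assumptions.
nc_flavor_from_banner() {
  case "$1" in
    *"GNU Netcat"*)                      echo gnu ;;
    *"Ncat: Version"*)                   echo ncat ;;
    *"connect to somewhere"*)            echo traditional ;;
    *"OpenBSD netcat"*|*"usage: nc [-"*) echo openbsd ;;
    *)                                   echo unknown ;;
  esac
}

# Print the argument list that makes flavor $1 listen on TCP port $2.
# Returns 1 for an unknown flavor so callers do not run a guessed command.
# gnu/traditional -> "-l -p 7001"; ncat/openbsd -> "-l 7001".
nc_listen_args() {
  case "$1" in
    gnu|traditional) echo "-l -p $2" ;;
    ncat|openbsd)    echo "-l $2" ;;
    *)               return 1 ;;
  esac
}

# Detect the installed nc by collecting the banners of the usual version
# and help switches (each variant errors out harmlessly on the others').
detect_nc_flavor() {
  command -v nc >/dev/null 2>&1 || { echo unknown; return; }
  nc_flavor_from_banner "$( { nc -V; nc --version; nc -h; } 2>&1 </dev/null | head -n 40 )"
}

# Show what this host's nc is and how to listen on 7001 with it.
main() {
  flavor=$(detect_nc_flavor)
  if args=$(nc_listen_args "$flavor" 7001); then
    echo "nc flavor: $flavor -> nc $args"
  else
    echo "nc flavor unknown; check: readlink -f \$(which nc)" >&2
  fi
}
main "$@"
```

Pair the printed command with lsof -Pni or netstat -anutp, as done above, to confirm the socket really is on the requested port.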