vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/asm/umn/asm_faq_0039.html
Dong, Qiu Jian ec0b45029f ASM UMN initial version -20240425 
Reviewed-by: Kovács, Zoltán <zkovacs@t-systems.com>
Co-authored-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
Co-committed-by: Dong, Qiu Jian <qiujiandong1@huawei.com>
2024-09-18 09:02:28 +00:00

40 lines
7.1 KiB
HTML
Raw Permalink Blame History

<a name="asm_faq_0039"></a><a name="asm_faq_0039"></a>
<h1 class="topictitle1">What Can I Do If A Pod Cannot Be Started Due to Unready Sidecar</h1>
<div id="body0000001416537088"><div class="section" id="asm_faq_0039__section13605431272"><h4 class="sectiontitle">Description</h4><p id="asm_faq_0039__p158541327718">Pods of services managed by a mesh may fail to be started and keep restarting. When the service container communicates with external systems, the traffic passes through the <strong id="asm_faq_0039__b8829174674415">istio-proxy</strong> container. However, the service container is started earlier than the <strong id="asm_faq_0039__b17795457184413">istio-proxy</strong> container. As a result, the communication with external systems fails and the pod keeps restarting.</p>
</div>
<div class="section" id="asm_faq_0039__section533210301494"><h4 class="sectiontitle">Solution</h4><p id="asm_faq_0039__p15691639496">In Istio 1.7 and later versions, the community adds a switch named <strong id="asm_faq_0039__b16318164516466">HoldApplicationUntilProxyStarts</strong> to the <strong id="asm_faq_0039__b1327174911466">istio-injector</strong> injection logic. After the switch is enabled, the proxy is injected to the first container and the <strong id="asm_faq_0039__b152221254154711">istio-proxy</strong> container is started earlier than the service container.</p>
<p id="asm_faq_0039__p155691339496">The switch can be configured globally or locally. The following describes two ways to enable the switch.</p>
<div class="notice" id="asm_faq_0039__note10877133574418"><span class="noticetitle"><img src="public_sys-resources/notice_3.0-en-us.png"> </span><div class="noticebody"><p id="asm_faq_0039__p787783524414">After this switch is enabled, the service container cannot be started until the sidecar is fully ready, which slows down pod startup and reduces scalability for burst traffic. You are advised to evaluate service scenarios and enable this switch only for required services.</p>
</div></div>
<ul id="asm_faq_0039__ul5973203951113"><li id="asm_faq_0039__li159731839111118"><strong id="asm_faq_0039__b298917211546">Global Configuration</strong><ol id="asm_faq_0039__ol02451524181213"><li id="asm_faq_0039__li1424518249128">Run the following command to edit the IOP CR resource:<p id="asm_faq_0039__p156121036111211"><a name="asm_faq_0039__li1424518249128"></a><a name="li1424518249128"></a><strong id="asm_faq_0039__b9682046151219">kubectl edit iop private-data-plane -n istio-system</strong></p>
<p id="asm_faq_0039__p104637523125">Add the following command to the <strong id="asm_faq_0039__b6511135545416">spec.values.global.proxy</strong> field:</p>
<pre class="screen" id="asm_faq_0039__screen1683321021316">holdApplicationUntilProxyStarts: true</pre>
<p id="asm_faq_0039__p2908162419169"><span><img id="asm_faq_0039__image890813245162" src="en-us_image_0000001416062808.png"></span></p>
</li><li id="asm_faq_0039__li1787413350127">Run the following command to check whether the latest logs contain no error information:<p id="asm_faq_0039__p1775013126175"><a name="asm_faq_0039__li1787413350127"></a><a name="li1787413350127"></a><strong id="asm_faq_0039__b104261821141713">kubectl logs -n istio-operator $(kubectl get po -n istio-operator | awk '{print $1}' | grep -v NAME)</strong></p>
</li><li id="asm_faq_0039__li4552151120177">Run the following command to check whether the IOP CR is normal:<p id="asm_faq_0039__p1017024613173"><a name="asm_faq_0039__li4552151120177"></a><a name="li4552151120177"></a><strong id="asm_faq_0039__b135219543174">kubectl get iop -n istio-system</strong></p>
<p id="asm_faq_0039__p9464165217213"><span><img id="asm_faq_0039__image246465215219" src="en-us_image_0000001416224808.png"></span></p>
</li><li id="asm_faq_0039__li1158321122211">Run the following command to upgrade the services in the mesh in a rolling manner:<p id="asm_faq_0039__p10542152235"><a name="asm_faq_0039__li1158321122211"></a><a name="li1158321122211"></a><strong id="asm_faq_0039__b1638251515238">kubectl rollout restart deployment </strong><em id="asm_faq_0039__i0738171518231">nginx</em><strong id="asm_faq_0039__b998032612311"> -n </strong><em id="asm_faq_0039__i203321927192313">default</em></p>
<p id="asm_faq_0039__p52922482318">where, <strong id="asm_faq_0039__b14174182414319">nginx</strong> is an example service, and <strong id="asm_faq_0039__b1725520281435">default</strong> is the namespace. Replace them with the actual values.</p>
</li><li id="asm_faq_0039__li20809847233">Run the following command to check whether the pod is restarted:<p id="asm_faq_0039__p16470512414"><a name="asm_faq_0039__li20809847233"></a><a name="li20809847233"></a><strong id="asm_faq_0039__b352081622414">kubectl get pod -n </strong><em id="asm_faq_0039__i155216169249">default</em><strong id="asm_faq_0039__b18299141962414"> | grep </strong><em id="asm_faq_0039__i146291419192416">nginx</em></p>
<p id="asm_faq_0039__p3198122913259"><span><img id="asm_faq_0039__image16198122972515" src="en-us_image_0000001416065480.png"></span></p>
</li><li id="asm_faq_0039__li2870334101211">Run the following command to check whether <strong id="asm_faq_0039__b333314121549">postStart lifecycle</strong> is added to the pod and whether the <strong id="asm_faq_0039__b240151815410">istio-proxy</strong> container is placed in the first position:<p id="asm_faq_0039__p995575614257"><strong id="asm_faq_0039__b18832511162612">kubectl edit pod</strong> <em id="asm_faq_0039__i14521101417265">nginx-7bc96f87b9-l4dbl</em></p>
<p id="asm_faq_0039__p4118254366"><span><img id="asm_faq_0039__image2112258362" src="en-us_image_0000001466625829.png"></span></p>
</li></ol>
</li><li id="asm_faq_0039__li1997393981112"><strong id="asm_faq_0039__b1377545711361">Local Configuration</strong><p id="asm_faq_0039__p1526744420116">For Istio 1.8 or later versions, you can label the pods for which this function needs to be enabled with <strong id="asm_faq_0039__b164702414819">proxy.istio.io/config</strong> and set <strong id="asm_faq_0039__b1243311357816">holdApplicationUntilProxyStarts</strong> to true.</p>
<p id="asm_faq_0039__p142873506374">The following uses the <strong id="asm_faq_0039__b1213192371010">nginx</strong> service in the <strong id="asm_faq_0039__b5903112815103">default</strong> namespace as an example. The operations for other services are similar.</p>
<p id="asm_faq_0039__p1831714173819"><strong id="asm_faq_0039__b3358720144517">kubectl edit deploy </strong><em id="asm_faq_0039__i19727020134511">nginx</em><strong id="asm_faq_0039__b169992022164517"> -n </strong><em id="asm_faq_0039__i838132317452">default</em></p>
<p id="asm_faq_0039__p1569845016375">Add the following commands to the <strong id="asm_faq_0039__b2144114141310">spec.template.metadata.annotations</strong> field:</p>
<pre class="screen" id="asm_faq_0039__screen889844817381">proxy.istio.io/config: |
holdApplicationUntilProxyStarts: true</pre>
<p id="asm_faq_0039__p1888116433428"><span><img id="asm_faq_0039__image18881174304215" src="en-us_image_0000001416387696.png"></span></p>
</li></ul>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="asm_faq_0019.html">Mesh Management</a></div>
</div>
</div>
View Git Blame Copy Permalink