Component Debugging
You can gain insights into what individual components are doing by inspecting their logs or peering inside via introspection. If that’s insufficient, the steps below explain how to get under the hood.
With istioctl
Get an overview of your mesh
You can get an overview of your mesh using the proxy-status command:
$ istioctl proxy-status
If a proxy is missing from the output list, it is not currently connected to a Pilot instance and so will not receive any configuration. Additionally, if it is marked stale, it likely means there are networking issues or Pilot needs to be scaled.
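The check described above can be scripted. The following is an added example, not part of the Istio documentation: it reads saved proxy-status output and reports proxies marked stale and expected proxies that are absent from the list. It assumes the first line is a header, the first column is the proxy name, and an out-of-date column reads STALE; the pod names and sample output are constructed.

```shell
#!/bin/sh
# Added example: triage saved `istioctl proxy-status` output.
# Assumptions: line 1 is a header, column 1 is the proxy name
# (<pod>.<namespace>), and an out-of-date xDS column reads STALE.

# stale_proxies: read proxy-status output on stdin and print the name of
# every proxy that has at least one STALE column.
stale_proxies() {
  awk 'NR > 1 && NF {
         for (i = 2; i <= NF; i++)
           if ($i == "STALE") { print $1; break }
       }'
}

# missing_proxies NAME...: read proxy-status output on stdin and print each
# expected proxy NAME that does not appear in the list. A missing proxy is
# not connected to Pilot and is not receiving configuration.
missing_proxies() {
  seen=$(awk 'NR > 1 && NF { print $1 }')
  for want in "$@"; do
    # -x: whole-line match, -F: fixed string (pod names contain dots)
    printf '%s\n' "$seen" | grep -qxF -- "$want" || echo "$want"
  done
}

# Constructed sample output (names, Pilot instance and version are made up).
sample_status() {
  cat <<'EOF'
NAME                                    CDS      LDS      EDS      RDS        PILOT           VERSION
details-v1-abc.default                  SYNCED   SYNCED   SYNCED   SYNCED     istio-pilot-1   1.1.0
reviews-v2-def.default                  SYNCED   STALE    SYNCED   SYNCED     istio-pilot-1   1.1.0
istio-ingressgateway-ghi.istio-system   SYNCED   SYNCED   SYNCED   NOT SENT   istio-pilot-1   1.1.0
EOF
}

# Demo on the constructed sample. Against a live mesh, replace
# `sample_status` with `istioctl proxy-status`.
echo "stale proxies:"
sample_status | stale_proxies
echo "expected but missing proxies:"
sample_status | missing_proxies details-v1-abc.default productpage-v1-xyz.default
```

The list of expected proxy names has to come from your own inventory of pods that should have a sidecar; the script does not derive it.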
Get proxy configuration
istioctl allows you to retrieve information about proxy configuration using the proxy-config or pc command.
For example, to retrieve information about cluster configuration for the Envoy instance in a specific pod:
$ istioctl proxy-config cluster <pod-name> [flags]
To retrieve information about bootstrap configuration for the Envoy instance in a specific pod:
$ istioctl proxy-config bootstrap <pod-name> [flags]
To retrieve information about listener configuration for the Envoy instance in a specific pod:
$ istioctl proxy-config listener <pod-name> [flags]
To retrieve information about route configuration for the Envoy instance in a specific pod:
$ istioctl proxy-config route <pod-name> [flags]
To retrieve information about endpoint configuration for the Envoy instance in a specific pod:
$ istioctl proxy-config endpoints <pod-name> [flags]
See Debugging Envoy and Pilot for more advice on interpreting this information.
With GDB
To debug Istio with gdb, you will need to run the debug images of Envoy / Mixer / Pilot. A recent gdb and the golang extensions (for Mixer/Pilot or other golang components) are required.
kubectl exec -it PODNAME -c [proxy | mixer | pilot]
Find process ID: ps ax
gdb -p PID binary
For go: info goroutines, goroutine x bt
With Tcpdump
Tcpdump doesn’t work in the sidecar pod - the container doesn’t run as root. However, any other container in the same pod will see all the packets, since the network namespace is shared. iptables will also see the pod-wide configuration.
Communication between Envoy and the app happens on 127.0.0.1, and is not encrypted.