10.5.5 Configuring the Virtual Machine

On the VM, create the user istio-proxy and copy the files generated above into the directory /home/istio-proxy. They are:

· The Istio configuration file cluster.env.

· The DNS configuration file kubedns.

· The three certificate and key files root-cert.pem, cert-chain.pem and key.pem, with which the node agent authenticates itself to Citadel when it requests the VM's first workload certificate. key.pem is the VM's bootstrap private key: copy it over a protected channel and keep it readable by istio-proxy only.

· The Istio version file istio.VERSION, which contains the following variables:


export CITADEL_HUB="docker.io/istio"
export CITADEL_TAG="1.0.0"
export MIXER_HUB="docker.io/istio"
export MIXER_TAG="1.0.0"
export PILOT_HUB="docker.io/istio"
export PILOT_TAG="1.0.0"
export PROXY_HUB="docker.io/istio"
export PROXY_TAG="1.0.0"
export PROXY_DEBUG=""
export ISTIO_NAMESPACE="istio-system"
export PILOT_DEBIAN_URL="http://myistio.oss-cn-hangzhou.aliyuncs.com/1.0.5"
export FORTIO_HUB="docker.io/istio"
export FORTIO_TAG="latest_release"
export HYPERKUBE_HUB="quay.io/coreos/hyperkube"
export HYPERKUBE_TAG="v1.7.6_coreos.0"

The script that installs the Istio components on the VM is setupIstioVM.sh in the istio-meshexpansion directory. Read it before running it: it runs as root, and PILOT_DEBIAN_URL in istio.VERSION is the location the Istio Debian packages are fetched from. In the sample above that is a plain http:// address on an Alibaba Cloud OSS bucket, and it points at a 1.0.5 path while the image tags say 1.0.0; point the variable at a source you control or can verify, and keep its version consistent with the tags.

Run the script on the VM to complete the configuration (-x makes bash echo each command as it executes, so you can see exactly what is changed):


sudo bash -c -x ./setupIstioVM.sh
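Before running the script with sudo it is worth checking what has been staged. The following pre-flight script is an added example, not code from the book or from Istio's setupIstioVM.sh. It confirms that the six files listed above are present in the directory, that istio.VERSION exports the variables the sample file contains (checked with grep rather than by sourcing the file, since the file is executable shell), that key.pem is readable by its owner only, and, when openssl is available, that cert-chain.pem verifies against root-cert.pem and its leaf public key matches key.pem. The function names, the directory argument, the ISTIO_VM_CHECK_DIR variable and the subset of variables it insists on are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the book or of Istio's setupIstioVM.sh: pre-flight checks for
# the files staged in /home/istio-proxy before the setup script is run with sudo.
# Function names, ISTIO_VM_CHECK_DIR and the variable subset are this example's own choices.

REQUIRED_FILES="cluster.env kubedns istio.VERSION root-cert.pem cert-chain.pem key.pem"
# Variables the sample istio.VERSION above exports; the setup script needs them set.
REQUIRED_VERSION_VARS="CITADEL_HUB CITADEL_TAG PILOT_HUB PILOT_TAG PROXY_HUB PROXY_TAG ISTIO_NAMESPACE PILOT_DEBIAN_URL"

# 0 if every required file exists and is non-empty in directory $1, else 1.
check_required_files() {
  rc=0
  for f in $REQUIRED_FILES; do
    [ -s "$1/$f" ] || { echo "missing or empty: $1/$f" >&2; rc=1; }
  done
  return $rc
}

# 0 if the istio.VERSION file $1 exports every variable in REQUIRED_VERSION_VARS.
# The file is shell that the setup script sources as root, so inspect it with grep
# instead of sourcing it here.
check_version_file() {
  rc=0
  for v in $REQUIRED_VERSION_VARS; do
    grep -q "^export $v=" "$1" || { echo "istio.VERSION: $v not exported" >&2; rc=1; }
  done
  return $rc
}

# 0 if the private key $1 is readable by its owner only (e.g. -rw-------), else 1.
# A key copied over with the default umask usually lands as 0644.
check_key_mode() {
  mode=$(ls -l "$1" | cut -c1-10)
  case "$mode" in
    ?rw-------|?r--------) return 0 ;;
    *) echo "$1 has mode $mode; run chmod 600 on it" >&2; return 1 ;;
  esac
}

# 0 if cert-chain.pem in $1 verifies against root-cert.pem and its leaf public key
# matches key.pem; 1 on mismatch; 2 when openssl is not installed (check skipped).
check_cert_material() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping certificate check" >&2; return 2; }
  # -untrusted supplies any intermediates in the chain file; the first cert in it is the leaf
  openssl verify -CAfile "$1/root-cert.pem" -untrusted "$1/cert-chain.pem" "$1/cert-chain.pem" >/dev/null 2>&1 \
    || { echo "cert-chain.pem does not verify against root-cert.pem" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$1/cert-chain.pem" -noout -pubkey 2>/dev/null || true)
  key_pub=$(openssl pkey -in "$1/key.pem" -pubout 2>/dev/null || true)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
    || { echo "key.pem does not match the leaf certificate in cert-chain.pem" >&2; return 1; }
}

# Run all checks against a directory; non-zero if any hard check fails.
check_vm_bundle() {
  dir=${1:-/home/istio-proxy}
  status=0
  check_required_files "$dir" || status=1
  check_version_file "$dir/istio.VERSION" || status=1
  check_key_mode "$dir/key.pem" || status=1
  cert_rc=0
  check_cert_material "$dir" || cert_rc=$?
  [ "$cert_rc" != 1 ] || status=1
  return $status
}

# Usage: ISTIO_VM_CHECK_DIR=/home/istio-proxy sh check_vm_bundle.sh
[ -z "${ISTIO_VM_CHECK_DIR:-}" ] || check_vm_bundle "$ISTIO_VM_CHECK_DIR"
```

A non-zero exit means something in the bundle would either make the setup script fail or leave the VM's bootstrap key readable to other local users. The certificate check is the one that matters most: a key.pem that does not match cert-chain.pem, or a chain that does not verify against root-cert.pem, means the node agent cannot authenticate its first CSR to Citadel and the VM never gets a workload certificate.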

Once it finishes, check the processes it started:


root@mesh-vm-classic1:~# ps aux |grep istio
root      8838  0.0  0.3  52284  3428 ?        S    11:25   0:00 su -s /bin/sh -c exec /usr/local/bin/node_agent --ca-address istio-citadel:8060 --cert-chain /etc/certs/cert-chain.pem --key /etc/certs/key.pem --root-cert /etc/certs/root-cert.pem --env onprem istio-proxy
istio-p+  8851  0.0  0.4  45276  4552 ?        Ss   11:25   0:00 /lib/systemd/systemd --user
istio-p+  8852  0.0  0.1  61268  2012 ?        S    11:25   0:00 (sd-pam)
istio-p+  8860  0.2  1.4  20004 14324 ?        Ssl  11:25   0:00 /usr/local/bin/node_agent --ca-address istio-citadel:8060 --cert-chain /etc/certs/cert-chain.pem --key /etc/certs/key.pem --root-cert /etc/certs/root-cert.pem --env onprem
root      9092  0.0  0.3  21000  3156 ?        Ss   11:26   0:00 /bin/bash /usr/local/bin/istio-node-agent-start.sh
root      9094  0.0  0.3  52284  3504 ?        S    11:26   0:00 su -s /bin/sh -c exec /usr/local/bin/node_agent --ca-address istio-citadel:8060 --cert-chain /etc/certs/cert-chain.pem --key /etc/certs/key.pem --root-cert /etc/certs/root-cert.pem --env onprem istio-proxy
root      9101  0.0  0.3  52284  3484 ?        Ss   11:26   0:00 su -s /bin/bash -c INSTANCE_IP=10.30.54.162 POD_NAME=mesh-vm-classic1 POD_NAMESPACE=default exec /usr/local/bin/pilot-agent proxy      --serviceCluster rawvm     --discoveryAddress istio-pilot.istio-system:15011     --controlPlaneAuthPolicy MUTUAL_TLS     2> /var/log/istio/istio.err.log > /var/log/istio/istio.log istio-proxy
istio-p+  9103  0.2  1.4  19940 14300 ?        Ssl  11:26   0:00 /usr/local/bin/node_agent --ca-address istio-citadel:8060 --cert-chain /etc/certs/cert-chain.pem --key /etc/certs/key.pem --root-cert /etc/certs/root-cert.pem --env onprem
istio-p+  9149  0.0  1.7  29656 18104 ?        Ssl  11:26   0:00 /usr/local/bin/pilot-agent proxy --serviceCluster rawvm --discoveryAddress istio-pilot.istio-system:15011 --controlPlaneAuthPolicy MUTUAL_TLS
istio-p+  9166  0.3  3.4 106356 34968 ?        Sl   11:26   0:00 /usr/local/bin/envoy -c /etc/istio/proxy/envoy-rev1.json --restart-epoch 1 --drain-time-s 2 --parent-shutdown-time-s 3 --service-cluster rawvm --service-node sidecar~10.30.54.162~mesh-vm-classic1.default~default.svc.cluster.local --max-obj-name-len 189 --allow-unknown-fields -l warn --v2-config-only

In this listing node_agent, pilot-agent and envoy all run as the istio-proxy user (ps truncates the name to istio-p+); only the su wrappers and the istio-node-agent-start.sh unit script run as root. node_agent authenticates to Citadel at istio-citadel:8060 with the copied root-cert.pem, cert-chain.pem and key.pem (--env onprem) to obtain and renew the VM's workload certificate, pilot-agent connects to Pilot at istio-pilot.istio-system:15011 with --controlPlaneAuthPolicy MUTUAL_TLS, and Envoy is started with the service node identity sidecar~10.30.54.162~mesh-vm-classic1.default~default.svc.cluster.local. Note that the listing contains two node_agent processes (8860, started at 11:25 outside the systemd unit, and 9103 under it); one is enough, and both would be writing to the same /etc/certs files.

To check that the node agent used for Istio authentication is running healthily, query its systemd unit:


root@mesh-vm-classic1:~# sudo systemctl status istio-auth-node-agent
istio-auth-node-agent.service - istio-auth-node-agent: The Istio auth node agent
   Loaded: loaded (/lib/systemd/system/istio-auth-node-agent.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-02-20 11:26:24 CST; 10min ago
     Docs: https://istio.io/
 Main PID: 9092 (istio-node-agen)
   CGroup: /system.slice/istio-auth-node-agent.service
           └─9092 /bin/bash /usr/local/bin/istio-node-agent-start.sh

Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.388094Z        info        ClientConn switching balancer to "pick_first"
Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.388164Z        info        pickfirstBalancer: HandleSubConnStateChange: 0xc420220db0, CONN
Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.439472Z        info        grpc: addrConn.createTransport failed to connect to {istio-cita
Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.461965Z        info        pickfirstBalancer: HandleSubConnStateChange: 0xc420220db0, TRAN
Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.599389Z        info        Sending CSR (retrial #0) ...
Feb 20 11:26:24 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:24.599911Z        error        CSR signing failed: rpc error: code = Unavailable desc = all S
Feb 20 11:26:25 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:25.400388Z        info        pickfirstBalancer: HandleSubConnStateChange: 0xc420220db0, CONN
Feb 20 11:26:25 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:25.831992Z        info        pickfirstBalancer: HandleSubConnStateChange: 0xc420220db0, READ
Feb 20 11:26:29 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:29.860907Z        info        Sending CSR (retrial #1) ...
Feb 20 11:26:29 mesh-vm-classic1 istio-node-agent-start.sh[9092]: 2019-02-20T03:26:29.869853Z        info        CSR is approved successfully. Will renew cert in 1079h59m59.130
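In the log above the first CSR (retrial #0) fails with code = Unavailable because the gRPC connection to istio-citadel:8060 was still being established (the createTransport line just before it); retrial #1 five seconds later is approved, and the agent schedules a renewal in roughly 1080 hours, about 45 days. A CSR that keeps failing with Unavailable usually means istio-citadel does not resolve or is not reachable from the VM. The script below is an added example, not code from the book or from Istio: it turns the two manual inspections above into checks, reading a ps listing and the node-agent log from standard input. It assumes the Istio 1.0 process names, flags and log wording shown in the book's output; the function names are this example's own, and the two sample inputs are constructed, modelled on the book's listing and log.

```shell
#!/bin/sh
# Added example, not part of the book or of Istio: post-setup checks built from the two
# artefacts inspected above, the `ps aux` listing and the node-agent log.
# Function names are this example's own; the sample inputs are constructed.

# Constructed `ps aux` excerpt: the root su wrapper plus the istio-proxy processes.
SAMPLE_PS=$(cat <<'EOF'
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      9092  0.0  0.3  21000  3156 ?        Ss   11:26   0:00 /bin/bash /usr/local/bin/istio-node-agent-start.sh
root      9101  0.0  0.3  52284  3484 ?        Ss   11:26   0:00 su -s /bin/bash -c INSTANCE_IP=10.30.54.162 POD_NAME=mesh-vm-classic1 POD_NAMESPACE=default exec /usr/local/bin/pilot-agent proxy --serviceCluster rawvm --discoveryAddress istio-pilot.istio-system:15011 --controlPlaneAuthPolicy MUTUAL_TLS istio-proxy
istio-p+  9103  0.2  1.4  19940 14300 ?        Ssl  11:26   0:00 /usr/local/bin/node_agent --ca-address istio-citadel:8060 --cert-chain /etc/certs/cert-chain.pem --key /etc/certs/key.pem --root-cert /etc/certs/root-cert.pem --env onprem
istio-p+  9149  0.0  1.7  29656 18104 ?        Ssl  11:26   0:00 /usr/local/bin/pilot-agent proxy --serviceCluster rawvm --discoveryAddress istio-pilot.istio-system:15011 --controlPlaneAuthPolicy MUTUAL_TLS
istio-p+  9166  0.3  3.4 106356 34968 ?        Sl   11:26   0:00 /usr/local/bin/envoy -c /etc/istio/proxy/envoy-rev1.json --service-cluster rawvm --service-node sidecar~10.30.54.162~mesh-vm-classic1.default~default.svc.cluster.local
EOF
)

# Constructed node-agent log excerpt (what journalctl -u istio-auth-node-agent shows).
SAMPLE_LOG=$(cat <<'EOF'
2019-02-20T03:26:24.599389Z info  Sending CSR (retrial #0) ...
2019-02-20T03:26:24.599911Z error CSR signing failed: rpc error: code = Unavailable desc = all SubConns are in TransientFailure
2019-02-20T03:26:29.860907Z info  Sending CSR (retrial #1) ...
2019-02-20T03:26:29.869853Z info  CSR is approved successfully. Will renew cert in 1079h59m59.130s
EOF
)

# Read `ps aux` output on stdin. 0 when pilot-agent (with --controlPlaneAuthPolicy MUTUAL_TLS),
# envoy and node_agent all run as istio-proxy (shown truncated as istio-p+), else 1.
# The root su wrappers carry the same argument strings, so filtering is by user, not by text.
check_dataplane() {
  awk '
    $1 ~ /^istio-p/ && /\/pilot-agent proxy/ && /--controlPlaneAuthPolicy MUTUAL_TLS/ { agent++ }
    $1 ~ /^istio-p/ && /\/envoy /                                                 { envoy++ }
    $1 ~ /^istio-p/ && /\/node_agent /                                            { nodeagent++ }
    END {
      bad = 0
      if (agent + 0 < 1)     { print "pilot-agent not running as istio-proxy with MUTUAL_TLS" > "/dev/stderr"; bad = 1 }
      if (envoy + 0 < 1)     { print "envoy not running as istio-proxy" > "/dev/stderr"; bad = 1 }
      if (nodeagent + 0 < 1) { print "node_agent not running as istio-proxy" > "/dev/stderr"; bad = 1 }
      if (nodeagent + 0 > 1) print "warning: " nodeagent " node_agent processes, expected one" > "/dev/stderr"
      exit bad
    }'
}

# Read node-agent log lines on stdin and report the most recent CSR outcome:
# 0 = approved, 1 = the last attempt failed, 2 = no CSR exchange logged yet.
csr_status() {
  awk '
    /CSR is approved successfully/ { state = "ok" }
    /CSR signing failed/           { state = "failed" }
    END { exit (state == "ok") ? 0 : (state == "failed") ? 1 : 2 }'
}

# Print the interval from the most recent "Will renew cert in ..." line (empty if none).
renew_interval() {
  awk 'match($0, /Will renew cert in [^ ]+/) { v = substr($0, RSTART + 19, RLENGTH - 19) } END { print v }'
}

# Run the checks against live data on the VM; the sample inputs above are for offline use.
check_vm_health() {
  ps aux | check_dataplane || return 1
  log=$(journalctl -u istio-auth-node-agent --no-pager 2>/dev/null || true)
  printf '%s\n' "$log" | csr_status || return 1
  echo "CSR approved; next renewal in $(printf '%s\n' "$log" | renew_interval)"
}
```

On a VM, `check_vm_health` exits non-zero if any data-plane process runs as root or without mutual TLS to Pilot, or if the last CSR the node agent logged was refused; an exit code of 2 from `csr_status` on a VM that has been up for a while means the agent never reached Citadel at all, which is the case to investigate first (name resolution of istio-citadel, then reachability of port 8060).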