(How) Do Sidecar Proxies Work Without Containers?

egmanoj · December 23, 2021, 5:06pm

Context: Using Nomad to orchestrate Java applications (Tomcat, using exec), with Consul providing the service mesh.

How do sidecar proxies (specifically Envoy) work without containers? I’d like to run a group of Tomcat servers using Nomad’s exec driver. Following the service mesh idioms I should have a sidecar running with each instance of Tomcat. Is this possible at all, given that Tomcat will not be running inside containers?

I’m very new to Nomad and Consul. Do point me in the right direction if this has been answered elsewhere.

Thanks in advance.

davide · December 30, 2021, 2:05pm

Sure, i’m doing it in production, you need to explicitly declare the sidecar service systemd unit for each service (either inbound or outbound).

I usually use this config:

[Unit]
Requires=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/consul connect envoy \
    -token-file /my-token-file \
    -admin-bind localhost:0 \
    -sidecar-for my-service-name
Restart=on-failure
RestartSec=15
User=my-service-user
KillMode=process
KillSignal=SIGKILL
LimitNOFILE=65536
TimeoutSec=120
TimeoutStopSec=120

[Install]
WantedBy=multi-user.target

egmanoj · December 31, 2021, 6:17am

Thanks! Will try this out as soon as I have my Vagrant/Virtualbox local cluster up and running.

Noob question: do I declare the sidecar per instance of my service (Tomcat in my case)?

davide · December 31, 2021, 11:28am

Yes, each service instance must have one dedicated sidecar instance if it has at least one inbound connection or outbound dependency, the sidecar covers multiple inbound and outbound, you never need more than one per service instance.
Even if you use a plethora or sidecars the memory footprint will be lowered by the kernel, so it’s not that high.

You could access sidecars which are not specific to your service, but it would cause a mess keeping record and from security prospective, avoid it.

egmanoj · December 31, 2021, 12:37pm

Thanks for the quick revert.

I’m guessing that the above systemd service definition should be parametrised using a template in order create multiple instances of the same (sidecar) service. Is that correct?

blake · January 3, 2022, 6:36am

Yes, I recommend using this approach if you’re going to be running multiple proxies on the same host.

Here’s an example systemd unit I wrote a while back that you can use as a starting point to customize for your environment.

gist.github.com

https://gist.github.com/blake/96dd69b19f783223c029f63e5e511ee3

create-envoy-systemd-template-unit.md

# Create a systemd template unit for Envoy proxies with Consul

This brief tutorial will walk through the process of creating a systemd template
unit file for starting Envoy sidecars for use with Consul service mesh.

Template unit files allow systemd to address multiple units from a single
configuration file. You can call a systemd template unit file using a special
format to use this feature:

```plaintext

This file has been truncated. show original

egmanoj · January 3, 2022, 7:51am

Thanks @blake. This is really helpful

Topic		Replies	Views
Consul Connect Envoy without Docker Nomad	8	2669	May 2, 2022
Is it possible to set envoy as default proxy for Consul sidecars? Consul connect , consul-nomad	2	595	November 11, 2021
Replacing Envoy with something else Nomad	1	308	June 9, 2022
Connection refused on sidecar proxy Nomad connect , consul-nomad , service-mesh	2	812	October 19, 2023
Serve Consul-API to Services with Consul Connect Consul connect , consul-nomad	1	603	December 18, 2020

(How) Do Sidecar Proxies Work Without Containers?

Related topics