NAV
This is an archived version
of the documentation
View the latest version

Introduction

A linkerd config example

admin:
  port: 9990

routers:
- protocol: http
  label: int-http
  baseDtab: |
    /host       => /#/io.l5d.fs;
    /http/1.1/* => /host;
  identifier:
    kind: io.l5d.methodAndHost
    httpUriInDst: true
  servers:
  - port: 4140
    ip: 0.0.0.0

- protocol: thrift
  servers:
  - port: 8081
    ip: 0.0.0.0
    thriftFramed: true
  client:
    thriftFramed: true
  thriftMethodInDst: false
  baseDtab: |
    /thrift => /#/io.l5d.fs/thrift;

namers:
- kind: io.l5d.fs
  rootDir: disco

tracers:
- kind: io.l5d.zipkin
  sampleRate: 0.02

Welcome to the Configuration Reference for linkerd!

linkerd’s configuration is controlled via config file, which must be provided as a command-line argument. It may be a local file path or - to indicate that the configuration should be read from the standard input. For convenience, the release package includes a default linkerd.yaml file in the config/ directory.

File Format

The configuration may be specified as a JSON or YAML object. There are no requirements on field ordering, though it’s generally good style to start a router with the protocol. Four top level keys are supported:

Key Required Description
admin no Configures linkerd’s administrative interface.
routers yes Configures linkerd’s RPC support for various protocols.
namers no Configures linkerd’s integration with various service discovery backends.
tracers no Configures linkerd’s request instrumentation.

Administrative interface

admin:
  ip: 127.0.0.1
  port: 9990

linkerd supports an administrative interface, both as a web ui and a collection of json endpoints. The exposed admin port and ip to listen on are configurable via a top-level admin section.

Key Default Value Description
ip 0.0.0.0 IP for the admin interface.
port 9990 Port for the admin interface.

Routers

A minimal linkerd configuration example, which forwards all requests on localhost:8080 to localhost:8888

routers:
- protocol: http
  baseDtab: /http => /$/inet/127.1/8888
  servers:
  - port: 8080

All configurations must define a routers key, the value of which must be an array of router configurations. Each router implements RPC for a supported protocol. linkerd doesn’t need to understand the payload in an RPC call, but it does need to know enough about the protocol to determine the logical name of the destination.

See routers.

Namers and Service Discovery

namers:
- kind: io.l5d.fs
  rootDir: disco

linkerd supports a variety of common service discovery backends, including ZooKeeper and Consul. linkerd provides abstractions on top of service discovery lookups that allow the use of arbitrary numbers of service discovery backends, and for precedence and failover rules to be expressed between them. This logic is governed by the routing configuration.

Naming and service discovery are configured via the namers section of the configuration file. A namer acts on paths that start with /# followed by the namer’s prefix. See namers.

Tracers

tracers:
- kind: io.l5d.zipkin
  sampleRate: 0.02

Requests that are routed by linkerd are also traceable using Finagle’s built-in tracing instrumentation. Trace data can be exported from a linkerd process by configuring tracers via a top-level tracers section. See tracers.

Routers

All configurations must define a routers key, the value of which must be an array of router configurations. Routers also include servers, which define their entry points, and client, which configures how clients are built.

Router Parameters

routers:
- protocol: http
  servers: ...
  client: ...
  announcers: ...
  bindingCache: ...
  label: myPackIce
  dstPrefix: /walruses/http
  baseDtab: |
    /host                => /#/io.l5d.fs;
    /walruses/http/1.1/* => /host;
  failFast: false
  originator: true
  timeoutMs: 10000
  bindingTimeoutMs: 5000
  responseClassifier:
    kind: io.l5d.nonRetryable5XX
Key Default Value Description
protocol required Either http, thrift, or mux.
servers required A list of server objects.
announcers an empty list A list of service discovery announcers that servers can announce to.
baseDtab an empty dtab Sets the base delegation table. See dtabs for more.
bindingTimeoutMs 10 seconds The maximum amount of time in milliseconds to spend binding a path.
bindingCache see binding cache Binding cache size configuration.
client an empty object An object of client params.
dstPrefix protocol dependent A path prefix to be used on request destinations.
failFast false If true, connection failures are punished more aggressively. Should not be used with small destination pools.
originator false If true, indicates that this router is the first hop for linker-to-linker requests, and reflects that in the router’s stats. Useful for deduping linker-to-linker stats.
interpreter default interpreter An interpreter object determining what module will be used to process destinations.
label the value of protocol The name of the router (in stats and the admin ui)
response Classifier io.l5d.nonRetryable5XX A (sometimes protocol-specific) response classifier that determines which responses should be considered failures and, of those, which should be considered retryable.
timeoutMs no timeout Per-request timeout in milliseconds.

Binding Cache

- protocol: http
  servers:
  - port: 9000
  bindingCache:
    paths: 100
    trees: 100
    bounds: 100
    clients: 10
Key Default Value Description
paths 100 Max number of paths in the path cache.
trees 100 Max number of trees in the tree cache.
bounds 100 Max number of bounds in the bounds cache.
clients 10 Max number of clients in the clients cache.

Server Parameters

servers:
- port: 8080
  ip: 0.0.0.0
  tls:
    certPath: /foo/cert.pem
    keyPath: /foo/key.pem
  maxConcurrentRequests: 1000
  announce:
    - /#/io.l5d.serversets/discovery/prod/web
Key Default Value Description
port protocol dependent The TCP port number. Protocols may provide default values. If no default is provided, the port parameter is required.
ip loopback address The local IP address. A value like 0.0.0.0 configures the server to listen on all local IPv4 interfaces.
tls no tls The server will serve over TLS if this parameter is provided. see TLS.
maxConcurrentRequests unlimited The maximum number of concurrent requests the server will accept.
announce an empty list A list of concrete names to announce using the router’s announcers.

Client Parameters

client:
  tls:
    kind: io.l5d.noValidation
    commonName: foo
    caCertPath: /foo/caCert.pem
  loadBalancer:
    kind: ewma
    enableProbation: false
  retries:
    backoff:
      kind: jittered
      minMs: 10
      maxMs: 10000
  failureAccrual:
    kind: io.l5d.consecutiveFailures
    failures: 10
Key Default Value Description
hostConnectionPool An empty object see hostConnectionPool.
tls no tls The router will make requests using TLS if this parameter is provided. It must be a client TLS object.
loadBalancer p2c A load balancer object.
retries see retries A retry policy for all clients created by this router.
failureAccrual 5 consecutive failures a failure accrual policy for all clients created by this router.

Host Connection Pool

client:
  hostConnectionPool:
    minSize: 0
    maxSize: 1000
    idleTimeMs: 10000
    maxWaiters: 5000
Key Default Value Description
minSize 0 The minimum number of connections to maintain to each host.
maxSize Int.MaxValue The maximum number of connections to maintain to each host.
idleTimeMs forever The amount of idle time for which a connection is cached in milliseconds.
maxWaiters Int.MaxValue The maximum number of connection requests that are queued when the connection concurrency exceeds maxSize.

HTTP/1.1 protocol

Below: http-specific configuration options

routers:
- protocol: http
  httpAccessLog: access.log
  identifier:
    kind: io.l5d.methodAndHost
  maxChunkKB: 8
  maxHeadersKB: 8
  maxInitialLineKB: 4
  maxRequestKB: 5120
  maxResponseKB: 5120
  servers:
  - port: 5000

Below: an example HTTP router config that routes all POST requests to 8091 and all other requests to 8081, using the default identifier of io.l5d.methodAndHost, listening on port 5000

routers:
- protocol: http
  label: split-get-and-post
  baseDtab: |
    /method/*    => /$/inet/127.1/8081;
    /method/POST => /$/inet/127.1/8091;
    /http/1.1    => /method;
  servers:
  - port: 5000

The baseDtab above is written to work with the methodAndHost identifier. Using a different identifier would require a different set of dtab rules.

protocol: http

The HTTP/1.1 protocol is used when the protocol option of the routers configuration block is set to http. This protocol has additional configuration options on the routers block.

Key Default Value Description
dstPrefix http A path prefix used by Http-specific identifiers.
httpAccessLog none Sets the access log path. If not specified, no access log is written.
identifier The methodAndHost identifier An identifier or list of identifiers. See Http-specific identifiers.
maxChunkKB 8 The maximum size of an HTTP chunk.
maxHeadersKB 8 The maximum size of all headers in an HTTP message.
maxInitialLineKB 4 The maximum size of an initial HTTP message line.
maxRequestKB 5120 The maximum size of a non-chunked HTTP request payload.
maxResponseKB 5120 The maximum size of a non-chunked HTTP response payload.
compressionLevel -1, automatically compresses textual content types with compression level 6 The compression level to use (on 0-9).

HTTP/1.1 Identifiers

Identifiers are responsible for creating logical names from an incoming request; these names are then matched against the dtab. (See the linkerd routing overview for more details on this.) All HTTP/1.1 identifiers have a kind. If a list of identifiers is provided, each identifier is tried in turn until one successfully assigns a logical name to the request.

Key Default Value Description
kind required Either io.l5d.methodAndHost or io.l5d.path.

Method and Host Identifier

kind: io.l5d.methodAndHost.

With this identifier, HTTP requests are turned into logical names using a combination of Host header, method, and (optionally) URI. Host header value is lower-cased as per RFC 2616.

Identifier Configuration:

Configuration example

identifier:
  kind: io.l5d.methodAndHost
  httpUriInDst: true
Key Default Value Description
httpUriInDst false If true http paths are appended to destinations. This allows a form of path-prefix routing. This option is not recommended as performance implications may be severe; Use the path identifier instead.

Identifier Path Parameters:

Dtab Path Format for HTTP/1.1

  / dstPrefix / "1.1" / method / host [/ uri* ]

Dtab Path Format for HTTP/1.0

  / dstPrefix / "1.0" / method [/ uri* ]
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
method N/A The HTTP method of the current request, ie OPTIONS, GET, HEAD, POST, PUT, DELETE, TRACE, or CONNECT.
host N/A The value of the current request’s Host header. Case sensitive!. Not used in HTTP/1.0.
uri Not used Only considered a part of the logical name if the config option httpUriInDst is true.

Path Identifier

kind: io.l5d.path

With this identifier, HTTP requests are turned into names based only on the path component of the URL, using a configurable number of “/” separated segments from the start of their HTTP path.

Identifier Configuration:

With this configuration, a request to :5000/true/love/waits.php will be mapped to /http/true/love and will be routed based on this name by the corresponding dtab. Additionally, because consume is true, after routing, requests will be proxied to the destination service with /waits.php as the path component of the URL.

routers:
- protocol: http
  identifier:
    kind: io.l5d.path
    segments: 2
    consume: true
  servers:
  - port: 5000
Key Default Value Description
segments 1 Number of segments from the path that are appended to destinations.
consume false Whether to additionally strip the consumed segments from the HTTP request proxied to the final destination service. This only affects the request sent to the destination service; it does not affect identification or routing.

Identifier Path Parameters:

Dtab Path Format

  / dstPrefix [/ *urlPath ]
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
urlPath N/A A path from the URL whose number of segments is set in the identifier block.

Header Identifier

kind: io.l5d.header

With this identifier, HTTP requests are turned into names based only on the value of an HTTP header. The value of the HTTP header is interpreted as a path and therefore must start with a /.

Identifier Configuration:

With this configuration, the value of the my-header HTTP header will be used as the logical name.

routers:
- protocol: http
  identifier:
    kind: io.l5d.header
    header: my-header
  servers:
  - port: 5000
Key Default Value Description
header l5d-name The name of the HTTP header to use

Identifier Path Parameters:

Dtab Path Format

  / dstPrefix [*headerValue ]
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
headerValue N/A The value of the HTTP header as a path.

Header Token Identifier

kind: io.l5d.header.token

With this identifier, HTTP requests are turned into names based only on the value of an HTTP header. The name is a path with one segment and the value of that segment is taken from the HTTP header.

Identifier Configuration:

With this configuration, the value of the my-header HTTP header will be used as the logical name.

routers:
- protocol: http
  identifier:
    kind: io.l5d.header.token
    header: my-header
  servers:
  - port: 5000
Key Default Value Description
header Host The name of the HTTP header to use

Identifier Path Parameters:

Dtab Path Format

  / dstPrefix / [headerValue]
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
headerValue N/A The value of the HTTP header as a path segment.

Static Identifier

kind: io.l5d.static

This identifier always assigns the same static name to all requests.

Identifier Configuration:

routers:
- protocol: http
  identifier:
    kind: io.l5d.static
    path: /foo/bar
Key Default Value Description
path required The name to assign to all requests

Identifier Path Parameters

Dtab Path Format

  / dstPrefix / *path
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
path N/A The path given in the configuration.

HTTP Engines

This configures an HTTP router that uses the new netty4 implementation on both the client and server:

- protocol: http
  servers:
  - port: 4141
    ip: 0.0.0.0
    engine:
      kind: netty4
  client:
    engine:
      kind: netty4

An engine may be configured on HTTP clients and servers, causing an alternate HTTP implementation to be used.

Key Default Value Description
kind netty3 Either netty3 or netty4 (netty4 will become default in an upcoming release).

HTTP Headers

linkerd reads and sets several headers prefixed by l5d-.

Context Headers

Context headers (l5d-ctx-*) are generated and read by linkerd instances. Applications should forward all context headers in order for all linkerd features to work.

Header Description
dtab-local Deprecated. Use l5d-ctx-dtab and l5d-dtab.
l5d-ctx-deadline Describes time bounds within which a request is expected to be satisfied. Currently deadlines are only advisory and do not factor into request cancellation.
l5d-ctx-trace Encodes Zipkin-style trace IDs and flags so that trace annotations emitted by linkerd may be correlated.

User Headers

Append a dtab override to the baseDtab for this request

curl -H 'l5d-dtab: /host/web => /host/web-v2' "localhost:5000"

User headers enable user-overrides.

Header Description
l5d-dtab A client-specified delegation override.
l5d-sample A client-specified trace sample rate override.

Informational Request Headers

The informational headers linkerd emits on outgoing requests.

Header Description
l5d-dst-logical The logical name of the request as identified by linkerd.
l5d-dst-concrete The concrete client name after delegation.
l5d-dst-residual An optional residual path remaining after delegation.
l5d-reqid A token that may be used to correlate requests in a callgraph across services and linkerd instances.

Applications are not required to forward these headers on downstream requests.

Informational Response Headers

The informational headers linkerd emits on outgoing responses.

Header Description
l5d-err Indicates a linkerd-generated error. Error responses that do not have this header are application errors.

Applications are not required to forward these headers on upstream responses.

HTTP/2 protocol

Below: Authority (Host) based routing for HTTP/2 over TLS

routers:
- protocol: h2
  experimental: true
  servers:
  - port: 4143
    tls:
      certPath: .../public/linkerd.pem
      keyPath: .../private/linkerd.pem
      caCertPath: .../ca.pem
  identifier:
    kind: io.l5d.headerToken
    header: ":authority"
  baseDtab: |
    /srv => /#/io.l5d.fs ;
    /h2 => /srv ;
  client:
    tls:
      kind: io.l5d.boundPath
      caCertPath: .../ca.pem
      names:
      - prefix: "/#/io.l5d.fs/{service}"
        commonNamePattern: "{service}"

Below: plaintext gRPC

routers:
- protocol: h2
  experimental: true
  label: grpc
  servers:
  - port: 4142
  identifier:
    kind: io.l5d.headerPath
    segments: 2
  baseDtab: |
    /srv => /#/io.l5d.fs ;
    /h2 => /srv ;

because gRPC encodes URLs as /serviceName/methodName, we can simply register service names into a discovery system and route accordingly. Note that gRPC may be configured over TLS as well.

protocol: h2

linkerd now has experimental support for HTTP/2. There are a number of open issues that are being addressed. Please report any additional issues with this protocol!

Key Default Value Description
dstPrefix h2 A path prefix used by H2-specific identifiers.
experimental false Set this to true to opt-in to experimental h2 support.

When TLS is configured, h2 routers negotiate to communicate over HTTP/2 via ALPN.

When TLS is not configured, h2 servers accept both prior knowledge and HTTP Upgrade requests. Plaintext clients are currently only capable of issuing prior-knowledge requests.

HTTP/2 Identifiers

Identifiers are responsible for creating logical names from an incoming request; these names are then matched against the dtab. (See the linkerd routing overview for more details on this.) All h2 identifiers have a kind. If a list of identifiers is provided, each identifier is tried in turn until one successfully assigns a logical name to the request.

Key Default Value Description
kind required The name of an identifier plugin, such as io.l5d.headerToken or io.l5d.headerPath.

Header Token identifier

kind: io.l5d.headerToken.

With this identifier, requests are turned into logical names using the value of the named header. By default, the :authority pseudo-header is used to provide host-based routing.

Namer Configuration:

With this configuration, the value of the my-header header will be used as the logical name.

routers:
- protocol: h2
  experimental: true
  identifier:
    kind: io.l5d.headerToken
    header: my-header
  servers:
  - port: 5000
Key Default Value Description
header :authority The name of the header to extract a token from. If there are multiple headers with this name, the last one is used.

Namer Path Parameters:

Dtab Path Format

  / dstPrefix / headerValue
Key Default Value Description
dstPrefix http The dstPrefix as set in the routers block.
headerValue N/A The value of the header.

Header Path Identifier

kind: io.l5d.headerPath

With this identifier, requests are identified using a path read from a header. This is useful for routing gRPC requests. By default, the :path psuedo-header is used.

Namer Configuration:

With this configuration, a request to :5000/true/love/waits.php?thing=1 will be mapped to /h2/true/love and will be routed based on this name by the corresponding Dtab.

routers:
- protocol: h2
  experimental: true
  identifier:
    kind: io.l5d.headerPath
    segments: 2
  servers:
  - port: 5000
Key Default Value Description
header :path The name of the header to extract a Path from. If there are multiple headers with this name, the last one is used.
segments None If specified, the number of path segments that are required extracted from each request.

Namer Path Parameters:

Dtab Path Format

  / dstPrefix / *urlPath
Key Default Value Description
dstPrefix h2 The dstPrefix as set in the routers block.
urlPath N/A The first segments elements of the path from the URL

Headers

linkerd reads and sets several headers prefixed by l5d-, as is done by the http protocol.

Context Headers

Context headers (l5d-ctx-*) are generated and read by linkerd instances. Applications should forward all context headers in order for all linkerd features to work.

Header Description
dtab-local Deprecated. Use l5d-ctx-dtab and l5d-dtab.
l5d-ctx-deadline Describes time bounds within which a request is expected to be satisfied. Currently deadlines are only advisory and do not factor into request cancellation.
l5d-ctx-trace Encodes Zipkin-style trace IDs and flags so that trace annotations emitted by linkerd may be correlated.

User Headers

Append a dtab override to the baseDtab for this request

curl -H 'l5d-dtab: /host/web => /host/web-v2' "localhost:5000"

User headers enable user-overrides.

Header Description
l5d-dtab A client-specified delegation override.
l5d-sample A client-specified trace sample rate override.

Informational Request Headers

The informational headers linkerd emits on outgoing requests.

Header Description
l5d-dst-logical The logical name of the request as identified by linkerd.
l5d-dst-concrete The concrete client name after delegation.
l5d-dst-residual An optional residual path remaining after delegation.
l5d-reqid A token that may be used to correlate requests in a callgraph across services and linkerd instances.

Applications are not required to forward these headers on downstream requests.

Informational Response Headers

The informational headers linkerd emits on outgoing responses.

Header Description
l5d-err Indicates a linkerd-generated error. Error responses that do not have this header are application errors.

Applications are not required to forward these headers on upstream responses.

Thrift Protocol

This config routes thrift (via buffered transport using the TCompactProtocol) from port 4004 to port 5005

routers:
- protocol: thrift
  label: port-shifter
  baseDtab: |
    /thrift => /$/inet/127.1/5005;
  servers:
  - port: 4004
    ip: 0.0.0.0
    thriftFramed: false
    thriftProtocol: compact
  client:
    thriftFramed: false
    thriftProtocol: compact

protocol: thrift

Since the Thrift protocol does not encode a destination name in the message itself, routing must be done per port. This implies one port per Thrift service. For out-of-the-box configuration, this means that the contents of disco/thrift will be treated as a newline-delimited list of host:port combinations for a specific thrift service.

Thrift Router Parameters

Key Default Value Description
dstPrefix thrift A path prefix used in baseDtab.
thriftMethodInDst false If true, thrift method names are appended to destinations for outgoing requests.

Thrift Server Parameters

Key Default Value Description
port 4114 The TCP port number.
thriftFramed true If true, a framed thrift transport is used for incoming requests; otherwise, a buffered transport is used. Typically this setting matches the router’s thriftFramed param.
thriftProtocol binary Either binary (TBinaryProtocol) or compact (TCompantProtocol). Typically this setting matches the router’s client thriftProtocol param.

Thrift Client Parameters

Key Default Value Description
thriftFramed true If true, a framed thrift transport is used for outgoing requests; otherwise, a buffered transport is used. Typically this setting matches the router’s servers’ thriftFramed param.
thriftProtocol binary Either binary (TBinaryProtocol) or compact (TCompantProtocol). Typically this setting matches the router’s servers’ thriftProtocol param.
attemptTTwitterUpgrade false Controls whether thrift protocol upgrade should be attempted.

Mux Protocol (experimental)

A mux router configuration that routes requests to port 9001


routers:
- protocol: mux
  label: power-level-router
  dstPrefix: /overNineThousand
  baseDtab: |
    /overNineThousand => /$/inet/127.0.1/9001;

protocol: mux

linkerd experimentally supports the mux protocol.

Mux Router Parameters

Key Default Value Description
dstPrefix mux A path prefix used in baseDtab.

Mux Server Parameters

Key Default Value Description
port 4141 The TCP port number.

Interpreter

Example Interpreter Configuration

routers:
- ...
  interpreter:
    kind: io.l5d.namerd
    dst: /$/inet/1.2.3.4/4180

An interpreter determines how names are resolved.

Key Default Value Description
kind default Either default, io.l5d.namerd, or io.l5d.fs.
transformers No transformers A list of transformers to apply to the resolved addresses.

Default

kind: default

The default interpreter resolves names via the configured namers, with a fallback to the default Finagle Namer.Global that handles paths of the form /$/.

namerd

kind: io.l5d.namerd kind: io.l5d.namerd.http

The namerd interpreter offloads the responsibilities of name resolution to the namerd service. Any namers configured in this linkerd are not used. The io.l5d.namerd interpreter uses namerd’s long-poll thrift interface and the io.l5d.namerd.http interpreter uses namerd’s HTTP streaming interface. Note that the protocol that the interpreter uses to talk to namerd is unrelated to the protocols of linkerd’s routers.

Key Default Value Description
experimental required Because the http version is still considered experimental, you must set this to true to use it.
dst required A Finagle path locating the namerd service.
namespace default The name of the namerd dtab to use.
retry see namerd retry An object configuring retry backoffs for requests to namerd.
tls no tls Requests to namerd will be made using TLS if this parameter is provided. It must be a namerd client TLS object.

namerd retry

Key Default Value Description
baseSeconds 5 seconds The base number of seconds to wait before retrying.
maxSeconds 10 minutes The maximum number of seconds to wait before retrying.

namerd client tls

Key Default Value Description
commonName required The common name to use for namerd requests.
caCert N/A The path to the CA cert used for common name validation.

File-System

kind: io.l5d.fs

The file-system interpreter resolves names via the configured namers, just like the default interpreter, but also uses a dtab read from a file on the local file-system. The specified file is watched for changes so that the dtab may be edited live.

Key Default Value Description
dtabFile required The file-system path to a file containing a dtab.

Transformer

Example Transformer Configuration

routers:
- ...
  interpreter:
    ...
    transformers:
    - kind: io.l5d.localhost

Transformers perform a transformation on the addresses resolved by the interpreter. Transformations are applied sequentially in the order they appear.

Key Default Value Description
kind required One of the transformer kinds listed below.

Localhost

kind: io.l5d.localhost

The localhost transformer filters the list of addresses down to only addresses that have the same IP address as localhost. The IP of localhost is determined by doing a one-time dns lookup of the local hostname. This transformer can be used by an incoming router to only route traffic to local destinations.

Port

kind: io.l5d.port

The port transformer replaces the port number in every addresses with a configured value. This can be used if there is an incoming linkerd router (or other reverse-proxy) running on a fixed port on each host and you with to send traffic to that port instead of directly to the destination address.

Key Default Value Description
port required The port number to use.

DaemonSet (Kubernetes)

kind: io.l5d.k8s.daemonset

The DaemonSetTransformer maps each address in the destination NameTree to a member of a given daemonset that is on the same /24 subnet. Since each k8s node is its own /24 subnet, the result is that each destination address is mapped to the member of the daemonset that is running on the same node. This can be used to redirect traffic to a reverse-proxy that runs as a daemonset.

This transformer assumes that there is a Kubernetes service for the daemonset which can be used to find all pods in the daemonset.

Key Default Value Description
k8sHost localhost The Kubernetes master host.
k8sPort 8001 The Kubernetes master port.
namespace required The Kubernetes namespace of the daemonset.
service required The Kubernetes service name for the daemonset.
port required The name of the daemonset port to use.
hostNetwork false If true, use nodeName instead of /24 subnet to determine which daemonset pod is on the destination node. Set this to true if the daemonset is running with hostNetwork: true.

Localnode (Kubernetes)

kind: io.l5d.k8s.localnode

The localnode transformer filters the list of addresses down to only addresses that are on the same /24 subnet as localhost. Since each k8s node is its own /24 subnet, the result is that only addresses on the local node are used.

This transformer does not have any configuration properties but it does require the POD_IP environment variable be set with the localhost IP address. This is most easily done with the Kubernetes downward API.

In your container spec:

env:
- name: POD_IP
    valueFrom:
      fieldRef:
        fieldPath: status.podIP
Key Default Value Description
hostNetwork false If true, use nodeName to determine which pods are on the local node. This adds the requirement that the NODE_NAME environment variable be set with the node name. Set this to true if the pod is running with hostNetwork: true.

Replace

kind: io.l5d.replace

The replace transformer replaces all bound names with a configurable path. This differs from the Const transformer in that if the original NameTree is Neg then the result will be Neg as well. This is useful if you want to use a namer to check the validity of a name but then actually route to a different name.

Key Default Value Description
path required Bound names will be replaced with this path.

Const

kind: io.l5d.const

The const transformer ignores the input and always returns a constant configurable path. This differs from the Replace transformer in that it always returns the configured path, even when the original NameTree is Neg.

Key Default Value Description
path required Ignore the input and return this path.

HTTP Response Classifiers

Example response classifier config

routers:
- ...
  client:
  responseClassifier:
    kind: io.l5d.retryableRead5XX

Response classifiers determine which HTTP responses are considered to be failures (for the purposes of success rate calculation) and which of these responses may be retried.

Key Default Value Description
kind io.l5d.nonRetryable5XX Either io.l5d.nonRetryable5XX, io.l5d.retryableRead5XX, or io.l5d.retryableIdempotent5XX.

Non-Retryable 5XX

kind: io.l5d.nonRetryable5XX

All 5XX responses are considered to be failures and none of these requests are considered to be retryable.

Retryable Read 5XX

kind: io.l5d.retryableRead5XX

All 5XX responses are considered to be failures. However, GET, HEAD, OPTIONS, and TRACE requests may be retried automatically.

Retryable Idempotent 5XX

kind: io.l5d.retryableIdempotent5XX

Like io.l5d.retryableRead5XX, but PUT and DELETE requests may also be retried.

Failure Accrual

routers:
- ...
  client:
    failureAccrual:
      kind: io.l5d.successRate
      successRate: 0.9
      requests: 1000
      backoff:
        kind: jittered
        minMs: 5000
        maxMs: 300000

linkerd uses failure accrual to track the number of requests that have failed to a given node, and it will backoff sending requets to any nodes whose failures have exceeded a given threshold. Both the failure threshold and the backoff behavior are configurable. By default, if linkerd observes 5 consecutive failures from a node, it will mark the node as dead and only attempt to resend it traffic in increasing intervals between 5 seconds and 5 minutes.

Key Default Value Description
kind required Either io.l5d.consecutiveFailures, io.l5d.successRate, io.l5d.successRateWindowed, or none.
backoff jittered backoff from 5s to 300s A backoff policy that determines how long to wait before resending traffic.

Consecutive Failures

kind: io.l5d.consecutiveFailures

Observes the number of consecutive failures to each node, and backs off sending requests to nodes that have exceeded the specified number of failures.

Key Default Value Description
failures required Number of consecutive failures.

Success Rate

kind: io.l5d.successRate

Computes an exponentially-weighted moving average success rate for each node, and backs off sending requests to nodes that have fallen below the specified success rate. The window size for computing success rate is constrained to a fixed number of requests.

Key Default Value Description
successRate required Target success rate.
requests required Number of requests over which success rate is computed.

Success Rate (windowed)

kind: io.l5d.successRateWindowed

Computes an exponentially-weighted moving average success rate for each node, and backs off sending requests to nodes that have fallen below the specified success rate. The window size for computing success rate is constrained to a fixed time window.

Key Default Value Description
successRate required Target success rate.
window required Number of seconds over which success rate is computed.

None

kind: none

Disables failure accrual altogether. This policy does not accept any additional parameters.

TLS

Server TLS

routers:
- protocol: http
  servers:
  - port: 4140
    # accept incoming TLS traffic from remote linkerd
    tls:
      certPath: /certificates/certificate.pem
      keyPath: /certificates/key.pem
  baseDtab: |
    /http => /$/inet/127.1/8080;

In order to accept incoming tls traffic, the tls parameter must be defined on the server.

Key Default Value Description
certPath required File path to the TLS certificate file.
keyPath required File path to the TLS key file.

See Transparent TLS with linkerd for more on how to generate certificate and key files.

Client TLS

Client TLS is defined in the client section of routers:

routers:
- protocol: http
  client:
    tls:
      kind: io.l5d.noValidation

In order to send outgoing tls traffic, the tls parameter must be defined on the client.

A client TLS object describes how linkerd should use TLS when sending requests to destination services.

Key Default Value Description
kind required Either io.l5d.noValidation, io.l5d.static, or io.l5d.boundPath.

No Validation TLS

tls:
  kind: io.l5d.noValidation

kind: io.l5d.noValidation

Static TLS

tls:
  kind: io.l5d.static
  commonName: foo
  caCertPath: /foo/caCert.pem

kind: io.l5d.static

Uses a single common name for all TLS requests. This assumes all servers that the router connects to use the same TLS cert (or all use certs generated with the same common name).

Key Default Value Description
commonName required The common name to use for all TLS requests.
caCertPath N/A The path to the CA cert used for common name validation.

TLS with Bound Path

tls:
  kind: io.l5d.boundPath
  caCertPath: /foo/cacert.pem
  names:
  - prefix: "/#/io.l5d.fs/{host}"
    commonNamePattern: "{host}.buoyant.io"
  strict: false

kind: io.l5d.boundPath

Determine the common name based on the destination bound path. This plugin supports the following options:

Key Default Value Description
caCertPath ? The path to the CA cert used for common name validation.
names required A list of name matchers.
strict true When true, paths that fail to match any prefixes throw an exception.

Bound Path Name Matchers

Key Default Value Description
prefix required A path prefix. All destinations which match this prefix will use this entry to determine the common name. Wildcards and variable capture are allowed (see: io.buoyant.linkerd.util.PathMatcher).
commonNamePattern required The common name to use for destinations matching the above prefix. Variables captured in the prefix may be used in this string.

See Transparent TLS with linkerd for more on how boundPath matches prefixes when routing requests.

Load Balancer

Example load balancer configuration

routers:
- ...
  client:
    loadBalancer:
      kind: ewma
      maxEffort: 10
      decayTimeMs: 15000
Key Default Value Description
kind p2c Either p2c, ewma, aperture, or heap.
enableProbation false If true, endpoints are eagerly evicted from service discovery. See Finagle’s LoadBalancerFactory.EnableProbation.

Power of Two Choices: Least Loaded

kind: p2c

Key Default Value Description
maxEffort 5 The number of times a load balancer can retry if the previously picked node was marked unavailable.

Power of Two Choices: Peak EWMA

kind: ewma

Key Default Value Description
maxEffort 5 The number of times a load balancer can retry if the previously picked node was marked unavailable.
decayTimeMs 10 seconds The window of latency observations.

Aperture: Least Loaded

kind: aperture

Key Default Value Description
maxEffort 5 The number of times a load balancer can retry if the previously picked node was marked unavailable.
smoothWin 5 seconds The window of concurrent load observation.
lowLoad 0.5 The lower bound of the load band used to adjust an aperture.
highLoad 2 The upper bound of the load band used to adjust an aperture.
minAperture 1 The minimum size of the aperture.

Heap: Least Loaded

kind: heap

Retries

routers:
- ...
  client:
    retries:
      budget:
        minRetriesPerSec: 5
        percentCanRetry: 0.5
        ttlSecs: 15
      backoff:
        kind: jittered
        minMs: 10
        maxMs: 10000

linkerd can automatically retry requests on certain failures (for example, connection errors) and can be configured via the retries block.

Key Default Value Description
budget See retry budget Object that determins how many failed requests are eligible to be retried.
backoff See retry backoff Object that determines which backoff algorithm should be used.

Retry Budget Parameters

For every 10 non-retry calls, allow 1 retry

client:
  retries:
    budget:
      percentCanRetry: 0.1

For every non-retry call, allow 2 retries

client:
  retries:
    budget:
      percentCanRetry: 2.0
Key Default Value Description
minRetriesPerSec 10 The minimum rate of retries allowed in order to accommodate clients that have just started issuing requests, as well as clients that do not issue many requests per window. Must be non-negative. If 0, no reserve is given.
percentCanRetry 0.2 The percentage of calls that can be retried. This is in addition to any retries allowed via minRetriesPerSec. Must be >= 0 and <= 1000.
ttlSecs 10 The amount of time in seconds that successful calls are considered when calculating retry budgets.

Retry Backoff Parameters

Key Default Value Description
kind required Either constant or jittered.

Constant Backoff

kind: constant

Key Default Value Description
ms 0 The number of milliseconds to wait before each retry.

Jittered Backoff

kind: jittered

Uses a decorrelated jitter backoff algorithm.

Key Default Value Description
minMs required The minimum number of milliseconds to wait before each retry.
maxMs required The maximum number of milliseconds to wait before each retry.

Namers

namers:
- kind: io.l5d.fs
  prefix: /disco
  rootDir: disco

A namer binds a concrete name to a physical address.

Key Default Value Description
kind required Either io.l5d.fs, io.l5d.serversets, io.l5d.consul, io.l5d.k8s, io.l5d.marathon, or io.l5d.zkLeader.
prefix namer dependent Resolves names with /#/<prefix>.
experimental false Set this to true to enable the namer if it is experimental.
transformers No transformers A list of transformers to apply to the resolved addresses.

File-based service discovery

kind: io.l5d.fs

File-based Configuration

Example fs configuration:

namers:
- kind: io.l5d.fs
  rootDir: disco

Then reference the namer in the dtab to use it:

baseDtab: |
  /http/1.1/* => /#/io.l5d.fs

With the filesystem directory:

$ ls disco/
apps    users   web

The contents of the files look similar to this:

$ cat config/web
192.0.2.220 8080
192.0.2.105 8080
192.0.2.210 8080

linkerd ships with a simple file-based service discovery mechanism, called the file-based namer. This system is intended to act as a structured form of basic host lists.

While simple, the file-based namer is a full-fledged service discovery system, and can be useful in production systems where host configurations are largely static. It can act as an upgrade path for the introduction of an external service discovery system, since application code will be isolated from these changes. Finally, when chained with precedence rules, the file-based namer can be a convenient way to add local service discovery overrides for debugging or experimentation.

This service discovery mechanism is tied to the directory set by the namers/rootDir key in config.yaml. This directory must be on the local filesystem and relative to linkerd’s start path. Every file in this directory corresponds to a service, where the name of the file is the service’s concrete name, and the contents of the file must be a newline-delimited set of addresses.

linkerd watches all files in this directory, so files can be added, removed, or updated, and linkerd will pick up the changes automatically.

Key Default Value Description
prefix io.l5d.fs Resolves names with /#/<prefix>.
rootDir required the directory containing name files as described above.

File-based Path Parameters

Dtab Path Format:

/#/<prefix>/<fileName>
Key Required Description
prefix yes Tells linkerd to resolve the request path using the fs namer.
fileName yes The file in rootDir to use when resolving this request.

ZooKeeper ServerSets service discovery

kind: io.l5d.serversets

ServerSets Configuration

Example ServerSets configuration:

namers:
- kind: io.l5d.serversets
  zkAddrs:
  - host: 127.0.0.1
    port: 2181

Then reference the namer in the dtab to use it:

baseDtab: |
  /http/1.1/* => /#/io.l5d.serversets/discovery/prod;

linkerd provides support for ZooKeeper ServerSets.

Key Default Value Description
prefix io.l5d.serversets Resolves names with /#/<prefix>.
zkAddrs required A list of ZooKeeper addresses, each of which have host and port parameters.

ServerSets Path Parameters

Dtab Path Format:

/#/<prefix>/<zkHosts>/<zkPath>[:<endpoint>]
Key Required Description
prefix yes Tells linkerd to resolve the request path using the serversets namer.
zkHosts yes The ZooKeeper host to use for this request.
zkPath yes The ZooKeeper path to use for this request.
endpoint no The ZooKeeper endpoint to use for this request.

Consul service discovery

kind: io.l5d.consul

Consul Configuration

Configure a consul namer:

namers:
- kind: io.l5d.consul
  host: 127.0.0.1
  port: 2181
  includeTag: true
  useHealthCheck: true
  setHost: true
  consistencyMode: stale

Then reference the namer in the dtab to use it:

baseDtab: |
  /http/1.1/* => /#/io.l5d.consul/dc1/prod;

linker provides support for service discovery via Consul.

Key Default Value Description
prefix io.l5d.consul Resolves names with /#/<prefix>.
host localhost The Consul host.
port 8500 The Consul port.
includeTag false If true, read a Consul tag from the path.
useHealthCheck false If true, exclude app instances that are failing Consul health checks. Even if false, linkerd’s built-in resiliency algorithms will still apply.
token no authentication The auth token to use when making API calls.
setHost false If true, HTTP requests resolved by Consul will have their Host header overwritten to ${serviceName}.service.${datacenter}.${domain}. $domain is fetched from Consul.
consistencyMode default Select between Consul API consistency modes such as default, stale and consistent.
failFast false If false, disable fail fast and failure accrual for Consul client. Keep it false when using a local agent but change it to true when talking directly to an HA Consul API.

Consul Path Parameters

Dtab Path Format when includeTag is false

/#/<prefix>/<datacenter>/<serviceName>

Dtab Path Format when includeTag is true

/#/<prefix>/<datacenter>/<tag>/<serviceName>
Key Required Description
prefix yes Tells linkerd to resolve the request path using the consul namer.
datacenter yes The Consul datacenter to use for this request. It can have a value .local (otherwise invalid datacenter name from Consul’s perspective) in order to reference a datacenter of the agent namer is connected to.
tag yes if includeTag is true The Consul tag to use for this request.
serviceName yes The Consul service name to use for this request.

Kubernetes service discovery

kind : io.l5d.k8s

K8s Configuration

Configure a K8s namer

namers:
- kind: io.l5d.k8s
  host: localhost
  port: 8001
  labelSelector: version

Then reference the namer in the dtab to use it:

baseDtab: |
  /http/1.1/* => /#/io.l5d.k8s/prod/http;

linkerd provides support for service discovery via Kubernetes.

Key Default Value Description
prefix io.l5d.k8s Resolves names with /#/<prefix>.
host localhost The Kubernetes master host.
port 8001 The Kubernetes master port.
labelSelector none The key of the label to filter services.

K8s Path Parameters

Dtab Path Format

/#/<prefix>/<namespace>/<port-name>/<svc-name>[/<label-value>]
Key Required Description
prefix yes Tells linkerd to resolve the request path using the k8s namer.
namespace yes The Kubernetes namespace.
port-name yes The port name.
svc-name yes The name of the service.
label-value yes if labelSelector is defined The value used to filter services.

K8s External Configuration

Configure a K8s External namer

namers:
- kind: io.l5d.k8s.external
  experimental: true
  host: localhost
  port: 8001
  labelSelector: version

Then reference the namer in the dtab to use it:

baseDtab: |
  /http/1.1/* => /#/io.l5d.k8s.external/prod/http;

The Kubernetes External namer looks up the IP of the external load balancer for the given service on the given port. This can be used by linkerd instances running outside of k8s to route to services running in k8s.

Key Default Value Description
prefix io.l5d.k8s.external Resolves names with /#/<prefix>.
experimental required Because this namer is still considered experimental, you must set this to true to use it.
host localhost The Kubernetes master host.
port 8001 The Kubernetes master port.
labelSelector none The key of the label to filter services.

K8s External Path Parameters

Dtab Path Format

/#/<prefix>/<namespace>/<port-name>/<svc-name>[/<label-value>]
Key Required Description
prefix yes Tells linkerd to resolve the request path using the k8s external namer.
namespace yes The Kubernetes namespace.
port-name yes The port name.
svc-name yes The name of the service.
label-value yes if labelSelector is defined The label value used to filter services.

Marathon service discovery (experimental)

kind: io.l5d.marathon

Marathon Configuration

Configure a marathon namer

namers:
- kind:           io.l5d.marathon
  experimental:   true
  prefix:         /io.l5d.marathon
  host:           marathon.mesos
  port:           80
  uriPrefix:      /marathon
  ttlMs:          5000
  useHealthCheck: false

Then reference the namer in the dtab to use it:

baseDtab: |
  /marathonId => /#/io.l5d.marathon;
  /host       => /$/io.buoyant.http.domainToPathPfx/marathonId;
  /http/1.1/* => /host;

linkerd provides support for service discovery via Marathon.

Key Default Value Description
prefix io.l5d.marathon Resolves names with /#/<prefix>.
experimental required Because this namer is still considered experimental, you must set this to true to use it.
host marathon.mesos The Marathon master host.
port 80 The Marathon master port.
uriPrefix none The Marathon API prefix. This prefix depends on your Marathon configuration. For example, running Marathon locally, the API is avaiable at localhost:8080/v2/, while the default setup on AWS/DCOS is $(dcos config show core.dcos_url)/marathon/v2/apps.
ttlMs 5000 The polling interval in milliseconds against the Marathon API.
useHealthCheck false If true, exclude app instances that are failing Marathon health checks. Even if false, linkerd’s built-in resiliency algorithms will still apply.

Marathon Path Parameters

Dtab Path Format

/#/<prefix>/<appId>
Key Required Description
prefix yes Tells linkerd to resolve the request path using the marathon namer.
appId yes The app id of a marathon application. This id can be multiple path segments long. For example, the app with id “/users” can be reached with /#/io.l5d.marathon/users. Likewise, the app with id “/appgroup/usergroup/users” can be reached with /#/io.l5d.marathon/appgroup/usergroup/users.

Marathon Authentication

Example environment variable

{
  "login_endpoint": "https://leader.mesos/acs/api/v1/auth/login",
  "private_key": "<private-key-value>",
  "scheme": "RS256",
  "uid": "service-acct"
}

The Marathon namer supports loading authentication data from a DCOS_SERVICE_ACCOUNT_CREDENTIAL environment variable at boot time.

Further reading:

ZooKeeper Leader

kind: io.l5d.zkLeader

ZK Leader Configuration

A namer backed by ZooKeeper leader election.

Key Default Value Description
prefix io.l5d.zkLeader Resolves names with /#/<prefix>.
zkAddrs required A list of ZooKeeper addresses, each of which have host and port parameters.

ZK Leader Path Parameters

Dtab Path Format

/#/<prefix>/<zkPath>
Key Required Description
prefix yes Tells linkerd to resolve the request path using the marathon namer.
zkPath yes The ZooKeeper path of a leader group. This path can be multiple path segments long. The namer resolves to the address stored in the data of the leader.

Curator

kind: io.l5d.curator

Curator Configuration

A namer that uses the Curator discovery library to resolve names.

Note: If you have registered Curator services with a custom payload object, that class file must be on the classpath. Otherwise you will get a java.lang.IllegalArgumentException: Invalid type id '<some-payload-class' error.

Key Default Value Description
prefix io.l5d.curator Resolves names with /#/<prefix>.
experimental required Because this namer is still considered experimental, you must set this to true to use it.
zkAddrs required A list of ZooKeeper addresses, each of which have host and port parameters.
basePath / The ZooKeeper path for Curator discovery.

Curator Path Parameters

Dtab Path Format

/#/<prefix>/<serviceName>
Key Required Description
prefix yes Tells linkerd to resolve the request path using the curator namer.
serviceName yes The name of the Curator service to lookup in ZooKeeper.

Rewriting Namers

In addition to service discovery namers, linkerd supplies a number of utility namers. These namers assist in path rewriting when the transformation is more complicated than just prefix substitution. They are prefixed with /$/ instead of /#/, and can be used without explicitly adding them to the namers section of the config.

domainToPathPfx

/marathonId => /#/io.l5d.marathon;
/host       => /$/io.buoyant.http.domainToPathPfx/marathonId;
/http/1.1/* => /host;

Dtab Path Format

/$/io.buoyant.http.domainToPathPfx/<prefix>/<host>

Rewrites the path’s prefix with <prefix> first, followed by each subdomain of <host> separated and in reverse order.

For example, /$/io.buoyant.http.domainToPathPfx/pfx/foo.buoyant.io/resource/name would be rewritten to /pfx/io/buoyant/foo/resource/name.

subdomainOfPfx

/consulSvc  => /#/io.l5d.consul/.local
/host       => /$/io.buoyant.http.subdomainOfPfx/service.consul/consulSvc;
/http/1.1/* => /host;

Dtab Path Format

/$/io.buoyant.http.subdomainOfPfx/<domain>/<prefix>/<host>

Rewrites the path’s prefix with <prefix> first, followed by <host> with the <domain> dropped.

For example, /$/io.buoyant.http.subdomainOfPfx/buoyant.io/pfx/foo.buoyant.io/resource/name would be rewritten to /pfx/foo/resource/name

Tracers

Requests that are routed by linkerd are also traceable using Finagle’s built-in tracing instrumentation.

Key Default Value Description
kind required Only io.l5d.zipkin is available at this time.

Zipkin

Example zipkin config

tracers:
- kind: io.l5d.zipkin
  host: localhost
  port: 9410
  sampleRate: 0.02

kind: io.l5d.zipkin

Finagle’s zipkin-tracer.

Key Default Value Description
host localhost Host to send trace data to.
port 9410 Port to send trace data to.
sampleRate 0.001 What percentage of requests to trace.

Announcers

An announcer registers servers in service discovery. Each server may specify a list of concrete names to announce as in the announce server key. Each announcer has a prefix and will only announce names that begin with that prefix.

Key Default Value Description
kind required Only io.l5d.serversets is available at this time.
prefix kind-specific Announces names beginning with /#/<prefix>.

Serversets

kind: io.l5d.serversets

Announce to ZooKeeper using the serverset format.

Key Default Value Description
prefix io.l5d.serversets Announces names beginning with /#/<prefix>.
zkAddrs required A list of ZooKeeper addresses, each of which have host and port parameters.
pathPrefix /discovery The ZooKeeper path under which services should be registered.