Sidecar explained

Time: 2022-12-16 18:58:13



Learning objectives

Sidecar explained

What is a Sidecar

Sidecar describes the configuration of the sidecar proxy that mediates inbound and outbound communication for the workload it is attached to. By default, Istio programs every sidecar proxy in the mesh with the configuration it needs to reach every workload in the mesh, and to accept traffic on all the ports associated with its workload. The Sidecar resource provides a way to fine-tune the set of ports and protocols that the proxy accepts when forwarding traffic to and from the workload. In addition, it can restrict the set of services that the proxy is able to reach when forwarding outbound traffic from the workload.

Services and configuration in a mesh are organized into one or more namespaces (for example, a Kubernetes namespace or a CF org/space). A Sidecar resource in a namespace applies to one or more workloads in the same namespace, selected by its workloadSelector. Without a workloadSelector, it applies to all workloads in the same namespace. When determining which Sidecar resource applies to a workload, a resource whose workloadSelector selects this workload takes precedence over a resource without any workloadSelector.

Note: each namespace can have only one Sidecar resource without any workload selector. If more than one selector-less Sidecar resource exists in a given namespace, the behaviour of the system is undefined. If two or more Sidecar resources with workload selectors select the same workload, the behaviour of the system is likewise undefined.

Resource reference

Field (Type, Required): Description

workloadSelector (WorkloadSelector, required: No)
Criteria used to select the specific set of pods/VMs on which this Sidecar configuration should be applied. If omitted, the Sidecar configuration will be applied to all workload instances in the same namespace.

ingress (IstioIngressListener[], required: No)
Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will automatically configure the sidecar based on the information about the workload obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.

egress (IstioEgressListener[], required: Yes)
Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh.

outboundTrafficPolicy (OutboundTrafficPolicy, required: No)
This allows configuring the outbound traffic policy. If your application uses one or more external services that are not known a priori, setting the policy to ALLOW_ANY will cause the sidecars to route any unknown traffic originating from the application to its requested destination.

Globally effective

sc-default-global.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
  namespace: istio-system
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

workloadSelector

Without a selector

sc-default-istio-ingress.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: default
spec:
  ingress:
  - port:
      number: 9080
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

With a selector

sc-productpage-selector.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - port:
      number: 9081
      protocol: HTTP
      name: http
    defaultEndpoint: 127.0.0.1:9080

The listener port and the target port differ, which can be used for port translation.

In this case the Service needs an additional port:

kubectl edit svc productpage -n istio

- name: http9081
  port: 9081
  protocol: TCP
  targetPort: 9081

Modify the VirtualService port

sidecar/vs-bookinfo-hosts-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: bookinfo
spec:
  hosts:
  - "*"
  gateways:
  - bookinfo-gateway
  http:
  - match:
    - uri:
        exact: /productpage
    - uri:
        prefix: /static
    - uri:
        exact: /login
    - uri:
        exact: /logout
    - uri:
        prefix: /api/v1/products
    route:
    - destination:
        host: productpage.istio.svc.cluster.local
        port:
          number: 9081

egress

Field (Type, Required): Description

port (Port, required: No)
The port associated with the listener. If using a Unix domain socket, use 0 as the port number, with a valid protocol. The port, if specified, will be used as the default destination port associated with the imported hosts. If the port is omitted, Istio will infer the listener ports based on the imported hosts. Note that when multiple egress listeners are specified, where one or more listeners have specific ports while others have no port, the hosts exposed on a listener port will be based on the listener with the most specific port.

bind (string, required: No)
The IP or the Unix domain socket to which the listener should be bound. Port MUST be specified if bind is not empty. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If omitted, Istio will automatically configure the defaults based on the imported services, the workload instances to which this configuration is applied, and the captureMode. If captureMode is NONE, bind will default to 127.0.0.1.

captureMode (CaptureMode, required: No)
When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). captureMode must be DEFAULT or NONE for Unix domain socket binds.

hosts (string[], required: Yes)
One or more service hosts exposed by the listener in namespace/dnsName format. Services in the specified namespace matching dnsName will be exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or Cloud Foundry service) or a service specified using a ServiceEntry or VirtualService configuration. Any associated DestinationRule in the same namespace will also be used.

The dnsName should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., prod/*.example.com). Set the dnsName to * to select all services from the specified namespace (e.g., prod/*).

The namespace can be set to *, ., or ~, representing any, the current, or no namespace, respectively. For example, */foo.example.com selects the service from any available namespace while ./foo.example.com only selects the service from the namespace of the sidecar. If a host is set to */*, Istio will configure the sidecar to be able to reach every service in the mesh that is exported to the sidecar's namespace. The value ~/* can be used to completely trim the configuration for sidecars that simply receive traffic and respond, but make no outbound connections of their own.

NOTE: Only services and configuration artifacts exported to the sidecar's namespace (e.g., exportTo value of *) can be referenced. Private configurations (e.g., exportTo set to .) will not be available. Refer to the exportTo setting in VirtualService, DestinationRule, and ServiceEntry configurations for details.

WARNING: The list of egress hosts in a Sidecar must also include the Mixer control plane services if they are enabled. Envoy will not be able to reach them otherwise. For example, add host istio-system/istio-telemetry.istio-system.svc.cluster.local if telemetry is enabled, istio-system/istio-policy.istio-system.svc.cluster.local if policy is enabled, or add istio-system/* to allow all services in the istio-system namespace. This requirement is temporary and will be removed in a future Istio release.

port

sc-productpage-egress-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp

bind

0.0.0.0

sc-productpage-egress-bind.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0

Target Service IP

sc-productpage-egress-bind-svc-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 10.68.190.94

captureMode

Name: Description

DEFAULT: The default capture mode defined by the environment.

IPTABLES: Capture traffic using iptables redirection.

NONE: No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.

DEFAULT

sc-productpage-egress-captureMode-DEFAULT.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: DEFAULT

IPTABLES

sc-productpage-egress-captureMode-IPTABLES.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: IPTABLES

NONE

sc-productpage-egress-captureMode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 0.0.0.0
    captureMode: NONE

sc-productpage-ingress-captureMode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE

Neither inbound nor outbound traffic is captured, which is equivalent to removing the sidecar: Istio resources will have no effect on this pod.

Note the mesh configuration, which controls whether destinations outside the cluster may be reached:

outboundTrafficPolicy:
  mode: REGISTRY_ONLY | ALLOW_ANY

hosts

dot

sc-productpage-egress-hosts-dot.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "./*"

semi-star

sc-productpage-egress-hosts-semi-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/*"

double-star

sc-productpage-egress-hosts-double-star.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "*/*"

specific

sc-productpage-egress-hosts-specific.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  egress:
  - hosts:
    - "istio/details.istio.svc.cluster.local"

ingress

Field (Type, Required): Description

port (Port, required: Yes)
The port associated with the listener.

bind (string, required: No)
The IP to which the listener should be bound. Must be in the format x.x.x.x. Unix domain socket addresses are not allowed in the bind field for ingress listeners. If omitted, Istio will automatically configure the defaults based on imported services and the workload instances to which this configuration is applied.

captureMode (CaptureMode, required: No)
The captureMode option dictates how traffic to the listener is expected to be captured (or not).

defaultEndpoint (string, required: Yes)
The loopback IP endpoint or Unix domain socket to which traffic should be forwarded. This configuration can be used to redirect traffic arriving at the bind IP:Port on the sidecar to a localhost:port or Unix domain socket where the application workload instance is listening for connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket.

port

sc-productpage-ingress-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

bind

sc-productpage-ingress-bind.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

sc-productpage-ingress-bind-pod-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 172.20.1.174
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

Here bind is set to the pod IP.

captureMode

Name: Description

DEFAULT: The default capture mode defined by the environment.

IPTABLES: Capture traffic using iptables redirection.

NONE: No traffic capture. When used in an egress listener, the application is expected to explicitly communicate with the listener port or Unix domain socket. When used in an ingress listener, care needs to be taken to ensure that the listener port is not in use by other processes on the host.

DEFAULT

sc-productpage-ingress-capture-mode-DEFAULT.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: DEFAULT
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

IPTABLES

sc-productpage-ingress-capture-mode-IPTABLES.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: IPTABLES
    bind: 0.0.0.0
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

NONE

sc-productpage-ingress-capture-mode-NONE.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

defaultEndpoint

Unix socket

1. Deploy the MySQL Gateway

kubectl apply -f gateway/gateway-mysql.yaml -n istio

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: mysql
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 3306
      name: mysql
      protocol: MYSQL
    hosts:
    - "*"

2. Deploy the MySQL VirtualService

kubectl apply -f gateway/protocol/vs-mysql.yaml

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: mysql
spec:
  hosts:
  - "*"
  gateways:
  - mysql
  tcp:
  - match:
    - port: 3306
    route:
    - destination:
        host: mysqldb.istio.svc.cluster.local
        port:
          number: 3306

3. Add the Service port

kubectl edit svc istio-ingressgateway -n istio-system

Add port 3306.

4. Deploy the Sidecar

sc-mysql-defaultEndpoint-unix.yaml

When the bind address is an IP, the captureMode option dictates how traffic to the listener is expected to be captured (or not). For Unix domain sockets, captureMode must be DEFAULT or NONE.

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: mysql
spec:
  workloadSelector:
    labels:
      app: mysqldb
  ingress:
  - bind: 0.0.0.0
    port:
      number: 3306
      protocol: MYSQL
      name: mysql
    defaultEndpoint: unix:///var/run/mysqld/mysqld.sock
    captureMode: NONE

IP:port

sc-productpage-ingerss-defaultEndpoint-ip.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http

outboundTrafficPolicy

egressProxy

egressProxy (Destination)
Specifies the details of the egress proxy to which unknown traffic should be forwarded from the sidecar. Valid only if the mode is set to ALLOW_ANY. If not specified when the mode is ALLOW_ANY, the sidecar will send the unknown traffic directly to the IP requested by the application. NOTE 1: The specified egress host must be imported in the egress section for the traffic forwarding to work. NOTE 2: An Envoy-based egress gateway is unlikely to be able to handle plain text TCP connections forwarded from the sidecar. Envoy's dynamic forward proxy can handle only HTTP and TLS connections.

Field (Type): Description

host (string)
The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by ServiceEntry. Traffic forwarded to destinations that are not found in either of the two will be dropped. Note for Kubernetes users: when short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the "default" namespace containing a host "reviews" will be interpreted as "reviews.default.svc.cluster.local", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names.

subset (string)
The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.

port (PortSelector)
Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.

host

sc-productpage-outboundTrafficPolicy-egressProxy-host.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY

port

sc-productpage-outboundTrafficPolicy-egressProxy-port.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
    mode: ALLOW_ANY

subset

sc-productpage-outboundTrafficPolicy-egressProxy-subset.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1
    mode: ALLOW_ANY

mode

Name: Description

REGISTRY_ONLY: Outbound traffic will be restricted to services defined in the service registry as well as those defined through ServiceEntry configurations.

ALLOW_ANY: Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntry configurations for the destination port.

REGISTRY_ONLY

sc-productpage-outboundTrafficPolicy-mode-REGISTRY_ONLY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

ALLOW_ANY

sc-productpage-outboundTrafficPolicy-mode-ALLOW_ANY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  outboundTrafficPolicy:
    mode: ALLOW_ANY

Combined usage

sc-productpage-complex.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

Outbound destinations cannot be reached.

sc-productpage-complex-02.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY

Outbound destinations can be reached.

sc-productpage-complex-03.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: productpage
spec:
  workloadSelector:
    labels:
      app: productpage
  ingress:
  - captureMode: NONE
    defaultEndpoint: 127.0.0.1:9080
    port:
      number: 9080
      protocol: HTTP
      name: http
  egress:
  - hosts:
    - "./*"
    port:
      number: 9080
      protocol: HTTP
      name: egresshttp
    bind: 127.0.0.1
    captureMode: NONE
  outboundTrafficPolicy:
    mode: ALLOW_ANY
    egressProxy:
      host: "details.istio.svc.cluster.local"
      port:
        number: 9080
      subset: v1

Only the details outbound destination is reachable.

Setting egressProxy together with any other mode is rejected at validation time:

egress_proxy must be set only with ALLOW_ANY outbound_traffic_policy mode

Using a ServiceEntry

1. Enter the pod and access www.baidu.com

kubectl exec -it sleep-557747455f-ft9bs -n istio -- /bin/sh

curl www.baidu.com

Accessible.

2. Deploy the Sidecar

sc-sleep-REGISTRY_ONLY.yaml

apiVersion: networking.istio.io/v1beta1
kind: Sidecar
metadata:
  name: sleep
spec:
  workloadSelector:
    labels:
      app: sleep
  outboundTrafficPolicy:
    mode: REGISTRY_ONLY

3. Access www.baidu.com again

Not accessible.

4. Deploy the ServiceEntry

serviceentries/se-baidu.yaml

apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: baidu
spec:
  hosts:
  - "www.baidu.com"
  ports:
  - number: 80
    name: http
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS

5. Access www.baidu.com again

Accessible.
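The Sidecar selection rules from "What is a Sidecar", the namespace/dnsName syntax of egress hosts, the outboundTrafficPolicy modes and the ServiceEntry walkthrough above, modelled together in one added Python example (not Istio's code and not from this post). The registry, the label sets and the Sidecar dicts are constructed, and a mesh-wide default of ALLOW_ANY is assumed.

```python
from fnmatch import fnmatchcase

# Constructed registry (not real cluster data): FQDN -> (namespace, exportTo).
BASE_REGISTRY = {
    "details.istio.svc.cluster.local": ("istio", ["*"]),
    "reviews.istio.svc.cluster.local": ("istio", ["."]),  # private to istio
    "istio-telemetry.istio-system.svc.cluster.local": ("istio-system", ["*"]),
}

# Constructed Sidecar resources shaped like the post's examples (hypothetical).
SIDECARS = [
    {"name": "default", "namespace": "istio", "egress": ["./*"],
     "mode": "REGISTRY_ONLY"},
    {"name": "productpage", "namespace": "istio", "selector": {"app": "productpage"},
     "egress": ["istio/details.istio.svc.cluster.local"], "mode": "REGISTRY_ONLY"},
    {"name": "sleep", "namespace": "istio", "selector": {"app": "sleep"},
     "mode": "REGISTRY_ONLY"},
]


def select_sidecar(sidecars, workload_ns, labels):
    """A Sidecar whose workloadSelector matches wins over a selector-less one in
    the same namespace; two competing resources are undefined, so refuse them."""
    same_ns = [s for s in sidecars if s["namespace"] == workload_ns]
    chosen = [s for s in same_ns
              if s.get("selector") and s["selector"].items() <= labels.items()]
    if len(chosen) > 1:
        raise ValueError("more than one Sidecar selects this workload")
    if chosen:
        return chosen[0]
    default = [s for s in same_ns if not s.get("selector")]
    if len(default) > 1:
        raise ValueError("more than one selector-less Sidecar in namespace")
    return default[0] if default else None


def host_matches(pattern, sidecar_ns, fqdn, svc_ns, export_to):
    """Evaluate one egress.hosts entry in namespace/dnsName form, including the
    exportTo check: '*' is mesh-wide, '.' is the service's own namespace."""
    ns_part, dns_part = pattern.split("/", 1)
    if ns_part == "~":                 # "no namespace": imports nothing at all
        return False
    if ns_part == ".":
        ns_part = sidecar_ns
    if ns_part != "*" and ns_part != svc_ns:
        return False
    if not fnmatchcase(fqdn, dns_part):  # FQDN, wildcard allowed on the left
        return False
    return ("*" in export_to or sidecar_ns in export_to
            or ("." in export_to and svc_ns == sidecar_ns))


def can_reach(sidecar, workload_ns, registry, dest):
    """Outbound decision for one destination. An imported destination is routable;
    anything else is "unknown" and follows outboundTrafficPolicy.mode
    (REGISTRY_ONLY blocks, ALLOW_ANY passes through). No Sidecar or no egress
    stanza imports every visible service ("*/*"); the mesh default is ALLOW_ANY."""
    sc = sidecar or {}
    egress = sc.get("egress") or ["*/*"]
    if dest in registry:
        svc_ns, export_to = registry[dest]
        if any(host_matches(p, workload_ns, dest, svc_ns, export_to) for p in egress):
            return True
    return sc.get("mode", "ALLOW_ANY") == "ALLOW_ANY"
```

Adding the www.baidu.com ServiceEntry to the registry is what flips the sleep workload's REGISTRY_ONLY decision from blocked to allowed, exactly as steps 3 to 5 above show.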