# Ansible Consul Role

`consul` is an Ansible role which:

- installs consul
- configures consul
- optionally installs and configures consul ui
- optionally installs dnsmasq
- optionally installs consulate
- optionally installs consul-cli
- configures consul service(s)

## Installation

Using ansible-galaxy:

    $ ansible-galaxy install savagegus.ansible-consul

Using arm:

    $ arm install savagegus.consul

Using git:

    $ git clone

## Variables

Here is a list of all the default variables for this role, which are also available in `defaults/main.yml`.

```yaml
# if you want Consul to send metrics to a statsd instance
consul_statsd_address: '127.0.0.1:8125'
# if you want Consul to send metrics to a statsite instance
consul_statsite_address: '127.0.0.1:8125'
# this sets the prefix consul uses for all metrics
consul_statsite_prefix: 'consul'
# if you don't want to prepend runtime telemetry with the machine's hostname (consul 0.6.4 or later)
consul_telemetry_disable_hostname: true
```

### DNS Variables

Consul provides the ability to use it as a DNS server for service and node lookups. To enable it with the role's default values, set the `consul_dns_config` variable to `true`.

```yaml
consul_cors_support: true
```

### Shutdown behavior

Consul may be configured to perform (or not) a cluster leave when it receives TERM/INT signals. When the service is stopped:

- systemd sends INT
- init (init.d script) sends TERM
- upstart sends TERM

There are two variables that define whether the node will attempt a cluster leave when it receives those signals:

- `consul_leave_on_terminate` defines whether leave is performed when TERM is received. Default: `false`.
- `consul_skip_leave_on_interrupt` defines whether leave is skipped when INT is received. Default: undefined. If this variable is not defined, the default Consul behavior (which depends on the version and on the server/agent role) is used.

## Handlers

These are the handlers that are defined in `handlers/main.yml`:

- restart consul
- restart dnsmasq
- reload consul config
- reload systemd

## Example

Example playbook that configures a Consul server on Ubuntu. The service definition below registers a local Redis instance with a TCP health check:

```yaml
consul_services:
  - service:
      name: 'redis localhost'
      tags:
        - 'redis'
      address: '127.0.0.1'
      port: 6379
      checks:
        - name: 'Redis health check'
          tcp: 'localhost:6379'
          interval: '10s'
          timeout: '1s'
```

## Testing

    $ git clone
    $ cd ansible-consul
    $ ansible-galaxy install --role-file=requirements.yml --roles-path=roles --force
    $ vagrant up

or use the TestKitchen tests:

    $ bundle
    $ rm -rf roles
    $ bundle exec kitchen test

## Contributing

In lieu of a formal styleguide, take care to maintain the existing coding style. Add unit tests and examples for any new or changed functionality.

1. Fork it.
2. Create your feature branch (`git checkout -b my-new-feature`).
3. Commit your changes (`git commit -am 'Add some feature'`).
4. Push to the branch (`git push origin my-new-feature`).
5. Create a new Pull Request.

## License

Copyright (c) Matthew Finlayson under the Apache license.
## Configuration

The agent has various configuration options that can be specified via the command line or via configuration files. All of the configuration options are completely optional. Defaults are specified with their descriptions. Configuration precedence is evaluated in the following order:

1. Command line arguments
2. Environment variables
3. Configuration files

When loading configuration, Consul loads the configuration from files and directories in lexical order. For example, the configuration file `basic_config.json` will be processed before `extra_config.json`. Configuration can be in either HCL or JSON format. Available in Consul 1.0 and later, the HCL support now requires an `.hcl` or `.json` extension on all configuration files in order to specify their format.

Configuration specified later will be merged into configuration specified earlier. In most cases, "merge" means that the later version will override the earlier. In some cases, such as event handlers, merging appends the handlers to the existing configuration. The exact merging behavior is specified for each option below.

Consul also supports reloading configuration when it receives the SIGHUP signal. Not all changes are respected, but those that are are documented below. The reload command can also be used to trigger a configuration reload.

### Command-line Options

The options below are all specified on the command line.

The advertise address is used to change the address that we advertise to other nodes in the cluster. By default, the bind address is advertised. However, in some cases, there may be a routable address that cannot be bound. This flag enables gossiping a different address to support this. If this address is not routable, the node will be in a constant flapping state, as other nodes will treat the non-routability as a failure.

The advertise WAN address is used to change the address that we advertise to server nodes joining through the WAN. This can also be set on client agents when used in combination with the WAN address translation configuration option. By default, the bind address is advertised. However, in some cases all members of all datacenters cannot be on the same physical or virtual network, especially on hybrid setups mixing cloud and private datacenters. This flag enables server nodes gossiping through the public network for the WAN while using private VLANs for gossiping to each other and their client agents, and it allows client agents to be reached at this address when being accessed from a remote datacenter, if the remote datacenter has WAN address translation configured.

The bootstrap flag is used to control whether a server is in "bootstrap" mode. It is important that no more than one server per datacenter be running in this mode. Technically, a server in bootstrap mode is allowed to self-elect as the Raft leader. It is important that only a single node is in this mode; otherwise, consistency cannot be guaranteed, as multiple nodes are able to self-elect. It is not recommended to use this flag after a cluster has been bootstrapped.

The bootstrap-expect flag provides the number of expected servers in the datacenter. Either this value should not be provided or the value must agree with the other servers in the cluster. When provided, Consul waits until the specified number of servers are available and then bootstraps the cluster. This allows an initial leader to be elected automatically. This cannot be used in conjunction with the legacy bootstrap flag. This flag requires server mode.

`-bind` is the address that should be bound to for internal cluster communications. This is an IP address that should be reachable by all other nodes in the cluster. By default, this is `0.0.0.0`, meaning Consul will bind to all addresses on the local machine and will advertise the first available private IPv4 address to the rest of the cluster. If there are multiple private IPv4 addresses available, Consul will exit with an error at startup. If you specify `::`, Consul will advertise the first available public IPv6 address. If there are multiple public IPv6 addresses available, Consul will exit with an error at startup. Consul uses both TCP and UDP, and the same port for both. If you have any firewalls, be sure to allow both protocols.

The Serf WAN bind address is the address that should be bound to for Serf WAN gossip communications. By default, the value follows the same rules as the `-bind` flag, and if this is not specified, the `-bind` option is used. This is available in Consul 0.7.1 and later.

The Serf LAN bind address is the address that should be bound to for Serf LAN gossip communications. This is an IP address that should be reachable by all other LAN nodes in the cluster. By default, the value follows the same rules as the `-bind` flag, and if this is not specified, the `-bind` option is used. This is available in Consul 0.7.1 and later.

The client address is the address to which Consul will bind client interfaces, including the HTTP and DNS servers. By default, this is `127.0.0.1`, allowing only loopback connections. In Consul 1.0 and later this can be set to a space-separated list of addresses to bind to, or a template that can potentially resolve to multiple addresses. Binding the client interfaces to a non-loopback address exposes the unauthenticated HTTP API to the network unless ACLs are enabled.

The config-file option names a configuration file to load. For more information on the format of this file, read the configuration file section. This option can be specified multiple times to load multiple configuration files. If it is specified multiple times, configuration files loaded later will merge with configuration files loaded earlier. During a config merge, single-value keys (string, int, bool) will simply have their values replaced, while list types will be appended together.

The config-dir option names a directory of configuration files to load. Consul will load all files in this directory with the suffix `.json` (and, in Consul 1.0 and later, `.hcl`). The load order is alphabetical, and the same merge routine is used as with the option above. This option can be specified multiple times to load multiple directories. Sub-directories of the config directory are not loaded. For more information on the format of the configuration files, see the configuration file section.

The config-format option sets the format of the configuration files to load. Normally, Consul detects the format of the config files from the `.json` or `.hcl` extension. Setting this option to either `json` or `hcl` forces Consul to interpret any file, with or without an extension, in that format.

The data directory flag provides a data directory for the agent to store state. This is required for all agents. The directory should be durable across reboots. This is especially critical for agents that are running in server mode, as they must be able to persist cluster state. Additionally, the directory must support the use of filesystem locking, meaning some types of mounted folders (e.g. VirtualBox shared folders) may not be suitable.

The datacenter flag controls the datacenter in which the agent is running. If not provided, it defaults to `dc1`. Consul has first-class support for multiple datacenters, but it relies on proper configuration. Nodes in the same datacenter should be on a single LAN.

The dev flag enables development server mode. This is useful for quickly starting a Consul agent with all persistence options turned off, enabling an in-memory server which can be used for rapid prototyping or developing against the API. This mode is not intended for production use, as it does not write any data to disk.

The disable-host-node-id flag, when set to true, prevents Consul from using information from the host to generate a deterministic node ID, and instead generates a random node ID which is persisted in the data directory. This is useful when running multiple Consul agents on the same host for testing. This defaults to false in Consul prior to version 0.8.5, and in 0.8.5 and later defaults to true, so you must opt in to host-based IDs. Host-based IDs are generated using a library that is shared with HashiCorp's Nomad, so if you opt in to host-based IDs then Consul and Nomad will use information on the host to automatically assign the same ID in both systems.

The disable-keyring-file flag, if set, means the keyring will not be persisted to a file. Any installed keys will be lost on shutdown, and only the given `-encrypt` key will be available on startup. This defaults to false.

The DNS port flag sets the DNS port to listen on. This overrides the default port 8600. This is available in Consul 0.7 and later.

By default, Consul responds to DNS queries in the `consul.` domain. The domain flag can be used to change that domain. All queries in this domain are assumed to be handled by Consul and will not be recursively resolved.

The enable-script-checks flag controls whether script checks are enabled on this agent, and defaults to false, so operators must opt in to allowing these. If enabled, it is recommended to enable ACLs as well to control which users are allowed to register new checks that execute scripts: without ACLs, anyone who can reach the agent's HTTP API can register a check whose command runs with the agent's privileges. This was added in Consul 0.9.0.

`-encrypt` specifies the secret key to use for encryption of Consul network traffic. This key must be 16 bytes, Base64-encoded. The easiest way to create an encryption key is with the keygen command. All nodes within a cluster must share the same encryption key to communicate. The provided key is automatically persisted to the data directory and loaded automatically whenever the agent is restarted. This means that to encrypt Consul's gossip protocol, this option only needs to be provided once on each agent's initial startup sequence. If it is provided after Consul has been initialized with an encryption key, then the provided key is ignored and a warning will be displayed.

The HCL flag takes an HCL configuration fragment. This fragment is appended to the configuration and allows the full range of options of a config file to be specified on the command line. This option can be specified multiple times. This was added in Consul 1.0.

The HTTP port flag sets the HTTP API port to listen on. This overrides the default port 8500. This option is very useful when deploying Consul to an environment which communicates the HTTP port through the environment, e.g. a PaaS like Cloud Foundry, allowing you to set the port directly via a Procfile.

The join flag gives the address of another agent to join upon starting up. This can be specified multiple times to specify multiple agents to join. If Consul is unable to join with any of the specified addresses, agent startup will fail. By default, the agent won't join any nodes when it starts up. Note that using a retrying join could be more appropriate to help mitigate node startup race conditions when automating a Consul cluster deployment.
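The lexical-order loading and merge rules described above (later files override single-value keys, lists are appended, sub-directories and unrecognised suffixes are skipped) decide what an agent actually runs with, and a single late-sorting file can silently turn on script checks or rebind the client interfaces. The following is an added example, not Consul's own loader: a Python model of that merge over a constructed config directory, followed by an audit of the merged result. It only parses JSON (HCL is out of scope), the file names and contents are made up for the example, the key-by-key merging of nested objects is this example's assumption rather than a rule the text states, and `acl_datacenter` is used as a stand-in for "ACLs are enabled" (it is the legacy config key for that, but the audit rule itself is this example's).

```python
import json
import os
import shutil
import tempfile

# Suffixes the config directory loader accepts (".hcl" from Consul 1.0 on);
# HCL parsing is not implemented here, so the constructed sample files are JSON.
LOADED_SUFFIXES = (".json", ".hcl")


def merge(base, overlay):
    """Merge overlay into base and return a new dict: single-value keys are
    replaced by the later file, lists are appended. Merging nested objects
    key by key is an assumption of this example, not a rule stated above."""
    out = dict(base)
    for key, value in overlay.items():
        if isinstance(value, list) and isinstance(out.get(key), list):
            out[key] = out[key] + value
        elif isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)
        else:
            out[key] = value
    return out


def load_config_dir(path):
    """Load a config directory the way the text describes: lexical order,
    top-level files only, recognised suffixes only.
    Returns (merged_config, names_of_files_loaded)."""
    merged, loaded = {}, []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isdir(full) or not name.endswith(LOADED_SUFFIXES):
            continue  # sub-directories and other suffixes are ignored
        with open(full) as fh:
            merged = merge(merged, json.load(fh))
        loaded.append(name)
    return merged, loaded


def audit(config):
    """Findings a reviewer would raise on the *merged* result; a single late
    file can flip these without anything in the earlier files changing."""
    findings = []
    has_acls = bool(config.get("acl_datacenter"))  # legacy ACL enable key
    if config.get("enable_script_checks") and not has_acls:
        findings.append("script checks enabled without ACLs")
    if config.get("client_addr", "127.0.0.1") == "0.0.0.0" and not has_acls:
        findings.append("HTTP/DNS client interfaces bound to all addresses without ACLs")
    return findings


def demo():
    """Build a constructed config directory, load it, audit it."""
    tmp = tempfile.mkdtemp()
    try:
        files = {
            "00-base.json": {"datacenter": "dc1", "client_addr": "127.0.0.1",
                             "retry_join": ["10.0.0.1"],
                             "enable_script_checks": False},
            "50-extra.json": {"retry_join": ["10.0.0.2"], "ports": {"dns": 8600}},
            # lexically last: every scalar it sets wins over the files above
            "99-override.json": {"enable_script_checks": True,
                                 "client_addr": "0.0.0.0",
                                 "ports": {"http": 8500}},
            "README.txt": {"datacenter": "ignored: wrong suffix"},
        }
        for name, body in files.items():
            with open(os.path.join(tmp, name), "w") as fh:
                json.dump(body, fh)
        os.mkdir(os.path.join(tmp, "disabled"))
        with open(os.path.join(tmp, "disabled", "zz.json"), "w") as fh:
            json.dump({"datacenter": "ignored: sub-directory"}, fh)
        merged, loaded = load_config_dir(tmp)
        return merged, loaded, audit(merged)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    merged, loaded, findings = demo()
    print("loaded:", loaded)
    print(json.dumps(merged, indent=2))
    print("findings:", findings)
```

Running `demo()` shows `retry_join` growing to both addresses while `client_addr` and `enable_script_checks` take the values from `99-override.json`; the `.txt` file and the sub-directory contribute nothing. The practical check is to review the merged view rather than any one file, which is also why a drop-in directory should not be writable by anyone other than the user that deploys it.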
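Two details of the `-encrypt` description above trip people up in practice: the key has a fixed shape (16 bytes, Base64), and once an agent has persisted a keyring, passing a different `-encrypt` value on a later start does nothing but log a warning, so "rotating" the key by editing the unit file silently leaves the old key in use. The following is an added example, not Consul's own code: it generates a key of the documented shape (the same thing `consul keygen` prints), validates candidate keys, and models the documented persistence rule with an in-memory keyring list standing in for the data directory. The function names and the keyring representation are this example's assumptions.

```python
import base64
import binascii
import os

KEY_BYTES = 16  # the length the documentation above requires


def generate_key():
    """Return a fresh Base64-encoded 16-byte key, as `consul keygen` does."""
    return base64.b64encode(os.urandom(KEY_BYTES)).decode("ascii")


def validate_key(key):
    """True only if `key` is strict Base64 that decodes to exactly 16 bytes.
    Rejects non-alphabet characters, bad padding and wrong lengths."""
    try:
        raw = base64.b64decode(key, validate=True)
    except (binascii.Error, ValueError, TypeError):
        return False
    return len(raw) == KEY_BYTES


def effective_key(persisted_keyring, provided_key, warnings):
    """Decide which key an agent would run with at startup.

    persisted_keyring: keys already stored in the data directory (a list,
                       empty on first start; index 0 is the primary key)
    provided_key:      the -encrypt value, or None
    warnings:          list the agent would log to

    Mirrors the rule above: the persisted keyring wins, and an -encrypt value
    given after initialisation is ignored with a warning. Returns the key in
    use, or None when gossip stays unencrypted.
    """
    if persisted_keyring:
        if provided_key and provided_key not in persisted_keyring:
            warnings.append("-encrypt given but keyring already exists; ignored")
        return persisted_keyring[0]
    if provided_key is None:
        return None
    if not validate_key(provided_key):
        raise ValueError("encrypt key must be 16 bytes, Base64-encoded")
    persisted_keyring.append(provided_key)  # first start persists the key
    return provided_key
```

To actually change the key of a running cluster you use the keyring management commands to install, promote and then remove keys, not `-encrypt`; the `effective_key` model above is the reason a changed `-encrypt` flag alone appears to "work" while the cluster keeps gossiping with the old key.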
## Securing Consul

Consul is an excellent piece of software, really. I don't think I've been this excited by any other software for the last couple of years. As they state on their page:

> Consul has multiple components, but as a whole, it is a tool for discovering and configuring services in your infrastructure.

It is well documented, robust, fast, replicated, datacenter aware, integrates a Key/Value store, etc. And their IRC community is very friendly.

The only major flaw I've found is that, by default, it is not secure enough. What I mean by not secure enough is that you must take good care of how you configure and run the service if you don't wish to leave too many doors open to a harmful user.

    chown root:consul /usr/sbin/consul
    chmod 750 /usr/sbin/consul

### Prevent users from executing their own Consul binary

This is a bit out of the Consul scope, and more a matter of user containment, but you must indeed prevent a user from being able to upload and execute their own Consul binary. The two main solutions I can think of:

- Mount filesystems where local users have write access with the `noexec` flag.
- from the patchset

### Configuration access rights

It's important that you forbid any read access to your Consul configuration by other unprivileged users, in order not to leak sensitive settings.

    iptables -A OUTPUT -m tcp -p tcp --dport 8500 -m owner --uid-owner consul -j ACCEPT

This would let only the consul user access the port locally, which is the user under which your daemon is running, and is unavailable to an unprivileged user. An ACCEPT rule on its own grants nothing extra: it only has that effect when the OUTPUT chain's default policy, or a rule after it, drops other local traffic to port 8500.

### Key/Value store ACLs

I've found the ACL system for the key/value store quite unsettling; it can be broken out like this:

1. Enable ACLs at datacenter level.
2. Set a master token (not mandatory, but I find it easier to manage).
3. Choose a default policy.
4. Set access rules on keys using the API.

#### Deny by default

As a habit, I've found that denying by default is easier to manage, granting read and/or write access per client. Enabling the ACL system is a server-only configuration.
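The steps above (enable ACLs, pick a default policy, attach key rules to per-client tokens) are easiest to reason about once you can see how a request is resolved against a token's rules. The following is an added example, not Consul's own code: a Python evaluator for the legacy Consul KV rule syntax, `key "<prefix>" { policy = "read" | "write" | "deny" }`, with the longest matching prefix winning and a key matched by no rule falling back to the datacenter default policy (`deny` here, as recommended above). The token rules and request keys are constructed for the example; real tokens would be created through the ACL API rather than held in a Python constant.

```python
import re

# key "<prefix>" { policy = "<read|write|deny>" }  -- one rule per match
RULE_RE = re.compile(
    r'key\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(read|write|deny)"\s*\}')

# Ordering used to compare a rule's policy against the requested operation.
# "allow" is only valid as a datacenter default and means unrestricted access.
LEVEL = {"deny": 0, "read": 1, "write": 2, "allow": 2}


def parse_rules(text):
    """Return [(prefix, policy), ...] from a rules document."""
    return RULE_RE.findall(text)


def policy_for(rules, key, default_policy="deny"):
    """Most specific (longest) matching prefix wins; otherwise the default."""
    best = None
    for prefix, policy in rules:
        if key.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, policy)
    return best[1] if best else default_policy


def allowed(rules, key, op, default_policy="deny"):
    """op is "read" or "write"; a write policy also permits reads."""
    return LEVEL[policy_for(rules, key, default_policy)] >= LEVEL[op]


def check_requests(rules, requests, default_policy="deny"):
    """Evaluate (key, op) pairs; returns [(key, op, allowed), ...]."""
    return [(k, op, allowed(rules, k, op, default_policy)) for k, op in requests]


# Constructed token for a web tier: read its application tree, write only its
# own config sub-tree, and never see secrets even though "app/" matches them.
WEB_TOKEN_RULES = parse_rules('''
key "app/" { policy = "read" }
key "app/web/config/" { policy = "write" }
key "app/secrets/" { policy = "deny" }
''')

if __name__ == "__main__":
    for key, op, ok in check_requests(WEB_TOKEN_RULES, [
            ("app/web/config/port", "write"),
            ("app/db/host", "read"),
            ("app/db/host", "write"),
            ("app/secrets/db_password", "read"),
            ("infra/vault/root", "read")]):
        print(f"{op:5} {key:28} {'allow' if ok else 'deny'}")
```

With the default policy set to `deny`, the last request (a key under `infra/`, which no rule mentions) is refused; flip the datacenter default to `allow` and the same token can read it, which is exactly the surprise a deny-by-default habit avoids.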